From bf8362cb500b413d04d04b1312df1914b4b193f8 Mon Sep 17 00:00:00 2001 From: Jintao Zhang Date: Sat, 29 Oct 2022 07:40:39 +0800 Subject: [PATCH 001/405] chore: bump NGINX version v1.21.4 (#8889) * chore: bump NGINX version v1.21.4 Signed-off-by: Jintao Zhang * chore: bump all others Signed-off-by: Jintao Zhang * apply all patches Signed-off-by: Jintao Zhang * fix files hash Signed-off-by: Jintao Zhang * fix ajp module Signed-off-by: Jintao Zhang Signed-off-by: Jintao Zhang --- images/nginx/rootfs/build.sh | 78 ++++++++++--------- .../patches/nginx-1.19.9-no_Werror.patch | 36 --------- ...> nginx-1.21.4-balancer_status_code.patch} | 0 ... => nginx-1.21.4-cache_manager_exit.patch} | 0 ... nginx-1.21.4-delayed_posted_events.patch} | 0 ...patch => nginx-1.21.4-hash_overflow.patch} | 0 ...ginx-1.21.4-init_cycle_pool_release.patch} | 24 +++--- ...> nginx-1.21.4-larger_max_error_str.patch} | 4 +- .../patches/nginx-1.21.4-no_Werror.patch | 36 +++++++++ ...> nginx-1.21.4-proxy_host_port_vars.patch} | 4 +- ... nginx-1.21.4-resolver_conf_parsing.patch} | 0 ...x-1.21.4-reuseport_close_unused_fds.patch} | 0 ...1.21.4-single_process_graceful_exit.patch} | 0 ...atch => nginx-1.21.4-socket_cloexec.patch} | 0 ...h => nginx-1.21.4-ssl_cert_cb_yield.patch} | 0 ...h => nginx-1.21.4-ssl_sess_cb_yield.patch} | 0 ...tream_proxy_get_next_upstream_tries.patch} | 0 ...x-1.21.4-stream_ssl_preread_no_skip.patch} | 0 ...=> nginx-1.21.4-upstream_pipelining.patch} | 0 ...ginx-1.21.4-upstream_timeout_fields.patch} | 0 .../rootfs/patches/patch.2021.resolver.txt | 23 ------ 21 files changed, 92 insertions(+), 113 deletions(-) delete mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-no_Werror.patch rename images/nginx/rootfs/patches/{nginx-1.19.9-balancer_status_code.patch => nginx-1.21.4-balancer_status_code.patch} (100%) rename images/nginx/rootfs/patches/{nginx-1.19.9-cache_manager_exit.patch => nginx-1.21.4-cache_manager_exit.patch} (100%) rename images/nginx/rootfs/patches/{nginx-1.19.9-delayed_posted_events.patch => nginx-1.21.4-delayed_posted_events.patch} (100%) rename images/nginx/rootfs/patches/{nginx-1.19.9-hash_overflow.patch => nginx-1.21.4-hash_overflow.patch} (100%) rename images/nginx/rootfs/patches/{nginx-1.19.9-init_cycle_pool_release.patch => nginx-1.21.4-init_cycle_pool_release.patch} (65%) rename images/nginx/rootfs/patches/{nginx-1.19.9-larger_max_error_str.patch => nginx-1.21.4-larger_max_error_str.patch} (62%) create mode 100644 images/nginx/rootfs/patches/nginx-1.21.4-no_Werror.patch rename images/nginx/rootfs/patches/{nginx-1.19.9-proxy_host_port_vars.patch => nginx-1.21.4-proxy_host_port_vars.patch} (87%) rename images/nginx/rootfs/patches/{nginx-1.19.9-resolver_conf_parsing.patch => nginx-1.21.4-resolver_conf_parsing.patch} (100%) rename images/nginx/rootfs/patches/{nginx-1.19.9-reuseport_close_unused_fds.patch => nginx-1.21.4-reuseport_close_unused_fds.patch} (100%) rename images/nginx/rootfs/patches/{nginx-1.19.9-single_process_graceful_exit.patch => nginx-1.21.4-single_process_graceful_exit.patch} (100%) rename images/nginx/rootfs/patches/{nginx-1.19.9-socket_cloexec.patch => nginx-1.21.4-socket_cloexec.patch} (100%) rename images/nginx/rootfs/patches/{nginx-1.19.9-ssl_cert_cb_yield.patch => nginx-1.21.4-ssl_cert_cb_yield.patch} (100%) rename images/nginx/rootfs/patches/{nginx-1.19.9-ssl_sess_cb_yield.patch => nginx-1.21.4-ssl_sess_cb_yield.patch} (100%) rename images/nginx/rootfs/patches/{nginx-1.19.9-stream_proxy_get_next_upstream_tries.patch => nginx-1.21.4-stream_proxy_get_next_upstream_tries.patch} (100%) rename images/nginx/rootfs/patches/{nginx-1.19.9-stream_ssl_preread_no_skip.patch => nginx-1.21.4-stream_ssl_preread_no_skip.patch} (100%) rename images/nginx/rootfs/patches/{nginx-1.19.9-upstream_pipelining.patch => nginx-1.21.4-upstream_pipelining.patch} (100%) rename images/nginx/rootfs/patches/{nginx-1.19.9-upstream_timeout_fields.patch => nginx-1.21.4-upstream_timeout_fields.patch} (100%) delete mode 100644 images/nginx/rootfs/patches/patch.2021.resolver.txt diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh index 75d765e78..cfea7b7c8 100755 --- a/images/nginx/rootfs/build.sh +++ b/images/nginx/rootfs/build.sh @@ -18,13 +18,13 @@ set -o errexit set -o nounset set -o pipefail -export NGINX_VERSION=1.19.10 +export NGINX_VERSION=1.21.4 # Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.1...master export NDK_VERSION=0.3.1 -# Check for recent changes: https://github.com/openresty/set-misc-nginx-module/compare/v0.32...master -export SETMISC_VERSION=0.32 +# Check for recent changes: https://github.com/openresty/set-misc-nginx-module/compare/v0.33...master +export SETMISC_VERSION=0.33 # Check for recent changes: https://github.com/openresty/headers-more-nginx-module/compare/v0.33...master export MORE_HEADERS_VERSION=0.33 @@ -65,28 +65,30 @@ export MODSECURITY_LIB_VERSION=v3.0.8 # Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v3.3.2...v3.3/master export OWASP_MODSECURITY_CRS_VERSION=v3.3.4 -# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.20...master -export LUA_NGX_VERSION=b721656a9127255003b696b42ccc871c7ec18d59 +# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.21...master +export LUA_NGX_VERSION=0.10.21 -# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/v0.0.10...master -export LUA_STREAM_NGX_VERSION=74f8c8bca5b95cecbf42d4e1a465bc08cd075a9b +# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/v0.0.11...master +export LUA_STREAM_NGX_VERSION=0.0.11 -# Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/v0.07...master +# Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/8aa93ead98ba2060d4efd594ae33a35d153589bf...master export LUA_UPSTREAM_VERSION=8aa93ead98ba2060d4efd594ae33a35d153589bf -# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.8...openresty:master -export LUA_CJSON_VERSION=4b350c531de3d71008c77ae94e59275b8371b4dc +# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.10...openresty:master +export LUA_CJSON_VERSION=2.1.0.10 export NGINX_INFLUXDB_VERSION=5b09391cb7b9a889687c0aa67964c06a2d933e8b # Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/3.3...master export GEOIP2_VERSION=a26c6beed77e81553686852dceb6c7fdacc5970d -# Check for recent changes: https://github.com/yaoweibin/nginx_ajp_module/compare/v0.3.0...master -export NGINX_AJP_VERSION=a964a0bcc6a9f2bfb82a13752d7794a36319ffac +# Check for recent changes: https://github.com/msva/nginx_ajp_module/compare/fcbb2ccca4901d317ecd7a9dabb3fec9378ff40f...master +# This is a fork from https://github.com/yaoweibin/nginx_ajp_module +# Since it has not been updated and is not compatible with NGINX 1.21 +export NGINX_AJP_VERSION=fcbb2ccca4901d317ecd7a9dabb3fec9378ff40f -# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20210510...v2.1-agentzh -export LUAJIT_VERSION=2.1-20210510 +# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20220411...v2.1-agentzh +export LUAJIT_VERSION=2.1-20220411 # Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/v0.04...master export LUA_RESTY_BALANCER=0.04 @@ -94,8 +96,8 @@ export LUA_RESTY_BALANCER=0.04 # Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/v0.11...master export LUA_RESTY_CACHE=0.11 -# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.22...master -export LUA_RESTY_CORE=0.1.22 +# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.23...master +export LUA_RESTY_CORE=0.1.23 # Check for recent changes: https://github.com/cloudflare/lua-resty-cookie/compare/v0.1.0...master export LUA_RESTY_COOKIE_VERSION=303e32e512defced053a6484bc0745cf9dc0d39e @@ -112,17 +114,17 @@ export LUA_RESTY_LOCK=0.08 # Check for recent changes: https://github.com/openresty/lua-resty-upload/compare/v0.10...master export LUA_RESTY_UPLOAD_VERSION=0.10 -# Check for recent changes: https://github.com/openresty/lua-resty-string/compare/v0.14...master -export LUA_RESTY_STRING_VERSION=9ace36f2dde09451c377c839117ade45eb02d460 +# Check for recent changes: https://github.com/openresty/lua-resty-string/compare/v0.15...master +export LUA_RESTY_STRING_VERSION=0.15 # Check for recent changes: https://github.com/openresty/lua-resty-memcached/compare/v0.16...master export LUA_RESTY_MEMCACHED_VERSION=0.16 -# Check for recent changes: https://github.com/openresty/lua-resty-redis/compare/v0.29...master -export LUA_RESTY_REDIS_VERSION=0.29 +# Check for recent changes: https://github.com/openresty/lua-resty-redis/compare/v0.30...master +export LUA_RESTY_REDIS_VERSION=0.30 -# Check for recent changes: https://github.com/api7/lua-resty-ipmatcher/compare/v0.6...master -export LUA_RESTY_IPMATCHER_VERSION=211e0d2eb8bbb558b79368f89948a0bafdc23654 +# Check for recent changes: https://github.com/api7/lua-resty-ipmatcher/compare/v0.6.1...master +export LUA_RESTY_IPMATCHER_VERSION=0.6.1 # Check for recent changes: https://github.com/ElvinEfendi/lua-resty-global-throttle/compare/v0.2.0...main export LUA_RESTY_GLOBAL_THROTTLE_VERSION=0.2.0 @@ -200,13 +202,13 @@ mkdir --verbose -p "$BUILD_PATH" cd "$BUILD_PATH" # download, verify and extract the source files -get_src e8d0290ff561986ad7cd6c33307e12e11b137186c4403a6a5ccdb4914c082d88 \ +get_src d1f72f474e71bcaaf465dcc7e6f7b6a4705e4b1ed95c581af31df697551f3bfe \ "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz" get_src 0e971105e210d272a497567fa2e2c256f4e39b845a5ba80d373e26ba1abfbd85 \ "https://github.com/simpl/ngx_devel_kit/archive/v$NDK_VERSION.tar.gz" -get_src f1ad2459c4ee6a61771aa84f77871f4bfe42943a4aa4c30c62ba3f981f52c201 \ +get_src cd5e2cc834bcfa30149e7511f2b5a2183baf0b70dc091af717a89a64e44a2985 \ "https://github.com/openresty/set-misc-nginx-module/archive/v$SETMISC_VERSION.tar.gz" get_src a3dcbab117a9c103bc1ea5200fc00a7b7d2af97ff7fd525f16f8ac2632e30fbf \ @@ -245,11 +247,11 @@ get_src 7d5f3439c8df56046d0564b5857fd8a30296ab1bd6df0f048aed7afb56a0a4c2 \ get_src 99c47c75c159795c9faf76bbb9fa58e5a50b75286c86565ffcec8514b1c74bf9 \ "https://github.com/openresty/stream-lua-nginx-module/archive/v$LUA_STREAM_NGX_VERSION.tar.gz" else -get_src 085a9fb2bf9c4466977595a5fe5156d76f3a2d9a2a81be3cacaff2021773393e \ - "https://github.com/openresty/lua-nginx-module/archive/$LUA_NGX_VERSION.tar.gz" +get_src 9db756000578efaecb43bea4fc6cf631aaa80988d86ffe5d3afeb9927895ffad \ + "https://github.com/openresty/lua-nginx-module/archive/v$LUA_NGX_VERSION.tar.gz" -get_src ba38c9f8e4265836ba7f2ac559ddf140693ff2f5ae33ab1e384f51f3992151ab \ - "https://github.com/openresty/stream-lua-nginx-module/archive/$LUA_STREAM_NGX_VERSION.tar.gz" +get_src c7924f28cb014a99636e747ea907724dd55f60e180cb92cde6e8ed48d2278f27 \ + "https://github.com/openresty/stream-lua-nginx-module/archive/v$LUA_STREAM_NGX_VERSION.tar.gz" fi @@ -260,7 +262,7 @@ if [[ ${ARCH} == "s390x" ]]; then get_src 266ed1abb70a9806d97cb958537a44b67db6afb33d3b32292a2d68a2acedea75 \ "https://github.com/openresty/luajit2/archive/$LUAJIT_VERSION.tar.gz" else -get_src 1ee6dad809a5bb22efb45e6dac767f7ce544ad652d353a93d7f26b605f69fe3f \ +get_src d3f2c870f8f88477b01726b32accab30f6e5d57ae59c5ec87374ff73d0794316 \ "https://github.com/openresty/luajit2/archive/v$LUAJIT_VERSION.tar.gz" fi @@ -273,14 +275,14 @@ get_src 1af5a5632dc8b00ae103d51b7bf225de3a7f0df82f5c6a401996c080106e600e \ get_src 4c1933434572226942c65b2f2b26c8a536ab76aa771a3c7f6c2629faa764976b \ "https://github.com/leev/ngx_http_geoip2_module/archive/$GEOIP2_VERSION.tar.gz" -get_src 94d1512bf0e5e6ffa4eca0489db1279d51f45386fffcb8a1d2d9f7fe93518465 \ - "https://github.com/yaoweibin/nginx_ajp_module/archive/$NGINX_AJP_VERSION.tar.gz" +get_src 778fcca851bd69dabfb382dc827d2ee07662f7eca36b5e66e67d5512bad75ef8 \ + "https://github.com/msva/nginx_ajp_module/archive/$NGINX_AJP_VERSION.tar.gz" get_src 5d16e623d17d4f42cc64ea9cfb69ca960d313e12f5d828f785dd227cc483fcbd \ "https://github.com/openresty/lua-resty-upload/archive/v$LUA_RESTY_UPLOAD_VERSION.tar.gz" -get_src 462c6b38792bab4ca8212bdfd3f2e38f6883bb45c8fb8a03474ea813e0fab853 \ - "https://github.com/openresty/lua-resty-string/archive/$LUA_RESTY_STRING_VERSION.tar.gz" +get_src bdbf271003d95aa91cab0a92f24dca129e99b33f79c13ebfcdbbcbb558129491 \ + "https://github.com/openresty/lua-resty-string/archive/v$LUA_RESTY_STRING_VERSION.tar.gz" get_src 16d72ed133f0c6df376a327386c3ef4e9406cf51003a700737c3805770ade7c5 \ "https://github.com/openresty/lua-resty-balancer/archive/v$LUA_RESTY_BALANCER.tar.gz" @@ -289,11 +291,11 @@ if [[ ${ARCH} == "s390x" ]]; then get_src 8f5f76d2689a3f6b0782f0a009c56a65e4c7a4382be86422c9b3549fe95b0dc4 \ "https://github.com/openresty/lua-resty-core/archive/v$LUA_RESTY_CORE.tar.gz" else -get_src 4d971f711fad48c097070457c128ca36053835d8a3ba25a937e9991547d55d4d \ +get_src efd6b51520429e64b1bcc10f477d370ebed1631c190f7e4dc270d959a743ad7d \ "https://github.com/openresty/lua-resty-core/archive/v$LUA_RESTY_CORE.tar.gz" fi -get_src 8d602af2669fb386931760916a39f6c9034f2363c4965f215042c086b8215238 \ +get_src 0c551d6898f89f876e48730f9b55790d0ba07d5bc0aa6c76153277f63c19489f \ "https://github.com/openresty/lua-cjson/archive/$LUA_CJSON_VERSION.tar.gz" get_src 5ed48c36231e2622b001308622d46a0077525ac2f751e8cc0c9905914254baa4 \ @@ -314,11 +316,11 @@ get_src 9fcb6db95bc37b6fce77d3b3dc740d593f9d90dce0369b405eb04844d56ac43f \ get_src 42893da0e3de4ec180c9bf02f82608d78787290a70c5644b538f29d243147396 \ "https://github.com/openresty/lua-resty-memcached/archive/v$LUA_RESTY_MEMCACHED_VERSION.tar.gz" -get_src 3f602af507aacd1f7aaeddfe7b77627fcde095fe9f115cb9d6ad8de2a52520e1 \ +get_src c15aed1a01c88a3a6387d9af67a957dff670357f5fdb4ee182beb44635eef3f1 \ "https://github.com/openresty/lua-resty-redis/archive/v$LUA_RESTY_REDIS_VERSION.tar.gz" -get_src b8dbd502751140993a852381bcd8e98a402454596bd91838c1e51268d42db261 \ - "https://github.com/api7/lua-resty-ipmatcher/archive/$LUA_RESTY_IPMATCHER_VERSION.tar.gz" +get_src efb767487ea3f6031577b9b224467ddbda2ad51a41c5867a47582d4ad85d609e \ + "https://github.com/api7/lua-resty-ipmatcher/archive/v$LUA_RESTY_IPMATCHER_VERSION.tar.gz" get_src 0fb790e394510e73fdba1492e576aaec0b8ee9ef08e3e821ce253a07719cf7ea \ "https://github.com/ElvinEfendi/lua-resty-global-throttle/archive/v$LUA_RESTY_GLOBAL_THROTTLE_VERSION.tar.gz" diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-no_Werror.patch b/images/nginx/rootfs/patches/nginx-1.19.9-no_Werror.patch deleted file mode 100644 index 7bb0ac902..000000000 --- a/images/nginx/rootfs/patches/nginx-1.19.9-no_Werror.patch +++ /dev/null @@ -1,36 +0,0 @@ -diff -urp nginx-1.19.9/auto/cc/clang nginx-1.19.9-patched/auto/cc/clang ---- nginx-1.19.9/auto/cc/clang 2014-03-04 03:39:24.000000000 -0800 -+++ nginx-1.19.9-patched/auto/cc/clang 2014-03-13 20:54:26.241413360 -0700 -@@ -89,7 +89,7 @@ CFLAGS="$CFLAGS -Wconditional-uninitiali - CFLAGS="$CFLAGS -Wno-unused-parameter" - - # stop on warning --CFLAGS="$CFLAGS -Werror" -+#CFLAGS="$CFLAGS -Werror" - - # debug - CFLAGS="$CFLAGS -g" -diff -urp nginx-1.19.9/auto/cc/gcc nginx-1.19.9-patched/auto/cc/gcc ---- nginx-1.19.9/auto/cc/gcc 2014-03-04 03:39:24.000000000 -0800 -+++ nginx-1.19.9-patched/auto/cc/gcc 2014-03-13 20:54:13.301355329 -0700 -@@ -168,7 +168,7 @@ esac - - - # stop on warning --CFLAGS="$CFLAGS -Werror" -+#CFLAGS="$CFLAGS -Werror" - - # debug - CFLAGS="$CFLAGS -g" -diff -urp nginx-1.19.9/auto/cc/icc nginx-1.19.9-patched/auto/cc/icc ---- nginx-1.19.9/auto/cc/icc 2014-03-04 03:39:24.000000000 -0800 -+++ nginx-1.19.9-patched/auto/cc/icc 2014-03-13 20:54:13.301355329 -0700 -@@ -115,7 +115,7 @@ case "$NGX_ICC_VER" in - esac - - # stop on warning --CFLAGS="$CFLAGS -Werror" -+#CFLAGS="$CFLAGS -Werror" - - # debug - CFLAGS="$CFLAGS -g" diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-balancer_status_code.patch b/images/nginx/rootfs/patches/nginx-1.21.4-balancer_status_code.patch similarity index 100% rename from images/nginx/rootfs/patches/nginx-1.19.9-balancer_status_code.patch rename to images/nginx/rootfs/patches/nginx-1.21.4-balancer_status_code.patch diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-cache_manager_exit.patch b/images/nginx/rootfs/patches/nginx-1.21.4-cache_manager_exit.patch similarity index 100% rename from images/nginx/rootfs/patches/nginx-1.19.9-cache_manager_exit.patch rename to images/nginx/rootfs/patches/nginx-1.21.4-cache_manager_exit.patch diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-delayed_posted_events.patch b/images/nginx/rootfs/patches/nginx-1.21.4-delayed_posted_events.patch similarity index 100% rename from images/nginx/rootfs/patches/nginx-1.19.9-delayed_posted_events.patch rename to images/nginx/rootfs/patches/nginx-1.21.4-delayed_posted_events.patch diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-hash_overflow.patch b/images/nginx/rootfs/patches/nginx-1.21.4-hash_overflow.patch similarity index 100% rename from images/nginx/rootfs/patches/nginx-1.19.9-hash_overflow.patch rename to images/nginx/rootfs/patches/nginx-1.21.4-hash_overflow.patch diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-init_cycle_pool_release.patch b/images/nginx/rootfs/patches/nginx-1.21.4-init_cycle_pool_release.patch similarity index 65% rename from images/nginx/rootfs/patches/nginx-1.19.9-init_cycle_pool_release.patch rename to images/nginx/rootfs/patches/nginx-1.21.4-init_cycle_pool_release.patch index aa2df4660..9cfa4f7cb 100644 --- a/images/nginx/rootfs/patches/nginx-1.19.9-init_cycle_pool_release.patch +++ b/images/nginx/rootfs/patches/nginx-1.21.4-init_cycle_pool_release.patch @@ -1,6 +1,6 @@ -diff -rup nginx-1.19.9/src/core/nginx.c nginx-1.19.9-patched/src/core/nginx.c ---- nginx-1.19.9/src/core/nginx.c 2017-12-17 00:00:38.136470108 -0800 -+++ nginx-1.19.9-patched/src/core/nginx.c 2017-12-16 23:59:51.680958322 -0800 +diff -rup nginx-1.21.4/src/core/nginx.c nginx-1.21.4-patched/src/core/nginx.c +--- nginx-1.21.4/src/core/nginx.c 2017-12-17 00:00:38.136470108 -0800 ++++ nginx-1.21.4-patched/src/core/nginx.c 2017-12-16 23:59:51.680958322 -0800 @@ -186,6 +186,7 @@ static u_char *ngx_prefix; static u_char *ngx_conf_file; static u_char *ngx_conf_params; @@ -18,9 +18,9 @@ diff -rup nginx-1.19.9/src/core/nginx.c nginx-1.19.9-patched/src/core/nginx.c if (ngx_save_argv(&init_cycle, argc, argv) != NGX_OK) { return 1; } -diff -rup nginx-1.19.9/src/core/ngx_core.h nginx-1.19.9-patched/src/core/ngx_core.h ---- nginx-1.19.9/src/core/ngx_core.h 2017-10-10 08:22:51.000000000 -0700 -+++ nginx-1.19.9-patched/src/core/ngx_core.h 2017-12-16 23:59:51.679958370 -0800 +diff -rup nginx-1.21.4/src/core/ngx_core.h nginx-1.21.4-patched/src/core/ngx_core.h +--- nginx-1.21.4/src/core/ngx_core.h 2017-10-10 08:22:51.000000000 -0700 ++++ nginx-1.21.4-patched/src/core/ngx_core.h 2017-12-16 23:59:51.679958370 -0800 @@ -108,4 +108,6 @@ void ngx_cpuinfo(void); #define NGX_DISABLE_SYMLINKS_NOTOWNER 2 #endif @@ -28,9 +28,9 @@ diff -rup nginx-1.19.9/src/core/ngx_core.h nginx-1.19.9-patched/src/core/ngx_cor +extern ngx_pool_t *saved_init_cycle_pool; + #endif /* _NGX_CORE_H_INCLUDED_ */ -diff -rup nginx-1.19.9/src/core/ngx_cycle.c nginx-1.19.9-patched/src/core/ngx_cycle.c ---- nginx-1.19.9/src/core/ngx_cycle.c 2017-10-10 08:22:51.000000000 -0700 -+++ nginx-1.19.9-patched/src/core/ngx_cycle.c 2017-12-16 23:59:51.678958419 -0800 +diff -rup nginx-1.21.4/src/core/ngx_cycle.c nginx-1.21.4-patched/src/core/ngx_cycle.c +--- nginx-1.21.4/src/core/ngx_cycle.c 2017-10-10 08:22:51.000000000 -0700 ++++ nginx-1.21.4-patched/src/core/ngx_cycle.c 2017-12-16 23:59:51.678958419 -0800 @@ -748,6 +748,10 @@ old_shm_zone_done: if (ngx_process == NGX_PROCESS_MASTER || ngx_is_init_cycle(old_cycle)) { @@ -42,9 +42,9 @@ diff -rup nginx-1.19.9/src/core/ngx_cycle.c nginx-1.19.9-patched/src/core/ngx_cy ngx_destroy_pool(old_cycle->pool); cycle->old_cycle = NULL; -diff -rup nginx-1.19.9/src/os/unix/ngx_process_cycle.c nginx-1.19.9-patched/src/os/unix/ngx_process_cycle.c ---- nginx-1.19.9/src/os/unix/ngx_process_cycle.c 2017-12-17 00:00:38.142469762 -0800 -+++ nginx-1.19.9-patched/src/os/unix/ngx_process_cycle.c 2017-12-16 23:59:51.691957791 -0800 +diff -rup nginx-1.21.4/src/os/unix/ngx_process_cycle.c nginx-1.21.4-patched/src/os/unix/ngx_process_cycle.c +--- nginx-1.21.4/src/os/unix/ngx_process_cycle.c 2017-12-17 00:00:38.142469762 -0800 ++++ nginx-1.21.4-patched/src/os/unix/ngx_process_cycle.c 2017-12-16 23:59:51.691957791 -0800 @@ -687,6 +692,11 @@ ngx_master_process_exit(ngx_cycle_t *cyc ngx_exit_cycle.files_n = ngx_cycle->files_n; ngx_cycle = &ngx_exit_cycle; diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-larger_max_error_str.patch b/images/nginx/rootfs/patches/nginx-1.21.4-larger_max_error_str.patch similarity index 62% rename from images/nginx/rootfs/patches/nginx-1.19.9-larger_max_error_str.patch rename to images/nginx/rootfs/patches/nginx-1.21.4-larger_max_error_str.patch index 0628d3abb..c89032c9f 100644 --- a/images/nginx/rootfs/patches/nginx-1.19.9-larger_max_error_str.patch +++ b/images/nginx/rootfs/patches/nginx-1.21.4-larger_max_error_str.patch @@ -1,5 +1,5 @@ ---- nginx-1.19.9/src/core/ngx_log.h 2013-10-08 05:07:14.000000000 -0700 -+++ nginx-1.19.9-patched/src/core/ngx_log.h 2013-12-05 20:35:35.996236720 -0800 +--- nginx-1.21.4/src/core/ngx_log.h 2013-10-08 05:07:14.000000000 -0700 ++++ nginx-1.21.4-patched/src/core/ngx_log.h 2013-12-05 20:35:35.996236720 -0800 @@ -64,7 +64,9 @@ struct ngx_log_s { }; diff --git a/images/nginx/rootfs/patches/nginx-1.21.4-no_Werror.patch b/images/nginx/rootfs/patches/nginx-1.21.4-no_Werror.patch new file mode 100644 index 000000000..f4d6fd0e5 --- /dev/null +++ b/images/nginx/rootfs/patches/nginx-1.21.4-no_Werror.patch @@ -0,0 +1,36 @@ +diff -urp nginx-1.21.4/auto/cc/clang nginx-1.21.4-patched/auto/cc/clang +--- nginx-1.21.4/auto/cc/clang 2014-03-04 03:39:24.000000000 -0800 ++++ nginx-1.21.4-patched/auto/cc/clang 2014-03-13 20:54:26.241413360 -0700 +@@ -89,7 +89,7 @@ CFLAGS="$CFLAGS -Wconditional-uninitiali + CFLAGS="$CFLAGS -Wno-unused-parameter" + + # stop on warning +-CFLAGS="$CFLAGS -Werror" ++#CFLAGS="$CFLAGS -Werror" + + # debug + CFLAGS="$CFLAGS -g" +diff -urp nginx-1.21.4/auto/cc/gcc nginx-1.21.4-patched/auto/cc/gcc +--- nginx-1.21.4/auto/cc/gcc 2014-03-04 03:39:24.000000000 -0800 ++++ nginx-1.21.4-patched/auto/cc/gcc 2014-03-13 20:54:13.301355329 -0700 +@@ -168,7 +168,7 @@ esac + + + # stop on warning +-CFLAGS="$CFLAGS -Werror" ++#CFLAGS="$CFLAGS -Werror" + + # debug + CFLAGS="$CFLAGS -g" +diff -urp nginx-1.21.4/auto/cc/icc nginx-1.21.4-patched/auto/cc/icc +--- nginx-1.21.4/auto/cc/icc 2014-03-04 03:39:24.000000000 -0800 ++++ nginx-1.21.4-patched/auto/cc/icc 2014-03-13 20:54:13.301355329 -0700 +@@ -115,7 +115,7 @@ case "$NGX_ICC_VER" in + esac + + # stop on warning +-CFLAGS="$CFLAGS -Werror" ++#CFLAGS="$CFLAGS -Werror" + + # debug + CFLAGS="$CFLAGS -g" diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-proxy_host_port_vars.patch b/images/nginx/rootfs/patches/nginx-1.21.4-proxy_host_port_vars.patch similarity index 87% rename from images/nginx/rootfs/patches/nginx-1.19.9-proxy_host_port_vars.patch rename to images/nginx/rootfs/patches/nginx-1.21.4-proxy_host_port_vars.patch index 25282bda3..01cebd65a 100644 --- a/images/nginx/rootfs/patches/nginx-1.19.9-proxy_host_port_vars.patch +++ b/images/nginx/rootfs/patches/nginx-1.21.4-proxy_host_port_vars.patch @@ -1,5 +1,5 @@ ---- nginx-1.19.9/src/http/modules/ngx_http_proxy_module.c 2017-07-16 14:02:51.000000000 +0800 -+++ nginx-1.19.9-patched/src/http/modules/ngx_http_proxy_module.c 2017-07-16 14:02:51.000000000 +0800 +--- nginx-1.21.4/src/http/modules/ngx_http_proxy_module.c 2017-07-16 14:02:51.000000000 +0800 ++++ nginx-1.21.4-patched/src/http/modules/ngx_http_proxy_module.c 2017-07-16 14:02:51.000000000 +0800 @@ -793,13 +793,13 @@ static ngx_keyval_t ngx_http_proxy_cach static ngx_http_variable_t ngx_http_proxy_vars[] = { diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-resolver_conf_parsing.patch b/images/nginx/rootfs/patches/nginx-1.21.4-resolver_conf_parsing.patch similarity index 100% rename from images/nginx/rootfs/patches/nginx-1.19.9-resolver_conf_parsing.patch rename to images/nginx/rootfs/patches/nginx-1.21.4-resolver_conf_parsing.patch diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-reuseport_close_unused_fds.patch b/images/nginx/rootfs/patches/nginx-1.21.4-reuseport_close_unused_fds.patch similarity index 100% rename from images/nginx/rootfs/patches/nginx-1.19.9-reuseport_close_unused_fds.patch rename to images/nginx/rootfs/patches/nginx-1.21.4-reuseport_close_unused_fds.patch diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-single_process_graceful_exit.patch b/images/nginx/rootfs/patches/nginx-1.21.4-single_process_graceful_exit.patch similarity index 100% rename from images/nginx/rootfs/patches/nginx-1.19.9-single_process_graceful_exit.patch rename to images/nginx/rootfs/patches/nginx-1.21.4-single_process_graceful_exit.patch diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-socket_cloexec.patch b/images/nginx/rootfs/patches/nginx-1.21.4-socket_cloexec.patch similarity index 100% rename from images/nginx/rootfs/patches/nginx-1.19.9-socket_cloexec.patch rename to images/nginx/rootfs/patches/nginx-1.21.4-socket_cloexec.patch diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-ssl_cert_cb_yield.patch b/images/nginx/rootfs/patches/nginx-1.21.4-ssl_cert_cb_yield.patch similarity index 100% rename from images/nginx/rootfs/patches/nginx-1.19.9-ssl_cert_cb_yield.patch rename to images/nginx/rootfs/patches/nginx-1.21.4-ssl_cert_cb_yield.patch diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-ssl_sess_cb_yield.patch b/images/nginx/rootfs/patches/nginx-1.21.4-ssl_sess_cb_yield.patch similarity index 100% rename from images/nginx/rootfs/patches/nginx-1.19.9-ssl_sess_cb_yield.patch rename to images/nginx/rootfs/patches/nginx-1.21.4-ssl_sess_cb_yield.patch diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-stream_proxy_get_next_upstream_tries.patch b/images/nginx/rootfs/patches/nginx-1.21.4-stream_proxy_get_next_upstream_tries.patch similarity index 100% rename from images/nginx/rootfs/patches/nginx-1.19.9-stream_proxy_get_next_upstream_tries.patch rename to images/nginx/rootfs/patches/nginx-1.21.4-stream_proxy_get_next_upstream_tries.patch diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-stream_ssl_preread_no_skip.patch b/images/nginx/rootfs/patches/nginx-1.21.4-stream_ssl_preread_no_skip.patch similarity index 100% rename from images/nginx/rootfs/patches/nginx-1.19.9-stream_ssl_preread_no_skip.patch rename to images/nginx/rootfs/patches/nginx-1.21.4-stream_ssl_preread_no_skip.patch diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-upstream_pipelining.patch b/images/nginx/rootfs/patches/nginx-1.21.4-upstream_pipelining.patch similarity index 100% rename from images/nginx/rootfs/patches/nginx-1.19.9-upstream_pipelining.patch rename to images/nginx/rootfs/patches/nginx-1.21.4-upstream_pipelining.patch diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-upstream_timeout_fields.patch b/images/nginx/rootfs/patches/nginx-1.21.4-upstream_timeout_fields.patch similarity index 100% rename from images/nginx/rootfs/patches/nginx-1.19.9-upstream_timeout_fields.patch rename to images/nginx/rootfs/patches/nginx-1.21.4-upstream_timeout_fields.patch diff --git a/images/nginx/rootfs/patches/patch.2021.resolver.txt b/images/nginx/rootfs/patches/patch.2021.resolver.txt deleted file mode 100644 index 6c895e61c..000000000 --- a/images/nginx/rootfs/patches/patch.2021.resolver.txt +++ /dev/null @@ -1,23 +0,0 @@ -diff --git src/core/ngx_resolver.c src/core/ngx_resolver.c ---- src/core/ngx_resolver.c -+++ src/core/ngx_resolver.c -@@ -4008,15 +4008,15 @@ done: - n = *src++; - - } else { -+ if (dst != name->data) { -+ *dst++ = '.'; -+ } -+ - ngx_strlow(dst, src, n); - dst += n; - src += n; - - n = *src++; -- -- if (n != 0) { -- *dst++ = '.'; -- } - } - - if (n == 0) { From 0b5e0685112e4537ee20a0bdbba451e9f6158aa3 Mon Sep 17 00:00:00 2001 From: Jintao Zhang Date: Mon, 31 Oct 2022 22:10:45 +0800 Subject: [PATCH 002/405] chore: update NGINX to 1.21.6 (#9231) Signed-off-by: Jintao Zhang Signed-off-by: Jintao Zhang --- images/nginx/rootfs/build.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh index cfea7b7c8..5a6394fd9 100755 --- a/images/nginx/rootfs/build.sh +++ b/images/nginx/rootfs/build.sh @@ -18,7 +18,7 @@ set -o errexit set -o nounset set -o pipefail -export NGINX_VERSION=1.21.4 +export NGINX_VERSION=1.21.6 # Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.1...master export NDK_VERSION=0.3.1 @@ -202,7 +202,7 @@ mkdir --verbose -p "$BUILD_PATH" cd "$BUILD_PATH" # download, verify and extract the source files -get_src d1f72f474e71bcaaf465dcc7e6f7b6a4705e4b1ed95c581af31df697551f3bfe \ +get_src 66dc7081488811e9f925719e34d1b4504c2801c81dee2920e5452a86b11405ae \ "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz" get_src 0e971105e210d272a497567fa2e2c256f4e39b845a5ba80d373e26ba1abfbd85 \ From 8c698778a3c0a14a3c2579a451cb5aede294d8c7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 31 Oct 2022 09:24:45 -0700 Subject: [PATCH 003/405] Bump actions/dependency-review-action from 2.5.0 to 2.5.1 (#9237) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.0 to 2.5.1. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/fd675ced9c17f1393071e1a2e685ab527e585a0c...0efb1d1d84fc9633afcdaad14c485cbbc90ef46c) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/depreview.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/depreview.yaml b/.github/workflows/depreview.yaml index 18ab95a6a..85c91d664 100644 --- a/.github/workflows/depreview.yaml +++ b/.github/workflows/depreview.yaml @@ -11,4 +11,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 #v3.0.2 - name: 'Dependency Review' - uses: actions/dependency-review-action@fd675ced9c17f1393071e1a2e685ab527e585a0c #v2.0.2 + uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c #v2.0.2 From 709e984ff673664996fd67b12ec195bdbfa3896c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 4 Nov 2022 09:52:15 -0700 Subject: [PATCH 004/405] Bump github/codeql-action from 2.1.28 to 2.1.29 (#9236) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.28 to 2.1.29. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/cc7986c02bac29104a72998e67239bb5ee2ee110...ec3cf9c605b848da5f1e41e8452719eb1ccfb9a6) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecards.yml | 2 +- .github/workflows/vulnerability-scans.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 762634db0..90fb2d3d4 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -57,6 +57,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@cc7986c02bac29104a72998e67239bb5ee2ee110 # v2.1.14 + uses: github/codeql-action/upload-sarif@ec3cf9c605b848da5f1e41e8452719eb1ccfb9a6 # v2.1.14 with: sarif_file: results.sarif diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index 34c4f1901..004370a90 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -75,7 +75,7 @@ jobs: # This step checks out a copy of your repository. - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@cc7986c02bac29104a72998e67239bb5ee2ee110 + uses: github/codeql-action/upload-sarif@ec3cf9c605b848da5f1e41e8452719eb1ccfb9a6 with: token: ${{ github.token }} # Path to SARIF file relative to the root of the repository From 12c60288ffc829f22ba23ea53bbb9660e91fd85d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 4 Nov 2022 09:54:14 -0700 Subject: [PATCH 005/405] Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (#9233) Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.6.0 to 1.6.1. - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](https://github.com/spf13/cobra/compare/v1.6.0...v1.6.1) --- updated-dependencies: - dependency-name: github.com/spf13/cobra dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index a1b307b36..58c4c58de 100644 --- a/go.mod +++ b/go.mod @@ -20,7 +20,7 @@ require ( github.com/prometheus/client_golang v1.13.0 github.com/prometheus/client_model v0.3.0 github.com/prometheus/common v0.37.0 - github.com/spf13/cobra v1.6.0 + github.com/spf13/cobra v1.6.1 github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.8.1 github.com/yudai/gojsondiff v1.0.0 diff --git a/go.sum b/go.sum index 529555a3a..30d65e6b4 100644 --- a/go.sum +++ b/go.sum @@ -550,8 +550,8 @@ github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkU github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo= github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk= -github.com/spf13/cobra v1.6.0 h1:42a0n6jwCot1pUmomAp4T7DeMD+20LFv4Q54pxLf2LI= -github.com/spf13/cobra v1.6.0/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY= +github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA= +github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= From cf4fb7d8120b770abac78d28d90971266fa83449 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 4 Nov 2022 09:56:14 -0700 Subject: [PATCH 006/405] Bump actions/upload-artifact from 3.1.0 to 3.1.1 (#9234) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.0 to 3.1.1. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/3cea5372237819ed00197afe530f5a7ea3e805c8...83fd05a356d7e2593de66fc9913b3002723633cb) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yaml | 2 +- .github/workflows/scorecards.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 25cc509f0..7c61d2e4a 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -114,7 +114,7 @@ jobs: | pigz > docker.tar.gz - name: cache - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 with: name: docker.tar.gz path: docker.tar.gz diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 90fb2d3d4..fae11715f 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -49,7 +49,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.0.0 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.0.0 with: name: SARIF file path: results.sarif From 3c32413e30703383ddf32bbe9a1e531d4169e6d4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 4 Nov 2022 09:58:14 -0700 Subject: [PATCH 007/405] Bump azure/setup-helm from 3.3 to 3.4 (#9235) Bumps [azure/setup-helm](https://github.com/azure/setup-helm) from 3.3 to 3.4. - [Release notes](https://github.com/azure/setup-helm/releases) - [Commits](https://github.com/azure/setup-helm/compare/b5b231a831f96336bbfeccc1329990f0005c5bb1...f382f75448129b3be48f8121b9857be18d815a82) --- updated-dependencies: - dependency-name: azure/setup-helm dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 7c61d2e4a..3410b326b 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -239,7 +239,7 @@ jobs: failOnError: false - name: Prepare cluster for testing - uses: azure/setup-helm@b5b231a831f96336bbfeccc1329990f0005c5bb1 #v2.1 + uses: azure/setup-helm@f382f75448129b3be48f8121b9857be18d815a82 #v2.1 with: version: 'v3.8.0' id: local-path @@ -296,7 +296,7 @@ jobs: failOnError: false - name: Prepare cluster for testing - uses: azure/setup-helm@b5b231a831f96336bbfeccc1329990f0005c5bb1 #v2.1 + uses: azure/setup-helm@f382f75448129b3be48f8121b9857be18d815a82 #v2.1 with: version: 'v3.8.0' id: local-path From 490ecffc5242be8c54f8735d4af4d4ccad39acb7 Mon Sep 17 00:00:00 2001 From: Tomas Hulata Date: Sat, 5 Nov 2022 22:22:15 +0100 Subject: [PATCH 008/405] fix svc long name (#9245) Signed-off-by: tombokombo Signed-off-by: tombokombo --- .../ingress/controller/store/endpointslice.go | 15 ++++- .../controller/store/endpointslice_test.go | 39 +++++++++++++ test/e2e/e2e.go | 1 + test/e2e/endpointslices/longname.go | 55 +++++++++++++++++++ test/e2e/framework/deployment.go | 6 ++ 5 files changed, 115 insertions(+), 1 deletion(-) create mode 100644 test/e2e/endpointslices/longname.go diff --git a/internal/ingress/controller/store/endpointslice.go b/internal/ingress/controller/store/endpointslice.go index fdd7374e9..78d088695 100644 --- a/internal/ingress/controller/store/endpointslice.go +++ b/internal/ingress/controller/store/endpointslice.go @@ -21,6 +21,7 @@ import ( "strings" discoveryv1 "k8s.io/api/discovery/v1" + apiNames "k8s.io/apiserver/pkg/storage/names" "k8s.io/client-go/tools/cache" ) @@ -32,9 +33,21 @@ type EndpointSliceLister struct { // MatchByKey returns the EndpointsSlices of the Service matching key in the local Endpoint Store. func (s *EndpointSliceLister) MatchByKey(key string) ([]*discoveryv1.EndpointSlice, error) { var eps []*discoveryv1.EndpointSlice + keyNsLen := strings.Index(key, "/") + if keyNsLen < -1 { + keyNsLen = 0 + } else { + // count '/' char + keyNsLen += 1 + } // filter endpointSlices owned by svc for _, listKey := range s.ListKeys() { - if !strings.HasPrefix(listKey, key) { + if len(key) < (apiNames.MaxGeneratedNameLength+keyNsLen) && !strings.HasPrefix(listKey, key) { + continue + } + // generated endpointslices names has truncated svc name as prefix when svc name is too long, we compare only non truncated part + // https://github.com/kubernetes/ingress-nginx/issues/9240 + if len(key) >= (apiNames.MaxGeneratedNameLength+keyNsLen) && !strings.HasPrefix(listKey, key[:apiNames.MaxGeneratedNameLength+keyNsLen-1]) { continue } epss, exists, err := s.GetByKey(listKey) diff --git a/internal/ingress/controller/store/endpointslice_test.go b/internal/ingress/controller/store/endpointslice_test.go index fdc51c0e4..e12a98c2f 100644 --- a/internal/ingress/controller/store/endpointslice_test.go +++ b/internal/ingress/controller/store/endpointslice_test.go @@ -17,6 +17,7 @@ limitations under the License. package store import ( + "fmt" "testing" discoveryv1 "k8s.io/api/discovery/v1" @@ -91,4 +92,42 @@ func TestEndpointSliceLister(t *testing.T) { t.Errorf("expected %v, error, got %v", endpointSlice.GetName(), eps[0].GetName()) } }) + t.Run("svc long name", func(t *testing.T) { + el := newEndpointSliceLister(t) + ns := "namespace" + ns2 := "another-ns" + svcName := "test-backend-http-test-http-test-http-test-http-test-http-truncated" + svcName2 := "another-long-svc-name-for-test-inhttp-test-http-test-http-truncated" + key := fmt.Sprintf("%s/%s", ns, svcName) + endpointSlice := &discoveryv1.EndpointSlice{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: ns, + Name: "test-backend-http-test-http-test-http-test-http-test-http-bar88", + Labels: map[string]string{ + discoveryv1.LabelServiceName: svcName, + }, + }, + } + el.Add(endpointSlice) + endpointSlice2 := &discoveryv1.EndpointSlice{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: ns2, + Name: "another-long-svc-name-for-test-inhttp-test-http-test-http-bar88", + Labels: map[string]string{ + discoveryv1.LabelServiceName: svcName2, + }, + }, + } + el.Add(endpointSlice2) + eps, err := el.MatchByKey(key) + if err != nil { + t.Errorf("unexpeted error %v", err) + } + if len(eps) != 1 { + t.Errorf("expected one slice %v, error, got %d slices", endpointSlice, len(eps)) + } + if len(eps) == 1 && eps[0].Labels[discoveryv1.LabelServiceName] != svcName { + t.Errorf("expected slice %v, error, got %v slices", endpointSlice, eps[0]) + } + }) } diff --git a/test/e2e/e2e.go b/test/e2e/e2e.go index c7010b977..57b047230 100644 --- a/test/e2e/e2e.go +++ b/test/e2e/e2e.go @@ -34,6 +34,7 @@ import ( _ "k8s.io/ingress-nginx/test/e2e/annotations/modsecurity" _ "k8s.io/ingress-nginx/test/e2e/dbg" _ "k8s.io/ingress-nginx/test/e2e/defaultbackend" + _ "k8s.io/ingress-nginx/test/e2e/endpointslices" _ "k8s.io/ingress-nginx/test/e2e/gracefulshutdown" _ "k8s.io/ingress-nginx/test/e2e/ingress" _ "k8s.io/ingress-nginx/test/e2e/leaks" diff --git a/test/e2e/endpointslices/longname.go b/test/e2e/endpointslices/longname.go new file mode 100644 index 000000000..0adb66767 --- /dev/null +++ b/test/e2e/endpointslices/longname.go @@ -0,0 +1,55 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package endpointslices + +import ( + "fmt" + "net/http" + "strings" + + "github.com/onsi/ginkgo/v2" + + "k8s.io/ingress-nginx/test/e2e/framework" +) + +var _ = framework.IngressNginxDescribe("[Endpointslices] long service name", func() { + f := framework.NewDefaultFramework("endpointslices") + host := "longsvcname.foo.com" + name := "long-name-foobar-foobar-foobar-foobar-foobar-bar-foo-bar-foobuz" + + ginkgo.BeforeEach(func() { + f.NewEchoDeployment(framework.WithName(name)) + }) + + ginkgo.It("should return 200 when service name has max allowed number of characters 63", func() { + + annotations := make(map[string]string) + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, name, 80, annotations) + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, func(server string) bool { + return strings.Contains(server, fmt.Sprintf("server_name %s", host)) + }) + + ginkgo.By("checking if the service is reached") + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK) + }) +}) diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go index b37060af1..cb6ef9acc 100644 --- a/test/e2e/framework/deployment.go +++ b/test/e2e/framework/deployment.go @@ -67,6 +67,12 @@ func WithDeploymentReplicas(r int) func(*deploymentOptions) { } } +func WithName(n string) func(*deploymentOptions) { + return func(o *deploymentOptions) { + o.name = n + } +} + // NewEchoDeployment creates a new single replica deployment of the echo server image in a particular namespace func (f *Framework) NewEchoDeployment(opts ...func(*deploymentOptions)) { options := &deploymentOptions{ From 4bd7e176d81a8a055aeddf678626cce99190b96e Mon Sep 17 00:00:00 2001 From: James Strong Date: Sun, 6 Nov 2022 18:36:16 -0500 Subject: [PATCH 009/405] update base image of nginx to 1.21.6 (#9257) * add workflow dispatch and update nginx base Signed-off-by: James Strong * e2e were failing, added a go mod tidy Signed-off-by: James Strong * e2e were failing, added a go mod tidy Signed-off-by: James Strong * push mod and sum from main Signed-off-by: James Strong * Update NGINX_BASE Co-authored-by: Jintao Zhang Signed-off-by: James Strong Co-authored-by: Jintao Zhang --- .github/workflows/ci.yaml | 15 ++++++++++++--- NGINX_BASE | 2 +- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 3410b326b..695799991 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -9,6 +9,13 @@ on: branches: - main + workflow_dispatch: + inputs: + run_e2e: + description: 'Force e2e to run' + required: true + type: boolean + permissions: contents: read @@ -40,9 +47,11 @@ jobs: - 'rootfs/**/*' - 'TAG' - 'test/e2e/**/*' + - 'NGINX_BASE' charts: - 'charts/ingress-nginx/Chart.yaml' - 'charts/ingress-nginx/**/*' + - 'NGINX_BASE' security: @@ -126,7 +135,7 @@ jobs: - changes - build if: | - (needs.changes.outputs.charts == 'true') + (needs.changes.outputs.charts == 'true') || ${{ inputs.run_e2e }} strategy: matrix: @@ -209,7 +218,7 @@ jobs: - changes - build if: | - (needs.changes.outputs.go == 'true') + (needs.changes.outputs.go == 'true') || ${{ inputs.run_e2e }} strategy: matrix: @@ -266,7 +275,7 @@ jobs: - changes - build if: | - (needs.changes.outputs.go == 'true') + (needs.changes.outputs.go == 'true') || ${{ inputs.run_e2e }} strategy: matrix: diff --git a/NGINX_BASE b/NGINX_BASE index bc477308f..45654c627 100644 --- a/NGINX_BASE +++ b/NGINX_BASE @@ -1 +1 @@ -registry.k8s.io/ingress-nginx/nginx:9fdbef829c327b95a3c6d6816a301df41bda997f@sha256:46c27294e467f46d0006ad1eb5fd3f7005eb3cbd00dd43be2ed9b02edfc6e828 +registry.k8s.io/ingress-nginx/nginx:0b5e0685112e4537ee20a0bdbba451e9f6158aa3@sha256:3f5e28bb248d5170e77b77fc2a1a385724aeff41a0b34b5afad7dd9cf93de000 From 5a42ec4f35ae6d62b240f61ceb075459aaece16e Mon Sep 17 00:00:00 2001 From: Ehsan Saei <71217171+esigo@users.noreply.github.com> Date: Tue, 8 Nov 2022 00:44:17 +0100 Subject: [PATCH 010/405] Fix CVE-2022-32149 (#9258) * Fix CVE-2022-32149 * fix CI --- go.sum | 9 --------- images/ext-auth-example-authsvc/rootfs/go.sum | 7 +------ images/kube-webhook-certgen/rootfs/go.mod | 4 ++-- images/kube-webhook-certgen/rootfs/go.sum | 13 ++++--------- 4 files changed, 7 insertions(+), 26 deletions(-) diff --git a/go.sum b/go.sum index 30d65e6b4..caed22265 100644 --- a/go.sum +++ b/go.sum @@ -862,15 +862,6 @@ golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuX golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= diff --git a/images/ext-auth-example-authsvc/rootfs/go.sum b/images/ext-auth-example-authsvc/rootfs/go.sum index 6e3fab295..045452c23 100644 --- a/images/ext-auth-example-authsvc/rootfs/go.sum +++ b/images/ext-auth-example-authsvc/rootfs/go.sum @@ -141,12 +141,7 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= diff --git a/images/kube-webhook-certgen/rootfs/go.mod b/images/kube-webhook-certgen/rootfs/go.mod index 5ac181823..22c4424ea 100644 --- a/images/kube-webhook-certgen/rootfs/go.mod +++ b/images/kube-webhook-certgen/rootfs/go.mod @@ -31,9 +31,9 @@ require ( github.com/tidwall/gjson v1.14.0 // indirect golang.org/x/net v0.0.0-20211209124913-491a49abca63 // indirect golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect - golang.org/x/sys v0.0.0-20210616094352-59db8d763f22 // indirect + golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d // indirect - golang.org/x/text v0.3.6 // indirect + golang.org/x/text v0.4.0 // indirect golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect google.golang.org/appengine v1.6.5 // indirect google.golang.org/protobuf v1.26.0 // indirect diff --git a/images/kube-webhook-certgen/rootfs/go.sum b/images/kube-webhook-certgen/rootfs/go.sum index 5889d4e49..13ce4b641 100644 --- a/images/kube-webhook-certgen/rootfs/go.sum +++ b/images/kube-webhook-certgen/rootfs/go.sum @@ -543,20 +543,15 @@ golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210616094352-59db8d763f22 h1:RqytpXGR1iVNX7psjB3ff8y7sNFinVFvkx1c8SjBkio= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f h1:v4INt8xihDGvnrfjMDVXGxw9wrfxYyCjk0KbXjhR55s= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d h1:SZxvLBoTP5yHO3Frd4z4vrF+DBX9vMVanchswa69toE= golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M= -golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From 90a9d6457536158b433719ff4a9a7ed5b4356c06 Mon Sep 17 00:00:00 2001 From: Ehsan Saei <71217171+esigo@users.noreply.github.com> Date: Tue, 8 Nov 2022 00:46:17 +0100 Subject: [PATCH 011/405] Fix CVE-2022-1996 (#9244) * CVE-2022-1996 * clean * fix * fix --- go.mod | 2 +- go.sum | 6 +++--- images/kube-webhook-certgen/rootfs/go.sum | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index 58c4c58de..103a74005 100644 --- a/go.mod +++ b/go.mod @@ -61,7 +61,7 @@ require ( github.com/cyphar/filepath-securejoin v0.2.3 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/eapache/queue v1.1.0 // indirect - github.com/emicklei/go-restful/v3 v3.8.0 // indirect + github.com/emicklei/go-restful/v3 v3.9.0 // indirect github.com/evanphx/json-patch v4.12.0+incompatible // indirect github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b // indirect github.com/go-errors/errors v1.0.1 // indirect diff --git a/go.sum b/go.sum index caed22265..010a929d0 100644 --- a/go.sum +++ b/go.sum @@ -154,9 +154,9 @@ github.com/eapache/queue v1.1.0 h1:YOEu7KNc61ntiQlcEeUIoDTJ2o8mQznoNvUhiigpIqc= github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/emicklei/go-restful/v3 v3.8.0 h1:eCZ8ulSerjdAiaNpF7GxXIE7ZCMo1moN1qX+S609eVw= -github.com/emicklei/go-restful/v3 v3.8.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful v2.16.0+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= +github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= diff --git a/images/kube-webhook-certgen/rootfs/go.sum b/images/kube-webhook-certgen/rootfs/go.sum index 13ce4b641..61f5a8b34 100644 --- a/images/kube-webhook-certgen/rootfs/go.sum +++ b/images/kube-webhook-certgen/rootfs/go.sum @@ -88,7 +88,7 @@ github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful v2.16.0+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= From 5cba77c2f9d1a6a53c21df8ec4840e36c6eea414 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Nov 2022 15:48:16 -0800 Subject: [PATCH 012/405] Bump github.com/prometheus/client_golang from 1.13.0 to 1.13.1 (#9262) Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.13.0 to 1.13.1. - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/v1.13.1/CHANGELOG.md) - [Commits](https://github.com/prometheus/client_golang/compare/v1.13.0...v1.13.1) --- updated-dependencies: - dependency-name: github.com/prometheus/client_golang dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 103a74005..f5bc85af1 100644 --- a/go.mod +++ b/go.mod @@ -17,7 +17,7 @@ require ( github.com/onsi/ginkgo/v2 v2.4.0 github.com/opencontainers/runc v1.1.4 github.com/pmezard/go-difflib v1.0.0 - github.com/prometheus/client_golang v1.13.0 + github.com/prometheus/client_golang v1.13.1 github.com/prometheus/client_model v0.3.0 github.com/prometheus/common v0.37.0 github.com/spf13/cobra v1.6.1 diff --git a/go.sum b/go.sum index 010a929d0..4059a3604 100644 --- a/go.sum +++ b/go.sum @@ -490,8 +490,8 @@ github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5Fsn github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= -github.com/prometheus/client_golang v1.13.0 h1:b71QUfeo5M8gq2+evJdTPfZhYMAU0uKPkyPJ7TPsloU= -github.com/prometheus/client_golang v1.13.0/go.mod h1:vTeo+zgvILHsnnj/39Ou/1fPN5nJFOEMgftOUOmlvYQ= +github.com/prometheus/client_golang v1.13.1 h1:3gMjIY2+/hzmqhtUC/aQNYldJA6DtH3CgQvwS+02K1c= +github.com/prometheus/client_golang v1.13.1/go.mod h1:vTeo+zgvILHsnnj/39Ou/1fPN5nJFOEMgftOUOmlvYQ= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= From 6b22d5a7444ae83caba8404cd1c687f3ecffc507 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Nov 2022 15:50:16 -0800 Subject: [PATCH 013/405] Bump github/codeql-action from 2.1.29 to 2.1.31 (#9263) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.29 to 2.1.31. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/ec3cf9c605b848da5f1e41e8452719eb1ccfb9a6...c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecards.yml | 2 +- .github/workflows/vulnerability-scans.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index fae11715f..7e936c08b 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -57,6 +57,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@ec3cf9c605b848da5f1e41e8452719eb1ccfb9a6 # v2.1.14 + uses: github/codeql-action/upload-sarif@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898 # v2.1.14 with: sarif_file: results.sarif diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index 004370a90..f33a550dd 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -75,7 +75,7 @@ jobs: # This step checks out a copy of your repository. - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@ec3cf9c605b848da5f1e41e8452719eb1ccfb9a6 + uses: github/codeql-action/upload-sarif@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898 with: token: ${{ github.token }} # Path to SARIF file relative to the root of the repository From 644f05dd755fe595fb9ca7dcf4d5609b2dd3e99c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Nov 2022 15:52:16 -0800 Subject: [PATCH 014/405] Bump aquasecurity/trivy-action from 0.7.1 to 0.8.0 (#9264) Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.7.1 to 0.8.0. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](https://github.com/aquasecurity/trivy-action/compare/d63413b0a4a4482237085319f7f4a1ce99a8f2ac...9ab158e8597f3b310480b9a69402b419bc03dbd5) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/vulnerability-scans.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index f33a550dd..6cb1dada7 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -60,7 +60,7 @@ jobs: - name: Scan image with AquaSec/Trivy id: scan - uses: aquasecurity/trivy-action@d63413b0a4a4482237085319f7f4a1ce99a8f2ac #v0.5.1 + uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 #v0.5.1 with: image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }} format: 'sarif' From ae3c2464d6571ccbca7ec59b598e711127d97789 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 8 Nov 2022 00:00:34 +0000 Subject: [PATCH 015/405] Bump sigs.k8s.io/controller-runtime from 0.11.2 to 0.13.1 Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.11.2 to 0.13.1. - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/master/RELEASE.md) - [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.11.2...v0.13.1) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 12 ++- go.sum | 286 ++++++--------------------------------------------------- 2 files changed, 35 insertions(+), 263 deletions(-) diff --git a/go.mod b/go.mod index f5bc85af1..3be4325f6 100644 --- a/go.mod +++ b/go.mod @@ -30,16 +30,16 @@ require ( gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 k8s.io/api v0.25.3 - k8s.io/apiextensions-apiserver v0.23.5 + k8s.io/apiextensions-apiserver v0.25.0 k8s.io/apimachinery v0.25.3 k8s.io/apiserver v0.25.0 k8s.io/cli-runtime v0.25.0 k8s.io/client-go v0.25.3 - k8s.io/code-generator v0.23.5 + k8s.io/code-generator v0.25.0 k8s.io/component-base v0.25.3 k8s.io/klog/v2 v2.80.1 pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 - sigs.k8s.io/controller-runtime v0.11.2 + sigs.k8s.io/controller-runtime v0.13.1 sigs.k8s.io/mdtoc v1.1.0 ) @@ -63,6 +63,7 @@ require ( github.com/eapache/queue v1.1.0 // indirect github.com/emicklei/go-restful/v3 v3.9.0 // indirect github.com/evanphx/json-patch v4.12.0+incompatible // indirect + github.com/evanphx/json-patch/v5 v5.6.0 // indirect github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b // indirect github.com/go-errors/errors v1.0.1 // indirect github.com/go-logr/logr v1.2.3 // indirect @@ -86,6 +87,7 @@ require ( github.com/josharian/intern v1.0.0 // indirect github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect github.com/mailru/easyjson v0.7.6 // indirect + github.com/mattn/go-colorable v0.1.13 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect github.com/mmarkdown/mmark v2.0.40+incompatible // indirect github.com/moby/sys/mountinfo v0.5.0 // indirect @@ -110,7 +112,7 @@ require ( golang.org/x/sys v0.1.0 // indirect golang.org/x/term v0.1.0 // indirect golang.org/x/text v0.4.0 // indirect - golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect + golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect golang.org/x/tools v0.2.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21 // indirect @@ -119,7 +121,7 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c // indirect + k8s.io/gengo v0.0.0-20211129171323-c02415ce4185 // indirect k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect diff --git a/go.sum b/go.sum index 4059a3604..322c6b4aa 100644 --- a/go.sum +++ b/go.sum @@ -34,7 +34,6 @@ cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4g cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= -cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= @@ -45,14 +44,10 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= -github.com/Azure/go-ansiterm v0.0.0-20210608223527-2377c96fe795/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= -github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= -github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= github.com/Azure/go-autorest/autorest v0.11.27 h1:F3R3q42aWytozkV8ihzcgMO4OA4cuqr3bNlsEuF6//A= github.com/Azure/go-autorest/autorest v0.11.27/go.mod h1:7l8ybrIdUmGqZMTD0sRtAr8NvbHjfofbf8RSP2q7w7U= -github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= github.com/Azure/go-autorest/autorest/adal v0.9.20 h1:gJ3E98kMpFB1MFqQCvA1yFab8vthOeD4VlFRQULxahg= github.com/Azure/go-autorest/autorest/adal v0.9.20/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= @@ -68,8 +63,6 @@ github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBp github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= -github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI= github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= @@ -81,28 +74,15 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRF github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= -github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20210826220005-b48c857c3a0e/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY= -github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= -github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a h1:AP/vsCIvJZ129pdm9Ek7bH7yutN3hByqsMoNrWAxRQc= github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a/go.mod h1:QmP9hvJ91BbJmGVGSbutW19IC0Q9phDCLGaomwTJbgU= -github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= -github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= -github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM= -github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= -github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= -github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84= -github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM= -github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= -github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE= @@ -121,40 +101,23 @@ github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWH github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo= -github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA= -github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI= github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U= -github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= -github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= -github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= -github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= -github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzAJc1DzSI= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= -github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= -github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI= github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= -github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= -github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/eapache/channels v1.1.0 h1:F1taHcn7/F0i8DYqKXJnyhJcVpp2kgFcNePxXtnyu4k= github.com/eapache/channels v1.1.0/go.mod h1:jMm2qB5Ubtg9zLd+inMZd2/NUvXgzmWXsDaLyQIGfH0= github.com/eapache/queue v1.1.0 h1:YOEu7KNc61ntiQlcEeUIoDTJ2o8mQznoNvUhiigpIqc= github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= -github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= -github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/emicklei/go-restful v2.16.0+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= @@ -168,19 +131,13 @@ github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go. github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= -github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= -github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= -github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= +github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= +github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= -github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= -github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b h1:074/xhloHUBOpTZwlIzQ28rbPY8pNJvzY7Gcx5KnNOk= github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA= -github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg= -github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-errors/errors v1.0.1 h1:LUHzmkK3GUKUrL/1gfBUxAHzcev3apQlezX/+O7ma6w= github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= @@ -200,12 +157,10 @@ github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTg github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0= github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/zapr v1.2.0/go.mod h1:Qa4Bsj2Vb+FAVeAKsLD8RLQ+YRJB8YDmOAKxaBQf7Ro= github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A= github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY= github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= github.com/go-openapi/jsonreference v0.19.5 h1:1WJP/wi4OjB4iV8KVbH73rQaoialJrqv8gitZLxGLtM= github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg= github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= @@ -216,16 +171,12 @@ github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5x github.com/godbus/dbus/v5 v5.0.6 h1:mkgN1ofwASrYnJ5W6U/BxG15eXXXjirgZc7CLqkcaro= github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= -github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= -github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU= github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= -github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= @@ -265,8 +216,6 @@ github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Z github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4= github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= -github.com/google/cel-go v0.9.0/go.mod h1:U7ayypeSkw23szu4GaQTPJGx66c20mx8JklMSxrmI1w= -github.com/google/cel-spec v0.6.0/go.mod h1:Nwjgxy5CbjlPrtCWjeDjUyKMl8w41YBYGjsyDdqk0xA= github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54= github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= @@ -313,49 +262,18 @@ github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+ github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0= -github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU= -github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA= -github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= -github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= -github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= -github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= -github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y= -github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= -github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= -github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= -github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= -github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= -github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= -github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= -github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= -github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= -github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= -github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= -github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= -github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= -github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= -github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= -github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= -github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= -github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= -github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= -github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= -github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc= github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= -github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= +github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= @@ -366,16 +284,12 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= -github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= -github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= -github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= @@ -390,41 +304,27 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= -github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= -github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA= github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= -github.com/mattn/go-colorable v0.0.9 h1:UVL0vNpWh04HeJXV0KLcaT7r06gOH2l4OW6ddYRUIY4= -github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= -github.com/mattn/go-isatty v0.0.3 h1:ns/ykhmWi7G9O+8a448SecJU3nSMBXJfqQkl0upE1jI= -github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= +github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= +github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ= +github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= -github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= -github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= -github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= -github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc= github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg= -github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= -github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= github.com/mitchellh/hashstructure v1.1.0 h1:P6P1hdjqAAknpY/M1CGipelZgp+4y9ja9kmUZPXP+H0= github.com/mitchellh/hashstructure v1.1.0/go.mod h1:xUDAozZz0Wmdiufv0uyhnHkUTN6/6d8ulp4AwfLKrmA= -github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= -github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= -github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= -github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mmarkdown/mmark v2.0.40+incompatible h1:vMeUeDzBK3H+/mU0oMVfMuhSXJlIA+DE/DMPQNAj5C4= github.com/mmarkdown/mmark v2.0.40+incompatible/go.mod h1:Uvmoz7tvsWpr7bMVxIpqZPyN3FbOtzDmnsJDFp7ltJs= -github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= github.com/moby/sys/mountinfo v0.5.0 h1:2Ks8/r6lopsxWi9m58nlwjaeSzUX9iiL1vj5qB/9ObI= github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU= -github.com/moby/term v0.0.0-20210610120745-9d4ed1856297/go.mod h1:vgPCkQMyxTZ7IDy8SXRufE172gr8+K/JE/7hHFxHW3A= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= @@ -437,41 +337,26 @@ github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod github.com/moul/pb v0.0.0-20220425114252-bca18df4138c h1:1STmblv9zmHLDpru4dbnf1PNL6wrrZNf7yBH+SfQU+s= github.com/moul/pb v0.0.0-20220425114252-bca18df4138c/go.mod h1:jE2HT8eoucYyUPBFJMreiVlC3KPHkDMtN8wn+ef7Y64= github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= -github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= -github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= github.com/ncabatoff/fakescraper v0.0.0-20201102132415-4b37ba603d65/go.mod h1:Tx6UMSMyIsjLG/VU/F6xA1+0XI+/f9o1dGJnf1l+bPg= github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833 h1:t4WWQ9I797y7QUgeEjeXnVb+oYuEDQc6gLvrZJTYo94= github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833/go.mod h1:0CznHmXSjMEqs5Tezj/w2emQoM41wzYM9KpDKUHPYag= github.com/ncabatoff/process-exporter v0.7.10 h1:+Ere7+3se6QqP54gg7aBRagWcL8bq3u5zNi/GRSWeKQ= github.com/ncabatoff/process-exporter v0.7.10/go.mod h1:DHZRZjqxw9LCOpLlX0DjBuyn6d5plh41Jv6Tmttj7Ek= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= -github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= -github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= -github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= -github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo/v2 v2.4.0 h1:+Ig9nvqgS5OBSACXNk15PLdp0U9XPYROt9CFzVdFGIs= github.com/onsi/ginkgo/v2 v2.4.0/go.mod h1:iHkDK1fKGcBoEHT5W7YBq4RFWaQulw+caOMkAt4OrFo= -github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= -github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= -github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.22.1 h1:pY8O4lBfsHKZHM/6nrxkhVPUznOlIu3quZcKP/M20KI= github.com/opencontainers/runc v1.1.4 h1:nRCz/8sKg6K6jgYAFLDlXzPeITBZJyX28DBVhWD+5dg= github.com/opencontainers/runc v1.1.4/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI= -github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= -github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= -github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= -github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= @@ -479,13 +364,9 @@ github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= -github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= -github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= @@ -498,27 +379,21 @@ github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1: github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4= github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w= -github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= -github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= -github.com/prometheus/common v0.28.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/common v0.29.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/common v0.37.0 h1:ccBbHCgIiT9uSoFY0vX8H3zsNR5eLt17/RQLUvn8pXE= github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA= github.com/prometheus/exporter-toolkit v0.7.0/go.mod h1:ZUBIj498ePooX9t/2xtDjeQYwvRpiPP2lh5u4iblj2g= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= -github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo= github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4= -github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= -github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= @@ -526,8 +401,6 @@ github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUA github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= -github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= @@ -535,30 +408,14 @@ github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeV github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= -github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= -github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= -github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= -github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= -github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= -github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= -github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= -github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo= -github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk= github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA= github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY= -github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= -github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= -github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= -github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= @@ -576,15 +433,11 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= -github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= -github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/urfave/cli v1.17.1-0.20160602030128-01a33823596e/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU= -github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/xlab/treeprint v1.1.0 h1:G/1DjNkPpfZCFt9CSh6b5/nY4VimlbHF3Rh4obvtzDk= github.com/xlab/treeprint v1.1.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= github.com/yudai/gojsondiff v1.0.0 h1:27cbfqXLVEJ1o8I6v3y9lg8Ydm53EKqHXAOMxEGlCOA= @@ -598,18 +451,8 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= -github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a h1:CbXWHAnmrtTKgX+yMVVANuRJP8ld88ELbAYAYnBdLJ4= github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a/go.mod h1:/Hzu8ych2oXCs1iNI+MeASyFzWTncQ6nlu/wgqbqC2A= -go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= -go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4= -go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= -go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= -go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ= -go.etcd.io/etcd/client/v3 v3.5.0/go.mod h1:AIKXXVX/DQXtfTEqBryiLTUXwON+GuvO6Z7lLS/oTh0= -go.etcd.io/etcd/pkg/v3 v3.5.0/go.mod h1:UzJGatBQ1lXChBkQF0AuAtkRQMYnHubxAEYIrC3MSsE= -go.etcd.io/etcd/raft/v3 v3.5.0/go.mod h1:UFOHSIvO/nKwd4lhkwabrTD3cqW5yVyYYf/KlD00Szc= -go.etcd.io/etcd/server/v3 v3.5.0/go.mod h1:3Ah5ruV+M+7RZr0+Y/5mNLwC+eQlni+mQmOVdCRJoS4= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= @@ -617,43 +460,20 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= -go.opentelemetry.io/contrib v0.20.0/go.mod h1:G/EtFaa6qaN7+LxqfIAT3GiZa7Wv5DTBUzl5H4LY0Kc= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0/go.mod h1:oVGt1LRbBOBq1A5BQLlUg9UaU/54aiHw8cgjV3aWZ/E= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0/go.mod h1:2AboqHi0CiIZU0qwhtUfCYD1GeUzvvIXWNkhDt7ZMG4= -go.opentelemetry.io/otel v0.20.0/go.mod h1:Y3ugLH2oa81t5QO+Lty+zXf8zC9L26ax4Nzoxm/dooo= -go.opentelemetry.io/otel/exporters/otlp v0.20.0/go.mod h1:YIieizyaN77rtLJra0buKiNBOm9XQfkPEKBeuhoMwAM= -go.opentelemetry.io/otel/metric v0.20.0/go.mod h1:598I5tYlH1vzBjn+BTuhzTCSb/9debfNp6R3s7Pr1eU= -go.opentelemetry.io/otel/oteltest v0.20.0/go.mod h1:L7bgKf9ZB7qCwT9Up7i9/pn0PWIa9FqQ2IQ8LoxiGnw= -go.opentelemetry.io/otel/sdk v0.20.0/go.mod h1:g/IcepuwNsoiX5Byy2nNV0ySUF1em498m7hBWC279Yc= -go.opentelemetry.io/otel/sdk/export/metric v0.20.0/go.mod h1:h7RBNMsDJ5pmI1zExLi+bJK+Dr8NQCh0qGhm1KDnNlE= -go.opentelemetry.io/otel/sdk/metric v0.20.0/go.mod h1:knxiS8Xd4E/N+ZqKmUPf3gTTZ4/0TjTXukfxjzSTpHE= -go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16gUEi0Nf1iBdgw= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 h1:+FNtrFTmVw0YZGpBGX56XDee331t6JAXeK2bcyhLOOc= go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o= -go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= -go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= -go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= -go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4= -go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= -go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= -go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo= -go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= -go.uber.org/zap v1.19.1 h1:ue41HOKd1vGURxrmeKIgELGb3jPW9DMUDGtsinblHwI= +go.uber.org/zap v1.21.0 h1:WefMeulhovoZ2sYXz7st6K0sLj7bBhpiFaud4r4zST8= golang.org/dl v0.0.0-20190829154251-82a15e2f2ead/go.mod h1:IUMfjQLJQd4UTqG1Z90tenwKoCX93Gn3MAQJMOSBsDQ= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU= @@ -697,11 +517,7 @@ golang.org/x/mod v0.6.0 h1:b9gGHsz9/HhJ3HF5DHQytPpuwocVTChQJK3AvoLRD5I= golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= @@ -724,7 +540,6 @@ golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/ golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= @@ -732,7 +547,6 @@ golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81R golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= @@ -741,10 +555,7 @@ golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLd golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0= @@ -760,7 +571,6 @@ golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= @@ -778,12 +588,8 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -795,13 +601,10 @@ golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191002063906-3421d5a6bb1c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -816,14 +619,11 @@ golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -835,7 +635,6 @@ golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -845,53 +644,52 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44= -golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/time v0.0.0-20220609170525-579cf78fd858 h1:Dpdu/EMxGMFgq0CeYMh4fazTD2vtlZRYE7wyynxJb9U= +golang.org/x/time v0.0.0-20220609170525-579cf78fd858/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= @@ -931,7 +729,6 @@ golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.1.6-0.20210820212750-d4cc65f0b2ff/go.mod h1:YD9qOF0M9xpSpdWTBbzEl5e/RnCefISl8E5Noe10jFM= golang.org/x/tools v0.2.0 h1:G6AHpWxTMGY1KyEYoAQ5WTtIekUUvDNjan3ugu60JvE= golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -960,7 +757,6 @@ google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34q google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= -google.golang.org/api v0.44.0/go.mod h1:EBOGZqzyhtvMDoxwS97ctnh0zUmYY6CxqXsc1AvkYD8= google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo= google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4= google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw= @@ -997,7 +793,6 @@ google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfG google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= @@ -1009,7 +804,6 @@ google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201102152239-715cce707fb0/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= @@ -1089,23 +883,15 @@ gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= -gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/go-playground/assert.v1 v1.2.1 h1:xoYuJVE7KT85PYWrN730RguIQO0ePzVRfFMXadIrXTM= gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8bDuhia5mkpMnE= gopkg.in/go-playground/pool.v3 v3.1.1 h1:4Qcj91IsYTpIeRhe/eo6Fz+w6uKWPEghx8vHFTYMfhw= gopkg.in/go-playground/pool.v3 v3.1.1/go.mod h1:pUAGBximS/hccTTSzEop6wvvQhVa3QPDFFW+8REdutg= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= -gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/mcuadros/go-syslog.v2 v2.3.0 h1:kcsiS+WsTKyIEPABJBJtoG0KkOS6yzvJ+/eZlhD79kk= gopkg.in/mcuadros/go-syslog.v2 v2.3.0/go.mod h1:l5LPIyOOyIdQquNg+oU6Z3524YwrcqEm0aKH+5zpt2U= -gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= -gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= -gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= -gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= -gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= @@ -1117,12 +903,9 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= -gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= @@ -1130,39 +913,30 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.23.5/go.mod h1:Na4XuKng8PXJ2JsploYYrivXrINeTaycCGcYgF91Xm8= k8s.io/api v0.25.3 h1:Q1v5UFfYe87vi5H7NU0p4RXC26PPMT8KOpr1TLQbCMQ= k8s.io/api v0.25.3/go.mod h1:o42gKscFrEVjHdQnyRenACrMtbuJsVdP+WVjqejfzmI= -k8s.io/apiextensions-apiserver v0.23.5 h1:5SKzdXyvIJKu+zbfPc3kCbWpbxi+O+zdmAJBm26UJqI= -k8s.io/apiextensions-apiserver v0.23.5/go.mod h1:ntcPWNXS8ZPKN+zTXuzYMeg731CP0heCTl6gYBxLcuQ= -k8s.io/apimachinery v0.23.5/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM= +k8s.io/apiextensions-apiserver v0.25.0 h1:CJ9zlyXAbq0FIW8CD7HHyozCMBpDSiH7EdrSTCZcZFY= +k8s.io/apiextensions-apiserver v0.25.0/go.mod h1:3pAjZiN4zw7R8aZC5gR0y3/vCkGlAjCazcg1me8iB/E= k8s.io/apimachinery v0.25.3 h1:7o9ium4uyUOM76t6aunP0nZuex7gDf8VGwkR5RcJnQc= k8s.io/apimachinery v0.25.3/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo= -k8s.io/apiserver v0.23.5/go.mod h1:7wvMtGJ42VRxzgVI7jkbKvMbuCbVbgsWFT7RyXiRNTw= k8s.io/apiserver v0.25.0 h1:8kl2ifbNffD440MyvHtPaIz1mw4mGKVgWqM0nL+oyu4= k8s.io/apiserver v0.25.0/go.mod h1:BKwsE+PTC+aZK+6OJQDPr0v6uS91/HWxX7evElAH6xo= k8s.io/cli-runtime v0.25.0 h1:XBnTc2Fi+w818jcJGzhiJKQuXl8479sZ4FhtV5hVJ1Q= k8s.io/cli-runtime v0.25.0/go.mod h1:bHOI5ZZInRHhbq12OdUiYZQN8ml8aKZLwQgt9QlLINw= -k8s.io/client-go v0.23.5/go.mod h1:flkeinTO1CirYgzMPRWxUCnV0G4Fbu2vLhYCObnt/r4= k8s.io/client-go v0.25.3 h1:oB4Dyl8d6UbfDHD8Bv8evKylzs3BXzzufLiO27xuPs0= k8s.io/client-go v0.25.3/go.mod h1:t39LPczAIMwycjcXkVc+CB+PZV69jQuNx4um5ORDjQA= -k8s.io/code-generator v0.23.5 h1:xn3a6J5pUL49AoH6SPrOFtnB5cvdMl76f/bEY176R3c= -k8s.io/code-generator v0.23.5/go.mod h1:S0Q1JVA+kSzTI1oUvbKAxZY/DYbA/ZUb4Uknog12ETk= -k8s.io/component-base v0.23.5/go.mod h1:c5Nq44KZyt1aLl0IpHX82fhsn84Sb0jjzwjpcA42bY0= +k8s.io/code-generator v0.25.0 h1:QP8fJuXu882ztf6dsqJsso/Btm94pMd68TAZC1rE6KI= +k8s.io/code-generator v0.25.0/go.mod h1:B6jZgI3DvDFAualltPitbYMQ74NjaCFxum3YeKZZ+3w= k8s.io/component-base v0.25.3 h1:UrsxciGdrCY03ULT1h/S/gXFCOPnLhUVwSyx+hM/zq4= k8s.io/component-base v0.25.3/go.mod h1:WYoS8L+IlTZgU7rhAl5Ctpw0WdMxDfCC5dkxcEFa/TI= -k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c h1:GohjlNKauSai7gN4wsJkeZ3WAJx4Sh+oT/b5IYn5suA= -k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= +k8s.io/gengo v0.0.0-20211129171323-c02415ce4185 h1:TT1WdmqqXareKxZ/oNXEUSwKlLiHzPMyB0t8BaFeBYI= +k8s.io/gengo v0.0.0-20211129171323-c02415ce4185/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= -k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4= k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65/go.mod h1:sX9MT8g7NVZM5lVL/j8QyCCJe8YSMW30QvGZWaCIDIk= k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 h1:MQ8BAZPZlWk3S9K4a9NCkIFQtZShWqoha7snGixVgEA= k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU= -k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed h1:jAne/RjBTyawwAy0utX5eqigAwz/lQhTmy+Hr/Cpue4= k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 h1:SAElp8THCfmBdM+4lmWX5gebiSSkEr7PAYDVF91qpfg= @@ -1170,10 +944,8 @@ pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732/go.mod h1:lpvCfhqEHNJSSpG5R rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.30/go.mod h1:fEO7lRTdivWO2qYVCVG7dEADOMo/MLDCVr8So2g88Uw= -sigs.k8s.io/controller-runtime v0.11.2 h1:H5GTxQl0Mc9UjRJhORusqfJCIjBO8UtUxGggCwL1rLA= -sigs.k8s.io/controller-runtime v0.11.2/go.mod h1:P6QCzrEjLaZGqHsfd+os7JQ+WFZhvB8MRFsn4dWF7O4= -sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs= +sigs.k8s.io/controller-runtime v0.13.1 h1:tUsRCSJVM1QQOOeViGeX3GMT3dQF1eePPw6sEE3xSlg= +sigs.k8s.io/controller-runtime v0.13.1/go.mod h1:Zbz+el8Yg31jubvAEyglRZGdLAjplZl+PgtYNI6WNTI= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/kustomize/api v0.12.1 h1:7YM7gW3kYBwtKvoY216ZzY+8hM+lV53LUayghNRJ0vM= @@ -1182,8 +954,6 @@ sigs.k8s.io/kustomize/kyaml v0.13.9 h1:Qz53EAaFFANyNgyOEJbT/yoIHygK40/ZcvU3rgry2 sigs.k8s.io/kustomize/kyaml v0.13.9/go.mod h1:QsRbD0/KcU+wdk0/L0fIp2KLnohkVzs6fQ85/nOXac4= sigs.k8s.io/mdtoc v1.1.0 h1:q3YtqYzmC2e0hgLXRIOm7/QLuPux1CX3ZHCwlbABxZo= sigs.k8s.io/mdtoc v1.1.0/go.mod h1:QZLVEdHH2iNIR4uHAZyvFRtjloHgVItk8lo/mzCtq3w= -sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= -sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= From 4d4358f6739af655edbdbcbe9aa6cd3ef33792f6 Mon Sep 17 00:00:00 2001 From: Njegos Railic Date: Tue, 8 Nov 2022 15:44:25 +0100 Subject: [PATCH 016/405] Adding support for disabling liveness and readiness probes in the Helm chart (#9238) --- charts/ingress-nginx/templates/controller-daemonset.yaml | 4 ++++ charts/ingress-nginx/templates/controller-deployment.yaml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml index 805d2f209..4163e255c 100644 --- a/charts/ingress-nginx/templates/controller-daemonset.yaml +++ b/charts/ingress-nginx/templates/controller-daemonset.yaml @@ -102,8 +102,12 @@ spec: {{- if .Values.controller.startupProbe }} startupProbe: {{ toYaml .Values.controller.startupProbe | nindent 12 }} {{- end }} + {{- if .Values.controller.livenessProbe }} livenessProbe: {{ toYaml .Values.controller.livenessProbe | nindent 12 }} + {{- end }} + {{- if .Values.controller.readinessProbe }} readinessProbe: {{ toYaml .Values.controller.readinessProbe | nindent 12 }} + {{- end }} ports: {{- range $key, $value := .Values.controller.containerPort }} - name: {{ $key }} diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml index fcbdab80d..dfe4cae92 100644 --- a/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/charts/ingress-nginx/templates/controller-deployment.yaml @@ -106,8 +106,12 @@ spec: {{- if .Values.controller.startupProbe }} startupProbe: {{ toYaml .Values.controller.startupProbe | nindent 12 }} {{- end }} + {{- if .Values.controller.livenessProbe }} livenessProbe: {{ toYaml .Values.controller.livenessProbe | nindent 12 }} + {{- end }} + {{- if .Values.controller.readinessProbe }} readinessProbe: {{ toYaml .Values.controller.readinessProbe | nindent 12 }} + {{- end }} ports: {{- range $key, $value := .Values.controller.containerPort }} - name: {{ $key }} From e03f8cc0360495530dd70889ce30e56ec6f06e52 Mon Sep 17 00:00:00 2001 From: James Strong Date: Tue, 8 Nov 2022 10:24:58 -0500 Subject: [PATCH 017/405] start 1.5.0 release Signed-off-by: James Strong --- TAG | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TAG b/TAG index 66d62a800..2e7bd9108 100644 --- a/TAG +++ b/TAG @@ -1 +1 @@ -v1.4.1 +v1.5.0 From 894937993107e1dbe6e1b28bd916b06790a07d3c Mon Sep 17 00:00:00 2001 From: Oblivion Date: Tue, 8 Nov 2022 16:46:53 +0000 Subject: [PATCH 018/405] fix CVE-2022-27664 --- go.sum | 43 ------------------ images/ext-auth-example-authsvc/rootfs/go.sum | 14 +----- images/kube-webhook-certgen/rootfs/go.mod | 6 +-- images/kube-webhook-certgen/rootfs/go.sum | 45 +++---------------- 4 files changed, 11 insertions(+), 97 deletions(-) diff --git a/go.sum b/go.sum index 322c6b4aa..e212f2972 100644 --- a/go.sum +++ b/go.sum @@ -515,49 +515,6 @@ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0 h1:b9gGHsz9/HhJ3HF5DHQytPpuwocVTChQJK3AvoLRD5I= golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI= -golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= -golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= -golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0= golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= diff --git a/images/ext-auth-example-authsvc/rootfs/go.sum b/images/ext-auth-example-authsvc/rootfs/go.sum index 045452c23..2ca056fae 100644 --- a/images/ext-auth-example-authsvc/rootfs/go.sum +++ b/images/ext-auth-example-authsvc/rootfs/go.sum @@ -105,19 +105,7 @@ golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHl golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= diff --git a/images/kube-webhook-certgen/rootfs/go.mod b/images/kube-webhook-certgen/rootfs/go.mod index 22c4424ea..5e2e98f54 100644 --- a/images/kube-webhook-certgen/rootfs/go.mod +++ b/images/kube-webhook-certgen/rootfs/go.mod @@ -29,10 +29,10 @@ require ( github.com/pkg/errors v0.9.1 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/tidwall/gjson v1.14.0 // indirect - golang.org/x/net v0.0.0-20211209124913-491a49abca63 // indirect + golang.org/x/net v0.1.0 // indirect golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect - golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect - golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d // indirect + golang.org/x/sys v0.1.0 // indirect + golang.org/x/term v0.1.0 // indirect golang.org/x/text v0.4.0 // indirect golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect google.golang.org/appengine v1.6.5 // indirect diff --git a/images/kube-webhook-certgen/rootfs/go.sum b/images/kube-webhook-certgen/rootfs/go.sum index 61f5a8b34..a05f65b19 100644 --- a/images/kube-webhook-certgen/rootfs/go.sum +++ b/images/kube-webhook-certgen/rootfs/go.sum @@ -451,39 +451,8 @@ golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzB golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= -golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.0.0-20211209124913-491a49abca63 h1:iocB37TsdFuN6IBRZ+ry36wrkoV51/tl5vOWqkcPGvY= -golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0= +golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -535,21 +504,21 @@ golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f h1:v4INt8xihDGvnrfjMDVXGxw9wrfxYyCjk0KbXjhR55s= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d h1:SZxvLBoTP5yHO3Frd4z4vrF+DBX9vMVanchswa69toE= golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw= +golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From 3bca5e9c19bedfef2365a9214bd0c1675d53a725 Mon Sep 17 00:00:00 2001 From: James Strong Date: Tue, 8 Nov 2022 15:48:44 -0500 Subject: [PATCH 019/405] missed CVE-2022-27664 #9273 in 1.5.0 build Signed-off-by: James Strong --- TAG | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TAG b/TAG index 2e7bd9108..53b5bbb12 100644 --- a/TAG +++ b/TAG @@ -1 +1 @@ -v1.5.0 +v1.5.1 From 63dbbdbb3a099417f411fbd1d684fa2a287c96cd Mon Sep 17 00:00:00 2001 From: James Strong Date: Wed, 9 Nov 2022 20:08:54 -0500 Subject: [PATCH 020/405] udate readme, charts and static deploys for release 1.5.1 (#9280) Signed-off-by: James Strong Signed-off-by: James Strong --- .github/workflows/ci.yaml | 6 +- Changelog.md | 96 ++++++++++++++++++- README.md | 46 ++++----- charts/ingress-nginx/CHANGELOG.md | 7 ++ charts/ingress-nginx/Chart.yaml | 12 +-- charts/ingress-nginx/README.md | 8 +- charts/ingress-nginx/values.yaml | 6 +- deploy/static/provider/aws/deploy.yaml | 48 +++++----- .../aws/nlb-with-tls-termination/deploy.yaml | 48 +++++----- deploy/static/provider/baremetal/deploy.yaml | 48 +++++----- deploy/static/provider/cloud/deploy.yaml | 48 +++++----- deploy/static/provider/do/deploy.yaml | 48 +++++----- deploy/static/provider/exoscale/deploy.yaml | 48 +++++----- deploy/static/provider/kind/deploy.yaml | 48 +++++----- deploy/static/provider/scw/deploy.yaml | 48 +++++----- docs/deploy/index.md | 20 ++-- 16 files changed, 342 insertions(+), 243 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 695799991..6f0c4aee2 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -139,7 +139,7 @@ jobs: strategy: matrix: - k8s: [v1.22.15, v1.23.12, v1.24.6, v1.25.2] + k8s: [v1.23.13, v1.24.7, v1.25.3] steps: @@ -222,7 +222,7 @@ jobs: strategy: matrix: - k8s: [v1.23.12, v1.24.6, v1.25.2] + k8s: [v1.23.13, v1.24.7, v1.25.3] steps: @@ -279,7 +279,7 @@ jobs: strategy: matrix: - k8s: [v1.23.12, v1.24.6, v1.25.2] + k8s: [v1.23.13, v1.24.7, v1.25.3] steps: diff --git a/Changelog.md b/Changelog.md index 34b49e28a..a7b62be50 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,99 @@ # Changelog +### 1.5.1 + +* Upgrade NGINX to 1.21.6 +* Upgrade Golang 1.19.2 +* Fix Service Name length Bug [9245](https://github.com/kubernetes/ingress-nginx/pull/9245) +* CVE fixes CVE-2022-32149, CVE-2022-27664, CVE-2022-1996 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 +* registry.k8s.io/ingress-nginx/controller-chroot:v1.5.1@sha256:c1c091b88a6c936a83bd7b098662760a87868d12452529bad0d178fb36147345 + +### All Changes: + +* chore Fixed to Support Versions table by @yutachaos in https://github.com/kubernetes/ingress-nginx/pull/9117 +* Updated incorrect version number in the Installation Guide by @afro-coder in https://github.com/kubernetes/ingress-nginx/pull/9120 +* Updated the Developer guide with New Contributor information by @afro-coder in https://github.com/kubernetes/ingress-nginx/pull/9114 +* Remove deprecated net dependency by @rikatz in https://github.com/kubernetes/ingress-nginx/pull/9110 +* Fixed docs helm-docs version by @yutachaos in https://github.com/kubernetes/ingress-nginx/pull/9121 +* Fix CVE 2022 27664 by @strongjz in https://github.com/kubernetes/ingress-nginx/pull/9109 +* upgrade to golang 1.19.2 by @strongjz in https://github.com/kubernetes/ingress-nginx/pull/9124 +* fix e2e resource leak when ginkgo exit before clear resource by @loveRhythm1990 in https://github.com/kubernetes/ingress-nginx/pull/9103 +* fix: handle 401 and 403 by external auth by @johanneswuerbach in https://github.com/kubernetes/ingress-nginx/pull/9131 +* Move bowei to emeritus owner by @rikatz in https://github.com/kubernetes/ingress-nginx/pull/9150 +* fix null ports by @tombokombo in https://github.com/kubernetes/ingress-nginx/pull/9149 +* Documentation added for implemented redirection in the proxy to ensure image pulling by @Sanghamitra-PERSONAL in https://github.com/kubernetes/ingress-nginx/pull/9098 +* updating runner with golang 1.19.2 by @strongjz in https://github.com/kubernetes/ingress-nginx/pull/9158 +* Add install command for OVHcloud by @scraly in https://github.com/kubernetes/ingress-nginx/pull/9171 +* GitHub Templates: Remove trailing whitespaces. by @Gacko in https://github.com/kubernetes/ingress-nginx/pull/9172 +* Update helm chart changelog to show that kubernetes v1.21.x is no longer supported by @cskinfill in https://github.com/kubernetes/ingress-nginx/pull/9147 +* Add section to troubleshooting docs for failure to listen on port by @jrhunger in https://github.com/kubernetes/ingress-nginx/pull/9185 +* Implement parseFloat for annotations by @kirs in https://github.com/kubernetes/ingress-nginx/pull/9195 +* fix typo in docs. by @guettli in https://github.com/kubernetes/ingress-nginx/pull/9167 +* add:(admission-webhooks) ability to set securityContext by @ybelMekk in https://github.com/kubernetes/ingress-nginx/pull/9186 +* Fix Markdown header level by @jaens in https://github.com/kubernetes/ingress-nginx/pull/9210 +* chore: bump NGINX version v1.21.4 by @tao12345666333 in https://github.com/kubernetes/ingress-nginx/pull/8889 +* chore: update NGINX to 1.21.6 by @tao12345666333 in https://github.com/kubernetes/ingress-nginx/pull/9231 +* fix svc long name by @tombokombo in https://github.com/kubernetes/ingress-nginx/pull/9245 +* update base image of nginx to 1.21.6 by @strongjz in https://github.com/kubernetes/ingress-nginx/pull/9257 +* Fix CVE-2022-32149 by @esigo in https://github.com/kubernetes/ingress-nginx/pull/9258 +* Fix CVE-2022-1996 by @esigo in https://github.com/kubernetes/ingress-nginx/pull/9244 +* Adding support for disabling liveness and readiness probes to the Helm chart by @njegosrailic in https://github.com/kubernetes/ingress-nginx/pull/9238 +* fix CVE-2022-27664 by @esigo in https://github.com/kubernetes/ingress-nginx/pull/9273 +* Add CVE-2022-27664 #9273 in latest release by @strongjz in https://github.com/kubernetes/ingress-nginx/pull/9275 + +### Dependencies updates: + +* Bump docker/setup-buildx-action from 2.0.0 to 2.1.0 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9180 +* Bump dorny/paths-filter from 2.10.2 to 2.11.1 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9183 +* Bump helm/chart-releaser-action from 1.4.0 to 1.4.1 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9136 +* Bump github/codeql-action from 2.1.25 to 2.1.27 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9137 +* Bump ossf/scorecard-action from 2.0.3 to 2.0.4 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9138 +* Bump google.golang.org/grpc from 1.49.0 to 1.50.0 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9134 +* Bump actions/checkout from 3.0.2 to 3.1.0 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9135 +* Bump actions/dependency-review-action from 2.5.0 to 2.5.1 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9237 +* Bump github/codeql-action from 2.1.28 to 2.1.29 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9236 +* Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9233 +* Bump actions/upload-artifact from 3.1.0 to 3.1.1 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9234 +* Bump azure/setup-helm from 3.3 to 3.4 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9235 +* Bump github.com/onsi/ginkgo/v2 from 2.3.1 to 2.4.0 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9201 +* Bump goreleaser/goreleaser-action from 3.1.0 to 3.2.0 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9208 +* Bump github.com/stretchr/testify from 1.8.0 to 1.8.1 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9202 +* Bump ossf/scorecard-action from 2.0.4 to 2.0.6 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9203 +* Bump docker/setup-buildx-action from 2.1.0 to 2.2.1 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9204 +* Bump actions/setup-go from 3.3.0 to 3.3.1 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9205 +* Bump github/codeql-action from 2.1.27 to 2.1.28 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9206 +* Bump actions/download-artifact from 3.0.0 to 3.0.1 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9207 +* Bump github.com/prometheus/client_model from 0.2.0 to 0.3.0 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9200 +* Bump github.com/spf13/cobra from 1.5.0 to 1.6.0 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9173 +* Bump google.golang.org/grpc from 1.50.0 to 1.50.1 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9174 +* Bump k8s.io/component-base from 0.25.2 to 0.25.3 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9175 +* Bump github.com/fsnotify/fsnotify from 1.5.4 to 1.6.0 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9176 +* Bump github.com/onsi/ginkgo/v2 from 2.2.0 to 2.3.1 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9177 +* Bump geekyeggo/delete-artifact from 1.0.0 to 2.0.0 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9178 +* Bump actions/dependency-review-action from 2.4.0 to 2.5.0 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9179 +* Bump docker/setup-qemu-action from 2.0.0 to 2.1.0 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9181 +* Bump securego/gosec from 2.13.1 to 2.14.0 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9182 + + +## New Contributors +* @yutachaos made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9117 +* @Gacko made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9123 +* @loveRhythm1990 made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9103 +* @johanneswuerbach made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9131 +* @FutureMatt made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9133 +* @Sanghamitra-PERSONAL made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9098 +* @scraly made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9171 +* @cskinfill made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9147 +* @jrhunger made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9185 +* @guettli made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9167 +* @ybelMekk made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9186 +* @jaens made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9210 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.4.0...controller-v1.5.1 ### 1.4.0 @@ -49,8 +143,6 @@ REMOVED Also upgraded to golang 1.19.1 - - Images: * registry.k8s.io/ingress-nginx/controller:v1.4.0@sha256:34ee929b111ffc7aa426ffd409af44da48e5a0eea1eb2207994d9e0c0882d143 diff --git a/README.md b/README.md index 1af0a6000..f8c020b68 100644 --- a/README.md +++ b/README.md @@ -6,17 +6,11 @@ [![GitHub stars](https://img.shields.io/github/stars/kubernetes/ingress-nginx.svg)](https://github.com/kubernetes/ingress-nginx/stargazers) [![GitHub stars](https://img.shields.io/badge/contributions-welcome-orange.svg)](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md) -### Community Update - -We will discuss the results of our Community Survey, progress on the stabilization project, and ideas going -forward with the project at [Kubecon NA 2022 in Detroit](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/). Come join us and let us hear what you'd like to see in the -future for ingress-nginx. - -https://kccncna2022.sched.com/event/18lgl?iframe=no ## Overview -ingress-nginx is an Ingress controller for Kubernetes using [NGINX](https://www.nginx.org/) as a reverse proxy and load balancer. +ingress-nginx is an Ingress controller for Kubernetes using [NGINX](https://www.nginx.org/) as a reverse proxy and load +balancer. [Learn more about Ingress on the main Kubernetes documentation site](https://kubernetes.io/docs/concepts/services-networking/ingress/). @@ -26,18 +20,25 @@ See the [Getting Started](https://kubernetes.github.io/ingress-nginx/deploy/) do ## Troubleshooting -If you encounter issues, review the [troubleshooting docs](docs/troubleshooting.md), [file an issue](https://github.com/kubernetes/ingress-nginx/issues), or talk to us on the [#ingress-nginx channel](https://kubernetes.slack.com/messages/ingress-nginx) on the Kubernetes Slack server. +If you encounter issues, review the [troubleshooting docs](docs/troubleshooting.md), +[file an issue](https://github.com/kubernetes/ingress-nginx/issues), or talk to us on the +[#ingress-nginx channel](https://kubernetes.slack.com/messages/ingress-nginx) on the Kubernetes Slack server. ## Changelog See [the list of releases](https://github.com/kubernetes/ingress-nginx/releases) to find out about feature changes. For detailed changes for each release; please check the [Changelog.md](Changelog.md) file. -For detailed changes on the `ingress-nginx` helm chart, please check the following [CHANGELOG.md](charts/ingress-nginx/CHANGELOG.md) file. +For detailed changes on the `ingress-nginx` helm chart, please check the following +[CHANGELOG.md](charts/ingress-nginx/CHANGELOG.md) file. -### Support Versions table +### Supported Versions table + +Supported versions for the ingress-nginx project mean that we have completed E2E tests, and they are passing for +the versions listed. Ingress-Nginx versions may work on older versions but the project does not make that guarantee. | Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version | |-----------------------|------------------------------|----------------|---------------| +| v1.5.1 | 1.25, 1.24, 1.23 | 3.16.2 | 1.21.6 | | v1.4.0 | 1.25, 1.24, 1.23, 1.22 | 3.16.2 | 1.19.10† | | v1.3.1 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.2 | 1.19.10† | | v1.3.0 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.0 | 1.19.10† | @@ -54,29 +55,28 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi | v1.0.0 | 1.22, 1.21, 1.20, 1.19 | 3.13.5 | 1.20.1 | -† _This build is [patched against CVE-2021-23017](https://github.com/openresty/openresty/commit/4b5ec7edd78616f544abc194308e0cf4b788725b#diff-42ef841dc27fe0b5aa2d06bd31308bb63a59cdcddcbcddd917248349d22020a3)._ +† _This build is +[patched against CVE-2021-23017](https://github.com/openresty/openresty/commit/4b5ec7edd78616f544abc194308e0cf4b788725b#diff-42ef841dc27fe0b5aa2d06bd31308bb63a59cdcddcbcddd917248349d22020a3)._ -See [this article](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) if you want upgrade to the stable Ingress API. +See [this article](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) if you want upgrade to the stable +Ingress API. ## Get Involved Thanks for taking the time to join our community and start contributing! -- This project adheres to the [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md). By participating in this project, you agree to abide by its terms. +- This project adheres to the [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md). + By participating in this project, you agree to abide by its terms. - **Contributing**: Contributions of all kind are welcome! - - Read [`CONTRIBUTING.md`](CONTRIBUTING.md) for information about setting up your environment, the workflow that we expect, and instructions on the developer certificate of origin that we require. - + - Read [`CONTRIBUTING.md`](CONTRIBUTING.md) for information about setting up your environment, the workflow that we + expect, and instructions on the developer certificate of origin that we require. - Join our Kubernetes Slack channel for developer discussion : [#ingress-nginx-dev](https://kubernetes.slack.com/archives/C021E147ZA4). - - - Submit github issues for any feature enhancements, bugs or documentation problems. Please make sure to read the [Issue Reporting Checklist](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md#issue-reporting-guidelines) before opening an issue. Issues not conforming to the guidelines **may be closed immediately**. - -- **Support**: Join the [#ingress-nginx-users](https://kubernetes.slack.com/messages/CANQGM8BA/) channel inside the [Kubernetes Slack](http://slack.kubernetes.io/) to ask questions or get support from the maintainers and other users. - + - Submit GitHub issues for any feature enhancements, bugs or documentation problems. Please make sure to read the [Issue Reporting Checklist](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md#issue-reporting-guidelines) before opening an issue. Issues not conforming to the guidelines **may be closed immediately**. + - **Support**: Join the [#ingress-nginx-users](https://kubernetes.slack.com/messages/CANQGM8BA/) channel inside the [Kubernetes Slack](http://slack.kubernetes.io/) to ask questions or get support from the maintainers and other users. - The [GitHub issues](https://github.com/kubernetes/ingress-nginx/issues) in the repository are **exclusively** for bug reports and feature requests. - -- **Discuss**: Tweet using the `#IngressNginx` hashtag. + - **Discuss**: Tweet using the `#IngressNginx` hashtag. ## License diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md index 2ec24733e..1b7adb25b 100644 --- a/charts/ingress-nginx/CHANGELOG.md +++ b/charts/ingress-nginx/CHANGELOG.md @@ -2,6 +2,13 @@ This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). +### 4.4.0 + +* Adding support for disabling liveness and readiness probes to the Helm chart by @njegosrailic in https://github.com/kubernetes/ingress-nginx/pull/9238 +* add:(admission-webhooks) ability to set securityContext by @ybelMekk in https://github.com/kubernetes/ingress-nginx/pull/9186 +* #7652 - Updated Helm chart to use the fullname for the electionID if not specified. by @FutureMatt in https://github.com/kubernetes/ingress-nginx/pull/9133 +* Rename controller-wehbooks-networkpolicy.yaml. by @Gacko in https://github.com/kubernetes/ingress-nginx/pull/9123 + ### 4.3.0 - Support for Kubernetes v.1.25.0 was added and support for endpoint slices - Support for Kubernetes v1.20.0 and v1.21.0 was removed diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index 9cf62ecf9..461601f59 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: ingress-nginx # When the version is modified, make sure the artifacthub.io/changes list is updated # Also update CHANGELOG.md -version: 4.3.0 -appVersion: 1.4.0 +version: 4.4.0 +appVersion: 1.5.1 home: https://github.com/kubernetes/ingress-nginx description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png @@ -25,7 +25,7 @@ annotations: # List of changes for the release in artifacthub.io # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog artifacthub.io/changes: | - - "[8890](https://github.com/kubernetes/ingress-nginx/pull/8890) migrate to endpointslices" - - "[9059](https://github.com/kubernetes/ingress-nginx/pull/9059) kubewebhookcertgen sha change after go1191" - - "[9046](https://github.com/kubernetes/ingress-nginx/pull/9046) Parameterize metrics port name" - - "[9104](https://github.com/kubernetes/ingress-nginx/pull/9104) Fix yaml formatting error with multiple annotations" + - Adding support for disabling liveness and readiness probes to the Helm chart + - add:(admission-webhooks) ability to set securityContext + - Updated Helm chart to use the fullname for the electionID if not specified + - Rename controller-wehbooks-networkpolicy.yaml diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 6ce41792e..bf4dcc8cd 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.3.0](https://img.shields.io/badge/Version-4.3.0-informational?style=flat-square) ![AppVersion: 1.4.0](https://img.shields.io/badge/AppVersion-1.4.0-informational?style=flat-square) +![Version: 4.4.0](https://img.shields.io/badge/Version-4.4.0-informational?style=flat-square) ![AppVersion: 1.5.1](https://img.shields.io/badge/AppVersion-1.5.1-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. @@ -312,13 +312,13 @@ Kubernetes: `>=1.20.0-0` | controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.image.allowPrivilegeEscalation | bool | `true` | | | controller.image.chroot | bool | `false` | | -| controller.image.digest | string | `"sha256:34ee929b111ffc7aa426ffd409af44da48e5a0eea1eb2207994d9e0c0882d143"` | | -| controller.image.digestChroot | string | `"sha256:b67e889f1db8692de7e41d4d9aef8de56645bf048261f31fa7f8bfc6ea2222a0"` | | +| controller.image.digest | string | `"sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629"` | | +| controller.image.digestChroot | string | `"sha256:c1c091b88a6c936a83bd7b098662760a87868d12452529bad0d178fb36147345"` | | | controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.registry | string | `"registry.k8s.io"` | | | controller.image.runAsUser | int | `101` | | -| controller.image.tag | string | `"v1.4.0"` | | +| controller.image.tag | string | `"v1.5.1"` | | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass | diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 9092a5de9..6304f2637 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -23,9 +23,9 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: "v1.4.0" - digest: sha256:34ee929b111ffc7aa426ffd409af44da48e5a0eea1eb2207994d9e0c0882d143 - digestChroot: sha256:b67e889f1db8692de7e41d4d9aef8de56645bf048261f31fa7f8bfc6ea2222a0 + tag: "v1.5.1" + digest: sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + digestChroot: sha256:c1c091b88a6c936a83bd7b098662760a87868d12452529bad0d178fb36147345 pullPolicy: IfNotPresent # www-data -> uid 101 runAsUser: 101 diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml index 5c656bfae..fbdf9486a 100644 --- a/deploy/static/provider/aws/deploy.yaml +++ b/deploy/static/provider/aws/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -93,7 +93,7 @@ rules: - apiGroups: - "" resourceNames: - - ingress-controller-leader + - ingress-nginx-leader resources: - configmaps verbs: @@ -108,7 +108,7 @@ rules: - apiGroups: - coordination.k8s.io resourceNames: - - ingress-controller-leader + - ingress-nginx-leader resources: - leases verbs: @@ -144,7 +144,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +163,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx rules: - apiGroups: @@ -245,7 +245,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +264,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +284,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +303,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +322,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -343,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -359,7 +359,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -392,7 +392,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -415,7 +415,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -437,7 +437,7 @@ spec: - args: - /nginx-ingress-controller - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - - --election-id=ingress-controller-leader + - --election-id=ingress-nginx-leader - --controller-class=k8s.io/ingress-nginx - --ingress-class=nginx - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller @@ -455,7 +455,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.4.0@sha256:34ee929b111ffc7aa426ffd409af44da48e5a0eea1eb2207994d9e0c0882d143 + image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -527,7 +527,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -538,7 +538,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create spec: containers: @@ -574,7 +574,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -585,7 +585,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch spec: containers: @@ -623,7 +623,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -636,7 +636,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml index 91886150d..73ec24286 100644 --- a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml +++ b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -93,7 +93,7 @@ rules: - apiGroups: - "" resourceNames: - - ingress-controller-leader + - ingress-nginx-leader resources: - configmaps verbs: @@ -108,7 +108,7 @@ rules: - apiGroups: - coordination.k8s.io resourceNames: - - ingress-controller-leader + - ingress-nginx-leader resources: - leases verbs: @@ -144,7 +144,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +163,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx rules: - apiGroups: @@ -245,7 +245,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +264,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +284,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +303,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +322,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -350,7 +350,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -368,7 +368,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -401,7 +401,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -424,7 +424,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -446,7 +446,7 @@ spec: - args: - /nginx-ingress-controller - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - - --election-id=ingress-controller-leader + - --election-id=ingress-nginx-leader - --controller-class=k8s.io/ingress-nginx - --ingress-class=nginx - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller @@ -464,7 +464,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.4.0@sha256:34ee929b111ffc7aa426ffd409af44da48e5a0eea1eb2207994d9e0c0882d143 + image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -539,7 +539,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -550,7 +550,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create spec: containers: @@ -586,7 +586,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -597,7 +597,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch spec: containers: @@ -635,7 +635,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -648,7 +648,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml index bb9ce026c..9e6e905bb 100644 --- a/deploy/static/provider/baremetal/deploy.yaml +++ b/deploy/static/provider/baremetal/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -93,7 +93,7 @@ rules: - apiGroups: - "" resourceNames: - - ingress-controller-leader + - ingress-nginx-leader resources: - configmaps verbs: @@ -108,7 +108,7 @@ rules: - apiGroups: - coordination.k8s.io resourceNames: - - ingress-controller-leader + - ingress-nginx-leader resources: - leases verbs: @@ -144,7 +144,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +163,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx rules: - apiGroups: @@ -245,7 +245,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +264,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +284,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +303,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +322,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -343,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -387,7 +387,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -410,7 +410,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -431,7 +431,7 @@ spec: containers: - args: - /nginx-ingress-controller - - --election-id=ingress-controller-leader + - --election-id=ingress-nginx-leader - --controller-class=k8s.io/ingress-nginx - --ingress-class=nginx - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller @@ -449,7 +449,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.4.0@sha256:34ee929b111ffc7aa426ffd409af44da48e5a0eea1eb2207994d9e0c0882d143 + image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -521,7 +521,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -532,7 +532,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create spec: containers: @@ -568,7 +568,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -579,7 +579,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch spec: containers: @@ -617,7 +617,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -630,7 +630,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml index 372c71909..dd986a55d 100644 --- a/deploy/static/provider/cloud/deploy.yaml +++ b/deploy/static/provider/cloud/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -93,7 +93,7 @@ rules: - apiGroups: - "" resourceNames: - - ingress-controller-leader + - ingress-nginx-leader resources: - configmaps verbs: @@ -108,7 +108,7 @@ rules: - apiGroups: - coordination.k8s.io resourceNames: - - ingress-controller-leader + - ingress-nginx-leader resources: - leases verbs: @@ -144,7 +144,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +163,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx rules: - apiGroups: @@ -245,7 +245,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +264,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +284,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +303,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +322,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -343,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -388,7 +388,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -411,7 +411,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -433,7 +433,7 @@ spec: - args: - /nginx-ingress-controller - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - - --election-id=ingress-controller-leader + - --election-id=ingress-nginx-leader - --controller-class=k8s.io/ingress-nginx - --ingress-class=nginx - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller @@ -451,7 +451,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.4.0@sha256:34ee929b111ffc7aa426ffd409af44da48e5a0eea1eb2207994d9e0c0882d143 + image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -523,7 +523,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -534,7 +534,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create spec: containers: @@ -570,7 +570,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -581,7 +581,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch spec: containers: @@ -619,7 +619,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -632,7 +632,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml index c7da768ff..64e0366b4 100644 --- a/deploy/static/provider/do/deploy.yaml +++ b/deploy/static/provider/do/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -93,7 +93,7 @@ rules: - apiGroups: - "" resourceNames: - - ingress-controller-leader + - ingress-nginx-leader resources: - configmaps verbs: @@ -108,7 +108,7 @@ rules: - apiGroups: - coordination.k8s.io resourceNames: - - ingress-controller-leader + - ingress-nginx-leader resources: - leases verbs: @@ -144,7 +144,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +163,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx rules: - apiGroups: @@ -245,7 +245,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +264,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +284,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +303,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +322,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -344,7 +344,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -358,7 +358,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -391,7 +391,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -414,7 +414,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -436,7 +436,7 @@ spec: - args: - /nginx-ingress-controller - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - - --election-id=ingress-controller-leader + - --election-id=ingress-nginx-leader - --controller-class=k8s.io/ingress-nginx - --ingress-class=nginx - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller @@ -454,7 +454,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.4.0@sha256:34ee929b111ffc7aa426ffd409af44da48e5a0eea1eb2207994d9e0c0882d143 + image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -526,7 +526,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -537,7 +537,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create spec: containers: @@ -573,7 +573,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -584,7 +584,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch spec: containers: @@ -622,7 +622,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -635,7 +635,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml index dfb0e8f7d..d6a40aed9 100644 --- a/deploy/static/provider/exoscale/deploy.yaml +++ b/deploy/static/provider/exoscale/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -93,7 +93,7 @@ rules: - apiGroups: - "" resourceNames: - - ingress-controller-leader + - ingress-nginx-leader resources: - configmaps verbs: @@ -108,7 +108,7 @@ rules: - apiGroups: - coordination.k8s.io resourceNames: - - ingress-controller-leader + - ingress-nginx-leader resources: - leases verbs: @@ -144,7 +144,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +163,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx rules: - apiGroups: @@ -245,7 +245,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +264,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +284,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +303,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +322,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -343,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -364,7 +364,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -397,7 +397,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -420,7 +420,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -442,7 +442,7 @@ spec: - args: - /nginx-ingress-controller - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - - --election-id=ingress-controller-leader + - --election-id=ingress-nginx-leader - --controller-class=k8s.io/ingress-nginx - --ingress-class=nginx - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller @@ -460,7 +460,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.4.0@sha256:34ee929b111ffc7aa426ffd409af44da48e5a0eea1eb2207994d9e0c0882d143 + image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -532,7 +532,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -543,7 +543,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create spec: containers: @@ -579,7 +579,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -590,7 +590,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch spec: containers: @@ -628,7 +628,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -641,7 +641,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml index cde5ece76..62ead9e34 100644 --- a/deploy/static/provider/kind/deploy.yaml +++ b/deploy/static/provider/kind/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -93,7 +93,7 @@ rules: - apiGroups: - "" resourceNames: - - ingress-controller-leader + - ingress-nginx-leader resources: - configmaps verbs: @@ -108,7 +108,7 @@ rules: - apiGroups: - coordination.k8s.io resourceNames: - - ingress-controller-leader + - ingress-nginx-leader resources: - leases verbs: @@ -144,7 +144,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +163,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx rules: - apiGroups: @@ -245,7 +245,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +264,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +284,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +303,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +322,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -343,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -387,7 +387,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -410,7 +410,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -435,7 +435,7 @@ spec: containers: - args: - /nginx-ingress-controller - - --election-id=ingress-controller-leader + - --election-id=ingress-nginx-leader - --controller-class=k8s.io/ingress-nginx - --ingress-class=nginx - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller @@ -455,7 +455,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.4.0@sha256:34ee929b111ffc7aa426ffd409af44da48e5a0eea1eb2207994d9e0c0882d143 + image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -537,7 +537,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -548,7 +548,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create spec: containers: @@ -584,7 +584,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -595,7 +595,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch spec: containers: @@ -633,7 +633,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -646,7 +646,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml index 25880d180..d52f01489 100644 --- a/deploy/static/provider/scw/deploy.yaml +++ b/deploy/static/provider/scw/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -93,7 +93,7 @@ rules: - apiGroups: - "" resourceNames: - - ingress-controller-leader + - ingress-nginx-leader resources: - configmaps verbs: @@ -108,7 +108,7 @@ rules: - apiGroups: - coordination.k8s.io resourceNames: - - ingress-controller-leader + - ingress-nginx-leader resources: - leases verbs: @@ -144,7 +144,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +163,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx rules: - apiGroups: @@ -245,7 +245,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +264,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +284,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +303,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +322,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -344,7 +344,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -358,7 +358,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -391,7 +391,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -414,7 +414,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -436,7 +436,7 @@ spec: - args: - /nginx-ingress-controller - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - - --election-id=ingress-controller-leader + - --election-id=ingress-nginx-leader - --controller-class=k8s.io/ingress-nginx - --ingress-class=nginx - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller @@ -454,7 +454,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.4.0@sha256:34ee929b111ffc7aa426ffd409af44da48e5a0eea1eb2207994d9e0c0882d143 + image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -526,7 +526,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -537,7 +537,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create spec: containers: @@ -573,7 +573,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -584,7 +584,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch spec: containers: @@ -622,7 +622,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -635,7 +635,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/docs/deploy/index.md b/docs/deploy/index.md index 3f99c7a44..29495b5c0 100644 --- a/docs/deploy/index.md +++ b/docs/deploy/index.md @@ -62,7 +62,7 @@ It will install the controller in the `ingress-nginx` namespace, creating that n **If you don't have Helm** or if you prefer to use a YAML manifest, you can run the following command instead: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.4.0/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/cloud/deploy.yaml ``` !!! info @@ -225,7 +225,7 @@ In AWS, we use a Network load balancer (NLB) to expose the NGINX Ingress control ##### Network Load Balancer (NLB) ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.4.0/deploy/static/provider/aws/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/aws/deploy.yaml ``` ##### TLS termination in AWS Load Balancer (NLB) @@ -233,10 +233,10 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS using an NLB. -1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.4.0/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template +1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template ```console - wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.4.0/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml + wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml ``` 2. Edit the file and change the VPC CIDR in use for the Kubernetes cluster: @@ -282,7 +282,7 @@ Then, the ingress controller can be installed like this: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.4.0/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/cloud/deploy.yaml ``` !!! warning @@ -299,7 +299,7 @@ Proxy-protocol is supported in GCE check the [Official Documentations on how to #### Azure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.4.0/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/cloud/deploy.yaml ``` More information with regard to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller). @@ -307,7 +307,7 @@ More information with regard to Azure annotations for ingress controller can be #### Digital Ocean ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.4.0/deploy/static/provider/do/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/do/deploy.yaml ``` - By default the service object of the ingress-nginx-controller for Digital-Ocean, only configures one annotation. Its this one `service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"`. While this makes the service functional, it was reported that the Digital-Ocean LoadBalancer graphs shows `no data`, unless a few other annotations are also configured. Some of these other annotations require values that can not be generic and hence not forced in a out-of-the-box installation. These annotations and a discussion on them is well documented in [this issue](https://github.com/kubernetes/ingress-nginx/issues/8965). Please refer to the issue to add annotations, with values specific to user, to get graphs of the DO-LB populated with data. @@ -315,7 +315,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont #### Scaleway ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.4.0/deploy/static/provider/scw/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/scw/deploy.yaml ``` #### Exoscale @@ -330,7 +330,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale #### Oracle Cloud Infrastructure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.4.0/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/cloud/deploy.yaml ``` A @@ -357,7 +357,7 @@ For quick testing, you can use a This should work on almost every cluster, but it will typically use a port in the range 30000-32767. ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.4.0/deploy/static/provider/baremetal/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/baremetal/deploy.yaml ``` For more information about bare metal deployments (and how to use port 80 instead of a random port in the 30000-32767 range), From 726d7e6239807c4cde0b6c51fe24de256b43c18e Mon Sep 17 00:00:00 2001 From: pellmont Date: Thu, 10 Nov 2022 11:38:54 +0100 Subject: [PATCH 021/405] add containerSecurityContext to extraModules init containers (kubernetes#9016) (#9242) --- charts/ingress-nginx/README.md | 2 +- ...-extra-modules-default-container-sec-context.yaml | 12 ++++++++++++ ...extra-modules-specific-container-sec-context.yaml | 12 ++++++++++++ .../templates/controller-daemonset.yaml | 6 ++++++ .../templates/controller-deployment.yaml | 3 +++ charts/ingress-nginx/values.yaml | 4 +++- 6 files changed, 37 insertions(+), 2 deletions(-) create mode 100644 charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml create mode 100644 charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index bf4dcc8cd..f34615399 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -300,7 +300,7 @@ Kubernetes: `>=1.20.0-0` | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. | | controller.extraEnvs | list | `[]` | Additional environment variables to set | | controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. | -| controller.extraModules | list | `[]` | | +| controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module | | controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. | | controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. | | controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the ingress nginx controller is running in the `hostNetwork: true` mode. | diff --git a/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml b/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml new file mode 100644 index 000000000..2310c344e --- /dev/null +++ b/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml @@ -0,0 +1,12 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + service: + type: ClusterIP + containerSecurityContext: + allowPrivilegeEscalation: false + extraModules: + - name: opentelemetry + image: busybox diff --git a/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml b/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml new file mode 100644 index 000000000..bd2f011cc --- /dev/null +++ b/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml @@ -0,0 +1,12 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + service: + type: ClusterIP + extraModules: + - name: opentelemetry + image: busybox + containerSecurityContext: + allowPrivilegeEscalation: false diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml index 4163e255c..802730331 100644 --- a/charts/ingress-nginx/templates/controller-daemonset.yaml +++ b/charts/ingress-nginx/templates/controller-daemonset.yaml @@ -181,6 +181,12 @@ spec: - name: {{ .Name }} image: {{ .Image }} command: ['sh', '-c', '/usr/local/bin/init_module.sh'] + {{- if (or $.Values.controller.containerSecurityContext .containerSecurityContext) }} + securityContext: {{ .containerSecurityContext | default $.Values.controller.containerSecurityContext | toYaml | nindent 14 }} + {{- end }} + volumeMounts: + - name: modules + mountPath: /modules_mount {{- end }} {{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml index dfe4cae92..9dac747ea 100644 --- a/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/charts/ingress-nginx/templates/controller-deployment.yaml @@ -187,6 +187,9 @@ spec: - name: {{ .name }} image: {{ .image }} command: ['sh', '-c', '/usr/local/bin/init_module.sh'] + {{- if (or $.Values.controller.containerSecurityContext .containerSecurityContext) }} + securityContext: {{ .containerSecurityContext | default $.Values.controller.containerSecurityContext | toYaml | nindent 14 }} + {{- end }} volumeMounts: - name: modules mountPath: /modules_mount diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 6304f2637..dc9980d14 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -577,10 +577,12 @@ controller: # image: busybox # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] + # -- Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module extraModules: [] - ## Modules, which are mounted into the core nginx image # - name: opentelemetry # image: registry.k8s.io/ingress-nginx/opentelemetry:v20220906-g981ce38a7@sha256:aa079daa7efd93aa830e26483a49a6343354518360929494bad1d0ad3303142e + # containerSecurityContext: + # allowPrivilegeEscalation: false # # The image must contain a `/usr/local/bin/init_module.sh` executable, which # will be executed as initContainers, to move its config files within the From 170af7be88ccbcd3a13f67811ab728d056377a26 Mon Sep 17 00:00:00 2001 From: Marco Ebert Date: Thu, 10 Nov 2022 12:20:54 +0100 Subject: [PATCH 022/405] PDB: Add `maxUnavailable`. (#9278) --- charts/ingress-nginx/README.md | 2 +- .../templates/controller-poddisruptionbudget.yaml | 4 ++++ charts/ingress-nginx/values.yaml | 3 +++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index f34615399..f4486ac91 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -367,7 +367,7 @@ Kubernetes: `>=1.20.0-0` | controller.metrics.serviceMonitor.relabelings | list | `[]` | | | controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` | | | controller.metrics.serviceMonitor.targetLabels | list | `[]` | | -| controller.minAvailable | int | `1` | | +| controller.minAvailable | int | `1` | Define either 'minAvailable' or 'maxUnavailable', never both. | | controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | controller.name | string | `"controller"` | | | controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ # | diff --git a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml index 8dfbe9891..899d3cc5d 100644 --- a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml +++ b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml @@ -15,5 +15,9 @@ spec: matchLabels: {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} app.kubernetes.io/component: controller + {{- if .Values.controller.minAvailable }} minAvailable: {{ .Values.controller.minAvailable }} + {{- else if .Values.controller.maxUnavailable }} + maxUnavailable: {{ .Values.controller.maxUnavailable }} + {{- end }} {{- end }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index dc9980d14..c71fd2080 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -345,7 +345,10 @@ controller: replicaCount: 1 + # -- Define either 'minAvailable' or 'maxUnavailable', never both. minAvailable: 1 + # -- Define either 'minAvailable' or 'maxUnavailable', never both. + # maxUnavailable: 1 ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes ## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903 From 69a811dde9368f0464c1e050648a979a67fad3e8 Mon Sep 17 00:00:00 2001 From: Michael Wittig <948604+Sh4kE@users.noreply.github.com> Date: Thu, 10 Nov 2022 14:48:56 +0100 Subject: [PATCH 023/405] fix broken annotation yaml (#9243) --- charts/ingress-nginx/templates/controller-serviceaccount.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/ingress-nginx/templates/controller-serviceaccount.yaml b/charts/ingress-nginx/templates/controller-serviceaccount.yaml index e31819f7c..e6e776d09 100644 --- a/charts/ingress-nginx/templates/controller-serviceaccount.yaml +++ b/charts/ingress-nginx/templates/controller-serviceaccount.yaml @@ -12,7 +12,7 @@ metadata: namespace: {{ .Release.Namespace }} {{- if .Values.serviceAccount.annotations }} annotations: - {{- toYaml .Values.serviceAccount.annotations | indent 4 }} + {{- toYaml .Values.serviceAccount.annotations | nindent 4 }} {{- end }} automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} {{- end }} From 3db3c19685a6f74859a95859ff75ca87890752c5 Mon Sep 17 00:00:00 2001 From: James Strong Date: Fri, 11 Nov 2022 10:00:10 -0500 Subject: [PATCH 024/405] run helm release on main only and when the chart/value changes only (#9290) Signed-off-by: James Strong Signed-off-by: James Strong --- .github/workflows/helm.yaml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml index 4dadc9349..33e06bbdc 100644 --- a/.github/workflows/helm.yaml +++ b/.github/workflows/helm.yaml @@ -4,7 +4,6 @@ on: push: branches: - main - - legacy permissions: contents: read @@ -34,7 +33,7 @@ jobs: filters: | charts: - 'charts/ingress-nginx/Chart.yaml' - - 'charts/ingress-nginx/**/*' + - 'charts/ingress-nginx/values.yaml' chart: name: Release Chart @@ -52,7 +51,7 @@ jobs: steps: - name: Checkout master - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.2 + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 with: # Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896 fetch-depth: 0 @@ -64,10 +63,10 @@ jobs: git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com" - name: Helm Chart Releaser - uses: helm/chart-releaser-action@v1.4.1 + uses: helm/chart-releaser-action@98bccfd32b0f76149d188912ac8e45ddd3f8695f #v1.4.1 env: CR_SKIP_EXISTING: "false" CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}" with: - charts_dir: charts + charts_dir: charts \ No newline at end of file From f08369cdc6d69e5fd8f88644843c884683ae9f49 Mon Sep 17 00:00:00 2001 From: Joseph Richardson <49208786+JoeHCQ1@users.noreply.github.com> Date: Sun, 13 Nov 2022 14:29:56 -0500 Subject: [PATCH 025/405] Fixed indentation in commented-out autoscaling (#9225) --- charts/ingress-nginx/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index c71fd2080..35f922f6b 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -372,7 +372,7 @@ controller: behavior: {} # scaleDown: # stabilizationWindowSeconds: 300 - # policies: + # policies: # - type: Pods # value: 1 # periodSeconds: 180 From a66ee73c5adb005fc4626d2bc750e7fe7f1125ff Mon Sep 17 00:00:00 2001 From: Ehsan Saei <71217171+esigo@users.noreply.github.com> Date: Mon, 14 Nov 2022 20:50:43 +0100 Subject: [PATCH 026/405] OpenTelemetry static linking (#9286) * static otel lib * clean * nginx 1.21 --- images/opentelemetry/rootfs/CMakeLists.txt | 2 +- images/opentelemetry/rootfs/Dockerfile | 2 +- images/opentelemetry/rootfs/build.sh | 48 +--------------------- 3 files changed, 4 insertions(+), 48 deletions(-) diff --git a/images/opentelemetry/rootfs/CMakeLists.txt b/images/opentelemetry/rootfs/CMakeLists.txt index 7278016a0..e4abc7346 100644 --- a/images/opentelemetry/rootfs/CMakeLists.txt +++ b/images/opentelemetry/rootfs/CMakeLists.txt @@ -80,7 +80,7 @@ ExternalProject_Add( -DgRPC_SSL_PROVIDER=package -DOPENSSL_ROOT_DIR=OpenSSL -DgRPC_BUILD_TESTS=OFF - -DBUILD_SHARED_LIBS=ON + -DBUILD_SHARED_LIBS=OFF -DgRPC_INSTALL=ON CMAKE_CACHE_ARGS -DCMAKE_CXX_FLAGS:STRING=${CMAKE_CXX_FLAGS} TEST_AFTER_INSTALL 0 diff --git a/images/opentelemetry/rootfs/Dockerfile b/images/opentelemetry/rootfs/Dockerfile index f8fb37811..3c137dbe2 100644 --- a/images/opentelemetry/rootfs/Dockerfile +++ b/images/opentelemetry/rootfs/Dockerfile @@ -39,7 +39,7 @@ COPY --from=grpc /opt/third_party/install/ /usr COPY --from=otel-cpp /opt/third_party/install/ /usr RUN bash /opt/third_party/build.sh -n -FROM alpine:3.16.2 +FROM alpine:3.16.2 as final COPY --from=base /opt/third_party/init_module.sh /usr/local/bin/init_module.sh COPY --from=nginx /etc/nginx/modules /etc/nginx/modules COPY --from=nginx /opt/third_party/install/lib /etc/nginx/modules diff --git a/images/opentelemetry/rootfs/build.sh b/images/opentelemetry/rootfs/build.sh index 91298274d..19914932c 100755 --- a/images/opentelemetry/rootfs/build.sh +++ b/images/opentelemetry/rootfs/build.sh @@ -97,7 +97,7 @@ install_otel() -DWITH_JAEGER=OFF \ -DCMAKE_INSTALL_PREFIX=${INSTAL_DIR} \ -DBUILD_TESTING=OFF \ - -DBUILD_SHARED_LIBS=ON \ + -DBUILD_SHARED_LIBS=OFF \ -DWITH_OTLP=ON \ -DWITH_OTLP_GRPC=ON \ -DWITH_EXAMPLES=OFF \ @@ -123,7 +123,7 @@ get_src() install_nginx() { - export NGINX_VERSION=1.19.10 + export NGINX_VERSION=1.21.6 # Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp-contrib/compare/2656a4...main export OPENTELEMETRY_CONTRIB_COMMIT=6467ec2e4d67b08b44580b7eb7a298786f4eef91 @@ -153,50 +153,6 @@ install_nginx() cp ${INSTAL_DIR}/otel_ngx_module.so /etc/nginx/modules/otel_ngx_module.so mkdir -p ${INSTAL_DIR}/lib - cp /usr/lib/libopentelemetry_exporter_otlp_grpc.so* ${INSTAL_DIR}/lib - cp /usr/lib/libopentelemetry_otlp_recordable.so* ${INSTAL_DIR}/lib - cp /usr/lib/libprotobuf.so* ${INSTAL_DIR}/lib - cp /usr/lib/libopentelemetry_trace.so* ${INSTAL_DIR}/lib - cp /usr/lib/libopentelemetry_resources.so* ${INSTAL_DIR}/lib - cp /usr/lib/libopentelemetry_common.so* ${INSTAL_DIR}/lib - cp /usr/lib/libstdc++.so* ${INSTAL_DIR}/lib - - cp /usr/lib/libgrpc.so* ${INSTAL_DIR}/lib - cp /usr/lib/libgcc_s.so* ${INSTAL_DIR}/lib - cp /usr/lib/libgrpc++.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_bad_variant_access.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_synchronization.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_raw_hash_set.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_hash.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_statusor.so* ${INSTAL_DIR}/lib - cp /usr/lib/libgpr.so* ${INSTAL_DIR}/lib - cp /usr/lib/libupb.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_status.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_time.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_strings.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_stacktrace.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_symbolize.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_malloc_internal.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_base.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_spinlock_wait.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_raw_logging_internal.so* ${INSTAL_DIR}/lib - cp /usr/lib/libre2.so* ${INSTAL_DIR}/lib - cp /usr/lib/libaddress_sorting.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_cord.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_bad_optional_access.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_str_format_internal.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_throw_delegate.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_time_zone.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_city.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_low_level_hash.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_cordz_info.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_int128.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_strings_internal.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_debugging_internal.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_cord_internal.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_cordz_functions.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_cordz_handle.so* ${INSTAL_DIR}/lib - cp /usr/lib/libabsl_exponential_biased.so* ${INSTAL_DIR}/lib } while getopts ":hpng:o:" option; do From f6af3b460a262bc75278ea17e15f2c16ac69b7f3 Mon Sep 17 00:00:00 2001 From: Gabriel Gosselin <12598930+toutougabi@users.noreply.github.com> Date: Mon, 14 Nov 2022 21:58:41 -0500 Subject: [PATCH 027/405] Missing controller.ingressClass (#9304) The missing controller.ingressClass would set the deployment to the default class but the controller.ingressClassResource.name would set the creation of a new IngressClass object. For now this needs to be done twice, could be a fix in the chart later on. --- docs/index.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/index.md b/docs/index.md index 5687bf5d3..fded1b2bc 100644 --- a/docs/index.md +++ b/docs/index.md @@ -223,6 +223,7 @@ If you start Ingress-Nginx B with the command line argument `--watch-ingress-wit helm install ingress-nginx-2 ingress-nginx/ingress-nginx \ --namespace ingress-nginx-2 \ --set controller.ingressClassResource.name=nginx-two \ + --set controller.ingressClass=nginx-two \ --set controller.ingressClassResource.controllerValue="example.com/ingress-nginx-2" \ --set controller.ingressClassResource.enabled=true \ --set controller.ingressClassByName=true @@ -234,7 +235,9 @@ If you start Ingress-Nginx B with the command line argument `--watch-ingress-wit --namespace kube-system \ --set controller.electionID=nginx-two-leader \ --set controller.ingressClassResource.name=nginx-two \ + --set controller.ingressClass=nginx-two \ --set controller.ingressClassResource.controllerValue="example.com/ingress-nginx-2" \ --set controller.ingressClassResource.enabled=true \ --set controller.ingressClassByName=true - ``` \ No newline at end of file + ``` + - Note, controller.ingressClassResource.name and controller.ingressClass have to be set with the value of the new class as the first is to create the IngressClass object and the other is to modify the deployment of the actuall ingress controller pod. From 1930b1467d93238bbcd96daac8e3863a91e58747 Mon Sep 17 00:00:00 2001 From: Long Wu Yuan Date: Tue, 15 Nov 2022 18:34:42 +0530 Subject: [PATCH 028/405] added SAN to cert create command (#9295) --- docs/user-guide/tls.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/tls.md b/docs/user-guide/tls.md index 3d5234c0c..11338981b 100644 --- a/docs/user-guide/tls.md +++ b/docs/user-guide/tls.md @@ -10,7 +10,7 @@ Anytime we reference a TLS secret, we mean a PEM-encoded X.509, RSA (2048) secre You can generate a self-signed certificate and private key with: ```bash -$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${KEY_FILE} -out ${CERT_FILE} -subj "/CN=${HOST}/O=${HOST}" +$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${KEY_FILE} -out ${CERT_FILE} -subj "/CN=${HOST}/O=${HOST}" -addext "subjectAltName = DNS:${HOST}" ``` Then create the secret in the cluster via: From 2422f16c3afc4fa3d6b408126336a1c115daa326 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 15 Nov 2022 14:22:48 -0800 Subject: [PATCH 029/405] Bump k8s.io/component-base from 0.25.3 to 0.25.4 (#9300) Bumps [k8s.io/component-base](https://github.com/kubernetes/component-base) from 0.25.3 to 0.25.4. - [Release notes](https://github.com/kubernetes/component-base/releases) - [Commits](https://github.com/kubernetes/component-base/compare/v0.25.3...v0.25.4) --- updated-dependencies: - dependency-name: k8s.io/component-base dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 8 ++++---- go.sum | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++-------- 2 files changed, 55 insertions(+), 12 deletions(-) diff --git a/go.mod b/go.mod index 3be4325f6..7bcc6b487 100644 --- a/go.mod +++ b/go.mod @@ -29,14 +29,14 @@ require ( google.golang.org/grpc v1.50.1 gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 - k8s.io/api v0.25.3 + k8s.io/api v0.25.4 k8s.io/apiextensions-apiserver v0.25.0 - k8s.io/apimachinery v0.25.3 + k8s.io/apimachinery v0.25.4 k8s.io/apiserver v0.25.0 k8s.io/cli-runtime v0.25.0 - k8s.io/client-go v0.25.3 + k8s.io/client-go v0.25.4 k8s.io/code-generator v0.25.0 - k8s.io/component-base v0.25.3 + k8s.io/component-base v0.25.4 k8s.io/klog/v2 v2.80.1 pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 sigs.k8s.io/controller-runtime v0.13.1 diff --git a/go.sum b/go.sum index e212f2972..9067276db 100644 --- a/go.sum +++ b/go.sum @@ -515,6 +515,49 @@ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0 h1:b9gGHsz9/HhJ3HF5DHQytPpuwocVTChQJK3AvoLRD5I= golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= +golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0= golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= @@ -870,22 +913,22 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.25.3 h1:Q1v5UFfYe87vi5H7NU0p4RXC26PPMT8KOpr1TLQbCMQ= -k8s.io/api v0.25.3/go.mod h1:o42gKscFrEVjHdQnyRenACrMtbuJsVdP+WVjqejfzmI= +k8s.io/api v0.25.4 h1:3YO8J4RtmG7elEgaWMb4HgmpS2CfY1QlaOz9nwB+ZSs= +k8s.io/api v0.25.4/go.mod h1:IG2+RzyPQLllQxnhzD8KQNEu4c4YvyDTpSMztf4A0OQ= k8s.io/apiextensions-apiserver v0.25.0 h1:CJ9zlyXAbq0FIW8CD7HHyozCMBpDSiH7EdrSTCZcZFY= k8s.io/apiextensions-apiserver v0.25.0/go.mod h1:3pAjZiN4zw7R8aZC5gR0y3/vCkGlAjCazcg1me8iB/E= -k8s.io/apimachinery v0.25.3 h1:7o9ium4uyUOM76t6aunP0nZuex7gDf8VGwkR5RcJnQc= -k8s.io/apimachinery v0.25.3/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo= +k8s.io/apimachinery v0.25.4 h1:CtXsuaitMESSu339tfhVXhQrPET+EiWnIY1rcurKnAc= +k8s.io/apimachinery v0.25.4/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo= k8s.io/apiserver v0.25.0 h1:8kl2ifbNffD440MyvHtPaIz1mw4mGKVgWqM0nL+oyu4= k8s.io/apiserver v0.25.0/go.mod h1:BKwsE+PTC+aZK+6OJQDPr0v6uS91/HWxX7evElAH6xo= k8s.io/cli-runtime v0.25.0 h1:XBnTc2Fi+w818jcJGzhiJKQuXl8479sZ4FhtV5hVJ1Q= k8s.io/cli-runtime v0.25.0/go.mod h1:bHOI5ZZInRHhbq12OdUiYZQN8ml8aKZLwQgt9QlLINw= -k8s.io/client-go v0.25.3 h1:oB4Dyl8d6UbfDHD8Bv8evKylzs3BXzzufLiO27xuPs0= -k8s.io/client-go v0.25.3/go.mod h1:t39LPczAIMwycjcXkVc+CB+PZV69jQuNx4um5ORDjQA= +k8s.io/client-go v0.25.4 h1:3RNRDffAkNU56M/a7gUfXaEzdhZlYhoW8dgViGy5fn8= +k8s.io/client-go v0.25.4/go.mod h1:8trHCAC83XKY0wsBIpbirZU4NTUpbuhc2JnI7OruGZw= k8s.io/code-generator v0.25.0 h1:QP8fJuXu882ztf6dsqJsso/Btm94pMd68TAZC1rE6KI= k8s.io/code-generator v0.25.0/go.mod h1:B6jZgI3DvDFAualltPitbYMQ74NjaCFxum3YeKZZ+3w= -k8s.io/component-base v0.25.3 h1:UrsxciGdrCY03ULT1h/S/gXFCOPnLhUVwSyx+hM/zq4= -k8s.io/component-base v0.25.3/go.mod h1:WYoS8L+IlTZgU7rhAl5Ctpw0WdMxDfCC5dkxcEFa/TI= +k8s.io/component-base v0.25.4 h1:n1bjg9Yt+G1C0WnIDJmg2fo6wbEU1UGMRiQSjmj7hNQ= +k8s.io/component-base v0.25.4/go.mod h1:nnZJU8OP13PJEm6/p5V2ztgX2oyteIaAGKGMYb2L2cY= k8s.io/gengo v0.0.0-20211129171323-c02415ce4185 h1:TT1WdmqqXareKxZ/oNXEUSwKlLiHzPMyB0t8BaFeBYI= k8s.io/gengo v0.0.0-20211129171323-c02415ce4185/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= From b6c6305523ae65114dabeca347fba7ab68e1c789 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 15 Nov 2022 14:24:47 -0800 Subject: [PATCH 030/405] Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (#9301) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 3.0.0. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/0efb1d1d84fc9633afcdaad14c485cbbc90ef46c...30d582111533d59ab793fd9f971817241654f3ec) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/depreview.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/depreview.yaml b/.github/workflows/depreview.yaml index 85c91d664..39125cde4 100644 --- a/.github/workflows/depreview.yaml +++ b/.github/workflows/depreview.yaml @@ -11,4 +11,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 #v3.0.2 - name: 'Dependency Review' - uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c #v2.0.2 + uses: actions/dependency-review-action@30d582111533d59ab793fd9f971817241654f3ec #v2.0.2 From c1413e6079b0e642dcc923642b0df1c5baa29df9 Mon Sep 17 00:00:00 2001 From: Ricardo Katz Date: Thu, 17 Nov 2022 09:24:40 -0300 Subject: [PATCH 031/405] Validate ingress path fields (#9309) * Validate characters in path fields * Add e2e tests for path validation * Fix review comments --- internal/ingress/controller/store/store.go | 5 + pkg/util/ingress/ingress.go | 25 ++++ pkg/util/ingress/ingress_test.go | 85 +++++++++++++ test/e2e/security/invalid_paths.go | 134 +++++++++++++++++++++ 4 files changed, 249 insertions(+) create mode 100644 test/e2e/security/invalid_paths.go diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go index 7913eb0de..7f493bd8a 100644 --- a/internal/ingress/controller/store/store.go +++ b/internal/ingress/controller/store/store.go @@ -59,6 +59,7 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" "k8s.io/ingress-nginx/internal/k8s" "k8s.io/ingress-nginx/pkg/apis/ingress" + ingressutils "k8s.io/ingress-nginx/pkg/util/ingress" ) // IngressFilterFunc decides if an Ingress should be omitted or not @@ -861,6 +862,10 @@ func (s *k8sStore) syncIngress(ing *networkingv1.Ingress) { if path.Path == "" { copyIng.Spec.Rules[ri].HTTP.Paths[pi].Path = "/" } + if !ingressutils.IsSafePath(copyIng, path.Path) { + klog.Warningf("ingress %s contains invalid path %s", key, path.Path) + return + } } } diff --git a/pkg/util/ingress/ingress.go b/pkg/util/ingress/ingress.go index 7df2cc114..5fb3ee7b9 100644 --- a/pkg/util/ingress/ingress.go +++ b/pkg/util/ingress/ingress.go @@ -18,15 +18,30 @@ package ingress import ( "fmt" + "regexp" "strings" + networkingv1 "k8s.io/api/networking/v1" "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/internal/k8s" "k8s.io/ingress-nginx/internal/net/ssl" "k8s.io/ingress-nginx/pkg/apis/ingress" "k8s.io/klog/v2" ) +const ( + alphaNumericChars = `\-\.\_\~a-zA-Z0-9/` + regexEnabledChars = `\^\$\[\]\(\)\{\}\*\+` +) + +var ( + // pathAlphaNumeric is a regex validation of something like "^/[a-zA-Z]+$" on path + pathAlphaNumeric = regexp.MustCompile("^/[" + alphaNumericChars + "]*$").MatchString + // pathRegexEnabled is a regex validation of paths that may contain regex. + pathRegexEnabled = regexp.MustCompile("^/[" + alphaNumericChars + regexEnabledChars + "]*$").MatchString +) + func GetRemovedHosts(rucfg, newcfg *ingress.Configuration) []string { oldSet := sets.NewString() newSet := sets.NewString() @@ -231,3 +246,13 @@ func BuildRedirects(servers []*ingress.Server) []*redirect { return redirectServers } + +// IsSafePath verifies if the path used in ingress object contains only valid characters. +// It will behave differently if regex is enabled or not +func IsSafePath(copyIng *networkingv1.Ingress, path string) bool { + isRegex, _ := parser.GetBoolAnnotation("use-regex", copyIng) + if isRegex { + return pathRegexEnabled(path) + } + return pathAlphaNumeric(path) +} diff --git a/pkg/util/ingress/ingress_test.go b/pkg/util/ingress/ingress_test.go index 24597fb6e..d829a57f1 100644 --- a/pkg/util/ingress/ingress_test.go +++ b/pkg/util/ingress/ingress_test.go @@ -17,8 +17,13 @@ limitations under the License. package ingress import ( + "fmt" "testing" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + networkingv1 "k8s.io/api/networking/v1" + "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/pkg/apis/ingress" ) @@ -130,3 +135,83 @@ func TestIsDynamicConfigurationEnough(t *testing.T) { t.Errorf("Expected new config to not change") } } + +func generateDumbIngressforPathTest(regexEnabled bool) *networkingv1.Ingress { + var annotations = make(map[string]string) + regexAnnotation := fmt.Sprintf("%s/use-regex", parser.AnnotationsPrefix) + if regexEnabled { + annotations[regexAnnotation] = "true" + } + return &networkingv1.Ingress{ + ObjectMeta: metav1.ObjectMeta{ + Name: "dumb", + Namespace: "default", + Annotations: annotations, + }, + } +} + +func TestIsSafePath(t *testing.T) { + tests := []struct { + name string + copyIng *networkingv1.Ingress + path string + want bool + }{ + { + name: "should accept valid path with regex disabled", + want: true, + copyIng: generateDumbIngressforPathTest(false), + path: "/xpto/~user/t-e_st.exe", + }, + { + name: "should accept valid path / with regex disabled", + want: true, + copyIng: generateDumbIngressforPathTest(false), + path: "/", + }, + { + name: "should reject invalid path with invalid chars", + want: false, + copyIng: generateDumbIngressforPathTest(false), + path: "/foo/bar/;xpto", + }, + { + name: "should reject regex path when regex is disabled", + want: false, + copyIng: generateDumbIngressforPathTest(false), + path: "/foo/bar/(.+)", + }, + { + name: "should accept valid path / with regex enabled", + want: true, + copyIng: generateDumbIngressforPathTest(true), + path: "/", + }, + { + name: "should accept regex path when regex is enabled", + want: true, + copyIng: generateDumbIngressforPathTest(true), + path: "/foo/bar/(.+)", + }, + { + name: "should reject regex path when regex is enabled but the path is invalid", + want: false, + copyIng: generateDumbIngressforPathTest(true), + path: "/foo/bar/;xpto", + }, + { + name: "should reject regex path when regex is enabled but the path is invalid", + want: false, + copyIng: generateDumbIngressforPathTest(true), + path: ";xpto", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := IsSafePath(tt.copyIng, tt.path); got != tt.want { + t.Errorf("IsSafePath() = %v, want %v", got, tt.want) + } + }) + } +} diff --git a/test/e2e/security/invalid_paths.go b/test/e2e/security/invalid_paths.go new file mode 100644 index 000000000..d75aefc2c --- /dev/null +++ b/test/e2e/security/invalid_paths.go @@ -0,0 +1,134 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package security + +import ( + "fmt" + "net/http" + "strings" + + "github.com/onsi/ginkgo/v2" + + "k8s.io/ingress-nginx/test/e2e/framework" +) + +const ( + validPath = "/xpto/~user/t-e_st.exe" + invalidPath = "/foo/bar/;xpto" + regexPath = "/foo/bar/(.+)" + host = "securitytest.com" +) + +var ( + annotationRegex = map[string]string{ + "nginx.ingress.kubernetes.io/use-regex": "true", + } +) + +var _ = framework.IngressNginxDescribe("[Security] validate path fields", func() { + f := framework.NewDefaultFramework("validate-path") + + ginkgo.BeforeEach(func() { + f.NewEchoDeployment() + }) + + ginkgo.It("should accept an ingress with valid path", func() { + + ing := framework.NewSingleIngress(host, validPath, host, f.Namespace, framework.EchoService, 80, nil) + + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + }) + + f.HTTPTestClient(). + GET(validPath). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK) + }) + + ginkgo.It("should drop an ingress with invalid path", func() { + + ing := framework.NewSingleIngress(host, invalidPath, host, f.Namespace, framework.EchoService, 80, nil) + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + }) + + f.HTTPTestClient(). + GET(invalidPath). + WithHeader("Host", host). + Expect(). + Status(http.StatusNotFound) + }) + + ginkgo.It("should drop an ingress with regex path and regex disabled", func() { + + ing := framework.NewSingleIngress(host, regexPath, host, f.Namespace, framework.EchoService, 80, nil) + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + }) + + f.HTTPTestClient(). + GET("/foo/bar/lalala"). + WithHeader("Host", host). + Expect(). + Status(http.StatusNotFound) + }) + + ginkgo.It("should accept an ingress with regex path and regex enabled", func() { + + ing := framework.NewSingleIngress(host, regexPath, host, f.Namespace, framework.EchoService, 80, annotationRegex) + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + }) + + f.HTTPTestClient(). + GET("/foo/bar/lalala"). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK) + }) + + ginkgo.It("should reject an ingress with invalid path and regex enabled", func() { + + ing := framework.NewSingleIngress(host, invalidPath, host, f.Namespace, framework.EchoService, 80, annotationRegex) + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + }) + + f.HTTPTestClient(). + GET(invalidPath). + WithHeader("Host", host). + Expect(). + Status(http.StatusNotFound) + }) +}) From 8f134abb89abae628965ff8458f461c6c4cc84f9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Nov 2022 04:22:31 -0800 Subject: [PATCH 032/405] Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.1 (#9317) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.1. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.4.0...v2.5.1) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 6 +++--- go.sum | 14 +++++++------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/go.mod b/go.mod index 7bcc6b487..6dc0fceb9 100644 --- a/go.mod +++ b/go.mod @@ -14,7 +14,7 @@ require ( github.com/mitchellh/mapstructure v1.5.0 github.com/moul/pb v0.0.0-20220425114252-bca18df4138c github.com/ncabatoff/process-exporter v0.7.10 - github.com/onsi/ginkgo/v2 v2.4.0 + github.com/onsi/ginkgo/v2 v2.5.1 github.com/opencontainers/runc v1.1.4 github.com/pmezard/go-difflib v1.0.0 github.com/prometheus/client_golang v1.13.1 @@ -78,7 +78,7 @@ require ( github.com/gomarkdown/markdown v0.0.0-20210514010506-3b9f47219fe7 // indirect github.com/google/btree v1.0.1 // indirect github.com/google/gnostic v0.5.7-v3refs // indirect - github.com/google/go-cmp v0.5.8 // indirect + github.com/google/go-cmp v0.5.9 // indirect github.com/google/gofuzz v1.1.0 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect github.com/google/uuid v1.2.0 // indirect @@ -109,7 +109,7 @@ require ( golang.org/x/mod v0.6.0 // indirect golang.org/x/net v0.1.0 // indirect golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect - golang.org/x/sys v0.1.0 // indirect + golang.org/x/sys v0.2.0 // indirect golang.org/x/term v0.1.0 // indirect golang.org/x/text v0.4.0 // indirect golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect diff --git a/go.sum b/go.sum index 9067276db..2fbdb9db8 100644 --- a/go.sum +++ b/go.sum @@ -230,8 +230,8 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg= -github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= @@ -349,9 +349,9 @@ github.com/ncabatoff/process-exporter v0.7.10/go.mod h1:DHZRZjqxw9LCOpLlX0DjBuyn github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= -github.com/onsi/ginkgo/v2 v2.4.0 h1:+Ig9nvqgS5OBSACXNk15PLdp0U9XPYROt9CFzVdFGIs= -github.com/onsi/ginkgo/v2 v2.4.0/go.mod h1:iHkDK1fKGcBoEHT5W7YBq4RFWaQulw+caOMkAt4OrFo= -github.com/onsi/gomega v1.22.1 h1:pY8O4lBfsHKZHM/6nrxkhVPUznOlIu3quZcKP/M20KI= +github.com/onsi/ginkgo/v2 v2.5.1 h1:auzK7OI497k6x4OvWq+TKAcpcSAlod0doAH72oIN0Jw= +github.com/onsi/ginkgo/v2 v2.5.1/go.mod h1:63DOGlLAH8+REH8jUGdL3YpCpu7JODesutUjdENfUAc= +github.com/onsi/gomega v1.24.0 h1:+0glovB9Jd6z3VR+ScSwQqXVTIfJcGA9UBM8yzQxhqg= github.com/opencontainers/runc v1.1.4 h1:nRCz/8sKg6K6jgYAFLDlXzPeITBZJyX28DBVhWD+5dg= github.com/opencontainers/runc v1.1.4/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc= @@ -653,8 +653,8 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U= -golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A= +golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw= From 4027efaefa97d4f495833662cd71d4f5e9c9c922 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Nov 2022 13:12:13 -0800 Subject: [PATCH 033/405] Bump golang.org/x/crypto from 0.1.0 to 0.3.0 (#9318) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.1.0 to 0.3.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](https://github.com/golang/crypto/compare/v0.1.0...v0.3.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index 6dc0fceb9..6d6bc2eff 100644 --- a/go.mod +++ b/go.mod @@ -25,7 +25,7 @@ require ( github.com/stretchr/testify v1.8.1 github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a - golang.org/x/crypto v0.1.0 + golang.org/x/crypto v0.3.0 google.golang.org/grpc v1.50.1 gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 @@ -107,10 +107,10 @@ require ( github.com/yudai/pp v2.0.1+incompatible // indirect go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect golang.org/x/mod v0.6.0 // indirect - golang.org/x/net v0.1.0 // indirect + golang.org/x/net v0.2.0 // indirect golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect golang.org/x/sys v0.2.0 // indirect - golang.org/x/term v0.1.0 // indirect + golang.org/x/term v0.2.0 // indirect golang.org/x/text v0.4.0 // indirect golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect golang.org/x/tools v0.2.0 // indirect diff --git a/go.sum b/go.sum index 2fbdb9db8..3eb74db73 100644 --- a/go.sum +++ b/go.sum @@ -476,8 +476,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU= -golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= +golang.org/x/crypto v0.3.0 h1:a06MkbcxBrEFc0w0QIZWXrH/9cCX6KJyWbBOIwAn+7A= +golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -558,8 +558,8 @@ golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qx golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0= -golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= +golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU= +golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -657,8 +657,8 @@ golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw= -golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.2.0 h1:z85xZCsEl7bi/KwbNADeBYoOP0++7W1ipu+aGnpwzRM= +golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= From d24c97c63e4fd47e0b979256d510ba96ea479f1f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Nov 2022 13:14:12 -0800 Subject: [PATCH 034/405] Bump actions/dependency-review-action from 3.0.0 to 3.0.1 (#9319) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.0 to 3.0.1. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/30d582111533d59ab793fd9f971817241654f3ec...11310527b429536e263dc6cc47873e608189ba21) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/depreview.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/depreview.yaml b/.github/workflows/depreview.yaml index 39125cde4..5350d6e57 100644 --- a/.github/workflows/depreview.yaml +++ b/.github/workflows/depreview.yaml @@ -11,4 +11,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 #v3.0.2 - name: 'Dependency Review' - uses: actions/dependency-review-action@30d582111533d59ab793fd9f971817241654f3ec #v2.0.2 + uses: actions/dependency-review-action@11310527b429536e263dc6cc47873e608189ba21 #v2.0.2 From 7b53347984154d1ea713fbf4a671a172ed79dfac Mon Sep 17 00:00:00 2001 From: caption <101684156+chncaption@users.noreply.github.com> Date: Tue, 22 Nov 2022 05:18:17 +0800 Subject: [PATCH 035/405] update gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b to 3.0.0 (#9277) --- images/kube-webhook-certgen/rootfs/go.mod | 2 +- images/kube-webhook-certgen/rootfs/go.sum | 45 +++++++++++++++++++++++ 2 files changed, 46 insertions(+), 1 deletion(-) diff --git a/images/kube-webhook-certgen/rootfs/go.mod b/images/kube-webhook-certgen/rootfs/go.mod index 5e2e98f54..b98adf58b 100644 --- a/images/kube-webhook-certgen/rootfs/go.mod +++ b/images/kube-webhook-certgen/rootfs/go.mod @@ -39,7 +39,7 @@ require ( google.golang.org/protobuf v1.26.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect - gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect + gopkg.in/yaml.v3 v3.0.0 // indirect k8s.io/klog/v2 v2.9.0 // indirect k8s.io/kube-openapi v0.0.0-20211109043538-20434351676c // indirect k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a // indirect diff --git a/images/kube-webhook-certgen/rootfs/go.sum b/images/kube-webhook-certgen/rootfs/go.sum index a05f65b19..0270e3297 100644 --- a/images/kube-webhook-certgen/rootfs/go.sum +++ b/images/kube-webhook-certgen/rootfs/go.sum @@ -88,6 +88,7 @@ github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emicklei/go-restful v2.16.0+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= @@ -451,6 +452,38 @@ golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzB golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0= golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= @@ -504,9 +537,12 @@ golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -519,6 +555,13 @@ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9sn golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -667,6 +710,8 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo= gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0 h1:hjy8E9ON/egN1tAYqKb61G10WtihqetD4sz2H+8nIeA= +gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= From c07f8a573bbfb929b7d85ab069bbc705e5739a76 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Nov 2022 13:20:13 -0800 Subject: [PATCH 036/405] Bump github.com/prometheus/client_golang from 1.13.1 to 1.14.0 (#9298) Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.13.1 to 1.14.0. - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](https://github.com/prometheus/client_golang/compare/v1.13.1...v1.14.0) --- updated-dependencies: - dependency-name: github.com/prometheus/client_golang dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 6d6bc2eff..91bda5845 100644 --- a/go.mod +++ b/go.mod @@ -17,7 +17,7 @@ require ( github.com/onsi/ginkgo/v2 v2.5.1 github.com/opencontainers/runc v1.1.4 github.com/pmezard/go-difflib v1.0.0 - github.com/prometheus/client_golang v1.13.1 + github.com/prometheus/client_golang v1.14.0 github.com/prometheus/client_model v0.3.0 github.com/prometheus/common v0.37.0 github.com/spf13/cobra v1.6.1 diff --git a/go.sum b/go.sum index 3eb74db73..f53cec3a6 100644 --- a/go.sum +++ b/go.sum @@ -371,8 +371,8 @@ github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5Fsn github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= -github.com/prometheus/client_golang v1.13.1 h1:3gMjIY2+/hzmqhtUC/aQNYldJA6DtH3CgQvwS+02K1c= -github.com/prometheus/client_golang v1.13.1/go.mod h1:vTeo+zgvILHsnnj/39Ou/1fPN5nJFOEMgftOUOmlvYQ= +github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw= +github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= From 02cfcff81e86b571fe9431af558a5a0cce99960d Mon Sep 17 00:00:00 2001 From: Michael Weibel <307427+mweibel@users.noreply.github.com> Date: Tue, 22 Nov 2022 05:56:15 -0800 Subject: [PATCH 037/405] remove hardcoded datasource from grafana dashboard (#9284) --- deploy/grafana/dashboards/nginx.json | 26 ++------------------------ 1 file changed, 2 insertions(+), 24 deletions(-) diff --git a/deploy/grafana/dashboards/nginx.json b/deploy/grafana/dashboards/nginx.json index 718d41a83..85f93c9eb 100644 --- a/deploy/grafana/dashboards/nginx.json +++ b/deploy/grafana/dashboards/nginx.json @@ -1235,10 +1235,7 @@ "type": "table" }, { - "datasource": { - "type": "prometheus", - "uid": "P1809F7CD0C75ACF3" - }, + "datasource": "${DS_PROMETHEUS}", "fieldConfig": { "defaults": { "color": { @@ -1314,10 +1311,6 @@ "repeatDirection": "h", "targets": [ { - "datasource": { - "type": "prometheus", - "uid": "P1809F7CD0C75ACF3" - }, "exemplar": true, "expr": "histogram_quantile(0.80, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\",exported_namespace=\"uat\"}[2m])) by (le))", "format": "time_series", @@ -1329,10 +1322,6 @@ "refId": "C" }, { - "datasource": { - "type": "prometheus", - "uid": "P1809F7CD0C75ACF3" - }, "exemplar": true, "expr": "histogram_quantile(0.90, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\",exported_namespace=\"uat\"}[2m])) by (le))", "format": "time_series", @@ -1344,10 +1333,6 @@ "refId": "D" }, { - "datasource": { - "type": "prometheus", - "uid": "P1809F7CD0C75ACF3" - }, "editorMode": "code", "exemplar": true, "expr": "histogram_quantile(0.99, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\",exported_namespace=\"uat\"}[2m])) by (le))", @@ -1373,10 +1358,7 @@ "mode": "spectrum" }, "dataFormat": "tsbuckets", - "datasource": { - "type": "prometheus", - "uid": "P1809F7CD0C75ACF3" - }, + "datasource": "${DS_PROMETHEUS}", "description": "", "gridPos": { "h": 7, @@ -1394,10 +1376,6 @@ "reverseYBuckets": false, "targets": [ { - "datasource": { - "type": "prometheus", - "uid": "P1809F7CD0C75ACF3" - }, "exemplar": true, "expr": "sum(increase(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\",exported_namespace=\"uat\"}[2m])) by (le)", "format": "heatmap", From b34f6ef324ad038de4e235706f84f7075a8c836b Mon Sep 17 00:00:00 2001 From: aimuz Date: Thu, 24 Nov 2022 09:38:03 +0800 Subject: [PATCH 038/405] remove the configmap related permissions (#9310) ref: https://github.com/kubernetes/ingress-nginx/pull/8921 We have used the Lease API for selection Signed-off-by: aimuz Signed-off-by: aimuz --- .../templates/controller-role.yaml | 20 ------------------- 1 file changed, 20 deletions(-) diff --git a/charts/ingress-nginx/templates/controller-role.yaml b/charts/ingress-nginx/templates/controller-role.yaml index 395c88e10..d1aa9aac7 100644 --- a/charts/ingress-nginx/templates/controller-role.yaml +++ b/charts/ingress-nginx/templates/controller-role.yaml @@ -58,26 +58,6 @@ rules: - get - list - watch - # TODO(Jintao Zhang) - # Once we release a new version of the controller, - # we will be able to remove the configmap related permissions - # We have used the Lease API for selection - # ref: https://github.com/kubernetes/ingress-nginx/pull/8921 - - apiGroups: - - "" - resources: - - configmaps - resourceNames: - - {{ include "ingress-nginx.controller.electionID" . }} - verbs: - - get - - update - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resources: From 1e08519a733b50134eae37f300f96b58bdb616e5 Mon Sep 17 00:00:00 2001 From: LongWuYuan Date: Fri, 25 Nov 2022 06:09:11 +0530 Subject: [PATCH 039/405] fixed multiple ginkgo versions --- build/run-in-docker.sh | 2 +- images/test-runner/rootfs/Dockerfile | 2 +- test/e2e/run-chart-test.sh | 2 +- test/e2e/run.sh | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh index b0377f455..64dad1cf9 100755 --- a/build/run-in-docker.sh +++ b/build/run-in-docker.sh @@ -77,7 +77,7 @@ if [[ "$DOCKER_IN_DOCKER_ENABLED" == "true" ]]; then echo "FLAGS=$FLAGS" go env set -x - go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.1.4 + go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.5.1 find / -type f -name ginkgo 2>/dev/null which ginkgo /bin/bash -c "${FLAGS}" diff --git a/images/test-runner/rootfs/Dockerfile b/images/test-runner/rootfs/Dockerfile index 790bf1248..199997536 100644 --- a/images/test-runner/rootfs/Dockerfile +++ b/images/test-runner/rootfs/Dockerfile @@ -49,7 +49,7 @@ ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH" -RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.1.4 && go install golang.org/x/lint/golint@latest +RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.5.1 && go install golang.org/x/lint/golint@latest ARG RESTY_CLI_VERSION ARG RESTY_CLI_SHA diff --git a/test/e2e/run-chart-test.sh b/test/e2e/run-chart-test.sh index 2af8aa1d3..fdb3121d8 100755 --- a/test/e2e/run-chart-test.sh +++ b/test/e2e/run-chart-test.sh @@ -78,7 +78,7 @@ fi if [ "${SKIP_IMAGE_CREATION:-false}" = "false" ]; then if ! command -v ginkgo &> /dev/null; then - go get github.com/onsi/ginkgo/v2/ginkgo@v2.1.4 + go get github.com/onsi/ginkgo/v2/ginkgo@v2.5.1 fi echo "[dev-env] building image" make -C ${DIR}/../../ clean-image build image diff --git a/test/e2e/run.sh b/test/e2e/run.sh index 0fc6fdb5e..4cd95267f 100755 --- a/test/e2e/run.sh +++ b/test/e2e/run.sh @@ -79,7 +79,7 @@ fi if [ "${SKIP_IMAGE_CREATION:-false}" = "false" ]; then if ! command -v ginkgo &> /dev/null; then - go get github.com/onsi/ginkgo/v2/ginkgo@v2.1.4 + go get github.com/onsi/ginkgo/v2/ginkgo@v2.5.1 fi echo "[dev-env] building image" From 9d562c47abe8475fc62528140352b7e802ef6bbe Mon Sep 17 00:00:00 2001 From: Long Wu Yuan Date: Fri, 25 Nov 2022 14:58:06 +0530 Subject: [PATCH 040/405] create nsswitch-conf if missing (#9339) --- images/test-runner/rootfs/Dockerfile | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/images/test-runner/rootfs/Dockerfile b/images/test-runner/rootfs/Dockerfile index 199997536..30e7e1ab2 100644 --- a/images/test-runner/rootfs/Dockerfile +++ b/images/test-runner/rootfs/Dockerfile @@ -21,7 +21,13 @@ FROM registry.k8s.io/etcd:${ETCD_VERSION} as etcd FROM ${BASE_IMAGE} -RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf +RUN set -eux; \ + if [ -e /etc/nsswitch.conf ]; then \ + grep '^hosts: files dns' /etc/nsswitch.conf; \ + else \ + echo 'hosts: files dns' > /etc/nsswitch.conf; \ + fi + COPY --from=GO /usr/local/go /usr/local/go COPY --from=etcd /usr/local/bin/etcd /usr/local/bin/etcd From b338cb391754125b7884196d7b8d4b55dbad14d8 Mon Sep 17 00:00:00 2001 From: Long Wu Yuan Date: Sat, 26 Nov 2022 08:46:04 +0530 Subject: [PATCH 041/405] bumped ginkgo to v2.5.1 in testrunner (#9340) --- build/run-in-docker.sh | 2 +- test/e2e-image/Makefile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh index 64dad1cf9..cb8ad18f0 100755 --- a/build/run-in-docker.sh +++ b/build/run-in-docker.sh @@ -38,7 +38,7 @@ function cleanup { } trap cleanup EXIT -E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20221012-controller-v1.4.0-14-g93df79676@sha256:9ab6a412b0ea6ae77abc80309608976ec15141e146fa91ef4352400cb9051086} +E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20221125-controller-v1.5.1-21-g9d562c47a@sha256:50c5469f08b664e928a3035ac94a2348955b669d7ac33809abc674c8fd6c19c1} DOCKER_OPTS=${DOCKER_OPTS:-} DOCKER_IN_DOCKER_ENABLED=${DOCKER_IN_DOCKER_ENABLED:-} diff --git a/test/e2e-image/Makefile b/test/e2e-image/Makefile index ce46b93ab..64094ec34 100644 --- a/test/e2e-image/Makefile +++ b/test/e2e-image/Makefile @@ -1,6 +1,6 @@ DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST)))) -E2E_BASE_IMAGE="registry.k8s.io/ingress-nginx/e2e-test-runner:v20221012-controller-v1.4.0-14-g93df79676@sha256:9ab6a412b0ea6ae77abc80309608976ec15141e146fa91ef4352400cb9051086" +E2E_BASE_IMAGE="registry.k8s.io/ingress-nginx/e2e-test-runner:v20221125-controller-v1.5.1-21-g9d562c47a@sha256:50c5469f08b664e928a3035ac94a2348955b669d7ac33809abc674c8fd6c19c1" image: echo "..entered Makefile in /test/e2e-image" From 3437cab8ca40c929812df10fd94eb20eda240c46 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Herv=C3=A9?= Date: Wed, 30 Nov 2022 16:44:55 +0100 Subject: [PATCH 042/405] Fix typos found by codespell (#9353) ``` $ codespell ./README.md:178: informations ==> information ./README.md.gotmpl:177: informations ==> information ./CHANGELOG.md:132: comparision ==> comparison ./CHANGELOG.md:142: executible ==> executable ./CHANGELOG.md:159: defaul ==> default ``` --- charts/ingress-nginx/CHANGELOG.md | 6 +++--- charts/ingress-nginx/README.md | 2 +- charts/ingress-nginx/README.md.gotmpl | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md index 1b7adb25b..7d81ac1bd 100644 --- a/charts/ingress-nginx/CHANGELOG.md +++ b/charts/ingress-nginx/CHANGELOG.md @@ -129,7 +129,7 @@ This file documents all notable changes to [ingress-nginx](https://github.com/ku - [8118] https://github.com/kubernetes/ingress-nginx/pull/8118 Remove deprecated libraries, update other libs - [8117] https://github.com/kubernetes/ingress-nginx/pull/8117 Fix codegen errors - [8115] https://github.com/kubernetes/ingress-nginx/pull/8115 chart/ghaction: set the correct permission to have access to push a release -- [8098] https://github.com/kubernetes/ingress-nginx/pull/8098 generating SHA for CA only certs in backend_ssl.go + comparision of P… +- [8098] https://github.com/kubernetes/ingress-nginx/pull/8098 generating SHA for CA only certs in backend_ssl.go + comparison of P… - [8088] https://github.com/kubernetes/ingress-nginx/pull/8088 Fix Edit this page link to use main branch - [8072] https://github.com/kubernetes/ingress-nginx/pull/8072 Expose GeoIP2 Continent code as variable - [8061] https://github.com/kubernetes/ingress-nginx/pull/8061 docs(charts): using helm-docs for chart @@ -139,7 +139,7 @@ This file documents all notable changes to [ingress-nginx](https://github.com/ku - [8046] https://github.com/kubernetes/ingress-nginx/pull/8046 Report expired certificates (#8045) - [8044] https://github.com/kubernetes/ingress-nginx/pull/8044 remove G109 check till gosec resolves issues - [8042] https://github.com/kubernetes/ingress-nginx/pull/8042 docs_multiple_instances_one_cluster_ticket_7543 -- [8041] https://github.com/kubernetes/ingress-nginx/pull/8041 docs: fix typo'd executible name +- [8041] https://github.com/kubernetes/ingress-nginx/pull/8041 docs: fix typo'd executable name - [8035] https://github.com/kubernetes/ingress-nginx/pull/8035 Comment busy owners - [8029] https://github.com/kubernetes/ingress-nginx/pull/8029 Add stream-snippet as a ConfigMap and Annotation option - [8023] https://github.com/kubernetes/ingress-nginx/pull/8023 fix nginx compilation flags @@ -156,7 +156,7 @@ This file documents all notable changes to [ingress-nginx](https://github.com/ku - [7996] https://github.com/kubernetes/ingress-nginx/pull/7996 doc: improvement - [7983] https://github.com/kubernetes/ingress-nginx/pull/7983 Fix a couple of misspellings in the annotations documentation. - [7979] https://github.com/kubernetes/ingress-nginx/pull/7979 allow set annotations for admission Jobs -- [7977] https://github.com/kubernetes/ingress-nginx/pull/7977 Add ssl_reject_handshake to defaul server +- [7977] https://github.com/kubernetes/ingress-nginx/pull/7977 Add ssl_reject_handshake to default server - [7975] https://github.com/kubernetes/ingress-nginx/pull/7975 add legacy version update v0.50.0 to main changelog - [7972] https://github.com/kubernetes/ingress-nginx/pull/7972 updated service upstream definition diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index f4486ac91..5922884cd 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -175,7 +175,7 @@ controller: internal: enabled: true annotations: - # Create internal LB. More informations: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing + # Create internal LB. More information: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing # For GKE versions 1.17 and later networking.gke.io/load-balancer-type: "Internal" # For earlier versions diff --git a/charts/ingress-nginx/README.md.gotmpl b/charts/ingress-nginx/README.md.gotmpl index 895996111..9a7d7bdfd 100644 --- a/charts/ingress-nginx/README.md.gotmpl +++ b/charts/ingress-nginx/README.md.gotmpl @@ -174,7 +174,7 @@ controller: internal: enabled: true annotations: - # Create internal LB. More informations: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing + # Create internal LB. More information: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing # For GKE versions 1.17 and later networking.gke.io/load-balancer-type: "Internal" # For earlier versions From c234d1f10b846f7e7a7028f58a14f89b1245c01d Mon Sep 17 00:00:00 2001 From: Long Wu Yuan Date: Sat, 3 Dec 2022 07:13:53 +0530 Subject: [PATCH 043/405] added ginkgo junit reports (#9350) --- build/run-e2e-suite.sh | 35 +++++++++++++++++++++++++++++++++++ test/e2e-image/e2e.sh | 16 ++++++++++++++++ 2 files changed, 51 insertions(+) diff --git a/build/run-e2e-suite.sh b/build/run-e2e-suite.sh index 15eacc355..ebbac9145 100755 --- a/build/run-e2e-suite.sh +++ b/build/run-e2e-suite.sh @@ -88,3 +88,38 @@ kubectl run --rm \ --overrides='{ "apiVersion": "v1", "spec":{"serviceAccountName": "ingress-nginx-e2e"}}' \ e2e --image=nginx-ingress-controller:e2e +# Get the junit-reports stored in the configMaps created during e2etests +echo "Getting the report files out now.." +reportsDir="test/junitreports" +reportFileName="report-e2e-test-suite" +[ ! -e ${reportsDir} ] && mkdir $reportsDir +cd $reportsDir + +# TODO: Seeking Rikatz help here to extract in a loop. Tried things like below without success +#for cmName in `k get cm -l junitreport=true -o json | jq '.items[].binaryData | keys[]' | tr '\"' ' '` +#do +# +# kubectl get cm -l junitreport=true -o json | jq -r '[.items[].binaryData | to_entries[] | {"key": .key, "value": .value }] | from_entries' +# + +# Below lines successfully extract the report but they are one line per report. +# We only have 3 ginkgo reports so its ok for now +# But still, ideally this should be a loop as talked about in comments a few lines above +kubectl get cm $reportFileName.xml.gz -o "jsonpath={.binaryData['report-e2e-test-suite\.xml\.gz']}" > $reportFileName.xml.gz.base64 +kubectl get cm $reportFileName-serial.xml.gz -o "jsonpath={.binaryData['report-e2e-test-suite-serial\.xml\.gz']}" > $reportFileName-serial.xml.gz.base64 + +cat $reportFileName.xml.gz.base64 | base64 -d > $reportFileName.xml.gz +cat $reportFileName-serial.xml.gz.base64 | base64 -d > $reportFileName-serial.xml.gz + +gzip -d $reportFileName.xml.gz +gzip -d $reportFileName-serial.xml.gz + +rm *.base64 +cd ../.. + +# TODO Temporary: if condition to check if the memleak cm exists and only then try the extract for the memleak report +# +#kubectl get cm $reportFileName-serial -o "jsonpath={.data['report-e2e-test-suite-memleak\.xml\.gz']}" > $reportFileName-memleak.base64 +#cat $reportFileName-memleak.base64 | base64 -d > $reportFileName-memleak.xml.gz +#gzip -d $reportFileName-memleak.xml.gz +echo "done getting the reports files out.." diff --git a/test/e2e-image/e2e.sh b/test/e2e-image/e2e.sh index 24e52bcde..150d2d06e 100755 --- a/test/e2e-image/e2e.sh +++ b/test/e2e-image/e2e.sh @@ -34,23 +34,39 @@ ginkgo_args=( "-timeout=75m" ) +# Variable for the prefix of report filenames +reportFileNamePrefix="report-e2e-test-suite" + echo -e "${BGREEN}Running e2e test suite (FOCUS=${FOCUS})...${NC}" ginkgo "${ginkgo_args[@]}" \ -focus="${FOCUS}" \ -skip="\[Serial\]|\[MemoryLeak\]" \ -nodes="${E2E_NODES}" \ + --junit-report=$reportFileNamePrefix.xml \ /e2e.test +# Create configMap out of a compressed report file for extraction later echo -e "${BGREEN}Running e2e test suite with tests that require serial execution...${NC}" ginkgo "${ginkgo_args[@]}" \ -focus="\[Serial\]" \ -skip="\[MemoryLeak\]" \ + --junit-report=$reportFileNamePrefix-serial.xml \ /e2e.test +# Create configMap out of a compressed report file for extraction later if [[ ${E2E_CHECK_LEAKS} != "" ]]; then echo -e "${BGREEN}Running e2e test suite with tests that check for memory leaks...${NC}" ginkgo "${ginkgo_args[@]}" \ -focus="\[MemoryLeak\]" \ -skip="\[Serial\]" \ + --junit-report=$reportFileNamePrefix-memleak.xml \ /e2e.test +# Create configMap out of a compressed report file for extraction later fi + +for rFile in `ls $reportFileNamePrefix*` +do + gzip -k $rFile + kubectl create cm $rFile.gz --from-file $rFile.gz + kubectl label cm $rFile.gz junitreport=true +done From 5aa49dc66d7e74adbbc34bcecbafc7cb08625e94 Mon Sep 17 00:00:00 2001 From: Saumya <76432998+SaumyaBhushan@users.noreply.github.com> Date: Sat, 3 Dec 2022 10:43:54 +0530 Subject: [PATCH 044/405] removed deprecation messsage for ingressClass annotation (#9357) * removed deprecation messsage for ingressClass annotation * modified: docs/user-guide/multiple-ingress.md * modified: docs/user-guide/multiple-ingress.md * modified: docs/user-guide/multiple-ingress.md --- docs/user-guide/multiple-ingress.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/user-guide/multiple-ingress.md b/docs/user-guide/multiple-ingress.md index 35e0e45dc..179041727 100644 --- a/docs/user-guide/multiple-ingress.md +++ b/docs/user-guide/multiple-ingress.md @@ -2,7 +2,9 @@ By default, deploying multiple Ingress controllers (e.g., `ingress-nginx` & `gce`) will result in all controllers simultaneously racing to update Ingress status fields in confusing ways. -To fix this problem, use [IngressClasses](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class). The `kubernetes.io/ingress.class` annotation is deprecated from kubernetes v1.22+. +To fix this problem, use [IngressClasses](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class). The `kubernetes.io/ingress.class` annotation is not being preferred or suggested to use as it can be deprecated in future. Better to use the field `ingress.spec.ingressClassName`. +But, when user has deployed with `scope.enabled`, then the ingress class resource field is not used. + ## Using IngressClasses From 8a5eaa63a93ee247b63b9cf6e3892abacd352d0c Mon Sep 17 00:00:00 2001 From: Tatu Pesonen Date: Sat, 3 Dec 2022 12:28:58 +0200 Subject: [PATCH 045/405] fix(typo): pluralize provider (#9346) --- docs/user-guide/basic-usage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/basic-usage.md b/docs/user-guide/basic-usage.md index 2142121d2..aee0c0fd3 100644 --- a/docs/user-guide/basic-usage.md +++ b/docs/user-guide/basic-usage.md @@ -1,6 +1,6 @@ # Basic usage - host based routing -ingress-nginx can be used for many use cases, inside various cloud provider and supports a lot of configurations. In this section you can find a common usage scenario where a single load balancer powered by ingress-nginx will route traffic to 2 different HTTP backend services based on the host name. +ingress-nginx can be used for many use cases, inside various cloud providers and supports a lot of configurations. In this section you can find a common usage scenario where a single load balancer powered by ingress-nginx will route traffic to 2 different HTTP backend services based on the host name. First of all follow the instructions to install ingress-nginx. Then imagine that you need to expose 2 HTTP services already installed, `myServiceA`, `myServiceB`, and configured as `type: ClusterIP`. From 27ffeeb18f73bbde1b66866e796714308cebf1f4 Mon Sep 17 00:00:00 2001 From: Sjouke de Vries Date: Sun, 4 Dec 2022 20:35:56 +0100 Subject: [PATCH 046/405] fix(hpa): deprecated api version, bump to v2 (#9348) * fix(hpa): deprecated api version, bump to v2 * chore(hpa): abstract hpa apiVersion to helm value * feat(hpa): add controller.autoscaling.apiVersion docs in README * docs(hpa): quotes around apiVersion string type * chore(hpa): run helm-docs in repo * chore(hpa): remove local helm-docs module install and output * docs(helm): add hpa controller.autoscaling.apiVersion description * docs(hpa): remove autoscaling.apiVersion description as it fails ci --- charts/ingress-nginx/README.md | 1 + charts/ingress-nginx/templates/controller-hpa.yaml | 2 +- charts/ingress-nginx/values.yaml | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 5922884cd..5ddd046ea 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -277,6 +277,7 @@ Kubernetes: `>=1.20.0-0` | controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # | | controller.allowSnippetAnnotations | bool | `true` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected | | controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # | +| controller.autoscaling.apiVersion | string | `"autoscaling/v2"` | | | controller.autoscaling.behavior | object | `{}` | | | controller.autoscaling.enabled | bool | `false` | | | controller.autoscaling.maxReplicas | int | `11` | | diff --git a/charts/ingress-nginx/templates/controller-hpa.yaml b/charts/ingress-nginx/templates/controller-hpa.yaml index e0979f14b..d1e78bdfc 100644 --- a/charts/ingress-nginx/templates/controller-hpa.yaml +++ b/charts/ingress-nginx/templates/controller-hpa.yaml @@ -1,7 +1,7 @@ {{- if and .Values.controller.autoscaling.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}} {{- if not .Values.controller.keda.enabled }} -apiVersion: autoscaling/v2beta2 +apiVersion: {{ .Values.controller.autoscaling.apiVersion }} kind: HorizontalPodAutoscaler metadata: annotations: diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 35f922f6b..f80095c56 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -364,6 +364,7 @@ controller: # Mutually exclusive with keda autoscaling autoscaling: + apiVersion: autoscaling/v2 enabled: false minReplicas: 1 maxReplicas: 11 From 49bd5dd7633a56bf5f9a65ca2e35b56e9567d3f5 Mon Sep 17 00:00:00 2001 From: Adam Hukalowicz Date: Sun, 4 Dec 2022 20:39:54 +0100 Subject: [PATCH 047/405] ModSecurity dependencies update to avoid Memory Leaks (#9330) * Update ModSecurity to latest head * modsecurity version pinned --- images/nginx/rootfs/build.sh | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh index 5a6394fd9..6d8937a22 100755 --- a/images/nginx/rootfs/build.sh +++ b/images/nginx/rootfs/build.sh @@ -56,11 +56,11 @@ export MSGPACK_VERSION=3.3.0 # Check for recent changes: https://github.com/DataDog/dd-opentracing-cpp/compare/v1.3.2...master export DATADOG_CPP_VERSION=1.3.2 -# Check for recent changes: https://github.com/SpiderLabs/ModSecurity-nginx/compare/v1.0.2...master -export MODSECURITY_VERSION=1.0.2 +# Check for recent changes: https://github.com/SpiderLabs/ModSecurity-nginx/compare/v1.0.3...master +export MODSECURITY_VERSION=1.0.3 -# Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.5...v3/master -export MODSECURITY_LIB_VERSION=v3.0.8 +# Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.8...v3/master +export MODSECURITY_LIB_VERSION=e9a7ba4a60be48f761e0328c6dfcc668d70e35a0 # Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v3.3.2...v3.3/master export OWASP_MODSECURITY_CRS_VERSION=v3.3.4 @@ -229,7 +229,7 @@ get_src cbe625cba85291712253db5bc3870d60c709acfad9a8af5a302673d3d201e3ea \ get_src 71de3d0658935db7ccea20e006b35e58ddc7e4c18878b9523f2addc2371e9270 \ "https://github.com/rnburn/zipkin-cpp-opentracing/archive/$ZIPKIN_CPP_VERSION.tar.gz" -get_src f8d3ff15520df736c5e20e91d5852ec27e0874566c2afce7dcb979e2298d6980 \ +get_src 32a42256616cc674dca24c8654397390adff15b888b77eb74e0687f023c8751b \ "https://github.com/SpiderLabs/ModSecurity-nginx/archive/v$MODSECURITY_VERSION.tar.gz" get_src 43e6a9fcb146ad871515f0d0873947e5d497a1c9c60c58cb102a97b47208b7c3 \ @@ -495,8 +495,9 @@ make install # build modsecurity library cd "$BUILD_PATH" -git clone --depth=1 -b $MODSECURITY_LIB_VERSION https://github.com/SpiderLabs/ModSecurity +git clone -n https://github.com/SpiderLabs/ModSecurity cd ModSecurity/ +git checkout $MODSECURITY_LIB_VERSION git submodule init git submodule update From 15c4078032d5a5a40ef3b5436261dc21a568c56b Mon Sep 17 00:00:00 2001 From: aimuz Date: Mon, 5 Dec 2022 03:49:54 +0800 Subject: [PATCH 048/405] Enable profiler-address to be configured (#9311) Signed-off-by: aimuz Signed-off-by: aimuz --- cmd/dataplane/main.go | 3 +-- cmd/nginx/main.go | 2 +- internal/nginx/main.go | 3 +++ pkg/flags/flags.go | 5 ++++- 4 files changed, 9 insertions(+), 4 deletions(-) diff --git a/cmd/dataplane/main.go b/cmd/dataplane/main.go index 8ea59a412..0ab978429 100644 --- a/cmd/dataplane/main.go +++ b/cmd/dataplane/main.go @@ -82,8 +82,7 @@ func main() { mc.Start(conf.ValidationWebhook) if conf.EnableProfiling { - // TODO: Turn Profiler address configurable via flags - go metrics.RegisterProfiler("127.0.0.1", nginx.ProfilerPort) + go metrics.RegisterProfiler(nginx.ProfilerAddress, nginx.ProfilerPort) } ngx := controller.NewNGINXController(conf, mc) diff --git a/cmd/nginx/main.go b/cmd/nginx/main.go index c585ed95e..9f0973ec9 100644 --- a/cmd/nginx/main.go +++ b/cmd/nginx/main.go @@ -143,7 +143,7 @@ func main() { mc.Start(conf.ValidationWebhook) if conf.EnableProfiling { - go metrics.RegisterProfiler("127.0.0.1", nginx.ProfilerPort) + go metrics.RegisterProfiler(nginx.ProfilerAddress, nginx.ProfilerPort) } ngx := controller.NewNGINXController(conf, mc) diff --git a/internal/nginx/main.go b/internal/nginx/main.go index 88d2ee877..ae319fe1f 100644 --- a/internal/nginx/main.go +++ b/internal/nginx/main.go @@ -36,6 +36,9 @@ import ( // ProfilerPort port used by the ingress controller to expose the Go Profiler when it is enabled. var ProfilerPort = 10245 +// ProfilerAddress IP address used by the ingress controller to expose the Go Profiler when it is enabled. +var ProfilerAddress = "127.0.0.1" + // TemplatePath path of the NGINX template var TemplatePath = "/etc/nginx/template/nginx.tmpl" diff --git a/pkg/flags/flags.go b/pkg/flags/flags.go index f7c1771e8..877000a7d 100644 --- a/pkg/flags/flags.go +++ b/pkg/flags/flags.go @@ -19,6 +19,7 @@ package flags import ( "flag" "fmt" + "net" "os" "time" @@ -201,7 +202,8 @@ Takes the form ":port". If not provided, no admission controller is starte internalLoggerAddress = flags.String("internal-logger-address", "127.0.0.1:11514", "Address to be used when binding internal syslogger") - profilerPort = flags.Int("profiler-port", 10245, "Port to use for expose the ingress controller Go profiler when it is enabled.") + profilerPort = flags.Int("profiler-port", 10245, "Port to use for expose the ingress controller Go profiler when it is enabled.") + profilerAddress = flags.IP("profiler-address", net.ParseIP("127.0.0.1"), "IP address used by the ingress controller to expose the Go Profiler when it is enabled.") statusUpdateInterval = flags.Int("status-update-interval", status.UpdateInterval, "Time interval in seconds in which the status should check if an update is required. Default is 60 seconds") @@ -275,6 +277,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g nginx.StatusPort = *statusPort nginx.StreamPort = *streamPort nginx.ProfilerPort = *profilerPort + nginx.ProfilerAddress = profilerAddress.String() if *enableSSLPassthrough && !ing_net.IsPortAvailable(*sslProxyPort) { return false, nil, fmt.Errorf("port %v is already in use. Please check the flag --ssl-passthrough-proxy-port", *sslProxyPort) From dbb765a321644deb66a61dd84f0024d61bc9c845 Mon Sep 17 00:00:00 2001 From: Saumya <76432998+SaumyaBhushan@users.noreply.github.com> Date: Mon, 5 Dec 2022 01:20:01 +0530 Subject: [PATCH 049/405] resolved ginkgo deprecation message (#9365) --- go.mod | 9 ++++++++- go.sum | 18 ++++++++++++++++++ test/e2e-image/e2e.sh | 7 ++++--- 3 files changed, 30 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index 91bda5845..074cca487 100644 --- a/go.mod +++ b/go.mod @@ -51,9 +51,10 @@ require ( github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect - github.com/BurntSushi/toml v0.3.1 // indirect + github.com/BurntSushi/toml v1.0.0 // indirect github.com/PuerkitoBio/purell v1.1.1 // indirect github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect + github.com/alessio/shellescape v1.4.1 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect github.com/cespare/xxhash/v2 v2.1.2 // indirect @@ -70,6 +71,7 @@ require ( github.com/go-openapi/jsonpointer v0.19.5 // indirect github.com/go-openapi/jsonreference v0.19.5 // indirect github.com/go-openapi/swag v0.19.14 // indirect + github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect github.com/godbus/dbus/v5 v5.0.6 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt/v4 v4.2.0 // indirect @@ -80,6 +82,8 @@ require ( github.com/google/gnostic v0.5.7-v3refs // indirect github.com/google/go-cmp v0.5.9 // indirect github.com/google/gofuzz v1.1.0 // indirect + github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect + github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect github.com/google/uuid v1.2.0 // indirect github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect @@ -88,6 +92,7 @@ require ( github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect github.com/mailru/easyjson v0.7.6 // indirect github.com/mattn/go-colorable v0.1.13 // indirect + github.com/mattn/go-isatty v0.0.16 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect github.com/mmarkdown/mmark v2.0.40+incompatible // indirect github.com/moby/sys/mountinfo v0.5.0 // indirect @@ -97,6 +102,7 @@ require ( github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833 // indirect github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 // indirect + github.com/pelletier/go-toml v1.9.4 // indirect github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/pkg/errors v0.9.1 // indirect github.com/prometheus/procfs v0.8.0 // indirect @@ -125,6 +131,7 @@ require ( k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect + sigs.k8s.io/kind v0.17.0 // indirect sigs.k8s.io/kustomize/api v0.12.1 // indirect sigs.k8s.io/kustomize/kyaml v0.13.9 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect diff --git a/go.sum b/go.sum index f53cec3a6..564a127bb 100644 --- a/go.sum +++ b/go.sum @@ -62,6 +62,8 @@ github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUM github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/toml v1.0.0 h1:dtDWrepsVPfW9H/4y7dDgFc2MBUSeJhlaDtK13CxFlU= +github.com/BurntSushi/toml v1.0.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI= @@ -73,6 +75,8 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuy github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= +github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0= +github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a h1:AP/vsCIvJZ129pdm9Ek7bH7yutN3hByqsMoNrWAxRQc= github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a/go.mod h1:QmP9hvJ91BbJmGVGSbutW19IC0Q9phDCLGaomwTJbgU= @@ -105,6 +109,7 @@ github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkX github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzAJc1DzSI= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI= @@ -167,6 +172,8 @@ github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng= github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I= +github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.0.6 h1:mkgN1ofwASrYnJ5W6U/BxG15eXXXjirgZc7CLqkcaro= github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= @@ -252,8 +259,11 @@ github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2 h1:SJ+NtwL6QaZ21U+IrK7d0gGgpjGGvd2kz+FzTHVzdqI= +github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2/go.mod h1:Tv1PlzqC9t8wNnpPdctvtSUOPUUg4SHeE6vR1Ir2hmg= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= @@ -271,6 +281,7 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1: github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= +github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc= github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= @@ -310,6 +321,7 @@ github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= +github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= @@ -357,6 +369,8 @@ github.com/opencontainers/runc v1.1.4/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJ github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI= +github.com/pelletier/go-toml v1.9.4 h1:tjENF6MfZAg8e4ZmZTeWaWiT2vXtsoO6+iuOjFhECwM= +github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= @@ -412,6 +426,7 @@ github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= +github.com/spf13/cobra v1.4.0/go.mod h1:Wo4iy3BUC+X2Fybo0PDqwJIv3dNRiZLHQymsfxlB84g= github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA= github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= @@ -880,6 +895,7 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= @@ -948,6 +964,8 @@ sigs.k8s.io/controller-runtime v0.13.1 h1:tUsRCSJVM1QQOOeViGeX3GMT3dQF1eePPw6sEE sigs.k8s.io/controller-runtime v0.13.1/go.mod h1:Zbz+el8Yg31jubvAEyglRZGdLAjplZl+PgtYNI6WNTI= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/kind v0.17.0 h1:CScmGz/wX66puA06Gj8OZb76Wmk7JIjgWf5JDvY7msM= +sigs.k8s.io/kind v0.17.0/go.mod h1:Qqp8AiwOlMZmJWs37Hgs31xcbiYXjtXlRBSftcnZXQk= sigs.k8s.io/kustomize/api v0.12.1 h1:7YM7gW3kYBwtKvoY216ZzY+8hM+lV53LUayghNRJ0vM= sigs.k8s.io/kustomize/api v0.12.1/go.mod h1:y3JUhimkZkR6sbLNwfJHxvo1TCLwuwm14sCYnkH6S1s= sigs.k8s.io/kustomize/kyaml v0.13.9 h1:Qz53EAaFFANyNgyOEJbT/yoIHygK40/ZcvU3rgry2Tk= diff --git a/test/e2e-image/e2e.sh b/test/e2e-image/e2e.sh index 150d2d06e..7b4d56f10 100755 --- a/test/e2e-image/e2e.sh +++ b/test/e2e-image/e2e.sh @@ -19,7 +19,7 @@ set -e NC='\e[0m' BGREEN='\e[32m' -SLOW_E2E_THRESHOLD=${SLOW_E2E_THRESHOLD:-"5s"} +#SLOW_E2E_THRESHOLD=${SLOW_E2E_THRESHOLD:-"5s"} FOCUS=${FOCUS:-.*} E2E_NODES=${E2E_NODES:-5} E2E_CHECK_LEAKS=${E2E_CHECK_LEAKS:-""} @@ -28,8 +28,9 @@ ginkgo_args=( "-randomize-all" "-flake-attempts=2" "-fail-fast" - "-progress" - "-slow-spec-threshold=${SLOW_E2E_THRESHOLD}" + "--show-node-events" + "--poll-progress-after=180s" +# "-slow-spec-threshold=${SLOW_E2E_THRESHOLD}" "-succinct" "-timeout=75m" ) From f71f109b8d497e368dafa2b69f3424e2452e6a9a Mon Sep 17 00:00:00 2001 From: "Justin Wood (Callek)" Date: Sun, 4 Dec 2022 14:51:55 -0500 Subject: [PATCH 050/405] Fix styling in canary annotation docs. (#9259) Before this change, it appears on the website as: > A weight of means implies all requests will be sent to the alternative service specified in the Ingress. `` defaults to 100, and can be increased via `nginx.ingress.kubernetes.io/canary-weight-total`. Where there is the term `weight-total` as a pure html tag in the space. This fixes it to actually display it as text in the prose. --- docs/user-guide/nginx-configuration/annotations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md index 131320bf7..49e252589 100755 --- a/docs/user-guide/nginx-configuration/annotations.md +++ b/docs/user-guide/nginx-configuration/annotations.md @@ -146,7 +146,7 @@ In some cases, you may want to "canary" a new set of changes by sending a small * `nginx.ingress.kubernetes.io/canary-by-cookie`: The cookie to use for notifying the Ingress to route the request to the service specified in the Canary Ingress. When the cookie value is set to `always`, it will be routed to the canary. When the cookie is set to `never`, it will never be routed to the canary. For any other value, the cookie will be ignored and the request compared against the other canary rules by precedence. -* `nginx.ingress.kubernetes.io/canary-weight`: The integer based (0 - ) percent of random requests that should be routed to the service specified in the canary Ingress. A weight of 0 implies that no requests will be sent to the service in the Canary ingress by this canary rule. A weight of means implies all requests will be sent to the alternative service specified in the Ingress. `` defaults to 100, and can be increased via `nginx.ingress.kubernetes.io/canary-weight-total`. +* `nginx.ingress.kubernetes.io/canary-weight`: The integer based (0 - ) percent of random requests that should be routed to the service specified in the canary Ingress. A weight of 0 implies that no requests will be sent to the service in the Canary ingress by this canary rule. A weight of `` means implies all requests will be sent to the alternative service specified in the Ingress. `` defaults to 100, and can be increased via `nginx.ingress.kubernetes.io/canary-weight-total`. * `nginx.ingress.kubernetes.io/canary-weight-total`: The total weight of traffic. If unspecified, it defaults to 100. From 785458ccebfe5ee13d150f25fde0335ee20a408f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 4 Dec 2022 13:09:56 -0800 Subject: [PATCH 051/405] Bump google.golang.org/grpc from 1.50.1 to 1.51.0 (#9316) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.50.1 to 1.51.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.50.1...v1.51.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 074cca487..eab2f9d01 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a golang.org/x/crypto v0.3.0 - google.golang.org/grpc v1.50.1 + google.golang.org/grpc v1.51.0 gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 k8s.io/api v0.25.4 diff --git a/go.sum b/go.sum index 564a127bb..21890aa7a 100644 --- a/go.sum +++ b/go.sum @@ -871,8 +871,8 @@ google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= -google.golang.org/grpc v1.50.1 h1:DS/BukOZWp8s6p4Dt/tOaJaTQyPyOoCcrjroHuCeLzY= -google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= +google.golang.org/grpc v1.51.0 h1:E1eGv1FTqoLIdnBCZufiSHgKjlqG6fKFf6pPWtMTh8U= +google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsAIPww= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= From 3aa53aaf5b210dd937598928e172ef1478e90e69 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Johannes=20W=C3=BCrbach?= Date: Mon, 5 Dec 2022 02:49:01 +0100 Subject: [PATCH 052/405] fix: missing CORS headers when auth fails (#9251) --- rootfs/etc/nginx/template/nginx.tmpl | 8 ++++---- test/e2e/annotations/auth.go | 28 ++++++++++++++++++++++++++++ 2 files changed, 32 insertions(+), 4 deletions(-) diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index 92d2c9706..3ace12bc3 100755 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -1268,6 +1268,10 @@ stream { deny all; {{ end }} + {{ if $location.CorsConfig.CorsEnabled }} + {{ template "CORS" $location }} + {{ end }} + {{ if not (isLocationInLocationList $location $all.Cfg.NoAuthLocations) }} {{ if $authPath }} # this location requires authentication @@ -1329,10 +1333,6 @@ stream { {{ range $limit := $limits }} {{ $limit }}{{ end }} - {{ if $location.CorsConfig.CorsEnabled }} - {{ template "CORS" $location }} - {{ end }} - {{ buildInfluxDB $location.InfluxDB }} {{ if isValidByteSize $location.Proxy.BodySize true }} diff --git a/test/e2e/annotations/auth.go b/test/e2e/annotations/auth.go index 7da2ef7d9..1f0f4c3b2 100644 --- a/test/e2e/annotations/auth.go +++ b/test/e2e/annotations/auth.go @@ -141,6 +141,34 @@ var _ = framework.DescribeAnnotation("auth-*", func() { Body().Contains("401 Authorization Required") }) + ginkgo.It("should return status code 401 and cors headers when authentication and cors is configured but Authorization header is not configured", func() { + host := "auth" + + s := f.EnsureSecret(buildSecret("foo", "bar", "test", f.Namespace)) + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/auth-type": "basic", + "nginx.ingress.kubernetes.io/auth-secret": s.Name, + "nginx.ingress.kubernetes.io/auth-realm": "test auth", + "nginx.ingress.kubernetes.io/enable-cors": "true", + } + + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, "server_name auth") + }) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusUnauthorized). + Header("Access-Control-Allow-Origin").Equal("*") + }) + ginkgo.It("should return status code 200 when authentication is configured and Authorization header is sent", func() { host := "auth" From 3474c33e15d809ba401b38891a2ed3c4080b751e Mon Sep 17 00:00:00 2001 From: Ehsan Saei <71217171+esigo@users.noreply.github.com> Date: Mon, 5 Dec 2022 09:55:02 +0100 Subject: [PATCH 053/405] update OpenTelemetry image (#9308) * update OpenTelemetry image * review comment * helm-docs * clean --- charts/ingress-nginx/README.md | 3 +++ charts/ingress-nginx/templates/_helpers.tpl | 17 +++++++++++++ .../templates/controller-deployment.yaml | 25 ++++++++----------- charts/ingress-nginx/values.yaml | 8 ++++-- 4 files changed, 37 insertions(+), 16 deletions(-) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 5ddd046ea..36c98984c 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -372,6 +372,9 @@ Kubernetes: `>=1.20.0-0` | controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | controller.name | string | `"controller"` | | | controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ # | +| controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | +| controller.opentelemetry.enabled | bool | `false` | | +| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20221114-controller-v1.5.1-6-ga66ee73c5@sha256:41076fd9fb4255677c1a3da1ac3fc41477f06eba3c7ebf37ffc8f734dad51d7c"` | | | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # | | controller.podLabels | object | `{}` | Labels to add to the pod container metadata | | controller.podSecurityContext | object | `{}` | Security Context policies for controller pods | diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl index 790a19350..7db5b2ca8 100644 --- a/charts/ingress-nginx/templates/_helpers.tpl +++ b/charts/ingress-nginx/templates/_helpers.tpl @@ -193,3 +193,20 @@ IngressClass parameters. {{ toYaml .Values.controller.ingressClassResource.parameters | indent 4}} {{ end }} {{- end -}} + +{{/* +Extra modules. +*/}} +{{- define "extraModules" -}} + +- name: {{ .name }} + image: {{ .image }} + command: ['sh', '-c', '/usr/local/bin/init_module.sh'] + {{- if (.containerSecurityContext) }} + securityContext: {{ .containerSecurityContext | toYaml | nindent 4 }} + {{- end }} + volumeMounts: + - name: {{ toYaml "modules"}} + mountPath: {{ toYaml "/modules_mount"}} + +{{- end -}} diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml index 9dac747ea..5cd3c1901 100644 --- a/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/charts/ingress-nginx/templates/controller-deployment.yaml @@ -147,9 +147,9 @@ spec: hostPort: {{ $key }} {{- end }} {{- end }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} volumeMounts: - {{- if .Values.controller.extraModules }} + {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} - name: modules {{ if .Values.controller.image.chroot }} mountPath: /chroot/modules_mount @@ -177,24 +177,21 @@ spec: {{- if .Values.controller.extraContainers }} {{ toYaml .Values.controller.extraContainers | nindent 8 }} {{- end }} - {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }} + {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} initContainers: {{- if .Values.controller.extraInitContainers }} {{ toYaml .Values.controller.extraInitContainers | nindent 8 }} {{- end }} {{- if .Values.controller.extraModules }} {{- range .Values.controller.extraModules }} - - name: {{ .name }} - image: {{ .image }} - command: ['sh', '-c', '/usr/local/bin/init_module.sh'] - {{- if (or $.Values.controller.containerSecurityContext .containerSecurityContext) }} - securityContext: {{ .containerSecurityContext | default $.Values.controller.containerSecurityContext | toYaml | nindent 14 }} - {{- end }} - volumeMounts: - - name: modules - mountPath: /modules_mount + {{ $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} + {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext | nindent 8) }} {{- end }} {{- end }} + {{- if .Values.controller.opentelemetry.enabled}} + {{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }} + {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}} + {{- end}} {{- end }} {{- if .Values.controller.hostNetwork }} hostNetwork: {{ .Values.controller.hostNetwork }} @@ -213,9 +210,9 @@ spec: {{- end }} serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} volumes: - {{- if .Values.controller.extraModules }} + {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}} - name: modules emptyDir: {} {{- end }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index f80095c56..6dc28c08d 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -583,8 +583,6 @@ controller: # -- Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module extraModules: [] - # - name: opentelemetry - # image: registry.k8s.io/ingress-nginx/opentelemetry:v20220906-g981ce38a7@sha256:aa079daa7efd93aa830e26483a49a6343354518360929494bad1d0ad3303142e # containerSecurityContext: # allowPrivilegeEscalation: false # @@ -592,6 +590,12 @@ controller: # will be executed as initContainers, to move its config files within the # mounted volume. + opentelemetry: + enabled: false + image: registry.k8s.io/ingress-nginx/opentelemetry:v20221114-controller-v1.5.1-6-ga66ee73c5@sha256:41076fd9fb4255677c1a3da1ac3fc41477f06eba3c7ebf37ffc8f734dad51d7c + containerSecurityContext: + allowPrivilegeEscalation: false + admissionWebhooks: annotations: {} # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem". From acf6f0a20265229586fc9e3de02b321b36972b2a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Dec 2022 14:33:03 -0800 Subject: [PATCH 054/405] Bump github/codeql-action from 2.1.31 to 2.1.35 (#9369) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.31 to 2.1.35. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898...b2a92eb56d8cb930006a1c6ed86b0782dd8a4297) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecards.yml | 2 +- .github/workflows/vulnerability-scans.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 7e936c08b..7b0dac782 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -57,6 +57,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898 # v2.1.14 + uses: github/codeql-action/upload-sarif@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v2.1.14 with: sarif_file: results.sarif diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index 6cb1dada7..bb9b2fbf0 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -75,7 +75,7 @@ jobs: # This step checks out a copy of your repository. - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898 + uses: github/codeql-action/upload-sarif@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 with: token: ${{ github.token }} # Path to SARIF file relative to the root of the repository From f3f6554405649de787a3577e5ed445fe3c4ea4aa Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Dec 2022 14:35:03 -0800 Subject: [PATCH 055/405] Bump actions/setup-go from 3.3.1 to 3.4.0 (#9370) Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3.3.1 to 3.4.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/c4a742cab115ed795e34d4513e2cf7d472deb55f...d0a58c1c4d2b25278816e339b944508c875f3613) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yaml | 6 +++--- .github/workflows/plugin.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 6f0c4aee2..f26a99aac 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -81,7 +81,7 @@ jobs: - name: Set up Go 1.19.2 id: go - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # v3.2.0 + uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.2.0 with: go-version: '1.19.2' @@ -147,7 +147,7 @@ jobs: uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.2 - name: Setup Go - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # v3.2.0 + uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.2.0 with: go-version: '1.19.2' @@ -423,7 +423,7 @@ jobs: - name: Set up Go 1.19.2 id: go if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # v3.2.0 + uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.2.0 with: go-version: '1.19.2' diff --git a/.github/workflows/plugin.yaml b/.github/workflows/plugin.yaml index 5da461528..398d0075b 100644 --- a/.github/workflows/plugin.yaml +++ b/.github/workflows/plugin.yaml @@ -22,7 +22,7 @@ jobs: fetch-depth: 0 - name: Set up Go - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # v3.2.0 + uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.2.0 with: go-version: 1.19.2 From f9cce5a4ed7ef372a18bc826e395ff5660b7a444 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tomek=20=C5=9Awi=C4=99cicki?= Date: Tue, 6 Dec 2022 16:26:38 +0100 Subject: [PATCH 056/405] [user-guide configmap] fix doc for global-auth-snippet (#9372) --- docs/user-guide/nginx-configuration/configmap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md index c985d7373..f5d22d11c 100755 --- a/docs/user-guide/nginx-configuration/configmap.md +++ b/docs/user-guide/nginx-configuration/configmap.md @@ -1221,7 +1221,7 @@ _**default:**_ "" ## global-auth-snippet Sets a custom snippet to use with external authentication. Applied to all the locations. -Similar to the Ingress rule annotation `nginx.ingress.kubernetes.io/auth-request-redirect`. +Similar to the Ingress rule annotation `nginx.ingress.kubernetes.io/auth-snippet`. _**default:**_ "" ## global-auth-cache-key From ad4655a568f907ef85c43c264f2db487401b1ea2 Mon Sep 17 00:00:00 2001 From: Long Wu Yuan Date: Wed, 7 Dec 2022 08:54:37 +0530 Subject: [PATCH 057/405] integrated junit-reports with ghactions (#9361) --- .github/workflows/ci.yaml | 6 ++++++ .github/workflows/junit-reports.yaml | 16 ++++++++++++++++ build/run-e2e-suite.sh | 1 + 3 files changed, 23 insertions(+) create mode 100644 .github/workflows/junit-reports.yaml diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index f26a99aac..494477b81 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -267,6 +267,12 @@ jobs: kind get kubeconfig > $HOME/.kube/kind-config-kind make kind-e2e-test + - name: Uplaod e2e junit-reports + uses: actions/upload-artifact@v2 + if: success() || failure() + with: + name: e2e-test-reports + path: 'test/junitreports/report*.xml' kubernetes-chroot: name: Kubernetes chroot diff --git a/.github/workflows/junit-reports.yaml b/.github/workflows/junit-reports.yaml new file mode 100644 index 000000000..21f2674a1 --- /dev/null +++ b/.github/workflows/junit-reports.yaml @@ -0,0 +1,16 @@ +name: 'E2E Test Report' +on: + workflow_run: + workflows: ['CI'] # runs after CI workflow + types: + - completed +jobs: + report: + runs-on: ubuntu-latest + steps: + - uses: dorny/test-reporter@v1 + with: + artifact: e2e-test-reports + name: JEST Tests # Name of the check run which will be created + path: 'report*.xml' # Path to test results (inside artifact .zip) + reporter: jest-junit # Format of test results diff --git a/build/run-e2e-suite.sh b/build/run-e2e-suite.sh index ebbac9145..ae38b5fcc 100755 --- a/build/run-e2e-suite.sh +++ b/build/run-e2e-suite.sh @@ -99,6 +99,7 @@ cd $reportsDir #for cmName in `k get cm -l junitreport=true -o json | jq '.items[].binaryData | keys[]' | tr '\"' ' '` #do # +# # kubectl get cm -l junitreport=true -o json | jq -r '[.items[].binaryData | to_entries[] | {"key": .key, "value": .value }] | from_entries' # From d7674e43230274a485ff90054383083ea4280ef8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?= Date: Wed, 7 Dec 2022 13:16:38 +0100 Subject: [PATCH 058/405] feat(helm): Optionally use cert-manager instead admission patch (#9279) --- charts/ingress-nginx/README.md | 18 ++++++ charts/ingress-nginx/README.md.gotmpl | 15 +++++ ...ler-admission-tls-cert-manager-values.yaml | 6 ++ .../admission-webhooks/cert-manager.yaml | 63 +++++++++++++++++++ .../job-patch/clusterrole.yaml | 2 +- .../job-patch/clusterrolebinding.yaml | 2 +- .../job-patch/job-createSecret.yaml | 2 +- .../job-patch/job-patchWebhook.yaml | 2 +- .../admission-webhooks/job-patch/role.yaml | 2 +- .../job-patch/rolebinding.yaml | 2 +- .../job-patch/serviceaccount.yaml | 2 +- .../validating-webhook.yaml | 7 ++- .../templates/controller-daemonset.yaml | 7 +++ .../templates/controller-deployment.yaml | 7 +++ charts/ingress-nginx/values.yaml | 11 ++++ test/e2e/run-chart-test.sh | 8 ++- 16 files changed, 147 insertions(+), 9 deletions(-) create mode 100644 charts/ingress-nginx/ci/controller-admission-tls-cert-manager-values.yaml create mode 100644 charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 36c98984c..0e2800d94 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -217,6 +217,21 @@ With nginx-ingress-controller version 0.25+, the nginx ingress controller pod ex With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521) +#### How the Chart Configures the Hooks +A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks. + +1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits. +2. The ingress nginx controller pod is configured to use a TLS proxy container, which will load that certificate. +3. Validating and Mutating webhook configurations are created in the cluster. +4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations + +#### Alternatives +It should be possible to use [cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) if a more complete solution is required. + +You can enable automatic self-signed TLS certificate provisioning via cert-manager by setting the `controller.admissionWebhooks.certManager.enable` value to true. + +Please ensure that cert-manager is correctly installed and configured. + ### Helm Error When Upgrading: spec.clusterIP: Invalid value: "" If you are upgrading this chart from a version between 0.31.0 and 1.2.2 then you may get an error like this: @@ -240,6 +255,9 @@ Kubernetes: `>=1.20.0-0` | commonLabels | object | `{}` | | | controller.addHeaders | object | `{}` | Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers | | controller.admissionWebhooks.annotations | object | `{}` | | +| controller.admissionWebhooks.certManager.admissionCert.duration | string | `""` | | +| controller.admissionWebhooks.certManager.enabled | bool | `false` | | +| controller.admissionWebhooks.certManager.rootCert.duration | string | `""` | | | controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` | | | controller.admissionWebhooks.createSecretJob.resources | object | `{}` | | | controller.admissionWebhooks.createSecretJob.securityContext.allowPrivilegeEscalation | bool | `false` | | diff --git a/charts/ingress-nginx/README.md.gotmpl b/charts/ingress-nginx/README.md.gotmpl index 9a7d7bdfd..78e4f38d4 100644 --- a/charts/ingress-nginx/README.md.gotmpl +++ b/charts/ingress-nginx/README.md.gotmpl @@ -216,6 +216,21 @@ With nginx-ingress-controller version 0.25+, the nginx ingress controller pod ex With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521) +#### How the Chart Configures the Hooks +A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks. + +1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits. +2. The ingress nginx controller pod is configured to use a TLS proxy container, which will load that certificate. +3. Validating and Mutating webhook configurations are created in the cluster. +4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations + +#### Alternatives +It should be possible to use [cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) if a more complete solution is required. + +You can enable automatic self-signed TLS certificate provisioning via cert-manager by setting the `controller.admissionWebhooks.certManager.enable` value to true. + +Please ensure that cert-manager is correctly installed and configured. + ### Helm Error When Upgrading: spec.clusterIP: Invalid value: "" If you are upgrading this chart from a version between 0.31.0 and 1.2.2 then you may get an error like this: diff --git a/charts/ingress-nginx/ci/controller-admission-tls-cert-manager-values.yaml b/charts/ingress-nginx/ci/controller-admission-tls-cert-manager-values.yaml new file mode 100644 index 000000000..a13241cd4 --- /dev/null +++ b/charts/ingress-nginx/ci/controller-admission-tls-cert-manager-values.yaml @@ -0,0 +1,6 @@ +controller: + admissionWebhooks: + certManager: + enabled: true + service: + type: ClusterIP diff --git a/charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml b/charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml new file mode 100644 index 000000000..55fab471c --- /dev/null +++ b/charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml @@ -0,0 +1,63 @@ +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.certManager.enabled -}} +{{- if not .Values.controller.admissionWebhooks.certManager.issuerRef -}} +# Create a selfsigned Issuer, in order to create a root CA certificate for +# signing webhook serving certificates +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ include "ingress-nginx.fullname" . }}-self-signed-issuer + namespace: {{ .Release.Namespace }} +spec: + selfSigned: {} +--- +# Generate a CA Certificate used to sign certificates for the webhook +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "ingress-nginx.fullname" . }}-root-cert + namespace: {{ .Release.Namespace }} +spec: + secretName: {{ include "ingress-nginx.fullname" . }}-root-cert + duration: {{ .Values.controller.admissionWebhooks.certManager.rootCert.duration | default "43800h0m0s" | quote }} + issuerRef: + name: {{ include "ingress-nginx.fullname" . }}-self-signed-issuer + commonName: "ca.webhook.ingress-nginx" + isCA: true + subject: + organizations: + - ingress-nginx +--- +# Create an Issuer that uses the above generated CA certificate to issue certs +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ include "ingress-nginx.fullname" . }}-root-issuer + namespace: {{ .Release.Namespace }} +spec: + ca: + secretName: {{ include "ingress-nginx.fullname" . }}-root-cert +{{- end }} +--- +# generate a server certificate for the apiservices to use +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "ingress-nginx.fullname" . }}-admission + namespace: {{ .Release.Namespace }} +spec: + secretName: {{ include "ingress-nginx.fullname" . }}-admission + duration: {{ .Values.controller.admissionWebhooks.certManager.admissionCert.duration | default "8760h0m0s" | quote }} + issuerRef: + {{- if .Values.controller.admissionWebhooks.certManager.issuerRef }} + {{- toYaml .Values.controller.admissionWebhooks.certManager.issuerRef | nindent 4 }} + {{- else }} + name: {{ include "ingress-nginx.fullname" . }}-root-issuer + {{- end }} + dnsNames: + - {{ include "ingress-nginx.controller.fullname" . }}-admission + - {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }} + - {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }}.svc + subject: + organizations: + - ingress-nginx-admission +{{- end -}} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml index 5659a1f10..f9ec70974 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml index abf17fb9f..002abd43b 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml index de78f45bd..d93433ecd 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: batch/v1 kind: Job metadata: diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml index b670aa05a..0fa3ff9a2 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: batch/v1 kind: Job metadata: diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml index 795bac6b9..2aab6f4b1 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml index 698c5c864..60c3f4ff0 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml index eae475118..00be54ec5 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: v1 kind: ServiceAccount metadata: diff --git a/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml index 8caffcb03..f27244dc9 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml @@ -4,8 +4,13 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: + annotations: + {{- if .Values.controller.admissionWebhooks.certManager.enabled }} + certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "ingress-nginx.fullname" .) | quote }} + cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "ingress-nginx.fullname" .) | quote }} + {{- end }} {{- if .Values.controller.admissionWebhooks.annotations }} - annotations: {{ toYaml .Values.controller.admissionWebhooks.annotations | nindent 4 }} + {{- toYaml .Values.controller.admissionWebhooks.annotations | nindent 4 }} {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml index 802730331..e6721566b 100644 --- a/charts/ingress-nginx/templates/controller-daemonset.yaml +++ b/charts/ingress-nginx/templates/controller-daemonset.yaml @@ -225,6 +225,13 @@ spec: - name: webhook-cert secret: secretName: {{ include "ingress-nginx.fullname" . }}-admission + {{- if .Values.controller.admissionWebhooks.certManager.enabled }} + items: + - key: tls.crt + path: cert + - key: tls.key + path: key + {{- end }} {{- end }} {{- if .Values.controller.extraVolumes }} {{ toYaml .Values.controller.extraVolumes | nindent 8 }} diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml index 5cd3c1901..9f1cf70db 100644 --- a/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/charts/ingress-nginx/templates/controller-deployment.yaml @@ -228,6 +228,13 @@ spec: - name: webhook-cert secret: secretName: {{ include "ingress-nginx.fullname" . }}-admission + {{- if .Values.controller.admissionWebhooks.certManager.enabled }} + items: + - key: tls.crt + path: cert + - key: tls.key + path: key + {{- end }} {{- end }} {{- if .Values.controller.extraVolumes }} {{ toYaml .Values.controller.extraVolumes | nindent 8 }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 6dc28c08d..161f974fe 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -677,6 +677,17 @@ controller: runAsUser: 2000 fsGroup: 2000 + # Use certmanager to generate webhook certs + certManager: + enabled: false + # self-signed root certificate + rootCert: + duration: "" # default to be 5y + admissionCert: + duration: "" # default to be 1y + # issuerRef: + # name: "issuer" + # kind: "ClusterIssuer" metrics: port: 10254 diff --git a/test/e2e/run-chart-test.sh b/test/e2e/run-chart-test.sh index fdb3121d8..b2e54993f 100755 --- a/test/e2e/run-chart-test.sh +++ b/test/e2e/run-chart-test.sh @@ -83,13 +83,19 @@ if [ "${SKIP_IMAGE_CREATION:-false}" = "false" ]; then echo "[dev-env] building image" make -C ${DIR}/../../ clean-image build image fi - + KIND_WORKERS=$(kind get nodes --name="${KIND_CLUSTER_NAME}" | awk '{printf (NR>1?",":"") $1}') echo "[dev-env] copying docker images to cluster..." kind load docker-image --name="${KIND_CLUSTER_NAME}" --nodes=${KIND_WORKERS} ${REGISTRY}/controller:${TAG} +if [ "${SKIP_CERT_MANAGER_CREATION:-false}" = "false" ]; then + echo "[dev-env] apply cert-manager ..." + kubectl apply --wait -f https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml + sleep 10 +fi + echo "[dev-env] running helm chart e2e tests..." # Uses a custom chart-testing image to avoid timeouts waiting for namespace deletion. # The changes can be found here: https://github.com/aledbf/chart-testing/commit/41fe0ae0733d0c9a538099fb3cec522e888e3d82 From 59d80f05bc6a363576c2b3c4707d768f1b7b8f66 Mon Sep 17 00:00:00 2001 From: Thomas Milox Date: Thu, 8 Dec 2022 01:10:22 +0100 Subject: [PATCH 059/405] doc: update NEW_CONTRIBUTOR.md (#9381) Add a reference to docker-mac-net-connect for macOS users experiencing ingress not being exposed Signed-off-by: TommyStarK Signed-off-by: TommyStarK --- NEW_CONTRIBUTOR.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/NEW_CONTRIBUTOR.md b/NEW_CONTRIBUTOR.md index 816d05778..e89c1ba88 100644 --- a/NEW_CONTRIBUTOR.md +++ b/NEW_CONTRIBUTOR.md @@ -848,3 +848,5 @@ As you can see from the above output there are several headers added to the curl - Cluster Creation tools - [kind](https://kind.sigs.k8s.io/docs/user/quick-start/) - [minikube](https://minikube.sigs.k8s.io/docs/start/) +- MacOS users + - [docker-mac-net-connect](https://github.com/chipmk/docker-mac-net-connect) - See this [issue](https://github.com/kubernetes/minikube/issues/7332) From 2cb3ce5db68c4d3f1022068527e55c1018dccf9d Mon Sep 17 00:00:00 2001 From: James Strong Date: Thu, 8 Dec 2022 10:52:24 -0500 Subject: [PATCH 060/405] added action for issues to project (#9386) Signed-off-by: James Strong Signed-off-by: James Strong --- .github/workflows/project.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 .github/workflows/project.yml diff --git a/.github/workflows/project.yml b/.github/workflows/project.yml new file mode 100644 index 000000000..9baa09bf2 --- /dev/null +++ b/.github/workflows/project.yml @@ -0,0 +1,19 @@ +name: Adds all issues + +on: + issues: + types: + - opened + +jobs: + add-to-project: + name: Add issue to project + runs-on: ubuntu-latest + permissions: + repository-projects: write + issues: write + steps: + - uses: actions/add-to-project@960fbad431afda394cfcf8743445e741acd19e85 #v0.4.0 + with: + project-url: https://github.com/orgs/kubernetes/projects/104 + github-token: ${{ secrets.PROJECT_WRITER }} From 7e7d0e86992cf2fcda76ccdd2a1c28e16d14704f Mon Sep 17 00:00:00 2001 From: Ricardo Katz Date: Sun, 11 Dec 2022 21:33:19 -0300 Subject: [PATCH 061/405] Add reporter for all tests (#9395) --- .github/workflows/ci.yaml | 16 +++++++++++++--- .github/workflows/junit-reports.yaml | 4 ++-- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 494477b81..0f21ccc4e 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -13,7 +13,7 @@ on: inputs: run_e2e: description: 'Force e2e to run' - required: true + required: false type: boolean permissions: @@ -73,6 +73,9 @@ jobs: name: Build runs-on: ubuntu-latest needs: changes + if: | + (needs.changes.outputs.go == 'true') || (needs.changes.outputs.charts == 'true') || ${{ inputs.run_e2e }} + steps: @@ -268,10 +271,10 @@ jobs: make kind-e2e-test - name: Uplaod e2e junit-reports - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 if: success() || failure() with: - name: e2e-test-reports + name: e2e-test-reports-${{ matrix.k8s }} path: 'test/junitreports/report*.xml' kubernetes-chroot: @@ -330,6 +333,13 @@ jobs: run: | kind get kubeconfig > $HOME/.kube/kind-config-kind make kind-e2e-test + + - name: Uplaod e2e junit-reports + uses: actions/upload-artifact@v3 + if: success() || failure() + with: + name: e2e-test-reports-chroot-${{ matrix.k8s }} + path: 'test/junitreports/report*.xml' test-image-build: diff --git a/.github/workflows/junit-reports.yaml b/.github/workflows/junit-reports.yaml index 21f2674a1..f02e68466 100644 --- a/.github/workflows/junit-reports.yaml +++ b/.github/workflows/junit-reports.yaml @@ -10,7 +10,7 @@ jobs: steps: - uses: dorny/test-reporter@v1 with: - artifact: e2e-test-reports - name: JEST Tests # Name of the check run which will be created + artifact: /e2e-test-reports-(.*)/ + name: JEST Tests $1 # Name of the check run which will be created path: 'report*.xml' # Path to test results (inside artifact .zip) reporter: jest-junit # Format of test results From 8736b3b9a76ef9d499f5cd69886aa85b4c927248 Mon Sep 17 00:00:00 2001 From: Jintao Zhang Date: Mon, 12 Dec 2022 22:05:37 +0800 Subject: [PATCH 062/405] ci: remove setup-kind step (#9401) kind is already installed by default in the current GitHub Action environment. Signed-off-by: Jintao Zhang Signed-off-by: Jintao Zhang --- .github/workflows/ci.yaml | 26 ++++++++------------------ 1 file changed, 8 insertions(+), 18 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 0f21ccc4e..69ff30f65 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -189,10 +189,8 @@ jobs: - name: Create Kubernetes ${{ matrix.k8s }} cluster id: kind - uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 #v0.5.0 - with: - version: v0.15.0 - image: kindest/node:${{ matrix.k8s }} + run: | + kind create cluster --image=kindest/node:${{ matrix.k8s }} - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v1 with: @@ -239,11 +237,8 @@ jobs: - name: Create Kubernetes ${{ matrix.k8s }} cluster id: kind - uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 #v0.5.0 - with: - version: v0.15.0 - config: test/e2e/kind.yaml - image: kindest/node:${{ matrix.k8s }} + run: | + kind create cluster --image=kindest/node:${{ matrix.k8s }} --config test/e2e/kind.yaml - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v1 with: @@ -302,11 +297,8 @@ jobs: - name: Create Kubernetes ${{ matrix.k8s }} cluster id: kind - uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 #v0.5.0 - with: - version: v0.15.0 - config: test/e2e/kind.yaml - image: kindest/node:${{ matrix.k8s }} + run: | + kind create cluster --image=kindest/node:${{ matrix.k8s }} --config test/e2e/kind.yaml - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af with: @@ -431,10 +423,8 @@ jobs: - name: Create Kubernetes cluster id: kind if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} - uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 #v0.5.0 - with: - version: v0.15.0 - image: kindest/node:v1.25.2 + run: | + kind create cluster --image=kindest/node:${{ matrix.k8s }} - name: Set up Go 1.19.2 id: go From 4f528fc70a3bfcc2aff1614234891b27aebc1608 Mon Sep 17 00:00:00 2001 From: Jintao Zhang Date: Tue, 13 Dec 2022 00:45:34 +0800 Subject: [PATCH 063/405] ci: remove setup-helm step (#9404) Signed-off-by: Jintao Zhang Signed-off-by: Jintao Zhang --- .github/workflows/ci.yaml | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 69ff30f65..cb575ace6 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -245,12 +245,6 @@ jobs: name: docker.tar.gz failOnError: false - - name: Prepare cluster for testing - uses: azure/setup-helm@f382f75448129b3be48f8121b9857be18d815a82 #v2.1 - with: - version: 'v3.8.0' - id: local-path - - name: Load images from cache run: | echo "loading docker images..." @@ -305,12 +299,6 @@ jobs: name: docker.tar.gz failOnError: false - - name: Prepare cluster for testing - uses: azure/setup-helm@f382f75448129b3be48f8121b9857be18d815a82 #v2.1 - with: - version: 'v3.8.0' - id: local-path - - name: Load images from cache run: | echo "loading docker images..." From b93b277e5a0d3928b770da86921fb5c4c7c2c8b4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Dec 2022 19:07:33 -0800 Subject: [PATCH 064/405] Bump github/codeql-action from 2.1.35 to 2.1.36 (#9400) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.35 to 2.1.36. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/b2a92eb56d8cb930006a1c6ed86b0782dd8a4297...a669cc5936cc5e1b6a362ec1ff9e410dc570d190) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecards.yml | 2 +- .github/workflows/vulnerability-scans.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 7b0dac782..a9c36481b 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -57,6 +57,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v2.1.14 + uses: github/codeql-action/upload-sarif@a669cc5936cc5e1b6a362ec1ff9e410dc570d190 # v2.1.14 with: sarif_file: results.sarif diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index bb9b2fbf0..af46c2bcc 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -75,7 +75,7 @@ jobs: # This step checks out a copy of your repository. - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 + uses: github/codeql-action/upload-sarif@a669cc5936cc5e1b6a362ec1ff9e410dc570d190 with: token: ${{ github.token }} # Path to SARIF file relative to the root of the repository From 651b8468210dee3a81e074be2cf938a7152839e6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 17 Dec 2022 02:29:42 -0800 Subject: [PATCH 065/405] Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.6.0 (#9398) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.5.1 to 2.6.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.5.1...v2.6.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 9 +-------- go.sum | 21 ++------------------- 2 files changed, 3 insertions(+), 27 deletions(-) diff --git a/go.mod b/go.mod index eab2f9d01..90f11e285 100644 --- a/go.mod +++ b/go.mod @@ -14,7 +14,7 @@ require ( github.com/mitchellh/mapstructure v1.5.0 github.com/moul/pb v0.0.0-20220425114252-bca18df4138c github.com/ncabatoff/process-exporter v0.7.10 - github.com/onsi/ginkgo/v2 v2.5.1 + github.com/onsi/ginkgo/v2 v2.6.0 github.com/opencontainers/runc v1.1.4 github.com/pmezard/go-difflib v1.0.0 github.com/prometheus/client_golang v1.14.0 @@ -54,7 +54,6 @@ require ( github.com/BurntSushi/toml v1.0.0 // indirect github.com/PuerkitoBio/purell v1.1.1 // indirect github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect - github.com/alessio/shellescape v1.4.1 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect github.com/cespare/xxhash/v2 v2.1.2 // indirect @@ -71,7 +70,6 @@ require ( github.com/go-openapi/jsonpointer v0.19.5 // indirect github.com/go-openapi/jsonreference v0.19.5 // indirect github.com/go-openapi/swag v0.19.14 // indirect - github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect github.com/godbus/dbus/v5 v5.0.6 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt/v4 v4.2.0 // indirect @@ -82,8 +80,6 @@ require ( github.com/google/gnostic v0.5.7-v3refs // indirect github.com/google/go-cmp v0.5.9 // indirect github.com/google/gofuzz v1.1.0 // indirect - github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect - github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect github.com/google/uuid v1.2.0 // indirect github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect @@ -92,7 +88,6 @@ require ( github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect github.com/mailru/easyjson v0.7.6 // indirect github.com/mattn/go-colorable v0.1.13 // indirect - github.com/mattn/go-isatty v0.0.16 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect github.com/mmarkdown/mmark v2.0.40+incompatible // indirect github.com/moby/sys/mountinfo v0.5.0 // indirect @@ -102,7 +97,6 @@ require ( github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833 // indirect github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 // indirect - github.com/pelletier/go-toml v1.9.4 // indirect github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/pkg/errors v0.9.1 // indirect github.com/prometheus/procfs v0.8.0 // indirect @@ -131,7 +125,6 @@ require ( k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect - sigs.k8s.io/kind v0.17.0 // indirect sigs.k8s.io/kustomize/api v0.12.1 // indirect sigs.k8s.io/kustomize/kyaml v0.13.9 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect diff --git a/go.sum b/go.sum index 21890aa7a..9a608ff9d 100644 --- a/go.sum +++ b/go.sum @@ -60,7 +60,6 @@ github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+Z github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= -github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.0.0 h1:dtDWrepsVPfW9H/4y7dDgFc2MBUSeJhlaDtK13CxFlU= github.com/BurntSushi/toml v1.0.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= @@ -75,8 +74,6 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuy github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= -github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0= -github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a h1:AP/vsCIvJZ129pdm9Ek7bH7yutN3hByqsMoNrWAxRQc= github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a/go.mod h1:QmP9hvJ91BbJmGVGSbutW19IC0Q9phDCLGaomwTJbgU= @@ -109,7 +106,6 @@ github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkX github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzAJc1DzSI= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= -github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI= @@ -172,8 +168,6 @@ github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng= github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= -github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I= -github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.0.6 h1:mkgN1ofwASrYnJ5W6U/BxG15eXXXjirgZc7CLqkcaro= github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= @@ -259,11 +253,8 @@ github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= -github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2 h1:SJ+NtwL6QaZ21U+IrK7d0gGgpjGGvd2kz+FzTHVzdqI= -github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2/go.mod h1:Tv1PlzqC9t8wNnpPdctvtSUOPUUg4SHeE6vR1Ir2hmg= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= @@ -281,7 +272,6 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1: github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= -github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc= github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= @@ -321,7 +311,6 @@ github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= -github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= @@ -361,16 +350,14 @@ github.com/ncabatoff/process-exporter v0.7.10/go.mod h1:DHZRZjqxw9LCOpLlX0DjBuyn github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= -github.com/onsi/ginkgo/v2 v2.5.1 h1:auzK7OI497k6x4OvWq+TKAcpcSAlod0doAH72oIN0Jw= -github.com/onsi/ginkgo/v2 v2.5.1/go.mod h1:63DOGlLAH8+REH8jUGdL3YpCpu7JODesutUjdENfUAc= +github.com/onsi/ginkgo/v2 v2.6.0 h1:9t9b9vRUbFq3C4qKFCGkVuq/fIHji802N1nrtkh1mNc= +github.com/onsi/ginkgo/v2 v2.6.0/go.mod h1:63DOGlLAH8+REH8jUGdL3YpCpu7JODesutUjdENfUAc= github.com/onsi/gomega v1.24.0 h1:+0glovB9Jd6z3VR+ScSwQqXVTIfJcGA9UBM8yzQxhqg= github.com/opencontainers/runc v1.1.4 h1:nRCz/8sKg6K6jgYAFLDlXzPeITBZJyX28DBVhWD+5dg= github.com/opencontainers/runc v1.1.4/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI= -github.com/pelletier/go-toml v1.9.4 h1:tjENF6MfZAg8e4ZmZTeWaWiT2vXtsoO6+iuOjFhECwM= -github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= @@ -426,7 +413,6 @@ github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= -github.com/spf13/cobra v1.4.0/go.mod h1:Wo4iy3BUC+X2Fybo0PDqwJIv3dNRiZLHQymsfxlB84g= github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA= github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= @@ -895,7 +881,6 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= @@ -964,8 +949,6 @@ sigs.k8s.io/controller-runtime v0.13.1 h1:tUsRCSJVM1QQOOeViGeX3GMT3dQF1eePPw6sEE sigs.k8s.io/controller-runtime v0.13.1/go.mod h1:Zbz+el8Yg31jubvAEyglRZGdLAjplZl+PgtYNI6WNTI= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/kind v0.17.0 h1:CScmGz/wX66puA06Gj8OZb76Wmk7JIjgWf5JDvY7msM= -sigs.k8s.io/kind v0.17.0/go.mod h1:Qqp8AiwOlMZmJWs37Hgs31xcbiYXjtXlRBSftcnZXQk= sigs.k8s.io/kustomize/api v0.12.1 h1:7YM7gW3kYBwtKvoY216ZzY+8hM+lV53LUayghNRJ0vM= sigs.k8s.io/kustomize/api v0.12.1/go.mod h1:y3JUhimkZkR6sbLNwfJHxvo1TCLwuwm14sCYnkH6S1s= sigs.k8s.io/kustomize/kyaml v0.13.9 h1:Qz53EAaFFANyNgyOEJbT/yoIHygK40/ZcvU3rgry2Tk= From a0dbbd2fb15080bb7aca03a23de72855c77cd8a7 Mon Sep 17 00:00:00 2001 From: Saumya <76432998+SaumyaBhushan@users.noreply.github.com> Date: Sat, 17 Dec 2022 17:07:41 +0530 Subject: [PATCH 066/405] Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.6.0 (#9408) Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.6.0 Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.6.0 --- build/run-in-docker.sh | 2 +- images/test-runner/rootfs/Dockerfile | 2 +- test/e2e/run-chart-test.sh | 2 +- test/e2e/run.sh | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh index cb8ad18f0..c566bc8a0 100755 --- a/build/run-in-docker.sh +++ b/build/run-in-docker.sh @@ -77,7 +77,7 @@ if [[ "$DOCKER_IN_DOCKER_ENABLED" == "true" ]]; then echo "FLAGS=$FLAGS" go env set -x - go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.5.1 + go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.6.0 find / -type f -name ginkgo 2>/dev/null which ginkgo /bin/bash -c "${FLAGS}" diff --git a/images/test-runner/rootfs/Dockerfile b/images/test-runner/rootfs/Dockerfile index 30e7e1ab2..aa7c56c39 100644 --- a/images/test-runner/rootfs/Dockerfile +++ b/images/test-runner/rootfs/Dockerfile @@ -55,7 +55,7 @@ ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH" -RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.5.1 && go install golang.org/x/lint/golint@latest +RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.6.0 && go install golang.org/x/lint/golint@latest ARG RESTY_CLI_VERSION ARG RESTY_CLI_SHA diff --git a/test/e2e/run-chart-test.sh b/test/e2e/run-chart-test.sh index b2e54993f..606215f17 100755 --- a/test/e2e/run-chart-test.sh +++ b/test/e2e/run-chart-test.sh @@ -78,7 +78,7 @@ fi if [ "${SKIP_IMAGE_CREATION:-false}" = "false" ]; then if ! command -v ginkgo &> /dev/null; then - go get github.com/onsi/ginkgo/v2/ginkgo@v2.5.1 + go get github.com/onsi/ginkgo/v2/ginkgo@v2.6.0 fi echo "[dev-env] building image" make -C ${DIR}/../../ clean-image build image diff --git a/test/e2e/run.sh b/test/e2e/run.sh index 4cd95267f..9ca490baa 100755 --- a/test/e2e/run.sh +++ b/test/e2e/run.sh @@ -79,7 +79,7 @@ fi if [ "${SKIP_IMAGE_CREATION:-false}" = "false" ]; then if ! command -v ginkgo &> /dev/null; then - go get github.com/onsi/ginkgo/v2/ginkgo@v2.5.1 + go get github.com/onsi/ginkgo/v2/ginkgo@v2.6.0 fi echo "[dev-env] building image" From 17d8266a2ac923fb86183e534cef015e717d0128 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 17 Dec 2022 06:01:42 -0800 Subject: [PATCH 067/405] Bump github.com/prometheus/common from 0.37.0 to 0.39.0 (#9416) Bumps [github.com/prometheus/common](https://github.com/prometheus/common) from 0.37.0 to 0.39.0. - [Release notes](https://github.com/prometheus/common/releases) - [Commits](https://github.com/prometheus/common/compare/v0.37.0...v0.39.0) --- updated-dependencies: - dependency-name: github.com/prometheus/common dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 14 +++++++------- go.sum | 38 ++++++++++++++------------------------ 2 files changed, 21 insertions(+), 31 deletions(-) diff --git a/go.mod b/go.mod index 90f11e285..db2e85f74 100644 --- a/go.mod +++ b/go.mod @@ -19,7 +19,7 @@ require ( github.com/pmezard/go-difflib v1.0.0 github.com/prometheus/client_golang v1.14.0 github.com/prometheus/client_model v0.3.0 - github.com/prometheus/common v0.37.0 + github.com/prometheus/common v0.39.0 github.com/spf13/cobra v1.6.1 github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.8.1 @@ -88,7 +88,7 @@ require ( github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect github.com/mailru/easyjson v0.7.6 // indirect github.com/mattn/go-colorable v0.1.13 // indirect - github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect + github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect github.com/mmarkdown/mmark v2.0.40+incompatible // indirect github.com/moby/sys/mountinfo v0.5.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect @@ -107,11 +107,11 @@ require ( github.com/yudai/pp v2.0.1+incompatible // indirect go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect golang.org/x/mod v0.6.0 // indirect - golang.org/x/net v0.2.0 // indirect - golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect - golang.org/x/sys v0.2.0 // indirect - golang.org/x/term v0.2.0 // indirect - golang.org/x/text v0.4.0 // indirect + golang.org/x/net v0.4.0 // indirect + golang.org/x/oauth2 v0.3.0 // indirect + golang.org/x/sys v0.3.0 // indirect + golang.org/x/term v0.3.0 // indirect + golang.org/x/text v0.5.0 // indirect golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect golang.org/x/tools v0.2.0 // indirect google.golang.org/appengine v1.6.7 // indirect diff --git a/go.sum b/go.sum index 9a608ff9d..644cb2e86 100644 --- a/go.sum +++ b/go.sum @@ -148,11 +148,9 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= -github.com/go-kit/log v0.2.0/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= -github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= @@ -314,8 +312,8 @@ github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovk github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI= -github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= +github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= +github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc= github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg= github.com/mitchellh/hashstructure v1.1.0 h1:P6P1hdjqAAknpY/M1CGipelZgp+4y9ja9kmUZPXP+H0= @@ -371,7 +369,6 @@ github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= -github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw= github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= @@ -384,9 +381,8 @@ github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y8 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= github.com/prometheus/common v0.29.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= -github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= -github.com/prometheus/common v0.37.0 h1:ccBbHCgIiT9uSoFY0vX8H3zsNR5eLt17/RQLUvn8pXE= -github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA= +github.com/prometheus/common v0.39.0 h1:oOyhkDq05hPZKItWVBkJ6g6AtGxi+fy7F4JvUV8uhsI= +github.com/prometheus/common v0.39.0/go.mod h1:6XBZ7lYdLCbkAVhwRsWTZn+IN5AB9F/NXd5w0BbEX0Y= github.com/prometheus/exporter-toolkit v0.7.0/go.mod h1:ZUBIj498ePooX9t/2xtDjeQYwvRpiPP2lh5u4iblj2g= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= @@ -557,10 +553,8 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU= -golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= +golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU= +golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -576,8 +570,8 @@ golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b h1:clP8eMhB30EHdc0bd2Twtq6kgU7yl5ub2cQLSdrv1Dg= -golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= +golang.org/x/oauth2 v0.3.0 h1:6l90koy8/LaBLmLu8jpHeHexzMwEita0zFfYlggy2F8= +golang.org/x/oauth2 v0.3.0/go.mod h1:rQrIauxkUhJ6CuwEXwymO2/eh4xz2ZWF1nBkcxS+tGk= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -650,16 +644,13 @@ golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A= -golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ= +golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.2.0 h1:z85xZCsEl7bi/KwbNADeBYoOP0++7W1ipu+aGnpwzRM= -golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= +golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI= +golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -668,9 +659,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg= -golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM= +golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From e3e0d9c1f487cf00c02a2a0ca579f4aff9698e59 Mon Sep 17 00:00:00 2001 From: James Strong Date: Sun, 18 Dec 2022 20:07:43 -0500 Subject: [PATCH 068/405] start upgrade to golang 1.19.4 and alpine 3.17.0 (#9417) * start upgrade to 1.19.4 Signed-off-by: James Strong * add matrix to image test-image Signed-off-by: James Strong * update to alpine 3.17 Signed-off-by: James Strong * remove need for curl Signed-off-by: James Strong Signed-off-by: James Strong --- .github/workflows/ci.yaml | 17 ++-- .github/workflows/plugin.yaml | 2 +- docs/examples/customization/sysctl/patch.json | 2 +- images/cfssl/rootfs/Dockerfile | 2 +- images/custom-error-pages/rootfs/Dockerfile | 2 +- .../rootfs/Dockerfile | 2 +- images/fastcgi-helloserver/rootfs/Dockerfile | 2 +- .../go-grpc-greeter-server/rootfs/Dockerfile | 6 +- images/go-grpc-greeter-server/rootfs/main.go | 78 +++++++++++++++++++ images/httpbin/rootfs/Dockerfile | 2 +- images/kube-webhook-certgen/rootfs/Dockerfile | 2 +- images/nginx/rootfs/Dockerfile | 2 +- images/opentelemetry/rootfs/Dockerfile | 2 +- images/test-runner/Makefile | 2 +- images/test-runner/rootfs/Dockerfile | 2 +- rootfs/Dockerfile-chroot | 2 +- 16 files changed, 106 insertions(+), 21 deletions(-) create mode 100644 images/go-grpc-greeter-server/rootfs/main.go diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index cb575ace6..ea46f8cef 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -82,11 +82,11 @@ jobs: - name: Checkout uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.2 - - name: Set up Go 1.19.2 + - name: Set up Go 1.19.4 id: go uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.2.0 with: - go-version: '1.19.2' + go-version: '1.19.4' - name: Set up QEMU uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 #v2.0.0 @@ -152,7 +152,7 @@ jobs: - name: Setup Go uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.2.0 with: - go-version: '1.19.2' + go-version: '1.19.4' - name: cache uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3 @@ -393,9 +393,16 @@ jobs: permissions: contents: read # for dorny/paths-filter to fetch a list of changed files pull-requests: read # for dorny/paths-filter to read pull requests + runs-on: ubuntu-latest + env: PLATFORMS: linux/amd64 + + strategy: + matrix: + k8s: [ v1.23.13, v1.24.7, v1.25.3 ] + steps: - name: Checkout uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.2 @@ -414,12 +421,12 @@ jobs: run: | kind create cluster --image=kindest/node:${{ matrix.k8s }} - - name: Set up Go 1.19.2 + - name: Set up Go 1.19.4 id: go if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.2.0 with: - go-version: '1.19.2' + go-version: '1.19.4' - name: kube-webhook-certgen image build if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} diff --git a/.github/workflows/plugin.yaml b/.github/workflows/plugin.yaml index 398d0075b..a1ad05d25 100644 --- a/.github/workflows/plugin.yaml +++ b/.github/workflows/plugin.yaml @@ -24,7 +24,7 @@ jobs: - name: Set up Go uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.2.0 with: - go-version: 1.19.2 + go-version: 1.19.4 - name: Run GoReleaser uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757 # v3.0.0 diff --git a/docs/examples/customization/sysctl/patch.json b/docs/examples/customization/sysctl/patch.json index 75d613295..3f736197b 100644 --- a/docs/examples/customization/sysctl/patch.json +++ b/docs/examples/customization/sysctl/patch.json @@ -4,7 +4,7 @@ "spec": { "initContainers": [{ "name": "sysctl", - "image": "alpine:3.16.2", + "image": "alpine:3.17.0", "securityContext": { "privileged": true }, diff --git a/images/cfssl/rootfs/Dockerfile b/images/cfssl/rootfs/Dockerfile index b6dfa567f..f9370c210 100644 --- a/images/cfssl/rootfs/Dockerfile +++ b/images/cfssl/rootfs/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM alpine:3.16.2 +FROM alpine:3.17.0 RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories RUN apk add --no-cache \ diff --git a/images/custom-error-pages/rootfs/Dockerfile b/images/custom-error-pages/rootfs/Dockerfile index 768b1e9df..ef825dec1 100755 --- a/images/custom-error-pages/rootfs/Dockerfile +++ b/images/custom-error-pages/rootfs/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.19.1-alpine as builder +FROM golang:1.19.4-alpine3.17 as builder RUN apk add git WORKDIR /go/src/k8s.io/ingress-nginx/images/custom-error-pages diff --git a/images/ext-auth-example-authsvc/rootfs/Dockerfile b/images/ext-auth-example-authsvc/rootfs/Dockerfile index 012b1880f..d54df8ab9 100644 --- a/images/ext-auth-example-authsvc/rootfs/Dockerfile +++ b/images/ext-auth-example-authsvc/rootfs/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.19.2-alpine3.16 as builder +FROM golang:1.19.4-alpine3.17 as builder RUN mkdir /authsvc WORKDIR /authsvc COPY . ./ diff --git a/images/fastcgi-helloserver/rootfs/Dockerfile b/images/fastcgi-helloserver/rootfs/Dockerfile index f572410e7..0213baf87 100755 --- a/images/fastcgi-helloserver/rootfs/Dockerfile +++ b/images/fastcgi-helloserver/rootfs/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.14-alpine as builder +FROM golang:1.19.4-alpine3.17 as builder WORKDIR /go/src/k8s.io/ingress-nginx/images/fastcgi diff --git a/images/go-grpc-greeter-server/rootfs/Dockerfile b/images/go-grpc-greeter-server/rootfs/Dockerfile index 8db118349..547842512 100644 --- a/images/go-grpc-greeter-server/rootfs/Dockerfile +++ b/images/go-grpc-greeter-server/rootfs/Dockerfile @@ -1,9 +1,9 @@ -FROM golang:buster as build +FROM golang:1.19.4-alpine3.17 as build WORKDIR /go/src/greeter-server -RUN curl -o main.go https://raw.githubusercontent.com/grpc/grpc-go/91e0aeb192456225adf27966d04ada4cf8599915/examples/features/reflection/server/main.go && \ - go mod init greeter-server && \ +COPY main.go . +RUN go mod init greeter-server && \ go mod tidy && \ go build -o /greeter-server main.go diff --git a/images/go-grpc-greeter-server/rootfs/main.go b/images/go-grpc-greeter-server/rootfs/main.go new file mode 100644 index 000000000..569273dfd --- /dev/null +++ b/images/go-grpc-greeter-server/rootfs/main.go @@ -0,0 +1,78 @@ +/* + * + * Copyright 2019 gRPC authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +// Binary server is an example server. +package main + +import ( + "context" + "flag" + "fmt" + "log" + "net" + + "google.golang.org/grpc" + "google.golang.org/grpc/reflection" + + ecpb "google.golang.org/grpc/examples/features/proto/echo" + hwpb "google.golang.org/grpc/examples/helloworld/helloworld" +) + +var port = flag.Int("port", 50051, "the port to serve on") + +// hwServer is used to implement helloworld.GreeterServer. +type hwServer struct { + hwpb.UnimplementedGreeterServer +} + +// SayHello implements helloworld.GreeterServer +func (s *hwServer) SayHello(ctx context.Context, in *hwpb.HelloRequest) (*hwpb.HelloReply, error) { + return &hwpb.HelloReply{Message: "Hello " + in.Name}, nil +} + +type ecServer struct { + ecpb.UnimplementedEchoServer +} + +func (s *ecServer) UnaryEcho(ctx context.Context, req *ecpb.EchoRequest) (*ecpb.EchoResponse, error) { + return &ecpb.EchoResponse{Message: req.Message}, nil +} + +func main() { + flag.Parse() + lis, err := net.Listen("tcp", fmt.Sprintf(":%d", *port)) + if err != nil { + log.Fatalf("failed to listen: %v", err) + } + fmt.Printf("server listening at %v\n", lis.Addr()) + + s := grpc.NewServer() + + // Register Greeter on the server. + hwpb.RegisterGreeterServer(s, &hwServer{}) + + // Register RouteGuide on the same server. + ecpb.RegisterEchoServer(s, &ecServer{}) + + // Register reflection service on gRPC server. + reflection.Register(s) + + if err := s.Serve(lis); err != nil { + log.Fatalf("failed to serve: %v", err) + } +} diff --git a/images/httpbin/rootfs/Dockerfile b/images/httpbin/rootfs/Dockerfile index da9cd0145..1a9b55ba5 100644 --- a/images/httpbin/rootfs/Dockerfile +++ b/images/httpbin/rootfs/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM alpine:3.16.2 +FROM alpine:3.17.0 ENV LC_ALL=C.UTF-8 ENV LANG=C.UTF-8 diff --git a/images/kube-webhook-certgen/rootfs/Dockerfile b/images/kube-webhook-certgen/rootfs/Dockerfile index c45a64dae..32847fd39 100644 --- a/images/kube-webhook-certgen/rootfs/Dockerfile +++ b/images/kube-webhook-certgen/rootfs/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM --platform=$BUILDPLATFORM golang:1.19.2 as builder +FROM --platform=$BUILDPLATFORM golang:1.19.4 as builder ARG BUILDPLATFORM ARG TARGETARCH diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile index 6168ee5d8..89bd652b0 100644 --- a/images/nginx/rootfs/Dockerfile +++ b/images/nginx/rootfs/Dockerfile @@ -11,7 +11,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -FROM alpine:3.16.2 as builder +FROM alpine:3.17.0 as builder COPY . / diff --git a/images/opentelemetry/rootfs/Dockerfile b/images/opentelemetry/rootfs/Dockerfile index 3c137dbe2..8951a3806 100644 --- a/images/opentelemetry/rootfs/Dockerfile +++ b/images/opentelemetry/rootfs/Dockerfile @@ -13,7 +13,7 @@ # limitations under the License. -FROM alpine:3.16.2 as base +FROM alpine:3.17.0 as base RUN mkdir -p /opt/third_party/install COPY . /opt/third_party/ diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile index 38ca5f2b3..4d71b8ad5 100644 --- a/images/test-runner/Makefile +++ b/images/test-runner/Makefile @@ -39,7 +39,7 @@ build: ensure-buildx --progress=$(PROGRESS) \ --pull \ --build-arg BASE_IMAGE=$(NGINX_BASE_IMAGE) \ - --build-arg GOLANG_VERSION=1.19.2 \ + --build-arg GOLANG_VERSION=1.19.4 \ --build-arg ETCD_VERSION=3.4.3-0 \ --build-arg K8S_RELEASE=v1.24.2 \ --build-arg RESTY_CLI_VERSION=0.27 \ diff --git a/images/test-runner/rootfs/Dockerfile b/images/test-runner/rootfs/Dockerfile index aa7c56c39..f471e81cc 100644 --- a/images/test-runner/rootfs/Dockerfile +++ b/images/test-runner/rootfs/Dockerfile @@ -16,7 +16,7 @@ ARG BASE_IMAGE ARG GOLANG_VERSION ARG ETCD_VERSION -FROM golang:${GOLANG_VERSION}-alpine as GO +FROM golang:${GOLANG_VERSION}-alpine3.17 as GO FROM registry.k8s.io/etcd:${ETCD_VERSION} as etcd FROM ${BASE_IMAGE} diff --git a/rootfs/Dockerfile-chroot b/rootfs/Dockerfile-chroot index 4805909d5..bdb9be60b 100644 --- a/rootfs/Dockerfile-chroot +++ b/rootfs/Dockerfile-chroot @@ -23,7 +23,7 @@ RUN apk update \ && apk upgrade \ && /chroot.sh -FROM alpine:3.16.2 +FROM alpine:3.17.0 ARG TARGETARCH ARG VERSION From 690969ba5f8d48514326aebce701862eb0d01603 Mon Sep 17 00:00:00 2001 From: James Strong Date: Tue, 20 Dec 2022 09:22:51 -0500 Subject: [PATCH 069/405] patch otel docker file Signed-off-by: James Strong --- images/opentelemetry/rootfs/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/images/opentelemetry/rootfs/Dockerfile b/images/opentelemetry/rootfs/Dockerfile index 8951a3806..7746edbf1 100644 --- a/images/opentelemetry/rootfs/Dockerfile +++ b/images/opentelemetry/rootfs/Dockerfile @@ -21,7 +21,7 @@ COPY . /opt/third_party/ # install build tools RUN apk update \ && apk upgrade \ - && apk add -U bash \ + && apk add -U bash cmake \ && bash /opt/third_party/build.sh -p # install gRPC @@ -39,7 +39,7 @@ COPY --from=grpc /opt/third_party/install/ /usr COPY --from=otel-cpp /opt/third_party/install/ /usr RUN bash /opt/third_party/build.sh -n -FROM alpine:3.16.2 as final +FROM alpine:3.17.0 as final COPY --from=base /opt/third_party/init_module.sh /usr/local/bin/init_module.sh COPY --from=nginx /etc/nginx/modules /etc/nginx/modules COPY --from=nginx /opt/third_party/install/lib /etc/nginx/modules From 58948acd3dc4729e7da5ac91c97799614e257a2a Mon Sep 17 00:00:00 2001 From: James Strong Date: Tue, 20 Dec 2022 09:41:32 -0500 Subject: [PATCH 070/405] gcloud build is timing out Signed-off-by: James Strong --- images/fastcgi-helloserver/cloudbuild.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/images/fastcgi-helloserver/cloudbuild.yaml b/images/fastcgi-helloserver/cloudbuild.yaml index 37df1d168..cb4ac2e94 100644 --- a/images/fastcgi-helloserver/cloudbuild.yaml +++ b/images/fastcgi-helloserver/cloudbuild.yaml @@ -1,4 +1,4 @@ -timeout: 600s +timeout: 1800s options: substitution_option: ALLOW_LOOSE steps: From 6070c8be0105bf72a44012d3774b0874a4bba4c9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 20 Dec 2022 07:35:45 -0800 Subject: [PATCH 071/405] Bump ossf/scorecard-action from 2.0.6 to 2.1.0 (#9422) Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.0.6 to 2.1.0. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](https://github.com/ossf/scorecard-action/compare/99c53751e09b9529366343771cc321ec74e9bd3d...937ffa90d79c7d720498178154ad4c7ba1e4ad8c) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index a9c36481b..b5bce044e 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -30,7 +30,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v1.1.1 + uses: ossf/scorecard-action@937ffa90d79c7d720498178154ad4c7ba1e4ad8c # v1.1.1 with: results_file: results.sarif results_format: sarif From 07db4997b3029b4d08f6b5966ad8d214001e54ae Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 20 Dec 2022 07:37:45 -0800 Subject: [PATCH 072/405] Bump actions/dependency-review-action from 3.0.1 to 3.0.2 (#9424) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.1 to 3.0.2. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/11310527b429536e263dc6cc47873e608189ba21...0ff3da6f81b812d4ec3cf37a04e2308c7a723730) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/depreview.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/depreview.yaml b/.github/workflows/depreview.yaml index 5350d6e57..835eb5e9b 100644 --- a/.github/workflows/depreview.yaml +++ b/.github/workflows/depreview.yaml @@ -11,4 +11,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 #v3.0.2 - name: 'Dependency Review' - uses: actions/dependency-review-action@11310527b429536e263dc6cc47873e608189ba21 #v2.0.2 + uses: actions/dependency-review-action@0ff3da6f81b812d4ec3cf37a04e2308c7a723730 #v2.0.2 From bd283b6609bafd59a979db0e888b02c7d3dc068c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 20 Dec 2022 07:39:44 -0800 Subject: [PATCH 073/405] Bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (#9426) Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 3.2.0 to 4.1.0. - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](https://github.com/goreleaser/goreleaser-action/compare/b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757...8f67e590f2d095516493f017008adc464e63adb1) --- updated-dependencies: - dependency-name: goreleaser/goreleaser-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/plugin.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/plugin.yaml b/.github/workflows/plugin.yaml index a1ad05d25..ea53c7f79 100644 --- a/.github/workflows/plugin.yaml +++ b/.github/workflows/plugin.yaml @@ -27,7 +27,7 @@ jobs: go-version: 1.19.4 - name: Run GoReleaser - uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757 # v3.0.0 + uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v3.0.0 with: version: latest args: release --rm-dist From 87146d6d93f3aff7d5b70c184b133bc783695f95 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 20 Dec 2022 09:33:43 -0800 Subject: [PATCH 074/405] Bump actions/checkout from 3.1.0 to 3.2.0 (#9425) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.1.0 to 3.2.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8...755da8c3cf115ac066823e79a1e1788f8940201b) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yaml | 16 ++++++++-------- .github/workflows/depreview.yaml | 2 +- .github/workflows/docs.yaml | 4 ++-- .github/workflows/helm.yaml | 4 ++-- .github/workflows/perftest.yaml | 2 +- .github/workflows/plugin.yaml | 2 +- .github/workflows/scorecards.yml | 2 +- .github/workflows/vulnerability-scans.yaml | 4 ++-- 8 files changed, 18 insertions(+), 18 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index ea46f8cef..74bca7a72 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -33,7 +33,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2 id: filter @@ -59,7 +59,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 - name: Run Gosec Security Scanner uses: securego/gosec@1af1d5bb49259b62e45c505db397dd2ada5d74f8 # master @@ -80,7 +80,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 - name: Set up Go 1.19.4 id: go @@ -147,7 +147,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 - name: Setup Go uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.2.0 @@ -228,7 +228,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 - name: cache uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v2 @@ -282,7 +282,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 - name: cache uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 @@ -331,7 +331,7 @@ jobs: PLATFORMS: linux/amd64,linux/arm64 steps: - name: Checkout - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2 id: filter-images @@ -405,7 +405,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2 id: filter-images diff --git a/.github/workflows/depreview.yaml b/.github/workflows/depreview.yaml index 835eb5e9b..5a22ea5ff 100644 --- a/.github/workflows/depreview.yaml +++ b/.github/workflows/depreview.yaml @@ -9,6 +9,6 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 #v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b #v3.0.2 - name: 'Dependency Review' uses: actions/dependency-review-action@0ff3da6f81b812d4ec3cf37a04e2308c7a723730 #v2.0.2 diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index f02f0a17e..879f90d85 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -24,7 +24,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 #v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b #v3.0.2 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2 id: filter @@ -49,7 +49,7 @@ jobs: steps: - name: Checkout master - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 #v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b #v3.0.2 - name: Deploy uses: ./.github/actions/mkdocs diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml index 33e06bbdc..0e9f74b50 100644 --- a/.github/workflows/helm.yaml +++ b/.github/workflows/helm.yaml @@ -24,7 +24,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2 id: filter @@ -51,7 +51,7 @@ jobs: steps: - name: Checkout master - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b with: # Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896 fetch-depth: 0 diff --git a/.github/workflows/perftest.yaml b/.github/workflows/perftest.yaml index a9206d9ef..7205b0c08 100644 --- a/.github/workflows/perftest.yaml +++ b/.github/workflows/perftest.yaml @@ -18,7 +18,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b - name: Install K6 run: | diff --git a/.github/workflows/plugin.yaml b/.github/workflows/plugin.yaml index ea53c7f79..c8fca8cca 100644 --- a/.github/workflows/plugin.yaml +++ b/.github/workflows/plugin.yaml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 with: fetch-depth: 0 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index b5bce044e..53f8f25ff 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -25,7 +25,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.0 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.0 with: persist-credentials: false diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index af46c2bcc..b23c5aa5f 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -22,7 +22,7 @@ jobs: versions: ${{ steps.version.outputs.TAGS }} steps: - name: Checkout code - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b with: fetch-depth: 0 @@ -52,7 +52,7 @@ jobs: versions: ${{ fromJSON(needs.version.outputs.versions) }} steps: - name: Checkout code - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b - shell: bash id: test From 787ea74b6beffeb14f20cbf3a0d95c315ee3d8e3 Mon Sep 17 00:00:00 2001 From: my-git9 Date: Wed, 21 Dec 2022 01:39:46 +0800 Subject: [PATCH 075/405] cleanup: remove ioutil for new go version (#9427) Signed-off-by: xin.li Signed-off-by: xin.li --- images/kube-webhook-certgen/rootfs/pkg/certs/certs_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/images/kube-webhook-certgen/rootfs/pkg/certs/certs_test.go b/images/kube-webhook-certgen/rootfs/pkg/certs/certs_test.go index b4d95b9b2..fa8383cbb 100644 --- a/images/kube-webhook-certgen/rootfs/pkg/certs/certs_test.go +++ b/images/kube-webhook-certgen/rootfs/pkg/certs/certs_test.go @@ -5,7 +5,7 @@ import ( "crypto/tls" "crypto/x509" "fmt" - "io/ioutil" + "io" "net/http" "net/http/httptest" "testing" @@ -49,7 +49,7 @@ func TestCertificateCreation(t *testing.T) { t.Errorf("Response code was %v; want 200", res.StatusCode) } - body, err := ioutil.ReadAll(res.Body) + body, err := io.ReadAll(res.Body) if err != nil { t.Fatal(err) } From 7ef5e1ab8b230721626bf9f3dccb94bae951c81b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 20 Dec 2022 11:15:19 -0800 Subject: [PATCH 076/405] Bump github/codeql-action from 2.1.36 to 2.1.37 (#9423) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.36 to 2.1.37. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/a669cc5936cc5e1b6a362ec1ff9e410dc570d190...959cbb7472c4d4ad70cdfe6f4976053fe48ab394) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecards.yml | 2 +- .github/workflows/vulnerability-scans.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 53f8f25ff..cb2aabf95 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -57,6 +57,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@a669cc5936cc5e1b6a362ec1ff9e410dc570d190 # v2.1.14 + uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.14 with: sarif_file: results.sarif diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index b23c5aa5f..9eaebd865 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -75,7 +75,7 @@ jobs: # This step checks out a copy of your repository. - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@a669cc5936cc5e1b6a362ec1ff9e410dc570d190 + uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 with: token: ${{ github.token }} # Path to SARIF file relative to the root of the repository From cd80cb6907b1b3f1871e3b3a634bda5159658684 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 20 Dec 2022 11:21:19 -0800 Subject: [PATCH 077/405] Bump github.com/onsi/ginkgo/v2 from 2.6.0 to 2.6.1 (#9421) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.6.0 to 2.6.1. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.6.0...v2.6.1) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 14 +++-- go.sum | 190 ++++++--------------------------------------------------- 2 files changed, 26 insertions(+), 178 deletions(-) diff --git a/go.mod b/go.mod index db2e85f74..3c88a910b 100644 --- a/go.mod +++ b/go.mod @@ -14,7 +14,7 @@ require ( github.com/mitchellh/mapstructure v1.5.0 github.com/moul/pb v0.0.0-20220425114252-bca18df4138c github.com/ncabatoff/process-exporter v0.7.10 - github.com/onsi/ginkgo/v2 v2.6.0 + github.com/onsi/ginkgo/v2 v2.6.1 github.com/opencontainers/runc v1.1.4 github.com/pmezard/go-difflib v1.0.0 github.com/prometheus/client_golang v1.14.0 @@ -27,6 +27,7 @@ require ( github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a golang.org/x/crypto v0.3.0 google.golang.org/grpc v1.51.0 + google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 k8s.io/api v0.25.4 @@ -44,7 +45,8 @@ require ( ) require ( - cloud.google.com/go v0.97.0 // indirect + cloud.google.com/go/compute v1.12.1 // indirect + cloud.google.com/go/compute/metadata v0.2.1 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect github.com/Azure/go-autorest/autorest v0.11.27 // indirect github.com/Azure/go-autorest/autorest/adal v0.9.20 // indirect @@ -81,7 +83,7 @@ require ( github.com/google/go-cmp v0.5.9 // indirect github.com/google/gofuzz v1.1.0 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect - github.com/google/uuid v1.2.0 // indirect + github.com/google/uuid v1.3.0 // indirect github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect github.com/inconshreveable/mousetrap v1.0.1 // indirect github.com/josharian/intern v1.0.0 // indirect @@ -106,16 +108,16 @@ require ( github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect github.com/yudai/pp v2.0.1+incompatible // indirect go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect - golang.org/x/mod v0.6.0 // indirect + golang.org/x/mod v0.7.0 // indirect golang.org/x/net v0.4.0 // indirect golang.org/x/oauth2 v0.3.0 // indirect golang.org/x/sys v0.3.0 // indirect golang.org/x/term v0.3.0 // indirect golang.org/x/text v0.5.0 // indirect golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect - golang.org/x/tools v0.2.0 // indirect + golang.org/x/tools v0.4.0 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21 // indirect + google.golang.org/genproto v0.0.0-20221118155620-16455021b5e6 // indirect google.golang.org/protobuf v1.28.1 // indirect gopkg.in/go-playground/assert.v1 v1.2.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/go.sum b/go.sum index 644cb2e86..8362b75ba 100644 --- a/go.sum +++ b/go.sum @@ -13,25 +13,16 @@ cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKV cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= -cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= -cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= -cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= -cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= -cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0= -cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY= -cloud.google.com/go v0.84.0/go.mod h1:RazrYuxIK6Kb7YrzzhPoLmCVzl7Sup4NrbKPg8KHSUM= -cloud.google.com/go v0.87.0/go.mod h1:TpDYlFy7vuLzZMMZ+B6iRiELaY7z/gJPaqbMx6mlWcY= -cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ= -cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI= -cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4= -cloud.google.com/go v0.97.0 h1:3DXvAyifywvq64LfkKaMOmkWPS1CikIQdMe2lY9vxU8= -cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= +cloud.google.com/go/compute v1.12.1 h1:gKVJMEyqV5c/UnpzjjQbo3Rjvvqpr9B1DFSbJC4OXr0= +cloud.google.com/go/compute v1.12.1/go.mod h1:e8yNOBcBONZU1vJKCvCoDw/4JQsA0dpM4x/6PIIOocU= +cloud.google.com/go/compute/metadata v0.2.1 h1:efOwf5ymceDhK6PKMnnrTHP4pppY5L22mle96M1yP48= +cloud.google.com/go/compute/metadata v0.2.1/go.mod h1:jgHgmJd2RKBGzXqF5LR2EZMGxBkeanZ9wwa75XHJgOM= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= @@ -64,7 +55,6 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03 github.com/BurntSushi/toml v1.0.0 h1:dtDWrepsVPfW9H/4y7dDgFc2MBUSeJhlaDtK13CxFlU= github.com/BurntSushi/toml v1.0.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI= github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M= @@ -74,7 +64,6 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuy github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= -github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a h1:AP/vsCIvJZ129pdm9Ek7bH7yutN3hByqsMoNrWAxRQc= github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a/go.mod h1:QmP9hvJ91BbJmGVGSbutW19IC0Q9phDCLGaomwTJbgU= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= @@ -84,7 +73,6 @@ github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6r github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE= github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= @@ -95,13 +83,6 @@ github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMn github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= -github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U= github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzAJc1DzSI= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= @@ -124,11 +105,6 @@ github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= -github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= -github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= -github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= -github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= -github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= @@ -139,7 +115,6 @@ github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b h1:074/xhloHUBOpTZwlIzQ28rbPY8pNJvzY7Gcx5KnNOk= github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA= -github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-errors/errors v1.0.1 h1:LUHzmkK3GUKUrL/1gfBUxAHzcev3apQlezX/+O7ma6w= github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= @@ -188,8 +163,6 @@ github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= -github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= -github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= @@ -205,10 +178,8 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/gomarkdown/markdown v0.0.0-20210514010506-3b9f47219fe7 h1:oKYOfNR7Hp6XpZ4JqolL5u642Js5Z0n7psPVl+S5heo= github.com/gomarkdown/markdown v0.0.0-20210514010506-3b9f47219fe7/go.mod h1:aii0r/K0ZnHv7G0KF7xy1v0A7s2Ljrb5byB7MO5p6TU= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= @@ -224,8 +195,6 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= @@ -236,8 +205,6 @@ github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= -github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= -github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= @@ -245,29 +212,18 @@ github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= -github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.2.0 h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs= -github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= -github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= -github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc= @@ -348,9 +304,9 @@ github.com/ncabatoff/process-exporter v0.7.10/go.mod h1:DHZRZjqxw9LCOpLlX0DjBuyn github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= -github.com/onsi/ginkgo/v2 v2.6.0 h1:9t9b9vRUbFq3C4qKFCGkVuq/fIHji802N1nrtkh1mNc= -github.com/onsi/ginkgo/v2 v2.6.0/go.mod h1:63DOGlLAH8+REH8jUGdL3YpCpu7JODesutUjdENfUAc= -github.com/onsi/gomega v1.24.0 h1:+0glovB9Jd6z3VR+ScSwQqXVTIfJcGA9UBM8yzQxhqg= +github.com/onsi/ginkgo/v2 v2.6.1 h1:1xQPCjcqYw/J5LchOcp4/2q/jzJFjiAOc25chhnDw+Q= +github.com/onsi/ginkgo/v2 v2.6.1/go.mod h1:yjiuMwPokqY1XauOgju45q3sJt6VzQ/Fict1LFVcsAo= +github.com/onsi/gomega v1.24.1 h1:KORJXNNTzJXzu4ScJWssJfJMnJ+2QJqhoQSRwNlze9E= github.com/opencontainers/runc v1.1.4 h1:nRCz/8sKg6K6jgYAFLDlXzPeITBZJyX28DBVhWD+5dg= github.com/opencontainers/runc v1.1.4/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc= @@ -391,7 +347,6 @@ github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1 github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo= github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4= -github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8= @@ -407,7 +362,6 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= -github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA= github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY= @@ -447,7 +401,6 @@ github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a h1:CbXWHAnmrtTKgX+yMVVANuRJP8ld88ELbAYAYnBdLJ4= github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a/go.mod h1:/Hzu8ych2oXCs1iNI+MeASyFzWTncQ6nlu/wgqbqC2A= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= @@ -455,9 +408,6 @@ go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= -go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= -go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 h1:+FNtrFTmVw0YZGpBGX56XDee331t6JAXeK2bcyhLOOc= go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o= go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= @@ -497,8 +447,6 @@ golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHl golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= @@ -507,11 +455,8 @@ golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzB golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.6.0 h1:b9gGHsz9/HhJ3HF5DHQytPpuwocVTChQJK3AvoLRD5I= -golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI= +golang.org/x/mod v0.7.0 h1:LapD9S96VoQRhi/GrNTqeBJFrUjs5UHCAtTlgwA5oZA= +golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -542,15 +487,8 @@ golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81R golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= -golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU= @@ -560,16 +498,7 @@ golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4Iltr golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.3.0 h1:6l90koy8/LaBLmLu8jpHeHexzMwEita0zFfYlggy2F8= golang.org/x/oauth2 v0.3.0/go.mod h1:rQrIauxkUhJ6CuwEXwymO2/eh4xz2ZWF1nBkcxS+tGk= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -582,7 +511,7 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -618,30 +547,13 @@ golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -656,8 +568,6 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM= golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= @@ -708,20 +618,9 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= -golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= -golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.2.0 h1:G6AHpWxTMGY1KyEYoAQ5WTtIekUUvDNjan3ugu60JvE= -golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA= +golang.org/x/tools v0.4.0 h1:7mTAgkunk3fr4GAloyyCasadO6h9zSsQZbwvcaIciV4= +golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -743,18 +642,6 @@ google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0M google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= -google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= -google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= -google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= -google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= -google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= -google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo= -google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4= -google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw= -google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU= -google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k= -google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= -google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= @@ -786,41 +673,15 @@ google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfG google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= -google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= -google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= -google.golang.org/genproto v0.0.0-20210604141403-392c879c8b08/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= -google.golang.org/genproto v0.0.0-20210608205507-b6d2f5bf0d7d/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= -google.golang.org/genproto v0.0.0-20210624195500-8bfb893ecb84/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24= -google.golang.org/genproto v0.0.0-20210713002101-d411969a0d9a/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= -google.golang.org/genproto v0.0.0-20210716133855-ce7ef5c701ea/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= -google.golang.org/genproto v0.0.0-20210728212813-7823e685a01f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= -google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= -google.golang.org/genproto v0.0.0-20210813162853-db860fec028c/go.mod h1:cFeNkxwySK631ADgubI+/XFU/xp8FD5KIVV4rj8UC5w= -google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= -google.golang.org/genproto v0.0.0-20210828152312-66f60bf46e71/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= -google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= -google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= -google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21 h1:hrbNEivu7Zn1pxvHk6MBrq9iE22woVILTHqexqBxe6I= -google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= +google.golang.org/genproto v0.0.0-20221118155620-16455021b5e6 h1:a2S6M0+660BgMNl++4JPlcAO/CjkqYItDEZwkoDQK7c= +google.golang.org/genproto v0.0.0-20221118155620-16455021b5e6/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= @@ -833,23 +694,10 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= -google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= -google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= -google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= -google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= -google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= -google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= -google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= -google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= google.golang.org/grpc v1.51.0 h1:E1eGv1FTqoLIdnBCZufiSHgKjlqG6fKFf6pPWtMTh8U= google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsAIPww= -google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= +google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 h1:pPsdyuBif+uoyUoL19yuj/TCfUPsmpJHJZhWQ98JGLU= +google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7/go.mod h1:8pQa1yxxkh+EsxUK8/455D5MSbv3vgmEJqKCH3y17mI= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= @@ -863,7 +711,6 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w= google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= @@ -885,7 +732,6 @@ gopkg.in/mcuadros/go-syslog.v2 v2.3.0/go.mod h1:l5LPIyOOyIdQquNg+oU6Z3524YwrcqEm gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= From c648595cd73a2d605cd7d9575b72b367755c7ec8 Mon Sep 17 00:00:00 2001 From: James Strong Date: Tue, 20 Dec 2022 22:55:25 -0500 Subject: [PATCH 078/405] update the nginx run container for alpine:3.17.0 (#9430) Signed-off-by: James Strong Signed-off-by: James Strong --- images/nginx/rootfs/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile index 89bd652b0..a9b01ff82 100644 --- a/images/nginx/rootfs/Dockerfile +++ b/images/nginx/rootfs/Dockerfile @@ -21,7 +21,7 @@ RUN apk update \ && /build.sh # Use a multi-stage build -FROM alpine:3.16.2 +FROM alpine:3.17.0 ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin From 6ffaef32ab4337943ab8fb0630652eb7f8102cbe Mon Sep 17 00:00:00 2001 From: Saumya <76432998+SaumyaBhushan@users.noreply.github.com> Date: Wed, 21 Dec 2022 14:13:25 +0530 Subject: [PATCH 079/405] Bump github.com/onsi/ginkgo/v2 from 2.6.0 to 2.6.1 (#9432) --- build/run-in-docker.sh | 2 +- images/test-runner/rootfs/Dockerfile | 2 +- test/e2e/run-chart-test.sh | 2 +- test/e2e/run.sh | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh index c566bc8a0..c00453481 100755 --- a/build/run-in-docker.sh +++ b/build/run-in-docker.sh @@ -77,7 +77,7 @@ if [[ "$DOCKER_IN_DOCKER_ENABLED" == "true" ]]; then echo "FLAGS=$FLAGS" go env set -x - go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.6.0 + go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.6.1 find / -type f -name ginkgo 2>/dev/null which ginkgo /bin/bash -c "${FLAGS}" diff --git a/images/test-runner/rootfs/Dockerfile b/images/test-runner/rootfs/Dockerfile index f471e81cc..1e8bc3643 100644 --- a/images/test-runner/rootfs/Dockerfile +++ b/images/test-runner/rootfs/Dockerfile @@ -55,7 +55,7 @@ ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH" -RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.6.0 && go install golang.org/x/lint/golint@latest +RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.6.1 && go install golang.org/x/lint/golint@latest ARG RESTY_CLI_VERSION ARG RESTY_CLI_SHA diff --git a/test/e2e/run-chart-test.sh b/test/e2e/run-chart-test.sh index 606215f17..e501ca6fe 100755 --- a/test/e2e/run-chart-test.sh +++ b/test/e2e/run-chart-test.sh @@ -78,7 +78,7 @@ fi if [ "${SKIP_IMAGE_CREATION:-false}" = "false" ]; then if ! command -v ginkgo &> /dev/null; then - go get github.com/onsi/ginkgo/v2/ginkgo@v2.6.0 + go get github.com/onsi/ginkgo/v2/ginkgo@v2.6.1 fi echo "[dev-env] building image" make -C ${DIR}/../../ clean-image build image diff --git a/test/e2e/run.sh b/test/e2e/run.sh index 9ca490baa..17dad6c39 100755 --- a/test/e2e/run.sh +++ b/test/e2e/run.sh @@ -79,7 +79,7 @@ fi if [ "${SKIP_IMAGE_CREATION:-false}" = "false" ]; then if ! command -v ginkgo &> /dev/null; then - go get github.com/onsi/ginkgo/v2/ginkgo@v2.6.0 + go get github.com/onsi/ginkgo/v2/ginkgo@v2.6.1 fi echo "[dev-env] building image" From a667c93adeb9c4a7b8c50ee4c43e229a86e7e415 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 21 Dec 2022 00:49:26 -0800 Subject: [PATCH 080/405] Bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#9397) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.3.0 to 0.4.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](https://github.com/golang/crypto/compare/v0.3.0...v0.4.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 3c88a910b..b074e7c10 100644 --- a/go.mod +++ b/go.mod @@ -25,7 +25,7 @@ require ( github.com/stretchr/testify v1.8.1 github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a - golang.org/x/crypto v0.3.0 + golang.org/x/crypto v0.4.0 google.golang.org/grpc v1.51.0 google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 diff --git a/go.sum b/go.sum index 8362b75ba..684ae5beb 100644 --- a/go.sum +++ b/go.sum @@ -423,8 +423,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.3.0 h1:a06MkbcxBrEFc0w0QIZWXrH/9cCX6KJyWbBOIwAn+7A= -golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= +golang.org/x/crypto v0.4.0 h1:UVQgzMY87xqpKNgb+kDsll2Igd33HszWHFLmpaRMq/8= +golang.org/x/crypto v0.4.0/go.mod h1:3quD/ATkf6oY+rnes5c3ExXTbLc8mueNue5/DoinL80= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= From 6ed6a76200595a7c6843322c60491fef2c86a864 Mon Sep 17 00:00:00 2001 From: Marco Ebert Date: Wed, 21 Dec 2022 09:51:26 +0100 Subject: [PATCH 081/405] HPA: Add `controller.autoscaling.annotations` to `values.yaml`. (#9253) This value is already in use, but hasn't been added to `values.yaml`. --- charts/ingress-nginx/README.md | 1 + charts/ingress-nginx/values.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 0e2800d94..af71493fe 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -295,6 +295,7 @@ Kubernetes: `>=1.20.0-0` | controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # | | controller.allowSnippetAnnotations | bool | `true` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected | | controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # | +| controller.autoscaling.annotations | object | `{}` | | | controller.autoscaling.apiVersion | string | `"autoscaling/v2"` | | | controller.autoscaling.behavior | object | `{}` | | | controller.autoscaling.enabled | bool | `false` | | diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 161f974fe..b7089addb 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -366,6 +366,7 @@ controller: autoscaling: apiVersion: autoscaling/v2 enabled: false + annotations: {} minReplicas: 1 maxReplicas: 11 targetCPUUtilizationPercentage: 50 From f685c9b379de340814d2e4014cca85431d717b41 Mon Sep 17 00:00:00 2001 From: James Strong Date: Wed, 21 Dec 2022 12:36:20 -0500 Subject: [PATCH 082/405] force rebuild for curl cve Signed-off-by: James Strong --- images/nginx/rootfs/build.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh index 6d8937a22..8023575c0 100755 --- a/images/nginx/rootfs/build.sh +++ b/images/nginx/rootfs/build.sh @@ -177,7 +177,8 @@ apk add \ mercurial \ alpine-sdk \ findutils \ - curl ca-certificates \ + curl \ + ca-certificates \ patch \ libaio-dev \ openssl \ From bb60e02e960340c382f0bcd4b21292fb06f80602 Mon Sep 17 00:00:00 2001 From: Carlos Tadeu Panato Junior Date: Thu, 22 Dec 2022 16:37:26 +0100 Subject: [PATCH 083/405] CI updates (#9440) * add labels to dependabot prs Signed-off-by: cpanato * sync hashes and versions dependabot can update the version comment now Signed-off-by: cpanato Signed-off-by: cpanato --- .github/dependabot.yml | 10 ++- .github/workflows/ci.yaml | 81 +++++++++++----------- .github/workflows/depreview.yaml | 4 +- .github/workflows/docs.yaml | 10 ++- .github/workflows/helm.yaml | 14 ++-- .github/workflows/junit-reports.yaml | 13 ++-- .github/workflows/perftest.yaml | 7 +- .github/workflows/plugin.yaml | 9 +-- .github/workflows/project.yml | 4 +- .github/workflows/scorecards.yml | 20 +++--- .github/workflows/vulnerability-scans.yaml | 72 +++++++++---------- 11 files changed, 125 insertions(+), 119 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 404ed62e1..28a5e5580 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -5,7 +5,15 @@ updates: directory: "/" schedule: interval: "weekly" + labels: + - "area/dependency" + - "release-note-none" + - "ok-to-test" - package-ecosystem: "github-actions" directory: "/" schedule: - interval: "weekly" + interval: "weekly" + labels: + - "area/dependency" + - "release-note-none" + - "ok-to-test" diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 74bca7a72..d1a9936b5 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -33,9 +33,9 @@ jobs: steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2 + - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter with: token: ${{ secrets.GITHUB_TOKEN }} @@ -59,10 +59,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - name: Run Gosec Security Scanner - uses: securego/gosec@1af1d5bb49259b62e45c505db397dd2ada5d74f8 # master + uses: securego/gosec@1af1d5bb49259b62e45c505db397dd2ada5d74f8 # v2.14.0 with: # G601 for zz_generated.deepcopy.go # G306 TODO: Expect WriteFile permissions to be 0600 or less @@ -74,26 +74,25 @@ jobs: runs-on: ubuntu-latest needs: changes if: | - (needs.changes.outputs.go == 'true') || (needs.changes.outputs.charts == 'true') || ${{ inputs.run_e2e }} - + (needs.changes.outputs.go == 'true') || (needs.changes.outputs.charts == 'true') || ${{ inputs.run_e2e }} steps: - - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - - name: Set up Go 1.19.4 + - name: Set up Go id: go - uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.2.0 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: - go-version: '1.19.4' + go-version: '1.19' + check-latest: true - name: Set up QEMU - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 #v2.0.0 + uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.0.0 + uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1 with: version: latest @@ -104,7 +103,7 @@ jobs: run: | sudo apt-get -qq update || true sudo apt-get install -y pigz - curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.17.0/bin/linux/amd64/kubectl + curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.25.5/bin/linux/amd64/kubectl chmod +x ./kubectl sudo mv ./kubectl /usr/local/bin/kubectl @@ -138,24 +137,24 @@ jobs: - changes - build if: | - (needs.changes.outputs.charts == 'true') || ${{ inputs.run_e2e }} + (needs.changes.outputs.charts == 'true') || ${{ inputs.run_e2e }} strategy: matrix: k8s: [v1.23.13, v1.24.7, v1.25.3] steps: - - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - name: Setup Go - uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.2.0 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: - go-version: '1.19.4' + go-version: '1.19' + check-latest: true - name: cache - uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3 + uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1 with: name: docker.tar.gz @@ -192,7 +191,7 @@ jobs: run: | kind create cluster --image=kindest/node:${{ matrix.k8s }} - - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v1 + - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0 with: name: docker.tar.gz failOnError: false @@ -211,7 +210,6 @@ jobs: kind get kubeconfig > $HOME/.kube/kind-config-kind make kind-e2e-chart-tests - kubernetes: name: Kubernetes runs-on: ubuntu-latest @@ -219,19 +217,18 @@ jobs: - changes - build if: | - (needs.changes.outputs.go == 'true') || ${{ inputs.run_e2e }} + (needs.changes.outputs.go == 'true') || ${{ inputs.run_e2e }} strategy: matrix: k8s: [v1.23.13, v1.24.7, v1.25.3] steps: - - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - name: cache - uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v2 + uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1 with: name: docker.tar.gz @@ -240,7 +237,7 @@ jobs: run: | kind create cluster --image=kindest/node:${{ matrix.k8s }} --config test/e2e/kind.yaml - - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v1 + - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0 with: name: docker.tar.gz failOnError: false @@ -260,7 +257,7 @@ jobs: make kind-e2e-test - name: Uplaod e2e junit-reports - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 if: success() || failure() with: name: e2e-test-reports-${{ matrix.k8s }} @@ -273,7 +270,7 @@ jobs: - changes - build if: | - (needs.changes.outputs.go == 'true') || ${{ inputs.run_e2e }} + (needs.changes.outputs.go == 'true') || ${{ inputs.run_e2e }} strategy: matrix: @@ -282,10 +279,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - name: cache - uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 + uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1 with: name: docker.tar.gz @@ -294,7 +291,7 @@ jobs: run: | kind create cluster --image=kindest/node:${{ matrix.k8s }} --config test/e2e/kind.yaml - - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af + - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0 with: name: docker.tar.gz failOnError: false @@ -313,9 +310,9 @@ jobs: run: | kind get kubeconfig > $HOME/.kube/kind-config-kind make kind-e2e-test - + - name: Uplaod e2e junit-reports - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 if: success() || failure() with: name: e2e-test-reports-chroot-${{ matrix.k8s }} @@ -331,9 +328,9 @@ jobs: PLATFORMS: linux/amd64,linux/arm64 steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2 + - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter-images with: token: ${{ secrets.GITHUB_TOKEN }} @@ -388,7 +385,6 @@ jobs: run: | cd images/ext-auth-example-authsvc && make build - test-image: permissions: contents: read # for dorny/paths-filter to fetch a list of changed files @@ -405,9 +401,9 @@ jobs: steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2 + - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter-images with: token: ${{ secrets.GITHUB_TOKEN }} @@ -421,12 +417,13 @@ jobs: run: | kind create cluster --image=kindest/node:${{ matrix.k8s }} - - name: Set up Go 1.19.4 + - name: Set up Go id: go if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} - uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.2.0 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: - go-version: '1.19.4' + go-version: '1.19' + check-latest: true - name: kube-webhook-certgen image build if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} diff --git a/.github/workflows/depreview.yaml b/.github/workflows/depreview.yaml index 5a22ea5ff..758e4b95f 100644 --- a/.github/workflows/depreview.yaml +++ b/.github/workflows/depreview.yaml @@ -9,6 +9,6 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b #v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - name: 'Dependency Review' - uses: actions/dependency-review-action@0ff3da6f81b812d4ec3cf37a04e2308c7a723730 #v2.0.2 + uses: actions/dependency-review-action@0ff3da6f81b812d4ec3cf37a04e2308c7a723730 # v3.0.2 diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 879f90d85..241921ecf 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -22,11 +22,10 @@ jobs: charts: ${{ steps.filter.outputs.charts }} steps: - - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b #v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2 + - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter with: token: ${{ secrets.GITHUB_TOKEN }} @@ -47,11 +46,10 @@ jobs: contents: write # needed to write releases steps: - - name: Checkout master - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b #v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - name: Deploy uses: ./.github/actions/mkdocs env: - PERSONAL_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + PERSONAL_TOKEN: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml index 0e9f74b50..5d96507a1 100644 --- a/.github/workflows/helm.yaml +++ b/.github/workflows/helm.yaml @@ -22,11 +22,10 @@ jobs: charts: ${{ steps.filter.outputs.charts }} steps: - - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2 + - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter with: token: ${{ secrets.GITHUB_TOKEN }} @@ -49,9 +48,8 @@ jobs: (needs.changes.outputs.charts == 'true') steps: - - name: Checkout master - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 with: # Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896 fetch-depth: 0 @@ -61,12 +59,12 @@ jobs: run: | git config --global user.name "$GITHUB_ACTOR" git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com" - + - name: Helm Chart Releaser - uses: helm/chart-releaser-action@98bccfd32b0f76149d188912ac8e45ddd3f8695f #v1.4.1 + uses: helm/chart-releaser-action@98bccfd32b0f76149d188912ac8e45ddd3f8695f # v1.4.1 env: CR_SKIP_EXISTING: "false" CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}" with: - charts_dir: charts \ No newline at end of file + charts_dir: charts diff --git a/.github/workflows/junit-reports.yaml b/.github/workflows/junit-reports.yaml index f02e68466..eb25bbeca 100644 --- a/.github/workflows/junit-reports.yaml +++ b/.github/workflows/junit-reports.yaml @@ -1,4 +1,5 @@ name: 'E2E Test Report' + on: workflow_run: workflows: ['CI'] # runs after CI workflow @@ -8,9 +9,9 @@ jobs: report: runs-on: ubuntu-latest steps: - - uses: dorny/test-reporter@v1 - with: - artifact: /e2e-test-reports-(.*)/ - name: JEST Tests $1 # Name of the check run which will be created - path: 'report*.xml' # Path to test results (inside artifact .zip) - reporter: jest-junit # Format of test results + - uses: dorny/test-reporter@c9b3d0e2bd2a4e96aaf424dbaa31c46b42318226 # v1.6.0 + with: + artifact: /e2e-test-reports-(.*)/ + name: JEST Tests $1 # Name of the check run which will be created + path: 'report*.xml' # Path to test results (inside artifact .zip) + reporter: jest-junit # Format of test results diff --git a/.github/workflows/perftest.yaml b/.github/workflows/perftest.yaml index 7205b0c08..89dfdfad6 100644 --- a/.github/workflows/perftest.yaml +++ b/.github/workflows/perftest.yaml @@ -1,4 +1,5 @@ name: Performance Test + on: workflow_dispatch: inputs: @@ -18,7 +19,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - name: Install K6 run: | @@ -33,7 +34,7 @@ jobs: mkdir $HOME/.kube make dev-env podName=`kubectl -n ingress-nginx get po | grep -i controller | awk '{print $1}'` - if [[ -z ${podName} ]] ; then + if [[ -z ${podName} ]] ; then sleep 5 fi kubectl wait pod -n ingress-nginx --for condition=Ready $podName @@ -46,7 +47,7 @@ jobs: kubectl create ing k6 --class nginx \ --rule test.ingress-nginx-controller.ga/*=k6:80 podName=`kubectl get po | grep -i k6 | awk '{print $1}'` - if [[ -z ${podName} ]] ; then + if [[ -z ${podName} ]] ; then sleep 5 fi kubectl wait pod --for condition=Ready $podName diff --git a/.github/workflows/plugin.yaml b/.github/workflows/plugin.yaml index c8fca8cca..779cd1da8 100644 --- a/.github/workflows/plugin.yaml +++ b/.github/workflows/plugin.yaml @@ -17,17 +17,18 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 with: fetch-depth: 0 - name: Set up Go - uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.2.0 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: - go-version: 1.19.4 + go-version: 1.19 + check-latest: true - name: Run GoReleaser - uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v3.0.0 + uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v4.1.0 with: version: latest args: release --rm-dist diff --git a/.github/workflows/project.yml b/.github/workflows/project.yml index 9baa09bf2..d75435712 100644 --- a/.github/workflows/project.yml +++ b/.github/workflows/project.yml @@ -11,9 +11,9 @@ jobs: runs-on: ubuntu-latest permissions: repository-projects: write - issues: write + issues: write steps: - - uses: actions/add-to-project@960fbad431afda394cfcf8743445e741acd19e85 #v0.4.0 + - uses: actions/add-to-project@960fbad431afda394cfcf8743445e741acd19e85 # v0.4.0 with: project-url: https://github.com/orgs/kubernetes/projects/104 github-token: ${{ secrets.PROJECT_WRITER }} diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index cb2aabf95..6af70e691 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -1,11 +1,13 @@ name: Scorecards supply-chain security + on: # Only the default branch is supported. branch_protection_rule: schedule: - cron: '20 11 * * 5' push: - branches: [ "main" ] + branches: + - "main" # Declare default permissions as read only. permissions: read-all @@ -22,15 +24,15 @@ jobs: # Needs for private repositories. contents: read actions: read - + steps: - name: "Checkout code" - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.0 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@937ffa90d79c7d720498178154ad4c7ba1e4ad8c # v1.1.1 + uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 with: results_file: results.sarif results_format: sarif @@ -41,22 +43,22 @@ jobs: # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} # Publish the results for public repositories to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories, `publish_results` will automatically be set to `false`, regardless + # https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories, `publish_results` will automatically be set to `false`, regardless # of the value entered here. publish_results: true # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.0.0 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 with: name: SARIF file path: results.sarif retention-days: 5 - + # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.14 + uses: github/codeql-action/upload-sarif@896079047b4bb059ba6f150a5d87d47dde99e6e5 # v2.1.37 with: sarif_file: results.sarif diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index 9eaebd865..67fad3187 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -22,7 +22,7 @@ jobs: versions: ${{ steps.version.outputs.TAGS }} steps: - name: Checkout code - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 with: fetch-depth: 0 @@ -46,47 +46,47 @@ jobs: scan: runs-on: ubuntu-latest - needs: version + needs: version strategy: matrix: versions: ${{ fromJSON(needs.version.outputs.versions) }} steps: - - name: Checkout code - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b + - name: Checkout code + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - - shell: bash - id: test - run: echo "Scanning registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}" + - shell: bash + id: test + run: echo "Scanning registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}" - - name: Scan image with AquaSec/Trivy - id: scan - uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 #v0.5.1 - with: - image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }} - format: 'sarif' - output: trivy-results-${{ matrix.versions }}.sarif - exit-code: 0 - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN' + - name: Scan image with AquaSec/Trivy + id: scan + uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # v0.8.0 + with: + image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }} + format: 'sarif' + output: trivy-results-${{ matrix.versions }}.sarif + exit-code: 0 + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN' - - name: Output Sarif File - shell: bash - run: cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif + - name: Output Sarif File + shell: bash + run: cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif - # This step checks out a copy of your repository. - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 - with: - token: ${{ github.token }} - # Path to SARIF file relative to the root of the repository - sarif_file: ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif + # This step checks out a copy of your repository. + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@896079047b4bb059ba6f150a5d87d47dde99e6e5 # v2.1.37 + with: + token: ${{ github.token }} + # Path to SARIF file relative to the root of the repository + sarif_file: ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif - - name: Vulz Count - shell: bash - run: | - TRIVY_COUNT=$(cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif | jq '.runs[0].results | length') - echo "TRIVY_COUNT: $TRIVY_COUNT" - echo "Image Vulnerability scan output" >> $GITHUB_STEP_SUMMARY - echo "Image ID: registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - echo "Trivy Count: $TRIVY_COUNT" >> $GITHUB_STEP_SUMMARY + - name: Vulz Count + shell: bash + run: | + TRIVY_COUNT=$(cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif | jq '.runs[0].results | length') + echo "TRIVY_COUNT: $TRIVY_COUNT" + echo "Image Vulnerability scan output" >> $GITHUB_STEP_SUMMARY + echo "Image ID: registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "Trivy Count: $TRIVY_COUNT" >> $GITHUB_STEP_SUMMARY From 7206f488abf4c54c33dc3e7bd03dfe17d2f2259d Mon Sep 17 00:00:00 2001 From: Saumya <76432998+SaumyaBhushan@users.noreply.github.com> Date: Thu, 22 Dec 2022 23:49:26 +0530 Subject: [PATCH 084/405] avoid builds and tests for non-code changes (#9392) * avoid builds and tests for non-code changes * dummy test for workflow --- .github/workflows/ci.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index d1a9936b5..596a26b31 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -4,10 +4,16 @@ on: pull_request: branches: - "*" + paths-ignore: + - 'docs/**' + - 'deploy/**' push: branches: - main + paths-ignore: + - 'docs/**' + - 'deploy/**' workflow_dispatch: inputs: From 30d6f7e14043dafba40f078e9f2d8cb4e4f97c51 Mon Sep 17 00:00:00 2001 From: James Strong Date: Fri, 23 Dec 2022 22:27:25 -0500 Subject: [PATCH 085/405] test the new e2e test images (#9444) Signed-off-by: James Strong Signed-off-by: James Strong --- build/run-in-docker.sh | 2 +- test/e2e-image/Makefile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh index c00453481..511c5475f 100755 --- a/build/run-in-docker.sh +++ b/build/run-in-docker.sh @@ -38,7 +38,7 @@ function cleanup { } trap cleanup EXIT -E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20221125-controller-v1.5.1-21-g9d562c47a@sha256:50c5469f08b664e928a3035ac94a2348955b669d7ac33809abc674c8fd6c19c1} +E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20221221-controller-v1.5.1-62-g6ffaef32a@sha256:8f025472964cd15ae2d379503aba150565a8d78eb36b41ddfc5f1e3b1ca81a8e} DOCKER_OPTS=${DOCKER_OPTS:-} DOCKER_IN_DOCKER_ENABLED=${DOCKER_IN_DOCKER_ENABLED:-} diff --git a/test/e2e-image/Makefile b/test/e2e-image/Makefile index 64094ec34..f89bf6bf2 100644 --- a/test/e2e-image/Makefile +++ b/test/e2e-image/Makefile @@ -1,6 +1,6 @@ DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST)))) -E2E_BASE_IMAGE="registry.k8s.io/ingress-nginx/e2e-test-runner:v20221125-controller-v1.5.1-21-g9d562c47a@sha256:50c5469f08b664e928a3035ac94a2348955b669d7ac33809abc674c8fd6c19c1" +E2E_BASE_IMAGE="registry.k8s.io/ingress-nginx/e2e-test-runner:v20221221-controller-v1.5.1-62-g6ffaef32a@sha256:8f025472964cd15ae2d379503aba150565a8d78eb36b41ddfc5f1e3b1ca81a8e" image: echo "..entered Makefile in /test/e2e-image" From c50a9e99bc594d10f9c3a49abab223b8839deecb Mon Sep 17 00:00:00 2001 From: James Strong Date: Sat, 24 Dec 2022 09:17:27 -0500 Subject: [PATCH 086/405] upgrade nginx base image (#9436) * upgrade nginx base and e2e base Signed-off-by: James Strong * upgrade e2e base Signed-off-by: James Strong * update new build Signed-off-by: James Strong * update to latest e2e base Signed-off-by: James Strong * remove e2e update Signed-off-by: James Strong * remove e2e update Signed-off-by: James Strong Signed-off-by: James Strong --- NGINX_BASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NGINX_BASE b/NGINX_BASE index 45654c627..72093c593 100644 --- a/NGINX_BASE +++ b/NGINX_BASE @@ -1 +1 @@ -registry.k8s.io/ingress-nginx/nginx:0b5e0685112e4537ee20a0bdbba451e9f6158aa3@sha256:3f5e28bb248d5170e77b77fc2a1a385724aeff41a0b34b5afad7dd9cf93de000 +registry.k8s.io/ingress-nginx/nginx:21aa7f55a3325c1c26de0dfb62ede4c0a809a994@sha256:da6b877ed96dada46ed6e379051c2dd461dd5d329af7a7531820ad3e16197e20 \ No newline at end of file From 336f25230beecdc4c9d06f448368a1cf51b1beac Mon Sep 17 00:00:00 2001 From: James Strong Date: Sat, 24 Dec 2022 14:23:26 -0500 Subject: [PATCH 087/405] start release 1.5.2 (#9445) * start release 1.5.2 Signed-off-by: James Strong * upgrade kind clusters and add 1.26 Signed-off-by: James Strong Signed-off-by: James Strong --- .github/workflows/ci.yaml | 8 ++++---- TAG | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 596a26b31..d064fa6a2 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -147,7 +147,7 @@ jobs: strategy: matrix: - k8s: [v1.23.13, v1.24.7, v1.25.3] + k8s: [v1.23.13, v1.24.7, v1.25.3, v1.26.0] steps: - name: Checkout @@ -227,7 +227,7 @@ jobs: strategy: matrix: - k8s: [v1.23.13, v1.24.7, v1.25.3] + k8s: [v1.23.13, v1.24.7, v1.25.3, v1.26.0] steps: - name: Checkout @@ -280,7 +280,7 @@ jobs: strategy: matrix: - k8s: [v1.23.13, v1.24.7, v1.25.3] + k8s: [v1.23.13, v1.24.7, v1.25.3, v1.26.0] steps: @@ -403,7 +403,7 @@ jobs: strategy: matrix: - k8s: [ v1.23.13, v1.24.7, v1.25.3 ] + k8s: [v1.23.13, v1.24.7, v1.25.3, v1.26.0] steps: - name: Checkout diff --git a/TAG b/TAG index 53b5bbb12..a503124bd 100644 --- a/TAG +++ b/TAG @@ -1 +1 @@ -v1.5.1 +v1.5.2 From 26507e0fa4d545d1aaa8b9ba5754ba96f47161d6 Mon Sep 17 00:00:00 2001 From: James Strong Date: Sat, 24 Dec 2022 15:51:50 -0500 Subject: [PATCH 088/405] with chroot now it can take longer than 30 mins Signed-off-by: James Strong --- cloudbuild.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index a9d4a214c..d3f1eed62 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -1,6 +1,6 @@ # See https://cloud.google.com/cloud-build/docs/build-config -timeout: 1800s +timeout: 18000s options: substitution_option: ALLOW_LOOSE steps: From d2ba8e6b6bc137bf9628b2d57cb3967716bde773 Mon Sep 17 00:00:00 2001 From: James Strong Date: Mon, 26 Dec 2022 16:16:40 -0500 Subject: [PATCH 089/405] Reset tag to restart 1.5.2 release gcloud timed out on the 1.5.2 build, so we need to restart the release process, so reverting the tag. --- TAG | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TAG b/TAG index a503124bd..53b5bbb12 100644 --- a/TAG +++ b/TAG @@ -1 +1 @@ -v1.5.2 +v1.5.1 From 69b3e7e8c110a91b84fff3155b9c807fa9138adc Mon Sep 17 00:00:00 2001 From: Aleksandr Lebedev <49903054+alebsys@users.noreply.github.com> Date: Tue, 27 Dec 2022 04:23:26 +0700 Subject: [PATCH 090/405] Update command line arguments documentation (#9224) * update cli-arguents.md with latest version flags.go * correct punctuation in pkg/flag/flags.go --- docs/user-guide/cli-arguments.md | 51 ++++++++++++++------------------ pkg/flags/flags.go | 32 ++++++++++---------- 2 files changed, 39 insertions(+), 44 deletions(-) diff --git a/docs/user-guide/cli-arguments.md b/docs/user-guide/cli-arguments.md index 9d7bd9fc6..ab483b1cd 100644 --- a/docs/user-guide/cli-arguments.md +++ b/docs/user-guide/cli-arguments.md @@ -6,22 +6,23 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment | Argument | Description | |----------|-------------| -| `--add_dir_header` | If true, adds the file directory to the header | -| `--alsologtostderr` | log to standard error as well as files | | `--annotations-prefix` | Prefix of the Ingress annotations specific to the NGINX controller. (default "nginx.ingress.kubernetes.io") | | `--apiserver-host` | Address of the Kubernetes API server. Takes the form "protocol://address:port". If not specified, it is assumed the program runs inside a Kubernetes cluster and local discovery is attempted. | | `--certificate-authority` | Path to a cert file for the certificate authority. This certificate is used only when the flag --apiserver-host is specified. | | `--configmap` | Name of the ConfigMap containing custom global configurations for the controller. | +| `--controller-class` | Ingress Class Controller value this Ingress satisfies. The class of an Ingress object is set using the field IngressClassName in Kubernetes clusters version v1.19.0 or higher. The .spec.controller value of the IngressClass referenced in an Ingress Object should be the same value specified here to make this object be watched. | | `--deep-inspect` | Enables ingress object security deep inspector. (default true) | | `--default-backend-service` | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form "namespace/name". The controller configures NGINX to forward requests to the first port of this Service. | | `--default-server-port` | Port to use for exposing the default server (catch-all). (default 8181) | | `--default-ssl-certificate` | Secret containing a SSL certificate to be used by the default HTTPS server (catch-all). Takes the form "namespace/name". | -| `--disable-catch-all` | Disable support for catch-all Ingresses | -| `--disable-full-test` | Disable full test of all merged ingresses at the admission stage and tests the template of the ingress being created or updated (full test of all ingresses is enabled by default) | +| `--disable-catch-all` | Disable support for catch-all Ingresses. (default false) | +| `--disable-full-test` | Disable full test of all merged ingresses at the admission stage and tests the template of the ingress being created or updated (full test of all ingresses is enabled by default). | +| `--disable-svc-external-name` | Disable support for Services of type ExternalName. (default false) | +| `--dynamic-configuration-retries` | Number of times to retry failed dynamic configuration before failing to sync an ingress. (default 15) | | `--election-id` | Election id to use for Ingress status updates. (default "ingress-controller-leader") | -| `--enable-metrics` | Enables the collection of NGINX metrics (default true) | -| `--enable-ssl-chain-completion` | Autocomplete SSL certificate chains with missing intermediate CA certificates. Certificates uploaded to Kubernetes must have the "Authority Information Access" X.509 v3 extension for this to succeed. | -| `--enable-ssl-passthrough` | Enable SSL Passthrough. | +| `--enable-metrics` | Enables the collection of NGINX metrics. (default true) | +| `--enable-ssl-chain-completion` | Autocomplete SSL certificate chains with missing intermediate CA certificates. Certificates uploaded to Kubernetes must have the "Authority Information Access" X.509 v3 extension for this to succeed. (default false)| +| `--enable-ssl-passthrough` | Enable SSL Passthrough. (default false) | | `--health-check-path` | URL path of the health check endpoint. Configured inside the NGINX status server. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. (default "/healthz") | | `--health-check-timeout` | Time limit, in seconds, for a probe to health-check-path to succeed. (default 10) | | `--healthz-port` | Port to use for the healthz endpoint. (default 10254) | @@ -29,48 +30,42 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment | `--http-port` | Port to use for servicing HTTP traffic. (default 80) | | `--https-port` | Port to use for servicing HTTPS traffic. (default 443) | | `--ingress-class` | Name of the ingress class this controller satisfies. The class of an Ingress object is set using the field IngressClassName in Kubernetes clusters version v1.18.0 or higher or the annotation "kubernetes.io/ingress.class" (deprecated). If this parameter is not set, or set to the default value of "nginx", it will handle ingresses with either an empty or "nginx" class name. | -| `--ingress-class-by-name` | Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class. (default false) | -| `--internal-logger-address` | Define the internal logger address to use when chroot images is used. (default 127.0.0.1:11514) | +| `--ingress-class-by-name` | Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class. (default false). | +| `--internal-logger-address` | Address to be used when binding internal syslogger. (default 127.0.0.1:11514) | | `--kubeconfig` | Path to a kubeconfig file containing authorization and API server information. | -| `--length-buckets` | Set of buckets which will be used for prometheus histogram metrics such as RequestLength, ResponseLength. (default `[10, 20, 30, 40, 50, 60, 70, 80, 90, 100]`) | -| `--log_backtrace_at` | when logging hits line file:N, emit a stack trace (default :0) | -| `--log_dir` | If non-empty, write log files in this directory | -| `--log_file` | If non-empty, use this log file | -| `--log_file_max_size` | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) | -| `--logtostderr` | log to standard error instead of files (default true) | +| `--length-buckets` | Set of buckets which will be used for prometheus histogram metrics such as RequestLength, ResponseLength. (default `[10, 20, 30, 40, 50, 60, 70, 80, 90, 100]`) | | `--maxmind-edition-ids` | Maxmind edition ids to download GeoLite2 Databases. (default "GeoLite2-City,GeoLite2-ASN") | | `--maxmind-retries-timeout` | Maxmind downloading delay between 1st and 2nd attempt, 0s - do not retry to download if something went wrong. (default 0s) | | `--maxmind-retries-count` | Number of attempts to download the GeoIP DB. (default 1) | -| `--maxmind-license-key` | Maxmind license key to download GeoLite2 Databases. https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases | -| `--metrics-per-host` | Export metrics per-host (default true) | +| `--maxmind-license-key` | Maxmind license key to download GeoLite2 Databases. https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases . | +| `--maxmind-mirror` | Maxmind mirror url (example: http://geoip.local/databases. | +| `--metrics-per-host` | Export metrics per-host. (default true) | +| `--monitor-max-batch-size` | Max batch size of NGINX metrics. (default 10000)| | `--post-shutdown-grace-period` | Additional delay in seconds before controller container exits. (default 10) | | `--profiler-port` | Port to use for expose the ingress controller Go profiler when it is enabled. (default 10245) | -| `--profiling` | Enable profiling via web interface host:port/debug/pprof/ (default true) | +| `--profiling` | Enable profiling via web interface host:port/debug/pprof/ . (default true) | | `--publish-service` | Service fronting the Ingress controller. Takes the form "namespace/name". When used together with update-status, the controller mirrors the address of this service's endpoints to the load-balancer status of all Ingress objects it satisfies. | | `--publish-status-address` | Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies. Requires the update-status parameter. | -| `--report-node-internal-ip-address`| Set the load-balancer status of Ingress objects to internal Node addresses instead of external. Requires the update-status parameter. | +| `--report-node-internal-ip-address`| Set the load-balancer status of Ingress objects to internal Node addresses instead of external. Requires the update-status parameter. (default false) | | `--report-status-classes` | If true, report status classes in metrics (2xx, 3xx, 4xx and 5xx) instead of full status codes. (default false) | -| `--skip_headers` | If true, avoid header prefixes in the log messages | -| `--skip_log_headers` | If true, avoid headers when opening log files | | `--ssl-passthrough-proxy-port` | Port to use internally for SSL Passthrough. (default 442) | -| `--size-buckets` | Set of buckets which will be used for prometheus histogram metrics such as BytesSent. (default `[10, 100, 1000, 10000, 100000, 1e+06, 1e+07]`) | | `--status-port` | Port to use for the lua HTTP endpoint configuration. (default 10246) | -| `--status-update-interval` | Time interval in seconds in which the status should check if an update is required. Default is 60 seconds (default 60) | -| `--stderrthreshold` | logs at or above this threshold go to stderr (default 2) | +| `--status-update-interval` | Time interval in seconds in which the status should check if an update is required. Default is 60 seconds. (default 60) | | `--stream-port` | Port to use for the lua TCP/UDP endpoint configuration. (default 10247) | | `--sync-period` | Period at which the controller forces the repopulation of its local object stores. Disabled by default. | -| `--sync-rate-limit` | Define the sync frequency upper limit (default 0.3) | +| `--sync-rate-limit` | Define the sync frequency upper limit. (default 0.3) | | `--tcp-services-configmap` | Name of the ConfigMap containing the definition of the TCP services to expose. The key in the map indicates the external port to be used. The value is a reference to a Service in the form "namespace/name:port", where "port" can either be a port number or name. TCP ports 80 and 443 are reserved by the controller for servicing HTTP traffic. | -| `--time-buckets` | Set of buckets which will be used for prometheus histogram metrics such as RequestTime, ResponseTime. (default `[0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]`) | +| `--time-buckets` | Set of buckets which will be used for prometheus histogram metrics such as RequestTime, ResponseTime. (default `[0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]`) | | `--udp-services-configmap` | Name of the ConfigMap containing the definition of the UDP services to expose. The key in the map indicates the external port to be used. The value is a reference to a Service in the form "namespace/name:port", where "port" can either be a port name or number. | | `--update-status` | Update the load-balancer status of Ingress objects this controller satisfies. Requires setting the publish-service parameter to a valid Service reference. (default true) | | `--update-status-on-shutdown` | Update the load-balancer status of Ingress objects when the controller shuts down. Requires the update-status parameter. (default true) | -| `--shutdown-grace-period` | Seconds to wait after receiving the shutdown signal, before stopping the nginx process. | +| `--shutdown-grace-period` | Seconds to wait after receiving the shutdown signal, before stopping the nginx process. (default 0) | +| `--size-buckets` | Set of buckets which will be used for prometheus histogram metrics such as BytesSent. (default `[10, 100, 1000, 10000, 100000, 1e+06, 1e+07]`) | | `-v, --v Level` | number for the log level verbosity | | `--validating-webhook` | The address to start an admission controller on to validate incoming ingresses. Takes the form ":port". If not provided, no admission controller is started. | | `--validating-webhook-certificate` | The path of the validating webhook certificate PEM. | | `--validating-webhook-key` | The path of the validating webhook key PEM. | | `--version` | Show release information about the NGINX Ingress controller and exit. | -| `--vmodule` | comma-separated list of pattern=N settings for file-filtered logging | +| `--watch-ingress-without-class` | Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified. (default false) | | `--watch-namespace` | Namespace the controller watches for updates to Kubernetes objects. This includes Ingresses, Services and all configuration resources. All namespaces are watched if this parameter is left empty. | | `--watch-namespace-selector` | The controller will watch namespaces whose labels match the given selector. This flag only takes effective when `--watch-namespace` is empty. | diff --git a/pkg/flags/flags.go b/pkg/flags/flags.go index 877000a7d..65b5fbcdc 100644 --- a/pkg/flags/flags.go +++ b/pkg/flags/flags.go @@ -74,10 +74,10 @@ The class of an Ingress object is set using the field IngressClassName in Kubern referenced in an Ingress Object should be the same value specified here to make this object be watched.`) watchWithoutClass = flags.Bool("watch-ingress-without-class", false, - `Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified`) + `Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified.`) ingressClassByName = flags.Bool("ingress-class-by-name", false, - `Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class`) + `Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class.`) configMap = flags.String("configmap", "", `Name of the ConfigMap containing custom global configurations for the controller.`) @@ -112,7 +112,7 @@ namespaces are watched if this parameter is left empty.`) `Selector selects namespaces the controller watches for updates to Kubernetes objects.`) profiling = flags.Bool("profiling", true, - `Enable profiling via web interface host:port/debug/pprof/`) + `Enable profiling via web interface host:port/debug/pprof/ .`) defSSLCertificate = flags.String("default-ssl-certificate", "", `Secret containing a SSL certificate to be used by the default HTTPS server (catch-all). @@ -147,7 +147,7 @@ Requires the update-status parameter.`) `Enable SSL Passthrough.`) disableServiceExternalName = flags.Bool("disable-svc-external-name", false, - `Disable support for Services of type ExternalName`) + `Disable support for Services of type ExternalName.`) annotationsPrefix = flags.String("annotations-prefix", parser.DefaultAnnotationsPrefix, `Prefix of the Ingress annotations specific to the NGINX controller.`) @@ -165,16 +165,16 @@ extension for this to succeed.`) Requires the update-status parameter.`) enableMetrics = flags.Bool("enable-metrics", true, - `Enables the collection of NGINX metrics`) + `Enables the collection of NGINX metrics.`) metricsPerHost = flags.Bool("metrics-per-host", true, - `Export metrics per-host`) + `Export metrics per-host.`) reportStatusClasses = flags.Bool("report-status-classes", false, - `Use status classes (2xx, 3xx, 4xx and 5xx) instead of status codes in metrics`) + `Use status classes (2xx, 3xx, 4xx and 5xx) instead of status codes in metrics.`) - timeBuckets = flags.Float64Slice("time-buckets", prometheus.DefBuckets, "Set of buckets which will be used for prometheus histogram metrics such as RequestTime, ResponseTime") - lengthBuckets = flags.Float64Slice("length-buckets", prometheus.LinearBuckets(10, 10, 10), "Set of buckets which will be used for prometheus histogram metrics such as RequestLength, ResponseLength") - sizeBuckets = flags.Float64Slice("size-buckets", prometheus.ExponentialBuckets(10, 10, 7), "Set of buckets which will be used for prometheus histogram metrics such as BytesSent") - monitorMaxBatchSize = flags.Int("monitor-max-batch-size", 10000, "Max batch size of NGINX metrics") + timeBuckets = flags.Float64Slice("time-buckets", prometheus.DefBuckets, "Set of buckets which will be used for prometheus histogram metrics such as RequestTime, ResponseTime.") + lengthBuckets = flags.Float64Slice("length-buckets", prometheus.LinearBuckets(10, 10, 10), "Set of buckets which will be used for prometheus histogram metrics such as RequestLength, ResponseLength.") + sizeBuckets = flags.Float64Slice("size-buckets", prometheus.ExponentialBuckets(10, 10, 7), "Set of buckets which will be used for prometheus histogram metrics such as BytesSent.") + monitorMaxBatchSize = flags.Int("monitor-max-batch-size", 10000, "Max batch size of NGINX metrics.") httpPort = flags.Int("http-port", 80, `Port to use for servicing HTTP traffic.`) httpsPort = flags.Int("https-port", 443, `Port to use for servicing HTTPS traffic.`) @@ -185,7 +185,7 @@ Requires the update-status parameter.`) healthzHost = flags.String("healthz-host", "", "Address to bind the healthz endpoint.") disableCatchAll = flags.Bool("disable-catch-all", false, - `Disable support for catch-all Ingresses`) + `Disable support for catch-all Ingresses.`) validationWebhook = flags.String("validating-webhook", "", `The address to start an admission controller on to validate incoming ingresses. @@ -195,12 +195,12 @@ Takes the form ":port". If not provided, no admission controller is starte validationWebhookKey = flags.String("validating-webhook-key", "", `The path of the validating webhook key PEM.`) disableFullValidationTest = flags.Bool("disable-full-test", false, - `Disable full test of all merged ingresses at the admission stage and tests the template of the ingress being created or updated (full test of all ingresses is enabled by default)`) + `Disable full test of all merged ingresses at the admission stage and tests the template of the ingress being created or updated (full test of all ingresses is enabled by default).`) statusPort = flags.Int("status-port", 10246, `Port to use for the lua HTTP endpoint configuration.`) streamPort = flags.Int("stream-port", 10247, "Port to use for the lua TCP/UDP endpoint configuration.") - internalLoggerAddress = flags.String("internal-logger-address", "127.0.0.1:11514", "Address to be used when binding internal syslogger") + internalLoggerAddress = flags.String("internal-logger-address", "127.0.0.1:11514", "Address to be used when binding internal syslogger.") profilerPort = flags.Int("profiler-port", 10245, "Port to use for expose the ingress controller Go profiler when it is enabled.") profilerAddress = flags.IP("profiler-address", net.ParseIP("127.0.0.1"), "IP address used by the ingress controller to expose the Go Profiler when it is enabled.") @@ -216,9 +216,9 @@ Takes the form ":port". If not provided, no admission controller is starte dynamicConfigurationRetries = flags.Int("dynamic-configuration-retries", 15, "Number of times to retry failed dynamic configuration before failing to sync an ingress.") ) - flags.StringVar(&nginx.MaxmindMirror, "maxmind-mirror", "", `Maxmind mirror url (example: http://geoip.local/databases`) + flags.StringVar(&nginx.MaxmindMirror, "maxmind-mirror", "", `Maxmind mirror url (example: http://geoip.local/databases.`) flags.StringVar(&nginx.MaxmindLicenseKey, "maxmind-license-key", "", `Maxmind license key to download GeoLite2 Databases. -https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases`) +https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases .`) flags.StringVar(&nginx.MaxmindEditionIDs, "maxmind-edition-ids", "GeoLite2-City,GeoLite2-ASN", `Maxmind edition ids to download GeoLite2 Databases.`) flags.IntVar(&nginx.MaxmindRetriesCount, "maxmind-retries-count", 1, "Number of attempts to download the GeoIP DB.") flags.DurationVar(&nginx.MaxmindRetriesTimeout, "maxmind-retries-timeout", time.Second*0, "Maxmind downloading delay between 1st and 2nd attempt, 0s - do not retry to download if something went wrong.") From e0733c7fd0520ec8d7f351ca49b09199d35d35df Mon Sep 17 00:00:00 2001 From: James Strong Date: Mon, 26 Dec 2022 17:17:27 -0500 Subject: [PATCH 091/405] restart 1.5.2 release process (#9450) --- TAG | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TAG b/TAG index 53b5bbb12..a503124bd 100644 --- a/TAG +++ b/TAG @@ -1 +1 @@ -v1.5.1 +v1.5.2 From a8f4f2987103092fb12feb865861368d92da2d35 Mon Sep 17 00:00:00 2001 From: Saumya <76432998+SaumyaBhushan@users.noreply.github.com> Date: Wed, 28 Dec 2022 23:43:29 +0530 Subject: [PATCH 092/405] updated the link in RELEASE.md file (#9456) --- RELEASE.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASE.md b/RELEASE.md index 589b9ee7f..ca0faa4e1 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -89,7 +89,7 @@ Promoting the images basically means that images, that were pushed to staging co - The sha is also visible here https://console.cloud.google.com/gcr/images/k8s-staging-ingress-nginx/global/controller - - The sha is also visible [here]((https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*)), after cloud build is finished. Click on the respective job, go to `Artifacts` section in the UI, then again `artifacts` in the directory browser. In the `build.log` at the very bottom you see something like this: + - The sha is also visible [here](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), after cloud build is finished. Click on the respective job, go to `Artifacts` section in the UI, then again `artifacts` in the directory browser. In the `build.log` at the very bottom you see something like this: ``` ... @@ -113,7 +113,7 @@ Promoting the images basically means that images, that were pushed to staging co - For making it easier, you can edit your branch directly in the browser. But be careful about making any mistake. -- Insert the sha(s) & the tag(s), in a new line, in this file [Project kubernetes/k8s.io Ingress-Nginx-Controller Images](https://github.com/kubernetes/k8s.io/blob/main/registry.k8s.io/images/k8s-staging-ingress-nginx/images.yaml) Look at this [example PR and the diff](https://github.com/kubernetes/k8s.io/pull/2536) to see how it was done before +- Insert the sha(s) & the tag(s), in a new line, in this file [Project kubernetes/k8s.io Ingress-Nginx-Controller Images](https://github.com/kubernetes/k8s.io/blob/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml) Look at this [example PR and the diff](https://github.com/kubernetes/k8s.io/pull/2536) to see how it was done before - Save and commit From fe2bf5cbdf614fe40348c7b2484ead52a7216f5a Mon Sep 17 00:00:00 2001 From: Ricardo Katz Date: Wed, 28 Dec 2022 17:59:27 -0300 Subject: [PATCH 093/405] Add sslpassthrough tests (#9457) --- build/build.sh | 8 +- build/run-in-docker.sh | 16 +-- pkg/tcpproxy/tcp.go | 8 +- test/e2e/framework/deployment.go | 33 +++-- test/e2e/framework/httpexpect/request.go | 29 ++++ test/e2e/settings/ssl_passthrough.go | 165 +++++++++++++++++++++++ 6 files changed, 231 insertions(+), 28 deletions(-) create mode 100644 test/e2e/settings/ssl_passthrough.go diff --git a/build/build.sh b/build/build.sh index f2f1ec2eb..1ae505d91 100755 --- a/build/build.sh +++ b/build/build.sh @@ -16,10 +16,10 @@ GO_BUILD_CMD="go build" -if [ -n "$DEBUG" ]; then - set -x - GO_BUILD_CMD="go build -v" -fi +#if [ -n "$DEBUG" ]; then +# set -x +# GO_BUILD_CMD="go build -v" +#fi set -o errexit set -o nounset diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh index 511c5475f..d41464e2e 100755 --- a/build/run-in-docker.sh +++ b/build/run-in-docker.sh @@ -65,23 +65,21 @@ fi USER=${USER:-nobody} -echo "..printing env & other vars to stdout" -echo "HOSTNAME=`hostname`" -uname -a -env -echo "DIND_ENABLED=$DOCKER_IN_DOCKER_ENABLED" -echo "done..printing env & other vars to stdout" +#echo "..printing env & other vars to stdout" +#echo "HOSTNAME=`hostname`" +#uname -a +#env +#echo "DIND_ENABLED=$DOCKER_IN_DOCKER_ENABLED" +#echo "done..printing env & other vars to stdout" if [[ "$DOCKER_IN_DOCKER_ENABLED" == "true" ]]; then echo "..reached DIND check TRUE block, inside run-in-docker.sh" echo "FLAGS=$FLAGS" - go env - set -x + #go env go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.6.1 find / -type f -name ginkgo 2>/dev/null which ginkgo /bin/bash -c "${FLAGS}" - set +x else echo "Reached DIND check ELSE block, inside run-in-docker.sh" docker run \ diff --git a/pkg/tcpproxy/tcp.go b/pkg/tcpproxy/tcp.go index 7bbff80b4..4c34e1f7b 100644 --- a/pkg/tcpproxy/tcp.go +++ b/pkg/tcpproxy/tcp.go @@ -80,6 +80,7 @@ func (p *TCPProxy) Handle(conn net.Conn) { } hostPort := net.JoinHostPort(proxy.IP, fmt.Sprintf("%v", proxy.Port)) + klog.V(4).InfoS("passing to", "hostport", hostPort) clientConn, err := net.Dial("tcp", hostPort) if err != nil { klog.V(4).ErrorS(err, "error dialing proxy", "ip", proxy.IP, "port", proxy.Port, "hostname", proxy.Hostname) @@ -99,7 +100,7 @@ func (p *TCPProxy) Handle(conn net.Conn) { } proxyProtocolHeader := fmt.Sprintf("PROXY %s %s %s %d %d\r\n", protocol, remoteAddr.IP.String(), localAddr.IP.String(), remoteAddr.Port, localAddr.Port) klog.V(4).InfoS("Writing Proxy Protocol", "header", proxyProtocolHeader) - _, err = fmt.Fprintf(clientConn, proxyProtocolHeader) + _, err = fmt.Fprint(clientConn, proxyProtocolHeader) } if err != nil { klog.ErrorS(err, "Error writing Proxy Protocol header") @@ -126,8 +127,5 @@ func pipe(client, server net.Conn) { go doCopy(server, client, cancel) go doCopy(client, server, cancel) - select { - case <-cancel: - return - } + <-cancel } diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go index cb6ef9acc..3cfe8f360 100644 --- a/test/e2e/framework/deployment.go +++ b/test/e2e/framework/deployment.go @@ -85,9 +85,10 @@ func (f *Framework) NewEchoDeployment(opts ...func(*deploymentOptions)) { } deployment := newDeployment(options.name, options.namespace, "registry.k8s.io/ingress-nginx/e2e-test-echo@sha256:778ac6d1188c8de8ecabeddd3c37b72c8adc8c712bad2bd7a81fb23a3514934c", 80, int32(options.replicas), - nil, + nil, nil, nil, []corev1.VolumeMount{}, []corev1.Volume{}, + true, ) f.EnsureDeployment(deployment) @@ -183,7 +184,7 @@ func (f *Framework) NGINXDeployment(name string, cfg string, waitendpoint bool) assert.Nil(ginkgo.GinkgoT(), err, "creating configmap") deployment := newDeployment(name, f.Namespace, f.GetNginxBaseImage(), 80, 1, - nil, + nil, nil, nil, []corev1.VolumeMount{ { Name: name, @@ -203,7 +204,7 @@ func (f *Framework) NGINXDeployment(name string, cfg string, waitendpoint bool) }, }, }, - }, + }, true, ) f.EnsureDeployment(deployment) @@ -334,8 +335,8 @@ func (f *Framework) NewGRPCBinDeployment() { assert.Nil(ginkgo.GinkgoT(), err, "waiting for endpoints to become ready") } -func newDeployment(name, namespace, image string, port int32, replicas int32, command []string, - volumeMounts []corev1.VolumeMount, volumes []corev1.Volume) *appsv1.Deployment { +func newDeployment(name, namespace, image string, port int32, replicas int32, command []string, args []string, env []corev1.EnvVar, + volumeMounts []corev1.VolumeMount, volumes []corev1.Volume, setProbe bool) *appsv1.Deployment { probe := &corev1.Probe{ InitialDelaySeconds: 2, PeriodSeconds: 1, @@ -381,9 +382,7 @@ func newDeployment(name, namespace, image string, port int32, replicas int32, co ContainerPort: port, }, }, - ReadinessProbe: probe, - LivenessProbe: probe, - VolumeMounts: volumeMounts, + VolumeMounts: volumeMounts, }, }, Volumes: volumes, @@ -392,10 +391,20 @@ func newDeployment(name, namespace, image string, port int32, replicas int32, co }, } + if setProbe { + d.Spec.Template.Spec.Containers[0].ReadinessProbe = probe + d.Spec.Template.Spec.Containers[0].LivenessProbe = probe + } if len(command) > 0 { d.Spec.Template.Spec.Containers[0].Command = command } + if len(args) > 0 { + d.Spec.Template.Spec.Containers[0].Args = args + } + if len(env) > 0 { + d.Spec.Template.Spec.Containers[0].Env = env + } return d } @@ -404,9 +413,13 @@ func (f *Framework) NewHttpbinDeployment() { f.NewDeployment(HTTPBinService, "registry.k8s.io/ingress-nginx/e2e-test-httpbin@sha256:c6372ef57a775b95f18e19d4c735a9819f2e7bb4641e5e3f27287d831dfeb7e8", 80, 1) } -// NewDeployment creates a new deployment in a particular namespace. func (f *Framework) NewDeployment(name, image string, port int32, replicas int32) { - deployment := newDeployment(name, f.Namespace, image, port, replicas, nil, nil, nil) + f.NewDeploymentWithOpts(name, image, port, replicas, nil, nil, nil, nil, nil, true) +} + +// NewDeployment creates a new deployment in a particular namespace. +func (f *Framework) NewDeploymentWithOpts(name, image string, port int32, replicas int32, command []string, args []string, env []corev1.EnvVar, volumeMounts []corev1.VolumeMount, volumes []corev1.Volume, setProbe bool) { + deployment := newDeployment(name, f.Namespace, image, port, replicas, command, args, env, volumeMounts, volumes, setProbe) f.EnsureDeployment(deployment) diff --git a/test/e2e/framework/httpexpect/request.go b/test/e2e/framework/httpexpect/request.go index 335e3931e..d8edb42ce 100644 --- a/test/e2e/framework/httpexpect/request.go +++ b/test/e2e/framework/httpexpect/request.go @@ -17,8 +17,10 @@ limitations under the License. package httpexpect import ( + "context" "fmt" "io" + "net" "net/http" "net/url" "path" @@ -71,6 +73,33 @@ func (h *HTTPRequest) DoRequest(method, rpath string) *HTTPRequest { return h } +// ForceResolve forces the test resolver to point to a specific endpoint +func (h *HTTPRequest) ForceResolve(ip string, port uint16) *HTTPRequest { + addr := net.ParseIP(ip) + if addr == nil { + h.chain.fail(fmt.Sprintf("invalid ip address: %s", ip)) + return h + } + dialer := &net.Dialer{ + Timeout: h.client.Timeout, + KeepAlive: h.client.Timeout, + DualStack: true, + } + resolveAddr := fmt.Sprintf("%s:%d", ip, int(port)) + + oldTransport, ok := h.client.Transport.(*http.Transport) + if !ok { + h.chain.fail("invalid old transport address") + return h + } + newTransport := oldTransport.Clone() + newTransport.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) { + return dialer.DialContext(ctx, network, resolveAddr) + } + h.client.Transport = newTransport + return h +} + // Expect executes the request and returns an HTTP response. func (h *HTTPRequest) Expect() *HTTPResponse { if h.query != nil { diff --git a/test/e2e/settings/ssl_passthrough.go b/test/e2e/settings/ssl_passthrough.go new file mode 100644 index 000000000..77a3c990e --- /dev/null +++ b/test/e2e/settings/ssl_passthrough.go @@ -0,0 +1,165 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package settings + +import ( + "context" + "crypto/tls" + "fmt" + "net/http" + "strings" + + "github.com/onsi/ginkgo/v2" + "github.com/stretchr/testify/assert" + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + "k8s.io/ingress-nginx/test/e2e/framework" +) + +var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { + f := framework.NewDefaultFramework("ssl-passthrough") + + ginkgo.BeforeEach(func() { + err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error { + args := deployment.Spec.Template.Spec.Containers[0].Args + args = append(args, "--enable-ssl-passthrough") + deployment.Spec.Template.Spec.Containers[0].Args = args + _, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{}) + return err + }) + assert.Nil(ginkgo.GinkgoT(), err, "updating ingress controller deployment flags") + + f.WaitForNginxServer("_", + func(server string) bool { + return strings.Contains(server, "listen 442") + }) + }) + + ginkgo.Describe("With enable-ssl-passthrough enabled", func() { + ginkgo.It("should enable ssl-passthrough-proxy-port on a different port", func() { + + err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error { + args := deployment.Spec.Template.Spec.Containers[0].Args + args = append(args, "--ssl-passthrough-proxy-port=1442") + deployment.Spec.Template.Spec.Containers[0].Args = args + _, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{}) + return err + }) + assert.Nil(ginkgo.GinkgoT(), err, "updating ingress controller deployment flags") + + f.WaitForNginxServer("_", + func(server string) bool { + return strings.Contains(server, "listen 1442") + }) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", "something"). + Expect(). + Status(http.StatusNotFound) + }) + + ginkgo.It("should pass unknown traffic to default backend and handle known traffic", func() { + + host := "testpassthrough.com" + echoName := "echopass" + + /* Even with enable-ssl-passthrough enabled, only annotated ingresses may receive the trafic */ + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/ssl-passthrough": "true", + } + + ingressDef := framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, echoName, 80, annotations) + tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet, + ingressDef.Spec.TLS[0].Hosts, + ingressDef.Spec.TLS[0].SecretName, + ingressDef.Namespace) + + volumeMount := []corev1.VolumeMount{ + { + Name: "certs", + ReadOnly: true, + MountPath: "/certs", + }, + } + volume := []corev1.Volume{ + { + Name: "certs", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: ingressDef.Spec.TLS[0].SecretName, + }, + }, + }, + } + envs := []corev1.EnvVar{ + { + Name: "HTTPBUN_SSL_CERT", + Value: "/certs/tls.crt", + }, + { + Name: "HTTPBUN_SSL_KEY", + Value: "/certs/tls.key", + }, + } + f.NewDeploymentWithOpts("echopass", "ghcr.io/sharat87/httpbun:latest", 80, 1, nil, nil, envs, volumeMount, volume, false) + + f.EnsureIngress(ingressDef) + + assert.Nil(ginkgo.GinkgoT(), err) + framework.WaitForTLS(f.GetURL(framework.HTTPS), tlsConfig) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, "listen 442") + }) + + /* This one should not receive traffic as it does not contain passthrough annotation */ + hostBad := "noannotationnopassthrough.com" + ingBad := f.EnsureIngress(framework.NewSingleIngressWithTLS(hostBad, "/", hostBad, []string{hostBad}, f.Namespace, echoName, 80, nil)) + tlsConfigBad, err := framework.CreateIngressTLSSecret(f.KubeClientSet, + ingBad.Spec.TLS[0].Hosts, + ingBad.Spec.TLS[0].SecretName, + ingBad.Namespace) + assert.Nil(ginkgo.GinkgoT(), err) + framework.WaitForTLS(f.GetURL(framework.HTTPS), tlsConfigBad) + + f.WaitForNginxServer(hostBad, + func(server string) bool { + return strings.Contains(server, "listen 442") + }) + + f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). + GET("/"). + WithURL(fmt.Sprintf("https://%s:443", host)). + ForceResolve(f.GetNginxIP(), 443). + Expect(). + Status(http.StatusOK) + + f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: hostBad, InsecureSkipVerify: true}). + GET("/"). + WithURL(fmt.Sprintf("https://%s:443", hostBad)). + ForceResolve(f.GetNginxIP(), 443). + Expect(). + Status(http.StatusNotFound) + + }) + }) +}) From 2db8552a870c673f72b6d537006d4387195d398b Mon Sep 17 00:00:00 2001 From: James Strong Date: Thu, 29 Dec 2022 16:35:32 -0500 Subject: [PATCH 094/405] Automated Release Controller 1.5.2 (#9455) Signed-off-by: James Strong Signed-off-by: James Strong --- Changelog.md | 2 + README.md | 1 + changelog/Changelog-1.5.2.md | 79 + charts/ingress-nginx/Chart.yaml | 47 +- charts/ingress-nginx/README.md | 8 +- charts/ingress-nginx/changelog.md.gotmpl | 9 + .../changelog/Changelog-1.5.2.md | 12 + charts/ingress-nginx/values.yaml | 1593 ++++++++--------- deploy/static/provider/aws/deploy.yaml | 57 +- .../aws/nlb-with-tls-termination/deploy.yaml | 57 +- deploy/static/provider/baremetal/deploy.yaml | 57 +- deploy/static/provider/cloud/deploy.yaml | 57 +- deploy/static/provider/do/deploy.yaml | 57 +- deploy/static/provider/exoscale/deploy.yaml | 57 +- deploy/static/provider/kind/deploy.yaml | 57 +- deploy/static/provider/scw/deploy.yaml | 57 +- docs/deploy/index.md | 20 +- docs/e2e-tests.md | 974 +++++++--- hack/generate-e2e-suite-doc.sh | 6 +- 19 files changed, 1822 insertions(+), 1385 deletions(-) create mode 100644 changelog/Changelog-1.5.2.md create mode 100644 charts/ingress-nginx/changelog.md.gotmpl create mode 100644 charts/ingress-nginx/changelog/Changelog-1.5.2.md diff --git a/Changelog.md b/Changelog.md index a7b62be50..400c187f7 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,7 @@ # Changelog +All New change are in [Changelog](./changelog) + ### 1.5.1 * Upgrade NGINX to 1.21.6 diff --git a/README.md b/README.md index f8c020b68..73baa8fd2 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,7 @@ the versions listed. Ingress-Nginx versions may work on older versions but the p | Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version | |-----------------------|------------------------------|----------------|---------------| +| v1.5.2 | 1.26, 1.25, 1.24, 1.23 | 3.17.2 | 1.21.6 | | v1.5.1 | 1.25, 1.24, 1.23 | 3.16.2 | 1.21.6 | | v1.4.0 | 1.25, 1.24, 1.23, 1.22 | 3.16.2 | 1.19.10† | | v1.3.1 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.2 | 1.19.10† | diff --git a/changelog/Changelog-1.5.2.md b/changelog/Changelog-1.5.2.md new file mode 100644 index 000000000..8b6779e47 --- /dev/null +++ b/changelog/Changelog-1.5.2.md @@ -0,0 +1,79 @@ +# Changelog + +### 1.5.2 +Images: + + * registry.k8s.io/controller:controller-v1.5.2@sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 + * registry.k8s.io/controller-chroot:controller-v1.5.2@sha256:84613555694f2c59a8b2551126d226c9aa648544ebf0cde1e0df942f7dbce42b + +### All Changes: + +* restart 1.5.2 release process (#9450) +* Update command line arguments documentation (#9224) +* start release 1.5.2 (#9445) +* upgrade nginx base image (#9436) +* test the new e2e test images (#9444) +* avoid builds and tests for non-code changes (#9392) +* CI updates (#9440) +* HPA: Add `controller.autoscaling.annotations` to `values.yaml`. (#9253) +* update the nginx run container for alpine:3.17.0 (#9430) +* cleanup: remove ioutil for new go version (#9427) +* start upgrade to golang 1.19.4 and alpine 3.17.0 (#9417) +* ci: remove setup-helm step (#9404) +* ci: remove setup-kind step (#9401) +* Add reporter for all tests (#9395) +* added action for issues to project (#9386) +* doc: update NEW_CONTRIBUTOR.md (#9381) +* feat(helm): Optionally use cert-manager instead admission patch (#9279) +* integrated junit-reports with ghactions (#9361) +* [user-guide configmap] fix doc for global-auth-snippet (#9372) +* update OpenTelemetry image (#9308) +* fix: missing CORS headers when auth fails (#9251) +* Fix styling in canary annotation docs. (#9259) +* resolved ginkgo deprecation message (#9365) +* Enable profiler-address to be configured (#9311) +* ModSecurity dependencies update to avoid Memory Leaks (#9330) +* fix(hpa): deprecated api version, bump to v2 (#9348) +* fix(typo): pluralize provider (#9346) +* removed deprecation messsage for ingressClass annotation (#9357) +* added ginkgo junit reports (#9350) +* Fix typos found by codespell (#9353) +* bumped ginkgo to v2.5.1 in testrunner (#9340) +* create nsswitch-conf if missing (#9339) +* remove the configmap related permissions (#9310) +* remove hardcoded datasource from grafana dashboard (#9284) +* update gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b to 3.0.0 (#9277) +* Validate ingress path fields (#9309) +* added SAN to cert create command (#9295) +* Missing controller.ingressClass (#9304) +* OpenTelemetry static linking (#9286) +* Fixed indentation in commented-out autoscaling (#9225) +* run helm release on main only and when the chart/value changes only (#9290) +* fix broken annotation yaml (#9243) +* PDB: Add `maxUnavailable`. (#9278) +* add containerSecurityContext to extraModules init containers (kubernetes#9016) (#9242) + +### Dependencies updates: +* Bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#9397) +* Bump github.com/onsi/ginkgo/v2 from 2.6.0 to 2.6.1 (#9432) +* Bump github.com/onsi/ginkgo/v2 from 2.6.0 to 2.6.1 (#9421) +* Bump github/codeql-action from 2.1.36 to 2.1.37 (#9423) +* Bump actions/checkout from 3.1.0 to 3.2.0 (#9425) +* Bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (#9426) +* Bump actions/dependency-review-action from 3.0.1 to 3.0.2 (#9424) +* Bump ossf/scorecard-action from 2.0.6 to 2.1.0 (#9422) +* Bump github.com/prometheus/common from 0.37.0 to 0.39.0 (#9416) +* Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.6.0 (#9408) +* Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.6.0 (#9398) +* Bump github/codeql-action from 2.1.35 to 2.1.36 (#9400) +* Bump actions/setup-go from 3.3.1 to 3.4.0 (#9370) +* Bump github/codeql-action from 2.1.31 to 2.1.35 (#9369) +* Bump google.golang.org/grpc from 1.50.1 to 1.51.0 (#9316) +* Bump github.com/prometheus/client_golang from 1.13.1 to 1.14.0 (#9298) +* Bump actions/dependency-review-action from 3.0.0 to 3.0.1 (#9319) +* Bump golang.org/x/crypto from 0.1.0 to 0.3.0 (#9318) +* Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.1 (#9317) +* Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (#9301) +* Bump k8s.io/component-base from 0.25.3 to 0.25.4 (#9300) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.5.1...controller-controller-v1.5.2 diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index 461601f59..11ab03634 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml @@ -1,31 +1,26 @@ +annotations: + artifacthub.io/changes: | + - "ci: remove setup-helm step (#9404)" + - "feat(helm): Optionally use cert-manager instead admission patch (#9279)" + - "run helm release on main only and when the chart/value changes only (#9290)" + - "Update Ingress-Nginx version controller-v1.5.2" + artifacthub.io/prerelease: "false" apiVersion: v2 -name: ingress-nginx -# When the version is modified, make sure the artifacthub.io/changes list is updated -# Also update CHANGELOG.md -version: 4.4.0 -appVersion: 1.5.1 +appVersion: 1.5.2 +description: Ingress controller for Kubernetes using NGINX as a reverse proxy and + load balancer +engine: gotpl home: https://github.com/kubernetes/ingress-nginx -description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png keywords: - - ingress - - nginx -sources: - - https://github.com/kubernetes/ingress-nginx +- ingress +- nginx +kubeVersion: '>=1.20.0-0' maintainers: - - name: rikatz - - name: strongjz - - name: tao12345666333 -engine: gotpl -kubeVersion: ">=1.20.0-0" -annotations: - # Use this annotation to indicate that this chart version is a pre-release. - # https://artifacthub.io/docs/topics/annotations/helm/ - artifacthub.io/prerelease: "false" - # List of changes for the release in artifacthub.io - # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog - artifacthub.io/changes: | - - Adding support for disabling liveness and readiness probes to the Helm chart - - add:(admission-webhooks) ability to set securityContext - - Updated Helm chart to use the fullname for the electionID if not specified - - Rename controller-wehbooks-networkpolicy.yaml +- name: rikatz +- name: strongjz +- name: tao12345666333 +name: ingress-nginx +sources: +- https://github.com/kubernetes/ingress-nginx +version: 4.4.1 diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index af71493fe..4daff76c6 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.4.0](https://img.shields.io/badge/Version-4.4.0-informational?style=flat-square) ![AppVersion: 1.5.1](https://img.shields.io/badge/AppVersion-1.5.1-informational?style=flat-square) +![Version: 4.4.1](https://img.shields.io/badge/Version-4.4.1-informational?style=flat-square) ![AppVersion: 1.5.2](https://img.shields.io/badge/AppVersion-1.5.2-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. @@ -332,13 +332,13 @@ Kubernetes: `>=1.20.0-0` | controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.image.allowPrivilegeEscalation | bool | `true` | | | controller.image.chroot | bool | `false` | | -| controller.image.digest | string | `"sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629"` | | -| controller.image.digestChroot | string | `"sha256:c1c091b88a6c936a83bd7b098662760a87868d12452529bad0d178fb36147345"` | | +| controller.image.digest | string | `"sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655"` | | +| controller.image.digestChroot | string | `"sha256:84613555694f2c59a8b2551126d226c9aa648544ebf0cde1e0df942f7dbce42b"` | | | controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.registry | string | `"registry.k8s.io"` | | | controller.image.runAsUser | int | `101` | | -| controller.image.tag | string | `"v1.5.1"` | | +| controller.image.tag | string | `"v1.5.2"` | | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass | diff --git a/charts/ingress-nginx/changelog.md.gotmpl b/charts/ingress-nginx/changelog.md.gotmpl new file mode 100644 index 000000000..de9885670 --- /dev/null +++ b/charts/ingress-nginx/changelog.md.gotmpl @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### {{ .NewHelmChartVersion }} +{{ with .HelmUpdates }} +{{ range . }}* {{ . }} +{{ end }}{{ end }} +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-{{ .PreviousHelmChartVersion }}...helm-chart-{{ .NewHelmChartVersion }} diff --git a/charts/ingress-nginx/changelog/Changelog-1.5.2.md b/charts/ingress-nginx/changelog/Changelog-1.5.2.md new file mode 100644 index 000000000..5e0563858 --- /dev/null +++ b/charts/ingress-nginx/changelog/Changelog-1.5.2.md @@ -0,0 +1,12 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.4.1 + +* ci: remove setup-helm step (#9404) +* feat(helm): Optionally use cert-manager instead admission patch (#9279) +* run helm release on main only and when the chart/value changes only (#9290) +* Update Ingress-Nginx version controller-v1.5.2 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.4.1...helm-chart-4.4.1 diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index b7089addb..e5f8922a0 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -14,222 +14,190 @@ commonLabels: {} # myLabel: aakkmd controller: - name: controller - image: - ## Keep false as default for now! - chroot: false - registry: registry.k8s.io - image: ingress-nginx/controller - ## for backwards compatibility consider setting the full image url via the repository value below - ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail - ## repository: - tag: "v1.5.1" - digest: sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 - digestChroot: sha256:c1c091b88a6c936a83bd7b098662760a87868d12452529bad0d178fb36147345 - pullPolicy: IfNotPresent - # www-data -> uid 101 - runAsUser: 101 - allowPrivilegeEscalation: true + name: controller + image: + ## Keep false as default for now! + chroot: false + registry: registry.k8s.io + image: ingress-nginx/controller + ## for backwards compatibility consider setting the full image url via the repository value below + ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + ## repository: + tag: "v1.5.2" + digest: sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 + digestChroot: sha256:84613555694f2c59a8b2551126d226c9aa648544ebf0cde1e0df942f7dbce42b + pullPolicy: IfNotPresent + # www-data -> uid 101 + runAsUser: 101 + allowPrivilegeEscalation: true + # -- Use an existing PSP instead of creating one + existingPsp: "" + # -- Configures the controller container name + containerName: controller + # -- Configures the ports that the nginx-controller listens on + containerPort: + http: 80 + https: 443 + # -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ + config: {} + # -- Annotations to be added to the controller config configuration configmap. + configAnnotations: {} + # -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers + proxySetHeaders: {} + # -- Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers + addHeaders: {} + # -- Optionally customize the pod dnsConfig. + dnsConfig: {} + # -- Optionally customize the pod hostname. + hostname: {} + # -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. + # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller + # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. + dnsPolicy: ClusterFirst + # -- Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network + # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply + reportNodeInternalIp: false + # -- Process Ingress objects without ingressClass annotation/ingressClassName field + # Overrides value for --watch-ingress-without-class flag of the controller binary + # Defaults to false + watchIngressWithoutClass: false + # -- Process IngressClass per name (additionally as per spec.controller). + ingressClassByName: false + # -- This configuration defines if Ingress Controller should allow users to set + # their own *-snippet annotations, otherwise this is forbidden / dropped + # when users add those annotations. + # Global snippets in ConfigMap are still respected + allowSnippetAnnotations: true + # -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), + # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 + # is merged + hostNetwork: false + ## Use host ports 80 and 443 + ## Disabled by default + hostPort: + # -- Enable 'hostPort' or not + enabled: false + ports: + # -- 'hostPort' http port + http: 80 + # -- 'hostPort' https port + https: 443 + # -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' + electionID: "" + ## This section refers to the creation of the IngressClass resource + ## IngressClass resources are supported since k8s >= 1.18 and required since k8s >= 1.19 + ingressClassResource: + # -- Name of the ingressClass + name: nginx + # -- Is this ingressClass enabled or not + enabled: true + # -- Is this the default ingressClass for the cluster + default: false + # -- Controller-value of the controller that is processing this ingressClass + controllerValue: "k8s.io/ingress-nginx" + # -- Parameters is a link to a custom resource containing additional + # configuration for the controller. This is optional if the controller + # does not require extra parameters. + parameters: {} + # -- For backwards compatibility with ingress.class annotation, use ingressClass. + # Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation + ingressClass: nginx + # -- Labels to add to the pod container metadata + podLabels: {} + # key: value - # -- Use an existing PSP instead of creating one - existingPsp: "" + # -- Security Context policies for controller pods + podSecurityContext: {} + # -- See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls + sysctls: {} + # sysctls: + # "net.core.somaxconn": "8192" - # -- Configures the controller container name - containerName: controller - - # -- Configures the ports that the nginx-controller listens on - containerPort: - http: 80 - https: 443 - - # -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ - config: {} - - # -- Annotations to be added to the controller config configuration configmap. - configAnnotations: {} - - # -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers - proxySetHeaders: {} - - # -- Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers - addHeaders: {} - - # -- Optionally customize the pod dnsConfig. - dnsConfig: {} - - # -- Optionally customize the pod hostname. - hostname: {} - - # -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. - # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller - # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. - dnsPolicy: ClusterFirst - - # -- Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network - # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply - reportNodeInternalIp: false - - # -- Process Ingress objects without ingressClass annotation/ingressClassName field - # Overrides value for --watch-ingress-without-class flag of the controller binary - # Defaults to false - watchIngressWithoutClass: false - - # -- Process IngressClass per name (additionally as per spec.controller). - ingressClassByName: false - - # -- This configuration defines if Ingress Controller should allow users to set - # their own *-snippet annotations, otherwise this is forbidden / dropped - # when users add those annotations. - # Global snippets in ConfigMap are still respected - allowSnippetAnnotations: true - - # -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), - # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 - # is merged - hostNetwork: false - - ## Use host ports 80 and 443 - ## Disabled by default - hostPort: - # -- Enable 'hostPort' or not - enabled: false - ports: - # -- 'hostPort' http port - http: 80 - # -- 'hostPort' https port - https: 443 - - # -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' - electionID: "" - - ## This section refers to the creation of the IngressClass resource - ## IngressClass resources are supported since k8s >= 1.18 and required since k8s >= 1.19 - ingressClassResource: - # -- Name of the ingressClass - name: nginx - # -- Is this ingressClass enabled or not - enabled: true - # -- Is this the default ingressClass for the cluster - default: false - # -- Controller-value of the controller that is processing this ingressClass - controllerValue: "k8s.io/ingress-nginx" - - # -- Parameters is a link to a custom resource containing additional - # configuration for the controller. This is optional if the controller - # does not require extra parameters. - parameters: {} - - # -- For backwards compatibility with ingress.class annotation, use ingressClass. - # Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation - ingressClass: nginx - - # -- Labels to add to the pod container metadata - podLabels: {} - # key: value - - # -- Security Context policies for controller pods - podSecurityContext: {} - - # -- See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls - sysctls: {} - # sysctls: - # "net.core.somaxconn": "8192" - - # -- Allows customization of the source of the IP address or FQDN to report - # in the ingress status field. By default, it reads the information provided - # by the service. If disable, the status field reports the IP address of the - # node or nodes where an ingress controller pod is running. - publishService: - # -- Enable 'publishService' or not - enabled: true - # -- Allows overriding of the publish service to bind to - # Must be / - pathOverride: "" - - # Limit the scope of the controller to a specific namespace - scope: - # -- Enable 'scope' or not - enabled: false - # -- Namespace to limit the controller to; defaults to $(POD_NAMESPACE) - namespace: "" - # -- When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels - # only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. - namespaceSelector: "" - - # -- Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) - configMapNamespace: "" - - tcp: - # -- Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) + # -- Allows customization of the source of the IP address or FQDN to report + # in the ingress status field. By default, it reads the information provided + # by the service. If disable, the status field reports the IP address of the + # node or nodes where an ingress controller pod is running. + publishService: + # -- Enable 'publishService' or not + enabled: true + # -- Allows overriding of the publish service to bind to + # Must be / + pathOverride: "" + # Limit the scope of the controller to a specific namespace + scope: + # -- Enable 'scope' or not + enabled: false + # -- Namespace to limit the controller to; defaults to $(POD_NAMESPACE) + namespace: "" + # -- When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels + # only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. + namespaceSelector: "" + # -- Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) configMapNamespace: "" - # -- Annotations to be added to the tcp config configmap + tcp: + # -- Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) + configMapNamespace: "" + # -- Annotations to be added to the tcp config configmap + annotations: {} + udp: + # -- Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) + configMapNamespace: "" + # -- Annotations to be added to the udp config configmap + annotations: {} + # -- Maxmind license key to download GeoLite2 Databases. + ## https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases + maxmindLicenseKey: "" + # -- Additional command line arguments to pass to nginx-ingress-controller + # E.g. to specify the default SSL certificate you can use + extraArgs: {} + ## extraArgs: + ## default-ssl-certificate: "/" + + # -- Additional environment variables to set + extraEnvs: [] + # extraEnvs: + # - name: FOO + # valueFrom: + # secretKeyRef: + # key: FOO + # name: secret-resource + + # -- Use a `DaemonSet` or `Deployment` + kind: Deployment + # -- Annotations to be added to the controller Deployment or DaemonSet + ## annotations: {} + # keel.sh/pollSchedule: "@every 60m" - udp: - # -- Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) - configMapNamespace: "" - # -- Annotations to be added to the udp config configmap - annotations: {} + # -- Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels + ## + labels: {} + # keel.sh/policy: patch + # keel.sh/trigger: poll - # -- Maxmind license key to download GeoLite2 Databases. - ## https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases - maxmindLicenseKey: "" + # -- The update strategy to apply to the Deployment or DaemonSet + ## + updateStrategy: {} + # rollingUpdate: + # maxUnavailable: 1 + # type: RollingUpdate - # -- Additional command line arguments to pass to nginx-ingress-controller - # E.g. to specify the default SSL certificate you can use - extraArgs: {} - ## extraArgs: - ## default-ssl-certificate: "/" + # -- `minReadySeconds` to avoid killing pods before we are ready + ## + minReadySeconds: 0 + # -- Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - # -- Additional environment variables to set - extraEnvs: [] - # extraEnvs: - # - name: FOO - # valueFrom: - # secretKeyRef: - # key: FOO - # name: secret-resource - - # -- Use a `DaemonSet` or `Deployment` - kind: Deployment - - # -- Annotations to be added to the controller Deployment or DaemonSet - ## - annotations: {} - # keel.sh/pollSchedule: "@every 60m" - - # -- Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels - ## - labels: {} - # keel.sh/policy: patch - # keel.sh/trigger: poll - - - # -- The update strategy to apply to the Deployment or DaemonSet - ## - updateStrategy: {} - # rollingUpdate: - # maxUnavailable: 1 - # type: RollingUpdate - - # -- `minReadySeconds` to avoid killing pods before we are ready - ## - minReadySeconds: 0 - - - # -- Node tolerations for server scheduling to nodes with taints - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - ## - tolerations: [] - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - - # -- Affinity and anti-affinity rules for server scheduling to nodes - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## - affinity: {} + # -- Affinity and anti-affinity rules for server scheduling to nodes + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## + affinity: {} # # An example of preferred pod anti-affinity, weight is in the range 1-100 # podAntiAffinity: # preferredDuringSchedulingIgnoredDuringExecution: @@ -270,10 +238,10 @@ controller: # - controller # topologyKey: "kubernetes.io/hostname" - # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - ## - topologySpreadConstraints: [] + # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## + topologySpreadConstraints: [] # - maxSkew: 1 # topologyKey: topology.kubernetes.io/zone # whenUnsatisfiable: DoNotSchedule @@ -281,669 +249,605 @@ controller: # matchLabels: # app.kubernetes.io/instance: ingress-nginx-internal - # -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready - ## wait up to five minutes for the drain of connections - ## - terminationGracePeriodSeconds: 300 - - # -- Node labels for controller pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: - kubernetes.io/os: linux - - ## Liveness and readiness probe values - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes - ## - ## startupProbe: - ## httpGet: - ## # should match container.healthCheckPath - ## path: "/healthz" - ## port: 10254 - ## scheme: HTTP - ## initialDelaySeconds: 5 - ## periodSeconds: 5 - ## timeoutSeconds: 2 - ## successThreshold: 1 - ## failureThreshold: 5 - livenessProbe: - httpGet: - # should match container.healthCheckPath - path: "/healthz" - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 5 - readinessProbe: - httpGet: - # should match container.healthCheckPath - path: "/healthz" - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - - - # -- Path of the health check endpoint. All requests received on the port defined by - # the healthz-port parameter are forwarded internally to this path. - healthCheckPath: "/healthz" - - # -- Address to bind the health check endpoint. - # It is better to set this option to the internal node address - # if the ingress nginx controller is running in the `hostNetwork: true` mode. - healthCheckHost: "" - - # -- Annotations to be added to controller pods - ## - podAnnotations: {} - - replicaCount: 1 - - # -- Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Define either 'minAvailable' or 'maxUnavailable', never both. - # maxUnavailable: 1 - - ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes - ## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903 - ## Ideally, there should be no limits. - ## https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/ - resources: - ## limits: - ## cpu: 100m - ## memory: 90Mi - requests: - cpu: 100m - memory: 90Mi - - # Mutually exclusive with keda autoscaling - autoscaling: - apiVersion: autoscaling/v2 - enabled: false - annotations: {} - minReplicas: 1 - maxReplicas: 11 - targetCPUUtilizationPercentage: 50 - targetMemoryUtilizationPercentage: 50 - behavior: {} - # scaleDown: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 1 - # periodSeconds: 180 - # scaleUp: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 2 - # periodSeconds: 60 - - autoscalingTemplate: [] - # Custom or additional autoscaling metrics - # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics - # - type: Pods - # pods: - # metric: - # name: nginx_ingress_controller_nginx_process_requests_total - # target: - # type: AverageValue - # averageValue: 10000m - - # Mutually exclusive with hpa autoscaling - keda: - apiVersion: "keda.sh/v1alpha1" - ## apiVersion changes with keda 1.x vs 2.x - ## 2.x = keda.sh/v1alpha1 - ## 1.x = keda.k8s.io/v1alpha1 - enabled: false - minReplicas: 1 - maxReplicas: 11 - pollingInterval: 30 - cooldownPeriod: 300 - restoreToOriginalReplicaCount: false - scaledObject: - annotations: {} - # Custom annotations for ScaledObject resource - # annotations: - # key: value - triggers: [] - # - type: prometheus - # metadata: - # serverAddress: http://:9090 - # metricName: http_requests_total - # threshold: '100' - # query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) - - behavior: {} - # scaleDown: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 1 - # periodSeconds: 180 - # scaleUp: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 2 - # periodSeconds: 60 - - # -- Enable mimalloc as a drop-in replacement for malloc. - ## ref: https://github.com/microsoft/mimalloc - ## - enableMimalloc: true - - ## Override NGINX template - customTemplate: - configMapName: "" - configMapKey: "" - - service: - enabled: true - - # -- If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were - # using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http - # It allows choosing the protocol for each backend specified in the Kubernetes service. - # See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 - # Will be ignored for Kubernetes versions older than 1.20 + # -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready + ## wait up to five minutes for the drain of connections ## - appProtocol: true - - annotations: {} - labels: {} - # clusterIP: "" - - # -- List of IP addresses at which the controller services are available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + terminationGracePeriodSeconds: 300 + # -- Node labels for controller pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ ## - externalIPs: [] - - # -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer - loadBalancerIP: "" - loadBalancerSourceRanges: [] - - enableHttp: true - enableHttps: true - - ## Set external traffic policy to: "Local" to preserve source IP on providers supporting it. - ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer - # externalTrafficPolicy: "" - - ## Must be either "None" or "ClientIP" if set. Kubernetes will default to "None". - ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - # sessionAffinity: "" - - ## Specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified, - ## the service controller allocates a port from your cluster’s NodePort range. - ## Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - # healthCheckNodePort: 0 - - # -- Represents the dual-stack-ness requested or required by this Service. Possible values are - # SingleStack, PreferDualStack or RequireDualStack. - # The ipFamilies and clusterIPs fields depend on the value of this field. - ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ - ipFamilyPolicy: "SingleStack" - - # -- List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically - # based on cluster configuration and the ipFamilyPolicy field. - ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ - ipFamilies: - - IPv4 - - ports: - http: 80 - https: 443 - - targetPorts: - http: http - https: https - - type: LoadBalancer - - ## type: NodePort - ## nodePorts: - ## http: 32080 - ## https: 32443 - ## tcp: - ## 8080: 32808 - nodePorts: - http: "" - https: "" - tcp: {} - udp: {} - - external: - enabled: true - - internal: - # -- Enables an additional internal load balancer (besides the external one). - enabled: false - # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. - annotations: {} - - # loadBalancerIP: "" - - # -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. - loadBalancerSourceRanges: [] - - ## Set external traffic policy to: "Local" to preserve source IP on - ## providers supporting it - ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer - # externalTrafficPolicy: "" - - # shareProcessNamespace enables process namespace sharing within the pod. - # This can be used for example to signal log rotation using `kill -USR1` from a sidecar. - shareProcessNamespace: false - - # -- Additional containers to be added to the controller pod. - # See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. - extraContainers: [] - # - name: my-sidecar - # image: nginx:latest - # - name: lemonldap-ng-controller - # image: lemonldapng/lemonldap-ng-controller:0.2.0 - # args: - # - /lemonldap-ng-controller - # - --alsologtostderr - # - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration - # env: - # - name: POD_NAME - # valueFrom: - # fieldRef: - # fieldPath: metadata.name - # - name: POD_NAMESPACE - # valueFrom: - # fieldRef: - # fieldPath: metadata.namespace - # volumeMounts: - # - name: copy-portal-skins - # mountPath: /srv/var/lib/lemonldap-ng/portal/skins - - # -- Additional volumeMounts to the controller main container. - extraVolumeMounts: [] - # - name: copy-portal-skins - # mountPath: /var/lib/lemonldap-ng/portal/skins - - # -- Additional volumes to the controller pod. - extraVolumes: [] - # - name: copy-portal-skins - # emptyDir: {} - - # -- Containers, which are run before the app containers are started. - extraInitContainers: [] - # - name: init-myservice - # image: busybox - # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] - - # -- Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module - extraModules: [] - # containerSecurityContext: - # allowPrivilegeEscalation: false - # - # The image must contain a `/usr/local/bin/init_module.sh` executable, which - # will be executed as initContainers, to move its config files within the - # mounted volume. - - opentelemetry: - enabled: false - image: registry.k8s.io/ingress-nginx/opentelemetry:v20221114-controller-v1.5.1-6-ga66ee73c5@sha256:41076fd9fb4255677c1a3da1ac3fc41477f06eba3c7ebf37ffc8f734dad51d7c - containerSecurityContext: - allowPrivilegeEscalation: false - - admissionWebhooks: - annotations: {} - # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem". - - ## Additional annotations to the admission webhooks. - ## These annotations will be added to the ValidatingWebhookConfiguration and - ## the Jobs Spec of the admission webhooks. - enabled: true - # -- Additional environment variables to set - extraEnvs: [] - # extraEnvs: - # - name: FOO - # valueFrom: - # secretKeyRef: - # key: FOO - # name: secret-resource - # -- Admission Webhook failure policy to use - failurePolicy: Fail - # timeoutSeconds: 10 - port: 8443 - certificate: "/usr/local/certificates/cert" - key: "/usr/local/certificates/key" - namespaceSelector: {} - objectSelector: {} - # -- Labels to be added to admission webhooks - labels: {} - - # -- Use an existing PSP instead of creating one - existingPsp: "" - networkPolicyEnabled: false - - service: - annotations: {} - # clusterIP: "" - externalIPs: [] - # loadBalancerIP: "" - loadBalancerSourceRanges: [] - servicePort: 443 - type: ClusterIP - - createSecretJob: - securityContext: - allowPrivilegeEscalation: false - resources: {} - # limits: - # cpu: 10m - # memory: 20Mi - # requests: - # cpu: 10m - # memory: 20Mi - - patchWebhookJob: - securityContext: - allowPrivilegeEscalation: false - resources: {} - - patch: - enabled: true - image: - registry: registry.k8s.io - image: ingress-nginx/kube-webhook-certgen - ## for backwards compatibility consider setting the full image url via the repository value below - ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail - ## repository: - tag: v20220916-gd32f8c343 - digest: sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f - pullPolicy: IfNotPresent - # -- Provide a priority class name to the webhook patching job - ## - priorityClassName: "" - podAnnotations: {} - nodeSelector: + nodeSelector: kubernetes.io/os: linux - tolerations: [] - # -- Labels to be added to patch job resources - labels: {} - securityContext: - runAsNonRoot: true - runAsUser: 2000 - fsGroup: 2000 + ## Liveness and readiness probe values + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## + ## startupProbe: + ## httpGet: + ## # should match container.healthCheckPath + ## path: "/healthz" + ## port: 10254 + ## scheme: HTTP + ## initialDelaySeconds: 5 + ## periodSeconds: 5 + ## timeoutSeconds: 2 + ## successThreshold: 1 + ## failureThreshold: 5 + livenessProbe: + httpGet: + # should match container.healthCheckPath + path: "/healthz" + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + httpGet: + # should match container.healthCheckPath + path: "/healthz" + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + # -- Path of the health check endpoint. All requests received on the port defined by + # the healthz-port parameter are forwarded internally to this path. + healthCheckPath: "/healthz" + # -- Address to bind the health check endpoint. + # It is better to set this option to the internal node address + # if the ingress nginx controller is running in the `hostNetwork: true` mode. + healthCheckHost: "" + # -- Annotations to be added to controller pods + ## + podAnnotations: {} + replicaCount: 1 + # -- Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Define either 'minAvailable' or 'maxUnavailable', never both. + # maxUnavailable: 1 - # Use certmanager to generate webhook certs - certManager: - enabled: false - # self-signed root certificate - rootCert: - duration: "" # default to be 5y - admissionCert: - duration: "" # default to be 1y - # issuerRef: - # name: "issuer" - # kind: "ClusterIssuer" + ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes + ## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903 + ## Ideally, there should be no limits. + ## https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/ + resources: + ## limits: + ## cpu: 100m + ## memory: 90Mi + requests: + cpu: 100m + memory: 90Mi + # Mutually exclusive with keda autoscaling + autoscaling: + apiVersion: autoscaling/v2 + enabled: false + annotations: {} + minReplicas: 1 + maxReplicas: 11 + targetCPUUtilizationPercentage: 50 + targetMemoryUtilizationPercentage: 50 + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 + autoscalingTemplate: [] + # Custom or additional autoscaling metrics + # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics + # - type: Pods + # pods: + # metric: + # name: nginx_ingress_controller_nginx_process_requests_total + # target: + # type: AverageValue + # averageValue: 10000m - metrics: - port: 10254 - portName: metrics - # if this port is changed, change healthz-port: in extraArgs: accordingly - enabled: false + # Mutually exclusive with hpa autoscaling + keda: + apiVersion: "keda.sh/v1alpha1" + ## apiVersion changes with keda 1.x vs 2.x + ## 2.x = keda.sh/v1alpha1 + ## 1.x = keda.k8s.io/v1alpha1 + enabled: false + minReplicas: 1 + maxReplicas: 11 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + # Custom annotations for ScaledObject resource + # annotations: + # key: value + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: http_requests_total + # threshold: '100' + # query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 + + # -- Enable mimalloc as a drop-in replacement for malloc. + ## ref: https://github.com/microsoft/mimalloc + ## + enableMimalloc: true + ## Override NGINX template + customTemplate: + configMapName: "" + configMapKey: "" service: - annotations: {} - # prometheus.io/scrape: "true" - # prometheus.io/port: "10254" + enabled: true + # -- If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were + # using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http + # It allows choosing the protocol for each backend specified in the Kubernetes service. + # See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 + # Will be ignored for Kubernetes versions older than 1.20 + ## + appProtocol: true + annotations: {} + labels: {} + # clusterIP: "" - # clusterIP: "" + # -- List of IP addresses at which the controller services are available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + # -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + loadBalancerSourceRanges: [] + enableHttp: true + enableHttps: true + ## Set external traffic policy to: "Local" to preserve source IP on providers supporting it. + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "" - # -- List of IP addresses at which the stats-exporter service is available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips - ## - externalIPs: [] + ## Must be either "None" or "ClientIP" if set. Kubernetes will default to "None". + ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + # sessionAffinity: "" - # loadBalancerIP: "" - loadBalancerSourceRanges: [] - servicePort: 10254 - type: ClusterIP - # externalTrafficPolicy: "" - # nodePort: "" + ## Specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified, + ## the service controller allocates a port from your cluster’s NodePort range. + ## Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + # healthCheckNodePort: 0 - serviceMonitor: - enabled: false - additionalLabels: {} - ## The label to use to retrieve the job name from. - ## jobLabel: "app.kubernetes.io/name" - namespace: "" - namespaceSelector: {} - ## Default: scrape .Release.Namespace only - ## To scrape all, use the following: - ## namespaceSelector: - ## any: true - scrapeInterval: 30s - # honorLabels: true - targetLabels: [] - relabelings: [] - metricRelabelings: [] + # -- Represents the dual-stack-ness requested or required by this Service. Possible values are + # SingleStack, PreferDualStack or RequireDualStack. + # The ipFamilies and clusterIPs fields depend on the value of this field. + ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ipFamilyPolicy: "SingleStack" + # -- List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically + # based on cluster configuration and the ipFamilyPolicy field. + ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ipFamilies: + - IPv4 + ports: + http: 80 + https: 443 + targetPorts: + http: http + https: https + type: LoadBalancer + ## type: NodePort + ## nodePorts: + ## http: 32080 + ## https: 32443 + ## tcp: + ## 8080: 32808 + nodePorts: + http: "" + https: "" + tcp: {} + udp: {} + external: + enabled: true + internal: + # -- Enables an additional internal load balancer (besides the external one). + enabled: false + # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. + annotations: {} + # loadBalancerIP: "" - prometheusRule: - enabled: false - additionalLabels: {} - # namespace: "" - rules: [] - # # These are just examples rules, please adapt them to your needs - # - alert: NGINXConfigFailed - # expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0 - # for: 1s - # labels: - # severity: critical - # annotations: - # description: bad ingress config - nginx config test failed - # summary: uninstall the latest ingress changes to allow config reloads to resume - # - alert: NGINXCertificateExpiry - # expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800 - # for: 1s - # labels: - # severity: critical - # annotations: - # description: ssl certificate(s) will expire in less then a week - # summary: renew expiring certificates to avoid downtime - # - alert: NGINXTooMany500s - # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"5.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 - # for: 1m - # labels: - # severity: warning - # annotations: - # description: Too many 5XXs - # summary: More than 5% of all requests returned 5XX, this requires your attention - # - alert: NGINXTooMany400s - # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"4.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 - # for: 1m - # labels: - # severity: warning - # annotations: - # description: Too many 4XXs - # summary: More than 5% of all requests returned 4XX, this requires your attention + # -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. + loadBalancerSourceRanges: [] + ## Set external traffic policy to: "Local" to preserve source IP on + ## providers supporting it + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "" + # shareProcessNamespace enables process namespace sharing within the pod. + # This can be used for example to signal log rotation using `kill -USR1` from a sidecar. + shareProcessNamespace: false + # -- Additional containers to be added to the controller pod. + # See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. + extraContainers: [] + # - name: my-sidecar + # image: nginx:latest + # - name: lemonldap-ng-controller + # image: lemonldapng/lemonldap-ng-controller:0.2.0 + # args: + # - /lemonldap-ng-controller + # - --alsologtostderr + # - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration + # env: + # - name: POD_NAME + # valueFrom: + # fieldRef: + # fieldPath: metadata.name + # - name: POD_NAMESPACE + # valueFrom: + # fieldRef: + # fieldPath: metadata.namespace + # volumeMounts: + # - name: copy-portal-skins + # mountPath: /srv/var/lib/lemonldap-ng/portal/skins - # -- Improve connection draining when ingress controller pod is deleted using a lifecycle hook: - # With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds - # to 300, allowing the draining of connections up to five minutes. - # If the active connections end before that, the pod will terminate gracefully at that time. - # To effectively take advantage of this feature, the Configmap feature - # worker-shutdown-timeout new value is 240s instead of 10s. - ## - lifecycle: - preStop: - exec: - command: - - /wait-shutdown + # -- Additional volumeMounts to the controller main container. + extraVolumeMounts: [] + # - name: copy-portal-skins + # mountPath: /var/lib/lemonldap-ng/portal/skins - priorityClassName: "" + # -- Additional volumes to the controller pod. + extraVolumes: [] + # - name: copy-portal-skins + # emptyDir: {} + # -- Containers, which are run before the app containers are started. + extraInitContainers: [] + # - name: init-myservice + # image: busybox + # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] + + # -- Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module + extraModules: [] + # containerSecurityContext: + # allowPrivilegeEscalation: false + # + # The image must contain a `/usr/local/bin/init_module.sh` executable, which + # will be executed as initContainers, to move its config files within the + # mounted volume. + + opentelemetry: + enabled: false + image: registry.k8s.io/ingress-nginx/opentelemetry:v20221114-controller-v1.5.1-6-ga66ee73c5@sha256:41076fd9fb4255677c1a3da1ac3fc41477f06eba3c7ebf37ffc8f734dad51d7c + containerSecurityContext: + allowPrivilegeEscalation: false + admissionWebhooks: + annotations: {} + # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem". + + ## Additional annotations to the admission webhooks. + ## These annotations will be added to the ValidatingWebhookConfiguration and + ## the Jobs Spec of the admission webhooks. + enabled: true + # -- Additional environment variables to set + extraEnvs: [] + # extraEnvs: + # - name: FOO + # valueFrom: + # secretKeyRef: + # key: FOO + # name: secret-resource + # -- Admission Webhook failure policy to use + failurePolicy: Fail + # timeoutSeconds: 10 + port: 8443 + certificate: "/usr/local/certificates/cert" + key: "/usr/local/certificates/key" + namespaceSelector: {} + objectSelector: {} + # -- Labels to be added to admission webhooks + labels: {} + # -- Use an existing PSP instead of creating one + existingPsp: "" + networkPolicyEnabled: false + service: + annotations: {} + # clusterIP: "" + externalIPs: [] + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 443 + type: ClusterIP + createSecretJob: + securityContext: + allowPrivilegeEscalation: false + resources: {} + # limits: + # cpu: 10m + # memory: 20Mi + # requests: + # cpu: 10m + # memory: 20Mi + patchWebhookJob: + securityContext: + allowPrivilegeEscalation: false + resources: {} + patch: + enabled: true + image: + registry: registry.k8s.io + image: ingress-nginx/kube-webhook-certgen + ## for backwards compatibility consider setting the full image url via the repository value below + ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + ## repository: + tag: v20220916-gd32f8c343 + digest: sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + pullPolicy: IfNotPresent + # -- Provide a priority class name to the webhook patching job + ## + priorityClassName: "" + podAnnotations: {} + nodeSelector: + kubernetes.io/os: linux + tolerations: [] + # -- Labels to be added to patch job resources + labels: {} + securityContext: + runAsNonRoot: true + runAsUser: 2000 + fsGroup: 2000 + # Use certmanager to generate webhook certs + certManager: + enabled: false + # self-signed root certificate + rootCert: + # default to be 5y + duration: "" + admissionCert: + # default to be 1y + duration: "" + # issuerRef: + # name: "issuer" + # kind: "ClusterIssuer" + metrics: + port: 10254 + portName: metrics + # if this port is changed, change healthz-port: in extraArgs: accordingly + enabled: false + service: + annotations: {} + # prometheus.io/scrape: "true" + # prometheus.io/port: "10254" + + # clusterIP: "" + + # -- List of IP addresses at which the stats-exporter service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 10254 + type: ClusterIP + # externalTrafficPolicy: "" + # nodePort: "" + serviceMonitor: + enabled: false + additionalLabels: {} + ## The label to use to retrieve the job name from. + ## jobLabel: "app.kubernetes.io/name" + namespace: "" + namespaceSelector: {} + ## Default: scrape .Release.Namespace only + ## To scrape all, use the following: + ## namespaceSelector: + ## any: true + scrapeInterval: 30s + # honorLabels: true + targetLabels: [] + relabelings: [] + metricRelabelings: [] + prometheusRule: + enabled: false + additionalLabels: {} + # namespace: "" + rules: [] + # # These are just examples rules, please adapt them to your needs + # - alert: NGINXConfigFailed + # expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0 + # for: 1s + # labels: + # severity: critical + # annotations: + # description: bad ingress config - nginx config test failed + # summary: uninstall the latest ingress changes to allow config reloads to resume + # - alert: NGINXCertificateExpiry + # expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800 + # for: 1s + # labels: + # severity: critical + # annotations: + # description: ssl certificate(s) will expire in less then a week + # summary: renew expiring certificates to avoid downtime + # - alert: NGINXTooMany500s + # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"5.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 + # for: 1m + # labels: + # severity: warning + # annotations: + # description: Too many 5XXs + # summary: More than 5% of all requests returned 5XX, this requires your attention + # - alert: NGINXTooMany400s + # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"4.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 + # for: 1m + # labels: + # severity: warning + # annotations: + # description: Too many 4XXs + # summary: More than 5% of all requests returned 4XX, this requires your attention + # -- Improve connection draining when ingress controller pod is deleted using a lifecycle hook: + # With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds + # to 300, allowing the draining of connections up to five minutes. + # If the active connections end before that, the pod will terminate gracefully at that time. + # To effectively take advantage of this feature, the Configmap feature + # worker-shutdown-timeout new value is 240s instead of 10s. + ## + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + priorityClassName: "" # -- Rollback limit ## revisionHistoryLimit: 10 - ## Default 404 backend ## defaultBackend: - ## - enabled: false - - name: defaultbackend - image: - registry: registry.k8s.io - image: defaultbackend-amd64 - ## for backwards compatibility consider setting the full image url via the repository value below - ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail - ## repository: - tag: "1.5" - pullPolicy: IfNotPresent - # nobody user -> uid 65534 - runAsUser: 65534 - runAsNonRoot: true - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - - # -- Use an existing PSP instead of creating one - existingPsp: "" - - extraArgs: {} - - serviceAccount: - create: true - name: "" - automountServiceAccountToken: true - # -- Additional environment variables to set for defaultBackend pods - extraEnvs: [] - - port: 8080 - - ## Readiness and liveness probes for default backend - ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ - ## - livenessProbe: - failureThreshold: 3 - initialDelaySeconds: 30 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - failureThreshold: 6 - initialDelaySeconds: 0 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 5 - - # -- Node tolerations for server scheduling to nodes with taints - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - ## - tolerations: [] - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - - affinity: {} - - # -- Security Context policies for controller pods - # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for - # notes on enabling and using sysctls - ## - podSecurityContext: {} - - # -- Security Context policies for controller main container. - # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for - # notes on enabling and using sysctls - ## - containerSecurityContext: {} - - # -- Labels to add to the pod container metadata - podLabels: {} - # key: value - - # -- Node labels for default backend pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: - kubernetes.io/os: linux - - # -- Annotations to be added to default backend pods - ## - podAnnotations: {} - - replicaCount: 1 - - minAvailable: 1 - - resources: {} - # limits: - # cpu: 10m - # memory: 20Mi - # requests: - # cpu: 10m - # memory: 20Mi - - extraVolumeMounts: [] - ## Additional volumeMounts to the default backend container. - # - name: copy-portal-skins - # mountPath: /var/lib/lemonldap-ng/portal/skins - - extraVolumes: [] - ## Additional volumes to the default backend pod. - # - name: copy-portal-skins - # emptyDir: {} - - autoscaling: - annotations: {} - enabled: false - minReplicas: 1 - maxReplicas: 2 - targetCPUUtilizationPercentage: 50 - targetMemoryUtilizationPercentage: 50 - - service: - annotations: {} - - # clusterIP: "" - - # -- List of IP addresses at which the default backend service is available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips ## - externalIPs: [] + enabled: false + name: defaultbackend + image: + registry: registry.k8s.io + image: defaultbackend-amd64 + ## for backwards compatibility consider setting the full image url via the repository value below + ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + ## repository: + tag: "1.5" + pullPolicy: IfNotPresent + # nobody user -> uid 65534 + runAsUser: 65534 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + # -- Use an existing PSP instead of creating one + existingPsp: "" + extraArgs: {} + serviceAccount: + create: true + name: "" + automountServiceAccountToken: true + # -- Additional environment variables to set for defaultBackend pods + extraEnvs: [] + port: 8080 + ## Readiness and liveness probes for default backend + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + ## + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + failureThreshold: 6 + initialDelaySeconds: 0 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + # -- Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - # loadBalancerIP: "" - loadBalancerSourceRanges: [] - servicePort: 80 - type: ClusterIP + affinity: {} + # -- Security Context policies for controller pods + # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for + # notes on enabling and using sysctls + ## + podSecurityContext: {} + # -- Security Context policies for controller main container. + # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for + # notes on enabling and using sysctls + ## + containerSecurityContext: {} + # -- Labels to add to the pod container metadata + podLabels: {} + # key: value - priorityClassName: "" - # -- Labels to be added to the default backend resources - labels: {} + # -- Node labels for default backend pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: + kubernetes.io/os: linux + # -- Annotations to be added to default backend pods + ## + podAnnotations: {} + replicaCount: 1 + minAvailable: 1 + resources: {} + # limits: + # cpu: 10m + # memory: 20Mi + # requests: + # cpu: 10m + # memory: 20Mi + extraVolumeMounts: [] + ## Additional volumeMounts to the default backend container. + # - name: copy-portal-skins + # mountPath: /var/lib/lemonldap-ng/portal/skins + + extraVolumes: [] + ## Additional volumes to the default backend pod. + # - name: copy-portal-skins + # emptyDir: {} + + autoscaling: + annotations: {} + enabled: false + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 + targetMemoryUtilizationPercentage: 50 + service: + annotations: {} + # clusterIP: "" + + # -- List of IP addresses at which the default backend service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 80 + type: ClusterIP + priorityClassName: "" + # -- Labels to be added to the default backend resources + labels: {} ## Enable RBAC as per https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/rbac.md and https://github.com/kubernetes/ingress-nginx/issues/266 rbac: - create: true - scope: false - + create: true + scope: false ## If true, create & use Pod Security Policy resources ## https://kubernetes.io/docs/concepts/policy/pod-security-policy/ podSecurityPolicy: - enabled: false - + enabled: false serviceAccount: - create: true - name: "" - automountServiceAccountToken: true - # -- Annotations for the controller service account - annotations: {} - + create: true + name: "" + automountServiceAccountToken: true + # -- Annotations for the controller service account + annotations: {} # -- Optional array of imagePullSecrets containing private registry credentials ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ imagePullSecrets: [] @@ -964,7 +868,6 @@ udp: {} # -- Prefix for TCP and UDP ports names in ingress controller service ## Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration portNamePrefix: "" - # -- (string) A base64-encoded Diffie-Hellman parameter. # This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` ## Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml index fbdf9486a..54d315b50 100644 --- a/deploy/static/provider/aws/deploy.yaml +++ b/deploy/static/provider/aws/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,21 +90,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resourceNames: - - ingress-nginx-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resourceNames: @@ -144,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx rules: - apiGroups: @@ -245,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -343,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -359,7 +344,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -392,7 +377,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -415,7 +400,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -455,7 +440,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + image: registry.k8s.io/ingress-nginx/controller:v1.5.2@sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -527,7 +512,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -538,7 +523,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-create spec: containers: @@ -574,7 +559,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -585,7 +570,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-patch spec: containers: @@ -623,7 +608,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: nginx spec: controller: k8s.io/ingress-nginx @@ -636,7 +621,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml index 73ec24286..819de9079 100644 --- a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml +++ b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,21 +90,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resourceNames: - - ingress-nginx-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resourceNames: @@ -144,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx rules: - apiGroups: @@ -245,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -350,7 +335,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -368,7 +353,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -401,7 +386,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -424,7 +409,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -464,7 +449,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + image: registry.k8s.io/ingress-nginx/controller:v1.5.2@sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -539,7 +524,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -550,7 +535,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-create spec: containers: @@ -586,7 +571,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -597,7 +582,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-patch spec: containers: @@ -635,7 +620,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: nginx spec: controller: k8s.io/ingress-nginx @@ -648,7 +633,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml index 9e6e905bb..73aec6dc9 100644 --- a/deploy/static/provider/baremetal/deploy.yaml +++ b/deploy/static/provider/baremetal/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,21 +90,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resourceNames: - - ingress-nginx-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resourceNames: @@ -144,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx rules: - apiGroups: @@ -245,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -343,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -355,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -387,7 +372,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -410,7 +395,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -449,7 +434,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + image: registry.k8s.io/ingress-nginx/controller:v1.5.2@sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -521,7 +506,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -532,7 +517,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-create spec: containers: @@ -568,7 +553,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -579,7 +564,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-patch spec: containers: @@ -617,7 +602,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: nginx spec: controller: k8s.io/ingress-nginx @@ -630,7 +615,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml index dd986a55d..19455ed27 100644 --- a/deploy/static/provider/cloud/deploy.yaml +++ b/deploy/static/provider/cloud/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,21 +90,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resourceNames: - - ingress-nginx-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resourceNames: @@ -144,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx rules: - apiGroups: @@ -245,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -343,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -355,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -388,7 +373,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -411,7 +396,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -451,7 +436,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + image: registry.k8s.io/ingress-nginx/controller:v1.5.2@sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -523,7 +508,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -534,7 +519,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-create spec: containers: @@ -570,7 +555,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -581,7 +566,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-patch spec: containers: @@ -619,7 +604,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: nginx spec: controller: k8s.io/ingress-nginx @@ -632,7 +617,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml index 64e0366b4..3c4a022c3 100644 --- a/deploy/static/provider/do/deploy.yaml +++ b/deploy/static/provider/do/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,21 +90,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resourceNames: - - ingress-nginx-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resourceNames: @@ -144,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx rules: - apiGroups: @@ -245,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -344,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -358,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -391,7 +376,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -414,7 +399,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -454,7 +439,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + image: registry.k8s.io/ingress-nginx/controller:v1.5.2@sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -526,7 +511,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -537,7 +522,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-create spec: containers: @@ -573,7 +558,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -584,7 +569,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-patch spec: containers: @@ -622,7 +607,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: nginx spec: controller: k8s.io/ingress-nginx @@ -635,7 +620,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml index d6a40aed9..084fcd897 100644 --- a/deploy/static/provider/exoscale/deploy.yaml +++ b/deploy/static/provider/exoscale/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,21 +90,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resourceNames: - - ingress-nginx-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resourceNames: @@ -144,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx rules: - apiGroups: @@ -245,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -343,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -364,7 +349,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -397,7 +382,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -420,7 +405,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -460,7 +445,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + image: registry.k8s.io/ingress-nginx/controller:v1.5.2@sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -532,7 +517,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -543,7 +528,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-create spec: containers: @@ -579,7 +564,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -590,7 +575,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-patch spec: containers: @@ -628,7 +613,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: nginx spec: controller: k8s.io/ingress-nginx @@ -641,7 +626,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml index 62ead9e34..355ca8054 100644 --- a/deploy/static/provider/kind/deploy.yaml +++ b/deploy/static/provider/kind/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,21 +90,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resourceNames: - - ingress-nginx-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resourceNames: @@ -144,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx rules: - apiGroups: @@ -245,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -343,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -355,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -387,7 +372,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -410,7 +395,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -455,7 +440,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + image: registry.k8s.io/ingress-nginx/controller:v1.5.2@sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -537,7 +522,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -548,7 +533,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-create spec: containers: @@ -584,7 +569,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -595,7 +580,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-patch spec: containers: @@ -633,7 +618,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: nginx spec: controller: k8s.io/ingress-nginx @@ -646,7 +631,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml index d52f01489..ff8b820b3 100644 --- a/deploy/static/provider/scw/deploy.yaml +++ b/deploy/static/provider/scw/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,21 +90,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resourceNames: - - ingress-nginx-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resourceNames: @@ -144,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx rules: - apiGroups: @@ -245,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -344,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -358,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -391,7 +376,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -414,7 +399,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -454,7 +439,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + image: registry.k8s.io/ingress-nginx/controller:v1.5.2@sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -526,7 +511,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -537,7 +522,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-create spec: containers: @@ -573,7 +558,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -584,7 +569,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission-patch spec: containers: @@ -622,7 +607,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: nginx spec: controller: k8s.io/ingress-nginx @@ -635,7 +620,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.5.2 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/docs/deploy/index.md b/docs/deploy/index.md index 29495b5c0..71a27b15f 100644 --- a/docs/deploy/index.md +++ b/docs/deploy/index.md @@ -62,7 +62,7 @@ It will install the controller in the `ingress-nginx` namespace, creating that n **If you don't have Helm** or if you prefer to use a YAML manifest, you can run the following command instead: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.2/deploy/static/provider/cloud/deploy.yaml ``` !!! info @@ -225,7 +225,7 @@ In AWS, we use a Network load balancer (NLB) to expose the NGINX Ingress control ##### Network Load Balancer (NLB) ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/aws/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.2/deploy/static/provider/aws/deploy.yaml ``` ##### TLS termination in AWS Load Balancer (NLB) @@ -233,10 +233,10 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS using an NLB. -1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template +1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.2/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template ```console - wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml + wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.2/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml ``` 2. Edit the file and change the VPC CIDR in use for the Kubernetes cluster: @@ -282,7 +282,7 @@ Then, the ingress controller can be installed like this: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.2/deploy/static/provider/cloud/deploy.yaml ``` !!! warning @@ -299,7 +299,7 @@ Proxy-protocol is supported in GCE check the [Official Documentations on how to #### Azure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.2/deploy/static/provider/cloud/deploy.yaml ``` More information with regard to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller). @@ -307,7 +307,7 @@ More information with regard to Azure annotations for ingress controller can be #### Digital Ocean ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/do/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.2/deploy/static/provider/do/deploy.yaml ``` - By default the service object of the ingress-nginx-controller for Digital-Ocean, only configures one annotation. Its this one `service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"`. While this makes the service functional, it was reported that the Digital-Ocean LoadBalancer graphs shows `no data`, unless a few other annotations are also configured. Some of these other annotations require values that can not be generic and hence not forced in a out-of-the-box installation. These annotations and a discussion on them is well documented in [this issue](https://github.com/kubernetes/ingress-nginx/issues/8965). Please refer to the issue to add annotations, with values specific to user, to get graphs of the DO-LB populated with data. @@ -315,7 +315,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont #### Scaleway ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/scw/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.2/deploy/static/provider/scw/deploy.yaml ``` #### Exoscale @@ -330,7 +330,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale #### Oracle Cloud Infrastructure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.2/deploy/static/provider/cloud/deploy.yaml ``` A @@ -357,7 +357,7 @@ For quick testing, you can use a This should work on almost every cluster, but it will typically use a port in the range 30000-32767. ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/baremetal/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.2/deploy/static/provider/baremetal/deploy.yaml ``` For more information about bare metal deployments (and how to use port 80 instead of a random port in the 30000-32767 range), diff --git a/docs/e2e-tests.md b/docs/e2e-tests.md index d5aa6cc16..f943a96a6 100644 --- a/docs/e2e-tests.md +++ b/docs/e2e-tests.md @@ -7,11 +7,651 @@ Do not try to edit it manually. +### [[Serial] admission controller](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L35) + +- [reject ingress with global-rate-limit annotations when memcached is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L48) +- [should not allow overlaps of host and paths without canary annotations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L75) +- [should allow overlaps of host and paths with canary annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L92) +- [should block ingress with invalid path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L113) +- [should return an error if there is an error validating the ingress definition](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L130) +- [should return an error if there is an invalid value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L141) +- [should return an error if there is a forbidden value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L155) +- [should not return an error if the Ingress V1 definition is valid with Ingress Class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L169) +- [should not return an error if the Ingress V1 definition is valid with IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L185) +- [should return an error if the Ingress V1 definition contains invalid annotations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L201) +- [should not return an error for an invalid Ingress when it has unknown class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L212) + +### [affinity session-cookie-name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L35) + +- [should set sticky cookie SERVERID](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L42) +- [should change cookie name on ingress definition change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L64) +- [should set the path to /something on the generated cookie](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L99) +- [does not set the path to / on the generated cookie if there's more than one rule referring to the same backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L121) +- [should set cookie with expires](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L194) +- [should set cookie with domain](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L225) +- [should not set cookie without domain annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L248) +- [should work with use-regex annotation and session-cookie-path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L270) +- [should warn user when use-regex is true and session-cookie-path is not set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L294) +- [should not set affinity across all server locations when using separate ingresses](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L320) +- [should set sticky cookie without host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L352) +- [should work with server-alias annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L372) +- [should set secure in cookie with provided true annotation on http](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L412) +- [should not set secure in cookie with provided false annotation on http](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L435) +- [should set secure in cookie with provided false annotation on https](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L458) + +### [affinitymode](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinitymode.go#L31) + +- [Balanced affinity mode should balance](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinitymode.go#L34) +- [Check persistent affinity mode](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinitymode.go#L67) + +### [server-alias](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/alias.go#L29) + +- [should return status code 200 for host 'foo' and 404 for 'bar'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/alias.go#L36) +- [should return status code 200 for host 'foo' and 'bar'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/alias.go#L62) +- [should return status code 200 for hosts defined in two ingresses, different path with one alias](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/alias.go#L87) + +### [app-root](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/approot.go#L28) + +- [should redirect to /foo](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/approot.go#L35) + +### [auth-tls-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L29) + +- [should set sslClientCertificate, sslVerifyClient and sslVerifyDepth with auth-tls-secret](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L36) +- [should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L84) +- [should 302 redirect to error page instead of 400 when auth-tls-error-page is set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L114) +- [should pass URL-encoded certificate to upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L161) +- [should validate auth-tls-verify-client](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L206) +- [should return 403 using auth-tls-match-cn with no matching CN from client](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L266) +- [should return 200 using auth-tls-match-cn with matching CN from client](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L295) +- [should return 200 using auth-tls-match-cn where atleast one of the regex options matches CN from client](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L324) + +### [backend-protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L27) + +- [should set backend protocol to https:// and use proxy_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L34) +- [should set backend protocol to $scheme:// and use proxy_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L49) +- [should set backend protocol to grpc:// and use grpc_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L64) +- [should set backend protocol to grpcs:// and use grpc_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L79) +- [should set backend protocol to '' and use fastcgi_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L94) +- [should set backend protocol to '' and use ajp_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L109) + +### [canary-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L36) + +- [should response with a 200 status from the mainline upstream when requests are made to the mainline ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L48) +- [should return 404 status for requests to the canary if no matching ingress is found](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L80) +- [should return the correct status codes when endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L107) +- [should route requests to the correct upstream if mainline ingress is created before the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L161) +- [should route requests to the correct upstream if mainline ingress is created after the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L206) +- [should route requests to the correct upstream if the mainline ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L250) +- [should route requests to the correct upstream if the canary ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L307) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L372) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L426) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L490) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L532) +- [should routes to mainline upstream when the given Regex causes error](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L566) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L604) +- [respects always and never values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L643) +- [should route requests only to mainline if canary weight is 0](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L705) +- [should route requests only to canary if canary weight is 100](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L743) +- [should route requests only to canary if canary weight is equal to canary weight total](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L775) +- [should route requests split between mainline and canary if canary weight is 50](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L808) +- [should not use canary as a catch-all server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L836) +- [should not use canary with domain as a server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L864) +- [does not crash when canary ingress has multiple paths to the same non-matching backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L888) +- [always routes traffic to canary if first request was affinitized to canary (default behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L916) +- [always routes traffic to canary if first request was affinitized to canary (explicit sticky behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L973) +- [routes traffic to either mainline or canary backend (legacy behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1031) + +### [client-body-buffer-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L28) + +- [should set client_body_buffer_size to 1000](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L35) +- [should set client_body_buffer_size to 1K](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L57) +- [should set client_body_buffer_size to 1k](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L79) +- [should set client_body_buffer_size to 1m](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L101) +- [should set client_body_buffer_size to 1M](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L123) +- [should not set client_body_buffer_size to invalid 1b](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L145) + +### [connection-proxy-header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/connection.go#L29) + +- [set connection header to keep-alive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/connection.go#L36) + +### [cors-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L28) + +- [should enable cors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L35) +- [should set cors methods to only allow POST, GET](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L62) +- [should set cors max-age](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L78) +- [should disable cors allow credentials](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L94) +- [should allow origin for cors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L110) +- [should allow headers for cors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L137) +- [should expose headers for cors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L153) +- [should allow - single origin for multiple cors values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L169) +- [should not allow - single origin for multiple cors values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L196) +- [should allow correct origins - single origin for multiple cors values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L216) +- [should not break functionality](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L267) +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L291) +- [should not break functionality with extra domain](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L314) +- [should not match](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L338) +- [should allow - single origin with required port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L358) +- [should not allow - single origin with port and origin without port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L386) +- [should not allow - single origin without port and origin with required port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L405) +- [should allow - matching origin with wildcard origin (2 subdomains)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L425) +- [should not allow - unmatching origin with wildcard origin (2 subdomains)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L468) +- [should allow - matching origin+port with wildcard origin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L488) +- [should not allow - portless origin with wildcard origin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L515) +- [should allow correct origins - missing subdomain + origin with wildcard origin and correct origin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L535) +- [should allow - missing origins (should allow all origins)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L571) + +### [custom-http-errors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/customhttperrors.go#L34) + +- [configures Nginx correctly](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/customhttperrors.go#L41) + +### [default-backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/default_backend.go#L29) + +- [should use a custom default backend as upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/default_backend.go#L37) + +### [disable-access-log disable-http-access-log disable-stream-access-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L28) + +- [disable-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L35) +- [disable-http-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L53) +- [disable-stream-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L71) + +### [backend-protocol - FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L31) + +- [should use fastcgi_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L38) +- [should add fastcgi_index in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L55) +- [should add fastcgi_param in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L72) +- [should return OK for service with backend protocol FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L105) + +### [force-ssl-redirect](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/forcesslredirect.go#L27) + +- [should redirect to https](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/forcesslredirect.go#L34) + +### [from-to-www-redirect](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fromtowwwredirect.go#L31) + +- [should redirect from www HTTP to HTTP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fromtowwwredirect.go#L38) +- [should redirect from www HTTPS to HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fromtowwwredirect.go#L64) + +### [annotation-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/globalratelimit.go#L30) + +- [generates correct configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/globalratelimit.go#L38) + +### [backend-protocol - GRPC](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L40) + +- [should use grpc_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L43) +- [should return OK for service with backend protocol GRPC](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L68) +- [authorization metadata should be overwritten by external auth response headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L126) +- [should return OK for service with backend protocol GRPCS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L199) + +### [http2-push-preload](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/http2pushpreload.go#L27) + +- [enable the http2-push-preload directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/http2pushpreload.go#L34) + +### [influxdb-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/influxdb.go#L39) + +- [should send the request metric to the influxdb server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/influxdb.go#L48) + +### [whitelist-source-range](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipwhitelist.go#L27) + +- [should set valid ip whitelist range](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipwhitelist.go#L34) + +### [Annotation - limit-connections](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/limitconnections.go#L31) + +- [should limit-connections](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/limitconnections.go#L38) + +### [limit-rate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/limitrate.go#L29) + +- [Check limit-rate annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/limitrate.go#L37) + +### [enable-access-log enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/log.go#L27) + +- [set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/log.go#L34) +- [set rewrite_log on](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/log.go#L49) + +### [mirror-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L28) + +- [should set mirror-target to http://localhost/mirror](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L36) +- [should set mirror-target to https://test.env.com/$request_uri](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L51) +- [should disable mirror-request-body](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L67) + +### [modsecurity owasp](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L28) + +- [should enable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L35) +- [should enable modsecurity with transaction ID and OWASP rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L53) +- [should disable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L74) +- [should enable modsecurity with snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L91) +- [should enable modsecurity without using 'modsecurity on;'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L110) +- [should disable modsecurity using 'modsecurity off;'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L132) +- [should enable modsecurity with snippet and block requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L153) +- [should enable modsecurity globally and with modsecurity-snippet block requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L189) +- [should enable modsecurity when enable-owasp-modsecurity-crs is set to true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L225) +- [should enable modsecurity through the config map](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L264) +- [should enable modsecurity through the config map but ignore snippet as disabled by admin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L305) +- [should disable default modsecurity conf setting when modsecurity-snippet is specified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L347) + +### [preserve-trailing-slash](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/preservetrailingslash.go#L27) + +- [should allow preservation of trailing slashes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/preservetrailingslash.go#L34) + +### [proxy-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L28) + +- [should set proxy_redirect to off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L36) +- [should set proxy_redirect to default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L52) +- [should set proxy_redirect to hello.com goodbye.com](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L68) +- [should set proxy client-max-body-size to 8m](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L85) +- [should not set proxy client-max-body-size to incorrect value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L100) +- [should set valid proxy timeouts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L115) +- [should not set invalid proxy timeouts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L136) +- [should turn on proxy-buffering](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L157) +- [should turn off proxy-request-buffering](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L179) +- [should build proxy next upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L194) +- [should setup proxy cookies](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L215) +- [should change the default proxy HTTP version](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L233) + +### [proxy-ssl-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L30) + +- [should set valid proxy-ssl-secret](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L37) +- [should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L64) +- [should set valid proxy-ssl-secret, proxy-ssl-ciphers to HIGH:!AES](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L94) +- [should set valid proxy-ssl-secret, proxy-ssl-protocols](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L122) +- [proxy-ssl-location-only flag should change the nginx config server part](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L150) + +### [permanent-redirect permanent-redirect-code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/redirect.go#L30) + +- [should respond with a standard redirect code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/redirect.go#L33) +- [should respond with a custom redirect code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/redirect.go#L61) + +### [rewrite-target use-regex enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L30) + +- [should write rewrite logs](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L37) +- [should use correct longest path match](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L66) +- [should use ~* location modifier if regex annotation is present](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L111) +- [should fail to use longest match for documented warning](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L158) +- [should allow for custom rewrite parameters](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L190) + +### [satisfy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/satisfy.go#L35) + +- [should configure satisfy directive correctly](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/satisfy.go#L42) +- [should allow multiple auth with satisfy any](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/satisfy.go#L84) + +### [server-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serversnippet.go#L28) + +- [add valid directives to server via server snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serversnippet.go#L35) +- [drops server snippet if disabled by the administrator](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serversnippet.go#L61) + +### [service-upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serviceupstream.go#L32) + +- [should use the Service Cluster IP and Port ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serviceupstream.go#L41) +- [should use the Service Cluster IP and Port ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serviceupstream.go#L70) +- [should not use the Service Cluster IP and Port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serviceupstream.go#L99) + +### [configuration-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/snippet.go#L28) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/snippet.go#L35) +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/snippet.go#L58) + +### [ssl-ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/sslciphers.go#L28) + +- [should change ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/sslciphers.go#L35) + +### [stream-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/streamsnippet.go#L34) + +- [should add value of stream-snippet to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/streamsnippet.go#L41) +- [should add stream-snippet and drop annotations per admin config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/streamsnippet.go#L85) + +### [upstream-hash-by-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamhashby.go#L76) + +- [should connect to the same pod](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamhashby.go#L83) +- [should connect to the same subset of pods](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamhashby.go#L92) + +### [upstream-vhost](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamvhost.go#L27) + +- [set host to upstreamvhost.bar.com](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamvhost.go#L34) + +### [x-forwarded-prefix](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L28) + +- [should set the X-Forwarded-Prefix to the annotation value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L35) +- [should not add X-Forwarded-Prefix if the annotation value is empty](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L57) + +### [auth-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L39) + +- [should return status code 200 when no authentication is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L46) +- [should return status code 503 when authentication is configured with an invalid secret](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L65) +- [should return status code 401 when authentication is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L89) +- [should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L116) +- [should return status code 401 and cors headers when authentication and cors is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L144) +- [should return status code 200 when authentication is configured and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L172) +- [should return status code 200 when authentication is configured with a map and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L199) +- [should return status code 401 when authentication is configured with invalid content and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L227) +- [ when external auth is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L266) +- [ when external auth is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L284) +- [ when auth-headers are set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L301) +- [should set cache_key when external auth cache is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L322) +- [user retains cookie by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L411) +- [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L422) +- [user with annotated ingress retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L433) +- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L485) +- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L494) +- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L505) +- [should overwrite Foo header with auth response](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L529) +- [should not create additional upstream block when auth-keepalive is not set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L552) +- [should not create additional upstream block when host part of auth-url contains a variable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L570) +- [should not create additional upstream block when auth-keepalive is negative](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L590) +- [should not create additional upstream block when auth-keepalive is set with HTTP/2](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L609) +- [should create additional upstream block when auth-keepalive is set with HTTP/1.x](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L623) +- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L678) +- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L687) +- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L698) +- [should return status code 200 when signed in after auth backend is deleted ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L772) +- [should deny login for different location on same server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L792) +- [should deny login for different servers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L820) +- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L849) +- [should return 503 (location was denied)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L879) +- [should add error to the config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L887) + +### [Debug CLI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L29) + +- [should list the backend servers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L37) +- [should get information for a specific backend server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L56) +- [should produce valid JSON for /dbg general](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L85) + +### [[Default Backend] custom service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/custom_default_backend.go#L33) + +- [uses custom default backend that returns 200 as status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/custom_default_backend.go#L36) + +### [[Default Backend]](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/default_backend.go#L30) + +- [should return 404 sending requests when only a default backend is running](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/default_backend.go#L33) +- [enables access logging for default backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/default_backend.go#L88) +- [disables access logging for default backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/default_backend.go#L105) + +### [[Default Backend] SSL](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/ssl.go#L26) + +- [should return a self generated SSL certificate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/ssl.go#L29) + +### [[Default Backend] change default settings](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/with_hosts.go#L30) + +- [should apply the annotation to the default backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/with_hosts.go#L38) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e_test.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e_test.go#L) + +### [[Endpointslices] long service name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/longname.go#L29) + +- [should return 200 when service name has max allowed number of characters 63](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/longname.go#L38) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/deployment.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/deployment.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/fastcgi_helloserver.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/fastcgi_helloserver.go#L) + +### [[Setting] ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L190) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L206) +- [ [MemoryLeak]](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L207) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/grpc_fortune_teller.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/grpc_fortune_teller.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/array.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/array.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/chain.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/chain.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/cookie.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/cookie.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/match.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/match.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/object.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/object.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/reporter.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/reporter.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/request.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/request.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/response.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/response.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/string.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/string.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/value.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/value.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/influxdb.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/influxdb.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/k8s.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/k8s.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/logs.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/logs.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/metrics.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/metrics.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/ssl.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/ssl.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/test_context.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/test_context.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/util.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/util.go#L) + +### [[Shutdown] Grace period shutdown](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/grace_period.go#L32) + +- [/healthz should return status code 500 during shutdown grace period](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/grace_period.go#L35) + +### [[Shutdown] ingress controller](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/shutdown.go#L30) + +- [should shutdown in less than 60 secons without pending connections](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/shutdown.go#L40) +- [should shutdown after waiting 60 seconds for pending connections to be closed](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/shutdown.go#L61) +- [should shutdown after waiting 150 seconds for pending connections to be closed](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/shutdown.go#L106) + +### [[Shutdown] Graceful shutdown with pending request](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/slow_requests.go#L25) + +- [should let slow requests finish before shutting down](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/slow_requests.go#L33) + +### [[Ingress] DeepInspection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/deep_inspection.go#L27) + +- [should drop whole ingress if one path matches invalid regex](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/deep_inspection.go#L34) + +### [single ingress - multiple hosts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/multiple_rules.go#L30) + +- [should set the correct $service_name NGINX variable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/multiple_rules.go#L38) + +### [[Ingress] [PathType] exact](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_exact.go#L30) + +- [should choose exact location for /exact](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_exact.go#L37) + +### [[Ingress] [PathType] mix Exact and Prefix paths](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_mixed.go#L30) + +- [should choose the correct location](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_mixed.go#L39) + +### [[Ingress] [PathType] prefix checks](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_prefix.go#L28) + +- [should return 404 when prefix /aaa does not match request /aaaccc](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_prefix.go#L35) + +### [[Ingress] definition without host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/without_host.go#L31) + +- [should set ingress details variables for ingresses without a host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/without_host.go#L34) +- [should set ingress details variables for ingresses with host without IngressRuleValue, only Backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/without_host.go#L55) + +### [[Memory Leak] Dynamic Certificates](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/leaks/lua_ssl.go#L35) + +- [should not leak memory from ingress SSL certificates or configuration updates](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/leaks/lua_ssl.go#L42) + +### [[Load Balancer] load-balance](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/configmap.go#L28) + +- [should apply the configmap load-balance setting](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/configmap.go#L35) + +### [[Load Balancer] EWMA](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/ewma.go#L31) + +- [does not fail requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/ewma.go#L42) + +### [[Load Balancer] round-robin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/round_robin.go#L31) + +- [should evenly distribute requests with round-robin (default algorithm)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/round_robin.go#L39) + +### [[Lua] dynamic certificates](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L37) + +- [picks up the certificate when we add TLS spec to existing ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L45) +- [picks up the previously missing secret for a given ingress without reloading](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L70) +- [supports requests with domain with trailing dot](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L145) +- [picks up the updated certificate without reloading](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L149) +- [falls back to using default certificate when secret gets deleted without reloading](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L185) +- [picks up a non-certificate only change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L218) +- [removes HTTPS configuration when we delete TLS spec](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L233) + +### [[Lua] dynamic configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L42) + +- [configures balancer Lua middleware correctly](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L50) +- [handles endpoints only changes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L62) +- [handles endpoints only changes (down scaling of replicas)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L87) +- [handles endpoints only changes consistently (down scaling of replicas vs. empty service)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L125) +- [handles an annotation change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L171) + +### [nginx-configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L99) + +- [start nginx with default configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L102) +- [fails when using alias directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L115) +- [fails when using root directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L124) + +### [[Security] request smuggling](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/request_smuggling.go#L32) + +- [should not return body content from error_page](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/request_smuggling.go#L39) + +### [[Security] validate path fields](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/invalid_paths.go#L42) + +- [should accept an ingress with valid path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/invalid_paths.go#L49) +- [should drop an ingress with invalid path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/invalid_paths.go#L67) +- [should drop an ingress with regex path and regex disabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/invalid_paths.go#L84) +- [should accept an ingress with regex path and regex enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/invalid_paths.go#L101) +- [should reject an ingress with invalid path and regex enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/invalid_paths.go#L118) + +### [[Service] backend status code 503](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L33) + +- [should return 503 when backend service does not exist](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L36) +- [should return 503 when all backend service endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L54) + +### [[Service] Type ExternalName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L59) + +- [works with external name set to incomplete fqdn](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L62) +- [should return 200 for service type=ExternalName without a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L95) +- [should return 200 for service type=ExternalName with a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L129) +- [should return status 502 for service type=ExternalName with an invalid host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L153) +- [should return 200 for service type=ExternalName using a port name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L184) +- [should return 200 for service type=ExternalName using FQDN with trailing dot](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L217) +- [should update the external name after a service update](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L248) +- [should sync ingress on external name service addition/deletion](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L311) + +### [[Service] Nil Service Backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_nil_backend.go#L31) + +- [should return 404 when backend service is nil](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_nil_backend.go#L38) + +### [access-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L27) + +- [use the default configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L32) +- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L42) +- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L54) +- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L67) +- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L80) + +### [Bad annotation values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L29) + +- [[BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L36) +- [[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L67) +- [[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L102) +- [[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L133) + +### [brotli](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/brotli.go#L30) + +- [ condition](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/brotli.go#L39) + +### [Configmap change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L29) + +- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L36) + +### [add-headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L30) + +- [Add a custom header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L40) +- [Add multiple custom headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L65) + +### [[SSL] [Flag] default-ssl-certificate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L33) + +- [uses default ssl certificate for catch-all ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L64) +- [uses default ssl certificate for host based ingress when configured certificate does not match host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L80) + +### [[Flag] disable-catch-all](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L33) + +- [should ignore catch all Ingress with backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L50) +- [should ignore catch all Ingress with backend and rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L69) +- [should delete Ingress updated to catch-all](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L81) +- [should allow Ingress with rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L123) + +### [[Flag] disable-service-external-name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_service_external_name.go#L35) + +- [should ignore services of external-name type](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_service_external_name.go#L52) + +### [enable-real-ip](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L30) + +- [trusts X-Forwarded-For header only when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L40) +- [should not trust X-Forwarded-For header when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L78) + +### [use-forwarded-headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L30) + +- [should trust X-Forwarded headers when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L40) +- [should not trust X-Forwarded headers when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L92) + ### [Geoip2](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/geoip2.go#L37) - [should include geoip2 line in config when enabled and db file exists](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/geoip2.go#L46) - [should only allow requests from specific countries](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/geoip2.go#L70) +### [[Security] block-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L28) + +- [should block CIDRs defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L38) +- [should block User-Agents defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L55) +- [should block Referers defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L88) + ### [[Security] global-auth-url](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L34) - [should return status code 401 when request any protected service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L85) @@ -27,59 +667,39 @@ Do not try to edit it manually. - [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L337) - [user with global-auth-always-set-cookie key in configmap retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L348) -### [[Security] Pod Security Policies](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy.go#L40) +### [global-options](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L28) -- [should be running with a Pod Security Policy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy.go#L43) +- [should have worker_rlimit_nofile option](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L31) +- [should have worker_rlimit_nofile option and be independent on amount of worker processes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L38) -### [log-format-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L28) +### [settings-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/globalratelimit.go#L30) -- [should disable the log-format-escape-json by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L40) -- [should enable the log-format-escape-json](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L47) -- [should disable the log-format-escape-json](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L55) -- [log-format-escape-json enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L66) -- [log-format-escape-json disabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L89) +- [generates correct NGINX configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/globalratelimit.go#L38) -### [server-tokens](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L29) +### [hash size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L27) -- [should not exists Server header in the response](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L38) -- [should exists Server header in the response when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L50) +- [should set server_names_hash_bucket_size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L40) +- [should set server_names_hash_max_size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L48) +- [should set proxy-headers-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L60) +- [should set proxy-headers-hash-max-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L68) +- [should set variables-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L80) +- [should set variables-hash-max-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L88) +- [should set vmap-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L100) -### [proxy-connect-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L28) +### [[Flag] ingress-class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L39) -- [should set valid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L36) -- [should not set invalid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L52) - -### [ssl-ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_ciphers.go#L28) - -- [Add ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_ciphers.go#L31) - -### [use-proxy-protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L36) - -- [should respect port passed by the PROXY Protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L46) -- [should respect proto passed by the PROXY Protocol server port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L79) -- [should enable PROXY Protocol for HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L112) -- [should enable PROXY Protocol for TCP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L155) - -### [plugins](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/plugins.go#L28) - -- [should exist a x-hello-world header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/plugins.go#L35) - -### [configmap server-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_snippet.go#L28) - -- [should add value of server-snippet setting to all ingress config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_snippet.go#L35) -- [should add global server-snippet and drop annotations per admin config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_snippet.go#L92) - -### [[Flag] disable-catch-all](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L33) - -- [should ignore catch all Ingress with backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L50) -- [should ignore catch all Ingress with backend and rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L69) -- [should delete Ingress updated to catch-all](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L81) -- [should allow Ingress with rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L123) - -### [enable-real-ip](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L30) - -- [trusts X-Forwarded-For header only when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L40) -- [should not trust X-Forwarded-For header when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L78) +- [should ignore Ingress with a different class annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L68) +- [should ignore Ingress with different controller class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L104) +- [should accept both Ingresses with default IngressClassName and IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L132) +- [should ignore Ingress without IngressClass configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L164) +- [should delete Ingress when class is removed](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L192) +- [should serve Ingress when class is added](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L257) +- [should serve Ingress when class is updated between annotation and ingressClassName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L323) +- [should ignore Ingress with no class and accept the correctly configured Ingresses](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L413) +- [should watch Ingress with no class and ignore ingress with a different class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L482) +- [should watch Ingress that uses the class name even if spec is different](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L539) +- [should watch Ingress with correct annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L631) +- [should ignore Ingress with only IngressClassName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L652) ### [keep-alive keep-alive-requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L28) @@ -87,7 +707,41 @@ Do not try to edit it manually. - [should set keepalive_requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L48) - [should set keepalive connection to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L59) - [should set keep alive connection timeout to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L68) -- [should set the request count to upstream server through one keep alive connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L77) +- [should set keepalive time to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L77) +- [should set the request count to upstream server through one keep alive connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L86) + +### [Configmap - limit-rate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/limit_rate.go#L28) + +- [Check limit-rate config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/limit_rate.go#L36) + +### [[Flag] custom HTTP and HTTPS ports](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L32) + +- [should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L48) +- [should set X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L70) +- [should set the X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L100) + +### [log-format-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L28) + +- [should not configure log-format escape by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L40) +- [should enable the log-format-escape-json](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L47) +- [should disable the log-format-escape-json](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L55) +- [should enable the log-format-escape-none](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L63) +- [should disable the log-format-escape-none](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L71) +- [log-format-escape-json enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L82) +- [log-format default escape](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L105) +- [log-format-escape-none enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L128) + +### [[Lua] lua-shared-dicts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/lua_shared_dicts.go#L26) + +- [configures lua shared dicts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/lua_shared_dicts.go#L29) + +### [main-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/main_snippet.go#L27) + +- [should add value of main-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/main_snippet.go#L31) + +### [[Security] modsecurity-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity/modsecurity_snippet.go#L27) + +- [should add value of modsecurity-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity/modsecurity_snippet.go#L30) ### [enable-multi-accept](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/multi_accept.go#L27) @@ -99,9 +753,19 @@ Do not try to edit it manually. - [should ingore Ingress of namespace without label foo=bar and accept those of namespace with label foo=bar](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/namespace_selector.go#L70) -### [[Flag] disable-service-external-name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_service_external_name.go#L34) +### [[Security] no-auth-locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L33) -- [should ignore services of external-name type](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_service_external_name.go#L51) +- [should return status code 401 when accessing '/' unauthentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L54) +- [should return status code 200 when accessing '/' authentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L68) +- [should return status code 200 when accessing '/noauth' unauthenticated](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L82) + +### [Add no tls redirect locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L28) + +- [Check no tls redirect locations config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L31) + +### [OCSP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L42) + +- [should enable OCSP and contain stapling information in the connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L49) ### [Configure OpenTracing](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L48) @@ -119,41 +783,48 @@ Do not try to edit it manually. - [should enable opentracing using jaeger with an HTTP endpoint](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L228) - [should enable opentracing using datadog](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L241) -### [Configmap change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L29) +### [plugins](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/plugins.go#L28) -- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L36) +- [should exist a x-hello-world header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/plugins.go#L35) -### [Configmap - limit-rate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/limit_rate.go#L28) +### [[Security] Pod Security Policies](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy.go#L41) -- [Check limit-rate config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/limit_rate.go#L36) +- [should be running with a Pod Security Policy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy.go#L44) -### [access-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L26) +### [[Security] Pod Security Policies with volumes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy_volumes.go#L37) -- [use the default configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L31) -- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L41) -- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L53) -- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L66) -- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L79) +- [should be running with a Pod Security Policy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy_volumes.go#L40) -### [global-options](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L28) +### [proxy-connect-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L28) -- [should have worker_rlimit_nofile option](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L31) -- [should have worker_rlimit_nofile option and be independent on amount of worker processes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L38) +- [should set valid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L36) +- [should not set invalid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L52) -### [[Flag] ingress-class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L39) +### [Dynamic $proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L28) -- [should ignore Ingress with a different class annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L68) -- [should ignore Ingress with different controller class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L104) -- [should accept both Ingresses with default IngressClassName and IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L132) -- [should ignore Ingress without IngressClass configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L164) -- [should delete Ingress when class is removed](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L192) -- [should serve Ingress when class is added](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L257) -- [should serve Ingress when class is updated between annotation and ingressClassName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L323) -- [should ignore Ingress with no class and accept the correctly configured Ingresses](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L413) -- [should watch Ingress with no class and ignore ingress with a different class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L482) -- [should watch Ingress that uses the class name even if spec is different](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L539) -- [should watch Ingress with correct annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L631) -- [should ignore Ingress with only IngressClassName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L652) +- [should exist a proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L36) +- [should exist a proxy_host using the upstream-vhost annotation value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L57) + +### [proxy-next-upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_next_upstream.go#L28) + +- [should build proxy next upstream using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_next_upstream.go#L36) + +### [use-proxy-protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L36) + +- [should respect port passed by the PROXY Protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L46) +- [should respect proto passed by the PROXY Protocol server port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L79) +- [should enable PROXY Protocol for HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L112) +- [should enable PROXY Protocol for TCP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L155) + +### [proxy-read-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L28) + +- [should set valid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L36) +- [should not set invalid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L52) + +### [proxy-send-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L28) + +- [should set valid proxy send timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L36) +- [should not set invalid proxy send timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L52) ### [reuse-port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/reuse-port.go#L27) @@ -161,133 +832,33 @@ Do not try to edit it manually. - [reuse port should be disabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/reuse-port.go#L44) - [reuse port should be enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/reuse-port.go#L52) -### [proxy-send-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L28) +### [configmap server-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_snippet.go#L28) -- [should set valid proxy send timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L36) -- [should not set invalid proxy send timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L52) +- [should add value of server-snippet setting to all ingress config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_snippet.go#L35) +- [should add global server-snippet and drop annotations per admin config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_snippet.go#L92) -### [[SSL] [Flag] default-ssl-certificate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L33) +### [server-tokens](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L29) -- [uses default ssl certificate for catch-all ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L64) -- [uses default ssl certificate for host based ingress when configured certificate does not match host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L80) +- [should not exists Server header in the response](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L38) +- [should exists Server header in the response when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L50) -### [brotli](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/brotli.go#L30) +### [ssl-ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_ciphers.go#L28) -- [ condition](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/brotli.go#L39) +- [Add ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_ciphers.go#L31) -### [[Security] Pod Security Policies with volumes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy_volumes.go#L36) +### [configmap stream-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/stream_snippet.go#L35) -- [should be running with a Pod Security Policy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy_volumes.go#L39) - -### [Dynamic $proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L28) - -- [should exist a proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L36) -- [should exist a proxy_host using the upstream-vhost annotation value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L57) - -### [[Security] block-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L28) - -- [should block CIDRs defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L38) -- [should block User-Agents defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L55) -- [should block Referers defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L88) - -### [settings-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/globalratelimit.go#L30) - -- [generates correct NGINX configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/globalratelimit.go#L38) - -### [Add no tls redirect locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L28) - -- [Check no tls redirect locations config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L31) - -### [main-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/main_snippet.go#L27) - -- [should add value of main-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/main_snippet.go#L31) - -### [[Lua] lua-shared-dicts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/lua_shared_dicts.go#L26) - -- [configures lua shared dicts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/lua_shared_dicts.go#L29) - -### [Bad annotation values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L29) - -- [[BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L36) -- [[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L67) -- [[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L102) -- [[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L133) +- [should add value of stream-snippet via config map to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/stream_snippet.go#L42) ### [[SSL] TLS protocols, ciphers and headers)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L31) - [setting cipher suite](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L65) -- [enforcing TLS v1.0](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L87) -- [setting max-age parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L133) -- [setting includeSubDomains parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L149) -- [setting preload parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L168) -- [overriding what's set from the upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L188) -- [should not use ports during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L209) -- [should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L227) - -### [[Security] modsecurity-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity/modsecurity_snippet.go#L27) - -- [should add value of modsecurity-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity/modsecurity_snippet.go#L30) - -### [OCSP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L42) - -- [should enable OCSP and contain stapling information in the connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L49) - -### [configmap stream-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/stream_snippet.go#L34) - -- [should add value of stream-snippet via config map to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/stream_snippet.go#L41) - -### [proxy-read-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L28) - -- [should set valid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L36) -- [should not set invalid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L52) - -### [proxy-next-upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_next_upstream.go#L28) - -- [should build proxy next upstream using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_next_upstream.go#L36) - -### [hash size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L27) - -- [should set server_names_hash_bucket_size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L40) -- [should set server_names_hash_max_size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L48) -- [should set proxy-headers-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L60) -- [should set proxy-headers-hash-max-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L68) -- [should set variables-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L80) -- [should set variables-hash-max-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L88) -- [should set vmap-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L100) - -### [[Security] no-auth-locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L33) - -- [should return status code 401 when accessing '/' unauthentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L54) -- [should return status code 200 when accessing '/' authentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L68) -- [should return status code 200 when accessing '/noauth' unauthenticated](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L82) - -### [[Flag] custom HTTP and HTTPS ports](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L32) - -- [should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L48) -- [should set X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L70) -- [should set the X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L100) - -### [use-forwarded-headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L30) - -- [should trust X-Forwarded headers when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L40) -- [should not trust X-Forwarded headers when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L92) - -### [add-headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L30) - -- [Add a custom header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L40) -- [Add multiple custom headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L65) - -### [[Load Balancer] round-robin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/round_robin.go#L31) - -- [should evenly distribute requests with round-robin (default algorithm)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/round_robin.go#L39) - -### [[Load Balancer] EWMA](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/ewma.go#L31) - -- [does not fail requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/ewma.go#L42) - -### [[Load Balancer] load-balance](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/configmap.go#L28) - -- [should apply the configmap load-balance setting](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/configmap.go#L35) +- [setting max-age parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L111) +- [setting includeSubDomains parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L127) +- [setting preload parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L146) +- [overriding what's set from the upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L166) +- [should not use ports during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L187) +- [should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L205) ### [[SSL] redirect to HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/http_redirect.go#L29) @@ -298,22 +869,11 @@ Do not try to edit it manually. - [should not appear references to secret updates not used in ingress rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/secret_update.go#L40) - [should return the fake SSL certificate if the secret is invalid](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/secret_update.go#L82) -### [[Service] Type ExternalName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L58) +### [[Status] status update](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/status/update.go#L38) -- [works with external name set to incomplete fqdn](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L61) -- [should return 200 for service type=ExternalName without a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L94) -- [should return 200 for service type=ExternalName with a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L128) -- [should return status 502 for service type=ExternalName with an invalid host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L152) -- [should return 200 for service type=ExternalName using a port name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L183) -- [should return 200 for service type=ExternalName using FQDN with trailing dot](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L216) -- [should update the external name after a service update](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L247) -- [should sync ingress on external name service addition/deletion](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L310) +- [should update status field after client-go reconnection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/status/update.go#L43) -### [[Service] Nil Service Backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_nil_backend.go#L31) +### [[TCP] tcp-services](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L37) -- [should return 404 when backend service is nil](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_nil_backend.go#L38) - -### [[Service] backend status code 503](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L33) - -- [should return 503 when backend service does not exist](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L36) -- [should return 503 when all backend service endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L54) +- [should expose a TCP service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L40) +- [should expose an ExternalName TCP service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L98) \ No newline at end of file diff --git a/hack/generate-e2e-suite-doc.sh b/hack/generate-e2e-suite-doc.sh index 2265bb079..a4ccc8fc2 100755 --- a/hack/generate-e2e-suite-doc.sh +++ b/hack/generate-e2e-suite-doc.sh @@ -18,10 +18,6 @@ if [ -n "$DEBUG" ]; then set -x fi -set -o errexit -set -o nounset -set -o pipefail - URL="https://github.com/kubernetes/ingress-nginx/tree/main/" DIR=$(cd $(dirname "${BASH_SOURCE}")/.. && pwd -P) @@ -34,7 +30,7 @@ Do not try to edit it manually. " -for FILE in `find $DIR/test/e2e -name "*.go"`;do +for FILE in $(find $DIR/test/e2e -name "*.go");do # describe definition DESCRIBE=$(cat $FILE | grep -n -oP 'Describe.*') # line number From 3916f7b8b72ce5da7e3ba2377adfb1d06d4bcae8 Mon Sep 17 00:00:00 2001 From: Ricardo Katz Date: Thu, 29 Dec 2022 19:09:29 -0300 Subject: [PATCH 095/405] move tests to gh actions (#9461) --- .github/workflows/ci.yaml | 57 +++++++++++++++++++ Makefile | 1 + internal/ingress/annotations/authreq/main.go | 3 +- .../ingress/controller/template/template.go | 11 ++-- internal/ingress/resolver/mock.go | 3 +- pkg/util/runtime/cpu_linux.go | 3 +- rootfs/chroot.sh | 1 - test/e2e/framework/util.go | 4 +- 8 files changed, 72 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index d064fa6a2..61f5970db 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -75,6 +75,63 @@ jobs: # G307 TODO: Deferring unsafe method "Close" args: -exclude=G109,G601,G104,G204,G304,G306,G307 -tests=false -exclude-dir=test -exclude-dir=images/ -exclude-dir=docs/ ./... + lint: + runs-on: ubuntu-latest + needs: changes + if: | + (needs.changes.outputs.go == 'true') + steps: + - name: Checkout + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + + - name: Set up Go + id: go + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 + with: + go-version: '1.19' + check-latest: true + + - name: Run Lint + run: ./hack/verify-golint.sh + + gofmt: + runs-on: ubuntu-latest + needs: changes + if: | + (needs.changes.outputs.go == 'true') + steps: + - name: Checkout + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + + - name: Set up Go + id: go + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 + with: + go-version: '1.19' + check-latest: true + + - name: Run go-fmt + run: ./hack/verify-gofmt.sh + + test-go: + runs-on: ubuntu-latest + needs: changes + if: | + (needs.changes.outputs.go == 'true') + steps: + - name: Checkout + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + + - name: Set up Go + id: go + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 + with: + go-version: '1.19' + check-latest: true + + - name: Run test + run: make test + build: name: Build runs-on: ubuntu-latest diff --git a/Makefile b/Makefile index 8204a2087..5099b4645 100644 --- a/Makefile +++ b/Makefile @@ -141,6 +141,7 @@ test: ## Run go unit tests. COMMIT_SHA=$(COMMIT_SHA) \ REPO_INFO=$(REPO_INFO) \ TAG=$(TAG) \ + GOFLAGS="-buildvcs=false" \ test/test.sh .PHONY: lua-test diff --git a/internal/ingress/annotations/authreq/main.go b/internal/ingress/annotations/authreq/main.go index b607f5482..6a8a4611a 100644 --- a/internal/ingress/annotations/authreq/main.go +++ b/internal/ingress/annotations/authreq/main.go @@ -149,7 +149,8 @@ func ValidHeader(header string) bool { // ValidCacheDuration checks if the provided string is a valid cache duration // spec: [code ...] [time ...]; // with: code is an http status code -// time must match the time regex and may appear multiple times, e.g. `1h 30m` +// +// time must match the time regex and may appear multiple times, e.g. `1h 30m` func ValidCacheDuration(duration string) bool { elements := strings.Split(duration, " ") seenDuration := false diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go index 8d4cb6e75..315262150 100644 --- a/internal/ingress/controller/template/template.go +++ b/internal/ingress/controller/template/template.go @@ -75,8 +75,8 @@ type Template struct { bp *BufferPool } -//NewTemplate returns a new Template instance or an -//error if the specified template file contains errors +// NewTemplate returns a new Template instance or an +// error if the specified template file contains errors func NewTemplate(file string) (*Template, error) { data, err := os.ReadFile(file) if err != nil { @@ -287,9 +287,10 @@ var ( // escapeLiteralDollar will replace the $ character with ${literal_dollar} // which is made to work via the following configuration in the http section of // the template: -// geo $literal_dollar { -// default "$"; -// } +// +// geo $literal_dollar { +// default "$"; +// } func escapeLiteralDollar(input interface{}) string { inputStr, ok := input.(string) if !ok { diff --git a/internal/ingress/resolver/mock.go b/internal/ingress/resolver/mock.go index 556262b42..62c5c6db9 100644 --- a/internal/ingress/resolver/mock.go +++ b/internal/ingress/resolver/mock.go @@ -41,7 +41,8 @@ func (m Mock) GetSecret(string) (*apiv1.Secret, error) { // GetAuthCertificate resolves a given secret name into an SSL certificate. // The secret must contain 3 keys named: -// ca.crt: contains the certificate chain used for authentication +// +// ca.crt: contains the certificate chain used for authentication func (m Mock) GetAuthCertificate(string) (*AuthSSLCert, error) { return nil, nil } diff --git a/pkg/util/runtime/cpu_linux.go b/pkg/util/runtime/cpu_linux.go index e7513d619..cfc49d924 100644 --- a/pkg/util/runtime/cpu_linux.go +++ b/pkg/util/runtime/cpu_linux.go @@ -33,7 +33,8 @@ import ( // NumCPU returns the number of logical CPUs usable by the current process. // If CPU cgroups limits are configured, use cfs_quota_us / cfs_period_us // as formula -// https://www.kernel.org/doc/Documentation/scheduler/sched-bwc.txt +// +// https://www.kernel.org/doc/Documentation/scheduler/sched-bwc.txt func NumCPU() int { cpus := runtime.NumCPU() diff --git a/rootfs/chroot.sh b/rootfs/chroot.sh index 3f64aa63f..9f3cbd804 100755 --- a/rootfs/chroot.sh +++ b/rootfs/chroot.sh @@ -40,7 +40,6 @@ for dir in "${writeDirs[@]}"; do chown -R www-data.www-data ${dir}; done - mkdir -p /chroot/lib /chroot/proc /chroot/usr /chroot/bin /chroot/dev /chroot/run cp /etc/passwd /etc/group /chroot/etc/ cp -a /usr/* /chroot/usr/ diff --git a/test/e2e/framework/util.go b/test/e2e/framework/util.go index 8f50dac98..90f15eb1b 100644 --- a/test/e2e/framework/util.go +++ b/test/e2e/framework/util.go @@ -189,7 +189,7 @@ func CreateIngressClass(namespace string, c kubernetes.Interface) (string, error return ic.Name, nil } -//deleteIngressClass deletes an IngressClass and its related ClusterRole* objects +// deleteIngressClass deletes an IngressClass and its related ClusterRole* objects func deleteIngressClass(c kubernetes.Interface, ingressclass string) error { var err error grace := int64(0) @@ -215,7 +215,7 @@ func deleteIngressClass(c kubernetes.Interface, ingressclass string) error { return nil } -//GetIngressClassName returns the default IngressClassName given a namespace +// GetIngressClassName returns the default IngressClassName given a namespace func GetIngressClassName(namespace string) *string { icname := fmt.Sprintf("ic-%s", namespace) return &icname From 8b5a25fa141dff2d7f6bb8eecc07ee66a1f1a210 Mon Sep 17 00:00:00 2001 From: James Strong Date: Thu, 29 Dec 2022 18:59:07 -0500 Subject: [PATCH 096/405] fix change images (#9463) Signed-off-by: James Strong Signed-off-by: James Strong --- changelog/Changelog-1.5.2.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/changelog/Changelog-1.5.2.md b/changelog/Changelog-1.5.2.md index 8b6779e47..8b2617924 100644 --- a/changelog/Changelog-1.5.2.md +++ b/changelog/Changelog-1.5.2.md @@ -3,8 +3,8 @@ ### 1.5.2 Images: - * registry.k8s.io/controller:controller-v1.5.2@sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 - * registry.k8s.io/controller-chroot:controller-v1.5.2@sha256:84613555694f2c59a8b2551126d226c9aa648544ebf0cde1e0df942f7dbce42b + * registry.k8s.io/ingress-nginx/controller:controller-v1.5.2@sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 + * registry.k8s.io/ingress-nginx/controller-chroot:controller-v1.5.2@sha256:84613555694f2c59a8b2551126d226c9aa648544ebf0cde1e0df942f7dbce42b ### All Changes: From 11e21bf3e72277740639d20416b83971d99846e1 Mon Sep 17 00:00:00 2001 From: James Strong Date: Thu, 29 Dec 2022 19:55:27 -0500 Subject: [PATCH 097/405] rollback tag Signed-off-by: James Strong --- TAG | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TAG b/TAG index a503124bd..c9b3c015f 100644 --- a/TAG +++ b/TAG @@ -1 +1 @@ -v1.5.2 +v1.5.1 \ No newline at end of file From 6f9c65abf4a18e4c32bea1d2006efcb2c9896871 Mon Sep 17 00:00:00 2001 From: James Strong Date: Thu, 29 Dec 2022 19:58:15 -0500 Subject: [PATCH 098/405] revert 1.5.2 Signed-off-by: James Strong --- charts/ingress-nginx/Chart.yaml | 47 +- charts/ingress-nginx/README.md | 8 +- .../changelog/Changelog-1.5.2.md | 12 - charts/ingress-nginx/values.yaml | 1607 +++++++++-------- deploy/static/provider/aws/deploy.yaml | 57 +- .../aws/nlb-with-tls-termination/deploy.yaml | 57 +- deploy/static/provider/baremetal/deploy.yaml | 57 +- deploy/static/provider/cloud/deploy.yaml | 57 +- deploy/static/provider/do/deploy.yaml | 57 +- deploy/static/provider/exoscale/deploy.yaml | 57 +- deploy/static/provider/kind/deploy.yaml | 57 +- deploy/static/provider/scw/deploy.yaml | 57 +- docs/deploy/index.md | 20 +- docs/e2e-tests.md | 974 +++------- 14 files changed, 1387 insertions(+), 1737 deletions(-) delete mode 100644 charts/ingress-nginx/changelog/Changelog-1.5.2.md diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index 11ab03634..461601f59 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml @@ -1,26 +1,31 @@ -annotations: - artifacthub.io/changes: | - - "ci: remove setup-helm step (#9404)" - - "feat(helm): Optionally use cert-manager instead admission patch (#9279)" - - "run helm release on main only and when the chart/value changes only (#9290)" - - "Update Ingress-Nginx version controller-v1.5.2" - artifacthub.io/prerelease: "false" apiVersion: v2 -appVersion: 1.5.2 -description: Ingress controller for Kubernetes using NGINX as a reverse proxy and - load balancer -engine: gotpl +name: ingress-nginx +# When the version is modified, make sure the artifacthub.io/changes list is updated +# Also update CHANGELOG.md +version: 4.4.0 +appVersion: 1.5.1 home: https://github.com/kubernetes/ingress-nginx +description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png keywords: -- ingress -- nginx -kubeVersion: '>=1.20.0-0' -maintainers: -- name: rikatz -- name: strongjz -- name: tao12345666333 -name: ingress-nginx + - ingress + - nginx sources: -- https://github.com/kubernetes/ingress-nginx -version: 4.4.1 + - https://github.com/kubernetes/ingress-nginx +maintainers: + - name: rikatz + - name: strongjz + - name: tao12345666333 +engine: gotpl +kubeVersion: ">=1.20.0-0" +annotations: + # Use this annotation to indicate that this chart version is a pre-release. + # https://artifacthub.io/docs/topics/annotations/helm/ + artifacthub.io/prerelease: "false" + # List of changes for the release in artifacthub.io + # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog + artifacthub.io/changes: | + - Adding support for disabling liveness and readiness probes to the Helm chart + - add:(admission-webhooks) ability to set securityContext + - Updated Helm chart to use the fullname for the electionID if not specified + - Rename controller-wehbooks-networkpolicy.yaml diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 4daff76c6..af71493fe 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.4.1](https://img.shields.io/badge/Version-4.4.1-informational?style=flat-square) ![AppVersion: 1.5.2](https://img.shields.io/badge/AppVersion-1.5.2-informational?style=flat-square) +![Version: 4.4.0](https://img.shields.io/badge/Version-4.4.0-informational?style=flat-square) ![AppVersion: 1.5.1](https://img.shields.io/badge/AppVersion-1.5.1-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. @@ -332,13 +332,13 @@ Kubernetes: `>=1.20.0-0` | controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.image.allowPrivilegeEscalation | bool | `true` | | | controller.image.chroot | bool | `false` | | -| controller.image.digest | string | `"sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655"` | | -| controller.image.digestChroot | string | `"sha256:84613555694f2c59a8b2551126d226c9aa648544ebf0cde1e0df942f7dbce42b"` | | +| controller.image.digest | string | `"sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629"` | | +| controller.image.digestChroot | string | `"sha256:c1c091b88a6c936a83bd7b098662760a87868d12452529bad0d178fb36147345"` | | | controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.registry | string | `"registry.k8s.io"` | | | controller.image.runAsUser | int | `101` | | -| controller.image.tag | string | `"v1.5.2"` | | +| controller.image.tag | string | `"v1.5.1"` | | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass | diff --git a/charts/ingress-nginx/changelog/Changelog-1.5.2.md b/charts/ingress-nginx/changelog/Changelog-1.5.2.md deleted file mode 100644 index 5e0563858..000000000 --- a/charts/ingress-nginx/changelog/Changelog-1.5.2.md +++ /dev/null @@ -1,12 +0,0 @@ -# Changelog - -This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). - -### 4.4.1 - -* ci: remove setup-helm step (#9404) -* feat(helm): Optionally use cert-manager instead admission patch (#9279) -* run helm release on main only and when the chart/value changes only (#9290) -* Update Ingress-Nginx version controller-v1.5.2 - -**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.4.1...helm-chart-4.4.1 diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index e5f8922a0..b7089addb 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -14,190 +14,222 @@ commonLabels: {} # myLabel: aakkmd controller: - name: controller - image: - ## Keep false as default for now! - chroot: false - registry: registry.k8s.io - image: ingress-nginx/controller - ## for backwards compatibility consider setting the full image url via the repository value below - ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail - ## repository: - tag: "v1.5.2" - digest: sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 - digestChroot: sha256:84613555694f2c59a8b2551126d226c9aa648544ebf0cde1e0df942f7dbce42b - pullPolicy: IfNotPresent - # www-data -> uid 101 - runAsUser: 101 - allowPrivilegeEscalation: true - # -- Use an existing PSP instead of creating one - existingPsp: "" - # -- Configures the controller container name - containerName: controller - # -- Configures the ports that the nginx-controller listens on - containerPort: - http: 80 - https: 443 - # -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ - config: {} - # -- Annotations to be added to the controller config configuration configmap. - configAnnotations: {} - # -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers - proxySetHeaders: {} - # -- Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers - addHeaders: {} - # -- Optionally customize the pod dnsConfig. - dnsConfig: {} - # -- Optionally customize the pod hostname. - hostname: {} - # -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. - # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller - # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. - dnsPolicy: ClusterFirst - # -- Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network - # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply - reportNodeInternalIp: false - # -- Process Ingress objects without ingressClass annotation/ingressClassName field - # Overrides value for --watch-ingress-without-class flag of the controller binary - # Defaults to false - watchIngressWithoutClass: false - # -- Process IngressClass per name (additionally as per spec.controller). - ingressClassByName: false - # -- This configuration defines if Ingress Controller should allow users to set - # their own *-snippet annotations, otherwise this is forbidden / dropped - # when users add those annotations. - # Global snippets in ConfigMap are still respected - allowSnippetAnnotations: true - # -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), - # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 - # is merged - hostNetwork: false - ## Use host ports 80 and 443 - ## Disabled by default - hostPort: - # -- Enable 'hostPort' or not - enabled: false - ports: - # -- 'hostPort' http port - http: 80 - # -- 'hostPort' https port - https: 443 - # -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' - electionID: "" - ## This section refers to the creation of the IngressClass resource - ## IngressClass resources are supported since k8s >= 1.18 and required since k8s >= 1.19 - ingressClassResource: - # -- Name of the ingressClass - name: nginx - # -- Is this ingressClass enabled or not - enabled: true - # -- Is this the default ingressClass for the cluster - default: false - # -- Controller-value of the controller that is processing this ingressClass - controllerValue: "k8s.io/ingress-nginx" - # -- Parameters is a link to a custom resource containing additional - # configuration for the controller. This is optional if the controller - # does not require extra parameters. - parameters: {} - # -- For backwards compatibility with ingress.class annotation, use ingressClass. - # Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation - ingressClass: nginx - # -- Labels to add to the pod container metadata - podLabels: {} - # key: value + name: controller + image: + ## Keep false as default for now! + chroot: false + registry: registry.k8s.io + image: ingress-nginx/controller + ## for backwards compatibility consider setting the full image url via the repository value below + ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + ## repository: + tag: "v1.5.1" + digest: sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + digestChroot: sha256:c1c091b88a6c936a83bd7b098662760a87868d12452529bad0d178fb36147345 + pullPolicy: IfNotPresent + # www-data -> uid 101 + runAsUser: 101 + allowPrivilegeEscalation: true - # -- Security Context policies for controller pods - podSecurityContext: {} - # -- See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls - sysctls: {} - # sysctls: - # "net.core.somaxconn": "8192" + # -- Use an existing PSP instead of creating one + existingPsp: "" - # -- Allows customization of the source of the IP address or FQDN to report - # in the ingress status field. By default, it reads the information provided - # by the service. If disable, the status field reports the IP address of the - # node or nodes where an ingress controller pod is running. - publishService: - # -- Enable 'publishService' or not - enabled: true - # -- Allows overriding of the publish service to bind to - # Must be / - pathOverride: "" - # Limit the scope of the controller to a specific namespace - scope: - # -- Enable 'scope' or not - enabled: false - # -- Namespace to limit the controller to; defaults to $(POD_NAMESPACE) - namespace: "" - # -- When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels - # only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. - namespaceSelector: "" - # -- Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) + # -- Configures the controller container name + containerName: controller + + # -- Configures the ports that the nginx-controller listens on + containerPort: + http: 80 + https: 443 + + # -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ + config: {} + + # -- Annotations to be added to the controller config configuration configmap. + configAnnotations: {} + + # -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers + proxySetHeaders: {} + + # -- Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers + addHeaders: {} + + # -- Optionally customize the pod dnsConfig. + dnsConfig: {} + + # -- Optionally customize the pod hostname. + hostname: {} + + # -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. + # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller + # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. + dnsPolicy: ClusterFirst + + # -- Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network + # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply + reportNodeInternalIp: false + + # -- Process Ingress objects without ingressClass annotation/ingressClassName field + # Overrides value for --watch-ingress-without-class flag of the controller binary + # Defaults to false + watchIngressWithoutClass: false + + # -- Process IngressClass per name (additionally as per spec.controller). + ingressClassByName: false + + # -- This configuration defines if Ingress Controller should allow users to set + # their own *-snippet annotations, otherwise this is forbidden / dropped + # when users add those annotations. + # Global snippets in ConfigMap are still respected + allowSnippetAnnotations: true + + # -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), + # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 + # is merged + hostNetwork: false + + ## Use host ports 80 and 443 + ## Disabled by default + hostPort: + # -- Enable 'hostPort' or not + enabled: false + ports: + # -- 'hostPort' http port + http: 80 + # -- 'hostPort' https port + https: 443 + + # -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' + electionID: "" + + ## This section refers to the creation of the IngressClass resource + ## IngressClass resources are supported since k8s >= 1.18 and required since k8s >= 1.19 + ingressClassResource: + # -- Name of the ingressClass + name: nginx + # -- Is this ingressClass enabled or not + enabled: true + # -- Is this the default ingressClass for the cluster + default: false + # -- Controller-value of the controller that is processing this ingressClass + controllerValue: "k8s.io/ingress-nginx" + + # -- Parameters is a link to a custom resource containing additional + # configuration for the controller. This is optional if the controller + # does not require extra parameters. + parameters: {} + + # -- For backwards compatibility with ingress.class annotation, use ingressClass. + # Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation + ingressClass: nginx + + # -- Labels to add to the pod container metadata + podLabels: {} + # key: value + + # -- Security Context policies for controller pods + podSecurityContext: {} + + # -- See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls + sysctls: {} + # sysctls: + # "net.core.somaxconn": "8192" + + # -- Allows customization of the source of the IP address or FQDN to report + # in the ingress status field. By default, it reads the information provided + # by the service. If disable, the status field reports the IP address of the + # node or nodes where an ingress controller pod is running. + publishService: + # -- Enable 'publishService' or not + enabled: true + # -- Allows overriding of the publish service to bind to + # Must be / + pathOverride: "" + + # Limit the scope of the controller to a specific namespace + scope: + # -- Enable 'scope' or not + enabled: false + # -- Namespace to limit the controller to; defaults to $(POD_NAMESPACE) + namespace: "" + # -- When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels + # only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. + namespaceSelector: "" + + # -- Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) + configMapNamespace: "" + + tcp: + # -- Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) configMapNamespace: "" - tcp: - # -- Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) - configMapNamespace: "" - # -- Annotations to be added to the tcp config configmap - annotations: {} - udp: - # -- Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) - configMapNamespace: "" - # -- Annotations to be added to the udp config configmap - annotations: {} - # -- Maxmind license key to download GeoLite2 Databases. - ## https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases - maxmindLicenseKey: "" - # -- Additional command line arguments to pass to nginx-ingress-controller - # E.g. to specify the default SSL certificate you can use - extraArgs: {} - ## extraArgs: - ## default-ssl-certificate: "/" - - # -- Additional environment variables to set - extraEnvs: [] - # extraEnvs: - # - name: FOO - # valueFrom: - # secretKeyRef: - # key: FOO - # name: secret-resource - - # -- Use a `DaemonSet` or `Deployment` - kind: Deployment - # -- Annotations to be added to the controller Deployment or DaemonSet - ## + # -- Annotations to be added to the tcp config configmap annotations: {} - # keel.sh/pollSchedule: "@every 60m" - # -- Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels - ## - labels: {} - # keel.sh/policy: patch - # keel.sh/trigger: poll + udp: + # -- Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) + configMapNamespace: "" + # -- Annotations to be added to the udp config configmap + annotations: {} - # -- The update strategy to apply to the Deployment or DaemonSet - ## - updateStrategy: {} - # rollingUpdate: - # maxUnavailable: 1 - # type: RollingUpdate + # -- Maxmind license key to download GeoLite2 Databases. + ## https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases + maxmindLicenseKey: "" - # -- `minReadySeconds` to avoid killing pods before we are ready - ## - minReadySeconds: 0 - # -- Node tolerations for server scheduling to nodes with taints - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - ## - tolerations: [] - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + # -- Additional command line arguments to pass to nginx-ingress-controller + # E.g. to specify the default SSL certificate you can use + extraArgs: {} + ## extraArgs: + ## default-ssl-certificate: "/" - # -- Affinity and anti-affinity rules for server scheduling to nodes - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## - affinity: {} + # -- Additional environment variables to set + extraEnvs: [] + # extraEnvs: + # - name: FOO + # valueFrom: + # secretKeyRef: + # key: FOO + # name: secret-resource + + # -- Use a `DaemonSet` or `Deployment` + kind: Deployment + + # -- Annotations to be added to the controller Deployment or DaemonSet + ## + annotations: {} + # keel.sh/pollSchedule: "@every 60m" + + # -- Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels + ## + labels: {} + # keel.sh/policy: patch + # keel.sh/trigger: poll + + + # -- The update strategy to apply to the Deployment or DaemonSet + ## + updateStrategy: {} + # rollingUpdate: + # maxUnavailable: 1 + # type: RollingUpdate + + # -- `minReadySeconds` to avoid killing pods before we are ready + ## + minReadySeconds: 0 + + + # -- Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + # -- Affinity and anti-affinity rules for server scheduling to nodes + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## + affinity: {} # # An example of preferred pod anti-affinity, weight is in the range 1-100 # podAntiAffinity: # preferredDuringSchedulingIgnoredDuringExecution: @@ -238,10 +270,10 @@ controller: # - controller # topologyKey: "kubernetes.io/hostname" - # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - ## - topologySpreadConstraints: [] + # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## + topologySpreadConstraints: [] # - maxSkew: 1 # topologyKey: topology.kubernetes.io/zone # whenUnsatisfiable: DoNotSchedule @@ -249,605 +281,669 @@ controller: # matchLabels: # app.kubernetes.io/instance: ingress-nginx-internal - # -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready - ## wait up to five minutes for the drain of connections - ## - terminationGracePeriodSeconds: 300 - # -- Node labels for controller pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: - kubernetes.io/os: linux - ## Liveness and readiness probe values - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes - ## - ## startupProbe: - ## httpGet: - ## # should match container.healthCheckPath - ## path: "/healthz" - ## port: 10254 - ## scheme: HTTP - ## initialDelaySeconds: 5 - ## periodSeconds: 5 - ## timeoutSeconds: 2 - ## successThreshold: 1 - ## failureThreshold: 5 - livenessProbe: - httpGet: - # should match container.healthCheckPath - path: "/healthz" - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 5 - readinessProbe: - httpGet: - # should match container.healthCheckPath - path: "/healthz" - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - # -- Path of the health check endpoint. All requests received on the port defined by - # the healthz-port parameter are forwarded internally to this path. - healthCheckPath: "/healthz" - # -- Address to bind the health check endpoint. - # It is better to set this option to the internal node address - # if the ingress nginx controller is running in the `hostNetwork: true` mode. - healthCheckHost: "" - # -- Annotations to be added to controller pods - ## - podAnnotations: {} - replicaCount: 1 - # -- Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Define either 'minAvailable' or 'maxUnavailable', never both. - # maxUnavailable: 1 + # -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready + ## wait up to five minutes for the drain of connections + ## + terminationGracePeriodSeconds: 300 - ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes - ## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903 - ## Ideally, there should be no limits. - ## https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/ - resources: - ## limits: - ## cpu: 100m - ## memory: 90Mi - requests: - cpu: 100m - memory: 90Mi - # Mutually exclusive with keda autoscaling - autoscaling: - apiVersion: autoscaling/v2 - enabled: false - annotations: {} - minReplicas: 1 - maxReplicas: 11 - targetCPUUtilizationPercentage: 50 - targetMemoryUtilizationPercentage: 50 - behavior: {} - # scaleDown: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 1 - # periodSeconds: 180 - # scaleUp: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 2 - # periodSeconds: 60 - autoscalingTemplate: [] - # Custom or additional autoscaling metrics - # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics - # - type: Pods - # pods: - # metric: - # name: nginx_ingress_controller_nginx_process_requests_total - # target: - # type: AverageValue - # averageValue: 10000m + # -- Node labels for controller pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: + kubernetes.io/os: linux - # Mutually exclusive with hpa autoscaling - keda: - apiVersion: "keda.sh/v1alpha1" - ## apiVersion changes with keda 1.x vs 2.x - ## 2.x = keda.sh/v1alpha1 - ## 1.x = keda.k8s.io/v1alpha1 - enabled: false - minReplicas: 1 - maxReplicas: 11 - pollingInterval: 30 - cooldownPeriod: 300 - restoreToOriginalReplicaCount: false - scaledObject: - annotations: {} - # Custom annotations for ScaledObject resource - # annotations: - # key: value - triggers: [] - # - type: prometheus - # metadata: - # serverAddress: http://:9090 - # metricName: http_requests_total - # threshold: '100' - # query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) + ## Liveness and readiness probe values + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## + ## startupProbe: + ## httpGet: + ## # should match container.healthCheckPath + ## path: "/healthz" + ## port: 10254 + ## scheme: HTTP + ## initialDelaySeconds: 5 + ## periodSeconds: 5 + ## timeoutSeconds: 2 + ## successThreshold: 1 + ## failureThreshold: 5 + livenessProbe: + httpGet: + # should match container.healthCheckPath + path: "/healthz" + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + httpGet: + # should match container.healthCheckPath + path: "/healthz" + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 - behavior: {} - # scaleDown: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 1 - # periodSeconds: 180 - # scaleUp: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 2 - # periodSeconds: 60 - # -- Enable mimalloc as a drop-in replacement for malloc. - ## ref: https://github.com/microsoft/mimalloc - ## - enableMimalloc: true - ## Override NGINX template - customTemplate: - configMapName: "" - configMapKey: "" - service: - enabled: true - # -- If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were - # using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http - # It allows choosing the protocol for each backend specified in the Kubernetes service. - # See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 - # Will be ignored for Kubernetes versions older than 1.20 - ## - appProtocol: true - annotations: {} - labels: {} - # clusterIP: "" + # -- Path of the health check endpoint. All requests received on the port defined by + # the healthz-port parameter are forwarded internally to this path. + healthCheckPath: "/healthz" - # -- List of IP addresses at which the controller services are available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips - ## - externalIPs: [] - # -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer - loadBalancerIP: "" - loadBalancerSourceRanges: [] - enableHttp: true - enableHttps: true - ## Set external traffic policy to: "Local" to preserve source IP on providers supporting it. - ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer - # externalTrafficPolicy: "" + # -- Address to bind the health check endpoint. + # It is better to set this option to the internal node address + # if the ingress nginx controller is running in the `hostNetwork: true` mode. + healthCheckHost: "" - ## Must be either "None" or "ClientIP" if set. Kubernetes will default to "None". - ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - # sessionAffinity: "" + # -- Annotations to be added to controller pods + ## + podAnnotations: {} - ## Specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified, - ## the service controller allocates a port from your cluster’s NodePort range. - ## Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - # healthCheckNodePort: 0 + replicaCount: 1 - # -- Represents the dual-stack-ness requested or required by this Service. Possible values are - # SingleStack, PreferDualStack or RequireDualStack. - # The ipFamilies and clusterIPs fields depend on the value of this field. - ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ - ipFamilyPolicy: "SingleStack" - # -- List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically - # based on cluster configuration and the ipFamilyPolicy field. - ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ - ipFamilies: - - IPv4 - ports: - http: 80 - https: 443 - targetPorts: - http: http - https: https - type: LoadBalancer - ## type: NodePort - ## nodePorts: - ## http: 32080 - ## https: 32443 - ## tcp: - ## 8080: 32808 - nodePorts: - http: "" - https: "" - tcp: {} - udp: {} - external: - enabled: true - internal: - # -- Enables an additional internal load balancer (besides the external one). - enabled: false - # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. - annotations: {} - # loadBalancerIP: "" + # -- Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Define either 'minAvailable' or 'maxUnavailable', never both. + # maxUnavailable: 1 - # -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. - loadBalancerSourceRanges: [] - ## Set external traffic policy to: "Local" to preserve source IP on - ## providers supporting it - ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer - # externalTrafficPolicy: "" - # shareProcessNamespace enables process namespace sharing within the pod. - # This can be used for example to signal log rotation using `kill -USR1` from a sidecar. - shareProcessNamespace: false - # -- Additional containers to be added to the controller pod. - # See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. - extraContainers: [] - # - name: my-sidecar - # image: nginx:latest - # - name: lemonldap-ng-controller - # image: lemonldapng/lemonldap-ng-controller:0.2.0 - # args: - # - /lemonldap-ng-controller - # - --alsologtostderr - # - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration - # env: - # - name: POD_NAME - # valueFrom: - # fieldRef: - # fieldPath: metadata.name - # - name: POD_NAMESPACE - # valueFrom: - # fieldRef: - # fieldPath: metadata.namespace - # volumeMounts: - # - name: copy-portal-skins - # mountPath: /srv/var/lib/lemonldap-ng/portal/skins + ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes + ## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903 + ## Ideally, there should be no limits. + ## https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/ + resources: + ## limits: + ## cpu: 100m + ## memory: 90Mi + requests: + cpu: 100m + memory: 90Mi - # -- Additional volumeMounts to the controller main container. - extraVolumeMounts: [] - # - name: copy-portal-skins - # mountPath: /var/lib/lemonldap-ng/portal/skins - - # -- Additional volumes to the controller pod. - extraVolumes: [] - # - name: copy-portal-skins - # emptyDir: {} - - # -- Containers, which are run before the app containers are started. - extraInitContainers: [] - # - name: init-myservice - # image: busybox - # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] - - # -- Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module - extraModules: [] - # containerSecurityContext: - # allowPrivilegeEscalation: false - # - # The image must contain a `/usr/local/bin/init_module.sh` executable, which - # will be executed as initContainers, to move its config files within the - # mounted volume. - - opentelemetry: - enabled: false - image: registry.k8s.io/ingress-nginx/opentelemetry:v20221114-controller-v1.5.1-6-ga66ee73c5@sha256:41076fd9fb4255677c1a3da1ac3fc41477f06eba3c7ebf37ffc8f734dad51d7c - containerSecurityContext: - allowPrivilegeEscalation: false - admissionWebhooks: - annotations: {} - # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem". - - ## Additional annotations to the admission webhooks. - ## These annotations will be added to the ValidatingWebhookConfiguration and - ## the Jobs Spec of the admission webhooks. - enabled: true - # -- Additional environment variables to set - extraEnvs: [] - # extraEnvs: - # - name: FOO - # valueFrom: - # secretKeyRef: - # key: FOO - # name: secret-resource - # -- Admission Webhook failure policy to use - failurePolicy: Fail - # timeoutSeconds: 10 - port: 8443 - certificate: "/usr/local/certificates/cert" - key: "/usr/local/certificates/key" - namespaceSelector: {} - objectSelector: {} - # -- Labels to be added to admission webhooks - labels: {} - # -- Use an existing PSP instead of creating one - existingPsp: "" - networkPolicyEnabled: false - service: - annotations: {} - # clusterIP: "" - externalIPs: [] - # loadBalancerIP: "" - loadBalancerSourceRanges: [] - servicePort: 443 - type: ClusterIP - createSecretJob: - securityContext: - allowPrivilegeEscalation: false - resources: {} - # limits: - # cpu: 10m - # memory: 20Mi - # requests: - # cpu: 10m - # memory: 20Mi - patchWebhookJob: - securityContext: - allowPrivilegeEscalation: false - resources: {} - patch: - enabled: true - image: - registry: registry.k8s.io - image: ingress-nginx/kube-webhook-certgen - ## for backwards compatibility consider setting the full image url via the repository value below - ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail - ## repository: - tag: v20220916-gd32f8c343 - digest: sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f - pullPolicy: IfNotPresent - # -- Provide a priority class name to the webhook patching job - ## - priorityClassName: "" - podAnnotations: {} - nodeSelector: - kubernetes.io/os: linux - tolerations: [] - # -- Labels to be added to patch job resources - labels: {} - securityContext: - runAsNonRoot: true - runAsUser: 2000 - fsGroup: 2000 - # Use certmanager to generate webhook certs - certManager: - enabled: false - # self-signed root certificate - rootCert: - # default to be 5y - duration: "" - admissionCert: - # default to be 1y - duration: "" - # issuerRef: - # name: "issuer" - # kind: "ClusterIssuer" - metrics: - port: 10254 - portName: metrics - # if this port is changed, change healthz-port: in extraArgs: accordingly - enabled: false - service: - annotations: {} - # prometheus.io/scrape: "true" - # prometheus.io/port: "10254" - - # clusterIP: "" - - # -- List of IP addresses at which the stats-exporter service is available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips - ## - externalIPs: [] - # loadBalancerIP: "" - loadBalancerSourceRanges: [] - servicePort: 10254 - type: ClusterIP - # externalTrafficPolicy: "" - # nodePort: "" - serviceMonitor: - enabled: false - additionalLabels: {} - ## The label to use to retrieve the job name from. - ## jobLabel: "app.kubernetes.io/name" - namespace: "" - namespaceSelector: {} - ## Default: scrape .Release.Namespace only - ## To scrape all, use the following: - ## namespaceSelector: - ## any: true - scrapeInterval: 30s - # honorLabels: true - targetLabels: [] - relabelings: [] - metricRelabelings: [] - prometheusRule: - enabled: false - additionalLabels: {} - # namespace: "" - rules: [] - # # These are just examples rules, please adapt them to your needs - # - alert: NGINXConfigFailed - # expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0 - # for: 1s - # labels: - # severity: critical - # annotations: - # description: bad ingress config - nginx config test failed - # summary: uninstall the latest ingress changes to allow config reloads to resume - # - alert: NGINXCertificateExpiry - # expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800 - # for: 1s - # labels: - # severity: critical - # annotations: - # description: ssl certificate(s) will expire in less then a week - # summary: renew expiring certificates to avoid downtime - # - alert: NGINXTooMany500s - # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"5.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 - # for: 1m - # labels: - # severity: warning - # annotations: - # description: Too many 5XXs - # summary: More than 5% of all requests returned 5XX, this requires your attention - # - alert: NGINXTooMany400s - # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"4.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 - # for: 1m - # labels: - # severity: warning - # annotations: - # description: Too many 4XXs - # summary: More than 5% of all requests returned 4XX, this requires your attention - # -- Improve connection draining when ingress controller pod is deleted using a lifecycle hook: - # With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds - # to 300, allowing the draining of connections up to five minutes. - # If the active connections end before that, the pod will terminate gracefully at that time. - # To effectively take advantage of this feature, the Configmap feature - # worker-shutdown-timeout new value is 240s instead of 10s. - ## - lifecycle: - preStop: - exec: - command: - - /wait-shutdown - priorityClassName: "" -# -- Rollback limit -## -revisionHistoryLimit: 10 -## Default 404 backend -## -defaultBackend: - ## + # Mutually exclusive with keda autoscaling + autoscaling: + apiVersion: autoscaling/v2 enabled: false - name: defaultbackend - image: + annotations: {} + minReplicas: 1 + maxReplicas: 11 + targetCPUUtilizationPercentage: 50 + targetMemoryUtilizationPercentage: 50 + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 + + autoscalingTemplate: [] + # Custom or additional autoscaling metrics + # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics + # - type: Pods + # pods: + # metric: + # name: nginx_ingress_controller_nginx_process_requests_total + # target: + # type: AverageValue + # averageValue: 10000m + + # Mutually exclusive with hpa autoscaling + keda: + apiVersion: "keda.sh/v1alpha1" + ## apiVersion changes with keda 1.x vs 2.x + ## 2.x = keda.sh/v1alpha1 + ## 1.x = keda.k8s.io/v1alpha1 + enabled: false + minReplicas: 1 + maxReplicas: 11 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + # Custom annotations for ScaledObject resource + # annotations: + # key: value + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: http_requests_total + # threshold: '100' + # query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) + + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 + + # -- Enable mimalloc as a drop-in replacement for malloc. + ## ref: https://github.com/microsoft/mimalloc + ## + enableMimalloc: true + + ## Override NGINX template + customTemplate: + configMapName: "" + configMapKey: "" + + service: + enabled: true + + # -- If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were + # using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http + # It allows choosing the protocol for each backend specified in the Kubernetes service. + # See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 + # Will be ignored for Kubernetes versions older than 1.20 + ## + appProtocol: true + + annotations: {} + labels: {} + # clusterIP: "" + + # -- List of IP addresses at which the controller services are available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + # -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + loadBalancerSourceRanges: [] + + enableHttp: true + enableHttps: true + + ## Set external traffic policy to: "Local" to preserve source IP on providers supporting it. + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "" + + ## Must be either "None" or "ClientIP" if set. Kubernetes will default to "None". + ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + # sessionAffinity: "" + + ## Specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified, + ## the service controller allocates a port from your cluster’s NodePort range. + ## Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + # healthCheckNodePort: 0 + + # -- Represents the dual-stack-ness requested or required by this Service. Possible values are + # SingleStack, PreferDualStack or RequireDualStack. + # The ipFamilies and clusterIPs fields depend on the value of this field. + ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ipFamilyPolicy: "SingleStack" + + # -- List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically + # based on cluster configuration and the ipFamilyPolicy field. + ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ipFamilies: + - IPv4 + + ports: + http: 80 + https: 443 + + targetPorts: + http: http + https: https + + type: LoadBalancer + + ## type: NodePort + ## nodePorts: + ## http: 32080 + ## https: 32443 + ## tcp: + ## 8080: 32808 + nodePorts: + http: "" + https: "" + tcp: {} + udp: {} + + external: + enabled: true + + internal: + # -- Enables an additional internal load balancer (besides the external one). + enabled: false + # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. + annotations: {} + + # loadBalancerIP: "" + + # -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. + loadBalancerSourceRanges: [] + + ## Set external traffic policy to: "Local" to preserve source IP on + ## providers supporting it + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "" + + # shareProcessNamespace enables process namespace sharing within the pod. + # This can be used for example to signal log rotation using `kill -USR1` from a sidecar. + shareProcessNamespace: false + + # -- Additional containers to be added to the controller pod. + # See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. + extraContainers: [] + # - name: my-sidecar + # image: nginx:latest + # - name: lemonldap-ng-controller + # image: lemonldapng/lemonldap-ng-controller:0.2.0 + # args: + # - /lemonldap-ng-controller + # - --alsologtostderr + # - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration + # env: + # - name: POD_NAME + # valueFrom: + # fieldRef: + # fieldPath: metadata.name + # - name: POD_NAMESPACE + # valueFrom: + # fieldRef: + # fieldPath: metadata.namespace + # volumeMounts: + # - name: copy-portal-skins + # mountPath: /srv/var/lib/lemonldap-ng/portal/skins + + # -- Additional volumeMounts to the controller main container. + extraVolumeMounts: [] + # - name: copy-portal-skins + # mountPath: /var/lib/lemonldap-ng/portal/skins + + # -- Additional volumes to the controller pod. + extraVolumes: [] + # - name: copy-portal-skins + # emptyDir: {} + + # -- Containers, which are run before the app containers are started. + extraInitContainers: [] + # - name: init-myservice + # image: busybox + # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] + + # -- Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module + extraModules: [] + # containerSecurityContext: + # allowPrivilegeEscalation: false + # + # The image must contain a `/usr/local/bin/init_module.sh` executable, which + # will be executed as initContainers, to move its config files within the + # mounted volume. + + opentelemetry: + enabled: false + image: registry.k8s.io/ingress-nginx/opentelemetry:v20221114-controller-v1.5.1-6-ga66ee73c5@sha256:41076fd9fb4255677c1a3da1ac3fc41477f06eba3c7ebf37ffc8f734dad51d7c + containerSecurityContext: + allowPrivilegeEscalation: false + + admissionWebhooks: + annotations: {} + # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem". + + ## Additional annotations to the admission webhooks. + ## These annotations will be added to the ValidatingWebhookConfiguration and + ## the Jobs Spec of the admission webhooks. + enabled: true + # -- Additional environment variables to set + extraEnvs: [] + # extraEnvs: + # - name: FOO + # valueFrom: + # secretKeyRef: + # key: FOO + # name: secret-resource + # -- Admission Webhook failure policy to use + failurePolicy: Fail + # timeoutSeconds: 10 + port: 8443 + certificate: "/usr/local/certificates/cert" + key: "/usr/local/certificates/key" + namespaceSelector: {} + objectSelector: {} + # -- Labels to be added to admission webhooks + labels: {} + + # -- Use an existing PSP instead of creating one + existingPsp: "" + networkPolicyEnabled: false + + service: + annotations: {} + # clusterIP: "" + externalIPs: [] + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 443 + type: ClusterIP + + createSecretJob: + securityContext: + allowPrivilegeEscalation: false + resources: {} + # limits: + # cpu: 10m + # memory: 20Mi + # requests: + # cpu: 10m + # memory: 20Mi + + patchWebhookJob: + securityContext: + allowPrivilegeEscalation: false + resources: {} + + patch: + enabled: true + image: registry: registry.k8s.io - image: defaultbackend-amd64 + image: ingress-nginx/kube-webhook-certgen ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: "1.5" + tag: v20220916-gd32f8c343 + digest: sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f pullPolicy: IfNotPresent - # nobody user -> uid 65534 - runAsUser: 65534 - runAsNonRoot: true - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - # -- Use an existing PSP instead of creating one - existingPsp: "" - extraArgs: {} - serviceAccount: - create: true - name: "" - automountServiceAccountToken: true - # -- Additional environment variables to set for defaultBackend pods - extraEnvs: [] - port: 8080 - ## Readiness and liveness probes for default backend - ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ - ## - livenessProbe: - failureThreshold: 3 - initialDelaySeconds: 30 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - failureThreshold: 6 - initialDelaySeconds: 0 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 5 - # -- Node tolerations for server scheduling to nodes with taints - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - ## - tolerations: [] - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - - affinity: {} - # -- Security Context policies for controller pods - # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for - # notes on enabling and using sysctls - ## - podSecurityContext: {} - # -- Security Context policies for controller main container. - # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for - # notes on enabling and using sysctls - ## - containerSecurityContext: {} - # -- Labels to add to the pod container metadata - podLabels: {} - # key: value - - # -- Node labels for default backend pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: + # -- Provide a priority class name to the webhook patching job + ## + priorityClassName: "" + podAnnotations: {} + nodeSelector: kubernetes.io/os: linux - # -- Annotations to be added to default backend pods - ## - podAnnotations: {} - replicaCount: 1 - minAvailable: 1 - resources: {} - # limits: - # cpu: 10m - # memory: 20Mi - # requests: - # cpu: 10m - # memory: 20Mi + tolerations: [] + # -- Labels to be added to patch job resources + labels: {} + securityContext: + runAsNonRoot: true + runAsUser: 2000 + fsGroup: 2000 - extraVolumeMounts: [] - ## Additional volumeMounts to the default backend container. - # - name: copy-portal-skins - # mountPath: /var/lib/lemonldap-ng/portal/skins + # Use certmanager to generate webhook certs + certManager: + enabled: false + # self-signed root certificate + rootCert: + duration: "" # default to be 5y + admissionCert: + duration: "" # default to be 1y + # issuerRef: + # name: "issuer" + # kind: "ClusterIssuer" - extraVolumes: [] - ## Additional volumes to the default backend pod. - # - name: copy-portal-skins - # emptyDir: {} - - autoscaling: - annotations: {} - enabled: false - minReplicas: 1 - maxReplicas: 2 - targetCPUUtilizationPercentage: 50 - targetMemoryUtilizationPercentage: 50 - service: - annotations: {} - # clusterIP: "" - - # -- List of IP addresses at which the default backend service is available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips - ## - externalIPs: [] - # loadBalancerIP: "" - loadBalancerSourceRanges: [] - servicePort: 80 - type: ClusterIP - priorityClassName: "" - # -- Labels to be added to the default backend resources - labels: {} -## Enable RBAC as per https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/rbac.md and https://github.com/kubernetes/ingress-nginx/issues/266 -rbac: - create: true - scope: false -## If true, create & use Pod Security Policy resources -## https://kubernetes.io/docs/concepts/policy/pod-security-policy/ -podSecurityPolicy: + metrics: + port: 10254 + portName: metrics + # if this port is changed, change healthz-port: in extraArgs: accordingly enabled: false -serviceAccount: + + service: + annotations: {} + # prometheus.io/scrape: "true" + # prometheus.io/port: "10254" + + # clusterIP: "" + + # -- List of IP addresses at which the stats-exporter service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 10254 + type: ClusterIP + # externalTrafficPolicy: "" + # nodePort: "" + + serviceMonitor: + enabled: false + additionalLabels: {} + ## The label to use to retrieve the job name from. + ## jobLabel: "app.kubernetes.io/name" + namespace: "" + namespaceSelector: {} + ## Default: scrape .Release.Namespace only + ## To scrape all, use the following: + ## namespaceSelector: + ## any: true + scrapeInterval: 30s + # honorLabels: true + targetLabels: [] + relabelings: [] + metricRelabelings: [] + + prometheusRule: + enabled: false + additionalLabels: {} + # namespace: "" + rules: [] + # # These are just examples rules, please adapt them to your needs + # - alert: NGINXConfigFailed + # expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0 + # for: 1s + # labels: + # severity: critical + # annotations: + # description: bad ingress config - nginx config test failed + # summary: uninstall the latest ingress changes to allow config reloads to resume + # - alert: NGINXCertificateExpiry + # expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800 + # for: 1s + # labels: + # severity: critical + # annotations: + # description: ssl certificate(s) will expire in less then a week + # summary: renew expiring certificates to avoid downtime + # - alert: NGINXTooMany500s + # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"5.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 + # for: 1m + # labels: + # severity: warning + # annotations: + # description: Too many 5XXs + # summary: More than 5% of all requests returned 5XX, this requires your attention + # - alert: NGINXTooMany400s + # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"4.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 + # for: 1m + # labels: + # severity: warning + # annotations: + # description: Too many 4XXs + # summary: More than 5% of all requests returned 4XX, this requires your attention + + # -- Improve connection draining when ingress controller pod is deleted using a lifecycle hook: + # With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds + # to 300, allowing the draining of connections up to five minutes. + # If the active connections end before that, the pod will terminate gracefully at that time. + # To effectively take advantage of this feature, the Configmap feature + # worker-shutdown-timeout new value is 240s instead of 10s. + ## + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + + priorityClassName: "" + +# -- Rollback limit +## +revisionHistoryLimit: 10 + +## Default 404 backend +## +defaultBackend: + ## + enabled: false + + name: defaultbackend + image: + registry: registry.k8s.io + image: defaultbackend-amd64 + ## for backwards compatibility consider setting the full image url via the repository value below + ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + ## repository: + tag: "1.5" + pullPolicy: IfNotPresent + # nobody user -> uid 65534 + runAsUser: 65534 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + + # -- Use an existing PSP instead of creating one + existingPsp: "" + + extraArgs: {} + + serviceAccount: create: true name: "" automountServiceAccountToken: true - # -- Annotations for the controller service account + # -- Additional environment variables to set for defaultBackend pods + extraEnvs: [] + + port: 8080 + + ## Readiness and liveness probes for default backend + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + ## + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + failureThreshold: 6 + initialDelaySeconds: 0 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + + # -- Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + affinity: {} + + # -- Security Context policies for controller pods + # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for + # notes on enabling and using sysctls + ## + podSecurityContext: {} + + # -- Security Context policies for controller main container. + # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for + # notes on enabling and using sysctls + ## + containerSecurityContext: {} + + # -- Labels to add to the pod container metadata + podLabels: {} + # key: value + + # -- Node labels for default backend pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: + kubernetes.io/os: linux + + # -- Annotations to be added to default backend pods + ## + podAnnotations: {} + + replicaCount: 1 + + minAvailable: 1 + + resources: {} + # limits: + # cpu: 10m + # memory: 20Mi + # requests: + # cpu: 10m + # memory: 20Mi + + extraVolumeMounts: [] + ## Additional volumeMounts to the default backend container. + # - name: copy-portal-skins + # mountPath: /var/lib/lemonldap-ng/portal/skins + + extraVolumes: [] + ## Additional volumes to the default backend pod. + # - name: copy-portal-skins + # emptyDir: {} + + autoscaling: annotations: {} + enabled: false + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 + targetMemoryUtilizationPercentage: 50 + + service: + annotations: {} + + # clusterIP: "" + + # -- List of IP addresses at which the default backend service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 80 + type: ClusterIP + + priorityClassName: "" + # -- Labels to be added to the default backend resources + labels: {} + +## Enable RBAC as per https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/rbac.md and https://github.com/kubernetes/ingress-nginx/issues/266 +rbac: + create: true + scope: false + +## If true, create & use Pod Security Policy resources +## https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +podSecurityPolicy: + enabled: false + +serviceAccount: + create: true + name: "" + automountServiceAccountToken: true + # -- Annotations for the controller service account + annotations: {} + # -- Optional array of imagePullSecrets containing private registry credentials ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ imagePullSecrets: [] @@ -868,6 +964,7 @@ udp: {} # -- Prefix for TCP and UDP ports names in ingress controller service ## Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration portNamePrefix: "" + # -- (string) A base64-encoded Diffie-Hellman parameter. # This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` ## Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml index 54d315b50..fbdf9486a 100644 --- a/deploy/static/provider/aws/deploy.yaml +++ b/deploy/static/provider/aws/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,6 +90,21 @@ rules: - get - list - watch +- apiGroups: + - "" + resourceNames: + - ingress-nginx-leader + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create - apiGroups: - coordination.k8s.io resourceNames: @@ -129,7 +144,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +163,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +245,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +264,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +284,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +303,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +322,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -344,7 +359,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -377,7 +392,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -400,7 +415,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -440,7 +455,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.2@sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 + image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -512,7 +527,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -523,7 +538,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create spec: containers: @@ -559,7 +574,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -570,7 +585,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch spec: containers: @@ -608,7 +623,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -621,7 +636,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml index 819de9079..73ec24286 100644 --- a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml +++ b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,6 +90,21 @@ rules: - get - list - watch +- apiGroups: + - "" + resourceNames: + - ingress-nginx-leader + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create - apiGroups: - coordination.k8s.io resourceNames: @@ -129,7 +144,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +163,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +245,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +264,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +284,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +303,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +322,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -335,7 +350,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -353,7 +368,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -386,7 +401,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -409,7 +424,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -449,7 +464,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.2@sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 + image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -524,7 +539,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -535,7 +550,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create spec: containers: @@ -571,7 +586,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -582,7 +597,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch spec: containers: @@ -620,7 +635,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -633,7 +648,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml index 73aec6dc9..9e6e905bb 100644 --- a/deploy/static/provider/baremetal/deploy.yaml +++ b/deploy/static/provider/baremetal/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,6 +90,21 @@ rules: - get - list - watch +- apiGroups: + - "" + resourceNames: + - ingress-nginx-leader + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create - apiGroups: - coordination.k8s.io resourceNames: @@ -129,7 +144,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +163,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +245,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +264,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +284,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +303,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +322,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +355,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -372,7 +387,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -395,7 +410,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -434,7 +449,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.2@sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 + image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -506,7 +521,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -517,7 +532,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create spec: containers: @@ -553,7 +568,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -564,7 +579,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch spec: containers: @@ -602,7 +617,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -615,7 +630,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml index 19455ed27..dd986a55d 100644 --- a/deploy/static/provider/cloud/deploy.yaml +++ b/deploy/static/provider/cloud/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,6 +90,21 @@ rules: - get - list - watch +- apiGroups: + - "" + resourceNames: + - ingress-nginx-leader + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create - apiGroups: - coordination.k8s.io resourceNames: @@ -129,7 +144,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +163,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +245,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +264,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +284,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +303,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +322,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +355,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -373,7 +388,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -396,7 +411,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -436,7 +451,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.2@sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 + image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -508,7 +523,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -519,7 +534,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create spec: containers: @@ -555,7 +570,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -566,7 +581,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch spec: containers: @@ -604,7 +619,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -617,7 +632,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml index 3c4a022c3..64e0366b4 100644 --- a/deploy/static/provider/do/deploy.yaml +++ b/deploy/static/provider/do/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,6 +90,21 @@ rules: - get - list - watch +- apiGroups: + - "" + resourceNames: + - ingress-nginx-leader + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create - apiGroups: - coordination.k8s.io resourceNames: @@ -129,7 +144,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +163,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +245,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +264,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +284,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +303,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +322,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -329,7 +344,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -343,7 +358,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -376,7 +391,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -399,7 +414,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -439,7 +454,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.2@sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 + image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -511,7 +526,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -522,7 +537,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create spec: containers: @@ -558,7 +573,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -569,7 +584,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch spec: containers: @@ -607,7 +622,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -620,7 +635,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml index 084fcd897..d6a40aed9 100644 --- a/deploy/static/provider/exoscale/deploy.yaml +++ b/deploy/static/provider/exoscale/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,6 +90,21 @@ rules: - get - list - watch +- apiGroups: + - "" + resourceNames: + - ingress-nginx-leader + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create - apiGroups: - coordination.k8s.io resourceNames: @@ -129,7 +144,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +163,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +245,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +264,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +284,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +303,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +322,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -349,7 +364,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -382,7 +397,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -405,7 +420,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -445,7 +460,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.2@sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 + image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -517,7 +532,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -528,7 +543,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create spec: containers: @@ -564,7 +579,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -575,7 +590,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch spec: containers: @@ -613,7 +628,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -626,7 +641,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml index 355ca8054..62ead9e34 100644 --- a/deploy/static/provider/kind/deploy.yaml +++ b/deploy/static/provider/kind/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,6 +90,21 @@ rules: - get - list - watch +- apiGroups: + - "" + resourceNames: + - ingress-nginx-leader + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create - apiGroups: - coordination.k8s.io resourceNames: @@ -129,7 +144,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +163,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +245,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +264,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +284,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +303,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +322,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +355,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -372,7 +387,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -395,7 +410,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -440,7 +455,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.2@sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 + image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -522,7 +537,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -533,7 +548,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create spec: containers: @@ -569,7 +584,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -580,7 +595,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch spec: containers: @@ -618,7 +633,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -631,7 +646,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml index ff8b820b3..d52f01489 100644 --- a/deploy/static/provider/scw/deploy.yaml +++ b/deploy/static/provider/scw/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,6 +90,21 @@ rules: - get - list - watch +- apiGroups: + - "" + resourceNames: + - ingress-nginx-leader + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create - apiGroups: - coordination.k8s.io resourceNames: @@ -129,7 +144,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +163,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +245,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +264,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +284,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +303,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +322,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -329,7 +344,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -343,7 +358,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -376,7 +391,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -399,7 +414,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -439,7 +454,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.2@sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 + image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -511,7 +526,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -522,7 +537,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-create spec: containers: @@ -558,7 +573,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -569,7 +584,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission-patch spec: containers: @@ -607,7 +622,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -620,7 +635,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.2 + app.kubernetes.io/version: 1.5.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/docs/deploy/index.md b/docs/deploy/index.md index 71a27b15f..29495b5c0 100644 --- a/docs/deploy/index.md +++ b/docs/deploy/index.md @@ -62,7 +62,7 @@ It will install the controller in the `ingress-nginx` namespace, creating that n **If you don't have Helm** or if you prefer to use a YAML manifest, you can run the following command instead: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.2/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/cloud/deploy.yaml ``` !!! info @@ -225,7 +225,7 @@ In AWS, we use a Network load balancer (NLB) to expose the NGINX Ingress control ##### Network Load Balancer (NLB) ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.2/deploy/static/provider/aws/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/aws/deploy.yaml ``` ##### TLS termination in AWS Load Balancer (NLB) @@ -233,10 +233,10 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS using an NLB. -1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.2/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template +1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template ```console - wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.2/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml + wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml ``` 2. Edit the file and change the VPC CIDR in use for the Kubernetes cluster: @@ -282,7 +282,7 @@ Then, the ingress controller can be installed like this: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.2/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/cloud/deploy.yaml ``` !!! warning @@ -299,7 +299,7 @@ Proxy-protocol is supported in GCE check the [Official Documentations on how to #### Azure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.2/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/cloud/deploy.yaml ``` More information with regard to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller). @@ -307,7 +307,7 @@ More information with regard to Azure annotations for ingress controller can be #### Digital Ocean ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.2/deploy/static/provider/do/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/do/deploy.yaml ``` - By default the service object of the ingress-nginx-controller for Digital-Ocean, only configures one annotation. Its this one `service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"`. While this makes the service functional, it was reported that the Digital-Ocean LoadBalancer graphs shows `no data`, unless a few other annotations are also configured. Some of these other annotations require values that can not be generic and hence not forced in a out-of-the-box installation. These annotations and a discussion on them is well documented in [this issue](https://github.com/kubernetes/ingress-nginx/issues/8965). Please refer to the issue to add annotations, with values specific to user, to get graphs of the DO-LB populated with data. @@ -315,7 +315,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont #### Scaleway ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.2/deploy/static/provider/scw/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/scw/deploy.yaml ``` #### Exoscale @@ -330,7 +330,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale #### Oracle Cloud Infrastructure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.2/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/cloud/deploy.yaml ``` A @@ -357,7 +357,7 @@ For quick testing, you can use a This should work on almost every cluster, but it will typically use a port in the range 30000-32767. ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.2/deploy/static/provider/baremetal/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/baremetal/deploy.yaml ``` For more information about bare metal deployments (and how to use port 80 instead of a random port in the 30000-32767 range), diff --git a/docs/e2e-tests.md b/docs/e2e-tests.md index f943a96a6..d5aa6cc16 100644 --- a/docs/e2e-tests.md +++ b/docs/e2e-tests.md @@ -7,651 +7,11 @@ Do not try to edit it manually. -### [[Serial] admission controller](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L35) - -- [reject ingress with global-rate-limit annotations when memcached is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L48) -- [should not allow overlaps of host and paths without canary annotations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L75) -- [should allow overlaps of host and paths with canary annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L92) -- [should block ingress with invalid path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L113) -- [should return an error if there is an error validating the ingress definition](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L130) -- [should return an error if there is an invalid value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L141) -- [should return an error if there is a forbidden value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L155) -- [should not return an error if the Ingress V1 definition is valid with Ingress Class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L169) -- [should not return an error if the Ingress V1 definition is valid with IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L185) -- [should return an error if the Ingress V1 definition contains invalid annotations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L201) -- [should not return an error for an invalid Ingress when it has unknown class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L212) - -### [affinity session-cookie-name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L35) - -- [should set sticky cookie SERVERID](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L42) -- [should change cookie name on ingress definition change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L64) -- [should set the path to /something on the generated cookie](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L99) -- [does not set the path to / on the generated cookie if there's more than one rule referring to the same backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L121) -- [should set cookie with expires](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L194) -- [should set cookie with domain](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L225) -- [should not set cookie without domain annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L248) -- [should work with use-regex annotation and session-cookie-path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L270) -- [should warn user when use-regex is true and session-cookie-path is not set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L294) -- [should not set affinity across all server locations when using separate ingresses](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L320) -- [should set sticky cookie without host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L352) -- [should work with server-alias annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L372) -- [should set secure in cookie with provided true annotation on http](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L412) -- [should not set secure in cookie with provided false annotation on http](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L435) -- [should set secure in cookie with provided false annotation on https](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L458) - -### [affinitymode](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinitymode.go#L31) - -- [Balanced affinity mode should balance](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinitymode.go#L34) -- [Check persistent affinity mode](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinitymode.go#L67) - -### [server-alias](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/alias.go#L29) - -- [should return status code 200 for host 'foo' and 404 for 'bar'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/alias.go#L36) -- [should return status code 200 for host 'foo' and 'bar'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/alias.go#L62) -- [should return status code 200 for hosts defined in two ingresses, different path with one alias](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/alias.go#L87) - -### [app-root](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/approot.go#L28) - -- [should redirect to /foo](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/approot.go#L35) - -### [auth-tls-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L29) - -- [should set sslClientCertificate, sslVerifyClient and sslVerifyDepth with auth-tls-secret](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L36) -- [should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L84) -- [should 302 redirect to error page instead of 400 when auth-tls-error-page is set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L114) -- [should pass URL-encoded certificate to upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L161) -- [should validate auth-tls-verify-client](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L206) -- [should return 403 using auth-tls-match-cn with no matching CN from client](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L266) -- [should return 200 using auth-tls-match-cn with matching CN from client](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L295) -- [should return 200 using auth-tls-match-cn where atleast one of the regex options matches CN from client](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L324) - -### [backend-protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L27) - -- [should set backend protocol to https:// and use proxy_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L34) -- [should set backend protocol to $scheme:// and use proxy_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L49) -- [should set backend protocol to grpc:// and use grpc_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L64) -- [should set backend protocol to grpcs:// and use grpc_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L79) -- [should set backend protocol to '' and use fastcgi_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L94) -- [should set backend protocol to '' and use ajp_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L109) - -### [canary-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L36) - -- [should response with a 200 status from the mainline upstream when requests are made to the mainline ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L48) -- [should return 404 status for requests to the canary if no matching ingress is found](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L80) -- [should return the correct status codes when endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L107) -- [should route requests to the correct upstream if mainline ingress is created before the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L161) -- [should route requests to the correct upstream if mainline ingress is created after the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L206) -- [should route requests to the correct upstream if the mainline ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L250) -- [should route requests to the correct upstream if the canary ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L307) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L372) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L426) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L490) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L532) -- [should routes to mainline upstream when the given Regex causes error](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L566) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L604) -- [respects always and never values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L643) -- [should route requests only to mainline if canary weight is 0](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L705) -- [should route requests only to canary if canary weight is 100](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L743) -- [should route requests only to canary if canary weight is equal to canary weight total](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L775) -- [should route requests split between mainline and canary if canary weight is 50](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L808) -- [should not use canary as a catch-all server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L836) -- [should not use canary with domain as a server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L864) -- [does not crash when canary ingress has multiple paths to the same non-matching backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L888) -- [always routes traffic to canary if first request was affinitized to canary (default behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L916) -- [always routes traffic to canary if first request was affinitized to canary (explicit sticky behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L973) -- [routes traffic to either mainline or canary backend (legacy behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1031) - -### [client-body-buffer-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L28) - -- [should set client_body_buffer_size to 1000](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L35) -- [should set client_body_buffer_size to 1K](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L57) -- [should set client_body_buffer_size to 1k](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L79) -- [should set client_body_buffer_size to 1m](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L101) -- [should set client_body_buffer_size to 1M](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L123) -- [should not set client_body_buffer_size to invalid 1b](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L145) - -### [connection-proxy-header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/connection.go#L29) - -- [set connection header to keep-alive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/connection.go#L36) - -### [cors-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L28) - -- [should enable cors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L35) -- [should set cors methods to only allow POST, GET](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L62) -- [should set cors max-age](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L78) -- [should disable cors allow credentials](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L94) -- [should allow origin for cors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L110) -- [should allow headers for cors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L137) -- [should expose headers for cors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L153) -- [should allow - single origin for multiple cors values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L169) -- [should not allow - single origin for multiple cors values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L196) -- [should allow correct origins - single origin for multiple cors values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L216) -- [should not break functionality](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L267) -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L291) -- [should not break functionality with extra domain](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L314) -- [should not match](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L338) -- [should allow - single origin with required port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L358) -- [should not allow - single origin with port and origin without port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L386) -- [should not allow - single origin without port and origin with required port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L405) -- [should allow - matching origin with wildcard origin (2 subdomains)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L425) -- [should not allow - unmatching origin with wildcard origin (2 subdomains)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L468) -- [should allow - matching origin+port with wildcard origin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L488) -- [should not allow - portless origin with wildcard origin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L515) -- [should allow correct origins - missing subdomain + origin with wildcard origin and correct origin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L535) -- [should allow - missing origins (should allow all origins)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L571) - -### [custom-http-errors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/customhttperrors.go#L34) - -- [configures Nginx correctly](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/customhttperrors.go#L41) - -### [default-backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/default_backend.go#L29) - -- [should use a custom default backend as upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/default_backend.go#L37) - -### [disable-access-log disable-http-access-log disable-stream-access-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L28) - -- [disable-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L35) -- [disable-http-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L53) -- [disable-stream-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L71) - -### [backend-protocol - FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L31) - -- [should use fastcgi_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L38) -- [should add fastcgi_index in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L55) -- [should add fastcgi_param in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L72) -- [should return OK for service with backend protocol FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L105) - -### [force-ssl-redirect](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/forcesslredirect.go#L27) - -- [should redirect to https](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/forcesslredirect.go#L34) - -### [from-to-www-redirect](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fromtowwwredirect.go#L31) - -- [should redirect from www HTTP to HTTP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fromtowwwredirect.go#L38) -- [should redirect from www HTTPS to HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fromtowwwredirect.go#L64) - -### [annotation-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/globalratelimit.go#L30) - -- [generates correct configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/globalratelimit.go#L38) - -### [backend-protocol - GRPC](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L40) - -- [should use grpc_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L43) -- [should return OK for service with backend protocol GRPC](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L68) -- [authorization metadata should be overwritten by external auth response headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L126) -- [should return OK for service with backend protocol GRPCS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L199) - -### [http2-push-preload](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/http2pushpreload.go#L27) - -- [enable the http2-push-preload directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/http2pushpreload.go#L34) - -### [influxdb-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/influxdb.go#L39) - -- [should send the request metric to the influxdb server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/influxdb.go#L48) - -### [whitelist-source-range](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipwhitelist.go#L27) - -- [should set valid ip whitelist range](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipwhitelist.go#L34) - -### [Annotation - limit-connections](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/limitconnections.go#L31) - -- [should limit-connections](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/limitconnections.go#L38) - -### [limit-rate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/limitrate.go#L29) - -- [Check limit-rate annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/limitrate.go#L37) - -### [enable-access-log enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/log.go#L27) - -- [set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/log.go#L34) -- [set rewrite_log on](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/log.go#L49) - -### [mirror-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L28) - -- [should set mirror-target to http://localhost/mirror](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L36) -- [should set mirror-target to https://test.env.com/$request_uri](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L51) -- [should disable mirror-request-body](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L67) - -### [modsecurity owasp](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L28) - -- [should enable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L35) -- [should enable modsecurity with transaction ID and OWASP rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L53) -- [should disable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L74) -- [should enable modsecurity with snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L91) -- [should enable modsecurity without using 'modsecurity on;'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L110) -- [should disable modsecurity using 'modsecurity off;'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L132) -- [should enable modsecurity with snippet and block requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L153) -- [should enable modsecurity globally and with modsecurity-snippet block requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L189) -- [should enable modsecurity when enable-owasp-modsecurity-crs is set to true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L225) -- [should enable modsecurity through the config map](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L264) -- [should enable modsecurity through the config map but ignore snippet as disabled by admin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L305) -- [should disable default modsecurity conf setting when modsecurity-snippet is specified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L347) - -### [preserve-trailing-slash](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/preservetrailingslash.go#L27) - -- [should allow preservation of trailing slashes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/preservetrailingslash.go#L34) - -### [proxy-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L28) - -- [should set proxy_redirect to off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L36) -- [should set proxy_redirect to default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L52) -- [should set proxy_redirect to hello.com goodbye.com](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L68) -- [should set proxy client-max-body-size to 8m](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L85) -- [should not set proxy client-max-body-size to incorrect value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L100) -- [should set valid proxy timeouts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L115) -- [should not set invalid proxy timeouts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L136) -- [should turn on proxy-buffering](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L157) -- [should turn off proxy-request-buffering](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L179) -- [should build proxy next upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L194) -- [should setup proxy cookies](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L215) -- [should change the default proxy HTTP version](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L233) - -### [proxy-ssl-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L30) - -- [should set valid proxy-ssl-secret](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L37) -- [should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L64) -- [should set valid proxy-ssl-secret, proxy-ssl-ciphers to HIGH:!AES](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L94) -- [should set valid proxy-ssl-secret, proxy-ssl-protocols](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L122) -- [proxy-ssl-location-only flag should change the nginx config server part](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L150) - -### [permanent-redirect permanent-redirect-code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/redirect.go#L30) - -- [should respond with a standard redirect code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/redirect.go#L33) -- [should respond with a custom redirect code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/redirect.go#L61) - -### [rewrite-target use-regex enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L30) - -- [should write rewrite logs](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L37) -- [should use correct longest path match](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L66) -- [should use ~* location modifier if regex annotation is present](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L111) -- [should fail to use longest match for documented warning](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L158) -- [should allow for custom rewrite parameters](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L190) - -### [satisfy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/satisfy.go#L35) - -- [should configure satisfy directive correctly](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/satisfy.go#L42) -- [should allow multiple auth with satisfy any](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/satisfy.go#L84) - -### [server-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serversnippet.go#L28) - -- [add valid directives to server via server snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serversnippet.go#L35) -- [drops server snippet if disabled by the administrator](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serversnippet.go#L61) - -### [service-upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serviceupstream.go#L32) - -- [should use the Service Cluster IP and Port ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serviceupstream.go#L41) -- [should use the Service Cluster IP and Port ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serviceupstream.go#L70) -- [should not use the Service Cluster IP and Port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serviceupstream.go#L99) - -### [configuration-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/snippet.go#L28) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/snippet.go#L35) -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/snippet.go#L58) - -### [ssl-ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/sslciphers.go#L28) - -- [should change ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/sslciphers.go#L35) - -### [stream-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/streamsnippet.go#L34) - -- [should add value of stream-snippet to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/streamsnippet.go#L41) -- [should add stream-snippet and drop annotations per admin config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/streamsnippet.go#L85) - -### [upstream-hash-by-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamhashby.go#L76) - -- [should connect to the same pod](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamhashby.go#L83) -- [should connect to the same subset of pods](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamhashby.go#L92) - -### [upstream-vhost](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamvhost.go#L27) - -- [set host to upstreamvhost.bar.com](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamvhost.go#L34) - -### [x-forwarded-prefix](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L28) - -- [should set the X-Forwarded-Prefix to the annotation value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L35) -- [should not add X-Forwarded-Prefix if the annotation value is empty](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L57) - -### [auth-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L39) - -- [should return status code 200 when no authentication is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L46) -- [should return status code 503 when authentication is configured with an invalid secret](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L65) -- [should return status code 401 when authentication is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L89) -- [should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L116) -- [should return status code 401 and cors headers when authentication and cors is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L144) -- [should return status code 200 when authentication is configured and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L172) -- [should return status code 200 when authentication is configured with a map and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L199) -- [should return status code 401 when authentication is configured with invalid content and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L227) -- [ when external auth is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L266) -- [ when external auth is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L284) -- [ when auth-headers are set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L301) -- [should set cache_key when external auth cache is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L322) -- [user retains cookie by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L411) -- [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L422) -- [user with annotated ingress retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L433) -- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L485) -- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L494) -- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L505) -- [should overwrite Foo header with auth response](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L529) -- [should not create additional upstream block when auth-keepalive is not set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L552) -- [should not create additional upstream block when host part of auth-url contains a variable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L570) -- [should not create additional upstream block when auth-keepalive is negative](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L590) -- [should not create additional upstream block when auth-keepalive is set with HTTP/2](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L609) -- [should create additional upstream block when auth-keepalive is set with HTTP/1.x](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L623) -- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L678) -- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L687) -- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L698) -- [should return status code 200 when signed in after auth backend is deleted ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L772) -- [should deny login for different location on same server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L792) -- [should deny login for different servers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L820) -- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L849) -- [should return 503 (location was denied)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L879) -- [should add error to the config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L887) - -### [Debug CLI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L29) - -- [should list the backend servers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L37) -- [should get information for a specific backend server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L56) -- [should produce valid JSON for /dbg general](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L85) - -### [[Default Backend] custom service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/custom_default_backend.go#L33) - -- [uses custom default backend that returns 200 as status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/custom_default_backend.go#L36) - -### [[Default Backend]](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/default_backend.go#L30) - -- [should return 404 sending requests when only a default backend is running](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/default_backend.go#L33) -- [enables access logging for default backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/default_backend.go#L88) -- [disables access logging for default backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/default_backend.go#L105) - -### [[Default Backend] SSL](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/ssl.go#L26) - -- [should return a self generated SSL certificate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/ssl.go#L29) - -### [[Default Backend] change default settings](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/with_hosts.go#L30) - -- [should apply the annotation to the default backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/with_hosts.go#L38) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e_test.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e_test.go#L) - -### [[Endpointslices] long service name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/longname.go#L29) - -- [should return 200 when service name has max allowed number of characters 63](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/longname.go#L38) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/deployment.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/deployment.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/fastcgi_helloserver.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/fastcgi_helloserver.go#L) - -### [[Setting] ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L190) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L206) -- [ [MemoryLeak]](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L207) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/grpc_fortune_teller.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/grpc_fortune_teller.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/array.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/array.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/chain.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/chain.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/cookie.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/cookie.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/match.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/match.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/object.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/object.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/reporter.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/reporter.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/request.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/request.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/response.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/response.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/string.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/string.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/value.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/value.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/influxdb.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/influxdb.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/k8s.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/k8s.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/logs.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/logs.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/metrics.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/metrics.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/ssl.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/ssl.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/test_context.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/test_context.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/util.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/util.go#L) - -### [[Shutdown] Grace period shutdown](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/grace_period.go#L32) - -- [/healthz should return status code 500 during shutdown grace period](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/grace_period.go#L35) - -### [[Shutdown] ingress controller](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/shutdown.go#L30) - -- [should shutdown in less than 60 secons without pending connections](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/shutdown.go#L40) -- [should shutdown after waiting 60 seconds for pending connections to be closed](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/shutdown.go#L61) -- [should shutdown after waiting 150 seconds for pending connections to be closed](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/shutdown.go#L106) - -### [[Shutdown] Graceful shutdown with pending request](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/slow_requests.go#L25) - -- [should let slow requests finish before shutting down](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/slow_requests.go#L33) - -### [[Ingress] DeepInspection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/deep_inspection.go#L27) - -- [should drop whole ingress if one path matches invalid regex](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/deep_inspection.go#L34) - -### [single ingress - multiple hosts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/multiple_rules.go#L30) - -- [should set the correct $service_name NGINX variable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/multiple_rules.go#L38) - -### [[Ingress] [PathType] exact](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_exact.go#L30) - -- [should choose exact location for /exact](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_exact.go#L37) - -### [[Ingress] [PathType] mix Exact and Prefix paths](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_mixed.go#L30) - -- [should choose the correct location](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_mixed.go#L39) - -### [[Ingress] [PathType] prefix checks](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_prefix.go#L28) - -- [should return 404 when prefix /aaa does not match request /aaaccc](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_prefix.go#L35) - -### [[Ingress] definition without host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/without_host.go#L31) - -- [should set ingress details variables for ingresses without a host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/without_host.go#L34) -- [should set ingress details variables for ingresses with host without IngressRuleValue, only Backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/without_host.go#L55) - -### [[Memory Leak] Dynamic Certificates](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/leaks/lua_ssl.go#L35) - -- [should not leak memory from ingress SSL certificates or configuration updates](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/leaks/lua_ssl.go#L42) - -### [[Load Balancer] load-balance](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/configmap.go#L28) - -- [should apply the configmap load-balance setting](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/configmap.go#L35) - -### [[Load Balancer] EWMA](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/ewma.go#L31) - -- [does not fail requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/ewma.go#L42) - -### [[Load Balancer] round-robin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/round_robin.go#L31) - -- [should evenly distribute requests with round-robin (default algorithm)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/round_robin.go#L39) - -### [[Lua] dynamic certificates](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L37) - -- [picks up the certificate when we add TLS spec to existing ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L45) -- [picks up the previously missing secret for a given ingress without reloading](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L70) -- [supports requests with domain with trailing dot](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L145) -- [picks up the updated certificate without reloading](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L149) -- [falls back to using default certificate when secret gets deleted without reloading](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L185) -- [picks up a non-certificate only change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L218) -- [removes HTTPS configuration when we delete TLS spec](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L233) - -### [[Lua] dynamic configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L42) - -- [configures balancer Lua middleware correctly](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L50) -- [handles endpoints only changes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L62) -- [handles endpoints only changes (down scaling of replicas)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L87) -- [handles endpoints only changes consistently (down scaling of replicas vs. empty service)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L125) -- [handles an annotation change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L171) - -### [nginx-configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L99) - -- [start nginx with default configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L102) -- [fails when using alias directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L115) -- [fails when using root directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L124) - -### [[Security] request smuggling](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/request_smuggling.go#L32) - -- [should not return body content from error_page](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/request_smuggling.go#L39) - -### [[Security] validate path fields](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/invalid_paths.go#L42) - -- [should accept an ingress with valid path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/invalid_paths.go#L49) -- [should drop an ingress with invalid path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/invalid_paths.go#L67) -- [should drop an ingress with regex path and regex disabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/invalid_paths.go#L84) -- [should accept an ingress with regex path and regex enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/invalid_paths.go#L101) -- [should reject an ingress with invalid path and regex enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/invalid_paths.go#L118) - -### [[Service] backend status code 503](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L33) - -- [should return 503 when backend service does not exist](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L36) -- [should return 503 when all backend service endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L54) - -### [[Service] Type ExternalName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L59) - -- [works with external name set to incomplete fqdn](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L62) -- [should return 200 for service type=ExternalName without a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L95) -- [should return 200 for service type=ExternalName with a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L129) -- [should return status 502 for service type=ExternalName with an invalid host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L153) -- [should return 200 for service type=ExternalName using a port name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L184) -- [should return 200 for service type=ExternalName using FQDN with trailing dot](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L217) -- [should update the external name after a service update](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L248) -- [should sync ingress on external name service addition/deletion](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L311) - -### [[Service] Nil Service Backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_nil_backend.go#L31) - -- [should return 404 when backend service is nil](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_nil_backend.go#L38) - -### [access-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L27) - -- [use the default configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L32) -- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L42) -- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L54) -- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L67) -- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L80) - -### [Bad annotation values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L29) - -- [[BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L36) -- [[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L67) -- [[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L102) -- [[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L133) - -### [brotli](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/brotli.go#L30) - -- [ condition](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/brotli.go#L39) - -### [Configmap change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L29) - -- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L36) - -### [add-headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L30) - -- [Add a custom header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L40) -- [Add multiple custom headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L65) - -### [[SSL] [Flag] default-ssl-certificate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L33) - -- [uses default ssl certificate for catch-all ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L64) -- [uses default ssl certificate for host based ingress when configured certificate does not match host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L80) - -### [[Flag] disable-catch-all](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L33) - -- [should ignore catch all Ingress with backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L50) -- [should ignore catch all Ingress with backend and rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L69) -- [should delete Ingress updated to catch-all](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L81) -- [should allow Ingress with rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L123) - -### [[Flag] disable-service-external-name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_service_external_name.go#L35) - -- [should ignore services of external-name type](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_service_external_name.go#L52) - -### [enable-real-ip](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L30) - -- [trusts X-Forwarded-For header only when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L40) -- [should not trust X-Forwarded-For header when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L78) - -### [use-forwarded-headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L30) - -- [should trust X-Forwarded headers when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L40) -- [should not trust X-Forwarded headers when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L92) - ### [Geoip2](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/geoip2.go#L37) - [should include geoip2 line in config when enabled and db file exists](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/geoip2.go#L46) - [should only allow requests from specific countries](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/geoip2.go#L70) -### [[Security] block-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L28) - -- [should block CIDRs defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L38) -- [should block User-Agents defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L55) -- [should block Referers defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L88) - ### [[Security] global-auth-url](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L34) - [should return status code 401 when request any protected service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L85) @@ -667,39 +27,59 @@ Do not try to edit it manually. - [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L337) - [user with global-auth-always-set-cookie key in configmap retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L348) -### [global-options](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L28) +### [[Security] Pod Security Policies](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy.go#L40) -- [should have worker_rlimit_nofile option](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L31) -- [should have worker_rlimit_nofile option and be independent on amount of worker processes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L38) +- [should be running with a Pod Security Policy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy.go#L43) -### [settings-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/globalratelimit.go#L30) +### [log-format-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L28) -- [generates correct NGINX configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/globalratelimit.go#L38) +- [should disable the log-format-escape-json by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L40) +- [should enable the log-format-escape-json](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L47) +- [should disable the log-format-escape-json](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L55) +- [log-format-escape-json enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L66) +- [log-format-escape-json disabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L89) -### [hash size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L27) +### [server-tokens](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L29) -- [should set server_names_hash_bucket_size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L40) -- [should set server_names_hash_max_size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L48) -- [should set proxy-headers-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L60) -- [should set proxy-headers-hash-max-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L68) -- [should set variables-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L80) -- [should set variables-hash-max-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L88) -- [should set vmap-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L100) +- [should not exists Server header in the response](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L38) +- [should exists Server header in the response when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L50) -### [[Flag] ingress-class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L39) +### [proxy-connect-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L28) -- [should ignore Ingress with a different class annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L68) -- [should ignore Ingress with different controller class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L104) -- [should accept both Ingresses with default IngressClassName and IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L132) -- [should ignore Ingress without IngressClass configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L164) -- [should delete Ingress when class is removed](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L192) -- [should serve Ingress when class is added](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L257) -- [should serve Ingress when class is updated between annotation and ingressClassName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L323) -- [should ignore Ingress with no class and accept the correctly configured Ingresses](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L413) -- [should watch Ingress with no class and ignore ingress with a different class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L482) -- [should watch Ingress that uses the class name even if spec is different](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L539) -- [should watch Ingress with correct annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L631) -- [should ignore Ingress with only IngressClassName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L652) +- [should set valid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L36) +- [should not set invalid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L52) + +### [ssl-ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_ciphers.go#L28) + +- [Add ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_ciphers.go#L31) + +### [use-proxy-protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L36) + +- [should respect port passed by the PROXY Protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L46) +- [should respect proto passed by the PROXY Protocol server port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L79) +- [should enable PROXY Protocol for HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L112) +- [should enable PROXY Protocol for TCP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L155) + +### [plugins](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/plugins.go#L28) + +- [should exist a x-hello-world header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/plugins.go#L35) + +### [configmap server-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_snippet.go#L28) + +- [should add value of server-snippet setting to all ingress config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_snippet.go#L35) +- [should add global server-snippet and drop annotations per admin config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_snippet.go#L92) + +### [[Flag] disable-catch-all](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L33) + +- [should ignore catch all Ingress with backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L50) +- [should ignore catch all Ingress with backend and rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L69) +- [should delete Ingress updated to catch-all](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L81) +- [should allow Ingress with rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L123) + +### [enable-real-ip](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L30) + +- [trusts X-Forwarded-For header only when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L40) +- [should not trust X-Forwarded-For header when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L78) ### [keep-alive keep-alive-requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L28) @@ -707,41 +87,7 @@ Do not try to edit it manually. - [should set keepalive_requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L48) - [should set keepalive connection to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L59) - [should set keep alive connection timeout to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L68) -- [should set keepalive time to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L77) -- [should set the request count to upstream server through one keep alive connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L86) - -### [Configmap - limit-rate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/limit_rate.go#L28) - -- [Check limit-rate config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/limit_rate.go#L36) - -### [[Flag] custom HTTP and HTTPS ports](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L32) - -- [should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L48) -- [should set X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L70) -- [should set the X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L100) - -### [log-format-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L28) - -- [should not configure log-format escape by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L40) -- [should enable the log-format-escape-json](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L47) -- [should disable the log-format-escape-json](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L55) -- [should enable the log-format-escape-none](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L63) -- [should disable the log-format-escape-none](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L71) -- [log-format-escape-json enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L82) -- [log-format default escape](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L105) -- [log-format-escape-none enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L128) - -### [[Lua] lua-shared-dicts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/lua_shared_dicts.go#L26) - -- [configures lua shared dicts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/lua_shared_dicts.go#L29) - -### [main-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/main_snippet.go#L27) - -- [should add value of main-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/main_snippet.go#L31) - -### [[Security] modsecurity-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity/modsecurity_snippet.go#L27) - -- [should add value of modsecurity-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity/modsecurity_snippet.go#L30) +- [should set the request count to upstream server through one keep alive connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L77) ### [enable-multi-accept](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/multi_accept.go#L27) @@ -753,19 +99,9 @@ Do not try to edit it manually. - [should ingore Ingress of namespace without label foo=bar and accept those of namespace with label foo=bar](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/namespace_selector.go#L70) -### [[Security] no-auth-locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L33) +### [[Flag] disable-service-external-name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_service_external_name.go#L34) -- [should return status code 401 when accessing '/' unauthentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L54) -- [should return status code 200 when accessing '/' authentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L68) -- [should return status code 200 when accessing '/noauth' unauthenticated](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L82) - -### [Add no tls redirect locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L28) - -- [Check no tls redirect locations config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L31) - -### [OCSP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L42) - -- [should enable OCSP and contain stapling information in the connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L49) +- [should ignore services of external-name type](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_service_external_name.go#L51) ### [Configure OpenTracing](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L48) @@ -783,48 +119,41 @@ Do not try to edit it manually. - [should enable opentracing using jaeger with an HTTP endpoint](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L228) - [should enable opentracing using datadog](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L241) -### [plugins](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/plugins.go#L28) +### [Configmap change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L29) -- [should exist a x-hello-world header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/plugins.go#L35) +- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L36) -### [[Security] Pod Security Policies](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy.go#L41) +### [Configmap - limit-rate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/limit_rate.go#L28) -- [should be running with a Pod Security Policy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy.go#L44) +- [Check limit-rate config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/limit_rate.go#L36) -### [[Security] Pod Security Policies with volumes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy_volumes.go#L37) +### [access-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L26) -- [should be running with a Pod Security Policy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy_volumes.go#L40) +- [use the default configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L31) +- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L41) +- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L53) +- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L66) +- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L79) -### [proxy-connect-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L28) +### [global-options](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L28) -- [should set valid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L36) -- [should not set invalid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L52) +- [should have worker_rlimit_nofile option](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L31) +- [should have worker_rlimit_nofile option and be independent on amount of worker processes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L38) -### [Dynamic $proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L28) +### [[Flag] ingress-class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L39) -- [should exist a proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L36) -- [should exist a proxy_host using the upstream-vhost annotation value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L57) - -### [proxy-next-upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_next_upstream.go#L28) - -- [should build proxy next upstream using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_next_upstream.go#L36) - -### [use-proxy-protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L36) - -- [should respect port passed by the PROXY Protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L46) -- [should respect proto passed by the PROXY Protocol server port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L79) -- [should enable PROXY Protocol for HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L112) -- [should enable PROXY Protocol for TCP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L155) - -### [proxy-read-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L28) - -- [should set valid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L36) -- [should not set invalid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L52) - -### [proxy-send-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L28) - -- [should set valid proxy send timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L36) -- [should not set invalid proxy send timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L52) +- [should ignore Ingress with a different class annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L68) +- [should ignore Ingress with different controller class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L104) +- [should accept both Ingresses with default IngressClassName and IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L132) +- [should ignore Ingress without IngressClass configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L164) +- [should delete Ingress when class is removed](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L192) +- [should serve Ingress when class is added](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L257) +- [should serve Ingress when class is updated between annotation and ingressClassName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L323) +- [should ignore Ingress with no class and accept the correctly configured Ingresses](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L413) +- [should watch Ingress with no class and ignore ingress with a different class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L482) +- [should watch Ingress that uses the class name even if spec is different](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L539) +- [should watch Ingress with correct annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L631) +- [should ignore Ingress with only IngressClassName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L652) ### [reuse-port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/reuse-port.go#L27) @@ -832,33 +161,133 @@ Do not try to edit it manually. - [reuse port should be disabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/reuse-port.go#L44) - [reuse port should be enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/reuse-port.go#L52) -### [configmap server-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_snippet.go#L28) +### [proxy-send-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L28) -- [should add value of server-snippet setting to all ingress config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_snippet.go#L35) -- [should add global server-snippet and drop annotations per admin config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_snippet.go#L92) +- [should set valid proxy send timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L36) +- [should not set invalid proxy send timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L52) -### [server-tokens](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L29) +### [[SSL] [Flag] default-ssl-certificate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L33) -- [should not exists Server header in the response](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L38) -- [should exists Server header in the response when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L50) +- [uses default ssl certificate for catch-all ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L64) +- [uses default ssl certificate for host based ingress when configured certificate does not match host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L80) -### [ssl-ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_ciphers.go#L28) +### [brotli](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/brotli.go#L30) -- [Add ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_ciphers.go#L31) +- [ condition](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/brotli.go#L39) -### [configmap stream-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/stream_snippet.go#L35) +### [[Security] Pod Security Policies with volumes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy_volumes.go#L36) -- [should add value of stream-snippet via config map to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/stream_snippet.go#L42) +- [should be running with a Pod Security Policy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy_volumes.go#L39) + +### [Dynamic $proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L28) + +- [should exist a proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L36) +- [should exist a proxy_host using the upstream-vhost annotation value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L57) + +### [[Security] block-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L28) + +- [should block CIDRs defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L38) +- [should block User-Agents defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L55) +- [should block Referers defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L88) + +### [settings-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/globalratelimit.go#L30) + +- [generates correct NGINX configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/globalratelimit.go#L38) + +### [Add no tls redirect locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L28) + +- [Check no tls redirect locations config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L31) + +### [main-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/main_snippet.go#L27) + +- [should add value of main-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/main_snippet.go#L31) + +### [[Lua] lua-shared-dicts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/lua_shared_dicts.go#L26) + +- [configures lua shared dicts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/lua_shared_dicts.go#L29) + +### [Bad annotation values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L29) + +- [[BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L36) +- [[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L67) +- [[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L102) +- [[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L133) ### [[SSL] TLS protocols, ciphers and headers)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L31) - [setting cipher suite](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L65) -- [setting max-age parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L111) -- [setting includeSubDomains parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L127) -- [setting preload parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L146) -- [overriding what's set from the upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L166) -- [should not use ports during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L187) -- [should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L205) +- [enforcing TLS v1.0](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L87) +- [setting max-age parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L133) +- [setting includeSubDomains parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L149) +- [setting preload parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L168) +- [overriding what's set from the upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L188) +- [should not use ports during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L209) +- [should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L227) + +### [[Security] modsecurity-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity/modsecurity_snippet.go#L27) + +- [should add value of modsecurity-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity/modsecurity_snippet.go#L30) + +### [OCSP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L42) + +- [should enable OCSP and contain stapling information in the connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L49) + +### [configmap stream-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/stream_snippet.go#L34) + +- [should add value of stream-snippet via config map to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/stream_snippet.go#L41) + +### [proxy-read-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L28) + +- [should set valid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L36) +- [should not set invalid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L52) + +### [proxy-next-upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_next_upstream.go#L28) + +- [should build proxy next upstream using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_next_upstream.go#L36) + +### [hash size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L27) + +- [should set server_names_hash_bucket_size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L40) +- [should set server_names_hash_max_size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L48) +- [should set proxy-headers-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L60) +- [should set proxy-headers-hash-max-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L68) +- [should set variables-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L80) +- [should set variables-hash-max-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L88) +- [should set vmap-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L100) + +### [[Security] no-auth-locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L33) + +- [should return status code 401 when accessing '/' unauthentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L54) +- [should return status code 200 when accessing '/' authentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L68) +- [should return status code 200 when accessing '/noauth' unauthenticated](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L82) + +### [[Flag] custom HTTP and HTTPS ports](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L32) + +- [should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L48) +- [should set X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L70) +- [should set the X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L100) + +### [use-forwarded-headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L30) + +- [should trust X-Forwarded headers when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L40) +- [should not trust X-Forwarded headers when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L92) + +### [add-headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L30) + +- [Add a custom header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L40) +- [Add multiple custom headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L65) + +### [[Load Balancer] round-robin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/round_robin.go#L31) + +- [should evenly distribute requests with round-robin (default algorithm)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/round_robin.go#L39) + +### [[Load Balancer] EWMA](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/ewma.go#L31) + +- [does not fail requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/ewma.go#L42) + +### [[Load Balancer] load-balance](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/configmap.go#L28) + +- [should apply the configmap load-balance setting](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/configmap.go#L35) ### [[SSL] redirect to HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/http_redirect.go#L29) @@ -869,11 +298,22 @@ Do not try to edit it manually. - [should not appear references to secret updates not used in ingress rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/secret_update.go#L40) - [should return the fake SSL certificate if the secret is invalid](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/secret_update.go#L82) -### [[Status] status update](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/status/update.go#L38) +### [[Service] Type ExternalName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L58) -- [should update status field after client-go reconnection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/status/update.go#L43) +- [works with external name set to incomplete fqdn](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L61) +- [should return 200 for service type=ExternalName without a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L94) +- [should return 200 for service type=ExternalName with a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L128) +- [should return status 502 for service type=ExternalName with an invalid host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L152) +- [should return 200 for service type=ExternalName using a port name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L183) +- [should return 200 for service type=ExternalName using FQDN with trailing dot](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L216) +- [should update the external name after a service update](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L247) +- [should sync ingress on external name service addition/deletion](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L310) -### [[TCP] tcp-services](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L37) +### [[Service] Nil Service Backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_nil_backend.go#L31) -- [should expose a TCP service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L40) -- [should expose an ExternalName TCP service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L98) \ No newline at end of file +- [should return 404 when backend service is nil](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_nil_backend.go#L38) + +### [[Service] backend status code 503](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L33) + +- [should return 503 when backend service does not exist](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L36) +- [should return 503 when all backend service endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L54) From a6badc438f33b5d7d2fff5f3444c0364af76a42d Mon Sep 17 00:00:00 2001 From: James Strong Date: Thu, 29 Dec 2022 20:02:55 -0500 Subject: [PATCH 099/405] roll helm chart forward Signed-off-by: James Strong --- charts/ingress-nginx/Chart.yaml | 2 +- charts/ingress-nginx/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index 461601f59..2a15960f7 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: ingress-nginx # When the version is modified, make sure the artifacthub.io/changes list is updated # Also update CHANGELOG.md -version: 4.4.0 +version: 4.4.2 appVersion: 1.5.1 home: https://github.com/kubernetes/ingress-nginx description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index af71493fe..e4ef9ec1b 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.4.0](https://img.shields.io/badge/Version-4.4.0-informational?style=flat-square) ![AppVersion: 1.5.1](https://img.shields.io/badge/AppVersion-1.5.1-informational?style=flat-square) +![Version: 4.4.2](https://img.shields.io/badge/Version-4.4.2-informational?style=flat-square) ![AppVersion: 1.5.1](https://img.shields.io/badge/AppVersion-1.5.1-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. From 5bfd3e2a674a0b6e36282df3d48077c9ed5bd8c8 Mon Sep 17 00:00:00 2001 From: Kir Shatrov Date: Fri, 6 Jan 2023 18:07:58 +0300 Subject: [PATCH 100/405] Optional podman support (#9294) --- .gitignore | 1 + build/run-in-docker.sh | 45 ++++++++++++++++++++++-------------------- 2 files changed, 25 insertions(+), 21 deletions(-) diff --git a/.gitignore b/.gitignore index 0943c3b1a..2c0accad7 100644 --- a/.gitignore +++ b/.gitignore @@ -59,3 +59,4 @@ images/fastcgi-helloserver/rootfs/fastcgi-helloserver cmd/plugin/release/ingress-nginx.yaml cmd/plugin/release/*.tar.gz cmd/plugin/release/LICENSE +tmp/ diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh index d41464e2e..44ca2d5f7 100755 --- a/build/run-in-docker.sh +++ b/build/run-in-docker.sh @@ -19,20 +19,26 @@ if [ "$DEBUG" == "true" ]; then set -x fi +RUNTIME=${RUNTIME:-"docker"} + set -o errexit set -o nounset set -o pipefail # temporal directory for the /etc/ingress-controller directory -INGRESS_VOLUME=$(mktemp -d) +if [[ "$OSTYPE" == darwin* ]] && [[ "$RUNTIME" == podman ]]; then + mkdir -p "tmp" + INGRESS_VOLUME=$(pwd)/$(mktemp -d tmp/XXXXXX) +else + INGRESS_VOLUME=$(mktemp -d) + if [[ "$OSTYPE" == darwin* ]]; then + INGRESS_VOLUME=/private$INGRESS_VOLUME + fi +fi # make sure directory for SSL cert storage exists under ingress volume mkdir "${INGRESS_VOLUME}/ssl" -if [[ "$OSTYPE" == darwin* ]]; then - INGRESS_VOLUME=/private$INGRESS_VOLUME -fi - function cleanup { rm -rf "${INGRESS_VOLUME}" } @@ -40,6 +46,11 @@ trap cleanup EXIT E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20221221-controller-v1.5.1-62-g6ffaef32a@sha256:8f025472964cd15ae2d379503aba150565a8d78eb36b41ddfc5f1e3b1ca81a8e} +if [[ "$RUNTIME" == podman ]]; then + # Podman does not support both tag and digest + E2E_IMAGE=$(echo $E2E_IMAGE | awk -F "@sha" '{print $1}') +fi + DOCKER_OPTS=${DOCKER_OPTS:-} DOCKER_IN_DOCKER_ENABLED=${DOCKER_IN_DOCKER_ENABLED:-} @@ -82,20 +93,12 @@ if [[ "$DOCKER_IN_DOCKER_ENABLED" == "true" ]]; then /bin/bash -c "${FLAGS}" else echo "Reached DIND check ELSE block, inside run-in-docker.sh" - docker run \ - ${PLATFORM_FLAG} ${PLATFORM} \ - --tty \ - --rm \ - ${DOCKER_OPTS} \ - -e DEBUG=${DEBUG} \ - -e GOCACHE="/go/src/${PKG}/.cache" \ - -e GOMODCACHE="/go/src/${PKG}/.modcache" \ - -e DOCKER_IN_DOCKER_ENABLED="true" \ - -v "${HOME}/.kube:${HOME}/.kube" \ - -v "${KUBE_ROOT}:/go/src/${PKG}" \ - -v "${KUBE_ROOT}/bin/${ARCH}:/go/bin/linux_${ARCH}" \ - -v "/var/run/docker.sock:/var/run/docker.sock" \ - -v "${INGRESS_VOLUME}:/etc/ingress-controller/" \ - -w "/go/src/${PKG}" \ - ${E2E_IMAGE} /bin/bash -c "${FLAGS}" + + args="${PLATFORM_FLAG} ${PLATFORM} --tty --rm ${DOCKER_OPTS} -e DEBUG=${DEBUG} -e GOCACHE="/go/src/${PKG}/.cache" -e GOMODCACHE="/go/src/${PKG}/.modcache" -e DOCKER_IN_DOCKER_ENABLED="true" -v "${HOME}/.kube:${HOME}/.kube" -v "${KUBE_ROOT}:/go/src/${PKG}" -v "${KUBE_ROOT}/bin/${ARCH}:/go/bin/linux_${ARCH}" -v "${INGRESS_VOLUME}:/etc/ingress-controller/" -w "/go/src/${PKG}"" + + if [[ "$RUNTIME" == "docker" ]]; then + args="$args -v /var/run/docker.sock:/var/run/docker.sock" + fi + + ${RUNTIME} run $args ${E2E_IMAGE} /bin/bash -c "${FLAGS}" fi From 96b3d216550e8aa538a730fa112a40e8f75aec95 Mon Sep 17 00:00:00 2001 From: Ehsan Saei <71217171+esigo@users.noreply.github.com> Date: Sun, 8 Jan 2023 00:37:27 +0100 Subject: [PATCH 101/405] bump OpenTelemetry (#9489) --- images/opentelemetry/rootfs/CMakeLists.txt | 2 +- images/opentelemetry/rootfs/Dockerfile | 4 ++-- images/opentelemetry/rootfs/build.sh | 6 +++--- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/images/opentelemetry/rootfs/CMakeLists.txt b/images/opentelemetry/rootfs/CMakeLists.txt index e4abc7346..ef90b5805 100644 --- a/images/opentelemetry/rootfs/CMakeLists.txt +++ b/images/opentelemetry/rootfs/CMakeLists.txt @@ -21,7 +21,7 @@ project( LANGUAGES CXX VERSION 0.0.1) -set(CMAKE_CXX_STANDARD 11) +set(CMAKE_CXX_STANDARD 17) set(CMAKE_CXX_EXTENSIONS OFF) set(CMAKE_CXX_STANDARD_REQUIRED ON) set(CMAKE_CXX_FLAGS "-O2") diff --git a/images/opentelemetry/rootfs/Dockerfile b/images/opentelemetry/rootfs/Dockerfile index 7746edbf1..aa4e219af 100644 --- a/images/opentelemetry/rootfs/Dockerfile +++ b/images/opentelemetry/rootfs/Dockerfile @@ -26,12 +26,12 @@ RUN apk update \ # install gRPC FROM base as grpc -RUN bash /opt/third_party/build.sh -g v1.43.2 +RUN bash /opt/third_party/build.sh -g v1.49.2 # install OpenTelemetry-cpp FROM base as otel-cpp COPY --from=grpc /opt/third_party/install/ /usr -RUN bash /opt/third_party/build.sh -o v1.3.0 +RUN bash /opt/third_party/build.sh -o v1.8.1 # install otel_ngx_module.so FROM base as nginx diff --git a/images/opentelemetry/rootfs/build.sh b/images/opentelemetry/rootfs/build.sh index 19914932c..6ad4601c6 100755 --- a/images/opentelemetry/rootfs/build.sh +++ b/images/opentelemetry/rootfs/build.sh @@ -100,9 +100,9 @@ install_otel() -DBUILD_SHARED_LIBS=OFF \ -DWITH_OTLP=ON \ -DWITH_OTLP_GRPC=ON \ - -DWITH_EXAMPLES=OFF \ - -DWITH_ABSEIL=ON \ -DWITH_OTLP_HTTP=OFF \ + -DWITH_ABSEIL=OFF \ + -DWITH_EXAMPLES=OFF \ .. cmake --build . -j ${CORES} --target install } @@ -126,7 +126,7 @@ install_nginx() export NGINX_VERSION=1.21.6 # Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp-contrib/compare/2656a4...main - export OPENTELEMETRY_CONTRIB_COMMIT=6467ec2e4d67b08b44580b7eb7a298786f4eef91 + export OPENTELEMETRY_CONTRIB_COMMIT=1ec94c82095bab61f06c7393b6f3272469d285af mkdir -p /etc/nginx cd "$BUILD_PATH" From 490e872b4ab779b811d4828502309971c348f6ba Mon Sep 17 00:00:00 2001 From: Ehsan Saei <71217171+esigo@users.noreply.github.com> Date: Sun, 8 Jan 2023 22:21:28 +0100 Subject: [PATCH 102/405] update OpenTelemetry image (#9491) * update OpenTelemetry image * helm-doc --- charts/ingress-nginx/README.md | 2 +- charts/ingress-nginx/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index e4ef9ec1b..57f4ea072 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -393,7 +393,7 @@ Kubernetes: `>=1.20.0-0` | controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ # | | controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | | controller.opentelemetry.enabled | bool | `false` | | -| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20221114-controller-v1.5.1-6-ga66ee73c5@sha256:41076fd9fb4255677c1a3da1ac3fc41477f06eba3c7ebf37ffc8f734dad51d7c"` | | +| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230107-helm-chart-4.4.2-2-g96b3d2165@sha256:331b9bebd6acfcd2d3048abbdd86555f5be76b7e3d0b5af4300b04235c6056c9"` | | | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # | | controller.podLabels | object | `{}` | Labels to add to the pod container metadata | | controller.podSecurityContext | object | `{}` | Security Context policies for controller pods | diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index b7089addb..26252ac29 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -593,7 +593,7 @@ controller: opentelemetry: enabled: false - image: registry.k8s.io/ingress-nginx/opentelemetry:v20221114-controller-v1.5.1-6-ga66ee73c5@sha256:41076fd9fb4255677c1a3da1ac3fc41477f06eba3c7ebf37ffc8f734dad51d7c + image: registry.k8s.io/ingress-nginx/opentelemetry:v20230107-helm-chart-4.4.2-2-g96b3d2165@sha256:331b9bebd6acfcd2d3048abbdd86555f5be76b7e3d0b5af4300b04235c6056c9 containerSecurityContext: allowPrivilegeEscalation: false From 5b0403314c61e8f28a5a5c6b30c5fa36c7b34114 Mon Sep 17 00:00:00 2001 From: Marco Ebert Date: Sun, 8 Jan 2023 22:59:28 +0100 Subject: [PATCH 103/405] Admission Webhooks/Job: Add `NetworkPolicy`. (#9218) --- .../job-patch/clusterrolebinding.yaml | 2 +- .../job-patch/networkpolicy.yaml | 26 +++++++++++++++++++ .../admission-webhooks/job-patch/role.yaml | 2 +- 3 files changed, 28 insertions(+), 2 deletions(-) create mode 100644 charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml index 002abd43b..871953261 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission + name: {{ include "ingress-nginx.fullname" . }}-admission annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml new file mode 100644 index 000000000..08b32257c --- /dev/null +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml @@ -0,0 +1,26 @@ +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.networkPolicyEnabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "ingress-nginx.fullname" . }}-admission + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: admission-webhook + {{- with .Values.controller.admissionWebhooks.patch.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: + {{- include "ingress-nginx.labels" . | nindent 6 }} + app.kubernetes.io/component: admission-webhook + policyTypes: + - Ingress + - Egress + egress: + - {} +{{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml index 2aab6f4b1..ea7c20818 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission + name: {{ include "ingress-nginx.fullname" . }}-admission namespace: {{ .Release.Namespace }} annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade From f82e29a7302d1219c30726588c8e3aa0409fcfe2 Mon Sep 17 00:00:00 2001 From: Carlos Tadeu Panato Junior Date: Sun, 8 Jan 2023 23:25:27 +0100 Subject: [PATCH 104/405] add github actions stale bot (#9439) Signed-off-by: cpanato Signed-off-by: cpanato --- .github/workflows/stale.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 .github/workflows/stale.yaml diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml new file mode 100644 index 000000000..736585e05 --- /dev/null +++ b/.github/workflows/stale.yaml @@ -0,0 +1,24 @@ +name: 'Stale Issues and PRs' + +on: + schedule: + - cron: '30 1 * * *' + +jobs: + stale: + runs-on: ubuntu-latest + + permissions: + issues: write + pull-requests: write + + steps: + - uses: actions/stale@6f05e4244c9a0b2ed3401882b05d701dd0a7289b # v7.0.0 + with: + stale-issue-message: 'This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach `#ingress-nginx-dev` on Kubernetes Slack.' + stale-pr-message: 'This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach `#ingress-nginx-dev` on Kubernetes Slack.' + stale-issue-label: lifecycle/frozen + stale-pr-label: lifecycle/frozen + days-before-issue-stale: 30 + days-before-pr-stale: 45 + days-before-close: -1 # dont not close issues/prs From 0b34a037ce41efacbbb1fe13ea0fea617452458b Mon Sep 17 00:00:00 2001 From: Naseem Ullah <24660299+naseemkullah@users.noreply.github.com> Date: Sun, 8 Jan 2023 17:27:28 -0500 Subject: [PATCH 105/405] Update monitoring.md (#9269) --- docs/user-guide/monitoring.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/monitoring.md b/docs/user-guide/monitoring.md index 5c53213ea..cc9fb91ec 100644 --- a/docs/user-guide/monitoring.md +++ b/docs/user-guide/monitoring.md @@ -357,7 +357,7 @@ Prometheus metrics are exposed on port 10254. * `nginx_ingress_controller_request_duration_seconds` Histogram - The request processing time in milliseconds (affected by client speed) + The request processing time in seconds (affected by client speed) nginx var: `request_time` From 9926f1d642335b57c05b79ce00e5e55904cca6e4 Mon Sep 17 00:00:00 2001 From: Julien Pellet Date: Sun, 8 Jan 2023 17:29:27 -0500 Subject: [PATCH 106/405] Fix indentation on serviceAccount annotation (#9129) From bbf7c79f96d54e3815c28c0e4ca54334a902925d Mon Sep 17 00:00:00 2001 From: yutachaos <18604471+yutachaos@users.noreply.github.com> Date: Mon, 9 Jan 2023 07:37:27 +0900 Subject: [PATCH 107/405] Add update updateStrategy and minReadySeconds for defaultBackend (#8506) * Add update updateStrategy and minReadySeconds for defaultBackend * Bump chart * Fixed docs helm-docs version --- charts/ingress-nginx/README.md | 2 ++ .../templates/default-backend-deployment.yaml | 5 +++++ charts/ingress-nginx/values.yaml | 11 +++++++++++ 3 files changed, 18 insertions(+) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 57f4ea072..00d85156e 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -481,6 +481,7 @@ Kubernetes: `>=1.20.0-0` | defaultBackend.livenessProbe.successThreshold | int | `1` | | | defaultBackend.livenessProbe.timeoutSeconds | int | `5` | | | defaultBackend.minAvailable | int | `1` | | +| defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | defaultBackend.name | string | `"defaultbackend"` | | | defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ # | | defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # | @@ -504,6 +505,7 @@ Kubernetes: `>=1.20.0-0` | defaultBackend.serviceAccount.create | bool | `true` | | | defaultBackend.serviceAccount.name | string | `""` | | | defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # | +| defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # | | dhParam | string | `nil` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param | | imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | | podSecurityPolicy.enabled | bool | `false` | | diff --git a/charts/ingress-nginx/templates/default-backend-deployment.yaml b/charts/ingress-nginx/templates/default-backend-deployment.yaml index fd3e96e9e..87aced49d 100644 --- a/charts/ingress-nginx/templates/default-backend-deployment.yaml +++ b/charts/ingress-nginx/templates/default-backend-deployment.yaml @@ -19,6 +19,11 @@ spec: replicas: {{ .Values.defaultBackend.replicaCount }} {{- end }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + {{- if .Values.defaultBackend.updateStrategy }} + strategy: + {{ toYaml .Values.defaultBackend.updateStrategy | nindent 4 }} + {{- end }} + minReadySeconds: {{ .Values.defaultBackend.minReadySeconds }} template: metadata: {{- if .Values.defaultBackend.podAnnotations }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 26252ac29..a7fab0fe9 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -841,6 +841,17 @@ defaultBackend: successThreshold: 1 timeoutSeconds: 5 + # -- The update strategy to apply to the Deployment or DaemonSet + ## + updateStrategy: {} + # rollingUpdate: + # maxUnavailable: 1 + # type: RollingUpdate + + # -- `minReadySeconds` to avoid killing pods before we are ready + ## + minReadySeconds: 0 + # -- Node tolerations for server scheduling to nodes with taints ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ ## From 8ed3a27e255aef5616de631986f8cbfc1b882a5a Mon Sep 17 00:00:00 2001 From: Phil Nichol <35630607+philnichol@users.noreply.github.com> Date: Sun, 8 Jan 2023 22:43:28 +0000 Subject: [PATCH 108/405] Adding ipdenylist annotation (#8795) * feat: Add support for IP Deny List * fixed gomod * Update package * go mod tidy * Revert "go mod tidy" This reverts commit e6a837e1e76d72115e8727a33d2f4c1cd7249f1f. * update ginko version * Updates e2e tests * fix test typo --- .../nginx-configuration/annotations.md | 12 + .../nginx-configuration/configmap.md | 6 + internal/ingress/annotations/annotations.go | 3 + .../ingress/annotations/ipdenylist/main.go | 95 + .../annotations/ipdenylist/main_test.go | 216 ++ internal/ingress/controller/config/config.go | 1 + internal/ingress/controller/controller.go | 1 + .../ingress/controller/template/configmap.go | 8 + .../controller/template/configmap_test.go | 2 + internal/ingress/defaults/main.go | 4 + pkg/apis/ingress/types.go | 6 + pkg/apis/ingress/types_equals.go | 3 + rootfs/etc/nginx/template/nginx.tmpl | 4 + test/data/config.json | 3060 +++++++++++++++++ test/e2e/annotations/ipdenylist.go | 147 + 15 files changed, 3568 insertions(+) create mode 100644 internal/ingress/annotations/ipdenylist/main.go create mode 100644 internal/ingress/annotations/ipdenylist/main_test.go create mode 100644 test/e2e/annotations/ipdenylist.go diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md index 49e252589..8cc6f4c16 100755 --- a/docs/user-guide/nginx-configuration/annotations.md +++ b/docs/user-guide/nginx-configuration/annotations.md @@ -109,6 +109,7 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz |[nginx.ingress.kubernetes.io/x-forwarded-prefix](#x-forwarded-prefix-header)|string| |[nginx.ingress.kubernetes.io/load-balance](#custom-nginx-load-balancing)|string| |[nginx.ingress.kubernetes.io/upstream-vhost](#custom-nginx-upstream-vhost)|string| +|[nginx.ingress.kubernetes.io/denylist-source-range](#denylist-source-range)|CIDR| |[nginx.ingress.kubernetes.io/whitelist-source-range](#whitelist-source-range)|CIDR| |[nginx.ingress.kubernetes.io/proxy-buffering](#proxy-buffering)|string| |[nginx.ingress.kubernetes.io/proxy-buffers-number](#proxy-buffers-number)|number| @@ -638,6 +639,17 @@ To enable this feature use the annotation `nginx.ingress.kubernetes.io/from-to-w !!! attention For HTTPS to HTTPS redirects is mandatory the SSL Certificate defined in the Secret, located in the TLS section of Ingress, contains both FQDN in the common name of the certificate. +### Denylist source range + +You can specify blocked client IP source ranges through the `nginx.ingress.kubernetes.io/denylist-source-range` annotation. +The value is a comma separated list of [CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing), e.g. `10.0.0.0/24,172.10.0.1`. + +To configure this setting globally for all Ingress rules, the `denylist-source-range` value may be set in the [NGINX ConfigMap](./configmap.md#denylist-source-range). + +!!! note + Adding an annotation to an Ingress rule overrides any global restriction. + + ### Whitelist source range You can specify allowed client IP source ranges through the `nginx.ingress.kubernetes.io/whitelist-source-range` annotation. diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md index f5d22d11c..77cee0507 100755 --- a/docs/user-guide/nginx-configuration/configmap.md +++ b/docs/user-guide/nginx-configuration/configmap.md @@ -176,6 +176,7 @@ The following table shows a configuration option's name, type, and the default v |[proxy-request-buffering](#proxy-request-buffering)|string|"on"| |[ssl-redirect](#ssl-redirect)|bool|"true"| |[force-ssl-redirect](#force-ssl-redirect)|bool|"false"| +|[denylist-source-range](#denylist-source-range)|[]string|[]string{}| |[whitelist-source-range](#whitelist-source-range)|[]string|[]string{}| |[skip-access-log-urls](#skip-access-log-urls)|[]string|[]string{}| |[limit-rate](#limit-rate)|int|0| @@ -1096,6 +1097,11 @@ _**default:**_ "true" Sets the global value of redirects (308) to HTTPS if the server has a default TLS certificate (defined in extra-args). _**default:**_ "false" +## denylist-source-range + +Sets the default denylisted IPs for each `server` block. This can be overwritten by an annotation on an Ingress rule. +See [ngx_http_access_module](https://nginx.org/en/docs/http/ngx_http_access_module.html). + ## whitelist-source-range Sets the default whitelisted IPs for each `server` block. This can be overwritten by an annotation on an Ingress rule. diff --git a/internal/ingress/annotations/annotations.go b/internal/ingress/annotations/annotations.go index fe7400ac7..14415a4f7 100644 --- a/internal/ingress/annotations/annotations.go +++ b/internal/ingress/annotations/annotations.go @@ -44,6 +44,7 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations/globalratelimit" "k8s.io/ingress-nginx/internal/ingress/annotations/http2pushpreload" "k8s.io/ingress-nginx/internal/ingress/annotations/influxdb" + "k8s.io/ingress-nginx/internal/ingress/annotations/ipdenylist" "k8s.io/ingress-nginx/internal/ingress/annotations/ipwhitelist" "k8s.io/ingress-nginx/internal/ingress/annotations/loadbalancing" "k8s.io/ingress-nginx/internal/ingress/annotations/log" @@ -110,6 +111,7 @@ type Ingress struct { LoadBalancing string UpstreamVhost string Whitelist ipwhitelist.SourceRange + Denylist ipdenylist.SourceRange XForwardedPrefix string SSLCipher sslcipher.Config Logs log.Config @@ -160,6 +162,7 @@ func NewAnnotationExtractor(cfg resolver.Resolver) Extractor { "LoadBalancing": loadbalancing.NewParser(cfg), "UpstreamVhost": upstreamvhost.NewParser(cfg), "Whitelist": ipwhitelist.NewParser(cfg), + "Denylist": ipdenylist.NewParser(cfg), "XForwardedPrefix": xforwardedprefix.NewParser(cfg), "SSLCipher": sslcipher.NewParser(cfg), "Logs": log.NewParser(cfg), diff --git a/internal/ingress/annotations/ipdenylist/main.go b/internal/ingress/annotations/ipdenylist/main.go new file mode 100644 index 000000000..f6a0e10f1 --- /dev/null +++ b/internal/ingress/annotations/ipdenylist/main.go @@ -0,0 +1,95 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package ipdenylist + +import ( + "fmt" + "sort" + "strings" + + networking "k8s.io/api/networking/v1" + "k8s.io/ingress-nginx/internal/net" + + "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" + "k8s.io/ingress-nginx/internal/ingress/resolver" + "k8s.io/ingress-nginx/pkg/util/sets" +) + +// SourceRange returns the CIDR +type SourceRange struct { + CIDR []string `json:"cidr,omitempty"` +} + +// Equal tests for equality between two SourceRange types +func (sr1 *SourceRange) Equal(sr2 *SourceRange) bool { + if sr1 == sr2 { + return true + } + if sr1 == nil || sr2 == nil { + return false + } + + return sets.StringElementsMatch(sr1.CIDR, sr2.CIDR) +} + +type ipdenylist struct { + r resolver.Resolver +} + +// NewParser creates a new denylist annotation parser +func NewParser(r resolver.Resolver) parser.IngressAnnotation { + return ipdenylist{r} +} + +// ParseAnnotations parses the annotations contained in the ingress +// rule used to limit access to certain client addresses or networks. +// Multiple ranges can specified using commas as separator +// e.g. `18.0.0.0/8,56.0.0.0/8` +func (a ipdenylist) Parse(ing *networking.Ingress) (interface{}, error) { + defBackend := a.r.GetDefaultBackend() + + defaultDenylistSourceRange := make([]string, len(defBackend.DenylistSourceRange)) + copy(defaultDenylistSourceRange, defBackend.DenylistSourceRange) + sort.Strings(defaultDenylistSourceRange) + + val, err := parser.GetStringAnnotation("denylist-source-range", ing) + // A missing annotation is not a problem, just use the default + if err == ing_errors.ErrMissingAnnotations { + return &SourceRange{CIDR: defaultDenylistSourceRange}, nil + } + + values := strings.Split(val, ",") + ipnets, ips, err := net.ParseIPNets(values...) + if err != nil && len(ips) == 0 { + return &SourceRange{CIDR: defaultDenylistSourceRange}, ing_errors.LocationDenied{ + Reason: fmt.Errorf("the annotation does not contain a valid IP address or network: %w", err), + } + } + + cidrs := []string{} + for k := range ipnets { + cidrs = append(cidrs, k) + } + for k := range ips { + cidrs = append(cidrs, k) + } + + sort.Strings(cidrs) + + return &SourceRange{cidrs}, nil +} diff --git a/internal/ingress/annotations/ipdenylist/main_test.go b/internal/ingress/annotations/ipdenylist/main_test.go new file mode 100644 index 000000000..eb69aa520 --- /dev/null +++ b/internal/ingress/annotations/ipdenylist/main_test.go @@ -0,0 +1,216 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package ipdenylist + +import ( + "testing" + + api "k8s.io/api/core/v1" + networking "k8s.io/api/networking/v1" + meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/defaults" + "k8s.io/ingress-nginx/internal/ingress/resolver" +) + +func buildIngress() *networking.Ingress { + defaultBackend := networking.IngressBackend{ + Service: &networking.IngressServiceBackend{ + Name: "default-backend", + Port: networking.ServiceBackendPort{ + Number: 80, + }, + }, + } + + return &networking.Ingress{ + ObjectMeta: meta_v1.ObjectMeta{ + Name: "foo", + Namespace: api.NamespaceDefault, + }, + Spec: networking.IngressSpec{ + DefaultBackend: &networking.IngressBackend{ + Service: &networking.IngressServiceBackend{ + Name: "default-backend", + Port: networking.ServiceBackendPort{ + Number: 80, + }, + }, + }, + Rules: []networking.IngressRule{ + { + Host: "foo.bar.com", + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + Path: "/foo", + Backend: defaultBackend, + }, + }, + }, + }, + }, + }, + }, + } +} + +func TestParseAnnotations(t *testing.T) { + ing := buildIngress() + tests := map[string]struct { + net string + expectCidr []string + expectErr bool + errOut string + }{ + "test parse a valid net": { + net: "10.0.0.0/24", + expectCidr: []string{"10.0.0.0/24"}, + expectErr: false, + }, + "test parse a invalid net": { + net: "ww", + expectErr: true, + errOut: "the annotation does not contain a valid IP address or network: invalid CIDR address: ww", + }, + "test parse a empty net": { + net: "", + expectErr: true, + errOut: "the annotation does not contain a valid IP address or network: invalid CIDR address: ", + }, + "test parse a malicious escaped string": { + net: `10.0.0.0/8"rm /tmp",11.0.0.0/8`, + expectErr: true, + errOut: `the annotation does not contain a valid IP address or network: invalid CIDR address: 10.0.0.0/8"rm /tmp"`, + }, + "test parse multiple valid cidr": { + net: "2.2.2.2/32,1.1.1.1/32,3.3.3.0/24", + expectCidr: []string{"1.1.1.1/32", "2.2.2.2/32", "3.3.3.0/24"}, + expectErr: false, + }, + } + + for testName, test := range tests { + data := map[string]string{} + data[parser.GetAnnotationWithPrefix("denylist-source-range")] = test.net + ing.SetAnnotations(data) + p := NewParser(&resolver.Mock{}) + i, err := p.Parse(ing) + if err != nil && !test.expectErr { + t.Errorf("%v:unexpected error: %v", testName, err) + } + if test.expectErr { + if err.Error() != test.errOut { + t.Errorf("%v:expected error: %v but %v return", testName, test.errOut, err.Error()) + } + } + if !test.expectErr { + sr, ok := i.(*SourceRange) + if !ok { + t.Errorf("%v:expected a SourceRange type", testName) + } + if !strsEquals(sr.CIDR, test.expectCidr) { + t.Errorf("%v:expected %v CIDR but %v returned", testName, test.expectCidr, sr.CIDR) + } + } + } +} + +type mockBackend struct { + resolver.Mock +} + +// GetDefaultBackend returns the backend that must be used as default +func (m mockBackend) GetDefaultBackend() defaults.Backend { + return defaults.Backend{ + DenylistSourceRange: []string{"4.4.4.0/24", "1.2.3.4/32"}, + } +} + +// Test that when we have a denylist set on the Backend that is used when we +// don't have the annotation +func TestParseAnnotationsWithDefaultConfig(t *testing.T) { + ing := buildIngress() + + mockBackend := mockBackend{} + + tests := map[string]struct { + net string + expectCidr []string + expectErr bool + errOut string + }{ + "test parse a valid net": { + net: "10.0.0.0/24", + expectCidr: []string{"10.0.0.0/24"}, + expectErr: false, + }, + "test parse a invalid net": { + net: "ww", + expectErr: true, + errOut: "the annotation does not contain a valid IP address or network: invalid CIDR address: ww", + }, + "test parse a empty net": { + net: "", + expectErr: true, + errOut: "the annotation does not contain a valid IP address or network: invalid CIDR address: ", + }, + "test parse multiple valid cidr": { + net: "2.2.2.2/32,1.1.1.1/32,3.3.3.0/24", + expectCidr: []string{"1.1.1.1/32", "2.2.2.2/32", "3.3.3.0/24"}, + expectErr: false, + }, + } + + for testName, test := range tests { + data := map[string]string{} + data[parser.GetAnnotationWithPrefix("denylist-source-range")] = test.net + ing.SetAnnotations(data) + p := NewParser(mockBackend) + i, err := p.Parse(ing) + if err != nil && !test.expectErr { + t.Errorf("%v:unexpected error: %v", testName, err) + } + if test.expectErr { + if err.Error() != test.errOut { + t.Errorf("%v:expected error: %v but %v return", testName, test.errOut, err.Error()) + } + } + if !test.expectErr { + sr, ok := i.(*SourceRange) + if !ok { + t.Errorf("%v:expected a SourceRange type", testName) + } + if !strsEquals(sr.CIDR, test.expectCidr) { + t.Errorf("%v:expected %v CIDR but %v returned", testName, test.expectCidr, sr.CIDR) + } + } + } +} + +func strsEquals(a, b []string) bool { + if len(a) != len(b) { + return false + } + for i, v := range a { + if v != b[i] { + return false + } + } + return true +} diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go index 8bf71b774..f064dad53 100644 --- a/internal/ingress/controller/config/config.go +++ b/internal/ingress/controller/config/config.go @@ -895,6 +895,7 @@ func NewDefault() Configuration { PreserveTrailingSlash: false, SSLRedirect: true, CustomHTTPErrors: []int{}, + DenylistSourceRange: []string{}, WhitelistSourceRange: []string{}, SkipAccessLogURLs: []string{}, LimitRate: 0, diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index f60f7a053..8eee56647 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -1412,6 +1412,7 @@ func locationApplyAnnotations(loc *ingress.Location, anns *annotations.Ingress) loc.Redirect = anns.Redirect loc.Rewrite = anns.Rewrite loc.UpstreamVhost = anns.UpstreamVhost + loc.Denylist = anns.Denylist loc.Whitelist = anns.Whitelist loc.Denied = anns.Denied loc.XForwardedPrefix = anns.XForwardedPrefix diff --git a/internal/ingress/controller/template/configmap.go b/internal/ingress/controller/template/configmap.go index 35a0e4536..61e8e4998 100644 --- a/internal/ingress/controller/template/configmap.go +++ b/internal/ingress/controller/template/configmap.go @@ -41,6 +41,7 @@ const ( customHTTPErrors = "custom-http-errors" skipAccessLogUrls = "skip-access-log-urls" whitelistSourceRange = "whitelist-source-range" + denylistSourceRange = "denylist-source-range" proxyRealIPCIDR = "proxy-real-ip-cidr" bindAddress = "bind-address" httpRedirectCode = "http-redirect-code" @@ -100,6 +101,7 @@ func ReadConfig(src map[string]string) config.Configuration { to := config.NewDefault() errors := make([]int, 0) skipUrls := make([]string, 0) + denyList := make([]string, 0) whiteList := make([]string, 0) proxyList := make([]string, 0) hideHeadersList := make([]string, 0) @@ -169,6 +171,11 @@ func ReadConfig(src map[string]string) config.Configuration { skipUrls = splitAndTrimSpace(val, ",") } + if val, ok := conf[denylistSourceRange]; ok { + delete(conf, denylistSourceRange) + denyList = append(denyList, splitAndTrimSpace(val, ",")...) + } + if val, ok := conf[whitelistSourceRange]; ok { delete(conf, whitelistSourceRange) whiteList = append(whiteList, splitAndTrimSpace(val, ",")...) @@ -395,6 +402,7 @@ func ReadConfig(src map[string]string) config.Configuration { to.CustomHTTPErrors = filterErrors(errors) to.SkipAccessLogURLs = skipUrls + to.DenylistSourceRange = denyList to.WhitelistSourceRange = whiteList to.ProxyRealIPCIDR = proxyList to.BindAddressIpv4 = bindAddressIpv4List diff --git a/internal/ingress/controller/template/configmap_test.go b/internal/ingress/controller/template/configmap_test.go index be3ffb0ce..c662e0bc7 100644 --- a/internal/ingress/controller/template/configmap_test.go +++ b/internal/ingress/controller/template/configmap_test.go @@ -149,6 +149,7 @@ func TestMergeConfigMapToStruct(t *testing.T) { def = config.NewDefault() def.LuaSharedDicts = defaultLuaSharedDicts + def.DenylistSourceRange = []string{"2.2.2.2/32"} def.WhitelistSourceRange = []string{"1.1.1.1/32"} def.DisableIpv6DNS = true @@ -161,6 +162,7 @@ func TestMergeConfigMapToStruct(t *testing.T) { def.Checksum = fmt.Sprintf("%v", hash) to = ReadConfig(map[string]string{ + "denylist-source-range": "2.2.2.2/32", "whitelist-source-range": "1.1.1.1/32", "disable-ipv6-dns": "true", }) diff --git a/internal/ingress/defaults/main.go b/internal/ingress/defaults/main.go index bc9734257..0aab2ff47 100644 --- a/internal/ingress/defaults/main.go +++ b/internal/ingress/defaults/main.go @@ -139,6 +139,10 @@ type Backend struct { // http://nginx.org/en/docs/http/ngx_http_access_module.html WhitelistSourceRange []string `json:"whitelist-source-range"` + // DenylistSourceRange allows limiting access to certain client addresses + // http://nginx.org/en/docs/http/ngx_http_access_module.html + DenylistSourceRange []string `json:"denylist-source-range"` + // Limits the rate of response transmission to a client. // The rate is specified in bytes per second. The zero value disables rate limiting. // The limit is set per a request, and so if a client simultaneously opens two connections, diff --git a/pkg/apis/ingress/types.go b/pkg/apis/ingress/types.go index 7c1c825b7..9395683ec 100644 --- a/pkg/apis/ingress/types.go +++ b/pkg/apis/ingress/types.go @@ -30,6 +30,7 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations/fastcgi" "k8s.io/ingress-nginx/internal/ingress/annotations/globalratelimit" "k8s.io/ingress-nginx/internal/ingress/annotations/influxdb" + "k8s.io/ingress-nginx/internal/ingress/annotations/ipdenylist" "k8s.io/ingress-nginx/internal/ingress/annotations/ipwhitelist" "k8s.io/ingress-nginx/internal/ingress/annotations/log" "k8s.io/ingress-nginx/internal/ingress/annotations/mirror" @@ -222,6 +223,7 @@ type Server struct { // In some cases when more than one annotations is defined a particular order in the execution // is required. // The chain in the execution order of annotations should be: +// - Denylist // - Whitelist // - RateLimit // - BasicDigestAuth @@ -292,6 +294,10 @@ type Location struct { // Rewrite describes the redirection this location. // +optional Rewrite rewrite.Config `json:"rewrite,omitempty"` + // Denylist indicates only connections from certain client + // addresses or networks are allowed. + // +optional + Denylist ipdenylist.SourceRange `json:"denylist,omitempty"` // Whitelist indicates only connections from certain client // addresses or networks are allowed. // +optional diff --git a/pkg/apis/ingress/types_equals.go b/pkg/apis/ingress/types_equals.go index a954a253b..0941e0956 100644 --- a/pkg/apis/ingress/types_equals.go +++ b/pkg/apis/ingress/types_equals.go @@ -401,6 +401,9 @@ func (l1 *Location) Equal(l2 *Location) bool { if !(&l1.Rewrite).Equal(&l2.Rewrite) { return false } + if !(&l1.Denylist).Equal(&l2.Denylist) { + return false + } if !(&l1.Whitelist).Equal(&l2.Whitelist) { return false } diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index 3ace12bc3..02c5637f0 100755 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -1262,6 +1262,10 @@ stream { {{ buildModSecurityForLocation $all.Cfg $location }} {{ if isLocationAllowed $location }} + {{ if gt (len $location.Denylist.CIDR) 0 }} + {{ range $ip := $location.Denylist.CIDR }} + deny {{ $ip }};{{ end }} + {{ end }} {{ if gt (len $location.Whitelist.CIDR) 0 }} {{ range $ip := $location.Whitelist.CIDR }} allow {{ $ip }};{{ end }} diff --git a/test/data/config.json b/test/data/config.json index b506399bd..5d8a88cbe 100644 --- a/test/data/config.json +++ b/test/data/config.json @@ -100,6 +100,9 @@ "addBaseUrl": false, "sslRedirect": true }, + "denylist": { + "cidr": ["1.1.1.1"] + }, "whitelist": { "cidr": ["1.1.1.1"] }, @@ -150,6 +153,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": ["1.1.1.1"] + }, "whitelist": { "cidr": ["1.1.1.1"] }, @@ -206,6 +212,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -256,6 +265,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -306,6 +318,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": null + }, "whitelist": { "cidr": null }, @@ -362,6 +377,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": null + }, "whitelist": { "cidr": null }, @@ -418,6 +436,9 @@ "addBaseUrl": false, "sslRedirect": true }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -474,6 +495,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -530,6 +554,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -586,6 +613,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -642,6 +672,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -698,6 +731,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -754,6 +790,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -810,6 +849,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -866,6 +908,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -922,6 +967,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -978,6 +1026,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1034,6 +1085,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1090,6 +1144,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1146,6 +1203,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1202,6 +1262,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1258,6 +1321,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1314,6 +1380,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1370,6 +1439,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1426,6 +1498,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1482,6 +1557,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1538,6 +1616,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1594,6 +1675,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1650,6 +1734,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1706,6 +1793,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1762,6 +1852,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1818,6 +1911,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1874,6 +1970,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1930,6 +2029,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1986,6 +2088,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2042,6 +2147,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2098,6 +2206,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2154,6 +2265,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2210,6 +2324,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2266,6 +2383,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2322,6 +2442,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2378,6 +2501,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2434,6 +2560,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2490,6 +2619,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2546,6 +2678,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2602,6 +2737,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2658,6 +2796,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2714,6 +2855,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2770,6 +2914,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2826,6 +2973,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2882,6 +3032,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2938,6 +3091,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2994,6 +3150,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3050,6 +3209,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3106,6 +3268,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3162,6 +3327,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3218,6 +3386,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3274,6 +3445,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3330,6 +3504,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3386,6 +3563,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3442,6 +3622,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3498,6 +3681,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3554,6 +3740,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3610,6 +3799,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3666,6 +3858,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3722,6 +3917,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3778,6 +3976,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3834,6 +4035,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3890,6 +4094,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3946,6 +4153,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4002,6 +4212,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4058,6 +4271,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4114,6 +4330,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4170,6 +4389,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4226,6 +4448,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4282,6 +4507,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4338,6 +4566,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4394,6 +4625,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4450,6 +4684,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4506,6 +4743,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4562,6 +4802,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4618,6 +4861,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4674,6 +4920,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4730,6 +4979,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4786,6 +5038,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4842,6 +5097,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4898,6 +5156,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4954,6 +5215,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5010,6 +5274,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5066,6 +5333,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5122,6 +5392,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5178,6 +5451,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5234,6 +5510,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5290,6 +5569,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5346,6 +5628,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5402,6 +5687,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5458,6 +5746,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5514,6 +5805,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5570,6 +5864,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5626,6 +5923,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5682,6 +5982,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5738,6 +6041,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5794,6 +6100,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5850,6 +6159,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5906,6 +6218,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5962,6 +6277,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6018,6 +6336,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6074,6 +6395,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6130,6 +6454,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6186,6 +6513,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6242,6 +6572,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6298,6 +6631,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6354,6 +6690,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6410,6 +6749,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6466,6 +6808,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6522,6 +6867,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6578,6 +6926,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6634,6 +6985,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6690,6 +7044,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6746,6 +7103,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6802,6 +7162,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6858,6 +7221,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6914,6 +7280,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6970,6 +7339,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7026,6 +7398,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7082,6 +7457,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7138,6 +7516,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7194,6 +7575,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7250,6 +7634,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7306,6 +7693,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7362,6 +7752,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7418,6 +7811,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7474,6 +7870,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7530,6 +7929,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7586,6 +7988,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7642,6 +8047,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7698,6 +8106,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7754,6 +8165,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7810,6 +8224,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7866,6 +8283,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7922,6 +8342,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7978,6 +8401,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8034,6 +8460,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8090,6 +8519,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8146,6 +8578,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8202,6 +8637,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8258,6 +8696,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8314,6 +8755,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8370,6 +8814,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8426,6 +8873,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8482,6 +8932,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8538,6 +8991,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8594,6 +9050,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8650,6 +9109,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8706,6 +9168,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8762,6 +9227,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8818,6 +9286,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8874,6 +9345,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8930,6 +9404,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8986,6 +9463,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9042,6 +9522,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9098,6 +9581,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9154,6 +9640,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9210,6 +9699,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9266,6 +9758,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9322,6 +9817,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9378,6 +9876,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9434,6 +9935,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9490,6 +9994,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9546,6 +10053,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9602,6 +10112,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9658,6 +10171,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9714,6 +10230,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9770,6 +10289,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9826,6 +10348,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9882,6 +10407,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9938,6 +10466,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9994,6 +10525,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10050,6 +10584,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10106,6 +10643,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10162,6 +10702,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10218,6 +10761,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10274,6 +10820,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10330,6 +10879,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10386,6 +10938,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10442,6 +10997,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10498,6 +11056,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10554,6 +11115,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10610,6 +11174,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10666,6 +11233,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10722,6 +11292,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10778,6 +11351,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10834,6 +11410,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10890,6 +11469,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10946,6 +11528,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11002,6 +11587,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11058,6 +11646,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11114,6 +11705,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11170,6 +11764,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11226,6 +11823,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11282,6 +11882,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11338,6 +11941,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11394,6 +12000,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11450,6 +12059,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11506,6 +12118,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11562,6 +12177,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11618,6 +12236,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11674,6 +12295,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11730,6 +12354,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11786,6 +12413,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11842,6 +12472,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11898,6 +12531,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11954,6 +12590,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12010,6 +12649,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12066,6 +12708,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12122,6 +12767,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12178,6 +12826,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12234,6 +12885,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12290,6 +12944,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12346,6 +13003,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12402,6 +13062,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12458,6 +13121,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12514,6 +13180,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12570,6 +13239,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12626,6 +13298,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12682,6 +13357,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12738,6 +13416,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12794,6 +13475,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12850,6 +13534,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12906,6 +13593,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12962,6 +13652,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13018,6 +13711,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13074,6 +13770,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13130,6 +13829,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13186,6 +13888,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13242,6 +13947,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13298,6 +14006,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13354,6 +14065,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13410,6 +14124,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13466,6 +14183,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13522,6 +14242,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13578,6 +14301,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13634,6 +14360,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13690,6 +14419,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13746,6 +14478,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13802,6 +14537,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13858,6 +14596,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13914,6 +14655,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13970,6 +14714,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14026,6 +14773,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14082,6 +14832,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14138,6 +14891,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14194,6 +14950,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14250,6 +15009,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14306,6 +15068,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14362,6 +15127,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14418,6 +15186,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14474,6 +15245,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14530,6 +15304,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14586,6 +15363,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14642,6 +15422,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14698,6 +15481,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14754,6 +15540,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14810,6 +15599,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14866,6 +15658,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14922,6 +15717,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14978,6 +15776,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15034,6 +15835,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15090,6 +15894,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15146,6 +15953,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15202,6 +16012,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15258,6 +16071,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15314,6 +16130,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15370,6 +16189,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15426,6 +16248,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15482,6 +16307,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15538,6 +16366,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15594,6 +16425,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15650,6 +16484,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15706,6 +16543,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15762,6 +16602,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15818,6 +16661,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15874,6 +16720,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15930,6 +16779,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15986,6 +16838,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16042,6 +16897,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16098,6 +16956,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16154,6 +17015,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16210,6 +17074,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16266,6 +17133,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16322,6 +17192,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16378,6 +17251,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16434,6 +17310,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16490,6 +17369,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16546,6 +17428,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16602,6 +17487,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16658,6 +17546,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16714,6 +17605,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16770,6 +17664,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16826,6 +17723,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16882,6 +17782,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16938,6 +17841,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16994,6 +17900,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17050,6 +17959,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17106,6 +18018,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17162,6 +18077,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17218,6 +18136,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17274,6 +18195,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17330,6 +18254,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17386,6 +18313,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17442,6 +18372,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17498,6 +18431,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17554,6 +18490,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17610,6 +18549,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17666,6 +18608,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17722,6 +18667,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17778,6 +18726,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17834,6 +18785,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17890,6 +18844,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17946,6 +18903,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18002,6 +18962,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18058,6 +19021,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18114,6 +19080,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18170,6 +19139,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18226,6 +19198,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18282,6 +19257,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18338,6 +19316,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18394,6 +19375,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18450,6 +19434,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18506,6 +19493,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18562,6 +19552,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18618,6 +19611,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18674,6 +19670,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18730,6 +19729,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18786,6 +19788,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18842,6 +19847,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18898,6 +19906,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18954,6 +19965,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19010,6 +20024,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19066,6 +20083,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19122,6 +20142,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19178,6 +20201,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19234,6 +20260,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19290,6 +20319,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19346,6 +20378,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19402,6 +20437,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19458,6 +20496,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19514,6 +20555,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19570,6 +20614,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19626,6 +20673,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19682,6 +20732,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19738,6 +20791,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19794,6 +20850,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19850,6 +20909,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19906,6 +20968,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19962,6 +21027,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20018,6 +21086,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20074,6 +21145,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20130,6 +21204,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20186,6 +21263,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20242,6 +21322,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20298,6 +21381,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20354,6 +21440,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20410,6 +21499,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20466,6 +21558,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20522,6 +21617,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20578,6 +21676,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20634,6 +21735,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20690,6 +21794,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20746,6 +21853,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20802,6 +21912,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20858,6 +21971,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20914,6 +22030,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20970,6 +22089,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21026,6 +22148,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21082,6 +22207,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21138,6 +22266,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21194,6 +22325,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21250,6 +22384,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21306,6 +22443,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21362,6 +22502,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21418,6 +22561,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21474,6 +22620,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21530,6 +22679,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21586,6 +22738,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21642,6 +22797,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21698,6 +22856,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21754,6 +22915,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21810,6 +22974,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21866,6 +23033,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21922,6 +23092,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21978,6 +23151,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22034,6 +23210,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22090,6 +23269,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22146,6 +23328,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22202,6 +23387,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22258,6 +23446,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22314,6 +23505,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22370,6 +23564,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22426,6 +23623,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22482,6 +23682,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22538,6 +23741,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22594,6 +23800,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22650,6 +23859,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22706,6 +23918,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22762,6 +23977,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22818,6 +24036,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22874,6 +24095,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22930,6 +24154,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22986,6 +24213,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23042,6 +24272,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23098,6 +24331,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23154,6 +24390,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23210,6 +24449,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23266,6 +24508,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23322,6 +24567,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23378,6 +24626,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23434,6 +24685,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23490,6 +24744,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23546,6 +24803,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23602,6 +24862,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23658,6 +24921,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23714,6 +24980,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23770,6 +25039,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23826,6 +25098,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23882,6 +25157,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23938,6 +25216,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23994,6 +25275,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24050,6 +25334,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24106,6 +25393,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24162,6 +25452,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24218,6 +25511,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24274,6 +25570,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24330,6 +25629,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24386,6 +25688,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24442,6 +25747,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24498,6 +25806,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24554,6 +25865,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24610,6 +25924,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24666,6 +25983,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24722,6 +26042,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24778,6 +26101,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24834,6 +26160,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24890,6 +26219,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24946,6 +26278,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25002,6 +26337,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25058,6 +26396,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25114,6 +26455,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25170,6 +26514,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25226,6 +26573,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25282,6 +26632,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25338,6 +26691,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25394,6 +26750,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25450,6 +26809,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25506,6 +26868,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25562,6 +26927,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25618,6 +26986,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25674,6 +27045,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25730,6 +27104,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25786,6 +27163,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25842,6 +27222,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25898,6 +27281,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25954,6 +27340,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26010,6 +27399,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26066,6 +27458,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26122,6 +27517,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26178,6 +27576,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26234,6 +27635,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26290,6 +27694,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26346,6 +27753,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26402,6 +27812,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26458,6 +27871,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26514,6 +27930,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26570,6 +27989,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26626,6 +28048,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26682,6 +28107,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26738,6 +28166,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26794,6 +28225,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26850,6 +28284,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26906,6 +28343,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26962,6 +28402,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27018,6 +28461,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27074,6 +28520,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27130,6 +28579,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27186,6 +28638,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27242,6 +28697,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27298,6 +28756,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27354,6 +28815,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27410,6 +28874,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27466,6 +28933,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27522,6 +28992,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27578,6 +29051,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27634,6 +29110,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27690,6 +29169,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27746,6 +29228,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27802,6 +29287,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27858,6 +29346,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27914,6 +29405,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27970,6 +29464,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28026,6 +29523,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28082,6 +29582,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28138,6 +29641,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28194,6 +29700,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28250,6 +29759,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28306,6 +29818,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28362,6 +29877,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28418,6 +29936,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28474,6 +29995,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28530,6 +30054,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28586,6 +30113,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28642,6 +30172,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28698,6 +30231,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28754,6 +30290,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28810,6 +30349,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28866,6 +30408,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28922,6 +30467,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28978,6 +30526,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29034,6 +30585,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29090,6 +30644,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29146,6 +30703,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29202,6 +30762,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29258,6 +30821,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29314,6 +30880,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29370,6 +30939,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29426,6 +30998,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29482,6 +31057,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29538,6 +31116,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29594,6 +31175,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29650,6 +31234,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29706,6 +31293,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29762,6 +31352,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29818,6 +31411,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29874,6 +31470,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29930,6 +31529,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29986,6 +31588,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30042,6 +31647,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30098,6 +31706,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30154,6 +31765,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30210,6 +31824,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30266,6 +31883,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30322,6 +31942,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30378,6 +32001,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30434,6 +32060,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30490,6 +32119,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30546,6 +32178,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30602,6 +32237,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30658,6 +32296,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30714,6 +32355,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30770,6 +32414,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30826,6 +32473,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30882,6 +32532,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30938,6 +32591,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30994,6 +32650,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31050,6 +32709,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31106,6 +32768,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31162,6 +32827,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31218,6 +32886,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31274,6 +32945,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31330,6 +33004,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31386,6 +33063,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31442,6 +33122,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31498,6 +33181,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31554,6 +33240,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31610,6 +33299,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31666,6 +33358,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31722,6 +33417,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31778,6 +33476,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31834,6 +33535,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31890,6 +33594,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31946,6 +33653,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32002,6 +33712,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32058,6 +33771,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32114,6 +33830,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32170,6 +33889,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32226,6 +33948,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32282,6 +34007,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32338,6 +34066,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32394,6 +34125,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32450,6 +34184,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32506,6 +34243,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32562,6 +34302,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32618,6 +34361,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32674,6 +34420,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32730,6 +34479,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32786,6 +34538,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32842,6 +34597,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32898,6 +34656,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32954,6 +34715,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33010,6 +34774,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33066,6 +34833,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33122,6 +34892,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33178,6 +34951,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33234,6 +35010,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33290,6 +35069,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33346,6 +35128,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33402,6 +35187,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33458,6 +35246,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33514,6 +35305,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33570,6 +35364,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33626,6 +35423,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33682,6 +35482,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33738,6 +35541,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33794,6 +35600,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33850,6 +35659,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33906,6 +35718,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33962,6 +35777,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34018,6 +35836,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34074,6 +35895,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34130,6 +35954,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34186,6 +36013,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34242,6 +36072,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34298,6 +36131,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34354,6 +36190,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34410,6 +36249,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34466,6 +36308,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34522,6 +36367,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34578,6 +36426,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34634,6 +36485,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34690,6 +36544,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34746,6 +36603,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34802,6 +36662,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34858,6 +36721,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34914,6 +36780,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34970,6 +36839,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35026,6 +36898,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35082,6 +36957,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35138,6 +37016,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35194,6 +37075,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35250,6 +37134,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35306,6 +37193,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35362,6 +37252,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35418,6 +37311,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35474,6 +37370,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35530,6 +37429,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35586,6 +37488,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35642,6 +37547,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35698,6 +37606,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35754,6 +37665,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35810,6 +37724,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35866,6 +37783,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35922,6 +37842,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35978,6 +37901,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36034,6 +37960,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36090,6 +38019,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36146,6 +38078,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36202,6 +38137,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36258,6 +38196,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36314,6 +38255,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36370,6 +38314,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36426,6 +38373,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36482,6 +38432,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36538,6 +38491,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36594,6 +38550,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36650,6 +38609,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36706,6 +38668,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36762,6 +38727,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36818,6 +38786,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36874,6 +38845,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36930,6 +38904,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36986,6 +38963,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37042,6 +39022,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37098,6 +39081,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37154,6 +39140,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37210,6 +39199,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37266,6 +39258,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37322,6 +39317,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37378,6 +39376,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37434,6 +39435,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37490,6 +39494,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37546,6 +39553,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37602,6 +39612,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37658,6 +39671,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37714,6 +39730,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37770,6 +39789,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37826,6 +39848,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37882,6 +39907,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37938,6 +39966,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37994,6 +40025,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38050,6 +40084,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38106,6 +40143,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38162,6 +40202,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38218,6 +40261,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38274,6 +40320,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38330,6 +40379,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38386,6 +40438,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38442,6 +40497,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38498,6 +40556,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38554,6 +40615,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38610,6 +40674,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38666,6 +40733,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38722,6 +40792,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38778,6 +40851,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38834,6 +40910,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38890,6 +40969,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38946,6 +41028,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39002,6 +41087,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39058,6 +41146,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39114,6 +41205,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39170,6 +41264,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39226,6 +41323,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39282,6 +41382,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39338,6 +41441,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39394,6 +41500,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39450,6 +41559,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39506,6 +41618,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39562,6 +41677,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39618,6 +41736,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39674,6 +41795,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39730,6 +41854,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39786,6 +41913,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39842,6 +41972,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39898,6 +42031,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39954,6 +42090,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40010,6 +42149,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40066,6 +42208,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40122,6 +42267,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40178,6 +42326,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40234,6 +42385,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40290,6 +42444,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40346,6 +42503,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40402,6 +42562,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40458,6 +42621,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40514,6 +42680,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40570,6 +42739,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40626,6 +42798,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40682,6 +42857,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40738,6 +42916,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40794,6 +42975,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40850,6 +43034,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40906,6 +43093,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40962,6 +43152,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41018,6 +43211,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41074,6 +43270,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41130,6 +43329,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41186,6 +43388,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41242,6 +43447,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41298,6 +43506,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41354,6 +43565,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41410,6 +43624,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41466,6 +43683,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41522,6 +43742,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41578,6 +43801,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41634,6 +43860,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41690,6 +43919,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41746,6 +43978,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41802,6 +44037,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41858,6 +44096,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41914,6 +44155,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41970,6 +44214,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42026,6 +44273,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42082,6 +44332,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42138,6 +44391,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42194,6 +44450,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42250,6 +44509,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42306,6 +44568,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42362,6 +44627,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42418,6 +44686,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42474,6 +44745,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42530,6 +44804,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42586,6 +44863,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42642,6 +44922,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42698,6 +44981,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42754,6 +45040,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42810,6 +45099,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42866,6 +45158,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42922,6 +45217,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42978,6 +45276,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43034,6 +45335,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43090,6 +45394,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43146,6 +45453,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43202,6 +45512,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43258,6 +45571,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43314,6 +45630,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43370,6 +45689,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43426,6 +45748,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43482,6 +45807,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43538,6 +45866,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43594,6 +45925,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43650,6 +45984,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43706,6 +46043,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43762,6 +46102,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43818,6 +46161,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43874,6 +46220,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43930,6 +46279,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43986,6 +46338,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44042,6 +46397,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44098,6 +46456,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44154,6 +46515,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44210,6 +46574,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44266,6 +46633,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44322,6 +46692,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44378,6 +46751,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44434,6 +46810,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44490,6 +46869,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44546,6 +46928,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44602,6 +46987,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44658,6 +47046,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44714,6 +47105,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44770,6 +47164,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44826,6 +47223,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44882,6 +47282,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44938,6 +47341,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44994,6 +47400,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45050,6 +47459,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45106,6 +47518,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45162,6 +47577,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45218,6 +47636,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45274,6 +47695,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45330,6 +47754,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45386,6 +47813,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45442,6 +47872,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45498,6 +47931,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45554,6 +47990,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45610,6 +48049,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45666,6 +48108,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45722,6 +48167,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45778,6 +48226,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45834,6 +48285,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45890,6 +48344,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45946,6 +48403,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46002,6 +48462,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46058,6 +48521,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46114,6 +48580,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46170,6 +48639,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46226,6 +48698,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46282,6 +48757,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46338,6 +48816,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46394,6 +48875,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46450,6 +48934,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46506,6 +48993,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46562,6 +49052,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46618,6 +49111,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46674,6 +49170,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46730,6 +49229,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46786,6 +49288,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46842,6 +49347,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46898,6 +49406,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46954,6 +49465,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47010,6 +49524,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47066,6 +49583,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47122,6 +49642,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47178,6 +49701,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47234,6 +49760,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47290,6 +49819,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47346,6 +49878,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47402,6 +49937,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47458,6 +49996,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47514,6 +50055,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47570,6 +50114,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47626,6 +50173,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47682,6 +50232,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47738,6 +50291,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47794,6 +50350,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47850,6 +50409,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47906,6 +50468,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47962,6 +50527,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48018,6 +50586,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48074,6 +50645,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48130,6 +50704,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48186,6 +50763,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48242,6 +50822,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48298,6 +50881,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48354,6 +50940,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48410,6 +50999,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48466,6 +51058,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48522,6 +51117,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48578,6 +51176,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48634,6 +51235,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48690,6 +51294,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48746,6 +51353,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48802,6 +51412,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48858,6 +51471,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48914,6 +51530,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48970,6 +51589,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49026,6 +51648,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49082,6 +51707,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49138,6 +51766,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49194,6 +51825,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49250,6 +51884,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49306,6 +51943,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49362,6 +52002,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49418,6 +52061,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49474,6 +52120,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49530,6 +52179,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49586,6 +52238,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49642,6 +52297,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49698,6 +52356,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49754,6 +52415,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49810,6 +52474,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49866,6 +52533,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49922,6 +52592,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49978,6 +52651,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50034,6 +52710,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50090,6 +52769,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50146,6 +52828,9 @@ "addBaseUrl": false, "sslRedirect": true }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50202,6 +52887,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50258,6 +52946,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50314,6 +53005,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50370,6 +53064,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50426,6 +53123,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50482,6 +53182,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50538,6 +53241,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50594,6 +53300,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50650,6 +53359,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50706,6 +53418,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50762,6 +53477,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50818,6 +53536,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50874,6 +53595,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50930,6 +53654,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50986,6 +53713,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51042,6 +53772,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51098,6 +53831,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51154,6 +53890,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51210,6 +53949,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51266,6 +54008,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51322,6 +54067,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51378,6 +54126,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51434,6 +54185,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51490,6 +54244,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51546,6 +54303,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51602,6 +54362,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51658,6 +54421,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51714,6 +54480,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51770,6 +54539,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51826,6 +54598,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51882,6 +54657,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51938,6 +54716,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51994,6 +54775,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52050,6 +54834,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52106,6 +54893,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52162,6 +54952,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52218,6 +55011,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52274,6 +55070,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52330,6 +55129,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52386,6 +55188,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52442,6 +55247,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52498,6 +55306,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52554,6 +55365,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52610,6 +55424,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52666,6 +55483,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52722,6 +55542,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52778,6 +55601,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52834,6 +55660,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52890,6 +55719,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52946,6 +55778,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53002,6 +55837,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53058,6 +55896,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53114,6 +55955,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53170,6 +56014,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53226,6 +56073,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53282,6 +56132,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53338,6 +56191,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53394,6 +56250,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53450,6 +56309,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53506,6 +56368,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53562,6 +56427,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53618,6 +56486,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53674,6 +56545,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53730,6 +56604,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53786,6 +56663,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53842,6 +56722,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53898,6 +56781,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53954,6 +56840,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54010,6 +56899,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54066,6 +56958,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54122,6 +57017,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54178,6 +57076,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54234,6 +57135,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54290,6 +57194,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54346,6 +57253,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54402,6 +57312,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54458,6 +57371,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54514,6 +57430,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54570,6 +57489,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54626,6 +57548,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54682,6 +57607,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54738,6 +57666,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54794,6 +57725,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54850,6 +57784,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54906,6 +57843,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54962,6 +57902,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55018,6 +57961,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55074,6 +58020,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55130,6 +58079,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55186,6 +58138,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55242,6 +58197,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55298,6 +58256,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55354,6 +58315,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55410,6 +58374,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55466,6 +58433,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55522,6 +58492,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55578,6 +58551,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55634,6 +58610,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55690,6 +58669,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55746,6 +58728,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55802,6 +58787,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55858,6 +58846,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55914,6 +58905,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55970,6 +58964,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56026,6 +59023,9 @@ "addBaseUrl": false, "sslRedirect": true }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56082,6 +59082,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56138,6 +59141,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56194,6 +59200,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56250,6 +59259,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56306,6 +59318,9 @@ "addBaseUrl": false, "sslRedirect": true }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56362,6 +59377,9 @@ "addBaseUrl": false, "sslRedirect": true }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56418,6 +59436,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56468,6 +59489,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56524,6 +59548,9 @@ "addBaseUrl": false, "sslRedirect": true }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56580,6 +59607,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56636,6 +59666,9 @@ "addBaseUrl": false, "sslRedirect": true }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56692,6 +59725,9 @@ "addBaseUrl": true, "sslRedirect": true }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56742,6 +59778,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": null }, @@ -56798,6 +59837,9 @@ "addBaseUrl": false, "sslRedirect": true }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56854,6 +59896,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56904,6 +59949,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": null }, @@ -56960,6 +60008,9 @@ "addBaseUrl": false, "sslRedirect": true }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -57010,6 +60061,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": null }, @@ -57066,6 +60120,9 @@ "addBaseUrl": false, "sslRedirect": true }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -57122,6 +60179,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, diff --git a/test/e2e/annotations/ipdenylist.go b/test/e2e/annotations/ipdenylist.go new file mode 100644 index 000000000..9c1d45cf5 --- /dev/null +++ b/test/e2e/annotations/ipdenylist.go @@ -0,0 +1,147 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package annotations + +import ( + "net/http" + "strings" + + "github.com/onsi/ginkgo/v2" + + "k8s.io/ingress-nginx/test/e2e/framework" +) + +var _ = framework.DescribeAnnotation("denylist-source-range", func() { + f := framework.NewDefaultFramework("ipdenylist") + + ginkgo.BeforeEach(func() { + f.NewEchoDeployment() + }) + + ginkgo.It("only deny explicitly denied IPs, allow all others", func() { + host := "ipdenylist.foo.com" + namespace := f.Namespace + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/denylist-source-range": "18.0.0.0/8, 56.0.0.1", + } + + ing := framework.NewSingleIngress(host, "/", host, namespace, framework.EchoService, 80, annotations) + + // Temporarily trust forwarded headers so we can test IP based access control + f.UpdateNginxConfigMapData("use-forwarded-headers", "true") + defer func() { + // Return to the original value + f.UpdateNginxConfigMapData("use-forwarded-headers", "false") + }() + + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, "deny 18.0.0.0/8;") && + strings.Contains(server, "deny 56.0.0.1;") && + !strings.Contains(server, "deny all;") + }) + + ginkgo.By("sending request from an explicitly denied IP range") + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + WithHeader("X-Forwarded-For", "18.0.0.1"). + Expect(). + Status(http.StatusForbidden) + + ginkgo.By("sending request from an explicitly denied IP address") + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + WithHeader("X-Forwarded-For", "56.0.0.1"). + Expect(). + Status(http.StatusForbidden) + + ginkgo.By("sending request from an implicitly allowed IP range") + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + WithHeader("X-Forwarded-For", "56.0.0.2"). + Expect(). + Status(http.StatusOK) + }) + + ginkgo.It("only allow explicitly allowed IPs, deny all others", func() { + host := "ipdenylist.foo.com" + namespace := f.Namespace + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/denylist-source-range": "18.1.0.0/16, 56.0.0.0/8", + "nginx.ingress.kubernetes.io/whitelist-source-range": "18.0.0.0/8, 55.0.0.0/8", + } + + ing := framework.NewSingleIngress(host, "/", host, namespace, framework.EchoService, 80, annotations) + + // Temporarily trust forwarded headers so we can test IP based access control + f.UpdateNginxConfigMapData("use-forwarded-headers", "true") + defer func() { + // Return to the original value + f.UpdateNginxConfigMapData("use-forwarded-headers", "false") + }() + + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, "deny 18.1.0.0/16;") && + strings.Contains(server, "deny 56.0.0.0/8;") && + strings.Contains(server, "allow 18.0.0.0/8;") && + strings.Contains(server, "allow 55.0.0.0/8;") && + strings.Contains(server, "deny all;") + }) + + ginkgo.By("sending request from an explicitly denied IP range") + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + WithHeader("X-Forwarded-For", "18.1.0.1"). + Expect(). + Status(http.StatusForbidden) + + ginkgo.By("sending request from an implicitly denied IP") + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + WithHeader("X-Forwarded-For", "10.10.10.10"). + Expect(). + Status(http.StatusForbidden) + + ginkgo.By("sending request from an explicitly allowed IP range") + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + WithHeader("X-Forwarded-For", "18.4.0.1"). + Expect(). + Status(http.StatusOK) + + ginkgo.By("sending request from an explicitly allowed IP range") + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + WithHeader("X-Forwarded-For", "55.55.55.55"). + Expect(). + Status(http.StatusOK) + }) +}) From 424cc8671b1c6df1db08283179d113fbaa5b2213 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Johannes=20W=C3=BCrbach?= Date: Sun, 8 Jan 2023 23:49:27 +0100 Subject: [PATCH 109/405] fix: disable auth access logs (#9049) --- rootfs/etc/nginx/template/nginx.tmpl | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index 02c5637f0..cde7b2b87 100755 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -1058,6 +1058,8 @@ stream { opentracing_propagate_context; {{ end }} + access_log off; + # Ensure that modsecurity will not run on an internal location as this is not accessible from outside {{ if $all.Cfg.EnableModsecurity }} modsecurity off; From 275d5e15e7024af34fa864c2bdbcbf404efea6f6 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Mon, 9 Jan 2023 14:01:29 +0300 Subject: [PATCH 110/405] Add buildResolvers to the stream module (#9184) --- rootfs/etc/nginx/template/nginx.tmpl | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index cde7b2b87..fc48de912 100755 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -736,6 +736,8 @@ stream { lua_package_path "/etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/?.lua;;"; lua_shared_dict tcp_udp_configuration_data 5M; + + {{ buildResolvers $cfg.Resolver $cfg.DisableIpv6DNS }} init_by_lua_block { collectgarbage("collect") From 54dd88a5d1c1ae432e132b5f96ead24ce3b3314b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Jan 2023 06:09:32 -0800 Subject: [PATCH 111/405] Bump golang.org/x/crypto from 0.4.0 to 0.5.0 (#9494) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.4.0 to 0.5.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](https://github.com/golang/crypto/compare/v0.4.0...v0.5.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 10 +++++----- go.sum | 20 ++++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/go.mod b/go.mod index b074e7c10..2daf8e667 100644 --- a/go.mod +++ b/go.mod @@ -25,7 +25,7 @@ require ( github.com/stretchr/testify v1.8.1 github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a - golang.org/x/crypto v0.4.0 + golang.org/x/crypto v0.5.0 google.golang.org/grpc v1.51.0 google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 @@ -109,11 +109,11 @@ require ( github.com/yudai/pp v2.0.1+incompatible // indirect go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect golang.org/x/mod v0.7.0 // indirect - golang.org/x/net v0.4.0 // indirect + golang.org/x/net v0.5.0 // indirect golang.org/x/oauth2 v0.3.0 // indirect - golang.org/x/sys v0.3.0 // indirect - golang.org/x/term v0.3.0 // indirect - golang.org/x/text v0.5.0 // indirect + golang.org/x/sys v0.4.0 // indirect + golang.org/x/term v0.4.0 // indirect + golang.org/x/text v0.6.0 // indirect golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect golang.org/x/tools v0.4.0 // indirect google.golang.org/appengine v1.6.7 // indirect diff --git a/go.sum b/go.sum index 684ae5beb..84a8bb106 100644 --- a/go.sum +++ b/go.sum @@ -423,8 +423,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.4.0 h1:UVQgzMY87xqpKNgb+kDsll2Igd33HszWHFLmpaRMq/8= -golang.org/x/crypto v0.4.0/go.mod h1:3quD/ATkf6oY+rnes5c3ExXTbLc8mueNue5/DoinL80= +golang.org/x/crypto v0.5.0 h1:U/0M97KRkSFvyD/3FSmdP5W5swImpNgle/EHFhOsQPE= +golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -491,8 +491,8 @@ golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU= -golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= +golang.org/x/net v0.5.0 h1:GyT4nK/YDHSqa1c4753ouYCDajOYKTja9Xb/OHtgvSw= +golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -558,19 +558,19 @@ golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ= -golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.4.0 h1:Zr2JFtRQNX3BCZ8YtxRE9hNJYC8J6I1MVbMg6owUp18= +golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI= -golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA= +golang.org/x/term v0.4.0 h1:O7UWfv5+A2qiuulQk30kVinPoMtoIPeVaKLEgLpVkvg= +golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM= -golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.6.0 h1:3XmdazWV+ubf7QgHSTWeykHOci5oeekaGJBLkrkaw4k= +golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From e7bee5308e84269d13b58352aeae3a6f27ea6e52 Mon Sep 17 00:00:00 2001 From: Marcus Noble Date: Mon, 9 Jan 2023 14:37:31 +0000 Subject: [PATCH 112/405] added option to disable sync event creation (#8528) * added option to disable event creation Signed-off-by: Marcus Noble * Re-trigger github workflows Signed-off-by: Marcus Noble Signed-off-by: Marcus Noble --- docs/user-guide/cli-arguments.md | 1 + internal/ingress/controller/controller.go | 2 + .../ingress/controller/controller_test.go | 4 +- internal/ingress/controller/nginx.go | 3 +- internal/ingress/controller/store/store.go | 11 +- .../ingress/controller/store/store_test.go | 33 ++++-- pkg/flags/flags.go | 3 + test/e2e/settings/disable_sync_events.go | 107 ++++++++++++++++++ 8 files changed, 147 insertions(+), 17 deletions(-) create mode 100644 test/e2e/settings/disable_sync_events.go diff --git a/docs/user-guide/cli-arguments.md b/docs/user-guide/cli-arguments.md index ab483b1cd..4379d0b34 100644 --- a/docs/user-guide/cli-arguments.md +++ b/docs/user-guide/cli-arguments.md @@ -18,6 +18,7 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment | `--disable-catch-all` | Disable support for catch-all Ingresses. (default false) | | `--disable-full-test` | Disable full test of all merged ingresses at the admission stage and tests the template of the ingress being created or updated (full test of all ingresses is enabled by default). | | `--disable-svc-external-name` | Disable support for Services of type ExternalName. (default false) | +| `--disable-sync-events` | Disables the creation of 'Sync' Event resources, but still logs them | | `--dynamic-configuration-retries` | Number of times to retry failed dynamic configuration before failing to sync an ingress. (default 15) | | `--election-id` | Election id to use for Ingress status updates. (default "ingress-controller-leader") | | `--enable-metrics` | Enables the collection of NGINX metrics. (default true) | diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index 8eee56647..010eba162 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -129,6 +129,8 @@ type Configuration struct { DeepInspector bool DynamicConfigurationRetries int + + DisableSyncEvents bool } // GetPublishService returns the Service used to set the load-balancer status of Ingresses. diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go index da9f10e45..796012cd3 100644 --- a/internal/ingress/controller/controller_test.go +++ b/internal/ingress/controller/controller_test.go @@ -2404,6 +2404,7 @@ func newNGINXController(t *testing.T) *NGINXController { Controller: "k8s.io/ingress-nginx", AnnotationValue: "nginx", }, + false, ) sslCert := ssl.GetFakeSSLCert() @@ -2468,7 +2469,8 @@ func newDynamicNginxController(t *testing.T, setConfigMap func(string) *v1.Confi &ingressclass.IngressClassConfiguration{ Controller: "k8s.io/ingress-nginx", AnnotationValue: "nginx", - }) + }, + false) sslCert := ssl.GetFakeSSLCert() config := &Configuration{ diff --git a/internal/ingress/controller/nginx.go b/internal/ingress/controller/nginx.go index 4b543ea2f..5575009ea 100644 --- a/internal/ingress/controller/nginx.go +++ b/internal/ingress/controller/nginx.go @@ -136,7 +136,8 @@ func NewNGINXController(config *Configuration, mc metric.Collector) *NGINXContro n.updateCh, config.DisableCatchAll, config.DeepInspector, - config.IngressClassConfiguration) + config.IngressClassConfiguration, + config.DisableSyncEvents) n.syncQueue = task.NewTaskQueue(n.syncIngress) diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go index 7f493bd8a..13af28137 100644 --- a/internal/ingress/controller/store/store.go +++ b/internal/ingress/controller/store/store.go @@ -251,7 +251,8 @@ func New( updateCh *channels.RingChannel, disableCatchAll bool, deepInspector bool, - icConfig *ingressclass.IngressClassConfiguration) Storer { + icConfig *ingressclass.IngressClassConfiguration, + disableSyncEvents bool) Storer { store := &k8sStore{ informers: &Informer{}, @@ -267,9 +268,11 @@ func New( eventBroadcaster := record.NewBroadcaster() eventBroadcaster.StartLogging(klog.Infof) - eventBroadcaster.StartRecordingToSink(&clientcorev1.EventSinkImpl{ - Interface: client.CoreV1().Events(namespace), - }) + if !disableSyncEvents { + eventBroadcaster.StartRecordingToSink(&clientcorev1.EventSinkImpl{ + Interface: client.CoreV1().Events(namespace), + }) + } recorder := eventBroadcaster.NewRecorder(scheme.Scheme, corev1.EventSource{ Component: "nginx-ingress-controller", }) diff --git a/internal/ingress/controller/store/store_test.go b/internal/ingress/controller/store/store_test.go index 9b8947f9c..9fe6e37bb 100644 --- a/internal/ingress/controller/store/store_test.go +++ b/internal/ingress/controller/store/store_test.go @@ -125,7 +125,8 @@ func TestStore(t *testing.T) { updateCh, false, true, - DefaultClassConfig) + DefaultClassConfig, + false) storer.Run(stopCh) @@ -206,7 +207,8 @@ func TestStore(t *testing.T) { updateCh, false, true, - DefaultClassConfig) + DefaultClassConfig, + false) storer.Run(stopCh) ic := createIngressClass(clientSet, t, "not-k8s.io/not-ingress-nginx") @@ -310,7 +312,8 @@ func TestStore(t *testing.T) { updateCh, false, true, - DefaultClassConfig) + DefaultClassConfig, + false) storer.Run(stopCh) validSpec := commonIngressSpec @@ -426,7 +429,8 @@ func TestStore(t *testing.T) { updateCh, false, true, - ingressClassconfig) + ingressClassconfig, + false) storer.Run(stopCh) @@ -556,7 +560,8 @@ func TestStore(t *testing.T) { updateCh, false, true, - ingressClassconfig) + ingressClassconfig, + false) storer.Run(stopCh) validSpec := commonIngressSpec @@ -656,7 +661,8 @@ func TestStore(t *testing.T) { updateCh, false, true, - DefaultClassConfig) + DefaultClassConfig, + false) storer.Run(stopCh) @@ -750,7 +756,8 @@ func TestStore(t *testing.T) { updateCh, false, true, - DefaultClassConfig) + DefaultClassConfig, + false) storer.Run(stopCh) invalidSpec := commonIngressSpec @@ -836,7 +843,8 @@ func TestStore(t *testing.T) { updateCh, false, true, - DefaultClassConfig) + DefaultClassConfig, + false) storer.Run(stopCh) @@ -932,7 +940,8 @@ func TestStore(t *testing.T) { updateCh, false, true, - DefaultClassConfig) + DefaultClassConfig, + false) storer.Run(stopCh) @@ -1056,7 +1065,8 @@ func TestStore(t *testing.T) { updateCh, false, true, - DefaultClassConfig) + DefaultClassConfig, + false) storer.Run(stopCh) @@ -1177,7 +1187,8 @@ func TestStore(t *testing.T) { updateCh, false, true, - DefaultClassConfig) + DefaultClassConfig, + false) storer.Run(stopCh) diff --git a/pkg/flags/flags.go b/pkg/flags/flags.go index 65b5fbcdc..6e183289c 100644 --- a/pkg/flags/flags.go +++ b/pkg/flags/flags.go @@ -214,6 +214,8 @@ Takes the form ":port". If not provided, no admission controller is starte deepInspector = flags.Bool("deep-inspect", true, "Enables ingress object security deep inspector") dynamicConfigurationRetries = flags.Int("dynamic-configuration-retries", 15, "Number of times to retry failed dynamic configuration before failing to sync an ingress.") + + disableSyncEvents = flags.Bool("disable-sync-events", false, "Disables the creation of 'Sync' event resources") ) flags.StringVar(&nginx.MaxmindMirror, "maxmind-mirror", "", `Maxmind mirror url (example: http://geoip.local/databases.`) @@ -364,6 +366,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g ValidationWebhookCertPath: *validationWebhookCert, ValidationWebhookKeyPath: *validationWebhookKey, InternalLoggerAddress: *internalLoggerAddress, + DisableSyncEvents: *disableSyncEvents, } if *apiserverHost != "" { diff --git a/test/e2e/settings/disable_sync_events.go b/test/e2e/settings/disable_sync_events.go new file mode 100644 index 000000000..7d1298087 --- /dev/null +++ b/test/e2e/settings/disable_sync_events.go @@ -0,0 +1,107 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package settings + +import ( + "context" + "fmt" + "strings" + + "github.com/onsi/ginkgo/v2" + "github.com/stretchr/testify/assert" + appsv1 "k8s.io/api/apps/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + "k8s.io/ingress-nginx/test/e2e/framework" +) + +var _ = framework.IngressNginxDescribe("[Flag] disable-sync-events", func() { + f := framework.NewDefaultFramework("disable-sync-events") + + ginkgo.It("should create sync events (default)", func() { + host := "sync-events-default" + f.NewEchoDeployment(framework.WithDeploymentReplicas(1)) + + ing := framework.NewSingleIngressWithIngressClass(host, "/", host, f.Namespace, framework.EchoService, f.IngressClass, 80, nil) + ing = f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, fmt.Sprintf("server_name %v", host)) + }) + + events, err := f.KubeClientSet.CoreV1().Events(ing.Namespace).List(context.TODO(), metav1.ListOptions{FieldSelector: "reason=Sync,involvedObject.name=" + host}) + assert.Nil(ginkgo.GinkgoT(), err, "listing events") + + assert.NotEmpty(ginkgo.GinkgoT(), events.Items, "got events") + }) + + ginkgo.It("should create sync events", func() { + host := "disable-sync-events-false" + f.NewEchoDeployment(framework.WithDeploymentReplicas(1)) + + err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error { + args := deployment.Spec.Template.Spec.Containers[0].Args + args = append(args, "--disable-sync-events=false") + deployment.Spec.Template.Spec.Containers[0].Args = args + _, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{}) + return err + }) + assert.Nil(ginkgo.GinkgoT(), err, "updating ingress controller deployment flags") + + ing := framework.NewSingleIngressWithIngressClass(host, "/", host, f.Namespace, framework.EchoService, f.IngressClass, 80, nil) + ing = f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, fmt.Sprintf("server_name %v", host)) + }) + + events, err := f.KubeClientSet.CoreV1().Events(ing.Namespace).List(context.TODO(), metav1.ListOptions{FieldSelector: "reason=Sync,involvedObject.name=" + host}) + assert.Nil(ginkgo.GinkgoT(), err, "listing events") + + assert.NotEmpty(ginkgo.GinkgoT(), events.Items, "got events") + }) + + ginkgo.It("should not create sync events", func() { + host := "disable-sync-events-true" + f.NewEchoDeployment(framework.WithDeploymentReplicas(1)) + + err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error { + args := deployment.Spec.Template.Spec.Containers[0].Args + args = append(args, "--disable-sync-events=true") + deployment.Spec.Template.Spec.Containers[0].Args = args + _, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{}) + return err + }) + assert.Nil(ginkgo.GinkgoT(), err, "updating ingress controller deployment flags") + + ing := framework.NewSingleIngressWithIngressClass(host, "/", host, f.Namespace, framework.EchoService, f.IngressClass, 80, nil) + ing = f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, fmt.Sprintf("server_name %v", host)) + }) + + events, err := f.KubeClientSet.CoreV1().Events(ing.Namespace).List(context.TODO(), metav1.ListOptions{FieldSelector: "reason=Sync,involvedObject.name=" + host}) + assert.Nil(ginkgo.GinkgoT(), err, "listing events") + + assert.Empty(ginkgo.GinkgoT(), events.Items, "got events") + }) + +}) From 54e2739282a4d878a65d61c1bf797337164f0eed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Henri?= Date: Tue, 10 Jan 2023 12:47:26 -0300 Subject: [PATCH 113/405] Remove nonexistent load flag from docker build commands (#9122) --- Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 5099b4645..0ce3e3cef 100644 --- a/Makefile +++ b/Makefile @@ -201,7 +201,6 @@ dev-env-stop: ## Deletes local Kubernetes cluster created by kind. live-docs: ## Build and launch a local copy of the documentation website in http://localhost:8000 @docker build ${PLATFORM_FLAG} ${PLATFORM} \ --no-cache \ - $(MAC_DOCKER_FLAGS) \ -t ingress-nginx-docs .github/actions/mkdocs @docker run ${PLATFORM_FLAG} ${PLATFORM} --rm -it \ -p 8000:8000 \ @@ -241,6 +240,7 @@ release: ensure-buildx clean docker buildx build \ --no-cache \ + $(MAC_DOCKER_FLAGS) \ --push \ --pull \ --progress plain \ @@ -253,6 +253,7 @@ release: ensure-buildx clean docker buildx build \ --no-cache \ + $(MAC_DOCKER_FLAGS) \ --push \ --pull \ --progress plain \ From ada114315eeeb141111a9fa540e1ed521e647b88 Mon Sep 17 00:00:00 2001 From: James Strong Date: Tue, 10 Jan 2023 11:20:21 -0500 Subject: [PATCH 114/405] Remove 1.5.2 from readme (#9498) --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 73baa8fd2..f8c020b68 100644 --- a/README.md +++ b/README.md @@ -38,7 +38,6 @@ the versions listed. Ingress-Nginx versions may work on older versions but the p | Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version | |-----------------------|------------------------------|----------------|---------------| -| v1.5.2 | 1.26, 1.25, 1.24, 1.23 | 3.17.2 | 1.21.6 | | v1.5.1 | 1.25, 1.24, 1.23 | 3.16.2 | 1.21.6 | | v1.4.0 | 1.25, 1.24, 1.23, 1.22 | 3.16.2 | 1.19.10† | | v1.3.1 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.2 | 1.19.10† | From 5b2a9475dc2260dc15561fd117dc221b892464da Mon Sep 17 00:00:00 2001 From: Tomas Hulata Date: Mon, 16 Jan 2023 03:46:50 +0100 Subject: [PATCH 115/405] feat: support topology aware hints (#9165) * support topology aware hints Signed-off-by: tombokombo * add flag to enable topology and fixes Signed-off-by: tombokombo * update readme Signed-off-by: tombokombo * add e2e test Signed-off-by: tombokombo * isolate topology test Signed-off-by: tombokombo * gofmt fix Signed-off-by: tombokombo Signed-off-by: tombokombo --- charts/ingress-nginx/README.md | 1 + charts/ingress-nginx/templates/_params.tpl | 3 + charts/ingress-nginx/values.yaml | 4 + docs/user-guide/cli-arguments.md | 1 + internal/ingress/controller/controller.go | 55 +++- internal/ingress/controller/endpointslices.go | 31 ++- .../ingress/controller/endpointslices_test.go | 261 +++++++++++++++++- internal/k8s/main.go | 20 ++ pkg/flags/flags.go | 3 + test/e2e-image/e2e.sh | 12 +- .../namespace-overlays/topology/values.yaml | 51 ++++ test/e2e/endpointslices/topology.go | 112 ++++++++ test/e2e/framework/deployment.go | 22 +- test/e2e/kind.yaml | 6 + 14 files changed, 564 insertions(+), 18 deletions(-) create mode 100644 test/e2e-image/namespace-overlays/topology/values.yaml create mode 100644 test/e2e/endpointslices/topology.go diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 00d85156e..817059af2 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -315,6 +315,7 @@ Kubernetes: `>=1.20.0-0` | controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. | | controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' | | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # | +| controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto" Defaults to false | | controller.existingPsp | string | `""` | Use an existing PSP instead of creating one | | controller.extraArgs | object | `{}` | Additional command line arguments to pass to nginx-ingress-controller E.g. to specify the default SSL certificate you can use | | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. | diff --git a/charts/ingress-nginx/templates/_params.tpl b/charts/ingress-nginx/templates/_params.tpl index 66c581fa6..a1aef01ae 100644 --- a/charts/ingress-nginx/templates/_params.tpl +++ b/charts/ingress-nginx/templates/_params.tpl @@ -51,6 +51,9 @@ {{- if .Values.controller.watchIngressWithoutClass }} - --watch-ingress-without-class=true {{- end }} +{{- if .Values.controller.enableTopologyAwareRouting }} +- --enable-topology-aware-routing=true +{{- end }} {{- range $key, $value := .Values.controller.extraArgs }} {{- /* Accept keys without values or with false as value */}} {{- if eq ($value | quote | len) 2 }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index a7fab0fe9..a6df47694 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -77,6 +77,10 @@ controller: # -- Process IngressClass per name (additionally as per spec.controller). ingressClassByName: false + # -- This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto" + # Defaults to false + enableTopologyAwareRouting: false + # -- This configuration defines if Ingress Controller should allow users to set # their own *-snippet annotations, otherwise this is forbidden / dropped # when users add those annotations. diff --git a/docs/user-guide/cli-arguments.md b/docs/user-guide/cli-arguments.md index 4379d0b34..febc6f762 100644 --- a/docs/user-guide/cli-arguments.md +++ b/docs/user-guide/cli-arguments.md @@ -24,6 +24,7 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment | `--enable-metrics` | Enables the collection of NGINX metrics. (default true) | | `--enable-ssl-chain-completion` | Autocomplete SSL certificate chains with missing intermediate CA certificates. Certificates uploaded to Kubernetes must have the "Authority Information Access" X.509 v3 extension for this to succeed. (default false)| | `--enable-ssl-passthrough` | Enable SSL Passthrough. (default false) | +| `--enable-topology-aware-routing` | Enable topology aware hints feature, needs service object annotation service.kubernetes.io/topology-aware-hints sets to auto. (default false) | | `--health-check-path` | URL path of the health check endpoint. Configured inside the NGINX status server. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. (default "/healthz") | | `--health-check-timeout` | Time limit, in seconds, for a probe to health-check-path to succeed. (default 10) | | `--healthz-port` | Port to use for the healthz endpoint. (default 10254) | diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index 010eba162..8bacb3025 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -53,6 +53,7 @@ const ( defUpstreamName = "upstream-default-backend" defServerName = "_" rootLocation = "/" + emptyZone = "" ) // Configuration contains all the settings required by an Ingress controller @@ -131,6 +132,21 @@ type Configuration struct { DynamicConfigurationRetries int DisableSyncEvents bool + + EnableTopologyAwareRouting bool +} + +func getIngressPodZone(svc *apiv1.Service) string { + svcKey := k8s.MetaNamespaceKey(svc) + if svcZoneAnnotation, ok := svc.ObjectMeta.GetAnnotations()[apiv1.AnnotationTopologyAwareHints]; ok { + if strings.ToLower(svcZoneAnnotation) == "auto" { + if foundZone, ok := k8s.IngressNodeDetails.GetLabels()[apiv1.LabelTopologyZone]; ok { + klog.V(3).Infof("Svc has topology aware annotation enabled, try to use zone %q where controller pod is running for Service %q ", foundZone, svcKey) + return foundZone + } + } + } + return emptyZone } // GetPublishService returns the Service used to set the load-balancer status of Ingresses. @@ -429,6 +445,13 @@ func (n *NGINXController) getStreamServices(configmapName string, proto apiv1.Pr var endps []ingress.Endpoint /* #nosec */ targetPort, err := strconv.Atoi(svcPort) // #nosec + var zone string + if n.cfg.EnableTopologyAwareRouting { + zone = getIngressPodZone(svc) + } else { + zone = emptyZone + } + if err != nil { // not a port number, fall back to using port name klog.V(3).Infof("Searching Endpoints with %v port name %q for Service %q", proto, svcPort, nsName) @@ -436,7 +459,7 @@ func (n *NGINXController) getStreamServices(configmapName string, proto apiv1.Pr sp := svc.Spec.Ports[i] if sp.Name == svcPort { if sp.Protocol == proto { - endps = getEndpointsFromSlices(svc, &sp, proto, n.store.GetServiceEndpointsSlices) + endps = getEndpointsFromSlices(svc, &sp, proto, zone, n.store.GetServiceEndpointsSlices) break } } @@ -447,7 +470,7 @@ func (n *NGINXController) getStreamServices(configmapName string, proto apiv1.Pr sp := svc.Spec.Ports[i] if sp.Port == int32(targetPort) { if sp.Protocol == proto { - endps = getEndpointsFromSlices(svc, &sp, proto, n.store.GetServiceEndpointsSlices) + endps = getEndpointsFromSlices(svc, &sp, proto, zone, n.store.GetServiceEndpointsSlices) break } } @@ -498,8 +521,13 @@ func (n *NGINXController) getDefaultUpstream() *ingress.Backend { upstream.Endpoints = append(upstream.Endpoints, n.DefaultEndpoint()) return upstream } - - endps := getEndpointsFromSlices(svc, &svc.Spec.Ports[0], apiv1.ProtocolTCP, n.store.GetServiceEndpointsSlices) + var zone string + if n.cfg.EnableTopologyAwareRouting { + zone = getIngressPodZone(svc) + } else { + zone = emptyZone + } + endps := getEndpointsFromSlices(svc, &svc.Spec.Ports[0], apiv1.ProtocolTCP, zone, n.store.GetServiceEndpointsSlices) if len(endps) == 0 { klog.Warningf("Service %q does not have any active Endpoint", svcKey) endps = []ingress.Endpoint{n.DefaultEndpoint()} @@ -827,7 +855,13 @@ func (n *NGINXController) getBackendServers(ingresses []*ingress.Ingress) ([]*in } sp := location.DefaultBackend.Spec.Ports[0] - endps := getEndpointsFromSlices(location.DefaultBackend, &sp, apiv1.ProtocolTCP, n.store.GetServiceEndpointsSlices) + var zone string + if n.cfg.EnableTopologyAwareRouting { + zone = getIngressPodZone(location.DefaultBackend) + } else { + zone = emptyZone + } + endps := getEndpointsFromSlices(location.DefaultBackend, &sp, apiv1.ProtocolTCP, zone, n.store.GetServiceEndpointsSlices) // custom backend is valid only if contains at least one endpoint if len(endps) > 0 { name := fmt.Sprintf("custom-default-backend-%v-%v", location.DefaultBackend.GetNamespace(), location.DefaultBackend.GetName()) @@ -1083,7 +1117,12 @@ func (n *NGINXController) serviceEndpoints(svcKey, backendPort string) ([]ingres if err != nil { return upstreams, err } - + var zone string + if n.cfg.EnableTopologyAwareRouting { + zone = getIngressPodZone(svc) + } else { + zone = emptyZone + } klog.V(3).Infof("Obtaining ports information for Service %q", svcKey) // Ingress with an ExternalName Service and no port defined for that Service if svc.Spec.Type == apiv1.ServiceTypeExternalName { @@ -1092,7 +1131,7 @@ func (n *NGINXController) serviceEndpoints(svcKey, backendPort string) ([]ingres return upstreams, nil } servicePort := externalNamePorts(backendPort, svc) - endps := getEndpointsFromSlices(svc, servicePort, apiv1.ProtocolTCP, n.store.GetServiceEndpointsSlices) + endps := getEndpointsFromSlices(svc, servicePort, apiv1.ProtocolTCP, zone, n.store.GetServiceEndpointsSlices) if len(endps) == 0 { klog.Warningf("Service %q does not have any active Endpoint.", svcKey) return upstreams, nil @@ -1109,7 +1148,7 @@ func (n *NGINXController) serviceEndpoints(svcKey, backendPort string) ([]ingres servicePort.TargetPort.String() == backendPort || servicePort.Name == backendPort { - endps := getEndpointsFromSlices(svc, &servicePort, apiv1.ProtocolTCP, n.store.GetServiceEndpointsSlices) + endps := getEndpointsFromSlices(svc, &servicePort, apiv1.ProtocolTCP, zone, n.store.GetServiceEndpointsSlices) if len(endps) == 0 { klog.Warningf("Service %q does not have any active Endpoint.", svcKey) } diff --git a/internal/ingress/controller/endpointslices.go b/internal/ingress/controller/endpointslices.go index 5a24c3880..34d5266dd 100644 --- a/internal/ingress/controller/endpointslices.go +++ b/internal/ingress/controller/endpointslices.go @@ -35,7 +35,7 @@ import ( ) // getEndpoints returns a list of Endpoint structs for a given service/target port combination. -func getEndpointsFromSlices(s *corev1.Service, port *corev1.ServicePort, proto corev1.Protocol, +func getEndpointsFromSlices(s *corev1.Service, port *corev1.ServicePort, proto corev1.Protocol, zoneForHints string, getServiceEndpointsSlices func(string) ([]*discoveryv1.EndpointSlice, error)) []ingress.Endpoint { upsServers := []ingress.Endpoint{} @@ -49,6 +49,7 @@ func getEndpointsFromSlices(s *corev1.Service, port *corev1.ServicePort, proto c processedUpstreamServers := make(map[string]struct{}) svcKey := k8s.MetaNamespaceKey(s) + var useTopologyHints bool // ExternalName services if s.Spec.Type == corev1.ServiceTypeExternalName { @@ -111,12 +112,38 @@ func getEndpointsFromSlices(s *corev1.Service, port *corev1.ServicePort, proto c ports = append(ports, targetPort) } } + useTopologyHints = false + if zoneForHints != emptyZone { + useTopologyHints = true + // check if all endpointslices has zone hints + for _, ep := range eps.Endpoints { + if ep.Hints == nil || len(ep.Hints.ForZones) == 0 { + useTopologyHints = false + break + } + } + if useTopologyHints { + klog.V(3).Infof("All endpoint slices has zone hint, using zone %q for Service %q", zoneForHints, svcKey) + } + } + for _, ep := range eps.Endpoints { if !(*ep.Conditions.Ready) { continue } + epHasZone := false + if useTopologyHints { + for _, epzone := range ep.Hints.ForZones { + if epzone.Name == zoneForHints { + epHasZone = true + break + } + } + } - // ep.Hints + if useTopologyHints && !epHasZone { + continue + } for _, epPort := range ports { for _, epAddress := range ep.Addresses { diff --git a/internal/ingress/controller/endpointslices_test.go b/internal/ingress/controller/endpointslices_test.go index e404c4949..b61e9a4f3 100644 --- a/internal/ingress/controller/endpointslices_test.go +++ b/internal/ingress/controller/endpointslices_test.go @@ -33,6 +33,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { svc *corev1.Service port *corev1.ServicePort proto corev1.Protocol + zone string fn func(string) ([]*discoveryv1.EndpointSlice, error) result []ingress.Endpoint }{ @@ -41,6 +42,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { nil, nil, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return nil, nil }, @@ -51,6 +53,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { &corev1.Service{}, nil, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return nil, nil }, @@ -61,6 +64,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { &corev1.Service{}, &corev1.ServicePort{Name: "default"}, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{}, nil }, @@ -75,6 +79,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { }, &corev1.ServicePort{Name: "default"}, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{}, nil }, @@ -99,6 +104,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromInt(80), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{}, nil }, @@ -123,6 +129,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromInt(80), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{}, nil }, @@ -147,6 +154,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromInt(80), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{}, nil }, @@ -176,6 +184,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromInt(80), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{}, nil }, @@ -205,6 +214,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromInt(80), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{}, nil }, @@ -229,6 +239,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromInt(80), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return nil, fmt.Errorf("unexpected error") }, @@ -253,6 +264,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromInt(80), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{{ ObjectMeta: metav1.ObjectMeta{ @@ -296,6 +308,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromInt(80), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{{ ObjectMeta: metav1.ObjectMeta{ @@ -339,6 +352,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromString("port-1"), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{{ ObjectMeta: metav1.ObjectMeta{ @@ -382,6 +396,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromInt(80), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{{ ObjectMeta: metav1.ObjectMeta{ @@ -430,6 +445,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromInt(80), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{{ ObjectMeta: metav1.ObjectMeta{ @@ -478,6 +494,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromString("port-1"), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{ { @@ -552,6 +569,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromString("port-1"), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{ { @@ -622,6 +640,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromString("port-1"), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{{ ObjectMeta: metav1.ObjectMeta{ @@ -656,11 +675,251 @@ func TestGetEndpointsFromSlices(t *testing.T) { }, }, }, + { + "should return one endpoint which belongs to zone", + &corev1.Service{ + Spec: corev1.ServiceSpec{ + Type: corev1.ServiceTypeClusterIP, + ClusterIP: "1.1.1.1", + Ports: []corev1.ServicePort{ + { + Name: "default", + TargetPort: intstr.FromString("port-1"), + }, + }, + }, + }, + &corev1.ServicePort{ + Name: "port-1", + TargetPort: intstr.FromString("port-1"), + }, + corev1.ProtocolTCP, + "eu-west-1b", + func(string) ([]*discoveryv1.EndpointSlice, error) { + return []*discoveryv1.EndpointSlice{{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{discoveryv1.LabelServiceName: "default"}, + }, + Endpoints: []discoveryv1.Endpoint{ + { + Addresses: []string{"1.1.1.1"}, + Conditions: discoveryv1.EndpointConditions{ + Ready: &[]bool{true}[0], + }, + Hints: &[]discoveryv1.EndpointHints{{ + ForZones: []discoveryv1.ForZone{{ + Name: "eu-west-1b", + }}, + }}[0], + }, + { + Addresses: []string{"1.1.1.2"}, + Conditions: discoveryv1.EndpointConditions{ + Ready: &[]bool{true}[0], + }, + Hints: &[]discoveryv1.EndpointHints{{ + ForZones: []discoveryv1.ForZone{{ + Name: "eu-west-1a", + }}, + }}[0], + }, + { + Addresses: []string{"1.1.1.3"}, + Conditions: discoveryv1.EndpointConditions{ + Ready: &[]bool{true}[0], + }, + Hints: &[]discoveryv1.EndpointHints{{ + ForZones: []discoveryv1.ForZone{{ + Name: "eu-west-1c", + }}, + }}[0], + }, + }, + Ports: []discoveryv1.EndpointPort{ + { + Protocol: &[]corev1.Protocol{corev1.ProtocolTCP}[0], + Port: &[]int32{80}[0], + Name: &[]string{"port-1"}[0], + }, + }, + }}, nil + }, + []ingress.Endpoint{ + { + Address: "1.1.1.1", + Port: "80", + }, + }, + }, + { + "should return all endpoints because one is missing zone hint", + &corev1.Service{ + Spec: corev1.ServiceSpec{ + Type: corev1.ServiceTypeClusterIP, + ClusterIP: "1.1.1.1", + Ports: []corev1.ServicePort{ + { + Name: "default", + TargetPort: intstr.FromString("port-1"), + }, + }, + }, + }, + &corev1.ServicePort{ + Name: "port-1", + TargetPort: intstr.FromString("port-1"), + }, + corev1.ProtocolTCP, + "eu-west-1b", + func(string) ([]*discoveryv1.EndpointSlice, error) { + return []*discoveryv1.EndpointSlice{{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{discoveryv1.LabelServiceName: "default"}, + }, + Endpoints: []discoveryv1.Endpoint{ + { + Addresses: []string{"1.1.1.1"}, + Conditions: discoveryv1.EndpointConditions{ + Ready: &[]bool{true}[0], + }, + Hints: &[]discoveryv1.EndpointHints{{ + ForZones: []discoveryv1.ForZone{{ + Name: "eu-west-1b", + }}, + }}[0], + }, + { + Addresses: []string{"1.1.1.2"}, + Conditions: discoveryv1.EndpointConditions{ + Ready: &[]bool{true}[0], + }, + Hints: &[]discoveryv1.EndpointHints{{ + ForZones: []discoveryv1.ForZone{{ + Name: "eu-west-1b", + }}, + }}[0], + }, + { + Addresses: []string{"1.1.1.3"}, + Conditions: discoveryv1.EndpointConditions{ + Ready: &[]bool{true}[0], + }, + Hints: &[]discoveryv1.EndpointHints{{}}[0], + }, + }, + Ports: []discoveryv1.EndpointPort{ + { + Protocol: &[]corev1.Protocol{corev1.ProtocolTCP}[0], + Port: &[]int32{80}[0], + Name: &[]string{"port-1"}[0], + }, + }, + }}, nil + }, + []ingress.Endpoint{ + { + Address: "1.1.1.1", + Port: "80", + }, + { + Address: "1.1.1.2", + Port: "80", + }, + { + Address: "1.1.1.3", + Port: "80", + }, + }, + }, + { + "should return all endpoints because no zone from controller node", + &corev1.Service{ + Spec: corev1.ServiceSpec{ + Type: corev1.ServiceTypeClusterIP, + ClusterIP: "1.1.1.1", + Ports: []corev1.ServicePort{ + { + Name: "default", + TargetPort: intstr.FromString("port-1"), + }, + }, + }, + }, + &corev1.ServicePort{ + Name: "port-1", + TargetPort: intstr.FromString("port-1"), + }, + corev1.ProtocolTCP, + "", + func(string) ([]*discoveryv1.EndpointSlice, error) { + return []*discoveryv1.EndpointSlice{{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{discoveryv1.LabelServiceName: "default"}, + }, + Endpoints: []discoveryv1.Endpoint{ + { + Addresses: []string{"1.1.1.1"}, + Conditions: discoveryv1.EndpointConditions{ + Ready: &[]bool{true}[0], + }, + Hints: &[]discoveryv1.EndpointHints{{ + ForZones: []discoveryv1.ForZone{{ + Name: "eu-west-1a", + }}, + }}[0], + }, + { + Addresses: []string{"1.1.1.2"}, + Conditions: discoveryv1.EndpointConditions{ + Ready: &[]bool{true}[0], + }, + Hints: &[]discoveryv1.EndpointHints{{ + ForZones: []discoveryv1.ForZone{{ + Name: "eu-west-1b", + }}, + }}[0], + }, + { + Addresses: []string{"1.1.1.3"}, + Conditions: discoveryv1.EndpointConditions{ + Ready: &[]bool{true}[0], + }, + Hints: &[]discoveryv1.EndpointHints{{ + ForZones: []discoveryv1.ForZone{{ + Name: "eu-west-1c", + }}, + }}[0], + }, + }, + Ports: []discoveryv1.EndpointPort{ + { + Protocol: &[]corev1.Protocol{corev1.ProtocolTCP}[0], + Port: &[]int32{80}[0], + Name: &[]string{"port-1"}[0], + }, + }, + }}, nil + }, + []ingress.Endpoint{ + { + Address: "1.1.1.1", + Port: "80", + }, + { + Address: "1.1.1.2", + Port: "80", + }, + { + Address: "1.1.1.3", + Port: "80", + }, + }, + }, } for _, testCase := range tests { t.Run(testCase.name, func(t *testing.T) { - result := getEndpointsFromSlices(testCase.svc, testCase.port, testCase.proto, testCase.fn) + result := getEndpointsFromSlices(testCase.svc, testCase.port, testCase.proto, testCase.zone, testCase.fn) if len(testCase.result) != len(result) { t.Errorf("Expected %d Endpoints but got %d", len(testCase.result), len(result)) } diff --git a/internal/k8s/main.go b/internal/k8s/main.go index 5332631a7..e0d2a1660 100644 --- a/internal/k8s/main.go +++ b/internal/k8s/main.go @@ -78,6 +78,8 @@ func GetNodeIPOrName(kubeClient clientset.Interface, name string, useInternalIP var ( // IngressPodDetails hold information about the ingress-nginx pod IngressPodDetails *PodInfo + // IngressNodeDetails old information about the node running ingress-nginx pod + IngressNodeDetails *NodeInfo ) // PodInfo contains runtime information about the pod running the Ingres controller @@ -87,6 +89,12 @@ type PodInfo struct { metav1.ObjectMeta } +// NodeInfo contains runtime information about the node pod running the Ingres controller, eg. zone where pod is running +type NodeInfo struct { + metav1.TypeMeta + metav1.ObjectMeta +} + // GetIngressPod load the ingress-nginx pod func GetIngressPod(kubeClient clientset.Interface) error { podName := os.Getenv("POD_NAME") @@ -108,6 +116,18 @@ func GetIngressPod(kubeClient clientset.Interface) error { pod.ObjectMeta.DeepCopyInto(&IngressPodDetails.ObjectMeta) IngressPodDetails.SetLabels(pod.GetLabels()) + IngressNodeDetails = &NodeInfo{ + TypeMeta: metav1.TypeMeta{APIVersion: "v1", Kind: "Node"}, + } + // Try to get node info/labels to determine topology zone where pod is running + node, err := kubeClient.CoreV1().Nodes().Get(context.TODO(), pod.Spec.NodeName, metav1.GetOptions{}) + if err != nil { + klog.Warningf("Unable to get NODE information: %v", err) + } else { + node.ObjectMeta.DeepCopyInto(&IngressNodeDetails.ObjectMeta) + IngressNodeDetails.SetLabels(node.GetLabels()) + } + return nil } diff --git a/pkg/flags/flags.go b/pkg/flags/flags.go index 6e183289c..911ab775c 100644 --- a/pkg/flags/flags.go +++ b/pkg/flags/flags.go @@ -216,6 +216,8 @@ Takes the form ":port". If not provided, no admission controller is starte dynamicConfigurationRetries = flags.Int("dynamic-configuration-retries", 15, "Number of times to retry failed dynamic configuration before failing to sync an ingress.") disableSyncEvents = flags.Bool("disable-sync-events", false, "Disables the creation of 'Sync' event resources") + + enableTopologyAwareRouting = flags.Bool("enable-topology-aware-routing", false, "Enable topology aware hints feature, needs service object annotation service.kubernetes.io/topology-aware-hints sets to auto.") ) flags.StringVar(&nginx.MaxmindMirror, "maxmind-mirror", "", `Maxmind mirror url (example: http://geoip.local/databases.`) @@ -348,6 +350,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g SyncRateLimit: *syncRateLimit, HealthCheckHost: *healthzHost, DynamicConfigurationRetries: *dynamicConfigurationRetries, + EnableTopologyAwareRouting: *enableTopologyAwareRouting, ListenPorts: &ngx_config.ListenPorts{ Default: *defServerPort, Health: *healthzPort, diff --git a/test/e2e-image/e2e.sh b/test/e2e-image/e2e.sh index 7b4d56f10..ed13926fb 100755 --- a/test/e2e-image/e2e.sh +++ b/test/e2e-image/e2e.sh @@ -41,12 +41,22 @@ reportFileNamePrefix="report-e2e-test-suite" echo -e "${BGREEN}Running e2e test suite (FOCUS=${FOCUS})...${NC}" ginkgo "${ginkgo_args[@]}" \ -focus="${FOCUS}" \ - -skip="\[Serial\]|\[MemoryLeak\]" \ + -skip="\[Serial\]|\[MemoryLeak\]|\[TopologyHints\]" \ -nodes="${E2E_NODES}" \ --junit-report=$reportFileNamePrefix.xml \ /e2e.test # Create configMap out of a compressed report file for extraction later +# Must be isolated, there is a collision if multiple helms tries to install same clusterRole at same time +echo -e "${BGREEN}Running e2e test for topology aware hints...${NC}" +ginkgo "${ginkgo_args[@]}" \ + -focus="\[TopologyHints\]" \ + -skip="\[Serial\]|\[MemoryLeak\]]" \ + -nodes="${E2E_NODES}" \ + --junit-report=$reportFileNamePrefix-topology.xml \ + /e2e.test +# Create configMap out of a compressed report file for extraction later + echo -e "${BGREEN}Running e2e test suite with tests that require serial execution...${NC}" ginkgo "${ginkgo_args[@]}" \ -focus="\[Serial\]" \ diff --git a/test/e2e-image/namespace-overlays/topology/values.yaml b/test/e2e-image/namespace-overlays/topology/values.yaml new file mode 100644 index 000000000..28b1cad19 --- /dev/null +++ b/test/e2e-image/namespace-overlays/topology/values.yaml @@ -0,0 +1,51 @@ +# TODO: remove the need to use fullnameOverride +fullnameOverride: nginx-ingress +controller: + image: + repository: ingress-controller/controller + chroot: true + tag: 1.0.0-dev + digest: + digestChroot: + scope: + enabled: false + config: + worker-processes: "1" + readinessProbe: + initialDelaySeconds: 3 + periodSeconds: 1 + livenessProbe: + initialDelaySeconds: 3 + periodSeconds: 1 + service: + type: NodePort + electionID: ingress-controller-leader + ingressClassResource: + # We will create and remove each IC/ClusterRole/ClusterRoleBinding per test so there's no conflict + enabled: false + extraArgs: + tcp-services-configmap: $NAMESPACE/tcp-services + # e2e tests do not require information about ingress status + update-status: "false" + terminationGracePeriodSeconds: 1 + admissionWebhooks: + enabled: false + + enableTopologyAwareRouting: true + + # ulimit -c unlimited + # mkdir -p /tmp/coredump + # chmod a+rwx /tmp/coredump + # echo "/tmp/coredump/core.%e.%p.%h.%t" > /proc/sys/kernel/core_pattern + extraVolumeMounts: + - name: coredump + mountPath: /tmp/coredump + + extraVolumes: + - name: coredump + hostPath: + path: /tmp/coredump + +rbac: + create: true + scope: false diff --git a/test/e2e/endpointslices/topology.go b/test/e2e/endpointslices/topology.go new file mode 100644 index 000000000..ce913e966 --- /dev/null +++ b/test/e2e/endpointslices/topology.go @@ -0,0 +1,112 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package endpointslices + +import ( + "context" + "encoding/json" + "fmt" + "net/http" + "os/exec" + "strings" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + "github.com/onsi/ginkgo/v2" + "github.com/stretchr/testify/assert" + + "k8s.io/ingress-nginx/internal/nginx" + "k8s.io/ingress-nginx/test/e2e/framework" +) + +var _ = framework.IngressNginxDescribe("[TopologyHints] topology aware routing", func() { + f := framework.NewDefaultFramework("topology") + host := "topology-svc.foo.com" + + ginkgo.BeforeEach(func() { + f.NewEchoDeployment(framework.WithDeploymentReplicas(2), framework.WithSvcTopologyAnnotations()) + }) + + ginkgo.AfterEach(func() { + // we need to uninstall chart because of clusterRole which is not destroyed with namespace + err := uninstallChart(f) + assert.Nil(ginkgo.GinkgoT(), err, "uninstalling helm chart") + }) + + ginkgo.It("should return 200 when service has topology hints", func() { + + annotations := make(map[string]string) + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, func(server string) bool { + return strings.Contains(server, fmt.Sprintf("server_name %s", host)) + }) + + ginkgo.By("checking if the service is reached") + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK) + + slices, err := f.KubeClientSet.DiscoveryV1().EndpointSlices(f.Namespace).List(context.TODO(), metav1.ListOptions{ + LabelSelector: "kubernetes.io/service-name=echo", + Limit: 1, + }) + assert.Nil(ginkgo.GinkgoT(), err) + + // check if we have hints, really depends on k8s endpoint slice controller + gotHints := true + for _, ep := range slices.Items[0].Endpoints { + if ep.Hints == nil || len(ep.Hints.ForZones) == 0 { + gotHints = false + break + } + } + + curlCmd := fmt.Sprintf("curl --fail --silent http://localhost:%v/configuration/backends", nginx.StatusPort) + status, err := f.ExecIngressPod(curlCmd) + assert.Nil(ginkgo.GinkgoT(), err) + var backends []map[string]interface{} + json.Unmarshal([]byte(status), &backends) + gotBackends := 0 + for _, bck := range backends { + if strings.Contains(bck["name"].(string), "topology") { + gotBackends = len(bck["endpoints"].([]interface{})) + } + } + + if gotHints { + //we have 2 replics, if there is just one backend it means that we are routing according slices hints to same zone as controller is + assert.Equal(ginkgo.GinkgoT(), 1, gotBackends) + } else { + // two replicas should have two endpoints without topology hints + assert.Equal(ginkgo.GinkgoT(), 2, gotBackends) + } + }) +}) + +func uninstallChart(f *framework.Framework) error { + cmd := exec.Command("helm", "uninstall", "--namespace", f.Namespace, "nginx-ingress") + _, err := cmd.CombinedOutput() + if err != nil { + return fmt.Errorf("unexpected error uninstalling ingress-nginx release: %v", err) + } + + return nil +} diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go index 3cfe8f360..8115fd12e 100644 --- a/test/e2e/framework/deployment.go +++ b/test/e2e/framework/deployment.go @@ -40,10 +40,10 @@ const SlowEchoService = "slow-echo" const HTTPBinService = "httpbin" type deploymentOptions struct { - namespace string - name string - replicas int - image string + namespace string + name string + replicas int + svcAnnotations map[string]string } // WithDeploymentNamespace allows configuring the deployment's namespace @@ -53,6 +53,15 @@ func WithDeploymentNamespace(n string) func(*deploymentOptions) { } } +// WithSvcTopologyAnnotations create svc with topology aware hints sets to auto +func WithSvcTopologyAnnotations() func(*deploymentOptions) { + return func(o *deploymentOptions) { + o.svcAnnotations = map[string]string{ + "service.kubernetes.io/topology-aware-hints": "auto", + } + } +} + // WithDeploymentName allows configuring the deployment's names func WithDeploymentName(n string) func(*deploymentOptions) { return func(o *deploymentOptions) { @@ -95,8 +104,9 @@ func (f *Framework) NewEchoDeployment(opts ...func(*deploymentOptions)) { service := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ - Name: options.name, - Namespace: options.namespace, + Name: options.name, + Namespace: options.namespace, + Annotations: options.svcAnnotations, }, Spec: corev1.ServiceSpec{ Ports: []corev1.ServicePort{ diff --git a/test/e2e/kind.yaml b/test/e2e/kind.yaml index 97dc7082d..07a56dae8 100644 --- a/test/e2e/kind.yaml +++ b/test/e2e/kind.yaml @@ -2,8 +2,14 @@ kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 nodes: - role: control-plane + labels: + topology.kubernetes.io/zone: zone-1 - role: worker + labels: + topology.kubernetes.io/zone: zone-1 - role: worker + labels: + topology.kubernetes.io/zone: zone-2 kubeadmConfigPatches: - | kind: ClusterConfiguration From 1a65027e4c2051ef2df8afee4b06021d8dde26bb Mon Sep 17 00:00:00 2001 From: lythandas <90504445+lythandas@users.noreply.github.com> Date: Mon, 16 Jan 2023 03:52:50 +0100 Subject: [PATCH 116/405] Change default value of enable-brotli (#9500) --- docs/user-guide/nginx-configuration/configmap.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md index 77cee0507..5c0b79510 100755 --- a/docs/user-guide/nginx-configuration/configmap.md +++ b/docs/user-guide/nginx-configuration/configmap.md @@ -693,7 +693,8 @@ _**default:**_ false ## enable-brotli Enables or disables compression of HTTP responses using the ["brotli" module](https://github.com/google/ngx_brotli). -The default mime type list to compress is: `application/xml+rss application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component`. _**default:**_ is disabled +The default mime type list to compress is: `application/xml+rss application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component`. +_**default:**_ false > __Note:__ Brotli does not works in Safari < 11. For more information see [https://caniuse.com/#feat=brotli](https://caniuse.com/#feat=brotli) From dbe88c55a353c01e6748f0eadbc5a8e8108ffc74 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Libor=20Ry=C5=A1av=C3=BD?= Date: Mon, 16 Jan 2023 13:18:51 +0100 Subject: [PATCH 117/405] Sanitise request metrics in monitoring docs (#9384) Also add more detailed description to `nginx_ingress_controller_request_duration_seconds` and `nginx_ingress_controller_response_duration_seconds` based on NGINX docs. Also reformat the list so the descriptions are under the corresponding list item. --- docs/user-guide/monitoring.md | 52 ++++++++++++----------------------- 1 file changed, 18 insertions(+), 34 deletions(-) diff --git a/docs/user-guide/monitoring.md b/docs/user-guide/monitoring.md index cc9fb91ec..058c261ab 100644 --- a/docs/user-guide/monitoring.md +++ b/docs/user-guide/monitoring.md @@ -355,56 +355,40 @@ Prometheus metrics are exposed on port 10254. ### Request metrics -* `nginx_ingress_controller_request_duration_seconds` Histogram - - The request processing time in seconds (affected by client speed) - +* `nginx_ingress_controller_request_duration_seconds` Histogram\ + The request processing (time elapsed between the first bytes were read from the client and the log write after the last bytes were sent to the client) time in seconds (affected by client speed).\ nginx var: `request_time` -* `nginx_ingress_controller_response_duration_seconds` Histogram - - The time spent on receiving the response from the upstream server (affected by client speed) - +* `nginx_ingress_controller_response_duration_seconds` Histogram\ + The time spent on receiving the response from the upstream server in seconds (affected by client speed when the response is bigger than proxy buffers).\ + Note: can be up to several millis bigger than the `nginx_ingress_controller_request_duration_seconds` because of the different measuring method. nginx var: `upstream_response_time` -* `nginx_ingress_controller_header_duration_seconds` Histogram - - The time spent on receiving first header from the upstream server - +* `nginx_ingress_controller_header_duration_seconds` Histogram\ + The time spent on receiving first header from the upstream server\ nginx var: `upstream_header_time` -* `nginx_ingress_controller_connect_duration_seconds` Histogram - - The time spent on establishing a connection with the upstream server - +* `nginx_ingress_controller_connect_duration_seconds` Histogram\ + The time spent on establishing a connection with the upstream server\ nginx var: `upstream_connect_time` -* `nginx_ingress_controller_response_size` Histogram - - The response length (including request line, header, and request body) - +* `nginx_ingress_controller_response_size` Histogram\ + The response length (including request line, header, and request body)\ nginx var: `bytes_sent` -* `nginx_ingress_controller_request_size` Histogram - - The request length (including request line, header, and request body) - +* `nginx_ingress_controller_request_size` Histogram\ + The request length (including request line, header, and request body)\ nginx var: `request_length` -* `nginx_ingress_controller_requests` Counter - +* `nginx_ingress_controller_requests` Counter\ The total number of client requests -* `nginx_ingress_controller_bytes_sent` Histogram - - The number of bytes sent to a client. **Deprecated**, use `nginx_ingress_controller_response_size` - +* `nginx_ingress_controller_bytes_sent` Histogram\ + The number of bytes sent to a client. **Deprecated**, use `nginx_ingress_controller_response_size`\ nginx var: `bytes_sent` -* `nginx_ingress_controller_ingress_upstream_latency_seconds` Summary - - Upstream service latency per Ingress. **Deprecated**, use `nginx_ingress_controller_connect_duration_seconds` - +* `nginx_ingress_controller_ingress_upstream_latency_seconds` Summary\ + Upstream service latency per Ingress. **Deprecated**, use `nginx_ingress_controller_connect_duration_seconds`\ nginx var: `upstream_connect_time` ``` From 39b5ce844b4966a4f449b77f928759900eb261ec Mon Sep 17 00:00:00 2001 From: Makhonin Alexey <60808275+alex123012@users.noreply.github.com> Date: Mon, 16 Jan 2023 16:22:51 +0400 Subject: [PATCH 118/405] Add new prometheus metric for orphaned ingress (#8230) * Add new metric for orhaned ingress * Fix const labels * Fix after rebase --- internal/ingress/controller/controller.go | 18 +++++++--- .../ingress/controller/controller_test.go | 7 ++-- .../ingress/metric/collectors/controller.go | 33 +++++++++++++++++++ internal/ingress/metric/dummy.go | 6 ++++ internal/ingress/metric/main.go | 10 ++++++ 5 files changed, 67 insertions(+), 7 deletions(-) diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index 8bacb3025..dab507cdf 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -50,10 +50,12 @@ import ( ) const ( - defUpstreamName = "upstream-default-backend" - defServerName = "_" - rootLocation = "/" - emptyZone = "" + defUpstreamName = "upstream-default-backend" + defServerName = "_" + rootLocation = "/" + emptyZone = "" + orphanMetricLabelNoService = "no-service" + orphanMetricLabelNoEndpoint = "no-endpoint" ) // Configuration contains all the settings required by an Ingress controller @@ -1052,8 +1054,16 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B endp, err := n.serviceEndpoints(svcKey, port.String()) if err != nil { klog.Warningf("Error obtaining Endpoints for Service %q: %v", svcKey, err) + n.metricCollector.IncOrphanIngress(ing.Namespace, ing.Name, orphanMetricLabelNoService) continue } + n.metricCollector.DecOrphanIngress(ing.Namespace, ing.Name, orphanMetricLabelNoService) + + if len(endp) == 0 { + n.metricCollector.IncOrphanIngress(ing.Namespace, ing.Name, orphanMetricLabelNoEndpoint) + } else { + n.metricCollector.DecOrphanIngress(ing.Namespace, ing.Name, orphanMetricLabelNoEndpoint) + } upstreams[name].Endpoints = endp } diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go index 796012cd3..8cca10385 100644 --- a/internal/ingress/controller/controller_test.go +++ b/internal/ingress/controller/controller_test.go @@ -2481,8 +2481,9 @@ func newDynamicNginxController(t *testing.T, setConfigMap func(string) *v1.Confi } return &NGINXController{ - store: storer, - cfg: config, - command: NewNginxCommand(), + store: storer, + cfg: config, + command: NewNginxCommand(), + metricCollector: metric.DummyCollector{}, } } diff --git a/internal/ingress/metric/collectors/controller.go b/internal/ingress/metric/collectors/controller.go index 5822f0d57..3a65a1a99 100644 --- a/internal/ingress/metric/collectors/controller.go +++ b/internal/ingress/metric/collectors/controller.go @@ -32,6 +32,7 @@ var ( ingressOperation = []string{"controller_namespace", "controller_class", "controller_pod", "namespace", "ingress"} sslLabelHost = []string{"namespace", "class", "host", "secret_name"} sslInfoLabels = []string{"namespace", "class", "host", "secret_name", "identifier", "issuer_organization", "issuer_common_name", "serial_number", "public_key_algorithm"} + orphanityLabels = []string{"controller_namespace", "controller_class", "controller_pod", "namespace", "ingress", "type"} ) // Controller defines base metrics about the ingress controller @@ -48,6 +49,7 @@ type Controller struct { checkIngressOperationErrors *prometheus.CounterVec sslExpireTime *prometheus.GaugeVec sslInfo *prometheus.GaugeVec + OrphanIngress *prometheus.GaugeVec constLabels prometheus.Labels labels prometheus.Labels @@ -171,6 +173,15 @@ func NewController(pod, namespace, class string) *Controller { }, []string{"name"}, ), + OrphanIngress: prometheus.NewGaugeVec( + prometheus.GaugeOpts{ + Namespace: PrometheusNamespace, + Name: "orphan_ingress", + Help: `Gauge reporting status of ingress orphanity, 1 indicates orphaned ingress. + 'namespace' is the string used to identify namespace of ingress, 'ingress' for ingress name and 'type' for 'no-service' or 'no-endpoint' of orphanity`, + }, + orphanityLabels, + ), } return cm @@ -214,6 +225,26 @@ func (cm *Controller) IncCheckErrorCount(namespace, name string) { cm.checkIngressOperationErrors.MustCurryWith(cm.constLabels).With(labels).Inc() } +// IncOrphanIngress sets the the orphaned ingress gauge to one +func (cm *Controller) IncOrphanIngress(namespace string, name string, orphanityType string) { + labels := prometheus.Labels{ + "namespace": namespace, + "ingress": name, + "type": orphanityType, + } + cm.OrphanIngress.MustCurryWith(cm.constLabels).With(labels).Set(1.0) +} + +// DecOrphanIngress sets the the orphaned ingress gauge to zero (all services has their endpoints) +func (cm *Controller) DecOrphanIngress(namespace string, name string, orphanityType string) { + labels := prometheus.Labels{ + "namespace": namespace, + "ingress": name, + "type": orphanityType, + } + cm.OrphanIngress.MustCurryWith(cm.constLabels).With(labels).Set(0.0) +} + // ConfigSuccess set a boolean flag according to the output of the controller configuration reload func (cm *Controller) ConfigSuccess(hash uint64, success bool) { if success { @@ -242,6 +273,7 @@ func (cm Controller) Describe(ch chan<- *prometheus.Desc) { cm.sslInfo.Describe(ch) cm.leaderElection.Describe(ch) cm.buildInfo.Describe(ch) + cm.OrphanIngress.Describe(ch) } // Collect implements the prometheus.Collector interface. @@ -257,6 +289,7 @@ func (cm Controller) Collect(ch chan<- prometheus.Metric) { cm.sslInfo.Collect(ch) cm.leaderElection.Collect(ch) cm.buildInfo.Collect(ch) + cm.OrphanIngress.Collect(ch) } // SetSSLExpireTime sets the expiration time of SSL Certificates diff --git a/internal/ingress/metric/dummy.go b/internal/ingress/metric/dummy.go index 4a6366b84..e34b5ecbd 100644 --- a/internal/ingress/metric/dummy.go +++ b/internal/ingress/metric/dummy.go @@ -41,6 +41,12 @@ func (dc DummyCollector) IncReloadCount() {} // IncReloadErrorCount ... func (dc DummyCollector) IncReloadErrorCount() {} +// IncOrphanIngress ... +func (dc DummyCollector) IncOrphanIngress(string, string, string) {} + +// DecOrphanIngress ... +func (dc DummyCollector) DecOrphanIngress(string, string, string) {} + // IncCheckCount ... func (dc DummyCollector) IncCheckCount(string, string) {} diff --git a/internal/ingress/metric/main.go b/internal/ingress/metric/main.go index b3323c7fe..892c8e8db 100644 --- a/internal/ingress/metric/main.go +++ b/internal/ingress/metric/main.go @@ -43,6 +43,8 @@ type Collector interface { IncCheckCount(string, string) IncCheckErrorCount(string, string) + IncOrphanIngress(string, string, string) + DecOrphanIngress(string, string, string) RemoveMetrics(ingresses, endpoints, certificates []string) @@ -181,6 +183,14 @@ func (c *collector) SetSSLInfo(servers []*ingress.Server) { c.ingressController.SetSSLInfo(servers) } +func (c *collector) IncOrphanIngress(namespace string, name string, orphanityType string) { + c.ingressController.IncOrphanIngress(namespace, name, orphanityType) +} + +func (c *collector) DecOrphanIngress(namespace string, name string, orphanityType string) { + c.ingressController.DecOrphanIngress(namespace, name, orphanityType) +} + func (c *collector) SetHosts(hosts sets.String) { c.socket.SetHosts(hosts) } From a2c9b8833b482cdbf484c80bd8c8d169d2899cb5 Mon Sep 17 00:00:00 2001 From: Makhonin Alexey <60808275+alex123012@users.noreply.github.com> Date: Mon, 16 Jan 2023 20:26:38 +0400 Subject: [PATCH 119/405] Add docs about orphan_ingress metric (#9514) --- docs/user-guide/monitoring.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/user-guide/monitoring.md b/docs/user-guide/monitoring.md index 058c261ab..807d91afc 100644 --- a/docs/user-guide/monitoring.md +++ b/docs/user-guide/monitoring.md @@ -453,6 +453,8 @@ Prometheus metrics are exposed on port 10254. # TYPE nginx_ingress_controller_ssl_certificate_info gauge # HELP nginx_ingress_controller_success Cumulative number of Ingress controller reload operations # TYPE nginx_ingress_controller_success counter +# HELP nginx_ingress_controller_orphan_ingress Gauge reporting status of ingress orphanity, 1 indicates orphaned ingress. 'namespace' is the string used to identify namespace of ingress, 'ingress' for ingress name and 'type' for 'no-service' or 'no-endpoint' of orphanity +# TYPE nginx_ingress_controller_orphan_ingress gauge ``` ### Admission metrics From a069617ef88a9a33b8cbd2f4d92a4c2574dac818 Mon Sep 17 00:00:00 2001 From: Marco Ebert Date: Mon, 16 Jan 2023 17:38:50 +0100 Subject: [PATCH 120/405] Values: Add missing `controller.metrics.service.labels`. (#9501) --- charts/ingress-nginx/README.md | 1 + charts/ingress-nginx/values.yaml | 2 ++ 2 files changed, 3 insertions(+) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 817059af2..65236e08c 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -377,6 +377,7 @@ Kubernetes: `>=1.20.0-0` | controller.metrics.prometheusRule.rules | list | `[]` | | | controller.metrics.service.annotations | object | `{}` | | | controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # | +| controller.metrics.service.labels | object | `{}` | Labels to be added to the metrics service resource | | controller.metrics.service.loadBalancerSourceRanges | list | `[]` | | | controller.metrics.service.servicePort | int | `10254` | | | controller.metrics.service.type | string | `"ClusterIP"` | | diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index a6df47694..215ce509d 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -704,6 +704,8 @@ controller: annotations: {} # prometheus.io/scrape: "true" # prometheus.io/port: "10254" + # -- Labels to be added to the metrics service resource + labels: {} # clusterIP: "" From e6dcd6845e3dc2e314a676cad7107fe75225def0 Mon Sep 17 00:00:00 2001 From: Samuel Vaillant Date: Tue, 17 Jan 2023 02:08:32 +0100 Subject: [PATCH 121/405] feat(configmap): expose gzip-disable (#9505) * docs(configmap): add link for gzip-min-length * feat(configmap): expose gzip-disable * test(e2e): cover gzip settings * docs(configmap): simplify description with NGINX link * refactor(configmap): simplify condition --- .../nginx-configuration/configmap.md | 6 ++ internal/ingress/controller/config/config.go | 6 +- .../controller/template/configmap_test.go | 2 + rootfs/etc/nginx/template/nginx.tmpl | 3 + test/e2e/settings/gzip.go | 99 +++++++++++++++++++ 5 files changed, 115 insertions(+), 1 deletion(-) create mode 100644 test/e2e/settings/gzip.go diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md index 5c0b79510..2a3369044 100755 --- a/docs/user-guide/nginx-configuration/configmap.md +++ b/docs/user-guide/nginx-configuration/configmap.md @@ -103,7 +103,9 @@ The following table shows a configuration option's name, type, and the default v |[brotli-min-length](#brotli-min-length)|int|20| |[brotli-types](#brotli-types)|string|"application/xml+rss application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component"| |[use-http2](#use-http2)|bool|"true"| +|[gzip-disable](#gzip-disable)|string|""| |[gzip-level](#gzip-level)|int|1| +|[gzip-min-length](#gzip-min-length)|int|256| |[gzip-types](#gzip-types)|string|"application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component"| |[worker-processes](#worker-processes)|string|``| |[worker-cpu-affinity](#worker-cpu-affinity)|string|""| @@ -715,6 +717,10 @@ _**default:**_ `application/xml+rss application/atom+xml application/javascript Enables or disables [HTTP/2](https://nginx.org/en/docs/http/ngx_http_v2_module.html) support in secure connections. +## gzip-disable + +Disables [gzipping](http://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip_disable) of responses for requests with "User-Agent" header fields matching any of the specified regular expressions. + ## gzip-level Sets the gzip Compression Level that will be used. _**default:**_ 1 diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go index f064dad53..a4a4c5a0b 100644 --- a/internal/ingress/controller/config/config.go +++ b/internal/ingress/controller/config/config.go @@ -438,6 +438,11 @@ type Configuration struct { // Default: true UseHTTP2 bool `json:"use-http2,omitempty"` + // Disables gzipping of responses for requests with "User-Agent" header fields matching any of + // the specified regular expressions. + // http://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip_disable + GzipDisable string `json:"gzip-disable,omitempty"` + // gzip Compression Level that will be used GzipLevel int `json:"gzip-level,omitempty"` @@ -794,7 +799,6 @@ func NewDefault() Configuration { defGlobalExternalAuth := GlobalExternalAuth{"", "", "", "", "", append(defResponseHeaders, ""), "", "", "", []string{}, map[string]string{}, false} cfg := Configuration{ - AllowSnippetAnnotations: true, AllowBackendServerHeader: false, AnnotationValueWordBlocklist: "", diff --git a/internal/ingress/controller/template/configmap_test.go b/internal/ingress/controller/template/configmap_test.go index c662e0bc7..ebe55d192 100644 --- a/internal/ingress/controller/template/configmap_test.go +++ b/internal/ingress/controller/template/configmap_test.go @@ -64,6 +64,7 @@ func TestMergeConfigMapToStruct(t *testing.T) { "access-log-path": "/var/log/test/access.log", "error-log-path": "/var/log/test/error.log", "use-gzip": "false", + "gzip-disable": "msie6", "gzip-level": "9", "gzip-min-length": "1024", "gzip-types": "text/html", @@ -87,6 +88,7 @@ func TestMergeConfigMapToStruct(t *testing.T) { def.ProxyReadTimeout = 1 def.ProxySendTimeout = 2 def.UseProxyProtocol = true + def.GzipDisable = "msie6" def.GzipLevel = 9 def.GzipMinLength = 1024 def.GzipTypes = "text/html" diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index fc48de912..911cf75ea 100755 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -336,6 +336,9 @@ http { {{ if $cfg.UseGzip }} gzip on; gzip_comp_level {{ $cfg.GzipLevel }}; + {{- if $cfg.GzipDisable }} + gzip_disable "{{ $cfg.GzipDisable }}"; + {{- end }} gzip_http_version 1.1; gzip_min_length {{ $cfg.GzipMinLength}}; gzip_types {{ $cfg.GzipTypes }}; diff --git a/test/e2e/settings/gzip.go b/test/e2e/settings/gzip.go new file mode 100644 index 000000000..68e80d3a0 --- /dev/null +++ b/test/e2e/settings/gzip.go @@ -0,0 +1,99 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package settings + +import ( + "fmt" + "strings" + + "github.com/onsi/ginkgo/v2" + + "k8s.io/ingress-nginx/internal/ingress/controller/config" + "k8s.io/ingress-nginx/test/e2e/framework" +) + +var _ = framework.DescribeSetting("gzip", func() { + f := framework.NewDefaultFramework("gzip") + + ginkgo.It("should be disabled by default", func() { + f.WaitForNginxConfiguration( + func(cfg string) bool { + return !strings.Contains(cfg, "gzip on;") + }) + }) + + ginkgo.It("should be enabled with default settings", func() { + f.UpdateNginxConfigMapData("use-gzip", "true") + + f.WaitForNginxConfiguration( + func(cfg string) bool { + defaultCfg := config.NewDefault() + return strings.Contains(cfg, "gzip on;") && + strings.Contains(cfg, fmt.Sprintf("gzip_comp_level %d;", defaultCfg.GzipLevel)) && + !strings.Contains(cfg, "gzip_disable") && + strings.Contains(cfg, "gzip_http_version 1.1;") && + strings.Contains(cfg, fmt.Sprintf("gzip_min_length %d;", defaultCfg.GzipMinLength)) && + strings.Contains(cfg, fmt.Sprintf("gzip_types %s;", defaultCfg.GzipTypes)) && + strings.Contains(cfg, "gzip_proxied any;") && + strings.Contains(cfg, "gzip_vary on;") + }) + }) + + ginkgo.It("should set gzip_comp_level to 4", func() { + f.UpdateNginxConfigMapData("use-gzip", "true") + f.UpdateNginxConfigMapData("gzip-level", "4") + + f.WaitForNginxConfiguration( + func(cfg string) bool { + return strings.Contains(cfg, "gzip on;") && + strings.Contains(cfg, "gzip_comp_level 4;") + }) + }) + + ginkgo.It("should set gzip_disable to msie6", func() { + f.UpdateNginxConfigMapData("use-gzip", "true") + f.UpdateNginxConfigMapData("gzip-disable", "msie6") + + f.WaitForNginxConfiguration( + func(cfg string) bool { + return strings.Contains(cfg, "gzip on;") && + strings.Contains(cfg, `gzip_disable "msie6";`) + }) + }) + + ginkgo.It("should set gzip_min_length to 100", func() { + f.UpdateNginxConfigMapData("use-gzip", "true") + f.UpdateNginxConfigMapData("gzip-min-length", "100") + + f.WaitForNginxConfiguration( + func(cfg string) bool { + return strings.Contains(cfg, "gzip on;") && + strings.Contains(cfg, "gzip_min_length 100;") + }) + }) + + ginkgo.It("should set gzip_types to application/javascript", func() { + f.UpdateNginxConfigMapData("use-gzip", "true") + f.UpdateNginxConfigMapData("gzip-types", "application/javascript") + + f.WaitForNginxConfiguration( + func(cfg string) bool { + return strings.Contains(cfg, "gzip on;") && + strings.Contains(cfg, "gzip_types application/javascript;") + }) + }) +}) From da98c744b95e1d36d24f77454b3a76ad29b53702 Mon Sep 17 00:00:00 2001 From: Ricardo Katz Date: Mon, 16 Jan 2023 23:51:23 -0300 Subject: [PATCH 122/405] Implement pathType validation (#9511) --- charts/ingress-nginx/README.md | 1 + .../templates/controller-configmap.yaml | 1 + charts/ingress-nginx/values.yaml | 5 + .../nginx-configuration/configmap.md | 23 +++ internal/ingress/controller/config/config.go | 13 ++ internal/ingress/controller/controller.go | 4 + .../ingress/controller/controller_test.go | 91 +++++++++ internal/ingress/controller/store/store.go | 9 +- internal/k8s/main.go | 3 - pkg/util/ingress/ingress.go | 60 ++++-- pkg/util/ingress/ingress_test.go | 188 +++++++++++++----- test/e2e/admission/admission.go | 34 ++++ test/e2e/annotations/affinity.go | 6 + test/e2e/annotations/rewrite.go | 8 + test/e2e/security/invalid_paths.go | 134 ------------- 15 files changed, 373 insertions(+), 207 deletions(-) delete mode 100644 test/e2e/security/invalid_paths.go diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 65236e08c..174a8870d 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -311,6 +311,7 @@ Kubernetes: `>=1.20.0-0` | controller.containerPort | object | `{"http":80,"https":443}` | Configures the ports that the nginx-controller listens on | | controller.customTemplate.configMapKey | string | `""` | | | controller.customTemplate.configMapName | string | `""` | | +| controller.disablePathTypeValidation | bool | `false` | This configuration defines if Ingress Controller should validate pathType. If this is true, special characters will be allowed on paths of any pathType. If false, special characters are only allowed on paths with pathType = ImplementationSpecific | | controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. | | controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. | | controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' | diff --git a/charts/ingress-nginx/templates/controller-configmap.yaml b/charts/ingress-nginx/templates/controller-configmap.yaml index f28b26e1e..ffd003ee8 100644 --- a/charts/ingress-nginx/templates/controller-configmap.yaml +++ b/charts/ingress-nginx/templates/controller-configmap.yaml @@ -14,6 +14,7 @@ metadata: namespace: {{ .Release.Namespace }} data: allow-snippet-annotations: "{{ .Values.controller.allowSnippetAnnotations }}" + disable-pathtype-validation: "{{ .Values.controller.disablePathTypeValidation }}" {{- if .Values.controller.addHeaders }} add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers {{- end }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 215ce509d..072493ccc 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -87,6 +87,11 @@ controller: # Global snippets in ConfigMap are still respected allowSnippetAnnotations: true + # -- This configuration defines if Ingress Controller should validate pathType. + # If this is true, special characters will be allowed on paths of any pathType. If + # false, special characters are only allowed on paths with pathType = ImplementationSpecific + disablePathTypeValidation: false + # -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 # is merged diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md index 2a3369044..849d6968a 100755 --- a/docs/user-guide/nginx-configuration/configmap.md +++ b/docs/user-guide/nginx-configuration/configmap.md @@ -216,6 +216,8 @@ The following table shows a configuration option's name, type, and the default v |[service-upstream](#service-upstream)|bool|"false"| |[ssl-reject-handshake](#ssl-reject-handshake)|bool|"false"| |[debug-connections](#debug-connections)|[]string|"127.0.0.1,1.1.1.1/24"| +|[disable-pathtype-validation](#disable-pathtype-validation)|bool|"false"| +|[path-additional-allowed-chars](#path-additional-allowed-chars)|string|"^%$[](){}*+?"| ## add-headers @@ -1326,3 +1328,24 @@ _**default:**_ "" _References:_ [http://nginx.org/en/docs/ngx_core_module.html#debug_connection](http://nginx.org/en/docs/ngx_core_module.html#debug_connection) + +## disable-pathtype-validation +Ingress Controller validates the pathType, and only allows special characters on "path" if pathType is +ImplementationSpecific. + +The only characters allowed on ingresses with pathType not ImplementationSpecific +will be 0-9, a-z, A-Z, "-", ".", "_", "~", "/". + +If the validation is disabled, the [#path-additional-allowed-chars](#path-additional-allowed-chars) will +be allowed on any pathType. + +This behavior can be disabled, so special characters are accepted regardless of pathType +_**default:**_ "false" + +## path-additional-allowed-chars +When validating path on Ingress resources, defines the additional set of special characters that +will be allowed. + +See also [#disable-pathtype-validation](#disable-pathtype-validation). + +_**default:**_ "^%$[](){}*+?|" \ No newline at end of file diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go index a4a4c5a0b..b246ef9cf 100644 --- a/internal/ingress/controller/config/config.go +++ b/internal/ingress/controller/config/config.go @@ -782,6 +782,17 @@ type Configuration struct { // http://nginx.org/en/docs/ngx_core_module.html#debug_connection // Default: "" DebugConnections []string `json:"debug-connections"` + + // DisablePathTypeValidation allows the admin to disable the pathType validation. + // If PathTypeValidation is enabled, the Controller will only allow alphanumeric + // characters on path (0-9, a-z, A-Z, "-", ".", "_", "~", "/") + DisablePathTypeValidation bool `json:"disable-pathtype-validation"` + + // PathAdditionalAllowedChars allows the admin to specify what are the additional + // characters allowed in case of pathType=ImplementationSpecific. + // Case disable-pathtype-validation=true, this characters will be allowed on any path. + // Defaults to: "^%$[](){}*+?" + PathAdditionalAllowedChars string `json:"path-additional-allowed-chars"` } // NewDefault returns the default nginx configuration @@ -817,6 +828,8 @@ func NewDefault() Configuration { ClientHeaderTimeout: 60, ClientBodyBufferSize: "8k", ClientBodyTimeout: 60, + DisablePathTypeValidation: false, + PathAdditionalAllowedChars: "^%$[](){}*+?|", EnableUnderscoresInHeaders: false, ErrorLogLevel: errorLevel, UseForwardedHeaders: false, diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index dab507cdf..5b22fd17a 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -325,6 +325,10 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error { k8s.SetDefaultNGINXPathType(ing) + if err := utilingress.ValidateIngressPath(ing, cfg.DisablePathTypeValidation, cfg.PathAdditionalAllowedChars); err != nil { + return fmt.Errorf("ingress contains invalid characters: %s", err) + } + allIngresses := n.store.ListIngresses() filter := func(toCheck *ingress.Ingress) bool { diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go index 8cca10385..d91760552 100644 --- a/internal/ingress/controller/controller_test.go +++ b/internal/ingress/controller/controller_test.go @@ -201,6 +201,97 @@ func TestCheckIngress(t *testing.T) { }, }, } + + t.Run("when validating pathType", func(t *testing.T) { + t.Run("When ingress contains invalid path and pathType validation is not disabled", func(t *testing.T) { + nginx.store = fakeIngressStore{ + ingresses: []*ingress.Ingress{}, + configuration: ngx_config.Configuration{ + DisablePathTypeValidation: false, + }, + } + nginx.command = testNginxTestCommand{ + t: t, + err: nil, + expected: "", + } + nginx.cfg.IngressClassConfiguration = &ingressclass.IngressClassConfiguration{ + WatchWithoutClass: true, + } + ingPath := &networking.Ingress{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-ingress1", + Namespace: "user-namespace1", + Annotations: map[string]string{ + "kubernetes.io/ingress.class": "nginx", + }, + }, + Spec: networking.IngressSpec{ + Rules: []networking.IngressRule{ + { + Host: "example.com", + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + Path: "/xpto/(a+)", + PathType: &pathTypePrefix, + }, + }, + }, + }, + }, + }, + }, + } + + if nginx.CheckIngress(ingPath) == nil { + t.Errorf("invalid path on pathTypePrefix and validation enabled should return an error") + } + }) + t.Run("When ingress contains invalid path and pathType validation is disabled", func(t *testing.T) { + nginx.store = fakeIngressStore{ + ingresses: []*ingress.Ingress{}, + configuration: ngx_config.Configuration{ + DisablePathTypeValidation: true, + PathAdditionalAllowedChars: "^%$[](){}*+?|", + }, + } + nginx.command = testNginxTestCommand{ + t: t, + err: nil, + expected: "_,example.com", + } + + ingPath := &networking.Ingress{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-ingress2", + Namespace: "user-namespace2", + }, + Spec: networking.IngressSpec{ + Rules: []networking.IngressRule{ + { + Host: "example.com", + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + Path: "/example(/|$)(.*)", + PathType: &pathTypePrefix, + }, + }, + }, + }, + }, + }, + }, + } + + if nginx.CheckIngress(ingPath) != nil { + t.Errorf("invalid path on pathTypePrefix and validation disabled should not return an error: %s", nginx.CheckIngress(ingPath)) + } + }) + }) t.Run("when the class is the nginx one", func(t *testing.T) { ing.ObjectMeta.Annotations["kubernetes.io/ingress.class"] = "nginx" nginx.command = testNginxTestCommand{ diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go index 13af28137..1006858e8 100644 --- a/internal/ingress/controller/store/store.go +++ b/internal/ingress/controller/store/store.go @@ -846,6 +846,11 @@ func (s *k8sStore) syncIngress(ing *networkingv1.Ingress) { copyIng := &networkingv1.Ingress{} ing.ObjectMeta.DeepCopyInto(©Ing.ObjectMeta) + if err := ingressutils.ValidateIngressPath(ing, s.backendConfig.DisablePathTypeValidation, s.backendConfig.PathAdditionalAllowedChars); err != nil { + klog.Errorf("ingress %s contains invalid path and will be skipped: %s", key, err) + return + } + if s.backendConfig.AnnotationValueWordBlocklist != "" { if err := checkBadAnnotationValue(copyIng.Annotations, s.backendConfig.AnnotationValueWordBlocklist); err != nil { klog.Warningf("skipping ingress %s: %s", key, err) @@ -865,10 +870,6 @@ func (s *k8sStore) syncIngress(ing *networkingv1.Ingress) { if path.Path == "" { copyIng.Spec.Rules[ri].HTTP.Paths[pi].Path = "/" } - if !ingressutils.IsSafePath(copyIng, path.Path) { - klog.Warningf("ingress %s contains invalid path %s", key, path.Path) - return - } } } diff --git a/internal/k8s/main.go b/internal/k8s/main.go index e0d2a1660..6973b6cb7 100644 --- a/internal/k8s/main.go +++ b/internal/k8s/main.go @@ -180,9 +180,6 @@ func SetDefaultNGINXPathType(ing *networkingv1.Ingress) { p.PathType = &defaultPathType } - if *p.PathType == networkingv1.PathTypeImplementationSpecific { - p.PathType = &defaultPathType - } } } } diff --git a/pkg/util/ingress/ingress.go b/pkg/util/ingress/ingress.go index 5fb3ee7b9..e16518251 100644 --- a/pkg/util/ingress/ingress.go +++ b/pkg/util/ingress/ingress.go @@ -23,7 +23,6 @@ import ( networkingv1 "k8s.io/api/networking/v1" "k8s.io/apimachinery/pkg/util/sets" - "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/internal/k8s" "k8s.io/ingress-nginx/internal/net/ssl" "k8s.io/ingress-nginx/pkg/apis/ingress" @@ -31,15 +30,15 @@ import ( ) const ( - alphaNumericChars = `\-\.\_\~a-zA-Z0-9/` - regexEnabledChars = `\^\$\[\]\(\)\{\}\*\+` + alphaNumericChars = `A-Za-z0-9\-\.\_\~\/` // This is the default allowed set on paths ) var ( - // pathAlphaNumeric is a regex validation of something like "^/[a-zA-Z]+$" on path - pathAlphaNumeric = regexp.MustCompile("^/[" + alphaNumericChars + "]*$").MatchString - // pathRegexEnabled is a regex validation of paths that may contain regex. - pathRegexEnabled = regexp.MustCompile("^/[" + alphaNumericChars + regexEnabledChars + "]*$").MatchString + // pathAlphaNumeric is a regex validation that allows only (0-9, a-z, A-Z, "-", ".", "_", "~", "/") + pathAlphaNumericRegex = regexp.MustCompile("^[" + alphaNumericChars + "]*$").MatchString + + // default path type is Prefix to not break existing definitions + defaultPathType = networkingv1.PathTypePrefix ) func GetRemovedHosts(rucfg, newcfg *ingress.Configuration) []string { @@ -247,12 +246,45 @@ func BuildRedirects(servers []*ingress.Server) []*redirect { return redirectServers } -// IsSafePath verifies if the path used in ingress object contains only valid characters. -// It will behave differently if regex is enabled or not -func IsSafePath(copyIng *networkingv1.Ingress, path string) bool { - isRegex, _ := parser.GetBoolAnnotation("use-regex", copyIng) - if isRegex { - return pathRegexEnabled(path) +func ValidateIngressPath(copyIng *networkingv1.Ingress, disablePathTypeValidation bool, additionalChars string) error { + + if copyIng == nil { + return nil } - return pathAlphaNumeric(path) + + escapedAdditionalChars := regexp.QuoteMeta(additionalChars) + regexPath, err := regexp.Compile("^[" + alphaNumericChars + escapedAdditionalChars + "]*$") + if err != nil { + return fmt.Errorf("ingress has misconfigured validation regex on configmap: %s - %w", additionalChars, err) + } + + for _, rule := range copyIng.Spec.Rules { + if rule.HTTP == nil { + continue + } + if err := checkPath(rule.HTTP.Paths, disablePathTypeValidation, regexPath); err != nil { + return fmt.Errorf("error validating ingressPath: %w", err) + } + } + return nil +} + +func checkPath(paths []networkingv1.HTTPIngressPath, disablePathTypeValidation bool, regexSpecificChars *regexp.Regexp) error { + for _, path := range paths { + if path.PathType == nil { + path.PathType = &defaultPathType + } + + if disablePathTypeValidation || *path.PathType == networkingv1.PathTypeImplementationSpecific { + if !regexSpecificChars.MatchString(path.Path) { + return fmt.Errorf("path %s of type %s contains invalid characters", path.Path, *path.PathType) + } + continue + } + + if !pathAlphaNumericRegex(path.Path) { + return fmt.Errorf("path %s of type %s contains invalid characters", path.Path, *path.PathType) + } + } + return nil } diff --git a/pkg/util/ingress/ingress_test.go b/pkg/util/ingress/ingress_test.go index d829a57f1..a79da6b6f 100644 --- a/pkg/util/ingress/ingress_test.go +++ b/pkg/util/ingress/ingress_test.go @@ -17,13 +17,10 @@ limitations under the License. package ingress import ( - "fmt" "testing" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - networkingv1 "k8s.io/api/networking/v1" - "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/ingress-nginx/pkg/apis/ingress" ) @@ -136,81 +133,168 @@ func TestIsDynamicConfigurationEnough(t *testing.T) { } } -func generateDumbIngressforPathTest(regexEnabled bool) *networkingv1.Ingress { - var annotations = make(map[string]string) - regexAnnotation := fmt.Sprintf("%s/use-regex", parser.AnnotationsPrefix) - if regexEnabled { - annotations[regexAnnotation] = "true" - } +func generateDumbIngressforPathTest(pathType *networkingv1.PathType, path string) *networkingv1.Ingress { return &networkingv1.Ingress{ ObjectMeta: metav1.ObjectMeta{ - Name: "dumb", - Namespace: "default", - Annotations: annotations, + Name: "dumb", + Namespace: "default", + }, + Spec: networkingv1.IngressSpec{ + Rules: []networkingv1.IngressRule{ + { + Host: "test.com", + IngressRuleValue: networkingv1.IngressRuleValue{ + HTTP: &networkingv1.HTTPIngressRuleValue{ + Paths: []networkingv1.HTTPIngressPath{ + { + PathType: pathType, + Path: path, + }, + }, + }, + }, + }, + }, }, } } -func TestIsSafePath(t *testing.T) { +func generateComplexIngress(ing *networkingv1.Ingress) *networkingv1.Ingress { + + oldRules := ing.Spec.DeepCopy().Rules + ing.Spec.Rules = []networkingv1.IngressRule{ + { + Host: "test1.com", + IngressRuleValue: networkingv1.IngressRuleValue{ + HTTP: &networkingv1.HTTPIngressRuleValue{ + Paths: []networkingv1.HTTPIngressPath{ + { + PathType: &pathTypeExact, + Path: "/xpto", + }, + }, + }, + }, + }, + { + Host: "test2.com", + IngressRuleValue: networkingv1.IngressRuleValue{ + HTTP: &networkingv1.HTTPIngressRuleValue{ + Paths: []networkingv1.HTTPIngressPath{ + { + PathType: &pathTypeExact, + Path: "/someotherpath", + }, + { + PathType: &pathTypePrefix, + Path: "/someprefix/~xpto/lala123", + }, + }, + }, + }, + }, + } + // we want to invert the order to test better :) + ing.Spec.Rules = append(ing.Spec.Rules, oldRules...) + + return ing +} + +var ( + pathTypeExact = networkingv1.PathTypeExact + pathTypePrefix = networkingv1.PathTypePrefix + pathTypeImplSpecific = networkingv1.PathTypeImplementationSpecific +) + +const ( + defaultAdditionalChars = "^%$[](){}*+?" +) + +func TestValidateIngressPath(t *testing.T) { tests := []struct { - name string - copyIng *networkingv1.Ingress - path string - want bool + name string + copyIng *networkingv1.Ingress + disablePathTypeValidation bool + additionalChars string + wantErr bool }{ { - name: "should accept valid path with regex disabled", - want: true, - copyIng: generateDumbIngressforPathTest(false), - path: "/xpto/~user/t-e_st.exe", + name: "should return nil when ingress = nil", + wantErr: false, + copyIng: nil, }, { - name: "should accept valid path / with regex disabled", - want: true, - copyIng: generateDumbIngressforPathTest(false), - path: "/", + name: "should accept valid path on pathType Exact", + wantErr: false, + copyIng: generateDumbIngressforPathTest(&pathTypeExact, "/xpto/~user9/t-e_st.exe"), }, { - name: "should reject invalid path with invalid chars", - want: false, - copyIng: generateDumbIngressforPathTest(false), - path: "/foo/bar/;xpto", + name: "should accept valid path on pathType Prefix", + wantErr: false, + copyIng: generateDumbIngressforPathTest(&pathTypePrefix, "/xpto/~user9/t-e_st.exe"), }, { - name: "should reject regex path when regex is disabled", - want: false, - copyIng: generateDumbIngressforPathTest(false), - path: "/foo/bar/(.+)", + name: "should accept valid simple path on pathType Impl Specific", + wantErr: false, + copyIng: generateDumbIngressforPathTest(&pathTypeImplSpecific, "/xpto/~user9/t-e_st.exe"), }, { - name: "should accept valid path / with regex enabled", - want: true, - copyIng: generateDumbIngressforPathTest(true), - path: "/", + name: "should accept valid path on pathType nil", + wantErr: false, + copyIng: generateDumbIngressforPathTest(nil, "/xpto/~user/t-e_st.exe"), }, { - name: "should accept regex path when regex is enabled", - want: true, - copyIng: generateDumbIngressforPathTest(true), - path: "/foo/bar/(.+)", + name: "should accept empty path", + wantErr: false, + copyIng: generateDumbIngressforPathTest(&pathTypePrefix, ""), }, { - name: "should reject regex path when regex is enabled but the path is invalid", - want: false, - copyIng: generateDumbIngressforPathTest(true), - path: "/foo/bar/;xpto", + name: "should deny path with bad characters and pathType not implementationSpecific", + wantErr: true, + additionalChars: defaultAdditionalChars, + copyIng: generateDumbIngressforPathTest(&pathTypeExact, "/foo/bar/(.+)"), }, { - name: "should reject regex path when regex is enabled but the path is invalid", - want: false, - copyIng: generateDumbIngressforPathTest(true), - path: ";xpto", + name: "should accept path with regex characters and pathType implementationSpecific", + wantErr: false, + additionalChars: defaultAdditionalChars, + copyIng: generateDumbIngressforPathTest(&pathTypeImplSpecific, "/foo/bar/(.+)"), + }, + { + name: "should accept path with regex characters and pathType exact, but pathType validation disabled", + wantErr: false, + additionalChars: defaultAdditionalChars, + disablePathTypeValidation: true, + copyIng: generateDumbIngressforPathTest(&pathTypeImplSpecific, "/foo/bar/(.+)"), + }, + { + name: "should reject path when the allowed additional set does not match", + wantErr: true, + additionalChars: "().?", + disablePathTypeValidation: false, + copyIng: generateDumbIngressforPathTest(&pathTypeImplSpecific, "/foo/bar/(.+)"), + }, + { + name: "should accept path when the allowed additional set does match", + wantErr: false, + additionalChars: "().?", + copyIng: generateDumbIngressforPathTest(&pathTypeImplSpecific, "/foo/bar/(.?)"), + }, + { + name: "should block if at least one path is bad", + wantErr: true, + copyIng: generateComplexIngress(generateDumbIngressforPathTest(&pathTypeExact, "/foo/bar/(.?)")), + }, + { + name: "should block if at least one path is bad", + wantErr: true, + copyIng: generateComplexIngress(generateDumbIngressforPathTest(&pathTypeImplSpecific, "/foo/bar/(.?)")), }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - if got := IsSafePath(tt.copyIng, tt.path); got != tt.want { - t.Errorf("IsSafePath() = %v, want %v", got, tt.want) + if err := ValidateIngressPath(tt.copyIng, tt.disablePathTypeValidation, tt.additionalChars); (err != nil) != tt.wantErr { + t.Errorf("ValidateIngressPath() error = %v, wantErr %v", err, tt.wantErr) } }) } diff --git a/test/e2e/admission/admission.go b/test/e2e/admission/admission.go index bde98fddf..5c037a0c5 100644 --- a/test/e2e/admission/admission.go +++ b/test/e2e/admission/admission.go @@ -30,6 +30,14 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/ingress-nginx/test/e2e/framework" + + networkingv1 "k8s.io/api/networking/v1" +) + +var ( + pathExact = networkingv1.PathTypeExact + pathPrefix = networkingv1.PathTypePrefix + pathImplSpecific = networkingv1.PathTypeImplementationSpecific ) var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() { @@ -152,6 +160,32 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() { assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid annotation value should return an error") }) + ginkgo.It("should reject ingress with bad characters and pathType != ImplementationSpecific", func() { + host := "admission-test" + + firstIngress := framework.NewSingleIngress("first-ingress", "/xpto*", host, f.Namespace, framework.EchoService, 80, nil) + firstIngress.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathPrefix + _, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{}) + assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid path value should return an error") + + secondIngress := framework.NewSingleIngress("second-ingress", "/abc123*", host, f.Namespace, framework.EchoService, 80, nil) + secondIngress.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathImplSpecific + _, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), secondIngress, metav1.CreateOptions{}) + assert.Nil(ginkgo.GinkgoT(), err, "creating an ingress with regex on path and pathType ImplementationSpecific should not return an error") + + }) + + ginkgo.It("should not validate characters on ingress when validation of pathType is disabled", func() { + host := "admission-test" + + f.UpdateNginxConfigMapData("disable-pathtype-validation", "true") + + firstIngress := framework.NewSingleIngress("first-ingress", "/xpto*", host, f.Namespace, framework.EchoService, 80, nil) + firstIngress.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathPrefix + _, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{}) + assert.Nil(ginkgo.GinkgoT(), err, "creating an ingress with regex chars on path and pathType validation disabled should be accepted") + }) + ginkgo.It("should return an error if there is a forbidden value in some annotation", func() { host := "admission-test" diff --git a/test/e2e/annotations/affinity.go b/test/e2e/annotations/affinity.go index 3e1e9e969..31e8905d1 100644 --- a/test/e2e/annotations/affinity.go +++ b/test/e2e/annotations/affinity.go @@ -35,6 +35,8 @@ import ( var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { f := framework.NewDefaultFramework("affinity") + pathImpl := networking.PathTypeImplementationSpecific + ginkgo.BeforeEach(func() { f.NewEchoDeployment(framework.WithDeploymentReplicas(2)) }) @@ -276,6 +278,8 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { annotations["nginx.ingress.kubernetes.io/session-cookie-path"] = "/foo/bar" ing := framework.NewSingleIngress(host, "/foo/.*", host, f.Namespace, framework.EchoService, 80, annotations) + ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathImpl + f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -299,6 +303,8 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { annotations["nginx.ingress.kubernetes.io/use-regex"] = "true" ing := framework.NewSingleIngress(host, "/foo/.*", host, f.Namespace, framework.EchoService, 80, annotations) + ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathImpl + f.EnsureIngress(ing) f.WaitForNginxServer(host, diff --git a/test/e2e/annotations/rewrite.go b/test/e2e/annotations/rewrite.go index 79738b984..0c426a8df 100644 --- a/test/e2e/annotations/rewrite.go +++ b/test/e2e/annotations/rewrite.go @@ -24,12 +24,15 @@ import ( "github.com/onsi/ginkgo/v2" "github.com/stretchr/testify/assert" + networking "k8s.io/api/networking/v1" "k8s.io/ingress-nginx/test/e2e/framework" ) var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-log", func() { f := framework.NewDefaultFramework("rewrite") + pathImpl := networking.PathTypeImplementationSpecific + ginkgo.BeforeEach(func() { f.NewEchoDeployment() }) @@ -126,6 +129,7 @@ var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-lo "nginx.ingress.kubernetes.io/rewrite-target": "/new/backend", } ing = framework.NewSingleIngress("regex", "/foo.+", host, f.Namespace, framework.EchoService, 80, annotations) + ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathImpl f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -168,6 +172,8 @@ var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-lo "nginx.ingress.kubernetes.io/rewrite-target": "/new/backend", } ing = framework.NewSingleIngress("regex", "/foo/bar/[a-z]{3}", host, f.Namespace, framework.EchoService, 80, annotations) + ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathImpl + f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -196,6 +202,8 @@ var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-lo "nginx.ingress.kubernetes.io/rewrite-target": "/new/backend/$1", } ing := framework.NewSingleIngress("regex", "/foo/bar/(.+)", host, f.Namespace, framework.EchoService, 80, annotations) + ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathImpl + f.EnsureIngress(ing) f.WaitForNginxServer(host, diff --git a/test/e2e/security/invalid_paths.go b/test/e2e/security/invalid_paths.go deleted file mode 100644 index d75aefc2c..000000000 --- a/test/e2e/security/invalid_paths.go +++ /dev/null @@ -1,134 +0,0 @@ -/* -Copyright 2022 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package security - -import ( - "fmt" - "net/http" - "strings" - - "github.com/onsi/ginkgo/v2" - - "k8s.io/ingress-nginx/test/e2e/framework" -) - -const ( - validPath = "/xpto/~user/t-e_st.exe" - invalidPath = "/foo/bar/;xpto" - regexPath = "/foo/bar/(.+)" - host = "securitytest.com" -) - -var ( - annotationRegex = map[string]string{ - "nginx.ingress.kubernetes.io/use-regex": "true", - } -) - -var _ = framework.IngressNginxDescribe("[Security] validate path fields", func() { - f := framework.NewDefaultFramework("validate-path") - - ginkgo.BeforeEach(func() { - f.NewEchoDeployment() - }) - - ginkgo.It("should accept an ingress with valid path", func() { - - ing := framework.NewSingleIngress(host, validPath, host, f.Namespace, framework.EchoService, 80, nil) - - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) - }) - - f.HTTPTestClient(). - GET(validPath). - WithHeader("Host", host). - Expect(). - Status(http.StatusOK) - }) - - ginkgo.It("should drop an ingress with invalid path", func() { - - ing := framework.NewSingleIngress(host, invalidPath, host, f.Namespace, framework.EchoService, 80, nil) - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) - }) - - f.HTTPTestClient(). - GET(invalidPath). - WithHeader("Host", host). - Expect(). - Status(http.StatusNotFound) - }) - - ginkgo.It("should drop an ingress with regex path and regex disabled", func() { - - ing := framework.NewSingleIngress(host, regexPath, host, f.Namespace, framework.EchoService, 80, nil) - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) - }) - - f.HTTPTestClient(). - GET("/foo/bar/lalala"). - WithHeader("Host", host). - Expect(). - Status(http.StatusNotFound) - }) - - ginkgo.It("should accept an ingress with regex path and regex enabled", func() { - - ing := framework.NewSingleIngress(host, regexPath, host, f.Namespace, framework.EchoService, 80, annotationRegex) - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) - }) - - f.HTTPTestClient(). - GET("/foo/bar/lalala"). - WithHeader("Host", host). - Expect(). - Status(http.StatusOK) - }) - - ginkgo.It("should reject an ingress with invalid path and regex enabled", func() { - - ing := framework.NewSingleIngress(host, invalidPath, host, f.Namespace, framework.EchoService, 80, annotationRegex) - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) - }) - - f.HTTPTestClient(). - GET(invalidPath). - WithHeader("Host", host). - Expect(). - Status(http.StatusNotFound) - }) -}) From fe2e713f424a01b2261d79f461cd0f71e0e38047 Mon Sep 17 00:00:00 2001 From: Ismayil Mirzali Date: Wed, 18 Jan 2023 15:10:34 +0200 Subject: [PATCH 123/405] Bump `client-go` to remove dependence on go-autorest dependency (#9488) * deps: bump k8s dependencies to remove go-autorest * fix: update use of apiv1.LoadBalancerIngress Due to changes in the Kubernetes API, we needed to switch to using v1.IngressLoadBalancerIngress instead of apiv1.LoadBalancerIngress. The struct is otherwise identical despite the name change. * fix ingress status test cases Signed-off-by: Jintao Zhang Signed-off-by: Ismayil Mirzali Signed-off-by: Jintao Zhang Signed-off-by: Ismayil Mirzali Co-authored-by: Jintao Zhang --- go.mod | 35 ++++----- go.sum | 83 +++++++-------------- internal/ingress/status/status.go | 45 ++++++------ internal/ingress/status/status_test.go | 99 +++++++++++++------------- test/e2e/status/update.go | 8 +-- 5 files changed, 114 insertions(+), 156 deletions(-) diff --git a/go.mod b/go.mod index 2daf8e667..780cac648 100644 --- a/go.mod +++ b/go.mod @@ -30,14 +30,14 @@ require ( google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 - k8s.io/api v0.25.4 - k8s.io/apiextensions-apiserver v0.25.0 - k8s.io/apimachinery v0.25.4 - k8s.io/apiserver v0.25.0 - k8s.io/cli-runtime v0.25.0 - k8s.io/client-go v0.25.4 - k8s.io/code-generator v0.25.0 - k8s.io/component-base v0.25.4 + k8s.io/api v0.26.0 + k8s.io/apiextensions-apiserver v0.26.0 + k8s.io/apimachinery v0.26.0 + k8s.io/apiserver v0.26.0 + k8s.io/cli-runtime v0.26.0 + k8s.io/client-go v0.26.0 + k8s.io/code-generator v0.26.0 + k8s.io/component-base v0.26.0 k8s.io/klog/v2 v2.80.1 pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 sigs.k8s.io/controller-runtime v0.13.1 @@ -45,17 +45,7 @@ require ( ) require ( - cloud.google.com/go/compute v1.12.1 // indirect - cloud.google.com/go/compute/metadata v0.2.1 // indirect - github.com/Azure/go-autorest v14.2.0+incompatible // indirect - github.com/Azure/go-autorest/autorest v0.11.27 // indirect - github.com/Azure/go-autorest/autorest/adal v0.9.20 // indirect - github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect - github.com/Azure/go-autorest/logger v0.2.1 // indirect - github.com/Azure/go-autorest/tracing v0.6.0 // indirect github.com/BurntSushi/toml v1.0.0 // indirect - github.com/PuerkitoBio/purell v1.1.1 // indirect - github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect github.com/cespare/xxhash/v2 v2.1.2 // indirect @@ -70,11 +60,10 @@ require ( github.com/go-errors/errors v1.0.1 // indirect github.com/go-logr/logr v1.2.3 // indirect github.com/go-openapi/jsonpointer v0.19.5 // indirect - github.com/go-openapi/jsonreference v0.19.5 // indirect + github.com/go-openapi/jsonreference v0.20.0 // indirect github.com/go-openapi/swag v0.19.14 // indirect github.com/godbus/dbus/v5 v5.0.6 // indirect github.com/gogo/protobuf v1.3.2 // indirect - github.com/golang-jwt/jwt/v4 v4.2.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.2 // indirect github.com/gomarkdown/markdown v0.0.0-20210514010506-3b9f47219fe7 // indirect @@ -123,9 +112,9 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/gengo v0.0.0-20211129171323-c02415ce4185 // indirect - k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect - k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect + k8s.io/gengo v0.0.0-20220902162205-c0856e24416d // indirect + k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect + k8s.io/utils v0.0.0-20221107191617-1a15be271d1d // indirect sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect sigs.k8s.io/kustomize/api v0.12.1 // indirect sigs.k8s.io/kustomize/kyaml v0.13.9 // indirect diff --git a/go.sum b/go.sum index 84a8bb106..f03756bab 100644 --- a/go.sum +++ b/go.sum @@ -19,10 +19,6 @@ cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvf cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= -cloud.google.com/go/compute v1.12.1 h1:gKVJMEyqV5c/UnpzjjQbo3Rjvvqpr9B1DFSbJC4OXr0= -cloud.google.com/go/compute v1.12.1/go.mod h1:e8yNOBcBONZU1vJKCvCoDw/4JQsA0dpM4x/6PIIOocU= -cloud.google.com/go/compute/metadata v0.2.1 h1:efOwf5ymceDhK6PKMnnrTHP4pppY5L22mle96M1yP48= -cloud.google.com/go/compute/metadata v0.2.1/go.mod h1:jgHgmJd2RKBGzXqF5LR2EZMGxBkeanZ9wwa75XHJgOM= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= @@ -35,30 +31,10 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= -github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= -github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= -github.com/Azure/go-autorest/autorest v0.11.27 h1:F3R3q42aWytozkV8ihzcgMO4OA4cuqr3bNlsEuF6//A= -github.com/Azure/go-autorest/autorest v0.11.27/go.mod h1:7l8ybrIdUmGqZMTD0sRtAr8NvbHjfofbf8RSP2q7w7U= -github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= -github.com/Azure/go-autorest/autorest/adal v0.9.20 h1:gJ3E98kMpFB1MFqQCvA1yFab8vthOeD4VlFRQULxahg= -github.com/Azure/go-autorest/autorest/adal v0.9.20/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= -github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw= -github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= -github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= -github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw= -github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU= -github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg= -github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= -github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= -github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.0.0 h1:dtDWrepsVPfW9H/4y7dDgFc2MBUSeJhlaDtK13CxFlU= github.com/BurntSushi/toml v1.0.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI= -github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M= -github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= @@ -126,7 +102,6 @@ github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vb github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= -github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0= @@ -135,8 +110,8 @@ github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A= github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY= github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonreference v0.19.5 h1:1WJP/wi4OjB4iV8KVbH73rQaoialJrqv8gitZLxGLtM= -github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg= +github.com/go-openapi/jsonreference v0.20.0 h1:MYlu0sBgChmCfJxxUKZ8g1cPWFOB37YSZqewK7OKeyA= +github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo= github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng= github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= @@ -147,9 +122,6 @@ github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5x github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= -github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU= -github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= @@ -362,7 +334,6 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= -github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA= github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= @@ -421,8 +392,6 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.5.0 h1:U/0M97KRkSFvyD/3FSmdP5W5swImpNgle/EHFhOsQPE= golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= @@ -471,7 +440,6 @@ golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= @@ -490,7 +458,6 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.5.0 h1:GyT4nK/YDHSqa1c4753ouYCDajOYKTja9Xb/OHtgvSw= golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= @@ -511,7 +478,6 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -750,32 +716,31 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.25.4 h1:3YO8J4RtmG7elEgaWMb4HgmpS2CfY1QlaOz9nwB+ZSs= -k8s.io/api v0.25.4/go.mod h1:IG2+RzyPQLllQxnhzD8KQNEu4c4YvyDTpSMztf4A0OQ= -k8s.io/apiextensions-apiserver v0.25.0 h1:CJ9zlyXAbq0FIW8CD7HHyozCMBpDSiH7EdrSTCZcZFY= -k8s.io/apiextensions-apiserver v0.25.0/go.mod h1:3pAjZiN4zw7R8aZC5gR0y3/vCkGlAjCazcg1me8iB/E= -k8s.io/apimachinery v0.25.4 h1:CtXsuaitMESSu339tfhVXhQrPET+EiWnIY1rcurKnAc= -k8s.io/apimachinery v0.25.4/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo= -k8s.io/apiserver v0.25.0 h1:8kl2ifbNffD440MyvHtPaIz1mw4mGKVgWqM0nL+oyu4= -k8s.io/apiserver v0.25.0/go.mod h1:BKwsE+PTC+aZK+6OJQDPr0v6uS91/HWxX7evElAH6xo= -k8s.io/cli-runtime v0.25.0 h1:XBnTc2Fi+w818jcJGzhiJKQuXl8479sZ4FhtV5hVJ1Q= -k8s.io/cli-runtime v0.25.0/go.mod h1:bHOI5ZZInRHhbq12OdUiYZQN8ml8aKZLwQgt9QlLINw= -k8s.io/client-go v0.25.4 h1:3RNRDffAkNU56M/a7gUfXaEzdhZlYhoW8dgViGy5fn8= -k8s.io/client-go v0.25.4/go.mod h1:8trHCAC83XKY0wsBIpbirZU4NTUpbuhc2JnI7OruGZw= -k8s.io/code-generator v0.25.0 h1:QP8fJuXu882ztf6dsqJsso/Btm94pMd68TAZC1rE6KI= -k8s.io/code-generator v0.25.0/go.mod h1:B6jZgI3DvDFAualltPitbYMQ74NjaCFxum3YeKZZ+3w= -k8s.io/component-base v0.25.4 h1:n1bjg9Yt+G1C0WnIDJmg2fo6wbEU1UGMRiQSjmj7hNQ= -k8s.io/component-base v0.25.4/go.mod h1:nnZJU8OP13PJEm6/p5V2ztgX2oyteIaAGKGMYb2L2cY= -k8s.io/gengo v0.0.0-20211129171323-c02415ce4185 h1:TT1WdmqqXareKxZ/oNXEUSwKlLiHzPMyB0t8BaFeBYI= -k8s.io/gengo v0.0.0-20211129171323-c02415ce4185/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= -k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= +k8s.io/api v0.26.0 h1:IpPlZnxBpV1xl7TGk/X6lFtpgjgntCg8PJ+qrPHAC7I= +k8s.io/api v0.26.0/go.mod h1:k6HDTaIFC8yn1i6pSClSqIwLABIcLV9l5Q4EcngKnQg= +k8s.io/apiextensions-apiserver v0.26.0 h1:Gy93Xo1eg2ZIkNX/8vy5xviVSxwQulsnUdQ00nEdpDo= +k8s.io/apiextensions-apiserver v0.26.0/go.mod h1:7ez0LTiyW5nq3vADtK6C3kMESxadD51Bh6uz3JOlqWQ= +k8s.io/apimachinery v0.26.0 h1:1feANjElT7MvPqp0JT6F3Ss6TWDwmcjLypwoPpEf7zg= +k8s.io/apimachinery v0.26.0/go.mod h1:tnPmbONNJ7ByJNz9+n9kMjNP8ON+1qoAIIC70lztu74= +k8s.io/apiserver v0.26.0 h1:q+LqIK5EZwdznGZb8bq0+a+vCqdeEEe4Ux3zsOjbc4o= +k8s.io/apiserver v0.26.0/go.mod h1:aWhlLD+mU+xRo+zhkvP/gFNbShI4wBDHS33o0+JGI84= +k8s.io/cli-runtime v0.26.0 h1:aQHa1SyUhpqxAw1fY21x2z2OS5RLtMJOCj7tN4oq8mw= +k8s.io/cli-runtime v0.26.0/go.mod h1:o+4KmwHzO/UK0wepE1qpRk6l3o60/txUZ1fEXWGIKTY= +k8s.io/client-go v0.26.0 h1:lT1D3OfO+wIi9UFolCrifbjUUgu7CpLca0AD8ghRLI8= +k8s.io/client-go v0.26.0/go.mod h1:I2Sh57A79EQsDmn7F7ASpmru1cceh3ocVT9KlX2jEZg= +k8s.io/code-generator v0.26.0 h1:ZDY+7Gic9p/lACgD1G72gQg2CvNGeAYZTPIncv+iALM= +k8s.io/code-generator v0.26.0/go.mod h1:OMoJ5Dqx1wgaQzKgc+ZWaZPfGjdRq/Y3WubFrZmeI3I= +k8s.io/component-base v0.26.0 h1:0IkChOCohtDHttmKuz+EP3j3+qKmV55rM9gIFTXA7Vs= +k8s.io/component-base v0.26.0/go.mod h1:lqHwlfV1/haa14F/Z5Zizk5QmzaVf23nQzCwVOQpfC8= +k8s.io/gengo v0.0.0-20220902162205-c0856e24416d h1:U9tB195lKdzwqicbJvyJeOXV7Klv+wNAWENRnXEGi08= +k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4= k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 h1:MQ8BAZPZlWk3S9K4a9NCkIFQtZShWqoha7snGixVgEA= -k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU= -k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed h1:jAne/RjBTyawwAy0utX5eqigAwz/lQhTmy+Hr/Cpue4= -k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E= +k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= +k8s.io/utils v0.0.0-20221107191617-1a15be271d1d h1:0Smp/HP1OH4Rvhe+4B8nWGERtlqAGSftbSbbmm45oFs= +k8s.io/utils v0.0.0-20221107191617-1a15be271d1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 h1:SAElp8THCfmBdM+4lmWX5gebiSSkEr7PAYDVF91qpfg= pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732/go.mod h1:lpvCfhqEHNJSSpG5R5A2EgsVzG8RTt4RfPoQuRAcDmg= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= diff --git a/internal/ingress/status/status.go b/internal/ingress/status/status.go index 2e53682a0..eac1f6cb0 100644 --- a/internal/ingress/status/status.go +++ b/internal/ingress/status/status.go @@ -19,6 +19,7 @@ package status import ( "context" "fmt" + v1 "k8s.io/api/networking/v1" "net" "regexp" "sort" @@ -128,7 +129,7 @@ func (s statusSync) Shutdown() { } klog.InfoS("removing value from ingress status", "address", addrs) - s.updateStatus([]apiv1.LoadBalancerIngress{}) + s.updateStatus([]v1.IngressLoadBalancerIngress{}) } func (s *statusSync) sync(key interface{}) error { @@ -160,21 +161,21 @@ func NewStatusSyncer(config Config) Syncer { return st } -func nameOrIPToLoadBalancerIngress(nameOrIP string) apiv1.LoadBalancerIngress { +func nameOrIPToLoadBalancerIngress(nameOrIP string) v1.IngressLoadBalancerIngress { if net.ParseIP(nameOrIP) != nil { - return apiv1.LoadBalancerIngress{IP: nameOrIP} + return v1.IngressLoadBalancerIngress{IP: nameOrIP} } - return apiv1.LoadBalancerIngress{Hostname: nameOrIP} + return v1.IngressLoadBalancerIngress{Hostname: nameOrIP} } // runningAddresses returns a list of IP addresses and/or FQDN where the // ingress controller is currently running -func (s *statusSync) runningAddresses() ([]apiv1.LoadBalancerIngress, error) { +func (s *statusSync) runningAddresses() ([]v1.IngressLoadBalancerIngress, error) { if s.PublishStatusAddress != "" { re := regexp.MustCompile(`,\s*`) multipleAddrs := re.Split(s.PublishStatusAddress, -1) - addrs := make([]apiv1.LoadBalancerIngress, len(multipleAddrs)) + addrs := make([]v1.IngressLoadBalancerIngress, len(multipleAddrs)) for i, addr := range multipleAddrs { addrs[i] = nameOrIPToLoadBalancerIngress(addr) } @@ -193,7 +194,7 @@ func (s *statusSync) runningAddresses() ([]apiv1.LoadBalancerIngress, error) { return nil, err } - addrs := make([]apiv1.LoadBalancerIngress, 0) + addrs := make([]v1.IngressLoadBalancerIngress, 0) for i := range pods.Items { pod := pods.Items[i] // only Running pods are valid @@ -250,7 +251,7 @@ func (s *statusSync) isRunningMultiplePods() bool { // standardizeLoadBalancerIngresses sorts the list of loadbalancer by // IP -func standardizeLoadBalancerIngresses(lbi []apiv1.LoadBalancerIngress) []apiv1.LoadBalancerIngress { +func standardizeLoadBalancerIngresses(lbi []v1.IngressLoadBalancerIngress) []v1.IngressLoadBalancerIngress { sort.SliceStable(lbi, func(a, b int) bool { return lbi[a].IP < lbi[b].IP }) @@ -259,7 +260,7 @@ func standardizeLoadBalancerIngresses(lbi []apiv1.LoadBalancerIngress) []apiv1.L } // updateStatus changes the status information of Ingress rules -func (s *statusSync) updateStatus(newIngressPoint []apiv1.LoadBalancerIngress) { +func (s *statusSync) updateStatus(newIngressPoint []v1.IngressLoadBalancerIngress) { ings := s.IngressLister.ListIngresses() p := pool.NewLimited(10) @@ -283,7 +284,7 @@ func (s *statusSync) updateStatus(newIngressPoint []apiv1.LoadBalancerIngress) { batch.WaitAll() } -func runUpdate(ing *ingress.Ingress, status []apiv1.LoadBalancerIngress, +func runUpdate(ing *ingress.Ingress, status []v1.IngressLoadBalancerIngress, client clientset.Interface) pool.WorkFunc { return func(wu pool.WorkUnit) (interface{}, error) { if wu.IsCancelled() { @@ -307,7 +308,7 @@ func runUpdate(ing *ingress.Ingress, status []apiv1.LoadBalancerIngress, } } -func lessLoadBalancerIngress(addrs []apiv1.LoadBalancerIngress) func(int, int) bool { +func lessLoadBalancerIngress(addrs []v1.IngressLoadBalancerIngress) func(int, int) bool { return func(a, b int) bool { switch strings.Compare(addrs[a].Hostname, addrs[b].Hostname) { case -1: @@ -319,7 +320,7 @@ func lessLoadBalancerIngress(addrs []apiv1.LoadBalancerIngress) func(int, int) b } } -func ingressSliceEqual(lhs, rhs []apiv1.LoadBalancerIngress) bool { +func ingressSliceEqual(lhs, rhs []v1.IngressLoadBalancerIngress) bool { if len(lhs) != len(rhs) { return false } @@ -336,7 +337,7 @@ func ingressSliceEqual(lhs, rhs []apiv1.LoadBalancerIngress) bool { return true } -func statusAddressFromService(service string, kubeClient clientset.Interface) ([]apiv1.LoadBalancerIngress, error) { +func statusAddressFromService(service string, kubeClient clientset.Interface) ([]v1.IngressLoadBalancerIngress, error) { ns, name, _ := k8s.ParseNameNS(service) svc, err := kubeClient.CoreV1().Services(ns).Get(context.TODO(), name, metav1.GetOptions{}) if err != nil { @@ -345,28 +346,28 @@ func statusAddressFromService(service string, kubeClient clientset.Interface) ([ switch svc.Spec.Type { case apiv1.ServiceTypeExternalName: - return []apiv1.LoadBalancerIngress{{ + return []v1.IngressLoadBalancerIngress{{ Hostname: svc.Spec.ExternalName, }}, nil case apiv1.ServiceTypeClusterIP: - return []apiv1.LoadBalancerIngress{{ + return []v1.IngressLoadBalancerIngress{{ IP: svc.Spec.ClusterIP, }}, nil case apiv1.ServiceTypeNodePort: if svc.Spec.ExternalIPs == nil { - return []apiv1.LoadBalancerIngress{{ + return []v1.IngressLoadBalancerIngress{{ IP: svc.Spec.ClusterIP, }}, nil } - addrs := make([]apiv1.LoadBalancerIngress, len(svc.Spec.ExternalIPs)) + addrs := make([]v1.IngressLoadBalancerIngress, len(svc.Spec.ExternalIPs)) for i, ip := range svc.Spec.ExternalIPs { - addrs[i] = apiv1.LoadBalancerIngress{IP: ip} + addrs[i] = v1.IngressLoadBalancerIngress{IP: ip} } return addrs, nil case apiv1.ServiceTypeLoadBalancer: - addrs := make([]apiv1.LoadBalancerIngress, len(svc.Status.LoadBalancer.Ingress)) + addrs := make([]v1.IngressLoadBalancerIngress, len(svc.Status.LoadBalancer.Ingress)) for i, ingress := range svc.Status.LoadBalancer.Ingress { - addrs[i] = apiv1.LoadBalancerIngress{} + addrs[i] = v1.IngressLoadBalancerIngress{} if ingress.Hostname != "" { addrs[i].Hostname = ingress.Hostname } @@ -376,7 +377,7 @@ func statusAddressFromService(service string, kubeClient clientset.Interface) ([ } for _, ip := range svc.Spec.ExternalIPs { if !stringInIngresses(ip, addrs) { - addrs = append(addrs, apiv1.LoadBalancerIngress{IP: ip}) + addrs = append(addrs, v1.IngressLoadBalancerIngress{IP: ip}) } } return addrs, nil @@ -386,7 +387,7 @@ func statusAddressFromService(service string, kubeClient clientset.Interface) ([ } // stringInSlice returns true if s is in list -func stringInIngresses(s string, list []apiv1.LoadBalancerIngress) bool { +func stringInIngresses(s string, list []v1.IngressLoadBalancerIngress) bool { for _, v := range list { if v.IP == s || v.Hostname == s { return true diff --git a/internal/ingress/status/status_test.go b/internal/ingress/status/status_test.go index d4ef09e7c..3dd56f37d 100644 --- a/internal/ingress/status/status_test.go +++ b/internal/ingress/status/status_test.go @@ -34,8 +34,8 @@ import ( "k8s.io/ingress-nginx/pkg/apis/ingress" ) -func buildLoadBalancerIngressByIP() []apiv1.LoadBalancerIngress { - return []apiv1.LoadBalancerIngress{ +func buildLoadBalancerIngressByIP() []networking.IngressLoadBalancerIngress { + return []networking.IngressLoadBalancerIngress{ { IP: "10.0.0.1", Hostname: "foo1", @@ -123,17 +123,20 @@ func buildSimpleClientSet() *testclient.Clientset { }, }}, &apiv1.ServiceList{Items: []apiv1.Service{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: "foo", - Namespace: apiv1.NamespaceDefault, - }, - Status: apiv1.ServiceStatus{ - LoadBalancer: apiv1.LoadBalancerStatus{ - Ingress: buildLoadBalancerIngressByIP(), - }, - }, - }, + // This is commented out as the ServiceStatus.LoadBalancer field expects a LoadBalancerStatus object + // which is incompatible with the current Ingress struct which expects a IngressLoadBalancerStatus object + // TODO: update this service when the ServiceStatus struct gets updated + //{ + // ObjectMeta: metav1.ObjectMeta{ + // Name: "foo", + // Namespace: apiv1.NamespaceDefault, + // }, + // Status: apiv1.ServiceStatus{ + // LoadBalancer: apiv1.LoadBalancerStatus{ + // Ingress: buildLoadBalancerIngressByIP(), + // }, + // }, + //}, { ObjectMeta: metav1.ObjectMeta{ Name: "foo_non_exist", @@ -199,8 +202,8 @@ func buildExtensionsIngresses() []networking.Ingress { Namespace: apiv1.NamespaceDefault, }, Status: networking.IngressStatus{ - LoadBalancer: apiv1.LoadBalancerStatus{ - Ingress: []apiv1.LoadBalancerIngress{ + LoadBalancer: networking.IngressLoadBalancerStatus{ + Ingress: []networking.IngressLoadBalancerIngress{ { IP: "10.0.0.1", Hostname: "foo1", @@ -218,8 +221,8 @@ func buildExtensionsIngresses() []networking.Ingress { }, }, Status: networking.IngressStatus{ - LoadBalancer: apiv1.LoadBalancerStatus{ - Ingress: []apiv1.LoadBalancerIngress{ + LoadBalancer: networking.IngressLoadBalancerStatus{ + Ingress: []networking.IngressLoadBalancerIngress{ { IP: "0.0.0.0", Hostname: "foo.bar.com", @@ -234,8 +237,8 @@ func buildExtensionsIngresses() []networking.Ingress { Namespace: apiv1.NamespaceDefault, }, Status: networking.IngressStatus{ - LoadBalancer: apiv1.LoadBalancerStatus{ - Ingress: []apiv1.LoadBalancerIngress{}, + LoadBalancer: networking.IngressLoadBalancerStatus{ + Ingress: []networking.IngressLoadBalancerIngress{}, }, }, }, @@ -261,7 +264,7 @@ func (til *testIngressLister) ListIngresses() []*ingress.Ingress { Namespace: apiv1.NamespaceDefault, }, Status: networking.IngressStatus{ - LoadBalancer: apiv1.LoadBalancerStatus{ + LoadBalancer: networking.IngressLoadBalancerStatus{ Ingress: buildLoadBalancerIngressByIP(), }, }, @@ -325,7 +328,7 @@ func TestStatusActions(t *testing.T) { fk.sync("just-test") // PublishService is empty, so the running address is: ["11.0.0.2"] // after updated, the ingress's ip should only be "11.0.0.2" - newIPs := []apiv1.LoadBalancerIngress{{ + newIPs := []networking.IngressLoadBalancerIngress{{ IP: "11.0.0.2", }} fooIngress1, err1 := fk.Client.NetworkingV1().Ingresses(apiv1.NamespaceDefault).Get(context.TODO(), "foo_ingress_1", metav1.GetOptions{}) @@ -342,7 +345,7 @@ func TestStatusActions(t *testing.T) { // execute shutdown fk.Shutdown() // ingress should be empty - newIPs2 := []apiv1.LoadBalancerIngress{} + var newIPs2 []networking.IngressLoadBalancerIngress fooIngress2, err2 := fk.Client.NetworkingV1().Ingresses(apiv1.NamespaceDefault).Get(context.TODO(), "foo_ingress_1", metav1.GetOptions{}) if err2 != nil { t.Fatalf("unexpected error") @@ -382,7 +385,7 @@ func TestKeyfunc(t *testing.T) { func TestRunningAddressesWithPublishService(t *testing.T) { testCases := map[string]struct { fakeClient *testclient.Clientset - expected []apiv1.LoadBalancerIngress + expected []networking.IngressLoadBalancerIngress errExpected bool }{ "service type ClusterIP": { @@ -416,7 +419,7 @@ func TestRunningAddressesWithPublishService(t *testing.T) { }, }, ), - []apiv1.LoadBalancerIngress{ + []networking.IngressLoadBalancerIngress{ {IP: "1.1.1.1"}, }, false, @@ -437,7 +440,7 @@ func TestRunningAddressesWithPublishService(t *testing.T) { }, }, ), - []apiv1.LoadBalancerIngress{ + []networking.IngressLoadBalancerIngress{ {IP: "1.1.1.1"}, }, false, @@ -458,7 +461,7 @@ func TestRunningAddressesWithPublishService(t *testing.T) { }, }, ), - []apiv1.LoadBalancerIngress{ + []networking.IngressLoadBalancerIngress{ {Hostname: "foo.bar"}, }, false, @@ -495,7 +498,7 @@ func TestRunningAddressesWithPublishService(t *testing.T) { }, }, ), - []apiv1.LoadBalancerIngress{ + []networking.IngressLoadBalancerIngress{ {IP: "10.0.0.1"}, {Hostname: "foo"}, { @@ -530,7 +533,7 @@ func TestRunningAddressesWithPublishService(t *testing.T) { }, }, ), - []apiv1.LoadBalancerIngress{ + []networking.IngressLoadBalancerIngress{ {IP: "10.0.0.1"}, }, false, @@ -568,7 +571,7 @@ func TestRunningAddressesWithPublishService(t *testing.T) { } if ra == nil { - t.Fatalf("returned nil but expected valid []apiv1.LoadBalancerIngress") + t.Fatalf("returned nil but expected valid []networking.IngressLoadBalancerIngress") } if !reflect.DeepEqual(tc.expected, ra) { @@ -584,7 +587,7 @@ func TestRunningAddressesWithPods(t *testing.T) { r, _ := fk.runningAddresses() if r == nil { - t.Fatalf("returned nil but expected valid []apiv1.LoadBalancerIngress") + t.Fatalf("returned nil but expected valid []networking.IngressLoadBalancerIngress") } rl := len(r) if len(r) != 1 { @@ -592,7 +595,7 @@ func TestRunningAddressesWithPods(t *testing.T) { } rv := r[0] if rv.IP != "11.0.0.2" { - t.Errorf("returned %v but expected %v", rv, apiv1.LoadBalancerIngress{IP: "11.0.0.2"}) + t.Errorf("returned %v but expected %v", rv, networking.IngressLoadBalancerIngress{IP: "11.0.0.2"}) } } @@ -602,7 +605,7 @@ func TestRunningAddressesWithPublishStatusAddress(t *testing.T) { ra, _ := fk.runningAddresses() if ra == nil { - t.Fatalf("returned nil but expected valid []apiv1.LoadBalancerIngress") + t.Fatalf("returned nil but expected valid []networking.IngressLoadBalancerIngress") } rl := len(ra) if len(ra) != 1 { @@ -610,7 +613,7 @@ func TestRunningAddressesWithPublishStatusAddress(t *testing.T) { } rv := ra[0] if rv.IP != "127.0.0.1" { - t.Errorf("returned %v but expected %v", rv, apiv1.LoadBalancerIngress{IP: "127.0.0.1"}) + t.Errorf("returned %v but expected %v", rv, networking.IngressLoadBalancerIngress{IP: "127.0.0.1"}) } } @@ -620,7 +623,7 @@ func TestRunningAddressesWithPublishStatusAddresses(t *testing.T) { ra, _ := fk.runningAddresses() if ra == nil { - t.Fatalf("returned nil but expected valid []apiv1.LoadBalancerIngress") + t.Fatalf("returned nil but expected valid []networking.IngressLoadBalancerIngress") } rl := len(ra) if len(ra) != 2 { @@ -629,10 +632,10 @@ func TestRunningAddressesWithPublishStatusAddresses(t *testing.T) { rv := ra[0] rv2 := ra[1] if rv.IP != "127.0.0.1" { - t.Errorf("returned %v but expected %v", rv, apiv1.LoadBalancerIngress{IP: "127.0.0.1"}) + t.Errorf("returned %v but expected %v", rv, networking.IngressLoadBalancerIngress{IP: "127.0.0.1"}) } if rv2.IP != "1.1.1.1" { - t.Errorf("returned %v but expected %v", rv2, apiv1.LoadBalancerIngress{IP: "1.1.1.1"}) + t.Errorf("returned %v but expected %v", rv2, networking.IngressLoadBalancerIngress{IP: "1.1.1.1"}) } } @@ -642,7 +645,7 @@ func TestRunningAddressesWithPublishStatusAddressesAndSpaces(t *testing.T) { ra, _ := fk.runningAddresses() if ra == nil { - t.Fatalf("returned nil but expected valid []apiv1.LoadBalancerIngresst") + t.Fatalf("returned nil but expected valid []networking.IngressLoadBalancerIngresst") } rl := len(ra) if len(ra) != 2 { @@ -651,15 +654,15 @@ func TestRunningAddressesWithPublishStatusAddressesAndSpaces(t *testing.T) { rv := ra[0] rv2 := ra[1] if rv.IP != "127.0.0.1" { - t.Errorf("returned %v but expected %v", rv, apiv1.LoadBalancerIngress{IP: "127.0.0.1"}) + t.Errorf("returned %v but expected %v", rv, networking.IngressLoadBalancerIngress{IP: "127.0.0.1"}) } if rv2.IP != "1.1.1.1" { - t.Errorf("returned %v but expected %v", rv2, apiv1.LoadBalancerIngress{IP: "1.1.1.1"}) + t.Errorf("returned %v but expected %v", rv2, networking.IngressLoadBalancerIngress{IP: "1.1.1.1"}) } } func TestStandardizeLoadBalancerIngresses(t *testing.T) { - fkEndpoints := []apiv1.LoadBalancerIngress{ + fkEndpoints := []networking.IngressLoadBalancerIngress{ {IP: "2001:db8::68"}, {IP: "10.0.0.1"}, {Hostname: "opensource-k8s-ingress"}, @@ -668,7 +671,7 @@ func TestStandardizeLoadBalancerIngresses(t *testing.T) { r := standardizeLoadBalancerIngresses(fkEndpoints) if r == nil { - t.Fatalf("returned nil but expected a valid []apiv1.LoadBalancerIngress") + t.Fatalf("returned nil but expected a valid []networking.IngressLoadBalancerIngress") } rl := len(r) if rl != 3 { @@ -676,21 +679,21 @@ func TestStandardizeLoadBalancerIngresses(t *testing.T) { } re1 := r[0] if re1.Hostname != "opensource-k8s-ingress" { - t.Fatalf("returned %v but expected %v", re1, apiv1.LoadBalancerIngress{Hostname: "opensource-k8s-ingress"}) + t.Fatalf("returned %v but expected %v", re1, networking.IngressLoadBalancerIngress{Hostname: "opensource-k8s-ingress"}) } re2 := r[1] if re2.IP != "10.0.0.1" { - t.Fatalf("returned %v but expected %v", re2, apiv1.LoadBalancerIngress{IP: "10.0.0.1"}) + t.Fatalf("returned %v but expected %v", re2, networking.IngressLoadBalancerIngress{IP: "10.0.0.1"}) } re3 := r[2] if re3.IP != "2001:db8::68" { - t.Fatalf("returned %v but expected %v", re3, apiv1.LoadBalancerIngress{IP: "2001:db8::68"}) + t.Fatalf("returned %v but expected %v", re3, networking.IngressLoadBalancerIngress{IP: "2001:db8::68"}) } } func TestIngressSliceEqual(t *testing.T) { fk1 := buildLoadBalancerIngressByIP() - fk2 := append(buildLoadBalancerIngressByIP(), apiv1.LoadBalancerIngress{ + fk2 := append(buildLoadBalancerIngressByIP(), networking.IngressLoadBalancerIngress{ IP: "10.0.0.5", Hostname: "foo5", }) @@ -700,8 +703,8 @@ func TestIngressSliceEqual(t *testing.T) { fk4[2].IP = "11.0.0.3" fooTests := []struct { - lhs []apiv1.LoadBalancerIngress - rhs []apiv1.LoadBalancerIngress + lhs []networking.IngressLoadBalancerIngress + rhs []networking.IngressLoadBalancerIngress er bool }{ {fk1, fk1, true}, @@ -710,7 +713,7 @@ func TestIngressSliceEqual(t *testing.T) { {fk4, fk1, false}, {fk1, nil, false}, {nil, nil, true}, - {[]apiv1.LoadBalancerIngress{}, []apiv1.LoadBalancerIngress{}, true}, + {[]networking.IngressLoadBalancerIngress{}, []networking.IngressLoadBalancerIngress{}, true}, } for _, fooTest := range fooTests { diff --git a/test/e2e/status/update.go b/test/e2e/status/update.go index c9c6ef333..8bedc4d4e 100644 --- a/test/e2e/status/update.go +++ b/test/e2e/status/update.go @@ -19,6 +19,7 @@ package settings import ( "context" "fmt" + v1 "k8s.io/api/networking/v1" "log" "net" "strings" @@ -28,7 +29,6 @@ import ( "github.com/stretchr/testify/assert" appsv1 "k8s.io/api/apps/v1" - apiv1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/wait" @@ -87,7 +87,7 @@ var _ = framework.IngressNginxDescribe("[Status] status update", func() { ing, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error getting %s/%v Ingress", f.Namespace, host) - ing.Status.LoadBalancer.Ingress = []apiv1.LoadBalancerIngress{} + ing.Status.LoadBalancer.Ingress = []v1.IngressLoadBalancerIngress{} _, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).UpdateStatus(context.TODO(), ing, metav1.UpdateOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error cleaning Ingress status") framework.Sleep(10 * time.Second) @@ -121,9 +121,9 @@ var _ = framework.IngressNginxDescribe("[Status] status update", func() { return true, nil }) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error waiting for ingress status") - assert.Equal(ginkgo.GinkgoT(), ing.Status.LoadBalancer.Ingress, ([]apiv1.LoadBalancerIngress{ + assert.Equal(ginkgo.GinkgoT(), ing.Status.LoadBalancer.Ingress, []v1.IngressLoadBalancerIngress{ {IP: "1.1.0.0"}, - })) + }) }) }) From ea0db8de77dffc0f21d8324fa79180855422e27c Mon Sep 17 00:00:00 2001 From: Christian Schaefer Date: Wed, 18 Jan 2023 14:22:35 +0100 Subject: [PATCH 124/405] Align default value for keepalive_request with NGINX default (#9518) * Align default value for keepalive_request with NGINX default * Align default value for keepalive_request with NGINX default --- docs/user-guide/nginx-configuration/configmap.md | 4 ++-- internal/ingress/controller/config/config.go | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md index 849d6968a..baefa7c72 100755 --- a/docs/user-guide/nginx-configuration/configmap.md +++ b/docs/user-guide/nginx-configuration/configmap.md @@ -62,7 +62,7 @@ The following table shows a configuration option's name, type, and the default v |[hsts-max-age](#hsts-max-age)|string|"15724800"| |[hsts-preload](#hsts-preload)|bool|"false"| |[keep-alive](#keep-alive)|int|75| -|[keep-alive-requests](#keep-alive-requests)|int|100| +|[keep-alive-requests](#keep-alive-requests)|int|1000| |[large-client-header-buffers](#large-client-header-buffers)|string|"4 8k"| |[log-format-escape-none](#log-format-escape-none)|bool|"false"| |[log-format-escape-json](#log-format-escape-json)|bool|"false"| @@ -1348,4 +1348,4 @@ will be allowed. See also [#disable-pathtype-validation](#disable-pathtype-validation). -_**default:**_ "^%$[](){}*+?|" \ No newline at end of file +_**default:**_ "^%$[](){}*+?|" diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go index b246ef9cf..8be92167d 100644 --- a/internal/ingress/controller/config/config.go +++ b/internal/ingress/controller/config/config.go @@ -852,7 +852,7 @@ func NewDefault() Configuration { GzipMinLength: 256, GzipTypes: gzipTypes, KeepAlive: 75, - KeepAliveRequests: 100, + KeepAliveRequests: 1000, LargeClientHeaderBuffers: "4 8k", LogFormatEscapeJSON: false, LogFormatStream: logFormatStream, From e846c30e47ffd4bc2290ed4b9ed5d4fb8dd09a4c Mon Sep 17 00:00:00 2001 From: James Strong Date: Fri, 13 Jan 2023 08:54:28 -0500 Subject: [PATCH 125/405] start 1.6.0 release Signed-off-by: James Strong --- TAG | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TAG b/TAG index c9b3c015f..05f629f1b 100644 --- a/TAG +++ b/TAG @@ -1 +1 @@ -v1.5.1 \ No newline at end of file +v1.6.0 \ No newline at end of file From 101ab06010f80990009c212d7cb5c187e6502648 Mon Sep 17 00:00:00 2001 From: Zadkiel Aharonian Date: Thu, 19 Jan 2023 15:36:38 +0100 Subject: [PATCH 126/405] fix(grafana-dashboard): remove hardcoded namespace references (#9523) --- deploy/grafana/dashboards/nginx.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/deploy/grafana/dashboards/nginx.json b/deploy/grafana/dashboards/nginx.json index 85f93c9eb..3c3205b4a 100644 --- a/deploy/grafana/dashboards/nginx.json +++ b/deploy/grafana/dashboards/nginx.json @@ -1312,7 +1312,7 @@ "targets": [ { "exemplar": true, - "expr": "histogram_quantile(0.80, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\",exported_namespace=\"uat\"}[2m])) by (le))", + "expr": "histogram_quantile(0.80, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (le))", "format": "time_series", "hide": false, "instant": false, @@ -1323,7 +1323,7 @@ }, { "exemplar": true, - "expr": "histogram_quantile(0.90, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\",exported_namespace=\"uat\"}[2m])) by (le))", + "expr": "histogram_quantile(0.90, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (le))", "format": "time_series", "hide": false, "instant": false, @@ -1335,7 +1335,7 @@ { "editorMode": "code", "exemplar": true, - "expr": "histogram_quantile(0.99, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\",exported_namespace=\"uat\"}[2m])) by (le))", + "expr": "histogram_quantile(0.99, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (le))", "format": "time_series", "hide": false, "instant": false, @@ -1377,7 +1377,7 @@ "targets": [ { "exemplar": true, - "expr": "sum(increase(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\",exported_namespace=\"uat\"}[2m])) by (le)", + "expr": "sum(increase(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (le)", "format": "heatmap", "interval": "", "legendFormat": "{{le}}", From 8c4cd879e33f966a80c06032955f2cd1d3a2f59b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 19 Jan 2023 06:48:35 -0800 Subject: [PATCH 127/405] Bump google.golang.org/grpc from 1.51.0 to 1.52.0 (#9512) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.51.0 to 1.52.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.51.0...v1.52.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 780cac648..2412ad6db 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a golang.org/x/crypto v0.5.0 - google.golang.org/grpc v1.51.0 + google.golang.org/grpc v1.52.0 google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 diff --git a/go.sum b/go.sum index f03756bab..6dc3d7f54 100644 --- a/go.sum +++ b/go.sum @@ -660,8 +660,8 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.51.0 h1:E1eGv1FTqoLIdnBCZufiSHgKjlqG6fKFf6pPWtMTh8U= -google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsAIPww= +google.golang.org/grpc v1.52.0 h1:kd48UiU7EHsV4rnLyOJRuP/Il/UHE7gdDAQ+SZI7nZk= +google.golang.org/grpc v1.52.0/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5vorUY= google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 h1:pPsdyuBif+uoyUoL19yuj/TCfUPsmpJHJZhWQ98JGLU= google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7/go.mod h1:8pQa1yxxkh+EsxUK8/455D5MSbv3vgmEJqKCH3y17mI= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= From d1af3b5ccaf2ff3cde0f3b3fcdb27c2f45fc0516 Mon Sep 17 00:00:00 2001 From: Harpreet singh Date: Thu, 19 Jan 2023 22:58:36 +0800 Subject: [PATCH 128/405] Add CORS template check inside location for externalAuth.SignURL (#8814) * Add CORS template check inside location for externalAuth.SignURL * Add testcase for CORS header for auth-signin redirect with CORS enabled. --- rootfs/etc/nginx/template/nginx.tmpl | 4 +++ test/e2e/annotations/auth.go | 45 ++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index 911cf75ea..958397dd5 100755 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -1180,6 +1180,10 @@ stream { add_header Set-Cookie $auth_cookie; + {{ if $location.CorsConfig.CorsEnabled }} + {{ template "CORS" $location }} + {{ end }} + # Ensure that modsecurity will not run on an internal location as this is not accessible from outside {{ if $all.Cfg.EnableModsecurity }} modsecurity off; diff --git a/test/e2e/annotations/auth.go b/test/e2e/annotations/auth.go index 1f0f4c3b2..e26fcbd46 100644 --- a/test/e2e/annotations/auth.go +++ b/test/e2e/annotations/auth.go @@ -720,6 +720,51 @@ http { }) }) + ginkgo.Context("when external authentication is configured along with CORS enabled", func() { + host := "auth" + var annotations map[string]string + var ing *networking.Ingress + + ginkgo.BeforeEach(func() { + f.NewHttpbinDeployment() + + var httpbinIP string + + err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1) + assert.Nil(ginkgo.GinkgoT(), err) + + e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{}) + assert.Nil(ginkgo.GinkgoT(), err) + + httpbinIP = e.Subsets[0].Addresses[0].IP + + annotations = map[string]string{ + "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP), + "nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start", + "nginx.ingress.kubernetes.io/enable-cors": "true", + } + + ing = framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, func(server string) bool { + return strings.Contains(server, "server_name auth") + }) + }) + + ginkgo.It("should redirect to signin url when not signed in along With CORS headers in response", func() { + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + WithQuery("a", "b"). + WithQuery("c", "d"). + Expect(). + Status(http.StatusFound). + Header("Access-Control-Allow-Origin").Equal(fmt.Sprintf("*")) + + }) + }) + ginkgo.Context("when external authentication with caching is configured", func() { thisHost := "auth" thatHost := "different" From ef5bf06c61b12e78e0e3168a3bc7fd4222fb5db0 Mon Sep 17 00:00:00 2001 From: James Strong Date: Wed, 9 Nov 2022 16:05:42 -0500 Subject: [PATCH 129/405] testing auto change Signed-off-by: James Strong --- hack/changelog.sh | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100755 hack/changelog.sh diff --git a/hack/changelog.sh b/hack/changelog.sh new file mode 100755 index 000000000..6ecd9f890 --- /dev/null +++ b/hack/changelog.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +set -o errexit +set -o nounset +set -o pipefail + +declare -a mandatory +mandatory=( + LINES + RELEASE +) + +gh pr list -R kubernetes/ingress-nginx -s merged -L ${LINES} -B main | cut -f1,2 | awk '{ printf "* [%s](https://github.com/kubernetes/ingress-nginx/pull/%s) %s\n",$1,$1, substr($0,6)}' + + From 2a9e420bf7977a75515825a6338d2975a6b6a1fc Mon Sep 17 00:00:00 2001 From: James Strong Date: Fri, 11 Nov 2022 09:23:19 -0500 Subject: [PATCH 130/405] Add mage files for changelog Signed-off-by: James Strong --- Changelog.md.gotmpl | 15 + RELEASE.md => MANUAL_RELEASE.md | 10 +- NEW_RELEASE_PROCESS.md | 9 + TAG | 2 +- changelog/Changelog-1.5.2.md | 36 ++ charts/ingress-nginx/changelog/.gitkeep | 0 .../changelog/Changelog-1.5.2.md | 12 + go.mod | 1 + go.sum | 2 + hack/changelog.sh | 15 - ingress-nginx.yaml | 68 ++ magefiles/common.go | 66 ++ magefiles/docker.go | 3 + magefiles/go.go | 15 + magefiles/go.mod | 32 + magefiles/go.sum | 105 +++ magefiles/helm.go | 608 ++++++++++++++++++ magefiles/mage.go | 13 + magefiles/release.go | 526 +++++++++++++++ magefiles/tags.go | 130 ++++ magefiles/yaml.go | 3 + 21 files changed, 1650 insertions(+), 21 deletions(-) create mode 100644 Changelog.md.gotmpl rename RELEASE.md => MANUAL_RELEASE.md (96%) create mode 100644 NEW_RELEASE_PROCESS.md create mode 100644 charts/ingress-nginx/changelog/.gitkeep create mode 100644 charts/ingress-nginx/changelog/Changelog-1.5.2.md delete mode 100755 hack/changelog.sh create mode 100644 ingress-nginx.yaml create mode 100644 magefiles/common.go create mode 100644 magefiles/docker.go create mode 100644 magefiles/go.go create mode 100644 magefiles/go.mod create mode 100644 magefiles/go.sum create mode 100644 magefiles/helm.go create mode 100644 magefiles/mage.go create mode 100644 magefiles/release.go create mode 100644 magefiles/tags.go create mode 100644 magefiles/yaml.go diff --git a/Changelog.md.gotmpl b/Changelog.md.gotmpl new file mode 100644 index 000000000..d35df8ade --- /dev/null +++ b/Changelog.md.gotmpl @@ -0,0 +1,15 @@ +# Changelog + +### {{ .Version }} +Images: +{{ with .ControllerImages }} +{{ range . }} * {{ .Registry }}/{{ .Name }}:{{ .Tag}}@{{ .Digest }} +{{ end }} {{ end }} +### All Changes: +{{ with .Updates }} +{{ range . }}* {{ . }} +{{ end }}{{ end }} +### Dependencies updates: {{ with .DepUpdates }} +{{ range . }}* {{ . }} +{{ end }} {{ end }} +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-{{ .PreviousControllerVersion }}...controller-{{ .NewControllerVersion }} diff --git a/RELEASE.md b/MANUAL_RELEASE.md similarity index 96% rename from RELEASE.md rename to MANUAL_RELEASE.md index ca0faa4e1..d7144b85d 100644 --- a/RELEASE.md +++ b/MANUAL_RELEASE.md @@ -103,7 +103,7 @@ Promoting the images basically means that images, that were pushed to staging co - Fork that other project (if you don't have a fork already). -- Other project to fork [Github repo kubernetes/k8s.io](http://github.com/kubernetes/k8s.io) +- Other project to fork [GitHub repo kubernetes/k8s.io](http://github.com/kubernetes/k8s.io) - Fetch --all and rebase to upstream if already forked. @@ -111,7 +111,7 @@ Promoting the images basically means that images, that were pushed to staging co - In the related branch, of your fork, edit the file /registry.k8s.io/images/k8s-staging-ingress-nginx/images.yaml. -- For making it easier, you can edit your branch directly in the browser. But be careful about making any mistake. +- For making, it easier, you can edit your branch directly in the browser. But be careful about making any mistake. - Insert the sha(s) & the tag(s), in a new line, in this file [Project kubernetes/k8s.io Ingress-Nginx-Controller Images](https://github.com/kubernetes/k8s.io/blob/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml) Look at this [example PR and the diff](https://github.com/kubernetes/k8s.io/pull/2536) to see how it was done before @@ -132,7 +132,7 @@ Promoting the images basically means that images, that were pushed to staging co - Make sure to get the tag and sha of the promoted image from the step before, either from cloudbuild or from [here](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/ingress-nginx/controller). -- This involves editing of several different files. So carefully follow the steps below and double check all changes with diff/grep etc., repeatedly. Mistakes here impact endusers. +- This involves editing of several files. So carefully follow the steps below and double check all changes with diff/grep etc., repeatedly. Mistakes here impact endusers. ### a. Make sure your git workspace is ready @@ -160,7 +160,7 @@ Promoting the images basically means that images, that were pushed to staging co - [TAG](https://github.com/kubernetes/ingress-nginx/blob/main/TAG#L1) ### c. Edit the helm Chart - - Change the below mentioned [Fields in Chart.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/Chart.yaml) + - Change the below-mentioned [Fields in Chart.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/Chart.yaml) - version - appVersion - kubeVersion (**ONLY if applicable**) @@ -168,7 +168,7 @@ Promoting the images basically means that images, that were pushed to staging co - artifacthub.io/prerelease: "true" - artifacthub.io/changes: | - Replace this line and other lines under this annotation with the Changelog. One process to generate the Changelog is described below - - Install and configure github cli as per the docs of gh-cli https://cli.github.com/, + - Install and configure GitHub cli as per the docs of gh-cli https://cli.github.com/, - Change dir to your clone, of your fork, of the ingress-nginx project - Run the below command and save the output to a txt file diff --git a/NEW_RELEASE_PROCESS.md b/NEW_RELEASE_PROCESS.md new file mode 100644 index 000000000..cdb683abf --- /dev/null +++ b/NEW_RELEASE_PROCESS.md @@ -0,0 +1,9 @@ +# Semi-Automated Release Process + +1. Update TAG +2. Cloud Build +3. k8s.io PR +4. git pull origin main +5. git checkout -b $RELEASE_VERSION +6. mage release:newrelease $RELEASE_VERSION +7. Wait for PR \ No newline at end of file diff --git a/TAG b/TAG index 05f629f1b..b7c0a9b1d 100644 --- a/TAG +++ b/TAG @@ -1 +1 @@ -v1.6.0 \ No newline at end of file +v1.6.0 diff --git a/changelog/Changelog-1.5.2.md b/changelog/Changelog-1.5.2.md index 8b2617924..ed8532374 100644 --- a/changelog/Changelog-1.5.2.md +++ b/changelog/Changelog-1.5.2.md @@ -3,6 +3,7 @@ ### 1.5.2 Images: +<<<<<<< HEAD * registry.k8s.io/ingress-nginx/controller:controller-v1.5.2@sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 * registry.k8s.io/ingress-nginx/controller-chroot:controller-v1.5.2@sha256:84613555694f2c59a8b2551126d226c9aa648544ebf0cde1e0df942f7dbce42b @@ -19,6 +20,24 @@ Images: * update the nginx run container for alpine:3.17.0 (#9430) * cleanup: remove ioutil for new go version (#9427) * start upgrade to golang 1.19.4 and alpine 3.17.0 (#9417) +======= + * registry.k8s.io/controller:controller-v1.5.2@sha256:c1c091b88a6c936a83bd7g098v62f60a87868d12452529bad0d178fb36143346 + * registry.k8s.io/controller-chroot:controller-v1.5.2@sha256:c1c091b88a6c936a83bd7b098662760a87868d12452529b350d178fb36147345 + +### All Changes: + +<<<<<<< HEAD +>>>>>>> f4164ae0b (THE CHANGELOG WORKS) +======= +* upgrade nginx base image (#9436) +* test the new e2e test images (#9444) +* avoid builds and tests for non-code changes (#9392) +* CI updates (#9440) +* HPA: Add `controller.autoscaling.annotations` to `values.yaml`. (#9253) +* update the nginx run container for alpine:3.17.0 (#9430) +* cleanup: remove ioutil for new go version (#9427) +* start upgrade to golang 1.19.4 and alpine 3.17.0 (#9417) +>>>>>>> 9ecab7d85 (e2e doc updates work now) * ci: remove setup-helm step (#9404) * ci: remove setup-kind step (#9401) * Add reporter for all tests (#9395) @@ -54,6 +73,10 @@ Images: * add containerSecurityContext to extraModules init containers (kubernetes#9016) (#9242) ### Dependencies updates: +<<<<<<< HEAD +<<<<<<< HEAD +======= +>>>>>>> 9ecab7d85 (e2e doc updates work now) * Bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#9397) * Bump github.com/onsi/ginkgo/v2 from 2.6.0 to 2.6.1 (#9432) * Bump github.com/onsi/ginkgo/v2 from 2.6.0 to 2.6.1 (#9421) @@ -62,6 +85,11 @@ Images: * Bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (#9426) * Bump actions/dependency-review-action from 3.0.1 to 3.0.2 (#9424) * Bump ossf/scorecard-action from 2.0.6 to 2.1.0 (#9422) +<<<<<<< HEAD +======= +>>>>>>> f4164ae0b (THE CHANGELOG WORKS) +======= +>>>>>>> 9ecab7d85 (e2e doc updates work now) * Bump github.com/prometheus/common from 0.37.0 to 0.39.0 (#9416) * Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.6.0 (#9408) * Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.6.0 (#9398) @@ -76,4 +104,12 @@ Images: * Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (#9301) * Bump k8s.io/component-base from 0.25.3 to 0.25.4 (#9300) +<<<<<<< HEAD +<<<<<<< HEAD **Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.5.1...controller-controller-v1.5.2 +======= +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.5.2...controller-controller-v1.5.1 +>>>>>>> f4164ae0b (THE CHANGELOG WORKS) +======= +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.5.1...controller-controller-v1.5.2 +>>>>>>> 9ecab7d85 (e2e doc updates work now) diff --git a/charts/ingress-nginx/changelog/.gitkeep b/charts/ingress-nginx/changelog/.gitkeep new file mode 100644 index 000000000..e69de29bb diff --git a/charts/ingress-nginx/changelog/Changelog-1.5.2.md b/charts/ingress-nginx/changelog/Changelog-1.5.2.md new file mode 100644 index 000000000..5e0563858 --- /dev/null +++ b/charts/ingress-nginx/changelog/Changelog-1.5.2.md @@ -0,0 +1,12 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.4.1 + +* ci: remove setup-helm step (#9404) +* feat(helm): Optionally use cert-manager instead admission patch (#9279) +* run helm release on main only and when the chart/value changes only (#9290) +* Update Ingress-Nginx version controller-v1.5.2 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.4.1...helm-chart-4.4.1 diff --git a/go.mod b/go.mod index 780cac648..c69a122ab 100644 --- a/go.mod +++ b/go.mod @@ -77,6 +77,7 @@ require ( github.com/inconshreveable/mousetrap v1.0.1 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect + github.com/magefile/mage v1.14.0 // indirect github.com/mailru/easyjson v0.7.6 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect diff --git a/go.sum b/go.sum index f03756bab..05f07c5f3 100644 --- a/go.sum +++ b/go.sum @@ -231,6 +231,8 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= +github.com/magefile/mage v1.14.0 h1:6QDX3g6z1YvJ4olPhT1wksUcSa/V0a1B+pJb73fBjyo= +github.com/magefile/mage v1.14.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA= diff --git a/hack/changelog.sh b/hack/changelog.sh deleted file mode 100755 index 6ecd9f890..000000000 --- a/hack/changelog.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/usr/bin/env bash - -set -o errexit -set -o nounset -set -o pipefail - -declare -a mandatory -mandatory=( - LINES - RELEASE -) - -gh pr list -R kubernetes/ingress-nginx -s merged -L ${LINES} -B main | cut -f1,2 | awk '{ printf "* [%s](https://github.com/kubernetes/ingress-nginx/pull/%s) %s\n",$1,$1, substr($0,6)}' - - diff --git a/ingress-nginx.yaml b/ingress-nginx.yaml new file mode 100644 index 000000000..be66255e0 --- /dev/null +++ b/ingress-nginx.yaml @@ -0,0 +1,68 @@ +CURRENT_VERSION: "v1.5.1" +GOLANG_VERSION: "1.19.2" +GIT_TAG: "controller-v1.5.1" +NGINX_BASE_IMAGE: "registry.k8s.io/ingress-nginx/nginx:0b5e0685112e4537ee20a0bdbba451e9f6158aa3@sha256:3f5e28bb248d5170e77b77fc2a1a385724aeff41a0b34b5afad7dd9cf93de000" +NGINX_VERSION: "1.21.6" +VERSION_TABLE: + - "v1.5.1": + - Alpine: "3.16.2" + - Kubernetes: ["1.25","1.24","1.23"] + - NGINX: "1.21.6" + - CONTROLLER_IMAGE: "registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629" + - CHROOT_CONTROLLER_IMAGE: "registry.k8s.io/ingress-nginx/controller-chroot:v1.5.1@sha256:c1c091b88a6c936a83bd7b098662760a87868d12452529bad0d178fb36147345" + - "v1.4.0": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.3.1": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.3.0": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.2.1": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.1.3": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.1.2": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.1.1": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.1.0": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.0.5": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.0.4": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.0.3": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.0.2": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.0.1": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.0.0": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" diff --git a/magefiles/common.go b/magefiles/common.go new file mode 100644 index 000000000..ae2fed0c4 --- /dev/null +++ b/magefiles/common.go @@ -0,0 +1,66 @@ +//go:build mage + +package main + +import ( + "fmt" + "os" + "strings" + "time" +) + +var DEBUG bool + +func init() { + DEBUG = false + debugENV := os.Getenv("MAGE_DEBUG") + if debugENV == "true" { + DEBUG = true + } +} + +// CheckArgs should be used to ensure the right command line arguments are +// passed before executing an example. +func CheckArgs(arg ...string) { + if len(os.Args) < len(arg)+1 { + ErrorF("Usage: %s %s", os.Args[0], strings.Join(arg, " ")) + os.Exit(1) + } +} + +// CheckIfError should be used to naively panics if an error is not nil. +func CheckIfError(err error, format string, args ...interface{}) { + if err == nil { + return + } + + fmt.Printf("\x1b[31;1m%s ERROR %s %s\x1b[0m\n", timeStamp(), fmt.Sprintf(format, args...), err) + os.Exit(1) +} + +// Info should be used to describe the example commands that are about to run. +func Info(format string, args ...interface{}) { + fmt.Printf("\x1b[34;1m%s INFO: %s\x1b[0m\n", timeStamp(), fmt.Sprintf(format, args...)) +} + +func timeStamp() string { + t := time.Now() + return t.Format(time.RFC3339) +} + +// Warning should be used to display a warning +func Warning(format string, args ...interface{}) { + fmt.Printf("\x1b[36;1m%s WARNING: %s\x1b[0m\n", timeStamp(), fmt.Sprintf(format, args...)) +} + +// Info should be used to describe the example commands that are about to run. +func Debug(format string, args ...interface{}) { + if DEBUG { + fmt.Printf("\x1b[34;1m%s DEBUG: %s\x1b[0m\n", timeStamp(), fmt.Sprintf(format, args...)) + } +} + +// Info should be used to describe the example commands that are about to run. +func ErrorF(format string, args ...interface{}) { + fmt.Printf("\x1b[31;1m%s ERROR: %s\x1b[0m\n", timeStamp(), fmt.Sprintf(format, args...)) +} diff --git a/magefiles/docker.go b/magefiles/docker.go new file mode 100644 index 000000000..7353508f3 --- /dev/null +++ b/magefiles/docker.go @@ -0,0 +1,3 @@ +//go:build mage + +package main diff --git a/magefiles/go.go b/magefiles/go.go new file mode 100644 index 000000000..352b8fb1e --- /dev/null +++ b/magefiles/go.go @@ -0,0 +1,15 @@ +//go:build mage + +package main + +//import ( +// "github.com/magefile/mage/mg" +// "github.com/mysteriumnetwork/go-ci/commands" +//) +// +//type Go mg.Namespace +// +//// Checks for issues with go imports +//func (Go) CheckGoImports() error { +// return commands.GoImports("./...") +//} diff --git a/magefiles/go.mod b/magefiles/go.mod new file mode 100644 index 000000000..31c11a061 --- /dev/null +++ b/magefiles/go.mod @@ -0,0 +1,32 @@ +module github.com/kubernetes/ingress-nginx/magefiles + +go 1.19 + +require ( + github.com/blang/semver/v4 v4.0.0 + github.com/google/go-github/v48 v48.2.0 + github.com/helm/helm v2.17.0+incompatible + github.com/magefile/mage v1.14.0 + github.com/vmware-labs/yaml-jsonpath v0.3.2 + golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be + gopkg.in/yaml.v3 v3.0.1 +) + +require ( + github.com/BurntSushi/toml v1.2.1 // indirect + github.com/Masterminds/semver v1.5.0 // indirect + github.com/cyphar/filepath-securejoin v0.2.3 // indirect + github.com/dprotaso/go-yit v0.0.0-20191028211022-135eb7262960 // indirect + github.com/ghodss/yaml v1.0.0 // indirect + github.com/gobwas/glob v0.2.3 // indirect + github.com/golang/protobuf v1.5.2 // indirect + github.com/google/go-querystring v1.1.0 // indirect + github.com/stretchr/testify v1.8.1 // indirect + golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 // indirect + golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect + google.golang.org/appengine v1.6.7 // indirect + google.golang.org/protobuf v1.28.0 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect + k8s.io/apimachinery v0.25.4 // indirect + k8s.io/helm v2.17.0+incompatible // indirect +) diff --git a/magefiles/go.sum b/magefiles/go.sum new file mode 100644 index 000000000..38a4235f6 --- /dev/null +++ b/magefiles/go.sum @@ -0,0 +1,105 @@ +github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak= +github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww= +github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= +github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= +github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= +github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI= +github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dprotaso/go-yit v0.0.0-20191028211022-135eb7262960 h1:aRd8M7HJVZOqn/vhOzrGcQH0lNAMkqMn+pXUYkatmcA= +github.com/dprotaso/go-yit v0.0.0-20191028211022-135eb7262960/go.mod h1:9HQzr9D/0PGwMEbC3d5AB7oi67+h4TsQqItC1GVYG58= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= +github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= +github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-github/v48 v48.2.0 h1:68puzySE6WqUY9KWmpOsDEQfDZsso98rT6pZcz9HqcE= +github.com/google/go-github/v48 v48.2.0/go.mod h1:dDlehKBDo850ZPvCTK0sEqTCVWcrGl2LcDiajkYi89Y= +github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= +github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU= +github.com/helm/helm v2.17.0+incompatible h1:0iy95yMXrfWpwaoOA9XRP+cTvitTrq+LcJV9DvR5n1Y= +github.com/helm/helm v2.17.0+incompatible/go.mod h1:ahXhuvluW4YnSL6W6hDVetZsVK8Pv4BP8OwKli7aMqo= +github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/magefile/mage v1.14.0 h1:6QDX3g6z1YvJ4olPhT1wksUcSa/V0a1B+pJb73fBjyo= +github.com/magefile/mage v1.14.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= +github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.10.2 h1:uqH7bpe+ERSiDa34FDOF7RikN6RzXgduUF8yarlZp94= +github.com/onsi/ginkgo v1.10.2/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= +github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/vmware-labs/yaml-jsonpath v0.3.2 h1:/5QKeCBGdsInyDCyVNLbXyilb61MXGi9NP674f9Hobk= +github.com/vmware-labs/yaml-jsonpath v0.3.2/go.mod h1:U6whw1z03QyqgWdgXxvVnQ90zN1BWz5V+51Ewf8k+rQ= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 h1:HWj/xjIHfjYU5nVXpTM0s39J9CbLn7Cc5a7IC5rwsMQ= +golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b h1:PxfKdU9lEEDYjdIzOtC4qFWgkU2rGHdKlKowJSMN9h0= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be h1:vEDujvNQGv4jgYKudGeI/+DAX4Jffq6hpD55MmoEvKs= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a h1:dGzPydgVsqGcTRVwiLJ1jVbufYwmzD3LfVPLKsKg+0k= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= +google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw= +google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU= +gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20191026110619-0b21df46bc1d/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +k8s.io/apimachinery v0.25.4 h1:CtXsuaitMESSu339tfhVXhQrPET+EiWnIY1rcurKnAc= +k8s.io/apimachinery v0.25.4/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo= +k8s.io/helm v2.17.0+incompatible h1:Bpn6o1wKLYqKM3+Osh8e+1/K2g/GsQJ4F4yNF2+deao= +k8s.io/helm v2.17.0+incompatible/go.mod h1:LZzlS4LQBHfciFOurYBFkCMTaZ0D1l+p0teMg7TSULI= diff --git a/magefiles/helm.go b/magefiles/helm.go new file mode 100644 index 000000000..87966dea0 --- /dev/null +++ b/magefiles/helm.go @@ -0,0 +1,608 @@ +//go:build mage + +package main + +import ( + "fmt" + semver "github.com/blang/semver/v4" + "github.com/helm/helm/pkg/chartutil" + "github.com/magefile/mage/mg" + "github.com/magefile/mage/sh" + yamlpath "github.com/vmware-labs/yaml-jsonpath/pkg/yamlpath" + "gopkg.in/yaml.v3" + "os" + "strings" +) + +const HelmChartPath = "charts/ingress-nginx/Chart.yaml" +const HelmChartValues = "charts/ingress-nginx/values.yaml" + +type Helm mg.Namespace + +// UpdateAppVersion Updates the Helm App Version of Ingress Nginx Controller +func (Helm) UpdateAppVersion() { + updateAppVersion() +} + +func updateAppVersion() { + +} + +// UpdateVersion Update Helm Version of the Chart +func (Helm) UpdateVersion(version string) { + updateVersion(version) +} + +func currentChartVersion() string { + chart, err := chartutil.LoadChartfile(HelmChartPath) + CheckIfError(err, "HELM Could not Load Chart") + return chart.Version +} + +func currentChartAppVersion() string { + chart, err := chartutil.LoadChartfile(HelmChartPath) + CheckIfError(err, "HELM Could not Load Chart") + return chart.AppVersion +} + +func updateVersion(version string) { + Info("HELM Reading File %v", HelmChartPath) + + chart, err := chartutil.LoadChartfile(HelmChartPath) + CheckIfError(err, "HELM Could not Load Chart") + + //Get the current tag + //appVersionV, err := getIngressNGINXVersion() + //CheckIfError(err, "HELM Issue Retrieving the Current Ingress Nginx Version") + + //remove the v from TAG + appVersion := version + + Info("HELM Ingress-Nginx App Version: %s Chart AppVersion: %s", appVersion, chart.AppVersion) + if appVersion == chart.AppVersion { + Warning("HELM Ingress NGINX Version didnt change Ingress-Nginx App Version: %s Chart AppVersion: %s", appVersion, chart.AppVersion) + return + } + + //Update the helm chart + chart.AppVersion = appVersion + cTag, err := semver.Make(chart.Version) + CheckIfError(err, "HELM Creating Chart Version: %v", err) + + if err = cTag.IncrementPatch(); err != nil { + ErrorF("HELM Incrementing Chart Version: %v", err) + os.Exit(1) + } + chart.Version = cTag.String() + Debug("HELM Updated Chart Version: %v", chart.Version) + + err = chartutil.SaveChartfile(HelmChartPath, chart) + CheckIfError(err, "HELM Saving new Chart") +} + +func updateChartReleaseNotes(releasesNotes []string) { + Info("HELM Updating the Chart Release notes") + chart, err := chartutil.LoadChartfile(HelmChartPath) + CheckIfError(err, "HELM Could not Load Chart to update release notes %s", HelmChartPath) + var releaseNoteString string + for i := range releasesNotes { + releaseNoteString = fmt.Sprintf("%s - %s\n", releaseNoteString, releasesNotes[i]) + } + Info("HLEM Release note string %s", releaseNoteString) + chart.Annotations["artifacthub.io/changes"] = releaseNoteString + err = chartutil.SaveChartfile(HelmChartPath, chart) + CheckIfError(err, "HELM Saving updated release notes for Chart") +} + +func UpdateChartChangelog() { + +} + +// UpdateAppVersion Updates the Helm App Version of Ingress Nginx Controller +func (Helm) UpdateChartValue(key, value string) { + updateChartValue(key, value) +} + +func updateChartValue(key, value string) { + Info("HELM Updating Chart %s %s:%s", HelmChartValues, key, value) + + //read current values.yaml + data, err := os.ReadFile(HelmChartValues) + CheckIfError(err, "HELM Could not Load Helm Chart Values files %s", HelmChartValues) + + //var valuesStruct IngressChartValue + var n yaml.Node + CheckIfError(yaml.Unmarshal(data, &n), "HELM Could not Unmarshal %s", HelmChartValues) + + //update value + //keyParse := parsePath(key) + p, err := yamlpath.NewPath(key) + CheckIfError(err, "HELM cannot create path") + + q, err := p.Find(&n) + CheckIfError(err, "HELM unexpected error finding path") + + for _, i := range q { + Info("HELM Found %s at %s", i.Value, key) + i.Value = value + Info("HELM Updated %s at %s", i.Value, key) + } + + //// write to file + newValueFile, err := yaml.Marshal(&n) + CheckIfError(err, "HELM Could not Marshal new Values file") + err = os.WriteFile(HelmChartValues, newValueFile, 0644) + CheckIfError(err, "HELM Could not write new Values file to %s", HelmChartValues) + + Info("HELM Ingress Nginx Helm Chart update %s %s", key, value) +} + +func runHelmDocs() error { + err := installHelmDocs() + if err != nil { + return err + } + err = sh.RunV("helm-docs", "--chart-search-root=${PWD}/charts") + if err != nil { + return err + } + return nil +} + +func installHelmDocs() error { + Info("HELM Install HelmDocs") + var g0 = sh.RunCmd("go") + + err := g0("install", "github.com/norwoodj/helm-docs/cmd/helm-docs@v1.11.0") + if err != nil { + return err + } + return nil +} +func parsePath(key string) []string { return strings.Split(key, ".") } + +func updateHelmDocs() { + +} + +type IngressChartValue struct { + CommonLabels struct { + } `yaml:"commonLabels"` + Controller struct { + Name string `yaml:"name"` + Image struct { + Chroot bool `yaml:"chroot"` + Registry string `yaml:"registry"` + Image string `yaml:"image"` + Tag string `yaml:"tag"` + Digest string `yaml:"digest"` + DigestChroot string `yaml:"digestChroot"` + PullPolicy string `yaml:"pullPolicy"` + RunAsUser int `yaml:"runAsUser"` + AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` + } `yaml:"image"` + ExistingPsp string `yaml:"existingPsp"` + ContainerName string `yaml:"containerName"` + ContainerPort struct { + HTTP int `yaml:"http"` + HTTPS int `yaml:"https"` + } `yaml:"containerPort"` + Config struct { + } `yaml:"config"` + ConfigAnnotations struct { + } `yaml:"configAnnotations"` + ProxySetHeaders struct { + } `yaml:"proxySetHeaders"` + AddHeaders struct { + } `yaml:"addHeaders"` + DNSConfig struct { + } `yaml:"dnsConfig"` + Hostname struct { + } `yaml:"hostname"` + DNSPolicy string `yaml:"dnsPolicy"` + ReportNodeInternalIP bool `yaml:"reportNodeInternalIp"` + WatchIngressWithoutClass bool `yaml:"watchIngressWithoutClass"` + IngressClassByName bool `yaml:"ingressClassByName"` + AllowSnippetAnnotations bool `yaml:"allowSnippetAnnotations"` + HostNetwork bool `yaml:"hostNetwork"` + HostPort struct { + Enabled bool `yaml:"enabled"` + Ports struct { + HTTP int `yaml:"http"` + HTTPS int `yaml:"https"` + } `yaml:"ports"` + } `yaml:"hostPort"` + ElectionID string `yaml:"electionID"` + IngressClassResource struct { + Name string `yaml:"name"` + Enabled bool `yaml:"enabled"` + Default bool `yaml:"default"` + ControllerValue string `yaml:"controllerValue"` + Parameters struct { + } `yaml:"parameters"` + } `yaml:"ingressClassResource"` + IngressClass string `yaml:"ingressClass"` + PodLabels struct { + } `yaml:"podLabels"` + PodSecurityContext struct { + } `yaml:"podSecurityContext"` + Sysctls struct { + } `yaml:"sysctls"` + PublishService struct { + Enabled bool `yaml:"enabled"` + PathOverride string `yaml:"pathOverride"` + } `yaml:"publishService"` + Scope struct { + Enabled bool `yaml:"enabled"` + Namespace string `yaml:"namespace"` + NamespaceSelector string `yaml:"namespaceSelector"` + } `yaml:"scope"` + ConfigMapNamespace string `yaml:"configMapNamespace"` + TCP struct { + ConfigMapNamespace string `yaml:"configMapNamespace"` + Annotations struct { + } `yaml:"annotations"` + } `yaml:"tcp"` + UDP struct { + ConfigMapNamespace string `yaml:"configMapNamespace"` + Annotations struct { + } `yaml:"annotations"` + } `yaml:"udp"` + MaxmindLicenseKey string `yaml:"maxmindLicenseKey"` + ExtraArgs struct { + } `yaml:"extraArgs"` + ExtraEnvs []interface{} `yaml:"extraEnvs"` + Kind string `yaml:"kind"` + Annotations struct { + } `yaml:"annotations"` + Labels struct { + } `yaml:"labels"` + UpdateStrategy struct { + } `yaml:"updateStrategy"` + MinReadySeconds int `yaml:"minReadySeconds"` + Tolerations []interface{} `yaml:"tolerations"` + Affinity struct { + } `yaml:"affinity"` + TopologySpreadConstraints []interface{} `yaml:"topologySpreadConstraints"` + TerminationGracePeriodSeconds int `yaml:"terminationGracePeriodSeconds"` + NodeSelector struct { + KubernetesIoOs string `yaml:"kubernetes.io/os"` + } `yaml:"nodeSelector"` + LivenessProbe struct { + HTTPGet struct { + Path string `yaml:"path"` + Port int `yaml:"port"` + Scheme string `yaml:"scheme"` + } `yaml:"httpGet"` + InitialDelaySeconds int `yaml:"initialDelaySeconds"` + PeriodSeconds int `yaml:"periodSeconds"` + TimeoutSeconds int `yaml:"timeoutSeconds"` + SuccessThreshold int `yaml:"successThreshold"` + FailureThreshold int `yaml:"failureThreshold"` + } `yaml:"livenessProbe"` + ReadinessProbe struct { + HTTPGet struct { + Path string `yaml:"path"` + Port int `yaml:"port"` + Scheme string `yaml:"scheme"` + } `yaml:"httpGet"` + InitialDelaySeconds int `yaml:"initialDelaySeconds"` + PeriodSeconds int `yaml:"periodSeconds"` + TimeoutSeconds int `yaml:"timeoutSeconds"` + SuccessThreshold int `yaml:"successThreshold"` + FailureThreshold int `yaml:"failureThreshold"` + } `yaml:"readinessProbe"` + HealthCheckPath string `yaml:"healthCheckPath"` + HealthCheckHost string `yaml:"healthCheckHost"` + PodAnnotations struct { + } `yaml:"podAnnotations"` + ReplicaCount int `yaml:"replicaCount"` + MinAvailable int `yaml:"minAvailable"` + Resources struct { + Requests struct { + CPU string `yaml:"cpu"` + Memory string `yaml:"memory"` + } `yaml:"requests"` + } `yaml:"resources"` + Autoscaling struct { + APIVersion string `yaml:"apiVersion"` + Enabled bool `yaml:"enabled"` + Annotations struct { + } `yaml:"annotations"` + MinReplicas int `yaml:"minReplicas"` + MaxReplicas int `yaml:"maxReplicas"` + TargetCPUUtilizationPercentage int `yaml:"targetCPUUtilizationPercentage"` + TargetMemoryUtilizationPercentage int `yaml:"targetMemoryUtilizationPercentage"` + Behavior struct { + } `yaml:"behavior"` + } `yaml:"autoscaling"` + AutoscalingTemplate []interface{} `yaml:"autoscalingTemplate"` + Keda struct { + APIVersion string `yaml:"apiVersion"` + Enabled bool `yaml:"enabled"` + MinReplicas int `yaml:"minReplicas"` + MaxReplicas int `yaml:"maxReplicas"` + PollingInterval int `yaml:"pollingInterval"` + CooldownPeriod int `yaml:"cooldownPeriod"` + RestoreToOriginalReplicaCount bool `yaml:"restoreToOriginalReplicaCount"` + ScaledObject struct { + Annotations struct { + } `yaml:"annotations"` + } `yaml:"scaledObject"` + Triggers []interface{} `yaml:"triggers"` + Behavior struct { + } `yaml:"behavior"` + } `yaml:"keda"` + EnableMimalloc bool `yaml:"enableMimalloc"` + CustomTemplate struct { + ConfigMapName string `yaml:"configMapName"` + ConfigMapKey string `yaml:"configMapKey"` + } `yaml:"customTemplate"` + Service struct { + Enabled bool `yaml:"enabled"` + AppProtocol bool `yaml:"appProtocol"` + Annotations struct { + } `yaml:"annotations"` + Labels struct { + } `yaml:"labels"` + ExternalIPs []interface{} `yaml:"externalIPs"` + LoadBalancerIP string `yaml:"loadBalancerIP"` + LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` + EnableHTTP bool `yaml:"enableHttp"` + EnableHTTPS bool `yaml:"enableHttps"` + IPFamilyPolicy string `yaml:"ipFamilyPolicy"` + IPFamilies []string `yaml:"ipFamilies"` + Ports struct { + HTTP int `yaml:"http"` + HTTPS int `yaml:"https"` + } `yaml:"ports"` + TargetPorts struct { + HTTP string `yaml:"http"` + HTTPS string `yaml:"https"` + } `yaml:"targetPorts"` + Type string `yaml:"type"` + NodePorts struct { + HTTP string `yaml:"http"` + HTTPS string `yaml:"https"` + TCP struct { + } `yaml:"tcp"` + UDP struct { + } `yaml:"udp"` + } `yaml:"nodePorts"` + External struct { + Enabled bool `yaml:"enabled"` + } `yaml:"external"` + Internal struct { + Enabled bool `yaml:"enabled"` + Annotations struct { + } `yaml:"annotations"` + LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` + } `yaml:"internal"` + } `yaml:"service"` + ShareProcessNamespace bool `yaml:"shareProcessNamespace"` + ExtraContainers []interface{} `yaml:"extraContainers"` + ExtraVolumeMounts []interface{} `yaml:"extraVolumeMounts"` + ExtraVolumes []interface{} `yaml:"extraVolumes"` + ExtraInitContainers []interface{} `yaml:"extraInitContainers"` + ExtraModules []interface{} `yaml:"extraModules"` + Opentelemetry struct { + Enabled bool `yaml:"enabled"` + Image string `yaml:"image"` + ContainerSecurityContext struct { + AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` + } `yaml:"containerSecurityContext"` + } `yaml:"opentelemetry"` + AdmissionWebhooks struct { + Annotations struct { + } `yaml:"annotations"` + Enabled bool `yaml:"enabled"` + ExtraEnvs []interface{} `yaml:"extraEnvs"` + FailurePolicy string `yaml:"failurePolicy"` + Port int `yaml:"port"` + Certificate string `yaml:"certificate"` + Key string `yaml:"key"` + NamespaceSelector struct { + } `yaml:"namespaceSelector"` + ObjectSelector struct { + } `yaml:"objectSelector"` + Labels struct { + } `yaml:"labels"` + ExistingPsp string `yaml:"existingPsp"` + NetworkPolicyEnabled bool `yaml:"networkPolicyEnabled"` + Service struct { + Annotations struct { + } `yaml:"annotations"` + ExternalIPs []interface{} `yaml:"externalIPs"` + LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` + ServicePort int `yaml:"servicePort"` + Type string `yaml:"type"` + } `yaml:"service"` + CreateSecretJob struct { + SecurityContext struct { + AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` + } `yaml:"securityContext"` + Resources struct { + } `yaml:"resources"` + } `yaml:"createSecretJob"` + PatchWebhookJob struct { + SecurityContext struct { + AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` + } `yaml:"securityContext"` + Resources struct { + } `yaml:"resources"` + } `yaml:"patchWebhookJob"` + Patch struct { + Enabled bool `yaml:"enabled"` + Image struct { + Registry string `yaml:"registry"` + Image string `yaml:"image"` + Tag string `yaml:"tag"` + Digest string `yaml:"digest"` + PullPolicy string `yaml:"pullPolicy"` + } `yaml:"image"` + PriorityClassName string `yaml:"priorityClassName"` + PodAnnotations struct { + } `yaml:"podAnnotations"` + NodeSelector struct { + KubernetesIoOs string `yaml:"kubernetes.io/os"` + } `yaml:"nodeSelector"` + Tolerations []interface{} `yaml:"tolerations"` + Labels struct { + } `yaml:"labels"` + SecurityContext struct { + RunAsNonRoot bool `yaml:"runAsNonRoot"` + RunAsUser int `yaml:"runAsUser"` + FsGroup int `yaml:"fsGroup"` + } `yaml:"securityContext"` + } `yaml:"patch"` + CertManager struct { + Enabled bool `yaml:"enabled"` + RootCert struct { + Duration string `yaml:"duration"` + } `yaml:"rootCert"` + AdmissionCert struct { + Duration string `yaml:"duration"` + } `yaml:"admissionCert"` + } `yaml:"certManager"` + } `yaml:"admissionWebhooks"` + Metrics struct { + Port int `yaml:"port"` + PortName string `yaml:"portName"` + Enabled bool `yaml:"enabled"` + Service struct { + Annotations struct { + } `yaml:"annotations"` + ExternalIPs []interface{} `yaml:"externalIPs"` + LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` + ServicePort int `yaml:"servicePort"` + Type string `yaml:"type"` + } `yaml:"service"` + ServiceMonitor struct { + Enabled bool `yaml:"enabled"` + AdditionalLabels struct { + } `yaml:"additionalLabels"` + Namespace string `yaml:"namespace"` + NamespaceSelector struct { + } `yaml:"namespaceSelector"` + ScrapeInterval string `yaml:"scrapeInterval"` + TargetLabels []interface{} `yaml:"targetLabels"` + Relabelings []interface{} `yaml:"relabelings"` + MetricRelabelings []interface{} `yaml:"metricRelabelings"` + } `yaml:"serviceMonitor"` + PrometheusRule struct { + Enabled bool `yaml:"enabled"` + AdditionalLabels struct { + } `yaml:"additionalLabels"` + Rules []interface{} `yaml:"rules"` + } `yaml:"prometheusRule"` + } `yaml:"metrics"` + Lifecycle struct { + PreStop struct { + Exec struct { + Command []string `yaml:"command"` + } `yaml:"exec"` + } `yaml:"preStop"` + } `yaml:"lifecycle"` + PriorityClassName string `yaml:"priorityClassName"` + } `yaml:"controller"` + RevisionHistoryLimit int `yaml:"revisionHistoryLimit"` + DefaultBackend struct { + Enabled bool `yaml:"enabled"` + Name string `yaml:"name"` + Image struct { + Registry string `yaml:"registry"` + Image string `yaml:"image"` + Tag string `yaml:"tag"` + PullPolicy string `yaml:"pullPolicy"` + RunAsUser int `yaml:"runAsUser"` + RunAsNonRoot bool `yaml:"runAsNonRoot"` + ReadOnlyRootFilesystem bool `yaml:"readOnlyRootFilesystem"` + AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` + } `yaml:"image"` + ExistingPsp string `yaml:"existingPsp"` + ExtraArgs struct { + } `yaml:"extraArgs"` + ServiceAccount struct { + Create bool `yaml:"create"` + Name string `yaml:"name"` + AutomountServiceAccountToken bool `yaml:"automountServiceAccountToken"` + } `yaml:"serviceAccount"` + ExtraEnvs []interface{} `yaml:"extraEnvs"` + Port int `yaml:"port"` + LivenessProbe struct { + FailureThreshold int `yaml:"failureThreshold"` + InitialDelaySeconds int `yaml:"initialDelaySeconds"` + PeriodSeconds int `yaml:"periodSeconds"` + SuccessThreshold int `yaml:"successThreshold"` + TimeoutSeconds int `yaml:"timeoutSeconds"` + } `yaml:"livenessProbe"` + ReadinessProbe struct { + FailureThreshold int `yaml:"failureThreshold"` + InitialDelaySeconds int `yaml:"initialDelaySeconds"` + PeriodSeconds int `yaml:"periodSeconds"` + SuccessThreshold int `yaml:"successThreshold"` + TimeoutSeconds int `yaml:"timeoutSeconds"` + } `yaml:"readinessProbe"` + Tolerations []interface{} `yaml:"tolerations"` + Affinity struct { + } `yaml:"affinity"` + PodSecurityContext struct { + } `yaml:"podSecurityContext"` + ContainerSecurityContext struct { + } `yaml:"containerSecurityContext"` + PodLabels struct { + } `yaml:"podLabels"` + NodeSelector struct { + KubernetesIoOs string `yaml:"kubernetes.io/os"` + } `yaml:"nodeSelector"` + PodAnnotations struct { + } `yaml:"podAnnotations"` + ReplicaCount int `yaml:"replicaCount"` + MinAvailable int `yaml:"minAvailable"` + Resources struct { + } `yaml:"resources"` + ExtraVolumeMounts []interface{} `yaml:"extraVolumeMounts"` + ExtraVolumes []interface{} `yaml:"extraVolumes"` + Autoscaling struct { + Annotations struct { + } `yaml:"annotations"` + Enabled bool `yaml:"enabled"` + MinReplicas int `yaml:"minReplicas"` + MaxReplicas int `yaml:"maxReplicas"` + TargetCPUUtilizationPercentage int `yaml:"targetCPUUtilizationPercentage"` + TargetMemoryUtilizationPercentage int `yaml:"targetMemoryUtilizationPercentage"` + } `yaml:"autoscaling"` + Service struct { + Annotations struct { + } `yaml:"annotations"` + ExternalIPs []interface{} `yaml:"externalIPs"` + LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` + ServicePort int `yaml:"servicePort"` + Type string `yaml:"type"` + } `yaml:"service"` + PriorityClassName string `yaml:"priorityClassName"` + Labels struct { + } `yaml:"labels"` + } `yaml:"defaultBackend"` + Rbac struct { + Create bool `yaml:"create"` + Scope bool `yaml:"scope"` + } `yaml:"rbac"` + PodSecurityPolicy struct { + Enabled bool `yaml:"enabled"` + } `yaml:"podSecurityPolicy"` + ServiceAccount struct { + Create bool `yaml:"create"` + Name string `yaml:"name"` + AutomountServiceAccountToken bool `yaml:"automountServiceAccountToken"` + Annotations struct { + } `yaml:"annotations"` + } `yaml:"serviceAccount"` + ImagePullSecrets []interface{} `yaml:"imagePullSecrets"` + TCP struct { + } `yaml:"tcp"` + UDP struct { + } `yaml:"udp"` + PortNamePrefix string `yaml:"portNamePrefix"` + DhParam interface{} `yaml:"dhParam"` +} diff --git a/magefiles/mage.go b/magefiles/mage.go new file mode 100644 index 000000000..97ab4712a --- /dev/null +++ b/magefiles/mage.go @@ -0,0 +1,13 @@ +//go:build ignore +// +build ignore + +package main + +import ( + "github.com/magefile/mage/mage" + "os" +) + +func main() { + os.Exit(mage.Main()) +} diff --git a/magefiles/release.go b/magefiles/release.go new file mode 100644 index 000000000..a48a9dbd0 --- /dev/null +++ b/magefiles/release.go @@ -0,0 +1,526 @@ +//go:build mage + +package main + +import ( + "context" + "errors" + "fmt" + "github.com/google/go-github/v48/github" + "github.com/magefile/mage/mg" + "github.com/magefile/mage/sh" + "golang.org/x/oauth2" + "gopkg.in/yaml.v3" + "io" + "net" + "net/http" + "os" + "text/template" + + "regexp" + "strings" + "time" +) + +type Release mg.Namespace + +var INGRESS_ORG = "strongjz" // the owner so we can test from forks +var INGRESS_REPO = "ingress-nginx" // the repo to pull from +var RELEASE_BRANCH = "main" //we only release from main +var GITHUB_TOKEN string // the Google/gogithub lib needs an PAT to access the GitHub API +var K8S_IO_ORG = "strongjz" //the owner or organization for the k8s.io repo +var K8S_IO_REPO = "k8s.io" //the repo that holds the images yaml for production promotion +var INGRESS_REGISTRY = "registry.k8s.io" //Container registry for storage Ingress-nginx images + +// ingress-nginx releases start with a TAG then a cloudbuild, then a promotion through a PR, this the location of that PR +// var IMAGES_YAML = "https://raw.githubusercontent.com/kubernetes/k8s.io/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml" +var IMAGES_YAML = "https://raw.githubusercontent.com/strongjz/k8s.io/testing/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml" + +var ctx = context.Background() // Context used for GitHub Client + +const CHANGELOG = "Changelog.md" //Name of the changelog + +func init() { + GITHUB_TOKEN = os.Getenv("GITHUB_TOKEN") +} + +// PromoteImage Creates PR into the k8s.io repo for promotion of ingress from staging to production +func (Release) PromoteImage(version, sha string) { + +} + +// Release Create a new release of ingress nginx controller +func (Release) NewRelease(version string) { + //newRelease := Release{} + + //update ingress-nginx version + //This is the step that kicks all the release process + //it is already done, so it kicks off the gcloud build of the controller images + //mg.Deps(mg.F(Tag.BumpNginx, version)) + + tag, err := getIngressNGINXVersion() + CheckIfError(err, "RELEASE Retrieving the current Ingress Nginx Version") + + Info("RELEASE Checking Current Version %s to New Version %s", tag, version) + //if the version were upgrading does not match the TAG file, lets update the TAG file + if tag != version { + Warning("RELEASE Ingress Nginx TAG %s and new version %s do not match", tag, version) + mg.Deps(mg.F(Tag.BumpNginx, fmt.Sprintf("v%s", version))) + } + + //update git controller tag controller-v$version + mg.Deps(mg.F(Tag.NewControllerTag, version)) + + //make release notes + releaseNotes, err := makeReleaseNotes(version) + CheckIfError(err, "RELEASE Creating Release Notes for version %s", version) + Info("RELEASE Release Notes %s completed", releaseNotes.Version) + + //update chart values.yaml new controller tag and image digest + releaseNotes.PreviousHelmChartVersion = currentChartVersion() + + //controller tag + updateChartValue("controller.image.tag", fmt.Sprintf("v%s", releaseNotes.Version)) + //controller digest + if releaseNotes.ControllerImages[0].Name == "controller" { + updateChartValue("controller.image.digest", releaseNotes.ControllerImages[0].Digest) + } + //controller chroot digest + if releaseNotes.ControllerImages[1].Name == "controller-chroot" { + updateChartValue("controller.image.digestChroot", releaseNotes.ControllerImages[1].Digest) + } + + //update helm chart app version + mg.Deps(mg.F(Helm.UpdateVersion, version)) + + releaseNotes.NewHelmChartVersion = currentChartVersion() + + //update helm chart release notes + updateChartReleaseNotes(releaseNotes.HelmUpdates) + + //Run helm docs update + CheckIfError(runHelmDocs(), "Error Updating Helm Docs ") + + releaseNotes.helmTemplate() + + //update static manifest + CheckIfError(updateStaticManifest(), "Error Updating Static manifests") + + ////update e2e docs TODO + updateE2EDocs() + + //update documentation with ingress-nginx version + CheckIfError(updateIndexMD(releaseNotes.PreviousControllerVersion, releaseNotes.NewControllerVersion), "Error Updating %s", INDEX_DOCS) + + //git commit TODO + + //make Pull Request TODO + + //make release TODO + //mg.Deps(mg.F(Release.CreateRelease, version)) +} + +const INDEX_DOCS = "docs/deploy/index.md" + +func updateIndexMD(old, new string) error { + Info("Updating Deploy docs with new version") + data, err := os.ReadFile(INDEX_DOCS) + CheckIfError(err, "Could not read INDEX_DOCS file %s", INDEX_DOCS) + datString := string(data) + datString = strings.Replace(datString, old, new, -1) + err = os.WriteFile(INDEX_DOCS, []byte(datString), 644) + if err != nil { + ErrorF("Could not write new %s %s", INDEX_DOCS, err) + return err + } + return nil +} + +func updateE2EDocs() { + //hack/generate-deploy-scripts.sh + updates, err := sh.Output("./hack/generate-e2e-suite-doc.sh") + CheckIfError(err, "Could not run update hack script") + err = os.WriteFile("docs/e2e-tests.md", []byte(updates), 644) + CheckIfError(err, "Could not write new e2e test file ") +} + +func installKustomize() error { + Info("Install Kustomize") + var g0 = sh.RunCmd("go") + + // somewhere in your main code + err := g0("install", "sigs.k8s.io/kustomize/kustomize/v4@v4.5.4") + if err != nil { + return err + } + return nil +} + +func updateStaticManifest() error { + CheckIfError(installKustomize(), "error installing kustomize") + + //hack/generate-deploy-scripts.sh + err := sh.RunV("./hack/generate-deploy-scripts.sh") + if err != nil { + return err + } + return nil +} + +//// CreateRelease Creates a new GitHub Release +//func (Release) CreateRelease(name string) { +// releaser, err := gh_release.NewReleaser(INGRESS_ORG, INGRESS_REPO, GITHUB_TOKEN) +// CheckIfError(err, "GitHub Release Client error") +// newRelease, err := releaser.Create(fmt.Sprintf("controller-%s", name)) +// CheckIfError(err, "Create release error") +// Info("New Release: Tag %v, ID: %v", newRelease.TagName, newRelease.ID) +//} + +type ControllerImage struct { + Tag string + Digest string + Registry string + Name string +} + +type IngressRelease struct { + ControllerVersion string + ControllerImage ControllerImage + ReleaseNote ReleaseNote + Release *github.RepositoryRelease +} + +type ReleaseNote struct { + Version string + NewControllerVersion string + PreviousControllerVersion string + ControllerImages []ControllerImage + DepUpdates []string + Updates []string + HelmUpdates []string + NewHelmChartVersion string + PreviousHelmChartVersion string +} + +// Returns a GitHub client ready for use +func githubClient() *github.Client { + ts := oauth2.StaticTokenSource( + &oauth2.Token{AccessToken: GITHUB_TOKEN}, + ) + oauthClient := oauth2.NewClient(ctx, ts) + return github.NewClient(oauthClient) +} + +// LatestCommitLogs Retrieves the commit log between the latest two controller versions. +func (Release) LatestCommitLogs() { + commitLog := commitsBetweenTags() + for i, s := range commitLog { + Info("#%v Version %v", i, s) + } +} + +func commitsBetweenTags() []string { + tags := getAllControllerTags() + Info("Getting Commits between %v and %v", tags[0], tags[1]) + commitLog, err := git("log", "--full-history", "--pretty", "--oneline", fmt.Sprintf("%v..%v", tags[1], tags[0])) + + if commitLog == "" { + Warning("All Controller Tags is empty") + } + CheckIfError(err, "Retrieving Commit log") + return strings.Split(commitLog, "\n") +} + +// Generate Release Notes +func (Release) ReleaseNotes(newVersion string) error { + notes, err := makeReleaseNotes(newVersion) + CheckIfError(err, "Creating Release Notes for version %s", newVersion) + Info("Release Notes %s completed", notes.Version) + return nil +} + +func makeReleaseNotes(newVersion string) (*ReleaseNote, error) { + var newReleaseNotes = ReleaseNote{} + + newReleaseNotes.Version = newVersion + allControllerTags := getAllControllerTags() + + //new version + newReleaseNotes.NewControllerVersion = allControllerTags[0] + newControllerVersion := fmt.Sprintf("controller-v%s", newVersion) + + //the newControllerVersion should match the latest tag + if newControllerVersion != allControllerTags[0] { + return nil, errors.New(fmt.Sprintf("Generating release new version %s didnt match the current latest tag %s", newControllerVersion, allControllerTags[0])) + } + //previous version + newReleaseNotes.PreviousControllerVersion = allControllerTags[1] + + Info("New Version: %s Old Version: %s", newReleaseNotes.NewControllerVersion, newReleaseNotes.PreviousControllerVersion) + + commits := commitsBetweenTags() + + //dependency_updates + //all_updates + var allUpdates []string + var depUpdates []string + var helmUpdates []string + prRegex := regexp.MustCompile("\\(#\\d+\\)") + depBot := regexp.MustCompile("^(\\w){1,10} Bump ") + helmRegex := regexp.MustCompile("helm|chart") + for i, s := range commits { + //matches on PR + if prRegex.Match([]byte(s)) { + //matches a dependant bot update + if depBot.Match([]byte(s)) { // + Debug("#%v DEPENDABOT %v", i, s) + u := strings.SplitN(s, " ", 2) + depUpdates = append(depUpdates, u[1]) + } else { // add it to the all updates slice + Debug("#%v ALL UPDATES %v", i, s) + u := strings.SplitN(s, " ", 2) + allUpdates = append(allUpdates, u[1]) + + //helm chart updates + if helmRegex.Match([]byte(s)) { + u := strings.SplitN(s, " ", 2) + helmUpdates = append(helmUpdates, u[1]) + } + } + + } + } + helmUpdates = append(helmUpdates, fmt.Sprintf("Update Ingress-Nginx version %s", newReleaseNotes.NewControllerVersion)) + + newReleaseNotes.Updates = allUpdates + newReleaseNotes.DepUpdates = depUpdates + newReleaseNotes.HelmUpdates = helmUpdates + + //controller_image_digests + imagesYaml, err := downloadFile(IMAGES_YAML) + if err != nil { + ErrorF("Could not download file %s : %s", IMAGES_YAML, err) + return nil, err + } + Debug("%s", imagesYaml) + + data := ImageYamls{} + + err = yaml.Unmarshal([]byte(imagesYaml), &data) + if err != nil { + ErrorF("Could not unmarshal images yaml %s", err) + return nil, err + } + + //controller + controllerDigest := findImageDigest(data, "controller", newVersion) + if len(controllerDigest) == 0 { + ErrorF("Controller Digest could not be found") + return nil, errors.New("Controller digest could not be found") + } + + controllerChrootDigest := findImageDigest(data, "controller-chroot", newVersion) + if len(controllerChrootDigest) == 0 { + ErrorF("Controller Chroot Digest could not be found") + return nil, errors.New("Controller Chroot digest could not be found") + } + + Debug("Latest Controller Digest %v", controllerDigest) + Debug("Latest Controller Chroot Digest %v", controllerChrootDigest) + c1 := ControllerImage{ + Digest: controllerDigest, + Registry: INGRESS_REGISTRY, + Name: "controller", + Tag: newReleaseNotes.NewControllerVersion, + } + c2 := ControllerImage{ + Digest: controllerChrootDigest, + Registry: INGRESS_REGISTRY, + Name: "controller-chroot", + Tag: newReleaseNotes.NewControllerVersion, + } + newReleaseNotes.ControllerImages = append(newReleaseNotes.ControllerImages, c1) + newReleaseNotes.ControllerImages = append(newReleaseNotes.ControllerImages, c2) + Debug("New Release Controller Images %s %s", newReleaseNotes.ControllerImages[0].Digest, newReleaseNotes.ControllerImages[1].Digest) + + if DEBUG { + newReleaseNotes.printRelease() + } + + //write it all out to the changelog file + newReleaseNotes.template() + + return &newReleaseNotes, nil +} + +func (i ControllerImage) print() string { + return fmt.Sprintf("%s/%s:%s@%s", i.Registry, i.Name, i.Tag, i.Digest) +} + +func (r ReleaseNote) template() { + // Files are provided as a slice of strings. + changelogTemplate, err := os.ReadFile("Changelog.md.gotmpl") + if err != nil { + ErrorF("Could not read changelog template file %s", err) + } + Debug("ChangeLog Templates %s", string(changelogTemplate)) + t := template.Must(template.New("changelog").Parse(string(changelogTemplate))) + // create a new file + file, err := os.Create(fmt.Sprintf("changelog/Changelog-%s.md", r.Version)) + if err != nil { + ErrorF("Could not create changelog file %s", err) + } + defer file.Close() + + err = t.Execute(file, r) + if err != nil { + ErrorF("executing template:", err) + } +} + +func (r ReleaseNote) helmTemplate() { + // Files are provided as a slice of strings. + changelogTemplate, err := os.ReadFile("charts/ingress-nginx/changelog.md.gotmpl") + if err != nil { + ErrorF("Could not read changelog template file %s", err) + } + Debug("ChangeLog Templates %s", string(changelogTemplate)) + t := template.Must(template.New("changelog").Parse(string(changelogTemplate))) + // create a new file + file, err := os.Create(fmt.Sprintf("charts/ingress-nginx/changelog/Changelog-%s.md", r.Version)) + if err != nil { + ErrorF("Could not create changelog file %s", err) + } + defer file.Close() + + err = t.Execute(file, r) + if err != nil { + ErrorF("executing template:", err) + } +} + +func (r ReleaseNote) printRelease() { + Info("Release Version: %v", r.NewControllerVersion) + Info("Previous Version: %v", r.PreviousControllerVersion) + Info("Controller Image: %v", r.ControllerImages[0].print()) + Info("Controller Chroot Image: %v", r.ControllerImages[1].print()) + for i := range r.Updates { + Info("Update #%v - %v", i, r.Updates[i]) + } + for j := range r.DepUpdates { + Info("Dependabot Update #%v - %v", j, r.DepUpdates[j]) + } +} + +type ImageYamls []ImageElement + +type ImageElement struct { + Name string `json:"name"` + Dmap map[string][]string `json:"dmap"` +} + +func findImageDigest(yaml ImageYamls, image, version string) string { + version = fmt.Sprintf("v%s", version) + Info("Searching Digest for %s:%s", image, version) + for i := range yaml { + if yaml[i].Name == image { + for k, v := range yaml[i].Dmap { + if v[0] == version { + return k + } + } + return "" + } + } + return "" +} + +func downloadFile(url string) (string, error) { + client := &http.Client{ + Transport: &http.Transport{ + DialContext: (&net.Dialer{ + Timeout: 5 * time.Second, + KeepAlive: 5 * time.Second, + }).DialContext, + TLSHandshakeTimeout: 5 * time.Second, + ResponseHeaderTimeout: 5 * time.Second, + ExpectContinueTimeout: 1 * time.Second, + MaxIdleConnsPerHost: -1, + }, + } + resp, err := client.Get(url) + if err != nil { + return "", nil + } + defer resp.Body.Close() + + if resp.StatusCode != http.StatusOK { + return "", errors.New(fmt.Sprintf("Could not retrieve file, response from server %s for file %s", resp.StatusCode, url)) + } + bodyBytes, err := io.ReadAll(resp.Body) + if err != nil { + return "", nil + } + return string(bodyBytes), nil +} + +// Latest returns latest Github Release +func (Release) Latest() error { + r, _, err := latestRelease() + if err != nil { + ErrorF("Latest Release error %s", err) + return err + } + Info("Latest Release %v", r.String()) + return nil +} + +func (Release) ReleaseByTag(tag string) error { + r, _, err := releaseByTag(tag) + if err != nil { + ErrorF("Release retrieve tag error %s", tag, err) + return err + } + + Info("Latest Release %v", r.String()) + + return nil +} + +func releaseByTag(tag string) (*github.RepositoryRelease, *github.Response, error) { + ghClient := githubClient() + return ghClient.Repositories.GetReleaseByTag(ctx, INGRESS_ORG, INGRESS_REPO, tag) +} + +func latestRelease() (*github.RepositoryRelease, *github.Response, error) { + ghClient := githubClient() + return ghClient.Repositories.GetLatestRelease(ctx, INGRESS_ORG, INGRESS_REPO) +} + +// Copy Test function to copy a release +func (Release) Copy() error { + ghClient := githubClient() + kRelease, _, err := ghClient.Repositories.GetLatestRelease(ctx, "kubernetes", "ingress-nginx") + if err != nil { + ErrorF("Get Release from kubernetes %s", err) + return err + } + + sRelease := &github.RepositoryRelease{ + TagName: kRelease.TagName, + Name: kRelease.Name, + Body: kRelease.Body, + Draft: kRelease.Draft, + Prerelease: kRelease.GenerateReleaseNotes, + DiscussionCategoryName: kRelease.DiscussionCategoryName, + GenerateReleaseNotes: kRelease.GenerateReleaseNotes, + } + + sRelease, _, err = ghClient.Repositories.CreateRelease(ctx, "strongjz", "ingress-nginx", sRelease) + if err != nil { + ErrorF("Creating Strongjz release %s", err) + return err + } + Info("Copied over Kubernetes Release %v to Strongjz %v", &kRelease.Name, &sRelease.Name) + return nil +} diff --git a/magefiles/tags.go b/magefiles/tags.go new file mode 100644 index 000000000..858677ba5 --- /dev/null +++ b/magefiles/tags.go @@ -0,0 +1,130 @@ +//go:build mage + +package main + +import ( + "fmt" + semver "github.com/blang/semver/v4" + "github.com/magefile/mage/mg" + "github.com/magefile/mage/sh" + "os" + "strings" +) + +type Tag mg.Namespace + +var git = sh.OutCmd("git") + +// Nginx returns the ingress-nginx current version +func (Tag) Nginx() { + tag, err := getIngressNGINXVersion() + CheckIfError(err, "") + fmt.Printf("%v", tag) +} + +func getIngressNGINXVersion() (string, error) { + dat, err := os.ReadFile("TAG") + CheckIfError(err, "Could not read TAG file") + datString := string(dat) + //remove newline + datString = strings.Replace(datString, "\n", "", -1) + return datString, nil +} + +func checkSemVer(currentVersion, newVersion string) bool { + Info("Checking Sem Ver between current %s and new %s", currentVersion, newVersion) + cVersion, err := semver.Make(currentVersion[1:]) + if err != nil { + ErrorF("TAG Error Current Tag %v Making Semver : %v", currentVersion[1:], err) + return false + } + nVersion, err := semver.Make(newVersion) + if err != nil { + ErrorF("TAG %v Error Making Semver %v \n", newVersion, err) + return false + } + + err = nVersion.Validate() + if err != nil { + ErrorF("TAG %v not a valid Semver %v \n", newVersion, err) + return false + } + + //The result will be + //0 if newVersion == currentVersion + //-1 if newVersion < currentVersion + //+1 if newVersion > currentVersion. + Info("TAG Comparing Old %s to New %s", cVersion.String(), nVersion.String()) + comp := nVersion.Compare(cVersion) + if comp <= 0 { + Warning("SemVer:%v is not an update\n", newVersion) + return false + } + return true +} + +// BumpNginx will update the nginx TAG +func (Tag) BumpNginx(newTag string) { + Info("TAG BumpNginx version %v", newTag) + currentTag, err := getIngressNGINXVersion() + CheckIfError(err, "Getting Ingress-nginx Version") + bump(currentTag, newTag) +} + +func bump(currentTag, newTag string) { + //check if semver is valid + if !checkSemVer(currentTag, newTag) { + ErrorF("ERROR: Semver is not valid %v", newTag) + os.Exit(1) + } + + Info("Updating Tag %v to %v", currentTag, newTag) + err := os.WriteFile("TAG", []byte(newTag), 0666) + CheckIfError(err, "Error Writing New Tag File") +} + +// Git Returns the latest git tag +func (Tag) Git() { + tag, err := getGitTag() + CheckIfError(err, "Retrieving Git Tag") + Info("Git tag: %v", tag) +} + +func getGitTag() (string, error) { + return git("describe", "--tags", "--match", "controller-v*", "--abbrev=0") +} + +// ControllerTag Creates a new Git Tag for the ingress controller +func (Tag) NewControllerTag(version string) { + Info("Create Ingress Nginx Controller Tag v%s", version) + tag, err := controllerTag(version) + CheckIfError(err, "Creating git tag") + Debug("Git Tag: %s", tag) +} + +func controllerTag(version string) (string, error) { + return git("tag", "-a", "-m", fmt.Sprintf("-m \"Automated Controller release %v\"", version), fmt.Sprintf("controller-v%s", version)) +} + +func (Tag) AllControllerTags() { + tags := getAllControllerTags() + for i, s := range tags { + Info("#%v Version %v", i, s) + } +} + +func getAllControllerTags() []string { + allControllerTags, err := git("tag", "-l", "--sort=-v:refname", "controller-v*") + CheckIfError(err, "Retrieving git tags") + if !sh.CmdRan(err) { + Warning("Issue Running Command") + } + if allControllerTags == "" { + Warning("All Controller Tags is empty") + } + Debug("Controller Tags: %v", allControllerTags) + + temp := strings.Split(allControllerTags, "\n") + Debug("There are %v controller tags", len(temp)) + return temp +} diff --git a/magefiles/yaml.go b/magefiles/yaml.go new file mode 100644 index 000000000..7353508f3 --- /dev/null +++ b/magefiles/yaml.go @@ -0,0 +1,3 @@ +//go:build mage + +package main From f77eccb141c8b281e917b5989198185db2a94331 Mon Sep 17 00:00:00 2001 From: James Strong Date: Tue, 17 Jan 2023 14:13:50 -0500 Subject: [PATCH 131/405] change format Signed-off-by: James Strong --- magefiles/common.go | 14 ++++++++++++++ magefiles/docker.go | 14 ++++++++++++++ magefiles/go.go | 14 ++++++++++++++ magefiles/helm.go | 14 ++++++++++++++ magefiles/mage.go | 14 ++++++++++++++ magefiles/release.go | 14 ++++++++++++++ magefiles/tags.go | 14 ++++++++++++++ magefiles/yaml.go | 14 ++++++++++++++ 8 files changed, 112 insertions(+) diff --git a/magefiles/common.go b/magefiles/common.go index ae2fed0c4..772e5527c 100644 --- a/magefiles/common.go +++ b/magefiles/common.go @@ -1,3 +1,17 @@ +//Copyright 2023 The Kubernetes Authors. +// +//Licensed under the Apache License, Version 2.0 (the "License"); +//you may not use this file except in compliance with the License. +//You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +//Unless required by applicable law or agreed to in writing, software +//distributed under the License is distributed on an "AS IS" BASIS, +//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +//See the License for the specific language governing permissions and +//limitations under the License. + //go:build mage package main diff --git a/magefiles/docker.go b/magefiles/docker.go index 7353508f3..443722de1 100644 --- a/magefiles/docker.go +++ b/magefiles/docker.go @@ -1,3 +1,17 @@ +//Copyright 2023 The Kubernetes Authors. +// +//Licensed under the Apache License, Version 2.0 (the "License"); +//you may not use this file except in compliance with the License. +//You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +//Unless required by applicable law or agreed to in writing, software +//distributed under the License is distributed on an "AS IS" BASIS, +//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +//See the License for the specific language governing permissions and +//limitations under the License. + //go:build mage package main diff --git a/magefiles/go.go b/magefiles/go.go index 352b8fb1e..9ef4d9fdc 100644 --- a/magefiles/go.go +++ b/magefiles/go.go @@ -1,3 +1,17 @@ +//Copyright 2023 The Kubernetes Authors. +// +//Licensed under the Apache License, Version 2.0 (the "License"); +//you may not use this file except in compliance with the License. +//You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +//Unless required by applicable law or agreed to in writing, software +//distributed under the License is distributed on an "AS IS" BASIS, +//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +//See the License for the specific language governing permissions and +//limitations under the License. + //go:build mage package main diff --git a/magefiles/helm.go b/magefiles/helm.go index 87966dea0..2ac2fc573 100644 --- a/magefiles/helm.go +++ b/magefiles/helm.go @@ -1,3 +1,17 @@ +//Copyright 2023 The Kubernetes Authors. +// +//Licensed under the Apache License, Version 2.0 (the "License"); +//you may not use this file except in compliance with the License. +//You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +//Unless required by applicable law or agreed to in writing, software +//distributed under the License is distributed on an "AS IS" BASIS, +//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +//See the License for the specific language governing permissions and +//limitations under the License. + //go:build mage package main diff --git a/magefiles/mage.go b/magefiles/mage.go index 97ab4712a..c6d4a2587 100644 --- a/magefiles/mage.go +++ b/magefiles/mage.go @@ -1,3 +1,17 @@ +//Copyright 2023 The Kubernetes Authors. +// +//Licensed under the Apache License, Version 2.0 (the "License"); +//you may not use this file except in compliance with the License. +//You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +//Unless required by applicable law or agreed to in writing, software +//distributed under the License is distributed on an "AS IS" BASIS, +//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +//See the License for the specific language governing permissions and +//limitations under the License. + //go:build ignore // +build ignore diff --git a/magefiles/release.go b/magefiles/release.go index a48a9dbd0..714c24334 100644 --- a/magefiles/release.go +++ b/magefiles/release.go @@ -1,3 +1,17 @@ +//Copyright 2023 The Kubernetes Authors. +// +//Licensed under the Apache License, Version 2.0 (the "License"); +//you may not use this file except in compliance with the License. +//You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +//Unless required by applicable law or agreed to in writing, software +//distributed under the License is distributed on an "AS IS" BASIS, +//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +//See the License for the specific language governing permissions and +//limitations under the License. + //go:build mage package main diff --git a/magefiles/tags.go b/magefiles/tags.go index 858677ba5..b8dc86f88 100644 --- a/magefiles/tags.go +++ b/magefiles/tags.go @@ -1,3 +1,17 @@ +//Copyright 2023 The Kubernetes Authors. +// +//Licensed under the Apache License, Version 2.0 (the "License"); +//you may not use this file except in compliance with the License. +//You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +//Unless required by applicable law or agreed to in writing, software +//distributed under the License is distributed on an "AS IS" BASIS, +//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +//See the License for the specific language governing permissions and +//limitations under the License. + //go:build mage package main diff --git a/magefiles/yaml.go b/magefiles/yaml.go index 7353508f3..443722de1 100644 --- a/magefiles/yaml.go +++ b/magefiles/yaml.go @@ -1,3 +1,17 @@ +//Copyright 2023 The Kubernetes Authors. +// +//Licensed under the Apache License, Version 2.0 (the "License"); +//you may not use this file except in compliance with the License. +//You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +//Unless required by applicable law or agreed to in writing, software +//distributed under the License is distributed on an "AS IS" BASIS, +//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +//See the License for the specific language governing permissions and +//limitations under the License. + //go:build mage package main From a4fd7c80960270c5567e62427d01e6bafdcda640 Mon Sep 17 00:00:00 2001 From: James Strong Date: Tue, 17 Jan 2023 14:22:38 -0500 Subject: [PATCH 132/405] fixed boiler plate lint Signed-off-by: James Strong --- magefiles/common.go | 30 ++++++++++++++++-------------- magefiles/docker.go | 30 ++++++++++++++++-------------- magefiles/go.go | 30 ++++++++++++++++-------------- magefiles/helm.go | 30 ++++++++++++++++-------------- magefiles/mage.go | 30 ++++++++++++++++-------------- magefiles/release.go | 30 ++++++++++++++++-------------- magefiles/tags.go | 30 ++++++++++++++++-------------- magefiles/yaml.go | 30 ++++++++++++++++-------------- 8 files changed, 128 insertions(+), 112 deletions(-) diff --git a/magefiles/common.go b/magefiles/common.go index 772e5527c..c5c33f989 100644 --- a/magefiles/common.go +++ b/magefiles/common.go @@ -1,19 +1,21 @@ -//Copyright 2023 The Kubernetes Authors. -// -//Licensed under the Apache License, Version 2.0 (the "License"); -//you may not use this file except in compliance with the License. -//You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -//Unless required by applicable law or agreed to in writing, software -//distributed under the License is distributed on an "AS IS" BASIS, -//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -//See the License for the specific language governing permissions and -//limitations under the License. - //go:build mage +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + package main import ( diff --git a/magefiles/docker.go b/magefiles/docker.go index 443722de1..d7c7f588e 100644 --- a/magefiles/docker.go +++ b/magefiles/docker.go @@ -1,17 +1,19 @@ -//Copyright 2023 The Kubernetes Authors. -// -//Licensed under the Apache License, Version 2.0 (the "License"); -//you may not use this file except in compliance with the License. -//You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -//Unless required by applicable law or agreed to in writing, software -//distributed under the License is distributed on an "AS IS" BASIS, -//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -//See the License for the specific language governing permissions and -//limitations under the License. - //go:build mage +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + package main diff --git a/magefiles/go.go b/magefiles/go.go index 9ef4d9fdc..2385b089e 100644 --- a/magefiles/go.go +++ b/magefiles/go.go @@ -1,19 +1,21 @@ -//Copyright 2023 The Kubernetes Authors. -// -//Licensed under the Apache License, Version 2.0 (the "License"); -//you may not use this file except in compliance with the License. -//You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -//Unless required by applicable law or agreed to in writing, software -//distributed under the License is distributed on an "AS IS" BASIS, -//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -//See the License for the specific language governing permissions and -//limitations under the License. - //go:build mage +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + package main //import ( diff --git a/magefiles/helm.go b/magefiles/helm.go index 2ac2fc573..f9bf09cb5 100644 --- a/magefiles/helm.go +++ b/magefiles/helm.go @@ -1,19 +1,21 @@ -//Copyright 2023 The Kubernetes Authors. -// -//Licensed under the Apache License, Version 2.0 (the "License"); -//you may not use this file except in compliance with the License. -//You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -//Unless required by applicable law or agreed to in writing, software -//distributed under the License is distributed on an "AS IS" BASIS, -//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -//See the License for the specific language governing permissions and -//limitations under the License. - //go:build mage +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + package main import ( diff --git a/magefiles/mage.go b/magefiles/mage.go index c6d4a2587..605d687a9 100644 --- a/magefiles/mage.go +++ b/magefiles/mage.go @@ -1,20 +1,22 @@ -//Copyright 2023 The Kubernetes Authors. -// -//Licensed under the Apache License, Version 2.0 (the "License"); -//you may not use this file except in compliance with the License. -//You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -//Unless required by applicable law or agreed to in writing, software -//distributed under the License is distributed on an "AS IS" BASIS, -//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -//See the License for the specific language governing permissions and -//limitations under the License. - //go:build ignore // +build ignore +/* +Copyright 2021 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + package main import ( diff --git a/magefiles/release.go b/magefiles/release.go index 714c24334..cbc4d51de 100644 --- a/magefiles/release.go +++ b/magefiles/release.go @@ -1,19 +1,21 @@ -//Copyright 2023 The Kubernetes Authors. -// -//Licensed under the Apache License, Version 2.0 (the "License"); -//you may not use this file except in compliance with the License. -//You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -//Unless required by applicable law or agreed to in writing, software -//distributed under the License is distributed on an "AS IS" BASIS, -//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -//See the License for the specific language governing permissions and -//limitations under the License. - //go:build mage +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + package main import ( diff --git a/magefiles/tags.go b/magefiles/tags.go index b8dc86f88..02bbbcb37 100644 --- a/magefiles/tags.go +++ b/magefiles/tags.go @@ -1,19 +1,21 @@ -//Copyright 2023 The Kubernetes Authors. -// -//Licensed under the Apache License, Version 2.0 (the "License"); -//you may not use this file except in compliance with the License. -//You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -//Unless required by applicable law or agreed to in writing, software -//distributed under the License is distributed on an "AS IS" BASIS, -//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -//See the License for the specific language governing permissions and -//limitations under the License. - //go:build mage +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + package main import ( diff --git a/magefiles/yaml.go b/magefiles/yaml.go index 443722de1..d7c7f588e 100644 --- a/magefiles/yaml.go +++ b/magefiles/yaml.go @@ -1,17 +1,19 @@ -//Copyright 2023 The Kubernetes Authors. -// -//Licensed under the Apache License, Version 2.0 (the "License"); -//you may not use this file except in compliance with the License. -//You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -//Unless required by applicable law or agreed to in writing, software -//distributed under the License is distributed on an "AS IS" BASIS, -//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -//See the License for the specific language governing permissions and -//limitations under the License. - //go:build mage +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + package main From 9d4b81ca2ad27f26bbbc1d5d586f970b5d04443e Mon Sep 17 00:00:00 2001 From: James Strong Date: Wed, 18 Jan 2023 15:54:44 -0500 Subject: [PATCH 133/405] update docs, and production urls Signed-off-by: James Strong --- magefiles/helm.go | 2 +- magefiles/release.go | 112 ++++++++++++++++++++++--------------------- 2 files changed, 59 insertions(+), 55 deletions(-) diff --git a/magefiles/helm.go b/magefiles/helm.go index f9bf09cb5..a57c46813 100644 --- a/magefiles/helm.go +++ b/magefiles/helm.go @@ -104,7 +104,7 @@ func updateChartReleaseNotes(releasesNotes []string) { for i := range releasesNotes { releaseNoteString = fmt.Sprintf("%s - %s\n", releaseNoteString, releasesNotes[i]) } - Info("HLEM Release note string %s", releaseNoteString) + Info("HELM Release note string %s", releaseNoteString) chart.Annotations["artifacthub.io/changes"] = releaseNoteString err = chartutil.SaveChartfile(HelmChartPath, chart) CheckIfError(err, "HELM Saving updated release notes for Chart") diff --git a/magefiles/release.go b/magefiles/release.go index cbc4d51de..3340a99ff 100644 --- a/magefiles/release.go +++ b/magefiles/release.go @@ -40,22 +40,61 @@ import ( type Release mg.Namespace -var INGRESS_ORG = "strongjz" // the owner so we can test from forks -var INGRESS_REPO = "ingress-nginx" // the repo to pull from -var RELEASE_BRANCH = "main" //we only release from main -var GITHUB_TOKEN string // the Google/gogithub lib needs an PAT to access the GitHub API -var K8S_IO_ORG = "strongjz" //the owner or organization for the k8s.io repo -var K8S_IO_REPO = "k8s.io" //the repo that holds the images yaml for production promotion -var INGRESS_REGISTRY = "registry.k8s.io" //Container registry for storage Ingress-nginx images +var INGRESS_ORG = "kubernetes" // the owner so we can test from forks +var INGRESS_REPO = "ingress-nginx" // the repo to pull from +var RELEASE_BRANCH = "main" //we only release from main +var GITHUB_TOKEN string // the Google/gogithub lib needs an PAT to access the GitHub API +var K8S_IO_ORG = "kubernetes" //the owner or organization for the k8s.io repo +var K8S_IO_REPO = "k8s.io" //the repo that holds the images yaml for production promotion +var INGRESS_REGISTRY = "registry.k8s.io" //Container registry for storage Ingress-nginx images +var KUSTOMIZE_INSTALL_VERSION = "sigs.k8s.io/kustomize/kustomize/v4@v4.5.4" //static deploys needs kustomize to generate the template // ingress-nginx releases start with a TAG then a cloudbuild, then a promotion through a PR, this the location of that PR -// var IMAGES_YAML = "https://raw.githubusercontent.com/kubernetes/k8s.io/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml" -var IMAGES_YAML = "https://raw.githubusercontent.com/strongjz/k8s.io/testing/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml" - +var IMAGES_YAML = "https://raw.githubusercontent.com/kubernetes/k8s.io/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml" var ctx = context.Background() // Context used for GitHub Client -const CHANGELOG = "Changelog.md" //Name of the changelog +const INDEX_DOCS = "docs/deploy/index.md" //index.md has a version of the controller and needs to updated +const CHANGELOG = "Changelog.md" //Name of the changelog +//ControllerImage - struct with info about controllers +type ControllerImage struct { + Tag string + Digest string + Registry string + Name string +} + +//IngressRelease All the information about an ingress-nginx release that gets updated +type IngressRelease struct { + ControllerVersion string + ControllerImage ControllerImage + ReleaseNote ReleaseNote + Release *github.RepositoryRelease +} + +//ReleaseNote - All the pieces of information/documents that get updated during a release +type ReleaseNote struct { + Version string + NewControllerVersion string + PreviousControllerVersion string + ControllerImages []ControllerImage + DepUpdates []string + Updates []string + HelmUpdates []string + NewHelmChartVersion string + PreviousHelmChartVersion string +} + +//IMAGES_YAML returns this data structure +type ImageYamls []ImageElement + +//ImageElement - a specific image and it's data structure the dmap is a list of shas and container versions +type ImageElement struct { + Name string `json:"name"` + Dmap map[string][]string `json:"dmap"` +} + +//init will set the GitHub token from the committers/releasers env var func init() { GITHUB_TOKEN = os.Getenv("GITHUB_TOKEN") } @@ -79,7 +118,7 @@ func (Release) NewRelease(version string) { Info("RELEASE Checking Current Version %s to New Version %s", tag, version) //if the version were upgrading does not match the TAG file, lets update the TAG file - if tag != version { + if tag[1:] != version { Warning("RELEASE Ingress Nginx TAG %s and new version %s do not match", tag, version) mg.Deps(mg.F(Tag.BumpNginx, fmt.Sprintf("v%s", version))) } @@ -122,22 +161,20 @@ func (Release) NewRelease(version string) { //update static manifest CheckIfError(updateStaticManifest(), "Error Updating Static manifests") - ////update e2e docs TODO + ////update e2e docs updateE2EDocs() //update documentation with ingress-nginx version CheckIfError(updateIndexMD(releaseNotes.PreviousControllerVersion, releaseNotes.NewControllerVersion), "Error Updating %s", INDEX_DOCS) + //keeping these manual for now //git commit TODO - //make Pull Request TODO - //make release TODO //mg.Deps(mg.F(Release.CreateRelease, version)) } -const INDEX_DOCS = "docs/deploy/index.md" - +// the index.md doc needs the controller version updated func updateIndexMD(old, new string) error { Info("Updating Deploy docs with new version") data, err := os.ReadFile(INDEX_DOCS) @@ -152,29 +189,29 @@ func updateIndexMD(old, new string) error { return nil } +//runs the hack/generate-deploy-scripts.sh func updateE2EDocs() { - //hack/generate-deploy-scripts.sh updates, err := sh.Output("./hack/generate-e2e-suite-doc.sh") CheckIfError(err, "Could not run update hack script") err = os.WriteFile("docs/e2e-tests.md", []byte(updates), 644) CheckIfError(err, "Could not write new e2e test file ") } +//The static deploy scripts use kustomize to generate them, this function ensures kustomize is installed func installKustomize() error { Info("Install Kustomize") var g0 = sh.RunCmd("go") - // somewhere in your main code - err := g0("install", "sigs.k8s.io/kustomize/kustomize/v4@v4.5.4") + err := g0("install", KUSTOMIZE_INSTALL_VERSION) if err != nil { return err } return nil } +// func updateStaticManifest() error { CheckIfError(installKustomize(), "error installing kustomize") - //hack/generate-deploy-scripts.sh err := sh.RunV("./hack/generate-deploy-scripts.sh") if err != nil { @@ -192,32 +229,6 @@ func updateStaticManifest() error { // Info("New Release: Tag %v, ID: %v", newRelease.TagName, newRelease.ID) //} -type ControllerImage struct { - Tag string - Digest string - Registry string - Name string -} - -type IngressRelease struct { - ControllerVersion string - ControllerImage ControllerImage - ReleaseNote ReleaseNote - Release *github.RepositoryRelease -} - -type ReleaseNote struct { - Version string - NewControllerVersion string - PreviousControllerVersion string - ControllerImages []ControllerImage - DepUpdates []string - Updates []string - HelmUpdates []string - NewHelmChartVersion string - PreviousHelmChartVersion string -} - // Returns a GitHub client ready for use func githubClient() *github.Client { ts := oauth2.StaticTokenSource( @@ -428,13 +439,6 @@ func (r ReleaseNote) printRelease() { } } -type ImageYamls []ImageElement - -type ImageElement struct { - Name string `json:"name"` - Dmap map[string][]string `json:"dmap"` -} - func findImageDigest(yaml ImageYamls, image, version string) string { version = fmt.Sprintf("v%s", version) Info("Searching Digest for %s:%s", image, version) From 3c93c73975d89e2e90f4c822ab9af470b98a2e6f Mon Sep 17 00:00:00 2001 From: James Strong Date: Thu, 19 Jan 2023 11:50:27 -0500 Subject: [PATCH 134/405] go fmt Signed-off-by: James Strong --- magefiles/release.go | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/magefiles/release.go b/magefiles/release.go index 3340a99ff..3c715bc07 100644 --- a/magefiles/release.go +++ b/magefiles/release.go @@ -56,7 +56,7 @@ var ctx = context.Background() // Context used for GitHub Client const INDEX_DOCS = "docs/deploy/index.md" //index.md has a version of the controller and needs to updated const CHANGELOG = "Changelog.md" //Name of the changelog -//ControllerImage - struct with info about controllers +// ControllerImage - struct with info about controllers type ControllerImage struct { Tag string Digest string @@ -64,7 +64,7 @@ type ControllerImage struct { Name string } -//IngressRelease All the information about an ingress-nginx release that gets updated +// IngressRelease All the information about an ingress-nginx release that gets updated type IngressRelease struct { ControllerVersion string ControllerImage ControllerImage @@ -72,7 +72,7 @@ type IngressRelease struct { Release *github.RepositoryRelease } -//ReleaseNote - All the pieces of information/documents that get updated during a release +// ReleaseNote - All the pieces of information/documents that get updated during a release type ReleaseNote struct { Version string NewControllerVersion string @@ -85,16 +85,16 @@ type ReleaseNote struct { PreviousHelmChartVersion string } -//IMAGES_YAML returns this data structure +// IMAGES_YAML returns this data structure type ImageYamls []ImageElement -//ImageElement - a specific image and it's data structure the dmap is a list of shas and container versions +// ImageElement - a specific image and it's data structure the dmap is a list of shas and container versions type ImageElement struct { Name string `json:"name"` Dmap map[string][]string `json:"dmap"` } -//init will set the GitHub token from the committers/releasers env var +// init will set the GitHub token from the committers/releasers env var func init() { GITHUB_TOKEN = os.Getenv("GITHUB_TOKEN") } @@ -189,7 +189,7 @@ func updateIndexMD(old, new string) error { return nil } -//runs the hack/generate-deploy-scripts.sh +// runs the hack/generate-deploy-scripts.sh func updateE2EDocs() { updates, err := sh.Output("./hack/generate-e2e-suite-doc.sh") CheckIfError(err, "Could not run update hack script") @@ -197,7 +197,7 @@ func updateE2EDocs() { CheckIfError(err, "Could not write new e2e test file ") } -//The static deploy scripts use kustomize to generate them, this function ensures kustomize is installed +// The static deploy scripts use kustomize to generate them, this function ensures kustomize is installed func installKustomize() error { Info("Install Kustomize") var g0 = sh.RunCmd("go") @@ -209,7 +209,6 @@ func installKustomize() error { return nil } -// func updateStaticManifest() error { CheckIfError(installKustomize(), "error installing kustomize") //hack/generate-deploy-scripts.sh From ea629a175ec5f99e0a691e6c79a95e1546bc3a26 Mon Sep 17 00:00:00 2001 From: Aarni Koskela Date: Wed, 25 Jan 2023 11:44:11 +0200 Subject: [PATCH 135/405] Move and spell-check Kubernetes 1.22 migration FAQ (#9544) * Move Kubernetes 1.22 migration guide to a separate file * Reformat and spell-check Kubernetes 1.22 migration doc --- docs/index.md | 232 +------------------------ docs/user-guide/k8s-122-migration.md | 245 +++++++++++++++++++++++++++ 2 files changed, 248 insertions(+), 229 deletions(-) create mode 100644 docs/user-guide/k8s-122-migration.md diff --git a/docs/index.md b/docs/index.md index fded1b2bc..bcf4a4018 100644 --- a/docs/index.md +++ b/docs/index.md @@ -11,233 +11,7 @@ You can learn more about using [Ingress](http://kubernetes.io/docs/user-guide/in See [Deployment](./deploy/) for a whirlwind tour that will get you started. -# FAQ - Migration to apiVersion `networking.k8s.io/v1` +# FAQ - Kubernetes 1.22 Migration -If you are using Ingress objects in your cluster (running Kubernetes older than v1.22), and you plan to upgrade to Kubernetes v1.22, this section is relevant to you. - -- Please read this [official blog on deprecated Ingress API versions](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) - -- Please read this [official documentation on the IngressClass object](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) - -## What is an IngressClass and why is it important for users of Ingress-NGINX controller now ? - -IngressClass is a Kubernetes resource. See the description below. It's important because until now, a default install of the Ingress-NGINX controller did not require any IngressClass object. From version 1.0.0 of the Ingress-NGINX Controller, an IngressClass object is required. - -On clusters with more than one instance of the Ingress-NGINX controller, all instances of the controllers must be aware of which Ingress objects they serve. The `ingressClassName` field of an Ingress is the way to let the controller know about that. - -```console -kubectl explain ingressclass -``` -``` -KIND: IngressClass -VERSION: networking.k8s.io/v1 - -DESCRIPTION: - IngressClass represents the class of the Ingress, referenced by the Ingress - Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be - used to indicate that an IngressClass should be considered default. When a - single IngressClass resource has this annotation set to true, new Ingress - resources without a class specified will be assigned this default class. - -FIELDS: - apiVersion - APIVersion defines the versioned schema of this representation of an - object. Servers should convert recognized schemas to the latest internal - value, and may reject unrecognized values. More info: - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - - kind - Kind is a string value representing the REST resource this object - represents. Servers may infer this from the endpoint the client submits - requests to. Cannot be updated. In CamelCase. More info: - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - - metadata - Standard object's metadata. More info: - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - - spec - Spec is the desired state of the IngressClass. More info: - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status` - -``` - -## What has caused this change in behavior? - -There are 2 reasons primarily. - -### Reason #1 - -Until K8s version 1.21, it was possible to create an Ingress resource using deprecated versions of the Ingress API, such as: - - - `extensions/v1beta1` - - `networking.k8s.io/v1beta1` - -You would get a message about deprecation, but the Ingress resource would get created. - -From K8s version 1.22 onwards, you can **only** access the Ingress API via the stable, `networking.k8s.io/v1` API. The reason is explained in the [official blog on deprecated ingress API versions](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/). - -### Reason #2 - -If you are already using the Ingress-NGINX controller and then upgrade to K8s version v1.22 , there are several scenarios where your existing Ingress objects will not work how you expect. Read this FAQ to check which scenario matches your use case. - -## What is ingressClassName field ? - -`ingressClassName` is a field in the specs of an Ingress object. - -```shell -kubectl explain ingress.spec.ingressClassName -``` -```console -KIND: Ingress -VERSION: networking.k8s.io/v1 - -FIELD: ingressClassName - -DESCRIPTION: - IngressClassName is the name of the IngressClass cluster resource. The - associated IngressClass defines which controller will implement the - resource. This replaces the deprecated `kubernetes.io/ingress.class` - annotation. For backwards compatibility, when that annotation is set, it - must be given precedence over this field. The controller may emit a warning - if the field and annotation have different values. Implementations of this - API should ignore Ingresses without a class specified. An IngressClass - resource may be marked as default, which can be used to set a default value - for this field. For more information, refer to the IngressClass - documentation. -``` - -The `.spec.ingressClassName` behavior has precedence over the deprecated `kubernetes.io/ingress.class` annotation. - - -## I have only one ingress controller in my cluster. What should I do? - -If a single instance of the Ingress-NGINX controller is the sole Ingress controller running in your cluster, you should add the annotation "ingressclass.kubernetes.io/is-default-class" in your IngressClass, so any new Ingress objects will have this one as default IngressClass. - -When using Helm, you can enable this annotation by setting `.controller.ingressClassResource.default: true` in your Helm chart installation's values file. - -If you have any old Ingress objects remaining without an IngressClass set, you can do one or more of the following to make the Ingress-NGINX controller aware of the old objects: - -- You can manually set the [`.spec.ingressClassName`](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) field in the manifest of your own Ingress resources. -- You can re-create them after setting the `ingressclass.kubernetes.io/is-default-class` annotation to `true` on the IngressClass -- Alternatively you can make the Ingress-NGINX controller watch Ingress objects without the ingressClassName field set by starting your Ingress-NGINX with the flag [--watch-ingress-without-class=true](#what-is-the-flag-watch-ingress-without-class) . When using Helm, you can configure your Helm chart installation's values file with `.controller.watchIngressWithoutClass: true` - -You can configure your Helm chart installation's values file with `.controller.watchIngressWithoutClass: true`. - -We recommend that you create the IngressClass as shown below: -``` ---- -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - labels: - app.kubernetes.io/component: controller - name: nginx - annotations: - ingressclass.kubernetes.io/is-default-class: "true" -spec: - controller: k8s.io/ingress-nginx -``` - -And add the value `spec.ingressClassName=nginx` in your Ingress objects. - - -## I have multiple ingress objects in my cluster. What should I do ? -- If you have lot of ingress objects without ingressClass configuration, you can run the ingress-controller with the flag `--watch-ingress-without-class=true`. - - -### What is the flag '--watch-ingress-without-class' ? -- Its a flag that is passed,as an argument, to the `nginx-ingress-controller` executable. In the configuration, it looks like this: -``` -... -... -args: - - /nginx-ingress-controller - - --watch-ingress-without-class=true - - --publish-service=$(POD_NAMESPACE)/ingress-nginx-dev-v1-test-controller - - --election-id=ingress-controller-leader - - --controller-class=k8s.io/ingress-nginx - - --configmap=$(POD_NAMESPACE)/ingress-nginx-dev-v1-test-controller - - --validating-webhook=:8443 - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key -... -... -``` - -## I have more than one controller in my cluster and already use the annotation ? - -No problem. This should still keep working, but we highly recommend you to test! - -Even though `kubernetes.io/ingress.class` is deprecated, the Ingress-NGINX controller still understands that annotation. -If you want to follow good practice, you should consider migrating to use IngressClass and `.spec.ingressClassName`. - -## I have more than one controller running in my cluster, and I want to use the new API ? - -In this scenario, you need to create multiple IngressClasses (see example one). But be aware that IngressClass works in a very specific way: you will need to change the `.spec.controller` value in your IngressClass and configure the controller to expect the exact same value. - -Let's see some example, supposing that you have three IngressClasses: - -- IngressClass `ingress-nginx-one`, with `.spec.controller` equal to `example.com/ingress-nginx1` -- IngressClass `ingress-nginx-two`, with `.spec.controller` equal to `example.com/ingress-nginx2` -- IngressClass `ingress-nginx-three`, with `.spec.controller` equal to `example.com/ingress-nginx1` - -(for private use, you can also use a controller name that doesn't contain a `/`; for example: `ingress-nginx1`) - -When deploying your ingress controllers, you will have to change the `--controller-class` field as follows: - -- Ingress-Nginx A, configured to use controller class name `example.com/ingress-nginx1` -- Ingress-Nginx B, configured to use controller class name `example.com/ingress-nginx2` - -Then, when you create an Ingress object with its `ingressClassName` set to `ingress-nginx-two`, only controllers looking for the `example.com/ingress-nginx2` controller class pay attention to the new object. Given that Ingress-Nginx B is set up that way, it will serve that object, whereas Ingress-Nginx A ignores the new Ingress. - -Bear in mind that, if you start Ingress-Nginx B with the command line argument `--watch-ingress-without-class=true`, then it will serve: - -1. Ingresses without any `ingressClassName` set -2. Ingresses where the deprecated annotation (`kubernetes.io/ingress.class`) matches the value set in the command line argument `--ingress-class` -3. Ingresses that refer to any IngressClass that has the same `spec.controller` as configured in `--controller-class` - -If you start Ingress-Nginx B with the command line argument `--watch-ingress-without-class=true` and you run Ingress-Nginx A with the command line argument `--watch-ingress-without-class=false` then this is a supported configuration. If you have two Ingress-NGINX controllers for the same cluster, both running with `--watch-ingress-without-class=true` then there is likely to be a conflict. - -## I am seeing this error message in the logs of the Ingress-NGINX controller: "ingress class annotation is not equal to the expected by Ingress Controller". Why ? - -- It is highly likely that you will also see the name of the ingress resource in the same error message. This error message has been observed on use the deprecated annotation (`kubernetes.io/ingress.class`) in a Ingress resource manifest. It is recommended to use the `.spec.ingressClassName` field of the Ingress resource, to specify the name of the IngressClass of the Ingress you are defining. - -## How to easily install multiple instances of the ingress-NGINX controller in the same cluster ? -- Create a new namespace - ``` - kubectl create namespace ingress-nginx-2 - ``` -- Use Helm to install the additional instance of the ingress controller -- Ensure you have Helm working (refer to the [Helm documentation](https://helm.sh/docs/)) -- We have to assume that you have the helm repo for the ingress-NGINX controller already added to your Helm config. But, if you have not added the helm repo then you can do this to add the repo to your helm config; - ``` - helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx - ``` -- Make sure you have updated the helm repo data; - ``` - helm repo update - ``` -- Now, install an additional instance of the ingress-NGINX controller like this: - ``` - helm install ingress-nginx-2 ingress-nginx/ingress-nginx \ - --namespace ingress-nginx-2 \ - --set controller.ingressClassResource.name=nginx-two \ - --set controller.ingressClass=nginx-two \ - --set controller.ingressClassResource.controllerValue="example.com/ingress-nginx-2" \ - --set controller.ingressClassResource.enabled=true \ - --set controller.ingressClassByName=true - ``` -- If you need to install yet another instance, then repeat the procedure to create a new namespace, change the values such as names & namespaces (for example from "-2" to "-3"), or anything else that meets your needs. -- If you need to install all instances in the same namespace, then you need to specify a different **election id**, like this: - ``` - helm install ingress-nginx-2 ingress-nginx/ingress-nginx \ - --namespace kube-system \ - --set controller.electionID=nginx-two-leader \ - --set controller.ingressClassResource.name=nginx-two \ - --set controller.ingressClass=nginx-two \ - --set controller.ingressClassResource.controllerValue="example.com/ingress-nginx-2" \ - --set controller.ingressClassResource.enabled=true \ - --set controller.ingressClassByName=true - ``` - - Note, controller.ingressClassResource.name and controller.ingressClass have to be set with the value of the new class as the first is to create the IngressClass object and the other is to modify the deployment of the actuall ingress controller pod. +If you are using Ingress objects in your cluster (running Kubernetes older than v1.22), +and you plan to upgrade to Kubernetes v1.22, please read [the migration guide here](./user-guide/k8s-122-migration.md). diff --git a/docs/user-guide/k8s-122-migration.md b/docs/user-guide/k8s-122-migration.md new file mode 100644 index 000000000..34893f931 --- /dev/null +++ b/docs/user-guide/k8s-122-migration.md @@ -0,0 +1,245 @@ +# FAQ - Migration to Kubernetes 1.22 and apiVersion `networking.k8s.io/v1` + +If you are using Ingress objects in your cluster (running Kubernetes older than v1.22), +and you plan to upgrade to Kubernetes v1.22, this page is relevant to you. + +- Please read this [official blog on deprecated Ingress API versions](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) +- Please read this [official documentation on the IngressClass object](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) + +## What is an IngressClass and why is it important for users of ingress-nginx controller now? + +IngressClass is a Kubernetes resource. See the description below. +It's important because until now, a default install of the ingress-nginx controller did not require a IngressClass object. +From version 1.0.0 of the ingress-nginx controller, an IngressClass object is required. + +On clusters with more than one instance of the ingress-nginx controller, all instances of the controllers must be aware of which Ingress objects they serve. +The `ingressClassName` field of an Ingress is the way to let the controller know about that. + +```console +kubectl explain ingressclass +``` + +``` +KIND: IngressClass +VERSION: networking.k8s.io/v1 +DESCRIPTION: + IngressClass represents the class of the Ingress, referenced by the Ingress + Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be + used to indicate that an IngressClass should be considered default. When a + single IngressClass resource has this annotation set to true, new Ingress + resources without a class specified will be assigned this default class. +FIELDS: + apiVersion + APIVersion defines the versioned schema of this representation of an + object. Servers should convert recognized schemas to the latest internal + value, and may reject unrecognized values. More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind + Kind is a string value representing the REST resource this object + represents. Servers may infer this from the endpoint the client submits + requests to. Cannot be updated. In CamelCase. More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata + Standard object's metadata. More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + spec + Spec is the desired state of the IngressClass. More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status` +``` + +## What has caused this change in behavior? + +There are 2 primary reasons. + +### Reason 1 + +Until K8s version 1.21, it was possible to create an Ingress resource using deprecated versions of the Ingress API, such as: + +- `extensions/v1beta1` +- `networking.k8s.io/v1beta1` + You would get a message about deprecation, but the Ingress resource would get created. + +From K8s version 1.22 onwards, you can **only** access the Ingress API via the stable, `networking.k8s.io/v1` API. +The reason is explained in the [official blog on deprecated ingress API versions](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/). + +### Reason #2 + +If you are already using the ingress-nginx controller and then upgrade to Kubernetes 1.22, +there are several scenarios where your existing Ingress objects will not work how you expect. + +Read this FAQ to check which scenario matches your use case. + +## What is the `ingressClassName` field? + +`ingressClassName` is a field in the spec of an Ingress object. + +```shell +kubectl explain ingress.spec.ingressClassName +``` + +```console +KIND: Ingress +VERSION: networking.k8s.io/v1 +FIELD: ingressClassName +DESCRIPTION: + IngressClassName is the name of the IngressClass cluster resource. The + associated IngressClass defines which controller will implement the + resource. This replaces the deprecated `kubernetes.io/ingress.class` + annotation. For backwards compatibility, when that annotation is set, it + must be given precedence over this field. The controller may emit a warning + if the field and annotation have different values. Implementations of this + API should ignore Ingresses without a class specified. An IngressClass + resource may be marked as default, which can be used to set a default value + for this field. For more information, refer to the IngressClass + documentation. +``` + +The `.spec.ingressClassName` behavior has precedence over the deprecated `kubernetes.io/ingress.class` annotation. + +## I have only one ingress controller in my cluster. What should I do? + +If a single instance of the ingress-nginx controller is the sole Ingress controller running in your cluster, +you should add the annotation "ingressclass.kubernetes.io/is-default-class" in your IngressClass, +so any new Ingress objects will have this one as default IngressClass. + +When using Helm, you can enable this annotation by setting `.controller.ingressClassResource.default: true` in your Helm chart installation's values file. + +If you have any old Ingress objects remaining without an IngressClass set, you can do one or more of the following to make the ingress-nginx controller aware of the old objects: + +- You can manually set the [`.spec.ingressClassName`](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) field in the manifest of your own Ingress resources. +- You can re-create them after setting the `ingressclass.kubernetes.io/is-default-class` annotation to `true` on the IngressClass +- Alternatively you can make the ingress-nginx controller watch Ingress objects without the ingressClassName field set by starting your ingress-nginx with the flag [--watch-ingress-without-class=true](#what-is-the-flag-watch-ingress-without-class). + When using Helm, you can configure your Helm chart installation's values file with `.controller.watchIngressWithoutClass: true`. + +We recommend that you create the IngressClass as shown below: + +``` +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/component: controller + name: nginx + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +spec: + controller: k8s.io/ingress-nginx +``` + +and add the value `spec.ingressClassName=nginx` in your Ingress objects. + +## I have many ingress objects in my cluster. What should I do? + +If you have lot of ingress objects without ingressClass configuration, +you can run the ingress controller with the flag `--watch-ingress-without-class=true`. + +### What is the flag `--watch-ingress-without-class`? + +It's a flag that is passed, as an argument, to the `nginx-ingress-controller` executable. +In the configuration, it looks like this: + +```yaml +# ... +args: + - /nginx-ingress-controller + - --watch-ingress-without-class=true + - --controller-class=k8s.io/ingress-nginx + # ... +# ... +``` + +## I have more than one controller in my cluster, and I'm already using the annotation + +No problem. This should still keep working, but we highly recommend you to test! +Even though `kubernetes.io/ingress.class` is deprecated, the ingress-nginx controller still understands that annotation. +If you want to follow good practice, you should consider migrating to use IngressClass and `.spec.ingressClassName`. + +## I have more than one controller running in my cluster, and I want to use the new API + +In this scenario, you need to create multiple IngressClasses (see the example above). + +Be aware that IngressClass works in a very specific way: you will need to change the `.spec.controller` value in your IngressClass and configure the controller to expect the exact same value. + +Let's see an example, supposing that you have three IngressClasses: + +- IngressClass `ingress-nginx-one`, with `.spec.controller` equal to `example.com/ingress-nginx1` +- IngressClass `ingress-nginx-two`, with `.spec.controller` equal to `example.com/ingress-nginx2` +- IngressClass `ingress-nginx-three`, with `.spec.controller` equal to `example.com/ingress-nginx1` + +For private use, you can also use a controller name that doesn't contain a `/`, e.g. `ingress-nginx1`. + +When deploying your ingress controllers, you will have to change the `--controller-class` field as follows: + +- Ingress-Nginx A, configured to use controller class name `example.com/ingress-nginx1` +- Ingress-Nginx B, configured to use controller class name `example.com/ingress-nginx2` + +When you create an Ingress object with its `ingressClassName` set to `ingress-nginx-two`, +only controllers looking for the `example.com/ingress-nginx2` controller class pay attention to the new object. + +Given that Ingress-Nginx B is set up that way, it will serve that object, whereas Ingress-Nginx A ignores the new Ingress. + +Bear in mind that if you start Ingress-Nginx B with the command line argument `--watch-ingress-without-class=true`, it will serve: + +1. Ingresses without any `ingressClassName` set +2. Ingresses where the deprecated annotation (`kubernetes.io/ingress.class`) matches the value set in the command line argument `--ingress-class` +3. Ingresses that refer to any IngressClass that has the same `spec.controller` as configured in `--controller-class` +4. If you start Ingress-Nginx B with the command line argument `--watch-ingress-without-class=true` and you run Ingress-Nginx A with the command line argument `--watch-ingress-without-class=false` then this is a supported configuration. + If you have two ingress-nginx controllers for the same cluster, both running with `--watch-ingress-without-class=true` then there is likely to be a conflict. + +## Why am I am seeing "ingress class annotation is not equal to the expected by Ingress Controller" in my controller logs? + +It is highly likely that you will also see the name of the ingress resource in the same error message. +This error message has been observed on use the deprecated annotation (`kubernetes.io/ingress.class`) in a Ingress resource manifest. +It is recommended to use the `.spec.ingressClassName` field of the Ingress resource, to specify the name of the IngressClass of the Ingress you are defining. + +## How can I easily install multiple instances of the ingress-nginx controller in the same cluster? + +You can install them in different namespaces. + +- Create a new namespace + ``` + kubectl create namespace ingress-nginx-2 + ``` +- Use Helm to install the additional instance of the ingress controller +- Ensure you have Helm working (refer to the [Helm documentation](https://helm.sh/docs/)) +- We have to assume that you have the helm repo for the ingress-nginx controller already added to your Helm config. + But, if you have not added the helm repo then you can do this to add the repo to your helm config; + ``` + helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx + ``` +- Make sure you have updated the helm repo data; + ``` + helm repo update + ``` +- Now, install an additional instance of the ingress-nginx controller like this: + ``` + helm install ingress-nginx-2 ingress-nginx/ingress-nginx \ + --namespace ingress-nginx-2 \ + --set controller.ingressClassResource.name=nginx-two \ + --set controller.ingressClass=nginx-two \ + --set controller.ingressClassResource.controllerValue="example.com/ingress-nginx-2" \ + --set controller.ingressClassResource.enabled=true \ + --set controller.ingressClassByName=true + ``` + +If you need to install yet another instance, then repeat the procedure to create a new namespace, +change the values such as names & namespaces (for example from "-2" to "-3"), or anything else that meets your needs. + +Note that `controller.ingressClassResource.name` and `controller.ingressClass` have to be set correctly. +The first is to create the IngressClass object and the other is to modify the deployment of the actual ingress controller pod. + +### I can't use multiple namespaces, what should I do? + +If you need to install all instances in the same namespace, then you need to specify a different **election id**, like this: + +``` +helm install ingress-nginx-2 ingress-nginx/ingress-nginx \ +--namespace kube-system \ +--set controller.electionID=nginx-two-leader \ +--set controller.ingressClassResource.name=nginx-two \ +--set controller.ingressClass=nginx-two \ +--set controller.ingressClassResource.controllerValue="example.com/ingress-nginx-2" \ +--set controller.ingressClassResource.enabled=true \ +--set controller.ingressClassByName=true +``` From 5628f765fe883dd8c13ccd3084e9003ffd3e28d5 Mon Sep 17 00:00:00 2001 From: Ismayil Mirzali Date: Fri, 27 Jan 2023 17:12:27 +0200 Subject: [PATCH 136/405] tcpproxy: increase buffer size to 16K (#9548) --- pkg/tcpproxy/tcp.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkg/tcpproxy/tcp.go b/pkg/tcpproxy/tcp.go index 4c34e1f7b..86850ad54 100644 --- a/pkg/tcpproxy/tcp.go +++ b/pkg/tcpproxy/tcp.go @@ -59,11 +59,12 @@ func (p *TCPProxy) Get(host string) *TCPServer { // and open a connection to the passthrough server. func (p *TCPProxy) Handle(conn net.Conn) { defer conn.Close() - data := make([]byte, 4096) + // See: https://www.ibm.com/docs/en/ztpf/1.1.0.15?topic=sessions-ssl-record-format + data := make([]byte, 16384) length, err := conn.Read(data) if err != nil { - klog.V(4).ErrorS(err, "Error reading the first 4k of the connection") + klog.V(4).ErrorS(err, "Error reading data from the connection") return } From f90f37bed66d343e6c57ea981d6c4e90e4955975 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Jan 2023 12:44:50 -0800 Subject: [PATCH 137/405] Bump sigs.k8s.io/controller-runtime from 0.13.1 to 0.14.2 (#9552) Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.13.1 to 0.14.2. - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/master/RELEASE.md) - [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.13.1...v0.14.2) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 22 ++++++++++---------- go.sum | 65 +++++++++++++++++++++++++++++++++++++--------------------- 2 files changed, 53 insertions(+), 34 deletions(-) diff --git a/go.mod b/go.mod index 6f90615ff..03b3ebdb7 100644 --- a/go.mod +++ b/go.mod @@ -30,17 +30,17 @@ require ( google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 - k8s.io/api v0.26.0 - k8s.io/apiextensions-apiserver v0.26.0 - k8s.io/apimachinery v0.26.0 - k8s.io/apiserver v0.26.0 + k8s.io/api v0.26.1 + k8s.io/apiextensions-apiserver v0.26.1 + k8s.io/apimachinery v0.26.1 + k8s.io/apiserver v0.26.1 k8s.io/cli-runtime v0.26.0 - k8s.io/client-go v0.26.0 - k8s.io/code-generator v0.26.0 - k8s.io/component-base v0.26.0 + k8s.io/client-go v0.26.1 + k8s.io/code-generator v0.26.1 + k8s.io/component-base v0.26.1 k8s.io/klog/v2 v2.80.1 pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 - sigs.k8s.io/controller-runtime v0.13.1 + sigs.k8s.io/controller-runtime v0.14.2 sigs.k8s.io/mdtoc v1.1.0 ) @@ -77,7 +77,6 @@ require ( github.com/inconshreveable/mousetrap v1.0.1 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect - github.com/magefile/mage v1.14.0 // indirect github.com/mailru/easyjson v0.7.6 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect @@ -88,6 +87,7 @@ require ( github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833 // indirect + github.com/onsi/ginkgo v1.16.5 // indirect github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 // indirect github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/pkg/errors v0.9.1 // indirect @@ -104,7 +104,7 @@ require ( golang.org/x/sys v0.4.0 // indirect golang.org/x/term v0.4.0 // indirect golang.org/x/text v0.6.0 // indirect - golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect + golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.4.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto v0.0.0-20221118155620-16455021b5e6 // indirect @@ -115,7 +115,7 @@ require ( gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/gengo v0.0.0-20220902162205-c0856e24416d // indirect k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect - k8s.io/utils v0.0.0-20221107191617-1a15be271d1d // indirect + k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 // indirect sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect sigs.k8s.io/kustomize/api v0.12.1 // indirect sigs.k8s.io/kustomize/kyaml v0.13.9 // indirect diff --git a/go.sum b/go.sum index 8a32d3e00..7588a51fb 100644 --- a/go.sum +++ b/go.sum @@ -87,6 +87,8 @@ github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQL github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b h1:074/xhloHUBOpTZwlIzQ28rbPY8pNJvzY7Gcx5KnNOk= @@ -116,6 +118,7 @@ github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng= github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.0.6 h1:mkgN1ofwASrYnJ5W6U/BxG15eXXXjirgZc7CLqkcaro= github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= @@ -195,6 +198,7 @@ github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWet github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= @@ -231,8 +235,6 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= -github.com/magefile/mage v1.14.0 h1:6QDX3g6z1YvJ4olPhT1wksUcSa/V0a1B+pJb73fBjyo= -github.com/magefile/mage v1.14.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA= @@ -276,10 +278,17 @@ github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833/go.mod h1:0CznHmX github.com/ncabatoff/process-exporter v0.7.10 h1:+Ere7+3se6QqP54gg7aBRagWcL8bq3u5zNi/GRSWeKQ= github.com/ncabatoff/process-exporter v0.7.10/go.mod h1:DHZRZjqxw9LCOpLlX0DjBuyn6d5plh41Jv6Tmttj7Ek= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= +github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= +github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= +github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= github.com/onsi/ginkgo/v2 v2.6.1 h1:1xQPCjcqYw/J5LchOcp4/2q/jzJFjiAOc25chhnDw+Q= github.com/onsi/ginkgo/v2 v2.6.1/go.mod h1:yjiuMwPokqY1XauOgju45q3sJt6VzQ/Fict1LFVcsAo= +github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= +github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.24.1 h1:KORJXNNTzJXzu4ScJWssJfJMnJ+2QJqhoQSRwNlze9E= github.com/opencontainers/runc v1.1.4 h1:nRCz/8sKg6K6jgYAFLDlXzPeITBZJyX28DBVhWD+5dg= github.com/opencontainers/runc v1.1.4/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg= @@ -385,7 +394,7 @@ go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 h1:+FNtrFTmVw0YZGpBGX56XDee33 go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o= go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4= -go.uber.org/zap v1.21.0 h1:WefMeulhovoZ2sYXz7st6K0sLj7bBhpiFaud4r4zST8= +go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= golang.org/dl v0.0.0-20190829154251-82a15e2f2ead/go.mod h1:IUMfjQLJQd4UTqG1Z90tenwKoCX93Gn3MAQJMOSBsDQ= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= @@ -430,6 +439,7 @@ golang.org/x/mod v0.7.0 h1:LapD9S96VoQRhi/GrNTqeBJFrUjs5UHCAtTlgwA5oZA= golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -452,6 +462,7 @@ golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/ golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= @@ -482,6 +493,7 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -493,10 +505,13 @@ golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191002063906-3421d5a6bb1c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -517,6 +532,7 @@ golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -542,8 +558,8 @@ golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20220609170525-579cf78fd858 h1:Dpdu/EMxGMFgq0CeYMh4fazTD2vtlZRYE7wyynxJb9U= -golang.org/x/time v0.0.0-20220609170525-579cf78fd858/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= +golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= @@ -586,6 +602,7 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.4.0 h1:7mTAgkunk3fr4GAloyyCasadO6h9zSsQZbwvcaIciV4= golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ= @@ -689,6 +706,7 @@ gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/go-playground/assert.v1 v1.2.1 h1:xoYuJVE7KT85PYWrN730RguIQO0ePzVRfFMXadIrXTM= gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8bDuhia5mkpMnE= gopkg.in/go-playground/pool.v3 v3.1.1 h1:4Qcj91IsYTpIeRhe/eo6Fz+w6uKWPEghx8vHFTYMfhw= @@ -698,6 +716,7 @@ gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/mcuadros/go-syslog.v2 v2.3.0 h1:kcsiS+WsTKyIEPABJBJtoG0KkOS6yzvJ+/eZlhD79kk= gopkg.in/mcuadros/go-syslog.v2 v2.3.0/go.mod h1:l5LPIyOOyIdQquNg+oU6Z3524YwrcqEm0aKH+5zpt2U= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= @@ -718,22 +737,22 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.26.0 h1:IpPlZnxBpV1xl7TGk/X6lFtpgjgntCg8PJ+qrPHAC7I= -k8s.io/api v0.26.0/go.mod h1:k6HDTaIFC8yn1i6pSClSqIwLABIcLV9l5Q4EcngKnQg= -k8s.io/apiextensions-apiserver v0.26.0 h1:Gy93Xo1eg2ZIkNX/8vy5xviVSxwQulsnUdQ00nEdpDo= -k8s.io/apiextensions-apiserver v0.26.0/go.mod h1:7ez0LTiyW5nq3vADtK6C3kMESxadD51Bh6uz3JOlqWQ= -k8s.io/apimachinery v0.26.0 h1:1feANjElT7MvPqp0JT6F3Ss6TWDwmcjLypwoPpEf7zg= -k8s.io/apimachinery v0.26.0/go.mod h1:tnPmbONNJ7ByJNz9+n9kMjNP8ON+1qoAIIC70lztu74= -k8s.io/apiserver v0.26.0 h1:q+LqIK5EZwdznGZb8bq0+a+vCqdeEEe4Ux3zsOjbc4o= -k8s.io/apiserver v0.26.0/go.mod h1:aWhlLD+mU+xRo+zhkvP/gFNbShI4wBDHS33o0+JGI84= +k8s.io/api v0.26.1 h1:f+SWYiPd/GsiWwVRz+NbFyCgvv75Pk9NK6dlkZgpCRQ= +k8s.io/api v0.26.1/go.mod h1:xd/GBNgR0f707+ATNyPmQ1oyKSgndzXij81FzWGsejg= +k8s.io/apiextensions-apiserver v0.26.1 h1:cB8h1SRk6e/+i3NOrQgSFij1B2S0Y0wDoNl66bn8RMI= +k8s.io/apiextensions-apiserver v0.26.1/go.mod h1:AptjOSXDGuE0JICx/Em15PaoO7buLwTs0dGleIHixSM= +k8s.io/apimachinery v0.26.1 h1:8EZ/eGJL+hY/MYCNwhmDzVqq2lPl3N3Bo8rvweJwXUQ= +k8s.io/apimachinery v0.26.1/go.mod h1:tnPmbONNJ7ByJNz9+n9kMjNP8ON+1qoAIIC70lztu74= +k8s.io/apiserver v0.26.1 h1:6vmnAqCDO194SVCPU3MU8NcDgSqsUA62tBUSWrFXhsc= +k8s.io/apiserver v0.26.1/go.mod h1:wr75z634Cv+sifswE9HlAo5FQ7UoUauIICRlOE+5dCg= k8s.io/cli-runtime v0.26.0 h1:aQHa1SyUhpqxAw1fY21x2z2OS5RLtMJOCj7tN4oq8mw= k8s.io/cli-runtime v0.26.0/go.mod h1:o+4KmwHzO/UK0wepE1qpRk6l3o60/txUZ1fEXWGIKTY= -k8s.io/client-go v0.26.0 h1:lT1D3OfO+wIi9UFolCrifbjUUgu7CpLca0AD8ghRLI8= -k8s.io/client-go v0.26.0/go.mod h1:I2Sh57A79EQsDmn7F7ASpmru1cceh3ocVT9KlX2jEZg= -k8s.io/code-generator v0.26.0 h1:ZDY+7Gic9p/lACgD1G72gQg2CvNGeAYZTPIncv+iALM= -k8s.io/code-generator v0.26.0/go.mod h1:OMoJ5Dqx1wgaQzKgc+ZWaZPfGjdRq/Y3WubFrZmeI3I= -k8s.io/component-base v0.26.0 h1:0IkChOCohtDHttmKuz+EP3j3+qKmV55rM9gIFTXA7Vs= -k8s.io/component-base v0.26.0/go.mod h1:lqHwlfV1/haa14F/Z5Zizk5QmzaVf23nQzCwVOQpfC8= +k8s.io/client-go v0.26.1 h1:87CXzYJnAMGaa/IDDfRdhTzxk/wzGZ+/HUQpqgVSZXU= +k8s.io/client-go v0.26.1/go.mod h1:IWNSglg+rQ3OcvDkhY6+QLeasV4OYHDjdqeWkDQZwGE= +k8s.io/code-generator v0.26.1 h1:dusFDsnNSKlMFYhzIM0jAO1OlnTN5WYwQQ+Ai12IIlo= +k8s.io/code-generator v0.26.1/go.mod h1:OMoJ5Dqx1wgaQzKgc+ZWaZPfGjdRq/Y3WubFrZmeI3I= +k8s.io/component-base v0.26.1 h1:4ahudpeQXHZL5kko+iDHqLj/FSGAEUnSVO0EBbgDd+4= +k8s.io/component-base v0.26.1/go.mod h1:VHrLR0b58oC035w6YQiBSbtsf0ThuSwXP+p5dD/kAWU= k8s.io/gengo v0.0.0-20220902162205-c0856e24416d h1:U9tB195lKdzwqicbJvyJeOXV7Klv+wNAWENRnXEGi08= k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= @@ -741,15 +760,15 @@ k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4= k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E= k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= -k8s.io/utils v0.0.0-20221107191617-1a15be271d1d h1:0Smp/HP1OH4Rvhe+4B8nWGERtlqAGSftbSbbmm45oFs= -k8s.io/utils v0.0.0-20221107191617-1a15be271d1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 h1:KTgPnR10d5zhztWptI952TNtt/4u5h3IzDXkdIMuo2Y= +k8s.io/utils v0.0.0-20221128185143-99ec85e7a448/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 h1:SAElp8THCfmBdM+4lmWX5gebiSSkEr7PAYDVF91qpfg= pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732/go.mod h1:lpvCfhqEHNJSSpG5R5A2EgsVzG8RTt4RfPoQuRAcDmg= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/controller-runtime v0.13.1 h1:tUsRCSJVM1QQOOeViGeX3GMT3dQF1eePPw6sEE3xSlg= -sigs.k8s.io/controller-runtime v0.13.1/go.mod h1:Zbz+el8Yg31jubvAEyglRZGdLAjplZl+PgtYNI6WNTI= +sigs.k8s.io/controller-runtime v0.14.2 h1:P6IwDhbsRWsBClt/8/h8Zy36bCuGuW5Op7MHpFrN/60= +sigs.k8s.io/controller-runtime v0.14.2/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/kustomize/api v0.12.1 h1:7YM7gW3kYBwtKvoY216ZzY+8hM+lV53LUayghNRJ0vM= From 7d1c47ab5408a40993993b1b47954a4fd44d39f3 Mon Sep 17 00:00:00 2001 From: James Strong Date: Tue, 31 Jan 2023 20:09:06 -0500 Subject: [PATCH 138/405] Switch logic on path type validation and setting it to false (#9543) * update path type validation to be false and update e2e test scripts Signed-off-by: James Strong * update to make tests clear Signed-off-by: James Strong * update test params Signed-off-by: James Strong * Adding else per pr comments Signed-off-by: James Strong --------- Signed-off-by: James Strong Signed-off-by: James Strong --- Makefile | 4 +- charts/ingress-nginx/README.md | 2 +- .../templates/controller-configmap.yaml | 2 +- charts/ingress-nginx/values.yaml | 6 +- .../nginx-configuration/configmap.md | 394 +++++++++--------- internal/ingress/controller/config/config.go | 11 +- internal/ingress/controller/controller.go | 2 +- .../ingress/controller/controller_test.go | 6 +- internal/ingress/controller/store/store.go | 2 +- pkg/util/ingress/ingress.go | 43 +- pkg/util/ingress/ingress_test.go | 66 +-- test/e2e/admission/admission.go | 28 +- {build => test/e2e}/run-e2e-suite.sh | 15 +- test/e2e/{run.sh => run-kind-e2e.sh} | 92 ++-- 14 files changed, 354 insertions(+), 319 deletions(-) rename {build => test/e2e}/run-e2e-suite.sh (97%) rename test/e2e/{run.sh => run-kind-e2e.sh} (62%) diff --git a/Makefile b/Makefile index 0ce3e3cef..25855a224 100644 --- a/Makefile +++ b/Makefile @@ -153,11 +153,11 @@ lua-test: ## Run lua unit tests. .PHONY: e2e-test e2e-test: ## Run e2e tests (expects access to a working Kubernetes cluster). - @build/run-e2e-suite.sh + @test/e2e/run-e2e-suite.sh .PHONY: kind-e2e-test kind-e2e-test: ## Run e2e tests using kind. - @test/e2e/run.sh + @test/e2e/run-kind-e2e.sh .PHONY: kind-e2e-chart-tests kind-e2e-chart-tests: ## Run helm chart e2e tests diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 174a8870d..7f3ea1866 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -253,6 +253,7 @@ Kubernetes: `>=1.20.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | commonLabels | object | `{}` | | +| controller.EnablePathTypeValidation | bool | `false` | This configuration defines if Ingress Controller should validate pathType. If false, special characters will be allowed on paths of any pathType. If true, special characters are only allowed on paths with pathType = ImplementationSpecific | | controller.addHeaders | object | `{}` | Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers | | controller.admissionWebhooks.annotations | object | `{}` | | | controller.admissionWebhooks.certManager.admissionCert.duration | string | `""` | | @@ -311,7 +312,6 @@ Kubernetes: `>=1.20.0-0` | controller.containerPort | object | `{"http":80,"https":443}` | Configures the ports that the nginx-controller listens on | | controller.customTemplate.configMapKey | string | `""` | | | controller.customTemplate.configMapName | string | `""` | | -| controller.disablePathTypeValidation | bool | `false` | This configuration defines if Ingress Controller should validate pathType. If this is true, special characters will be allowed on paths of any pathType. If false, special characters are only allowed on paths with pathType = ImplementationSpecific | | controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. | | controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. | | controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' | diff --git a/charts/ingress-nginx/templates/controller-configmap.yaml b/charts/ingress-nginx/templates/controller-configmap.yaml index ffd003ee8..a1fbdf549 100644 --- a/charts/ingress-nginx/templates/controller-configmap.yaml +++ b/charts/ingress-nginx/templates/controller-configmap.yaml @@ -14,7 +14,7 @@ metadata: namespace: {{ .Release.Namespace }} data: allow-snippet-annotations: "{{ .Values.controller.allowSnippetAnnotations }}" - disable-pathtype-validation: "{{ .Values.controller.disablePathTypeValidation }}" + enable-pathtype-validation: "{{ .Values.controller.EnablePathTypeValidation }}" {{- if .Values.controller.addHeaders }} add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers {{- end }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 072493ccc..4c587ee88 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -88,9 +88,9 @@ controller: allowSnippetAnnotations: true # -- This configuration defines if Ingress Controller should validate pathType. - # If this is true, special characters will be allowed on paths of any pathType. If - # false, special characters are only allowed on paths with pathType = ImplementationSpecific - disablePathTypeValidation: false + # If false, special characters will be allowed on paths of any pathType. + # If true, special characters are only allowed on paths with pathType = ImplementationSpecific + EnablePathTypeValidation: false # -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md index baefa7c72..3832bba16 100755 --- a/docs/user-guide/nginx-configuration/configmap.md +++ b/docs/user-guide/nginx-configuration/configmap.md @@ -25,199 +25,199 @@ data: The following table shows a configuration option's name, type, and the default value: -|name|type|default| -|:---|:---|:------| -|[add-headers](#add-headers)|string|""| -|[allow-backend-server-header](#allow-backend-server-header)|bool|"false"| -|[allow-snippet-annotations](#allow-snippet-annotations)|bool|true| -|[annotation-value-word-blocklist](#annotation-value-word-blocklist)|string array|""| -|[hide-headers](#hide-headers)|string array|empty| -|[access-log-params](#access-log-params)|string|""| -|[access-log-path](#access-log-path)|string|"/var/log/nginx/access.log"| -|[http-access-log-path](#http-access-log-path)|string|""| -|[stream-access-log-path](#stream-access-log-path)|string|""| -|[enable-access-log-for-default-backend](#enable-access-log-for-default-backend)|bool|"false"| -|[error-log-path](#error-log-path)|string|"/var/log/nginx/error.log"| -|[enable-modsecurity](#enable-modsecurity)|bool|"false"| -|[modsecurity-snippet](#modsecurity-snippet)|string|""| -|[enable-owasp-modsecurity-crs](#enable-owasp-modsecurity-crs)|bool|"false"| -|[client-header-buffer-size](#client-header-buffer-size)|string|"1k"| -|[client-header-timeout](#client-header-timeout)|int|60| -|[client-body-buffer-size](#client-body-buffer-size)|string|"8k"| -|[client-body-timeout](#client-body-timeout)|int|60| -|[disable-access-log](#disable-access-log)|bool|false| -|[disable-ipv6](#disable-ipv6)|bool|false| -|[disable-ipv6-dns](#disable-ipv6-dns)|bool|false| -|[enable-underscores-in-headers](#enable-underscores-in-headers)|bool|false| -|[enable-ocsp](#enable-ocsp)|bool|false| -|[ignore-invalid-headers](#ignore-invalid-headers)|bool|true| -|[retry-non-idempotent](#retry-non-idempotent)|bool|"false"| -|[error-log-level](#error-log-level)|string|"notice"| -|[http2-max-field-size](#http2-max-field-size)|string|"4k"| -|[http2-max-header-size](#http2-max-header-size)|string|"16k"| -|[http2-max-requests](#http2-max-requests)|int|1000| -|[http2-max-concurrent-streams](#http2-max-concurrent-streams)|int|128| -|[hsts](#hsts)|bool|"true"| -|[hsts-include-subdomains](#hsts-include-subdomains)|bool|"true"| -|[hsts-max-age](#hsts-max-age)|string|"15724800"| -|[hsts-preload](#hsts-preload)|bool|"false"| -|[keep-alive](#keep-alive)|int|75| -|[keep-alive-requests](#keep-alive-requests)|int|1000| -|[large-client-header-buffers](#large-client-header-buffers)|string|"4 8k"| -|[log-format-escape-none](#log-format-escape-none)|bool|"false"| -|[log-format-escape-json](#log-format-escape-json)|bool|"false"| -|[log-format-upstream](#log-format-upstream)|string|`$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] [$proxy_alternative_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status $req_id`| -|[log-format-stream](#log-format-stream)|string|`[$remote_addr] [$time_local] $protocol $status $bytes_sent $bytes_received $session_time`| -|[enable-multi-accept](#enable-multi-accept)|bool|"true"| -|[max-worker-connections](#max-worker-connections)|int|16384| -|[max-worker-open-files](#max-worker-open-files)|int|0| -|[map-hash-bucket-size](#max-hash-bucket-size)|int|64| -|[nginx-status-ipv4-whitelist](#nginx-status-ipv4-whitelist)|[]string|"127.0.0.1"| -|[nginx-status-ipv6-whitelist](#nginx-status-ipv6-whitelist)|[]string|"::1"| -|[proxy-real-ip-cidr](#proxy-real-ip-cidr)|[]string|"0.0.0.0/0"| -|[proxy-set-headers](#proxy-set-headers)|string|""| -|[server-name-hash-max-size](#server-name-hash-max-size)|int|1024| -|[server-name-hash-bucket-size](#server-name-hash-bucket-size)|int|`` -|[proxy-headers-hash-max-size](#proxy-headers-hash-max-size)|int|512| -|[proxy-headers-hash-bucket-size](#proxy-headers-hash-bucket-size)|int|64| -|[plugins](#plugins)|[]string| | -|[reuse-port](#reuse-port)|bool|"true"| -|[server-tokens](#server-tokens)|bool|"false"| -|[ssl-ciphers](#ssl-ciphers)|string|"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"| -|[ssl-ecdh-curve](#ssl-ecdh-curve)|string|"auto"| -|[ssl-dh-param](#ssl-dh-param)|string|""| -|[ssl-protocols](#ssl-protocols)|string|"TLSv1.2 TLSv1.3"| -|[ssl-session-cache](#ssl-session-cache)|bool|"true"| -|[ssl-session-cache-size](#ssl-session-cache-size)|string|"10m"| -|[ssl-session-tickets](#ssl-session-tickets)|bool|"false"| -|[ssl-session-ticket-key](#ssl-session-ticket-key)|string|`` -|[ssl-session-timeout](#ssl-session-timeout)|string|"10m"| -|[ssl-buffer-size](#ssl-buffer-size)|string|"4k"| -|[use-proxy-protocol](#use-proxy-protocol)|bool|"false"| -|[proxy-protocol-header-timeout](#proxy-protocol-header-timeout)|string|"5s"| -|[use-gzip](#use-gzip)|bool|"false"| -|[use-geoip](#use-geoip)|bool|"true"| -|[use-geoip2](#use-geoip2)|bool|"false"| -|[enable-brotli](#enable-brotli)|bool|"false"| -|[brotli-level](#brotli-level)|int|4| -|[brotli-min-length](#brotli-min-length)|int|20| -|[brotli-types](#brotli-types)|string|"application/xml+rss application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component"| -|[use-http2](#use-http2)|bool|"true"| -|[gzip-disable](#gzip-disable)|string|""| -|[gzip-level](#gzip-level)|int|1| -|[gzip-min-length](#gzip-min-length)|int|256| -|[gzip-types](#gzip-types)|string|"application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component"| -|[worker-processes](#worker-processes)|string|``| -|[worker-cpu-affinity](#worker-cpu-affinity)|string|""| -|[worker-shutdown-timeout](#worker-shutdown-timeout)|string|"240s"| -|[load-balance](#load-balance)|string|"round_robin"| -|[variables-hash-bucket-size](#variables-hash-bucket-size)|int|128| -|[variables-hash-max-size](#variables-hash-max-size)|int|2048| -|[upstream-keepalive-connections](#upstream-keepalive-connections)|int|320| -|[upstream-keepalive-time](#upstream-keepalive-time)|string|"1h"| -|[upstream-keepalive-timeout](#upstream-keepalive-timeout)|int|60| -|[upstream-keepalive-requests](#upstream-keepalive-requests)|int|10000| -|[limit-conn-zone-variable](#limit-conn-zone-variable)|string|"$binary_remote_addr"| -|[proxy-stream-timeout](#proxy-stream-timeout)|string|"600s"| -|[proxy-stream-next-upstream](#proxy-stream-next-upstream)|bool|"true"| -|[proxy-stream-next-upstream-timeout](#proxy-stream-next-upstream-timeout)|string|"600s"| -|[proxy-stream-next-upstream-tries](#proxy-stream-next-upstream-tries)|int|3| -|[proxy-stream-responses](#proxy-stream-responses)|int|1| -|[bind-address](#bind-address)|[]string|""| -|[use-forwarded-headers](#use-forwarded-headers)|bool|"false"| -|[enable-real-ip](#enable-real-ip)|bool|"false"| -|[forwarded-for-header](#forwarded-for-header)|string|"X-Forwarded-For"| -|[compute-full-forwarded-for](#compute-full-forwarded-for)|bool|"false"| -|[proxy-add-original-uri-header](#proxy-add-original-uri-header)|bool|"false"| -|[generate-request-id](#generate-request-id)|bool|"true"| -|[enable-opentracing](#enable-opentracing)|bool|"false"| -|[opentracing-operation-name](#opentracing-operation-name)|string|""| -|[opentracing-location-operation-name](#opentracing-location-operation-name)|string|""| -|[zipkin-collector-host](#zipkin-collector-host)|string|""| -|[zipkin-collector-port](#zipkin-collector-port)|int|9411| -|[zipkin-service-name](#zipkin-service-name)|string|"nginx"| -|[zipkin-sample-rate](#zipkin-sample-rate)|float|1.0| -|[jaeger-collector-host](#jaeger-collector-host)|string|""| -|[jaeger-collector-port](#jaeger-collector-port)|int|6831| -|[jaeger-endpoint](#jaeger-endpoint)|string|""| -|[jaeger-service-name](#jaeger-service-name)|string|"nginx"| -|[jaeger-propagation-format](#jaeger-propagation-format)|string|"jaeger"| -|[jaeger-sampler-type](#jaeger-sampler-type)|string|"const"| -|[jaeger-sampler-param](#jaeger-sampler-param)|string|"1"| -|[jaeger-sampler-host](#jaeger-sampler-host)|string|"http://127.0.0.1"| -|[jaeger-sampler-port](#jaeger-sampler-port)|int|5778| -|[jaeger-trace-context-header-name](#jaeger-trace-context-header-name)|string|uber-trace-id| -|[jaeger-debug-header](#jaeger-debug-header)|string|uber-debug-id| -|[jaeger-baggage-header](#jaeger-baggage-header)|string|jaeger-baggage| -|[jaeger-trace-baggage-header-prefix](#jaeger-trace-baggage-header-prefix)|string|uberctx-| -|[datadog-collector-host](#datadog-collector-host)|string|""| -|[datadog-collector-port](#datadog-collector-port)|int|8126| -|[datadog-service-name](#datadog-service-name)|string|"nginx"| -|[datadog-environment](#datadog-environment)|string|"prod"| -|[datadog-operation-name-override](#datadog-operation-name-override)|string|"nginx.handle"| -|[datadog-priority-sampling](#datadog-priority-sampling)|bool|"true"| -|[datadog-sample-rate](#datadog-sample-rate)|float|1.0| -|[main-snippet](#main-snippet)|string|""| -|[http-snippet](#http-snippet)|string|""| -|[server-snippet](#server-snippet)|string|""| -|[stream-snippet](#stream-snippet)|string|""| -|[location-snippet](#location-snippet)|string|""| -|[custom-http-errors](#custom-http-errors)|[]int|[]int{}| -|[proxy-body-size](#proxy-body-size)|string|"1m"| -|[proxy-connect-timeout](#proxy-connect-timeout)|int|5| -|[proxy-read-timeout](#proxy-read-timeout)|int|60| -|[proxy-send-timeout](#proxy-send-timeout)|int|60| -|[proxy-buffers-number](#proxy-buffers-number)|int|4| -|[proxy-buffer-size](#proxy-buffer-size)|string|"4k"| -|[proxy-cookie-path](#proxy-cookie-path)|string|"off"| -|[proxy-cookie-domain](#proxy-cookie-domain)|string|"off"| -|[proxy-next-upstream](#proxy-next-upstream)|string|"error timeout"| -|[proxy-next-upstream-timeout](#proxy-next-upstream-timeout)|int|0| -|[proxy-next-upstream-tries](#proxy-next-upstream-tries)|int|3| -|[proxy-redirect-from](#proxy-redirect-from)|string|"off"| -|[proxy-request-buffering](#proxy-request-buffering)|string|"on"| -|[ssl-redirect](#ssl-redirect)|bool|"true"| -|[force-ssl-redirect](#force-ssl-redirect)|bool|"false"| -|[denylist-source-range](#denylist-source-range)|[]string|[]string{}| -|[whitelist-source-range](#whitelist-source-range)|[]string|[]string{}| -|[skip-access-log-urls](#skip-access-log-urls)|[]string|[]string{}| -|[limit-rate](#limit-rate)|int|0| -|[limit-rate-after](#limit-rate-after)|int|0| -|[lua-shared-dicts](#lua-shared-dicts)|string|""| -|[http-redirect-code](#http-redirect-code)|int|308| -|[proxy-buffering](#proxy-buffering)|string|"off"| -|[limit-req-status-code](#limit-req-status-code)|int|503| -|[limit-conn-status-code](#limit-conn-status-code)|int|503| -|[enable-syslog](#enable-syslog)|bool|false| -|[syslog-host](#syslog-host)|string|""| -|[syslog-port](#syslog-port)|int|514| -|[no-tls-redirect-locations](#no-tls-redirect-locations)|string|"/.well-known/acme-challenge"| -|[global-auth-url](#global-auth-url)|string|""| -|[global-auth-method](#global-auth-method)|string|""| -|[global-auth-signin](#global-auth-signin)|string|""| -|[global-auth-signin-redirect-param](#global-auth-signin-redirect-param)|string|"rd"| -|[global-auth-response-headers](#global-auth-response-headers)|string|""| -|[global-auth-request-redirect](#global-auth-request-redirect)|string|""| -|[global-auth-snippet](#global-auth-snippet)|string|""| -|[global-auth-cache-key](#global-auth-cache-key)|string|""| -|[global-auth-cache-duration](#global-auth-cache-duration)|string|"200 202 401 5m"| -|[no-auth-locations](#no-auth-locations)|string|"/.well-known/acme-challenge"| -|[block-cidrs](#block-cidrs)|[]string|""| -|[block-user-agents](#block-user-agents)|[]string|""| -|[block-referers](#block-referers)|[]string|""| -|[proxy-ssl-location-only](#proxy-ssl-location-only)|bool|"false"| -|[default-type](#default-type)|string|"text/html"| -|[global-rate-limit-memcached-host](#global-rate-limit)|string|""| -|[global-rate-limit-memcached-port](#global-rate-limit)|int|11211| -|[global-rate-limit-memcached-connect-timeout](#global-rate-limit)|int|50| -|[global-rate-limit-memcached-max-idle-timeout](#global-rate-limit)|int|10000| -|[global-rate-limit-memcached-pool-size](#global-rate-limit)|int|50| -|[global-rate-limit-status-code](#global-rate-limit)|int|429| -|[service-upstream](#service-upstream)|bool|"false"| -|[ssl-reject-handshake](#ssl-reject-handshake)|bool|"false"| -|[debug-connections](#debug-connections)|[]string|"127.0.0.1,1.1.1.1/24"| -|[disable-pathtype-validation](#disable-pathtype-validation)|bool|"false"| -|[path-additional-allowed-chars](#path-additional-allowed-chars)|string|"^%$[](){}*+?"| +| name | type | default | +|:--------------------------------------------------------------------------------|:-------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [add-headers](#add-headers) | string | "" | +| [allow-backend-server-header](#allow-backend-server-header) | bool | "false" | +| [allow-snippet-annotations](#allow-snippet-annotations) | bool | true | +| [annotation-value-word-blocklist](#annotation-value-word-blocklist) | string array | "" | +| [hide-headers](#hide-headers) | string array | empty | +| [access-log-params](#access-log-params) | string | "" | +| [access-log-path](#access-log-path) | string | "/var/log/nginx/access.log" | +| [http-access-log-path](#http-access-log-path) | string | "" | +| [stream-access-log-path](#stream-access-log-path) | string | "" | +| [enable-access-log-for-default-backend](#enable-access-log-for-default-backend) | bool | "false" | +| [error-log-path](#error-log-path) | string | "/var/log/nginx/error.log" | +| [enable-modsecurity](#enable-modsecurity) | bool | "false" | +| [modsecurity-snippet](#modsecurity-snippet) | string | "" | +| [enable-owasp-modsecurity-crs](#enable-owasp-modsecurity-crs) | bool | "false" | +| [client-header-buffer-size](#client-header-buffer-size) | string | "1k" | +| [client-header-timeout](#client-header-timeout) | int | 60 | +| [client-body-buffer-size](#client-body-buffer-size) | string | "8k" | +| [client-body-timeout](#client-body-timeout) | int | 60 | +| [disable-access-log](#disable-access-log) | bool | false | +| [disable-ipv6](#disable-ipv6) | bool | false | +| [disable-ipv6-dns](#disable-ipv6-dns) | bool | false | +| [enable-underscores-in-headers](#enable-underscores-in-headers) | bool | false | +| [enable-ocsp](#enable-ocsp) | bool | false | +| [ignore-invalid-headers](#ignore-invalid-headers) | bool | true | +| [retry-non-idempotent](#retry-non-idempotent) | bool | "false" | +| [error-log-level](#error-log-level) | string | "notice" | +| [http2-max-field-size](#http2-max-field-size) | string | "4k" | +| [http2-max-header-size](#http2-max-header-size) | string | "16k" | +| [http2-max-requests](#http2-max-requests) | int | 1000 | +| [http2-max-concurrent-streams](#http2-max-concurrent-streams) | int | 128 | +| [hsts](#hsts) | bool | "true" | +| [hsts-include-subdomains](#hsts-include-subdomains) | bool | "true" | +| [hsts-max-age](#hsts-max-age) | string | "15724800" | +| [hsts-preload](#hsts-preload) | bool | "false" | +| [keep-alive](#keep-alive) | int | 75 | +| [keep-alive-requests](#keep-alive-requests) | int | 1000 | +| [large-client-header-buffers](#large-client-header-buffers) | string | "4 8k" | +| [log-format-escape-none](#log-format-escape-none) | bool | "false" | +| [log-format-escape-json](#log-format-escape-json) | bool | "false" | +| [log-format-upstream](#log-format-upstream) | string | `$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] [$proxy_alternative_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status $req_id` | +| [log-format-stream](#log-format-stream) | string | `[$remote_addr] [$time_local] $protocol $status $bytes_sent $bytes_received $session_time` | +| [enable-multi-accept](#enable-multi-accept) | bool | "true" | +| [max-worker-connections](#max-worker-connections) | int | 16384 | +| [max-worker-open-files](#max-worker-open-files) | int | 0 | +| [map-hash-bucket-size](#max-hash-bucket-size) | int | 64 | +| [nginx-status-ipv4-whitelist](#nginx-status-ipv4-whitelist) | []string | "127.0.0.1" | +| [nginx-status-ipv6-whitelist](#nginx-status-ipv6-whitelist) | []string | "::1" | +| [proxy-real-ip-cidr](#proxy-real-ip-cidr) | []string | "0.0.0.0/0" | +| [proxy-set-headers](#proxy-set-headers) | string | "" | +| [server-name-hash-max-size](#server-name-hash-max-size) | int | 1024 | +| [server-name-hash-bucket-size](#server-name-hash-bucket-size) | int | `` | +| [proxy-headers-hash-max-size](#proxy-headers-hash-max-size) | int | 512 | +| [proxy-headers-hash-bucket-size](#proxy-headers-hash-bucket-size) | int | 64 | +| [plugins](#plugins) | []string | | +| [reuse-port](#reuse-port) | bool | "true" | +| [server-tokens](#server-tokens) | bool | "false" | +| [ssl-ciphers](#ssl-ciphers) | string | "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" | +| [ssl-ecdh-curve](#ssl-ecdh-curve) | string | "auto" | +| [ssl-dh-param](#ssl-dh-param) | string | "" | +| [ssl-protocols](#ssl-protocols) | string | "TLSv1.2 TLSv1.3" | +| [ssl-session-cache](#ssl-session-cache) | bool | "true" | +| [ssl-session-cache-size](#ssl-session-cache-size) | string | "10m" | +| [ssl-session-tickets](#ssl-session-tickets) | bool | "false" | +| [ssl-session-ticket-key](#ssl-session-ticket-key) | string | `` | +| [ssl-session-timeout](#ssl-session-timeout) | string | "10m" | +| [ssl-buffer-size](#ssl-buffer-size) | string | "4k" | +| [use-proxy-protocol](#use-proxy-protocol) | bool | "false" | +| [proxy-protocol-header-timeout](#proxy-protocol-header-timeout) | string | "5s" | +| [use-gzip](#use-gzip) | bool | "false" | +| [use-geoip](#use-geoip) | bool | "true" | +| [use-geoip2](#use-geoip2) | bool | "false" | +| [enable-brotli](#enable-brotli) | bool | "false" | +| [brotli-level](#brotli-level) | int | 4 | +| [brotli-min-length](#brotli-min-length) | int | 20 | +| [brotli-types](#brotli-types) | string | "application/xml+rss application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component" | +| [use-http2](#use-http2) | bool | "true" | +| [gzip-disable](#gzip-disable) | string | "" | +| [gzip-level](#gzip-level) | int | 1 | +| [gzip-min-length](#gzip-min-length) | int | 256 | +| [gzip-types](#gzip-types) | string | "application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component" | +| [worker-processes](#worker-processes) | string | `` | +| [worker-cpu-affinity](#worker-cpu-affinity) | string | "" | +| [worker-shutdown-timeout](#worker-shutdown-timeout) | string | "240s" | +| [load-balance](#load-balance) | string | "round_robin" | +| [variables-hash-bucket-size](#variables-hash-bucket-size) | int | 128 | +| [variables-hash-max-size](#variables-hash-max-size) | int | 2048 | +| [upstream-keepalive-connections](#upstream-keepalive-connections) | int | 320 | +| [upstream-keepalive-time](#upstream-keepalive-time) | string | "1h" | +| [upstream-keepalive-timeout](#upstream-keepalive-timeout) | int | 60 | +| [upstream-keepalive-requests](#upstream-keepalive-requests) | int | 10000 | +| [limit-conn-zone-variable](#limit-conn-zone-variable) | string | "$binary_remote_addr" | +| [proxy-stream-timeout](#proxy-stream-timeout) | string | "600s" | +| [proxy-stream-next-upstream](#proxy-stream-next-upstream) | bool | "true" | +| [proxy-stream-next-upstream-timeout](#proxy-stream-next-upstream-timeout) | string | "600s" | +| [proxy-stream-next-upstream-tries](#proxy-stream-next-upstream-tries) | int | 3 | +| [proxy-stream-responses](#proxy-stream-responses) | int | 1 | +| [bind-address](#bind-address) | []string | "" | +| [use-forwarded-headers](#use-forwarded-headers) | bool | "false" | +| [enable-real-ip](#enable-real-ip) | bool | "false" | +| [forwarded-for-header](#forwarded-for-header) | string | "X-Forwarded-For" | +| [compute-full-forwarded-for](#compute-full-forwarded-for) | bool | "false" | +| [proxy-add-original-uri-header](#proxy-add-original-uri-header) | bool | "false" | +| [generate-request-id](#generate-request-id) | bool | "true" | +| [enable-opentracing](#enable-opentracing) | bool | "false" | +| [opentracing-operation-name](#opentracing-operation-name) | string | "" | +| [opentracing-location-operation-name](#opentracing-location-operation-name) | string | "" | +| [zipkin-collector-host](#zipkin-collector-host) | string | "" | +| [zipkin-collector-port](#zipkin-collector-port) | int | 9411 | +| [zipkin-service-name](#zipkin-service-name) | string | "nginx" | +| [zipkin-sample-rate](#zipkin-sample-rate) | float | 1.0 | +| [jaeger-collector-host](#jaeger-collector-host) | string | "" | +| [jaeger-collector-port](#jaeger-collector-port) | int | 6831 | +| [jaeger-endpoint](#jaeger-endpoint) | string | "" | +| [jaeger-service-name](#jaeger-service-name) | string | "nginx" | +| [jaeger-propagation-format](#jaeger-propagation-format) | string | "jaeger" | +| [jaeger-sampler-type](#jaeger-sampler-type) | string | "const" | +| [jaeger-sampler-param](#jaeger-sampler-param) | string | "1" | +| [jaeger-sampler-host](#jaeger-sampler-host) | string | "http://127.0.0.1" | +| [jaeger-sampler-port](#jaeger-sampler-port) | int | 5778 | +| [jaeger-trace-context-header-name](#jaeger-trace-context-header-name) | string | uber-trace-id | +| [jaeger-debug-header](#jaeger-debug-header) | string | uber-debug-id | +| [jaeger-baggage-header](#jaeger-baggage-header) | string | jaeger-baggage | +| [jaeger-trace-baggage-header-prefix](#jaeger-trace-baggage-header-prefix) | string | uberctx- | +| [datadog-collector-host](#datadog-collector-host) | string | "" | +| [datadog-collector-port](#datadog-collector-port) | int | 8126 | +| [datadog-service-name](#datadog-service-name) | string | "nginx" | +| [datadog-environment](#datadog-environment) | string | "prod" | +| [datadog-operation-name-override](#datadog-operation-name-override) | string | "nginx.handle" | +| [datadog-priority-sampling](#datadog-priority-sampling) | bool | "true" | +| [datadog-sample-rate](#datadog-sample-rate) | float | 1.0 | +| [main-snippet](#main-snippet) | string | "" | +| [http-snippet](#http-snippet) | string | "" | +| [server-snippet](#server-snippet) | string | "" | +| [stream-snippet](#stream-snippet) | string | "" | +| [location-snippet](#location-snippet) | string | "" | +| [custom-http-errors](#custom-http-errors) | []int | []int{} | +| [proxy-body-size](#proxy-body-size) | string | "1m" | +| [proxy-connect-timeout](#proxy-connect-timeout) | int | 5 | +| [proxy-read-timeout](#proxy-read-timeout) | int | 60 | +| [proxy-send-timeout](#proxy-send-timeout) | int | 60 | +| [proxy-buffers-number](#proxy-buffers-number) | int | 4 | +| [proxy-buffer-size](#proxy-buffer-size) | string | "4k" | +| [proxy-cookie-path](#proxy-cookie-path) | string | "off" | +| [proxy-cookie-domain](#proxy-cookie-domain) | string | "off" | +| [proxy-next-upstream](#proxy-next-upstream) | string | "error timeout" | +| [proxy-next-upstream-timeout](#proxy-next-upstream-timeout) | int | 0 | +| [proxy-next-upstream-tries](#proxy-next-upstream-tries) | int | 3 | +| [proxy-redirect-from](#proxy-redirect-from) | string | "off" | +| [proxy-request-buffering](#proxy-request-buffering) | string | "on" | +| [ssl-redirect](#ssl-redirect) | bool | "true" | +| [force-ssl-redirect](#force-ssl-redirect) | bool | "false" | +| [denylist-source-range](#denylist-source-range) | []string | []string{} | +| [whitelist-source-range](#whitelist-source-range) | []string | []string{} | +| [skip-access-log-urls](#skip-access-log-urls) | []string | []string{} | +| [limit-rate](#limit-rate) | int | 0 | +| [limit-rate-after](#limit-rate-after) | int | 0 | +| [lua-shared-dicts](#lua-shared-dicts) | string | "" | +| [http-redirect-code](#http-redirect-code) | int | 308 | +| [proxy-buffering](#proxy-buffering) | string | "off" | +| [limit-req-status-code](#limit-req-status-code) | int | 503 | +| [limit-conn-status-code](#limit-conn-status-code) | int | 503 | +| [enable-syslog](#enable-syslog) | bool | false | +| [syslog-host](#syslog-host) | string | "" | +| [syslog-port](#syslog-port) | int | 514 | +| [no-tls-redirect-locations](#no-tls-redirect-locations) | string | "/.well-known/acme-challenge" | +| [global-auth-url](#global-auth-url) | string | "" | +| [global-auth-method](#global-auth-method) | string | "" | +| [global-auth-signin](#global-auth-signin) | string | "" | +| [global-auth-signin-redirect-param](#global-auth-signin-redirect-param) | string | "rd" | +| [global-auth-response-headers](#global-auth-response-headers) | string | "" | +| [global-auth-request-redirect](#global-auth-request-redirect) | string | "" | +| [global-auth-snippet](#global-auth-snippet) | string | "" | +| [global-auth-cache-key](#global-auth-cache-key) | string | "" | +| [global-auth-cache-duration](#global-auth-cache-duration) | string | "200 202 401 5m" | +| [no-auth-locations](#no-auth-locations) | string | "/.well-known/acme-challenge" | +| [block-cidrs](#block-cidrs) | []string | "" | +| [block-user-agents](#block-user-agents) | []string | "" | +| [block-referers](#block-referers) | []string | "" | +| [proxy-ssl-location-only](#proxy-ssl-location-only) | bool | "false" | +| [default-type](#default-type) | string | "text/html" | +| [global-rate-limit-memcached-host](#global-rate-limit) | string | "" | +| [global-rate-limit-memcached-port](#global-rate-limit) | int | 11211 | +| [global-rate-limit-memcached-connect-timeout](#global-rate-limit) | int | 50 | +| [global-rate-limit-memcached-max-idle-timeout](#global-rate-limit) | int | 10000 | +| [global-rate-limit-memcached-pool-size](#global-rate-limit) | int | 50 | +| [global-rate-limit-status-code](#global-rate-limit) | int | 429 | +| [service-upstream](#service-upstream) | bool | "false" | +| [ssl-reject-handshake](#ssl-reject-handshake) | bool | "false" | +| [debug-connections](#debug-connections) | []string | "127.0.0.1,1.1.1.1/24" | +| [enable-pathtype-validation](#enable-pathtype-validation) | bool | "false" | +| [path-additional-allowed-chars](#path-additional-allowed-chars) | string | "^%$[](){}*+?" | ## add-headers @@ -1329,7 +1329,7 @@ _**default:**_ "" _References:_ [http://nginx.org/en/docs/ngx_core_module.html#debug_connection](http://nginx.org/en/docs/ngx_core_module.html#debug_connection) -## disable-pathtype-validation +## enable-pathtype-validation Ingress Controller validates the pathType, and only allows special characters on "path" if pathType is ImplementationSpecific. @@ -1339,13 +1339,11 @@ will be 0-9, a-z, A-Z, "-", ".", "_", "~", "/". If the validation is disabled, the [#path-additional-allowed-chars](#path-additional-allowed-chars) will be allowed on any pathType. -This behavior can be disabled, so special characters are accepted regardless of pathType +This behavior is disabled by default, so special characters are accepted regardless of pathType _**default:**_ "false" ## path-additional-allowed-chars -When validating path on Ingress resources, defines the additional set of special characters that +When [enable-pathtype-validation](enable-pathtype-validation) is set to true [#path-additional-allowed-chars](#path-additional-allowed-chars) defines the additional set of special characters that will be allowed. -See also [#disable-pathtype-validation](#disable-pathtype-validation). - _**default:**_ "^%$[](){}*+?|" diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go index 8be92167d..b02e5998e 100644 --- a/internal/ingress/controller/config/config.go +++ b/internal/ingress/controller/config/config.go @@ -783,14 +783,15 @@ type Configuration struct { // Default: "" DebugConnections []string `json:"debug-connections"` - // DisablePathTypeValidation allows the admin to disable the pathType validation. - // If PathTypeValidation is enabled, the Controller will only allow alphanumeric + // EnablePathTypeValidation allows the admin to enable the pathType validation. + // If EnablePathTypeValidation is enabled, the Controller will only allow alphanumeric // characters on path (0-9, a-z, A-Z, "-", ".", "_", "~", "/") - DisablePathTypeValidation bool `json:"disable-pathtype-validation"` + // to control what characters are allowed set them with PathAdditionalAllowedChars + EnablePathTypeValidation bool `json:"enable-pathtype-validation"` // PathAdditionalAllowedChars allows the admin to specify what are the additional // characters allowed in case of pathType=ImplementationSpecific. - // Case disable-pathtype-validation=true, this characters will be allowed on any path. + // Case enable-pathtype-validation=true, this characters will be only allowed on ImplementationSpecific. // Defaults to: "^%$[](){}*+?" PathAdditionalAllowedChars string `json:"path-additional-allowed-chars"` } @@ -828,7 +829,7 @@ func NewDefault() Configuration { ClientHeaderTimeout: 60, ClientBodyBufferSize: "8k", ClientBodyTimeout: 60, - DisablePathTypeValidation: false, + EnablePathTypeValidation: false, PathAdditionalAllowedChars: "^%$[](){}*+?|", EnableUnderscoresInHeaders: false, ErrorLogLevel: errorLevel, diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index 5b22fd17a..9812bd97e 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -325,7 +325,7 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error { k8s.SetDefaultNGINXPathType(ing) - if err := utilingress.ValidateIngressPath(ing, cfg.DisablePathTypeValidation, cfg.PathAdditionalAllowedChars); err != nil { + if err := utilingress.ValidateIngressPath(ing, cfg.EnablePathTypeValidation, cfg.PathAdditionalAllowedChars); err != nil { return fmt.Errorf("ingress contains invalid characters: %s", err) } diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go index d91760552..dab1e6e37 100644 --- a/internal/ingress/controller/controller_test.go +++ b/internal/ingress/controller/controller_test.go @@ -203,11 +203,11 @@ func TestCheckIngress(t *testing.T) { } t.Run("when validating pathType", func(t *testing.T) { - t.Run("When ingress contains invalid path and pathType validation is not disabled", func(t *testing.T) { + t.Run("When ingress contains invalid path and pathType validation is enabled", func(t *testing.T) { nginx.store = fakeIngressStore{ ingresses: []*ingress.Ingress{}, configuration: ngx_config.Configuration{ - DisablePathTypeValidation: false, + EnablePathTypeValidation: true, }, } nginx.command = testNginxTestCommand{ @@ -253,7 +253,7 @@ func TestCheckIngress(t *testing.T) { nginx.store = fakeIngressStore{ ingresses: []*ingress.Ingress{}, configuration: ngx_config.Configuration{ - DisablePathTypeValidation: true, + EnablePathTypeValidation: false, PathAdditionalAllowedChars: "^%$[](){}*+?|", }, } diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go index 1006858e8..e0f6cfb54 100644 --- a/internal/ingress/controller/store/store.go +++ b/internal/ingress/controller/store/store.go @@ -846,7 +846,7 @@ func (s *k8sStore) syncIngress(ing *networkingv1.Ingress) { copyIng := &networkingv1.Ingress{} ing.ObjectMeta.DeepCopyInto(©Ing.ObjectMeta) - if err := ingressutils.ValidateIngressPath(ing, s.backendConfig.DisablePathTypeValidation, s.backendConfig.PathAdditionalAllowedChars); err != nil { + if err := ingressutils.ValidateIngressPath(ing, s.backendConfig.EnablePathTypeValidation, s.backendConfig.PathAdditionalAllowedChars); err != nil { klog.Errorf("ingress %s contains invalid path and will be skipped: %s", key, err) return } diff --git a/pkg/util/ingress/ingress.go b/pkg/util/ingress/ingress.go index e16518251..acadad432 100644 --- a/pkg/util/ingress/ingress.go +++ b/pkg/util/ingress/ingress.go @@ -246,44 +246,65 @@ func BuildRedirects(servers []*ingress.Server) []*redirect { return redirectServers } -func ValidateIngressPath(copyIng *networkingv1.Ingress, disablePathTypeValidation bool, additionalChars string) error { +func ValidateIngressPath(copyIng *networkingv1.Ingress, enablePathTypeValidation bool, pathAdditionalAllowedChars string) error { if copyIng == nil { return nil } - escapedAdditionalChars := regexp.QuoteMeta(additionalChars) - regexPath, err := regexp.Compile("^[" + alphaNumericChars + escapedAdditionalChars + "]*$") + escapedPathAdditionalAllowedChars := regexp.QuoteMeta(pathAdditionalAllowedChars) + regexPath, err := regexp.Compile("^[" + alphaNumericChars + escapedPathAdditionalAllowedChars + "]*$") if err != nil { - return fmt.Errorf("ingress has misconfigured validation regex on configmap: %s - %w", additionalChars, err) + return fmt.Errorf("ingress has misconfigured validation regex on configmap: %s - %w", pathAdditionalAllowedChars, err) } for _, rule := range copyIng.Spec.Rules { + if rule.HTTP == nil { continue } - if err := checkPath(rule.HTTP.Paths, disablePathTypeValidation, regexPath); err != nil { + + if err := checkPath(rule.HTTP.Paths, enablePathTypeValidation, regexPath); err != nil { return fmt.Errorf("error validating ingressPath: %w", err) } } return nil } -func checkPath(paths []networkingv1.HTTPIngressPath, disablePathTypeValidation bool, regexSpecificChars *regexp.Regexp) error { +func checkPath(paths []networkingv1.HTTPIngressPath, enablePathTypeValidation bool, regexSpecificChars *regexp.Regexp) error { + for _, path := range paths { if path.PathType == nil { path.PathType = &defaultPathType } - if disablePathTypeValidation || *path.PathType == networkingv1.PathTypeImplementationSpecific { + klog.V(9).InfoS("PathType Validation", "enablePathTypeValidation", enablePathTypeValidation, "regexSpecificChars", regexSpecificChars.String(), "Path", path.Path) + + switch pathType := *path.PathType; pathType { + case networkingv1.PathTypeImplementationSpecific: + //only match on regex chars per Ingress spec when path is implementation specific if !regexSpecificChars.MatchString(path.Path) { return fmt.Errorf("path %s of type %s contains invalid characters", path.Path, *path.PathType) } - continue - } - if !pathAlphaNumericRegex(path.Path) { - return fmt.Errorf("path %s of type %s contains invalid characters", path.Path, *path.PathType) + case networkingv1.PathTypeExact, networkingv1.PathTypePrefix: + //enforce path type validation + if enablePathTypeValidation { + //only allow alphanumeric chars, no regex chars + if !pathAlphaNumericRegex(path.Path) { + return fmt.Errorf("path %s of type %s contains invalid characters", path.Path, *path.PathType) + } + continue + } else { + //path validation is disabled, so we check what regex chars are allowed by user + if !regexSpecificChars.MatchString(path.Path) { + return fmt.Errorf("path %s of type %s contains invalid characters", path.Path, *path.PathType) + } + continue + } + + default: + return fmt.Errorf("unknown path type %v on path %v", *path.PathType, path.Path) } } return nil diff --git a/pkg/util/ingress/ingress_test.go b/pkg/util/ingress/ingress_test.go index a79da6b6f..3bd7f1230 100644 --- a/pkg/util/ingress/ingress_test.go +++ b/pkg/util/ingress/ingress_test.go @@ -212,11 +212,11 @@ const ( func TestValidateIngressPath(t *testing.T) { tests := []struct { - name string - copyIng *networkingv1.Ingress - disablePathTypeValidation bool - additionalChars string - wantErr bool + name string + copyIng *networkingv1.Ingress + EnablePathTypeValidation bool + additionalChars string + wantErr bool }{ { name: "should return nil when ingress = nil", @@ -251,49 +251,53 @@ func TestValidateIngressPath(t *testing.T) { { name: "should deny path with bad characters and pathType not implementationSpecific", wantErr: true, - additionalChars: defaultAdditionalChars, + additionalChars: "()", copyIng: generateDumbIngressforPathTest(&pathTypeExact, "/foo/bar/(.+)"), }, { - name: "should accept path with regex characters and pathType implementationSpecific", - wantErr: false, - additionalChars: defaultAdditionalChars, - copyIng: generateDumbIngressforPathTest(&pathTypeImplSpecific, "/foo/bar/(.+)"), + name: "should accept path with regex characters and pathType implementationSpecific", + wantErr: false, + additionalChars: defaultAdditionalChars, + EnablePathTypeValidation: false, + copyIng: generateDumbIngressforPathTest(&pathTypeImplSpecific, "/foo/bar/(.+)"), }, { - name: "should accept path with regex characters and pathType exact, but pathType validation disabled", - wantErr: false, - additionalChars: defaultAdditionalChars, - disablePathTypeValidation: true, - copyIng: generateDumbIngressforPathTest(&pathTypeImplSpecific, "/foo/bar/(.+)"), + name: "should accept path with regex characters and pathType exact, but pathType validation disabled", + wantErr: false, + additionalChars: defaultAdditionalChars, + EnablePathTypeValidation: false, + copyIng: generateDumbIngressforPathTest(&pathTypeExact, "/foo/bar/(.+)"), }, { - name: "should reject path when the allowed additional set does not match", - wantErr: true, - additionalChars: "().?", - disablePathTypeValidation: false, - copyIng: generateDumbIngressforPathTest(&pathTypeImplSpecific, "/foo/bar/(.+)"), + name: "should reject path when the allowed additional set does not match", + wantErr: true, + additionalChars: "().?", + EnablePathTypeValidation: false, + copyIng: generateDumbIngressforPathTest(&pathTypeImplSpecific, "/foo/bar/(.+)"), }, { - name: "should accept path when the allowed additional set does match", - wantErr: false, - additionalChars: "().?", - copyIng: generateDumbIngressforPathTest(&pathTypeImplSpecific, "/foo/bar/(.?)"), + name: "should accept path when the allowed additional set does match", + wantErr: false, + additionalChars: "().?", + EnablePathTypeValidation: false, + copyIng: generateDumbIngressforPathTest(&pathTypeImplSpecific, "/foo/bar/(.?)"), }, { - name: "should block if at least one path is bad", - wantErr: true, - copyIng: generateComplexIngress(generateDumbIngressforPathTest(&pathTypeExact, "/foo/bar/(.?)")), + name: "should block if at least one path is bad", + wantErr: true, + EnablePathTypeValidation: false, + copyIng: generateComplexIngress(generateDumbIngressforPathTest(&pathTypeExact, "/foo/bar/(.?)")), }, { - name: "should block if at least one path is bad", - wantErr: true, - copyIng: generateComplexIngress(generateDumbIngressforPathTest(&pathTypeImplSpecific, "/foo/bar/(.?)")), + name: "should block if at least one path is bad", + wantErr: true, + EnablePathTypeValidation: false, + copyIng: generateComplexIngress(generateDumbIngressforPathTest(&pathTypeImplSpecific, "/foo/bar/(.?)")), }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - if err := ValidateIngressPath(tt.copyIng, tt.disablePathTypeValidation, tt.additionalChars); (err != nil) != tt.wantErr { + if err := ValidateIngressPath(tt.copyIng, tt.EnablePathTypeValidation, tt.additionalChars); (err != nil) != tt.wantErr { t.Errorf("ValidateIngressPath() error = %v, wantErr %v", err, tt.wantErr) } }) diff --git a/test/e2e/admission/admission.go b/test/e2e/admission/admission.go index 5c037a0c5..e0f55df4e 100644 --- a/test/e2e/admission/admission.go +++ b/test/e2e/admission/admission.go @@ -160,9 +160,22 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() { assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid annotation value should return an error") }) - ginkgo.It("should reject ingress with bad characters and pathType != ImplementationSpecific", func() { + ginkgo.It("ADMISSION should not validate characters on ingress when validation of pathType is disabled", func() { host := "admission-test" + f.UpdateNginxConfigMapData("enable-pathtype-validation", "false") + + firstIngress := framework.NewSingleIngress("first-ingress", "/xpto*", host, f.Namespace, framework.EchoService, 80, nil) + firstIngress.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathPrefix + _, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{}) + assert.Nil(ginkgo.GinkgoT(), err, "creating an ingress with regex chars on path and pathType validation disabled should be accepted") + }) + + ginkgo.It("ADMISSION should reject ingress with bad characters and pathType != ImplementationSpecific", func() { + host := "admission-test" + + f.UpdateNginxConfigMapData("enable-pathtype-validation", "true") + firstIngress := framework.NewSingleIngress("first-ingress", "/xpto*", host, f.Namespace, framework.EchoService, 80, nil) firstIngress.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathPrefix _, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{}) @@ -175,18 +188,7 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() { }) - ginkgo.It("should not validate characters on ingress when validation of pathType is disabled", func() { - host := "admission-test" - - f.UpdateNginxConfigMapData("disable-pathtype-validation", "true") - - firstIngress := framework.NewSingleIngress("first-ingress", "/xpto*", host, f.Namespace, framework.EchoService, 80, nil) - firstIngress.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathPrefix - _, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "creating an ingress with regex chars on path and pathType validation disabled should be accepted") - }) - - ginkgo.It("should return an error if there is a forbidden value in some annotation", func() { + ginkgo.It("ADMISSION should return an error if there is a forbidden value in some annotation", func() { host := "admission-test" annotations := map[string]string{ diff --git a/build/run-e2e-suite.sh b/test/e2e/run-e2e-suite.sh similarity index 97% rename from build/run-e2e-suite.sh rename to test/e2e/run-e2e-suite.sh index ae38b5fcc..7920c0523 100755 --- a/build/run-e2e-suite.sh +++ b/test/e2e/run-e2e-suite.sh @@ -14,10 +14,16 @@ # See the License for the specific language governing permissions and # limitations under the License. -if ! [ -z "$DEBUG" ]; then +if [ -n "$DEBUG" ]; then set -x +else + trap cleanup EXIT fi +function cleanup { + kubectl delete pod e2e 2>/dev/null || true +} + set -o errexit set -o nounset set -o pipefail @@ -43,16 +49,11 @@ if [ "$missing" = true ]; then exit 1 fi -function cleanup { - kubectl delete pod e2e 2>/dev/null || true -} -trap cleanup EXIT - E2E_CHECK_LEAKS=${E2E_CHECK_LEAKS:-} FOCUS=${FOCUS:-.*} BASEDIR=$(dirname "$0") -NGINX_BASE_IMAGE=$(cat $BASEDIR/../NGINX_BASE) +NGINX_BASE_IMAGE=$(cat $BASEDIR/../../NGINX_BASE) export E2E_CHECK_LEAKS export FOCUS diff --git a/test/e2e/run.sh b/test/e2e/run-kind-e2e.sh similarity index 62% rename from test/e2e/run.sh rename to test/e2e/run-kind-e2e.sh index 17dad6c39..bb61706b4 100755 --- a/test/e2e/run.sh +++ b/test/e2e/run-kind-e2e.sh @@ -14,13 +14,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -KIND_LOG_LEVEL="1" - -if ! [ -z $DEBUG ]; then - set -x - KIND_LOG_LEVEL="6" -fi - set -o errexit set -o nounset set -o pipefail @@ -31,45 +24,56 @@ cleanup() { fi kind delete cluster \ - --verbosity=${KIND_LOG_LEVEL} \ - --name ${KIND_CLUSTER_NAME} + --verbosity="${KIND_LOG_LEVEL}" \ + --name "${KIND_CLUSTER_NAME}" } -trap cleanup EXIT +DEBUG=${DEBUG:=false} +if [ "${DEBUG}" = "true" ]; then + set -x + KIND_LOG_LEVEL="6" +else + trap cleanup EXIT +fi + +KIND_LOG_LEVEL="1" +IS_CHROOT="${IS_CHROOT:-false}" export KIND_CLUSTER_NAME=${KIND_CLUSTER_NAME:-ingress-nginx-dev} +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +# Use 1.0.0-dev to make sure we use the latest configuration in the helm template +export TAG=1.0.0-dev +export ARCH=${ARCH:-amd64} +export REGISTRY=ingress-controller +NGINX_BASE_IMAGE=$(cat "$DIR"/../../NGINX_BASE) +export NGINX_BASE_IMAGE=$NGINX_BASE_IMAGE +export DOCKER_CLI_EXPERIMENTAL=enabled +export KUBECONFIG="${KUBECONFIG:-$HOME/.kube/kind-config-$KIND_CLUSTER_NAME}" +SKIP_INGRESS_IMAGE_CREATION="${SKIP_INGRESS_IMAGE_CREATION:-false}" +SKIP_E2E_IMAGE_CREATION="${SKIP_E2E_IMAGE_CREATION:=false}" +SKIP_CLUSTER_CREATION="${SKIP_CLUSTER_CREATION:-false}" if ! command -v kind --version &> /dev/null; then echo "kind is not installed. Use the package manager or visit the official site https://kind.sigs.k8s.io/" exit 1 fi -DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" - -# Use 1.0.0-dev to make sure we use the latest configuration in the helm template -export TAG=1.0.0-dev -export ARCH=${ARCH:-amd64} -export REGISTRY=ingress-controller - -NGINX_BASE_IMAGE=$(cat $DIR/../../NGINX_BASE) - echo "Running e2e with nginx base image ${NGINX_BASE_IMAGE}" -export NGINX_BASE_IMAGE=$NGINX_BASE_IMAGE - -export DOCKER_CLI_EXPERIMENTAL=enabled - -export KUBECONFIG="${KUBECONFIG:-$HOME/.kube/kind-config-$KIND_CLUSTER_NAME}" - -if [ "${SKIP_CLUSTER_CREATION:-false}" = "false" ]; then +if [ "${SKIP_CLUSTER_CREATION}" = "false" ]; then echo "[dev-env] creating Kubernetes cluster with kind" export K8S_VERSION=${K8S_VERSION:-v1.25.2@sha256:9be91e9e9cdf116809841fc77ebdb8845443c4c72fe5218f3ae9eb57fdb4bace} + # delete the cluster if it exists + if kind get clusters | grep "${KIND_CLUSTER_NAME}"; then + kind delete cluster --name "${KIND_CLUSTER_NAME}" + fi + kind create cluster \ - --verbosity=${KIND_LOG_LEVEL} \ - --name ${KIND_CLUSTER_NAME} \ - --config ${DIR}/kind.yaml \ + --verbosity="${KIND_LOG_LEVEL}" \ + --name "${KIND_CLUSTER_NAME}" \ + --config "${DIR}"/kind.yaml \ --retain \ --image "kindest/node:${K8S_VERSION}" @@ -77,16 +81,26 @@ if [ "${SKIP_CLUSTER_CREATION:-false}" = "false" ]; then kubectl get nodes -o wide fi -if [ "${SKIP_IMAGE_CREATION:-false}" = "false" ]; then +if [ "${SKIP_INGRESS_IMAGE_CREATION}" = "false" ]; then + echo "[dev-env] building image" + if [ "${IS_CHROOT}" = "true" ]; then + make -C "${DIR}"/../../ clean-image build image-chroot + docker tag ${REGISTRY}/controller-chroot:${TAG} ${REGISTRY}/controller:${TAG} + else + make -C "${DIR}"/../../ clean-image build image + fi + + echo "[dev-env] .. done building controller images" +fi + +if [ "${SKIP_E2E_IMAGE_CREATION}" = "false" ]; then if ! command -v ginkgo &> /dev/null; then go get github.com/onsi/ginkgo/v2/ginkgo@v2.6.1 fi - echo "[dev-env] building image" - make -C ${DIR}/../../ clean-image build image image-chroot echo "[dev-env] .. done building controller images" echo "[dev-env] now building e2e-image.." - make -C ${DIR}/../e2e-image image + make -C "${DIR}"/../e2e-image image echo "[dev-env] ..done building e2e-image" fi @@ -95,13 +109,7 @@ KIND_WORKERS=$(kind get nodes --name="${KIND_CLUSTER_NAME}" | grep worker | awk echo "[dev-env] copying docker images to cluster..." -kind load docker-image --name="${KIND_CLUSTER_NAME}" --nodes=${KIND_WORKERS} nginx-ingress-controller:e2e - -if [ "${IS_CHROOT:-false}" = "true" ]; then - docker tag ${REGISTRY}/controller-chroot:${TAG} ${REGISTRY}/controller:${TAG} -fi - -kind load docker-image --name="${KIND_CLUSTER_NAME}" --nodes=${KIND_WORKERS} ${REGISTRY}/controller:${TAG} - +kind load docker-image --name="${KIND_CLUSTER_NAME}" --nodes="${KIND_WORKERS}" nginx-ingress-controller:e2e +kind load docker-image --name="${KIND_CLUSTER_NAME}" --nodes="${KIND_WORKERS}" "${REGISTRY}"/controller:"${TAG}" echo "[dev-env] running e2e tests..." -make -C ${DIR}/../../ e2e-test +make -C "${DIR}"/../../ e2e-test \ No newline at end of file From 8918135eeacbe90696ec8fd7f24e8c04203b46d3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 31 Jan 2023 17:31:05 -0800 Subject: [PATCH 139/405] Bump k8s.io/klog/v2 from 2.80.1 to 2.90.0 (#9553) Bumps [k8s.io/klog/v2](https://github.com/kubernetes/klog) from 2.80.1 to 2.90.0. - [Release notes](https://github.com/kubernetes/klog/releases) - [Changelog](https://github.com/kubernetes/klog/blob/main/RELEASE.md) - [Commits](https://github.com/kubernetes/klog/compare/v2.80.1...v2.90.0) --- updated-dependencies: - dependency-name: k8s.io/klog/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 03b3ebdb7..5224aefbe 100644 --- a/go.mod +++ b/go.mod @@ -38,7 +38,7 @@ require ( k8s.io/client-go v0.26.1 k8s.io/code-generator v0.26.1 k8s.io/component-base v0.26.1 - k8s.io/klog/v2 v2.80.1 + k8s.io/klog/v2 v2.90.0 pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 sigs.k8s.io/controller-runtime v0.14.2 sigs.k8s.io/mdtoc v1.1.0 diff --git a/go.sum b/go.sum index 7588a51fb..0a7ed9440 100644 --- a/go.sum +++ b/go.sum @@ -756,8 +756,8 @@ k8s.io/component-base v0.26.1/go.mod h1:VHrLR0b58oC035w6YQiBSbtsf0ThuSwXP+p5dD/k k8s.io/gengo v0.0.0-20220902162205-c0856e24416d h1:U9tB195lKdzwqicbJvyJeOXV7Klv+wNAWENRnXEGi08= k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= -k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4= -k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/klog/v2 v2.90.0 h1:VkTxIV/FjRXn1fgNNcKGM8cfmL1Z33ZjXRTVxKCoF5M= +k8s.io/klog/v2 v2.90.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E= k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 h1:KTgPnR10d5zhztWptI952TNtt/4u5h3IzDXkdIMuo2Y= From 141da0b1ec92d2fa959db539d849a0bde0c74e20 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 31 Jan 2023 17:33:06 -0800 Subject: [PATCH 140/405] Bump google.golang.org/grpc from 1.52.0 to 1.52.3 (#9555) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.52.0 to 1.52.3. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.52.0...v1.52.3) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 5224aefbe..10b9e2fda 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a golang.org/x/crypto v0.5.0 - google.golang.org/grpc v1.52.0 + google.golang.org/grpc v1.52.3 google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 diff --git a/go.sum b/go.sum index 0a7ed9440..6e370c655 100644 --- a/go.sum +++ b/go.sum @@ -679,8 +679,8 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.52.0 h1:kd48UiU7EHsV4rnLyOJRuP/Il/UHE7gdDAQ+SZI7nZk= -google.golang.org/grpc v1.52.0/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5vorUY= +google.golang.org/grpc v1.52.3 h1:pf7sOysg4LdgBqduXveGKrcEwbStiK2rtfghdzlUYDQ= +google.golang.org/grpc v1.52.3/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5vorUY= google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 h1:pPsdyuBif+uoyUoL19yuj/TCfUPsmpJHJZhWQ98JGLU= google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7/go.mod h1:8pQa1yxxkh+EsxUK8/455D5MSbv3vgmEJqKCH3y17mI= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= From 90c857d8e59124fc600be89ac80ee3fc6e9d930a Mon Sep 17 00:00:00 2001 From: James Strong Date: Tue, 31 Jan 2023 21:16:48 -0500 Subject: [PATCH 141/405] build release 1.6.1 image Signed-off-by: James Strong --- TAG | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TAG b/TAG index b7c0a9b1d..023604509 100644 --- a/TAG +++ b/TAG @@ -1 +1 @@ -v1.6.0 +v1.6.1 From 254b814985f8b46510fb1ab2c7f492ac76ad3b4f Mon Sep 17 00:00:00 2001 From: James Strong Date: Wed, 1 Feb 2023 16:51:36 -0500 Subject: [PATCH 142/405] add lint on chart before release (#9570) Signed-off-by: James Strong --- .github/workflows/helm.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml index 5d96507a1..2bd271bb2 100644 --- a/.github/workflows/helm.yaml +++ b/.github/workflows/helm.yaml @@ -25,6 +25,18 @@ jobs: - name: Checkout uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + - name: Run Artifact Hub lint + run: | + wget https://github.com/artifacthub/hub/releases/download/v1.5.0/ah_1.5.0_linux_amd64.tar.gz + echo 'ad0e44c6ea058ab6b85dbf582e88bad9fdbc64ded0d1dd4edbac65133e5c87da *ah_1.5.0_linux_amd64.tar.gz' | shasum -c + tar -xzvf ah_1.5.0_linux_amd64.tar.gz ah + ./ah lint -p charts/ingress-nginx || exit 1 + rm -f ./ah ./ah_1.5.0_linux_amd64.tar.gz + + - name: Lint + run: | + ./build/run-in-docker.sh ./hack/verify-chart-lint.sh + - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter with: From 6c41f19b55ae950885eecd34511f4f1567f11f6a Mon Sep 17 00:00:00 2001 From: James Strong Date: Thu, 2 Feb 2023 14:28:43 -0500 Subject: [PATCH 143/405] add path validation to implementation specific as well (#9573) Signed-off-by: James Strong --- pkg/util/ingress/ingress.go | 8 +++++--- pkg/util/ingress/ingress_test.go | 4 ++-- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/pkg/util/ingress/ingress.go b/pkg/util/ingress/ingress.go index acadad432..91243e2cc 100644 --- a/pkg/util/ingress/ingress.go +++ b/pkg/util/ingress/ingress.go @@ -282,9 +282,11 @@ func checkPath(paths []networkingv1.HTTPIngressPath, enablePathTypeValidation bo switch pathType := *path.PathType; pathType { case networkingv1.PathTypeImplementationSpecific: - //only match on regex chars per Ingress spec when path is implementation specific - if !regexSpecificChars.MatchString(path.Path) { - return fmt.Errorf("path %s of type %s contains invalid characters", path.Path, *path.PathType) + if enablePathTypeValidation { + //only match on regex chars per Ingress spec when path is implementation specific + if !regexSpecificChars.MatchString(path.Path) { + return fmt.Errorf("path %s of type %s contains invalid characters", path.Path, *path.PathType) + } } case networkingv1.PathTypeExact, networkingv1.PathTypePrefix: diff --git a/pkg/util/ingress/ingress_test.go b/pkg/util/ingress/ingress_test.go index 3bd7f1230..12c2ff1da 100644 --- a/pkg/util/ingress/ingress_test.go +++ b/pkg/util/ingress/ingress_test.go @@ -272,7 +272,7 @@ func TestValidateIngressPath(t *testing.T) { name: "should reject path when the allowed additional set does not match", wantErr: true, additionalChars: "().?", - EnablePathTypeValidation: false, + EnablePathTypeValidation: true, copyIng: generateDumbIngressforPathTest(&pathTypeImplSpecific, "/foo/bar/(.+)"), }, { @@ -291,7 +291,7 @@ func TestValidateIngressPath(t *testing.T) { { name: "should block if at least one path is bad", wantErr: true, - EnablePathTypeValidation: false, + EnablePathTypeValidation: true, copyIng: generateComplexIngress(generateDumbIngressforPathTest(&pathTypeImplSpecific, "/foo/bar/(.?)")), }, } From 3348a6038edb72e19681ce273148d26ba54abea9 Mon Sep 17 00:00:00 2001 From: James Strong Date: Thu, 2 Feb 2023 14:48:36 -0500 Subject: [PATCH 144/405] build 1.6.2 to fix #9569 Signed-off-by: James Strong --- TAG | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TAG b/TAG index 023604509..98610aa42 100644 --- a/TAG +++ b/TAG @@ -1 +1 @@ -v1.6.1 +v1.6.2 \ No newline at end of file From 60d9716b1f075c4eebc957cff831a5d351f8cfa2 Mon Sep 17 00:00:00 2001 From: Jongwoo Han Date: Mon, 6 Feb 2023 16:37:00 +0900 Subject: [PATCH 145/405] Replace deprecated command with environment file (#9581) Signed-off-by: jongwooo --- .github/workflows/vulnerability-scans.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index 67fad3187..b19031ff6 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -42,7 +42,7 @@ jobs: echo "${SHORT_TAGS[0]},${SHORT_TAGS[1]},${SHORT_TAGS[2]}" TAGS_JSON="[\"${SHORT_TAGS[0]}\",\"${SHORT_TAGS[1]}\",\"${SHORT_TAGS[2]}\"]" echo "${TAGS_JSON}" - echo "::set-output name=TAGS::${TAGS_JSON}" + echo "TAGS=${TAGS_JSON}" >> $GITHUB_OUTPUT scan: runs-on: ubuntu-latest From 460181b1de53f191df6d3f0a19915193cb253642 Mon Sep 17 00:00:00 2001 From: Ismayil Mirzali Date: Wed, 18 Jan 2023 15:10:34 +0200 Subject: [PATCH 146/405] Bump `client-go` to remove dependence on go-autorest dependency (#9488) * deps: bump k8s dependencies to remove go-autorest * fix: update use of apiv1.LoadBalancerIngress Due to changes in the Kubernetes API, we needed to switch to using v1.IngressLoadBalancerIngress instead of apiv1.LoadBalancerIngress. The struct is otherwise identical despite the name change. * fix ingress status test cases Signed-off-by: Jintao Zhang Signed-off-by: Ismayil Mirzali Signed-off-by: Jintao Zhang Signed-off-by: Ismayil Mirzali Co-authored-by: Jintao Zhang --- go.mod | 35 ++++----- go.sum | 83 +++++++-------------- internal/ingress/status/status.go | 45 ++++++------ internal/ingress/status/status_test.go | 99 +++++++++++++------------- test/e2e/status/update.go | 8 +-- 5 files changed, 114 insertions(+), 156 deletions(-) diff --git a/go.mod b/go.mod index 2daf8e667..780cac648 100644 --- a/go.mod +++ b/go.mod @@ -30,14 +30,14 @@ require ( google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 - k8s.io/api v0.25.4 - k8s.io/apiextensions-apiserver v0.25.0 - k8s.io/apimachinery v0.25.4 - k8s.io/apiserver v0.25.0 - k8s.io/cli-runtime v0.25.0 - k8s.io/client-go v0.25.4 - k8s.io/code-generator v0.25.0 - k8s.io/component-base v0.25.4 + k8s.io/api v0.26.0 + k8s.io/apiextensions-apiserver v0.26.0 + k8s.io/apimachinery v0.26.0 + k8s.io/apiserver v0.26.0 + k8s.io/cli-runtime v0.26.0 + k8s.io/client-go v0.26.0 + k8s.io/code-generator v0.26.0 + k8s.io/component-base v0.26.0 k8s.io/klog/v2 v2.80.1 pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 sigs.k8s.io/controller-runtime v0.13.1 @@ -45,17 +45,7 @@ require ( ) require ( - cloud.google.com/go/compute v1.12.1 // indirect - cloud.google.com/go/compute/metadata v0.2.1 // indirect - github.com/Azure/go-autorest v14.2.0+incompatible // indirect - github.com/Azure/go-autorest/autorest v0.11.27 // indirect - github.com/Azure/go-autorest/autorest/adal v0.9.20 // indirect - github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect - github.com/Azure/go-autorest/logger v0.2.1 // indirect - github.com/Azure/go-autorest/tracing v0.6.0 // indirect github.com/BurntSushi/toml v1.0.0 // indirect - github.com/PuerkitoBio/purell v1.1.1 // indirect - github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect github.com/cespare/xxhash/v2 v2.1.2 // indirect @@ -70,11 +60,10 @@ require ( github.com/go-errors/errors v1.0.1 // indirect github.com/go-logr/logr v1.2.3 // indirect github.com/go-openapi/jsonpointer v0.19.5 // indirect - github.com/go-openapi/jsonreference v0.19.5 // indirect + github.com/go-openapi/jsonreference v0.20.0 // indirect github.com/go-openapi/swag v0.19.14 // indirect github.com/godbus/dbus/v5 v5.0.6 // indirect github.com/gogo/protobuf v1.3.2 // indirect - github.com/golang-jwt/jwt/v4 v4.2.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.2 // indirect github.com/gomarkdown/markdown v0.0.0-20210514010506-3b9f47219fe7 // indirect @@ -123,9 +112,9 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/gengo v0.0.0-20211129171323-c02415ce4185 // indirect - k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect - k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect + k8s.io/gengo v0.0.0-20220902162205-c0856e24416d // indirect + k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect + k8s.io/utils v0.0.0-20221107191617-1a15be271d1d // indirect sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect sigs.k8s.io/kustomize/api v0.12.1 // indirect sigs.k8s.io/kustomize/kyaml v0.13.9 // indirect diff --git a/go.sum b/go.sum index 84a8bb106..f03756bab 100644 --- a/go.sum +++ b/go.sum @@ -19,10 +19,6 @@ cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvf cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= -cloud.google.com/go/compute v1.12.1 h1:gKVJMEyqV5c/UnpzjjQbo3Rjvvqpr9B1DFSbJC4OXr0= -cloud.google.com/go/compute v1.12.1/go.mod h1:e8yNOBcBONZU1vJKCvCoDw/4JQsA0dpM4x/6PIIOocU= -cloud.google.com/go/compute/metadata v0.2.1 h1:efOwf5ymceDhK6PKMnnrTHP4pppY5L22mle96M1yP48= -cloud.google.com/go/compute/metadata v0.2.1/go.mod h1:jgHgmJd2RKBGzXqF5LR2EZMGxBkeanZ9wwa75XHJgOM= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= @@ -35,30 +31,10 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= -github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= -github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= -github.com/Azure/go-autorest/autorest v0.11.27 h1:F3R3q42aWytozkV8ihzcgMO4OA4cuqr3bNlsEuF6//A= -github.com/Azure/go-autorest/autorest v0.11.27/go.mod h1:7l8ybrIdUmGqZMTD0sRtAr8NvbHjfofbf8RSP2q7w7U= -github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= -github.com/Azure/go-autorest/autorest/adal v0.9.20 h1:gJ3E98kMpFB1MFqQCvA1yFab8vthOeD4VlFRQULxahg= -github.com/Azure/go-autorest/autorest/adal v0.9.20/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= -github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw= -github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= -github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= -github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw= -github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU= -github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg= -github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= -github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= -github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.0.0 h1:dtDWrepsVPfW9H/4y7dDgFc2MBUSeJhlaDtK13CxFlU= github.com/BurntSushi/toml v1.0.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI= -github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M= -github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= @@ -126,7 +102,6 @@ github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vb github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= -github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0= @@ -135,8 +110,8 @@ github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A= github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY= github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonreference v0.19.5 h1:1WJP/wi4OjB4iV8KVbH73rQaoialJrqv8gitZLxGLtM= -github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg= +github.com/go-openapi/jsonreference v0.20.0 h1:MYlu0sBgChmCfJxxUKZ8g1cPWFOB37YSZqewK7OKeyA= +github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo= github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng= github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= @@ -147,9 +122,6 @@ github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5x github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= -github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU= -github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= @@ -362,7 +334,6 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= -github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA= github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= @@ -421,8 +392,6 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.5.0 h1:U/0M97KRkSFvyD/3FSmdP5W5swImpNgle/EHFhOsQPE= golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= @@ -471,7 +440,6 @@ golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= @@ -490,7 +458,6 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.5.0 h1:GyT4nK/YDHSqa1c4753ouYCDajOYKTja9Xb/OHtgvSw= golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= @@ -511,7 +478,6 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -750,32 +716,31 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.25.4 h1:3YO8J4RtmG7elEgaWMb4HgmpS2CfY1QlaOz9nwB+ZSs= -k8s.io/api v0.25.4/go.mod h1:IG2+RzyPQLllQxnhzD8KQNEu4c4YvyDTpSMztf4A0OQ= -k8s.io/apiextensions-apiserver v0.25.0 h1:CJ9zlyXAbq0FIW8CD7HHyozCMBpDSiH7EdrSTCZcZFY= -k8s.io/apiextensions-apiserver v0.25.0/go.mod h1:3pAjZiN4zw7R8aZC5gR0y3/vCkGlAjCazcg1me8iB/E= -k8s.io/apimachinery v0.25.4 h1:CtXsuaitMESSu339tfhVXhQrPET+EiWnIY1rcurKnAc= -k8s.io/apimachinery v0.25.4/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo= -k8s.io/apiserver v0.25.0 h1:8kl2ifbNffD440MyvHtPaIz1mw4mGKVgWqM0nL+oyu4= -k8s.io/apiserver v0.25.0/go.mod h1:BKwsE+PTC+aZK+6OJQDPr0v6uS91/HWxX7evElAH6xo= -k8s.io/cli-runtime v0.25.0 h1:XBnTc2Fi+w818jcJGzhiJKQuXl8479sZ4FhtV5hVJ1Q= -k8s.io/cli-runtime v0.25.0/go.mod h1:bHOI5ZZInRHhbq12OdUiYZQN8ml8aKZLwQgt9QlLINw= -k8s.io/client-go v0.25.4 h1:3RNRDffAkNU56M/a7gUfXaEzdhZlYhoW8dgViGy5fn8= -k8s.io/client-go v0.25.4/go.mod h1:8trHCAC83XKY0wsBIpbirZU4NTUpbuhc2JnI7OruGZw= -k8s.io/code-generator v0.25.0 h1:QP8fJuXu882ztf6dsqJsso/Btm94pMd68TAZC1rE6KI= -k8s.io/code-generator v0.25.0/go.mod h1:B6jZgI3DvDFAualltPitbYMQ74NjaCFxum3YeKZZ+3w= -k8s.io/component-base v0.25.4 h1:n1bjg9Yt+G1C0WnIDJmg2fo6wbEU1UGMRiQSjmj7hNQ= -k8s.io/component-base v0.25.4/go.mod h1:nnZJU8OP13PJEm6/p5V2ztgX2oyteIaAGKGMYb2L2cY= -k8s.io/gengo v0.0.0-20211129171323-c02415ce4185 h1:TT1WdmqqXareKxZ/oNXEUSwKlLiHzPMyB0t8BaFeBYI= -k8s.io/gengo v0.0.0-20211129171323-c02415ce4185/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= -k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= +k8s.io/api v0.26.0 h1:IpPlZnxBpV1xl7TGk/X6lFtpgjgntCg8PJ+qrPHAC7I= +k8s.io/api v0.26.0/go.mod h1:k6HDTaIFC8yn1i6pSClSqIwLABIcLV9l5Q4EcngKnQg= +k8s.io/apiextensions-apiserver v0.26.0 h1:Gy93Xo1eg2ZIkNX/8vy5xviVSxwQulsnUdQ00nEdpDo= +k8s.io/apiextensions-apiserver v0.26.0/go.mod h1:7ez0LTiyW5nq3vADtK6C3kMESxadD51Bh6uz3JOlqWQ= +k8s.io/apimachinery v0.26.0 h1:1feANjElT7MvPqp0JT6F3Ss6TWDwmcjLypwoPpEf7zg= +k8s.io/apimachinery v0.26.0/go.mod h1:tnPmbONNJ7ByJNz9+n9kMjNP8ON+1qoAIIC70lztu74= +k8s.io/apiserver v0.26.0 h1:q+LqIK5EZwdznGZb8bq0+a+vCqdeEEe4Ux3zsOjbc4o= +k8s.io/apiserver v0.26.0/go.mod h1:aWhlLD+mU+xRo+zhkvP/gFNbShI4wBDHS33o0+JGI84= +k8s.io/cli-runtime v0.26.0 h1:aQHa1SyUhpqxAw1fY21x2z2OS5RLtMJOCj7tN4oq8mw= +k8s.io/cli-runtime v0.26.0/go.mod h1:o+4KmwHzO/UK0wepE1qpRk6l3o60/txUZ1fEXWGIKTY= +k8s.io/client-go v0.26.0 h1:lT1D3OfO+wIi9UFolCrifbjUUgu7CpLca0AD8ghRLI8= +k8s.io/client-go v0.26.0/go.mod h1:I2Sh57A79EQsDmn7F7ASpmru1cceh3ocVT9KlX2jEZg= +k8s.io/code-generator v0.26.0 h1:ZDY+7Gic9p/lACgD1G72gQg2CvNGeAYZTPIncv+iALM= +k8s.io/code-generator v0.26.0/go.mod h1:OMoJ5Dqx1wgaQzKgc+ZWaZPfGjdRq/Y3WubFrZmeI3I= +k8s.io/component-base v0.26.0 h1:0IkChOCohtDHttmKuz+EP3j3+qKmV55rM9gIFTXA7Vs= +k8s.io/component-base v0.26.0/go.mod h1:lqHwlfV1/haa14F/Z5Zizk5QmzaVf23nQzCwVOQpfC8= +k8s.io/gengo v0.0.0-20220902162205-c0856e24416d h1:U9tB195lKdzwqicbJvyJeOXV7Klv+wNAWENRnXEGi08= +k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4= k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 h1:MQ8BAZPZlWk3S9K4a9NCkIFQtZShWqoha7snGixVgEA= -k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU= -k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed h1:jAne/RjBTyawwAy0utX5eqigAwz/lQhTmy+Hr/Cpue4= -k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E= +k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= +k8s.io/utils v0.0.0-20221107191617-1a15be271d1d h1:0Smp/HP1OH4Rvhe+4B8nWGERtlqAGSftbSbbmm45oFs= +k8s.io/utils v0.0.0-20221107191617-1a15be271d1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 h1:SAElp8THCfmBdM+4lmWX5gebiSSkEr7PAYDVF91qpfg= pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732/go.mod h1:lpvCfhqEHNJSSpG5R5A2EgsVzG8RTt4RfPoQuRAcDmg= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= diff --git a/internal/ingress/status/status.go b/internal/ingress/status/status.go index 2e53682a0..eac1f6cb0 100644 --- a/internal/ingress/status/status.go +++ b/internal/ingress/status/status.go @@ -19,6 +19,7 @@ package status import ( "context" "fmt" + v1 "k8s.io/api/networking/v1" "net" "regexp" "sort" @@ -128,7 +129,7 @@ func (s statusSync) Shutdown() { } klog.InfoS("removing value from ingress status", "address", addrs) - s.updateStatus([]apiv1.LoadBalancerIngress{}) + s.updateStatus([]v1.IngressLoadBalancerIngress{}) } func (s *statusSync) sync(key interface{}) error { @@ -160,21 +161,21 @@ func NewStatusSyncer(config Config) Syncer { return st } -func nameOrIPToLoadBalancerIngress(nameOrIP string) apiv1.LoadBalancerIngress { +func nameOrIPToLoadBalancerIngress(nameOrIP string) v1.IngressLoadBalancerIngress { if net.ParseIP(nameOrIP) != nil { - return apiv1.LoadBalancerIngress{IP: nameOrIP} + return v1.IngressLoadBalancerIngress{IP: nameOrIP} } - return apiv1.LoadBalancerIngress{Hostname: nameOrIP} + return v1.IngressLoadBalancerIngress{Hostname: nameOrIP} } // runningAddresses returns a list of IP addresses and/or FQDN where the // ingress controller is currently running -func (s *statusSync) runningAddresses() ([]apiv1.LoadBalancerIngress, error) { +func (s *statusSync) runningAddresses() ([]v1.IngressLoadBalancerIngress, error) { if s.PublishStatusAddress != "" { re := regexp.MustCompile(`,\s*`) multipleAddrs := re.Split(s.PublishStatusAddress, -1) - addrs := make([]apiv1.LoadBalancerIngress, len(multipleAddrs)) + addrs := make([]v1.IngressLoadBalancerIngress, len(multipleAddrs)) for i, addr := range multipleAddrs { addrs[i] = nameOrIPToLoadBalancerIngress(addr) } @@ -193,7 +194,7 @@ func (s *statusSync) runningAddresses() ([]apiv1.LoadBalancerIngress, error) { return nil, err } - addrs := make([]apiv1.LoadBalancerIngress, 0) + addrs := make([]v1.IngressLoadBalancerIngress, 0) for i := range pods.Items { pod := pods.Items[i] // only Running pods are valid @@ -250,7 +251,7 @@ func (s *statusSync) isRunningMultiplePods() bool { // standardizeLoadBalancerIngresses sorts the list of loadbalancer by // IP -func standardizeLoadBalancerIngresses(lbi []apiv1.LoadBalancerIngress) []apiv1.LoadBalancerIngress { +func standardizeLoadBalancerIngresses(lbi []v1.IngressLoadBalancerIngress) []v1.IngressLoadBalancerIngress { sort.SliceStable(lbi, func(a, b int) bool { return lbi[a].IP < lbi[b].IP }) @@ -259,7 +260,7 @@ func standardizeLoadBalancerIngresses(lbi []apiv1.LoadBalancerIngress) []apiv1.L } // updateStatus changes the status information of Ingress rules -func (s *statusSync) updateStatus(newIngressPoint []apiv1.LoadBalancerIngress) { +func (s *statusSync) updateStatus(newIngressPoint []v1.IngressLoadBalancerIngress) { ings := s.IngressLister.ListIngresses() p := pool.NewLimited(10) @@ -283,7 +284,7 @@ func (s *statusSync) updateStatus(newIngressPoint []apiv1.LoadBalancerIngress) { batch.WaitAll() } -func runUpdate(ing *ingress.Ingress, status []apiv1.LoadBalancerIngress, +func runUpdate(ing *ingress.Ingress, status []v1.IngressLoadBalancerIngress, client clientset.Interface) pool.WorkFunc { return func(wu pool.WorkUnit) (interface{}, error) { if wu.IsCancelled() { @@ -307,7 +308,7 @@ func runUpdate(ing *ingress.Ingress, status []apiv1.LoadBalancerIngress, } } -func lessLoadBalancerIngress(addrs []apiv1.LoadBalancerIngress) func(int, int) bool { +func lessLoadBalancerIngress(addrs []v1.IngressLoadBalancerIngress) func(int, int) bool { return func(a, b int) bool { switch strings.Compare(addrs[a].Hostname, addrs[b].Hostname) { case -1: @@ -319,7 +320,7 @@ func lessLoadBalancerIngress(addrs []apiv1.LoadBalancerIngress) func(int, int) b } } -func ingressSliceEqual(lhs, rhs []apiv1.LoadBalancerIngress) bool { +func ingressSliceEqual(lhs, rhs []v1.IngressLoadBalancerIngress) bool { if len(lhs) != len(rhs) { return false } @@ -336,7 +337,7 @@ func ingressSliceEqual(lhs, rhs []apiv1.LoadBalancerIngress) bool { return true } -func statusAddressFromService(service string, kubeClient clientset.Interface) ([]apiv1.LoadBalancerIngress, error) { +func statusAddressFromService(service string, kubeClient clientset.Interface) ([]v1.IngressLoadBalancerIngress, error) { ns, name, _ := k8s.ParseNameNS(service) svc, err := kubeClient.CoreV1().Services(ns).Get(context.TODO(), name, metav1.GetOptions{}) if err != nil { @@ -345,28 +346,28 @@ func statusAddressFromService(service string, kubeClient clientset.Interface) ([ switch svc.Spec.Type { case apiv1.ServiceTypeExternalName: - return []apiv1.LoadBalancerIngress{{ + return []v1.IngressLoadBalancerIngress{{ Hostname: svc.Spec.ExternalName, }}, nil case apiv1.ServiceTypeClusterIP: - return []apiv1.LoadBalancerIngress{{ + return []v1.IngressLoadBalancerIngress{{ IP: svc.Spec.ClusterIP, }}, nil case apiv1.ServiceTypeNodePort: if svc.Spec.ExternalIPs == nil { - return []apiv1.LoadBalancerIngress{{ + return []v1.IngressLoadBalancerIngress{{ IP: svc.Spec.ClusterIP, }}, nil } - addrs := make([]apiv1.LoadBalancerIngress, len(svc.Spec.ExternalIPs)) + addrs := make([]v1.IngressLoadBalancerIngress, len(svc.Spec.ExternalIPs)) for i, ip := range svc.Spec.ExternalIPs { - addrs[i] = apiv1.LoadBalancerIngress{IP: ip} + addrs[i] = v1.IngressLoadBalancerIngress{IP: ip} } return addrs, nil case apiv1.ServiceTypeLoadBalancer: - addrs := make([]apiv1.LoadBalancerIngress, len(svc.Status.LoadBalancer.Ingress)) + addrs := make([]v1.IngressLoadBalancerIngress, len(svc.Status.LoadBalancer.Ingress)) for i, ingress := range svc.Status.LoadBalancer.Ingress { - addrs[i] = apiv1.LoadBalancerIngress{} + addrs[i] = v1.IngressLoadBalancerIngress{} if ingress.Hostname != "" { addrs[i].Hostname = ingress.Hostname } @@ -376,7 +377,7 @@ func statusAddressFromService(service string, kubeClient clientset.Interface) ([ } for _, ip := range svc.Spec.ExternalIPs { if !stringInIngresses(ip, addrs) { - addrs = append(addrs, apiv1.LoadBalancerIngress{IP: ip}) + addrs = append(addrs, v1.IngressLoadBalancerIngress{IP: ip}) } } return addrs, nil @@ -386,7 +387,7 @@ func statusAddressFromService(service string, kubeClient clientset.Interface) ([ } // stringInSlice returns true if s is in list -func stringInIngresses(s string, list []apiv1.LoadBalancerIngress) bool { +func stringInIngresses(s string, list []v1.IngressLoadBalancerIngress) bool { for _, v := range list { if v.IP == s || v.Hostname == s { return true diff --git a/internal/ingress/status/status_test.go b/internal/ingress/status/status_test.go index d4ef09e7c..3dd56f37d 100644 --- a/internal/ingress/status/status_test.go +++ b/internal/ingress/status/status_test.go @@ -34,8 +34,8 @@ import ( "k8s.io/ingress-nginx/pkg/apis/ingress" ) -func buildLoadBalancerIngressByIP() []apiv1.LoadBalancerIngress { - return []apiv1.LoadBalancerIngress{ +func buildLoadBalancerIngressByIP() []networking.IngressLoadBalancerIngress { + return []networking.IngressLoadBalancerIngress{ { IP: "10.0.0.1", Hostname: "foo1", @@ -123,17 +123,20 @@ func buildSimpleClientSet() *testclient.Clientset { }, }}, &apiv1.ServiceList{Items: []apiv1.Service{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: "foo", - Namespace: apiv1.NamespaceDefault, - }, - Status: apiv1.ServiceStatus{ - LoadBalancer: apiv1.LoadBalancerStatus{ - Ingress: buildLoadBalancerIngressByIP(), - }, - }, - }, + // This is commented out as the ServiceStatus.LoadBalancer field expects a LoadBalancerStatus object + // which is incompatible with the current Ingress struct which expects a IngressLoadBalancerStatus object + // TODO: update this service when the ServiceStatus struct gets updated + //{ + // ObjectMeta: metav1.ObjectMeta{ + // Name: "foo", + // Namespace: apiv1.NamespaceDefault, + // }, + // Status: apiv1.ServiceStatus{ + // LoadBalancer: apiv1.LoadBalancerStatus{ + // Ingress: buildLoadBalancerIngressByIP(), + // }, + // }, + //}, { ObjectMeta: metav1.ObjectMeta{ Name: "foo_non_exist", @@ -199,8 +202,8 @@ func buildExtensionsIngresses() []networking.Ingress { Namespace: apiv1.NamespaceDefault, }, Status: networking.IngressStatus{ - LoadBalancer: apiv1.LoadBalancerStatus{ - Ingress: []apiv1.LoadBalancerIngress{ + LoadBalancer: networking.IngressLoadBalancerStatus{ + Ingress: []networking.IngressLoadBalancerIngress{ { IP: "10.0.0.1", Hostname: "foo1", @@ -218,8 +221,8 @@ func buildExtensionsIngresses() []networking.Ingress { }, }, Status: networking.IngressStatus{ - LoadBalancer: apiv1.LoadBalancerStatus{ - Ingress: []apiv1.LoadBalancerIngress{ + LoadBalancer: networking.IngressLoadBalancerStatus{ + Ingress: []networking.IngressLoadBalancerIngress{ { IP: "0.0.0.0", Hostname: "foo.bar.com", @@ -234,8 +237,8 @@ func buildExtensionsIngresses() []networking.Ingress { Namespace: apiv1.NamespaceDefault, }, Status: networking.IngressStatus{ - LoadBalancer: apiv1.LoadBalancerStatus{ - Ingress: []apiv1.LoadBalancerIngress{}, + LoadBalancer: networking.IngressLoadBalancerStatus{ + Ingress: []networking.IngressLoadBalancerIngress{}, }, }, }, @@ -261,7 +264,7 @@ func (til *testIngressLister) ListIngresses() []*ingress.Ingress { Namespace: apiv1.NamespaceDefault, }, Status: networking.IngressStatus{ - LoadBalancer: apiv1.LoadBalancerStatus{ + LoadBalancer: networking.IngressLoadBalancerStatus{ Ingress: buildLoadBalancerIngressByIP(), }, }, @@ -325,7 +328,7 @@ func TestStatusActions(t *testing.T) { fk.sync("just-test") // PublishService is empty, so the running address is: ["11.0.0.2"] // after updated, the ingress's ip should only be "11.0.0.2" - newIPs := []apiv1.LoadBalancerIngress{{ + newIPs := []networking.IngressLoadBalancerIngress{{ IP: "11.0.0.2", }} fooIngress1, err1 := fk.Client.NetworkingV1().Ingresses(apiv1.NamespaceDefault).Get(context.TODO(), "foo_ingress_1", metav1.GetOptions{}) @@ -342,7 +345,7 @@ func TestStatusActions(t *testing.T) { // execute shutdown fk.Shutdown() // ingress should be empty - newIPs2 := []apiv1.LoadBalancerIngress{} + var newIPs2 []networking.IngressLoadBalancerIngress fooIngress2, err2 := fk.Client.NetworkingV1().Ingresses(apiv1.NamespaceDefault).Get(context.TODO(), "foo_ingress_1", metav1.GetOptions{}) if err2 != nil { t.Fatalf("unexpected error") @@ -382,7 +385,7 @@ func TestKeyfunc(t *testing.T) { func TestRunningAddressesWithPublishService(t *testing.T) { testCases := map[string]struct { fakeClient *testclient.Clientset - expected []apiv1.LoadBalancerIngress + expected []networking.IngressLoadBalancerIngress errExpected bool }{ "service type ClusterIP": { @@ -416,7 +419,7 @@ func TestRunningAddressesWithPublishService(t *testing.T) { }, }, ), - []apiv1.LoadBalancerIngress{ + []networking.IngressLoadBalancerIngress{ {IP: "1.1.1.1"}, }, false, @@ -437,7 +440,7 @@ func TestRunningAddressesWithPublishService(t *testing.T) { }, }, ), - []apiv1.LoadBalancerIngress{ + []networking.IngressLoadBalancerIngress{ {IP: "1.1.1.1"}, }, false, @@ -458,7 +461,7 @@ func TestRunningAddressesWithPublishService(t *testing.T) { }, }, ), - []apiv1.LoadBalancerIngress{ + []networking.IngressLoadBalancerIngress{ {Hostname: "foo.bar"}, }, false, @@ -495,7 +498,7 @@ func TestRunningAddressesWithPublishService(t *testing.T) { }, }, ), - []apiv1.LoadBalancerIngress{ + []networking.IngressLoadBalancerIngress{ {IP: "10.0.0.1"}, {Hostname: "foo"}, { @@ -530,7 +533,7 @@ func TestRunningAddressesWithPublishService(t *testing.T) { }, }, ), - []apiv1.LoadBalancerIngress{ + []networking.IngressLoadBalancerIngress{ {IP: "10.0.0.1"}, }, false, @@ -568,7 +571,7 @@ func TestRunningAddressesWithPublishService(t *testing.T) { } if ra == nil { - t.Fatalf("returned nil but expected valid []apiv1.LoadBalancerIngress") + t.Fatalf("returned nil but expected valid []networking.IngressLoadBalancerIngress") } if !reflect.DeepEqual(tc.expected, ra) { @@ -584,7 +587,7 @@ func TestRunningAddressesWithPods(t *testing.T) { r, _ := fk.runningAddresses() if r == nil { - t.Fatalf("returned nil but expected valid []apiv1.LoadBalancerIngress") + t.Fatalf("returned nil but expected valid []networking.IngressLoadBalancerIngress") } rl := len(r) if len(r) != 1 { @@ -592,7 +595,7 @@ func TestRunningAddressesWithPods(t *testing.T) { } rv := r[0] if rv.IP != "11.0.0.2" { - t.Errorf("returned %v but expected %v", rv, apiv1.LoadBalancerIngress{IP: "11.0.0.2"}) + t.Errorf("returned %v but expected %v", rv, networking.IngressLoadBalancerIngress{IP: "11.0.0.2"}) } } @@ -602,7 +605,7 @@ func TestRunningAddressesWithPublishStatusAddress(t *testing.T) { ra, _ := fk.runningAddresses() if ra == nil { - t.Fatalf("returned nil but expected valid []apiv1.LoadBalancerIngress") + t.Fatalf("returned nil but expected valid []networking.IngressLoadBalancerIngress") } rl := len(ra) if len(ra) != 1 { @@ -610,7 +613,7 @@ func TestRunningAddressesWithPublishStatusAddress(t *testing.T) { } rv := ra[0] if rv.IP != "127.0.0.1" { - t.Errorf("returned %v but expected %v", rv, apiv1.LoadBalancerIngress{IP: "127.0.0.1"}) + t.Errorf("returned %v but expected %v", rv, networking.IngressLoadBalancerIngress{IP: "127.0.0.1"}) } } @@ -620,7 +623,7 @@ func TestRunningAddressesWithPublishStatusAddresses(t *testing.T) { ra, _ := fk.runningAddresses() if ra == nil { - t.Fatalf("returned nil but expected valid []apiv1.LoadBalancerIngress") + t.Fatalf("returned nil but expected valid []networking.IngressLoadBalancerIngress") } rl := len(ra) if len(ra) != 2 { @@ -629,10 +632,10 @@ func TestRunningAddressesWithPublishStatusAddresses(t *testing.T) { rv := ra[0] rv2 := ra[1] if rv.IP != "127.0.0.1" { - t.Errorf("returned %v but expected %v", rv, apiv1.LoadBalancerIngress{IP: "127.0.0.1"}) + t.Errorf("returned %v but expected %v", rv, networking.IngressLoadBalancerIngress{IP: "127.0.0.1"}) } if rv2.IP != "1.1.1.1" { - t.Errorf("returned %v but expected %v", rv2, apiv1.LoadBalancerIngress{IP: "1.1.1.1"}) + t.Errorf("returned %v but expected %v", rv2, networking.IngressLoadBalancerIngress{IP: "1.1.1.1"}) } } @@ -642,7 +645,7 @@ func TestRunningAddressesWithPublishStatusAddressesAndSpaces(t *testing.T) { ra, _ := fk.runningAddresses() if ra == nil { - t.Fatalf("returned nil but expected valid []apiv1.LoadBalancerIngresst") + t.Fatalf("returned nil but expected valid []networking.IngressLoadBalancerIngresst") } rl := len(ra) if len(ra) != 2 { @@ -651,15 +654,15 @@ func TestRunningAddressesWithPublishStatusAddressesAndSpaces(t *testing.T) { rv := ra[0] rv2 := ra[1] if rv.IP != "127.0.0.1" { - t.Errorf("returned %v but expected %v", rv, apiv1.LoadBalancerIngress{IP: "127.0.0.1"}) + t.Errorf("returned %v but expected %v", rv, networking.IngressLoadBalancerIngress{IP: "127.0.0.1"}) } if rv2.IP != "1.1.1.1" { - t.Errorf("returned %v but expected %v", rv2, apiv1.LoadBalancerIngress{IP: "1.1.1.1"}) + t.Errorf("returned %v but expected %v", rv2, networking.IngressLoadBalancerIngress{IP: "1.1.1.1"}) } } func TestStandardizeLoadBalancerIngresses(t *testing.T) { - fkEndpoints := []apiv1.LoadBalancerIngress{ + fkEndpoints := []networking.IngressLoadBalancerIngress{ {IP: "2001:db8::68"}, {IP: "10.0.0.1"}, {Hostname: "opensource-k8s-ingress"}, @@ -668,7 +671,7 @@ func TestStandardizeLoadBalancerIngresses(t *testing.T) { r := standardizeLoadBalancerIngresses(fkEndpoints) if r == nil { - t.Fatalf("returned nil but expected a valid []apiv1.LoadBalancerIngress") + t.Fatalf("returned nil but expected a valid []networking.IngressLoadBalancerIngress") } rl := len(r) if rl != 3 { @@ -676,21 +679,21 @@ func TestStandardizeLoadBalancerIngresses(t *testing.T) { } re1 := r[0] if re1.Hostname != "opensource-k8s-ingress" { - t.Fatalf("returned %v but expected %v", re1, apiv1.LoadBalancerIngress{Hostname: "opensource-k8s-ingress"}) + t.Fatalf("returned %v but expected %v", re1, networking.IngressLoadBalancerIngress{Hostname: "opensource-k8s-ingress"}) } re2 := r[1] if re2.IP != "10.0.0.1" { - t.Fatalf("returned %v but expected %v", re2, apiv1.LoadBalancerIngress{IP: "10.0.0.1"}) + t.Fatalf("returned %v but expected %v", re2, networking.IngressLoadBalancerIngress{IP: "10.0.0.1"}) } re3 := r[2] if re3.IP != "2001:db8::68" { - t.Fatalf("returned %v but expected %v", re3, apiv1.LoadBalancerIngress{IP: "2001:db8::68"}) + t.Fatalf("returned %v but expected %v", re3, networking.IngressLoadBalancerIngress{IP: "2001:db8::68"}) } } func TestIngressSliceEqual(t *testing.T) { fk1 := buildLoadBalancerIngressByIP() - fk2 := append(buildLoadBalancerIngressByIP(), apiv1.LoadBalancerIngress{ + fk2 := append(buildLoadBalancerIngressByIP(), networking.IngressLoadBalancerIngress{ IP: "10.0.0.5", Hostname: "foo5", }) @@ -700,8 +703,8 @@ func TestIngressSliceEqual(t *testing.T) { fk4[2].IP = "11.0.0.3" fooTests := []struct { - lhs []apiv1.LoadBalancerIngress - rhs []apiv1.LoadBalancerIngress + lhs []networking.IngressLoadBalancerIngress + rhs []networking.IngressLoadBalancerIngress er bool }{ {fk1, fk1, true}, @@ -710,7 +713,7 @@ func TestIngressSliceEqual(t *testing.T) { {fk4, fk1, false}, {fk1, nil, false}, {nil, nil, true}, - {[]apiv1.LoadBalancerIngress{}, []apiv1.LoadBalancerIngress{}, true}, + {[]networking.IngressLoadBalancerIngress{}, []networking.IngressLoadBalancerIngress{}, true}, } for _, fooTest := range fooTests { diff --git a/test/e2e/status/update.go b/test/e2e/status/update.go index c9c6ef333..8bedc4d4e 100644 --- a/test/e2e/status/update.go +++ b/test/e2e/status/update.go @@ -19,6 +19,7 @@ package settings import ( "context" "fmt" + v1 "k8s.io/api/networking/v1" "log" "net" "strings" @@ -28,7 +29,6 @@ import ( "github.com/stretchr/testify/assert" appsv1 "k8s.io/api/apps/v1" - apiv1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/wait" @@ -87,7 +87,7 @@ var _ = framework.IngressNginxDescribe("[Status] status update", func() { ing, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error getting %s/%v Ingress", f.Namespace, host) - ing.Status.LoadBalancer.Ingress = []apiv1.LoadBalancerIngress{} + ing.Status.LoadBalancer.Ingress = []v1.IngressLoadBalancerIngress{} _, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).UpdateStatus(context.TODO(), ing, metav1.UpdateOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error cleaning Ingress status") framework.Sleep(10 * time.Second) @@ -121,9 +121,9 @@ var _ = framework.IngressNginxDescribe("[Status] status update", func() { return true, nil }) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error waiting for ingress status") - assert.Equal(ginkgo.GinkgoT(), ing.Status.LoadBalancer.Ingress, ([]apiv1.LoadBalancerIngress{ + assert.Equal(ginkgo.GinkgoT(), ing.Status.LoadBalancer.Ingress, []v1.IngressLoadBalancerIngress{ {IP: "1.1.0.0"}, - })) + }) }) }) From 7f8f5f8f68a435948e86b78b76616a67d9d6a652 Mon Sep 17 00:00:00 2001 From: James Strong Date: Fri, 13 Jan 2023 08:54:28 -0500 Subject: [PATCH 147/405] start 1.6.0 release Signed-off-by: James Strong --- TAG | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TAG b/TAG index c9b3c015f..05f629f1b 100644 --- a/TAG +++ b/TAG @@ -1 +1 @@ -v1.5.1 \ No newline at end of file +v1.6.0 \ No newline at end of file From 45632e586397520afee83449737b85de822e8b24 Mon Sep 17 00:00:00 2001 From: Zadkiel Aharonian Date: Thu, 19 Jan 2023 15:36:38 +0100 Subject: [PATCH 148/405] fix(grafana-dashboard): remove hardcoded namespace references (#9523) --- deploy/grafana/dashboards/nginx.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/deploy/grafana/dashboards/nginx.json b/deploy/grafana/dashboards/nginx.json index 85f93c9eb..3c3205b4a 100644 --- a/deploy/grafana/dashboards/nginx.json +++ b/deploy/grafana/dashboards/nginx.json @@ -1312,7 +1312,7 @@ "targets": [ { "exemplar": true, - "expr": "histogram_quantile(0.80, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\",exported_namespace=\"uat\"}[2m])) by (le))", + "expr": "histogram_quantile(0.80, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (le))", "format": "time_series", "hide": false, "instant": false, @@ -1323,7 +1323,7 @@ }, { "exemplar": true, - "expr": "histogram_quantile(0.90, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\",exported_namespace=\"uat\"}[2m])) by (le))", + "expr": "histogram_quantile(0.90, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (le))", "format": "time_series", "hide": false, "instant": false, @@ -1335,7 +1335,7 @@ { "editorMode": "code", "exemplar": true, - "expr": "histogram_quantile(0.99, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\",exported_namespace=\"uat\"}[2m])) by (le))", + "expr": "histogram_quantile(0.99, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (le))", "format": "time_series", "hide": false, "instant": false, @@ -1377,7 +1377,7 @@ "targets": [ { "exemplar": true, - "expr": "sum(increase(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\",exported_namespace=\"uat\"}[2m])) by (le)", + "expr": "sum(increase(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (le)", "format": "heatmap", "interval": "", "legendFormat": "{{le}}", From 87a9f1e007d9f37f194d699914a46409492d324a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 19 Jan 2023 06:48:35 -0800 Subject: [PATCH 149/405] Bump google.golang.org/grpc from 1.51.0 to 1.52.0 (#9512) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 780cac648..2412ad6db 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a golang.org/x/crypto v0.5.0 - google.golang.org/grpc v1.51.0 + google.golang.org/grpc v1.52.0 google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 diff --git a/go.sum b/go.sum index f03756bab..6dc3d7f54 100644 --- a/go.sum +++ b/go.sum @@ -660,8 +660,8 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.51.0 h1:E1eGv1FTqoLIdnBCZufiSHgKjlqG6fKFf6pPWtMTh8U= -google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsAIPww= +google.golang.org/grpc v1.52.0 h1:kd48UiU7EHsV4rnLyOJRuP/Il/UHE7gdDAQ+SZI7nZk= +google.golang.org/grpc v1.52.0/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5vorUY= google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 h1:pPsdyuBif+uoyUoL19yuj/TCfUPsmpJHJZhWQ98JGLU= google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7/go.mod h1:8pQa1yxxkh+EsxUK8/455D5MSbv3vgmEJqKCH3y17mI= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= From 82720c8e1dc1489a03d2a3bbfc949f49bacc5dc3 Mon Sep 17 00:00:00 2001 From: Harpreet singh Date: Thu, 19 Jan 2023 22:58:36 +0800 Subject: [PATCH 150/405] Add CORS template check inside location for externalAuth.SignURL (#8814) * Add CORS template check inside location for externalAuth.SignURL * Add testcase for CORS header for auth-signin redirect with CORS enabled. --- rootfs/etc/nginx/template/nginx.tmpl | 4 +++ test/e2e/annotations/auth.go | 45 ++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index 911cf75ea..958397dd5 100755 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -1180,6 +1180,10 @@ stream { add_header Set-Cookie $auth_cookie; + {{ if $location.CorsConfig.CorsEnabled }} + {{ template "CORS" $location }} + {{ end }} + # Ensure that modsecurity will not run on an internal location as this is not accessible from outside {{ if $all.Cfg.EnableModsecurity }} modsecurity off; diff --git a/test/e2e/annotations/auth.go b/test/e2e/annotations/auth.go index 1f0f4c3b2..e26fcbd46 100644 --- a/test/e2e/annotations/auth.go +++ b/test/e2e/annotations/auth.go @@ -720,6 +720,51 @@ http { }) }) + ginkgo.Context("when external authentication is configured along with CORS enabled", func() { + host := "auth" + var annotations map[string]string + var ing *networking.Ingress + + ginkgo.BeforeEach(func() { + f.NewHttpbinDeployment() + + var httpbinIP string + + err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1) + assert.Nil(ginkgo.GinkgoT(), err) + + e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{}) + assert.Nil(ginkgo.GinkgoT(), err) + + httpbinIP = e.Subsets[0].Addresses[0].IP + + annotations = map[string]string{ + "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP), + "nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start", + "nginx.ingress.kubernetes.io/enable-cors": "true", + } + + ing = framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, func(server string) bool { + return strings.Contains(server, "server_name auth") + }) + }) + + ginkgo.It("should redirect to signin url when not signed in along With CORS headers in response", func() { + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + WithQuery("a", "b"). + WithQuery("c", "d"). + Expect(). + Status(http.StatusFound). + Header("Access-Control-Allow-Origin").Equal(fmt.Sprintf("*")) + + }) + }) + ginkgo.Context("when external authentication with caching is configured", func() { thisHost := "auth" thatHost := "different" From c015c628b5e4e07078a04a5f8c3ced8441c255a3 Mon Sep 17 00:00:00 2001 From: James Strong Date: Wed, 9 Nov 2022 16:05:42 -0500 Subject: [PATCH 151/405] testing auto change Signed-off-by: James Strong --- hack/changelog.sh | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100755 hack/changelog.sh diff --git a/hack/changelog.sh b/hack/changelog.sh new file mode 100755 index 000000000..6ecd9f890 --- /dev/null +++ b/hack/changelog.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +set -o errexit +set -o nounset +set -o pipefail + +declare -a mandatory +mandatory=( + LINES + RELEASE +) + +gh pr list -R kubernetes/ingress-nginx -s merged -L ${LINES} -B main | cut -f1,2 | awk '{ printf "* [%s](https://github.com/kubernetes/ingress-nginx/pull/%s) %s\n",$1,$1, substr($0,6)}' + + From 71e9bdcb685acbfb14d3d7afa56189d7f0f8258f Mon Sep 17 00:00:00 2001 From: James Strong Date: Fri, 11 Nov 2022 09:23:19 -0500 Subject: [PATCH 152/405] Add mage files for changelog Signed-off-by: James Strong --- Changelog.md.gotmpl | 15 + RELEASE.md => MANUAL_RELEASE.md | 10 +- NEW_RELEASE_PROCESS.md | 9 + TAG | 2 +- changelog/Changelog-1.5.2.md | 36 ++ charts/ingress-nginx/changelog/.gitkeep | 0 .../changelog/Changelog-1.5.2.md | 12 + go.mod | 1 + go.sum | 2 + hack/changelog.sh | 15 - ingress-nginx.yaml | 68 ++ magefiles/common.go | 66 ++ magefiles/docker.go | 3 + magefiles/go.go | 15 + magefiles/go.mod | 32 + magefiles/go.sum | 105 +++ magefiles/helm.go | 608 ++++++++++++++++++ magefiles/mage.go | 13 + magefiles/release.go | 526 +++++++++++++++ magefiles/tags.go | 130 ++++ magefiles/yaml.go | 3 + 21 files changed, 1650 insertions(+), 21 deletions(-) create mode 100644 Changelog.md.gotmpl rename RELEASE.md => MANUAL_RELEASE.md (96%) create mode 100644 NEW_RELEASE_PROCESS.md create mode 100644 charts/ingress-nginx/changelog/.gitkeep create mode 100644 charts/ingress-nginx/changelog/Changelog-1.5.2.md delete mode 100755 hack/changelog.sh create mode 100644 ingress-nginx.yaml create mode 100644 magefiles/common.go create mode 100644 magefiles/docker.go create mode 100644 magefiles/go.go create mode 100644 magefiles/go.mod create mode 100644 magefiles/go.sum create mode 100644 magefiles/helm.go create mode 100644 magefiles/mage.go create mode 100644 magefiles/release.go create mode 100644 magefiles/tags.go create mode 100644 magefiles/yaml.go diff --git a/Changelog.md.gotmpl b/Changelog.md.gotmpl new file mode 100644 index 000000000..d35df8ade --- /dev/null +++ b/Changelog.md.gotmpl @@ -0,0 +1,15 @@ +# Changelog + +### {{ .Version }} +Images: +{{ with .ControllerImages }} +{{ range . }} * {{ .Registry }}/{{ .Name }}:{{ .Tag}}@{{ .Digest }} +{{ end }} {{ end }} +### All Changes: +{{ with .Updates }} +{{ range . }}* {{ . }} +{{ end }}{{ end }} +### Dependencies updates: {{ with .DepUpdates }} +{{ range . }}* {{ . }} +{{ end }} {{ end }} +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-{{ .PreviousControllerVersion }}...controller-{{ .NewControllerVersion }} diff --git a/RELEASE.md b/MANUAL_RELEASE.md similarity index 96% rename from RELEASE.md rename to MANUAL_RELEASE.md index ca0faa4e1..d7144b85d 100644 --- a/RELEASE.md +++ b/MANUAL_RELEASE.md @@ -103,7 +103,7 @@ Promoting the images basically means that images, that were pushed to staging co - Fork that other project (if you don't have a fork already). -- Other project to fork [Github repo kubernetes/k8s.io](http://github.com/kubernetes/k8s.io) +- Other project to fork [GitHub repo kubernetes/k8s.io](http://github.com/kubernetes/k8s.io) - Fetch --all and rebase to upstream if already forked. @@ -111,7 +111,7 @@ Promoting the images basically means that images, that were pushed to staging co - In the related branch, of your fork, edit the file /registry.k8s.io/images/k8s-staging-ingress-nginx/images.yaml. -- For making it easier, you can edit your branch directly in the browser. But be careful about making any mistake. +- For making, it easier, you can edit your branch directly in the browser. But be careful about making any mistake. - Insert the sha(s) & the tag(s), in a new line, in this file [Project kubernetes/k8s.io Ingress-Nginx-Controller Images](https://github.com/kubernetes/k8s.io/blob/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml) Look at this [example PR and the diff](https://github.com/kubernetes/k8s.io/pull/2536) to see how it was done before @@ -132,7 +132,7 @@ Promoting the images basically means that images, that were pushed to staging co - Make sure to get the tag and sha of the promoted image from the step before, either from cloudbuild or from [here](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/ingress-nginx/controller). -- This involves editing of several different files. So carefully follow the steps below and double check all changes with diff/grep etc., repeatedly. Mistakes here impact endusers. +- This involves editing of several files. So carefully follow the steps below and double check all changes with diff/grep etc., repeatedly. Mistakes here impact endusers. ### a. Make sure your git workspace is ready @@ -160,7 +160,7 @@ Promoting the images basically means that images, that were pushed to staging co - [TAG](https://github.com/kubernetes/ingress-nginx/blob/main/TAG#L1) ### c. Edit the helm Chart - - Change the below mentioned [Fields in Chart.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/Chart.yaml) + - Change the below-mentioned [Fields in Chart.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/Chart.yaml) - version - appVersion - kubeVersion (**ONLY if applicable**) @@ -168,7 +168,7 @@ Promoting the images basically means that images, that were pushed to staging co - artifacthub.io/prerelease: "true" - artifacthub.io/changes: | - Replace this line and other lines under this annotation with the Changelog. One process to generate the Changelog is described below - - Install and configure github cli as per the docs of gh-cli https://cli.github.com/, + - Install and configure GitHub cli as per the docs of gh-cli https://cli.github.com/, - Change dir to your clone, of your fork, of the ingress-nginx project - Run the below command and save the output to a txt file diff --git a/NEW_RELEASE_PROCESS.md b/NEW_RELEASE_PROCESS.md new file mode 100644 index 000000000..cdb683abf --- /dev/null +++ b/NEW_RELEASE_PROCESS.md @@ -0,0 +1,9 @@ +# Semi-Automated Release Process + +1. Update TAG +2. Cloud Build +3. k8s.io PR +4. git pull origin main +5. git checkout -b $RELEASE_VERSION +6. mage release:newrelease $RELEASE_VERSION +7. Wait for PR \ No newline at end of file diff --git a/TAG b/TAG index 05f629f1b..b7c0a9b1d 100644 --- a/TAG +++ b/TAG @@ -1 +1 @@ -v1.6.0 \ No newline at end of file +v1.6.0 diff --git a/changelog/Changelog-1.5.2.md b/changelog/Changelog-1.5.2.md index 8b2617924..ed8532374 100644 --- a/changelog/Changelog-1.5.2.md +++ b/changelog/Changelog-1.5.2.md @@ -3,6 +3,7 @@ ### 1.5.2 Images: +<<<<<<< HEAD * registry.k8s.io/ingress-nginx/controller:controller-v1.5.2@sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 * registry.k8s.io/ingress-nginx/controller-chroot:controller-v1.5.2@sha256:84613555694f2c59a8b2551126d226c9aa648544ebf0cde1e0df942f7dbce42b @@ -19,6 +20,24 @@ Images: * update the nginx run container for alpine:3.17.0 (#9430) * cleanup: remove ioutil for new go version (#9427) * start upgrade to golang 1.19.4 and alpine 3.17.0 (#9417) +======= + * registry.k8s.io/controller:controller-v1.5.2@sha256:c1c091b88a6c936a83bd7g098v62f60a87868d12452529bad0d178fb36143346 + * registry.k8s.io/controller-chroot:controller-v1.5.2@sha256:c1c091b88a6c936a83bd7b098662760a87868d12452529b350d178fb36147345 + +### All Changes: + +<<<<<<< HEAD +>>>>>>> f4164ae0b (THE CHANGELOG WORKS) +======= +* upgrade nginx base image (#9436) +* test the new e2e test images (#9444) +* avoid builds and tests for non-code changes (#9392) +* CI updates (#9440) +* HPA: Add `controller.autoscaling.annotations` to `values.yaml`. (#9253) +* update the nginx run container for alpine:3.17.0 (#9430) +* cleanup: remove ioutil for new go version (#9427) +* start upgrade to golang 1.19.4 and alpine 3.17.0 (#9417) +>>>>>>> 9ecab7d85 (e2e doc updates work now) * ci: remove setup-helm step (#9404) * ci: remove setup-kind step (#9401) * Add reporter for all tests (#9395) @@ -54,6 +73,10 @@ Images: * add containerSecurityContext to extraModules init containers (kubernetes#9016) (#9242) ### Dependencies updates: +<<<<<<< HEAD +<<<<<<< HEAD +======= +>>>>>>> 9ecab7d85 (e2e doc updates work now) * Bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#9397) * Bump github.com/onsi/ginkgo/v2 from 2.6.0 to 2.6.1 (#9432) * Bump github.com/onsi/ginkgo/v2 from 2.6.0 to 2.6.1 (#9421) @@ -62,6 +85,11 @@ Images: * Bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (#9426) * Bump actions/dependency-review-action from 3.0.1 to 3.0.2 (#9424) * Bump ossf/scorecard-action from 2.0.6 to 2.1.0 (#9422) +<<<<<<< HEAD +======= +>>>>>>> f4164ae0b (THE CHANGELOG WORKS) +======= +>>>>>>> 9ecab7d85 (e2e doc updates work now) * Bump github.com/prometheus/common from 0.37.0 to 0.39.0 (#9416) * Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.6.0 (#9408) * Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.6.0 (#9398) @@ -76,4 +104,12 @@ Images: * Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (#9301) * Bump k8s.io/component-base from 0.25.3 to 0.25.4 (#9300) +<<<<<<< HEAD +<<<<<<< HEAD **Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.5.1...controller-controller-v1.5.2 +======= +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.5.2...controller-controller-v1.5.1 +>>>>>>> f4164ae0b (THE CHANGELOG WORKS) +======= +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.5.1...controller-controller-v1.5.2 +>>>>>>> 9ecab7d85 (e2e doc updates work now) diff --git a/charts/ingress-nginx/changelog/.gitkeep b/charts/ingress-nginx/changelog/.gitkeep new file mode 100644 index 000000000..e69de29bb diff --git a/charts/ingress-nginx/changelog/Changelog-1.5.2.md b/charts/ingress-nginx/changelog/Changelog-1.5.2.md new file mode 100644 index 000000000..5e0563858 --- /dev/null +++ b/charts/ingress-nginx/changelog/Changelog-1.5.2.md @@ -0,0 +1,12 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.4.1 + +* ci: remove setup-helm step (#9404) +* feat(helm): Optionally use cert-manager instead admission patch (#9279) +* run helm release on main only and when the chart/value changes only (#9290) +* Update Ingress-Nginx version controller-v1.5.2 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.4.1...helm-chart-4.4.1 diff --git a/go.mod b/go.mod index 2412ad6db..6f90615ff 100644 --- a/go.mod +++ b/go.mod @@ -77,6 +77,7 @@ require ( github.com/inconshreveable/mousetrap v1.0.1 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect + github.com/magefile/mage v1.14.0 // indirect github.com/mailru/easyjson v0.7.6 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect diff --git a/go.sum b/go.sum index 6dc3d7f54..8a32d3e00 100644 --- a/go.sum +++ b/go.sum @@ -231,6 +231,8 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= +github.com/magefile/mage v1.14.0 h1:6QDX3g6z1YvJ4olPhT1wksUcSa/V0a1B+pJb73fBjyo= +github.com/magefile/mage v1.14.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA= diff --git a/hack/changelog.sh b/hack/changelog.sh deleted file mode 100755 index 6ecd9f890..000000000 --- a/hack/changelog.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/usr/bin/env bash - -set -o errexit -set -o nounset -set -o pipefail - -declare -a mandatory -mandatory=( - LINES - RELEASE -) - -gh pr list -R kubernetes/ingress-nginx -s merged -L ${LINES} -B main | cut -f1,2 | awk '{ printf "* [%s](https://github.com/kubernetes/ingress-nginx/pull/%s) %s\n",$1,$1, substr($0,6)}' - - diff --git a/ingress-nginx.yaml b/ingress-nginx.yaml new file mode 100644 index 000000000..be66255e0 --- /dev/null +++ b/ingress-nginx.yaml @@ -0,0 +1,68 @@ +CURRENT_VERSION: "v1.5.1" +GOLANG_VERSION: "1.19.2" +GIT_TAG: "controller-v1.5.1" +NGINX_BASE_IMAGE: "registry.k8s.io/ingress-nginx/nginx:0b5e0685112e4537ee20a0bdbba451e9f6158aa3@sha256:3f5e28bb248d5170e77b77fc2a1a385724aeff41a0b34b5afad7dd9cf93de000" +NGINX_VERSION: "1.21.6" +VERSION_TABLE: + - "v1.5.1": + - Alpine: "3.16.2" + - Kubernetes: ["1.25","1.24","1.23"] + - NGINX: "1.21.6" + - CONTROLLER_IMAGE: "registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629" + - CHROOT_CONTROLLER_IMAGE: "registry.k8s.io/ingress-nginx/controller-chroot:v1.5.1@sha256:c1c091b88a6c936a83bd7b098662760a87868d12452529bad0d178fb36147345" + - "v1.4.0": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.3.1": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.3.0": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.2.1": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.1.3": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.1.2": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.1.1": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.1.0": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.0.5": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.0.4": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.0.3": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.0.2": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.0.1": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.0.0": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" diff --git a/magefiles/common.go b/magefiles/common.go new file mode 100644 index 000000000..ae2fed0c4 --- /dev/null +++ b/magefiles/common.go @@ -0,0 +1,66 @@ +//go:build mage + +package main + +import ( + "fmt" + "os" + "strings" + "time" +) + +var DEBUG bool + +func init() { + DEBUG = false + debugENV := os.Getenv("MAGE_DEBUG") + if debugENV == "true" { + DEBUG = true + } +} + +// CheckArgs should be used to ensure the right command line arguments are +// passed before executing an example. +func CheckArgs(arg ...string) { + if len(os.Args) < len(arg)+1 { + ErrorF("Usage: %s %s", os.Args[0], strings.Join(arg, " ")) + os.Exit(1) + } +} + +// CheckIfError should be used to naively panics if an error is not nil. +func CheckIfError(err error, format string, args ...interface{}) { + if err == nil { + return + } + + fmt.Printf("\x1b[31;1m%s ERROR %s %s\x1b[0m\n", timeStamp(), fmt.Sprintf(format, args...), err) + os.Exit(1) +} + +// Info should be used to describe the example commands that are about to run. +func Info(format string, args ...interface{}) { + fmt.Printf("\x1b[34;1m%s INFO: %s\x1b[0m\n", timeStamp(), fmt.Sprintf(format, args...)) +} + +func timeStamp() string { + t := time.Now() + return t.Format(time.RFC3339) +} + +// Warning should be used to display a warning +func Warning(format string, args ...interface{}) { + fmt.Printf("\x1b[36;1m%s WARNING: %s\x1b[0m\n", timeStamp(), fmt.Sprintf(format, args...)) +} + +// Info should be used to describe the example commands that are about to run. +func Debug(format string, args ...interface{}) { + if DEBUG { + fmt.Printf("\x1b[34;1m%s DEBUG: %s\x1b[0m\n", timeStamp(), fmt.Sprintf(format, args...)) + } +} + +// Info should be used to describe the example commands that are about to run. +func ErrorF(format string, args ...interface{}) { + fmt.Printf("\x1b[31;1m%s ERROR: %s\x1b[0m\n", timeStamp(), fmt.Sprintf(format, args...)) +} diff --git a/magefiles/docker.go b/magefiles/docker.go new file mode 100644 index 000000000..7353508f3 --- /dev/null +++ b/magefiles/docker.go @@ -0,0 +1,3 @@ +//go:build mage + +package main diff --git a/magefiles/go.go b/magefiles/go.go new file mode 100644 index 000000000..352b8fb1e --- /dev/null +++ b/magefiles/go.go @@ -0,0 +1,15 @@ +//go:build mage + +package main + +//import ( +// "github.com/magefile/mage/mg" +// "github.com/mysteriumnetwork/go-ci/commands" +//) +// +//type Go mg.Namespace +// +//// Checks for issues with go imports +//func (Go) CheckGoImports() error { +// return commands.GoImports("./...") +//} diff --git a/magefiles/go.mod b/magefiles/go.mod new file mode 100644 index 000000000..31c11a061 --- /dev/null +++ b/magefiles/go.mod @@ -0,0 +1,32 @@ +module github.com/kubernetes/ingress-nginx/magefiles + +go 1.19 + +require ( + github.com/blang/semver/v4 v4.0.0 + github.com/google/go-github/v48 v48.2.0 + github.com/helm/helm v2.17.0+incompatible + github.com/magefile/mage v1.14.0 + github.com/vmware-labs/yaml-jsonpath v0.3.2 + golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be + gopkg.in/yaml.v3 v3.0.1 +) + +require ( + github.com/BurntSushi/toml v1.2.1 // indirect + github.com/Masterminds/semver v1.5.0 // indirect + github.com/cyphar/filepath-securejoin v0.2.3 // indirect + github.com/dprotaso/go-yit v0.0.0-20191028211022-135eb7262960 // indirect + github.com/ghodss/yaml v1.0.0 // indirect + github.com/gobwas/glob v0.2.3 // indirect + github.com/golang/protobuf v1.5.2 // indirect + github.com/google/go-querystring v1.1.0 // indirect + github.com/stretchr/testify v1.8.1 // indirect + golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 // indirect + golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect + google.golang.org/appengine v1.6.7 // indirect + google.golang.org/protobuf v1.28.0 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect + k8s.io/apimachinery v0.25.4 // indirect + k8s.io/helm v2.17.0+incompatible // indirect +) diff --git a/magefiles/go.sum b/magefiles/go.sum new file mode 100644 index 000000000..38a4235f6 --- /dev/null +++ b/magefiles/go.sum @@ -0,0 +1,105 @@ +github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak= +github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww= +github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= +github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= +github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= +github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI= +github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dprotaso/go-yit v0.0.0-20191028211022-135eb7262960 h1:aRd8M7HJVZOqn/vhOzrGcQH0lNAMkqMn+pXUYkatmcA= +github.com/dprotaso/go-yit v0.0.0-20191028211022-135eb7262960/go.mod h1:9HQzr9D/0PGwMEbC3d5AB7oi67+h4TsQqItC1GVYG58= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= +github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= +github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-github/v48 v48.2.0 h1:68puzySE6WqUY9KWmpOsDEQfDZsso98rT6pZcz9HqcE= +github.com/google/go-github/v48 v48.2.0/go.mod h1:dDlehKBDo850ZPvCTK0sEqTCVWcrGl2LcDiajkYi89Y= +github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= +github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU= +github.com/helm/helm v2.17.0+incompatible h1:0iy95yMXrfWpwaoOA9XRP+cTvitTrq+LcJV9DvR5n1Y= +github.com/helm/helm v2.17.0+incompatible/go.mod h1:ahXhuvluW4YnSL6W6hDVetZsVK8Pv4BP8OwKli7aMqo= +github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/magefile/mage v1.14.0 h1:6QDX3g6z1YvJ4olPhT1wksUcSa/V0a1B+pJb73fBjyo= +github.com/magefile/mage v1.14.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= +github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.10.2 h1:uqH7bpe+ERSiDa34FDOF7RikN6RzXgduUF8yarlZp94= +github.com/onsi/ginkgo v1.10.2/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= +github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/vmware-labs/yaml-jsonpath v0.3.2 h1:/5QKeCBGdsInyDCyVNLbXyilb61MXGi9NP674f9Hobk= +github.com/vmware-labs/yaml-jsonpath v0.3.2/go.mod h1:U6whw1z03QyqgWdgXxvVnQ90zN1BWz5V+51Ewf8k+rQ= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 h1:HWj/xjIHfjYU5nVXpTM0s39J9CbLn7Cc5a7IC5rwsMQ= +golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b h1:PxfKdU9lEEDYjdIzOtC4qFWgkU2rGHdKlKowJSMN9h0= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be h1:vEDujvNQGv4jgYKudGeI/+DAX4Jffq6hpD55MmoEvKs= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a h1:dGzPydgVsqGcTRVwiLJ1jVbufYwmzD3LfVPLKsKg+0k= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= +google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw= +google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU= +gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20191026110619-0b21df46bc1d/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +k8s.io/apimachinery v0.25.4 h1:CtXsuaitMESSu339tfhVXhQrPET+EiWnIY1rcurKnAc= +k8s.io/apimachinery v0.25.4/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo= +k8s.io/helm v2.17.0+incompatible h1:Bpn6o1wKLYqKM3+Osh8e+1/K2g/GsQJ4F4yNF2+deao= +k8s.io/helm v2.17.0+incompatible/go.mod h1:LZzlS4LQBHfciFOurYBFkCMTaZ0D1l+p0teMg7TSULI= diff --git a/magefiles/helm.go b/magefiles/helm.go new file mode 100644 index 000000000..87966dea0 --- /dev/null +++ b/magefiles/helm.go @@ -0,0 +1,608 @@ +//go:build mage + +package main + +import ( + "fmt" + semver "github.com/blang/semver/v4" + "github.com/helm/helm/pkg/chartutil" + "github.com/magefile/mage/mg" + "github.com/magefile/mage/sh" + yamlpath "github.com/vmware-labs/yaml-jsonpath/pkg/yamlpath" + "gopkg.in/yaml.v3" + "os" + "strings" +) + +const HelmChartPath = "charts/ingress-nginx/Chart.yaml" +const HelmChartValues = "charts/ingress-nginx/values.yaml" + +type Helm mg.Namespace + +// UpdateAppVersion Updates the Helm App Version of Ingress Nginx Controller +func (Helm) UpdateAppVersion() { + updateAppVersion() +} + +func updateAppVersion() { + +} + +// UpdateVersion Update Helm Version of the Chart +func (Helm) UpdateVersion(version string) { + updateVersion(version) +} + +func currentChartVersion() string { + chart, err := chartutil.LoadChartfile(HelmChartPath) + CheckIfError(err, "HELM Could not Load Chart") + return chart.Version +} + +func currentChartAppVersion() string { + chart, err := chartutil.LoadChartfile(HelmChartPath) + CheckIfError(err, "HELM Could not Load Chart") + return chart.AppVersion +} + +func updateVersion(version string) { + Info("HELM Reading File %v", HelmChartPath) + + chart, err := chartutil.LoadChartfile(HelmChartPath) + CheckIfError(err, "HELM Could not Load Chart") + + //Get the current tag + //appVersionV, err := getIngressNGINXVersion() + //CheckIfError(err, "HELM Issue Retrieving the Current Ingress Nginx Version") + + //remove the v from TAG + appVersion := version + + Info("HELM Ingress-Nginx App Version: %s Chart AppVersion: %s", appVersion, chart.AppVersion) + if appVersion == chart.AppVersion { + Warning("HELM Ingress NGINX Version didnt change Ingress-Nginx App Version: %s Chart AppVersion: %s", appVersion, chart.AppVersion) + return + } + + //Update the helm chart + chart.AppVersion = appVersion + cTag, err := semver.Make(chart.Version) + CheckIfError(err, "HELM Creating Chart Version: %v", err) + + if err = cTag.IncrementPatch(); err != nil { + ErrorF("HELM Incrementing Chart Version: %v", err) + os.Exit(1) + } + chart.Version = cTag.String() + Debug("HELM Updated Chart Version: %v", chart.Version) + + err = chartutil.SaveChartfile(HelmChartPath, chart) + CheckIfError(err, "HELM Saving new Chart") +} + +func updateChartReleaseNotes(releasesNotes []string) { + Info("HELM Updating the Chart Release notes") + chart, err := chartutil.LoadChartfile(HelmChartPath) + CheckIfError(err, "HELM Could not Load Chart to update release notes %s", HelmChartPath) + var releaseNoteString string + for i := range releasesNotes { + releaseNoteString = fmt.Sprintf("%s - %s\n", releaseNoteString, releasesNotes[i]) + } + Info("HLEM Release note string %s", releaseNoteString) + chart.Annotations["artifacthub.io/changes"] = releaseNoteString + err = chartutil.SaveChartfile(HelmChartPath, chart) + CheckIfError(err, "HELM Saving updated release notes for Chart") +} + +func UpdateChartChangelog() { + +} + +// UpdateAppVersion Updates the Helm App Version of Ingress Nginx Controller +func (Helm) UpdateChartValue(key, value string) { + updateChartValue(key, value) +} + +func updateChartValue(key, value string) { + Info("HELM Updating Chart %s %s:%s", HelmChartValues, key, value) + + //read current values.yaml + data, err := os.ReadFile(HelmChartValues) + CheckIfError(err, "HELM Could not Load Helm Chart Values files %s", HelmChartValues) + + //var valuesStruct IngressChartValue + var n yaml.Node + CheckIfError(yaml.Unmarshal(data, &n), "HELM Could not Unmarshal %s", HelmChartValues) + + //update value + //keyParse := parsePath(key) + p, err := yamlpath.NewPath(key) + CheckIfError(err, "HELM cannot create path") + + q, err := p.Find(&n) + CheckIfError(err, "HELM unexpected error finding path") + + for _, i := range q { + Info("HELM Found %s at %s", i.Value, key) + i.Value = value + Info("HELM Updated %s at %s", i.Value, key) + } + + //// write to file + newValueFile, err := yaml.Marshal(&n) + CheckIfError(err, "HELM Could not Marshal new Values file") + err = os.WriteFile(HelmChartValues, newValueFile, 0644) + CheckIfError(err, "HELM Could not write new Values file to %s", HelmChartValues) + + Info("HELM Ingress Nginx Helm Chart update %s %s", key, value) +} + +func runHelmDocs() error { + err := installHelmDocs() + if err != nil { + return err + } + err = sh.RunV("helm-docs", "--chart-search-root=${PWD}/charts") + if err != nil { + return err + } + return nil +} + +func installHelmDocs() error { + Info("HELM Install HelmDocs") + var g0 = sh.RunCmd("go") + + err := g0("install", "github.com/norwoodj/helm-docs/cmd/helm-docs@v1.11.0") + if err != nil { + return err + } + return nil +} +func parsePath(key string) []string { return strings.Split(key, ".") } + +func updateHelmDocs() { + +} + +type IngressChartValue struct { + CommonLabels struct { + } `yaml:"commonLabels"` + Controller struct { + Name string `yaml:"name"` + Image struct { + Chroot bool `yaml:"chroot"` + Registry string `yaml:"registry"` + Image string `yaml:"image"` + Tag string `yaml:"tag"` + Digest string `yaml:"digest"` + DigestChroot string `yaml:"digestChroot"` + PullPolicy string `yaml:"pullPolicy"` + RunAsUser int `yaml:"runAsUser"` + AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` + } `yaml:"image"` + ExistingPsp string `yaml:"existingPsp"` + ContainerName string `yaml:"containerName"` + ContainerPort struct { + HTTP int `yaml:"http"` + HTTPS int `yaml:"https"` + } `yaml:"containerPort"` + Config struct { + } `yaml:"config"` + ConfigAnnotations struct { + } `yaml:"configAnnotations"` + ProxySetHeaders struct { + } `yaml:"proxySetHeaders"` + AddHeaders struct { + } `yaml:"addHeaders"` + DNSConfig struct { + } `yaml:"dnsConfig"` + Hostname struct { + } `yaml:"hostname"` + DNSPolicy string `yaml:"dnsPolicy"` + ReportNodeInternalIP bool `yaml:"reportNodeInternalIp"` + WatchIngressWithoutClass bool `yaml:"watchIngressWithoutClass"` + IngressClassByName bool `yaml:"ingressClassByName"` + AllowSnippetAnnotations bool `yaml:"allowSnippetAnnotations"` + HostNetwork bool `yaml:"hostNetwork"` + HostPort struct { + Enabled bool `yaml:"enabled"` + Ports struct { + HTTP int `yaml:"http"` + HTTPS int `yaml:"https"` + } `yaml:"ports"` + } `yaml:"hostPort"` + ElectionID string `yaml:"electionID"` + IngressClassResource struct { + Name string `yaml:"name"` + Enabled bool `yaml:"enabled"` + Default bool `yaml:"default"` + ControllerValue string `yaml:"controllerValue"` + Parameters struct { + } `yaml:"parameters"` + } `yaml:"ingressClassResource"` + IngressClass string `yaml:"ingressClass"` + PodLabels struct { + } `yaml:"podLabels"` + PodSecurityContext struct { + } `yaml:"podSecurityContext"` + Sysctls struct { + } `yaml:"sysctls"` + PublishService struct { + Enabled bool `yaml:"enabled"` + PathOverride string `yaml:"pathOverride"` + } `yaml:"publishService"` + Scope struct { + Enabled bool `yaml:"enabled"` + Namespace string `yaml:"namespace"` + NamespaceSelector string `yaml:"namespaceSelector"` + } `yaml:"scope"` + ConfigMapNamespace string `yaml:"configMapNamespace"` + TCP struct { + ConfigMapNamespace string `yaml:"configMapNamespace"` + Annotations struct { + } `yaml:"annotations"` + } `yaml:"tcp"` + UDP struct { + ConfigMapNamespace string `yaml:"configMapNamespace"` + Annotations struct { + } `yaml:"annotations"` + } `yaml:"udp"` + MaxmindLicenseKey string `yaml:"maxmindLicenseKey"` + ExtraArgs struct { + } `yaml:"extraArgs"` + ExtraEnvs []interface{} `yaml:"extraEnvs"` + Kind string `yaml:"kind"` + Annotations struct { + } `yaml:"annotations"` + Labels struct { + } `yaml:"labels"` + UpdateStrategy struct { + } `yaml:"updateStrategy"` + MinReadySeconds int `yaml:"minReadySeconds"` + Tolerations []interface{} `yaml:"tolerations"` + Affinity struct { + } `yaml:"affinity"` + TopologySpreadConstraints []interface{} `yaml:"topologySpreadConstraints"` + TerminationGracePeriodSeconds int `yaml:"terminationGracePeriodSeconds"` + NodeSelector struct { + KubernetesIoOs string `yaml:"kubernetes.io/os"` + } `yaml:"nodeSelector"` + LivenessProbe struct { + HTTPGet struct { + Path string `yaml:"path"` + Port int `yaml:"port"` + Scheme string `yaml:"scheme"` + } `yaml:"httpGet"` + InitialDelaySeconds int `yaml:"initialDelaySeconds"` + PeriodSeconds int `yaml:"periodSeconds"` + TimeoutSeconds int `yaml:"timeoutSeconds"` + SuccessThreshold int `yaml:"successThreshold"` + FailureThreshold int `yaml:"failureThreshold"` + } `yaml:"livenessProbe"` + ReadinessProbe struct { + HTTPGet struct { + Path string `yaml:"path"` + Port int `yaml:"port"` + Scheme string `yaml:"scheme"` + } `yaml:"httpGet"` + InitialDelaySeconds int `yaml:"initialDelaySeconds"` + PeriodSeconds int `yaml:"periodSeconds"` + TimeoutSeconds int `yaml:"timeoutSeconds"` + SuccessThreshold int `yaml:"successThreshold"` + FailureThreshold int `yaml:"failureThreshold"` + } `yaml:"readinessProbe"` + HealthCheckPath string `yaml:"healthCheckPath"` + HealthCheckHost string `yaml:"healthCheckHost"` + PodAnnotations struct { + } `yaml:"podAnnotations"` + ReplicaCount int `yaml:"replicaCount"` + MinAvailable int `yaml:"minAvailable"` + Resources struct { + Requests struct { + CPU string `yaml:"cpu"` + Memory string `yaml:"memory"` + } `yaml:"requests"` + } `yaml:"resources"` + Autoscaling struct { + APIVersion string `yaml:"apiVersion"` + Enabled bool `yaml:"enabled"` + Annotations struct { + } `yaml:"annotations"` + MinReplicas int `yaml:"minReplicas"` + MaxReplicas int `yaml:"maxReplicas"` + TargetCPUUtilizationPercentage int `yaml:"targetCPUUtilizationPercentage"` + TargetMemoryUtilizationPercentage int `yaml:"targetMemoryUtilizationPercentage"` + Behavior struct { + } `yaml:"behavior"` + } `yaml:"autoscaling"` + AutoscalingTemplate []interface{} `yaml:"autoscalingTemplate"` + Keda struct { + APIVersion string `yaml:"apiVersion"` + Enabled bool `yaml:"enabled"` + MinReplicas int `yaml:"minReplicas"` + MaxReplicas int `yaml:"maxReplicas"` + PollingInterval int `yaml:"pollingInterval"` + CooldownPeriod int `yaml:"cooldownPeriod"` + RestoreToOriginalReplicaCount bool `yaml:"restoreToOriginalReplicaCount"` + ScaledObject struct { + Annotations struct { + } `yaml:"annotations"` + } `yaml:"scaledObject"` + Triggers []interface{} `yaml:"triggers"` + Behavior struct { + } `yaml:"behavior"` + } `yaml:"keda"` + EnableMimalloc bool `yaml:"enableMimalloc"` + CustomTemplate struct { + ConfigMapName string `yaml:"configMapName"` + ConfigMapKey string `yaml:"configMapKey"` + } `yaml:"customTemplate"` + Service struct { + Enabled bool `yaml:"enabled"` + AppProtocol bool `yaml:"appProtocol"` + Annotations struct { + } `yaml:"annotations"` + Labels struct { + } `yaml:"labels"` + ExternalIPs []interface{} `yaml:"externalIPs"` + LoadBalancerIP string `yaml:"loadBalancerIP"` + LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` + EnableHTTP bool `yaml:"enableHttp"` + EnableHTTPS bool `yaml:"enableHttps"` + IPFamilyPolicy string `yaml:"ipFamilyPolicy"` + IPFamilies []string `yaml:"ipFamilies"` + Ports struct { + HTTP int `yaml:"http"` + HTTPS int `yaml:"https"` + } `yaml:"ports"` + TargetPorts struct { + HTTP string `yaml:"http"` + HTTPS string `yaml:"https"` + } `yaml:"targetPorts"` + Type string `yaml:"type"` + NodePorts struct { + HTTP string `yaml:"http"` + HTTPS string `yaml:"https"` + TCP struct { + } `yaml:"tcp"` + UDP struct { + } `yaml:"udp"` + } `yaml:"nodePorts"` + External struct { + Enabled bool `yaml:"enabled"` + } `yaml:"external"` + Internal struct { + Enabled bool `yaml:"enabled"` + Annotations struct { + } `yaml:"annotations"` + LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` + } `yaml:"internal"` + } `yaml:"service"` + ShareProcessNamespace bool `yaml:"shareProcessNamespace"` + ExtraContainers []interface{} `yaml:"extraContainers"` + ExtraVolumeMounts []interface{} `yaml:"extraVolumeMounts"` + ExtraVolumes []interface{} `yaml:"extraVolumes"` + ExtraInitContainers []interface{} `yaml:"extraInitContainers"` + ExtraModules []interface{} `yaml:"extraModules"` + Opentelemetry struct { + Enabled bool `yaml:"enabled"` + Image string `yaml:"image"` + ContainerSecurityContext struct { + AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` + } `yaml:"containerSecurityContext"` + } `yaml:"opentelemetry"` + AdmissionWebhooks struct { + Annotations struct { + } `yaml:"annotations"` + Enabled bool `yaml:"enabled"` + ExtraEnvs []interface{} `yaml:"extraEnvs"` + FailurePolicy string `yaml:"failurePolicy"` + Port int `yaml:"port"` + Certificate string `yaml:"certificate"` + Key string `yaml:"key"` + NamespaceSelector struct { + } `yaml:"namespaceSelector"` + ObjectSelector struct { + } `yaml:"objectSelector"` + Labels struct { + } `yaml:"labels"` + ExistingPsp string `yaml:"existingPsp"` + NetworkPolicyEnabled bool `yaml:"networkPolicyEnabled"` + Service struct { + Annotations struct { + } `yaml:"annotations"` + ExternalIPs []interface{} `yaml:"externalIPs"` + LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` + ServicePort int `yaml:"servicePort"` + Type string `yaml:"type"` + } `yaml:"service"` + CreateSecretJob struct { + SecurityContext struct { + AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` + } `yaml:"securityContext"` + Resources struct { + } `yaml:"resources"` + } `yaml:"createSecretJob"` + PatchWebhookJob struct { + SecurityContext struct { + AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` + } `yaml:"securityContext"` + Resources struct { + } `yaml:"resources"` + } `yaml:"patchWebhookJob"` + Patch struct { + Enabled bool `yaml:"enabled"` + Image struct { + Registry string `yaml:"registry"` + Image string `yaml:"image"` + Tag string `yaml:"tag"` + Digest string `yaml:"digest"` + PullPolicy string `yaml:"pullPolicy"` + } `yaml:"image"` + PriorityClassName string `yaml:"priorityClassName"` + PodAnnotations struct { + } `yaml:"podAnnotations"` + NodeSelector struct { + KubernetesIoOs string `yaml:"kubernetes.io/os"` + } `yaml:"nodeSelector"` + Tolerations []interface{} `yaml:"tolerations"` + Labels struct { + } `yaml:"labels"` + SecurityContext struct { + RunAsNonRoot bool `yaml:"runAsNonRoot"` + RunAsUser int `yaml:"runAsUser"` + FsGroup int `yaml:"fsGroup"` + } `yaml:"securityContext"` + } `yaml:"patch"` + CertManager struct { + Enabled bool `yaml:"enabled"` + RootCert struct { + Duration string `yaml:"duration"` + } `yaml:"rootCert"` + AdmissionCert struct { + Duration string `yaml:"duration"` + } `yaml:"admissionCert"` + } `yaml:"certManager"` + } `yaml:"admissionWebhooks"` + Metrics struct { + Port int `yaml:"port"` + PortName string `yaml:"portName"` + Enabled bool `yaml:"enabled"` + Service struct { + Annotations struct { + } `yaml:"annotations"` + ExternalIPs []interface{} `yaml:"externalIPs"` + LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` + ServicePort int `yaml:"servicePort"` + Type string `yaml:"type"` + } `yaml:"service"` + ServiceMonitor struct { + Enabled bool `yaml:"enabled"` + AdditionalLabels struct { + } `yaml:"additionalLabels"` + Namespace string `yaml:"namespace"` + NamespaceSelector struct { + } `yaml:"namespaceSelector"` + ScrapeInterval string `yaml:"scrapeInterval"` + TargetLabels []interface{} `yaml:"targetLabels"` + Relabelings []interface{} `yaml:"relabelings"` + MetricRelabelings []interface{} `yaml:"metricRelabelings"` + } `yaml:"serviceMonitor"` + PrometheusRule struct { + Enabled bool `yaml:"enabled"` + AdditionalLabels struct { + } `yaml:"additionalLabels"` + Rules []interface{} `yaml:"rules"` + } `yaml:"prometheusRule"` + } `yaml:"metrics"` + Lifecycle struct { + PreStop struct { + Exec struct { + Command []string `yaml:"command"` + } `yaml:"exec"` + } `yaml:"preStop"` + } `yaml:"lifecycle"` + PriorityClassName string `yaml:"priorityClassName"` + } `yaml:"controller"` + RevisionHistoryLimit int `yaml:"revisionHistoryLimit"` + DefaultBackend struct { + Enabled bool `yaml:"enabled"` + Name string `yaml:"name"` + Image struct { + Registry string `yaml:"registry"` + Image string `yaml:"image"` + Tag string `yaml:"tag"` + PullPolicy string `yaml:"pullPolicy"` + RunAsUser int `yaml:"runAsUser"` + RunAsNonRoot bool `yaml:"runAsNonRoot"` + ReadOnlyRootFilesystem bool `yaml:"readOnlyRootFilesystem"` + AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` + } `yaml:"image"` + ExistingPsp string `yaml:"existingPsp"` + ExtraArgs struct { + } `yaml:"extraArgs"` + ServiceAccount struct { + Create bool `yaml:"create"` + Name string `yaml:"name"` + AutomountServiceAccountToken bool `yaml:"automountServiceAccountToken"` + } `yaml:"serviceAccount"` + ExtraEnvs []interface{} `yaml:"extraEnvs"` + Port int `yaml:"port"` + LivenessProbe struct { + FailureThreshold int `yaml:"failureThreshold"` + InitialDelaySeconds int `yaml:"initialDelaySeconds"` + PeriodSeconds int `yaml:"periodSeconds"` + SuccessThreshold int `yaml:"successThreshold"` + TimeoutSeconds int `yaml:"timeoutSeconds"` + } `yaml:"livenessProbe"` + ReadinessProbe struct { + FailureThreshold int `yaml:"failureThreshold"` + InitialDelaySeconds int `yaml:"initialDelaySeconds"` + PeriodSeconds int `yaml:"periodSeconds"` + SuccessThreshold int `yaml:"successThreshold"` + TimeoutSeconds int `yaml:"timeoutSeconds"` + } `yaml:"readinessProbe"` + Tolerations []interface{} `yaml:"tolerations"` + Affinity struct { + } `yaml:"affinity"` + PodSecurityContext struct { + } `yaml:"podSecurityContext"` + ContainerSecurityContext struct { + } `yaml:"containerSecurityContext"` + PodLabels struct { + } `yaml:"podLabels"` + NodeSelector struct { + KubernetesIoOs string `yaml:"kubernetes.io/os"` + } `yaml:"nodeSelector"` + PodAnnotations struct { + } `yaml:"podAnnotations"` + ReplicaCount int `yaml:"replicaCount"` + MinAvailable int `yaml:"minAvailable"` + Resources struct { + } `yaml:"resources"` + ExtraVolumeMounts []interface{} `yaml:"extraVolumeMounts"` + ExtraVolumes []interface{} `yaml:"extraVolumes"` + Autoscaling struct { + Annotations struct { + } `yaml:"annotations"` + Enabled bool `yaml:"enabled"` + MinReplicas int `yaml:"minReplicas"` + MaxReplicas int `yaml:"maxReplicas"` + TargetCPUUtilizationPercentage int `yaml:"targetCPUUtilizationPercentage"` + TargetMemoryUtilizationPercentage int `yaml:"targetMemoryUtilizationPercentage"` + } `yaml:"autoscaling"` + Service struct { + Annotations struct { + } `yaml:"annotations"` + ExternalIPs []interface{} `yaml:"externalIPs"` + LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` + ServicePort int `yaml:"servicePort"` + Type string `yaml:"type"` + } `yaml:"service"` + PriorityClassName string `yaml:"priorityClassName"` + Labels struct { + } `yaml:"labels"` + } `yaml:"defaultBackend"` + Rbac struct { + Create bool `yaml:"create"` + Scope bool `yaml:"scope"` + } `yaml:"rbac"` + PodSecurityPolicy struct { + Enabled bool `yaml:"enabled"` + } `yaml:"podSecurityPolicy"` + ServiceAccount struct { + Create bool `yaml:"create"` + Name string `yaml:"name"` + AutomountServiceAccountToken bool `yaml:"automountServiceAccountToken"` + Annotations struct { + } `yaml:"annotations"` + } `yaml:"serviceAccount"` + ImagePullSecrets []interface{} `yaml:"imagePullSecrets"` + TCP struct { + } `yaml:"tcp"` + UDP struct { + } `yaml:"udp"` + PortNamePrefix string `yaml:"portNamePrefix"` + DhParam interface{} `yaml:"dhParam"` +} diff --git a/magefiles/mage.go b/magefiles/mage.go new file mode 100644 index 000000000..97ab4712a --- /dev/null +++ b/magefiles/mage.go @@ -0,0 +1,13 @@ +//go:build ignore +// +build ignore + +package main + +import ( + "github.com/magefile/mage/mage" + "os" +) + +func main() { + os.Exit(mage.Main()) +} diff --git a/magefiles/release.go b/magefiles/release.go new file mode 100644 index 000000000..a48a9dbd0 --- /dev/null +++ b/magefiles/release.go @@ -0,0 +1,526 @@ +//go:build mage + +package main + +import ( + "context" + "errors" + "fmt" + "github.com/google/go-github/v48/github" + "github.com/magefile/mage/mg" + "github.com/magefile/mage/sh" + "golang.org/x/oauth2" + "gopkg.in/yaml.v3" + "io" + "net" + "net/http" + "os" + "text/template" + + "regexp" + "strings" + "time" +) + +type Release mg.Namespace + +var INGRESS_ORG = "strongjz" // the owner so we can test from forks +var INGRESS_REPO = "ingress-nginx" // the repo to pull from +var RELEASE_BRANCH = "main" //we only release from main +var GITHUB_TOKEN string // the Google/gogithub lib needs an PAT to access the GitHub API +var K8S_IO_ORG = "strongjz" //the owner or organization for the k8s.io repo +var K8S_IO_REPO = "k8s.io" //the repo that holds the images yaml for production promotion +var INGRESS_REGISTRY = "registry.k8s.io" //Container registry for storage Ingress-nginx images + +// ingress-nginx releases start with a TAG then a cloudbuild, then a promotion through a PR, this the location of that PR +// var IMAGES_YAML = "https://raw.githubusercontent.com/kubernetes/k8s.io/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml" +var IMAGES_YAML = "https://raw.githubusercontent.com/strongjz/k8s.io/testing/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml" + +var ctx = context.Background() // Context used for GitHub Client + +const CHANGELOG = "Changelog.md" //Name of the changelog + +func init() { + GITHUB_TOKEN = os.Getenv("GITHUB_TOKEN") +} + +// PromoteImage Creates PR into the k8s.io repo for promotion of ingress from staging to production +func (Release) PromoteImage(version, sha string) { + +} + +// Release Create a new release of ingress nginx controller +func (Release) NewRelease(version string) { + //newRelease := Release{} + + //update ingress-nginx version + //This is the step that kicks all the release process + //it is already done, so it kicks off the gcloud build of the controller images + //mg.Deps(mg.F(Tag.BumpNginx, version)) + + tag, err := getIngressNGINXVersion() + CheckIfError(err, "RELEASE Retrieving the current Ingress Nginx Version") + + Info("RELEASE Checking Current Version %s to New Version %s", tag, version) + //if the version were upgrading does not match the TAG file, lets update the TAG file + if tag != version { + Warning("RELEASE Ingress Nginx TAG %s and new version %s do not match", tag, version) + mg.Deps(mg.F(Tag.BumpNginx, fmt.Sprintf("v%s", version))) + } + + //update git controller tag controller-v$version + mg.Deps(mg.F(Tag.NewControllerTag, version)) + + //make release notes + releaseNotes, err := makeReleaseNotes(version) + CheckIfError(err, "RELEASE Creating Release Notes for version %s", version) + Info("RELEASE Release Notes %s completed", releaseNotes.Version) + + //update chart values.yaml new controller tag and image digest + releaseNotes.PreviousHelmChartVersion = currentChartVersion() + + //controller tag + updateChartValue("controller.image.tag", fmt.Sprintf("v%s", releaseNotes.Version)) + //controller digest + if releaseNotes.ControllerImages[0].Name == "controller" { + updateChartValue("controller.image.digest", releaseNotes.ControllerImages[0].Digest) + } + //controller chroot digest + if releaseNotes.ControllerImages[1].Name == "controller-chroot" { + updateChartValue("controller.image.digestChroot", releaseNotes.ControllerImages[1].Digest) + } + + //update helm chart app version + mg.Deps(mg.F(Helm.UpdateVersion, version)) + + releaseNotes.NewHelmChartVersion = currentChartVersion() + + //update helm chart release notes + updateChartReleaseNotes(releaseNotes.HelmUpdates) + + //Run helm docs update + CheckIfError(runHelmDocs(), "Error Updating Helm Docs ") + + releaseNotes.helmTemplate() + + //update static manifest + CheckIfError(updateStaticManifest(), "Error Updating Static manifests") + + ////update e2e docs TODO + updateE2EDocs() + + //update documentation with ingress-nginx version + CheckIfError(updateIndexMD(releaseNotes.PreviousControllerVersion, releaseNotes.NewControllerVersion), "Error Updating %s", INDEX_DOCS) + + //git commit TODO + + //make Pull Request TODO + + //make release TODO + //mg.Deps(mg.F(Release.CreateRelease, version)) +} + +const INDEX_DOCS = "docs/deploy/index.md" + +func updateIndexMD(old, new string) error { + Info("Updating Deploy docs with new version") + data, err := os.ReadFile(INDEX_DOCS) + CheckIfError(err, "Could not read INDEX_DOCS file %s", INDEX_DOCS) + datString := string(data) + datString = strings.Replace(datString, old, new, -1) + err = os.WriteFile(INDEX_DOCS, []byte(datString), 644) + if err != nil { + ErrorF("Could not write new %s %s", INDEX_DOCS, err) + return err + } + return nil +} + +func updateE2EDocs() { + //hack/generate-deploy-scripts.sh + updates, err := sh.Output("./hack/generate-e2e-suite-doc.sh") + CheckIfError(err, "Could not run update hack script") + err = os.WriteFile("docs/e2e-tests.md", []byte(updates), 644) + CheckIfError(err, "Could not write new e2e test file ") +} + +func installKustomize() error { + Info("Install Kustomize") + var g0 = sh.RunCmd("go") + + // somewhere in your main code + err := g0("install", "sigs.k8s.io/kustomize/kustomize/v4@v4.5.4") + if err != nil { + return err + } + return nil +} + +func updateStaticManifest() error { + CheckIfError(installKustomize(), "error installing kustomize") + + //hack/generate-deploy-scripts.sh + err := sh.RunV("./hack/generate-deploy-scripts.sh") + if err != nil { + return err + } + return nil +} + +//// CreateRelease Creates a new GitHub Release +//func (Release) CreateRelease(name string) { +// releaser, err := gh_release.NewReleaser(INGRESS_ORG, INGRESS_REPO, GITHUB_TOKEN) +// CheckIfError(err, "GitHub Release Client error") +// newRelease, err := releaser.Create(fmt.Sprintf("controller-%s", name)) +// CheckIfError(err, "Create release error") +// Info("New Release: Tag %v, ID: %v", newRelease.TagName, newRelease.ID) +//} + +type ControllerImage struct { + Tag string + Digest string + Registry string + Name string +} + +type IngressRelease struct { + ControllerVersion string + ControllerImage ControllerImage + ReleaseNote ReleaseNote + Release *github.RepositoryRelease +} + +type ReleaseNote struct { + Version string + NewControllerVersion string + PreviousControllerVersion string + ControllerImages []ControllerImage + DepUpdates []string + Updates []string + HelmUpdates []string + NewHelmChartVersion string + PreviousHelmChartVersion string +} + +// Returns a GitHub client ready for use +func githubClient() *github.Client { + ts := oauth2.StaticTokenSource( + &oauth2.Token{AccessToken: GITHUB_TOKEN}, + ) + oauthClient := oauth2.NewClient(ctx, ts) + return github.NewClient(oauthClient) +} + +// LatestCommitLogs Retrieves the commit log between the latest two controller versions. +func (Release) LatestCommitLogs() { + commitLog := commitsBetweenTags() + for i, s := range commitLog { + Info("#%v Version %v", i, s) + } +} + +func commitsBetweenTags() []string { + tags := getAllControllerTags() + Info("Getting Commits between %v and %v", tags[0], tags[1]) + commitLog, err := git("log", "--full-history", "--pretty", "--oneline", fmt.Sprintf("%v..%v", tags[1], tags[0])) + + if commitLog == "" { + Warning("All Controller Tags is empty") + } + CheckIfError(err, "Retrieving Commit log") + return strings.Split(commitLog, "\n") +} + +// Generate Release Notes +func (Release) ReleaseNotes(newVersion string) error { + notes, err := makeReleaseNotes(newVersion) + CheckIfError(err, "Creating Release Notes for version %s", newVersion) + Info("Release Notes %s completed", notes.Version) + return nil +} + +func makeReleaseNotes(newVersion string) (*ReleaseNote, error) { + var newReleaseNotes = ReleaseNote{} + + newReleaseNotes.Version = newVersion + allControllerTags := getAllControllerTags() + + //new version + newReleaseNotes.NewControllerVersion = allControllerTags[0] + newControllerVersion := fmt.Sprintf("controller-v%s", newVersion) + + //the newControllerVersion should match the latest tag + if newControllerVersion != allControllerTags[0] { + return nil, errors.New(fmt.Sprintf("Generating release new version %s didnt match the current latest tag %s", newControllerVersion, allControllerTags[0])) + } + //previous version + newReleaseNotes.PreviousControllerVersion = allControllerTags[1] + + Info("New Version: %s Old Version: %s", newReleaseNotes.NewControllerVersion, newReleaseNotes.PreviousControllerVersion) + + commits := commitsBetweenTags() + + //dependency_updates + //all_updates + var allUpdates []string + var depUpdates []string + var helmUpdates []string + prRegex := regexp.MustCompile("\\(#\\d+\\)") + depBot := regexp.MustCompile("^(\\w){1,10} Bump ") + helmRegex := regexp.MustCompile("helm|chart") + for i, s := range commits { + //matches on PR + if prRegex.Match([]byte(s)) { + //matches a dependant bot update + if depBot.Match([]byte(s)) { // + Debug("#%v DEPENDABOT %v", i, s) + u := strings.SplitN(s, " ", 2) + depUpdates = append(depUpdates, u[1]) + } else { // add it to the all updates slice + Debug("#%v ALL UPDATES %v", i, s) + u := strings.SplitN(s, " ", 2) + allUpdates = append(allUpdates, u[1]) + + //helm chart updates + if helmRegex.Match([]byte(s)) { + u := strings.SplitN(s, " ", 2) + helmUpdates = append(helmUpdates, u[1]) + } + } + + } + } + helmUpdates = append(helmUpdates, fmt.Sprintf("Update Ingress-Nginx version %s", newReleaseNotes.NewControllerVersion)) + + newReleaseNotes.Updates = allUpdates + newReleaseNotes.DepUpdates = depUpdates + newReleaseNotes.HelmUpdates = helmUpdates + + //controller_image_digests + imagesYaml, err := downloadFile(IMAGES_YAML) + if err != nil { + ErrorF("Could not download file %s : %s", IMAGES_YAML, err) + return nil, err + } + Debug("%s", imagesYaml) + + data := ImageYamls{} + + err = yaml.Unmarshal([]byte(imagesYaml), &data) + if err != nil { + ErrorF("Could not unmarshal images yaml %s", err) + return nil, err + } + + //controller + controllerDigest := findImageDigest(data, "controller", newVersion) + if len(controllerDigest) == 0 { + ErrorF("Controller Digest could not be found") + return nil, errors.New("Controller digest could not be found") + } + + controllerChrootDigest := findImageDigest(data, "controller-chroot", newVersion) + if len(controllerChrootDigest) == 0 { + ErrorF("Controller Chroot Digest could not be found") + return nil, errors.New("Controller Chroot digest could not be found") + } + + Debug("Latest Controller Digest %v", controllerDigest) + Debug("Latest Controller Chroot Digest %v", controllerChrootDigest) + c1 := ControllerImage{ + Digest: controllerDigest, + Registry: INGRESS_REGISTRY, + Name: "controller", + Tag: newReleaseNotes.NewControllerVersion, + } + c2 := ControllerImage{ + Digest: controllerChrootDigest, + Registry: INGRESS_REGISTRY, + Name: "controller-chroot", + Tag: newReleaseNotes.NewControllerVersion, + } + newReleaseNotes.ControllerImages = append(newReleaseNotes.ControllerImages, c1) + newReleaseNotes.ControllerImages = append(newReleaseNotes.ControllerImages, c2) + Debug("New Release Controller Images %s %s", newReleaseNotes.ControllerImages[0].Digest, newReleaseNotes.ControllerImages[1].Digest) + + if DEBUG { + newReleaseNotes.printRelease() + } + + //write it all out to the changelog file + newReleaseNotes.template() + + return &newReleaseNotes, nil +} + +func (i ControllerImage) print() string { + return fmt.Sprintf("%s/%s:%s@%s", i.Registry, i.Name, i.Tag, i.Digest) +} + +func (r ReleaseNote) template() { + // Files are provided as a slice of strings. + changelogTemplate, err := os.ReadFile("Changelog.md.gotmpl") + if err != nil { + ErrorF("Could not read changelog template file %s", err) + } + Debug("ChangeLog Templates %s", string(changelogTemplate)) + t := template.Must(template.New("changelog").Parse(string(changelogTemplate))) + // create a new file + file, err := os.Create(fmt.Sprintf("changelog/Changelog-%s.md", r.Version)) + if err != nil { + ErrorF("Could not create changelog file %s", err) + } + defer file.Close() + + err = t.Execute(file, r) + if err != nil { + ErrorF("executing template:", err) + } +} + +func (r ReleaseNote) helmTemplate() { + // Files are provided as a slice of strings. + changelogTemplate, err := os.ReadFile("charts/ingress-nginx/changelog.md.gotmpl") + if err != nil { + ErrorF("Could not read changelog template file %s", err) + } + Debug("ChangeLog Templates %s", string(changelogTemplate)) + t := template.Must(template.New("changelog").Parse(string(changelogTemplate))) + // create a new file + file, err := os.Create(fmt.Sprintf("charts/ingress-nginx/changelog/Changelog-%s.md", r.Version)) + if err != nil { + ErrorF("Could not create changelog file %s", err) + } + defer file.Close() + + err = t.Execute(file, r) + if err != nil { + ErrorF("executing template:", err) + } +} + +func (r ReleaseNote) printRelease() { + Info("Release Version: %v", r.NewControllerVersion) + Info("Previous Version: %v", r.PreviousControllerVersion) + Info("Controller Image: %v", r.ControllerImages[0].print()) + Info("Controller Chroot Image: %v", r.ControllerImages[1].print()) + for i := range r.Updates { + Info("Update #%v - %v", i, r.Updates[i]) + } + for j := range r.DepUpdates { + Info("Dependabot Update #%v - %v", j, r.DepUpdates[j]) + } +} + +type ImageYamls []ImageElement + +type ImageElement struct { + Name string `json:"name"` + Dmap map[string][]string `json:"dmap"` +} + +func findImageDigest(yaml ImageYamls, image, version string) string { + version = fmt.Sprintf("v%s", version) + Info("Searching Digest for %s:%s", image, version) + for i := range yaml { + if yaml[i].Name == image { + for k, v := range yaml[i].Dmap { + if v[0] == version { + return k + } + } + return "" + } + } + return "" +} + +func downloadFile(url string) (string, error) { + client := &http.Client{ + Transport: &http.Transport{ + DialContext: (&net.Dialer{ + Timeout: 5 * time.Second, + KeepAlive: 5 * time.Second, + }).DialContext, + TLSHandshakeTimeout: 5 * time.Second, + ResponseHeaderTimeout: 5 * time.Second, + ExpectContinueTimeout: 1 * time.Second, + MaxIdleConnsPerHost: -1, + }, + } + resp, err := client.Get(url) + if err != nil { + return "", nil + } + defer resp.Body.Close() + + if resp.StatusCode != http.StatusOK { + return "", errors.New(fmt.Sprintf("Could not retrieve file, response from server %s for file %s", resp.StatusCode, url)) + } + bodyBytes, err := io.ReadAll(resp.Body) + if err != nil { + return "", nil + } + return string(bodyBytes), nil +} + +// Latest returns latest Github Release +func (Release) Latest() error { + r, _, err := latestRelease() + if err != nil { + ErrorF("Latest Release error %s", err) + return err + } + Info("Latest Release %v", r.String()) + return nil +} + +func (Release) ReleaseByTag(tag string) error { + r, _, err := releaseByTag(tag) + if err != nil { + ErrorF("Release retrieve tag error %s", tag, err) + return err + } + + Info("Latest Release %v", r.String()) + + return nil +} + +func releaseByTag(tag string) (*github.RepositoryRelease, *github.Response, error) { + ghClient := githubClient() + return ghClient.Repositories.GetReleaseByTag(ctx, INGRESS_ORG, INGRESS_REPO, tag) +} + +func latestRelease() (*github.RepositoryRelease, *github.Response, error) { + ghClient := githubClient() + return ghClient.Repositories.GetLatestRelease(ctx, INGRESS_ORG, INGRESS_REPO) +} + +// Copy Test function to copy a release +func (Release) Copy() error { + ghClient := githubClient() + kRelease, _, err := ghClient.Repositories.GetLatestRelease(ctx, "kubernetes", "ingress-nginx") + if err != nil { + ErrorF("Get Release from kubernetes %s", err) + return err + } + + sRelease := &github.RepositoryRelease{ + TagName: kRelease.TagName, + Name: kRelease.Name, + Body: kRelease.Body, + Draft: kRelease.Draft, + Prerelease: kRelease.GenerateReleaseNotes, + DiscussionCategoryName: kRelease.DiscussionCategoryName, + GenerateReleaseNotes: kRelease.GenerateReleaseNotes, + } + + sRelease, _, err = ghClient.Repositories.CreateRelease(ctx, "strongjz", "ingress-nginx", sRelease) + if err != nil { + ErrorF("Creating Strongjz release %s", err) + return err + } + Info("Copied over Kubernetes Release %v to Strongjz %v", &kRelease.Name, &sRelease.Name) + return nil +} diff --git a/magefiles/tags.go b/magefiles/tags.go new file mode 100644 index 000000000..858677ba5 --- /dev/null +++ b/magefiles/tags.go @@ -0,0 +1,130 @@ +//go:build mage + +package main + +import ( + "fmt" + semver "github.com/blang/semver/v4" + "github.com/magefile/mage/mg" + "github.com/magefile/mage/sh" + "os" + "strings" +) + +type Tag mg.Namespace + +var git = sh.OutCmd("git") + +// Nginx returns the ingress-nginx current version +func (Tag) Nginx() { + tag, err := getIngressNGINXVersion() + CheckIfError(err, "") + fmt.Printf("%v", tag) +} + +func getIngressNGINXVersion() (string, error) { + dat, err := os.ReadFile("TAG") + CheckIfError(err, "Could not read TAG file") + datString := string(dat) + //remove newline + datString = strings.Replace(datString, "\n", "", -1) + return datString, nil +} + +func checkSemVer(currentVersion, newVersion string) bool { + Info("Checking Sem Ver between current %s and new %s", currentVersion, newVersion) + cVersion, err := semver.Make(currentVersion[1:]) + if err != nil { + ErrorF("TAG Error Current Tag %v Making Semver : %v", currentVersion[1:], err) + return false + } + nVersion, err := semver.Make(newVersion) + if err != nil { + ErrorF("TAG %v Error Making Semver %v \n", newVersion, err) + return false + } + + err = nVersion.Validate() + if err != nil { + ErrorF("TAG %v not a valid Semver %v \n", newVersion, err) + return false + } + + //The result will be + //0 if newVersion == currentVersion + //-1 if newVersion < currentVersion + //+1 if newVersion > currentVersion. + Info("TAG Comparing Old %s to New %s", cVersion.String(), nVersion.String()) + comp := nVersion.Compare(cVersion) + if comp <= 0 { + Warning("SemVer:%v is not an update\n", newVersion) + return false + } + return true +} + +// BumpNginx will update the nginx TAG +func (Tag) BumpNginx(newTag string) { + Info("TAG BumpNginx version %v", newTag) + currentTag, err := getIngressNGINXVersion() + CheckIfError(err, "Getting Ingress-nginx Version") + bump(currentTag, newTag) +} + +func bump(currentTag, newTag string) { + //check if semver is valid + if !checkSemVer(currentTag, newTag) { + ErrorF("ERROR: Semver is not valid %v", newTag) + os.Exit(1) + } + + Info("Updating Tag %v to %v", currentTag, newTag) + err := os.WriteFile("TAG", []byte(newTag), 0666) + CheckIfError(err, "Error Writing New Tag File") +} + +// Git Returns the latest git tag +func (Tag) Git() { + tag, err := getGitTag() + CheckIfError(err, "Retrieving Git Tag") + Info("Git tag: %v", tag) +} + +func getGitTag() (string, error) { + return git("describe", "--tags", "--match", "controller-v*", "--abbrev=0") +} + +// ControllerTag Creates a new Git Tag for the ingress controller +func (Tag) NewControllerTag(version string) { + Info("Create Ingress Nginx Controller Tag v%s", version) + tag, err := controllerTag(version) + CheckIfError(err, "Creating git tag") + Debug("Git Tag: %s", tag) +} + +func controllerTag(version string) (string, error) { + return git("tag", "-a", "-m", fmt.Sprintf("-m \"Automated Controller release %v\"", version), fmt.Sprintf("controller-v%s", version)) +} + +func (Tag) AllControllerTags() { + tags := getAllControllerTags() + for i, s := range tags { + Info("#%v Version %v", i, s) + } +} + +func getAllControllerTags() []string { + allControllerTags, err := git("tag", "-l", "--sort=-v:refname", "controller-v*") + CheckIfError(err, "Retrieving git tags") + if !sh.CmdRan(err) { + Warning("Issue Running Command") + } + if allControllerTags == "" { + Warning("All Controller Tags is empty") + } + Debug("Controller Tags: %v", allControllerTags) + + temp := strings.Split(allControllerTags, "\n") + Debug("There are %v controller tags", len(temp)) + return temp +} diff --git a/magefiles/yaml.go b/magefiles/yaml.go new file mode 100644 index 000000000..7353508f3 --- /dev/null +++ b/magefiles/yaml.go @@ -0,0 +1,3 @@ +//go:build mage + +package main From 76a5fdfecf40391e58e0f9e9f079f48d7d31df45 Mon Sep 17 00:00:00 2001 From: James Strong Date: Tue, 17 Jan 2023 14:13:50 -0500 Subject: [PATCH 153/405] change format Signed-off-by: James Strong --- magefiles/common.go | 14 ++++++++++++++ magefiles/docker.go | 14 ++++++++++++++ magefiles/go.go | 14 ++++++++++++++ magefiles/helm.go | 14 ++++++++++++++ magefiles/mage.go | 14 ++++++++++++++ magefiles/release.go | 14 ++++++++++++++ magefiles/tags.go | 14 ++++++++++++++ magefiles/yaml.go | 14 ++++++++++++++ 8 files changed, 112 insertions(+) diff --git a/magefiles/common.go b/magefiles/common.go index ae2fed0c4..772e5527c 100644 --- a/magefiles/common.go +++ b/magefiles/common.go @@ -1,3 +1,17 @@ +//Copyright 2023 The Kubernetes Authors. +// +//Licensed under the Apache License, Version 2.0 (the "License"); +//you may not use this file except in compliance with the License. +//You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +//Unless required by applicable law or agreed to in writing, software +//distributed under the License is distributed on an "AS IS" BASIS, +//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +//See the License for the specific language governing permissions and +//limitations under the License. + //go:build mage package main diff --git a/magefiles/docker.go b/magefiles/docker.go index 7353508f3..443722de1 100644 --- a/magefiles/docker.go +++ b/magefiles/docker.go @@ -1,3 +1,17 @@ +//Copyright 2023 The Kubernetes Authors. +// +//Licensed under the Apache License, Version 2.0 (the "License"); +//you may not use this file except in compliance with the License. +//You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +//Unless required by applicable law or agreed to in writing, software +//distributed under the License is distributed on an "AS IS" BASIS, +//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +//See the License for the specific language governing permissions and +//limitations under the License. + //go:build mage package main diff --git a/magefiles/go.go b/magefiles/go.go index 352b8fb1e..9ef4d9fdc 100644 --- a/magefiles/go.go +++ b/magefiles/go.go @@ -1,3 +1,17 @@ +//Copyright 2023 The Kubernetes Authors. +// +//Licensed under the Apache License, Version 2.0 (the "License"); +//you may not use this file except in compliance with the License. +//You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +//Unless required by applicable law or agreed to in writing, software +//distributed under the License is distributed on an "AS IS" BASIS, +//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +//See the License for the specific language governing permissions and +//limitations under the License. + //go:build mage package main diff --git a/magefiles/helm.go b/magefiles/helm.go index 87966dea0..2ac2fc573 100644 --- a/magefiles/helm.go +++ b/magefiles/helm.go @@ -1,3 +1,17 @@ +//Copyright 2023 The Kubernetes Authors. +// +//Licensed under the Apache License, Version 2.0 (the "License"); +//you may not use this file except in compliance with the License. +//You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +//Unless required by applicable law or agreed to in writing, software +//distributed under the License is distributed on an "AS IS" BASIS, +//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +//See the License for the specific language governing permissions and +//limitations under the License. + //go:build mage package main diff --git a/magefiles/mage.go b/magefiles/mage.go index 97ab4712a..c6d4a2587 100644 --- a/magefiles/mage.go +++ b/magefiles/mage.go @@ -1,3 +1,17 @@ +//Copyright 2023 The Kubernetes Authors. +// +//Licensed under the Apache License, Version 2.0 (the "License"); +//you may not use this file except in compliance with the License. +//You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +//Unless required by applicable law or agreed to in writing, software +//distributed under the License is distributed on an "AS IS" BASIS, +//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +//See the License for the specific language governing permissions and +//limitations under the License. + //go:build ignore // +build ignore diff --git a/magefiles/release.go b/magefiles/release.go index a48a9dbd0..714c24334 100644 --- a/magefiles/release.go +++ b/magefiles/release.go @@ -1,3 +1,17 @@ +//Copyright 2023 The Kubernetes Authors. +// +//Licensed under the Apache License, Version 2.0 (the "License"); +//you may not use this file except in compliance with the License. +//You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +//Unless required by applicable law or agreed to in writing, software +//distributed under the License is distributed on an "AS IS" BASIS, +//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +//See the License for the specific language governing permissions and +//limitations under the License. + //go:build mage package main diff --git a/magefiles/tags.go b/magefiles/tags.go index 858677ba5..b8dc86f88 100644 --- a/magefiles/tags.go +++ b/magefiles/tags.go @@ -1,3 +1,17 @@ +//Copyright 2023 The Kubernetes Authors. +// +//Licensed under the Apache License, Version 2.0 (the "License"); +//you may not use this file except in compliance with the License. +//You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +//Unless required by applicable law or agreed to in writing, software +//distributed under the License is distributed on an "AS IS" BASIS, +//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +//See the License for the specific language governing permissions and +//limitations under the License. + //go:build mage package main diff --git a/magefiles/yaml.go b/magefiles/yaml.go index 7353508f3..443722de1 100644 --- a/magefiles/yaml.go +++ b/magefiles/yaml.go @@ -1,3 +1,17 @@ +//Copyright 2023 The Kubernetes Authors. +// +//Licensed under the Apache License, Version 2.0 (the "License"); +//you may not use this file except in compliance with the License. +//You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +//Unless required by applicable law or agreed to in writing, software +//distributed under the License is distributed on an "AS IS" BASIS, +//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +//See the License for the specific language governing permissions and +//limitations under the License. + //go:build mage package main From 22d9c35edec8faeca4cf4f8b72e8f08da20c1618 Mon Sep 17 00:00:00 2001 From: James Strong Date: Tue, 17 Jan 2023 14:22:38 -0500 Subject: [PATCH 154/405] fixed boiler plate lint Signed-off-by: James Strong --- magefiles/common.go | 30 ++++++++++++++++-------------- magefiles/docker.go | 30 ++++++++++++++++-------------- magefiles/go.go | 30 ++++++++++++++++-------------- magefiles/helm.go | 30 ++++++++++++++++-------------- magefiles/mage.go | 30 ++++++++++++++++-------------- magefiles/release.go | 30 ++++++++++++++++-------------- magefiles/tags.go | 30 ++++++++++++++++-------------- magefiles/yaml.go | 30 ++++++++++++++++-------------- 8 files changed, 128 insertions(+), 112 deletions(-) diff --git a/magefiles/common.go b/magefiles/common.go index 772e5527c..c5c33f989 100644 --- a/magefiles/common.go +++ b/magefiles/common.go @@ -1,19 +1,21 @@ -//Copyright 2023 The Kubernetes Authors. -// -//Licensed under the Apache License, Version 2.0 (the "License"); -//you may not use this file except in compliance with the License. -//You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -//Unless required by applicable law or agreed to in writing, software -//distributed under the License is distributed on an "AS IS" BASIS, -//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -//See the License for the specific language governing permissions and -//limitations under the License. - //go:build mage +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + package main import ( diff --git a/magefiles/docker.go b/magefiles/docker.go index 443722de1..d7c7f588e 100644 --- a/magefiles/docker.go +++ b/magefiles/docker.go @@ -1,17 +1,19 @@ -//Copyright 2023 The Kubernetes Authors. -// -//Licensed under the Apache License, Version 2.0 (the "License"); -//you may not use this file except in compliance with the License. -//You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -//Unless required by applicable law or agreed to in writing, software -//distributed under the License is distributed on an "AS IS" BASIS, -//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -//See the License for the specific language governing permissions and -//limitations under the License. - //go:build mage +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + package main diff --git a/magefiles/go.go b/magefiles/go.go index 9ef4d9fdc..2385b089e 100644 --- a/magefiles/go.go +++ b/magefiles/go.go @@ -1,19 +1,21 @@ -//Copyright 2023 The Kubernetes Authors. -// -//Licensed under the Apache License, Version 2.0 (the "License"); -//you may not use this file except in compliance with the License. -//You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -//Unless required by applicable law or agreed to in writing, software -//distributed under the License is distributed on an "AS IS" BASIS, -//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -//See the License for the specific language governing permissions and -//limitations under the License. - //go:build mage +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + package main //import ( diff --git a/magefiles/helm.go b/magefiles/helm.go index 2ac2fc573..f9bf09cb5 100644 --- a/magefiles/helm.go +++ b/magefiles/helm.go @@ -1,19 +1,21 @@ -//Copyright 2023 The Kubernetes Authors. -// -//Licensed under the Apache License, Version 2.0 (the "License"); -//you may not use this file except in compliance with the License. -//You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -//Unless required by applicable law or agreed to in writing, software -//distributed under the License is distributed on an "AS IS" BASIS, -//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -//See the License for the specific language governing permissions and -//limitations under the License. - //go:build mage +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + package main import ( diff --git a/magefiles/mage.go b/magefiles/mage.go index c6d4a2587..605d687a9 100644 --- a/magefiles/mage.go +++ b/magefiles/mage.go @@ -1,20 +1,22 @@ -//Copyright 2023 The Kubernetes Authors. -// -//Licensed under the Apache License, Version 2.0 (the "License"); -//you may not use this file except in compliance with the License. -//You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -//Unless required by applicable law or agreed to in writing, software -//distributed under the License is distributed on an "AS IS" BASIS, -//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -//See the License for the specific language governing permissions and -//limitations under the License. - //go:build ignore // +build ignore +/* +Copyright 2021 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + package main import ( diff --git a/magefiles/release.go b/magefiles/release.go index 714c24334..cbc4d51de 100644 --- a/magefiles/release.go +++ b/magefiles/release.go @@ -1,19 +1,21 @@ -//Copyright 2023 The Kubernetes Authors. -// -//Licensed under the Apache License, Version 2.0 (the "License"); -//you may not use this file except in compliance with the License. -//You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -//Unless required by applicable law or agreed to in writing, software -//distributed under the License is distributed on an "AS IS" BASIS, -//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -//See the License for the specific language governing permissions and -//limitations under the License. - //go:build mage +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + package main import ( diff --git a/magefiles/tags.go b/magefiles/tags.go index b8dc86f88..02bbbcb37 100644 --- a/magefiles/tags.go +++ b/magefiles/tags.go @@ -1,19 +1,21 @@ -//Copyright 2023 The Kubernetes Authors. -// -//Licensed under the Apache License, Version 2.0 (the "License"); -//you may not use this file except in compliance with the License. -//You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -//Unless required by applicable law or agreed to in writing, software -//distributed under the License is distributed on an "AS IS" BASIS, -//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -//See the License for the specific language governing permissions and -//limitations under the License. - //go:build mage +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + package main import ( diff --git a/magefiles/yaml.go b/magefiles/yaml.go index 443722de1..d7c7f588e 100644 --- a/magefiles/yaml.go +++ b/magefiles/yaml.go @@ -1,17 +1,19 @@ -//Copyright 2023 The Kubernetes Authors. -// -//Licensed under the Apache License, Version 2.0 (the "License"); -//you may not use this file except in compliance with the License. -//You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -//Unless required by applicable law or agreed to in writing, software -//distributed under the License is distributed on an "AS IS" BASIS, -//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -//See the License for the specific language governing permissions and -//limitations under the License. - //go:build mage +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + package main From 87baa3e99e1cb9021455cea02c0a98706d095561 Mon Sep 17 00:00:00 2001 From: James Strong Date: Wed, 18 Jan 2023 15:54:44 -0500 Subject: [PATCH 155/405] update docs, and production urls Signed-off-by: James Strong --- magefiles/helm.go | 2 +- magefiles/release.go | 112 ++++++++++++++++++++++--------------------- 2 files changed, 59 insertions(+), 55 deletions(-) diff --git a/magefiles/helm.go b/magefiles/helm.go index f9bf09cb5..a57c46813 100644 --- a/magefiles/helm.go +++ b/magefiles/helm.go @@ -104,7 +104,7 @@ func updateChartReleaseNotes(releasesNotes []string) { for i := range releasesNotes { releaseNoteString = fmt.Sprintf("%s - %s\n", releaseNoteString, releasesNotes[i]) } - Info("HLEM Release note string %s", releaseNoteString) + Info("HELM Release note string %s", releaseNoteString) chart.Annotations["artifacthub.io/changes"] = releaseNoteString err = chartutil.SaveChartfile(HelmChartPath, chart) CheckIfError(err, "HELM Saving updated release notes for Chart") diff --git a/magefiles/release.go b/magefiles/release.go index cbc4d51de..3340a99ff 100644 --- a/magefiles/release.go +++ b/magefiles/release.go @@ -40,22 +40,61 @@ import ( type Release mg.Namespace -var INGRESS_ORG = "strongjz" // the owner so we can test from forks -var INGRESS_REPO = "ingress-nginx" // the repo to pull from -var RELEASE_BRANCH = "main" //we only release from main -var GITHUB_TOKEN string // the Google/gogithub lib needs an PAT to access the GitHub API -var K8S_IO_ORG = "strongjz" //the owner or organization for the k8s.io repo -var K8S_IO_REPO = "k8s.io" //the repo that holds the images yaml for production promotion -var INGRESS_REGISTRY = "registry.k8s.io" //Container registry for storage Ingress-nginx images +var INGRESS_ORG = "kubernetes" // the owner so we can test from forks +var INGRESS_REPO = "ingress-nginx" // the repo to pull from +var RELEASE_BRANCH = "main" //we only release from main +var GITHUB_TOKEN string // the Google/gogithub lib needs an PAT to access the GitHub API +var K8S_IO_ORG = "kubernetes" //the owner or organization for the k8s.io repo +var K8S_IO_REPO = "k8s.io" //the repo that holds the images yaml for production promotion +var INGRESS_REGISTRY = "registry.k8s.io" //Container registry for storage Ingress-nginx images +var KUSTOMIZE_INSTALL_VERSION = "sigs.k8s.io/kustomize/kustomize/v4@v4.5.4" //static deploys needs kustomize to generate the template // ingress-nginx releases start with a TAG then a cloudbuild, then a promotion through a PR, this the location of that PR -// var IMAGES_YAML = "https://raw.githubusercontent.com/kubernetes/k8s.io/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml" -var IMAGES_YAML = "https://raw.githubusercontent.com/strongjz/k8s.io/testing/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml" - +var IMAGES_YAML = "https://raw.githubusercontent.com/kubernetes/k8s.io/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml" var ctx = context.Background() // Context used for GitHub Client -const CHANGELOG = "Changelog.md" //Name of the changelog +const INDEX_DOCS = "docs/deploy/index.md" //index.md has a version of the controller and needs to updated +const CHANGELOG = "Changelog.md" //Name of the changelog +//ControllerImage - struct with info about controllers +type ControllerImage struct { + Tag string + Digest string + Registry string + Name string +} + +//IngressRelease All the information about an ingress-nginx release that gets updated +type IngressRelease struct { + ControllerVersion string + ControllerImage ControllerImage + ReleaseNote ReleaseNote + Release *github.RepositoryRelease +} + +//ReleaseNote - All the pieces of information/documents that get updated during a release +type ReleaseNote struct { + Version string + NewControllerVersion string + PreviousControllerVersion string + ControllerImages []ControllerImage + DepUpdates []string + Updates []string + HelmUpdates []string + NewHelmChartVersion string + PreviousHelmChartVersion string +} + +//IMAGES_YAML returns this data structure +type ImageYamls []ImageElement + +//ImageElement - a specific image and it's data structure the dmap is a list of shas and container versions +type ImageElement struct { + Name string `json:"name"` + Dmap map[string][]string `json:"dmap"` +} + +//init will set the GitHub token from the committers/releasers env var func init() { GITHUB_TOKEN = os.Getenv("GITHUB_TOKEN") } @@ -79,7 +118,7 @@ func (Release) NewRelease(version string) { Info("RELEASE Checking Current Version %s to New Version %s", tag, version) //if the version were upgrading does not match the TAG file, lets update the TAG file - if tag != version { + if tag[1:] != version { Warning("RELEASE Ingress Nginx TAG %s and new version %s do not match", tag, version) mg.Deps(mg.F(Tag.BumpNginx, fmt.Sprintf("v%s", version))) } @@ -122,22 +161,20 @@ func (Release) NewRelease(version string) { //update static manifest CheckIfError(updateStaticManifest(), "Error Updating Static manifests") - ////update e2e docs TODO + ////update e2e docs updateE2EDocs() //update documentation with ingress-nginx version CheckIfError(updateIndexMD(releaseNotes.PreviousControllerVersion, releaseNotes.NewControllerVersion), "Error Updating %s", INDEX_DOCS) + //keeping these manual for now //git commit TODO - //make Pull Request TODO - //make release TODO //mg.Deps(mg.F(Release.CreateRelease, version)) } -const INDEX_DOCS = "docs/deploy/index.md" - +// the index.md doc needs the controller version updated func updateIndexMD(old, new string) error { Info("Updating Deploy docs with new version") data, err := os.ReadFile(INDEX_DOCS) @@ -152,29 +189,29 @@ func updateIndexMD(old, new string) error { return nil } +//runs the hack/generate-deploy-scripts.sh func updateE2EDocs() { - //hack/generate-deploy-scripts.sh updates, err := sh.Output("./hack/generate-e2e-suite-doc.sh") CheckIfError(err, "Could not run update hack script") err = os.WriteFile("docs/e2e-tests.md", []byte(updates), 644) CheckIfError(err, "Could not write new e2e test file ") } +//The static deploy scripts use kustomize to generate them, this function ensures kustomize is installed func installKustomize() error { Info("Install Kustomize") var g0 = sh.RunCmd("go") - // somewhere in your main code - err := g0("install", "sigs.k8s.io/kustomize/kustomize/v4@v4.5.4") + err := g0("install", KUSTOMIZE_INSTALL_VERSION) if err != nil { return err } return nil } +// func updateStaticManifest() error { CheckIfError(installKustomize(), "error installing kustomize") - //hack/generate-deploy-scripts.sh err := sh.RunV("./hack/generate-deploy-scripts.sh") if err != nil { @@ -192,32 +229,6 @@ func updateStaticManifest() error { // Info("New Release: Tag %v, ID: %v", newRelease.TagName, newRelease.ID) //} -type ControllerImage struct { - Tag string - Digest string - Registry string - Name string -} - -type IngressRelease struct { - ControllerVersion string - ControllerImage ControllerImage - ReleaseNote ReleaseNote - Release *github.RepositoryRelease -} - -type ReleaseNote struct { - Version string - NewControllerVersion string - PreviousControllerVersion string - ControllerImages []ControllerImage - DepUpdates []string - Updates []string - HelmUpdates []string - NewHelmChartVersion string - PreviousHelmChartVersion string -} - // Returns a GitHub client ready for use func githubClient() *github.Client { ts := oauth2.StaticTokenSource( @@ -428,13 +439,6 @@ func (r ReleaseNote) printRelease() { } } -type ImageYamls []ImageElement - -type ImageElement struct { - Name string `json:"name"` - Dmap map[string][]string `json:"dmap"` -} - func findImageDigest(yaml ImageYamls, image, version string) string { version = fmt.Sprintf("v%s", version) Info("Searching Digest for %s:%s", image, version) From 3885a823a01573b904a762cadd0e9f794280a255 Mon Sep 17 00:00:00 2001 From: James Strong Date: Thu, 19 Jan 2023 11:50:27 -0500 Subject: [PATCH 156/405] go fmt Signed-off-by: James Strong --- magefiles/release.go | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/magefiles/release.go b/magefiles/release.go index 3340a99ff..3c715bc07 100644 --- a/magefiles/release.go +++ b/magefiles/release.go @@ -56,7 +56,7 @@ var ctx = context.Background() // Context used for GitHub Client const INDEX_DOCS = "docs/deploy/index.md" //index.md has a version of the controller and needs to updated const CHANGELOG = "Changelog.md" //Name of the changelog -//ControllerImage - struct with info about controllers +// ControllerImage - struct with info about controllers type ControllerImage struct { Tag string Digest string @@ -64,7 +64,7 @@ type ControllerImage struct { Name string } -//IngressRelease All the information about an ingress-nginx release that gets updated +// IngressRelease All the information about an ingress-nginx release that gets updated type IngressRelease struct { ControllerVersion string ControllerImage ControllerImage @@ -72,7 +72,7 @@ type IngressRelease struct { Release *github.RepositoryRelease } -//ReleaseNote - All the pieces of information/documents that get updated during a release +// ReleaseNote - All the pieces of information/documents that get updated during a release type ReleaseNote struct { Version string NewControllerVersion string @@ -85,16 +85,16 @@ type ReleaseNote struct { PreviousHelmChartVersion string } -//IMAGES_YAML returns this data structure +// IMAGES_YAML returns this data structure type ImageYamls []ImageElement -//ImageElement - a specific image and it's data structure the dmap is a list of shas and container versions +// ImageElement - a specific image and it's data structure the dmap is a list of shas and container versions type ImageElement struct { Name string `json:"name"` Dmap map[string][]string `json:"dmap"` } -//init will set the GitHub token from the committers/releasers env var +// init will set the GitHub token from the committers/releasers env var func init() { GITHUB_TOKEN = os.Getenv("GITHUB_TOKEN") } @@ -189,7 +189,7 @@ func updateIndexMD(old, new string) error { return nil } -//runs the hack/generate-deploy-scripts.sh +// runs the hack/generate-deploy-scripts.sh func updateE2EDocs() { updates, err := sh.Output("./hack/generate-e2e-suite-doc.sh") CheckIfError(err, "Could not run update hack script") @@ -197,7 +197,7 @@ func updateE2EDocs() { CheckIfError(err, "Could not write new e2e test file ") } -//The static deploy scripts use kustomize to generate them, this function ensures kustomize is installed +// The static deploy scripts use kustomize to generate them, this function ensures kustomize is installed func installKustomize() error { Info("Install Kustomize") var g0 = sh.RunCmd("go") @@ -209,7 +209,6 @@ func installKustomize() error { return nil } -// func updateStaticManifest() error { CheckIfError(installKustomize(), "error installing kustomize") //hack/generate-deploy-scripts.sh From 4e85acce99fa27d56cc30aa2ef440e5d3c8f3359 Mon Sep 17 00:00:00 2001 From: Aarni Koskela Date: Wed, 25 Jan 2023 11:44:11 +0200 Subject: [PATCH 157/405] Move and spell-check Kubernetes 1.22 migration FAQ (#9544) * Move Kubernetes 1.22 migration guide to a separate file * Reformat and spell-check Kubernetes 1.22 migration doc --- docs/index.md | 232 +------------------------ docs/user-guide/k8s-122-migration.md | 245 +++++++++++++++++++++++++++ 2 files changed, 248 insertions(+), 229 deletions(-) create mode 100644 docs/user-guide/k8s-122-migration.md diff --git a/docs/index.md b/docs/index.md index fded1b2bc..bcf4a4018 100644 --- a/docs/index.md +++ b/docs/index.md @@ -11,233 +11,7 @@ You can learn more about using [Ingress](http://kubernetes.io/docs/user-guide/in See [Deployment](./deploy/) for a whirlwind tour that will get you started. -# FAQ - Migration to apiVersion `networking.k8s.io/v1` +# FAQ - Kubernetes 1.22 Migration -If you are using Ingress objects in your cluster (running Kubernetes older than v1.22), and you plan to upgrade to Kubernetes v1.22, this section is relevant to you. - -- Please read this [official blog on deprecated Ingress API versions](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) - -- Please read this [official documentation on the IngressClass object](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) - -## What is an IngressClass and why is it important for users of Ingress-NGINX controller now ? - -IngressClass is a Kubernetes resource. See the description below. It's important because until now, a default install of the Ingress-NGINX controller did not require any IngressClass object. From version 1.0.0 of the Ingress-NGINX Controller, an IngressClass object is required. - -On clusters with more than one instance of the Ingress-NGINX controller, all instances of the controllers must be aware of which Ingress objects they serve. The `ingressClassName` field of an Ingress is the way to let the controller know about that. - -```console -kubectl explain ingressclass -``` -``` -KIND: IngressClass -VERSION: networking.k8s.io/v1 - -DESCRIPTION: - IngressClass represents the class of the Ingress, referenced by the Ingress - Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be - used to indicate that an IngressClass should be considered default. When a - single IngressClass resource has this annotation set to true, new Ingress - resources without a class specified will be assigned this default class. - -FIELDS: - apiVersion - APIVersion defines the versioned schema of this representation of an - object. Servers should convert recognized schemas to the latest internal - value, and may reject unrecognized values. More info: - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - - kind - Kind is a string value representing the REST resource this object - represents. Servers may infer this from the endpoint the client submits - requests to. Cannot be updated. In CamelCase. More info: - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - - metadata - Standard object's metadata. More info: - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - - spec - Spec is the desired state of the IngressClass. More info: - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status` - -``` - -## What has caused this change in behavior? - -There are 2 reasons primarily. - -### Reason #1 - -Until K8s version 1.21, it was possible to create an Ingress resource using deprecated versions of the Ingress API, such as: - - - `extensions/v1beta1` - - `networking.k8s.io/v1beta1` - -You would get a message about deprecation, but the Ingress resource would get created. - -From K8s version 1.22 onwards, you can **only** access the Ingress API via the stable, `networking.k8s.io/v1` API. The reason is explained in the [official blog on deprecated ingress API versions](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/). - -### Reason #2 - -If you are already using the Ingress-NGINX controller and then upgrade to K8s version v1.22 , there are several scenarios where your existing Ingress objects will not work how you expect. Read this FAQ to check which scenario matches your use case. - -## What is ingressClassName field ? - -`ingressClassName` is a field in the specs of an Ingress object. - -```shell -kubectl explain ingress.spec.ingressClassName -``` -```console -KIND: Ingress -VERSION: networking.k8s.io/v1 - -FIELD: ingressClassName - -DESCRIPTION: - IngressClassName is the name of the IngressClass cluster resource. The - associated IngressClass defines which controller will implement the - resource. This replaces the deprecated `kubernetes.io/ingress.class` - annotation. For backwards compatibility, when that annotation is set, it - must be given precedence over this field. The controller may emit a warning - if the field and annotation have different values. Implementations of this - API should ignore Ingresses without a class specified. An IngressClass - resource may be marked as default, which can be used to set a default value - for this field. For more information, refer to the IngressClass - documentation. -``` - -The `.spec.ingressClassName` behavior has precedence over the deprecated `kubernetes.io/ingress.class` annotation. - - -## I have only one ingress controller in my cluster. What should I do? - -If a single instance of the Ingress-NGINX controller is the sole Ingress controller running in your cluster, you should add the annotation "ingressclass.kubernetes.io/is-default-class" in your IngressClass, so any new Ingress objects will have this one as default IngressClass. - -When using Helm, you can enable this annotation by setting `.controller.ingressClassResource.default: true` in your Helm chart installation's values file. - -If you have any old Ingress objects remaining without an IngressClass set, you can do one or more of the following to make the Ingress-NGINX controller aware of the old objects: - -- You can manually set the [`.spec.ingressClassName`](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) field in the manifest of your own Ingress resources. -- You can re-create them after setting the `ingressclass.kubernetes.io/is-default-class` annotation to `true` on the IngressClass -- Alternatively you can make the Ingress-NGINX controller watch Ingress objects without the ingressClassName field set by starting your Ingress-NGINX with the flag [--watch-ingress-without-class=true](#what-is-the-flag-watch-ingress-without-class) . When using Helm, you can configure your Helm chart installation's values file with `.controller.watchIngressWithoutClass: true` - -You can configure your Helm chart installation's values file with `.controller.watchIngressWithoutClass: true`. - -We recommend that you create the IngressClass as shown below: -``` ---- -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - labels: - app.kubernetes.io/component: controller - name: nginx - annotations: - ingressclass.kubernetes.io/is-default-class: "true" -spec: - controller: k8s.io/ingress-nginx -``` - -And add the value `spec.ingressClassName=nginx` in your Ingress objects. - - -## I have multiple ingress objects in my cluster. What should I do ? -- If you have lot of ingress objects without ingressClass configuration, you can run the ingress-controller with the flag `--watch-ingress-without-class=true`. - - -### What is the flag '--watch-ingress-without-class' ? -- Its a flag that is passed,as an argument, to the `nginx-ingress-controller` executable. In the configuration, it looks like this: -``` -... -... -args: - - /nginx-ingress-controller - - --watch-ingress-without-class=true - - --publish-service=$(POD_NAMESPACE)/ingress-nginx-dev-v1-test-controller - - --election-id=ingress-controller-leader - - --controller-class=k8s.io/ingress-nginx - - --configmap=$(POD_NAMESPACE)/ingress-nginx-dev-v1-test-controller - - --validating-webhook=:8443 - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key -... -... -``` - -## I have more than one controller in my cluster and already use the annotation ? - -No problem. This should still keep working, but we highly recommend you to test! - -Even though `kubernetes.io/ingress.class` is deprecated, the Ingress-NGINX controller still understands that annotation. -If you want to follow good practice, you should consider migrating to use IngressClass and `.spec.ingressClassName`. - -## I have more than one controller running in my cluster, and I want to use the new API ? - -In this scenario, you need to create multiple IngressClasses (see example one). But be aware that IngressClass works in a very specific way: you will need to change the `.spec.controller` value in your IngressClass and configure the controller to expect the exact same value. - -Let's see some example, supposing that you have three IngressClasses: - -- IngressClass `ingress-nginx-one`, with `.spec.controller` equal to `example.com/ingress-nginx1` -- IngressClass `ingress-nginx-two`, with `.spec.controller` equal to `example.com/ingress-nginx2` -- IngressClass `ingress-nginx-three`, with `.spec.controller` equal to `example.com/ingress-nginx1` - -(for private use, you can also use a controller name that doesn't contain a `/`; for example: `ingress-nginx1`) - -When deploying your ingress controllers, you will have to change the `--controller-class` field as follows: - -- Ingress-Nginx A, configured to use controller class name `example.com/ingress-nginx1` -- Ingress-Nginx B, configured to use controller class name `example.com/ingress-nginx2` - -Then, when you create an Ingress object with its `ingressClassName` set to `ingress-nginx-two`, only controllers looking for the `example.com/ingress-nginx2` controller class pay attention to the new object. Given that Ingress-Nginx B is set up that way, it will serve that object, whereas Ingress-Nginx A ignores the new Ingress. - -Bear in mind that, if you start Ingress-Nginx B with the command line argument `--watch-ingress-without-class=true`, then it will serve: - -1. Ingresses without any `ingressClassName` set -2. Ingresses where the deprecated annotation (`kubernetes.io/ingress.class`) matches the value set in the command line argument `--ingress-class` -3. Ingresses that refer to any IngressClass that has the same `spec.controller` as configured in `--controller-class` - -If you start Ingress-Nginx B with the command line argument `--watch-ingress-without-class=true` and you run Ingress-Nginx A with the command line argument `--watch-ingress-without-class=false` then this is a supported configuration. If you have two Ingress-NGINX controllers for the same cluster, both running with `--watch-ingress-without-class=true` then there is likely to be a conflict. - -## I am seeing this error message in the logs of the Ingress-NGINX controller: "ingress class annotation is not equal to the expected by Ingress Controller". Why ? - -- It is highly likely that you will also see the name of the ingress resource in the same error message. This error message has been observed on use the deprecated annotation (`kubernetes.io/ingress.class`) in a Ingress resource manifest. It is recommended to use the `.spec.ingressClassName` field of the Ingress resource, to specify the name of the IngressClass of the Ingress you are defining. - -## How to easily install multiple instances of the ingress-NGINX controller in the same cluster ? -- Create a new namespace - ``` - kubectl create namespace ingress-nginx-2 - ``` -- Use Helm to install the additional instance of the ingress controller -- Ensure you have Helm working (refer to the [Helm documentation](https://helm.sh/docs/)) -- We have to assume that you have the helm repo for the ingress-NGINX controller already added to your Helm config. But, if you have not added the helm repo then you can do this to add the repo to your helm config; - ``` - helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx - ``` -- Make sure you have updated the helm repo data; - ``` - helm repo update - ``` -- Now, install an additional instance of the ingress-NGINX controller like this: - ``` - helm install ingress-nginx-2 ingress-nginx/ingress-nginx \ - --namespace ingress-nginx-2 \ - --set controller.ingressClassResource.name=nginx-two \ - --set controller.ingressClass=nginx-two \ - --set controller.ingressClassResource.controllerValue="example.com/ingress-nginx-2" \ - --set controller.ingressClassResource.enabled=true \ - --set controller.ingressClassByName=true - ``` -- If you need to install yet another instance, then repeat the procedure to create a new namespace, change the values such as names & namespaces (for example from "-2" to "-3"), or anything else that meets your needs. -- If you need to install all instances in the same namespace, then you need to specify a different **election id**, like this: - ``` - helm install ingress-nginx-2 ingress-nginx/ingress-nginx \ - --namespace kube-system \ - --set controller.electionID=nginx-two-leader \ - --set controller.ingressClassResource.name=nginx-two \ - --set controller.ingressClass=nginx-two \ - --set controller.ingressClassResource.controllerValue="example.com/ingress-nginx-2" \ - --set controller.ingressClassResource.enabled=true \ - --set controller.ingressClassByName=true - ``` - - Note, controller.ingressClassResource.name and controller.ingressClass have to be set with the value of the new class as the first is to create the IngressClass object and the other is to modify the deployment of the actuall ingress controller pod. +If you are using Ingress objects in your cluster (running Kubernetes older than v1.22), +and you plan to upgrade to Kubernetes v1.22, please read [the migration guide here](./user-guide/k8s-122-migration.md). diff --git a/docs/user-guide/k8s-122-migration.md b/docs/user-guide/k8s-122-migration.md new file mode 100644 index 000000000..34893f931 --- /dev/null +++ b/docs/user-guide/k8s-122-migration.md @@ -0,0 +1,245 @@ +# FAQ - Migration to Kubernetes 1.22 and apiVersion `networking.k8s.io/v1` + +If you are using Ingress objects in your cluster (running Kubernetes older than v1.22), +and you plan to upgrade to Kubernetes v1.22, this page is relevant to you. + +- Please read this [official blog on deprecated Ingress API versions](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) +- Please read this [official documentation on the IngressClass object](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) + +## What is an IngressClass and why is it important for users of ingress-nginx controller now? + +IngressClass is a Kubernetes resource. See the description below. +It's important because until now, a default install of the ingress-nginx controller did not require a IngressClass object. +From version 1.0.0 of the ingress-nginx controller, an IngressClass object is required. + +On clusters with more than one instance of the ingress-nginx controller, all instances of the controllers must be aware of which Ingress objects they serve. +The `ingressClassName` field of an Ingress is the way to let the controller know about that. + +```console +kubectl explain ingressclass +``` + +``` +KIND: IngressClass +VERSION: networking.k8s.io/v1 +DESCRIPTION: + IngressClass represents the class of the Ingress, referenced by the Ingress + Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be + used to indicate that an IngressClass should be considered default. When a + single IngressClass resource has this annotation set to true, new Ingress + resources without a class specified will be assigned this default class. +FIELDS: + apiVersion + APIVersion defines the versioned schema of this representation of an + object. Servers should convert recognized schemas to the latest internal + value, and may reject unrecognized values. More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind + Kind is a string value representing the REST resource this object + represents. Servers may infer this from the endpoint the client submits + requests to. Cannot be updated. In CamelCase. More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata + Standard object's metadata. More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + spec + Spec is the desired state of the IngressClass. More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status` +``` + +## What has caused this change in behavior? + +There are 2 primary reasons. + +### Reason 1 + +Until K8s version 1.21, it was possible to create an Ingress resource using deprecated versions of the Ingress API, such as: + +- `extensions/v1beta1` +- `networking.k8s.io/v1beta1` + You would get a message about deprecation, but the Ingress resource would get created. + +From K8s version 1.22 onwards, you can **only** access the Ingress API via the stable, `networking.k8s.io/v1` API. +The reason is explained in the [official blog on deprecated ingress API versions](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/). + +### Reason #2 + +If you are already using the ingress-nginx controller and then upgrade to Kubernetes 1.22, +there are several scenarios where your existing Ingress objects will not work how you expect. + +Read this FAQ to check which scenario matches your use case. + +## What is the `ingressClassName` field? + +`ingressClassName` is a field in the spec of an Ingress object. + +```shell +kubectl explain ingress.spec.ingressClassName +``` + +```console +KIND: Ingress +VERSION: networking.k8s.io/v1 +FIELD: ingressClassName +DESCRIPTION: + IngressClassName is the name of the IngressClass cluster resource. The + associated IngressClass defines which controller will implement the + resource. This replaces the deprecated `kubernetes.io/ingress.class` + annotation. For backwards compatibility, when that annotation is set, it + must be given precedence over this field. The controller may emit a warning + if the field and annotation have different values. Implementations of this + API should ignore Ingresses without a class specified. An IngressClass + resource may be marked as default, which can be used to set a default value + for this field. For more information, refer to the IngressClass + documentation. +``` + +The `.spec.ingressClassName` behavior has precedence over the deprecated `kubernetes.io/ingress.class` annotation. + +## I have only one ingress controller in my cluster. What should I do? + +If a single instance of the ingress-nginx controller is the sole Ingress controller running in your cluster, +you should add the annotation "ingressclass.kubernetes.io/is-default-class" in your IngressClass, +so any new Ingress objects will have this one as default IngressClass. + +When using Helm, you can enable this annotation by setting `.controller.ingressClassResource.default: true` in your Helm chart installation's values file. + +If you have any old Ingress objects remaining without an IngressClass set, you can do one or more of the following to make the ingress-nginx controller aware of the old objects: + +- You can manually set the [`.spec.ingressClassName`](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) field in the manifest of your own Ingress resources. +- You can re-create them after setting the `ingressclass.kubernetes.io/is-default-class` annotation to `true` on the IngressClass +- Alternatively you can make the ingress-nginx controller watch Ingress objects without the ingressClassName field set by starting your ingress-nginx with the flag [--watch-ingress-without-class=true](#what-is-the-flag-watch-ingress-without-class). + When using Helm, you can configure your Helm chart installation's values file with `.controller.watchIngressWithoutClass: true`. + +We recommend that you create the IngressClass as shown below: + +``` +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/component: controller + name: nginx + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +spec: + controller: k8s.io/ingress-nginx +``` + +and add the value `spec.ingressClassName=nginx` in your Ingress objects. + +## I have many ingress objects in my cluster. What should I do? + +If you have lot of ingress objects without ingressClass configuration, +you can run the ingress controller with the flag `--watch-ingress-without-class=true`. + +### What is the flag `--watch-ingress-without-class`? + +It's a flag that is passed, as an argument, to the `nginx-ingress-controller` executable. +In the configuration, it looks like this: + +```yaml +# ... +args: + - /nginx-ingress-controller + - --watch-ingress-without-class=true + - --controller-class=k8s.io/ingress-nginx + # ... +# ... +``` + +## I have more than one controller in my cluster, and I'm already using the annotation + +No problem. This should still keep working, but we highly recommend you to test! +Even though `kubernetes.io/ingress.class` is deprecated, the ingress-nginx controller still understands that annotation. +If you want to follow good practice, you should consider migrating to use IngressClass and `.spec.ingressClassName`. + +## I have more than one controller running in my cluster, and I want to use the new API + +In this scenario, you need to create multiple IngressClasses (see the example above). + +Be aware that IngressClass works in a very specific way: you will need to change the `.spec.controller` value in your IngressClass and configure the controller to expect the exact same value. + +Let's see an example, supposing that you have three IngressClasses: + +- IngressClass `ingress-nginx-one`, with `.spec.controller` equal to `example.com/ingress-nginx1` +- IngressClass `ingress-nginx-two`, with `.spec.controller` equal to `example.com/ingress-nginx2` +- IngressClass `ingress-nginx-three`, with `.spec.controller` equal to `example.com/ingress-nginx1` + +For private use, you can also use a controller name that doesn't contain a `/`, e.g. `ingress-nginx1`. + +When deploying your ingress controllers, you will have to change the `--controller-class` field as follows: + +- Ingress-Nginx A, configured to use controller class name `example.com/ingress-nginx1` +- Ingress-Nginx B, configured to use controller class name `example.com/ingress-nginx2` + +When you create an Ingress object with its `ingressClassName` set to `ingress-nginx-two`, +only controllers looking for the `example.com/ingress-nginx2` controller class pay attention to the new object. + +Given that Ingress-Nginx B is set up that way, it will serve that object, whereas Ingress-Nginx A ignores the new Ingress. + +Bear in mind that if you start Ingress-Nginx B with the command line argument `--watch-ingress-without-class=true`, it will serve: + +1. Ingresses without any `ingressClassName` set +2. Ingresses where the deprecated annotation (`kubernetes.io/ingress.class`) matches the value set in the command line argument `--ingress-class` +3. Ingresses that refer to any IngressClass that has the same `spec.controller` as configured in `--controller-class` +4. If you start Ingress-Nginx B with the command line argument `--watch-ingress-without-class=true` and you run Ingress-Nginx A with the command line argument `--watch-ingress-without-class=false` then this is a supported configuration. + If you have two ingress-nginx controllers for the same cluster, both running with `--watch-ingress-without-class=true` then there is likely to be a conflict. + +## Why am I am seeing "ingress class annotation is not equal to the expected by Ingress Controller" in my controller logs? + +It is highly likely that you will also see the name of the ingress resource in the same error message. +This error message has been observed on use the deprecated annotation (`kubernetes.io/ingress.class`) in a Ingress resource manifest. +It is recommended to use the `.spec.ingressClassName` field of the Ingress resource, to specify the name of the IngressClass of the Ingress you are defining. + +## How can I easily install multiple instances of the ingress-nginx controller in the same cluster? + +You can install them in different namespaces. + +- Create a new namespace + ``` + kubectl create namespace ingress-nginx-2 + ``` +- Use Helm to install the additional instance of the ingress controller +- Ensure you have Helm working (refer to the [Helm documentation](https://helm.sh/docs/)) +- We have to assume that you have the helm repo for the ingress-nginx controller already added to your Helm config. + But, if you have not added the helm repo then you can do this to add the repo to your helm config; + ``` + helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx + ``` +- Make sure you have updated the helm repo data; + ``` + helm repo update + ``` +- Now, install an additional instance of the ingress-nginx controller like this: + ``` + helm install ingress-nginx-2 ingress-nginx/ingress-nginx \ + --namespace ingress-nginx-2 \ + --set controller.ingressClassResource.name=nginx-two \ + --set controller.ingressClass=nginx-two \ + --set controller.ingressClassResource.controllerValue="example.com/ingress-nginx-2" \ + --set controller.ingressClassResource.enabled=true \ + --set controller.ingressClassByName=true + ``` + +If you need to install yet another instance, then repeat the procedure to create a new namespace, +change the values such as names & namespaces (for example from "-2" to "-3"), or anything else that meets your needs. + +Note that `controller.ingressClassResource.name` and `controller.ingressClass` have to be set correctly. +The first is to create the IngressClass object and the other is to modify the deployment of the actual ingress controller pod. + +### I can't use multiple namespaces, what should I do? + +If you need to install all instances in the same namespace, then you need to specify a different **election id**, like this: + +``` +helm install ingress-nginx-2 ingress-nginx/ingress-nginx \ +--namespace kube-system \ +--set controller.electionID=nginx-two-leader \ +--set controller.ingressClassResource.name=nginx-two \ +--set controller.ingressClass=nginx-two \ +--set controller.ingressClassResource.controllerValue="example.com/ingress-nginx-2" \ +--set controller.ingressClassResource.enabled=true \ +--set controller.ingressClassByName=true +``` From 909a8185920c45f99292cce705dba07c770e6f74 Mon Sep 17 00:00:00 2001 From: Ismayil Mirzali Date: Fri, 27 Jan 2023 17:12:27 +0200 Subject: [PATCH 158/405] tcpproxy: increase buffer size to 16K (#9548) --- pkg/tcpproxy/tcp.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkg/tcpproxy/tcp.go b/pkg/tcpproxy/tcp.go index 4c34e1f7b..86850ad54 100644 --- a/pkg/tcpproxy/tcp.go +++ b/pkg/tcpproxy/tcp.go @@ -59,11 +59,12 @@ func (p *TCPProxy) Get(host string) *TCPServer { // and open a connection to the passthrough server. func (p *TCPProxy) Handle(conn net.Conn) { defer conn.Close() - data := make([]byte, 4096) + // See: https://www.ibm.com/docs/en/ztpf/1.1.0.15?topic=sessions-ssl-record-format + data := make([]byte, 16384) length, err := conn.Read(data) if err != nil { - klog.V(4).ErrorS(err, "Error reading the first 4k of the connection") + klog.V(4).ErrorS(err, "Error reading data from the connection") return } From 0c3625cdb919c9348033369dd890569aea66ed4a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Jan 2023 12:44:50 -0800 Subject: [PATCH 159/405] Bump sigs.k8s.io/controller-runtime from 0.13.1 to 0.14.2 (#9552) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 22 ++++++++++---------- go.sum | 65 +++++++++++++++++++++++++++++++++++++--------------------- 2 files changed, 53 insertions(+), 34 deletions(-) diff --git a/go.mod b/go.mod index 6f90615ff..03b3ebdb7 100644 --- a/go.mod +++ b/go.mod @@ -30,17 +30,17 @@ require ( google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 - k8s.io/api v0.26.0 - k8s.io/apiextensions-apiserver v0.26.0 - k8s.io/apimachinery v0.26.0 - k8s.io/apiserver v0.26.0 + k8s.io/api v0.26.1 + k8s.io/apiextensions-apiserver v0.26.1 + k8s.io/apimachinery v0.26.1 + k8s.io/apiserver v0.26.1 k8s.io/cli-runtime v0.26.0 - k8s.io/client-go v0.26.0 - k8s.io/code-generator v0.26.0 - k8s.io/component-base v0.26.0 + k8s.io/client-go v0.26.1 + k8s.io/code-generator v0.26.1 + k8s.io/component-base v0.26.1 k8s.io/klog/v2 v2.80.1 pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 - sigs.k8s.io/controller-runtime v0.13.1 + sigs.k8s.io/controller-runtime v0.14.2 sigs.k8s.io/mdtoc v1.1.0 ) @@ -77,7 +77,6 @@ require ( github.com/inconshreveable/mousetrap v1.0.1 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect - github.com/magefile/mage v1.14.0 // indirect github.com/mailru/easyjson v0.7.6 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect @@ -88,6 +87,7 @@ require ( github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833 // indirect + github.com/onsi/ginkgo v1.16.5 // indirect github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 // indirect github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/pkg/errors v0.9.1 // indirect @@ -104,7 +104,7 @@ require ( golang.org/x/sys v0.4.0 // indirect golang.org/x/term v0.4.0 // indirect golang.org/x/text v0.6.0 // indirect - golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect + golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.4.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto v0.0.0-20221118155620-16455021b5e6 // indirect @@ -115,7 +115,7 @@ require ( gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/gengo v0.0.0-20220902162205-c0856e24416d // indirect k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect - k8s.io/utils v0.0.0-20221107191617-1a15be271d1d // indirect + k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 // indirect sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect sigs.k8s.io/kustomize/api v0.12.1 // indirect sigs.k8s.io/kustomize/kyaml v0.13.9 // indirect diff --git a/go.sum b/go.sum index 8a32d3e00..7588a51fb 100644 --- a/go.sum +++ b/go.sum @@ -87,6 +87,8 @@ github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQL github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b h1:074/xhloHUBOpTZwlIzQ28rbPY8pNJvzY7Gcx5KnNOk= @@ -116,6 +118,7 @@ github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng= github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.0.6 h1:mkgN1ofwASrYnJ5W6U/BxG15eXXXjirgZc7CLqkcaro= github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= @@ -195,6 +198,7 @@ github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWet github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= @@ -231,8 +235,6 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= -github.com/magefile/mage v1.14.0 h1:6QDX3g6z1YvJ4olPhT1wksUcSa/V0a1B+pJb73fBjyo= -github.com/magefile/mage v1.14.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA= @@ -276,10 +278,17 @@ github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833/go.mod h1:0CznHmX github.com/ncabatoff/process-exporter v0.7.10 h1:+Ere7+3se6QqP54gg7aBRagWcL8bq3u5zNi/GRSWeKQ= github.com/ncabatoff/process-exporter v0.7.10/go.mod h1:DHZRZjqxw9LCOpLlX0DjBuyn6d5plh41Jv6Tmttj7Ek= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= +github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= +github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= +github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= github.com/onsi/ginkgo/v2 v2.6.1 h1:1xQPCjcqYw/J5LchOcp4/2q/jzJFjiAOc25chhnDw+Q= github.com/onsi/ginkgo/v2 v2.6.1/go.mod h1:yjiuMwPokqY1XauOgju45q3sJt6VzQ/Fict1LFVcsAo= +github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= +github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.24.1 h1:KORJXNNTzJXzu4ScJWssJfJMnJ+2QJqhoQSRwNlze9E= github.com/opencontainers/runc v1.1.4 h1:nRCz/8sKg6K6jgYAFLDlXzPeITBZJyX28DBVhWD+5dg= github.com/opencontainers/runc v1.1.4/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg= @@ -385,7 +394,7 @@ go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 h1:+FNtrFTmVw0YZGpBGX56XDee33 go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o= go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4= -go.uber.org/zap v1.21.0 h1:WefMeulhovoZ2sYXz7st6K0sLj7bBhpiFaud4r4zST8= +go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= golang.org/dl v0.0.0-20190829154251-82a15e2f2ead/go.mod h1:IUMfjQLJQd4UTqG1Z90tenwKoCX93Gn3MAQJMOSBsDQ= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= @@ -430,6 +439,7 @@ golang.org/x/mod v0.7.0 h1:LapD9S96VoQRhi/GrNTqeBJFrUjs5UHCAtTlgwA5oZA= golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -452,6 +462,7 @@ golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/ golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= @@ -482,6 +493,7 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -493,10 +505,13 @@ golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191002063906-3421d5a6bb1c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -517,6 +532,7 @@ golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -542,8 +558,8 @@ golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20220609170525-579cf78fd858 h1:Dpdu/EMxGMFgq0CeYMh4fazTD2vtlZRYE7wyynxJb9U= -golang.org/x/time v0.0.0-20220609170525-579cf78fd858/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= +golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= @@ -586,6 +602,7 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.4.0 h1:7mTAgkunk3fr4GAloyyCasadO6h9zSsQZbwvcaIciV4= golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ= @@ -689,6 +706,7 @@ gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/go-playground/assert.v1 v1.2.1 h1:xoYuJVE7KT85PYWrN730RguIQO0ePzVRfFMXadIrXTM= gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8bDuhia5mkpMnE= gopkg.in/go-playground/pool.v3 v3.1.1 h1:4Qcj91IsYTpIeRhe/eo6Fz+w6uKWPEghx8vHFTYMfhw= @@ -698,6 +716,7 @@ gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/mcuadros/go-syslog.v2 v2.3.0 h1:kcsiS+WsTKyIEPABJBJtoG0KkOS6yzvJ+/eZlhD79kk= gopkg.in/mcuadros/go-syslog.v2 v2.3.0/go.mod h1:l5LPIyOOyIdQquNg+oU6Z3524YwrcqEm0aKH+5zpt2U= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= @@ -718,22 +737,22 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.26.0 h1:IpPlZnxBpV1xl7TGk/X6lFtpgjgntCg8PJ+qrPHAC7I= -k8s.io/api v0.26.0/go.mod h1:k6HDTaIFC8yn1i6pSClSqIwLABIcLV9l5Q4EcngKnQg= -k8s.io/apiextensions-apiserver v0.26.0 h1:Gy93Xo1eg2ZIkNX/8vy5xviVSxwQulsnUdQ00nEdpDo= -k8s.io/apiextensions-apiserver v0.26.0/go.mod h1:7ez0LTiyW5nq3vADtK6C3kMESxadD51Bh6uz3JOlqWQ= -k8s.io/apimachinery v0.26.0 h1:1feANjElT7MvPqp0JT6F3Ss6TWDwmcjLypwoPpEf7zg= -k8s.io/apimachinery v0.26.0/go.mod h1:tnPmbONNJ7ByJNz9+n9kMjNP8ON+1qoAIIC70lztu74= -k8s.io/apiserver v0.26.0 h1:q+LqIK5EZwdznGZb8bq0+a+vCqdeEEe4Ux3zsOjbc4o= -k8s.io/apiserver v0.26.0/go.mod h1:aWhlLD+mU+xRo+zhkvP/gFNbShI4wBDHS33o0+JGI84= +k8s.io/api v0.26.1 h1:f+SWYiPd/GsiWwVRz+NbFyCgvv75Pk9NK6dlkZgpCRQ= +k8s.io/api v0.26.1/go.mod h1:xd/GBNgR0f707+ATNyPmQ1oyKSgndzXij81FzWGsejg= +k8s.io/apiextensions-apiserver v0.26.1 h1:cB8h1SRk6e/+i3NOrQgSFij1B2S0Y0wDoNl66bn8RMI= +k8s.io/apiextensions-apiserver v0.26.1/go.mod h1:AptjOSXDGuE0JICx/Em15PaoO7buLwTs0dGleIHixSM= +k8s.io/apimachinery v0.26.1 h1:8EZ/eGJL+hY/MYCNwhmDzVqq2lPl3N3Bo8rvweJwXUQ= +k8s.io/apimachinery v0.26.1/go.mod h1:tnPmbONNJ7ByJNz9+n9kMjNP8ON+1qoAIIC70lztu74= +k8s.io/apiserver v0.26.1 h1:6vmnAqCDO194SVCPU3MU8NcDgSqsUA62tBUSWrFXhsc= +k8s.io/apiserver v0.26.1/go.mod h1:wr75z634Cv+sifswE9HlAo5FQ7UoUauIICRlOE+5dCg= k8s.io/cli-runtime v0.26.0 h1:aQHa1SyUhpqxAw1fY21x2z2OS5RLtMJOCj7tN4oq8mw= k8s.io/cli-runtime v0.26.0/go.mod h1:o+4KmwHzO/UK0wepE1qpRk6l3o60/txUZ1fEXWGIKTY= -k8s.io/client-go v0.26.0 h1:lT1D3OfO+wIi9UFolCrifbjUUgu7CpLca0AD8ghRLI8= -k8s.io/client-go v0.26.0/go.mod h1:I2Sh57A79EQsDmn7F7ASpmru1cceh3ocVT9KlX2jEZg= -k8s.io/code-generator v0.26.0 h1:ZDY+7Gic9p/lACgD1G72gQg2CvNGeAYZTPIncv+iALM= -k8s.io/code-generator v0.26.0/go.mod h1:OMoJ5Dqx1wgaQzKgc+ZWaZPfGjdRq/Y3WubFrZmeI3I= -k8s.io/component-base v0.26.0 h1:0IkChOCohtDHttmKuz+EP3j3+qKmV55rM9gIFTXA7Vs= -k8s.io/component-base v0.26.0/go.mod h1:lqHwlfV1/haa14F/Z5Zizk5QmzaVf23nQzCwVOQpfC8= +k8s.io/client-go v0.26.1 h1:87CXzYJnAMGaa/IDDfRdhTzxk/wzGZ+/HUQpqgVSZXU= +k8s.io/client-go v0.26.1/go.mod h1:IWNSglg+rQ3OcvDkhY6+QLeasV4OYHDjdqeWkDQZwGE= +k8s.io/code-generator v0.26.1 h1:dusFDsnNSKlMFYhzIM0jAO1OlnTN5WYwQQ+Ai12IIlo= +k8s.io/code-generator v0.26.1/go.mod h1:OMoJ5Dqx1wgaQzKgc+ZWaZPfGjdRq/Y3WubFrZmeI3I= +k8s.io/component-base v0.26.1 h1:4ahudpeQXHZL5kko+iDHqLj/FSGAEUnSVO0EBbgDd+4= +k8s.io/component-base v0.26.1/go.mod h1:VHrLR0b58oC035w6YQiBSbtsf0ThuSwXP+p5dD/kAWU= k8s.io/gengo v0.0.0-20220902162205-c0856e24416d h1:U9tB195lKdzwqicbJvyJeOXV7Klv+wNAWENRnXEGi08= k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= @@ -741,15 +760,15 @@ k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4= k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E= k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= -k8s.io/utils v0.0.0-20221107191617-1a15be271d1d h1:0Smp/HP1OH4Rvhe+4B8nWGERtlqAGSftbSbbmm45oFs= -k8s.io/utils v0.0.0-20221107191617-1a15be271d1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 h1:KTgPnR10d5zhztWptI952TNtt/4u5h3IzDXkdIMuo2Y= +k8s.io/utils v0.0.0-20221128185143-99ec85e7a448/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 h1:SAElp8THCfmBdM+4lmWX5gebiSSkEr7PAYDVF91qpfg= pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732/go.mod h1:lpvCfhqEHNJSSpG5R5A2EgsVzG8RTt4RfPoQuRAcDmg= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/controller-runtime v0.13.1 h1:tUsRCSJVM1QQOOeViGeX3GMT3dQF1eePPw6sEE3xSlg= -sigs.k8s.io/controller-runtime v0.13.1/go.mod h1:Zbz+el8Yg31jubvAEyglRZGdLAjplZl+PgtYNI6WNTI= +sigs.k8s.io/controller-runtime v0.14.2 h1:P6IwDhbsRWsBClt/8/h8Zy36bCuGuW5Op7MHpFrN/60= +sigs.k8s.io/controller-runtime v0.14.2/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/kustomize/api v0.12.1 h1:7YM7gW3kYBwtKvoY216ZzY+8hM+lV53LUayghNRJ0vM= From 3999fb8923e3a7bf2ab89eccf4210e4df0f8af52 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 31 Jan 2023 17:31:05 -0800 Subject: [PATCH 160/405] Bump k8s.io/klog/v2 from 2.80.1 to 2.90.0 (#9553) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 03b3ebdb7..5224aefbe 100644 --- a/go.mod +++ b/go.mod @@ -38,7 +38,7 @@ require ( k8s.io/client-go v0.26.1 k8s.io/code-generator v0.26.1 k8s.io/component-base v0.26.1 - k8s.io/klog/v2 v2.80.1 + k8s.io/klog/v2 v2.90.0 pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 sigs.k8s.io/controller-runtime v0.14.2 sigs.k8s.io/mdtoc v1.1.0 diff --git a/go.sum b/go.sum index 7588a51fb..0a7ed9440 100644 --- a/go.sum +++ b/go.sum @@ -756,8 +756,8 @@ k8s.io/component-base v0.26.1/go.mod h1:VHrLR0b58oC035w6YQiBSbtsf0ThuSwXP+p5dD/k k8s.io/gengo v0.0.0-20220902162205-c0856e24416d h1:U9tB195lKdzwqicbJvyJeOXV7Klv+wNAWENRnXEGi08= k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= -k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4= -k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/klog/v2 v2.90.0 h1:VkTxIV/FjRXn1fgNNcKGM8cfmL1Z33ZjXRTVxKCoF5M= +k8s.io/klog/v2 v2.90.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E= k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 h1:KTgPnR10d5zhztWptI952TNtt/4u5h3IzDXkdIMuo2Y= From 95e525ccc20cc86d97e8771c90b1b75cad543c10 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 31 Jan 2023 17:33:06 -0800 Subject: [PATCH 161/405] Bump google.golang.org/grpc from 1.52.0 to 1.52.3 (#9555) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 5224aefbe..10b9e2fda 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a golang.org/x/crypto v0.5.0 - google.golang.org/grpc v1.52.0 + google.golang.org/grpc v1.52.3 google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 diff --git a/go.sum b/go.sum index 0a7ed9440..6e370c655 100644 --- a/go.sum +++ b/go.sum @@ -679,8 +679,8 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.52.0 h1:kd48UiU7EHsV4rnLyOJRuP/Il/UHE7gdDAQ+SZI7nZk= -google.golang.org/grpc v1.52.0/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5vorUY= +google.golang.org/grpc v1.52.3 h1:pf7sOysg4LdgBqduXveGKrcEwbStiK2rtfghdzlUYDQ= +google.golang.org/grpc v1.52.3/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5vorUY= google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 h1:pPsdyuBif+uoyUoL19yuj/TCfUPsmpJHJZhWQ98JGLU= google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7/go.mod h1:8pQa1yxxkh+EsxUK8/455D5MSbv3vgmEJqKCH3y17mI= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= From fb2223b12c70cdf746349393a7f44b753576b49c Mon Sep 17 00:00:00 2001 From: James Strong Date: Tue, 31 Jan 2023 21:16:48 -0500 Subject: [PATCH 162/405] build release 1.6.1 image Signed-off-by: James Strong --- TAG | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TAG b/TAG index b7c0a9b1d..023604509 100644 --- a/TAG +++ b/TAG @@ -1 +1 @@ -v1.6.0 +v1.6.1 From 41c2f2454c0b1b4c7aad49f05f8bcc6af4e6ed35 Mon Sep 17 00:00:00 2001 From: James Strong Date: Wed, 1 Feb 2023 16:51:36 -0500 Subject: [PATCH 163/405] add lint on chart before release (#9570) Signed-off-by: James Strong --- .github/workflows/helm.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml index 5d96507a1..2bd271bb2 100644 --- a/.github/workflows/helm.yaml +++ b/.github/workflows/helm.yaml @@ -25,6 +25,18 @@ jobs: - name: Checkout uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + - name: Run Artifact Hub lint + run: | + wget https://github.com/artifacthub/hub/releases/download/v1.5.0/ah_1.5.0_linux_amd64.tar.gz + echo 'ad0e44c6ea058ab6b85dbf582e88bad9fdbc64ded0d1dd4edbac65133e5c87da *ah_1.5.0_linux_amd64.tar.gz' | shasum -c + tar -xzvf ah_1.5.0_linux_amd64.tar.gz ah + ./ah lint -p charts/ingress-nginx || exit 1 + rm -f ./ah ./ah_1.5.0_linux_amd64.tar.gz + + - name: Lint + run: | + ./build/run-in-docker.sh ./hack/verify-chart-lint.sh + - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter with: From 7782c70030bc5cbe9f981fc4126c31dd715f9427 Mon Sep 17 00:00:00 2001 From: James Strong Date: Thu, 2 Feb 2023 14:48:36 -0500 Subject: [PATCH 164/405] build 1.6.2 to fix (#9569) --- TAG | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TAG b/TAG index 023604509..98610aa42 100644 --- a/TAG +++ b/TAG @@ -1 +1 @@ -v1.6.1 +v1.6.2 \ No newline at end of file From dea3a9a3f788f92f10d668c9ecd33e76b1347a87 Mon Sep 17 00:00:00 2001 From: Jongwoo Han Date: Mon, 6 Feb 2023 16:37:00 +0900 Subject: [PATCH 165/405] Replace deprecated command with environment file (#9581) Signed-off-by: jongwooo --- .github/workflows/vulnerability-scans.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index 67fad3187..b19031ff6 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -42,7 +42,7 @@ jobs: echo "${SHORT_TAGS[0]},${SHORT_TAGS[1]},${SHORT_TAGS[2]}" TAGS_JSON="[\"${SHORT_TAGS[0]}\",\"${SHORT_TAGS[1]}\",\"${SHORT_TAGS[2]}\"]" echo "${TAGS_JSON}" - echo "::set-output name=TAGS::${TAGS_JSON}" + echo "TAGS=${TAGS_JSON}" >> $GITHUB_OUTPUT scan: runs-on: ubuntu-latest From 6f713b76a15f4ed6488b9969cedaa176f3cbeb9d Mon Sep 17 00:00:00 2001 From: Kir Shatrov Date: Wed, 8 Feb 2023 20:25:02 +0300 Subject: [PATCH 166/405] Allow to pass a target test (#9542) --- test/test-lua.sh | 31 ++++++++++++++++++++----------- 1 file changed, 20 insertions(+), 11 deletions(-) diff --git a/test/test-lua.sh b/test/test-lua.sh index 3b00cf35a..9c8149eac 100755 --- a/test/test-lua.sh +++ b/test/test-lua.sh @@ -25,14 +25,23 @@ set -o pipefail BUSTED_ARGS="-v --pattern=_test" -resty \ - -I ./rootfs/etc/nginx/lua \ - --shdict "configuration_data 5M" \ - --shdict "certificate_data 16M" \ - --shdict "certificate_servers 1M" \ - --shdict "ocsp_response_cache 1M" \ - --shdict "balancer_ewma 1M" \ - --shdict "balancer_ewma_last_touched_at 1M" \ - --shdict "balancer_ewma_locks 512k" \ - --shdict "global_throttle_cache 5M" \ - ./rootfs/etc/nginx/lua/test/run.lua ${BUSTED_ARGS} ./rootfs/etc/nginx/lua/test/ ./rootfs/etc/nginx/lua/plugins/**/test +SHDICT_ARGS=( + "-I" "./rootfs/etc/nginx/lua" + "--shdict" "configuration_data 5M" + "--shdict" "certificate_data 16M" + "--shdict" "certificate_servers 1M" + "--shdict" "ocsp_response_cache 1M" + "--shdict" "balancer_ewma 1M" + "--shdict" "quota_tracker 1M" + "--shdict" "high_throughput_tracker 1M" + "--shdict" "balancer_ewma_last_touched_at 1M" + "--shdict" "balancer_ewma_locks 512k" + "--shdict" "global_throttle_cache 5M" + "./rootfs/etc/nginx/lua/test/run.lua" +) + +if [ $# -eq 0 ]; then + resty "${SHDICT_ARGS[@]}" ./rootfs/etc/nginx/lua/test/ ./rootfs/etc/nginx/lua/plugins/**/test +else + resty "${SHDICT_ARGS[@]}" $@ +fi From 59d247dd7433fd2cd99d381c1bcfce9f7dde7ac0 Mon Sep 17 00:00:00 2001 From: James Strong Date: Fri, 10 Feb 2023 15:13:30 +0100 Subject: [PATCH 167/405] update history and allow to pass a target test (#9605) * Replace deprecated command with environment file (#9581) Signed-off-by: jongwooo * Allow to pass a target test (#9542) * start 1.6.0 release Signed-off-by: James Strong * testing auto change Signed-off-by: James Strong * Add mage files for changelog Signed-off-by: James Strong * change format Signed-off-by: James Strong * fixed boiler plate lint Signed-off-by: James Strong * Align default value for keepalive_request with NGINX default (#9518) * Align default value for keepalive_request with NGINX default --------- Signed-off-by: jongwooo Signed-off-by: James Strong Co-authored-by: Jongwoo Han Co-authored-by: Kir Shatrov Co-authored-by: Christian Schaefer --- TAG | 3 +- .../nginx-configuration/configmap.md | 403 +++++++++--------- go.mod | 1 + go.sum | 2 + 4 files changed, 196 insertions(+), 213 deletions(-) diff --git a/TAG b/TAG index 98610aa42..103ae529e 100644 --- a/TAG +++ b/TAG @@ -1 +1,2 @@ -v1.6.2 \ No newline at end of file +v1.6.2 + diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md index 3832bba16..fc5bd07c2 100755 --- a/docs/user-guide/nginx-configuration/configmap.md +++ b/docs/user-guide/nginx-configuration/configmap.md @@ -25,199 +25,197 @@ data: The following table shows a configuration option's name, type, and the default value: -| name | type | default | -|:--------------------------------------------------------------------------------|:-------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| [add-headers](#add-headers) | string | "" | -| [allow-backend-server-header](#allow-backend-server-header) | bool | "false" | -| [allow-snippet-annotations](#allow-snippet-annotations) | bool | true | -| [annotation-value-word-blocklist](#annotation-value-word-blocklist) | string array | "" | -| [hide-headers](#hide-headers) | string array | empty | -| [access-log-params](#access-log-params) | string | "" | -| [access-log-path](#access-log-path) | string | "/var/log/nginx/access.log" | -| [http-access-log-path](#http-access-log-path) | string | "" | -| [stream-access-log-path](#stream-access-log-path) | string | "" | -| [enable-access-log-for-default-backend](#enable-access-log-for-default-backend) | bool | "false" | -| [error-log-path](#error-log-path) | string | "/var/log/nginx/error.log" | -| [enable-modsecurity](#enable-modsecurity) | bool | "false" | -| [modsecurity-snippet](#modsecurity-snippet) | string | "" | -| [enable-owasp-modsecurity-crs](#enable-owasp-modsecurity-crs) | bool | "false" | -| [client-header-buffer-size](#client-header-buffer-size) | string | "1k" | -| [client-header-timeout](#client-header-timeout) | int | 60 | -| [client-body-buffer-size](#client-body-buffer-size) | string | "8k" | -| [client-body-timeout](#client-body-timeout) | int | 60 | -| [disable-access-log](#disable-access-log) | bool | false | -| [disable-ipv6](#disable-ipv6) | bool | false | -| [disable-ipv6-dns](#disable-ipv6-dns) | bool | false | -| [enable-underscores-in-headers](#enable-underscores-in-headers) | bool | false | -| [enable-ocsp](#enable-ocsp) | bool | false | -| [ignore-invalid-headers](#ignore-invalid-headers) | bool | true | -| [retry-non-idempotent](#retry-non-idempotent) | bool | "false" | -| [error-log-level](#error-log-level) | string | "notice" | -| [http2-max-field-size](#http2-max-field-size) | string | "4k" | -| [http2-max-header-size](#http2-max-header-size) | string | "16k" | -| [http2-max-requests](#http2-max-requests) | int | 1000 | -| [http2-max-concurrent-streams](#http2-max-concurrent-streams) | int | 128 | -| [hsts](#hsts) | bool | "true" | -| [hsts-include-subdomains](#hsts-include-subdomains) | bool | "true" | -| [hsts-max-age](#hsts-max-age) | string | "15724800" | -| [hsts-preload](#hsts-preload) | bool | "false" | -| [keep-alive](#keep-alive) | int | 75 | -| [keep-alive-requests](#keep-alive-requests) | int | 1000 | -| [large-client-header-buffers](#large-client-header-buffers) | string | "4 8k" | -| [log-format-escape-none](#log-format-escape-none) | bool | "false" | -| [log-format-escape-json](#log-format-escape-json) | bool | "false" | -| [log-format-upstream](#log-format-upstream) | string | `$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] [$proxy_alternative_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status $req_id` | -| [log-format-stream](#log-format-stream) | string | `[$remote_addr] [$time_local] $protocol $status $bytes_sent $bytes_received $session_time` | -| [enable-multi-accept](#enable-multi-accept) | bool | "true" | -| [max-worker-connections](#max-worker-connections) | int | 16384 | -| [max-worker-open-files](#max-worker-open-files) | int | 0 | -| [map-hash-bucket-size](#max-hash-bucket-size) | int | 64 | -| [nginx-status-ipv4-whitelist](#nginx-status-ipv4-whitelist) | []string | "127.0.0.1" | -| [nginx-status-ipv6-whitelist](#nginx-status-ipv6-whitelist) | []string | "::1" | -| [proxy-real-ip-cidr](#proxy-real-ip-cidr) | []string | "0.0.0.0/0" | -| [proxy-set-headers](#proxy-set-headers) | string | "" | -| [server-name-hash-max-size](#server-name-hash-max-size) | int | 1024 | -| [server-name-hash-bucket-size](#server-name-hash-bucket-size) | int | `` | -| [proxy-headers-hash-max-size](#proxy-headers-hash-max-size) | int | 512 | -| [proxy-headers-hash-bucket-size](#proxy-headers-hash-bucket-size) | int | 64 | -| [plugins](#plugins) | []string | | -| [reuse-port](#reuse-port) | bool | "true" | -| [server-tokens](#server-tokens) | bool | "false" | -| [ssl-ciphers](#ssl-ciphers) | string | "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" | -| [ssl-ecdh-curve](#ssl-ecdh-curve) | string | "auto" | -| [ssl-dh-param](#ssl-dh-param) | string | "" | -| [ssl-protocols](#ssl-protocols) | string | "TLSv1.2 TLSv1.3" | -| [ssl-session-cache](#ssl-session-cache) | bool | "true" | -| [ssl-session-cache-size](#ssl-session-cache-size) | string | "10m" | -| [ssl-session-tickets](#ssl-session-tickets) | bool | "false" | -| [ssl-session-ticket-key](#ssl-session-ticket-key) | string | `` | -| [ssl-session-timeout](#ssl-session-timeout) | string | "10m" | -| [ssl-buffer-size](#ssl-buffer-size) | string | "4k" | -| [use-proxy-protocol](#use-proxy-protocol) | bool | "false" | -| [proxy-protocol-header-timeout](#proxy-protocol-header-timeout) | string | "5s" | -| [use-gzip](#use-gzip) | bool | "false" | -| [use-geoip](#use-geoip) | bool | "true" | -| [use-geoip2](#use-geoip2) | bool | "false" | -| [enable-brotli](#enable-brotli) | bool | "false" | -| [brotli-level](#brotli-level) | int | 4 | -| [brotli-min-length](#brotli-min-length) | int | 20 | -| [brotli-types](#brotli-types) | string | "application/xml+rss application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component" | -| [use-http2](#use-http2) | bool | "true" | -| [gzip-disable](#gzip-disable) | string | "" | -| [gzip-level](#gzip-level) | int | 1 | -| [gzip-min-length](#gzip-min-length) | int | 256 | -| [gzip-types](#gzip-types) | string | "application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component" | -| [worker-processes](#worker-processes) | string | `` | -| [worker-cpu-affinity](#worker-cpu-affinity) | string | "" | -| [worker-shutdown-timeout](#worker-shutdown-timeout) | string | "240s" | -| [load-balance](#load-balance) | string | "round_robin" | -| [variables-hash-bucket-size](#variables-hash-bucket-size) | int | 128 | -| [variables-hash-max-size](#variables-hash-max-size) | int | 2048 | -| [upstream-keepalive-connections](#upstream-keepalive-connections) | int | 320 | -| [upstream-keepalive-time](#upstream-keepalive-time) | string | "1h" | -| [upstream-keepalive-timeout](#upstream-keepalive-timeout) | int | 60 | -| [upstream-keepalive-requests](#upstream-keepalive-requests) | int | 10000 | -| [limit-conn-zone-variable](#limit-conn-zone-variable) | string | "$binary_remote_addr" | -| [proxy-stream-timeout](#proxy-stream-timeout) | string | "600s" | -| [proxy-stream-next-upstream](#proxy-stream-next-upstream) | bool | "true" | -| [proxy-stream-next-upstream-timeout](#proxy-stream-next-upstream-timeout) | string | "600s" | -| [proxy-stream-next-upstream-tries](#proxy-stream-next-upstream-tries) | int | 3 | -| [proxy-stream-responses](#proxy-stream-responses) | int | 1 | -| [bind-address](#bind-address) | []string | "" | -| [use-forwarded-headers](#use-forwarded-headers) | bool | "false" | -| [enable-real-ip](#enable-real-ip) | bool | "false" | -| [forwarded-for-header](#forwarded-for-header) | string | "X-Forwarded-For" | -| [compute-full-forwarded-for](#compute-full-forwarded-for) | bool | "false" | -| [proxy-add-original-uri-header](#proxy-add-original-uri-header) | bool | "false" | -| [generate-request-id](#generate-request-id) | bool | "true" | -| [enable-opentracing](#enable-opentracing) | bool | "false" | -| [opentracing-operation-name](#opentracing-operation-name) | string | "" | -| [opentracing-location-operation-name](#opentracing-location-operation-name) | string | "" | -| [zipkin-collector-host](#zipkin-collector-host) | string | "" | -| [zipkin-collector-port](#zipkin-collector-port) | int | 9411 | -| [zipkin-service-name](#zipkin-service-name) | string | "nginx" | -| [zipkin-sample-rate](#zipkin-sample-rate) | float | 1.0 | -| [jaeger-collector-host](#jaeger-collector-host) | string | "" | -| [jaeger-collector-port](#jaeger-collector-port) | int | 6831 | -| [jaeger-endpoint](#jaeger-endpoint) | string | "" | -| [jaeger-service-name](#jaeger-service-name) | string | "nginx" | -| [jaeger-propagation-format](#jaeger-propagation-format) | string | "jaeger" | -| [jaeger-sampler-type](#jaeger-sampler-type) | string | "const" | -| [jaeger-sampler-param](#jaeger-sampler-param) | string | "1" | -| [jaeger-sampler-host](#jaeger-sampler-host) | string | "http://127.0.0.1" | -| [jaeger-sampler-port](#jaeger-sampler-port) | int | 5778 | -| [jaeger-trace-context-header-name](#jaeger-trace-context-header-name) | string | uber-trace-id | -| [jaeger-debug-header](#jaeger-debug-header) | string | uber-debug-id | -| [jaeger-baggage-header](#jaeger-baggage-header) | string | jaeger-baggage | -| [jaeger-trace-baggage-header-prefix](#jaeger-trace-baggage-header-prefix) | string | uberctx- | -| [datadog-collector-host](#datadog-collector-host) | string | "" | -| [datadog-collector-port](#datadog-collector-port) | int | 8126 | -| [datadog-service-name](#datadog-service-name) | string | "nginx" | -| [datadog-environment](#datadog-environment) | string | "prod" | -| [datadog-operation-name-override](#datadog-operation-name-override) | string | "nginx.handle" | -| [datadog-priority-sampling](#datadog-priority-sampling) | bool | "true" | -| [datadog-sample-rate](#datadog-sample-rate) | float | 1.0 | -| [main-snippet](#main-snippet) | string | "" | -| [http-snippet](#http-snippet) | string | "" | -| [server-snippet](#server-snippet) | string | "" | -| [stream-snippet](#stream-snippet) | string | "" | -| [location-snippet](#location-snippet) | string | "" | -| [custom-http-errors](#custom-http-errors) | []int | []int{} | -| [proxy-body-size](#proxy-body-size) | string | "1m" | -| [proxy-connect-timeout](#proxy-connect-timeout) | int | 5 | -| [proxy-read-timeout](#proxy-read-timeout) | int | 60 | -| [proxy-send-timeout](#proxy-send-timeout) | int | 60 | -| [proxy-buffers-number](#proxy-buffers-number) | int | 4 | -| [proxy-buffer-size](#proxy-buffer-size) | string | "4k" | -| [proxy-cookie-path](#proxy-cookie-path) | string | "off" | -| [proxy-cookie-domain](#proxy-cookie-domain) | string | "off" | -| [proxy-next-upstream](#proxy-next-upstream) | string | "error timeout" | -| [proxy-next-upstream-timeout](#proxy-next-upstream-timeout) | int | 0 | -| [proxy-next-upstream-tries](#proxy-next-upstream-tries) | int | 3 | -| [proxy-redirect-from](#proxy-redirect-from) | string | "off" | -| [proxy-request-buffering](#proxy-request-buffering) | string | "on" | -| [ssl-redirect](#ssl-redirect) | bool | "true" | -| [force-ssl-redirect](#force-ssl-redirect) | bool | "false" | -| [denylist-source-range](#denylist-source-range) | []string | []string{} | -| [whitelist-source-range](#whitelist-source-range) | []string | []string{} | -| [skip-access-log-urls](#skip-access-log-urls) | []string | []string{} | -| [limit-rate](#limit-rate) | int | 0 | -| [limit-rate-after](#limit-rate-after) | int | 0 | -| [lua-shared-dicts](#lua-shared-dicts) | string | "" | -| [http-redirect-code](#http-redirect-code) | int | 308 | -| [proxy-buffering](#proxy-buffering) | string | "off" | -| [limit-req-status-code](#limit-req-status-code) | int | 503 | -| [limit-conn-status-code](#limit-conn-status-code) | int | 503 | -| [enable-syslog](#enable-syslog) | bool | false | -| [syslog-host](#syslog-host) | string | "" | -| [syslog-port](#syslog-port) | int | 514 | -| [no-tls-redirect-locations](#no-tls-redirect-locations) | string | "/.well-known/acme-challenge" | -| [global-auth-url](#global-auth-url) | string | "" | -| [global-auth-method](#global-auth-method) | string | "" | -| [global-auth-signin](#global-auth-signin) | string | "" | -| [global-auth-signin-redirect-param](#global-auth-signin-redirect-param) | string | "rd" | -| [global-auth-response-headers](#global-auth-response-headers) | string | "" | -| [global-auth-request-redirect](#global-auth-request-redirect) | string | "" | -| [global-auth-snippet](#global-auth-snippet) | string | "" | -| [global-auth-cache-key](#global-auth-cache-key) | string | "" | -| [global-auth-cache-duration](#global-auth-cache-duration) | string | "200 202 401 5m" | -| [no-auth-locations](#no-auth-locations) | string | "/.well-known/acme-challenge" | -| [block-cidrs](#block-cidrs) | []string | "" | -| [block-user-agents](#block-user-agents) | []string | "" | -| [block-referers](#block-referers) | []string | "" | -| [proxy-ssl-location-only](#proxy-ssl-location-only) | bool | "false" | -| [default-type](#default-type) | string | "text/html" | -| [global-rate-limit-memcached-host](#global-rate-limit) | string | "" | -| [global-rate-limit-memcached-port](#global-rate-limit) | int | 11211 | -| [global-rate-limit-memcached-connect-timeout](#global-rate-limit) | int | 50 | -| [global-rate-limit-memcached-max-idle-timeout](#global-rate-limit) | int | 10000 | -| [global-rate-limit-memcached-pool-size](#global-rate-limit) | int | 50 | -| [global-rate-limit-status-code](#global-rate-limit) | int | 429 | -| [service-upstream](#service-upstream) | bool | "false" | -| [ssl-reject-handshake](#ssl-reject-handshake) | bool | "false" | -| [debug-connections](#debug-connections) | []string | "127.0.0.1,1.1.1.1/24" | -| [enable-pathtype-validation](#enable-pathtype-validation) | bool | "false" | -| [path-additional-allowed-chars](#path-additional-allowed-chars) | string | "^%$[](){}*+?" | +|name|type|default| +|:---|:---|:------| +|[add-headers](#add-headers)|string|""| +|[allow-backend-server-header](#allow-backend-server-header)|bool|"false"| +|[allow-snippet-annotations](#allow-snippet-annotations)|bool|true| +|[annotation-value-word-blocklist](#annotation-value-word-blocklist)|string array|""| +|[hide-headers](#hide-headers)|string array|empty| +|[access-log-params](#access-log-params)|string|""| +|[access-log-path](#access-log-path)|string|"/var/log/nginx/access.log"| +|[http-access-log-path](#http-access-log-path)|string|""| +|[stream-access-log-path](#stream-access-log-path)|string|""| +|[enable-access-log-for-default-backend](#enable-access-log-for-default-backend)|bool|"false"| +|[error-log-path](#error-log-path)|string|"/var/log/nginx/error.log"| +|[enable-modsecurity](#enable-modsecurity)|bool|"false"| +|[modsecurity-snippet](#modsecurity-snippet)|string|""| +|[enable-owasp-modsecurity-crs](#enable-owasp-modsecurity-crs)|bool|"false"| +|[client-header-buffer-size](#client-header-buffer-size)|string|"1k"| +|[client-header-timeout](#client-header-timeout)|int|60| +|[client-body-buffer-size](#client-body-buffer-size)|string|"8k"| +|[client-body-timeout](#client-body-timeout)|int|60| +|[disable-access-log](#disable-access-log)|bool|false| +|[disable-ipv6](#disable-ipv6)|bool|false| +|[disable-ipv6-dns](#disable-ipv6-dns)|bool|false| +|[enable-underscores-in-headers](#enable-underscores-in-headers)|bool|false| +|[enable-ocsp](#enable-ocsp)|bool|false| +|[ignore-invalid-headers](#ignore-invalid-headers)|bool|true| +|[retry-non-idempotent](#retry-non-idempotent)|bool|"false"| +|[error-log-level](#error-log-level)|string|"notice"| +|[http2-max-field-size](#http2-max-field-size)|string|"4k"| +|[http2-max-header-size](#http2-max-header-size)|string|"16k"| +|[http2-max-requests](#http2-max-requests)|int|1000| +|[http2-max-concurrent-streams](#http2-max-concurrent-streams)|int|128| +|[hsts](#hsts)|bool|"true"| +|[hsts-include-subdomains](#hsts-include-subdomains)|bool|"true"| +|[hsts-max-age](#hsts-max-age)|string|"15724800"| +|[hsts-preload](#hsts-preload)|bool|"false"| +|[keep-alive](#keep-alive)|int|75| +|[keep-alive-requests](#keep-alive-requests)|int|1000| +|[large-client-header-buffers](#large-client-header-buffers)|string|"4 8k"| +|[log-format-escape-none](#log-format-escape-none)|bool|"false"| +|[log-format-escape-json](#log-format-escape-json)|bool|"false"| +|[log-format-upstream](#log-format-upstream)|string|`$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] [$proxy_alternative_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status $req_id`| +|[log-format-stream](#log-format-stream)|string|`[$remote_addr] [$time_local] $protocol $status $bytes_sent $bytes_received $session_time`| +|[enable-multi-accept](#enable-multi-accept)|bool|"true"| +|[max-worker-connections](#max-worker-connections)|int|16384| +|[max-worker-open-files](#max-worker-open-files)|int|0| +|[map-hash-bucket-size](#max-hash-bucket-size)|int|64| +|[nginx-status-ipv4-whitelist](#nginx-status-ipv4-whitelist)|[]string|"127.0.0.1"| +|[nginx-status-ipv6-whitelist](#nginx-status-ipv6-whitelist)|[]string|"::1"| +|[proxy-real-ip-cidr](#proxy-real-ip-cidr)|[]string|"0.0.0.0/0"| +|[proxy-set-headers](#proxy-set-headers)|string|""| +|[server-name-hash-max-size](#server-name-hash-max-size)|int|1024| +|[server-name-hash-bucket-size](#server-name-hash-bucket-size)|int|`` +|[proxy-headers-hash-max-size](#proxy-headers-hash-max-size)|int|512| +|[proxy-headers-hash-bucket-size](#proxy-headers-hash-bucket-size)|int|64| +|[plugins](#plugins)|[]string| | +|[reuse-port](#reuse-port)|bool|"true"| +|[server-tokens](#server-tokens)|bool|"false"| +|[ssl-ciphers](#ssl-ciphers)|string|"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"| +|[ssl-ecdh-curve](#ssl-ecdh-curve)|string|"auto"| +|[ssl-dh-param](#ssl-dh-param)|string|""| +|[ssl-protocols](#ssl-protocols)|string|"TLSv1.2 TLSv1.3"| +|[ssl-session-cache](#ssl-session-cache)|bool|"true"| +|[ssl-session-cache-size](#ssl-session-cache-size)|string|"10m"| +|[ssl-session-tickets](#ssl-session-tickets)|bool|"false"| +|[ssl-session-ticket-key](#ssl-session-ticket-key)|string|`` +|[ssl-session-timeout](#ssl-session-timeout)|string|"10m"| +|[ssl-buffer-size](#ssl-buffer-size)|string|"4k"| +|[use-proxy-protocol](#use-proxy-protocol)|bool|"false"| +|[proxy-protocol-header-timeout](#proxy-protocol-header-timeout)|string|"5s"| +|[use-gzip](#use-gzip)|bool|"false"| +|[use-geoip](#use-geoip)|bool|"true"| +|[use-geoip2](#use-geoip2)|bool|"false"| +|[enable-brotli](#enable-brotli)|bool|"false"| +|[brotli-level](#brotli-level)|int|4| +|[brotli-min-length](#brotli-min-length)|int|20| +|[brotli-types](#brotli-types)|string|"application/xml+rss application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component"| +|[use-http2](#use-http2)|bool|"true"| +|[gzip-disable](#gzip-disable)|string|""| +|[gzip-level](#gzip-level)|int|1| +|[gzip-min-length](#gzip-min-length)|int|256| +|[gzip-types](#gzip-types)|string|"application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component"| +|[worker-processes](#worker-processes)|string|``| +|[worker-cpu-affinity](#worker-cpu-affinity)|string|""| +|[worker-shutdown-timeout](#worker-shutdown-timeout)|string|"240s"| +|[load-balance](#load-balance)|string|"round_robin"| +|[variables-hash-bucket-size](#variables-hash-bucket-size)|int|128| +|[variables-hash-max-size](#variables-hash-max-size)|int|2048| +|[upstream-keepalive-connections](#upstream-keepalive-connections)|int|320| +|[upstream-keepalive-time](#upstream-keepalive-time)|string|"1h"| +|[upstream-keepalive-timeout](#upstream-keepalive-timeout)|int|60| +|[upstream-keepalive-requests](#upstream-keepalive-requests)|int|10000| +|[limit-conn-zone-variable](#limit-conn-zone-variable)|string|"$binary_remote_addr"| +|[proxy-stream-timeout](#proxy-stream-timeout)|string|"600s"| +|[proxy-stream-next-upstream](#proxy-stream-next-upstream)|bool|"true"| +|[proxy-stream-next-upstream-timeout](#proxy-stream-next-upstream-timeout)|string|"600s"| +|[proxy-stream-next-upstream-tries](#proxy-stream-next-upstream-tries)|int|3| +|[proxy-stream-responses](#proxy-stream-responses)|int|1| +|[bind-address](#bind-address)|[]string|""| +|[use-forwarded-headers](#use-forwarded-headers)|bool|"false"| +|[enable-real-ip](#enable-real-ip)|bool|"false"| +|[forwarded-for-header](#forwarded-for-header)|string|"X-Forwarded-For"| +|[compute-full-forwarded-for](#compute-full-forwarded-for)|bool|"false"| +|[proxy-add-original-uri-header](#proxy-add-original-uri-header)|bool|"false"| +|[generate-request-id](#generate-request-id)|bool|"true"| +|[enable-opentracing](#enable-opentracing)|bool|"false"| +|[opentracing-operation-name](#opentracing-operation-name)|string|""| +|[opentracing-location-operation-name](#opentracing-location-operation-name)|string|""| +|[zipkin-collector-host](#zipkin-collector-host)|string|""| +|[zipkin-collector-port](#zipkin-collector-port)|int|9411| +|[zipkin-service-name](#zipkin-service-name)|string|"nginx"| +|[zipkin-sample-rate](#zipkin-sample-rate)|float|1.0| +|[jaeger-collector-host](#jaeger-collector-host)|string|""| +|[jaeger-collector-port](#jaeger-collector-port)|int|6831| +|[jaeger-endpoint](#jaeger-endpoint)|string|""| +|[jaeger-service-name](#jaeger-service-name)|string|"nginx"| +|[jaeger-propagation-format](#jaeger-propagation-format)|string|"jaeger"| +|[jaeger-sampler-type](#jaeger-sampler-type)|string|"const"| +|[jaeger-sampler-param](#jaeger-sampler-param)|string|"1"| +|[jaeger-sampler-host](#jaeger-sampler-host)|string|"http://127.0.0.1"| +|[jaeger-sampler-port](#jaeger-sampler-port)|int|5778| +|[jaeger-trace-context-header-name](#jaeger-trace-context-header-name)|string|uber-trace-id| +|[jaeger-debug-header](#jaeger-debug-header)|string|uber-debug-id| +|[jaeger-baggage-header](#jaeger-baggage-header)|string|jaeger-baggage| +|[jaeger-trace-baggage-header-prefix](#jaeger-trace-baggage-header-prefix)|string|uberctx-| +|[datadog-collector-host](#datadog-collector-host)|string|""| +|[datadog-collector-port](#datadog-collector-port)|int|8126| +|[datadog-service-name](#datadog-service-name)|string|"nginx"| +|[datadog-environment](#datadog-environment)|string|"prod"| +|[datadog-operation-name-override](#datadog-operation-name-override)|string|"nginx.handle"| +|[datadog-priority-sampling](#datadog-priority-sampling)|bool|"true"| +|[datadog-sample-rate](#datadog-sample-rate)|float|1.0| +|[main-snippet](#main-snippet)|string|""| +|[http-snippet](#http-snippet)|string|""| +|[server-snippet](#server-snippet)|string|""| +|[stream-snippet](#stream-snippet)|string|""| +|[location-snippet](#location-snippet)|string|""| +|[custom-http-errors](#custom-http-errors)|[]int|[]int{}| +|[proxy-body-size](#proxy-body-size)|string|"1m"| +|[proxy-connect-timeout](#proxy-connect-timeout)|int|5| +|[proxy-read-timeout](#proxy-read-timeout)|int|60| +|[proxy-send-timeout](#proxy-send-timeout)|int|60| +|[proxy-buffers-number](#proxy-buffers-number)|int|4| +|[proxy-buffer-size](#proxy-buffer-size)|string|"4k"| +|[proxy-cookie-path](#proxy-cookie-path)|string|"off"| +|[proxy-cookie-domain](#proxy-cookie-domain)|string|"off"| +|[proxy-next-upstream](#proxy-next-upstream)|string|"error timeout"| +|[proxy-next-upstream-timeout](#proxy-next-upstream-timeout)|int|0| +|[proxy-next-upstream-tries](#proxy-next-upstream-tries)|int|3| +|[proxy-redirect-from](#proxy-redirect-from)|string|"off"| +|[proxy-request-buffering](#proxy-request-buffering)|string|"on"| +|[ssl-redirect](#ssl-redirect)|bool|"true"| +|[force-ssl-redirect](#force-ssl-redirect)|bool|"false"| +|[denylist-source-range](#denylist-source-range)|[]string|[]string{}| +|[whitelist-source-range](#whitelist-source-range)|[]string|[]string{}| +|[skip-access-log-urls](#skip-access-log-urls)|[]string|[]string{}| +|[limit-rate](#limit-rate)|int|0| +|[limit-rate-after](#limit-rate-after)|int|0| +|[lua-shared-dicts](#lua-shared-dicts)|string|""| +|[http-redirect-code](#http-redirect-code)|int|308| +|[proxy-buffering](#proxy-buffering)|string|"off"| +|[limit-req-status-code](#limit-req-status-code)|int|503| +|[limit-conn-status-code](#limit-conn-status-code)|int|503| +|[enable-syslog](#enable-syslog)|bool|false| +|[syslog-host](#syslog-host)|string|""| +|[syslog-port](#syslog-port)|int|514| +|[no-tls-redirect-locations](#no-tls-redirect-locations)|string|"/.well-known/acme-challenge"| +|[global-auth-url](#global-auth-url)|string|""| +|[global-auth-method](#global-auth-method)|string|""| +|[global-auth-signin](#global-auth-signin)|string|""| +|[global-auth-signin-redirect-param](#global-auth-signin-redirect-param)|string|"rd"| +|[global-auth-response-headers](#global-auth-response-headers)|string|""| +|[global-auth-request-redirect](#global-auth-request-redirect)|string|""| +|[global-auth-snippet](#global-auth-snippet)|string|""| +|[global-auth-cache-key](#global-auth-cache-key)|string|""| +|[global-auth-cache-duration](#global-auth-cache-duration)|string|"200 202 401 5m"| +|[no-auth-locations](#no-auth-locations)|string|"/.well-known/acme-challenge"| +|[block-cidrs](#block-cidrs)|[]string|""| +|[block-user-agents](#block-user-agents)|[]string|""| +|[block-referers](#block-referers)|[]string|""| +|[proxy-ssl-location-only](#proxy-ssl-location-only)|bool|"false"| +|[default-type](#default-type)|string|"text/html"| +|[global-rate-limit-memcached-host](#global-rate-limit)|string|""| +|[global-rate-limit-memcached-port](#global-rate-limit)|int|11211| +|[global-rate-limit-memcached-connect-timeout](#global-rate-limit)|int|50| +|[global-rate-limit-memcached-max-idle-timeout](#global-rate-limit)|int|10000| +|[global-rate-limit-memcached-pool-size](#global-rate-limit)|int|50| +|[global-rate-limit-status-code](#global-rate-limit)|int|429| +|[service-upstream](#service-upstream)|bool|"false"| +|[ssl-reject-handshake](#ssl-reject-handshake)|bool|"false"| +|[debug-connections](#debug-connections)|[]string|"127.0.0.1,1.1.1.1/24"| ## add-headers @@ -1328,22 +1326,3 @@ _**default:**_ "" _References:_ [http://nginx.org/en/docs/ngx_core_module.html#debug_connection](http://nginx.org/en/docs/ngx_core_module.html#debug_connection) - -## enable-pathtype-validation -Ingress Controller validates the pathType, and only allows special characters on "path" if pathType is -ImplementationSpecific. - -The only characters allowed on ingresses with pathType not ImplementationSpecific -will be 0-9, a-z, A-Z, "-", ".", "_", "~", "/". - -If the validation is disabled, the [#path-additional-allowed-chars](#path-additional-allowed-chars) will -be allowed on any pathType. - -This behavior is disabled by default, so special characters are accepted regardless of pathType -_**default:**_ "false" - -## path-additional-allowed-chars -When [enable-pathtype-validation](enable-pathtype-validation) is set to true [#path-additional-allowed-chars](#path-additional-allowed-chars) defines the additional set of special characters that -will be allowed. - -_**default:**_ "^%$[](){}*+?|" diff --git a/go.mod b/go.mod index 10b9e2fda..1aad274fb 100644 --- a/go.mod +++ b/go.mod @@ -77,6 +77,7 @@ require ( github.com/inconshreveable/mousetrap v1.0.1 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect + github.com/magefile/mage v1.14.0 // indirect github.com/mailru/easyjson v0.7.6 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect diff --git a/go.sum b/go.sum index 6e370c655..1d99238cb 100644 --- a/go.sum +++ b/go.sum @@ -235,6 +235,8 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= +github.com/magefile/mage v1.14.0 h1:6QDX3g6z1YvJ4olPhT1wksUcSa/V0a1B+pJb73fBjyo= +github.com/magefile/mage v1.14.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA= From 01c9a2bf253ce962d969b624763e8a8b000dfa76 Mon Sep 17 00:00:00 2001 From: James Strong Date: Mon, 13 Feb 2023 07:57:29 +0100 Subject: [PATCH 168/405] Revert Implement pathType validation (#9511) (#9607) Signed-off-by: James Strong --- charts/ingress-nginx/README.md | 1 - .../templates/controller-configmap.yaml | 1 - charts/ingress-nginx/values.yaml | 5 - internal/ingress/controller/config/config.go | 14 -- internal/ingress/controller/controller.go | 4 - .../ingress/controller/controller_test.go | 91 --------- internal/ingress/controller/store/store.go | 9 +- internal/k8s/main.go | 3 + magefiles/helm.go | 3 + pkg/util/ingress/ingress.go | 83 ++------ pkg/util/ingress/ingress_test.go | 192 +++++------------- test/e2e/admission/admission.go | 38 +--- test/e2e/annotations/affinity.go | 6 - test/e2e/annotations/auth.go | 45 ---- test/e2e/annotations/rewrite.go | 8 - test/e2e/security/invalid_paths.go | 134 ++++++++++++ 16 files changed, 211 insertions(+), 426 deletions(-) create mode 100644 test/e2e/security/invalid_paths.go diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 7f3ea1866..65236e08c 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -253,7 +253,6 @@ Kubernetes: `>=1.20.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | commonLabels | object | `{}` | | -| controller.EnablePathTypeValidation | bool | `false` | This configuration defines if Ingress Controller should validate pathType. If false, special characters will be allowed on paths of any pathType. If true, special characters are only allowed on paths with pathType = ImplementationSpecific | | controller.addHeaders | object | `{}` | Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers | | controller.admissionWebhooks.annotations | object | `{}` | | | controller.admissionWebhooks.certManager.admissionCert.duration | string | `""` | | diff --git a/charts/ingress-nginx/templates/controller-configmap.yaml b/charts/ingress-nginx/templates/controller-configmap.yaml index a1fbdf549..f28b26e1e 100644 --- a/charts/ingress-nginx/templates/controller-configmap.yaml +++ b/charts/ingress-nginx/templates/controller-configmap.yaml @@ -14,7 +14,6 @@ metadata: namespace: {{ .Release.Namespace }} data: allow-snippet-annotations: "{{ .Values.controller.allowSnippetAnnotations }}" - enable-pathtype-validation: "{{ .Values.controller.EnablePathTypeValidation }}" {{- if .Values.controller.addHeaders }} add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers {{- end }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 4c587ee88..215ce509d 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -87,11 +87,6 @@ controller: # Global snippets in ConfigMap are still respected allowSnippetAnnotations: true - # -- This configuration defines if Ingress Controller should validate pathType. - # If false, special characters will be allowed on paths of any pathType. - # If true, special characters are only allowed on paths with pathType = ImplementationSpecific - EnablePathTypeValidation: false - # -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 # is merged diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go index b02e5998e..5786b6776 100644 --- a/internal/ingress/controller/config/config.go +++ b/internal/ingress/controller/config/config.go @@ -782,18 +782,6 @@ type Configuration struct { // http://nginx.org/en/docs/ngx_core_module.html#debug_connection // Default: "" DebugConnections []string `json:"debug-connections"` - - // EnablePathTypeValidation allows the admin to enable the pathType validation. - // If EnablePathTypeValidation is enabled, the Controller will only allow alphanumeric - // characters on path (0-9, a-z, A-Z, "-", ".", "_", "~", "/") - // to control what characters are allowed set them with PathAdditionalAllowedChars - EnablePathTypeValidation bool `json:"enable-pathtype-validation"` - - // PathAdditionalAllowedChars allows the admin to specify what are the additional - // characters allowed in case of pathType=ImplementationSpecific. - // Case enable-pathtype-validation=true, this characters will be only allowed on ImplementationSpecific. - // Defaults to: "^%$[](){}*+?" - PathAdditionalAllowedChars string `json:"path-additional-allowed-chars"` } // NewDefault returns the default nginx configuration @@ -829,8 +817,6 @@ func NewDefault() Configuration { ClientHeaderTimeout: 60, ClientBodyBufferSize: "8k", ClientBodyTimeout: 60, - EnablePathTypeValidation: false, - PathAdditionalAllowedChars: "^%$[](){}*+?|", EnableUnderscoresInHeaders: false, ErrorLogLevel: errorLevel, UseForwardedHeaders: false, diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index 9812bd97e..dab507cdf 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -325,10 +325,6 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error { k8s.SetDefaultNGINXPathType(ing) - if err := utilingress.ValidateIngressPath(ing, cfg.EnablePathTypeValidation, cfg.PathAdditionalAllowedChars); err != nil { - return fmt.Errorf("ingress contains invalid characters: %s", err) - } - allIngresses := n.store.ListIngresses() filter := func(toCheck *ingress.Ingress) bool { diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go index dab1e6e37..8cca10385 100644 --- a/internal/ingress/controller/controller_test.go +++ b/internal/ingress/controller/controller_test.go @@ -201,97 +201,6 @@ func TestCheckIngress(t *testing.T) { }, }, } - - t.Run("when validating pathType", func(t *testing.T) { - t.Run("When ingress contains invalid path and pathType validation is enabled", func(t *testing.T) { - nginx.store = fakeIngressStore{ - ingresses: []*ingress.Ingress{}, - configuration: ngx_config.Configuration{ - EnablePathTypeValidation: true, - }, - } - nginx.command = testNginxTestCommand{ - t: t, - err: nil, - expected: "", - } - nginx.cfg.IngressClassConfiguration = &ingressclass.IngressClassConfiguration{ - WatchWithoutClass: true, - } - ingPath := &networking.Ingress{ - ObjectMeta: metav1.ObjectMeta{ - Name: "test-ingress1", - Namespace: "user-namespace1", - Annotations: map[string]string{ - "kubernetes.io/ingress.class": "nginx", - }, - }, - Spec: networking.IngressSpec{ - Rules: []networking.IngressRule{ - { - Host: "example.com", - IngressRuleValue: networking.IngressRuleValue{ - HTTP: &networking.HTTPIngressRuleValue{ - Paths: []networking.HTTPIngressPath{ - { - Path: "/xpto/(a+)", - PathType: &pathTypePrefix, - }, - }, - }, - }, - }, - }, - }, - } - - if nginx.CheckIngress(ingPath) == nil { - t.Errorf("invalid path on pathTypePrefix and validation enabled should return an error") - } - }) - t.Run("When ingress contains invalid path and pathType validation is disabled", func(t *testing.T) { - nginx.store = fakeIngressStore{ - ingresses: []*ingress.Ingress{}, - configuration: ngx_config.Configuration{ - EnablePathTypeValidation: false, - PathAdditionalAllowedChars: "^%$[](){}*+?|", - }, - } - nginx.command = testNginxTestCommand{ - t: t, - err: nil, - expected: "_,example.com", - } - - ingPath := &networking.Ingress{ - ObjectMeta: metav1.ObjectMeta{ - Name: "test-ingress2", - Namespace: "user-namespace2", - }, - Spec: networking.IngressSpec{ - Rules: []networking.IngressRule{ - { - Host: "example.com", - IngressRuleValue: networking.IngressRuleValue{ - HTTP: &networking.HTTPIngressRuleValue{ - Paths: []networking.HTTPIngressPath{ - { - Path: "/example(/|$)(.*)", - PathType: &pathTypePrefix, - }, - }, - }, - }, - }, - }, - }, - } - - if nginx.CheckIngress(ingPath) != nil { - t.Errorf("invalid path on pathTypePrefix and validation disabled should not return an error: %s", nginx.CheckIngress(ingPath)) - } - }) - }) t.Run("when the class is the nginx one", func(t *testing.T) { ing.ObjectMeta.Annotations["kubernetes.io/ingress.class"] = "nginx" nginx.command = testNginxTestCommand{ diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go index e0f6cfb54..13af28137 100644 --- a/internal/ingress/controller/store/store.go +++ b/internal/ingress/controller/store/store.go @@ -846,11 +846,6 @@ func (s *k8sStore) syncIngress(ing *networkingv1.Ingress) { copyIng := &networkingv1.Ingress{} ing.ObjectMeta.DeepCopyInto(©Ing.ObjectMeta) - if err := ingressutils.ValidateIngressPath(ing, s.backendConfig.EnablePathTypeValidation, s.backendConfig.PathAdditionalAllowedChars); err != nil { - klog.Errorf("ingress %s contains invalid path and will be skipped: %s", key, err) - return - } - if s.backendConfig.AnnotationValueWordBlocklist != "" { if err := checkBadAnnotationValue(copyIng.Annotations, s.backendConfig.AnnotationValueWordBlocklist); err != nil { klog.Warningf("skipping ingress %s: %s", key, err) @@ -870,6 +865,10 @@ func (s *k8sStore) syncIngress(ing *networkingv1.Ingress) { if path.Path == "" { copyIng.Spec.Rules[ri].HTTP.Paths[pi].Path = "/" } + if !ingressutils.IsSafePath(copyIng, path.Path) { + klog.Warningf("ingress %s contains invalid path %s", key, path.Path) + return + } } } diff --git a/internal/k8s/main.go b/internal/k8s/main.go index 6973b6cb7..e0d2a1660 100644 --- a/internal/k8s/main.go +++ b/internal/k8s/main.go @@ -180,6 +180,9 @@ func SetDefaultNGINXPathType(ing *networkingv1.Ingress) { p.PathType = &defaultPathType } + if *p.PathType == networkingv1.PathTypeImplementationSpecific { + p.PathType = &defaultPathType + } } } } diff --git a/magefiles/helm.go b/magefiles/helm.go index a57c46813..e69c4e029 100644 --- a/magefiles/helm.go +++ b/magefiles/helm.go @@ -153,6 +153,9 @@ func updateChartValue(key, value string) { Info("HELM Ingress Nginx Helm Chart update %s %s", key, value) } +func (Helm) Helmdocs() error { + return runHelmDocs() +} func runHelmDocs() error { err := installHelmDocs() if err != nil { diff --git a/pkg/util/ingress/ingress.go b/pkg/util/ingress/ingress.go index 91243e2cc..5fb3ee7b9 100644 --- a/pkg/util/ingress/ingress.go +++ b/pkg/util/ingress/ingress.go @@ -23,6 +23,7 @@ import ( networkingv1 "k8s.io/api/networking/v1" "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/internal/k8s" "k8s.io/ingress-nginx/internal/net/ssl" "k8s.io/ingress-nginx/pkg/apis/ingress" @@ -30,15 +31,15 @@ import ( ) const ( - alphaNumericChars = `A-Za-z0-9\-\.\_\~\/` // This is the default allowed set on paths + alphaNumericChars = `\-\.\_\~a-zA-Z0-9/` + regexEnabledChars = `\^\$\[\]\(\)\{\}\*\+` ) var ( - // pathAlphaNumeric is a regex validation that allows only (0-9, a-z, A-Z, "-", ".", "_", "~", "/") - pathAlphaNumericRegex = regexp.MustCompile("^[" + alphaNumericChars + "]*$").MatchString - - // default path type is Prefix to not break existing definitions - defaultPathType = networkingv1.PathTypePrefix + // pathAlphaNumeric is a regex validation of something like "^/[a-zA-Z]+$" on path + pathAlphaNumeric = regexp.MustCompile("^/[" + alphaNumericChars + "]*$").MatchString + // pathRegexEnabled is a regex validation of paths that may contain regex. + pathRegexEnabled = regexp.MustCompile("^/[" + alphaNumericChars + regexEnabledChars + "]*$").MatchString ) func GetRemovedHosts(rucfg, newcfg *ingress.Configuration) []string { @@ -246,68 +247,12 @@ func BuildRedirects(servers []*ingress.Server) []*redirect { return redirectServers } -func ValidateIngressPath(copyIng *networkingv1.Ingress, enablePathTypeValidation bool, pathAdditionalAllowedChars string) error { - - if copyIng == nil { - return nil +// IsSafePath verifies if the path used in ingress object contains only valid characters. +// It will behave differently if regex is enabled or not +func IsSafePath(copyIng *networkingv1.Ingress, path string) bool { + isRegex, _ := parser.GetBoolAnnotation("use-regex", copyIng) + if isRegex { + return pathRegexEnabled(path) } - - escapedPathAdditionalAllowedChars := regexp.QuoteMeta(pathAdditionalAllowedChars) - regexPath, err := regexp.Compile("^[" + alphaNumericChars + escapedPathAdditionalAllowedChars + "]*$") - if err != nil { - return fmt.Errorf("ingress has misconfigured validation regex on configmap: %s - %w", pathAdditionalAllowedChars, err) - } - - for _, rule := range copyIng.Spec.Rules { - - if rule.HTTP == nil { - continue - } - - if err := checkPath(rule.HTTP.Paths, enablePathTypeValidation, regexPath); err != nil { - return fmt.Errorf("error validating ingressPath: %w", err) - } - } - return nil -} - -func checkPath(paths []networkingv1.HTTPIngressPath, enablePathTypeValidation bool, regexSpecificChars *regexp.Regexp) error { - - for _, path := range paths { - if path.PathType == nil { - path.PathType = &defaultPathType - } - - klog.V(9).InfoS("PathType Validation", "enablePathTypeValidation", enablePathTypeValidation, "regexSpecificChars", regexSpecificChars.String(), "Path", path.Path) - - switch pathType := *path.PathType; pathType { - case networkingv1.PathTypeImplementationSpecific: - if enablePathTypeValidation { - //only match on regex chars per Ingress spec when path is implementation specific - if !regexSpecificChars.MatchString(path.Path) { - return fmt.Errorf("path %s of type %s contains invalid characters", path.Path, *path.PathType) - } - } - - case networkingv1.PathTypeExact, networkingv1.PathTypePrefix: - //enforce path type validation - if enablePathTypeValidation { - //only allow alphanumeric chars, no regex chars - if !pathAlphaNumericRegex(path.Path) { - return fmt.Errorf("path %s of type %s contains invalid characters", path.Path, *path.PathType) - } - continue - } else { - //path validation is disabled, so we check what regex chars are allowed by user - if !regexSpecificChars.MatchString(path.Path) { - return fmt.Errorf("path %s of type %s contains invalid characters", path.Path, *path.PathType) - } - continue - } - - default: - return fmt.Errorf("unknown path type %v on path %v", *path.PathType, path.Path) - } - } - return nil + return pathAlphaNumeric(path) } diff --git a/pkg/util/ingress/ingress_test.go b/pkg/util/ingress/ingress_test.go index 12c2ff1da..d829a57f1 100644 --- a/pkg/util/ingress/ingress_test.go +++ b/pkg/util/ingress/ingress_test.go @@ -17,10 +17,13 @@ limitations under the License. package ingress import ( + "fmt" "testing" - networkingv1 "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + networkingv1 "k8s.io/api/networking/v1" + "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/pkg/apis/ingress" ) @@ -133,172 +136,81 @@ func TestIsDynamicConfigurationEnough(t *testing.T) { } } -func generateDumbIngressforPathTest(pathType *networkingv1.PathType, path string) *networkingv1.Ingress { +func generateDumbIngressforPathTest(regexEnabled bool) *networkingv1.Ingress { + var annotations = make(map[string]string) + regexAnnotation := fmt.Sprintf("%s/use-regex", parser.AnnotationsPrefix) + if regexEnabled { + annotations[regexAnnotation] = "true" + } return &networkingv1.Ingress{ ObjectMeta: metav1.ObjectMeta{ - Name: "dumb", - Namespace: "default", - }, - Spec: networkingv1.IngressSpec{ - Rules: []networkingv1.IngressRule{ - { - Host: "test.com", - IngressRuleValue: networkingv1.IngressRuleValue{ - HTTP: &networkingv1.HTTPIngressRuleValue{ - Paths: []networkingv1.HTTPIngressPath{ - { - PathType: pathType, - Path: path, - }, - }, - }, - }, - }, - }, + Name: "dumb", + Namespace: "default", + Annotations: annotations, }, } } -func generateComplexIngress(ing *networkingv1.Ingress) *networkingv1.Ingress { - - oldRules := ing.Spec.DeepCopy().Rules - ing.Spec.Rules = []networkingv1.IngressRule{ - { - Host: "test1.com", - IngressRuleValue: networkingv1.IngressRuleValue{ - HTTP: &networkingv1.HTTPIngressRuleValue{ - Paths: []networkingv1.HTTPIngressPath{ - { - PathType: &pathTypeExact, - Path: "/xpto", - }, - }, - }, - }, - }, - { - Host: "test2.com", - IngressRuleValue: networkingv1.IngressRuleValue{ - HTTP: &networkingv1.HTTPIngressRuleValue{ - Paths: []networkingv1.HTTPIngressPath{ - { - PathType: &pathTypeExact, - Path: "/someotherpath", - }, - { - PathType: &pathTypePrefix, - Path: "/someprefix/~xpto/lala123", - }, - }, - }, - }, - }, - } - // we want to invert the order to test better :) - ing.Spec.Rules = append(ing.Spec.Rules, oldRules...) - - return ing -} - -var ( - pathTypeExact = networkingv1.PathTypeExact - pathTypePrefix = networkingv1.PathTypePrefix - pathTypeImplSpecific = networkingv1.PathTypeImplementationSpecific -) - -const ( - defaultAdditionalChars = "^%$[](){}*+?" -) - -func TestValidateIngressPath(t *testing.T) { +func TestIsSafePath(t *testing.T) { tests := []struct { - name string - copyIng *networkingv1.Ingress - EnablePathTypeValidation bool - additionalChars string - wantErr bool + name string + copyIng *networkingv1.Ingress + path string + want bool }{ { - name: "should return nil when ingress = nil", - wantErr: false, - copyIng: nil, + name: "should accept valid path with regex disabled", + want: true, + copyIng: generateDumbIngressforPathTest(false), + path: "/xpto/~user/t-e_st.exe", }, { - name: "should accept valid path on pathType Exact", - wantErr: false, - copyIng: generateDumbIngressforPathTest(&pathTypeExact, "/xpto/~user9/t-e_st.exe"), + name: "should accept valid path / with regex disabled", + want: true, + copyIng: generateDumbIngressforPathTest(false), + path: "/", }, { - name: "should accept valid path on pathType Prefix", - wantErr: false, - copyIng: generateDumbIngressforPathTest(&pathTypePrefix, "/xpto/~user9/t-e_st.exe"), + name: "should reject invalid path with invalid chars", + want: false, + copyIng: generateDumbIngressforPathTest(false), + path: "/foo/bar/;xpto", }, { - name: "should accept valid simple path on pathType Impl Specific", - wantErr: false, - copyIng: generateDumbIngressforPathTest(&pathTypeImplSpecific, "/xpto/~user9/t-e_st.exe"), + name: "should reject regex path when regex is disabled", + want: false, + copyIng: generateDumbIngressforPathTest(false), + path: "/foo/bar/(.+)", }, { - name: "should accept valid path on pathType nil", - wantErr: false, - copyIng: generateDumbIngressforPathTest(nil, "/xpto/~user/t-e_st.exe"), + name: "should accept valid path / with regex enabled", + want: true, + copyIng: generateDumbIngressforPathTest(true), + path: "/", }, { - name: "should accept empty path", - wantErr: false, - copyIng: generateDumbIngressforPathTest(&pathTypePrefix, ""), + name: "should accept regex path when regex is enabled", + want: true, + copyIng: generateDumbIngressforPathTest(true), + path: "/foo/bar/(.+)", }, { - name: "should deny path with bad characters and pathType not implementationSpecific", - wantErr: true, - additionalChars: "()", - copyIng: generateDumbIngressforPathTest(&pathTypeExact, "/foo/bar/(.+)"), + name: "should reject regex path when regex is enabled but the path is invalid", + want: false, + copyIng: generateDumbIngressforPathTest(true), + path: "/foo/bar/;xpto", }, { - name: "should accept path with regex characters and pathType implementationSpecific", - wantErr: false, - additionalChars: defaultAdditionalChars, - EnablePathTypeValidation: false, - copyIng: generateDumbIngressforPathTest(&pathTypeImplSpecific, "/foo/bar/(.+)"), - }, - { - name: "should accept path with regex characters and pathType exact, but pathType validation disabled", - wantErr: false, - additionalChars: defaultAdditionalChars, - EnablePathTypeValidation: false, - copyIng: generateDumbIngressforPathTest(&pathTypeExact, "/foo/bar/(.+)"), - }, - { - name: "should reject path when the allowed additional set does not match", - wantErr: true, - additionalChars: "().?", - EnablePathTypeValidation: true, - copyIng: generateDumbIngressforPathTest(&pathTypeImplSpecific, "/foo/bar/(.+)"), - }, - { - name: "should accept path when the allowed additional set does match", - wantErr: false, - additionalChars: "().?", - EnablePathTypeValidation: false, - copyIng: generateDumbIngressforPathTest(&pathTypeImplSpecific, "/foo/bar/(.?)"), - }, - { - name: "should block if at least one path is bad", - wantErr: true, - EnablePathTypeValidation: false, - copyIng: generateComplexIngress(generateDumbIngressforPathTest(&pathTypeExact, "/foo/bar/(.?)")), - }, - { - name: "should block if at least one path is bad", - wantErr: true, - EnablePathTypeValidation: true, - copyIng: generateComplexIngress(generateDumbIngressforPathTest(&pathTypeImplSpecific, "/foo/bar/(.?)")), + name: "should reject regex path when regex is enabled but the path is invalid", + want: false, + copyIng: generateDumbIngressforPathTest(true), + path: ";xpto", }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - if err := ValidateIngressPath(tt.copyIng, tt.EnablePathTypeValidation, tt.additionalChars); (err != nil) != tt.wantErr { - t.Errorf("ValidateIngressPath() error = %v, wantErr %v", err, tt.wantErr) + if got := IsSafePath(tt.copyIng, tt.path); got != tt.want { + t.Errorf("IsSafePath() = %v, want %v", got, tt.want) } }) } diff --git a/test/e2e/admission/admission.go b/test/e2e/admission/admission.go index e0f55df4e..bde98fddf 100644 --- a/test/e2e/admission/admission.go +++ b/test/e2e/admission/admission.go @@ -30,14 +30,6 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/ingress-nginx/test/e2e/framework" - - networkingv1 "k8s.io/api/networking/v1" -) - -var ( - pathExact = networkingv1.PathTypeExact - pathPrefix = networkingv1.PathTypePrefix - pathImplSpecific = networkingv1.PathTypeImplementationSpecific ) var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() { @@ -160,35 +152,7 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() { assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid annotation value should return an error") }) - ginkgo.It("ADMISSION should not validate characters on ingress when validation of pathType is disabled", func() { - host := "admission-test" - - f.UpdateNginxConfigMapData("enable-pathtype-validation", "false") - - firstIngress := framework.NewSingleIngress("first-ingress", "/xpto*", host, f.Namespace, framework.EchoService, 80, nil) - firstIngress.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathPrefix - _, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "creating an ingress with regex chars on path and pathType validation disabled should be accepted") - }) - - ginkgo.It("ADMISSION should reject ingress with bad characters and pathType != ImplementationSpecific", func() { - host := "admission-test" - - f.UpdateNginxConfigMapData("enable-pathtype-validation", "true") - - firstIngress := framework.NewSingleIngress("first-ingress", "/xpto*", host, f.Namespace, framework.EchoService, 80, nil) - firstIngress.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathPrefix - _, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{}) - assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid path value should return an error") - - secondIngress := framework.NewSingleIngress("second-ingress", "/abc123*", host, f.Namespace, framework.EchoService, 80, nil) - secondIngress.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathImplSpecific - _, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), secondIngress, metav1.CreateOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "creating an ingress with regex on path and pathType ImplementationSpecific should not return an error") - - }) - - ginkgo.It("ADMISSION should return an error if there is a forbidden value in some annotation", func() { + ginkgo.It("should return an error if there is a forbidden value in some annotation", func() { host := "admission-test" annotations := map[string]string{ diff --git a/test/e2e/annotations/affinity.go b/test/e2e/annotations/affinity.go index 31e8905d1..3e1e9e969 100644 --- a/test/e2e/annotations/affinity.go +++ b/test/e2e/annotations/affinity.go @@ -35,8 +35,6 @@ import ( var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { f := framework.NewDefaultFramework("affinity") - pathImpl := networking.PathTypeImplementationSpecific - ginkgo.BeforeEach(func() { f.NewEchoDeployment(framework.WithDeploymentReplicas(2)) }) @@ -278,8 +276,6 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { annotations["nginx.ingress.kubernetes.io/session-cookie-path"] = "/foo/bar" ing := framework.NewSingleIngress(host, "/foo/.*", host, f.Namespace, framework.EchoService, 80, annotations) - ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathImpl - f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -303,8 +299,6 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { annotations["nginx.ingress.kubernetes.io/use-regex"] = "true" ing := framework.NewSingleIngress(host, "/foo/.*", host, f.Namespace, framework.EchoService, 80, annotations) - ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathImpl - f.EnsureIngress(ing) f.WaitForNginxServer(host, diff --git a/test/e2e/annotations/auth.go b/test/e2e/annotations/auth.go index e26fcbd46..1f0f4c3b2 100644 --- a/test/e2e/annotations/auth.go +++ b/test/e2e/annotations/auth.go @@ -720,51 +720,6 @@ http { }) }) - ginkgo.Context("when external authentication is configured along with CORS enabled", func() { - host := "auth" - var annotations map[string]string - var ing *networking.Ingress - - ginkgo.BeforeEach(func() { - f.NewHttpbinDeployment() - - var httpbinIP string - - err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1) - assert.Nil(ginkgo.GinkgoT(), err) - - e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err) - - httpbinIP = e.Subsets[0].Addresses[0].IP - - annotations = map[string]string{ - "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP), - "nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start", - "nginx.ingress.kubernetes.io/enable-cors": "true", - } - - ing = framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name auth") - }) - }) - - ginkgo.It("should redirect to signin url when not signed in along With CORS headers in response", func() { - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithQuery("a", "b"). - WithQuery("c", "d"). - Expect(). - Status(http.StatusFound). - Header("Access-Control-Allow-Origin").Equal(fmt.Sprintf("*")) - - }) - }) - ginkgo.Context("when external authentication with caching is configured", func() { thisHost := "auth" thatHost := "different" diff --git a/test/e2e/annotations/rewrite.go b/test/e2e/annotations/rewrite.go index 0c426a8df..79738b984 100644 --- a/test/e2e/annotations/rewrite.go +++ b/test/e2e/annotations/rewrite.go @@ -24,15 +24,12 @@ import ( "github.com/onsi/ginkgo/v2" "github.com/stretchr/testify/assert" - networking "k8s.io/api/networking/v1" "k8s.io/ingress-nginx/test/e2e/framework" ) var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-log", func() { f := framework.NewDefaultFramework("rewrite") - pathImpl := networking.PathTypeImplementationSpecific - ginkgo.BeforeEach(func() { f.NewEchoDeployment() }) @@ -129,7 +126,6 @@ var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-lo "nginx.ingress.kubernetes.io/rewrite-target": "/new/backend", } ing = framework.NewSingleIngress("regex", "/foo.+", host, f.Namespace, framework.EchoService, 80, annotations) - ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathImpl f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -172,8 +168,6 @@ var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-lo "nginx.ingress.kubernetes.io/rewrite-target": "/new/backend", } ing = framework.NewSingleIngress("regex", "/foo/bar/[a-z]{3}", host, f.Namespace, framework.EchoService, 80, annotations) - ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathImpl - f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -202,8 +196,6 @@ var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-lo "nginx.ingress.kubernetes.io/rewrite-target": "/new/backend/$1", } ing := framework.NewSingleIngress("regex", "/foo/bar/(.+)", host, f.Namespace, framework.EchoService, 80, annotations) - ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathImpl - f.EnsureIngress(ing) f.WaitForNginxServer(host, diff --git a/test/e2e/security/invalid_paths.go b/test/e2e/security/invalid_paths.go new file mode 100644 index 000000000..d75aefc2c --- /dev/null +++ b/test/e2e/security/invalid_paths.go @@ -0,0 +1,134 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package security + +import ( + "fmt" + "net/http" + "strings" + + "github.com/onsi/ginkgo/v2" + + "k8s.io/ingress-nginx/test/e2e/framework" +) + +const ( + validPath = "/xpto/~user/t-e_st.exe" + invalidPath = "/foo/bar/;xpto" + regexPath = "/foo/bar/(.+)" + host = "securitytest.com" +) + +var ( + annotationRegex = map[string]string{ + "nginx.ingress.kubernetes.io/use-regex": "true", + } +) + +var _ = framework.IngressNginxDescribe("[Security] validate path fields", func() { + f := framework.NewDefaultFramework("validate-path") + + ginkgo.BeforeEach(func() { + f.NewEchoDeployment() + }) + + ginkgo.It("should accept an ingress with valid path", func() { + + ing := framework.NewSingleIngress(host, validPath, host, f.Namespace, framework.EchoService, 80, nil) + + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + }) + + f.HTTPTestClient(). + GET(validPath). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK) + }) + + ginkgo.It("should drop an ingress with invalid path", func() { + + ing := framework.NewSingleIngress(host, invalidPath, host, f.Namespace, framework.EchoService, 80, nil) + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + }) + + f.HTTPTestClient(). + GET(invalidPath). + WithHeader("Host", host). + Expect(). + Status(http.StatusNotFound) + }) + + ginkgo.It("should drop an ingress with regex path and regex disabled", func() { + + ing := framework.NewSingleIngress(host, regexPath, host, f.Namespace, framework.EchoService, 80, nil) + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + }) + + f.HTTPTestClient(). + GET("/foo/bar/lalala"). + WithHeader("Host", host). + Expect(). + Status(http.StatusNotFound) + }) + + ginkgo.It("should accept an ingress with regex path and regex enabled", func() { + + ing := framework.NewSingleIngress(host, regexPath, host, f.Namespace, framework.EchoService, 80, annotationRegex) + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + }) + + f.HTTPTestClient(). + GET("/foo/bar/lalala"). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK) + }) + + ginkgo.It("should reject an ingress with invalid path and regex enabled", func() { + + ing := framework.NewSingleIngress(host, invalidPath, host, f.Namespace, framework.EchoService, 80, annotationRegex) + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + }) + + f.HTTPTestClient(). + GET(invalidPath). + WithHeader("Host", host). + Expect(). + Status(http.StatusNotFound) + }) +}) From b3fc7c7a066c95cd0b6497082c68d4b0167b0929 Mon Sep 17 00:00:00 2001 From: James Strong Date: Mon, 13 Feb 2023 08:22:52 -0500 Subject: [PATCH 169/405] trigger the build 1.6.3 --- TAG | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TAG b/TAG index 103ae529e..e37df95ee 100644 --- a/TAG +++ b/TAG @@ -1,2 +1,2 @@ -v1.6.2 +v1.6.3 From 80fd69e641d5b730048fff61f3d58682e2494fd1 Mon Sep 17 00:00:00 2001 From: James Strong Date: Tue, 14 Feb 2023 04:23:31 +0100 Subject: [PATCH 170/405] Release docs for Controller v1.6.3 and Helm v4.5.0 (#9614) Signed-off-by: James Strong --- README.md | 1 + ...{Changelog-1.5.2.md => Changelog-1.6.3.md} | 101 +- charts/ingress-nginx/Chart.yaml | 48 +- charts/ingress-nginx/README.md | 8 +- ...{Changelog-1.5.2.md => Changelog-4.5.0.md} | 7 +- charts/ingress-nginx/values.yaml | 1624 ++++++++--------- deploy/static/provider/aws/deploy.yaml | 57 +- .../aws/nlb-with-tls-termination/deploy.yaml | 57 +- deploy/static/provider/baremetal/deploy.yaml | 57 +- deploy/static/provider/cloud/deploy.yaml | 57 +- deploy/static/provider/do/deploy.yaml | 57 +- deploy/static/provider/exoscale/deploy.yaml | 57 +- deploy/static/provider/kind/deploy.yaml | 57 +- deploy/static/provider/scw/deploy.yaml | 57 +- docs/deploy/index.md | 20 +- docs/e2e-tests.md | 991 ++++++++-- 16 files changed, 1822 insertions(+), 1434 deletions(-) rename changelog/{Changelog-1.5.2.md => Changelog-1.6.3.md} (52%) rename charts/ingress-nginx/changelog/{Changelog-1.5.2.md => Changelog-4.5.0.md} (75%) diff --git a/README.md b/README.md index f8c020b68..6d3fb7873 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,7 @@ the versions listed. Ingress-Nginx versions may work on older versions but the p | Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version | |-----------------------|------------------------------|----------------|---------------| +| v1.6.3 | 1.26, 1.25, 1.24, 1.23 | 3.17.0 | 1.21.6 | | v1.5.1 | 1.25, 1.24, 1.23 | 3.16.2 | 1.21.6 | | v1.4.0 | 1.25, 1.24, 1.23, 1.22 | 3.16.2 | 1.19.10† | | v1.3.1 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.2 | 1.19.10† | diff --git a/changelog/Changelog-1.5.2.md b/changelog/Changelog-1.6.3.md similarity index 52% rename from changelog/Changelog-1.5.2.md rename to changelog/Changelog-1.6.3.md index ed8532374..39fa5bb24 100644 --- a/changelog/Changelog-1.5.2.md +++ b/changelog/Changelog-1.6.3.md @@ -1,14 +1,59 @@ # Changelog -### 1.5.2 +### 1.6.3 Images: -<<<<<<< HEAD - * registry.k8s.io/ingress-nginx/controller:controller-v1.5.2@sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 - * registry.k8s.io/ingress-nginx/controller-chroot:controller-v1.5.2@sha256:84613555694f2c59a8b2551126d226c9aa648544ebf0cde1e0df942f7dbce42b + * registry.k8s.io/controller:controller-v1.6.3@sha256:b92667e0afde1103b736e6a3f00dd75ae66eec4e71827d19f19f471699e909d2 + * registry.k8s.io/controller-chroot:controller-v1.6.3@sha256:4b4a249c9a35ac16a8ec0e22f6c522b8707f7e59e656e64a4ad9ace8fea830a4 ### All Changes: +* Revert Implement pathType validation (#9511) (#9607) +* update history and allow to pass a target test (#9605) +* Allow to pass a target test (#9542) +* Replace deprecated command with environment file (#9581) +* build 1.6.2 to fix (#9569) +* add lint on chart before release (#9570) +* tcpproxy: increase buffer size to 16K (#9548) +* Move and spell-check Kubernetes 1.22 migration FAQ (#9544) +* Add CORS template check inside location for externalAuth.SignURL (#8814) +* fix(grafana-dashboard): remove hardcoded namespace references (#9523) +* Replace deprecated command with environment file (#9581) +* add path validation to implementation specific as well (#9573) +* add lint on chart before release (#9570) +* Switch logic on path type validation and setting it to false (#9543) +* tcpproxy: increase buffer size to 16K (#9548) +* Move and spell-check Kubernetes 1.22 migration FAQ (#9544) +* Add CORS template check inside location for externalAuth.SignURL (#8814) +* fix(grafana-dashboard): remove hardcoded namespace references (#9523) +* Align default value for keepalive_request with NGINX default (#9518) +* Implement pathType validation (#9511) +* feat(configmap): expose gzip-disable (#9505) +* Values: Add missing `controller.metrics.service.labels`. (#9501) +* Add docs about orphan_ingress metric (#9514) +* Add new prometheus metric for orphaned ingress (#8230) +* Sanitise request metrics in monitoring docs (#9384) +* Change default value of enable-brotli (#9500) +* feat: support topology aware hints (#9165) +* Remove 1.5.2 from readme (#9498) +* Remove nonexistent load flag from docker build commands (#9122) +* added option to disable sync event creation (#8528) +* Add buildResolvers to the stream module (#9184) +* fix: disable auth access logs (#9049) +* Adding ipdenylist annotation (#8795) +* Add update updateStrategy and minReadySeconds for defaultBackend (#8506) +* Fix indentation on serviceAccount annotation (#9129) +* Update monitoring.md (#9269) +* add github actions stale bot (#9439) +* Admission Webhooks/Job: Add `NetworkPolicy`. (#9218) +* update OpenTelemetry image (#9491) +* bump OpenTelemetry (#9489) +* Optional podman support (#9294) +* fix change images (#9463) +* move tests to gh actions (#9461) +* Automated Release Controller 1.5.2 (#9455) +* Add sslpassthrough tests (#9457) +* updated the link in RELEASE.md file (#9456) * restart 1.5.2 release process (#9450) * Update command line arguments documentation (#9224) * start release 1.5.2 (#9445) @@ -20,24 +65,6 @@ Images: * update the nginx run container for alpine:3.17.0 (#9430) * cleanup: remove ioutil for new go version (#9427) * start upgrade to golang 1.19.4 and alpine 3.17.0 (#9417) -======= - * registry.k8s.io/controller:controller-v1.5.2@sha256:c1c091b88a6c936a83bd7g098v62f60a87868d12452529bad0d178fb36143346 - * registry.k8s.io/controller-chroot:controller-v1.5.2@sha256:c1c091b88a6c936a83bd7b098662760a87868d12452529b350d178fb36147345 - -### All Changes: - -<<<<<<< HEAD ->>>>>>> f4164ae0b (THE CHANGELOG WORKS) -======= -* upgrade nginx base image (#9436) -* test the new e2e test images (#9444) -* avoid builds and tests for non-code changes (#9392) -* CI updates (#9440) -* HPA: Add `controller.autoscaling.annotations` to `values.yaml`. (#9253) -* update the nginx run container for alpine:3.17.0 (#9430) -* cleanup: remove ioutil for new go version (#9427) -* start upgrade to golang 1.19.4 and alpine 3.17.0 (#9417) ->>>>>>> 9ecab7d85 (e2e doc updates work now) * ci: remove setup-helm step (#9404) * ci: remove setup-kind step (#9401) * Add reporter for all tests (#9395) @@ -73,10 +100,17 @@ Images: * add containerSecurityContext to extraModules init containers (kubernetes#9016) (#9242) ### Dependencies updates: -<<<<<<< HEAD -<<<<<<< HEAD -======= ->>>>>>> 9ecab7d85 (e2e doc updates work now) +* Bump google.golang.org/grpc from 1.52.0 to 1.52.3 (#9555) +* Bump k8s.io/klog/v2 from 2.80.1 to 2.90.0 (#9553) +* Bump sigs.k8s.io/controller-runtime from 0.13.1 to 0.14.2 (#9552) +* Bump google.golang.org/grpc from 1.51.0 to 1.52.0 (#9512) +* Bump `client-go` to remove dependence on go-autorest dependency (#9488) +* Bump google.golang.org/grpc from 1.52.0 to 1.52.3 (#9555) +* Bump k8s.io/klog/v2 from 2.80.1 to 2.90.0 (#9553) +* Bump sigs.k8s.io/controller-runtime from 0.13.1 to 0.14.2 (#9552) +* Bump google.golang.org/grpc from 1.51.0 to 1.52.0 (#9512) +* Bump `client-go` to remove dependence on go-autorest dependency (#9488) +* Bump golang.org/x/crypto from 0.4.0 to 0.5.0 (#9494) * Bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#9397) * Bump github.com/onsi/ginkgo/v2 from 2.6.0 to 2.6.1 (#9432) * Bump github.com/onsi/ginkgo/v2 from 2.6.0 to 2.6.1 (#9421) @@ -85,11 +119,6 @@ Images: * Bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (#9426) * Bump actions/dependency-review-action from 3.0.1 to 3.0.2 (#9424) * Bump ossf/scorecard-action from 2.0.6 to 2.1.0 (#9422) -<<<<<<< HEAD -======= ->>>>>>> f4164ae0b (THE CHANGELOG WORKS) -======= ->>>>>>> 9ecab7d85 (e2e doc updates work now) * Bump github.com/prometheus/common from 0.37.0 to 0.39.0 (#9416) * Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.6.0 (#9408) * Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.6.0 (#9398) @@ -104,12 +133,4 @@ Images: * Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (#9301) * Bump k8s.io/component-base from 0.25.3 to 0.25.4 (#9300) -<<<<<<< HEAD -<<<<<<< HEAD -**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.5.1...controller-controller-v1.5.2 -======= -**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.5.2...controller-controller-v1.5.1 ->>>>>>> f4164ae0b (THE CHANGELOG WORKS) -======= -**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.5.1...controller-controller-v1.5.2 ->>>>>>> 9ecab7d85 (e2e doc updates work now) +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.5.1...controller-controller-v1.6.3 diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index 2a15960f7..c11859326 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml @@ -1,31 +1,27 @@ +annotations: + artifacthub.io/changes: | + - "add lint on chart before release (#9570)" + - "ci: remove setup-helm step (#9404)" + - "feat(helm): Optionally use cert-manager instead admission patch (#9279)" + - "run helm release on main only and when the chart/value changes only (#9290)" + - "Update Ingress-Nginx version controller-v1.6.3" + artifacthub.io/prerelease: "false" apiVersion: v2 -name: ingress-nginx -# When the version is modified, make sure the artifacthub.io/changes list is updated -# Also update CHANGELOG.md -version: 4.4.2 -appVersion: 1.5.1 +appVersion: 1.6.3 +description: Ingress controller for Kubernetes using NGINX as a reverse proxy and + load balancer +engine: gotpl home: https://github.com/kubernetes/ingress-nginx -description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png keywords: - - ingress - - nginx -sources: - - https://github.com/kubernetes/ingress-nginx +- ingress +- nginx +kubeVersion: '>=1.20.0-0' maintainers: - - name: rikatz - - name: strongjz - - name: tao12345666333 -engine: gotpl -kubeVersion: ">=1.20.0-0" -annotations: - # Use this annotation to indicate that this chart version is a pre-release. - # https://artifacthub.io/docs/topics/annotations/helm/ - artifacthub.io/prerelease: "false" - # List of changes for the release in artifacthub.io - # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog - artifacthub.io/changes: | - - Adding support for disabling liveness and readiness probes to the Helm chart - - add:(admission-webhooks) ability to set securityContext - - Updated Helm chart to use the fullname for the electionID if not specified - - Rename controller-wehbooks-networkpolicy.yaml +- name: rikatz +- name: strongjz +- name: tao12345666333 +name: ingress-nginx +sources: +- https://github.com/kubernetes/ingress-nginx +version: 4.5.0 diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 65236e08c..cb454b535 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.4.2](https://img.shields.io/badge/Version-4.4.2-informational?style=flat-square) ![AppVersion: 1.5.1](https://img.shields.io/badge/AppVersion-1.5.1-informational?style=flat-square) +![Version: 4.5.0](https://img.shields.io/badge/Version-4.5.0-informational?style=flat-square) ![AppVersion: 1.6.3](https://img.shields.io/badge/AppVersion-1.6.3-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. @@ -333,13 +333,13 @@ Kubernetes: `>=1.20.0-0` | controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.image.allowPrivilegeEscalation | bool | `true` | | | controller.image.chroot | bool | `false` | | -| controller.image.digest | string | `"sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629"` | | -| controller.image.digestChroot | string | `"sha256:c1c091b88a6c936a83bd7b098662760a87868d12452529bad0d178fb36147345"` | | +| controller.image.digest | string | `"sha256:b92667e0afde1103b736e6a3f00dd75ae66eec4e71827d19f19f471699e909d2"` | | +| controller.image.digestChroot | string | `"sha256:4b4a249c9a35ac16a8ec0e22f6c522b8707f7e59e656e64a4ad9ace8fea830a4"` | | | controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.registry | string | `"registry.k8s.io"` | | | controller.image.runAsUser | int | `101` | | -| controller.image.tag | string | `"v1.5.1"` | | +| controller.image.tag | string | `"v1.6.3"` | | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass | diff --git a/charts/ingress-nginx/changelog/Changelog-1.5.2.md b/charts/ingress-nginx/changelog/Changelog-4.5.0.md similarity index 75% rename from charts/ingress-nginx/changelog/Changelog-1.5.2.md rename to charts/ingress-nginx/changelog/Changelog-4.5.0.md index 5e0563858..ba4b52cbc 100644 --- a/charts/ingress-nginx/changelog/Changelog-1.5.2.md +++ b/charts/ingress-nginx/changelog/Changelog-4.5.0.md @@ -2,11 +2,12 @@ This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). -### 4.4.1 +### 4.5.0 +* add lint on chart before release (#9570) * ci: remove setup-helm step (#9404) * feat(helm): Optionally use cert-manager instead admission patch (#9279) * run helm release on main only and when the chart/value changes only (#9290) -* Update Ingress-Nginx version controller-v1.5.2 +* Update Ingress-Nginx version controller-v1.6.3 -**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.4.1...helm-chart-4.4.1 +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.4.3...helm-chart-4.5.0 diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 215ce509d..34e1cf6ef 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -14,226 +14,193 @@ commonLabels: {} # myLabel: aakkmd controller: - name: controller - image: - ## Keep false as default for now! - chroot: false - registry: registry.k8s.io - image: ingress-nginx/controller - ## for backwards compatibility consider setting the full image url via the repository value below - ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail - ## repository: - tag: "v1.5.1" - digest: sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 - digestChroot: sha256:c1c091b88a6c936a83bd7b098662760a87868d12452529bad0d178fb36147345 - pullPolicy: IfNotPresent - # www-data -> uid 101 - runAsUser: 101 - allowPrivilegeEscalation: true + name: controller + image: + ## Keep false as default for now! + chroot: false + registry: registry.k8s.io + image: ingress-nginx/controller + ## for backwards compatibility consider setting the full image url via the repository value below + ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + ## repository: + tag: "v1.6.3" + digest: sha256:b92667e0afde1103b736e6a3f00dd75ae66eec4e71827d19f19f471699e909d2 + digestChroot: sha256:4b4a249c9a35ac16a8ec0e22f6c522b8707f7e59e656e64a4ad9ace8fea830a4 + pullPolicy: IfNotPresent + # www-data -> uid 101 + runAsUser: 101 + allowPrivilegeEscalation: true + # -- Use an existing PSP instead of creating one + existingPsp: "" + # -- Configures the controller container name + containerName: controller + # -- Configures the ports that the nginx-controller listens on + containerPort: + http: 80 + https: 443 + # -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ + config: {} + # -- Annotations to be added to the controller config configuration configmap. + configAnnotations: {} + # -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers + proxySetHeaders: {} + # -- Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers + addHeaders: {} + # -- Optionally customize the pod dnsConfig. + dnsConfig: {} + # -- Optionally customize the pod hostname. + hostname: {} + # -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. + # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller + # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. + dnsPolicy: ClusterFirst + # -- Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network + # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply + reportNodeInternalIp: false + # -- Process Ingress objects without ingressClass annotation/ingressClassName field + # Overrides value for --watch-ingress-without-class flag of the controller binary + # Defaults to false + watchIngressWithoutClass: false + # -- Process IngressClass per name (additionally as per spec.controller). + ingressClassByName: false + # -- This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto" + # Defaults to false + enableTopologyAwareRouting: false + # -- This configuration defines if Ingress Controller should allow users to set + # their own *-snippet annotations, otherwise this is forbidden / dropped + # when users add those annotations. + # Global snippets in ConfigMap are still respected + allowSnippetAnnotations: true + # -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), + # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 + # is merged + hostNetwork: false + ## Use host ports 80 and 443 + ## Disabled by default + hostPort: + # -- Enable 'hostPort' or not + enabled: false + ports: + # -- 'hostPort' http port + http: 80 + # -- 'hostPort' https port + https: 443 + # -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' + electionID: "" + ## This section refers to the creation of the IngressClass resource + ## IngressClass resources are supported since k8s >= 1.18 and required since k8s >= 1.19 + ingressClassResource: + # -- Name of the ingressClass + name: nginx + # -- Is this ingressClass enabled or not + enabled: true + # -- Is this the default ingressClass for the cluster + default: false + # -- Controller-value of the controller that is processing this ingressClass + controllerValue: "k8s.io/ingress-nginx" + # -- Parameters is a link to a custom resource containing additional + # configuration for the controller. This is optional if the controller + # does not require extra parameters. + parameters: {} + # -- For backwards compatibility with ingress.class annotation, use ingressClass. + # Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation + ingressClass: nginx + # -- Labels to add to the pod container metadata + podLabels: {} + # key: value - # -- Use an existing PSP instead of creating one - existingPsp: "" + # -- Security Context policies for controller pods + podSecurityContext: {} + # -- See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls + sysctls: {} + # sysctls: + # "net.core.somaxconn": "8192" - # -- Configures the controller container name - containerName: controller - - # -- Configures the ports that the nginx-controller listens on - containerPort: - http: 80 - https: 443 - - # -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ - config: {} - - # -- Annotations to be added to the controller config configuration configmap. - configAnnotations: {} - - # -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers - proxySetHeaders: {} - - # -- Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers - addHeaders: {} - - # -- Optionally customize the pod dnsConfig. - dnsConfig: {} - - # -- Optionally customize the pod hostname. - hostname: {} - - # -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. - # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller - # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. - dnsPolicy: ClusterFirst - - # -- Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network - # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply - reportNodeInternalIp: false - - # -- Process Ingress objects without ingressClass annotation/ingressClassName field - # Overrides value for --watch-ingress-without-class flag of the controller binary - # Defaults to false - watchIngressWithoutClass: false - - # -- Process IngressClass per name (additionally as per spec.controller). - ingressClassByName: false - - # -- This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto" - # Defaults to false - enableTopologyAwareRouting: false - - # -- This configuration defines if Ingress Controller should allow users to set - # their own *-snippet annotations, otherwise this is forbidden / dropped - # when users add those annotations. - # Global snippets in ConfigMap are still respected - allowSnippetAnnotations: true - - # -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), - # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 - # is merged - hostNetwork: false - - ## Use host ports 80 and 443 - ## Disabled by default - hostPort: - # -- Enable 'hostPort' or not - enabled: false - ports: - # -- 'hostPort' http port - http: 80 - # -- 'hostPort' https port - https: 443 - - # -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' - electionID: "" - - ## This section refers to the creation of the IngressClass resource - ## IngressClass resources are supported since k8s >= 1.18 and required since k8s >= 1.19 - ingressClassResource: - # -- Name of the ingressClass - name: nginx - # -- Is this ingressClass enabled or not - enabled: true - # -- Is this the default ingressClass for the cluster - default: false - # -- Controller-value of the controller that is processing this ingressClass - controllerValue: "k8s.io/ingress-nginx" - - # -- Parameters is a link to a custom resource containing additional - # configuration for the controller. This is optional if the controller - # does not require extra parameters. - parameters: {} - - # -- For backwards compatibility with ingress.class annotation, use ingressClass. - # Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation - ingressClass: nginx - - # -- Labels to add to the pod container metadata - podLabels: {} - # key: value - - # -- Security Context policies for controller pods - podSecurityContext: {} - - # -- See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls - sysctls: {} - # sysctls: - # "net.core.somaxconn": "8192" - - # -- Allows customization of the source of the IP address or FQDN to report - # in the ingress status field. By default, it reads the information provided - # by the service. If disable, the status field reports the IP address of the - # node or nodes where an ingress controller pod is running. - publishService: - # -- Enable 'publishService' or not - enabled: true - # -- Allows overriding of the publish service to bind to - # Must be / - pathOverride: "" - - # Limit the scope of the controller to a specific namespace - scope: - # -- Enable 'scope' or not - enabled: false - # -- Namespace to limit the controller to; defaults to $(POD_NAMESPACE) - namespace: "" - # -- When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels - # only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. - namespaceSelector: "" - - # -- Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) - configMapNamespace: "" - - tcp: - # -- Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) + # -- Allows customization of the source of the IP address or FQDN to report + # in the ingress status field. By default, it reads the information provided + # by the service. If disable, the status field reports the IP address of the + # node or nodes where an ingress controller pod is running. + publishService: + # -- Enable 'publishService' or not + enabled: true + # -- Allows overriding of the publish service to bind to + # Must be / + pathOverride: "" + # Limit the scope of the controller to a specific namespace + scope: + # -- Enable 'scope' or not + enabled: false + # -- Namespace to limit the controller to; defaults to $(POD_NAMESPACE) + namespace: "" + # -- When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels + # only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. + namespaceSelector: "" + # -- Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) configMapNamespace: "" - # -- Annotations to be added to the tcp config configmap + tcp: + # -- Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) + configMapNamespace: "" + # -- Annotations to be added to the tcp config configmap + annotations: {} + udp: + # -- Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) + configMapNamespace: "" + # -- Annotations to be added to the udp config configmap + annotations: {} + # -- Maxmind license key to download GeoLite2 Databases. + ## https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases + maxmindLicenseKey: "" + # -- Additional command line arguments to pass to nginx-ingress-controller + # E.g. to specify the default SSL certificate you can use + extraArgs: {} + ## extraArgs: + ## default-ssl-certificate: "/" + + # -- Additional environment variables to set + extraEnvs: [] + # extraEnvs: + # - name: FOO + # valueFrom: + # secretKeyRef: + # key: FOO + # name: secret-resource + + # -- Use a `DaemonSet` or `Deployment` + kind: Deployment + # -- Annotations to be added to the controller Deployment or DaemonSet + ## annotations: {} + # keel.sh/pollSchedule: "@every 60m" - udp: - # -- Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) - configMapNamespace: "" - # -- Annotations to be added to the udp config configmap - annotations: {} + # -- Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels + ## + labels: {} + # keel.sh/policy: patch + # keel.sh/trigger: poll - # -- Maxmind license key to download GeoLite2 Databases. - ## https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases - maxmindLicenseKey: "" + # -- The update strategy to apply to the Deployment or DaemonSet + ## + updateStrategy: {} + # rollingUpdate: + # maxUnavailable: 1 + # type: RollingUpdate - # -- Additional command line arguments to pass to nginx-ingress-controller - # E.g. to specify the default SSL certificate you can use - extraArgs: {} - ## extraArgs: - ## default-ssl-certificate: "/" + # -- `minReadySeconds` to avoid killing pods before we are ready + ## + minReadySeconds: 0 + # -- Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - # -- Additional environment variables to set - extraEnvs: [] - # extraEnvs: - # - name: FOO - # valueFrom: - # secretKeyRef: - # key: FOO - # name: secret-resource - - # -- Use a `DaemonSet` or `Deployment` - kind: Deployment - - # -- Annotations to be added to the controller Deployment or DaemonSet - ## - annotations: {} - # keel.sh/pollSchedule: "@every 60m" - - # -- Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels - ## - labels: {} - # keel.sh/policy: patch - # keel.sh/trigger: poll - - - # -- The update strategy to apply to the Deployment or DaemonSet - ## - updateStrategy: {} - # rollingUpdate: - # maxUnavailable: 1 - # type: RollingUpdate - - # -- `minReadySeconds` to avoid killing pods before we are ready - ## - minReadySeconds: 0 - - - # -- Node tolerations for server scheduling to nodes with taints - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - ## - tolerations: [] - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - - # -- Affinity and anti-affinity rules for server scheduling to nodes - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## - affinity: {} + # -- Affinity and anti-affinity rules for server scheduling to nodes + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## + affinity: {} # # An example of preferred pod anti-affinity, weight is in the range 1-100 # podAntiAffinity: # preferredDuringSchedulingIgnoredDuringExecution: @@ -274,10 +241,10 @@ controller: # - controller # topologyKey: "kubernetes.io/hostname" - # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - ## - topologySpreadConstraints: [] + # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## + topologySpreadConstraints: [] # - maxSkew: 1 # topologyKey: topology.kubernetes.io/zone # whenUnsatisfiable: DoNotSchedule @@ -285,682 +252,616 @@ controller: # matchLabels: # app.kubernetes.io/instance: ingress-nginx-internal - # -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready - ## wait up to five minutes for the drain of connections - ## - terminationGracePeriodSeconds: 300 - - # -- Node labels for controller pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: - kubernetes.io/os: linux - - ## Liveness and readiness probe values - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes - ## - ## startupProbe: - ## httpGet: - ## # should match container.healthCheckPath - ## path: "/healthz" - ## port: 10254 - ## scheme: HTTP - ## initialDelaySeconds: 5 - ## periodSeconds: 5 - ## timeoutSeconds: 2 - ## successThreshold: 1 - ## failureThreshold: 5 - livenessProbe: - httpGet: - # should match container.healthCheckPath - path: "/healthz" - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 5 - readinessProbe: - httpGet: - # should match container.healthCheckPath - path: "/healthz" - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - - - # -- Path of the health check endpoint. All requests received on the port defined by - # the healthz-port parameter are forwarded internally to this path. - healthCheckPath: "/healthz" - - # -- Address to bind the health check endpoint. - # It is better to set this option to the internal node address - # if the ingress nginx controller is running in the `hostNetwork: true` mode. - healthCheckHost: "" - - # -- Annotations to be added to controller pods - ## - podAnnotations: {} - - replicaCount: 1 - - # -- Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Define either 'minAvailable' or 'maxUnavailable', never both. - # maxUnavailable: 1 - - ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes - ## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903 - ## Ideally, there should be no limits. - ## https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/ - resources: - ## limits: - ## cpu: 100m - ## memory: 90Mi - requests: - cpu: 100m - memory: 90Mi - - # Mutually exclusive with keda autoscaling - autoscaling: - apiVersion: autoscaling/v2 - enabled: false - annotations: {} - minReplicas: 1 - maxReplicas: 11 - targetCPUUtilizationPercentage: 50 - targetMemoryUtilizationPercentage: 50 - behavior: {} - # scaleDown: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 1 - # periodSeconds: 180 - # scaleUp: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 2 - # periodSeconds: 60 - - autoscalingTemplate: [] - # Custom or additional autoscaling metrics - # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics - # - type: Pods - # pods: - # metric: - # name: nginx_ingress_controller_nginx_process_requests_total - # target: - # type: AverageValue - # averageValue: 10000m - - # Mutually exclusive with hpa autoscaling - keda: - apiVersion: "keda.sh/v1alpha1" - ## apiVersion changes with keda 1.x vs 2.x - ## 2.x = keda.sh/v1alpha1 - ## 1.x = keda.k8s.io/v1alpha1 - enabled: false - minReplicas: 1 - maxReplicas: 11 - pollingInterval: 30 - cooldownPeriod: 300 - restoreToOriginalReplicaCount: false - scaledObject: - annotations: {} - # Custom annotations for ScaledObject resource - # annotations: - # key: value - triggers: [] - # - type: prometheus - # metadata: - # serverAddress: http://:9090 - # metricName: http_requests_total - # threshold: '100' - # query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) - - behavior: {} - # scaleDown: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 1 - # periodSeconds: 180 - # scaleUp: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 2 - # periodSeconds: 60 - - # -- Enable mimalloc as a drop-in replacement for malloc. - ## ref: https://github.com/microsoft/mimalloc - ## - enableMimalloc: true - - ## Override NGINX template - customTemplate: - configMapName: "" - configMapKey: "" - - service: - enabled: true - - # -- If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were - # using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http - # It allows choosing the protocol for each backend specified in the Kubernetes service. - # See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 - # Will be ignored for Kubernetes versions older than 1.20 + # -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready + ## wait up to five minutes for the drain of connections ## - appProtocol: true - - annotations: {} - labels: {} - # clusterIP: "" - - # -- List of IP addresses at which the controller services are available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + terminationGracePeriodSeconds: 300 + # -- Node labels for controller pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ ## - externalIPs: [] - - # -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer - loadBalancerIP: "" - loadBalancerSourceRanges: [] - - enableHttp: true - enableHttps: true - - ## Set external traffic policy to: "Local" to preserve source IP on providers supporting it. - ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer - # externalTrafficPolicy: "" - - ## Must be either "None" or "ClientIP" if set. Kubernetes will default to "None". - ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - # sessionAffinity: "" - - ## Specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified, - ## the service controller allocates a port from your cluster’s NodePort range. - ## Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - # healthCheckNodePort: 0 - - # -- Represents the dual-stack-ness requested or required by this Service. Possible values are - # SingleStack, PreferDualStack or RequireDualStack. - # The ipFamilies and clusterIPs fields depend on the value of this field. - ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ - ipFamilyPolicy: "SingleStack" - - # -- List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically - # based on cluster configuration and the ipFamilyPolicy field. - ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ - ipFamilies: - - IPv4 - - ports: - http: 80 - https: 443 - - targetPorts: - http: http - https: https - - type: LoadBalancer - - ## type: NodePort - ## nodePorts: - ## http: 32080 - ## https: 32443 - ## tcp: - ## 8080: 32808 - nodePorts: - http: "" - https: "" - tcp: {} - udp: {} - - external: - enabled: true - - internal: - # -- Enables an additional internal load balancer (besides the external one). - enabled: false - # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. - annotations: {} - - # loadBalancerIP: "" - - # -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. - loadBalancerSourceRanges: [] - - ## Set external traffic policy to: "Local" to preserve source IP on - ## providers supporting it - ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer - # externalTrafficPolicy: "" - - # shareProcessNamespace enables process namespace sharing within the pod. - # This can be used for example to signal log rotation using `kill -USR1` from a sidecar. - shareProcessNamespace: false - - # -- Additional containers to be added to the controller pod. - # See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. - extraContainers: [] - # - name: my-sidecar - # image: nginx:latest - # - name: lemonldap-ng-controller - # image: lemonldapng/lemonldap-ng-controller:0.2.0 - # args: - # - /lemonldap-ng-controller - # - --alsologtostderr - # - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration - # env: - # - name: POD_NAME - # valueFrom: - # fieldRef: - # fieldPath: metadata.name - # - name: POD_NAMESPACE - # valueFrom: - # fieldRef: - # fieldPath: metadata.namespace - # volumeMounts: - # - name: copy-portal-skins - # mountPath: /srv/var/lib/lemonldap-ng/portal/skins - - # -- Additional volumeMounts to the controller main container. - extraVolumeMounts: [] - # - name: copy-portal-skins - # mountPath: /var/lib/lemonldap-ng/portal/skins - - # -- Additional volumes to the controller pod. - extraVolumes: [] - # - name: copy-portal-skins - # emptyDir: {} - - # -- Containers, which are run before the app containers are started. - extraInitContainers: [] - # - name: init-myservice - # image: busybox - # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] - - # -- Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module - extraModules: [] - # containerSecurityContext: - # allowPrivilegeEscalation: false - # - # The image must contain a `/usr/local/bin/init_module.sh` executable, which - # will be executed as initContainers, to move its config files within the - # mounted volume. - - opentelemetry: - enabled: false - image: registry.k8s.io/ingress-nginx/opentelemetry:v20230107-helm-chart-4.4.2-2-g96b3d2165@sha256:331b9bebd6acfcd2d3048abbdd86555f5be76b7e3d0b5af4300b04235c6056c9 - containerSecurityContext: - allowPrivilegeEscalation: false - - admissionWebhooks: - annotations: {} - # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem". - - ## Additional annotations to the admission webhooks. - ## These annotations will be added to the ValidatingWebhookConfiguration and - ## the Jobs Spec of the admission webhooks. - enabled: true - # -- Additional environment variables to set - extraEnvs: [] - # extraEnvs: - # - name: FOO - # valueFrom: - # secretKeyRef: - # key: FOO - # name: secret-resource - # -- Admission Webhook failure policy to use - failurePolicy: Fail - # timeoutSeconds: 10 - port: 8443 - certificate: "/usr/local/certificates/cert" - key: "/usr/local/certificates/key" - namespaceSelector: {} - objectSelector: {} - # -- Labels to be added to admission webhooks - labels: {} - - # -- Use an existing PSP instead of creating one - existingPsp: "" - networkPolicyEnabled: false - - service: - annotations: {} - # clusterIP: "" - externalIPs: [] - # loadBalancerIP: "" - loadBalancerSourceRanges: [] - servicePort: 443 - type: ClusterIP - - createSecretJob: - securityContext: - allowPrivilegeEscalation: false - resources: {} - # limits: - # cpu: 10m - # memory: 20Mi - # requests: - # cpu: 10m - # memory: 20Mi - - patchWebhookJob: - securityContext: - allowPrivilegeEscalation: false - resources: {} - - patch: - enabled: true - image: - registry: registry.k8s.io - image: ingress-nginx/kube-webhook-certgen - ## for backwards compatibility consider setting the full image url via the repository value below - ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail - ## repository: - tag: v20220916-gd32f8c343 - digest: sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f - pullPolicy: IfNotPresent - # -- Provide a priority class name to the webhook patching job - ## - priorityClassName: "" - podAnnotations: {} - nodeSelector: + nodeSelector: kubernetes.io/os: linux - tolerations: [] - # -- Labels to be added to patch job resources - labels: {} - securityContext: - runAsNonRoot: true - runAsUser: 2000 - fsGroup: 2000 + ## Liveness and readiness probe values + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## + ## startupProbe: + ## httpGet: + ## # should match container.healthCheckPath + ## path: "/healthz" + ## port: 10254 + ## scheme: HTTP + ## initialDelaySeconds: 5 + ## periodSeconds: 5 + ## timeoutSeconds: 2 + ## successThreshold: 1 + ## failureThreshold: 5 + livenessProbe: + httpGet: + # should match container.healthCheckPath + path: "/healthz" + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + httpGet: + # should match container.healthCheckPath + path: "/healthz" + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + # -- Path of the health check endpoint. All requests received on the port defined by + # the healthz-port parameter are forwarded internally to this path. + healthCheckPath: "/healthz" + # -- Address to bind the health check endpoint. + # It is better to set this option to the internal node address + # if the ingress nginx controller is running in the `hostNetwork: true` mode. + healthCheckHost: "" + # -- Annotations to be added to controller pods + ## + podAnnotations: {} + replicaCount: 1 + # -- Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Define either 'minAvailable' or 'maxUnavailable', never both. + # maxUnavailable: 1 - # Use certmanager to generate webhook certs - certManager: - enabled: false - # self-signed root certificate - rootCert: - duration: "" # default to be 5y - admissionCert: - duration: "" # default to be 1y - # issuerRef: - # name: "issuer" - # kind: "ClusterIssuer" + ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes + ## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903 + ## Ideally, there should be no limits. + ## https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/ + resources: + ## limits: + ## cpu: 100m + ## memory: 90Mi + requests: + cpu: 100m + memory: 90Mi + # Mutually exclusive with keda autoscaling + autoscaling: + apiVersion: autoscaling/v2 + enabled: false + annotations: {} + minReplicas: 1 + maxReplicas: 11 + targetCPUUtilizationPercentage: 50 + targetMemoryUtilizationPercentage: 50 + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 + autoscalingTemplate: [] + # Custom or additional autoscaling metrics + # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics + # - type: Pods + # pods: + # metric: + # name: nginx_ingress_controller_nginx_process_requests_total + # target: + # type: AverageValue + # averageValue: 10000m - metrics: - port: 10254 - portName: metrics - # if this port is changed, change healthz-port: in extraArgs: accordingly - enabled: false + # Mutually exclusive with hpa autoscaling + keda: + apiVersion: "keda.sh/v1alpha1" + ## apiVersion changes with keda 1.x vs 2.x + ## 2.x = keda.sh/v1alpha1 + ## 1.x = keda.k8s.io/v1alpha1 + enabled: false + minReplicas: 1 + maxReplicas: 11 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + # Custom annotations for ScaledObject resource + # annotations: + # key: value + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: http_requests_total + # threshold: '100' + # query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 + + # -- Enable mimalloc as a drop-in replacement for malloc. + ## ref: https://github.com/microsoft/mimalloc + ## + enableMimalloc: true + ## Override NGINX template + customTemplate: + configMapName: "" + configMapKey: "" service: - annotations: {} - # prometheus.io/scrape: "true" - # prometheus.io/port: "10254" - # -- Labels to be added to the metrics service resource - labels: {} + enabled: true + # -- If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were + # using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http + # It allows choosing the protocol for each backend specified in the Kubernetes service. + # See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 + # Will be ignored for Kubernetes versions older than 1.20 + ## + appProtocol: true + annotations: {} + labels: {} + # clusterIP: "" - # clusterIP: "" + # -- List of IP addresses at which the controller services are available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + # -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + loadBalancerSourceRanges: [] + enableHttp: true + enableHttps: true + ## Set external traffic policy to: "Local" to preserve source IP on providers supporting it. + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "" - # -- List of IP addresses at which the stats-exporter service is available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips - ## - externalIPs: [] + ## Must be either "None" or "ClientIP" if set. Kubernetes will default to "None". + ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + # sessionAffinity: "" - # loadBalancerIP: "" - loadBalancerSourceRanges: [] - servicePort: 10254 - type: ClusterIP - # externalTrafficPolicy: "" - # nodePort: "" + ## Specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified, + ## the service controller allocates a port from your cluster’s NodePort range. + ## Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + # healthCheckNodePort: 0 - serviceMonitor: - enabled: false - additionalLabels: {} - ## The label to use to retrieve the job name from. - ## jobLabel: "app.kubernetes.io/name" - namespace: "" - namespaceSelector: {} - ## Default: scrape .Release.Namespace only - ## To scrape all, use the following: - ## namespaceSelector: - ## any: true - scrapeInterval: 30s - # honorLabels: true - targetLabels: [] - relabelings: [] - metricRelabelings: [] + # -- Represents the dual-stack-ness requested or required by this Service. Possible values are + # SingleStack, PreferDualStack or RequireDualStack. + # The ipFamilies and clusterIPs fields depend on the value of this field. + ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ipFamilyPolicy: "SingleStack" + # -- List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically + # based on cluster configuration and the ipFamilyPolicy field. + ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ipFamilies: + - IPv4 + ports: + http: 80 + https: 443 + targetPorts: + http: http + https: https + type: LoadBalancer + ## type: NodePort + ## nodePorts: + ## http: 32080 + ## https: 32443 + ## tcp: + ## 8080: 32808 + nodePorts: + http: "" + https: "" + tcp: {} + udp: {} + external: + enabled: true + internal: + # -- Enables an additional internal load balancer (besides the external one). + enabled: false + # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. + annotations: {} + # loadBalancerIP: "" - prometheusRule: - enabled: false - additionalLabels: {} - # namespace: "" - rules: [] - # # These are just examples rules, please adapt them to your needs - # - alert: NGINXConfigFailed - # expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0 - # for: 1s - # labels: - # severity: critical - # annotations: - # description: bad ingress config - nginx config test failed - # summary: uninstall the latest ingress changes to allow config reloads to resume - # - alert: NGINXCertificateExpiry - # expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800 - # for: 1s - # labels: - # severity: critical - # annotations: - # description: ssl certificate(s) will expire in less then a week - # summary: renew expiring certificates to avoid downtime - # - alert: NGINXTooMany500s - # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"5.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 - # for: 1m - # labels: - # severity: warning - # annotations: - # description: Too many 5XXs - # summary: More than 5% of all requests returned 5XX, this requires your attention - # - alert: NGINXTooMany400s - # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"4.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 - # for: 1m - # labels: - # severity: warning - # annotations: - # description: Too many 4XXs - # summary: More than 5% of all requests returned 4XX, this requires your attention + # -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. + loadBalancerSourceRanges: [] + ## Set external traffic policy to: "Local" to preserve source IP on + ## providers supporting it + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "" + # shareProcessNamespace enables process namespace sharing within the pod. + # This can be used for example to signal log rotation using `kill -USR1` from a sidecar. + shareProcessNamespace: false + # -- Additional containers to be added to the controller pod. + # See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. + extraContainers: [] + # - name: my-sidecar + # image: nginx:latest + # - name: lemonldap-ng-controller + # image: lemonldapng/lemonldap-ng-controller:0.2.0 + # args: + # - /lemonldap-ng-controller + # - --alsologtostderr + # - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration + # env: + # - name: POD_NAME + # valueFrom: + # fieldRef: + # fieldPath: metadata.name + # - name: POD_NAMESPACE + # valueFrom: + # fieldRef: + # fieldPath: metadata.namespace + # volumeMounts: + # - name: copy-portal-skins + # mountPath: /srv/var/lib/lemonldap-ng/portal/skins - # -- Improve connection draining when ingress controller pod is deleted using a lifecycle hook: - # With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds - # to 300, allowing the draining of connections up to five minutes. - # If the active connections end before that, the pod will terminate gracefully at that time. - # To effectively take advantage of this feature, the Configmap feature - # worker-shutdown-timeout new value is 240s instead of 10s. - ## - lifecycle: - preStop: - exec: - command: - - /wait-shutdown + # -- Additional volumeMounts to the controller main container. + extraVolumeMounts: [] + # - name: copy-portal-skins + # mountPath: /var/lib/lemonldap-ng/portal/skins - priorityClassName: "" + # -- Additional volumes to the controller pod. + extraVolumes: [] + # - name: copy-portal-skins + # emptyDir: {} + # -- Containers, which are run before the app containers are started. + extraInitContainers: [] + # - name: init-myservice + # image: busybox + # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] + + # -- Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module + extraModules: [] + # containerSecurityContext: + # allowPrivilegeEscalation: false + # + # The image must contain a `/usr/local/bin/init_module.sh` executable, which + # will be executed as initContainers, to move its config files within the + # mounted volume. + + opentelemetry: + enabled: false + image: registry.k8s.io/ingress-nginx/opentelemetry:v20230107-helm-chart-4.4.2-2-g96b3d2165@sha256:331b9bebd6acfcd2d3048abbdd86555f5be76b7e3d0b5af4300b04235c6056c9 + containerSecurityContext: + allowPrivilegeEscalation: false + admissionWebhooks: + annotations: {} + # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem". + + ## Additional annotations to the admission webhooks. + ## These annotations will be added to the ValidatingWebhookConfiguration and + ## the Jobs Spec of the admission webhooks. + enabled: true + # -- Additional environment variables to set + extraEnvs: [] + # extraEnvs: + # - name: FOO + # valueFrom: + # secretKeyRef: + # key: FOO + # name: secret-resource + # -- Admission Webhook failure policy to use + failurePolicy: Fail + # timeoutSeconds: 10 + port: 8443 + certificate: "/usr/local/certificates/cert" + key: "/usr/local/certificates/key" + namespaceSelector: {} + objectSelector: {} + # -- Labels to be added to admission webhooks + labels: {} + # -- Use an existing PSP instead of creating one + existingPsp: "" + networkPolicyEnabled: false + service: + annotations: {} + # clusterIP: "" + externalIPs: [] + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 443 + type: ClusterIP + createSecretJob: + securityContext: + allowPrivilegeEscalation: false + resources: {} + # limits: + # cpu: 10m + # memory: 20Mi + # requests: + # cpu: 10m + # memory: 20Mi + patchWebhookJob: + securityContext: + allowPrivilegeEscalation: false + resources: {} + patch: + enabled: true + image: + registry: registry.k8s.io + image: ingress-nginx/kube-webhook-certgen + ## for backwards compatibility consider setting the full image url via the repository value below + ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + ## repository: + tag: v20220916-gd32f8c343 + digest: sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + pullPolicy: IfNotPresent + # -- Provide a priority class name to the webhook patching job + ## + priorityClassName: "" + podAnnotations: {} + nodeSelector: + kubernetes.io/os: linux + tolerations: [] + # -- Labels to be added to patch job resources + labels: {} + securityContext: + runAsNonRoot: true + runAsUser: 2000 + fsGroup: 2000 + # Use certmanager to generate webhook certs + certManager: + enabled: false + # self-signed root certificate + rootCert: + # default to be 5y + duration: "" + admissionCert: + # default to be 1y + duration: "" + # issuerRef: + # name: "issuer" + # kind: "ClusterIssuer" + metrics: + port: 10254 + portName: metrics + # if this port is changed, change healthz-port: in extraArgs: accordingly + enabled: false + service: + annotations: {} + # prometheus.io/scrape: "true" + # prometheus.io/port: "10254" + # -- Labels to be added to the metrics service resource + labels: {} + # clusterIP: "" + + # -- List of IP addresses at which the stats-exporter service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 10254 + type: ClusterIP + # externalTrafficPolicy: "" + # nodePort: "" + serviceMonitor: + enabled: false + additionalLabels: {} + ## The label to use to retrieve the job name from. + ## jobLabel: "app.kubernetes.io/name" + namespace: "" + namespaceSelector: {} + ## Default: scrape .Release.Namespace only + ## To scrape all, use the following: + ## namespaceSelector: + ## any: true + scrapeInterval: 30s + # honorLabels: true + targetLabels: [] + relabelings: [] + metricRelabelings: [] + prometheusRule: + enabled: false + additionalLabels: {} + # namespace: "" + rules: [] + # # These are just examples rules, please adapt them to your needs + # - alert: NGINXConfigFailed + # expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0 + # for: 1s + # labels: + # severity: critical + # annotations: + # description: bad ingress config - nginx config test failed + # summary: uninstall the latest ingress changes to allow config reloads to resume + # - alert: NGINXCertificateExpiry + # expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800 + # for: 1s + # labels: + # severity: critical + # annotations: + # description: ssl certificate(s) will expire in less then a week + # summary: renew expiring certificates to avoid downtime + # - alert: NGINXTooMany500s + # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"5.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 + # for: 1m + # labels: + # severity: warning + # annotations: + # description: Too many 5XXs + # summary: More than 5% of all requests returned 5XX, this requires your attention + # - alert: NGINXTooMany400s + # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"4.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 + # for: 1m + # labels: + # severity: warning + # annotations: + # description: Too many 4XXs + # summary: More than 5% of all requests returned 4XX, this requires your attention + # -- Improve connection draining when ingress controller pod is deleted using a lifecycle hook: + # With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds + # to 300, allowing the draining of connections up to five minutes. + # If the active connections end before that, the pod will terminate gracefully at that time. + # To effectively take advantage of this feature, the Configmap feature + # worker-shutdown-timeout new value is 240s instead of 10s. + ## + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + priorityClassName: "" # -- Rollback limit ## revisionHistoryLimit: 10 - ## Default 404 backend ## defaultBackend: - ## - enabled: false - - name: defaultbackend - image: - registry: registry.k8s.io - image: defaultbackend-amd64 - ## for backwards compatibility consider setting the full image url via the repository value below - ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail - ## repository: - tag: "1.5" - pullPolicy: IfNotPresent - # nobody user -> uid 65534 - runAsUser: 65534 - runAsNonRoot: true - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - - # -- Use an existing PSP instead of creating one - existingPsp: "" - - extraArgs: {} - - serviceAccount: - create: true - name: "" - automountServiceAccountToken: true - # -- Additional environment variables to set for defaultBackend pods - extraEnvs: [] - - port: 8080 - - ## Readiness and liveness probes for default backend - ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ - ## - livenessProbe: - failureThreshold: 3 - initialDelaySeconds: 30 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - failureThreshold: 6 - initialDelaySeconds: 0 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 5 - - # -- The update strategy to apply to the Deployment or DaemonSet - ## - updateStrategy: {} - # rollingUpdate: - # maxUnavailable: 1 - # type: RollingUpdate - - # -- `minReadySeconds` to avoid killing pods before we are ready - ## - minReadySeconds: 0 - - # -- Node tolerations for server scheduling to nodes with taints - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - ## - tolerations: [] - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - - affinity: {} - - # -- Security Context policies for controller pods - # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for - # notes on enabling and using sysctls - ## - podSecurityContext: {} - - # -- Security Context policies for controller main container. - # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for - # notes on enabling and using sysctls - ## - containerSecurityContext: {} - - # -- Labels to add to the pod container metadata - podLabels: {} - # key: value - - # -- Node labels for default backend pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: - kubernetes.io/os: linux - - # -- Annotations to be added to default backend pods - ## - podAnnotations: {} - - replicaCount: 1 - - minAvailable: 1 - - resources: {} - # limits: - # cpu: 10m - # memory: 20Mi - # requests: - # cpu: 10m - # memory: 20Mi - - extraVolumeMounts: [] - ## Additional volumeMounts to the default backend container. - # - name: copy-portal-skins - # mountPath: /var/lib/lemonldap-ng/portal/skins - - extraVolumes: [] - ## Additional volumes to the default backend pod. - # - name: copy-portal-skins - # emptyDir: {} - - autoscaling: - annotations: {} - enabled: false - minReplicas: 1 - maxReplicas: 2 - targetCPUUtilizationPercentage: 50 - targetMemoryUtilizationPercentage: 50 - - service: - annotations: {} - - # clusterIP: "" - - # -- List of IP addresses at which the default backend service is available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips ## - externalIPs: [] + enabled: false + name: defaultbackend + image: + registry: registry.k8s.io + image: defaultbackend-amd64 + ## for backwards compatibility consider setting the full image url via the repository value below + ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + ## repository: + tag: "1.5" + pullPolicy: IfNotPresent + # nobody user -> uid 65534 + runAsUser: 65534 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + # -- Use an existing PSP instead of creating one + existingPsp: "" + extraArgs: {} + serviceAccount: + create: true + name: "" + automountServiceAccountToken: true + # -- Additional environment variables to set for defaultBackend pods + extraEnvs: [] + port: 8080 + ## Readiness and liveness probes for default backend + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + ## + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + failureThreshold: 6 + initialDelaySeconds: 0 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + # -- The update strategy to apply to the Deployment or DaemonSet + ## + updateStrategy: {} + # rollingUpdate: + # maxUnavailable: 1 + # type: RollingUpdate - # loadBalancerIP: "" - loadBalancerSourceRanges: [] - servicePort: 80 - type: ClusterIP + # -- `minReadySeconds` to avoid killing pods before we are ready + ## + minReadySeconds: 0 + # -- Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - priorityClassName: "" - # -- Labels to be added to the default backend resources - labels: {} + affinity: {} + # -- Security Context policies for controller pods + # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for + # notes on enabling and using sysctls + ## + podSecurityContext: {} + # -- Security Context policies for controller main container. + # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for + # notes on enabling and using sysctls + ## + containerSecurityContext: {} + # -- Labels to add to the pod container metadata + podLabels: {} + # key: value + # -- Node labels for default backend pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: + kubernetes.io/os: linux + # -- Annotations to be added to default backend pods + ## + podAnnotations: {} + replicaCount: 1 + minAvailable: 1 + resources: {} + # limits: + # cpu: 10m + # memory: 20Mi + # requests: + # cpu: 10m + # memory: 20Mi + + extraVolumeMounts: [] + ## Additional volumeMounts to the default backend container. + # - name: copy-portal-skins + # mountPath: /var/lib/lemonldap-ng/portal/skins + + extraVolumes: [] + ## Additional volumes to the default backend pod. + # - name: copy-portal-skins + # emptyDir: {} + + autoscaling: + annotations: {} + enabled: false + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 + targetMemoryUtilizationPercentage: 50 + service: + annotations: {} + # clusterIP: "" + + # -- List of IP addresses at which the default backend service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 80 + type: ClusterIP + priorityClassName: "" + # -- Labels to be added to the default backend resources + labels: {} ## Enable RBAC as per https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/rbac.md and https://github.com/kubernetes/ingress-nginx/issues/266 rbac: - create: true - scope: false - + create: true + scope: false ## If true, create & use Pod Security Policy resources ## https://kubernetes.io/docs/concepts/policy/pod-security-policy/ podSecurityPolicy: - enabled: false - + enabled: false serviceAccount: - create: true - name: "" - automountServiceAccountToken: true - # -- Annotations for the controller service account - annotations: {} - + create: true + name: "" + automountServiceAccountToken: true + # -- Annotations for the controller service account + annotations: {} # -- Optional array of imagePullSecrets containing private registry credentials ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ imagePullSecrets: [] @@ -981,7 +882,6 @@ udp: {} # -- Prefix for TCP and UDP ports names in ingress controller service ## Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration portNamePrefix: "" - # -- (string) A base64-encoded Diffie-Hellman parameter. # This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` ## Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml index fbdf9486a..c79412536 100644 --- a/deploy/static/provider/aws/deploy.yaml +++ b/deploy/static/provider/aws/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,21 +90,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resourceNames: - - ingress-nginx-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resourceNames: @@ -144,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx rules: - apiGroups: @@ -245,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -343,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -359,7 +344,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -392,7 +377,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -415,7 +400,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -455,7 +440,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + image: registry.k8s.io/ingress-nginx/controller:v1.6.3@sha256:b92667e0afde1103b736e6a3f00dd75ae66eec4e71827d19f19f471699e909d2 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -527,7 +512,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -538,7 +523,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-create spec: containers: @@ -574,7 +559,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -585,7 +570,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-patch spec: containers: @@ -623,7 +608,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: nginx spec: controller: k8s.io/ingress-nginx @@ -636,7 +621,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml index 73ec24286..fae1c5d61 100644 --- a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml +++ b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,21 +90,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resourceNames: - - ingress-nginx-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resourceNames: @@ -144,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx rules: - apiGroups: @@ -245,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -350,7 +335,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -368,7 +353,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -401,7 +386,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -424,7 +409,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -464,7 +449,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + image: registry.k8s.io/ingress-nginx/controller:v1.6.3@sha256:b92667e0afde1103b736e6a3f00dd75ae66eec4e71827d19f19f471699e909d2 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -539,7 +524,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -550,7 +535,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-create spec: containers: @@ -586,7 +571,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -597,7 +582,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-patch spec: containers: @@ -635,7 +620,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: nginx spec: controller: k8s.io/ingress-nginx @@ -648,7 +633,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml index 9e6e905bb..245978140 100644 --- a/deploy/static/provider/baremetal/deploy.yaml +++ b/deploy/static/provider/baremetal/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,21 +90,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resourceNames: - - ingress-nginx-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resourceNames: @@ -144,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx rules: - apiGroups: @@ -245,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -343,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -355,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -387,7 +372,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -410,7 +395,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -449,7 +434,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + image: registry.k8s.io/ingress-nginx/controller:v1.6.3@sha256:b92667e0afde1103b736e6a3f00dd75ae66eec4e71827d19f19f471699e909d2 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -521,7 +506,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -532,7 +517,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-create spec: containers: @@ -568,7 +553,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -579,7 +564,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-patch spec: containers: @@ -617,7 +602,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: nginx spec: controller: k8s.io/ingress-nginx @@ -630,7 +615,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml index dd986a55d..9bc28ec80 100644 --- a/deploy/static/provider/cloud/deploy.yaml +++ b/deploy/static/provider/cloud/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,21 +90,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resourceNames: - - ingress-nginx-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resourceNames: @@ -144,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx rules: - apiGroups: @@ -245,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -343,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -355,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -388,7 +373,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -411,7 +396,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -451,7 +436,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + image: registry.k8s.io/ingress-nginx/controller:v1.6.3@sha256:b92667e0afde1103b736e6a3f00dd75ae66eec4e71827d19f19f471699e909d2 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -523,7 +508,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -534,7 +519,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-create spec: containers: @@ -570,7 +555,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -581,7 +566,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-patch spec: containers: @@ -619,7 +604,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: nginx spec: controller: k8s.io/ingress-nginx @@ -632,7 +617,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml index 64e0366b4..b17da8a07 100644 --- a/deploy/static/provider/do/deploy.yaml +++ b/deploy/static/provider/do/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,21 +90,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resourceNames: - - ingress-nginx-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resourceNames: @@ -144,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx rules: - apiGroups: @@ -245,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -344,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -358,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -391,7 +376,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -414,7 +399,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -454,7 +439,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + image: registry.k8s.io/ingress-nginx/controller:v1.6.3@sha256:b92667e0afde1103b736e6a3f00dd75ae66eec4e71827d19f19f471699e909d2 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -526,7 +511,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -537,7 +522,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-create spec: containers: @@ -573,7 +558,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -584,7 +569,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-patch spec: containers: @@ -622,7 +607,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: nginx spec: controller: k8s.io/ingress-nginx @@ -635,7 +620,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml index d6a40aed9..d93497323 100644 --- a/deploy/static/provider/exoscale/deploy.yaml +++ b/deploy/static/provider/exoscale/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,21 +90,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resourceNames: - - ingress-nginx-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resourceNames: @@ -144,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx rules: - apiGroups: @@ -245,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -343,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -364,7 +349,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -397,7 +382,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -420,7 +405,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -460,7 +445,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + image: registry.k8s.io/ingress-nginx/controller:v1.6.3@sha256:b92667e0afde1103b736e6a3f00dd75ae66eec4e71827d19f19f471699e909d2 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -532,7 +517,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -543,7 +528,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-create spec: containers: @@ -579,7 +564,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -590,7 +575,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-patch spec: containers: @@ -628,7 +613,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: nginx spec: controller: k8s.io/ingress-nginx @@ -641,7 +626,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml index 62ead9e34..8c9e96891 100644 --- a/deploy/static/provider/kind/deploy.yaml +++ b/deploy/static/provider/kind/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,21 +90,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resourceNames: - - ingress-nginx-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resourceNames: @@ -144,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx rules: - apiGroups: @@ -245,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -343,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -355,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -387,7 +372,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -410,7 +395,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -455,7 +440,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + image: registry.k8s.io/ingress-nginx/controller:v1.6.3@sha256:b92667e0afde1103b736e6a3f00dd75ae66eec4e71827d19f19f471699e909d2 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -537,7 +522,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -548,7 +533,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-create spec: containers: @@ -584,7 +569,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -595,7 +580,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-patch spec: containers: @@ -633,7 +618,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: nginx spec: controller: k8s.io/ingress-nginx @@ -646,7 +631,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml index d52f01489..edd00a98d 100644 --- a/deploy/static/provider/scw/deploy.yaml +++ b/deploy/static/provider/scw/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,21 +90,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resourceNames: - - ingress-nginx-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resourceNames: @@ -144,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx rules: - apiGroups: @@ -245,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -344,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -358,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -391,7 +376,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -414,7 +399,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -454,7 +439,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + image: registry.k8s.io/ingress-nginx/controller:v1.6.3@sha256:b92667e0afde1103b736e6a3f00dd75ae66eec4e71827d19f19f471699e909d2 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -526,7 +511,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -537,7 +522,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-create spec: containers: @@ -573,7 +558,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -584,7 +569,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission-patch spec: containers: @@ -622,7 +607,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: nginx spec: controller: k8s.io/ingress-nginx @@ -635,7 +620,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.6.3 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/docs/deploy/index.md b/docs/deploy/index.md index 29495b5c0..57df7a215 100644 --- a/docs/deploy/index.md +++ b/docs/deploy/index.md @@ -62,7 +62,7 @@ It will install the controller in the `ingress-nginx` namespace, creating that n **If you don't have Helm** or if you prefer to use a YAML manifest, you can run the following command instead: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.3/deploy/static/provider/cloud/deploy.yaml ``` !!! info @@ -225,7 +225,7 @@ In AWS, we use a Network load balancer (NLB) to expose the NGINX Ingress control ##### Network Load Balancer (NLB) ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/aws/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.3/deploy/static/provider/aws/deploy.yaml ``` ##### TLS termination in AWS Load Balancer (NLB) @@ -233,10 +233,10 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS using an NLB. -1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template +1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.3/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template ```console - wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml + wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.3/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml ``` 2. Edit the file and change the VPC CIDR in use for the Kubernetes cluster: @@ -282,7 +282,7 @@ Then, the ingress controller can be installed like this: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.3/deploy/static/provider/cloud/deploy.yaml ``` !!! warning @@ -299,7 +299,7 @@ Proxy-protocol is supported in GCE check the [Official Documentations on how to #### Azure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.3/deploy/static/provider/cloud/deploy.yaml ``` More information with regard to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller). @@ -307,7 +307,7 @@ More information with regard to Azure annotations for ingress controller can be #### Digital Ocean ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/do/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.3/deploy/static/provider/do/deploy.yaml ``` - By default the service object of the ingress-nginx-controller for Digital-Ocean, only configures one annotation. Its this one `service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"`. While this makes the service functional, it was reported that the Digital-Ocean LoadBalancer graphs shows `no data`, unless a few other annotations are also configured. Some of these other annotations require values that can not be generic and hence not forced in a out-of-the-box installation. These annotations and a discussion on them is well documented in [this issue](https://github.com/kubernetes/ingress-nginx/issues/8965). Please refer to the issue to add annotations, with values specific to user, to get graphs of the DO-LB populated with data. @@ -315,7 +315,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont #### Scaleway ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/scw/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.3/deploy/static/provider/scw/deploy.yaml ``` #### Exoscale @@ -330,7 +330,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale #### Oracle Cloud Infrastructure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.3/deploy/static/provider/cloud/deploy.yaml ``` A @@ -357,7 +357,7 @@ For quick testing, you can use a This should work on almost every cluster, but it will typically use a port in the range 30000-32767. ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/baremetal/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.3/deploy/static/provider/baremetal/deploy.yaml ``` For more information about bare metal deployments (and how to use port 80 instead of a random port in the 30000-32767 range), diff --git a/docs/e2e-tests.md b/docs/e2e-tests.md index d5aa6cc16..5c67b47aa 100644 --- a/docs/e2e-tests.md +++ b/docs/e2e-tests.md @@ -7,11 +7,660 @@ Do not try to edit it manually. +### [[Serial] admission controller](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L35) + +- [reject ingress with global-rate-limit annotations when memcached is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L48) +- [should not allow overlaps of host and paths without canary annotations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L75) +- [should allow overlaps of host and paths with canary annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L92) +- [should block ingress with invalid path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L113) +- [should return an error if there is an error validating the ingress definition](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L130) +- [should return an error if there is an invalid value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L141) +- [should return an error if there is a forbidden value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L155) +- [should not return an error if the Ingress V1 definition is valid with Ingress Class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L169) +- [should not return an error if the Ingress V1 definition is valid with IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L185) +- [should return an error if the Ingress V1 definition contains invalid annotations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L201) +- [should not return an error for an invalid Ingress when it has unknown class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L212) + +### [affinitymode](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinitymode.go#L31) + +- [Balanced affinity mode should balance](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinitymode.go#L34) +- [Check persistent affinity mode](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinitymode.go#L67) + +### [server-alias](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/alias.go#L29) + +- [should return status code 200 for host 'foo' and 404 for 'bar'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/alias.go#L36) +- [should return status code 200 for host 'foo' and 'bar'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/alias.go#L62) +- [should return status code 200 for hosts defined in two ingresses, different path with one alias](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/alias.go#L87) + +### [app-root](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/approot.go#L28) + +- [should redirect to /foo](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/approot.go#L35) + +### [auth-tls-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L29) + +- [should set sslClientCertificate, sslVerifyClient and sslVerifyDepth with auth-tls-secret](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L36) +- [should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L84) +- [should 302 redirect to error page instead of 400 when auth-tls-error-page is set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L114) +- [should pass URL-encoded certificate to upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L161) +- [should validate auth-tls-verify-client](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L206) +- [should return 403 using auth-tls-match-cn with no matching CN from client](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L266) +- [should return 200 using auth-tls-match-cn with matching CN from client](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L295) +- [should return 200 using auth-tls-match-cn where atleast one of the regex options matches CN from client](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L324) + +### [backend-protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L27) + +- [should set backend protocol to https:// and use proxy_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L34) +- [should set backend protocol to $scheme:// and use proxy_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L49) +- [should set backend protocol to grpc:// and use grpc_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L64) +- [should set backend protocol to grpcs:// and use grpc_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L79) +- [should set backend protocol to '' and use fastcgi_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L94) +- [should set backend protocol to '' and use ajp_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L109) + +### [canary-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L36) + +- [should response with a 200 status from the mainline upstream when requests are made to the mainline ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L48) +- [should return 404 status for requests to the canary if no matching ingress is found](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L80) +- [should return the correct status codes when endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L107) +- [should route requests to the correct upstream if mainline ingress is created before the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L161) +- [should route requests to the correct upstream if mainline ingress is created after the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L206) +- [should route requests to the correct upstream if the mainline ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L250) +- [should route requests to the correct upstream if the canary ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L307) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L372) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L426) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L490) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L532) +- [should routes to mainline upstream when the given Regex causes error](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L566) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L604) +- [respects always and never values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L643) +- [should route requests only to mainline if canary weight is 0](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L705) +- [should route requests only to canary if canary weight is 100](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L743) +- [should route requests only to canary if canary weight is equal to canary weight total](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L775) +- [should route requests split between mainline and canary if canary weight is 50](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L808) +- [should not use canary as a catch-all server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L836) +- [should not use canary with domain as a server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L864) +- [does not crash when canary ingress has multiple paths to the same non-matching backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L888) +- [always routes traffic to canary if first request was affinitized to canary (default behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L916) +- [always routes traffic to canary if first request was affinitized to canary (explicit sticky behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L973) +- [routes traffic to either mainline or canary backend (legacy behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1031) + +### [client-body-buffer-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L28) + +- [should set client_body_buffer_size to 1000](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L35) +- [should set client_body_buffer_size to 1K](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L57) +- [should set client_body_buffer_size to 1k](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L79) +- [should set client_body_buffer_size to 1m](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L101) +- [should set client_body_buffer_size to 1M](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L123) +- [should not set client_body_buffer_size to invalid 1b](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L145) + +### [connection-proxy-header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/connection.go#L29) + +- [set connection header to keep-alive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/connection.go#L36) + +### [cors-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L28) + +- [should enable cors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L35) +- [should set cors methods to only allow POST, GET](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L62) +- [should set cors max-age](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L78) +- [should disable cors allow credentials](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L94) +- [should allow origin for cors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L110) +- [should allow headers for cors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L137) +- [should expose headers for cors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L153) +- [should allow - single origin for multiple cors values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L169) +- [should not allow - single origin for multiple cors values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L196) +- [should allow correct origins - single origin for multiple cors values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L216) +- [should not break functionality](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L267) +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L291) +- [should not break functionality with extra domain](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L314) +- [should not match](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L338) +- [should allow - single origin with required port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L358) +- [should not allow - single origin with port and origin without port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L386) +- [should not allow - single origin without port and origin with required port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L405) +- [should allow - matching origin with wildcard origin (2 subdomains)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L425) +- [should not allow - unmatching origin with wildcard origin (2 subdomains)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L468) +- [should allow - matching origin+port with wildcard origin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L488) +- [should not allow - portless origin with wildcard origin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L515) +- [should allow correct origins - missing subdomain + origin with wildcard origin and correct origin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L535) +- [should allow - missing origins (should allow all origins)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L571) + +### [custom-http-errors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/customhttperrors.go#L34) + +- [configures Nginx correctly](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/customhttperrors.go#L41) + +### [default-backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/default_backend.go#L29) + +- [should use a custom default backend as upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/default_backend.go#L37) + +### [disable-access-log disable-http-access-log disable-stream-access-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L28) + +- [disable-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L35) +- [disable-http-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L53) +- [disable-stream-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L71) + +### [backend-protocol - FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L31) + +- [should use fastcgi_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L38) +- [should add fastcgi_index in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L55) +- [should add fastcgi_param in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L72) +- [should return OK for service with backend protocol FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L105) + +### [force-ssl-redirect](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/forcesslredirect.go#L27) + +- [should redirect to https](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/forcesslredirect.go#L34) + +### [from-to-www-redirect](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fromtowwwredirect.go#L31) + +- [should redirect from www HTTP to HTTP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fromtowwwredirect.go#L38) +- [should redirect from www HTTPS to HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fromtowwwredirect.go#L64) + +### [annotation-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/globalratelimit.go#L30) + +- [generates correct configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/globalratelimit.go#L38) + +### [backend-protocol - GRPC](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L40) + +- [should use grpc_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L43) +- [should return OK for service with backend protocol GRPC](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L68) +- [authorization metadata should be overwritten by external auth response headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L126) +- [should return OK for service with backend protocol GRPCS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L199) + +### [http2-push-preload](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/http2pushpreload.go#L27) + +- [enable the http2-push-preload directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/http2pushpreload.go#L34) + +### [influxdb-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/influxdb.go#L39) + +- [should send the request metric to the influxdb server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/influxdb.go#L48) + +### [whitelist-source-range](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipwhitelist.go#L27) + +- [should set valid ip whitelist range](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipwhitelist.go#L34) + +### [Annotation - limit-connections](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/limitconnections.go#L31) + +- [should limit-connections](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/limitconnections.go#L38) + +### [limit-rate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/limitrate.go#L29) + +- [Check limit-rate annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/limitrate.go#L37) + +### [enable-access-log enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/log.go#L27) + +- [set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/log.go#L34) +- [set rewrite_log on](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/log.go#L49) + +### [mirror-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L28) + +- [should set mirror-target to http://localhost/mirror](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L36) +- [should set mirror-target to https://test.env.com/$request_uri](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L51) +- [should disable mirror-request-body](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L67) + +### [modsecurity owasp](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L28) + +- [should enable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L35) +- [should enable modsecurity with transaction ID and OWASP rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L53) +- [should disable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L74) +- [should enable modsecurity with snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L91) +- [should enable modsecurity without using 'modsecurity on;'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L110) +- [should disable modsecurity using 'modsecurity off;'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L132) +- [should enable modsecurity with snippet and block requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L153) +- [should enable modsecurity globally and with modsecurity-snippet block requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L189) +- [should enable modsecurity when enable-owasp-modsecurity-crs is set to true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L225) +- [should enable modsecurity through the config map](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L264) +- [should enable modsecurity through the config map but ignore snippet as disabled by admin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L305) +- [should disable default modsecurity conf setting when modsecurity-snippet is specified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L347) + +### [preserve-trailing-slash](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/preservetrailingslash.go#L27) + +- [should allow preservation of trailing slashes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/preservetrailingslash.go#L34) + +### [proxy-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L28) + +- [should set proxy_redirect to off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L36) +- [should set proxy_redirect to default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L52) +- [should set proxy_redirect to hello.com goodbye.com](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L68) +- [should set proxy client-max-body-size to 8m](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L85) +- [should not set proxy client-max-body-size to incorrect value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L100) +- [should set valid proxy timeouts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L115) +- [should not set invalid proxy timeouts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L136) +- [should turn on proxy-buffering](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L157) +- [should turn off proxy-request-buffering](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L179) +- [should build proxy next upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L194) +- [should setup proxy cookies](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L215) +- [should change the default proxy HTTP version](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L233) + +### [proxy-ssl-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L30) + +- [should set valid proxy-ssl-secret](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L37) +- [should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L64) +- [should set valid proxy-ssl-secret, proxy-ssl-ciphers to HIGH:!AES](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L94) +- [should set valid proxy-ssl-secret, proxy-ssl-protocols](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L122) +- [proxy-ssl-location-only flag should change the nginx config server part](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L150) + +### [permanent-redirect permanent-redirect-code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/redirect.go#L30) + +- [should respond with a standard redirect code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/redirect.go#L33) +- [should respond with a custom redirect code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/redirect.go#L61) + +### [satisfy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/satisfy.go#L35) + +- [should configure satisfy directive correctly](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/satisfy.go#L42) +- [should allow multiple auth with satisfy any](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/satisfy.go#L84) + +### [server-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serversnippet.go#L28) + +- [add valid directives to server via server snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serversnippet.go#L35) +- [drops server snippet if disabled by the administrator](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serversnippet.go#L61) + +### [service-upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serviceupstream.go#L32) + +- [should use the Service Cluster IP and Port ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serviceupstream.go#L41) +- [should use the Service Cluster IP and Port ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serviceupstream.go#L70) +- [should not use the Service Cluster IP and Port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serviceupstream.go#L99) + +### [configuration-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/snippet.go#L28) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/snippet.go#L35) +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/snippet.go#L58) + +### [ssl-ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/sslciphers.go#L28) + +- [should change ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/sslciphers.go#L35) + +### [stream-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/streamsnippet.go#L34) + +- [should add value of stream-snippet to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/streamsnippet.go#L41) +- [should add stream-snippet and drop annotations per admin config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/streamsnippet.go#L85) + +### [upstream-hash-by-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamhashby.go#L76) + +- [should connect to the same pod](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamhashby.go#L83) +- [should connect to the same subset of pods](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamhashby.go#L92) + +### [upstream-vhost](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamvhost.go#L27) + +- [set host to upstreamvhost.bar.com](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamvhost.go#L34) + +### [x-forwarded-prefix](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L28) + +- [should set the X-Forwarded-Prefix to the annotation value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L35) +- [should not add X-Forwarded-Prefix if the annotation value is empty](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L57) + +### [denylist-source-range](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L28) + +- [only deny explicitly denied IPs, allow all others](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L35) +- [only allow explicitly allowed IPs, deny all others](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L86) + +### [affinity session-cookie-name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L35) + +- [should set sticky cookie SERVERID](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L42) +- [should change cookie name on ingress definition change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L64) +- [should set the path to /something on the generated cookie](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L99) +- [does not set the path to / on the generated cookie if there's more than one rule referring to the same backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L121) +- [should set cookie with expires](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L194) +- [should set cookie with domain](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L225) +- [should not set cookie without domain annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L248) +- [should work with use-regex annotation and session-cookie-path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L270) +- [should warn user when use-regex is true and session-cookie-path is not set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L294) +- [should not set affinity across all server locations when using separate ingresses](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L320) +- [should set sticky cookie without host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L352) +- [should work with server-alias annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L372) +- [should set secure in cookie with provided true annotation on http](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L412) +- [should not set secure in cookie with provided false annotation on http](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L435) +- [should set secure in cookie with provided false annotation on https](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L458) + +### [auth-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L39) + +- [should return status code 200 when no authentication is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L46) +- [should return status code 503 when authentication is configured with an invalid secret](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L65) +- [should return status code 401 when authentication is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L89) +- [should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L116) +- [should return status code 401 and cors headers when authentication and cors is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L144) +- [should return status code 200 when authentication is configured and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L172) +- [should return status code 200 when authentication is configured with a map and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L199) +- [should return status code 401 when authentication is configured with invalid content and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L227) +- [ when external auth is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L266) +- [ when external auth is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L284) +- [ when auth-headers are set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L301) +- [should set cache_key when external auth cache is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L322) +- [user retains cookie by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L411) +- [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L422) +- [user with annotated ingress retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L433) +- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L485) +- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L494) +- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L505) +- [should overwrite Foo header with auth response](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L529) +- [should not create additional upstream block when auth-keepalive is not set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L552) +- [should not create additional upstream block when host part of auth-url contains a variable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L570) +- [should not create additional upstream block when auth-keepalive is negative](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L590) +- [should not create additional upstream block when auth-keepalive is set with HTTP/2](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L609) +- [should create additional upstream block when auth-keepalive is set with HTTP/1.x](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L623) +- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L678) +- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L687) +- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L698) +- [should return status code 200 when signed in after auth backend is deleted ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L772) +- [should deny login for different location on same server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L792) +- [should deny login for different servers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L820) +- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L849) +- [should return 503 (location was denied)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L879) +- [should add error to the config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L887) + +### [rewrite-target use-regex enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L30) + +- [should write rewrite logs](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L37) +- [should use correct longest path match](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L66) +- [should use ~* location modifier if regex annotation is present](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L111) +- [should fail to use longest match for documented warning](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L158) +- [should allow for custom rewrite parameters](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L190) + +### [Debug CLI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L29) + +- [should list the backend servers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L37) +- [should get information for a specific backend server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L56) +- [should produce valid JSON for /dbg general](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L85) + +### [[Default Backend] custom service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/custom_default_backend.go#L33) + +- [uses custom default backend that returns 200 as status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/custom_default_backend.go#L36) + +### [[Default Backend]](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/default_backend.go#L30) + +- [should return 404 sending requests when only a default backend is running](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/default_backend.go#L33) +- [enables access logging for default backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/default_backend.go#L88) +- [disables access logging for default backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/default_backend.go#L105) + +### [[Default Backend] SSL](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/ssl.go#L26) + +- [should return a self generated SSL certificate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/ssl.go#L29) + +### [[Default Backend] change default settings](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/with_hosts.go#L30) + +- [should apply the annotation to the default backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/with_hosts.go#L38) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e_test.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e_test.go#L) + +### [[Endpointslices] long service name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/longname.go#L29) + +- [should return 200 when service name has max allowed number of characters 63](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/longname.go#L38) + +### [[TopologyHints] topology aware routing](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/topology.go#L36) + +- [should return 200 when service has topology hints](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/topology.go#L50) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/fastcgi_helloserver.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/fastcgi_helloserver.go#L) + +### [[Setting] ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L190) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L206) +- [ [MemoryLeak]](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L207) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/grpc_fortune_teller.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/grpc_fortune_teller.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/array.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/array.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/chain.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/chain.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/cookie.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/cookie.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/match.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/match.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/object.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/object.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/reporter.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/reporter.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/response.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/response.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/string.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/string.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/value.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/value.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/request.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/request.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/influxdb.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/influxdb.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/k8s.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/k8s.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/logs.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/logs.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/metrics.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/metrics.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/ssl.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/ssl.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/test_context.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/test_context.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/util.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/util.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/deployment.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/deployment.go#L) + +### [[Shutdown] Grace period shutdown](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/grace_period.go#L32) + +- [/healthz should return status code 500 during shutdown grace period](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/grace_period.go#L35) + +### [[Shutdown] ingress controller](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/shutdown.go#L30) + +- [should shutdown in less than 60 secons without pending connections](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/shutdown.go#L40) +- [should shutdown after waiting 60 seconds for pending connections to be closed](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/shutdown.go#L61) +- [should shutdown after waiting 150 seconds for pending connections to be closed](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/shutdown.go#L106) + +### [[Shutdown] Graceful shutdown with pending request](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/slow_requests.go#L25) + +- [should let slow requests finish before shutting down](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/slow_requests.go#L33) + +### [[Ingress] DeepInspection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/deep_inspection.go#L27) + +- [should drop whole ingress if one path matches invalid regex](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/deep_inspection.go#L34) + +### [single ingress - multiple hosts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/multiple_rules.go#L30) + +- [should set the correct $service_name NGINX variable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/multiple_rules.go#L38) + +### [[Ingress] [PathType] exact](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_exact.go#L30) + +- [should choose exact location for /exact](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_exact.go#L37) + +### [[Ingress] [PathType] mix Exact and Prefix paths](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_mixed.go#L30) + +- [should choose the correct location](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_mixed.go#L39) + +### [[Ingress] [PathType] prefix checks](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_prefix.go#L28) + +- [should return 404 when prefix /aaa does not match request /aaaccc](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_prefix.go#L35) + +### [[Ingress] definition without host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/without_host.go#L31) + +- [should set ingress details variables for ingresses without a host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/without_host.go#L34) +- [should set ingress details variables for ingresses with host without IngressRuleValue, only Backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/without_host.go#L55) + +### [[Memory Leak] Dynamic Certificates](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/leaks/lua_ssl.go#L35) + +- [should not leak memory from ingress SSL certificates or configuration updates](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/leaks/lua_ssl.go#L42) + +### [[Load Balancer] load-balance](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/configmap.go#L28) + +- [should apply the configmap load-balance setting](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/configmap.go#L35) + +### [[Load Balancer] EWMA](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/ewma.go#L31) + +- [does not fail requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/ewma.go#L42) + +### [[Load Balancer] round-robin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/round_robin.go#L31) + +- [should evenly distribute requests with round-robin (default algorithm)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/round_robin.go#L39) + +### [[Lua] dynamic certificates](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L37) + +- [picks up the certificate when we add TLS spec to existing ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L45) +- [picks up the previously missing secret for a given ingress without reloading](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L70) +- [supports requests with domain with trailing dot](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L145) +- [picks up the updated certificate without reloading](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L149) +- [falls back to using default certificate when secret gets deleted without reloading](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L185) +- [picks up a non-certificate only change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L218) +- [removes HTTPS configuration when we delete TLS spec](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L233) + +### [[Lua] dynamic configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L42) + +- [configures balancer Lua middleware correctly](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L50) +- [handles endpoints only changes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L62) +- [handles endpoints only changes (down scaling of replicas)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L87) +- [handles endpoints only changes consistently (down scaling of replicas vs. empty service)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L125) +- [handles an annotation change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L171) + +### [nginx-configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L99) + +- [start nginx with default configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L102) +- [fails when using alias directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L115) +- [fails when using root directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L124) + +### [[Security] request smuggling](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/request_smuggling.go#L32) + +- [should not return body content from error_page](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/request_smuggling.go#L39) + +### [[Security] validate path fields](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/invalid_paths.go#L42) + +- [should accept an ingress with valid path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/invalid_paths.go#L49) +- [should drop an ingress with invalid path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/invalid_paths.go#L67) +- [should drop an ingress with regex path and regex disabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/invalid_paths.go#L84) +- [should accept an ingress with regex path and regex enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/invalid_paths.go#L101) +- [should reject an ingress with invalid path and regex enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/invalid_paths.go#L118) + +### [[Service] backend status code 503](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L33) + +- [should return 503 when backend service does not exist](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L36) +- [should return 503 when all backend service endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L54) + +### [[Service] Type ExternalName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L59) + +- [works with external name set to incomplete fqdn](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L62) +- [should return 200 for service type=ExternalName without a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L95) +- [should return 200 for service type=ExternalName with a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L129) +- [should return status 502 for service type=ExternalName with an invalid host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L153) +- [should return 200 for service type=ExternalName using a port name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L184) +- [should return 200 for service type=ExternalName using FQDN with trailing dot](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L217) +- [should update the external name after a service update](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L248) +- [should sync ingress on external name service addition/deletion](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L311) + +### [[Service] Nil Service Backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_nil_backend.go#L31) + +- [should return 404 when backend service is nil](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_nil_backend.go#L38) + +### [access-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L27) + +- [use the default configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L32) +- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L42) +- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L54) +- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L67) +- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L80) + +### [Bad annotation values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L29) + +- [[BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L36) +- [[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L67) +- [[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L102) +- [[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L133) + +### [brotli](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/brotli.go#L30) + +- [ condition](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/brotli.go#L39) + +### [Configmap change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L29) + +- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L36) + +### [add-headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L30) + +- [Add a custom header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L40) +- [Add multiple custom headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L65) + +### [[SSL] [Flag] default-ssl-certificate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L33) + +- [uses default ssl certificate for catch-all ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L64) +- [uses default ssl certificate for host based ingress when configured certificate does not match host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L80) + +### [[Flag] disable-catch-all](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L33) + +- [should ignore catch all Ingress with backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L50) +- [should ignore catch all Ingress with backend and rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L69) +- [should delete Ingress updated to catch-all](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L81) +- [should allow Ingress with rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L123) + +### [[Flag] disable-service-external-name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_service_external_name.go#L35) + +- [should ignore services of external-name type](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_service_external_name.go#L52) + +### [enable-real-ip](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L30) + +- [trusts X-Forwarded-For header only when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L40) +- [should not trust X-Forwarded-For header when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L78) + +### [use-forwarded-headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L30) + +- [should trust X-Forwarded headers when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L40) +- [should not trust X-Forwarded headers when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L92) + ### [Geoip2](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/geoip2.go#L37) - [should include geoip2 line in config when enabled and db file exists](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/geoip2.go#L46) - [should only allow requests from specific countries](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/geoip2.go#L70) +### [[Security] block-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L28) + +- [should block CIDRs defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L38) +- [should block User-Agents defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L55) +- [should block Referers defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L88) + ### [[Security] global-auth-url](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L34) - [should return status code 401 when request any protected service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L85) @@ -27,59 +676,39 @@ Do not try to edit it manually. - [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L337) - [user with global-auth-always-set-cookie key in configmap retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L348) -### [[Security] Pod Security Policies](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy.go#L40) +### [global-options](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L28) -- [should be running with a Pod Security Policy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy.go#L43) +- [should have worker_rlimit_nofile option](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L31) +- [should have worker_rlimit_nofile option and be independent on amount of worker processes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L38) -### [log-format-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L28) +### [settings-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/globalratelimit.go#L30) -- [should disable the log-format-escape-json by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L40) -- [should enable the log-format-escape-json](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L47) -- [should disable the log-format-escape-json](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L55) -- [log-format-escape-json enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L66) -- [log-format-escape-json disabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L89) +- [generates correct NGINX configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/globalratelimit.go#L38) -### [server-tokens](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L29) +### [hash size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L27) -- [should not exists Server header in the response](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L38) -- [should exists Server header in the response when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L50) +- [should set server_names_hash_bucket_size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L40) +- [should set server_names_hash_max_size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L48) +- [should set proxy-headers-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L60) +- [should set proxy-headers-hash-max-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L68) +- [should set variables-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L80) +- [should set variables-hash-max-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L88) +- [should set vmap-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L100) -### [proxy-connect-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L28) +### [[Flag] ingress-class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L39) -- [should set valid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L36) -- [should not set invalid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L52) - -### [ssl-ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_ciphers.go#L28) - -- [Add ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_ciphers.go#L31) - -### [use-proxy-protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L36) - -- [should respect port passed by the PROXY Protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L46) -- [should respect proto passed by the PROXY Protocol server port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L79) -- [should enable PROXY Protocol for HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L112) -- [should enable PROXY Protocol for TCP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L155) - -### [plugins](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/plugins.go#L28) - -- [should exist a x-hello-world header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/plugins.go#L35) - -### [configmap server-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_snippet.go#L28) - -- [should add value of server-snippet setting to all ingress config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_snippet.go#L35) -- [should add global server-snippet and drop annotations per admin config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_snippet.go#L92) - -### [[Flag] disable-catch-all](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L33) - -- [should ignore catch all Ingress with backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L50) -- [should ignore catch all Ingress with backend and rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L69) -- [should delete Ingress updated to catch-all](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L81) -- [should allow Ingress with rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L123) - -### [enable-real-ip](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L30) - -- [trusts X-Forwarded-For header only when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L40) -- [should not trust X-Forwarded-For header when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L78) +- [should ignore Ingress with a different class annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L68) +- [should ignore Ingress with different controller class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L104) +- [should accept both Ingresses with default IngressClassName and IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L132) +- [should ignore Ingress without IngressClass configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L164) +- [should delete Ingress when class is removed](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L192) +- [should serve Ingress when class is added](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L257) +- [should serve Ingress when class is updated between annotation and ingressClassName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L323) +- [should ignore Ingress with no class and accept the correctly configured Ingresses](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L413) +- [should watch Ingress with no class and ignore ingress with a different class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L482) +- [should watch Ingress that uses the class name even if spec is different](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L539) +- [should watch Ingress with correct annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L631) +- [should ignore Ingress with only IngressClassName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L652) ### [keep-alive keep-alive-requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L28) @@ -87,7 +716,41 @@ Do not try to edit it manually. - [should set keepalive_requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L48) - [should set keepalive connection to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L59) - [should set keep alive connection timeout to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L68) -- [should set the request count to upstream server through one keep alive connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L77) +- [should set keepalive time to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L77) +- [should set the request count to upstream server through one keep alive connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L86) + +### [Configmap - limit-rate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/limit_rate.go#L28) + +- [Check limit-rate config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/limit_rate.go#L36) + +### [[Flag] custom HTTP and HTTPS ports](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L32) + +- [should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L48) +- [should set X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L70) +- [should set the X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L100) + +### [log-format-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L28) + +- [should not configure log-format escape by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L40) +- [should enable the log-format-escape-json](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L47) +- [should disable the log-format-escape-json](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L55) +- [should enable the log-format-escape-none](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L63) +- [should disable the log-format-escape-none](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L71) +- [log-format-escape-json enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L82) +- [log-format default escape](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L105) +- [log-format-escape-none enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L128) + +### [[Lua] lua-shared-dicts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/lua_shared_dicts.go#L26) + +- [configures lua shared dicts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/lua_shared_dicts.go#L29) + +### [main-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/main_snippet.go#L27) + +- [should add value of main-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/main_snippet.go#L31) + +### [[Security] modsecurity-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity/modsecurity_snippet.go#L27) + +- [should add value of modsecurity-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity/modsecurity_snippet.go#L30) ### [enable-multi-accept](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/multi_accept.go#L27) @@ -99,9 +762,19 @@ Do not try to edit it manually. - [should ingore Ingress of namespace without label foo=bar and accept those of namespace with label foo=bar](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/namespace_selector.go#L70) -### [[Flag] disable-service-external-name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_service_external_name.go#L34) +### [[Security] no-auth-locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L33) -- [should ignore services of external-name type](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_service_external_name.go#L51) +- [should return status code 401 when accessing '/' unauthentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L54) +- [should return status code 200 when accessing '/' authentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L68) +- [should return status code 200 when accessing '/noauth' unauthenticated](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L82) + +### [Add no tls redirect locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L28) + +- [Check no tls redirect locations config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L31) + +### [OCSP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L42) + +- [should enable OCSP and contain stapling information in the connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L49) ### [Configure OpenTracing](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L48) @@ -119,41 +792,48 @@ Do not try to edit it manually. - [should enable opentracing using jaeger with an HTTP endpoint](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L228) - [should enable opentracing using datadog](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L241) -### [Configmap change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L29) +### [plugins](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/plugins.go#L28) -- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L36) +- [should exist a x-hello-world header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/plugins.go#L35) -### [Configmap - limit-rate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/limit_rate.go#L28) +### [[Security] Pod Security Policies](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy.go#L41) -- [Check limit-rate config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/limit_rate.go#L36) +- [should be running with a Pod Security Policy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy.go#L44) -### [access-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L26) +### [[Security] Pod Security Policies with volumes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy_volumes.go#L37) -- [use the default configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L31) -- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L41) -- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L53) -- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L66) -- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L79) +- [should be running with a Pod Security Policy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy_volumes.go#L40) -### [global-options](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L28) +### [proxy-connect-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L28) -- [should have worker_rlimit_nofile option](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L31) -- [should have worker_rlimit_nofile option and be independent on amount of worker processes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L38) +- [should set valid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L36) +- [should not set invalid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L52) -### [[Flag] ingress-class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L39) +### [Dynamic $proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L28) -- [should ignore Ingress with a different class annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L68) -- [should ignore Ingress with different controller class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L104) -- [should accept both Ingresses with default IngressClassName and IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L132) -- [should ignore Ingress without IngressClass configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L164) -- [should delete Ingress when class is removed](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L192) -- [should serve Ingress when class is added](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L257) -- [should serve Ingress when class is updated between annotation and ingressClassName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L323) -- [should ignore Ingress with no class and accept the correctly configured Ingresses](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L413) -- [should watch Ingress with no class and ignore ingress with a different class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L482) -- [should watch Ingress that uses the class name even if spec is different](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L539) -- [should watch Ingress with correct annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L631) -- [should ignore Ingress with only IngressClassName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L652) +- [should exist a proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L36) +- [should exist a proxy_host using the upstream-vhost annotation value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L57) + +### [proxy-next-upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_next_upstream.go#L28) + +- [should build proxy next upstream using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_next_upstream.go#L36) + +### [use-proxy-protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L36) + +- [should respect port passed by the PROXY Protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L46) +- [should respect proto passed by the PROXY Protocol server port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L79) +- [should enable PROXY Protocol for HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L112) +- [should enable PROXY Protocol for TCP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L155) + +### [proxy-read-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L28) + +- [should set valid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L36) +- [should not set invalid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L52) + +### [proxy-send-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L28) + +- [should set valid proxy send timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L36) +- [should not set invalid proxy send timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L52) ### [reuse-port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/reuse-port.go#L27) @@ -161,133 +841,53 @@ Do not try to edit it manually. - [reuse port should be disabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/reuse-port.go#L44) - [reuse port should be enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/reuse-port.go#L52) -### [proxy-send-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L28) +### [configmap server-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_snippet.go#L28) -- [should set valid proxy send timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L36) -- [should not set invalid proxy send timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L52) +- [should add value of server-snippet setting to all ingress config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_snippet.go#L35) +- [should add global server-snippet and drop annotations per admin config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_snippet.go#L92) -### [[SSL] [Flag] default-ssl-certificate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L33) +### [server-tokens](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L29) -- [uses default ssl certificate for catch-all ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L64) -- [uses default ssl certificate for host based ingress when configured certificate does not match host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L80) +- [should not exists Server header in the response](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L38) +- [should exists Server header in the response when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L50) -### [brotli](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/brotli.go#L30) +### [ssl-ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_ciphers.go#L28) -- [ condition](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/brotli.go#L39) +- [Add ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_ciphers.go#L31) -### [[Security] Pod Security Policies with volumes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy_volumes.go#L36) +### [configmap stream-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/stream_snippet.go#L35) -- [should be running with a Pod Security Policy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy_volumes.go#L39) - -### [Dynamic $proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L28) - -- [should exist a proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L36) -- [should exist a proxy_host using the upstream-vhost annotation value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L57) - -### [[Security] block-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L28) - -- [should block CIDRs defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L38) -- [should block User-Agents defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L55) -- [should block Referers defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L88) - -### [settings-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/globalratelimit.go#L30) - -- [generates correct NGINX configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/globalratelimit.go#L38) - -### [Add no tls redirect locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L28) - -- [Check no tls redirect locations config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L31) - -### [main-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/main_snippet.go#L27) - -- [should add value of main-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/main_snippet.go#L31) - -### [[Lua] lua-shared-dicts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/lua_shared_dicts.go#L26) - -- [configures lua shared dicts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/lua_shared_dicts.go#L29) - -### [Bad annotation values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L29) - -- [[BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L36) -- [[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L67) -- [[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L102) -- [[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L133) +- [should add value of stream-snippet via config map to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/stream_snippet.go#L42) ### [[SSL] TLS protocols, ciphers and headers)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L31) - [setting cipher suite](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L65) -- [enforcing TLS v1.0](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L87) -- [setting max-age parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L133) -- [setting includeSubDomains parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L149) -- [setting preload parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L168) -- [overriding what's set from the upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L188) -- [should not use ports during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L209) -- [should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L227) +- [setting max-age parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L111) +- [setting includeSubDomains parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L127) +- [setting preload parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L146) +- [overriding what's set from the upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L166) +- [should not use ports during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L187) +- [should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L205) -### [[Security] modsecurity-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity/modsecurity_snippet.go#L27) +### [With enable-ssl-passthrough enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_passthrough.go#L36) -- [should add value of modsecurity-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity/modsecurity_snippet.go#L30) +- [should enable ssl-passthrough-proxy-port on a different port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_passthrough.go#L56) +- [should pass unknown traffic to default backend and handle known traffic](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_passthrough.go#L79) -### [OCSP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L42) +### [[Flag] disable-sync-events](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_sync_events.go#L32) -- [should enable OCSP and contain stapling information in the connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L49) +- [should create sync events (default)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_sync_events.go#L35) +- [should create sync events](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_sync_events.go#L53) +- [should not create sync events](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_sync_events.go#L80) -### [configmap stream-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/stream_snippet.go#L34) +### [gzip](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L29) -- [should add value of stream-snippet via config map to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/stream_snippet.go#L41) - -### [proxy-read-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L28) - -- [should set valid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L36) -- [should not set invalid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L52) - -### [proxy-next-upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_next_upstream.go#L28) - -- [should build proxy next upstream using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_next_upstream.go#L36) - -### [hash size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L27) - -- [should set server_names_hash_bucket_size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L40) -- [should set server_names_hash_max_size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L48) -- [should set proxy-headers-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L60) -- [should set proxy-headers-hash-max-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L68) -- [should set variables-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L80) -- [should set variables-hash-max-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L88) -- [should set vmap-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L100) - -### [[Security] no-auth-locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L33) - -- [should return status code 401 when accessing '/' unauthentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L54) -- [should return status code 200 when accessing '/' authentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L68) -- [should return status code 200 when accessing '/noauth' unauthenticated](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L82) - -### [[Flag] custom HTTP and HTTPS ports](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L32) - -- [should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L48) -- [should set X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L70) -- [should set the X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L100) - -### [use-forwarded-headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L30) - -- [should trust X-Forwarded headers when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L40) -- [should not trust X-Forwarded headers when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L92) - -### [add-headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L30) - -- [Add a custom header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L40) -- [Add multiple custom headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L65) - -### [[Load Balancer] round-robin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/round_robin.go#L31) - -- [should evenly distribute requests with round-robin (default algorithm)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/round_robin.go#L39) - -### [[Load Balancer] EWMA](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/ewma.go#L31) - -- [does not fail requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/ewma.go#L42) - -### [[Load Balancer] load-balance](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/configmap.go#L28) - -- [should apply the configmap load-balance setting](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/configmap.go#L35) +- [should be disabled by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L32) +- [should be enabled with default settings](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L39) +- [should set gzip_comp_level to 4](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L56) +- [should set gzip_disable to msie6](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L67) +- [should set gzip_min_length to 100](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L78) +- [should set gzip_types to application/javascript](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L89) ### [[SSL] redirect to HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/http_redirect.go#L29) @@ -298,22 +898,11 @@ Do not try to edit it manually. - [should not appear references to secret updates not used in ingress rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/secret_update.go#L40) - [should return the fake SSL certificate if the secret is invalid](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/secret_update.go#L82) -### [[Service] Type ExternalName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L58) +### [[Status] status update](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/status/update.go#L38) -- [works with external name set to incomplete fqdn](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L61) -- [should return 200 for service type=ExternalName without a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L94) -- [should return 200 for service type=ExternalName with a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L128) -- [should return status 502 for service type=ExternalName with an invalid host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L152) -- [should return 200 for service type=ExternalName using a port name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L183) -- [should return 200 for service type=ExternalName using FQDN with trailing dot](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L216) -- [should update the external name after a service update](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L247) -- [should sync ingress on external name service addition/deletion](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L310) +- [should update status field after client-go reconnection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/status/update.go#L43) -### [[Service] Nil Service Backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_nil_backend.go#L31) +### [[TCP] tcp-services](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L37) -- [should return 404 when backend service is nil](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_nil_backend.go#L38) - -### [[Service] backend status code 503](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L33) - -- [should return 503 when backend service does not exist](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L36) -- [should return 503 when all backend service endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L54) +- [should expose a TCP service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L40) +- [should expose an ExternalName TCP service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L98) \ No newline at end of file From bbc8bd4bcebd43faeb2ad009babe307590e06dcf Mon Sep 17 00:00:00 2001 From: lou-lan Date: Tue, 14 Feb 2023 17:37:30 +0800 Subject: [PATCH 171/405] Fix incorrect annotation name in upstream hashing configuration (#9617) --- docs/user-guide/nginx-configuration/annotations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md index 8cc6f4c16..9c79d9d9c 100755 --- a/docs/user-guide/nginx-configuration/annotations.md +++ b/docs/user-guide/nginx-configuration/annotations.md @@ -239,7 +239,7 @@ To enable consistent hashing for a backend: `nginx.ingress.kubernetes.io/upstream-hash-by`: the nginx variable, text value or any combination thereof to use for consistent hashing. For example: `nginx.ingress.kubernetes.io/upstream-hash-by: "$request_uri"` or `nginx.ingress.kubernetes.io/upstream-hash-by: "$request_uri$host"` or `nginx.ingress.kubernetes.io/upstream-hash-by: "${request_uri}-text-value"` to consistently hash upstream requests by the current request URI. -"subset" hashing can be enabled setting `nginx.ingress.kubernetes.io/upstream-hash-by-subset`: "true". This maps requests to subset of nodes instead of a single one. `upstream-hash-by-subset-size` determines the size of each subset (default 3). +"subset" hashing can be enabled setting `nginx.ingress.kubernetes.io/upstream-hash-by-subset`: "true". This maps requests to subset of nodes instead of a single one. `nginx.ingress.kubernetes.io/upstream-hash-by-subset-size` determines the size of each subset (default 3). Please check the [chashsubset](../../examples/chashsubset/deployment.yaml) example. From 5e85747db71578d3ac828923b72d38f7d7f7027b Mon Sep 17 00:00:00 2001 From: James Strong Date: Tue, 14 Feb 2023 21:33:52 +0100 Subject: [PATCH 172/405] remove tests and regex path checks (#9626) Signed-off-by: James Strong --- go.mod | 1 - go.sum | 2 - internal/ingress/controller/store/store.go | 5 - pkg/util/ingress/ingress.go | 25 ---- pkg/util/ingress/ingress_test.go | 85 ------------- test/e2e/security/invalid_paths.go | 134 --------------------- 6 files changed, 252 deletions(-) delete mode 100644 test/e2e/security/invalid_paths.go diff --git a/go.mod b/go.mod index 1aad274fb..10b9e2fda 100644 --- a/go.mod +++ b/go.mod @@ -77,7 +77,6 @@ require ( github.com/inconshreveable/mousetrap v1.0.1 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect - github.com/magefile/mage v1.14.0 // indirect github.com/mailru/easyjson v0.7.6 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect diff --git a/go.sum b/go.sum index 1d99238cb..6e370c655 100644 --- a/go.sum +++ b/go.sum @@ -235,8 +235,6 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= -github.com/magefile/mage v1.14.0 h1:6QDX3g6z1YvJ4olPhT1wksUcSa/V0a1B+pJb73fBjyo= -github.com/magefile/mage v1.14.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA= diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go index 13af28137..b5731c4bf 100644 --- a/internal/ingress/controller/store/store.go +++ b/internal/ingress/controller/store/store.go @@ -59,7 +59,6 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" "k8s.io/ingress-nginx/internal/k8s" "k8s.io/ingress-nginx/pkg/apis/ingress" - ingressutils "k8s.io/ingress-nginx/pkg/util/ingress" ) // IngressFilterFunc decides if an Ingress should be omitted or not @@ -865,10 +864,6 @@ func (s *k8sStore) syncIngress(ing *networkingv1.Ingress) { if path.Path == "" { copyIng.Spec.Rules[ri].HTTP.Paths[pi].Path = "/" } - if !ingressutils.IsSafePath(copyIng, path.Path) { - klog.Warningf("ingress %s contains invalid path %s", key, path.Path) - return - } } } diff --git a/pkg/util/ingress/ingress.go b/pkg/util/ingress/ingress.go index 5fb3ee7b9..7df2cc114 100644 --- a/pkg/util/ingress/ingress.go +++ b/pkg/util/ingress/ingress.go @@ -18,30 +18,15 @@ package ingress import ( "fmt" - "regexp" "strings" - networkingv1 "k8s.io/api/networking/v1" "k8s.io/apimachinery/pkg/util/sets" - "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/internal/k8s" "k8s.io/ingress-nginx/internal/net/ssl" "k8s.io/ingress-nginx/pkg/apis/ingress" "k8s.io/klog/v2" ) -const ( - alphaNumericChars = `\-\.\_\~a-zA-Z0-9/` - regexEnabledChars = `\^\$\[\]\(\)\{\}\*\+` -) - -var ( - // pathAlphaNumeric is a regex validation of something like "^/[a-zA-Z]+$" on path - pathAlphaNumeric = regexp.MustCompile("^/[" + alphaNumericChars + "]*$").MatchString - // pathRegexEnabled is a regex validation of paths that may contain regex. - pathRegexEnabled = regexp.MustCompile("^/[" + alphaNumericChars + regexEnabledChars + "]*$").MatchString -) - func GetRemovedHosts(rucfg, newcfg *ingress.Configuration) []string { oldSet := sets.NewString() newSet := sets.NewString() @@ -246,13 +231,3 @@ func BuildRedirects(servers []*ingress.Server) []*redirect { return redirectServers } - -// IsSafePath verifies if the path used in ingress object contains only valid characters. -// It will behave differently if regex is enabled or not -func IsSafePath(copyIng *networkingv1.Ingress, path string) bool { - isRegex, _ := parser.GetBoolAnnotation("use-regex", copyIng) - if isRegex { - return pathRegexEnabled(path) - } - return pathAlphaNumeric(path) -} diff --git a/pkg/util/ingress/ingress_test.go b/pkg/util/ingress/ingress_test.go index d829a57f1..24597fb6e 100644 --- a/pkg/util/ingress/ingress_test.go +++ b/pkg/util/ingress/ingress_test.go @@ -17,13 +17,8 @@ limitations under the License. package ingress import ( - "fmt" "testing" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - networkingv1 "k8s.io/api/networking/v1" - "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/pkg/apis/ingress" ) @@ -135,83 +130,3 @@ func TestIsDynamicConfigurationEnough(t *testing.T) { t.Errorf("Expected new config to not change") } } - -func generateDumbIngressforPathTest(regexEnabled bool) *networkingv1.Ingress { - var annotations = make(map[string]string) - regexAnnotation := fmt.Sprintf("%s/use-regex", parser.AnnotationsPrefix) - if regexEnabled { - annotations[regexAnnotation] = "true" - } - return &networkingv1.Ingress{ - ObjectMeta: metav1.ObjectMeta{ - Name: "dumb", - Namespace: "default", - Annotations: annotations, - }, - } -} - -func TestIsSafePath(t *testing.T) { - tests := []struct { - name string - copyIng *networkingv1.Ingress - path string - want bool - }{ - { - name: "should accept valid path with regex disabled", - want: true, - copyIng: generateDumbIngressforPathTest(false), - path: "/xpto/~user/t-e_st.exe", - }, - { - name: "should accept valid path / with regex disabled", - want: true, - copyIng: generateDumbIngressforPathTest(false), - path: "/", - }, - { - name: "should reject invalid path with invalid chars", - want: false, - copyIng: generateDumbIngressforPathTest(false), - path: "/foo/bar/;xpto", - }, - { - name: "should reject regex path when regex is disabled", - want: false, - copyIng: generateDumbIngressforPathTest(false), - path: "/foo/bar/(.+)", - }, - { - name: "should accept valid path / with regex enabled", - want: true, - copyIng: generateDumbIngressforPathTest(true), - path: "/", - }, - { - name: "should accept regex path when regex is enabled", - want: true, - copyIng: generateDumbIngressforPathTest(true), - path: "/foo/bar/(.+)", - }, - { - name: "should reject regex path when regex is enabled but the path is invalid", - want: false, - copyIng: generateDumbIngressforPathTest(true), - path: "/foo/bar/;xpto", - }, - { - name: "should reject regex path when regex is enabled but the path is invalid", - want: false, - copyIng: generateDumbIngressforPathTest(true), - path: ";xpto", - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - if got := IsSafePath(tt.copyIng, tt.path); got != tt.want { - t.Errorf("IsSafePath() = %v, want %v", got, tt.want) - } - }) - } -} diff --git a/test/e2e/security/invalid_paths.go b/test/e2e/security/invalid_paths.go deleted file mode 100644 index d75aefc2c..000000000 --- a/test/e2e/security/invalid_paths.go +++ /dev/null @@ -1,134 +0,0 @@ -/* -Copyright 2022 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package security - -import ( - "fmt" - "net/http" - "strings" - - "github.com/onsi/ginkgo/v2" - - "k8s.io/ingress-nginx/test/e2e/framework" -) - -const ( - validPath = "/xpto/~user/t-e_st.exe" - invalidPath = "/foo/bar/;xpto" - regexPath = "/foo/bar/(.+)" - host = "securitytest.com" -) - -var ( - annotationRegex = map[string]string{ - "nginx.ingress.kubernetes.io/use-regex": "true", - } -) - -var _ = framework.IngressNginxDescribe("[Security] validate path fields", func() { - f := framework.NewDefaultFramework("validate-path") - - ginkgo.BeforeEach(func() { - f.NewEchoDeployment() - }) - - ginkgo.It("should accept an ingress with valid path", func() { - - ing := framework.NewSingleIngress(host, validPath, host, f.Namespace, framework.EchoService, 80, nil) - - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) - }) - - f.HTTPTestClient(). - GET(validPath). - WithHeader("Host", host). - Expect(). - Status(http.StatusOK) - }) - - ginkgo.It("should drop an ingress with invalid path", func() { - - ing := framework.NewSingleIngress(host, invalidPath, host, f.Namespace, framework.EchoService, 80, nil) - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) - }) - - f.HTTPTestClient(). - GET(invalidPath). - WithHeader("Host", host). - Expect(). - Status(http.StatusNotFound) - }) - - ginkgo.It("should drop an ingress with regex path and regex disabled", func() { - - ing := framework.NewSingleIngress(host, regexPath, host, f.Namespace, framework.EchoService, 80, nil) - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) - }) - - f.HTTPTestClient(). - GET("/foo/bar/lalala"). - WithHeader("Host", host). - Expect(). - Status(http.StatusNotFound) - }) - - ginkgo.It("should accept an ingress with regex path and regex enabled", func() { - - ing := framework.NewSingleIngress(host, regexPath, host, f.Namespace, framework.EchoService, 80, annotationRegex) - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) - }) - - f.HTTPTestClient(). - GET("/foo/bar/lalala"). - WithHeader("Host", host). - Expect(). - Status(http.StatusOK) - }) - - ginkgo.It("should reject an ingress with invalid path and regex enabled", func() { - - ing := framework.NewSingleIngress(host, invalidPath, host, f.Namespace, framework.EchoService, 80, annotationRegex) - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) - }) - - f.HTTPTestClient(). - GET(invalidPath). - WithHeader("Host", host). - Expect(). - Status(http.StatusNotFound) - }) -}) From 8afba516e7b14019327dd62da89fcc0c6d094659 Mon Sep 17 00:00:00 2001 From: James Strong Date: Tue, 14 Feb 2023 15:55:09 -0500 Subject: [PATCH 173/405] start 1.6.4 build Signed-off-by: James Strong --- TAG | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TAG b/TAG index e37df95ee..9dc820555 100644 --- a/TAG +++ b/TAG @@ -1,2 +1,2 @@ -v1.6.3 +v1.6.4 From 8045cd29fbaaf720dea7586e5b559005250f03c9 Mon Sep 17 00:00:00 2001 From: James Strong Date: Tue, 14 Feb 2023 19:12:18 -0500 Subject: [PATCH 174/405] Release Notes Controller 1.6.4 Helm 4.5.1 Signed-off-by: James Strong --- README.md | 2 +- ...{Changelog-1.6.3.md => Changelog-1.6.4.md} | 14 +- charts/ingress-nginx/Chart.yaml | 6 +- charts/ingress-nginx/README.md | 8 +- ...{Changelog-4.5.0.md => Changelog-4.5.1.md} | 6 +- charts/ingress-nginx/values.yaml | 6 +- deploy/static/provider/aws/deploy.yaml | 42 ++--- .../aws/nlb-with-tls-termination/deploy.yaml | 42 ++--- deploy/static/provider/baremetal/deploy.yaml | 42 ++--- deploy/static/provider/cloud/deploy.yaml | 42 ++--- deploy/static/provider/do/deploy.yaml | 42 ++--- deploy/static/provider/exoscale/deploy.yaml | 42 ++--- deploy/static/provider/kind/deploy.yaml | 42 ++--- deploy/static/provider/scw/deploy.yaml | 42 ++--- docs/e2e-tests.md | 148 +++++++++--------- 15 files changed, 259 insertions(+), 267 deletions(-) rename changelog/{Changelog-1.6.3.md => Changelog-1.6.4.md} (93%) rename charts/ingress-nginx/changelog/{Changelog-4.5.0.md => Changelog-4.5.1.md} (82%) diff --git a/README.md b/README.md index 6d3fb7873..855c47418 100644 --- a/README.md +++ b/README.md @@ -38,7 +38,7 @@ the versions listed. Ingress-Nginx versions may work on older versions but the p | Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version | |-----------------------|------------------------------|----------------|---------------| -| v1.6.3 | 1.26, 1.25, 1.24, 1.23 | 3.17.0 | 1.21.6 | +| v1.6.4 | 1.26, 1.25, 1.24, 1.23 | 3.17.0 | 1.21.6 | | v1.5.1 | 1.25, 1.24, 1.23 | 3.16.2 | 1.21.6 | | v1.4.0 | 1.25, 1.24, 1.23, 1.22 | 3.16.2 | 1.19.10† | | v1.3.1 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.2 | 1.19.10† | diff --git a/changelog/Changelog-1.6.3.md b/changelog/Changelog-1.6.4.md similarity index 93% rename from changelog/Changelog-1.6.3.md rename to changelog/Changelog-1.6.4.md index 39fa5bb24..5f940d1c4 100644 --- a/changelog/Changelog-1.6.3.md +++ b/changelog/Changelog-1.6.4.md @@ -1,13 +1,16 @@ # Changelog -### 1.6.3 +### 1.6.4 Images: - * registry.k8s.io/controller:controller-v1.6.3@sha256:b92667e0afde1103b736e6a3f00dd75ae66eec4e71827d19f19f471699e909d2 - * registry.k8s.io/controller-chroot:controller-v1.6.3@sha256:4b4a249c9a35ac16a8ec0e22f6c522b8707f7e59e656e64a4ad9ace8fea830a4 + * registry.k8s.io/controller:controller-v1.6.4@sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f + * registry.k8s.io/controller-chroot:controller-v1.6.4@sha256:0de01e2c316c3ca7847ca13b32d077af7910d07f21a4a82f81061839764f8f81 ### All Changes: +* remove tests and regex path checks (#9626) +* Fix incorrect annotation name in upstream hashing configuration (#9617) +* Release docs for Controller v1.6.3 and Helm v4.5.0 (#9614) * Revert Implement pathType validation (#9511) (#9607) * update history and allow to pass a target test (#9605) * Allow to pass a target test (#9542) @@ -19,7 +22,6 @@ Images: * Add CORS template check inside location for externalAuth.SignURL (#8814) * fix(grafana-dashboard): remove hardcoded namespace references (#9523) * Replace deprecated command with environment file (#9581) -* add path validation to implementation specific as well (#9573) * add lint on chart before release (#9570) * Switch logic on path type validation and setting it to false (#9543) * tcpproxy: increase buffer size to 16K (#9548) @@ -27,7 +29,6 @@ Images: * Add CORS template check inside location for externalAuth.SignURL (#8814) * fix(grafana-dashboard): remove hardcoded namespace references (#9523) * Align default value for keepalive_request with NGINX default (#9518) -* Implement pathType validation (#9511) * feat(configmap): expose gzip-disable (#9505) * Values: Add missing `controller.metrics.service.labels`. (#9501) * Add docs about orphan_ingress metric (#9514) @@ -89,7 +90,6 @@ Images: * remove the configmap related permissions (#9310) * remove hardcoded datasource from grafana dashboard (#9284) * update gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b to 3.0.0 (#9277) -* Validate ingress path fields (#9309) * added SAN to cert create command (#9295) * Missing controller.ingressClass (#9304) * OpenTelemetry static linking (#9286) @@ -133,4 +133,4 @@ Images: * Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (#9301) * Bump k8s.io/component-base from 0.25.3 to 0.25.4 (#9300) -**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.5.1...controller-controller-v1.6.3 +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.5.1...controller-controller-v1.6.4 diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index c11859326..89e679d49 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml @@ -4,10 +4,10 @@ annotations: - "ci: remove setup-helm step (#9404)" - "feat(helm): Optionally use cert-manager instead admission patch (#9279)" - "run helm release on main only and when the chart/value changes only (#9290)" - - "Update Ingress-Nginx version controller-v1.6.3" + - "Update Ingress-Nginx version controller-v1.6.4" artifacthub.io/prerelease: "false" apiVersion: v2 -appVersion: 1.6.3 +appVersion: 1.6.4 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer engine: gotpl @@ -24,4 +24,4 @@ maintainers: name: ingress-nginx sources: - https://github.com/kubernetes/ingress-nginx -version: 4.5.0 +version: 4.5.1 diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index cb454b535..6c5437a26 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.5.0](https://img.shields.io/badge/Version-4.5.0-informational?style=flat-square) ![AppVersion: 1.6.3](https://img.shields.io/badge/AppVersion-1.6.3-informational?style=flat-square) +![Version: 4.5.1](https://img.shields.io/badge/Version-4.5.1-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. @@ -333,13 +333,13 @@ Kubernetes: `>=1.20.0-0` | controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.image.allowPrivilegeEscalation | bool | `true` | | | controller.image.chroot | bool | `false` | | -| controller.image.digest | string | `"sha256:b92667e0afde1103b736e6a3f00dd75ae66eec4e71827d19f19f471699e909d2"` | | -| controller.image.digestChroot | string | `"sha256:4b4a249c9a35ac16a8ec0e22f6c522b8707f7e59e656e64a4ad9ace8fea830a4"` | | +| controller.image.digest | string | `"sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f"` | | +| controller.image.digestChroot | string | `"sha256:0de01e2c316c3ca7847ca13b32d077af7910d07f21a4a82f81061839764f8f81"` | | | controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.registry | string | `"registry.k8s.io"` | | | controller.image.runAsUser | int | `101` | | -| controller.image.tag | string | `"v1.6.3"` | | +| controller.image.tag | string | `"v1.6.4"` | | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass | diff --git a/charts/ingress-nginx/changelog/Changelog-4.5.0.md b/charts/ingress-nginx/changelog/Changelog-4.5.1.md similarity index 82% rename from charts/ingress-nginx/changelog/Changelog-4.5.0.md rename to charts/ingress-nginx/changelog/Changelog-4.5.1.md index ba4b52cbc..ebe78f49c 100644 --- a/charts/ingress-nginx/changelog/Changelog-4.5.0.md +++ b/charts/ingress-nginx/changelog/Changelog-4.5.1.md @@ -2,12 +2,12 @@ This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). -### 4.5.0 +### 4.5.1 * add lint on chart before release (#9570) * ci: remove setup-helm step (#9404) * feat(helm): Optionally use cert-manager instead admission patch (#9279) * run helm release on main only and when the chart/value changes only (#9290) -* Update Ingress-Nginx version controller-v1.6.3 +* Update Ingress-Nginx version controller-v1.6.4 -**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.4.3...helm-chart-4.5.0 +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.4.3...helm-chart-4.5.1 diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 34e1cf6ef..202cd4a23 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -23,9 +23,9 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: "v1.6.3" - digest: sha256:b92667e0afde1103b736e6a3f00dd75ae66eec4e71827d19f19f471699e909d2 - digestChroot: sha256:4b4a249c9a35ac16a8ec0e22f6c522b8707f7e59e656e64a4ad9ace8fea830a4 + tag: "v1.6.4" + digest: sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f + digestChroot: sha256:0de01e2c316c3ca7847ca13b32d077af7910d07f21a4a82f81061839764f8f81 pullPolicy: IfNotPresent # www-data -> uid 101 runAsUser: 101 diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml index c79412536..487340a73 100644 --- a/deploy/static/provider/aws/deploy.yaml +++ b/deploy/static/provider/aws/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -344,7 +344,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -377,7 +377,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -400,7 +400,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -440,7 +440,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.6.3@sha256:b92667e0afde1103b736e6a3f00dd75ae66eec4e71827d19f19f471699e909d2 + image: registry.k8s.io/ingress-nginx/controller:v1.6.4@sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -512,7 +512,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -523,7 +523,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-create spec: containers: @@ -559,7 +559,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -570,7 +570,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-patch spec: containers: @@ -608,7 +608,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: nginx spec: controller: k8s.io/ingress-nginx @@ -621,7 +621,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml index fae1c5d61..4763623c8 100644 --- a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml +++ b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -335,7 +335,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -353,7 +353,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -386,7 +386,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -409,7 +409,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -449,7 +449,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.6.3@sha256:b92667e0afde1103b736e6a3f00dd75ae66eec4e71827d19f19f471699e909d2 + image: registry.k8s.io/ingress-nginx/controller:v1.6.4@sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -524,7 +524,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -535,7 +535,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-create spec: containers: @@ -571,7 +571,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -582,7 +582,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-patch spec: containers: @@ -620,7 +620,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: nginx spec: controller: k8s.io/ingress-nginx @@ -633,7 +633,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml index 245978140..a642d67da 100644 --- a/deploy/static/provider/baremetal/deploy.yaml +++ b/deploy/static/provider/baremetal/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -372,7 +372,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -395,7 +395,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -434,7 +434,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.6.3@sha256:b92667e0afde1103b736e6a3f00dd75ae66eec4e71827d19f19f471699e909d2 + image: registry.k8s.io/ingress-nginx/controller:v1.6.4@sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -506,7 +506,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -517,7 +517,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-create spec: containers: @@ -553,7 +553,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -564,7 +564,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-patch spec: containers: @@ -602,7 +602,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: nginx spec: controller: k8s.io/ingress-nginx @@ -615,7 +615,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml index 9bc28ec80..8b09efac1 100644 --- a/deploy/static/provider/cloud/deploy.yaml +++ b/deploy/static/provider/cloud/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -373,7 +373,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -396,7 +396,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -436,7 +436,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.6.3@sha256:b92667e0afde1103b736e6a3f00dd75ae66eec4e71827d19f19f471699e909d2 + image: registry.k8s.io/ingress-nginx/controller:v1.6.4@sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -508,7 +508,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -519,7 +519,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-create spec: containers: @@ -555,7 +555,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -566,7 +566,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-patch spec: containers: @@ -604,7 +604,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: nginx spec: controller: k8s.io/ingress-nginx @@ -617,7 +617,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml index b17da8a07..7461d9794 100644 --- a/deploy/static/provider/do/deploy.yaml +++ b/deploy/static/provider/do/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -329,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -343,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -376,7 +376,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -399,7 +399,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -439,7 +439,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.6.3@sha256:b92667e0afde1103b736e6a3f00dd75ae66eec4e71827d19f19f471699e909d2 + image: registry.k8s.io/ingress-nginx/controller:v1.6.4@sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -511,7 +511,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -522,7 +522,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-create spec: containers: @@ -558,7 +558,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -569,7 +569,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-patch spec: containers: @@ -607,7 +607,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: nginx spec: controller: k8s.io/ingress-nginx @@ -620,7 +620,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml index d93497323..be0e2f587 100644 --- a/deploy/static/provider/exoscale/deploy.yaml +++ b/deploy/static/provider/exoscale/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -349,7 +349,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -382,7 +382,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -405,7 +405,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -445,7 +445,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.6.3@sha256:b92667e0afde1103b736e6a3f00dd75ae66eec4e71827d19f19f471699e909d2 + image: registry.k8s.io/ingress-nginx/controller:v1.6.4@sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -517,7 +517,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -528,7 +528,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-create spec: containers: @@ -564,7 +564,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -575,7 +575,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-patch spec: containers: @@ -613,7 +613,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: nginx spec: controller: k8s.io/ingress-nginx @@ -626,7 +626,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml index 8c9e96891..abb310999 100644 --- a/deploy/static/provider/kind/deploy.yaml +++ b/deploy/static/provider/kind/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -372,7 +372,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -395,7 +395,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -440,7 +440,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.6.3@sha256:b92667e0afde1103b736e6a3f00dd75ae66eec4e71827d19f19f471699e909d2 + image: registry.k8s.io/ingress-nginx/controller:v1.6.4@sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -522,7 +522,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -533,7 +533,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-create spec: containers: @@ -569,7 +569,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -580,7 +580,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-patch spec: containers: @@ -618,7 +618,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: nginx spec: controller: k8s.io/ingress-nginx @@ -631,7 +631,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml index edd00a98d..fdc3c6cde 100644 --- a/deploy/static/provider/scw/deploy.yaml +++ b/deploy/static/provider/scw/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -329,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -343,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -376,7 +376,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -399,7 +399,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -439,7 +439,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.6.3@sha256:b92667e0afde1103b736e6a3f00dd75ae66eec4e71827d19f19f471699e909d2 + image: registry.k8s.io/ingress-nginx/controller:v1.6.4@sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -511,7 +511,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -522,7 +522,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-create spec: containers: @@ -558,7 +558,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -569,7 +569,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission-patch spec: containers: @@ -607,7 +607,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: nginx spec: controller: k8s.io/ingress-nginx @@ -620,7 +620,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.3 + app.kubernetes.io/version: 1.6.4 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/docs/e2e-tests.md b/docs/e2e-tests.md index 5c67b47aa..9f66e3991 100644 --- a/docs/e2e-tests.md +++ b/docs/e2e-tests.md @@ -21,6 +21,21 @@ Do not try to edit it manually. - [should return an error if the Ingress V1 definition contains invalid annotations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L201) - [should not return an error for an invalid Ingress when it has unknown class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L212) +### [modsecurity owasp](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L28) + +- [should enable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L35) +- [should enable modsecurity with transaction ID and OWASP rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L53) +- [should disable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L74) +- [should enable modsecurity with snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L91) +- [should enable modsecurity without using 'modsecurity on;'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L110) +- [should disable modsecurity using 'modsecurity off;'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L132) +- [should enable modsecurity with snippet and block requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L153) +- [should enable modsecurity globally and with modsecurity-snippet block requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L189) +- [should enable modsecurity when enable-owasp-modsecurity-crs is set to true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L225) +- [should enable modsecurity through the config map](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L264) +- [should enable modsecurity through the config map but ignore snippet as disabled by admin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L305) +- [should disable default modsecurity conf setting when modsecurity-snippet is specified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L347) + ### [affinitymode](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinitymode.go#L31) - [Balanced affinity mode should balance](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinitymode.go#L34) @@ -194,21 +209,6 @@ Do not try to edit it manually. - [should set mirror-target to https://test.env.com/$request_uri](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L51) - [should disable mirror-request-body](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L67) -### [modsecurity owasp](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L28) - -- [should enable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L35) -- [should enable modsecurity with transaction ID and OWASP rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L53) -- [should disable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L74) -- [should enable modsecurity with snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L91) -- [should enable modsecurity without using 'modsecurity on;'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L110) -- [should disable modsecurity using 'modsecurity off;'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L132) -- [should enable modsecurity with snippet and block requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L153) -- [should enable modsecurity globally and with modsecurity-snippet block requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L189) -- [should enable modsecurity when enable-owasp-modsecurity-crs is set to true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L225) -- [should enable modsecurity through the config map](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L264) -- [should enable modsecurity through the config map but ignore snippet as disabled by admin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L305) -- [should disable default modsecurity conf setting when modsecurity-snippet is specified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L347) - ### [preserve-trailing-slash](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/preservetrailingslash.go#L27) - [should allow preservation of trailing slashes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/preservetrailingslash.go#L34) @@ -285,11 +285,6 @@ Do not try to edit it manually. - [should set the X-Forwarded-Prefix to the annotation value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L35) - [should not add X-Forwarded-Prefix if the annotation value is empty](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L57) -### [denylist-source-range](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L28) - -- [only deny explicitly denied IPs, allow all others](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L35) -- [only allow explicitly allowed IPs, deny all others](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L86) - ### [affinity session-cookie-name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L35) - [should set sticky cookie SERVERID](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L42) @@ -308,6 +303,14 @@ Do not try to edit it manually. - [should not set secure in cookie with provided false annotation on http](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L435) - [should set secure in cookie with provided false annotation on https](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L458) +### [rewrite-target use-regex enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L30) + +- [should write rewrite logs](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L37) +- [should use correct longest path match](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L66) +- [should use ~* location modifier if regex annotation is present](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L111) +- [should fail to use longest match for documented warning](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L158) +- [should allow for custom rewrite parameters](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L190) + ### [auth-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L39) - [should return status code 200 when no authentication is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L46) @@ -344,13 +347,10 @@ Do not try to edit it manually. - [should return 503 (location was denied)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L879) - [should add error to the config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L887) -### [rewrite-target use-regex enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L30) +### [denylist-source-range](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L28) -- [should write rewrite logs](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L37) -- [should use correct longest path match](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L66) -- [should use ~* location modifier if regex annotation is present](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L111) -- [should fail to use longest match for documented warning](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L158) -- [should allow for custom rewrite parameters](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L190) +- [only deny explicitly denied IPs, allow all others](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L35) +- [only allow explicitly allowed IPs, deny all others](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L86) ### [Debug CLI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L29) @@ -376,26 +376,22 @@ Do not try to edit it manually. - [should apply the annotation to the default backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/with_hosts.go#L38) -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e.go#L) - ### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e_test.go#L) - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e_test.go#L) -### [[Endpointslices] long service name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/longname.go#L29) - -- [should return 200 when service name has max allowed number of characters 63](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/longname.go#L38) - -### [[TopologyHints] topology aware routing](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/topology.go#L36) - -- [should return 200 when service has topology hints](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/topology.go#L50) - ### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/metrics.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/metrics.go#L) + ### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/fastcgi_helloserver.go#L) - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/fastcgi_helloserver.go#L) @@ -409,10 +405,6 @@ Do not try to edit it manually. - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/grpc_fortune_teller.go#L) -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) - ### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/array.go#L) - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/array.go#L) @@ -465,10 +457,6 @@ Do not try to edit it manually. - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/logs.go#L) -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/metrics.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/metrics.go#L) - ### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/ssl.go#L) - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/ssl.go#L) @@ -477,14 +465,14 @@ Do not try to edit it manually. - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/test_context.go#L) -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/util.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/util.go#L) - ### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/deployment.go#L) - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/deployment.go#L) +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/util.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/util.go#L) + ### [[Shutdown] Grace period shutdown](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/grace_period.go#L32) - [/healthz should return status code 500 during shutdown grace period](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/grace_period.go#L35) @@ -558,24 +546,10 @@ Do not try to edit it manually. - [handles endpoints only changes consistently (down scaling of replicas vs. empty service)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L125) - [handles an annotation change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L171) -### [nginx-configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L99) - -- [start nginx with default configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L102) -- [fails when using alias directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L115) -- [fails when using root directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L124) - ### [[Security] request smuggling](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/request_smuggling.go#L32) - [should not return body content from error_page](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/request_smuggling.go#L39) -### [[Security] validate path fields](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/invalid_paths.go#L42) - -- [should accept an ingress with valid path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/invalid_paths.go#L49) -- [should drop an ingress with invalid path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/invalid_paths.go#L67) -- [should drop an ingress with regex path and regex disabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/invalid_paths.go#L84) -- [should accept an ingress with regex path and regex enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/invalid_paths.go#L101) -- [should reject an ingress with invalid path and regex enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/invalid_paths.go#L118) - ### [[Service] backend status code 503](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L33) - [should return 503 when backend service does not exist](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L36) @@ -596,6 +570,14 @@ Do not try to edit it manually. - [should return 404 when backend service is nil](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_nil_backend.go#L38) +### [[Security] modsecurity-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity/modsecurity_snippet.go#L27) + +- [should add value of modsecurity-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity/modsecurity_snippet.go#L30) + +### [OCSP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L42) + +- [should enable OCSP and contain stapling information in the connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L49) + ### [access-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L27) - [use the default configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L32) @@ -748,10 +730,6 @@ Do not try to edit it manually. - [should add value of main-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/main_snippet.go#L31) -### [[Security] modsecurity-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity/modsecurity_snippet.go#L27) - -- [should add value of modsecurity-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity/modsecurity_snippet.go#L30) - ### [enable-multi-accept](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/multi_accept.go#L27) - [should be enabled by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/multi_accept.go#L31) @@ -772,10 +750,6 @@ Do not try to edit it manually. - [Check no tls redirect locations config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L31) -### [OCSP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L42) - -- [should enable OCSP and contain stapling information in the connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L49) - ### [Configure OpenTracing](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L48) - [should not exists opentracing directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L58) @@ -869,11 +843,6 @@ Do not try to edit it manually. - [should not use ports during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L187) - [should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L205) -### [With enable-ssl-passthrough enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_passthrough.go#L36) - -- [should enable ssl-passthrough-proxy-port on a different port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_passthrough.go#L56) -- [should pass unknown traffic to default backend and handle known traffic](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_passthrough.go#L79) - ### [[Flag] disable-sync-events](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_sync_events.go#L32) - [should create sync events (default)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_sync_events.go#L35) @@ -889,6 +858,11 @@ Do not try to edit it manually. - [should set gzip_min_length to 100](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L78) - [should set gzip_types to application/javascript](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L89) +### [With enable-ssl-passthrough enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_passthrough.go#L36) + +- [should enable ssl-passthrough-proxy-port on a different port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_passthrough.go#L56) +- [should pass unknown traffic to default backend and handle known traffic](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_passthrough.go#L79) + ### [[SSL] redirect to HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/http_redirect.go#L29) - [should redirect from HTTP to HTTPS when secret is missing](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/http_redirect.go#L36) @@ -905,4 +879,22 @@ Do not try to edit it manually. ### [[TCP] tcp-services](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L37) - [should expose a TCP service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L40) -- [should expose an ExternalName TCP service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L98) \ No newline at end of file +- [should expose an ExternalName TCP service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L98) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e.go#L) + +### [[Endpointslices] long service name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/longname.go#L29) + +- [should return 200 when service name has max allowed number of characters 63](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/longname.go#L38) + +### [[TopologyHints] topology aware routing](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/topology.go#L36) + +- [should return 200 when service has topology hints](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/topology.go#L50) + +### [nginx-configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L99) + +- [start nginx with default configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L102) +- [fails when using alias directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L115) +- [fails when using root directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L124) \ No newline at end of file From 864316955fce19b7c5397680d91da313b097fc9b Mon Sep 17 00:00:00 2001 From: James Strong Date: Tue, 14 Feb 2023 20:22:36 -0500 Subject: [PATCH 175/405] Release new Helm Chart Signed-off-by: James Strong --- charts/ingress-nginx/Chart.yaml | 2 +- charts/ingress-nginx/README.md | 2 +- .../changelog/{Changelog-4.5.1.md => Changelog-4.5.2.md} | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) rename charts/ingress-nginx/changelog/{Changelog-4.5.1.md => Changelog-4.5.2.md} (91%) diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index 89e679d49..21779e195 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml @@ -24,4 +24,4 @@ maintainers: name: ingress-nginx sources: - https://github.com/kubernetes/ingress-nginx -version: 4.5.1 +version: 4.5.2 diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 6c5437a26..49bb38273 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.5.1](https://img.shields.io/badge/Version-4.5.1-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square) +![Version: 4.5.2](https://img.shields.io/badge/Version-4.5.2-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. diff --git a/charts/ingress-nginx/changelog/Changelog-4.5.1.md b/charts/ingress-nginx/changelog/Changelog-4.5.2.md similarity index 91% rename from charts/ingress-nginx/changelog/Changelog-4.5.1.md rename to charts/ingress-nginx/changelog/Changelog-4.5.2.md index ebe78f49c..b6d8a3b0c 100644 --- a/charts/ingress-nginx/changelog/Changelog-4.5.1.md +++ b/charts/ingress-nginx/changelog/Changelog-4.5.2.md @@ -2,7 +2,7 @@ This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). -### 4.5.1 +### 4.5.2 * add lint on chart before release (#9570) * ci: remove setup-helm step (#9404) @@ -10,4 +10,4 @@ This file documents all notable changes to [ingress-nginx](https://github.com/ku * run helm release on main only and when the chart/value changes only (#9290) * Update Ingress-Nginx version controller-v1.6.4 -**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.4.3...helm-chart-4.5.1 +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.4.3...helm-chart-4.5.2 From de793dfeea03bd2db064b1f4c9b63e768a961172 Mon Sep 17 00:00:00 2001 From: Igor Milavec Date: Wed, 15 Feb 2023 14:50:24 +0100 Subject: [PATCH 176/405] Fix rewrite example (#9633) --- docs/examples/rewrite/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/examples/rewrite/README.md b/docs/examples/rewrite/README.md index c529c34ef..5b42e1fc7 100644 --- a/docs/examples/rewrite/README.md +++ b/docs/examples/rewrite/README.md @@ -38,6 +38,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: + nginx.ingress.kubernetes.io/use-regex: "true" nginx.ingress.kubernetes.io/rewrite-target: /$2 name: rewrite namespace: default From 9a79b059ca99380ff463f7ff589e8b4f01b19d75 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 Feb 2023 05:52:25 -0800 Subject: [PATCH 177/405] Bump golang.org/x/crypto from 0.5.0 to 0.6.0 (#9609) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.5.0 to 0.6.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](https://github.com/golang/crypto/compare/v0.5.0...v0.6.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 10 +++++----- go.sum | 20 ++++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/go.mod b/go.mod index 10b9e2fda..0aa7e6880 100644 --- a/go.mod +++ b/go.mod @@ -25,7 +25,7 @@ require ( github.com/stretchr/testify v1.8.1 github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a - golang.org/x/crypto v0.5.0 + golang.org/x/crypto v0.6.0 google.golang.org/grpc v1.52.3 google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 @@ -99,11 +99,11 @@ require ( github.com/yudai/pp v2.0.1+incompatible // indirect go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect golang.org/x/mod v0.7.0 // indirect - golang.org/x/net v0.5.0 // indirect + golang.org/x/net v0.6.0 // indirect golang.org/x/oauth2 v0.3.0 // indirect - golang.org/x/sys v0.4.0 // indirect - golang.org/x/term v0.4.0 // indirect - golang.org/x/text v0.6.0 // indirect + golang.org/x/sys v0.5.0 // indirect + golang.org/x/term v0.5.0 // indirect + golang.org/x/text v0.7.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.4.0 // indirect google.golang.org/appengine v1.6.7 // indirect diff --git a/go.sum b/go.sum index 6e370c655..47777a30d 100644 --- a/go.sum +++ b/go.sum @@ -403,8 +403,8 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.5.0 h1:U/0M97KRkSFvyD/3FSmdP5W5swImpNgle/EHFhOsQPE= -golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU= +golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc= +golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -471,8 +471,8 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.5.0 h1:GyT4nK/YDHSqa1c4753ouYCDajOYKTja9Xb/OHtgvSw= -golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws= +golang.org/x/net v0.6.0 h1:L4ZwwTvKW9gr0ZMS1yrHD9GZhIuVjOBBnaKH+SPQK0Q= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -542,19 +542,19 @@ golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.4.0 h1:Zr2JFtRQNX3BCZ8YtxRE9hNJYC8J6I1MVbMg6owUp18= -golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.4.0 h1:O7UWfv5+A2qiuulQk30kVinPoMtoIPeVaKLEgLpVkvg= -golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ= +golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.6.0 h1:3XmdazWV+ubf7QgHSTWeykHOci5oeekaGJBLkrkaw4k= -golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From 15ecd2531fdcb722c8c477f0b51b86ab9213723f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 Feb 2023 05:54:24 -0800 Subject: [PATCH 178/405] Bump github.com/prometheus/client_golang (#9630) Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.11.0 to 1.11.1. - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](https://github.com/prometheus/client_golang/compare/v1.11.0...v1.11.1) --- updated-dependencies: - dependency-name: github.com/prometheus/client_golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- images/custom-error-pages/rootfs/go.mod | 2 +- images/custom-error-pages/rootfs/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/images/custom-error-pages/rootfs/go.mod b/images/custom-error-pages/rootfs/go.mod index b39db8b20..515b72c09 100644 --- a/images/custom-error-pages/rootfs/go.mod +++ b/images/custom-error-pages/rootfs/go.mod @@ -2,7 +2,7 @@ module k8s.io/ingress-nginx/custom-error-pages go 1.19 -require github.com/prometheus/client_golang v1.11.0 +require github.com/prometheus/client_golang v1.11.1 require ( github.com/beorn7/perks v1.0.1 // indirect diff --git a/images/custom-error-pages/rootfs/go.sum b/images/custom-error-pages/rootfs/go.sum index 87cd96b26..d071619b7 100644 --- a/images/custom-error-pages/rootfs/go.sum +++ b/images/custom-error-pages/rootfs/go.sum @@ -66,8 +66,8 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= -github.com/prometheus/client_golang v1.11.0 h1:HNkLOAEQMIDv/K+04rukrLx6ch7msSRwf3/SASFAGtQ= -github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= +github.com/prometheus/client_golang v1.11.1 h1:+4eQaD7vAZ6DsfsxB15hbE0odUjGI5ARs9yskGu1v4s= +github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M= From 00086ab429d99e3888bc2adf70178d2da66d2f57 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 Feb 2023 07:06:25 -0800 Subject: [PATCH 179/405] Bump google.golang.org/grpc from 1.52.3 to 1.53.0 (#9610) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.52.3 to 1.53.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.52.3...v1.53.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 8 ++++---- go.sum | 16 ++++++++-------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/go.mod b/go.mod index 0aa7e6880..d942c1637 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a golang.org/x/crypto v0.6.0 - google.golang.org/grpc v1.52.3 + google.golang.org/grpc v1.53.0 google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 @@ -48,7 +48,7 @@ require ( github.com/BurntSushi/toml v1.0.0 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect - github.com/cespare/xxhash/v2 v2.1.2 // indirect + github.com/cespare/xxhash/v2 v2.2.0 // indirect github.com/coreos/go-systemd/v22 v22.3.2 // indirect github.com/cyphar/filepath-securejoin v0.2.3 // indirect github.com/davecgh/go-spew v1.1.1 // indirect @@ -100,14 +100,14 @@ require ( go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect golang.org/x/mod v0.7.0 // indirect golang.org/x/net v0.6.0 // indirect - golang.org/x/oauth2 v0.3.0 // indirect + golang.org/x/oauth2 v0.4.0 // indirect golang.org/x/sys v0.5.0 // indirect golang.org/x/term v0.5.0 // indirect golang.org/x/text v0.7.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.4.0 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20221118155620-16455021b5e6 // indirect + google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f // indirect google.golang.org/protobuf v1.28.1 // indirect gopkg.in/go-playground/assert.v1 v1.2.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/go.sum b/go.sum index 47777a30d..b1f6269a6 100644 --- a/go.sum +++ b/go.sum @@ -50,8 +50,8 @@ github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE= -github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= +github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= @@ -479,8 +479,8 @@ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4Iltr golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.3.0 h1:6l90koy8/LaBLmLu8jpHeHexzMwEita0zFfYlggy2F8= -golang.org/x/oauth2 v0.3.0/go.mod h1:rQrIauxkUhJ6CuwEXwymO2/eh4xz2ZWF1nBkcxS+tGk= +golang.org/x/oauth2 v0.4.0 h1:NF0gk8LVPg1Ml7SSbGyySuoxdsXitj7TvgvuRxIMc/M= +golang.org/x/oauth2 v0.4.0/go.mod h1:RznEsdpjGAINPTOF0UH/t+xJ75L18YO3Ho6Pyn+uRec= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -665,8 +665,8 @@ google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20221118155620-16455021b5e6 h1:a2S6M0+660BgMNl++4JPlcAO/CjkqYItDEZwkoDQK7c= -google.golang.org/genproto v0.0.0-20221118155620-16455021b5e6/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg= +google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f h1:BWUVssLB0HVOSY78gIdvk1dTVYtT1y8SBWtPYuTJ/6w= +google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= @@ -679,8 +679,8 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.52.3 h1:pf7sOysg4LdgBqduXveGKrcEwbStiK2rtfghdzlUYDQ= -google.golang.org/grpc v1.52.3/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5vorUY= +google.golang.org/grpc v1.53.0 h1:LAv2ds7cmFV/XTS3XG1NneeENYrXGmorPxsBbptIjNc= +google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw= google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 h1:pPsdyuBif+uoyUoL19yuj/TCfUPsmpJHJZhWQ98JGLU= google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7/go.mod h1:8pQa1yxxkh+EsxUK8/455D5MSbv3vgmEJqKCH3y17mI= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= From fbdbc24a423a1afa195d5770529fbd873ef68e66 Mon Sep 17 00:00:00 2001 From: Fish-pro Date: Thu, 16 Feb 2023 21:59:39 +0800 Subject: [PATCH 180/405] Optimize the judgment mode to remove redundant transformations (#9588) Signed-off-by: Fish-pro --- internal/ingress/inspector/inspector.go | 6 +++--- internal/nginx/maxmind.go | 2 +- pkg/apis/ingress/types_equals.go | 6 +----- 3 files changed, 5 insertions(+), 9 deletions(-) diff --git a/internal/ingress/inspector/inspector.go b/internal/ingress/inspector/inspector.go index 98f257997..e7b6c2f10 100644 --- a/internal/ingress/inspector/inspector.go +++ b/internal/ingress/inspector/inspector.go @@ -26,11 +26,11 @@ import ( // if an object contains invalid configurations that may represent a security risk, // and returning an error in this case func DeepInspect(obj interface{}) error { - switch obj.(type) { + switch obj := obj.(type) { case *networking.Ingress: - return InspectIngress(obj.(*networking.Ingress)) + return InspectIngress(obj) case *corev1.Service: - return InspectService(obj.(*corev1.Service)) + return InspectService(obj) default: klog.Warningf("received invalid object to inspect: %T", obj) return nil diff --git a/internal/nginx/maxmind.go b/internal/nginx/maxmind.go index df9fd2231..5aee414cd 100644 --- a/internal/nginx/maxmind.go +++ b/internal/nginx/maxmind.go @@ -165,7 +165,7 @@ func downloadDatabase(dbName string) error { mmdbFile := dbName + dbExtension tarReader := tar.NewReader(archive) - for true { + for { header, err := tarReader.Next() if err == io.EOF { break diff --git a/pkg/apis/ingress/types_equals.go b/pkg/apis/ingress/types_equals.go index 0941e0956..2485f8a7b 100644 --- a/pkg/apis/ingress/types_equals.go +++ b/pkg/apis/ingress/types_equals.go @@ -76,11 +76,7 @@ func (c1 *Configuration) Equal(c2 *Configuration) bool { } } - if c1.BackendConfigChecksum != c2.BackendConfigChecksum { - return false - } - - return true + return c1.BackendConfigChecksum == c2.BackendConfigChecksum } // Equal tests for equality between two Backend types From 1cdd61fb9496b39dc7892ca3f3670784cb58ec58 Mon Sep 17 00:00:00 2001 From: Fish-pro Date: Thu, 16 Feb 2023 22:05:40 +0800 Subject: [PATCH 181/405] Adjust the import package order and use http library variables (#9587) Signed-off-by: Fish-pro --- internal/ingress/controller/checker_test.go | 2 +- internal/ingress/controller/nginx_test.go | 4 ++-- internal/ingress/status/status.go | 2 +- test/e2e/framework/healthz.go | 2 +- test/e2e/framework/metrics.go | 2 +- test/e2e/status/update.go | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/internal/ingress/controller/checker_test.go b/internal/ingress/controller/checker_test.go index 5d9fb1baf..a0d2baafa 100644 --- a/internal/ingress/controller/checker_test.go +++ b/internal/ingress/controller/checker_test.go @@ -122,7 +122,7 @@ func TestNginxCheck(t *testing.T) { } func callHealthz(expErr bool, healthzPath string, mux *http.ServeMux) error { - req, err := http.NewRequest("GET", healthzPath, nil) + req, err := http.NewRequest(http.MethodGet, healthzPath, nil) if err != nil { return fmt.Errorf("healthz error: %v", err) } diff --git a/internal/ingress/controller/nginx_test.go b/internal/ingress/controller/nginx_test.go index 4d3155194..56eb0f324 100644 --- a/internal/ingress/controller/nginx_test.go +++ b/internal/ingress/controller/nginx_test.go @@ -62,7 +62,7 @@ func TestConfigureDynamically(t *testing.T) { Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusCreated) - if r.Method != "POST" { + if r.Method != http.MethodPost { t.Errorf("expected a 'POST' request, got '%s'", r.Method) } @@ -222,7 +222,7 @@ func TestConfigureCertificates(t *testing.T) { Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusCreated) - if r.Method != "POST" { + if r.Method != http.MethodPost { t.Errorf("expected a 'POST' request, got '%s'", r.Method) } diff --git a/internal/ingress/status/status.go b/internal/ingress/status/status.go index eac1f6cb0..a7506705c 100644 --- a/internal/ingress/status/status.go +++ b/internal/ingress/status/status.go @@ -19,7 +19,6 @@ package status import ( "context" "fmt" - v1 "k8s.io/api/networking/v1" "net" "regexp" "sort" @@ -30,6 +29,7 @@ import ( pool "gopkg.in/go-playground/pool.v3" apiv1 "k8s.io/api/core/v1" + v1 "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/util/wait" diff --git a/test/e2e/framework/healthz.go b/test/e2e/framework/healthz.go index bef093355..b52c3ffde 100644 --- a/test/e2e/framework/healthz.go +++ b/test/e2e/framework/healthz.go @@ -26,7 +26,7 @@ func (f *Framework) VerifyHealthz(ip string, statusCode int) error { url := fmt.Sprintf("http://%v:10254/healthz", ip) client := &http.Client{} - req, err := http.NewRequest("GET", url, nil) + req, err := http.NewRequest(http.MethodGet, url, nil) if err != nil { return fmt.Errorf("creating GET request for URL %q failed: %v", url, err) } diff --git a/test/e2e/framework/metrics.go b/test/e2e/framework/metrics.go index 349eb4dc3..830237540 100644 --- a/test/e2e/framework/metrics.go +++ b/test/e2e/framework/metrics.go @@ -29,7 +29,7 @@ func (f *Framework) GetMetric(metricName, ip string) (*dto.MetricFamily, error) url := fmt.Sprintf("http://%v:10254/metrics", ip) client := &http.Client{} - req, err := http.NewRequest("GET", url, nil) + req, err := http.NewRequest(http.MethodGet, url, nil) if err != nil { return nil, fmt.Errorf("creating GET request for URL %q failed: %v", url, err) } diff --git a/test/e2e/status/update.go b/test/e2e/status/update.go index 8bedc4d4e..5c6ea4977 100644 --- a/test/e2e/status/update.go +++ b/test/e2e/status/update.go @@ -19,7 +19,6 @@ package settings import ( "context" "fmt" - v1 "k8s.io/api/networking/v1" "log" "net" "strings" @@ -29,6 +28,7 @@ import ( "github.com/stretchr/testify/assert" appsv1 "k8s.io/api/apps/v1" + v1 "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/wait" From ac8dd3dd53344b948b291530a71bcbffef9ca5d4 Mon Sep 17 00:00:00 2001 From: Fish-pro Date: Thu, 16 Feb 2023 22:05:48 +0800 Subject: [PATCH 182/405] sets.String is deprecated: use generic Set instead. new ways: s1 := Set[string]{} s2 := New[string]() (#9589) Signed-off-by: Fish-pro --- internal/ingress/controller/controller.go | 4 ++-- internal/ingress/controller/store/objectref.go | 8 ++++---- internal/ingress/controller/template/template.go | 10 +++++----- internal/ingress/metric/collectors/socket.go | 4 ++-- internal/ingress/metric/collectors/socket_test.go | 2 +- internal/ingress/metric/dummy.go | 2 +- internal/ingress/metric/main.go | 4 ++-- pkg/util/ingress/ingress.go | 2 +- 8 files changed, 18 insertions(+), 18 deletions(-) diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index dab507cdf..a77d2ff37 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -541,11 +541,11 @@ func (n *NGINXController) getDefaultUpstream() *ingress.Backend { } // getConfiguration returns the configuration matching the standard kubernetes ingress -func (n *NGINXController) getConfiguration(ingresses []*ingress.Ingress) (sets.String, []*ingress.Server, *ingress.Configuration) { +func (n *NGINXController) getConfiguration(ingresses []*ingress.Ingress) (sets.Set[string], []*ingress.Server, *ingress.Configuration) { upstreams, servers := n.getBackendServers(ingresses) var passUpstreams []*ingress.SSLPassthroughBackend - hosts := sets.NewString() + hosts := sets.New[string]() for _, server := range servers { // If a location is defined by a prefix string that ends with the slash character, and requests are processed by one of diff --git a/internal/ingress/controller/store/objectref.go b/internal/ingress/controller/store/objectref.go index 9ef13bf07..89ea47251 100644 --- a/internal/ingress/controller/store/objectref.go +++ b/internal/ingress/controller/store/objectref.go @@ -37,13 +37,13 @@ type ObjectRefMap interface { type objectRefMap struct { sync.Mutex - v map[string]sets.String + v map[string]sets.Set[string] } // NewObjectRefMap returns a new ObjectRefMap. func NewObjectRefMap() ObjectRefMap { return &objectRefMap{ - v: make(map[string]sets.String), + v: make(map[string]sets.Set[string]), } } @@ -54,7 +54,7 @@ func (o *objectRefMap) Insert(consumer string, ref ...string) { for _, r := range ref { if _, ok := o.v[r]; !ok { - o.v[r] = sets.NewString(consumer) + o.v[r] = sets.New[string](consumer) continue } o.v[r].Insert(consumer) @@ -112,7 +112,7 @@ func (o *objectRefMap) Reference(ref string) []string { if !ok { return make([]string, 0) } - return consumers.List() + return consumers.UnsortedList() } // ReferencedBy returns all objects referenced by the given object. diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go index 315262150..ea9807bd0 100644 --- a/internal/ingress/controller/template/template.go +++ b/internal/ingress/controller/template/template.go @@ -792,7 +792,7 @@ rewrite "(?i)%s" %s break; func filterRateLimits(input interface{}) []ratelimit.Config { ratelimits := []ratelimit.Config{} - found := sets.String{} + found := sets.Set[string]{} servers, ok := input.([]*ingress.Server) if !ok { @@ -815,12 +815,12 @@ func filterRateLimits(input interface{}) []ratelimit.Config { // for connection limit by IP address, one for limiting requests per minute, and // one for limiting requests per second. func buildRateLimitZones(input interface{}) []string { - zones := sets.String{} + zones := sets.Set[string]{} servers, ok := input.([]*ingress.Server) if !ok { klog.Errorf("expected a '[]*ingress.Server' type but %T was returned", input) - return zones.List() + return zones.UnsortedList() } for _, server := range servers { @@ -859,7 +859,7 @@ func buildRateLimitZones(input interface{}) []string { } } - return zones.List() + return zones.UnsortedList() } // buildRateLimit produces an array of limit_req to be used inside the Path of @@ -1654,7 +1654,7 @@ func buildModSecurityForLocation(cfg config.Configuration, location *ingress.Loc func buildMirrorLocations(locs []*ingress.Location) string { var buffer bytes.Buffer - mapped := sets.String{} + mapped := sets.Set[string]{} for _, loc := range locs { if loc.Mirror.Source == "" || loc.Mirror.Target == "" { diff --git a/internal/ingress/metric/collectors/socket.go b/internal/ingress/metric/collectors/socket.go index 9c0376cd3..23048d5d6 100644 --- a/internal/ingress/metric/collectors/socket.go +++ b/internal/ingress/metric/collectors/socket.go @@ -80,7 +80,7 @@ type SocketCollector struct { metricMapping map[string]interface{} - hosts sets.String + hosts sets.Set[string] metricsPerHost bool reportStatusClasses bool @@ -505,7 +505,7 @@ func (sc SocketCollector) Collect(ch chan<- prometheus.Metric) { // SetHosts sets the hostnames that are being served by the ingress controller // This set of hostnames is used to filter the metrics to be exposed -func (sc *SocketCollector) SetHosts(hosts sets.String) { +func (sc *SocketCollector) SetHosts(hosts sets.Set[string]) { sc.hosts = hosts } diff --git a/internal/ingress/metric/collectors/socket_test.go b/internal/ingress/metric/collectors/socket_test.go index f175828cc..4bebc7600 100644 --- a/internal/ingress/metric/collectors/socket_test.go +++ b/internal/ingress/metric/collectors/socket_test.go @@ -485,7 +485,7 @@ func TestCollector(t *testing.T) { t.Errorf("registering collector failed: %s", err) } - sc.SetHosts(sets.NewString("testshop.com")) + sc.SetHosts(sets.New[string]("testshop.com")) for _, d := range c.data { sc.handleMessage([]byte(d)) diff --git a/internal/ingress/metric/dummy.go b/internal/ingress/metric/dummy.go index e34b5ecbd..d8ae0155a 100644 --- a/internal/ingress/metric/dummy.go +++ b/internal/ingress/metric/dummy.go @@ -69,7 +69,7 @@ func (dc DummyCollector) SetSSLInfo([]*ingress.Server) {} func (dc DummyCollector) SetSSLExpireTime([]*ingress.Server) {} // SetHosts ... -func (dc DummyCollector) SetHosts(hosts sets.String) {} +func (dc DummyCollector) SetHosts(hosts sets.Set[string]) {} // OnStartedLeading indicates the pod is not the current leader func (dc DummyCollector) OnStartedLeading(electionID string) {} diff --git a/internal/ingress/metric/main.go b/internal/ingress/metric/main.go index 892c8e8db..cac86e889 100644 --- a/internal/ingress/metric/main.go +++ b/internal/ingress/metric/main.go @@ -52,7 +52,7 @@ type Collector interface { SetSSLInfo(servers []*ingress.Server) // SetHosts sets the hostnames that are being served by the ingress controller - SetHosts(sets.String) + SetHosts(set sets.Set[string]) Start(string) Stop(string) @@ -191,7 +191,7 @@ func (c *collector) DecOrphanIngress(namespace string, name string, orphanityTyp c.ingressController.DecOrphanIngress(namespace, name, orphanityType) } -func (c *collector) SetHosts(hosts sets.String) { +func (c *collector) SetHosts(hosts sets.Set[string]) { c.socket.SetHosts(hosts) } diff --git a/pkg/util/ingress/ingress.go b/pkg/util/ingress/ingress.go index 7df2cc114..39ca3f883 100644 --- a/pkg/util/ingress/ingress.go +++ b/pkg/util/ingress/ingress.go @@ -177,7 +177,7 @@ type redirect struct { // BuildRedirects build the redirects of servers based on configurations and certificates func BuildRedirects(servers []*ingress.Server) []*redirect { - names := sets.String{} + names := sets.Set[string]{} redirectServers := make([]*redirect, 0) for _, srv := range servers { From 57398dee16808fb5f7acc378bc7f84a9761348a9 Mon Sep 17 00:00:00 2001 From: Fish-pro Date: Thu, 16 Feb 2023 22:07:39 +0800 Subject: [PATCH 183/405] Optimize the document for readability (#9551) Signed-off-by: Fish-pro --- docs/how-it-works.md | 2 +- docs/user-guide/k8s-122-migration.md | 6 +++--- docs/user-guide/miscellaneous.md | 2 +- docs/user-guide/monitoring.md | 6 +++--- docs/user-guide/multiple-ingress.md | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/how-it-works.md b/docs/how-it-works.md index 4ad824dc8..894a504dc 100644 --- a/docs/how-it-works.md +++ b/docs/how-it-works.md @@ -10,7 +10,7 @@ The goal of this Ingress controller is the assembly of a configuration file (ngi Usually, a Kubernetes Controller utilizes the [synchronization loop pattern][1] to check if the desired state in the controller is updated or a change is required. To this purpose, we need to build a model using different objects from the cluster, in particular (in no special order) Ingresses, Services, Endpoints, Secrets, and Configmaps to generate a point in time configuration file that reflects the state of the cluster. -To get this object from the cluster, we use [Kubernetes Informers][2], in particular, `FilteredSharedInformer`. This informers allows reacting to changes in using [callbacks][3] to individual changes when a new object is added, modified or removed. Unfortunately, there is no way to know if a particular change is going to affect the final configuration file. Therefore on every change, we have to rebuild a new model from scratch based on the state of cluster and compare it to the current model. If the new model equals to the current one, then we avoid generating a new NGINX configuration and triggering a reload. Otherwise, we check if the difference is only about Endpoints. If so we then send the new list of Endpoints to a Lua handler running inside Nginx using HTTP POST request and again avoid generating a new NGINX configuration and triggering a reload. If the difference between running and new model is about more than just Endpoints we create a new NGINX configuration based on the new model, replace the current model and trigger a reload. +To get this object from the cluster, we use [Kubernetes Informers][2], in particular, `FilteredSharedInformer`. These informers allow reacting to change in using [callbacks][3] to individual changes when a new object is added, modified or removed. Unfortunately, there is no way to know if a particular change is going to affect the final configuration file. Therefore on every change, we have to rebuild a new model from scratch based on the state of cluster and compare it to the current model. If the new model equals to the current one, then we avoid generating a new NGINX configuration and triggering a reload. Otherwise, we check if the difference is only about Endpoints. If so we then send the new list of Endpoints to a Lua handler running inside Nginx using HTTP POST request and again avoid generating a new NGINX configuration and triggering a reload. If the difference between running and new model is about more than just Endpoints we create a new NGINX configuration based on the new model, replace the current model and trigger a reload. One of the uses of the model is to avoid unnecessary reloads when there's no change in the state and to detect conflicts in definitions. diff --git a/docs/user-guide/k8s-122-migration.md b/docs/user-guide/k8s-122-migration.md index 34893f931..9a1ca081d 100644 --- a/docs/user-guide/k8s-122-migration.md +++ b/docs/user-guide/k8s-122-migration.md @@ -131,7 +131,7 @@ and add the value `spec.ingressClassName=nginx` in your Ingress objects. ## I have many ingress objects in my cluster. What should I do? -If you have lot of ingress objects without ingressClass configuration, +If you have a lot of ingress objects without ingressClass configuration, you can run the ingress controller with the flag `--watch-ingress-without-class=true`. ### What is the flag `--watch-ingress-without-class`? @@ -187,10 +187,10 @@ Bear in mind that if you start Ingress-Nginx B with the command line argument `- 4. If you start Ingress-Nginx B with the command line argument `--watch-ingress-without-class=true` and you run Ingress-Nginx A with the command line argument `--watch-ingress-without-class=false` then this is a supported configuration. If you have two ingress-nginx controllers for the same cluster, both running with `--watch-ingress-without-class=true` then there is likely to be a conflict. -## Why am I am seeing "ingress class annotation is not equal to the expected by Ingress Controller" in my controller logs? +## Why am I seeing "ingress class annotation is not equal to the expected by Ingress Controller" in my controller logs? It is highly likely that you will also see the name of the ingress resource in the same error message. -This error message has been observed on use the deprecated annotation (`kubernetes.io/ingress.class`) in a Ingress resource manifest. +This error message has been observed on use the deprecated annotation (`kubernetes.io/ingress.class`) in an Ingress resource manifest. It is recommended to use the `.spec.ingressClassName` field of the Ingress resource, to specify the name of the IngressClass of the Ingress you are defining. ## How can I easily install multiple instances of the ingress-nginx controller in the same cluster? diff --git a/docs/user-guide/miscellaneous.md b/docs/user-guide/miscellaneous.md index 196ea17fc..d9b32d36f 100644 --- a/docs/user-guide/miscellaneous.md +++ b/docs/user-guide/miscellaneous.md @@ -27,7 +27,7 @@ Support for websockets is provided by NGINX out of the box. No special configura The only requirement to avoid the close of connections is the increase of the values of `proxy-read-timeout` and `proxy-send-timeout`. -The default value of this settings is `60 seconds`. +The default value of these settings is `60 seconds`. A more adequate value to support websockets is a value higher than one hour (`3600`). diff --git a/docs/user-guide/monitoring.md b/docs/user-guide/monitoring.md index 807d91afc..281207866 100644 --- a/docs/user-guide/monitoring.md +++ b/docs/user-guide/monitoring.md @@ -170,7 +170,7 @@ According to the above example, this URL will be http://10.192.0.3:31086 - By default request metrics are labeled with the hostname. When you have a wildcard domain ingress, then there will be no metrics for that ingress (to prevent the metrics from exploding in cardinality). To get metrics in this case you need to run the ingress controller with `--metrics-per-host=false` (you will lose labeling by hostname, but still have labeling by ingress). ### Grafana dashboard using ingress resource - - If you want to expose the dashboard for grafana using a ingress resource, then you can : + - If you want to expose the dashboard for grafana using an ingress resource, then you can : - change the service type of the prometheus-server service and the grafana service to "ClusterIP" like this : ``` kubectl -n ingress-nginx edit svc grafana @@ -178,8 +178,8 @@ According to the above example, this URL will be http://10.192.0.3:31086 - This will open the currently deployed service grafana in the default editor configured in your shell (vi/nvim/nano/other) - scroll down to line 34 that looks like "type: NodePort" - change it to look like "type: ClusterIP". Save and exit. - - create a ingress resource with backend as "grafana" and port as "3000" - - Similarly, you can edit the service "prometheus-server" and add a ingress resource. + - create an ingress resource with backend as "grafana" and port as "3000" + - Similarly, you can edit the service "prometheus-server" and add an ingress resource. ## Prometheus and Grafana installation using Service Monitors This document assumes you're using helm and using the kube-prometheus-stack package to install Prometheus and Grafana. diff --git a/docs/user-guide/multiple-ingress.md b/docs/user-guide/multiple-ingress.md index 179041727..6a9457a9c 100644 --- a/docs/user-guide/multiple-ingress.md +++ b/docs/user-guide/multiple-ingress.md @@ -2,7 +2,7 @@ By default, deploying multiple Ingress controllers (e.g., `ingress-nginx` & `gce`) will result in all controllers simultaneously racing to update Ingress status fields in confusing ways. -To fix this problem, use [IngressClasses](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class). The `kubernetes.io/ingress.class` annotation is not being preferred or suggested to use as it can be deprecated in future. Better to use the field `ingress.spec.ingressClassName`. +To fix this problem, use [IngressClasses](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class). The `kubernetes.io/ingress.class` annotation is not being preferred or suggested to use as it can be deprecated in the future. Better to use the field `ingress.spec.ingressClassName`. But, when user has deployed with `scope.enabled`, then the ingress class resource field is not used. From 080c905fabd95fdccbd8deb8efcc108ebd632182 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=A8=E5=88=9A=20=20=28=E6=88=90=E9=83=BD=29?= Date: Thu, 16 Feb 2023 22:11:39 +0800 Subject: [PATCH 184/405] code clean for fsnotify (#9571) Signed-off-by: yanggang --- pkg/util/file/file_watcher.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/util/file/file_watcher.go b/pkg/util/file/file_watcher.go index eeb7b5721..daf955e52 100644 --- a/pkg/util/file/file_watcher.go +++ b/pkg/util/file/file_watcher.go @@ -72,8 +72,8 @@ func (f *OSFileWatcher) watch() error { for { select { case event := <-watcher.Events: - if event.Op&fsnotify.Create == fsnotify.Create || - event.Op&fsnotify.Write == fsnotify.Write { + if event.Has(fsnotify.Create) || + event.Has(fsnotify.Write) { if finfo, err := os.Lstat(event.Name); err != nil { log.Printf("can not lstat file: %v\n", err) } else if finfo.Mode()&os.ModeSymlink != 0 { From d6bba853511d01d336fbe3c13b34ae23dc187b62 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Herv=C3=A9?= Date: Thu, 16 Feb 2023 15:15:39 +0100 Subject: [PATCH 185/405] Rework Ginkgo usage (#9522) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Rework Ginkgo usage Currently Ginkgo is launched multiple times with different options to accomodate various use-cases. In particular, some specs needs to be run sequentially because non-namespaced objects are created that conflicts with concurent Helm deployments. However Ginkgo is able to handle such cases natively, in particular specs that needs to be run sequentially are supported (Serial spec). This commit marks the specs that needs to be run sequentially as Serial specs and runs the whole test suite from a single Ginkgo invocation. As a result, a single JUnit report is now generated. Signed-off-by: Hervé Werner * Fix controller error in test Error getting ConfigMap "$NAMESPACE/tcp-services": no object matching key "$NAMESPACE/tcp-services" in local store Signed-off-by: Hervé Werner * Replace "go get" invocations by "go install" Executing "go get" changes the go.mod & go.sum files which is not the case of "go install". Signed-off-by: Hervé Werner * Always clean out the Helm deployment Signed-off-by: Hervé Werner * Add E2E test to verify that changes to one or more configmap trigger an update Signed-off-by: Hervé Werner --------- Signed-off-by: Hervé Werner --- Makefile | 2 +- internal/ingress/controller/store/store.go | 1 - internal/k8s/main.go | 2 +- test/e2e-image/e2e.sh | 77 ++++------- .../namespace-overlays/topology/values.yaml | 19 +-- test/e2e/admission/admission.go | 17 +-- test/e2e/annotations/fastcgi.go | 5 +- test/e2e/endpointslices/topology.go | 19 +-- test/e2e/framework/exec.go | 10 ++ test/e2e/framework/framework.go | 18 ++- test/e2e/framework/influxdb.go | 6 +- test/e2e/framework/k8s.go | 41 ++++-- test/e2e/leaks/lua_ssl.go | 2 +- test/e2e/run-chart-test.sh | 2 +- test/e2e/run-e2e-suite.sh | 46 +------ test/e2e/run-kind-e2e.sh | 2 +- test/e2e/settings/configmap_change.go | 4 + test/e2e/settings/namespace_selector.go | 11 +- test/e2e/settings/ocsp/ocsp.go | 4 +- test/e2e/tcpudp/tcp.go | 129 ++++++++++-------- 20 files changed, 165 insertions(+), 252 deletions(-) diff --git a/Makefile b/Makefile index 25855a224..6037ac39d 100644 --- a/Makefile +++ b/Makefile @@ -31,7 +31,7 @@ TAG ?= $(shell cat TAG) # e2e settings # Allow limiting the scope of the e2e tests. By default run everything -FOCUS ?= .* +FOCUS ?= # number of parallel test E2E_NODES ?= 7 # run e2e test suite with tests that check for memory leaks? (default is false) diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go index b5731c4bf..7157332c3 100644 --- a/internal/ingress/controller/store/store.go +++ b/internal/ingress/controller/store/store.go @@ -701,7 +701,6 @@ func New( }, } - // TODO: add e2e test to verify that changes to one or more configmap trigger an update changeTriggerUpdate := func(name string) bool { return name == configmap || name == tcp || name == udp } diff --git a/internal/k8s/main.go b/internal/k8s/main.go index e0d2a1660..d61013a9f 100644 --- a/internal/k8s/main.go +++ b/internal/k8s/main.go @@ -78,7 +78,7 @@ func GetNodeIPOrName(kubeClient clientset.Interface, name string, useInternalIP var ( // IngressPodDetails hold information about the ingress-nginx pod IngressPodDetails *PodInfo - // IngressNodeDetails old information about the node running ingress-nginx pod + // IngressNodeDetails hold information about the node running ingress-nginx pod IngressNodeDetails *NodeInfo ) diff --git a/test/e2e-image/e2e.sh b/test/e2e-image/e2e.sh index ed13926fb..f8ecd5337 100755 --- a/test/e2e-image/e2e.sh +++ b/test/e2e-image/e2e.sh @@ -14,70 +14,39 @@ # See the License for the specific language governing permissions and # limitations under the License. -set -e +set -eu NC='\e[0m' BGREEN='\e[32m' -#SLOW_E2E_THRESHOLD=${SLOW_E2E_THRESHOLD:-"5s"} -FOCUS=${FOCUS:-.*} E2E_NODES=${E2E_NODES:-5} E2E_CHECK_LEAKS=${E2E_CHECK_LEAKS:-""} +reportFile="report-e2e-test-suite.xml" ginkgo_args=( - "-randomize-all" - "-flake-attempts=2" - "-fail-fast" - "--show-node-events" + "--fail-fast" + "--flake-attempts=2" + "--junit-report=${reportFile}" + "--nodes=${E2E_NODES}" "--poll-progress-after=180s" -# "-slow-spec-threshold=${SLOW_E2E_THRESHOLD}" - "-succinct" - "-timeout=75m" + "--randomize-all" + "--show-node-events" + "--succinct" + "--timeout=75m" ) -# Variable for the prefix of report filenames -reportFileNamePrefix="report-e2e-test-suite" - -echo -e "${BGREEN}Running e2e test suite (FOCUS=${FOCUS})...${NC}" -ginkgo "${ginkgo_args[@]}" \ - -focus="${FOCUS}" \ - -skip="\[Serial\]|\[MemoryLeak\]|\[TopologyHints\]" \ - -nodes="${E2E_NODES}" \ - --junit-report=$reportFileNamePrefix.xml \ - /e2e.test -# Create configMap out of a compressed report file for extraction later - -# Must be isolated, there is a collision if multiple helms tries to install same clusterRole at same time -echo -e "${BGREEN}Running e2e test for topology aware hints...${NC}" -ginkgo "${ginkgo_args[@]}" \ - -focus="\[TopologyHints\]" \ - -skip="\[Serial\]|\[MemoryLeak\]]" \ - -nodes="${E2E_NODES}" \ - --junit-report=$reportFileNamePrefix-topology.xml \ - /e2e.test -# Create configMap out of a compressed report file for extraction later - -echo -e "${BGREEN}Running e2e test suite with tests that require serial execution...${NC}" -ginkgo "${ginkgo_args[@]}" \ - -focus="\[Serial\]" \ - -skip="\[MemoryLeak\]" \ - --junit-report=$reportFileNamePrefix-serial.xml \ - /e2e.test -# Create configMap out of a compressed report file for extraction later - -if [[ ${E2E_CHECK_LEAKS} != "" ]]; then - echo -e "${BGREEN}Running e2e test suite with tests that check for memory leaks...${NC}" - ginkgo "${ginkgo_args[@]}" \ - -focus="\[MemoryLeak\]" \ - -skip="\[Serial\]" \ - --junit-report=$reportFileNamePrefix-memleak.xml \ - /e2e.test -# Create configMap out of a compressed report file for extraction later +if [ -n "${FOCUS}" ]; then + ginkgo_args+=("--focus=${FOCUS}") fi -for rFile in `ls $reportFileNamePrefix*` -do - gzip -k $rFile - kubectl create cm $rFile.gz --from-file $rFile.gz - kubectl label cm $rFile.gz junitreport=true -done +if [ -z "${E2E_CHECK_LEAKS}" ]; then + ginkgo_args+=("--skip=\[Memory Leak\]") +fi + +echo -e "${BGREEN}Running e2e test suite...${NC}" +(set -x; ginkgo "${ginkgo_args[@]}" /e2e.test) + +# Create configMap out of a compressed report file for extraction later +gzip -k ${reportFile} +kubectl create cm ${reportFile}.gz --from-file ${reportFile}.gz +kubectl label cm ${reportFile}.gz junitreport=true diff --git a/test/e2e-image/namespace-overlays/topology/values.yaml b/test/e2e-image/namespace-overlays/topology/values.yaml index 28b1cad19..5e27f7902 100644 --- a/test/e2e-image/namespace-overlays/topology/values.yaml +++ b/test/e2e-image/namespace-overlays/topology/values.yaml @@ -8,6 +8,7 @@ controller: digest: digestChroot: scope: + # Necessary to allow the ingress controller to get the topology information from the nodes enabled: false config: worker-processes: "1" @@ -19,12 +20,7 @@ controller: periodSeconds: 1 service: type: NodePort - electionID: ingress-controller-leader - ingressClassResource: - # We will create and remove each IC/ClusterRole/ClusterRoleBinding per test so there's no conflict - enabled: false extraArgs: - tcp-services-configmap: $NAMESPACE/tcp-services # e2e tests do not require information about ingress status update-status: "false" terminationGracePeriodSeconds: 1 @@ -33,19 +29,6 @@ controller: enableTopologyAwareRouting: true - # ulimit -c unlimited - # mkdir -p /tmp/coredump - # chmod a+rwx /tmp/coredump - # echo "/tmp/coredump/core.%e.%p.%h.%t" > /proc/sys/kernel/core_pattern - extraVolumeMounts: - - name: coredump - mountPath: /tmp/coredump - - extraVolumes: - - name: coredump - hostPath: - path: /tmp/coredump - rbac: create: true scope: false diff --git a/test/e2e/admission/admission.go b/test/e2e/admission/admission.go index bde98fddf..4a4e31980 100644 --- a/test/e2e/admission/admission.go +++ b/test/e2e/admission/admission.go @@ -32,7 +32,7 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) -var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() { +var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", func() { f := framework.NewDefaultFramework("admission") ginkgo.BeforeEach(func() { @@ -40,11 +40,6 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() { f.NewSlowEchoDeployment() }) - ginkgo.AfterEach(func() { - err := uninstallChart(f) - assert.Nil(ginkgo.GinkgoT(), err, "uninstalling helm chart") - }) - ginkgo.It("reject ingress with global-rate-limit annotations when memcached is not configured", func() { host := "admission-test" @@ -216,16 +211,6 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() { }) }) -func uninstallChart(f *framework.Framework) error { - cmd := exec.Command("helm", "uninstall", "--namespace", f.Namespace, "nginx-ingress") - _, err := cmd.CombinedOutput() - if err != nil { - return fmt.Errorf("unexpected error uninstalling ingress-nginx release: %v", err) - } - - return nil -} - const ( validV1Ingress = ` apiVersion: networking.k8s.io/v1 diff --git a/test/e2e/annotations/fastcgi.go b/test/e2e/annotations/fastcgi.go index 0dc6ae4a4..572eca548 100644 --- a/test/e2e/annotations/fastcgi.go +++ b/test/e2e/annotations/fastcgi.go @@ -21,7 +21,6 @@ import ( "strings" "github.com/onsi/ginkgo/v2" - "github.com/stretchr/testify/assert" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -81,9 +80,7 @@ var _ = framework.DescribeAnnotation("backend-protocol - FastCGI", func() { }, } - cm, err := f.EnsureConfigMap(configuration) - assert.Nil(ginkgo.GinkgoT(), err, "creating configmap") - assert.NotNil(ginkgo.GinkgoT(), cm, "expected a configmap but none returned") + f.EnsureConfigMap(configuration) host := "fastcgi-params-configmap" diff --git a/test/e2e/endpointslices/topology.go b/test/e2e/endpointslices/topology.go index ce913e966..7cc67cedb 100644 --- a/test/e2e/endpointslices/topology.go +++ b/test/e2e/endpointslices/topology.go @@ -21,7 +21,6 @@ import ( "encoding/json" "fmt" "net/http" - "os/exec" "strings" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -33,7 +32,7 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) -var _ = framework.IngressNginxDescribe("[TopologyHints] topology aware routing", func() { +var _ = framework.IngressNginxDescribeSerial("[TopologyHints] topology aware routing", func() { f := framework.NewDefaultFramework("topology") host := "topology-svc.foo.com" @@ -41,12 +40,6 @@ var _ = framework.IngressNginxDescribe("[TopologyHints] topology aware routing", f.NewEchoDeployment(framework.WithDeploymentReplicas(2), framework.WithSvcTopologyAnnotations()) }) - ginkgo.AfterEach(func() { - // we need to uninstall chart because of clusterRole which is not destroyed with namespace - err := uninstallChart(f) - assert.Nil(ginkgo.GinkgoT(), err, "uninstalling helm chart") - }) - ginkgo.It("should return 200 when service has topology hints", func() { annotations := make(map[string]string) @@ -100,13 +93,3 @@ var _ = framework.IngressNginxDescribe("[TopologyHints] topology aware routing", } }) }) - -func uninstallChart(f *framework.Framework) error { - cmd := exec.Command("helm", "uninstall", "--namespace", f.Namespace, "nginx-ingress") - _, err := cmd.CombinedOutput() - if err != nil { - return fmt.Errorf("unexpected error uninstalling ingress-nginx release: %v", err) - } - - return nil -} diff --git a/test/e2e/framework/exec.go b/test/e2e/framework/exec.go index 8c8c7ddb0..0284e768c 100644 --- a/test/e2e/framework/exec.go +++ b/test/e2e/framework/exec.go @@ -152,6 +152,16 @@ func (f *Framework) KubectlProxy(port int) (int, *exec.Cmd, error) { return -1, cmd, fmt.Errorf("failed to parse port from proxy stdout: %s", output) } +func (f *Framework) UninstallChart() error { + cmd := exec.Command("helm", "uninstall", "--namespace", f.Namespace, "nginx-ingress") + _, err := cmd.CombinedOutput() + if err != nil { + return fmt.Errorf("unexpected error uninstalling ingress-nginx release: %v", err) + } + + return nil +} + func startCmdAndStreamOutput(cmd *exec.Cmd) (stdout, stderr io.ReadCloser, err error) { stdout, err = cmd.StdoutPipe() if err != nil { diff --git a/test/e2e/framework/framework.go b/test/e2e/framework/framework.go index 662cd0879..cac6dfd20 100644 --- a/test/e2e/framework/framework.go +++ b/test/e2e/framework/framework.go @@ -150,7 +150,11 @@ func (f *Framework) AfterEach() { defer func(kubeClient kubernetes.Interface, ingressclass string) { defer ginkgo.GinkgoRecover() - err := deleteIngressClass(kubeClient, ingressclass) + + err := f.UninstallChart() + assert.Nil(ginkgo.GinkgoT(), err, "uninstalling helm chart") + + err = deleteIngressClass(kubeClient, ingressclass) assert.Nil(ginkgo.GinkgoT(), err, "deleting IngressClass") }(f.KubeClientSet, f.IngressClass) @@ -192,6 +196,11 @@ func IngressNginxDescribe(text string, body func()) bool { return ginkgo.Describe(text, body) } +// IngressNginxDescribeSerial wrapper function for ginkgo describe. Adds namespacing. +func IngressNginxDescribeSerial(text string, body func()) bool { + return ginkgo.Describe(text, ginkgo.Serial, body) +} + // DescribeAnnotation wrapper function for ginkgo describe. Adds namespacing. func DescribeAnnotation(text string, body func()) bool { return ginkgo.Describe("[Annotations] "+text, body) @@ -202,11 +211,6 @@ func DescribeSetting(text string, body func()) bool { return ginkgo.Describe("[Setting] "+text, body) } -// MemoryLeakIt is wrapper function for ginkgo It. Adds "[MemoryLeak]" tag and makes static analysis easier. -func MemoryLeakIt(text string, body interface{}) bool { - return ginkgo.It(text+" [MemoryLeak]", body) -} - // GetNginxIP returns the number of TCP port where NGINX is running func (f *Framework) GetNginxIP() string { s, err := f.KubeClientSet. @@ -387,7 +391,7 @@ func (f *Framework) UpdateNginxConfigMapData(key string, value string) { } // WaitForReload calls the passed function and -// asser it has caused at least 1 reload. +// asserts it has caused at least 1 reload. func (f *Framework) WaitForReload(fn func()) { initialReloadCount := getReloadCount(f.pod, f.Namespace, f.KubeClientSet) diff --git a/test/e2e/framework/influxdb.go b/test/e2e/framework/influxdb.go index c3c0e3421..43a5702e6 100644 --- a/test/e2e/framework/influxdb.go +++ b/test/e2e/framework/influxdb.go @@ -68,9 +68,7 @@ func (f *Framework) NewInfluxDBDeployment() { }, } - cm, err := f.EnsureConfigMap(configuration) - assert.Nil(ginkgo.GinkgoT(), err, "creating an Influxdb deployment") - assert.NotNil(ginkgo.GinkgoT(), cm, "expected a configmap but none returned") + f.EnsureConfigMap(configuration) deployment := &appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ @@ -136,7 +134,7 @@ func (f *Framework) NewInfluxDBDeployment() { d := f.EnsureDeployment(deployment) - err = waitForPodsReady(f.KubeClientSet, DefaultTimeout, 1, f.Namespace, metav1.ListOptions{ + err := waitForPodsReady(f.KubeClientSet, DefaultTimeout, 1, f.Namespace, metav1.ListOptions{ LabelSelector: fields.SelectorFromSet(fields.Set(d.Spec.Template.ObjectMeta.Labels)).String(), }) assert.Nil(ginkgo.GinkgoT(), err, "waiting for influxdb pod to become ready") diff --git a/test/e2e/framework/k8s.go b/test/e2e/framework/k8s.go index ef9c522d6..fc3e59b08 100644 --- a/test/e2e/framework/k8s.go +++ b/test/e2e/framework/k8s.go @@ -25,9 +25,7 @@ import ( "github.com/onsi/ginkgo/v2" "github.com/stretchr/testify/assert" appsv1 "k8s.io/api/apps/v1" - api "k8s.io/api/core/v1" core "k8s.io/api/core/v1" - v1 "k8s.io/api/core/v1" networking "k8s.io/api/networking/v1" k8sErrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -36,8 +34,8 @@ import ( "k8s.io/client-go/kubernetes" ) -// EnsureSecret creates a Secret object or returns it if it already exists. -func (f *Framework) EnsureSecret(secret *api.Secret) *api.Secret { +// EnsureSecret creates a Secret object or returns it. +func (f *Framework) EnsureSecret(secret *core.Secret) *core.Secret { err := createSecretWithRetries(f.KubeClientSet, secret.Namespace, secret) assert.Nil(ginkgo.GinkgoT(), err, "creating secret") @@ -48,17 +46,30 @@ func (f *Framework) EnsureSecret(secret *api.Secret) *api.Secret { return s } -// EnsureConfigMap creates a ConfigMap object or returns it if it already exists. -func (f *Framework) EnsureConfigMap(configMap *api.ConfigMap) (*api.ConfigMap, error) { - cm, err := f.KubeClientSet.CoreV1().ConfigMaps(configMap.Namespace).Create(context.TODO(), configMap, metav1.CreateOptions{}) - if err != nil { - if k8sErrors.IsAlreadyExists(err) { - return f.KubeClientSet.CoreV1().ConfigMaps(configMap.Namespace).Update(context.TODO(), configMap, metav1.UpdateOptions{}) - } - return nil, err +// GetConfigMap gets a ConfigMap object from the given namespace, name and returns it, throws error if it does not exist. +func (f *Framework) GetConfigMap(namespace string, name string) *core.ConfigMap { + cm, err := f.KubeClientSet.CoreV1().ConfigMaps(namespace).Get(context.TODO(), name, metav1.GetOptions{}) + assert.Nil(ginkgo.GinkgoT(), err, "getting configmap") + assert.NotNil(ginkgo.GinkgoT(), cm, "expected a configmap but none returned") + return cm +} + +// EnsureConfigMap creates or updates an existing ConfigMap object or returns it. +func (f *Framework) EnsureConfigMap(configMap *core.ConfigMap) *core.ConfigMap { + cm := configMap.DeepCopy() + // Clean out ResourceVersion field if present + if cm.ObjectMeta.ResourceVersion != "" { + cm.ObjectMeta.ResourceVersion = "" } - return cm, nil + res, err := f.KubeClientSet.CoreV1().ConfigMaps(configMap.Namespace).Create(context.TODO(), cm, metav1.CreateOptions{}) + if k8sErrors.IsAlreadyExists(err) { + res, err = f.KubeClientSet.CoreV1().ConfigMaps(configMap.Namespace).Update(context.TODO(), cm, metav1.UpdateOptions{}) + } + assert.Nil(ginkgo.GinkgoT(), err, "updating configmap") + assert.NotNil(ginkgo.GinkgoT(), res, "updating configmap") + + return res } // GetIngress gets an Ingress object from the given namespace, name and returns it, throws error if it does not exists. @@ -293,7 +304,7 @@ func createDeploymentWithRetries(c kubernetes.Interface, namespace string, obj * return retryWithExponentialBackOff(createFunc) } -func createSecretWithRetries(c kubernetes.Interface, namespace string, obj *v1.Secret) error { +func createSecretWithRetries(c kubernetes.Interface, namespace string, obj *core.Secret) error { if obj == nil { return fmt.Errorf("Object provided to create is empty") } @@ -313,7 +324,7 @@ func createSecretWithRetries(c kubernetes.Interface, namespace string, obj *v1.S return retryWithExponentialBackOff(createFunc) } -func createServiceWithRetries(c kubernetes.Interface, namespace string, obj *v1.Service) error { +func createServiceWithRetries(c kubernetes.Interface, namespace string, obj *core.Service) error { if obj == nil { return fmt.Errorf("Object provided to create is empty") } diff --git a/test/e2e/leaks/lua_ssl.go b/test/e2e/leaks/lua_ssl.go index 8ebd05ccb..e63a1e353 100644 --- a/test/e2e/leaks/lua_ssl.go +++ b/test/e2e/leaks/lua_ssl.go @@ -39,7 +39,7 @@ var _ = framework.IngressNginxDescribe("[Memory Leak] Dynamic Certificates", fun f.NewEchoDeployment() }) - framework.MemoryLeakIt("should not leak memory from ingress SSL certificates or configuration updates", func() { + ginkgo.It("should not leak memory from ingress SSL certificates or configuration updates", func() { hostCount := 1000 iterations := 10 diff --git a/test/e2e/run-chart-test.sh b/test/e2e/run-chart-test.sh index e501ca6fe..d01ab4486 100755 --- a/test/e2e/run-chart-test.sh +++ b/test/e2e/run-chart-test.sh @@ -78,7 +78,7 @@ fi if [ "${SKIP_IMAGE_CREATION:-false}" = "false" ]; then if ! command -v ginkgo &> /dev/null; then - go get github.com/onsi/ginkgo/v2/ginkgo@v2.6.1 + go install github.com/onsi/ginkgo/v2/ginkgo@v2.6.1 fi echo "[dev-env] building image" make -C ${DIR}/../../ clean-image build image diff --git a/test/e2e/run-e2e-suite.sh b/test/e2e/run-e2e-suite.sh index 7920c0523..b1de8bf9a 100755 --- a/test/e2e/run-e2e-suite.sh +++ b/test/e2e/run-e2e-suite.sh @@ -49,15 +49,9 @@ if [ "$missing" = true ]; then exit 1 fi -E2E_CHECK_LEAKS=${E2E_CHECK_LEAKS:-} -FOCUS=${FOCUS:-.*} - BASEDIR=$(dirname "$0") NGINX_BASE_IMAGE=$(cat $BASEDIR/../../NGINX_BASE) -export E2E_CHECK_LEAKS -export FOCUS - echo -e "${BGREEN}Granting permissions to ingress-nginx e2e service account...${NC}" kubectl create serviceaccount ingress-nginx-e2e || true kubectl create clusterrolebinding permissive-binding \ @@ -66,7 +60,6 @@ kubectl create clusterrolebinding permissive-binding \ --user=kubelet \ --serviceaccount=default:ingress-nginx-e2e || true - VER=$(kubectl version --client=false -o json |jq '.serverVersion.minor |tonumber') if [ $VER -lt 24 ]; then echo -e "${BGREEN}Waiting service account...${NC}"; \ @@ -76,7 +69,6 @@ if [ $VER -lt 24 ]; then done fi - echo -e "Starting the e2e test pod" kubectl run --rm \ @@ -90,38 +82,10 @@ kubectl run --rm \ e2e --image=nginx-ingress-controller:e2e # Get the junit-reports stored in the configMaps created during e2etests -echo "Getting the report files out now.." +echo "Getting the report file out now.." reportsDir="test/junitreports" -reportFileName="report-e2e-test-suite" -[ ! -e ${reportsDir} ] && mkdir $reportsDir +reportFile="report-e2e-test-suite.xml.gz" +mkdir -p $reportsDir cd $reportsDir - -# TODO: Seeking Rikatz help here to extract in a loop. Tried things like below without success -#for cmName in `k get cm -l junitreport=true -o json | jq '.items[].binaryData | keys[]' | tr '\"' ' '` -#do -# -# -# kubectl get cm -l junitreport=true -o json | jq -r '[.items[].binaryData | to_entries[] | {"key": .key, "value": .value }] | from_entries' -# - -# Below lines successfully extract the report but they are one line per report. -# We only have 3 ginkgo reports so its ok for now -# But still, ideally this should be a loop as talked about in comments a few lines above -kubectl get cm $reportFileName.xml.gz -o "jsonpath={.binaryData['report-e2e-test-suite\.xml\.gz']}" > $reportFileName.xml.gz.base64 -kubectl get cm $reportFileName-serial.xml.gz -o "jsonpath={.binaryData['report-e2e-test-suite-serial\.xml\.gz']}" > $reportFileName-serial.xml.gz.base64 - -cat $reportFileName.xml.gz.base64 | base64 -d > $reportFileName.xml.gz -cat $reportFileName-serial.xml.gz.base64 | base64 -d > $reportFileName-serial.xml.gz - -gzip -d $reportFileName.xml.gz -gzip -d $reportFileName-serial.xml.gz - -rm *.base64 -cd ../.. - -# TODO Temporary: if condition to check if the memleak cm exists and only then try the extract for the memleak report -# -#kubectl get cm $reportFileName-serial -o "jsonpath={.data['report-e2e-test-suite-memleak\.xml\.gz']}" > $reportFileName-memleak.base64 -#cat $reportFileName-memleak.base64 | base64 -d > $reportFileName-memleak.xml.gz -#gzip -d $reportFileName-memleak.xml.gz -echo "done getting the reports files out.." +kubectl get cm $reportFile -o "jsonpath={.binaryData['${reportFile//\./\\.}']}" | base64 -d | gunzip > ${reportFile%\.gz} +echo "done getting the report file out.." diff --git a/test/e2e/run-kind-e2e.sh b/test/e2e/run-kind-e2e.sh index bb61706b4..df927bd1c 100755 --- a/test/e2e/run-kind-e2e.sh +++ b/test/e2e/run-kind-e2e.sh @@ -95,7 +95,7 @@ fi if [ "${SKIP_E2E_IMAGE_CREATION}" = "false" ]; then if ! command -v ginkgo &> /dev/null; then - go get github.com/onsi/ginkgo/v2/ginkgo@v2.6.1 + go install github.com/onsi/ginkgo/v2/ginkgo@v2.6.1 fi echo "[dev-env] .. done building controller images" diff --git a/test/e2e/settings/configmap_change.go b/test/e2e/settings/configmap_change.go index be3ab0b11..3e37b62cd 100644 --- a/test/e2e/settings/configmap_change.go +++ b/test/e2e/settings/configmap_change.go @@ -73,5 +73,9 @@ var _ = framework.DescribeSetting("Configmap change", func() { return strings.ContainsAny(cfg, "error_log /var/log/nginx/error.log debug;") }) assert.NotEqual(ginkgo.GinkgoT(), checksum, newChecksum) + + logs, err := f.NginxLogs() + assert.Nil(ginkgo.GinkgoT(), err, "obtaining nginx logs") + assert.Contains(ginkgo.GinkgoT(), logs, "Backend successfully reloaded") }) }) diff --git a/test/e2e/settings/namespace_selector.go b/test/e2e/settings/namespace_selector.go index a23514dca..3bf856566 100644 --- a/test/e2e/settings/namespace_selector.go +++ b/test/e2e/settings/namespace_selector.go @@ -27,7 +27,7 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) -var _ = framework.IngressNginxDescribe("[Flag] watch namespace selector", func() { +var _ = framework.IngressNginxDescribeSerial("[Flag] watch namespace selector", func() { f := framework.NewDefaultFramework("namespace-selector") notMatchedHost, matchedHost := "bar", "foo" var notMatchedNs string @@ -45,7 +45,7 @@ var _ = framework.IngressNginxDescribe("[Flag] watch namespace selector", func() cleanupNamespace := func(ns string) { err := framework.DeleteKubeNamespace(f.KubeClientSet, ns) - assert.Nil(ginkgo.GinkgoT(), err, "deleting temporarily crated namespace") + assert.Nil(ginkgo.GinkgoT(), err, "deleting temporarily created namespace") } ginkgo.BeforeEach(func() { @@ -56,13 +56,6 @@ var _ = framework.IngressNginxDescribe("[Flag] watch namespace selector", func() ginkgo.AfterEach(func() { cleanupNamespace(notMatchedNs) cleanupNamespace(matchedNs) - - // cleanup clusterrole/clusterrolebinding created by installing chart with controller.scope.enabled=false - err := f.KubeClientSet.RbacV1().ClusterRoles().Delete(context.TODO(), "nginx-ingress", metav1.DeleteOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "deleting clusterrole nginx-ingress") - - err = f.KubeClientSet.RbacV1().ClusterRoleBindings().Delete(context.TODO(), "nginx-ingress", metav1.DeleteOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "deleting clusterrolebinging nginx-ingress") }) ginkgo.Context("With specific watch-namespace-selector flags", func() { diff --git a/test/e2e/settings/ocsp/ocsp.go b/test/e2e/settings/ocsp/ocsp.go index ea137aeb1..adf4351e7 100644 --- a/test/e2e/settings/ocsp/ocsp.go +++ b/test/e2e/settings/ocsp/ocsp.go @@ -85,7 +85,7 @@ var _ = framework.DescribeSetting("OCSP", func() { cfsslDB, err := os.ReadFile("empty.db") assert.Nil(ginkgo.GinkgoT(), err) - cmap, err := f.EnsureConfigMap(&corev1.ConfigMap{ + f.EnsureConfigMap(&corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: "ocspserve", Namespace: f.Namespace, @@ -95,8 +95,6 @@ var _ = framework.DescribeSetting("OCSP", func() { "db-config.json": []byte(`{"driver":"sqlite3","data_source":"/data/empty.db"}`), }, }) - assert.Nil(ginkgo.GinkgoT(), err) - assert.NotNil(ginkgo.GinkgoT(), cmap) d, s := ocspserveDeployment(f.Namespace) f.EnsureDeployment(d) diff --git a/test/e2e/tcpudp/tcp.go b/test/e2e/tcpudp/tcp.go index b62134a03..16a633b63 100644 --- a/test/e2e/tcpudp/tcp.go +++ b/test/e2e/tcpudp/tcp.go @@ -21,6 +21,7 @@ import ( "fmt" "net" "net/http" + "regexp" "strings" "time" @@ -36,58 +37,39 @@ import ( var _ = framework.IngressNginxDescribe("[TCP] tcp-services", func() { f := framework.NewDefaultFramework("tcp") + var ip string + + ginkgo.BeforeEach(func() { + ip = f.GetNginxIP() + }) ginkgo.It("should expose a TCP service", func() { f.NewEchoDeployment() - config, err := f.KubeClientSet. - CoreV1(). - ConfigMaps(f.Namespace). - Get(context.TODO(), "tcp-services", metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error obtaining tcp-services configmap") - assert.NotNil(ginkgo.GinkgoT(), config, "expected a configmap but none returned") - - if config.Data == nil { - config.Data = map[string]string{} + cm := f.GetConfigMap(f.Namespace, "tcp-services") + cm.Data = map[string]string{ + "8080": fmt.Sprintf("%v/%v:80", f.Namespace, framework.EchoService), } + f.EnsureConfigMap(cm) - config.Data["8080"] = fmt.Sprintf("%v/%v:80", f.Namespace, framework.EchoService) - - _, err = f.KubeClientSet. - CoreV1(). - ConfigMaps(f.Namespace). - Update(context.TODO(), config, metav1.UpdateOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error updating configmap") - - svc, err := f.KubeClientSet. - CoreV1(). - Services(f.Namespace). - Get(context.TODO(), "nginx-ingress-controller", metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error obtaining ingress-nginx service") - assert.NotNil(ginkgo.GinkgoT(), svc, "expected a service but none returned") - + svc := f.GetService(f.Namespace, "nginx-ingress-controller") svc.Spec.Ports = append(svc.Spec.Ports, corev1.ServicePort{ Name: framework.EchoService, Port: 8080, TargetPort: intstr.FromInt(8080), }) - _, err = f.KubeClientSet. + _, err := f.KubeClientSet. CoreV1(). Services(f.Namespace). Update(context.TODO(), svc, metav1.UpdateOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error updating service") - // wait for update and nginx reload and new endpoint is available - framework.Sleep() - f.WaitForNginxConfiguration( func(cfg string) bool { return strings.Contains(cfg, fmt.Sprintf(`ngx.var.proxy_upstream_name="tcp-%v-%v-80"`, f.Namespace, framework.EchoService)) }) - ip := f.GetNginxIP() - f.HTTPTestClient(). GET("/"). WithURL(fmt.Sprintf("http://%v:8080", ip)). @@ -122,44 +104,25 @@ var _ = framework.IngressNginxDescribe("[TCP] tcp-services", func() { } f.EnsureService(externalService) - // Expose the `external name` port on the `ingress-nginx` service - svc, err := f.KubeClientSet. - CoreV1(). - Services(f.Namespace). - Get(context.TODO(), "nginx-ingress-controller", metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error obtaining ingress-nginx service") - assert.NotNil(ginkgo.GinkgoT(), svc, "expected a service but none returned") - + // Expose the `external name` port on the `ingress-nginx-controller` service + svc := f.GetService(f.Namespace, "nginx-ingress-controller") svc.Spec.Ports = append(svc.Spec.Ports, corev1.ServicePort{ Name: "dns-svc", Port: 5353, TargetPort: intstr.FromInt(5353), }) - _, err = f.KubeClientSet. + _, err := f.KubeClientSet. CoreV1(). Services(f.Namespace). Update(context.TODO(), svc, metav1.UpdateOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error updating service") // Update the TCP configmap to link port 5353 to the DNS external name service - config, err := f.KubeClientSet. - CoreV1(). - ConfigMaps(f.Namespace). - Get(context.TODO(), "tcp-services", metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error obtaining tcp-services configmap") - assert.NotNil(ginkgo.GinkgoT(), config, "expected a configmap but none returned") - - if config.Data == nil { - config.Data = map[string]string{} + config := f.GetConfigMap(f.Namespace, "tcp-services") + config.Data = map[string]string{ + "5353": fmt.Sprintf("%v/dns-external-name-svc:5353", f.Namespace), } - - config.Data["5353"] = fmt.Sprintf("%v/dns-external-name-svc:5353", f.Namespace) - - _, err = f.KubeClientSet. - CoreV1(). - ConfigMaps(f.Namespace). - Update(context.TODO(), config, metav1.UpdateOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error updating configmap") + f.EnsureConfigMap(config) // Validate that the generated nginx config contains the expected `proxy_upstream_name` value f.WaitForNginxConfiguration( @@ -168,7 +131,6 @@ var _ = framework.IngressNginxDescribe("[TCP] tcp-services", func() { }) // Execute the test. Use the `external name` service to resolve a domain name. - ip := f.GetNginxIP() resolver := net.Resolver{ PreferGo: true, Dial: func(ctx context.Context, network, address string) (net.Conn, error) { @@ -203,4 +165,57 @@ var _ = framework.IngressNginxDescribe("[TCP] tcp-services", func() { assert.Nil(ginkgo.GinkgoT(), err, "unexpected error from DNS resolver") assert.Contains(ginkgo.GinkgoT(), ips, "8.8.4.4") }) + + ginkgo.It("should reload after an update in the configuration", func() { + + ginkgo.By("setting up a first deployment") + f.NewEchoDeployment(framework.WithDeploymentName("first-service")) + + cm := f.GetConfigMap(f.Namespace, "tcp-services") + cm.Data = map[string]string{ + "8080": fmt.Sprintf("%v/first-service:80", f.Namespace), + } + f.EnsureConfigMap(cm) + + checksumRegex := regexp.MustCompile(`Configuration checksum:\s+(\d+)`) + checksum := "" + + f.WaitForNginxConfiguration( + func(cfg string) bool { + // before returning, extract the current checksum + match := checksumRegex.FindStringSubmatch(cfg) + if len(match) > 0 { + checksum = match[1] + } + + return strings.Contains(cfg, fmt.Sprintf(`ngx.var.proxy_upstream_name="tcp-%v-first-service-80"`, + f.Namespace)) + }) + assert.NotEmpty(ginkgo.GinkgoT(), checksum) + + ginkgo.By("updating the tcp service to a second deployment") + f.NewEchoDeployment(framework.WithDeploymentName("second-service")) + + cm = f.GetConfigMap(f.Namespace, "tcp-services") + cm.Data["8080"] = fmt.Sprintf("%v/second-service:80", f.Namespace) + f.EnsureConfigMap(cm) + + newChecksum := "" + f.WaitForNginxConfiguration( + func(cfg string) bool { + match := checksumRegex.FindStringSubmatch(cfg) + if len(match) > 0 { + newChecksum = match[1] + } + + return strings.Contains(cfg, fmt.Sprintf(`ngx.var.proxy_upstream_name="tcp-%v-second-service-80"`, + f.Namespace)) + }) + assert.NotEqual(ginkgo.GinkgoT(), checksum, newChecksum) + + logs, err := f.NginxLogs() + assert.Nil(ginkgo.GinkgoT(), err, "obtaining nginx logs") + assert.Contains(ginkgo.GinkgoT(), logs, "Backend successfully reloaded") + }) + }) From 4aef45c17734d7dcba32a2032f97ac604c59d7bd Mon Sep 17 00:00:00 2001 From: Toon Schoenmakers Date: Fri, 17 Feb 2023 22:48:10 +0100 Subject: [PATCH 186/405] controller: Don't panic when ready condition in a endpointslice is missing (#9550) --- internal/ingress/controller/endpointslices.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/ingress/controller/endpointslices.go b/internal/ingress/controller/endpointslices.go index 34d5266dd..56e7a2dcb 100644 --- a/internal/ingress/controller/endpointslices.go +++ b/internal/ingress/controller/endpointslices.go @@ -128,7 +128,7 @@ func getEndpointsFromSlices(s *corev1.Service, port *corev1.ServicePort, proto c } for _, ep := range eps.Endpoints { - if !(*ep.Conditions.Ready) { + if (ep.Conditions.Ready != nil) && !(*ep.Conditions.Ready) { continue } epHasZone := false From 9126401eebf81e75bed25b5c7a1d0bbf94e2ecb6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 17 Feb 2023 16:00:03 -0800 Subject: [PATCH 187/405] Bump golang.org/x/net in /images/kube-webhook-certgen/rootfs (#9645) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.1.0 to 0.7.0. - [Release notes](https://github.com/golang/net/releases) - [Commits](https://github.com/golang/net/compare/v0.1.0...v0.7.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- images/kube-webhook-certgen/rootfs/go.mod | 8 ++++---- images/kube-webhook-certgen/rootfs/go.sum | 20 ++++++++------------ 2 files changed, 12 insertions(+), 16 deletions(-) diff --git a/images/kube-webhook-certgen/rootfs/go.mod b/images/kube-webhook-certgen/rootfs/go.mod index b98adf58b..a6e2b7ed2 100644 --- a/images/kube-webhook-certgen/rootfs/go.mod +++ b/images/kube-webhook-certgen/rootfs/go.mod @@ -29,11 +29,11 @@ require ( github.com/pkg/errors v0.9.1 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/tidwall/gjson v1.14.0 // indirect - golang.org/x/net v0.1.0 // indirect + golang.org/x/net v0.7.0 // indirect golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect - golang.org/x/sys v0.1.0 // indirect - golang.org/x/term v0.1.0 // indirect - golang.org/x/text v0.4.0 // indirect + golang.org/x/sys v0.5.0 // indirect + golang.org/x/term v0.5.0 // indirect + golang.org/x/text v0.7.0 // indirect golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect google.golang.org/appengine v1.6.5 // indirect google.golang.org/protobuf v1.26.0 // indirect diff --git a/images/kube-webhook-certgen/rootfs/go.sum b/images/kube-webhook-certgen/rootfs/go.sum index 0270e3297..7817b7f29 100644 --- a/images/kube-webhook-certgen/rootfs/go.sum +++ b/images/kube-webhook-certgen/rootfs/go.sum @@ -89,7 +89,6 @@ github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25Kn github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/emicklei/go-restful v2.16.0+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= @@ -484,8 +483,8 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0= -golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= +golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g= +golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -545,16 +544,14 @@ golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U= -golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw= -golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -562,8 +559,8 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg= -golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -708,7 +705,6 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo= gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0 h1:hjy8E9ON/egN1tAYqKb61G10WtihqetD4sz2H+8nIeA= gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= From d21ae2dbf6810158e912dcba0ef5f5775f823978 Mon Sep 17 00:00:00 2001 From: Long Wu Yuan Date: Sat, 18 Feb 2023 17:11:37 +0530 Subject: [PATCH 188/405] changed v1.6.3 to v1.6.4 on deploy docs (#9647) --- docs/deploy/index.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/docs/deploy/index.md b/docs/deploy/index.md index 57df7a215..49340e2f5 100644 --- a/docs/deploy/index.md +++ b/docs/deploy/index.md @@ -62,7 +62,7 @@ It will install the controller in the `ingress-nginx` namespace, creating that n **If you don't have Helm** or if you prefer to use a YAML manifest, you can run the following command instead: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.3/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.4/deploy/static/provider/cloud/deploy.yaml ``` !!! info @@ -225,7 +225,7 @@ In AWS, we use a Network load balancer (NLB) to expose the NGINX Ingress control ##### Network Load Balancer (NLB) ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.3/deploy/static/provider/aws/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.4/deploy/static/provider/aws/deploy.yaml ``` ##### TLS termination in AWS Load Balancer (NLB) @@ -233,10 +233,10 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS using an NLB. -1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.3/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template +1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.4/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template ```console - wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.3/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml + wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.4/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml ``` 2. Edit the file and change the VPC CIDR in use for the Kubernetes cluster: @@ -282,7 +282,7 @@ Then, the ingress controller can be installed like this: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.3/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.4/deploy/static/provider/cloud/deploy.yaml ``` !!! warning @@ -299,7 +299,7 @@ Proxy-protocol is supported in GCE check the [Official Documentations on how to #### Azure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.3/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.4/deploy/static/provider/cloud/deploy.yaml ``` More information with regard to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller). @@ -307,7 +307,7 @@ More information with regard to Azure annotations for ingress controller can be #### Digital Ocean ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.3/deploy/static/provider/do/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.4/deploy/static/provider/do/deploy.yaml ``` - By default the service object of the ingress-nginx-controller for Digital-Ocean, only configures one annotation. Its this one `service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"`. While this makes the service functional, it was reported that the Digital-Ocean LoadBalancer graphs shows `no data`, unless a few other annotations are also configured. Some of these other annotations require values that can not be generic and hence not forced in a out-of-the-box installation. These annotations and a discussion on them is well documented in [this issue](https://github.com/kubernetes/ingress-nginx/issues/8965). Please refer to the issue to add annotations, with values specific to user, to get graphs of the DO-LB populated with data. @@ -315,7 +315,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont #### Scaleway ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.3/deploy/static/provider/scw/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.4/deploy/static/provider/scw/deploy.yaml ``` #### Exoscale @@ -330,7 +330,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale #### Oracle Cloud Infrastructure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.3/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.4/deploy/static/provider/cloud/deploy.yaml ``` A @@ -357,7 +357,7 @@ For quick testing, you can use a This should work on almost every cluster, but it will typically use a port in the range 30000-32767. ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.3/deploy/static/provider/baremetal/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.4/deploy/static/provider/baremetal/deploy.yaml ``` For more information about bare metal deployments (and how to use port 80 instead of a random port in the 30000-32767 range), @@ -429,4 +429,4 @@ of the NGINX Ingress Controller (e.g. version 0.49). The Helm chart of the NGINX Ingress Controller switched to version 1 in version 4 of the chart. In other words, if you're running Kubernetes 1.19 or earlier, you should use version 3.X of the chart (this can be done by adding -`--version='<4'` to the `helm install` command). +`--version='<4'` to the `helm install` command ). From c5d73d58c69f71a8d1aecad6b5c15b5ede4a23e8 Mon Sep 17 00:00:00 2001 From: Mitsuo Heijo <25817501+johejo@users.noreply.github.com> Date: Thu, 23 Feb 2023 00:27:57 +0900 Subject: [PATCH 189/405] migrate mitchellh/hashstructure to v2 (#9651) --- go.mod | 2 +- go.sum | 4 ++-- internal/ingress/controller/controller.go | 4 ++-- internal/ingress/controller/template/configmap.go | 4 ++-- internal/ingress/controller/template/configmap_test.go | 8 ++++---- 5 files changed, 11 insertions(+), 11 deletions(-) diff --git a/go.mod b/go.mod index d942c1637..2b51cda17 100644 --- a/go.mod +++ b/go.mod @@ -10,7 +10,7 @@ require ( github.com/json-iterator/go v1.1.12 github.com/kylelemons/godebug v1.1.0 github.com/mitchellh/go-ps v1.0.0 - github.com/mitchellh/hashstructure v1.1.0 + github.com/mitchellh/hashstructure/v2 v2.0.2 github.com/mitchellh/mapstructure v1.5.0 github.com/moul/pb v0.0.0-20220425114252-bca18df4138c github.com/ncabatoff/process-exporter v0.7.10 diff --git a/go.sum b/go.sum index b1f6269a6..fe147d4a5 100644 --- a/go.sum +++ b/go.sum @@ -248,8 +248,8 @@ github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zk github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc= github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg= -github.com/mitchellh/hashstructure v1.1.0 h1:P6P1hdjqAAknpY/M1CGipelZgp+4y9ja9kmUZPXP+H0= -github.com/mitchellh/hashstructure v1.1.0/go.mod h1:xUDAozZz0Wmdiufv0uyhnHkUTN6/6d8ulp4AwfLKrmA= +github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4= +github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mmarkdown/mmark v2.0.40+incompatible h1:vMeUeDzBK3H+/mU0oMVfMuhSXJlIA+DE/DMPQNAj5C4= diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index a77d2ff37..1914765d8 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -23,7 +23,7 @@ import ( "strings" "time" - "github.com/mitchellh/hashstructure" + "github.com/mitchellh/hashstructure/v2" apiv1 "k8s.io/api/core/v1" networking "k8s.io/api/networking/v1" apiequality "k8s.io/apimachinery/pkg/api/equality" @@ -187,7 +187,7 @@ func (n *NGINXController) syncIngress(interface{}) error { if !utilingress.IsDynamicConfigurationEnough(pcfg, n.runningConfig) { klog.InfoS("Configuration changes detected, backend reload required") - hash, _ := hashstructure.Hash(pcfg, &hashstructure.HashOptions{ + hash, _ := hashstructure.Hash(pcfg, hashstructure.FormatV1, &hashstructure.HashOptions{ TagName: "json", }) diff --git a/internal/ingress/controller/template/configmap.go b/internal/ingress/controller/template/configmap.go index 61e8e4998..c73f3b6c0 100644 --- a/internal/ingress/controller/template/configmap.go +++ b/internal/ingress/controller/template/configmap.go @@ -26,7 +26,7 @@ import ( "k8s.io/klog/v2" - "github.com/mitchellh/hashstructure" + "github.com/mitchellh/hashstructure/v2" "github.com/mitchellh/mapstructure" "k8s.io/apimachinery/pkg/util/sets" @@ -431,7 +431,7 @@ func ReadConfig(src map[string]string) config.Configuration { klog.Warningf("unexpected error merging defaults: %v", err) } - hash, err := hashstructure.Hash(to, &hashstructure.HashOptions{ + hash, err := hashstructure.Hash(to, hashstructure.FormatV1, &hashstructure.HashOptions{ TagName: "json", }) if err != nil { diff --git a/internal/ingress/controller/template/configmap_test.go b/internal/ingress/controller/template/configmap_test.go index ebe55d192..dad841694 100644 --- a/internal/ingress/controller/template/configmap_test.go +++ b/internal/ingress/controller/template/configmap_test.go @@ -23,7 +23,7 @@ import ( "time" "github.com/kylelemons/godebug/pretty" - "github.com/mitchellh/hashstructure" + "github.com/mitchellh/hashstructure/v2" "k8s.io/ingress-nginx/internal/ingress/annotations/authreq" "k8s.io/ingress-nginx/internal/ingress/controller/config" @@ -104,7 +104,7 @@ func TestMergeConfigMapToStruct(t *testing.T) { def.DefaultType = "text/plain" def.DebugConnections = []string{"127.0.0.1", "1.1.1.1/24", "::1"} - hash, err := hashstructure.Hash(def, &hashstructure.HashOptions{ + hash, err := hashstructure.Hash(def, hashstructure.FormatV1, &hashstructure.HashOptions{ TagName: "json", }) if err != nil { @@ -134,7 +134,7 @@ func TestMergeConfigMapToStruct(t *testing.T) { def.LuaSharedDicts = defaultLuaSharedDicts def.DisableIpv6DNS = true - hash, err = hashstructure.Hash(def, &hashstructure.HashOptions{ + hash, err = hashstructure.Hash(def, hashstructure.FormatV1, &hashstructure.HashOptions{ TagName: "json", }) if err != nil { @@ -155,7 +155,7 @@ func TestMergeConfigMapToStruct(t *testing.T) { def.WhitelistSourceRange = []string{"1.1.1.1/32"} def.DisableIpv6DNS = true - hash, err = hashstructure.Hash(def, &hashstructure.HashOptions{ + hash, err = hashstructure.Hash(def, hashstructure.FormatV1, &hashstructure.HashOptions{ TagName: "json", }) if err != nil { From 6865ee0fba2d0f4256463d3fce747d89d4c69698 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 22 Feb 2023 07:37:57 -0800 Subject: [PATCH 190/405] Bump golang.org/x/net from 0.6.0 to 0.7.0 (#9646) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.6.0 to 0.7.0. - [Release notes](https://github.com/golang/net/releases) - [Commits](https://github.com/golang/net/compare/v0.6.0...v0.7.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 2b51cda17..2b485801f 100644 --- a/go.mod +++ b/go.mod @@ -99,7 +99,7 @@ require ( github.com/yudai/pp v2.0.1+incompatible // indirect go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect golang.org/x/mod v0.7.0 // indirect - golang.org/x/net v0.6.0 // indirect + golang.org/x/net v0.7.0 // indirect golang.org/x/oauth2 v0.4.0 // indirect golang.org/x/sys v0.5.0 // indirect golang.org/x/term v0.5.0 // indirect diff --git a/go.sum b/go.sum index fe147d4a5..741fa7b5b 100644 --- a/go.sum +++ b/go.sum @@ -471,8 +471,8 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.6.0 h1:L4ZwwTvKW9gr0ZMS1yrHD9GZhIuVjOBBnaKH+SPQK0Q= -golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g= +golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= From 33b3dc32153699517908404099cff779dac0b296 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 22 Feb 2023 07:39:57 -0800 Subject: [PATCH 191/405] Bump github.com/prometheus/common from 0.39.0 to 0.40.0 (#9653) Bumps [github.com/prometheus/common](https://github.com/prometheus/common) from 0.39.0 to 0.40.0. - [Release notes](https://github.com/prometheus/common/releases) - [Commits](https://github.com/prometheus/common/compare/v0.39.0...v0.40.0) --- updated-dependencies: - dependency-name: github.com/prometheus/common dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 2b485801f..8c4a7123c 100644 --- a/go.mod +++ b/go.mod @@ -19,7 +19,7 @@ require ( github.com/pmezard/go-difflib v1.0.0 github.com/prometheus/client_golang v1.14.0 github.com/prometheus/client_model v0.3.0 - github.com/prometheus/common v0.39.0 + github.com/prometheus/common v0.40.0 github.com/spf13/cobra v1.6.1 github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.8.1 diff --git a/go.sum b/go.sum index 741fa7b5b..31c11e5a4 100644 --- a/go.sum +++ b/go.sum @@ -320,8 +320,8 @@ github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y8 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= github.com/prometheus/common v0.29.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= -github.com/prometheus/common v0.39.0 h1:oOyhkDq05hPZKItWVBkJ6g6AtGxi+fy7F4JvUV8uhsI= -github.com/prometheus/common v0.39.0/go.mod h1:6XBZ7lYdLCbkAVhwRsWTZn+IN5AB9F/NXd5w0BbEX0Y= +github.com/prometheus/common v0.40.0 h1:Afz7EVRqGg2Mqqf4JuF9vdvp1pi220m55Pi9T2JnO4Q= +github.com/prometheus/common v0.40.0/go.mod h1:L65ZJPSmfn/UBWLQIHV7dBrKFidB/wPlF1y5TlSt9OE= github.com/prometheus/exporter-toolkit v0.7.0/go.mod h1:ZUBIj498ePooX9t/2xtDjeQYwvRpiPP2lh5u4iblj2g= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= From dc61f6cd8bdc9dfa87ee8924d16838549242cf2b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 27 Feb 2023 04:26:19 -0800 Subject: [PATCH 192/405] Bump github.com/stretchr/testify from 1.8.1 to 1.8.2 (#9675) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.1 to 1.8.2. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](https://github.com/stretchr/testify/compare/v1.8.1...v1.8.2) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 8c4a7123c..00765b534 100644 --- a/go.mod +++ b/go.mod @@ -22,7 +22,7 @@ require ( github.com/prometheus/common v0.40.0 github.com/spf13/cobra v1.6.1 github.com/spf13/pflag v1.0.5 - github.com/stretchr/testify v1.8.1 + github.com/stretchr/testify v1.8.2 github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a golang.org/x/crypto v0.6.0 diff --git a/go.sum b/go.sum index 31c11e5a4..6274257aa 100644 --- a/go.sum +++ b/go.sum @@ -364,8 +364,8 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= -github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= -github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8= +github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= github.com/urfave/cli v1.17.1-0.20160602030128-01a33823596e/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= From 640bdac76d8c5b0505b10255a3195709b971154f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 5 Mar 2023 10:56:57 -0800 Subject: [PATCH 193/405] Bump golang.org/x/sys in /images/custom-error-pages/rootfs (#9671) Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.0.0-20210603081109-ebe580a85c40 to 0.1.0. - [Release notes](https://github.com/golang/sys/releases) - [Commits](https://github.com/golang/sys/commits/v0.1.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- images/custom-error-pages/rootfs/go.mod | 2 +- images/custom-error-pages/rootfs/go.sum | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/images/custom-error-pages/rootfs/go.mod b/images/custom-error-pages/rootfs/go.mod index 515b72c09..2e762d091 100644 --- a/images/custom-error-pages/rootfs/go.mod +++ b/images/custom-error-pages/rootfs/go.mod @@ -12,6 +12,6 @@ require ( github.com/prometheus/client_model v0.2.0 // indirect github.com/prometheus/common v0.26.0 // indirect github.com/prometheus/procfs v0.6.0 // indirect - golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40 // indirect + golang.org/x/sys v0.1.0 // indirect google.golang.org/protobuf v1.28.0 // indirect ) diff --git a/images/custom-error-pages/rootfs/go.sum b/images/custom-error-pages/rootfs/go.sum index d071619b7..a5f86cade 100644 --- a/images/custom-error-pages/rootfs/go.sum +++ b/images/custom-error-pages/rootfs/go.sum @@ -113,8 +113,9 @@ golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40 h1:JWgyZ1qgdTaF3N3oxC+MdTV7qvEEgHo3otj+HB5CM7Q= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= From 82e836fbe89815ba57dcc1c8f9e370773d6bf291 Mon Sep 17 00:00:00 2001 From: cui fliter Date: Mon, 6 Mar 2023 03:00:57 +0800 Subject: [PATCH 194/405] fix some comments (#9688) Signed-off-by: cui fliter --- docs/developer-guide/code-overview.md | 2 +- images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go | 2 +- internal/ingress/controller/endpointslices.go | 2 +- internal/ingress/controller/template/template.go | 2 +- magefiles/helm.go | 7 ++++--- pkg/util/ingress/ingress.go | 2 +- test/e2e/settings/ssl_passthrough.go | 2 +- 7 files changed, 10 insertions(+), 9 deletions(-) diff --git a/docs/developer-guide/code-overview.md b/docs/developer-guide/code-overview.md index c55fb69f9..a26083c6a 100644 --- a/docs/developer-guide/code-overview.md +++ b/docs/developer-guide/code-overview.md @@ -104,7 +104,7 @@ Describe here `kubectl plugin`, `dbg`, `waitshutdown` and cover the hack scripts ### kubectl plugin -It containes kubectl plugin for inspecting your ingress-nginx deployments. +It contains kubectl plugin for inspecting your ingress-nginx deployments. This part of code can be found in [cmd/plugin](https://github.com/kubernetes/ingress-nginx/tree/main/cmd/plugin) directory Detail functions flow and available flow can be found in [kubectl-plugin](https://github.com/kubernetes/ingress-nginx/blob/main/docs/kubectl-plugin.md) diff --git a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go index 0034235fb..6018b4253 100644 --- a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go +++ b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go @@ -105,7 +105,7 @@ func (k8s *k8s) patchAPIService(ctx context.Context, objectName string, ca []byt return nil } -// PatchWebhookConfigurations will patch validatingWebhook and mutatingWebhook clientConfig configurations with +// patchWebhookConfigurations will patch validatingWebhook and mutatingWebhook clientConfig configurations with // the provided ca data. If failurePolicy is provided, patch all webhooks with this value func (k8s *k8s) patchWebhookConfigurations( ctx context.Context, diff --git a/internal/ingress/controller/endpointslices.go b/internal/ingress/controller/endpointslices.go index 56e7a2dcb..ca6e595c8 100644 --- a/internal/ingress/controller/endpointslices.go +++ b/internal/ingress/controller/endpointslices.go @@ -34,7 +34,7 @@ import ( "k8s.io/ingress-nginx/pkg/apis/ingress" ) -// getEndpoints returns a list of Endpoint structs for a given service/target port combination. +// getEndpointsFromSlices returns a list of Endpoint structs for a given service/target port combination. func getEndpointsFromSlices(s *corev1.Service, port *corev1.ServicePort, proto corev1.Protocol, zoneForHints string, getServiceEndpointsSlices func(string) ([]*discoveryv1.EndpointSlice, error)) []ingress.Endpoint { diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go index ea9807bd0..f3283a782 100644 --- a/internal/ingress/controller/template/template.go +++ b/internal/ingress/controller/template/template.go @@ -1732,7 +1732,7 @@ func buildServerName(hostname string) string { return `~^(?[\w-]+)\.` + strings.Join(parts, "\\.") + `$` } -// parseComplexNGINXVar parses things like "$my${complex}ngx\$var" into +// parseComplexNginxVarIntoLuaTable parses things like "$my${complex}ngx\$var" into // [["$var", "complex", "my", "ngx"]]. In other words, 2nd and 3rd elements // in the result are actual NGINX variable names, whereas first and 4th elements // are string literals. diff --git a/magefiles/helm.go b/magefiles/helm.go index e69c4e029..93c440584 100644 --- a/magefiles/helm.go +++ b/magefiles/helm.go @@ -20,14 +20,15 @@ package main import ( "fmt" + "os" + "strings" + semver "github.com/blang/semver/v4" "github.com/helm/helm/pkg/chartutil" "github.com/magefile/mage/mg" "github.com/magefile/mage/sh" yamlpath "github.com/vmware-labs/yaml-jsonpath/pkg/yamlpath" "gopkg.in/yaml.v3" - "os" - "strings" ) const HelmChartPath = "charts/ingress-nginx/Chart.yaml" @@ -114,7 +115,7 @@ func UpdateChartChangelog() { } -// UpdateAppVersion Updates the Helm App Version of Ingress Nginx Controller +// UpdateChartValue Updates the Helm ChartValue func (Helm) UpdateChartValue(key, value string) { updateChartValue(key, value) } diff --git a/pkg/util/ingress/ingress.go b/pkg/util/ingress/ingress.go index 39ca3f883..e69ca7b29 100644 --- a/pkg/util/ingress/ingress.go +++ b/pkg/util/ingress/ingress.go @@ -46,7 +46,7 @@ func GetRemovedHosts(rucfg, newcfg *ingress.Configuration) []string { return oldSet.Difference(newSet).List() } -// GetRemovedCertificateSerialNumber extracts the difference of certificates between two configurations +// GetRemovedCertificateSerialNumbers extracts the difference of certificates between two configurations func GetRemovedCertificateSerialNumbers(rucfg, newcfg *ingress.Configuration) []string { oldCertificates := sets.NewString() newCertificates := sets.NewString() diff --git a/test/e2e/settings/ssl_passthrough.go b/test/e2e/settings/ssl_passthrough.go index 77a3c990e..a906a2d11 100644 --- a/test/e2e/settings/ssl_passthrough.go +++ b/test/e2e/settings/ssl_passthrough.go @@ -81,7 +81,7 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { host := "testpassthrough.com" echoName := "echopass" - /* Even with enable-ssl-passthrough enabled, only annotated ingresses may receive the trafic */ + /* Even with enable-ssl-passthrough enabled, only annotated ingresses may receive the traffic */ annotations := map[string]string{ "nginx.ingress.kubernetes.io/ssl-passthrough": "true", } From c84003e3b1e34d8a3c8cce6a026c267e37a0fbea Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 5 Mar 2023 12:10:58 -0800 Subject: [PATCH 195/405] Bump golang.org/x/net in /magefiles (#9692) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.0.0-20220722155237-a158d28d115b to 0.7.0. - [Release notes](https://github.com/golang/net/releases) - [Commits](https://github.com/golang/net/commits/v0.7.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- magefiles/go.mod | 2 +- magefiles/go.sum | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/magefiles/go.mod b/magefiles/go.mod index 31c11a061..613e5fb1f 100644 --- a/magefiles/go.mod +++ b/magefiles/go.mod @@ -23,7 +23,7 @@ require ( github.com/google/go-querystring v1.1.0 // indirect github.com/stretchr/testify v1.8.1 // indirect golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 // indirect - golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect + golang.org/x/net v0.7.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/protobuf v1.28.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect diff --git a/magefiles/go.sum b/magefiles/go.sum index 38a4235f6..f6b4786a5 100644 --- a/magefiles/go.sum +++ b/magefiles/go.sum @@ -64,17 +64,17 @@ golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 h1:HWj/xjIHfjYU5nVXpTM0s3 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= -golang.org/x/net v0.0.0-20220722155237-a158d28d115b h1:PxfKdU9lEEDYjdIzOtC4qFWgkU2rGHdKlKowJSMN9h0= -golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g= +golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be h1:vEDujvNQGv4jgYKudGeI/+DAX4Jffq6hpD55MmoEvKs= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a h1:dGzPydgVsqGcTRVwiLJ1jVbufYwmzD3LfVPLKsKg+0k= +golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= -golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= +golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= From 0bb07bffd02e104b68d3ab7e5603924e8d117bde Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Mar 2023 23:22:18 -0800 Subject: [PATCH 196/405] Bump sigs.k8s.io/controller-runtime from 0.14.2 to 0.14.5 (#9697) Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.14.2 to 0.14.5. - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.14.2...v0.14.5) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 00765b534..0ffda4dcf 100644 --- a/go.mod +++ b/go.mod @@ -40,7 +40,7 @@ require ( k8s.io/component-base v0.26.1 k8s.io/klog/v2 v2.90.0 pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 - sigs.k8s.io/controller-runtime v0.14.2 + sigs.k8s.io/controller-runtime v0.14.5 sigs.k8s.io/mdtoc v1.1.0 ) diff --git a/go.sum b/go.sum index 6274257aa..a9f0db95e 100644 --- a/go.sum +++ b/go.sum @@ -767,8 +767,8 @@ pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732/go.mod h1:lpvCfhqEHNJSSpG5R rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/controller-runtime v0.14.2 h1:P6IwDhbsRWsBClt/8/h8Zy36bCuGuW5Op7MHpFrN/60= -sigs.k8s.io/controller-runtime v0.14.2/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0= +sigs.k8s.io/controller-runtime v0.14.5 h1:6xaWFqzT5KuAQ9ufgUaj1G/+C4Y1GRkhrxl+BJ9i+5s= +sigs.k8s.io/controller-runtime v0.14.5/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/kustomize/api v0.12.1 h1:7YM7gW3kYBwtKvoY216ZzY+8hM+lV53LUayghNRJ0vM= From ec2fe2b6d1e99202d15b6c0577bcfd69cf461c3a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 7 Mar 2023 11:54:41 -0800 Subject: [PATCH 197/405] Bump github.com/prometheus/common from 0.40.0 to 0.41.0 (#9698) Bumps [github.com/prometheus/common](https://github.com/prometheus/common) from 0.40.0 to 0.41.0. - [Release notes](https://github.com/prometheus/common/releases) - [Commits](https://github.com/prometheus/common/compare/v0.40.0...v0.41.0) --- updated-dependencies: - dependency-name: github.com/prometheus/common dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 0ffda4dcf..e85419dcc 100644 --- a/go.mod +++ b/go.mod @@ -19,7 +19,7 @@ require ( github.com/pmezard/go-difflib v1.0.0 github.com/prometheus/client_golang v1.14.0 github.com/prometheus/client_model v0.3.0 - github.com/prometheus/common v0.40.0 + github.com/prometheus/common v0.41.0 github.com/spf13/cobra v1.6.1 github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.8.2 @@ -100,7 +100,7 @@ require ( go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect golang.org/x/mod v0.7.0 // indirect golang.org/x/net v0.7.0 // indirect - golang.org/x/oauth2 v0.4.0 // indirect + golang.org/x/oauth2 v0.5.0 // indirect golang.org/x/sys v0.5.0 // indirect golang.org/x/term v0.5.0 // indirect golang.org/x/text v0.7.0 // indirect diff --git a/go.sum b/go.sum index a9f0db95e..0729873ef 100644 --- a/go.sum +++ b/go.sum @@ -320,8 +320,8 @@ github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y8 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= github.com/prometheus/common v0.29.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= -github.com/prometheus/common v0.40.0 h1:Afz7EVRqGg2Mqqf4JuF9vdvp1pi220m55Pi9T2JnO4Q= -github.com/prometheus/common v0.40.0/go.mod h1:L65ZJPSmfn/UBWLQIHV7dBrKFidB/wPlF1y5TlSt9OE= +github.com/prometheus/common v0.41.0 h1:npo01n6vUlRViIj5fgwiK8vlNIh8bnoxqh3gypKsyAw= +github.com/prometheus/common v0.41.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc= github.com/prometheus/exporter-toolkit v0.7.0/go.mod h1:ZUBIj498ePooX9t/2xtDjeQYwvRpiPP2lh5u4iblj2g= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= @@ -479,8 +479,8 @@ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4Iltr golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.4.0 h1:NF0gk8LVPg1Ml7SSbGyySuoxdsXitj7TvgvuRxIMc/M= -golang.org/x/oauth2 v0.4.0/go.mod h1:RznEsdpjGAINPTOF0UH/t+xJ75L18YO3Ho6Pyn+uRec= +golang.org/x/oauth2 v0.5.0 h1:HuArIo48skDwlrvM3sEdHXElYslAMsf3KwRkkW4MC4s= +golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= From 4f74e03aad663c7d72edaa36d8e874f1ebe1aa2d Mon Sep 17 00:00:00 2001 From: Alan Clucas Date: Thu, 9 Mar 2023 15:26:04 +0000 Subject: [PATCH 198/405] Indent values.yaml using 2 instead of 4 spaces (#9656) * Generate values.yaml with indentation of 2 Signed-off-by: Alan Clucas * Fix review comments --------- Signed-off-by: Alan Clucas --- magefiles/helm.go | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/magefiles/helm.go b/magefiles/helm.go index 93c440584..d56cbed78 100644 --- a/magefiles/helm.go +++ b/magefiles/helm.go @@ -19,6 +19,7 @@ limitations under the License. package main import ( + "bytes" "fmt" "os" "strings" @@ -146,9 +147,12 @@ func updateChartValue(key, value string) { } //// write to file - newValueFile, err := yaml.Marshal(&n) + var b bytes.Buffer + yamlEncoder := yaml.NewEncoder(&b) + yamlEncoder.SetIndent(2) + err = yamlEncoder.Encode(&n) CheckIfError(err, "HELM Could not Marshal new Values file") - err = os.WriteFile(HelmChartValues, newValueFile, 0644) + err = os.WriteFile(HelmChartValues, b.Bytes(), 0644) CheckIfError(err, "HELM Could not write new Values file to %s", HelmChartValues) Info("HELM Ingress Nginx Helm Chart update %s %s", key, value) From 1b11527f59388e53b84105589508862fa3229417 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 Mar 2023 08:54:40 -0800 Subject: [PATCH 199/405] Bump k8s.io/component-base from 0.26.1 to 0.26.2 (#9696) Bumps [k8s.io/component-base](https://github.com/kubernetes/component-base) from 0.26.1 to 0.26.2. - [Release notes](https://github.com/kubernetes/component-base/releases) - [Commits](https://github.com/kubernetes/component-base/compare/v0.26.1...v0.26.2) --- updated-dependencies: - dependency-name: k8s.io/component-base dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 8 ++++---- go.sum | 16 ++++++++-------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/go.mod b/go.mod index e85419dcc..39e76c331 100644 --- a/go.mod +++ b/go.mod @@ -30,14 +30,14 @@ require ( google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 - k8s.io/api v0.26.1 + k8s.io/api v0.26.2 k8s.io/apiextensions-apiserver v0.26.1 - k8s.io/apimachinery v0.26.1 + k8s.io/apimachinery v0.26.2 k8s.io/apiserver v0.26.1 k8s.io/cli-runtime v0.26.0 - k8s.io/client-go v0.26.1 + k8s.io/client-go v0.26.2 k8s.io/code-generator v0.26.1 - k8s.io/component-base v0.26.1 + k8s.io/component-base v0.26.2 k8s.io/klog/v2 v2.90.0 pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 sigs.k8s.io/controller-runtime v0.14.5 diff --git a/go.sum b/go.sum index 0729873ef..d299919fb 100644 --- a/go.sum +++ b/go.sum @@ -737,22 +737,22 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.26.1 h1:f+SWYiPd/GsiWwVRz+NbFyCgvv75Pk9NK6dlkZgpCRQ= -k8s.io/api v0.26.1/go.mod h1:xd/GBNgR0f707+ATNyPmQ1oyKSgndzXij81FzWGsejg= +k8s.io/api v0.26.2 h1:dM3cinp3PGB6asOySalOZxEG4CZ0IAdJsrYZXE/ovGQ= +k8s.io/api v0.26.2/go.mod h1:1kjMQsFE+QHPfskEcVNgL3+Hp88B80uj0QtSOlj8itU= k8s.io/apiextensions-apiserver v0.26.1 h1:cB8h1SRk6e/+i3NOrQgSFij1B2S0Y0wDoNl66bn8RMI= k8s.io/apiextensions-apiserver v0.26.1/go.mod h1:AptjOSXDGuE0JICx/Em15PaoO7buLwTs0dGleIHixSM= -k8s.io/apimachinery v0.26.1 h1:8EZ/eGJL+hY/MYCNwhmDzVqq2lPl3N3Bo8rvweJwXUQ= -k8s.io/apimachinery v0.26.1/go.mod h1:tnPmbONNJ7ByJNz9+n9kMjNP8ON+1qoAIIC70lztu74= +k8s.io/apimachinery v0.26.2 h1:da1u3D5wfR5u2RpLhE/ZtZS2P7QvDgLZTi9wrNZl/tQ= +k8s.io/apimachinery v0.26.2/go.mod h1:ats7nN1LExKHvJ9TmwootT00Yz05MuYqPXEXaVeOy5I= k8s.io/apiserver v0.26.1 h1:6vmnAqCDO194SVCPU3MU8NcDgSqsUA62tBUSWrFXhsc= k8s.io/apiserver v0.26.1/go.mod h1:wr75z634Cv+sifswE9HlAo5FQ7UoUauIICRlOE+5dCg= k8s.io/cli-runtime v0.26.0 h1:aQHa1SyUhpqxAw1fY21x2z2OS5RLtMJOCj7tN4oq8mw= k8s.io/cli-runtime v0.26.0/go.mod h1:o+4KmwHzO/UK0wepE1qpRk6l3o60/txUZ1fEXWGIKTY= -k8s.io/client-go v0.26.1 h1:87CXzYJnAMGaa/IDDfRdhTzxk/wzGZ+/HUQpqgVSZXU= -k8s.io/client-go v0.26.1/go.mod h1:IWNSglg+rQ3OcvDkhY6+QLeasV4OYHDjdqeWkDQZwGE= +k8s.io/client-go v0.26.2 h1:s1WkVujHX3kTp4Zn4yGNFK+dlDXy1bAAkIl+cFAiuYI= +k8s.io/client-go v0.26.2/go.mod h1:u5EjOuSyBa09yqqyY7m3abZeovO/7D/WehVVlZ2qcqU= k8s.io/code-generator v0.26.1 h1:dusFDsnNSKlMFYhzIM0jAO1OlnTN5WYwQQ+Ai12IIlo= k8s.io/code-generator v0.26.1/go.mod h1:OMoJ5Dqx1wgaQzKgc+ZWaZPfGjdRq/Y3WubFrZmeI3I= -k8s.io/component-base v0.26.1 h1:4ahudpeQXHZL5kko+iDHqLj/FSGAEUnSVO0EBbgDd+4= -k8s.io/component-base v0.26.1/go.mod h1:VHrLR0b58oC035w6YQiBSbtsf0ThuSwXP+p5dD/kAWU= +k8s.io/component-base v0.26.2 h1:IfWgCGUDzrD6wLLgXEstJKYZKAFS2kO+rBRi0p3LqcI= +k8s.io/component-base v0.26.2/go.mod h1:DxbuIe9M3IZPRxPIzhch2m1eT7uFrSBJUBuVCQEBivs= k8s.io/gengo v0.0.0-20220902162205-c0856e24416d h1:U9tB195lKdzwqicbJvyJeOXV7Klv+wNAWENRnXEGi08= k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= From 67ca41d797bd4471ddb8ac95c7df51c945893e43 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 11 Mar 2023 11:34:41 -0800 Subject: [PATCH 200/405] Bump golang.org/x/crypto in /magefiles (#9691) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.0.0-20210817164053-32db794688a5 to 0.1.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](https://github.com/golang/crypto/commits/v0.1.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- magefiles/go.mod | 2 +- magefiles/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/magefiles/go.mod b/magefiles/go.mod index 613e5fb1f..9ad1e11c9 100644 --- a/magefiles/go.mod +++ b/magefiles/go.mod @@ -22,7 +22,7 @@ require ( github.com/golang/protobuf v1.5.2 // indirect github.com/google/go-querystring v1.1.0 // indirect github.com/stretchr/testify v1.8.1 // indirect - golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 // indirect + golang.org/x/crypto v0.1.0 // indirect golang.org/x/net v0.7.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/protobuf v1.28.0 // indirect diff --git a/magefiles/go.sum b/magefiles/go.sum index f6b4786a5..9c0c8ee7f 100644 --- a/magefiles/go.sum +++ b/magefiles/go.sum @@ -60,8 +60,8 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o github.com/vmware-labs/yaml-jsonpath v0.3.2 h1:/5QKeCBGdsInyDCyVNLbXyilb61MXGi9NP674f9Hobk= github.com/vmware-labs/yaml-jsonpath v0.3.2/go.mod h1:U6whw1z03QyqgWdgXxvVnQ90zN1BWz5V+51Ewf8k+rQ= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 h1:HWj/xjIHfjYU5nVXpTM0s39J9CbLn7Cc5a7IC5rwsMQ= -golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU= +golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g= From 5dabf2155868f3415520abe74423f2479cef4599 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 11 Mar 2023 11:36:42 -0800 Subject: [PATCH 201/405] Bump k8s.io/klog/v2 from 2.90.0 to 2.90.1 (#9694) Bumps [k8s.io/klog/v2](https://github.com/kubernetes/klog) from 2.90.0 to 2.90.1. - [Release notes](https://github.com/kubernetes/klog/releases) - [Changelog](https://github.com/kubernetes/klog/blob/main/RELEASE.md) - [Commits](https://github.com/kubernetes/klog/compare/v2.90.0...v2.90.1) --- updated-dependencies: - dependency-name: k8s.io/klog/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 39e76c331..bf0f83625 100644 --- a/go.mod +++ b/go.mod @@ -38,7 +38,7 @@ require ( k8s.io/client-go v0.26.2 k8s.io/code-generator v0.26.1 k8s.io/component-base v0.26.2 - k8s.io/klog/v2 v2.90.0 + k8s.io/klog/v2 v2.90.1 pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 sigs.k8s.io/controller-runtime v0.14.5 sigs.k8s.io/mdtoc v1.1.0 diff --git a/go.sum b/go.sum index d299919fb..a46367fb7 100644 --- a/go.sum +++ b/go.sum @@ -756,8 +756,8 @@ k8s.io/component-base v0.26.2/go.mod h1:DxbuIe9M3IZPRxPIzhch2m1eT7uFrSBJUBuVCQEB k8s.io/gengo v0.0.0-20220902162205-c0856e24416d h1:U9tB195lKdzwqicbJvyJeOXV7Klv+wNAWENRnXEGi08= k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= -k8s.io/klog/v2 v2.90.0 h1:VkTxIV/FjRXn1fgNNcKGM8cfmL1Z33ZjXRTVxKCoF5M= -k8s.io/klog/v2 v2.90.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/klog/v2 v2.90.1 h1:m4bYOKall2MmOiRaR1J+We67Do7vm9KiQVlT96lnHUw= +k8s.io/klog/v2 v2.90.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E= k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 h1:KTgPnR10d5zhztWptI952TNtt/4u5h3IzDXkdIMuo2Y= From ddcfaecb3c4f6820f570f1ac926f16a3a433f586 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 11 Mar 2023 11:38:39 -0800 Subject: [PATCH 202/405] Bump github.com/onsi/ginkgo/v2 from 2.6.1 to 2.9.0 (#9695) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.6.1 to 2.9.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.6.1...v2.9.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 8 +++++--- go.sum | 18 +++++++++++------- 2 files changed, 16 insertions(+), 10 deletions(-) diff --git a/go.mod b/go.mod index bf0f83625..011d69e63 100644 --- a/go.mod +++ b/go.mod @@ -14,7 +14,7 @@ require ( github.com/mitchellh/mapstructure v1.5.0 github.com/moul/pb v0.0.0-20220425114252-bca18df4138c github.com/ncabatoff/process-exporter v0.7.10 - github.com/onsi/ginkgo/v2 v2.6.1 + github.com/onsi/ginkgo/v2 v2.9.0 github.com/opencontainers/runc v1.1.4 github.com/pmezard/go-difflib v1.0.0 github.com/prometheus/client_golang v1.14.0 @@ -62,6 +62,7 @@ require ( github.com/go-openapi/jsonpointer v0.19.5 // indirect github.com/go-openapi/jsonreference v0.20.0 // indirect github.com/go-openapi/swag v0.19.14 // indirect + github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect github.com/godbus/dbus/v5 v5.0.6 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect @@ -71,6 +72,7 @@ require ( github.com/google/gnostic v0.5.7-v3refs // indirect github.com/google/go-cmp v0.5.9 // indirect github.com/google/gofuzz v1.1.0 // indirect + github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect github.com/google/uuid v1.3.0 // indirect github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect @@ -98,14 +100,14 @@ require ( github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect github.com/yudai/pp v2.0.1+incompatible // indirect go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect - golang.org/x/mod v0.7.0 // indirect + golang.org/x/mod v0.8.0 // indirect golang.org/x/net v0.7.0 // indirect golang.org/x/oauth2 v0.5.0 // indirect golang.org/x/sys v0.5.0 // indirect golang.org/x/term v0.5.0 // indirect golang.org/x/text v0.7.0 // indirect golang.org/x/time v0.3.0 // indirect - golang.org/x/tools v0.4.0 // indirect + golang.org/x/tools v0.6.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f // indirect google.golang.org/protobuf v1.28.1 // indirect diff --git a/go.sum b/go.sum index a46367fb7..1c709138d 100644 --- a/go.sum +++ b/go.sum @@ -118,6 +118,7 @@ github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng= github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.0.6 h1:mkgN1ofwASrYnJ5W6U/BxG15eXXXjirgZc7CLqkcaro= @@ -187,6 +188,8 @@ github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 h1:yAJXTCF9TqKcTiHJAE8dj7HMvPfh66eeA2JYW7eFpSE= +github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= @@ -200,6 +203,7 @@ github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc= @@ -285,11 +289,11 @@ github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.6.1 h1:1xQPCjcqYw/J5LchOcp4/2q/jzJFjiAOc25chhnDw+Q= -github.com/onsi/ginkgo/v2 v2.6.1/go.mod h1:yjiuMwPokqY1XauOgju45q3sJt6VzQ/Fict1LFVcsAo= +github.com/onsi/ginkgo/v2 v2.9.0 h1:Tugw2BKlNHTMfG+CheOITkYvk4LAh6MFOvikhGVnhE8= +github.com/onsi/ginkgo/v2 v2.9.0/go.mod h1:4xkjoL/tZv4SMWeww56BU5kAt19mVB47gTWxmrTcxyk= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -github.com/onsi/gomega v1.24.1 h1:KORJXNNTzJXzu4ScJWssJfJMnJ+2QJqhoQSRwNlze9E= +github.com/onsi/gomega v1.27.1 h1:rfztXRbg6nv/5f+Raen9RcGoSecHIFgBBLQK3Wdj754= github.com/opencontainers/runc v1.1.4 h1:nRCz/8sKg6K6jgYAFLDlXzPeITBZJyX28DBVhWD+5dg= github.com/opencontainers/runc v1.1.4/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc= @@ -435,8 +439,8 @@ golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzB golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.7.0 h1:LapD9S96VoQRhi/GrNTqeBJFrUjs5UHCAtTlgwA5oZA= -golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -604,8 +608,8 @@ golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.4.0 h1:7mTAgkunk3fr4GAloyyCasadO6h9zSsQZbwvcaIciV4= -golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ= +golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= From 66a760794f91809bcd897cbdb45435653d73fd92 Mon Sep 17 00:00:00 2001 From: James Strong Date: Sat, 11 Mar 2023 23:38:39 -0500 Subject: [PATCH 203/405] update to golang 1.20 (#9690) update alpine and golang remove nano update go modules remove need for openssl external cli fix stale Signed-off-by: James Strong --- .github/workflows/ci.yaml | 12 +++++------ .github/workflows/plugin.yaml | 2 +- .github/workflows/stale.yaml | 4 ++-- go.mod | 4 ++-- go.sum | 4 ++-- images/cfssl/rootfs/Dockerfile | 2 +- images/custom-error-pages/rootfs/Dockerfile | 2 +- images/custom-error-pages/rootfs/go.mod | 2 +- .../rootfs/Dockerfile | 2 +- images/ext-auth-example-authsvc/rootfs/go.mod | 2 +- images/ext-auth-example-authsvc/rootfs/go.sum | 21 +++++++++++++++++-- images/fastcgi-helloserver/rootfs/Dockerfile | 2 +- .../go-grpc-greeter-server/rootfs/Dockerfile | 2 +- images/httpbin/rootfs/Dockerfile | 2 +- images/kube-webhook-certgen/rootfs/Dockerfile | 2 +- images/kube-webhook-certgen/rootfs/go.mod | 2 +- images/nginx/rootfs/Dockerfile | 5 ++--- images/opentelemetry/rootfs/Dockerfile | 4 ++-- images/test-runner/Makefile | 2 +- magefiles/go.mod | 2 +- rootfs/Dockerfile-chroot | 4 ++-- test/e2e-image/Dockerfile | 2 +- test/e2e/annotations/auth.go | 8 ++++--- test/e2e/settings/no_auth_locations.go | 5 +++-- 24 files changed, 59 insertions(+), 40 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 61f5970db..b9a400747 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -88,7 +88,7 @@ jobs: id: go uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: - go-version: '1.19' + go-version: '1.20' check-latest: true - name: Run Lint @@ -107,7 +107,7 @@ jobs: id: go uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: - go-version: '1.19' + go-version: '1.20' check-latest: true - name: Run go-fmt @@ -126,7 +126,7 @@ jobs: id: go uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: - go-version: '1.19' + go-version: '1.20' check-latest: true - name: Run test @@ -147,7 +147,7 @@ jobs: id: go uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: - go-version: '1.19' + go-version: '1.20' check-latest: true - name: Set up QEMU @@ -213,7 +213,7 @@ jobs: - name: Setup Go uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: - go-version: '1.19' + go-version: '1.20' check-latest: true - name: cache @@ -485,7 +485,7 @@ jobs: if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: - go-version: '1.19' + go-version: '1.20' check-latest: true - name: kube-webhook-certgen image build diff --git a/.github/workflows/plugin.yaml b/.github/workflows/plugin.yaml index 779cd1da8..cb0f73489 100644 --- a/.github/workflows/plugin.yaml +++ b/.github/workflows/plugin.yaml @@ -24,7 +24,7 @@ jobs: - name: Set up Go uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: - go-version: 1.19 + go-version: 1.20 check-latest: true - name: Run GoReleaser diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml index 736585e05..8a172d370 100644 --- a/.github/workflows/stale.yaml +++ b/.github/workflows/stale.yaml @@ -15,8 +15,8 @@ jobs: steps: - uses: actions/stale@6f05e4244c9a0b2ed3401882b05d701dd0a7289b # v7.0.0 with: - stale-issue-message: 'This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach `#ingress-nginx-dev` on Kubernetes Slack.' - stale-pr-message: 'This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach `#ingress-nginx-dev` on Kubernetes Slack.' + stale-issue-message: "This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach `#ingress-nginx-dev` on Kubernetes Slack." + stale-pr-message: "This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach `#ingress-nginx-dev` on Kubernetes Slack." stale-issue-label: lifecycle/frozen stale-pr-label: lifecycle/frozen days-before-issue-stale: 30 diff --git a/go.mod b/go.mod index 011d69e63..a653632f5 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module k8s.io/ingress-nginx -go 1.19 +go 1.20 require ( github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a @@ -93,7 +93,7 @@ require ( github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 // indirect github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/pkg/errors v0.9.1 // indirect - github.com/prometheus/procfs v0.8.0 // indirect + github.com/prometheus/procfs v0.9.0 // indirect github.com/sergi/go-diff v1.1.0 // indirect github.com/sirupsen/logrus v1.8.1 // indirect github.com/xlab/treeprint v1.1.0 // indirect diff --git a/go.sum b/go.sum index 1c709138d..ff41229cf 100644 --- a/go.sum +++ b/go.sum @@ -332,8 +332,8 @@ github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsT github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= -github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo= -github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4= +github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI= +github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8= diff --git a/images/cfssl/rootfs/Dockerfile b/images/cfssl/rootfs/Dockerfile index f9370c210..7841e189c 100644 --- a/images/cfssl/rootfs/Dockerfile +++ b/images/cfssl/rootfs/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM alpine:3.17.0 +FROM alpine:3.17.2 RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories RUN apk add --no-cache \ diff --git a/images/custom-error-pages/rootfs/Dockerfile b/images/custom-error-pages/rootfs/Dockerfile index ef825dec1..942228eac 100755 --- a/images/custom-error-pages/rootfs/Dockerfile +++ b/images/custom-error-pages/rootfs/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.19.4-alpine3.17 as builder +FROM golang:1.20.1-alpine3.17 as builder RUN apk add git WORKDIR /go/src/k8s.io/ingress-nginx/images/custom-error-pages diff --git a/images/custom-error-pages/rootfs/go.mod b/images/custom-error-pages/rootfs/go.mod index 2e762d091..89e47a4b5 100644 --- a/images/custom-error-pages/rootfs/go.mod +++ b/images/custom-error-pages/rootfs/go.mod @@ -1,6 +1,6 @@ module k8s.io/ingress-nginx/custom-error-pages -go 1.19 +go 1.20 require github.com/prometheus/client_golang v1.11.1 diff --git a/images/ext-auth-example-authsvc/rootfs/Dockerfile b/images/ext-auth-example-authsvc/rootfs/Dockerfile index d54df8ab9..c604651d4 100644 --- a/images/ext-auth-example-authsvc/rootfs/Dockerfile +++ b/images/ext-auth-example-authsvc/rootfs/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.19.4-alpine3.17 as builder +FROM golang:1.20.1-alpine3.17 as builder RUN mkdir /authsvc WORKDIR /authsvc COPY . ./ diff --git a/images/ext-auth-example-authsvc/rootfs/go.mod b/images/ext-auth-example-authsvc/rootfs/go.mod index 0be630b8b..cc5124072 100644 --- a/images/ext-auth-example-authsvc/rootfs/go.mod +++ b/images/ext-auth-example-authsvc/rootfs/go.mod @@ -1,6 +1,6 @@ module example.com/authsvc -go 1.19 +go 1.20 require k8s.io/apimachinery v0.23.1 diff --git a/images/ext-auth-example-authsvc/rootfs/go.sum b/images/ext-auth-example-authsvc/rootfs/go.sum index 2ca056fae..6e3fab295 100644 --- a/images/ext-auth-example-authsvc/rootfs/go.sum +++ b/images/ext-auth-example-authsvc/rootfs/go.sum @@ -105,7 +105,19 @@ golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHl golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -129,7 +141,12 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= diff --git a/images/fastcgi-helloserver/rootfs/Dockerfile b/images/fastcgi-helloserver/rootfs/Dockerfile index 0213baf87..7d9220ddf 100755 --- a/images/fastcgi-helloserver/rootfs/Dockerfile +++ b/images/fastcgi-helloserver/rootfs/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.19.4-alpine3.17 as builder +FROM golang:1.20.1-alpine3.17 as builder WORKDIR /go/src/k8s.io/ingress-nginx/images/fastcgi diff --git a/images/go-grpc-greeter-server/rootfs/Dockerfile b/images/go-grpc-greeter-server/rootfs/Dockerfile index 547842512..67aed038e 100644 --- a/images/go-grpc-greeter-server/rootfs/Dockerfile +++ b/images/go-grpc-greeter-server/rootfs/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.19.4-alpine3.17 as build +FROM golang:1.20.1-alpine3.17 as build WORKDIR /go/src/greeter-server diff --git a/images/httpbin/rootfs/Dockerfile b/images/httpbin/rootfs/Dockerfile index 1a9b55ba5..0e490be74 100644 --- a/images/httpbin/rootfs/Dockerfile +++ b/images/httpbin/rootfs/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM alpine:3.17.0 +FROM alpine:3.17.2 ENV LC_ALL=C.UTF-8 ENV LANG=C.UTF-8 diff --git a/images/kube-webhook-certgen/rootfs/Dockerfile b/images/kube-webhook-certgen/rootfs/Dockerfile index 32847fd39..40a2c31ac 100644 --- a/images/kube-webhook-certgen/rootfs/Dockerfile +++ b/images/kube-webhook-certgen/rootfs/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM --platform=$BUILDPLATFORM golang:1.19.4 as builder +FROM --platform=$BUILDPLATFORM golang:1.20.1 as builder ARG BUILDPLATFORM ARG TARGETARCH diff --git a/images/kube-webhook-certgen/rootfs/go.mod b/images/kube-webhook-certgen/rootfs/go.mod index a6e2b7ed2..49f95828f 100644 --- a/images/kube-webhook-certgen/rootfs/go.mod +++ b/images/kube-webhook-certgen/rootfs/go.mod @@ -1,6 +1,6 @@ module github.com/jet/kube-webhook-certgen -go 1.19 +go 1.20 require ( github.com/onrik/logrus v0.9.0 diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile index a9b01ff82..3279af5d5 100644 --- a/images/nginx/rootfs/Dockerfile +++ b/images/nginx/rootfs/Dockerfile @@ -11,7 +11,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -FROM alpine:3.17.0 as builder +FROM alpine:3.17.2 as builder COPY . / @@ -21,7 +21,7 @@ RUN apk update \ && /build.sh # Use a multi-stage build -FROM alpine:3.17.0 +FROM alpine:3.17.2 ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin @@ -49,7 +49,6 @@ RUN apk update \ libmaxminddb \ yaml-cpp \ dumb-init \ - nano \ tzdata \ && ln -s /usr/local/nginx/sbin/nginx /sbin/nginx \ && adduser -S -D -H -u 101 -h /usr/local/nginx \ diff --git a/images/opentelemetry/rootfs/Dockerfile b/images/opentelemetry/rootfs/Dockerfile index aa4e219af..33f5bcb36 100644 --- a/images/opentelemetry/rootfs/Dockerfile +++ b/images/opentelemetry/rootfs/Dockerfile @@ -13,7 +13,7 @@ # limitations under the License. -FROM alpine:3.17.0 as base +FROM alpine:3.17.2 as base RUN mkdir -p /opt/third_party/install COPY . /opt/third_party/ @@ -39,7 +39,7 @@ COPY --from=grpc /opt/third_party/install/ /usr COPY --from=otel-cpp /opt/third_party/install/ /usr RUN bash /opt/third_party/build.sh -n -FROM alpine:3.17.0 as final +FROM alpine:3.17.2 as final COPY --from=base /opt/third_party/init_module.sh /usr/local/bin/init_module.sh COPY --from=nginx /etc/nginx/modules /etc/nginx/modules COPY --from=nginx /opt/third_party/install/lib /etc/nginx/modules diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile index 4d71b8ad5..a8c3a4560 100644 --- a/images/test-runner/Makefile +++ b/images/test-runner/Makefile @@ -39,7 +39,7 @@ build: ensure-buildx --progress=$(PROGRESS) \ --pull \ --build-arg BASE_IMAGE=$(NGINX_BASE_IMAGE) \ - --build-arg GOLANG_VERSION=1.19.4 \ + --build-arg GOLANG_VERSION=1.20.1 \ --build-arg ETCD_VERSION=3.4.3-0 \ --build-arg K8S_RELEASE=v1.24.2 \ --build-arg RESTY_CLI_VERSION=0.27 \ diff --git a/magefiles/go.mod b/magefiles/go.mod index 9ad1e11c9..40b909600 100644 --- a/magefiles/go.mod +++ b/magefiles/go.mod @@ -1,6 +1,6 @@ module github.com/kubernetes/ingress-nginx/magefiles -go 1.19 +go 1.20 require ( github.com/blang/semver/v4 v4.0.0 diff --git a/rootfs/Dockerfile-chroot b/rootfs/Dockerfile-chroot index bdb9be60b..7ab8584a7 100644 --- a/rootfs/Dockerfile-chroot +++ b/rootfs/Dockerfile-chroot @@ -23,7 +23,7 @@ RUN apk update \ && apk upgrade \ && /chroot.sh -FROM alpine:3.17.0 +FROM alpine:3.17.2 ARG TARGETARCH ARG VERSION @@ -49,8 +49,8 @@ RUN apk update \ && apk upgrade \ && apk add -U --no-cache \ bash \ - curl \ openssl \ + curl \ ca-certificates \ dumb-init \ tzdata \ diff --git a/test/e2e-image/Dockerfile b/test/e2e-image/Dockerfile index ab4ba5026..09ce36cc5 100644 --- a/test/e2e-image/Dockerfile +++ b/test/e2e-image/Dockerfile @@ -1,7 +1,7 @@ ARG E2E_BASE_IMAGE FROM ${E2E_BASE_IMAGE} AS BASE -FROM alpine:3.16.2 +FROM alpine:3.17.2 RUN apk add -U --no-cache \ ca-certificates \ diff --git a/test/e2e/annotations/auth.go b/test/e2e/annotations/auth.go index 1f0f4c3b2..e3d0bcb2e 100644 --- a/test/e2e/annotations/auth.go +++ b/test/e2e/annotations/auth.go @@ -19,9 +19,9 @@ package annotations import ( "context" "fmt" + "golang.org/x/crypto/bcrypt" "net/http" "net/url" - "os/exec" "regexp" "strings" "time" @@ -899,7 +899,8 @@ http { // Auth error func buildSecret(username, password, name, namespace string) *corev1.Secret { - out, err := exec.Command("openssl", "passwd", "-crypt", password).CombinedOutput() + //out, err := exec.Command("openssl", "passwd", "-crypt", password).CombinedOutput() + out, err := bcrypt.GenerateFromPassword([]byte(password), 14) encpass := fmt.Sprintf("%v:%s\n", username, out) assert.Nil(ginkgo.GinkgoT(), err) @@ -917,7 +918,8 @@ func buildSecret(username, password, name, namespace string) *corev1.Secret { } func buildMapSecret(username, password, name, namespace string) *corev1.Secret { - out, err := exec.Command("openssl", "passwd", "-crypt", password).CombinedOutput() + //out, err := exec.Command("openssl", "passwd", "-crypt", password).CombinedOutput() + out, err := bcrypt.GenerateFromPassword([]byte(password), 14) assert.Nil(ginkgo.GinkgoT(), err) return &corev1.Secret{ diff --git a/test/e2e/settings/no_auth_locations.go b/test/e2e/settings/no_auth_locations.go index 70ec3be8f..2fc4b6455 100644 --- a/test/e2e/settings/no_auth_locations.go +++ b/test/e2e/settings/no_auth_locations.go @@ -18,8 +18,8 @@ package settings import ( "fmt" + "golang.org/x/crypto/bcrypt" "net/http" - "os/exec" "strings" "github.com/onsi/ginkgo/v2" @@ -147,7 +147,8 @@ func buildBasicAuthIngressWithSecondPath(host, namespace, secretName, pathName s } func buildSecret(username, password, name, namespace string) *corev1.Secret { - out, err := exec.Command("openssl", "passwd", "-crypt", password).CombinedOutput() + //out, err := exec.Command("openssl", "passwd", "-crypt", password).CombinedOutput() + out, err := bcrypt.GenerateFromPassword([]byte(password), 14) assert.Nil(ginkgo.GinkgoT(), err, "creating password") encpass := fmt.Sprintf("%v:%s\n", username, out) From f93d11b4cf549c4c443c0d81cf15fbecfd0b3388 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 12 Mar 2023 05:18:40 -0700 Subject: [PATCH 204/405] Bump helm/chart-releaser-action from 1.4.1 to 1.5.0 (#9720) Bumps [helm/chart-releaser-action](https://github.com/helm/chart-releaser-action) from 1.4.1 to 1.5.0. - [Release notes](https://github.com/helm/chart-releaser-action/releases) - [Commits](https://github.com/helm/chart-releaser-action/compare/98bccfd32b0f76149d188912ac8e45ddd3f8695f...be16258da8010256c6e82849661221415f031968) --- updated-dependencies: - dependency-name: helm/chart-releaser-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/helm.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml index 2bd271bb2..b1db0c1d8 100644 --- a/.github/workflows/helm.yaml +++ b/.github/workflows/helm.yaml @@ -73,7 +73,7 @@ jobs: git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com" - name: Helm Chart Releaser - uses: helm/chart-releaser-action@98bccfd32b0f76149d188912ac8e45ddd3f8695f # v1.4.1 + uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0 env: CR_SKIP_EXISTING: "false" CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" From b87645fe5318dc6fe9b00b3d9c6c25b5098d9e0e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 12 Mar 2023 05:20:40 -0700 Subject: [PATCH 205/405] Bump docker/setup-buildx-action from 2.2.1 to 2.5.0 (#9719) Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2.2.1 to 2.5.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/8c0edbc76e98fa90f69d9a2c020dcb50019dc325...4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index b9a400747..db9f69c41 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -155,7 +155,7 @@ jobs: - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1 + uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0 with: version: latest From e2d076c4fc52f6c9cdcf9af93d9ae41821303faa Mon Sep 17 00:00:00 2001 From: Do Hoang Khiem Date: Tue, 14 Mar 2023 18:32:18 +0700 Subject: [PATCH 206/405] HPA: autoscaling/v2beta1 deprecated, bump apiVersion to v2 for defaultBackend (#9731) --- charts/ingress-nginx/README.md | 1 + charts/ingress-nginx/templates/default-backend-hpa.yaml | 2 +- charts/ingress-nginx/values.yaml | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 49bb38273..5e7fa85a1 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -456,6 +456,7 @@ Kubernetes: `>=1.20.0-0` | controller.watchIngressWithoutClass | bool | `false` | Process Ingress objects without ingressClass annotation/ingressClassName field Overrides value for --watch-ingress-without-class flag of the controller binary Defaults to false | | defaultBackend.affinity | object | `{}` | | | defaultBackend.autoscaling.annotations | object | `{}` | | +| defaultBackend.autoscaling.apiVersion | string | `"autoscaling/v2"` | | | defaultBackend.autoscaling.enabled | bool | `false` | | | defaultBackend.autoscaling.maxReplicas | int | `2` | | | defaultBackend.autoscaling.minReplicas | int | `1` | | diff --git a/charts/ingress-nginx/templates/default-backend-hpa.yaml b/charts/ingress-nginx/templates/default-backend-hpa.yaml index 594d26525..f9ae0b276 100644 --- a/charts/ingress-nginx/templates/default-backend-hpa.yaml +++ b/charts/ingress-nginx/templates/default-backend-hpa.yaml @@ -1,5 +1,5 @@ {{- if and .Values.defaultBackend.enabled .Values.defaultBackend.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 +apiVersion: {{ .Values.defaultBackend.autoscaling.apiVersion }} kind: HorizontalPodAutoscaler metadata: labels: diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 202cd4a23..031078499 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -827,6 +827,7 @@ defaultBackend: # emptyDir: {} autoscaling: + apiVersion: autoscaling/v2 annotations: {} enabled: false minReplicas: 1 From 520384b1103d8382c857c0f86551dab2343eda2c Mon Sep 17 00:00:00 2001 From: Long Wu Yuan Date: Tue, 14 Mar 2023 17:06:17 +0530 Subject: [PATCH 207/405] bumped ginkgo to v2.9.0 (#9722) --- build/run-in-docker.sh | 2 +- images/test-runner/rootfs/Dockerfile | 2 +- test/e2e/run-chart-test.sh | 2 +- test/e2e/run-kind-e2e.sh | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh index 44ca2d5f7..d375c4336 100755 --- a/build/run-in-docker.sh +++ b/build/run-in-docker.sh @@ -87,7 +87,7 @@ if [[ "$DOCKER_IN_DOCKER_ENABLED" == "true" ]]; then echo "..reached DIND check TRUE block, inside run-in-docker.sh" echo "FLAGS=$FLAGS" #go env - go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.6.1 + go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.9.0 find / -type f -name ginkgo 2>/dev/null which ginkgo /bin/bash -c "${FLAGS}" diff --git a/images/test-runner/rootfs/Dockerfile b/images/test-runner/rootfs/Dockerfile index 1e8bc3643..7872b7a2b 100644 --- a/images/test-runner/rootfs/Dockerfile +++ b/images/test-runner/rootfs/Dockerfile @@ -55,7 +55,7 @@ ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH" -RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.6.1 && go install golang.org/x/lint/golint@latest +RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.9.0 && go install golang.org/x/lint/golint@latest ARG RESTY_CLI_VERSION ARG RESTY_CLI_SHA diff --git a/test/e2e/run-chart-test.sh b/test/e2e/run-chart-test.sh index d01ab4486..813e296cf 100755 --- a/test/e2e/run-chart-test.sh +++ b/test/e2e/run-chart-test.sh @@ -78,7 +78,7 @@ fi if [ "${SKIP_IMAGE_CREATION:-false}" = "false" ]; then if ! command -v ginkgo &> /dev/null; then - go install github.com/onsi/ginkgo/v2/ginkgo@v2.6.1 + go install github.com/onsi/ginkgo/v2/ginkgo@v2.9.0 fi echo "[dev-env] building image" make -C ${DIR}/../../ clean-image build image diff --git a/test/e2e/run-kind-e2e.sh b/test/e2e/run-kind-e2e.sh index df927bd1c..d3ea18b6d 100755 --- a/test/e2e/run-kind-e2e.sh +++ b/test/e2e/run-kind-e2e.sh @@ -95,7 +95,7 @@ fi if [ "${SKIP_E2E_IMAGE_CREATION}" = "false" ]; then if ! command -v ginkgo &> /dev/null; then - go install github.com/onsi/ginkgo/v2/ginkgo@v2.6.1 + go install github.com/onsi/ginkgo/v2/ginkgo@v2.9.0 fi echo "[dev-env] .. done building controller images" @@ -112,4 +112,4 @@ echo "[dev-env] copying docker images to cluster..." kind load docker-image --name="${KIND_CLUSTER_NAME}" --nodes="${KIND_WORKERS}" nginx-ingress-controller:e2e kind load docker-image --name="${KIND_CLUSTER_NAME}" --nodes="${KIND_WORKERS}" "${REGISTRY}"/controller:"${TAG}" echo "[dev-env] running e2e tests..." -make -C "${DIR}"/../../ e2e-test \ No newline at end of file +make -C "${DIR}"/../../ e2e-test From 47eb3a17fd95e9205dbe0c6bdb474ac4603f498d Mon Sep 17 00:00:00 2001 From: Marco Ebert Date: Tue, 14 Mar 2023 14:44:17 +0100 Subject: [PATCH 208/405] Deployment/DaemonSet: Label pods using `ingress-nginx.labels`. (#9732) --- charts/ingress-nginx/templates/controller-daemonset.yaml | 2 +- charts/ingress-nginx/templates/controller-deployment.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml index e6721566b..efa273dac 100644 --- a/charts/ingress-nginx/templates/controller-daemonset.yaml +++ b/charts/ingress-nginx/templates/controller-daemonset.yaml @@ -33,7 +33,7 @@ spec: {{- end }} {{- end }} labels: - {{- include "ingress-nginx.selectorLabels" . | nindent 8 }} + {{- include "ingress-nginx.labels" . | nindent 8 }} app.kubernetes.io/component: controller {{- with .Values.controller.labels }} {{- toYaml . | nindent 8 }} diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml index 9f1cf70db..36d7670e3 100644 --- a/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/charts/ingress-nginx/templates/controller-deployment.yaml @@ -37,7 +37,7 @@ spec: {{- end }} {{- end }} labels: - {{- include "ingress-nginx.selectorLabels" . | nindent 8 }} + {{- include "ingress-nginx.labels" . | nindent 8 }} app.kubernetes.io/component: controller {{- with .Values.controller.labels }} {{- toYaml . | nindent 8 }} From 2d15a9946b0017d0888b59066862c48f09ad6fa3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 14 Mar 2023 07:22:17 -0700 Subject: [PATCH 209/405] Bump actions/upload-artifact from 3.1.1 to 3.1.2 (#9717) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.1 to 3.1.2. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/83fd05a356d7e2593de66fc9913b3002723633cb...0b7f8abb1508181956e8e162db84b466c27e18ce) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yaml | 6 +++--- .github/workflows/scorecards.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index db9f69c41..56d87c000 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -188,7 +188,7 @@ jobs: | pigz > docker.tar.gz - name: cache - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: docker.tar.gz path: docker.tar.gz @@ -320,7 +320,7 @@ jobs: make kind-e2e-test - name: Uplaod e2e junit-reports - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 if: success() || failure() with: name: e2e-test-reports-${{ matrix.k8s }} @@ -375,7 +375,7 @@ jobs: make kind-e2e-test - name: Uplaod e2e junit-reports - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 if: success() || failure() with: name: e2e-test-reports-chroot-${{ matrix.k8s }} diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 6af70e691..8a3af47de 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -51,7 +51,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: SARIF file path: results.sarif From 7a95a43df63627d7fe1a4db6eceb1c83bf556d8f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 14 Mar 2023 07:24:23 -0700 Subject: [PATCH 210/405] Bump goreleaser/goreleaser-action from 4.1.0 to 4.2.0 (#9718) Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 4.1.0 to 4.2.0. - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](https://github.com/goreleaser/goreleaser-action/compare/8f67e590f2d095516493f017008adc464e63adb1...f82d6c1c344bcacabba2c841718984797f664a6b) --- updated-dependencies: - dependency-name: goreleaser/goreleaser-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/plugin.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/plugin.yaml b/.github/workflows/plugin.yaml index cb0f73489..760420765 100644 --- a/.github/workflows/plugin.yaml +++ b/.github/workflows/plugin.yaml @@ -28,7 +28,7 @@ jobs: check-latest: true - name: Run GoReleaser - uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v4.1.0 + uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0 with: version: latest args: release --rm-dist From 778577253e612181114e694028105e046d16c90e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 14 Mar 2023 07:26:18 -0700 Subject: [PATCH 211/405] Bump actions/download-artifact from 3.0.1 to 3.0.2 (#9721) Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 3.0.1 to 3.0.2. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/9782bd6a9848b53b110e712e20e42d89988822b7...9bc31d5ccc31df68ecc42ccf4149144866c47d8a) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 56d87c000..00049bddf 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -217,7 +217,7 @@ jobs: check-latest: true - name: cache - uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: docker.tar.gz @@ -291,7 +291,7 @@ jobs: uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - name: cache - uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: docker.tar.gz @@ -345,7 +345,7 @@ jobs: uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - name: cache - uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: docker.tar.gz From 4d443962d698ce022e71db4373ce48ef6b5964c2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 14 Mar 2023 07:28:16 -0700 Subject: [PATCH 212/405] Bump golang.org/x/crypto from 0.6.0 to 0.7.0 (#9723) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.6.0 to 0.7.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](https://github.com/golang/crypto/compare/v0.6.0...v0.7.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 10 +++++----- go.sum | 20 ++++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/go.mod b/go.mod index a653632f5..9144ff337 100644 --- a/go.mod +++ b/go.mod @@ -25,7 +25,7 @@ require ( github.com/stretchr/testify v1.8.2 github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a - golang.org/x/crypto v0.6.0 + golang.org/x/crypto v0.7.0 google.golang.org/grpc v1.53.0 google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 @@ -101,11 +101,11 @@ require ( github.com/yudai/pp v2.0.1+incompatible // indirect go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect golang.org/x/mod v0.8.0 // indirect - golang.org/x/net v0.7.0 // indirect + golang.org/x/net v0.8.0 // indirect golang.org/x/oauth2 v0.5.0 // indirect - golang.org/x/sys v0.5.0 // indirect - golang.org/x/term v0.5.0 // indirect - golang.org/x/text v0.7.0 // indirect + golang.org/x/sys v0.6.0 // indirect + golang.org/x/term v0.6.0 // indirect + golang.org/x/text v0.8.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.6.0 // indirect google.golang.org/appengine v1.6.7 // indirect diff --git a/go.sum b/go.sum index ff41229cf..813771bbc 100644 --- a/go.sum +++ b/go.sum @@ -407,8 +407,8 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc= -golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= +golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A= +golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -475,8 +475,8 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g= -golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ= +golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -546,19 +546,19 @@ golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU= -golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY= -golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw= +golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo= -golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68= +golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From ce18c5e552158ff512afd8034de361fc42a2b381 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 14 Mar 2023 07:30:17 -0700 Subject: [PATCH 213/405] Bump github.com/prometheus/common from 0.41.0 to 0.42.0 (#9724) Bumps [github.com/prometheus/common](https://github.com/prometheus/common) from 0.41.0 to 0.42.0. - [Release notes](https://github.com/prometheus/common/releases) - [Commits](https://github.com/prometheus/common/compare/v0.41.0...v0.42.0) --- updated-dependencies: - dependency-name: github.com/prometheus/common dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 9144ff337..4c4bc903a 100644 --- a/go.mod +++ b/go.mod @@ -19,7 +19,7 @@ require ( github.com/pmezard/go-difflib v1.0.0 github.com/prometheus/client_golang v1.14.0 github.com/prometheus/client_model v0.3.0 - github.com/prometheus/common v0.41.0 + github.com/prometheus/common v0.42.0 github.com/spf13/cobra v1.6.1 github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.8.2 diff --git a/go.sum b/go.sum index 813771bbc..c3a2152b7 100644 --- a/go.sum +++ b/go.sum @@ -324,8 +324,8 @@ github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y8 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= github.com/prometheus/common v0.29.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= -github.com/prometheus/common v0.41.0 h1:npo01n6vUlRViIj5fgwiK8vlNIh8bnoxqh3gypKsyAw= -github.com/prometheus/common v0.41.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc= +github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM= +github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc= github.com/prometheus/exporter-toolkit v0.7.0/go.mod h1:ZUBIj498ePooX9t/2xtDjeQYwvRpiPP2lh5u4iblj2g= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= From dba7ae04f5074ef49d1a61811660ad00680f0e6c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 14 Mar 2023 07:32:16 -0700 Subject: [PATCH 214/405] Bump actions/dependency-review-action from 3.0.2 to 3.0.3 (#9727) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.2 to 3.0.3. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/0ff3da6f81b812d4ec3cf37a04e2308c7a723730...c090f4e553673e6e505ea70d6a95362ee12adb94) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/depreview.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/depreview.yaml b/.github/workflows/depreview.yaml index 758e4b95f..0ecdcd55c 100644 --- a/.github/workflows/depreview.yaml +++ b/.github/workflows/depreview.yaml @@ -11,4 +11,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - name: 'Dependency Review' - uses: actions/dependency-review-action@0ff3da6f81b812d4ec3cf37a04e2308c7a723730 # v3.0.2 + uses: actions/dependency-review-action@c090f4e553673e6e505ea70d6a95362ee12adb94 # v3.0.3 From 3cd4ff93fe6cef93665604fd490f100fe65a3f53 Mon Sep 17 00:00:00 2001 From: longwuyuan Date: Wed, 15 Mar 2023 23:44:25 +0530 Subject: [PATCH 215/405] changed test-runner-image tag and sha --- build/run-in-docker.sh | 2 +- test/e2e-image/Makefile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh index d375c4336..3a6aeb43d 100755 --- a/build/run-in-docker.sh +++ b/build/run-in-docker.sh @@ -44,7 +44,7 @@ function cleanup { } trap cleanup EXIT -E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20221221-controller-v1.5.1-62-g6ffaef32a@sha256:8f025472964cd15ae2d379503aba150565a8d78eb36b41ddfc5f1e3b1ca81a8e} +E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20230314-helm-chart-4.5.2-32-g520384b11@sha256:754c62f9a5efd1ee515ee908ecc16c0c4d1dda96a8cc8019667182a55f3a9035} if [[ "$RUNTIME" == podman ]]; then # Podman does not support both tag and digest diff --git a/test/e2e-image/Makefile b/test/e2e-image/Makefile index f89bf6bf2..001146f65 100644 --- a/test/e2e-image/Makefile +++ b/test/e2e-image/Makefile @@ -1,6 +1,6 @@ DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST)))) -E2E_BASE_IMAGE="registry.k8s.io/ingress-nginx/e2e-test-runner:v20221221-controller-v1.5.1-62-g6ffaef32a@sha256:8f025472964cd15ae2d379503aba150565a8d78eb36b41ddfc5f1e3b1ca81a8e" +E2E_BASE_IMAGE="registry.k8s.io/ingress-nginx/e2e-test-runner:v20230314-helm-chart-4.5.2-32-g520384b11@sha256:754c62f9a5efd1ee515ee908ecc16c0c4d1dda96a8cc8019667182a55f3a9035" image: echo "..entered Makefile in /test/e2e-image" From 2324ad0d0556d07aa39c4b8872e1b8419f338e33 Mon Sep 17 00:00:00 2001 From: Saumya <76432998+SaumyaBhushan@users.noreply.github.com> Date: Thu, 16 Mar 2023 13:57:18 +0530 Subject: [PATCH 216/405] updated NGINX_BASE image with latest tag (#9747) --- NGINX_BASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NGINX_BASE b/NGINX_BASE index 72093c593..bf23fa5a7 100644 --- a/NGINX_BASE +++ b/NGINX_BASE @@ -1 +1 @@ -registry.k8s.io/ingress-nginx/nginx:21aa7f55a3325c1c26de0dfb62ede4c0a809a994@sha256:da6b877ed96dada46ed6e379051c2dd461dd5d329af7a7531820ad3e16197e20 \ No newline at end of file +registry.k8s.io/ingress-nginx/nginx:66a760794f91809bcd897cbdb45435653d73fd92@sha256:86c1581e69dc92d107f8edd36724890ea682a3afda8c1fb1ba41aabc7bc0128d \ No newline at end of file From 58e5a2c01f72bd1e4d9e924d5059b29350577d76 Mon Sep 17 00:00:00 2001 From: Marco Ebert Date: Fri, 17 Mar 2023 02:39:16 +0100 Subject: [PATCH 217/405] Chart: Drop `controller.headers`, rework DH param secret. (#9659) --- charts/ingress-nginx/README.md | 2 +- charts/ingress-nginx/templates/NOTES.txt | 7 ------- .../controller-configmap-proxyheaders.yaml | 9 ++------- .../templates/controller-configmap.yaml | 7 +++---- .../templates/controller-secret.yaml | 15 +++++++++++++++ .../ingress-nginx/templates/dh-param-secret.yaml | 10 ---------- charts/ingress-nginx/values.yaml | 2 +- 7 files changed, 22 insertions(+), 30 deletions(-) create mode 100644 charts/ingress-nginx/templates/controller-secret.yaml delete mode 100644 charts/ingress-nginx/templates/dh-param-secret.yaml diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 5e7fa85a1..a72805054 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -509,7 +509,7 @@ Kubernetes: `>=1.20.0-0` | defaultBackend.serviceAccount.name | string | `""` | | | defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # | | defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # | -| dhParam | string | `nil` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param | +| dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param | | imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | | podSecurityPolicy.enabled | bool | `false` | | | portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration | diff --git a/charts/ingress-nginx/templates/NOTES.txt b/charts/ingress-nginx/templates/NOTES.txt index 8985c56c0..9fe35c785 100644 --- a/charts/ingress-nginx/templates/NOTES.txt +++ b/charts/ingress-nginx/templates/NOTES.txt @@ -71,10 +71,3 @@ If TLS is enabled for the Ingress, a Secret containing the certificate and key m tls.crt: tls.key: type: kubernetes.io/tls - -{{- if .Values.controller.headers }} -################################################################################# -###### WARNING: `controller.headers` has been deprecated! ##### -###### It has been renamed to `controller.proxySetHeaders`. ##### -################################################################################# -{{- end }} diff --git a/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml b/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml index f8d15faf9..38feb721f 100644 --- a/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml +++ b/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml @@ -1,4 +1,4 @@ -{{- if or .Values.controller.proxySetHeaders .Values.controller.headers -}} +{{- if .Values.controller.proxySetHeaders -}} apiVersion: v1 kind: ConfigMap metadata: @@ -10,10 +10,5 @@ metadata: {{- end }} name: {{ include "ingress-nginx.fullname" . }}-custom-proxy-headers namespace: {{ .Release.Namespace }} -data: -{{- if .Values.controller.proxySetHeaders }} -{{ toYaml .Values.controller.proxySetHeaders | indent 2 }} -{{ else if and .Values.controller.headers (not .Values.controller.proxySetHeaders) }} -{{ toYaml .Values.controller.headers | indent 2 }} -{{- end }} +data: {{ toYaml .Values.controller.proxySetHeaders | nindent 2 }} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-configmap.yaml b/charts/ingress-nginx/templates/controller-configmap.yaml index f28b26e1e..9ec2b8369 100644 --- a/charts/ingress-nginx/templates/controller-configmap.yaml +++ b/charts/ingress-nginx/templates/controller-configmap.yaml @@ -17,13 +17,12 @@ data: {{- if .Values.controller.addHeaders }} add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers {{- end }} -{{- if or .Values.controller.proxySetHeaders .Values.controller.headers }} +{{- if .Values.controller.proxySetHeaders }} proxy-set-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers {{- end }} {{- if .Values.dhParam }} - ssl-dh-param: {{ printf "%s/%s" .Release.Namespace (include "ingress-nginx.controller.fullname" .) }} + ssl-dh-param: {{ .Release.Namespace }}/{{ include "ingress-nginx.controller.fullname" . }} {{- end }} {{- range $key, $value := .Values.controller.config }} - {{- $key | nindent 2 }}: {{ $value | quote }} + {{- $key | nindent 2 }}: {{ $value | quote }} {{- end }} - diff --git a/charts/ingress-nginx/templates/controller-secret.yaml b/charts/ingress-nginx/templates/controller-secret.yaml new file mode 100644 index 000000000..f3744232f --- /dev/null +++ b/charts/ingress-nginx/templates/controller-secret.yaml @@ -0,0 +1,15 @@ +{{- if .Values.dhParam -}} +apiVersion: v1 +kind: Secret +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + {{- with .Values.controller.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "ingress-nginx.controller.fullname" . }} + namespace: {{ .Release.Namespace }} +data: + dhparam.pem: {{ .Values.dhParam }} +{{- end }} diff --git a/charts/ingress-nginx/templates/dh-param-secret.yaml b/charts/ingress-nginx/templates/dh-param-secret.yaml deleted file mode 100644 index 12e7a4f63..000000000 --- a/charts/ingress-nginx/templates/dh-param-secret.yaml +++ /dev/null @@ -1,10 +0,0 @@ -{{- with .Values.dhParam -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "ingress-nginx.controller.fullname" $ }} - labels: - {{- include "ingress-nginx.labels" $ | nindent 4 }} -data: - dhparam.pem: {{ . }} -{{- end }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 031078499..1fab6f52a 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -886,4 +886,4 @@ portNamePrefix: "" # -- (string) A base64-encoded Diffie-Hellman parameter. # This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` ## Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param -dhParam: +dhParam: "" From fec1dbe3a122089a92c1f794fa2ca6b389640d49 Mon Sep 17 00:00:00 2001 From: Saumya <76432998+SaumyaBhushan@users.noreply.github.com> Date: Sun, 19 Mar 2023 03:43:16 +0530 Subject: [PATCH 218/405] changes Makefile of echo folder to trigger code-build (#9754) --- images/echo/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/images/echo/Makefile b/images/echo/Makefile index 500704e81..0ab1c945f 100644 --- a/images/echo/Makefile +++ b/images/echo/Makefile @@ -4,7 +4,7 @@ # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # -# http://www.apache.org/licenses/LICENSE-2.0 +# http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, From 1e629fae1d12a6bf3151f709ecdb96b5b1165ebb Mon Sep 17 00:00:00 2001 From: Saumya <76432998+SaumyaBhushan@users.noreply.github.com> Date: Sun, 19 Mar 2023 03:45:16 +0530 Subject: [PATCH 219/405] added upgrade ginkgo documentation for contributors (#9753) --- ginkgo_upgrade.md | 131 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 131 insertions(+) create mode 100644 ginkgo_upgrade.md diff --git a/ginkgo_upgrade.md b/ginkgo_upgrade.md new file mode 100644 index 000000000..1ed996cd1 --- /dev/null +++ b/ginkgo_upgrade.md @@ -0,0 +1,131 @@ +# GINKGO UPGRADE + +#### Bumping ginkgo in the project requires four PRs. + +## 1. Dependabot PR + +- Dependabot automatically updates `ginkgo version` but only in [go.mod ](go.mod) and [go.sum ](go.sum) files. +- This is an automatically generated PR by Dependabot but it needs approval from maintainers to get merged. + +## 2. Edit-hardcoded-version PR + +### a. Make changes to appropriate files in required directories + +- Make changes in files where gingko version is hardcoded. These files are : + - [run-in-docker.sh ](build/run-in-docker.sh) + - [Dockerfile ](images/test-runner/rootfs/Dockerfile) + - [run.sh ](test/e2e/run.sh) + - [run-chart-test.sh ](test/e2e/run-chart-test.sh) + +### b. Create PR + +- Open pull request(s) accordingly, to fire cloudbuild for building the component's image (if applicable). + +### c. Merge + +- Merging will fire cloudbuild, which will result in images being promoted to the [staging container registry](https://console.cloud.google.com/gcr/images/k8s-staging-ingress-nginx). + +### d. Make sure cloudbuild is a success + +- Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx). If you don't have access to cloudbuild, you can also have a look at [this](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), to see the progress of the build. + +- Proceed only after cloud-build is successful in building a new Ingress-Nginx-Controller image. + + +## 3. PROMOTE the new-testrunner-image PR: + +Promoting the images basically means that images, that were pushed to staging container registry in the steps above, now are also pushed to the public container registry. Thus are publicly available. Follow these steps to promote images: +- When you make changes to the `Dockerfile` or other core content under [images directory ](images), it generates a new image in google cloudbuild. This is because kubernetes projects need to use the infra provided for the kubernetes projects. The new image is always only pushed to the staging repository of K8S. From the staging repo, the new image needs to be promoted to the production repo. And once promoted, its possible to use the sha of the new image in the code. + +### a. Get the sha + +- Get the sha of the new image(s) of the controller, from the cloudbuild, from steps above + + - The sha is available in output from [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx) + + - The sha is also visible [here](https://console.cloud.google.com/gcr/images/k8s-staging-ingress-nginx/global/e2e-test-runner) + + - The sha is also visible [here]((https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*)), after cloud build is finished. Click on the respective job, go to `Artifacts` section in the UI, then again `artifacts` in the directory browser. In the `build.log` at the very bottom you see something like this: + + ``` + ... + pushing manifest for gcr.io/k8s-staging-ingress-nginx/controller:v1.0.2@sha256:e15fac6e8474d77e1f017edc33d804ce72a184e3c0a30963b2a0d7f0b89f6b16 + ... + ``` + +### b. Add the new image to [k8s.io](http://github.com/kubernetes/k8s.io) + +- The sha(s) from the step before (and the tag(s) for the new image(s) have to be added, as a new line, in a file, of the [k8s.io](http://github.com/kubernetes/k8s.io) project of Kubernetes organization. + +- Fork that other project (if you don't have a fork already). + +- Other project to fork [Github repo kubernetes/k8s.io](http://github.com/kubernetes/k8s.io) + +- Fetch --all and rebase to upstream if already forked. + +- Create a branch in your fork, named as the issue number for this release + +- In the related branch, of your fork, edit the file k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml. + +- For making it easier, you can edit your branch directly in the browser. But be careful about making any mistake. + +- Insert the sha(s) & the tag(s), in a new line, in this file [Project kubernetes/k8s.io Ingress-Nginx-Controller Images](https://github.com/kubernetes/k8s.io/blob/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml) Look at this [example PR and the diff](https://github.com/kubernetes/k8s.io/pull/4499) to see how it was done before + +- Save and commit + +### c. Create PR + +- Open pull request to promote the new e2e-test-runner image. + +### d. Merge + +- Merge success is required. + +- Proceed only after cloud-build is successful in building a new e2e-test-runner image. + + +## 4. Change testrunner-image-sha PR + +### a. Get the sha + +- Make sure to get the tag and sha of the promoted image from the step before, either from cloudbuild or from [here](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/ingress-nginx/e2e-test-runner). + +### a. Make sure your git workspace is ready + +- Get your git workspace ready + + - If not using a pre-existing fork, then Fork the repo kubernetes/ingress-nginx + + - Clone (to laptop or wherever) + + - Add upstream + + - Set upstream url to no_push + + - Checkout & switch to branch, named as per related new-release-issue-number + + - If already forked, and upstream already added, then `git fetch --all` and `git rebase upstream/main` (not origin) + + - Checkout a branch in your fork's clone + + - Perform any other diligence as needed + +- Prefer to edit only and only in your branch, in your Fork + +### b. Change testrunner-image-sha + +- You need update the testrunner-image-sha in the following files : + + - [run-in-docker.sh](https://github.com/kubernetes/ingress-nginx/blob/main/build/run-in-docker.sh#L41) + - [Makefile](https://github.com/kubernetes/ingress-nginx/blob/main/test/e2e-image/Makefile#L3) + +### c. Create PR + +- Look at this PR for how it was done before [example PR](https://github.com/kubernetes/ingress-nginx/pull/9444) +- Create a PR + +### d. Merge + +- Finally merge the PR. + +## END ## \ No newline at end of file From 6eb52c39c8d964e3e23d537a23c1aadb1befb3fd Mon Sep 17 00:00:00 2001 From: Saumya <76432998+SaumyaBhushan@users.noreply.github.com> Date: Sun, 19 Mar 2023 03:47:15 +0530 Subject: [PATCH 220/405] updated nginx-error digest and tags (#9755) --- .../custom-errors/custom-default-backend.helm.values.yaml | 2 +- .../customization/custom-errors/custom-default-backend.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml b/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml index 670208559..807da71a4 100644 --- a/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml +++ b/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml @@ -6,7 +6,7 @@ defaultBackend: image: registry: registry.k8s.io image: ingress-nginx/nginx-errors - tag: "v20220916-gd32f8c343@sha256:09c421ac743bace19ab77979b82186941c5125c95e62cdb40bdf41293b5c275c" + tag: "v20230312-helm-chart-4.5.2-28-g66a760794@sha256:332be6ff8c4e93e8845963932f98839dfd52ae49829c29e06475368a3e4fbd9e" extraVolumes: - name: custom-error-pages configMap: diff --git a/docs/examples/customization/custom-errors/custom-default-backend.yaml b/docs/examples/customization/custom-errors/custom-default-backend.yaml index 072beab3b..5fc5c55e4 100644 --- a/docs/examples/customization/custom-errors/custom-default-backend.yaml +++ b/docs/examples/customization/custom-errors/custom-default-backend.yaml @@ -36,7 +36,7 @@ spec: spec: containers: - name: nginx-error-server - image: registry.k8s.io/ingress-nginx/nginx-errors:v20220916-gd32f8c343@sha256:09c421ac743bace19ab77979b82186941c5125c95e62cdb40bdf41293b5c275c + image: registry.k8s.io/ingress-nginx/nginx-errors:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:332be6ff8c4e93e8845963932f98839dfd52ae49829c29e06475368a3e4fbd9e ports: - containerPort: 8080 # Setting the environment variable DEBUG we can see the headers sent From 45dae623c74515382d3566a3643c105d0f6d2b2e Mon Sep 17 00:00:00 2001 From: Saumya <76432998+SaumyaBhushan@users.noreply.github.com> Date: Sun, 19 Mar 2023 21:29:16 +0530 Subject: [PATCH 221/405] updated kube-webhook-certgen digest and tags (#9756) --- charts/ingress-nginx/README.md | 4 ++-- charts/ingress-nginx/values.yaml | 4 ++-- deploy/static/provider/aws/deploy.yaml | 4 ++-- .../static/provider/aws/nlb-with-tls-termination/deploy.yaml | 4 ++-- deploy/static/provider/baremetal/deploy.yaml | 4 ++-- deploy/static/provider/cloud/deploy.yaml | 4 ++-- deploy/static/provider/do/deploy.yaml | 4 ++-- deploy/static/provider/exoscale/deploy.yaml | 4 ++-- deploy/static/provider/kind/deploy.yaml | 4 ++-- deploy/static/provider/scw/deploy.yaml | 4 ++-- 10 files changed, 20 insertions(+), 20 deletions(-) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index a72805054..6725bb2bb 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -271,11 +271,11 @@ Kubernetes: `>=1.20.0-0` | controller.admissionWebhooks.networkPolicyEnabled | bool | `false` | | | controller.admissionWebhooks.objectSelector | object | `{}` | | | controller.admissionWebhooks.patch.enabled | bool | `true` | | -| controller.admissionWebhooks.patch.image.digest | string | `"sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f"` | | +| controller.admissionWebhooks.patch.image.digest | string | `"sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f"` | | | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | | | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | | | controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | | -| controller.admissionWebhooks.patch.image.tag | string | `"v20220916-gd32f8c343"` | | +| controller.admissionWebhooks.patch.image.tag | string | `"v20230312-helm-chart-4.5.2-28-g66a760794"` | | | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources | | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | controller.admissionWebhooks.patch.podAnnotations | object | `{}` | | diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 1fab6f52a..f6064911a 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -598,8 +598,8 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: v20220916-gd32f8c343 - digest: sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + tag: v20230312-helm-chart-4.5.2-28-g66a760794 + digest: sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f pullPolicy: IfNotPresent # -- Provide a priority class name to the webhook patching job ## diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml index 487340a73..bf4ffce19 100644 --- a/deploy/static/provider/aws/deploy.yaml +++ b/deploy/static/provider/aws/deploy.yaml @@ -537,7 +537,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f imagePullPolicy: IfNotPresent name: create securityContext: @@ -586,7 +586,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f imagePullPolicy: IfNotPresent name: patch securityContext: diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml index 4763623c8..0b58831a3 100644 --- a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml +++ b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml @@ -549,7 +549,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f imagePullPolicy: IfNotPresent name: create securityContext: @@ -598,7 +598,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f imagePullPolicy: IfNotPresent name: patch securityContext: diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml index a642d67da..d141e8ca6 100644 --- a/deploy/static/provider/baremetal/deploy.yaml +++ b/deploy/static/provider/baremetal/deploy.yaml @@ -531,7 +531,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f imagePullPolicy: IfNotPresent name: create securityContext: @@ -580,7 +580,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f imagePullPolicy: IfNotPresent name: patch securityContext: diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml index 8b09efac1..97c22739b 100644 --- a/deploy/static/provider/cloud/deploy.yaml +++ b/deploy/static/provider/cloud/deploy.yaml @@ -533,7 +533,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f imagePullPolicy: IfNotPresent name: create securityContext: @@ -582,7 +582,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f imagePullPolicy: IfNotPresent name: patch securityContext: diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml index 7461d9794..5b7c86670 100644 --- a/deploy/static/provider/do/deploy.yaml +++ b/deploy/static/provider/do/deploy.yaml @@ -536,7 +536,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f imagePullPolicy: IfNotPresent name: create securityContext: @@ -585,7 +585,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f imagePullPolicy: IfNotPresent name: patch securityContext: diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml index be0e2f587..c8236ef20 100644 --- a/deploy/static/provider/exoscale/deploy.yaml +++ b/deploy/static/provider/exoscale/deploy.yaml @@ -542,7 +542,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f imagePullPolicy: IfNotPresent name: create securityContext: @@ -591,7 +591,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f imagePullPolicy: IfNotPresent name: patch securityContext: diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml index abb310999..a8fd055c9 100644 --- a/deploy/static/provider/kind/deploy.yaml +++ b/deploy/static/provider/kind/deploy.yaml @@ -547,7 +547,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f imagePullPolicy: IfNotPresent name: create securityContext: @@ -596,7 +596,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f imagePullPolicy: IfNotPresent name: patch securityContext: diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml index fdc3c6cde..1f04b9b9e 100644 --- a/deploy/static/provider/scw/deploy.yaml +++ b/deploy/static/provider/scw/deploy.yaml @@ -536,7 +536,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f imagePullPolicy: IfNotPresent name: create securityContext: @@ -585,7 +585,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f imagePullPolicy: IfNotPresent name: patch securityContext: From 1f4fb4133240794cdd2fcc2c1b5171ff5b8b9d01 Mon Sep 17 00:00:00 2001 From: Saumya <76432998+SaumyaBhushan@users.noreply.github.com> Date: Sun, 19 Mar 2023 21:33:16 +0530 Subject: [PATCH 222/405] updated digest and sha for e2e-test-cfssl (#9757) --- test/e2e/settings/ocsp/ocsp.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/settings/ocsp/ocsp.go b/test/e2e/settings/ocsp/ocsp.go index adf4351e7..483013f59 100644 --- a/test/e2e/settings/ocsp/ocsp.go +++ b/test/e2e/settings/ocsp/ocsp.go @@ -290,7 +290,7 @@ func ocspserveDeployment(namespace string) (*appsv1.Deployment, *corev1.Service) Containers: []corev1.Container{ { Name: name, - Image: "registry.k8s.io/ingress-nginx/e2e-test-cfssl@sha256:c1b273763048944dd7d22d37adfc65be4fa6a5f6068204292573c6cdc5ea3457", + Image: "registry.k8s.io/ingress-nginx/e2e-test-cfssl@sha256:d02c1e18f573449966999fc850f1fed3d37621bf77797562cbe77ebdb06a66ea", Command: []string{ "/bin/bash", "-c", From 18c3a91a0462b8182a2ff61461f002f32749aaef Mon Sep 17 00:00:00 2001 From: Saumya <76432998+SaumyaBhushan@users.noreply.github.com> Date: Mon, 20 Mar 2023 01:13:16 +0530 Subject: [PATCH 223/405] updated digest and sha for opentelemetry (#9758) --- charts/ingress-nginx/README.md | 2 +- charts/ingress-nginx/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 6725bb2bb..6da71a144 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -395,7 +395,7 @@ Kubernetes: `>=1.20.0-0` | controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ # | | controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | | controller.opentelemetry.enabled | bool | `false` | | -| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230107-helm-chart-4.4.2-2-g96b3d2165@sha256:331b9bebd6acfcd2d3048abbdd86555f5be76b7e3d0b5af4300b04235c6056c9"` | | +| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:40f766ac4a9832f36f217bb0e98d44c8d38faeccbfe861fbc1a76af7e9ab257f"` | | | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # | | controller.podLabels | object | `{}` | Labels to add to the pod container metadata | | controller.podSecurityContext | object | `{}` | Security Context policies for controller pods | diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index f6064911a..f043c17cb 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -536,7 +536,7 @@ controller: opentelemetry: enabled: false - image: registry.k8s.io/ingress-nginx/opentelemetry:v20230107-helm-chart-4.4.2-2-g96b3d2165@sha256:331b9bebd6acfcd2d3048abbdd86555f5be76b7e3d0b5af4300b04235c6056c9 + image: registry.k8s.io/ingress-nginx/opentelemetry:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:40f766ac4a9832f36f217bb0e98d44c8d38faeccbfe861fbc1a76af7e9ab257f containerSecurityContext: allowPrivilegeEscalation: false admissionWebhooks: From f75b12e690151d6a2e1f692ff22fc01152cbd162 Mon Sep 17 00:00:00 2001 From: Saumya <76432998+SaumyaBhushan@users.noreply.github.com> Date: Mon, 20 Mar 2023 01:17:16 +0530 Subject: [PATCH 224/405] updated digest and sha for e2e-test-fastcgi-helloserver (#9759) --- test/e2e/framework/fastcgi_helloserver.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/framework/fastcgi_helloserver.go b/test/e2e/framework/fastcgi_helloserver.go index c3e89c7f5..719048c06 100644 --- a/test/e2e/framework/fastcgi_helloserver.go +++ b/test/e2e/framework/fastcgi_helloserver.go @@ -58,7 +58,7 @@ func (f *Framework) NewNewFastCGIHelloServerDeploymentWithReplicas(replicas int3 Containers: []corev1.Container{ { Name: "fastcgi-helloserver", - Image: "registry.k8s.io/ingress-nginx/e2e-test-fastcgi-helloserver@sha256:723b8187e1768d199b93fd939c37c1ce9427dcbca72ec6415f4d890bca637fcc", + Image: "registry.k8s.io/ingress-nginx/e2e-test-fastcgi-helloserver@sha256:0e08c836cc58f1ea862578de99b13bc4264fe071e816f96dc1d79857bfba7473", Env: []corev1.EnvVar{}, Ports: []corev1.ContainerPort{ { From 2d3554794314139e87ac47c3f75e5f6f5d48a467 Mon Sep 17 00:00:00 2001 From: Saumya <76432998+SaumyaBhushan@users.noreply.github.com> Date: Mon, 20 Mar 2023 01:17:24 +0530 Subject: [PATCH 225/405] updated digest and sha for e2e-test-echo (#9760) --- .../customization/external-auth-headers/echo-service.yaml | 2 +- test/e2e/framework/deployment.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/examples/customization/external-auth-headers/echo-service.yaml b/docs/examples/customization/external-auth-headers/echo-service.yaml index 0fe37be56..57df4d628 100644 --- a/docs/examples/customization/external-auth-headers/echo-service.yaml +++ b/docs/examples/customization/external-auth-headers/echo-service.yaml @@ -18,7 +18,7 @@ spec: terminationGracePeriodSeconds: 60 containers: - name: echo-service - image: registry.k8s.io/ingress-nginx/e2e-test-echo:v20220819-ga98c63787@sha256:778ac6d1188c8de8ecabeddd3c37b72c8adc8c712bad2bd7a81fb23a3514934c + image: registry.k8s.io/ingress-nginx/e2e-test-echo:v20230318-helm-chart-4.5.2-44-gfec1dbe3a@sha256:4938d1d91a2b7d19454460a8c1b010b89f6ff92d2987fd889ac3e8fc3b70d91a ports: - containerPort: 8080 resources: diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go index 8115fd12e..4627a8892 100644 --- a/test/e2e/framework/deployment.go +++ b/test/e2e/framework/deployment.go @@ -93,7 +93,7 @@ func (f *Framework) NewEchoDeployment(opts ...func(*deploymentOptions)) { o(options) } - deployment := newDeployment(options.name, options.namespace, "registry.k8s.io/ingress-nginx/e2e-test-echo@sha256:778ac6d1188c8de8ecabeddd3c37b72c8adc8c712bad2bd7a81fb23a3514934c", 80, int32(options.replicas), + deployment := newDeployment(options.name, options.namespace, "registry.k8s.io/ingress-nginx/e2e-test-echo@sha256:4938d1d91a2b7d19454460a8c1b010b89f6ff92d2987fd889ac3e8fc3b70d91a", 80, int32(options.replicas), nil, nil, nil, []corev1.VolumeMount{}, []corev1.Volume{}, From 9a1cfc7181d0afc1e405962c5308abaa0501b751 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 20 Mar 2023 11:01:37 +0000 Subject: [PATCH 226/405] Bump securego/gosec from 2.14.0 to 2.15.0 Bumps [securego/gosec](https://github.com/securego/gosec) from 2.14.0 to 2.15.0. - [Release notes](https://github.com/securego/gosec/releases) - [Changelog](https://github.com/securego/gosec/blob/master/.goreleaser.yml) - [Commits](https://github.com/securego/gosec/compare/1af1d5bb49259b62e45c505db397dd2ada5d74f8...a459eb0ba387d9bd083d5c2e2354dbeef2465038) --- updated-dependencies: - dependency-name: securego/gosec dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 00049bddf..3d7c21c3d 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -68,7 +68,7 @@ jobs: uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - name: Run Gosec Security Scanner - uses: securego/gosec@1af1d5bb49259b62e45c505db397dd2ada5d74f8 # v2.14.0 + uses: securego/gosec@a459eb0ba387d9bd083d5c2e2354dbeef2465038 # v2.15.0 with: # G601 for zz_generated.deepcopy.go # G306 TODO: Expect WriteFile permissions to be 0600 or less From 12da492f0112a5833f6437e00a485c23562856b2 Mon Sep 17 00:00:00 2001 From: Ole-Martin Bratteng <1681525+omBratteng@users.noreply.github.com> Date: Mon, 20 Mar 2023 13:05:18 +0100 Subject: [PATCH 227/405] docs(helm): fix value key in readme for enabling certManager (#9640) --- charts/ingress-nginx/README.md | 2 +- charts/ingress-nginx/README.md.gotmpl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 6da71a144..9659df139 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -228,7 +228,7 @@ A validating and configuration requires the endpoint to which the request is sen #### Alternatives It should be possible to use [cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) if a more complete solution is required. -You can enable automatic self-signed TLS certificate provisioning via cert-manager by setting the `controller.admissionWebhooks.certManager.enable` value to true. +You can enable automatic self-signed TLS certificate provisioning via cert-manager by setting the `controller.admissionWebhooks.certManager.enabled` value to true. Please ensure that cert-manager is correctly installed and configured. diff --git a/charts/ingress-nginx/README.md.gotmpl b/charts/ingress-nginx/README.md.gotmpl index 78e4f38d4..99a2a62cb 100644 --- a/charts/ingress-nginx/README.md.gotmpl +++ b/charts/ingress-nginx/README.md.gotmpl @@ -227,7 +227,7 @@ A validating and configuration requires the endpoint to which the request is sen #### Alternatives It should be possible to use [cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) if a more complete solution is required. -You can enable automatic self-signed TLS certificate provisioning via cert-manager by setting the `controller.admissionWebhooks.certManager.enable` value to true. +You can enable automatic self-signed TLS certificate provisioning via cert-manager by setting the `controller.admissionWebhooks.certManager.enabled` value to true. Please ensure that cert-manager is correctly installed and configured. From 1936973ea9d95b62fe8077e1cb36b2471d2c16b8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 20 Mar 2023 09:33:19 -0700 Subject: [PATCH 228/405] Bump actions/add-to-project from 0.4.0 to 0.4.1 (#9765) Bumps [actions/add-to-project](https://github.com/actions/add-to-project) from 0.4.0 to 0.4.1. - [Release notes](https://github.com/actions/add-to-project/releases) - [Commits](https://github.com/actions/add-to-project/compare/960fbad431afda394cfcf8743445e741acd19e85...4756e6330fe1e0a736690d3cfd9f11c9399c2ed4) --- updated-dependencies: - dependency-name: actions/add-to-project dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/project.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/project.yml b/.github/workflows/project.yml index d75435712..35d6d3e5c 100644 --- a/.github/workflows/project.yml +++ b/.github/workflows/project.yml @@ -13,7 +13,7 @@ jobs: repository-projects: write issues: write steps: - - uses: actions/add-to-project@960fbad431afda394cfcf8743445e741acd19e85 # v0.4.0 + - uses: actions/add-to-project@4756e6330fe1e0a736690d3cfd9f11c9399c2ed4 # v0.4.1 with: project-url: https://github.com/orgs/kubernetes/projects/104 github-token: ${{ secrets.PROJECT_WRITER }} From 5c0b70764395832d243cd6647aa384c891c453da Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 21 Mar 2023 06:33:08 -0700 Subject: [PATCH 229/405] Bump actions/dependency-review-action from 3.0.3 to 3.0.4 (#9766) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.3 to 3.0.4. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/c090f4e553673e6e505ea70d6a95362ee12adb94...f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/depreview.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/depreview.yaml b/.github/workflows/depreview.yaml index 0ecdcd55c..571610dc6 100644 --- a/.github/workflows/depreview.yaml +++ b/.github/workflows/depreview.yaml @@ -11,4 +11,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - name: 'Dependency Review' - uses: actions/dependency-review-action@c090f4e553673e6e505ea70d6a95362ee12adb94 # v3.0.3 + uses: actions/dependency-review-action@f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e # v3.0.4 From 9b3599206c0b5789523678a7f09d8c12d9f41cb7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 21 Mar 2023 06:35:10 -0700 Subject: [PATCH 230/405] Bump k8s.io/component-base from 0.26.2 to 0.26.3 (#9764) Bumps [k8s.io/component-base](https://github.com/kubernetes/component-base) from 0.26.2 to 0.26.3. - [Release notes](https://github.com/kubernetes/component-base/releases) - [Commits](https://github.com/kubernetes/component-base/compare/v0.26.2...v0.26.3) --- updated-dependencies: - dependency-name: k8s.io/component-base dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 8 ++++---- go.sum | 16 ++++++++-------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/go.mod b/go.mod index 4c4bc903a..f351bae17 100644 --- a/go.mod +++ b/go.mod @@ -30,14 +30,14 @@ require ( google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 - k8s.io/api v0.26.2 + k8s.io/api v0.26.3 k8s.io/apiextensions-apiserver v0.26.1 - k8s.io/apimachinery v0.26.2 + k8s.io/apimachinery v0.26.3 k8s.io/apiserver v0.26.1 k8s.io/cli-runtime v0.26.0 - k8s.io/client-go v0.26.2 + k8s.io/client-go v0.26.3 k8s.io/code-generator v0.26.1 - k8s.io/component-base v0.26.2 + k8s.io/component-base v0.26.3 k8s.io/klog/v2 v2.90.1 pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 sigs.k8s.io/controller-runtime v0.14.5 diff --git a/go.sum b/go.sum index c3a2152b7..00918fc47 100644 --- a/go.sum +++ b/go.sum @@ -741,22 +741,22 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.26.2 h1:dM3cinp3PGB6asOySalOZxEG4CZ0IAdJsrYZXE/ovGQ= -k8s.io/api v0.26.2/go.mod h1:1kjMQsFE+QHPfskEcVNgL3+Hp88B80uj0QtSOlj8itU= +k8s.io/api v0.26.3 h1:emf74GIQMTik01Aum9dPP0gAypL8JTLl/lHa4V9RFSU= +k8s.io/api v0.26.3/go.mod h1:PXsqwPMXBSBcL1lJ9CYDKy7kIReUydukS5JiRlxC3qE= k8s.io/apiextensions-apiserver v0.26.1 h1:cB8h1SRk6e/+i3NOrQgSFij1B2S0Y0wDoNl66bn8RMI= k8s.io/apiextensions-apiserver v0.26.1/go.mod h1:AptjOSXDGuE0JICx/Em15PaoO7buLwTs0dGleIHixSM= -k8s.io/apimachinery v0.26.2 h1:da1u3D5wfR5u2RpLhE/ZtZS2P7QvDgLZTi9wrNZl/tQ= -k8s.io/apimachinery v0.26.2/go.mod h1:ats7nN1LExKHvJ9TmwootT00Yz05MuYqPXEXaVeOy5I= +k8s.io/apimachinery v0.26.3 h1:dQx6PNETJ7nODU3XPtrwkfuubs6w7sX0M8n61zHIV/k= +k8s.io/apimachinery v0.26.3/go.mod h1:ats7nN1LExKHvJ9TmwootT00Yz05MuYqPXEXaVeOy5I= k8s.io/apiserver v0.26.1 h1:6vmnAqCDO194SVCPU3MU8NcDgSqsUA62tBUSWrFXhsc= k8s.io/apiserver v0.26.1/go.mod h1:wr75z634Cv+sifswE9HlAo5FQ7UoUauIICRlOE+5dCg= k8s.io/cli-runtime v0.26.0 h1:aQHa1SyUhpqxAw1fY21x2z2OS5RLtMJOCj7tN4oq8mw= k8s.io/cli-runtime v0.26.0/go.mod h1:o+4KmwHzO/UK0wepE1qpRk6l3o60/txUZ1fEXWGIKTY= -k8s.io/client-go v0.26.2 h1:s1WkVujHX3kTp4Zn4yGNFK+dlDXy1bAAkIl+cFAiuYI= -k8s.io/client-go v0.26.2/go.mod h1:u5EjOuSyBa09yqqyY7m3abZeovO/7D/WehVVlZ2qcqU= +k8s.io/client-go v0.26.3 h1:k1UY+KXfkxV2ScEL3gilKcF7761xkYsSD6BC9szIu8s= +k8s.io/client-go v0.26.3/go.mod h1:ZPNu9lm8/dbRIPAgteN30RSXea6vrCpFvq+MateTUuQ= k8s.io/code-generator v0.26.1 h1:dusFDsnNSKlMFYhzIM0jAO1OlnTN5WYwQQ+Ai12IIlo= k8s.io/code-generator v0.26.1/go.mod h1:OMoJ5Dqx1wgaQzKgc+ZWaZPfGjdRq/Y3WubFrZmeI3I= -k8s.io/component-base v0.26.2 h1:IfWgCGUDzrD6wLLgXEstJKYZKAFS2kO+rBRi0p3LqcI= -k8s.io/component-base v0.26.2/go.mod h1:DxbuIe9M3IZPRxPIzhch2m1eT7uFrSBJUBuVCQEBivs= +k8s.io/component-base v0.26.3 h1:oC0WMK/ggcbGDTkdcqefI4wIZRYdK3JySx9/HADpV0g= +k8s.io/component-base v0.26.3/go.mod h1:5kj1kZYwSC6ZstHJN7oHBqcJC6yyn41eR+Sqa/mQc8E= k8s.io/gengo v0.0.0-20220902162205-c0856e24416d h1:U9tB195lKdzwqicbJvyJeOXV7Klv+wNAWENRnXEGi08= k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= From 00bfb2e84a3cbbce501d5e23cf112772cae6eb0e Mon Sep 17 00:00:00 2001 From: Adam Jacques Date: Tue, 21 Mar 2023 06:37:08 -0700 Subject: [PATCH 231/405] Fix several Helm YAML issues with extraModules and extraInitContainers (#9709) * Fix indention issue for DaemonSets when using extraModules and extraInitContainers * Improve documentation * Unify and fix templating * Enable support for the opentelemetry from values.yaml --- .../templates/controller-daemonset.yaml | 19 ++++++++----------- .../templates/controller-deployment.yaml | 2 +- charts/ingress-nginx/values.yaml | 2 ++ 3 files changed, 11 insertions(+), 12 deletions(-) diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml index efa273dac..bce21a7d6 100644 --- a/charts/ingress-nginx/templates/controller-daemonset.yaml +++ b/charts/ingress-nginx/templates/controller-daemonset.yaml @@ -178,17 +178,14 @@ spec: {{- end }} {{- if .Values.controller.extraModules }} {{- range .Values.controller.extraModules }} - - name: {{ .Name }} - image: {{ .Image }} - command: ['sh', '-c', '/usr/local/bin/init_module.sh'] - {{- if (or $.Values.controller.containerSecurityContext .containerSecurityContext) }} - securityContext: {{ .containerSecurityContext | default $.Values.controller.containerSecurityContext | toYaml | nindent 14 }} - {{- end }} - volumeMounts: - - name: modules - mountPath: /modules_mount + {{ $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} +{{ include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | indent 8 }} {{- end }} {{- end }} + {{- if .Values.controller.opentelemetry.enabled}} + {{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }} + {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}} + {{- end}} {{- end }} {{- if .Values.controller.hostNetwork }} hostNetwork: {{ .Values.controller.hostNetwork }} @@ -207,9 +204,9 @@ spec: {{- end }} serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} volumes: - {{- if .Values.controller.extraModules }} + {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}} - name: modules emptyDir: {} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml index 36d7670e3..323d87623 100644 --- a/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/charts/ingress-nginx/templates/controller-deployment.yaml @@ -185,7 +185,7 @@ spec: {{- if .Values.controller.extraModules }} {{- range .Values.controller.extraModules }} {{ $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext | nindent 8) }} +{{ include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | indent 8 }} {{- end }} {{- end }} {{- if .Values.controller.opentelemetry.enabled}} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index f043c17cb..1a538f810 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -527,6 +527,8 @@ controller: # -- Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module extraModules: [] + # - name: mytestmodule + # image: registry.k8s.io/ingress-nginx/mytestmodule # containerSecurityContext: # allowPrivilegeEscalation: false # From 9e097fb79d1e8f0eb792107167f6a707ee9f0b3c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 21 Mar 2023 06:39:07 -0700 Subject: [PATCH 232/405] Bump aquasecurity/trivy-action from 0.8.0 to 0.9.2 (#9767) Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.8.0 to 0.9.2. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](https://github.com/aquasecurity/trivy-action/compare/9ab158e8597f3b310480b9a69402b419bc03dbd5...1f0aa582c8c8f5f7639610d6d38baddfea4fdcee) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/vulnerability-scans.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index b19031ff6..88ba16fa2 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -60,7 +60,7 @@ jobs: - name: Scan image with AquaSec/Trivy id: scan - uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # v0.8.0 + uses: aquasecurity/trivy-action@1f0aa582c8c8f5f7639610d6d38baddfea4fdcee # v0.9.2 with: image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }} format: 'sarif' From e3c9382fc927cfbdfaa7a006b5ef2b0c332242d1 Mon Sep 17 00:00:00 2001 From: Taehyun Kim Date: Tue, 21 Mar 2023 22:41:08 +0900 Subject: [PATCH 233/405] fix: controller psp's volume config (#9740) * fix: controller psp's volume config * revert chart version --- charts/ingress-nginx/templates/controller-psp.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/ingress-nginx/templates/controller-psp.yaml b/charts/ingress-nginx/templates/controller-psp.yaml index 2e0499ce9..3c499b9d4 100644 --- a/charts/ingress-nginx/templates/controller-psp.yaml +++ b/charts/ingress-nginx/templates/controller-psp.yaml @@ -28,9 +28,9 @@ spec: volumes: - 'configMap' - 'emptyDir' - #- 'projected' + - 'projected' - 'secret' - #- 'downwardAPI' + - 'downwardAPI' {{- if .Values.controller.hostNetwork }} hostNetwork: {{ .Values.controller.hostNetwork }} {{- end }} From 43168a7fe119b8e6a8b99944fa29e94b46a1e216 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 21 Mar 2023 13:42:46 +0000 Subject: [PATCH 234/405] Bump actions/checkout from 3.2.0 to 3.4.0 Bumps [actions/checkout](https://github.com/actions/checkout) from 3.2.0 to 3.4.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/755da8c3cf115ac066823e79a1e1788f8940201b...24cb9080177205b6e8c946b17badbe402adc938f) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/ci.yaml | 22 +++++++++++----------- .github/workflows/depreview.yaml | 2 +- .github/workflows/docs.yaml | 4 ++-- .github/workflows/helm.yaml | 4 ++-- .github/workflows/perftest.yaml | 2 +- .github/workflows/plugin.yaml | 2 +- .github/workflows/scorecards.yml | 2 +- .github/workflows/vulnerability-scans.yaml | 4 ++-- 8 files changed, 21 insertions(+), 21 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 3d7c21c3d..3ce77b419 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -39,7 +39,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter @@ -65,7 +65,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 - name: Run Gosec Security Scanner uses: securego/gosec@a459eb0ba387d9bd083d5c2e2354dbeef2465038 # v2.15.0 @@ -82,7 +82,7 @@ jobs: (needs.changes.outputs.go == 'true') steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 - name: Set up Go id: go @@ -101,7 +101,7 @@ jobs: (needs.changes.outputs.go == 'true') steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 - name: Set up Go id: go @@ -120,7 +120,7 @@ jobs: (needs.changes.outputs.go == 'true') steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 - name: Set up Go id: go @@ -141,7 +141,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 - name: Set up Go id: go @@ -208,7 +208,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 - name: Setup Go uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 @@ -288,7 +288,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 - name: cache uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 @@ -342,7 +342,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 - name: cache uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 @@ -391,7 +391,7 @@ jobs: PLATFORMS: linux/amd64,linux/arm64 steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter-images @@ -464,7 +464,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter-images diff --git a/.github/workflows/depreview.yaml b/.github/workflows/depreview.yaml index 571610dc6..46a587ded 100644 --- a/.github/workflows/depreview.yaml +++ b/.github/workflows/depreview.yaml @@ -9,6 +9,6 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 - name: 'Dependency Review' uses: actions/dependency-review-action@f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e # v3.0.4 diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 241921ecf..3ab49ef10 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -23,7 +23,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter @@ -47,7 +47,7 @@ jobs: steps: - name: Checkout master - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 - name: Deploy uses: ./.github/actions/mkdocs diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml index b1db0c1d8..4e7fde34f 100644 --- a/.github/workflows/helm.yaml +++ b/.github/workflows/helm.yaml @@ -23,7 +23,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 - name: Run Artifact Hub lint run: | @@ -61,7 +61,7 @@ jobs: steps: - name: Checkout master - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 with: # Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896 fetch-depth: 0 diff --git a/.github/workflows/perftest.yaml b/.github/workflows/perftest.yaml index 89dfdfad6..dd31420bf 100644 --- a/.github/workflows/perftest.yaml +++ b/.github/workflows/perftest.yaml @@ -19,7 +19,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 - name: Install K6 run: | diff --git a/.github/workflows/plugin.yaml b/.github/workflows/plugin.yaml index 760420765..87ba6aca9 100644 --- a/.github/workflows/plugin.yaml +++ b/.github/workflows/plugin.yaml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 with: fetch-depth: 0 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 8a3af47de..529cc7c28 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -27,7 +27,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 with: persist-credentials: false diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index 88ba16fa2..9649140ec 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -22,7 +22,7 @@ jobs: versions: ${{ steps.version.outputs.TAGS }} steps: - name: Checkout code - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 with: fetch-depth: 0 @@ -52,7 +52,7 @@ jobs: versions: ${{ fromJSON(needs.version.outputs.versions) }} steps: - name: Checkout code - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 - shell: bash id: test From e4a66fd2f625de3bcc7aaa793b31f529a0662009 Mon Sep 17 00:00:00 2001 From: Sergei Kaznakhovskii Date: Tue, 21 Mar 2023 07:47:09 -0600 Subject: [PATCH 235/405] Fix canary-weight-total annotation ignored in rule backends (#9729) * Missed canary weight total - added canary weight total for spec rules * - added e2e test --- internal/ingress/controller/controller.go | 30 +++++++++++------------ test/e2e/annotations/canary.go | 27 ++++++++++++++++++++ 2 files changed, 42 insertions(+), 15 deletions(-) diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index 1914765d8..20f8c8687 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -33,6 +33,7 @@ import ( "k8s.io/apimachinery/pkg/util/wait" clientset "k8s.io/client-go/kubernetes" "k8s.io/ingress-nginx/internal/ingress/annotations" + "k8s.io/ingress-nginx/internal/ingress/annotations/canary" "k8s.io/ingress-nginx/internal/ingress/annotations/log" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/internal/ingress/annotations/proxy" @@ -968,14 +969,7 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B // configure traffic shaping for canary if anns.Canary.Enabled { upstreams[defBackend].NoServer = true - upstreams[defBackend].TrafficShapingPolicy = ingress.TrafficShapingPolicy{ - Weight: anns.Canary.Weight, - WeightTotal: anns.Canary.WeightTotal, - Header: anns.Canary.Header, - HeaderValue: anns.Canary.HeaderValue, - HeaderPattern: anns.Canary.HeaderPattern, - Cookie: anns.Canary.Cookie, - } + upstreams[defBackend].TrafficShapingPolicy = newTrafficShapingPolicy(anns.Canary) } if len(upstreams[defBackend].Endpoints) == 0 { @@ -1040,13 +1034,7 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B // configure traffic shaping for canary if anns.Canary.Enabled { upstreams[name].NoServer = true - upstreams[name].TrafficShapingPolicy = ingress.TrafficShapingPolicy{ - Weight: anns.Canary.Weight, - Header: anns.Canary.Header, - HeaderValue: anns.Canary.HeaderValue, - HeaderPattern: anns.Canary.HeaderPattern, - Cookie: anns.Canary.Cookie, - } + upstreams[name].TrafficShapingPolicy = newTrafficShapingPolicy(anns.Canary) } if len(upstreams[name].Endpoints) == 0 { @@ -1819,3 +1807,15 @@ func (n *NGINXController) getStreamSnippets(ingresses []*ingress.Ingress) []stri } return snippets } + +// newTrafficShapingPolicy creates new ingress.TrafficShapingPolicy instance using canary configuration +func newTrafficShapingPolicy(cfg canary.Config) ingress.TrafficShapingPolicy { + return ingress.TrafficShapingPolicy{ + Weight: cfg.Weight, + WeightTotal: cfg.WeightTotal, + Header: cfg.Header, + HeaderValue: cfg.HeaderValue, + HeaderPattern: cfg.HeaderPattern, + Cookie: cfg.Cookie, + } +} diff --git a/test/e2e/annotations/canary.go b/test/e2e/annotations/canary.go index 893a4dc8b..6dd81fdd8 100644 --- a/test/e2e/annotations/canary.go +++ b/test/e2e/annotations/canary.go @@ -830,6 +830,33 @@ var _ = framework.DescribeAnnotation("canary-*", func() { TestMainlineCanaryDistribution(f, host) }) + + ginkgo.It("should route requests split between mainline and canary if canary weight is 100 and weight total is 200", func() { + host := "foo" + annotations := map[string]string{} + + ing := framework.NewSingleIngress(host, "/", host, + f.Namespace, framework.EchoService, 80, annotations) + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, "server_name foo") + }) + + canaryIngName := fmt.Sprintf("%v-canary", host) + canaryAnnotations := map[string]string{ + "nginx.ingress.kubernetes.io/canary": "true", + "nginx.ingress.kubernetes.io/canary-weight": "100", + "nginx.ingress.kubernetes.io/canary-weight-total": "200", + } + + canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, + f.Namespace, canaryService, 80, canaryAnnotations) + f.EnsureIngress(canaryIng) + + TestMainlineCanaryDistribution(f, host) + }) }) ginkgo.Context("Single canary Ingress", func() { From c075793ae5ee52e28cf8420c33cf3b73022161e1 Mon Sep 17 00:00:00 2001 From: James Strong Date: Tue, 21 Mar 2023 16:34:12 -0400 Subject: [PATCH 236/405] drop k8s 1.23 support (#9772) Signed-off-by: James Strong --- .github/workflows/ci.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 3ce77b419..c2c108638 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -204,7 +204,7 @@ jobs: strategy: matrix: - k8s: [v1.23.13, v1.24.7, v1.25.3, v1.26.0] + k8s: [v1.24.7, v1.25.3, v1.26.0] steps: - name: Checkout @@ -284,7 +284,7 @@ jobs: strategy: matrix: - k8s: [v1.23.13, v1.24.7, v1.25.3, v1.26.0] + k8s: [v1.24.7, v1.25.3, v1.26.0] steps: - name: Checkout @@ -337,7 +337,7 @@ jobs: strategy: matrix: - k8s: [v1.23.13, v1.24.7, v1.25.3, v1.26.0] + k8s: [v1.24.7, v1.25.3, v1.26.0] steps: @@ -460,7 +460,7 @@ jobs: strategy: matrix: - k8s: [v1.23.13, v1.24.7, v1.25.3, v1.26.0] + k8s: [v1.24.7, v1.25.3, v1.26.0] steps: - name: Checkout From c8cb9167d3bfe6a2ed50796e179b3aec648a7e16 Mon Sep 17 00:00:00 2001 From: Ehsan Saei <71217171+esigo@users.noreply.github.com> Date: Wed, 22 Mar 2023 19:58:22 +0100 Subject: [PATCH 237/405] feat: OpenTelemetry module integration (#9062) * OpenTelemetry module integration * e2e test * e2e test fix * default OpentelemetryConfig * e2e values * mount otel module for otel test only * propagate IS_CHROOT * propagate IS_CHROOT e2e test * code doc * comments * golint * opentelemetry doc * zipkin * zipkin * typo * update e2e test OpenTelemetry value * use opentelemetry value * revert merge conflict * fix * format * review comments * clean --- docs/images/otel-grafana-demo.png | Bin 0 -> 123976 bytes docs/images/otel-jaeger-demo.png | Bin 0 -> 120283 bytes docs/images/otel-zipkin-demo.png | Bin 0 -> 133964 bytes docs/kubectl-plugin.md | 1 + .../nginx-configuration/annotations.md | 20 ++ .../nginx-configuration/configmap.md | 53 ++++ .../third-party-addons/opentelemetry.md | 260 ++++++++++++++++++ internal/ingress/annotations/annotations.go | 3 + .../ingress/annotations/opentelemetry/main.go | 101 +++++++ .../annotations/opentelemetry/main_test.go | 170 ++++++++++++ internal/ingress/controller/config/config.go | 55 ++++ internal/ingress/controller/controller.go | 1 + internal/ingress/controller/nginx.go | 43 +++ .../ingress/controller/template/template.go | 96 +++++++ .../controller/template/template_test.go | 153 +++++++++++ mkdocs.yml | 1 + pkg/apis/ingress/types.go | 4 + pkg/apis/ingress/types_equals.go | 4 + rootfs/etc/nginx/template/nginx.tmpl | 26 ++ test/e2e/framework/exec.go | 7 +- test/e2e/run-e2e-suite.sh | 1 + test/e2e/settings/opentelemetry.go | 119 ++++++++ test/e2e/wait-for-nginx.sh | 15 +- 23 files changed, 1131 insertions(+), 2 deletions(-) create mode 100644 docs/images/otel-grafana-demo.png create mode 100644 docs/images/otel-jaeger-demo.png create mode 100644 docs/images/otel-zipkin-demo.png mode change 100755 => 100644 docs/user-guide/nginx-configuration/configmap.md create mode 100644 docs/user-guide/third-party-addons/opentelemetry.md create mode 100644 internal/ingress/annotations/opentelemetry/main.go create mode 100644 internal/ingress/annotations/opentelemetry/main_test.go mode change 100755 => 100644 rootfs/etc/nginx/template/nginx.tmpl create mode 100644 test/e2e/settings/opentelemetry.go diff --git a/docs/images/otel-grafana-demo.png b/docs/images/otel-grafana-demo.png new file mode 100644 index 0000000000000000000000000000000000000000..61b50c8612dc1aaa80de0bc416dc683f39bd201a GIT binary patch literal 123976 zcmd43cQo7o`#-FUQlqWX(xQ{1cI??IYLD1z)r?pzp>~JSR?*sf6GX&{5qqmWB4*5@ zgxE8}Fa3PJpYNxApL3u4KKCE@xvz5^uROh8*Xud1`M9q5tfiquL&Z!*Mn*=X{NlL| z85vbN8QJ;F%jBeyGSP@o(yw!FI!e#Tiu&%XkUm_rd#e7FjI1Q$%8BJA(q~H77e;Pm zWGo@Sf6hfLZrPBLo#iM$f2#Y|Yz=$GLU-i-*%n)*+``4c^ov(6wvnCBxuvjK@>n?f zOXerxfe-1=3>LW16l3S%ij@`&H$sm^QCIY}xLUs$IzIWJV5Ix)x*^pk#cyP)AFf}$ z4vf5eMi3KnvlH}EyM8rt16tQp?TPQ1I*@+t@1_xjq5Rx&ku;}22|WN>y7uP)={oP) z`MiG&eWE(2`;VdLL1bM27|MJ`#_*3J?R)QjZ{8pDF7K+`@16OBGCeu zMXhsx4_#&We>ANeWn5sZRW9`(55IF&PpqQ5|BA#=!@r}@IMhU}9&+<_+y!Q&m&o_9QmR=Iid2NN>&M6nDS$+xR?X%k0ZUtAy~Yy9z8r>>3F@l+z5UI)&V z&wR=Fua$*Gu}BD80%ZeUWO=M|^pM`Jg`6-jY%YUpbmt)p$*%oY%>sep(l^Nvp6V7@$l=SVswJ* z?&O=8xEP~|8ROx4IOvpguCv)cb>Al@=jK9Fa^uGgaRTiL&IYf;W8+|jyXIU+xvdGd zI|d03Iur$h?w`D#h)UP%YP)hIIT0>)JRPn3vKYhx#rm zF~x5)M29GTS@Q)+cGKUNfn}h=P6f6eusnehE^hA8jE@vk96Z958L76c+{HCm&lac+ z7w1tsWyW=xKjj!&QM|b#P@{HugNzKo>k;P1nB7ab$))H#N~ZeUge`B z{upwtBysgZm7E-#z6XEIrZJ!AiLXQ4kJR&I@7lZaDTH6Y$@G{lA3vCy%1e`me>Sx% zco=95B13|PZ!HhvJ=p$ub{5Te&v#X7g0wAiRzER8_0s$BowpMp0f+1N99ILi9^?Vu zF|ReGePR6LA+eb8@sJmDK$Es_q@~C$%wj%>k8UF0W^KdXP4A&|i8z zi}viH)IIE$V5HUryv`*6e=B`h7`-G!#e*B#vF05K6fQlbypo}~`X%izBVj*qUYk-< zckb)h4=N7ZIVsW!12meBzhO=4vF8iULL@b20cwYUzce%bJr$UUrk8=Rkre1^9$Sz> z)O|?X#?!y11Tb`VoR8lNh|0a}MKW>k8vL#8)UYDjSZ|$deXY6--M?9$+ph3;5K!O{ znsaY+3DLrWelH+4N&osyp>B!8K|A+K7 zg+Dt4=Hj!4!{dZjgMlfXR-ID0XR@@h8B`cyJdc5wvRu#UfKHuVw6ZXWw7QEwXN?)D!IY zk?ktNk1dq{x-WMtqRvW zI#Wn0qsyh^1C23A{mbva3&t4+-VI90+N2}#2s298uqFaCoNsV`WBvyh+V|87BbFpT z^sc=F9l>?9uJQ06)47)4HvH*w2I*B*&u|Jcqmj?j?!EhxxU)C9Nw9NhM^iEn^{SC< z<$q{4TH!M3oB$q31f4J_<=d?i2wKDr31JQWLMt9IlkmD9yt4Ph_M!LWjM_+`xNUX` zlN9jEFz}~PR@-e`aI3s(kD*N@;NFe`jl|?vF7xj8h@rLGw=@A#s#YjrH;xVSoUbKJ z#>?R(BlaJ1eNzm)suA9NBbh=Ia9`@tV7Bu;v=IH2Z(FLg7fChKx9n$Ret4Y}xTftG znh2;TCF(5b`tRm(j?hjboF_FqrnnKBpDs;{#kl(m(B6;9@|1~th#;nT*| z3T+yODBVjN4H*V0za!#5D7{4dsAd+?^KQlXt&8k%o$q%{FLS}yn7+%k$F}yT=u-zL z#n4fW(N7@m9>c1KIkJSzV0Zp38yxi@G;OEZ8|!RNzHzLN`uy^(HPCY%uR_hG_EGOuFsbku>Emx~uj8bWT{0 zX$P98sp?s1G47OD?ODi9y^aWn7g8#@A%C??0{ZiRXb919Z+^|L>u zh#ya~**OfdYmV;EO=LT~Ja#qp@Q=K1BH{*R;nCYNs5Y*%E?TOM$?9@Tp=5ULejZlE z)n+WR0p2NpZIpYuX{?6`D?A_~>?au3dkiyV;$w4Hz`c1PE>k^} zn2^-*sOR*A_L>KhrGTHQYL$1|N5OgRVRwqUYs#bg8`f2*kl;x!o@8kgZt3@ikJQo0 zPzvrrrjpq8*Wht|$p?zH?b68SEq%!DBjcli$GuatQkD-v&z3@&-76&ZAy*Lp-II6Z z{WFGf4YN{jGq25YQvMEW(bsv>F?7aq@Y}|6(oOUIX$72>@tgU*5~nBP%K0I|(#bhT z2he=YNDg0z&@h8nZvw)OOk-^$aF*=B+ce3U;{BR~#q~d$HuK>ip`+_Q_5kaJ z4xHnKbW(G}iJuKNCeuc{8 z(~jy$GzUkX=4~Md%G!z^wc=KGD5wkFl)E^}++~s-;h9vL19?;6o%BZT#Q>0Nxs!q9=;Fp>RN=`IJLD2Zv5%4v$pS0)1(02B<~)l~wP zKiaRlXZ`Ym57&>g_cqlNhq;`87&g*^-Yw*6lWVbryg|NcQd9S{&&-vPF<=v;S6Z0} z{V+E?ub#l{*X@+(dd7lrO;S`d%QSt@Z!c+jV&(D)VAj$>qqi(~OHi{r^~G@UV3zyx zp*FLCcP69L6_3f8oZfAz3OD^B_f{f!K45I^HX%Y|514Vr0>z?-CU-U0;jRtp$s?Zl*3D)fPcru6{{3v`}BLAa*#4)M(0!iiXjmiA?f^{&tf0XyQkG9h?4s}Xd*H_4K>n{aK4sH_3V)oU z>;1g}no8MpAAb4`{|%23;=LX6x<(Gj>D8=X?L1_Y{&Ga}N= zW+}Z{Ckj1F)vJRg!ddh1sj)BOWW*=SYCYmTD{P<81zY%GkHPVr;1%0-K?USmHXFG< zkGfyv$4PWd_RfV#b!N196_!ed0Fz>){O_V0IiY7S=;sSpW+{C{HU!ivu}`fK9~wqPN|T>pXtl ztfhNRcDBchoGMg+1taS^k04GTp22;;Tzh4)nl#Q4t*vh3N}jP1zgKbS+3n+Cn8C8e zz)oZCBV$mPuy9@|$JH81C4@Kg%e~3HAJZ0c0K6k)w;}rw(S-$fIY581CCtCO@u;J^ z?E@05I~$$Id6cQGq0C$u?xa3A;anr4bg1>;rI9gzcI#6eVp4}c+o_O%5}5GMe~WeY zmPeC0gLx!5R?xJ}+%U5Z0UsE8)MPnUZJX-4)hlJ%c5|hX97z2gYO`arRauy$Ha zL&gNIKIj})-d~rI#fBSS;=@n+Bj>P;BusBXZc zRM3|Sx8ZXB=54;ZO7r3xU$8X2L{cWwbeiyFCORkFbSSw)#;+#+=*r%aq|wAGyB0%| zHBXIc)m;S^6N#wo$o_JH3G|ac7Q_K3PShUi5vx&_Z5_7$E1_7QU4#q#*|`7u={(qz zlqAI1Gt+08)$zKL*L?lenu5RLC|fgi>zW+R0#5j8*>Y_jrRY9zx%F)uIWVWApHjjz z^rmn2l-zk_3d($eT`R===Zb&BT_qQV;cZw}LgL8Qi;2UCl=m2It4R-SmmGV!HyE(_bp z5UWy;1Kf5G)@^^!R*d)?A{akNZsN^aT5AMV7GW<;_VbFiU*$T7zM7x7+o%N*!Pdhb zn%_20%g?6^8%=ot6t=c6VBFyEXAupW_~kxm-n;1>o*>JN`1Miq19sDM4f0XKA)0sJ zy}`VA%f<VcgN;dwS*Gh?_s~gm&R=yN%4wS%?R1`U$4>OCy%09T z@@bCnYgV4sRPYEq`eP-e%W%4Y!*bBDMR$}(wLq{IWx97*)zdnnDT>>?o0T~ypU(!o z5X>{daMGk@t&r1%UuSSRm^XKmJfJW>D>sLoScnp1Xk8R1)$74qtG!MAs{_D~ie~dG z{<4~EXOH@$vq}_?DAWh9-!{pvywBs-$#2m8Ovd4}%(&ARm7$}`eE>Wumg|6x{Uz#6 zPzCFo(0YxJBT%@kSQ28&^NSkOe<%Bnlt7z6`uW(3gUwficX|O?XD@tE!e7g4?(F4H z>Sei4t{)^F!RPSis}<#J+||{R0oF^9l_lZ*O*T)^u5es|RSe<+S-Rz?8!~&~ulGn< zFl)Wg{72KlxV4cYr`(tHs-oaH&I#<~L48pOr%w)O0>)kL{#ml8zD>;x4ijqg#%S!Hti$ zY+GS3x@C46l!PD~me*_l<(EvN_3g19^Z<1=ZI^&E!lk4=GkEOnKi9id{+9U5ZiRUY zR@e6l?7(iEC^E`4qdE9ZKs4Vjn;*2pwz^uf1esp8@^cu@Y4DfGMHt5`lj8R0b92Ly zkrri9r*EvTkPxrE$1==osb;TD-N#>$+}P6#?G1VNmJK~QZe&Kh+oxqW#xy+C+c_NZ#eRxJ-k17 zCuL$kEN6`&l*AH4l6NO|=t^|nc`&~~mn#@fh|C*fF-BWn(HpV_~<<*SKsK_v} zekMu0i$*y;mTM!*5%?Q`{|}8E*%Btbw?-V{XHPV1whQOdxRIM-$m8uif^SlGJr(<% zCn<=*OY3Ujd~=tf$T;&sN%1rkg6IgJ_S&N}jxW<(#NQ!%7o}FV)C*CBedG2C8$*2rTLdExIx!!G{KI))yHh^o{Fktx5w((y{9D_+vU0x`##SSdFavOH&`YGg~i>1 zsH9x3PI4)yL{0oyRxV;4`s)a|sqL&MD6pzm?7~ zQ8heF1%HDqdG>gp!LJr8shKKchyr5rZXY+9hPdP5K|E;G@GIyZBXj=)El|KOpW+n7&dZBjbp1HuZUYR9m#_ z-sfejvezemAhj&)@u{?=tWq8_2W;59>agu)n*2syflRmuBkpOxMsH*sXOJhj)6Ggs ze_l5+^7y@qRy^yaFaAo(7(c3yKQ@ywUBJg@dcoZETs!Hb%cmC_@po|2LxAIqCr-jq z@{Zj@=n_!k(J`|V-(xEO`kcaSts0RhgKIU4prMmHBRt$FMHi=iazoV^LPRyhSJULX z%-ekt>`BtNam77NidqI$yW2~vA1?s``}@>9G*=prd8U6-l5G&xy6-qkqGS^&A;T+2+-Pn{&YDp?|^HWL!wxu=JY;dA%|2 za~6=V19WHO7kKqU#Dvb1iRCL$ktzcUPJd&%a*GuWSxECcue_Di&Bud66=pbP!$wgO3XN{T^+T8yO_j|{6XK<;q40+V3 zZTEz|zRuh1^+$h+HM`>#;R|S?lIq=FnRUL`sYSENJCW|F6fJRhb>9kRH09QSg7Rne z6dkpsqT{EAoq%e26VWl|Nk!8>j`vh#dp~HCohPCfr~@^#Jj-ienp8NxA^%sLdg+gY zmm3N9E%02j;qn<~^>bpDheR`g&+K5k%U%IPcopUV!u*bu-ws^waR1Y`hvRDwa^KwA z^P*$Mr+XTH6(=z^Ho^fawQ+xG1hdsuf^L-RkG6WDpUiWuyH}o>Tl3DJyxZ=E4hP_$C#5n_$n6}fZXE{U5}qU zIe3q<@41Hg4VTY&LVs6(KXnf*6;||FX%F68{u9=m&9;NyO?*q$_mPA7T56>Ie9ud; zfIx{vmI61>V%yd%Q9lLRU~*>wHg_z&f;B-aa1tbI_#$?#5l}*no19#nB{( zR85OiXCoCkg>kwT%SBjO%CES2N`C~9b_di?67Wnm_Fu72#LEv$l*+J_E*o;em7TE_}$2c$7yypF1jI;bD3GrqYqJNe1*L}am z?~do+rjIoAe_t*ic)=nRLAo@anj8FW;+V_XV=g^T z)*|^Fxd%%KIwQJiiKvDf`Rcl|f7ec)Ub)DTY!Nhkxia+S)Z;FQ-@v;B?o*NuW*B&26LH#jR^cAkB z-?0;MLShAU=A?&{C)E5nv?xl+Ys{=ik`fKiV1~E1`!{6X{@q1Dqk8wfL%duNeW`0# zaDa%9|FSS<*5%q0{@*ORr1lc!x}mnk2^7$xpFInlNs-+>zwGJ^ez%5L0!{xfj46$? z#r^H9IW@sy=_q-{^L)tD*T$F2SW_qnY)Q9mA!c(ub~jI+k-|l?)z19aRcdt)wCJ`* zC6gsWf&7c#5~zg`y_~3>wjDQg9mqVW#@2odZpPDmAEmN`Gb zT4@SwQ=?LzS>x_Vi>&!wSBI@Y&5wMQRHwYe3%{$}e%ojvwYrx45U~+jUEQSjXvHp55$Bo{#}&2TTR*`HOuQaFj-hC zhag^1N-3eXr3W7jSW`M^N?3B8Zj0`b?X$?8*zqBSy6+}F=|YQfw{!894y;RqUynGB zml0YUB~+&%5g(M-bjppl8AqeCS$n>-!g#meg_Qpi^JB^Dme(0h-+>OZdWB3{z1EZn z%F9i%S(XvrUcYPKd7gS0=|YYaRA}X$l|k=`)DHi0qhXDMqrzwOEKg3lR^BvxmPQbx z3A39X4I5wSNtJ~E63wsx$HO^W?i0={8&((RG<`1I7O7ba7~(xXTK0UKM!GSNFO^EE z)%%5EN}G8^$vE9UaC+1$+28xha(;6&5z}4B1i$7ohF-d;^)c%oGv|`@UDZ?;u1kUm9*;WqgkYyt9ZyT+`?*(6f$Br1$S28Q|&> z*~}Kd8Mm%fW8HO%(Z>FGUm5_=qSClrx*T>$YLaN&vKWy}K30mCgS7I9olTq_F7L&q zu>HK)0`(XtHib)n)cbjs>g#tGb`zvw_Gw04;lM*g3SF^q`+>t=lim!qk;eO5$_avP0Ql4^UHv|LntHpn35r; zqwpLqtJ52Mpp|e2L`u=MVg0HH?eFqc0VOWAl5gz8Y{OGCqh1aEPh2^hy-d#Y@^tL^ zSQTaN1n?tv*f=>eK~#sIRFj;2UWVgwzGs+Iawv)MJl!JKWXV{NF~71r$Rr5^-3uK*Hy_o_A3_zdJG=Us@-YHTiNc?z?aeV6iG`%O2`(K>>EsBg>&gbpf<>m6kr%(4OPG>4qejTj^&dtuJ z{?Bm%bUF&pL@90gPwsu~${m-YyO%){}n(7fm$xGs@b` zUkB`bTF5(CUtxapG}5@z5!!cQSlFi6>wM#n9FS1k#4>0mL*)#6oyYgp2i~#^fW5|1 zaG`B&`SboTO<)=;X0P$K401dT%cWcg2S0D0a_mh=%*8Kp-eGHTVS#l=PX4fSI*@t5 z&MEyv>Kx#F7}8mAZ9A1z^P^30KB|%R{o)Pr3)tg7=$r5D)(qRs5Aq?Iu-`ObC@gS} zIv^UYVSEu27oC9F3|Jq(ABUkj7GwaGj6~J_hDqs%EA# ziesi$I1@}WVLm#Vo$X_sHNwA;pY_vx!;=_fmP9X+c%O8RU8v74g}jn8g$EhE-W-!W znKEtQo`yZ$LXzNP8u(tTK+ogdwHsd@34EVN-gy1@}OpAuc30l`|_aGwWzNBq5-!9%~8R` zspi-2C!{+3w3v(M@gADN)!tyoxsvGCV+hHdWOTlHw9*n%;Q5OGlTK_>4&{NJLmX2? z*E{OohRO!xByGu7lVZ!yjHjdB#uby3Z2=!7=uk!nUs((Ka$zD*!!VOiohi;{U3whm^H_+~>&K1Ww<#08=a(7lEi>t9iDIYW ze~@R;)-41$Ry>%H`jCE&IZ4q#RC(yv6{2im=kTgQ-5d}d7oJ5(xQZwTuTKHleI5Ro zG_BPk$$DRWAa=OG{NC%<|Byyk6TB{P)Mg6$VJFbd3^<&tNka;VwVD`vz21DTpg?U$ z7({drt5q-gK5)S-eztAZDPFs0V|_ERMCHcvW1+P&A9Ep*f#b(y>5RwWBa19*UY_C8 zT|zeKEE41|`XhR$d<)@d{clwwqj@izK1b`U+d@D83Gh6=wejDiwISd7xv2?W8Hlkd zfb@8q(%A0&HqGCE))j`;sE=QtEP?V0EhduI+U@fg^L4ywsIA{w;K4{|H@dX9iBZQ& z68g)Sg!?{6^uJ5Z6<*bGGLJo8YV~oW!wwft}yePUfEb*u5f+(Z&wq8S>9(7cxt5s@0S)bD^X7o z*VEU@J5lE@=NAHUAJhz=_XQ>Ho3E^{yKrsIa`o0eYVk&NqGtBK*it*#wW}a;Z~|oc ziZFF26GNp>t+#nn(cI`RFrtk9d^f!GK7%i*z2K&`!%FUEQ3r8I*he{W1vTQ>p`Ndj zCZ;dDI;0`vLty1WcX12>+>k<1ABEt$Jo zn+ERk2`fEBl6oUTs)NInq3y_6~TEYs&pF6uduhIbz80Ib&@n@&RQ zehE+1>pPp|1eMtt)ao-2k}~~7U!oxmK{*@z6{2Z$T)Naytw_=HQwvgE;Z>pJ12*fg zD_nD}uP7wIAf~-TC>2b}c^{uJjbUV5Zk}nVZ7R4N$r>~Q4|z01EKo0K&!HQ&S?1s@ z$+2U*(=*)eX^vqtGuB=qcpW_5npj~La8g(#1Zalq+xDXGY@8xsDzT=IFw)?DTfc89 z`37;zBk4sJpLfmP6L*6d#rH0GzNz|V^;#)5cxtEAdj_DrGP-w#b#&5f@Kc2MFB=?c z);ZRf=eDd$8I1bq5hro{rf_TdiIHtxM=xCuWE6@*Dc`Em*ef$}&Z|mOue07#vid72u@acR0$_b(7F-bwDShmPw_$-o~IN7+*#&{PTSO&B2P?-k+*#8BZ(wb(elNz2^&fKni+5 zzdMW+HOX2(IgM*zDKrMk#S!-NjUo&k9D~i*HALTMQX>+N2=7xC zLM~{&tRMVRRA>+(raBzwsGYuy*C&$NR9I~vs#Q`ZZaxUG7&?`aG%3rXPSYPKZ(x^7 z$pKZ;>2J`cUVYCaV)j{@oSW!rSyBYYcka&}=0`6C*XhZ-h zZ@Sg>OA;iF{G5~XmJ9uaZCpQi-OoGhr6zirV9(JUgrqM$O15%Wj8|tqtHy znKUk2;39=nG3e`PKRH=oc;SLD=ljikmixztdI9_bW?3PqIbaf>SDthIG|$3~sKmAL z4uxZ1zZ;}hsr?&ar{fkhZoyyXhJ!mt9g5qfP|tTZNO6{Rzn4o{-y()Z2k`UM0I=+T zFtJ|KDub}&^0W9wchRvAx&0v{@zC5TQE=em7l$9eW3--ro%X7(A_0uF&6Im@nk2A= ztJ)(lZw}c@tE>K2Lb6J_8E;bpk3{=epaf6BpKZU=1}AV06Wdo3ty~aIcxj$pX4BBU z;_~{}xl3oGH)wE4cbI3($GS(C+c~vs%|DPD%=C^vjH|uSZdx1eQ zPip21ee_HBycW#S-I|(c8$IW#x27JWp~h08%|4g*qZ;b9qO3|1$kqL{hZPU#q>GY- zfm=9O`J=0^oS@UAM>Ud&=R-6Y0dN;d+q%!2?d4*Awj}f2%(4NaR9ANIi)y{`N`wD%&A!Bp@qKxyygy7q8TzFT!KH2Nt z3&06aA0;y)w)M0a5#iIZR4fV;DA!VUp34Nsna90vf6RP=Bb7a@LCw+$8K%3z{ZWBcyV1I$zjnbOfnl^Du3rd zIeGIEH(+mnWx`$&wopS<;Hky1(U$djIx3K}rTLw`(!M?P zc?XhKG#@F-z~hvv;Gv4fiUvd%tC_}?t~)cD@ZPGH9kXeiQi8AmMxyf0wF)3)QegM! z8H;_w)src%qJV2AVsN**or@(cZ)91Do^q~_D(zT$4oqxM_nWegiM%&&V)Q&Yc6JV|40OOYttc zjbSJoFGh8|x^(GOqwUeIP8v+d9n_C^NRU)&@Om^V1q_O3Tz%aJK^3@^N>qX}Zh?^= zwZh6}u}RBy^O3^VyZoj@)o^2xN{(n)t!spgzuosznF+hFk&oRQ15u)ny4OlR(ZYSE zjVhlW^bCB{uziK}a9FA9w@+Y-;vL2c1?PkH*xbdG`lYHGu?HLvB;R?%k>@ha`WR6T zCpWMI;&08O4R3~~U?y;;%?0yjB{cUh+Xq{s`nh zZ7J^(vo7gAzyxa2ImW}jmgMJNdJ3+3otN9!zvUh@u9m{rU{u#@s8t&*3%K`F^>}{j zQKH}Iz^o58x?oV#8U({CfU?tHz!Nq>%Biu^eo2Z`_A>pWu#IXJz@>Xl^6*MFs= z$HC?Am+-SlbkS-^mY4T)S2|lS}ED zLvpowcwY&Vn)5TxZ7{;8{KT=*ug44xnO_Sna3v+nv?GDn*sW(jjTZlCxp0q6vYb$9 zS9|Z>{W=t8_}DQimHEaglfMiue&-_I!^yjaUaWX}dF0WAe=#Y^-$ykR#*w0c%+!Zr zdTjmvT$2YzVJ*;#(Eja<6s0+0e-NPbSR#OSzi((#d zI83u^dSWmT*T((==NPg3IA)<04b4MzgQIAWnbk8qH^z>p#`6^e4-;l~BA1m}wAY7@ zORs5l9OYJy^sh8blk|^PJn2DENJ|;qzJRqB1tjC{V2w_Rd`jF5s8vGeACd=$r`@T>6 zcqR%m8cvSU<}t%bh(y=kH4Kv7*GkyKb!^{tl?sH~Ih_RbP4w*(JwVRIlN)1h!+?8r z^ZUPK@RZmU$}~oo?l(A=Y2t1mgl?OyR-N8`ypwa)O7Vdp%!1XmuT(QQ>CB$X&`%q-x`T$FJ8>sLc){#(E5Cp>Lm z-}=VkUOpw6A+8sslv90lp9|gY$%WIH?siUdgbZeljCLSWga*m>S>F*czWMnAN_1kx4UQiL*hxKhDPTPT8)@!k^%6# z^2nn>XMx?ge~()88oT|#;SZG0z>%{Y?vt0g+Sdv9RalymZy5Sa=_cwN{G)iHkWC~$ zX*(T%B~Y_}G(JCdv3O?ZlW?_y$=)sZ5W#k6L74OmrEQ1?f*BH$dy3bV-k%gusi}>V zC@-jT{@&`&oJqmzrL{7elLyYcEd!}QAk9eMcPj8bJLVwLNqn%6Y&J zTJ7&c2m*|)UY7{_r$xG~5siCi&EuNS2c53*X_V}hHbT?)FO1Akrp1Dl_NlR=pi+Nf zo6^)DpNolH)EKXywaV4oJN2$A74fN{LzemK?0^s*S5DFVl(GL~QaQYiQ_#pRUR2 z85f(3c&~WN-X-;c*2|Of+PBZ@V_%8h6gdl8*8J4#4N8}oV{oY3(&wZD#X;Xa@ef#k1#l6$l1)L$bmA1<~d$O)TAh4Gm7lHBeOZC`S1B zD$jZ~T)>$RqQCik^T9H|YCj2nIjQ+M*U=@(>%i6?G)8c>elw*JN(|5g)W7@(r zc!^a9c&XWuWL@NoD1X9xJpxYV^D=Lreq)nF18)2h))j>Y!_$xm1CmWC+d$2f!MX5B zR0m+(%fwUtpF18~wEcdE9P}_+97e7KtaHA*lmxq}7_&z-%4j~ofYuh1^Xa4}?`;Dm$ZzZy?FwIj2PC*SAB=BJMjc)Hq)z2c+yJ-q|`X z+0NOr9E~`hONL_h3l0z7L;CnSDKTDFQRoNHZgxZ9o~-6PfS(x4RR_NQCiUZCtEiOO zXqMO-m#!UePt9ujyoTLi+|QZ4iumqfcZgjLC$?px$~72Ifb1c@M?&xi*hVy-?xxpi zUrAfu8K3j({+tJrNVFL(K{`NMnXUn)>>jS^2x!zM)o01r1!|j*wrzGo(E#@ zTSbV9tFc#btYWytU(PL&>Q?|w#;GqpHjMP@@r@CX1(w13ev3T?SlkT8x$@U)?5|*2 zRS~1T@11EvbJotpa$Z!W=O}TLo#>PRU7VO|OJsa4=^dBEf|18jU~YBCTL zfS9g>TBu#JTW{jQXq2#1#@WfOyfkyXxQqntFm}|VwC~Bvz_Hiy$aB$)J~P>NAC`ah zD-}c>d@E=Jzv3+q?>==(nO(sjq>3U0x?}5xjSk{948T)Jo~fJ3cahQ_CT2;wPuJHO zqzWN!Z0NvEa1x|<&C2QH0Go&b#0eHQVH)?Jo+Ghq%+_Qhw0bfJ&)&XxY>zAG<>I%I zd_0DK1q65>Y|MkyIW+@(1a&HFe)oYcA@X<2G7YjJJ5U4amO}(O65*WrJwEV$Zn0KW2S$9j9B{R?IJQppj7y%TCRP(@ zo3kOR+rsN$*M+fjG0tY{=00PCNc)Fi8r4+tw7cm^`WmDJzBiZ#)a!vB;OX;Y02 z(`(}8CQ=4$zVk*6JHQktRxUHyx<>k6;}wbs%uExh^FC$Dyk*GFp)WZhwKzQG`wx9~ zoqz#T6RWy)L@fI>$5HlB8rs>_>RJvMI_Bb{S4%FY;jama4_|PF^(DQ`G&cra1Cm?J9P)dRAtu;km!> zYO%w`Q?#2%zb?`}Jj2#oAcbbAcf_Ff>T|zbbeN`655NwuTE@>W0s$SjpW(k{f??F< z`uC@Y9lU;+t$#s7P*$N!g$GjOf=%u$_*F6QbSR|xB@aBaNUPQtHNADQH%aw5nizbZW~TG~>b0sZqrITzg1jq6lMegW zHS1vVnlyrKR0lX@LRa4I%hHOY^O{=4>Njbs8l%B&KCH{21#@ofxTOkGx~5>qJxt$! zNn9W9_Nbie$h63<>bM~{5Vuoi(I{K4cTg~v(Iu-}5?1-EuKyWADPvMh;XE&K|7wvET6#!_LP(Cl|!6_eTj zg*`JX(3I{_YErtg8|>!WnulvMkXX)v;~46ut~%C3PI_loXDgM;cyg zsXJGXY5$9HwO#f7uHj@l>3do;;}Q)+-xR)6$>hIkF`t>C|H?UpSu{%ZV;(OO??yh_ z^wa*(hhxi-94*FJnV1Xe16kwK&%Ix|u!D5O^r%E2+F+s-aalH+G~?bIbHZ(40}-}6^)W%18jV&&*(w>v4p@E` zJwx}NymIcW=-fD}o^!?JQl%;*g2k?lJdB0VHFbbw#m<3c`m1iaKF{@S;I z&CY!>uTqx}&PBEKvpbX|I8$`hVkhIA%(Dz&h1@q*`m3AxP1nXT#HMKOu{aYagQMGJ zZ$3=kdnJ0Zb!>#NP{mwIibK~fYFcSU%tkya7gY*{!T79Qw9RIj=@FQ?q?HTDoZ`jr z!2{QE6T-(*-&7o+*`aDBBFD7)o^GshP9}POe!S_rL1_lkI~0V1Dl@-0+#S5wOW?D; zvc5}hIgckZ>AyM)4)WY=^5mX%zAja zr6)t;rbV(bc`Oovl9{t6)&tB_!vCkL0aju*>m*Y5o)A#c| z!4@PrdAumR;2=(Ln0U^vA%J6mYgy8icfuD9UyB|an#96wEz==c9QHvqIs=KrISp*S z@*DL8}k0ZXqpbHwRA9jcbiGd9Z2kp&x=bJ{4A4{Q)l6bAQ z+GSy0rr;itIY>8EtK?}gf6LIC19soRUn z4@~HyTF=`#8TOvQZLN#7!I7^+mxf(=BzW|LpJ?WdW6k6atNV(nlut|O#u(;venj_J|3|<`XIwytS zI-*;Bzq3=lKG_-VtIV`q6y3 z!NJy%vabVkzX)B@IlFTzI9tyC1b+jWo##YNUZM5jdp)G#>mc|UznRe=z#hVn;epd{ zeqOj#_0IlQ*+_HGc(%xj-bhDsk#pf?U*@%<wsUu1RY4Yq1yTP?{C|( z!&(;7Qu9uwhHSi0-mK-A+mwGhX!+)d-&|Kv-{__2a6e4obZM8`-7X>CyHdW(P(1I{Tg)7 z`zOXe4s5N?w_qDH&nnwS-bdKCxzqM&Zx4uL6l z6W$Xgj8@IFg6&9G@apym9Wt|ud5bMQb&q9Memo9FYc<)$^kw-Q86v%M zo||Zl{{b5=?zRb=Q_VPc8=|pj>=ibNirLhu9R+Vv=OQ2$c@A*!h74qONQ`> zmAV^%jRC>ai}2~;iey;$hj6bf0}DB`n|YWjsX0J8#Ume(o-v{!^H6a_EC)~-kco2v zX5I32*^Hig%8=95+m!25g*<=4o%?e9Z-*9Ve*9q01Q5zByhlcfqDGkl$Oh=d^hrDD z%7S<3^X3`tkmg>%yDJjfa#fAM>z^W(S31RyV8Ezs-fnuVGalF0i(83^FhqSKs}cFTKoZsk~G4Mo4yWkLQaSJ|)0+`tz+g^5ez+Ap;1x)?va=h9X}P zO-z4ur%>zEL&xqiww_q0!(9z(j2%J8Fg{G5&?F*E_^k3Zc_%x#74lHPfBQ!zJ=)78 zhgF*mlXHp#2?}}v+URPYuN6$3up7>ybF&6cDsPDH!qEP%Z5r<4iCRO|oTu%Zu78>$ zFVHcM$}j4$@Zu#qA~EZz|hQq|CInW-Fm7mn}E>VacTv zQvz6jPm{IIX2PgJ;guBU*c4aa-LLxOkAgRuL?8=I>DkAF>zk#+; z6Q@CGjrLo=y}gRpjGPNMKN}Ke8RRU=mu`XrOk}@@`Rb5u@{Y(K*31%HzDFxB6=_=T zcM2|rcU|tsi6@%l;TCVZpy58Hdgw~zVK}6x#HD{CIo8yQhU{2$XzO>#>_*S|JAVDk zHve#3+3jiDQxy}y#RFr2Y`6M-jYc%gR!er6`WWOXR|_^FDbhUoCiR13&ZF0_UzcU9 zrZ^N)L^xOZd}YjGa6$xqv<8kdHOb51V~TQe6!akZ=4@n~+sLVz_2LCBdz zozFrs%N~J>fwU00)mWQMq1^XGx`40Dde^l1J=V|1HU3Bfn~3SB=RY2SLAAdHJb`95 z{+)%>sJ%0CS1|?vaMA7nrb^@2H_8zpVxnqoa4|f%)+$FlrfXy{Xo~_Oar|*KClUYQ zoRxvkDHJ^l1e=Dn-yZ`0h`JZt^YJwE4C(WjZUuo_(^($xs+by-sb8r{vp=@<(o@aK zfnKc<3%QIHCRTsO;)vDKNl|&-ipTbSAZh+Ne=7O9B815Py6*h(jb|1eFG3EDntlr}d>u^|Ik7IqQ;+ zcAcwbgsG9$0({}69W9Rcs2jgZ0i`sJa=a&DF_4w}t}%E;{3DN0e!+ZUsM_vL2$tCr zp*EzqdJ+8XL-AIJIy+iLi%AS#xQ$SZ5`1zTt8Rx3O(_$?Ta4~#m7Qw4y4rw*$N5PX!7)3Q=N2n@FvLIMDfY;5Z39Hf z=RPeyXv)i-AtL-D$J0EcEA?Z!Uerjk3W4aJXffzUPd%qLiz8A6>+!K5pwO}MXh<7^ zy8o+`_6l*!PynEe0<2^6Ek5Hj+&!MAr^iS7{}NuFaSsZ9V33m1)NXUjm(U2HhnZLH zbSzhInzy%biarz8+O^e?5m*Z3)-uvnNdBX z(^)G?WiZb9uS@UMR-0T*M)gom*G(;z_51Y)##%ZB2HRzj%;=dV{hqX}(f&;G&DIZ$ zIg4tis@*M=BWvWM<(`Vi@446fTQ{>+CRxkN_N%|93~V43lUEPl?c#&-998@Le8A`YikJUvWP2sZn;r^P7JR_ZR|76Op(@58Wt@7&zW8A0-5eEr|i9zEze zs>d~Q0sOgZ$wWHSlGjQ^_3SiJPVru%aO;vcA)TuZ{*xVIqkCGq#KtfVD znqPf_1nBhva#-+g!soMwg4Fr^-zUWwkq*&_@}#DqKGx7FjkwVTCFB zx;m^-J4RFl*5qX6_VhD?OI_X;qrf%jEtCxYZJ}nO<>+Wk`NJ^IK>--dDXP5YG+J-+ zw5~eln#}K@)-3VFjmx9mz3XBcSM3UDIi+De1W&LFCe|S0!b2)s(m-t0%7cE4c1{(8PM5WO^B_*DWqe&aLK<#CL0!TMq4>}&y@{{P zt*Vi3w@j#@B_TKDYizjl2Cj*jjl`YT`AI;f_M-`TyGMPu7!IrT3P#$Qy-xZ4OJ4dH zk<2hg><2LWrQqM^0I;n@s^8rTV5c|W70M(q@-VIaQpa&S?!4T{@WNyM_~>-H$D4jm z*Ij{)7&!tWx3Ax*9%mOCZ%g~aNU)xjk)|VugbiF(;O{2!H?XYR$iH`4x#7u>_^P8A z#}*k+C2QFkhFIwu za!TIa$a{c=ym3SVs^QUBr7~9{`dbB;*9q#4lRr8kfdHSaNC~|j-mB7V_HXt%Ds0^veP|dI(_l$g!7I-B)GKp6#HnTBJtn{ zvM0_yRQ&ew82naKi?O3c4|22i@;4||?{QsCWg!W!|F32B#~Dm` zKOoJk=vSN}|9Crmr|`(H6AEAs?dkT$leHk%xn!$0%GUf8zPS7-_%nLoseqJ*ZOFi< zglcC+PM=kL14rFFUEL;4xwr16nW9TpLA-eRj5s2;0lZ9Z{+4hUpexoN*Zv{jfrTP}lqZ&Jo~$<#ZY!5r zXt%!G#7D+(RA?@RJ7DvjeLEKT#;f!Q^L5i^Z+i%FSI$(*zQH{_*Q~h59sIfZTf}8k%8_niLPcfAq$rUd#?dZ! zQ&tXbe(g79Y!E>&$i$WV{{1eMxFaK%7x#TUqc*ye!fj&dG5uJ zN2e)1A_z*3$}-gE(~ifYA9H`~j?3L@1ub(9V*dwlD8mN2032y5?epu~OuOS37o(CD z9DqRNDmxq%S!kHir}z&Cj6_lNA-7{snU>Q-7mhAxdiGDMDv#_viFad^BOw*42IU;t z4^_sS+!12Ekkn}Tie>PRoZ!pj1$IFmX-~>WXCj{`(`X-if(>Fh<1)mCUFwmZ`T78E zL6iUR1uu7CXZ zLC4T;#9T*jIhz#VW>^Y1+~GSBx#e1fvu}LkY9C~YYx#uDoY7Tp(@HIOUGADDp*HGp z8V9BK>4P`Z53Q_ubttb~acc}|p}$%1Wzcx(@&r-5Zl8#Ux(_vhc}4Ad2n%j! z@VFi!f^bXIi?1aNoCI|Xx3coJE7uS}>oVYY<;RMN%k=HS5Zjl* z>*3Gul|&vwUBP{?0K%f4$EE;Bi!0?Eyh{4DNv9R}^F%c-pFBlW>=_v*1nxP1a5{R) zu2xdK7R(j%)o^R4+vZSWmWP$N1Yz$vZ3VNl0uCv96C%exw}&(v3d#H4JSm$c7zzdK zn%*N*%&U%IObz8YjKix>;QFd+CgK~qIV20R0E!EBtv|wQV|?A|KB6~ru*e6*j6^-; zi-Rak1=UX( z>01xnq9lCiPn^{FbBh;sr~q+T?L)`4MS)8LLmkvrcDAB*&G&*KHMWLufOYGRuIDEp2UCEKBu;6zr=6dVQ~UI+2j0Lg_kgT*BAux z^%Fj#vE+|FW-1B505Y-!O{`)bd%Q!p4G;zp>{qLjqoxx5uW*E&MvK(l)dvzn?sZ4J ztGKf6Jc6wmXO5LhY)yh3ywyfZDKpPYD&124 z@>;D0AcOEiQ`K(HJgzkc-+CHv9y(z5fnt zEiT-qE|X+gfTV=gNjf!^=s!fsQGt2mX+di6u9O>>@-djvipHn$hxfT&Zims0eVu~B zg5vA;VU&%nXq1sMfsv4Np?7lauCwEa1N@*{Df&f7VI+3IYGIc@7oDO1%BBtP8VABR zeF3MJcB-`{uORxkeSnZiC)c)6*Ci*g4ypq^lDKN-5UTp}z4Mej95ekPOT;H8J#hYj zK%=8Ug~akP{UxU!rJhX@uQ?Z+y5SV^6 z%KBHAUN|8?1joOeT$JP)RG9M_N7X5QjD0uWL&j0MW;;)pif@uLM25QS7Tb1Ywa$8J z&QP4AS(u_T@B>@6;9}b{6q201_O>z>1+Fc2#P^FPpwur+t~@TUBsjFzh;i-rQu@9+ z&ujaiEe@fY|1A6Y_VC`i!L!N1kje93vzUXa7Wzarhj++A<=(-{U0|Cf)M~`#sZ-9y zU_xWRlZbcd(?2%XiXI$&o_s9reEp|3;@YEMJA2xW3g?fhc}RTrGgH3lyF1f;CC1Ew zIHTxGoT=8=rI)N`c;b14L~r~zw0y&r@iHLbxX9vB4~xXf9_dPh2Osmw59uO|Y@H<= zq;BiQL*=M^PH-x?GsfRxxZBVCoPApJ;gtgl60Jt@qlF9^&Vz)7-H>X@?4^({+Hndh z{f11w3vaH4S1>x94~KoEvQz#Ql;Mv*UIk=HTI#x@B<^Y4tiBnsB9eTY30|d zjBrdpq~hy-)>hkH(`+Opr;#vrJS#EuZ|sqziXJ>`l0Ov1FEUOtu+g$(Ypzw+nZqiI=|_k_9Q0<^gGB@ccv?(K|U-w104Tg2lN< z8c4nBJXhv9Goj({d`EqN6R`s{9W0qU@5WjKBjM6_nI9}Qm z9dcGzE{^eI}k(RG41h z*9(^uQ$;mB013v!9=%@B*Xb5W9(`Yk5PbPq+eO7z*UYbU-wd57`X^Xp3tEYDge*>DQG{MVn4{kgj72Qc%Qv5 zSIO{p1$Skw?&xno+0id~QjCa5jEdGUj!s&ccKlqeHZ zjxK-xv1gR6Lw+@!VCntQqGDAop!M2<5}&hP&GGF^$9C<*fu#+}7n;~5-+ji2=V&f! zS|J(G1g^=un)&JUTQV)|lPeT%?cs9T~-G4$XJLzX)##7FU zo59vTF&$U4Kjz+)xP@)-gWqX#*U`0xdvDDz96pUtAAX*=;O+jGPg=32@?)@rE`PS> zL`L~TL8Bv<-;qpn)#M$i>>CD-6)AnCWBK;i@VeR#ls%l27fS{ZEhS#kEe~ZKC<+%n ze@k4?-OX75&zsgL)Z&H3h>D{Jj}{%o_V)LT2K8+0`7=QbElHt@Y5oNguPIx-N<6-- zr=icUp#$^DtChv@DB9hml)m24rYLv*zU0tUGyn%I?S23E3h61N<$}3T_Wk^`8ew}z z+;)iQ$qxbFd^mGG*>De_>u`=khq>HCb{_^~PFR7lVSr4R!qgh`Mv+)ionq|#P8+yy zbcZFoHL?9wxG9cF7b|?@D5S&85mF-J4dy{9EYzJ&W;8Gc9*F4EV% zV*s^l(Wu2d`B3CY=6wG36peXMUSw{{to;QrQb_eIKuED?`!?`0`+QG(EX@mNOWpg} zWEJh}Mx|`Yx{R)U5j2afUH6|7QHiVNOC1k>3wGBZXpmXCUc2*--=K0bv;b| zO1Zs#L2B1_jdc6g`6F6b?Cb}N7NO>TTqyw@>-+r%{Ys_cR7;D+O>)zi8n2Rgro>~M z;s%=jMo_r9*Ds7%8f8Dmn683WhT6{zzEu9@e6e2##F17LCI!4&&3>9F`SH3leC3&4 z6}>COfkxFT1%JW@0b~yD31MS5WUKMZBf1RN%qEw&_o@neRc%J;X3bV5RPnMya(FAV zfg}^`cWy?(ZSiS(ur)@HFIv6hjnpG#Nj0|jtCElgxk*Fk;OXQFgV}aMsnK`Q3nd1f zgZ9P+sRae~F8mK|T z&_|C+N9pl!XUJ-y!ru}OqFeVI$Wceoq{nAnGnx{UzB`Xi`TmKQX3;C#xQSq7P^PPv zZN^v8rkk`tFpN{FDkrbPiCKIE8|n$7&rHkfJB0X8ElDz|FqjAS1Fg%B zo|SOHb8wPSisVG@qM-$btsiVR(?4#iEj(B0*DVYulc2jx!mF54`%EGv_A{-&1t6+T zs0^gCdUY4TK`jSyYh#?2FPB4|AgiKF@kB~~zuy)0Wqg*RZ-2s*tm=w`sUbnrLHw*~ zHKL*qqIn`a{(>R=oxGQ>=s$7krIR<}OYX)=2?)gRyo>SvR>KEe+G(Hh6ySq{ciAJO zt>5ZnrqQ4AA7X>HSS!Nr-^bLQg7mg(R~&MH>-@6m>&uF8-`5K|oECTe3^!k-OuD+( z9n@aXUn$-&hSW9L#$aQI1sIF$9Ald%TuB5HOx9iH@d64o06>|8`!Cj|xH8g=y?{vv?e38%FFa(`! z+7rPlB)58B)6v4WoH;qpUKKQre9jpQSyqJ>iC`8QJFXMzBTTjsSf_W$_L>QiVz7VQ zRn-<|uDivV;p0Wh;WKyoB4+RO)ib8QO~>2ie1Gs|^NUeUa@CaBH^a$m~9`#N@e_;@cQXm^% z76raWF8vI%zQBM?OmzrX%tg)jMVz~zQF`_vVKH6a<+|fQSX6;=lv+SVt8VqygwR)Z ziqPQEaDV@-7~wsYcL3_t^S?FrOIOw9?3S=Klq1>9>Qr7{)pL7Is?>wa5lX6KQ12|% zkW)sR)_EnanH2u~K59Lr|5_jE#Dska@W;6QCMW<;YfPPh>wXXF(^|7GD#D%(Ip^0i z`m0w>>wzJaGr=*WT(4!+@IKZhX0&gDMqfNPem+Qhjt-*7%)5W$%OD^D9zhe-fuULG z*a37%KEBa#c{BY~rHbed;xFrxcz+zV^ETvOX5mthE@`Y0(?}6+7--Ede67J)8@*|H zsj@4f1se0K8-i?f`2`3mZIlE|T zY6a+A?YG^Y?Du8$=S38NW`_PinM@4IIVe>^reSDVN7tbuIw^Z}tg-TOBd05afJx{US!(?CJ1HS98-5TWudUsafsE z?$_F76x#1g`JLE^fPoW2k-_cvM`ahg+FUpYt- z(st&{892+5=2_lU2UQ4@oiQ=*jVSC$T)Uh~@BVJuaf!MIX3`i^?&y*ixAF0)&HS}j z&e_ON-pYly3iV`N-(Wun;Y0=U^>fP+Av^tOR>r11=+g8=q?WUag~R>?((mb`%%X%X zC8Tv6y^_vN^r}1`8a5!y-WDruM!8Pg^G6MAjcGe}cL(40m|Y5-94-T4`-s{77=NTf z#LQ$iBSO3s3?mAe)b6yQlhr1?UfX22I4E%H-(UOmo?dFiT$P|Ebom0yq6D zoHeGZCXhpvU)6@`ziHewVT#>ru|w{P7m2V*l^vaaJ1_t_+%OY*tcGiGbj3doot>H> zQEZyEf`nLxV_zzELTwu?+8sM_S#7y`ux}Rj41sKkaj3f#mOgA;#lp=8)KJ13ey0gMJ}URgqZ%06o{KWbhLi;btCJq z6SqrpDz@VY%0u0)7heg9SAPHW7_$17zcLc;Q32|}_vA6)8$58mXgqy)ZQ=pNpRcUu zM=|tqW9qNXh~h_7q~KK}uUpXr$B$A|e1~$R`eHv@5gFIx$vwBoveSptZ7q6Z&IC}X}~fLK`E1Jf|tfKRAO zb6Zxy_(|HGke^rQ(2By@L5Y8=J|g85Xez^K9@J44+-d1_oj&O8qYyfN%IT$q z1A}dmlkb)!(hoMO6Y*8)gt`#|dY%iUrRynfG~wS!oNF~mLmCWpjy3Fqm?b=!mhT#= zHbQM)dGr$!w=fZeU3ig2I!_bE#24d7RAwL6ms165Mg03K#=PB7zr5BBPS)9(QpP^x zD_xP7658f%%E>97%}nQwb0drZA)lrG3Wdj)bh|kd0l^4}27C33?D$vw1+28}qbzVa zrb5ox6;g^tlQE zXw{x5L(Te(=L$GNccTU6Ur<7@+?HxHaDhZci$P-F(@|;@i3e=~l z)fw;6d*!AcSRa+4U;JqCO4!FDB1J#wr6ikrMqoMn0m|`p2$uau5+<#4-J!yc$9ZQj zJmx=qtJP?m8P&>>9NJ45zgd3@&Z;PG@B9+j_}qrZNY~0w72le~IB&`aTTk6`0L{O= z0T$ttE5w7Q@W;V>8#nT7h04`;F5xInYrWn-5rB5Y(5Ufe6If>(M`b5*Qh}zF7+K-iu-J}Bb70Gc%fNG z`jc8=HD5Uj%$t|T3bWe6EeA{Vnr4-!%hQ&;(pk6a)K`^k(=?7*@f~**$GdmU(^tbo z>{?$c#A>wWm*OM3Kf3A>GTvzd%4Q>-Q80MXYApk|werB!ui`0?al_LylnrwCw01k% z5LmPT+j9(8C)pfQv(d}cVx$^U790p~+!918ejMJ{6pQk$dy01IkgK?E6ju~K{JF~J znnzedi16v?Z0WjF?5BMr9Za$}18AT&TOkLiU3z@D_nJ$4#)9|oqDh5{TcOrxZ6nhh zjJZa!ho{$8X?iymls7(y0xyj4!PptfywLB*DMb5_K`r|f5Ba(281Lb5O4GyavXZ;v zQbT7VIAWZ87Lyw`h@ta`{UAe6op*tY-*oWUidzl{ixcz7c_&e5;FpF-KzkWI- zr#8iZk}@*ML|Ol=zPou*5Vt7X%X$gy5&VT3n&rb>Sb61IbyvU&qr;s>OAF2JhRz`{ z>;alYy%)pCE-S{Vc1){Y0j^AGsY^_9Q#KoYCFUP@Y5w+9t-6z|oxeh} zUM-wHA$Bf?KQ%PuV_vf2T%G8}ZpFKMEsT9dmnd9VBDxqCWftQqD^%ub_;n!p60S|H zkWZx8VE)ALHB&U5UtsOGzCdgy#p)A|v~ZP+ z!8UH{?!NPCtd6{e>JGm>B2s}%xJ6M@QR%15l@p}ow{Q1kqqAWgA+T2zqq4g0tE(gH ziAP>{56X?(87&RC$>J)7OH zM&ZzUO0Y4EpG*qS@K=0xa7X%B17v!K7W?{^j|ZiJ_z*=<<(&<2_U#$2O>@VN(cQry zz`^H7>HwWTYr}{?Uu@2f=Ec?gRY5FA_%aYP#GlpeW1YoneU5eYYG7g{;GDAJHP0KN zvZo!ho9+D%M#k8U(d)9q<$W46oGLYXvew_}+e&t1W@z1elqF;jCoA(?><4p(#kG<5 z7d>6(ydYW~K0K3{5vm$rKO4gZC!;L_`mzL&rzjIZmhFq6PaZ7PO2Zjc>CI{m!jl&Td+|& zvfY3-c&>P2Egt3_{W6P^@-Kfe`dO&g9|s0TzipkC9doLq3Qz8SnV1t-`t#YG*Oy?$ zminBXs#}w^(0}oWE}EgGO$}DNf_rY%{$o^@8mc^$71~$Sz78c=+ALTQ+(JOq?vdg3 zdbygWXSNrP5s)jb+OHY?29FQYbt@bLpgi?cyjL8c0ep2e79QfY~nX&149@$s)PcX>;%#x#fN|M(F@Slo7LvNCFdtaCYXXJum z2cpW_LBAIF+89a`LL)1->TB(O4}uRS^AYx)ZQWi5zr9)1?$b3^>pMHU<-}%u=4=JD zjRC<-zL{5VZ?RfYMw->@RX#~j@_DXz(uR8Z)&Hn=`Ck;sFK}P7v&qgb(es_f!M~3H zw!iNaxT2`Hza2UE{Q=}y`{4Wc+^@m!%8lYYi zOXsbK@mcPFJkw%7jaQGbTTaR7KyLn&OXoG&3Bs1{^wlj>23j8{ld&a- z_eRawB>(bW3Q8lo8U8cU|NBu4_>aQx|I8kD>jf1=o>J{PC7zm_(ABj(!S{}M?q99w zwgX@ebJDMP#HBqmlvAJ5GEA4ND?MAEJny|UH-cVyyjaXPYt7BO)Q|6l6?;w*e}GP58@Yef@2nZRE7AT`OgJ0`~!XO4sn}!I$k`KPfNI;7vFr; zPGmcT6v%hzH(;?($Ht_NvuF(ch}S!P)ep zf1QGTp?#w*%%ECIuAM%U(C#DiU&maJ%g2%o|D62x|ItA$*X4h5MF{@EC$9gu>qgse zfL_=HZ(fgFbvG=@NiRd056rD*_odE{{X7ro^PmsMlARGUjI+e?%(&{(7mKf z{Qki^M&y6?Cx0^W-@(588~(Q%oBtpB+W%iY)(zAJ`T1oe1g*BEKj2Z6cYZC4Fg;%B z0Lpqq{lAZo+rytAw`Nsrjt~6@<6l*mt`@(|z=1RJk;>&%g3kW#Fzrs3XzcpZ%4R>I z(WBmem-%So`+EKK^4+fU!rbZO@TP(rGSgZ?x7L>-eOXOjPxP~@ zm4M&Tp{her`1nk?FF+GC(Cd^J-MsZY--3hES zwqHi`aW9L-+XF>jD+LO@LdgM%gd_sffvmp%d=58Gkm?_$X1Y7YIC5+ zOC9WNRcT@LGNO1DQ-N)Qc+2MS)cSYcA`_?5D;>DiMHW40LZ_0O0<839LOqcpeSP0I z0wt7saV+6+05?%rUgf>?YrgI;3ZY}w+HYxlYx7L#>`-9xIbwmOJ+?rDM;4M$3Y8@| zI>QQ`HE(btK9(~)YOOL`Tf+Rovn%tfo5@e`>%<;N#G^>I7%8cZSPw(mD@6don@Gnm z4Ud6gZ4ZD`1+AxMBPmax@XHYpH^<@k@6-% zQYtp$4I<>FcX0zYJq5htcqFehk~O_JomNJ3I!f=<_W*}VtZHj;xW4f#Vl7#cr{oQeS6l-^%RFDOn?k<4&LF`27&~fi>3GW6)r}So23d3T1 zM_E>M45~l0I^MhMcrGKcn0z1O2PS=Yn%TB z7SGEuSA=l>PU_ZO+s!g!Bd6|um^j|M2XhD%zSD2R z;{tz$&)0E%=SO!Nw3JRMHvr_Q<+s*70O;jS`KU~5z9}+rq)1+^bonixl%jf#Teb2k zhf2{fPMp%Xex^Sz_p*kmpx#<$UD|r?Q(z!jwTanjTsAw8A8$1onA&`6fBXJ3KMkEc zP`rt?0^;*u@AxwGoi!?JuGqchcsTW-f^Y93V8FwBYpQ~%p>ikW;gAqMd<=`RX$9~F zoMrb1JhLWxykhbUDR{~~$isV)Y3>rUQkEl&@_S2kuWc}~1ashA-_w2c1_7XP6MbDY z7+y_2S9ctY;Vz5Bv0>^Yie^9})wZc;V1?SPI z*N>;1M>k+Qn}H`KxVJ0y+0(3_3aTy&0VWuhNIc8B8t@_~!|s69q+81f!0^4@tK8e# zH6BY#!bwpED#iq_T?vP>R{aLCn_UU@YLxN$vgt+Zz9_lr2u?H}#k(C{9LUH&!0dkT z><()Kk-8+sBba?>@V$02FP_Q0a} zvxz0PY7w%)0!i z?Lgo!@*-7$&LbeQ_LQigg1PN*NdH;8P_3X}NXxB6I%x5P{t;9SZ6W-h6Z7Y<4d6bj zjE?qpkB@<`M&PR&CWVC%_QlU$zS=v=J0{H=Afm_y>R!U#Vn*~L6KZ*-dAmvF@r zb6kpJkA8zuKcwPo6MTnuTdgLsRQh0YDjQ2|S+beeB6(C|bcS!EP65isz50SX#wBpG zR@obIZ5X4CWeVAt?vh!|ZKn_j?`ae={k)qtl5r zo`t`bSIo++aWb{1J&`>#=?62kIglfMYPQO0yqAQqUB@*13=4+J7VfSE!?*gI-d>4T zrdyk{nR?#yn$vr75KZ(QuH7qht9rdGI>OXme!wg?R@t~zV**8zH5u5~+*AUi11PT`)*o<4Op}drk9* zdquZh#DmH@1YNm3LU~LpIX$OzmD~y5*2{Zdzd+yvCYcliG7X$06{x5r$ZX zt(wA2%E?T;!+u(BJ{5{&ceZ< z*Xdz2?Y@C~iBchh9;Oanm1(v?rD7YK3c+=}+n40*9CxhY;sM(LZ9P_vUhET-oqNU0 zuh|i0zf^BkJiza9qB#I|C}OoAZx`-5`D=u;s3#>Rl94>UqDT( zCs&TNFYi#r0ab;gW=KH+vWpdG`mc2@?HwNq2qr?&dYa4Snv}kyx$ADQXO>q4k}_D! z*hjO!zI&&&bS9z3K??hy;D1@ z6L!#K<+$eZbMhGlKGr&5+ZFA2OBNESmwSJw(H=<3a&8?7*P^}afw-8m6W9IiGINlq z3~ni^QG3Gotv_e}1Ob4uNVM)<@+fm9xe}W@wd%w+5noD>w3Yv1TM68{Ke?x*FTIgh z)%q(V9l<a}KRxKo9+QNryr-I1UOgpYl zpMjwb^;1xj&uK{+OB39=;JmY&lq<^sdY~#Pb-)IReT0$A9m0m z=U>a!?Rqm7u0g>gb+$XTi(8b5_948nC&<9tF zyES%4tg(KQ6C0cmyT!83__CaeoiJfV4|}(5|6sy^4G!h22tv@W0|V>ikha=fDAq8s z$yi9T!Oqplxza=bxRQs@#sdx;=Y9de-x-P~^^K+3Oe@kC6`|-jS+CLdZ2UcaxTD}C zv~`%)Xtz{QNiaZ6o!So6VPxhtq3hVhp46g)6*OyzLQDjv%B1Qa+wBn8Ap(BxF-2+-|y$L{dJrU(vY397C9(dG4$)(rw; z`ptDBr9(>Qpp&p}gK?ZY*AScS-pUnBq|B6J@d#d0Lyh_s-3~h|5NX7_3vusIR6I0ds zl1xR=&)b)(S5Xe&? zR+(kv5%uz6BPWd2%*^2CRt|E?&H@8N{ibG+bCyn9{%KSj%9*A!NIkX7BT?>vxjFWZ zCvY~z^PwDWRd^&*%Z#P#$6<7UJiKCxBS?z$)MdAhWeH~F-0U}Pf2;a0Xp~ik%VE63 zh(CJSWuU@(?U-k=X#})Jj*vAO9losxd3luwnwc)UJiLjwn))N+g>}|~1hg!!G*g1* zgSPkGc7|b<4*NvCt7I;}had=L1HG1GfM9DrNcY!;d^#}uKSn>-Lc-e#C(zeTJ<@dC z*845(tj1Hr=l2u0yHfoc9S=gZ+#>hW!E1N2*T`Hu=z@OgQ%q)c-AwvfD1#HO>h3jS zEE>J{95Ff_WAZe2|wHMbXbY+au0cTYrMA8CCBCR`Pw|wPQ3cQPscX7-ckH>DJ zecOYez6H#hvXGHy*?yFE^=3Am*S}tS!S<7IVn3ni%ZsNF3uCo;t?ON>HBYBSP*3^3 z(Pa;X%2J(is%O-dx~%bte)?t8B=yz}u-kqHLKV{Nld1JlMZZ~L`Cw6NuB;^D7H_Ju z>6v%SJ(@W6u&VuBaq5fk9d=@vYOVYyhy^=*O>%%*J~w`vGy4ugUkoms-Z?73tPA#T zUin+*;BY}SAcrnGe;~ovDKBNfNg@zaYpH&R6qbsFfo<#?1068==!*~LGi3aDkk41mok$ z9%ge1=&nA8N}rpenvX+c6vqMEmNfA(l4oHgZO{d%bR;ZFD1Y~hETB2>3vpItI&3-X z_S)=+fN?b~{lUWji>Pn$XZnx7@9vY5PoYAnltQSG>s%6wm@wBy$Yth|%iJ%Oq~wxv zzuzyLO)fLHk;)~^-R3^IGn<%gnAvaN-|zALeIDDN@P55s=XuU~o`ZoAgIBI$FZvRz ztG*U6a(?xr8#n7rYQNKN*f$qZBsA@mSY0MLq(%v3BweCJbDxu5Yeo%y_;X>z+BMU! zH7G`7#uB3Y>?C`-QZ7f`I!@L9l`6VR^14h1-vwfuUSwE+?qilko<^CqG=Mf$Z^6Rz z18-1HqQ~ryhn^rkcFsElC9)@M?a{`Y0$*vJngGpx$dqnc`u&8eck;N_y?U*@&A*fs zla4&LnSFYwGotuhdzCM?jeWmlzw>)IuIX(TV|`!Vwg1ilwXe@R_m;kygtK&LSn2(^z0T4bQV*tq zF(lHM?`SSctX=$zV#GSXQO0MaPljO6Wi^YUh3f*t)>TcN=Xgd7bBTY0;&bkHSYb~0 z2(4r)Jv{V`@h=aa3ub<}f;@8}=M6B1zBzdK{%}PDuk!q3z)1VgOgduc#phwa6{tmh z^*MTwnN{IE50AvNPE%r2_HYdu!~JNfh>aUY8LHNNHQ7_L;+}Q$g*v0p?8_t)$)`iA zBjWDQ%Gm|(|BD3DH+7b@onj zjTTPipt^7L5bS~Ro3Xs+U1P99&+IUd?apMCMLBSRgcetT{m})J*6iDwn?KSM!;S4P zZ-&g(1BD|F3Lnr9*T^M3EsGM)lgN55v_+7IDyw0*4C+D(VJ%g}&=yt>D+PqP`BfMa zI3FbYwb9hdI$vJn!{68X3-;e?lJ*#(z($?(DoPOd?AnjNuC}>g*~{+4tUsDR3GzV4w> zAWiIiKE16CWrQa_RoRc!+)b4=_+(-3UwGfIX7umC(t7CV)H0xW(=JOA>NmOqadL)V z024PWPDix;tE*sH-ryFqWsP94tMa{Tr(#N1Yk;skd75tI;5J2IbXrb5KM{DjVs$l1 zNYSD40AB^FM&P^q1NIa_PzGhD)Ag&yxYYzE_&{7TGXSJ#nNKO0=|#_?RT2eH2ixZK zRPJdGm&S+s=L6%D9WsM{@1R&i7M%X+M#A;5=SMR`sVfRN5YpeNHJ80fFkki@n^v)O z^C1|c1~Z9BkfpB^RPA3xMOyL18}4@ZiV*#*=J^k$Yq8L-K-OWbV%x~%>=|X#lJVbZ zQaEGFC|kr%zXV3Bm~S3`!>bJ^pay#&X70LiIbPx1w-;S^L7RZ93{(As(UUzn?!~l^ zU3G1FOUlE3ijfxeNw?l1sx7GvU}{#dF0Aart-jHX3cgD9Nry!>5QUGKoTw7kE8VN5w5MuR z4B+aivvh;--R&&j^V<8O;rI34;eOW6M?;D3Hjf-`I4(ccZE1F^p*5UgNsAtcY)>CZ zUv2`f*JLY;Otu)8uypgf`UpsdMrGA34K%ZDO=WI4541hv<7ABWE(3%nWBtSxL&CoN zz@=UiqC@p{bvOkA{Z2x;FY^X|W~%4Kg!c?MrKDblCPxa74vxZ$L@!26`_(EwyJY86 zU3&Rv(E$RD!Bc4;?1!V9_6sFD0~1WO#_UACIewb%2Qqvey+!+jt9n@x?Xi~??NrQ4 zZ>vq+#xyPSkj-^;qHMU*m6TPD_-+A*ZxCodd@yM`5I@p$(lm(p>Q zO2UMr77;C5BG~HM&1&M^HTQ5h;;eO<2%zW8E%(*!w_c*dPvmnF{#x4pyrvl1FuSUX zzn%$tK1Ok9>yVtcsy+9hZfBa_`aG%uoM&V7SB(3WsI5w8^-_ef|0oX7kFYqgk43{R$wUJ8NpnoI!%P3()jn=0Q zANyI3lq#oXMbAw+id>?|u1)wWqrX`Y!%WA%gQ~G^X~vbyS9!csB9p`8PQuFj$!e#< zH|P&e5Y|#;3Jh9aH2H>sa}+2<76 zBQNOQSaG9wm?f)U|GrnmItV$~HCfn9!(|~pN+$W9fU!H|x(m9C@8GhPfP7%IF715& z_(!V$MD|C6kG{9RD>iS5w2M2YJP6K3rGK6E{`w_hG^6R@%N1vdN4Ljm0{E7#p6my} zG$1DwSd$v!zxu+GN5A^?lNlqU(BT%t;NDb7#@6qtCDxk-*{f29epTsZ*?mE}Cz_FN zTHmhgl|p)Mra@iSztbA8c(a3Us#^bER(a7UoRK}}%yVDYhKh&U?3c2vu`{AXL;oPl z*U$27#+N1hPY!3GTSYcRR-HN1G14|(`ur0x3FFE_%n;f5&`F2HP03EApkqY{k-K@| z+ZvLxM-0;u3z?43;I2I`Wkdr_ZD@$G793{S<0CfDHVp6P_CD%pzCM4J3qjpz&3!-# zw5=DnSs>fxW&a`VZ4Xce6Av5ALqkT-t~W17sgYal9$2pD&p^lSst!=lk9z+E-0ALC z-q*BrS!>PmC2Ms`c(PU&ycGB7;_REOWejj4FRgA!l-%!Q^u9@otT<3+$H&9#14KVm z3~QKyO7&ufrB`kdkrxNNj;a(*r`nf=i%nol_a7qHGb2;DL(REdg@fPd!9aGC1#m3u z{R-WwRH7_^{XU$OR{rX>D;4W}!=Er$tmnic&x)@1g2n{;F2YwYV?0wuy*HfG^u~hY zq&>~|-cZ~c2G8F+z9MkT2w~8>k=dZLAV35|HU{qxPiL!86>h2&N+$*kIK96vrgkmj zTuEQcb84xxRK%li8SxVfGd;)T%@U>*(8Le^xEv)jYtbG)>sncm@pDe#T2}HM(k-q> z?*4Dn+N%944u@g6npFb1g-V@9U#lBEJ*DIVdNC~m=SOoG^$PGF3JqWUNxu15^;iqo zFp^}p>(1+QhFxe+#8@pX{NP^=V`y#jesLPT6TbY1NP4q(21b;R911^EBj8#YnD+f{ z2l$&618|tW96H{Tu$Q>H=PEi}C@2~0-@Afz?s9gUMDwl@I*9?pq!fhEZ7kq%(%(==S4X(5yLW2-(*T)Rj=olkhh*SBWFKJ2-$ePB*e=L!u*w+eKy zQIKe-D4B1L#RP0ttmxVe+N(lJM^0z-+#6my^K}MTX!qlSf-_#7mnrjb%UT{b(ZMI6 zHrF^;a&;jzj-*E#Uk^9FOn6s20?6)*YI-j@7JI3Qv1P9=@oOS8dm}biabXwJ>sLYF z*~)&O&g_6`@c8pkZi+|tX8P%B23JyTX0p`rp)z_xP)@7ve9DWqBjb5+Ba|7K3rF-vx>D%uUJ>)0f z8)Xz^?ar^8Q{R{hcurN~q6KDfR}-_#KS^}j@~W!xrbw|_81!`5KXnJ5$o>4sFqi3k z`|>Yk#-=SXF=`1r8DL(Z4KF{0720{wn+DnI8Jm1Q>k)>y$NcaVmvM!7>-(*%vig3q zAL=_XqPKk_7~4xB%p6Ma@p%dNWo68Vh6RWW!OoI7(&^oslZ$d|K2@{e$E$FAom-)N zay8^`YMH1H{F-E@hPcuB<)l%Yk{^nQN@8o@0nes4J^~RtaYWbtt`Q56b)VK832%0l)!mFXsZ=*AL?qNPDbG;h({-C+ z&oskXC$cINeh+R4i;nQ+;nr+6mvQXTTCDro2nLx3ug#lM65?Vu3-li@aK~G8PG`~3 zq+7pf%FRAhQ<<%R!`H7mjGpH=Z{`w2zT0e}?4ElvLZxq+6*XO8hEMKq2H~35yuz77 zd26nkei0D|-N*Om3!iLXCN6S&37ZtDPQSGgcO2Q!h-y=k{8IhS0(0_FXRqh!GV_&! zQ)-&$K<@-z!Y-T*Jf#48fG@9e%X;7~X&#LT!D=r#X)LE4=Qi1{d+w~C#TAvro9aDc zgSg@l#twy|kv|$?#|mpeU@QBo1EVJz?G^_xKYH8-2MpB zay`W|JFl(nZ%xD@ZNU9Y*SovAX)pb`2#T9wz$G!}d(lvrCxnBlmb#|{>;b1HMS{%g zRMFj=iH6_sB{SW<$i&e2u*0EDR*LuKwG#QiqYDa2wfvV6mB~8)7Y=+31YawA9ya zQP55pVFG6VsD;l9)kIQhi_SN zPBK34eBw>qy+Y-~!}Jk&kJ=SQc5daFnM9C1N_$$_R6gbMcp?0{lL*p(R|Gk01wX}v zULU@7yM(d!pd6b1<}w6-@(isc@6d|MM}DSnNTX9D>$&>>6|eCh@@MMyTDZ<~I50h- z?fOQXK~q(G8FpunQ&-7qMjBHWI)Aq4 zsbfT-Eu&R&qz4sFQgsb2snxNQRk8h#I_P(dia6(sU-K{-%3SJU=4&>W8g{NNy$z5wEwGbY*}Xn8EC3PJ%~708O{@B%BZK!=Vw2pa zt8k<@Hr?8{4YSi0kF4J!AXifi#{2mgu|0*iG)&Aj5Yq z8n4Pwjd#&qpN}3G?`T@TJtPP~;K8WT$nzJ_Ru=rGJ?i*Yj+Z{gywCUaZ3v!SzbtQ*vFz=Gv$d4Y?IHF# zh8vA^6(|$hqxekWiWo6y#Q> zl5oQtnn!!+RG=|FF~`|JzG9H84zvU(Ape4DtV&I zy3%>Tg}hz{>5saZg%19-HBqNe%gtREEl)y}Y<&Bh%j_k07Yj;HFt{{m{m0u?o*4q2ERN-~ODSP?d)}P>wh^V3qDJsGB z%iwA)OI#LmWAPtXYQU|0=g0!TDbG9R(Pd(klAvIb?p4Qi<$fy81X|vgdf~?sf=hO%=z>0hSt5&9epYsJ=AB zTc_G!)*dn3!ag(4QKTs0nM=G&C-Z;+J6^G7si4%PGP{ zeR0&kCF~b$0ZOlu;%zHvY#K&=l(8yc;ll1K@I%QY_9*wJJW}+EHm5BCKU=yV-XT@x zwQk*9E^bSRBp0AEJ96}-`pD+~zs8Tsl8xZ9G9WA#kn>hyIdgNhRgj*~wd5Uc)Hbo4 z%2rxgOY5yi%!n$C^oUf^GfU};*p>+ptnivF=+Y#%^j?xzmzg25=Xtb|;a7`0*6{d_ zj!CERI8B%FNTCZN@W~njM168E=wq(^*N~N;Tmx~_%>A2vS4TzDdV}Gb+G#t#QWG+7S zvF+tnPXol?-|5HFRpaBnvSi-7#aD|X)TCnfGceCXH{RV)xL3hk5~F_U1uau<;SiEj z6)XW}JP;Y)n#=78pQXd?Y)xPA=IODPPwJ_vbb9H|n^bed0XKYeXp?4+;Cq5A)?YTj z(}qYX_5LaNw&zUyE0!q2Zk>@?imE4tY`<*v80z9&9oFnXY~#EF*JZ|o`?@GR0m`iu z+Sgo3ns})88K7V-N$(ZXfFR8aGP=C?OrirqhRqP}aBxQ0JD(*5|I9#6OdKr$*Ijxf z#Cvj%YRpLxg-PF@fI-<0F zq$lTw>-v9VnlAh3r{i83|y<4Sj2|rBJ`iQyu!kbu0Qc;IC*p8iEDg-mx5TB zCmuCP5%`!;Ep|cCq5|H=wSweVba{>m9zj`z%9Q9w;eo6vI^uc(EyqTpman7N+otVye= zPu;?>FqHHmFybleeHrcLCYKjQkwDv1N7#~o8#mWF1Az5Bz_k({FNc(bvoZ%gn@CS; znSH~UTfng|nvqqgS0`n%(3cMBCytrXH_=gLaRaSQsQl{hzpjAUxU@uj(%jaS@v?bv zM?X*(Z28JnYx)M5Iu-+C9L$bcFow-h7YGN=V_>wSq&mpYn^oT$?u0+h6%$}yIV?|P zrMA*mzlLm=C9c{M*-_hMWkIv=4WH0=e~W(q?NiBq>QcU4t$q3fs1hu1YuKS>^g*e- zZ|qTE@;zWAmvh_FzqPp?U&~v~)t;{eLrOBi?FHurd$0?Uv;(C}=inBNyzKqD!y3n& zfDOcGu0Z1YnLL|(x#{qj){vF!;p=!Ny6zY9)NsS|nO7rP1v;?F{U5CT>9UJ!{h{7t zm%QwXV~BSG&RjJb+<_xZ)bT`)1LQcdqUnGT4vZXJPZfuV(JE zw#GTKo5dI^3~AT+yq9Q)q(zs&H61nYZhtbF?0dfS3kJ9*#^3g5%OFqPwlU4F01;9d ziMl_~$>CnEg#WG#t|O_q<~-0~DzXlf6~``>KC#~rQQuE)WvFc)KPrAnz0|vD?A?Uj z_LqolD@`17;m$Be5f2Bp5lz-EDlc_<7zBdfOhtH^`mygl2v^ZSRE15$rbi*q5s7s^B=5FTLO?*w=ToH|&)iI;lmeTwX+yFgK^9Lctx9t&H2;rHn2)68 zsCf<6QP!1!xyD7=HdwS~b60uXB6IuPS#R5V9X56>J^7?dOk)L9Tj z>Mjc5X~GxEg7>lg10X)KO?+q$LNVGFO|%(1(&2)`J6nQFq#N9T;AS;Tqrr-acnC?XtxPQEN9lfF zrePbknld-E?+Ik`tFNcC(+`;m*1jDx=uKPrtu|)eiq=C$CTTy6K8Ze;bF@E|rhb#V zZn1h`^-Q29rBY;Y^3+~WC=J3|?bi)?g%ON(hE|zn5YWrfkRc`S(IDn`Xn&+}+w-Lj zvHQ5a{a#*s*cl%>pm?tRqlv!YZ^S?TDhPiQLeVS`U=Xf^37IXanuNC8iT9>bBANV?I{jD zO?B)^T`uHaaCk$P%xeV+B=Jbo^3PnmIk#bZZUb_Jj$7P3aLrI&dS@hblVBgxW-=#M z-2H4KvwluCd_}2ur!Pv$t%X(g6;-Rl!)0LpjUplw>54Ttr^0*q`rQ>HAmGhhl{VBw zw?rQN%KN>h>a})3HxT$wBV>IO&Fr6TNC|DWt$|1p8a%yj;c z9@+j(44_I3Ydsjg5uaHiY`hr#i4QhOed`Bg)x^*$ZIOEk8`3cBOr*x?4?V-v(#w*! za#GgfY_o%w8U~NR3^GA&_vfVOxQ?ED0()+ z+mCUE=O{<4%qZ;pD4!DA0c!FHX)?~gb}`TAzfW!Z-`DOR`dc6KE%cR%iNK|8ssdBx zMz&KnS91cvdC2v)0^Bu|j4J2eR1tP9#7$?zhQygmtxBnaLB(I@!y}LJXRCs1yB=9_ znHqMuEMYw>SEeXaUf3onadqjJ&>`Ls#ZdM>W9Kj8_^A5i>~f<-k6q!z=7+~h_6Iw65kUNR&8o@~v!tKc^Nrbp2HF}3 zks~Cp%38O|{@INMt>EX~g5qq)vk`mSN28^`BkASuGcPm`yc*5o|84c~+tjgj#A5wB zGbv@&P88@H2p3A|WC+d6&zQoxk%AHWb)Dl_yD3`|-B-VE zzHACxX5iOq7qKC~Kbl4vlw&tNwEbiVA}$1-F`bTU-igYag{?!&JdkF8-s9jkQMK3k z=9zetiRZ=YKxh1HUJKZ+?a_#>PH>~2oqmfWGOgsgfYNYA#F)87&ik}qnV{sAKT7ny zMTq65*vtgH=}VY&j&-Xq8t*M_S}~zszbAg||IXEEK(h7J#_!RV;%@TE+!HtRI**up zZ@-1d=hpiXfe~oH@w$6$<;>|bPY1{Og36XF`M(sd$q(~8xNOHTpj2ir+GEcbqkbrY zB+8GEuAP9@mxnEc2u#?Eeg6D%@uAMj)7wOUp{ePR0*AdR8}zb{0HvbF)^W@1Z}(G< z%xk$;_U-&@>fwKe*c;c5jLF$mJn8Rhk+~`6#zLv0Ls&POb-@BVyVLJp#Ry_n`9<-d zqLGh&w*dq%3ppiLLoc}!k%TC0(_*+uR4FHCJI1Jpj+Zhp8=GFGJC*#Ud%TBQ7-N6H zzI+t0t(2Ka*kG;qpgi4V#oa4yUpS`m$0u-P5l`>(zn4Ea;Ggf~23E=u%fnyNcCcLg z6^)}`eFE3G>}|^zQE)TDS{lcZAW*i}=nkARU$R(mdj2D z#n*~S20~_cDNe{RDiP$x5VL$_5{RpaQdpxVu6@kYARUA;WQ}UN7^B5>ZN0PcO*WnWX~Sh43!82Ym!{=ID96#O3f0$&0ik=6mVtGlM7b=X(kM= zUevOAzV;w8sBT#OCNAlB?56ublP(PH^>Gs=g;{3(6aY+)9Q%=?Uem0-k*b64Pdjhi z_~NF-gyd`z3$DJn0e~6%Y2YW}KRF2kyWdsno!*gNt9bMWgvbPyGu7E^I_p(`nDu-U zsb-Ynz?R*Fo!c07!sAbjaV&PkSO2A^qD)z5LrRJiNMjVO5sIj{lC}#m=hb|LXnjRp z+W*0uXECdRnFP!G##9Cv=!bY&QhV3Bq;Cg|mUp5>W-gOdosX*Vt28 zckSVm(|VB5M{h6Sv_|`dK<3PJE8&xYD{Fj}gOnSCYB}Tp)isk}|ME|(O$nJ>wi=!k zYjA()FAKPO%~0^xmCq?fwrwQU$lS5OxSA4u+${DHY@6rvCI7lWH zKk|zFjN=R;MNb34yf|JI%IN}$vu2hq1wlU8KO*em6%%bx>r z=ZO3Nf#~zEg*cdJ5K+)CW7?i$ADLBQ#>G3C6#lF_maG&ZZ)%;UD)tc9>km-&1Yr@e z()u-eyw*4|oVzb*`jSvZ`9eqXDK2Qk45|4Wit8Lk7w;(ZXENiD3ih? zG$Ig|S;Z-{YL~yUJDObfW1I3qsB7F%0Y}-ax4OhR9&bEkiL2p%7e8}8?vdmA39bH{ z^Ax9itkx!W4&Sn~m3$G37|V`i=eaW$DjJ7H+rUc!+iQ>eM$_ZYuDH&hFxuvqp1+$g z64XpIv2Vsv)LI7{6r77)l{NWfP2gn;vM)-99XT(x6HcRf;I5-N<6zCY=|vr&HO38m zw@2oghE<7UGeO!mc9a%>6w>snHReRbj)HT8aexjOZObaMH5dg4XH~b>G7r1|st9_$ zL5@vgI1Ijr`IC|v=w(GO7vkj3bvaYLw=>@5vZU(QW)fE=Z3V@%Sv)sGN7XJ-&iS4p zX;!T(CDJ<~{at-?8cd#3`rB@e9XA*k3WlBp)J+%IjAc`f#5RmlsOsYSUtPu*Lc8&c zFEMk2$5UnrogN=8d^qA`Zpw`hIXyw!a-@!wyKqf3)*A0TdqfAMb=XP zVa%t66^Ll17Cj;iAgac+)dFNRCc0i%BuzAJ4EM$jc$5V9T*77k`-$EY?ELR~=qnE~ zhgjhS)yVq_l4@n%6Qgqt4}KzDW>i6Y$rC&|N2zb|`zV_?T*kM6S|5BwTwU)YV}v%Y zF3E$x*a|^57CzQ)Yysl)(%0)ZN#@u|3IMmxJE}~bUMRj6ar%kxML{)lzx+HX?Wq4r z8O$i@MO((fzhw?M9fxjlg|ARF3Y7@Y?fiN%h`mbNXAzBym$2WZFQB|#(3^H2mWtSARa79A? z_?OPx6YlrxbU`UIL$*AjjB)CFDNo;~E250|dDri|Lg~AY6MN~!@RsR_eAmj6#h20a z=CtGdc`BU||BMtw#hm(JzO%d3Sznvyq7vu1vNn_<4ts0LCH7~1;#+~HM;DP!Y!X*0 zK;Sd>VZgQaGO9Y>bkefIZfaU&@scvd2Jp(W9`LdUk7UShM0_XO<@4HaoQthaS4^9| zXYYd&P`0bx!>U|dS0nCMb~fjhqxqq~6E_K8a_D~r9e=NrXQmWfQYpIzs3{$-+EbGQ zjVJGLVEvTz#-SO>!+OALC^G=3wDU_YZ}5kL`?>k4{JWsCGYeJOylT22JKZw zde(N2yktMBDCs3FsQN^SIRC(2zgpw@(nTQ?HmcryoYi?CNcA4;OQPpP76qDU^OW-D z1hClpjA+uy_>jO*M%CHJZKfFdc*0QAJT)zVAUefl0+Z%ArpN9S@A~BO{5tP$pk;ox zeVt=bHWqN=7j$}+@3igZ`LMpJxF$nHPw&Q8DFq`wW<|nqlEyO#eV}r}He^4lXm*Bj z@vr_0ZD`4WFKEPks zkqa_hsPE5u#JD=@A+w&8s!;KY#u5BShLs2~E2(Yi zZdWn%B)Mw6^Xkd>nR$1em*@u4JPEyKqv7M2jC)2p3*YS;XKO!*DCzz_p8fEs&w@gy zT~$I9SMxBVzXveW+nrgs8aFD$>6gD@>hj(+wby64y@-zMnu${7>}sB;&;MSXjU zELnY=m+SE@WG4SgpM^!6_Sijx?S_G4$>})`T=n&C?AD`iuK<52cF$o89%2~K>njmD zMC-xYM;9`fJmE`UC>W#3Kon@ed|N@)1n%3cMer7KT--9N+3>3_d0v8gtqa^geVrVV z)N#JbiWJh4_LtvCxxn`w7j9`1+O--ZwDy$UReVhyyoOSWJ%^_UpYMX)?V>=Mj4^fP z=$}tFYc?hbfWZ)s74@g>UnZm3t04eHGgHYb(-W<#1EqBvvOo89npvb7TkLx z^feb1gy|kk1qa)JM*UP0b{czd{u=ubfJrg#WGE=IL5KT;iAPAPMEu8kQFy>*5))P3 zO0T{8iP@ssVn6j@)7;tV(>|tsTkM z=2D!(Lv4)^2k%8dz2`%nk2xydV?4ac6$p3eVscdZxuwP%k%!g*A5T5T@!eEavXA$} zsjr=3tiu=}qPhS3UdY^DjKY*mX+E~qe2GUp*6``)BIqBNSEQo-AHeBj7dfz#FL5US z9(X`w%G};`GExSRYU3H+F0kVo#_*2Y3^;QLnYFB3N8JVt^jOXo+)A4`e(Nfu{brN* zdlCN8Z^ppc{kbDY)g_x~WdrWd^a8&pT7PocJA4q$+0-tcq7v!zY5wfvKn~0*bft&% z69OaHpGzm6Xj9+o(;B-HE{$d)m=SC0%Y8>mXV(b;RC8p_sLsEz1WM@g>7^#o0Hqa@ zQeLxtIBAi#foI!Qa7Iq8--b;TC~)eytZ4nrvxRh&LIOlrTIHI}n?rh#4zquS7VXVy z>XgN?F!o5lrzx;2Liw{;Ot0hm70U-KC4HzkXkv+@bJ@ z%_l7XCyA1AC!o2M!%js5n5~7r6M9|shk(d=_-mBsU;)-J5^i6)nz9_%{EU})Z)6w! zz)6GzHyFL}Z`E%4E6koS`fx&j$1(2(_3X@Uj+)|#jM4vSfH#f8Bb^rZU3a=a=~$C< zbk-UhYorb|JQhVraVGJHI8|tR_=GegS;t=vO*bK zke6bf@Ev`}Scy2pfY9I~gT3DEcy@CKkb|@3@%fF9gM*vZvw3f2CJMH6OCy(q%B&l6 zVz;+P<(to#%-8iQ-t0fPmg6o7Nty&zlrLo?0 zOn-kl6mC}_HnUg$U@|K8BybfN=+E^FRMli3sFC8$`#*-0Qv0xyW|voHmb0ooyXP2n zzaA&Hx)$qWp*)PbTpAk2eO75X(6BfDky%^I6c+zV+&iM9JBwTZsIo^fBVBnL`Z(r^ zCf8J!aAw_Bh3@{dO^E~VP>ZVPUmbWk5C9gq%AkK zI?gYStz$3x2{NFt(U5A9EnCw$B5PJm&QI#~Mhnp^)(y}gmX(*JRFdDe0xa!4XVxy3$a94LCWXZ?R{ zMPrjo?$+NIHL8*#2;>R)4}c2!YJWVA7*?^Bg+n^$uAH1~ zYBuG;(;j~NQP_1G>X=!GTdGfivYMyN3ACvz23dYdHF~=h=mQ<(q{RaG8>bOCY#Qkj z_BA*z!+APM(jdWKPOT2oWnV>zlB0!aufIF%VE5wG$$@*R&aSaC0#kL34Fr1D3lB}d zXEG%=S(Y!_7FPl)Gvb`EUfyr8198?d`cjIavGhhj}V`2TIxxrO)qs-*B>9WrBZQfaYy~fdUueG;6t*IV;1ks|nxv~Is-6Yrd z?vG85A-;jCpa!#0sO>1E)TgKm^3=EZE%H&nc?qtUiYAgzkPZRiy_b*s7P~E1daS5; z=2BCd&0ETTNZDH*=m>a*MOwJmu~;%v*0l!FF_mpL#yjJHJ&xY|8HOwnM}yF;&XFw=$|W@6auz$OxW!k&z_ur z!+lw_=vjqRN^VlYPIXbrWdV0UkT<|2AC@IGIw>tm$Y#7|KfbAZ5^D9LVV+atSvjV# zV-^48iTUE+Bi1{xvEdAQ z=7`)N3?oQ{;z<1be;~QJdHu1PZhI1;@A*DwhJIacsJAC+Aj#F>5Vc|>1T;l;^ZLzZ z_vzEzW{-CMiEiL}Ji5G=!6im;@easO>))VVK^UU2k3Q1<=IF8NEGjWH`#7s-R6xnD zbn!0cc%OgW6Sc#=xg(0Z#)ATcz{s@sBBKduMDsU*Aa%2A%9i<*VDsW`9 z6uYO(Evjh^5#Px9<9domS6X%YvG+_Wv4$!D*xFd9dr zfbR1`tMv&Y@I%HX?Nf%(3{EpE8@(+xSPWhcE8iPmb@l z2Y^JXPche(i=$%A+~a({@5e|<{Lbi#6O^|p($l-WYK0KWOpqGie};qKL2XpG{k(8L zdA0AQ`6Mv+mE&G|`==Jugh$TGmXBa1UJEig?r^xd?da`}_xr+Yfp3%S%cOta(ZAd# zf9-mA_gLRt(lIPsyTT@9WlVd>z$m_Y`|~oZW83PE(2LB5K8V2sjzj;Xbe$*Lhw7L% z%)nIKgw~e^3n;rdFyS(1@b7wuPY>#Ua#N#Zjadc&T8cV zj~cy%yTgW1si?*X&0v$>P<~P4zUrTfQV5EP`N8ApQ>Sjfe1|xIMw;qDio-WD+I3En zG)=6lsCBiCrp&~5(mpTKj~#m`kfA(j6c!&b5R1S@pbcBS%rL#0z&^5f7qqajD!!8;IC#Mza!KCI4v$7&j=%%`@vGCfk%edqcu%v^(=aPI>{Nc2* zsZ%c{XiYfe?(6`{9?AQmD`AR$1ZYM(ddM(t4XMRi(cVy)3wvb*Z5#&I6X_S{<{;#Ew z;KrRQ)weTz^BilRUrg=+M*7FW;^|mp#chxO_r^g0`Qb4Slhgk#&{`N*pav0OuWU@? z{PJuF?ZJ})-+w0D8;L#_W6Jk)$#u~oDM0XAeNka3Qxs(e{{Hx8Rz}OSgb#5*j^p`k zCS>}bxpC zxbkehnZA2(U0LC?oc43k(I=$8&${FwajNFkX2Mhqybr#GyVNym(+0d5%0O(neSWAD zM-=!s-+_J)KQRgK-1imm>?foGVD5|tuP*-vm$u9(CxJ^BU*e`F@Wt!f;i`+1$vOJ| zFYGhcCu5}5!y4Wq%iKCwQ$te7uhn)Hr)C(9aas3>JQ9m_u_O17uocDA`EPI~> zznoMtB<>V)LOWe?N}z?=7V?)lKoXbBQw$;X*$uRx$Zx`p443Y&i%41Rg#zf~ytDyc zX|8{sj~BtqKPlW2x6zL9gxj%hv3xzN1K*r`zrd9*G--%-m_SIm#f^6FUe;BcJ_ek^ zO`2dU*Q+eB7s*qOcuu}(`ReUx!9B30iHm-W5bp+lIg+J4aOjDZ0^Gzh zh4>$A9g9DAM&Tl;GVrkec{BNCH+ZEW$0iH&g!bpRK^%`+xwMZG)I)|?iD7TYaU$nx zx^w~qWkT`N-iFxg^G*VPS`(1*@Y!Z-Z*_LuVI%Cd`rp4^NKC7yUA6f2IECMb5w)F` zRHfEETL5(cIm=}hgp*k<=N0z`_*(JkX~hrAM2K`K|LmBYxGPinUL_Nn(Av+9V+D0c6}NWNZmWwUL{)FNHXpUU7H{$ zTk+`Kb4QVyt^vTEGn&sP)CKVIcBfyZSzPcYfRr}K$UJ$-^*sDdAv@|U^7esuuyYcD zrpD9*G+))@rmb(((C#AYdGwXt-5%M7HV3W3 zleT_u_`t3Ue{PO`&{j%437-`ORAENtdNiS)i8zCx1)~q|+?4nl`9IWs;u#@-JZ7U! z9iR1xkH9r6L6(38a0lv{_Odf{#^7(*ChtSa9hn* z@#B8$)rF_F5Vny9siK-^VK(S1=Iqdoft`|_t%aOS>BA+l&?N^QJ)4h1-ySaJK06kO z%b(_oVsIsZtgXHoiQZDvQwsSMNWJ3oEba2IfT^IRV#owN-dqKedx6glGeg4Z;yqxT!XWvn? zQi`@oBX%HANzDhc#cikEzjQ!(*-kcS!uP{{a`HEBHa3vLBB8v03id1UfPm~T&;9RI zMMX|V2kzP0e!wEww=O6kpo?nya*G6x`^zgmL9WvnY&JCABnm01feVaikI^9g3IFn= z)T9IIe+nwQoN-BxEwCSO8a;`(YCy&IU1 zeh*rZ^a`*C%75lEAI>PMs|}oC_%w6Y>Q1*o6DB3uc?j0T7b*A3eoxQ4?3ExEw&9@86W$du?71l2?F(*eYj^25aVUuN> zgE(8s$e1>)Ns zm2@4mS!BmQ;H@7G&~y{JB`{vR(Dg+IL46UvG6BK12Vj_2Z@2~BBesErUUQJ>dXmNK zD{*1e74_Ldgw*JC`*bzygeL+TooYV`iC5kFx1Qc5U!J!5W0fu65kQ=t7@E`Gid0vy z3&g~Z$ltW?3MGmIdk5~#7($&><(Gi&gj27EClt0)FthDgWwK+U^Vj97WGq8RJMQHB zZiDbHM%gt*YL}y;aitUTwG>suQRh-t((Q>d=l@1awOjT2^{~;wJ z(DW$ReblCVFQy$qx$8uAcOq_M;eJ?f1Tw$QEEPlwJ?ObAeWY-svLV}?;jmr~fTqTq zJNr7iNGo%tzR~gVI~(RKIwg6XiHZGZcW+YDQCX23lIOK-=F1at4MN5QAsNGz0;Efd zz|fN(oW}4kfO=`}XJm4@O(MqXaw#$gtzY%wqRed$Cld&_15_Ey%ICUlrKtjkG7AqO z5L-6Xy;lX{Ngkof;hlxvAVZN3PX8 zWmHrWn;rQkAPp%f)L5E9O-}H?h?i-4>OSs=&Z54+#CN2HY;k~BG&p;dTQB?6_l9d) z&WqZRuBEu7qL1%_^xb3f`WogbMMQK&b}vE3cRtNb8m1>qUSXfr$QpXnNgYQCEr}JM zv{TtkwTRXj7LV4T33Faw)oneYQ+?k0#%A*Ds65o4zc)ol=4Y?8*GBIldqKhQdk8NX znGhShY4p782{gwMk#~oPfZ+9S%)LXbD`6UnazX3v4udJ-FIz<>HMQ!dPF%t$DwQJO zg865vA66pN`g%IU)eHt@e0A6A+C~1hat~S8ht_rpArlaxnaRAj8!5)s?i5;VPXv^9 z8D;Y_ZLz!EG0P$QI!ljc5PG#UV1sVSM?*8dWbDN*U}ZnWLM8gHB#fo*9+MK~L{SED zqB(^)5U95AS!9B!L&CSq8`0;*F(;1Om*@%#wXI)8LN04WOMs$(PbwY_WybrbO4~s`8>uRUJ7s=GKh;d)NcFh14 z+dL!bDUo?a^*+qv5m%X7AWa4K(K`=%kk)vWCbO`AaZ| z&f>Lr#L5Twl!=ps4pea(MT^P8a+HvZHz^*8aT%u<3P6Nk!XXz>CyD!!0m_}3)hI6N z{%UFmx+yZT^ebH5TfnqPq>((lGrdog#eERK}Sk`(HF2 zC~ADz8D-4Y7DBiO4@#uicU8vfLM*Md`>rZ=b*Vb*hOl$cAjxT=H(gxZCPLZzoQ?IP zHBIspn#C17r&+HN5KwyEHO;kpYgp1HRA2lStG^imUv+f+($@MZzaD}+GXrO^^o^8% ze8X;njUA1yoG|sh^EHbK*3O;*f@yEruGXj|JY5m>^|8+g*P>VNL5kG4YKP}2I&<^g z*3booKSsFbSSYS(^|?kI?|3}2^D26roSaE(>St5aVG1dRXcWI?1xQuni*Nka>H(i< z%(LnqR<6{3YCbDXh`v{3dT7oL5mAnRWE)+^XPOOpOI9;$w$Jps++rn%qpno7TYGCD z{ZbdVl(ydjZmck0#-;U=l3@rR;T;eRLIYE<2e(@u^m2g!-Ba+PLMZ zz|_M;ttwdVkUy}@F8-7z7p6>CSU&y}^VvRJ*VJeIk#x0y$ZNs&lU)T^3@I`XA7~I` zqMQEVY_KcI7fxQ{F$)&>oVcIU9Fihb7wSw`}I-)m3)Mi&dAo~C5Nd($fzT;O1)-?CG)sa zFF@~;f^KVD>Da--Q$mB5(@h1OT+=48TiU@>G*TbfEyGg^Z7f~^5+T2!Ls)MTN(i?=gY1gRWDf@S&$28_ zyA*}w1A3V!wMDC}J`R-X$=|jeE1Kuspf^>COz@e=?xOb7#dV>1Gn@4+lK5;=)cO<$ z)O18(z5RN9{B3S1z5}AMkH46c<-4#aZpJZzl)JU74vuijJ&;D3oxC$|a{}LRj!| z%hhXwTKSH{+GJajOy}QA6JR@g^jLHsxuqk)`m^wk<5S6(=@y&*{j}6V4?4$_1@sXI zMoV^V>OW)QUN&pjV`$oqG_`Z)(QE+KbF6?MF#%p|oC+?vZR|+)5gdmrlHce%$j}){ z3Mm;)7*O9;dw<(ql>ZHesa1?M7Hsv+LRmrMwPkX}b{?!PKH&?I)(kuIN{^P;N8jo@ zck&DL^uDOqx}!I})sTrQ-By#?cIGnA-H@8SG&GOFFw*Un;yfolex9zXcauh0Mjvc1 zKU@p2l|H6Z8}xRt9+5FkB()uaEOEf=o2pJ<^$v|ckEsL(`sC};O^f(qH5b_e0AfsM2c8u}-sdkv|yCMt<@+2at0bZ*oc+A#}$Kzhxg8w?=)}-IvhIW~ctf zzu#r!nkj+~3vt88z+$MZXHz$pK6a_RSsM*mgUsX!g_B~7&Z1)I3VXT5S}nVC zYE}IUPX`Cp#dA{k_xlKKe4XU1NpF1Yg-0e!M*DUH$$; z>n5a?fbT((F)pnwrO(4}lc6E`XTS-Tz>+7tgqe)H^W@?_HD z-QRPXqWL%!wC0WDr7W}A3)aG|bl$|P4Q-4X8?eGk^9PD5PpVabbBiM=UclHWi&M5% zevim?fPSiYM-D1IFi;9}JH8evs;-sut==3WOq&s@=W@8Kx7_^_Po&tZ=~be3Fg>wh zY!xRH6D>H2SLTW#(~eh*ksei8Hxk{@G_B9vR{abO%zo3C7K&lq%2v+*ndx!3{!Qr6 zKA7SXu)YK-p$X_ZA&YC_791yYEcLr>ELxsw3i%r|Ixh|DF4I6l_cXF^Q@6&He6%(4 zJG5o?AWQop@b=?`(!jwnU-YsGlsB_Lt8DwLs0@?!3EBQrq?}j4600Pvi%H7HpdaVH zM01d!=I3SV;*l+9Nwnd#f1EogtlQJEz_euSo$U-8CS{-L znZz;dlNEy?>chsnFmfc30CQ6!_kk_K>F$WVp`lX4o@tG2K zi<|(@^yFL**p=Vg$i0b7e`M)yJ+^B=wIIO;+{q`6OomPmz6Y`UnAouUJhG1GX6JGm z$$>wI#v%$&so5M40=r(7bC&*xt#m!Bi~7U4zPN4uMXKg5x$OyK~q% z*!17@C5Fi8?R}oSF#!S&V*cyypx#O1(S6k3BqO2XcL>zkTO5X#Rp<=TKW@5Sc#0T1 zI1#f@%7(%>1u{9cY)6MuvL-Z6MtQwT=D6xtL9bTv9)~9gg#zkVtR}+R=@|a@C8gv1 zH>vXLVOy&cHBL>oN|ZFvyw{nhNKZ|)%yE7;ezTUwBlbpG1=Q}V0Iz^gxq5L!t=3Xd z5QpbHzmeaFK+UdXPtaB-nR~3mh3J9ua%f0U2p`#qVV=-g|3uR2W0>c$xdXdHDq=pj zS4%lmyzn&UDgL3kG+jla^f=@Ps&6^t?AR~xawt)PXOvNIwESH?7Xg=OMAulunyo&l z5@!8TCypZTfo;KZ?<<;;Zo23j&Iw(IQ$TB&vH2L92;A~|A}LNo=Tp< z?AH1qp=rE>y{cL=X$;S+{biHFjdRmd2?Y+ePepY#pS3_duyi$E>q49es z4FRD{9h#FASAGb{BOc0EC-z04?PZ3XrG_Ev^A6N5>yY8oA`>sJM7M?FY5BS=%imzW$(&i{vm#@$(u5%lB_@p`f4Wg>BJ%y~P6<3QY=)T{Kg=414o7VC) zJCp5|<}aBdDjo-5&}$PPArqQ@Z`88YASwgnn%s{oPMpf~6&dRGbBukC0oVDbD#zX= z-8^33icZJNA2eLZUxX2X;k{*Dc`1p{=)O2F&pD=&0&}-WNGo7KWWhvvttm{uq9|iU zyrBtHP?_LGOoS!%r_SivWV%Le-u(l`T1|DD*~>n0RAh{A=kVHv$LLq*zw8ZXS~9G7 z#)m6R24J&Mh*->{+Xv6W{-9~%BmT9kAf%{sRpupz@Y!LOTF~uyl%vRxg1b_=`=251 zMI$uDluNnbGX;l2uA%pDer-OB4ptJg-aAAaEP@!VzwIkD3@O?XMn+QU2~`U;+#`i^^466 zU1L!k4iI^@C#IXW1XVyTD%fSgM?_z{KFnamUDy98c7>Jt_F+L`_qVTw!D{NmeV1dB z$}M*AWRXwwt=USA1XdXA3Ux;M!n_v5_XDBNvU8nXfW&4;zdux9Kc;7eyC8t+BFjr`ZLmW_-O$)9vxcLpO-NmYT#}){V|JPN#R;f7Dp@PpxJ4C z|5;dwmU@HelU3fVZLYGb9ju*1U}?99Hd{VY287ttxPW(WLG5E$l?q@Ww{%}Yy%Y*yx8d_n-S*C?iR2(cED z=gS<%J*~Y(lgI))7{?D$(8%2<@Bu|`5 zNi{b(V6ji8e->QJFDx8cPazKra<$d0`8FRV!16%xteIB6FQtG=&xz0;I#46fiV8fK zi=>Xb3w?bq7xv|8&g3VSYtk$m0oHs1Y@?hr75R{Nm7t!~VJFoa;mn}vRkJV}nqtR= zN4Gvx7qanLSQ%!ePGXmBdS_VZVC1(hPKoLp&jDhoq5mR4YdM7XvBarN=ulSvaCFpD zLkRbPcOnQ0B0HJX^bpoGjarC_mXHZndq7An_#%^4d9)|^l`}1LEOsPO%bX&NhFUcG zDT~@J8VHyu zyd@_;oL6NQ#z2=n@H;rLEysGVoG6COG#W^#!d_gZ)|cNLBl^W<;R@P{X^2lE^98&I$gJ052fP#Zn;2G`d$^-bnB$KZ*8IcRgG zEmOt(4EyvCZs-}h_cH)mMmD0C`y+szn2095<8Hm=C6GAs z;eK-JqR4rAARml$xLm`Vq+0%UvZ$_;oSNxyOk{jcOP*XSYnb{;3oQxunqB05*WGAJ z;whNgHkEnx**hZ(*J1CJJTT5;tAp!fjo`PD+qNpXOU%l$nrdMxXn5t$g)LB&2K%gc%(GT zH9J(W%R~EV7UHdp3bJ5g?aP6U&a1Nlh3R;>oO&~cWh%u3I{1cz&#u9{^twOAdMUe~fUfRY)23SL}zqV!p`BXvt_p*<90?1Sw4BB#K< zU>4ZhrD^usdssvWZ0V?3M+IbL#N0{DQ)BBZv(%7&KU#-P$5h3Y8f<9Rt@w+6l4X~W zQ0wdr{t|IZ%iAbe!tk)60$CHo5)}C8vA7nGEQyuJpkMX;HJ=Oclu#|x5wN>0-QI4k zIrJ#(OUTepxEHz$tg>wjb>TovUdluFf_5Tw+Ny4aF^K60r^8Ru($q5Nn^Bilv-{ed z(fMntx|#*|WWv3!H3Z%Y$E-v2=aJ3DUm$`K271*cQT^UG&OiTeg< z!s@3X?>YGGL)%`u=Xq^EM!O)`#wPNH>TkGm@-{t!hH1JYecYMV+KxVx?oa$y@m!h>xs z1I-B-f%z;0k(!Tl#y!)AWK`r?qx$=PhW&dzU!zmQ;rTf&R3udQfpA#SX3R1{5LmkU z)abIc#>iSdjnH=j;{LsS8W*Ads~XKeDv;o>8nYuaT}{_ho?1lE_ih{Hk;w^T2T|ko1*cE^Kw#8EUX1S5X6e^RKMpz6o4S z3Xkwnz@whfu_@o&+XBDTfGlGi+Vm#yKc~e%${+U)_^ELJuOa)p^p_YL0pBl*@WiiX z{P%BN%KM|{@Beph{;Cqj4ge;Hzly&`*uQUxM9JvSNfRFVZ*HgOm!HYDN$cMgj_gZ) z$=2AzXu*Bw+KW6TtFw6>Kjo?KLcU0GP3nNh=>hEr0qtxkk`h|`#-VTo*ryQGwfepS zE=LeEygcBQTsN|TZqQ)m0@TI)&ST5Lwg4h3y%eYQAgq&;W z8?(Z}q)qXJDKJ6)3*KARD+OEV%31qgQ0Cxda*=|xLBHhnd(_zQ#6ACYOOL;RA3^bd z0AT;B%HO50)U@5p_0Klu%oZA$fDZbE{*?}RE{V@}yoCOrz<~IVHDCGXHJ|<0ec%3P zF!;Z#9er?ZUX;JX;2)j;QTfOJzrpgqd@rD#fBh1w!+*B*cLezFos9oWU!wOH zA{GBLB9+@t@B)a`=Wyx$*_YsmSVo^J@#_S0Ti>epLwT2;E)^PQV?!?xZLTn=;Y=Jb z2<`X#gGl}YUu8qtb~Umcr%6 zV6o}x4B~BDWO#2Y@RV@nU4O587hrfLgjVFmn9mkS>AT;LI51rof# zW&g^z5yB>zf}3pce88I6gGgI`uAC{~IY+z6^{O7_^VnuiJeh&0c?F zCjTp#D5atEXNSrHe`$!{?ShH{Wlr<|7^DAl?Oa%Nh&T9?-KVj1OH80H*vfa`&n?!m zw$2|x0FVI?J4ZsAp94u8mY|*^QecG}jhr!^QE~KI(z%UPacAx_T{%1aKUf^7j7Er>IXk&jVn%6;3Xx$K@AKv?A+>~1Jjih zc=^=jR?2+TIPPV2!Yg&%#D!pR%{u9v0@Y^%Gx4($p>k@Kq;{xdra_i1-%wA~t z*k&m(w#Hp??6iwE7Bl5g`EL+G;NK)_a77irc>#0(Smww8s0FrCeIo8XdYy=0l>g#B zD-H09Kz+l%G*Mbfdei*raP?2t+t}ImivcA${Pyh6mHb;b{wlw!8bwydOHIWu#&l5} z%l=>uD>Q!&AU&Alk2?gp)c>yU6xPBW`nLI8z7l|j|J@7^m|kI_TOnVbn~Qd}zX=Pu^^ zu!GI6JRJz)etRxjx7;f70&vHSy_FPVIZN9wAgCRH*?v9Llmh~_e(`-~{uf)nZqpQS zOKaKY^GgE^$I&MmfY_GY2m+x40m)y^DRpe|KrYX&hQT+^^Xwo zUpM>vFWU?LCms~eb#-@NRn>ssM#iP^q+-Igz0v8I3iwL12jnZj{Zvo!ZEG6N(0O+sN-1tiN z-i}$8tO<9q17B4a?sHCtF3`I zCQONw?LZEBnm^mJz3>j))~3ngXGs(}6P1z$D*c_Bs&*-7yB}D~GbYZ4MS6HZ=@Py; z;sn0O(vc4^atoAJ5~>C8;&WxNVM4J+Db_?U zT(Fnwe%1#X;{hxfeh^JdLEx`px!4h@jct5?IR3t47aPH{LZnowUCl#4)}_>(<$P zB2zp!jA@gP*@kX7-4bp?6*%~qHi+}LY%UB!=QK3r0&;w}EKf%2iEi9V2=s79972r! zj_p=fEKMrfy_SD-mlXR!y8H$C4^lw@u#>*RekX8iXgF&mrd|M9pbAi~-3neODK>6+ zC5B<8RJf#&aXPoeiI`o1Ei5g*^YtA5y9Wkj$rZ>)qtY+9LcytUlf9v4N|!m}(X#8*Qj~;k_w{o#N23n&9a3BT&9A z``x~7cfaOf2)fC$a(&+e<+Win+P*1CZ;}g$ME_nI^#-mY7KSCq9E$t3(*%$?d)X#q z_5H-iXwPzTiGxu4{@{urYj@oAuDSTx9x=5k$w;xMoQcodWbs8_1rsnvt+&D*oalav zHuYLH-yo6tT{`u=lTSZ-3!*hFOh4{Pin7-T z?AtdZucM#1k!f2*!C(lL<4Fgj$|Ei=6ty1~wRAFjj?W*7fL&3#e2Ku(osk;={pn{Z zw+R|2B2H-m9oOudRls>D$us<^%FO6POU2K~DrFTE=Ih>Olb?wFKr`Z`3`m~>MvH-S z6B~RVkKOW0`MzJ`=M640x&n$4JUi9Lk9m(iBS}4vck0O!!C_Bl$xhm~lku#Z-((Mi ziu=|fYL#anSY7)g;xG(8>%3d`_=Yj(|O+fAm!K@ zLRH`Uc(T{+Fy*U^zm|@DzepsA{nHz{n$PoATu}tu4#H&f1x$6#a5w>*zPc! z1|S^7EuJyBu0jz)1MGTsT;Op*J$6`*T*xR)u?ZlB2nHVz$nVv$_jJO%N{?Xd$Ngp> zW)C_(I}mkQ9IR*g+@*%7p!ZmRkBB=!MM(^tF6lSmE6eU^SR^4nNl)NEY=*=1Lh|#= zf|4HBZi0N5IA%+N`iw2Oa<+O1H24OP^`7{%02S|k@0=%NSipoEezp^&gF7Wx@!R=u zUUAu}J|0u|Wb3;4DRQ9(zqh&d`filTS6U~k1blq^A@saPX#qV5Z0c{BEw89x;!-Vb z&d}|h{VLegD}=+FVyR=p*qJozOw?r~#Rr2xV2}@6$4jYh{Y&_`4O-aN*!k({bFPFf zavu=yD7Q1PP&L^83j*is2WayfJMYE2eAqe}Og#*;q#s%7Jw4<%Q}31alKqzQE(L&^ zYHr2-Fd%`4AHYzQJ%}U(;>Xf5oeOLha~nLGZ_cJ9vJgw`?B}&=%6ZtVq@bRm*eNX zZP%4-J0pv(E~2dCtGkY*MeRe|V>S%Q@;3!g&a>QggeQr1q+VO`TcA$}T?Gl87Jh_& zokKB-+)rw9*=ORSK7qGml1V!6SuPXFQbY!TdMd0Nn<5{wo!nrC-)8)e(>q&Y+; z*rE;*l4GY=ZQjBiaB%yRGljnQXNLHyvmIug9n<8|vm+V&<`tX9f&E@%hlka4ndIwH zsRjiT3mRTe`K=|@b0Kyd2Pdh<17Cb+;>rsu-xqg|yu(%|P6A< JJM)-1$N#-{jZ z&TgwH?L;6BseI4xQz!`ba4hB9ihJz*v8o*}`*A=Taa(_If2E?c65^N$>15 z8|Us?uT|S+>3Udh?C=}EHVFGE?x0e#E~l`;)(|QfP2;tN>l1_vX+j(qY`m6)yIqQn zMvvX!H8>*O{a6Pp%xQYqW#5XHXxC%!lBiS8hPGjEt-!#QEZz;w;kUcYca1cv*TY zkQ%N-ZUW)OXZu^IWgGyOGum#R=7y$|^I6KsFOIq z!Z}LeU|hh1A?{cQOJ<#)rp}CQ02J=Mh{SG{pBvP7c112*umNPqP~54bB^SOtyJK!7 zDcBelGiU18lmYmb!T zPEA~TLD0Ciq?NKIH+Z_yP++s%t6m1nhtVrb6PtCKcp0C&xP2Mafn;NSpZCXzv?nSH zs{o>5&J`uUnSD>6Qti5f0PW=!s3BVd|B6MW&A|QYm6XE%^F>SjXnRR0+E)Fr&rN@K zix*uGo6xlnU%8qBeSA6tt?_mKUV0`)bwLfG$0sKa3`pAz>V7|R+&ZCeRkpHPlqDN> zG7;`rwyzKI9aA`I69U^UQb{D7ruiM#AM-W?q1V7w{UVc531NtVZ$93Qs4DJ_-EAO> zS5X``kps>M&etyDRE1M(Rb(Gs1zCy1lESG~@&9Iba!bbA#s&^}RL+4PUdoI4lDccH z6uj?oJNz@U166Eg6zJmk`;v{xpro;9(;4T8ptlc$1u4c8NLe*{WHtvcCTle)geaieeM4BLW7HfD!F)ilIXHx| z%NjwhQ85+_p4~kY-Rm-#d_(M6v9nxkrCn!K1@Y05#G$F(g09tqD>V`O5neV?;sZg) zu>%eVC~l+d%`7XC03(i-MTR?&&sjGUN_Rwi!yaqR+{gx1o-ao->UiJ}s8HUAfF`*X zuN{Rzym)v|z%6a)lz0iD`YcEc>KGzv$RvkMCqO zfT!I}V2qZl!o8oZ_@4>zp~5M4ir zATvn5Vl<64Pj=s?D>m>uO0D7NQ@i`19;4;>T_!v}TYiwZkl>ZSf=37PusmYxuqw=eE@$b^VD0 zHq6uqi~Hlhh&A*=cn0zds-w@9j}uacHsnITC(<9ugsW7AmnDtg;S) zN~9|#3g$JOrQvn9t1dH~FG$)CWw(hSybfzET?bN+aeMnhtMeh;IjZ6e?IJ{K%PT9_@Yq=`<-S|eGBra4diZ5wzGwTkgc1Tu-=DOeR8{$f9E4tA`gO4s+G4Y7nTlmZl33tB0D`zi-V8J%Ao!E==`WybkXpFT?3qvJN! z@7ZEob;_OT7Aa>!c(YgUr})0!?~eiwf>U&ok|qV`9X>9_|w&fT^g?c^ITr|ZRE0NEw>}I@D0pun)$G3@lO;*L?tvs?JP)YyatGFq7Iji zH-?p;`LW#DAdfR?Lx!6;4M@CUm&h%X?89&t9r!%K?`+*`X~p|&bLU;WpaS-E$6l$l zELJe4_%y!(GjQL_1+8sr)LYkTIO`%Sn~UO;d;YvhyK<=n>tJ--lX*$Xt}_8`FYu7% z5q4(9ZLAg5#KhVXYVWt$ov_$Yg<;W(BZJn>JYuRw-;o{dJvmcpnAZAWejdQTHY{Wn z%11bqxo5si^Q_|Q&938*sO`bGy^7oRec3+y3JtOW24(P7T>mOY1Vd9J2*b4Q8D&ER z2?J39(LSxsUh4)|_KQZwTKQ3`b|7@}u zG65qpa1UO+t|$`1%)WzuS)@2T;!j9dZeH)cB_A5%qHT>dAx^l$lk1k+ZurSNEXI^}jg3J!X3h-XiHdx9A3x`9KkIKyIJ^6NND zb~pwIp)y*Is?$`#Pu&)AQyl2I)NKyzoL#@WKF>%_6|!#cihH`eQtVK%&3Qe?%BR?7 z5)TS4>qrkVY;+t5qMzN`igie)ht%h(c*W zJ!WC^3c=jL6PqU-h7d^!ugoIE63h!Yo*dR_cnt|l_`)8Sr`#B^-Z($(8&-LG!TXc2 z!67l`k_?5$SewFCm-n_$ik|CimAGJcG?i%4n}?ID+#5N17&rSRb^KUmD&>$iQ!c7{ zU}D|c`~BWiBdIF{K4q`Vj5sPHi;8x1H{7CP>sG$t6;${5q3uGZrZrpr^at5x&kXho zE3GSh>vih)9*7@6$yOBYaxK5`Nf2nAd%Zj#pC`Zb_S$rPp5)WxJPEMp7hiwk0IFxl z{sw7Q-r1uP*lQ@~VfaZuZVOp&a{ArA22FFaQL#0o`1<56$_>AJStx+i>M;!VYKfsP zM^a*!SbXmaKmhT(QY)nFxa3i^D@y&Q`se}8rXR`U`212M$ueD<^Z5 zoX*-tkOGUO(^<{wpULw^9G_3rlI%R{I^13ms%QHB>Tg^JGf@6ZWM5}AUtX2IOV$!V z|1)n6IwzugwyM^0`C-~;f70x{OV>E_G;bQo{~k^7z*WxblFy2tyE|-Rlcn}S^vCTW zo8tJMtsdo6)RGW(KkwH1n3~tq-5gFQXqH~uPXel;iK#v9xCX}5$de)#=XtZKx}STx z{o#A#uWeAo>yJqeHrY&LYqV5}tsjs)9UBKSAlrg<+CH)>3&~F4%#gYLa#3&lem6^c z85j}Wlv#gOvFKU#W&4ev2WqdHj}_mdJ}5m8%*sM-M7g=Lv=l|Jok&ez0S*;u5|bUx zA7*2ianpX^y4BQbBya(;R(xtPvNMtG)HQZEG;EO=g^3Vnmr4bz(pTghkK=v@Ystbs z$we7+D}YvfEa5Fjz8uV_`;izw3C)=!-qQT0GYJVd(O zzZ#=AC2!f7z>T5BW9>K0xae!sm!(XZ##`?jHmAXJ3SV|I4y-sWd7^7IRoCb%zaKSFG zGVzC0^^#xLG{7bF8s?4~-rrfrZ2Z2e)uZ2}ywF!T*J16n)S&3zoWPhalkCO&S7$ekNoZ7#&YpVIx2x!tES7^4zewI&Td2Ghkti#Eb*UVDe{hz= z=allEcNe-gH;AQQ2`<^~^E=6S^Hb)AwlT|$*ZFS!HoPYb)x5qI^DD_~QMp}t&rw<0 z3E;*n1ZM2}vtNN2UvbZi>p1oqhj?Di$E}ZIx7WkZDNzVTivpf2D8ruu)k}|#e>9wh z`L)zYjBPSX%_PPj)ErGPQ8`DTS`e)pHV2c(?`)j#*bt%9HUfewW5N|!$Z^Z71M=DG zz=fh0Peqs?9TJ+nLT*n?_BqleLzx{eTW9j^V>lDvHl6@4*p zxTFdB!7?(QKK=Ol1(Gbp)Zyrq&C}vzV<+(&Utc8!JCUY^OqT1_O}DQ&4sPkc2!U7N zPAQ_fcK!wAO&`A1&&` zk}emAu$bd+Mze+MzP6E8V=aZ|lXv1NGYZD#Y9{e1_n_{2QK$y><*cI z?z#7W6EdbvJXKCNRalH_k}?a1(w4$qW=FX7M#j?UuVjCK?k!ylKC%CP>)bh8R`m2c zC+uyo09O!yXECqrFd!|U!N-5QGxF>g_j?I-khi9_RxVkXQwtjnptXn zJ%5XZC~5p=o-4$?Vbzird2dVq_7u;?kvCrLxWz8DPwiNOYTmBiTeMW2MZzYm7P&yX zVCX&;5i7!6Ab+ElVJzX3H28Q)7RP-9{35U6g|8@A;mdfn>Cgwr(0dYYgiIf)tzHZ4 zgE*y=Q?be|9fY+)@x<+hD=TTgTVCTa=u7(6d_wz`(WB&Q^=livr21X@Q82nd7%O}$ZPsf*M$V=4*X zi%*@(c5^$8^%H9MY|1oLmq->D?vCPO%8a-Dj5t;G6AtLPGE?n1wY-ksg&B)Y)pKqi zS*3^10yZjRBc~qUC}#H_=2kQp+58X8*?pOo%LiKGoi}ueAwAAzHTfP4Evf@CRJiuGmz5+rz95LRq`@WgVzV0kN-2OcNTSU?ovG zs}H-bU^QaTd-Q>1apvo7-f@6*oX)(Ur`&=DZiJrWAXA*P9Tgo1Z%Dd2tT~uR_qWth zU&*Kyf@F=Ou&h(TKfUr%cZZZ}kP5dbT8gQ-9XJokBqkneSX5oxf5HALWYQf$GN>^7 zH8@fIHmt>9*i~?3zLx52bSOi99{hT9axObwNb>3-2+bZ?%#h=UbFH(5oy*&Y_>?tr zp^eHum6v(befvas-@QMIMPC8747$Yqbp1&9l$cb(pH(q~72pR4b{byFD7tay9yTX8X|$W>;Z0 zn%O?avwKWgqMiv8)crk}4Mn9Y698it6k;Ib>Bjm|NGd!`>b<1zO!_#P^T-Fzq$itC z&oC;1AAP6iJ$a_lTvmxySZYSVxpM2-ex@`Tu-Z%rp_L3VX#v@22}2SFza#LaKvfOG z)b(=Sgy)S1iOx_+K&z|t$g9_)R^Rh8612n>I;ejl znz$lXFQx5ux-xo5FKPZWc=o1(Q0$qp-^*LxS#V8(^9Sa>m1knpw_GaCqV`!pXshl1IRTx;4)0+p0*k&o}CFp7ilrKG^ z8fo_GT@nt~7d4(KHK0&9O>V4l72IT15p+GM-Jt=twq9c7YuQJ!x%NYKWeevF_c9)u zrLXO4sJgJN*gibo_PmGO3d|ajwmkb7Mq)NeaXL z2m9?JMZ=6HV4Y=$&!q_PN;JE;Wmi;h$g6Oda2w}68$V^XG5gnhmyHbjFHO5b6lTNS zwN^iJm0@W3p8TGEjP4noNK)Ttj#wWY7U%fNLgs42>}06_)@>$N8xnWEP03$=?J zTv`P;TkXFyr;gA5lnGB{rZGitM^;0-uPhjUB~KSA9Il-@Y{m->(UN61Gj{UH#Q(&O z+`9Kn3!oy2KY3T1Quf+bewJ~Kc9UE!YS~ddo=20qhcop~GDL-iXuQ%X)?=e)l8~gF**+)4&vF53Whxs-}0;M&XescO>=Y!a~ zA8uU9q@z|8rr^AWf_h(d`wA(lSm5p`5-{fgLo3|? z2hrz0rnj&17Oc?k#*p@>P0Oo#!yW1h9Et3%lR+QDH~oTMTWc}%yo|a72e_l|7g6Qq zZC5+aPPMw4@)BHqu%s25)g9r{ZPqg!+}lf%{C&?Ua-8%7^P?8ak=O$*{Tieb5jEO4 zwkwX<-1mXrT186NNE8Nmg6AHZZ*J>r7F)~oCC^w9?Y*O#YPI@3UYmd=ytm^IO;Lp z9f*xSX@U8Wx$$4Uhd{FmwL{MU6I3)Z*MGEcBjr>Pk`Obxcx4M0Z_e6zA2%#YO06Is zsG+Az!qL(}kxP~%>qnGD63Qy!i^~N7^oz0f2~k!-_xARejKs`)9da&=f;7%&C4-Kh zLJLzfZzC5e>50DAxNU-H>S1P0b!*3+#}erRfQN2 zkfd@{y!W9!{xN=~`+TXMxV{oxm2B{Z@c>!1{@s9 z;(sFCCxp^S`?7u(ZcCVfHIJ^AYgQY*^_HQtZK>z#PY!u)euw{6>R;R|aQFug_K|JL z_~e*aiKvV5XJ$SZWEWtdg?#jO8JWWLJwg+l61Kh?c(n1vT{UDADbZuKdkf?3?MIqv zMgiYstzs3^qx~D~Nx2688(bL`37o>PYUoQ0~R^!F=kMPlKol$Nn;V&X7+3PD2@3h$L2b|W%p zDXsI2-fC0aNh!cjQ)!Oy@p=bf60~I$dofQ_Pts}AcL$#tD(bUAQMVcCcTp+18+_o~ zW-0lpiP+zlEz*ta_xLmu46lpUhiS|bv7<8HW`vl1B$b+E*rVCV;Vm~9zaIaeY7vMMD)8|C@ynNCz0w>Z@g2%c^#nl8nSL^2}*ol{wa>UbU1D z18EZt@6H4Tuy?t}f=#SJ=odRP?7cgAWMsxt-{FlO(h6}R=24F`lApUCMppMz?N28U z+!l}#aUp-@aCHqFnUxIiW5)o|Va=Pjx|Y}K`vc)8FMp$Z{fRMB z!NXKgin7KpXd6Fbc83#@O6moVW=*Psr5t;ambE4uK&8Xt@ zKt>blO6Z5J*+4dJ)&HzRtetl(r7F?ZMy{W!yP&(PT1hW3f7@EY(Xk4(o*%no7cPQ=9WkeDGh{-H&pM3C9=`wQCQ zy%kySjxvPYT{SlM_wtd~V))#DbVQub0CDKGfRx^aX6gs6XeG1y<>IpqLu62(zhT4c zCJE|Kmcx7E$+|k*v`vk|P9~tiU25&mmse}SeEVG96M=TxPtD$m>TmFIBu) ziYt(`VGwmI+S2)m`vBkVxV;}9(*{~lj>(KzG-iMCaaNO*=fvqZ3sPbk6+23O<^Q{k zH_&pg9HPqYpeIc39D6vSaq;eB2^t^Uh}h#||Jv1NAoS20j$L<$POxDWxj&_+brr*Y zG|mT;qJQ?Z>Djfo;n3oJxV@&wyN9hlbMykS&khP4G8wZxWX7FVod=UC>-@0(KrUle zjfgCfA#L{xJZ^E%plaLIt(qrX+MF(H=xr2xUi5|Gk-S+03+qsQ_yw}}mLJ_)i7boV zp*IrZ_);*K1{C;AdqvT0NfLh}fjxy7F5YU~8Q`1ZD#yQ~xGHK_r}>p?sxvKd>wbPV zRAUQDJTrgnKelhM-n}Sf6(W6;?7c&wwv3(CT^@^2cM`XhP#GBja*@;q0nl)%({mjx6)tt=X4a z=vQwh|FXwzQ%rs^d|+Wp&#ko-HMeKU7WH9>3O zac8ylHdz_;qyw-}o7LJ2@>Zvu&5a0)a6@;%6P{KXx)$VpA4OzEnm+0;dDQT z-W-AGPc^Tht~DB(vqgMI+^~bHJlgs+?Q2(YlVOYHeWVNzVP}qa>F9zu@rufK&quRN z+VweK(kpcIPJt|@Q0;HS6Hk090qfnRR8%MDcRYSDwomsQcT>drXs?uiex;vvI(T-% za}LvzUr9{CSZPWQ31|A{>&fB7MwKrWx^xoDh$-^Q)d*|6TXcn=UQu;}42G_R-{hKF zf`Ik;{hVmLY#8Mhd*#j=_yUu}ICqN1LpHJJYq5+#G0&Dgw&STbDD5s=?Rtel zjnV05M#Cme_yF>F_t-Rl5ifaD;uCA&cdr{Zh33D%?R z^}(GC9}vDYtX_drqCCjbrf&P?n=x+w?(%;cEH&$|db{qbihfs+&`^DDZqCxN00eIa zn9jzaN5l3}FngQEB(@)NMymCYy*&U<9hhHMYm1C(Zra`O^awKRrlP^-{ z#NS$z(NR{xMn-&CTn49127ZW$0j28OX-6vQ^FmQBg@u;p&CraP9-u;U9ND7hqxSoX zMD6I{k>bAFYGFo*VF#y$=?=Tj!Q`dKTt^B6J@e~IzAYfmK`w6y`IxxzIyC{Ae$$=B zvy^;blR^~T7A^Je_<`2Jo#$RY!k;vR;RkkOr{#JiJJRZc(_}!Xu+|h3Wn}+B)5N=2 z)-^YrEt@$b#A%%QAzCKj_&MP zNm`9d_LqAi+C`6J;vPA;b9uk&OArVj$VJ&GC7wUZ<0C#3{I+~;{B7%TJfR>m?VBli z@Qxfk-m1lM#!hV^6-NZ``_khN|AJD;0(sl6!KTr`m(-x9*pxhf`ICbV_a7pmj}q9; z1j);14ckCM%AgDhtyeO0>Gyfa7N%}&aqXa=!d(6&iNZ%|rkJXe^Z>rUlg+EN<8om{ z0*Jeq&x7-4Umf{eNdAY``}@}dh%&D-hvqjOYXx3Jiq(Jv?Itt~lfBMZWgUNRdk&fu zFazc(PQLC^Tz!~$YZ0urrhJ0}g!h$PLuM}7^z*M5vOW35EX=)GQQOft8($X;0@ebpR?eFOZDK`^VQ-9_(g8AgG@Jt5UdG_xzAg?L9 zpt%Zr|E>s4yR1H+fv*bIIeciQ&OlykY<~4HSqDkd-hB2v47bZgX^bDcH+f{k!22zz zS>3z!b_q}@F@3M&rQ!wQaSrvc$cL}zJN@GO9wFDKosN?^3{TmKUs_gH5f@MH^>2u~ zI8r|pktFm6bBFcW>sK%tT~77!UcI`X&O&U+otk#<7^TeCDA`pJ^q4?&l#(1&@3`Y6 z-&;V4&x}p`N3l3(mJOw0n}=CX;*T_O`$ClLrNU1dmvjs%ro>f#vUW-$mNd>lx&V52 z=85mX;vX9{nOFauy1SbTq(vWYK`ixogI-@GyWe^TURFd5m9$P%HP~7f|4^&)aNzKo zN~Nwd-;nX~zLuNDjna3p3A4CLl^*}rOY?Ps?L%f5-+3l0BgK@57vLaxLEW+p{B~35 z;EQTffAh$v={BAcF~K`YU55*QFqEN+{BwBw*k)vQgkNy6p%2*ZQbsgB1v z?T{u4pf#vKCn?-;8Z~KgfD$(=oVmG2X9lTe4zeI4n|Y!d#Wt!K2>C3*>A-a}QP8wg zoX{^F6*s%Y`$y?&T`s;o0%$MBHx;Ln!HUT~O>(Y+XWrgEo0VnL=A1w}kxmoMl7BfxZFyF*h%p zCMo+)1o+ssCp${Rvd;MsS+ z+dCU-{Gi$cznHhjtW-dJ<#u=j$9I5UeGP5`cj(_)ZoeX?))|CX-SMQ_QCYM` z%^$S|jkYdjK(uJNej9aJjr4W_b-Qf%a)h{5e^4)m`)_h=t;d0ktSZzQUS1lQ^@r3c zI3PU+a2|~1BpPT6HqrUR57rt1Gg=utnb=&6l}@x@vNTj%{V8o74@2Z80~9_dJVIy~ zPA0urCYe4M(`sj2m0a|vx-VbO6&M~1`R!s9YXhC^YM0<7AIUWpgQANKsiWOhgHOmx zt*Eg@mU2=U*VB@1pF{fT*a^A90IPz!(TwXM918ETUO3C4c|Dg6vaLu;@NJADf`T&k z#4L|Z=?P}WPEYvw)roa8=}AoyAx;btM0_Fe#dTQYb?BPAOa0HaV~ggYlt%AhL%vCd zw0kXly7E(n-g?fZRPaJ0@y%aytd$V$*d)sGhf|0|ry6a$RkOF4$QR5WP+^G|Kb%z- z)pJf<{gz4F)~*RpIeFK<;E1d*OCuqhozCi+vAO>47!T$%qoaXK049nc;S*~D4F=SR zC%h#&;{qusi;^JgCjqHqefgl*jYk(kt*iA{mz;H;$0|AU$n34Q^K)T4>fS=I z*W}S6TCI(TYIR-UF`y=;^sMvYiQV4Hrl5(AUE9PleEXn^ivjwzj(ag13nov*?#mz&J26n=chaHfEz%HQ}mtGNFvO z26SpzMA1dRJOe+kxQbzz-WL8|ma}3St42LfCk#QoAnq@>=T0n?3>y@OSnfa! zvjSEw0o3Bbh>FU#se$#eDNWkS-~Ngx%6ibSnIdL&Dmo4*;{OF|xYEeL!MwfJtNmln zOK5&qe5o^mZki_8k=jZ40peg)uF@1T3QGklLdTtvq4P&-$&JvR^IT;(!cVUXCuh5y zc^xXVvvl_{q;iB59S4V7yDD?|$*+9iGJ;;LF%17ZO{S|thxIK;rl*JB6Ilz zQlruirlfJ2C$Z_Y+eSRoGe;pjPNvC7ZZ%tio=~9G(ldtITXl~@sdIu1M0At4RcBm2 zZb`GVpBC4tvdvmfbYdXxRo({{mfhkInve?66_v^=Zl~h6c0^-wsM38pE~qXi=~uhs z{=m=3MmgNdhxpPYiz@!W`E1^tjwuEELOY9A3Gb=XwnfXpr@PyPdt(+yAN)&Mr~54j z)0zSY)DBZrEREhhH!=jp5BLY$y&rGRutVZtIKAK|E+HC9tX~*|aM@k60BNl-jjVt_ zgm|Ls+VOnwvSAFOoTTcO9enN=?>M>i2wypyAs(<*vwzH71r2rZI&xoDeSK|ndI;9f z9TfiJqi;5)1x|w%`AtSedR;~njXA*2juKt!geJKkcNJ~qz1HleY?Z|W~BP0 zkYNy_))DMeAygBBmU8zj0CW5TN~Hr|o1X@gQ36w0PdS>FmiRY7t;N|yqc>+PliPC? zy)dsT#?TOZ@3?F2L66CktBysyXI<-ELaK9KS7LUfJ7&+AADiO?wNq;6&OX|8l%$Ry zxIx@s+k()L#2tTet1DzJN+QXo!#t6#BCJN-9@fR@(7yj=>5mRcDhi78>8Dq;yNcy4 zH`X`*0*S8mf4ojm@vTK3q^2-Ee_ftZ*qC)iX~NlLT`lLX9I+sfx!339(~inYJ+Hl& zScfY>ZBIUi43GTqWdlmErgNmx24xbJCIaRs6F0A}bC{E{GovMF2cIWkVs%b^>Rn`M zBW7VDo0OlOC%b-4=iuCT8><{fp9W8N+@F2`6Oyk^Q#~MTMKjALB^^v|Cq*DsJQ9_Id`IEoZ^_+v)%t(r*wMa-aeg96W2nyO9v^Gxar(@3iznPJTssjN8+<<}aPP~w&yM!#g)>U}<@Io* zS#|a~FdN<*zExhWp1?JGF@qf1WwrExK<(quV@S|_2R)9lgFR;6F1k8HSAtS7B^+Mb zG-T7K7~kcpj%JFx_d-1?DgO4(lr6wxj6S7byY-xkXHxDICW(-Q&BRV7W<6a$vM?|0 zL8dTbNci>UlYSwq{key|;Z?_$>-S7B0@0A(1nv4P4veo6M)vCK{8!A}ngu05!fs8G zBUwoMeE89#Rw1?|$p?IB%MRr7_GQ?!t#Xo3HDY&|2_%YCO`hLoRQza96&G7MDqC5; zy;78p3w7gVim$sSp7_{u@cqn(fK4?F$&-e7K-|1AW!vk_Jdr5lKD6* zD;?$>s13~C9x_-2R#m_cL1>S`LHJJ=Y45S;28$cOGn@QwLRRNOC|pB-J;ZW+nYlps zO2>Oc6m}{Glf*vtwCnz@I?r_QODtL%<~51RNVnlno)lgmcruzH9L$Jmn-o=81qruNWTI89o^TE_lz1bT1ykv>&y2Y$46~y|iR`ZVUnRi+D$FKl< zle-lTU3a@WE{aOd5s@9rGFule!K18)o{<_l3o@KKcS7-9 zqlK!j4Yl-;nzNOFQmf{Zf(;q(;M<{*6JEEL)YF^|S4ZNzcU7P~v#$n!fp7)yZH$i& zt|+-WUWzLEuw$B%h-vv<7G?1)#04p`9Q#vo+YXKY^-l9iUwYLvAzL3?bu)-}X8F

W1tRUt>+i$rx4ugd3{blqTZ_;&ayzz7XSZ)0_Yi8c4V%5olubQZEyRb53 zgL%_v8f5E8UTm@Qy25LZwhq)lr+At}&ZTQOC^_X};ADsZ{Iiutlyj_>;O)S}k1I7r zdLqGauap{a@|Sx;Af-|Z(q@)6WJRfYFUO5v{T+3$KK9<@yq7cSP>(i8X=7}hy3gCq zx=wpOa2;{ju*U;Ql{ReXe2jai;ugrD)LbZaytC43%E6|&)+zS7$g!EEUetCNxXuhE z|MY@z2$q$Ib0$&eA9d zp-Hks6SOIA+^*iS=x{Kp!k56*Y~5kB{(hsIh0uw+V(q;idBlno!qp`ApYxXfwfQ6< z^YHk(XmQJ2EFVN8o0VIo9T>ZpzY=A`IDNM#aSoN&t>R(jDo>C(sjydlEJ}*fV4A@fV?TBH*SC!+5UuZ!u2Pp3HJGLprFbSGeA4Uy=1zLg{_Bn$HdIvo< z{rxh<4_lKbD$p^@;KV?u8h%G|iHaaVfXt?rrvp?2>(kaa5A9d`p^o-|N7)fGFO$jk ztfCrcmPT>fBQKRtjN~o95UPOtk-saMeR z%Fm_SkQ9=noH(p9pIHZzjt)Fte6`@UT2krac(xDHVedbiWSXz<*0y>>j$F@TLasAc zcY^W4q?FkHNVnJlDHZ$~C0SY$peSuQ6QqJ8k{GFWJ2i6jLB=d#pTgzXhsr7>K}dnT zQn|Q!)R5n{LE5g%(u#6bzw_WCp&9#=bZL*6judh{7>voV@)=EFk?)bZI{kODB3c+E zeM}@x!Z?VXnw?eaNre8A#lV8d(HnDulP6Zn!{Y#^)od{*?-XUEI z2;$#I*Q*Sm0{(zX#!7YR)8EM3TO10jw_O5d7_9kj-11DV;EtlIp3sJ)in zByBy~e9ab$v0pzLNT?kh;NtBdou_WK9>4gcito%5nzvCO@HyhzKSt0V$W=KEAxMEZ z(>f(($m$NCWl9+Cr)jBx3pP0xZ)oupi^ z@5jtyU(6(DrrrasBhF<*HAVEahK2(=kNEQN+pj;k$$h;Wdw3h9Ch&)guM(-`&_wzd z!K(XA(?|dv+VYIEHlc(AXeGL>oA(aBx4HUs@+i7-M2kYjnN>jEj8VYBVrI>tS>b|- zPt0a(I8NR1UhtJgEjlihxjL$XJ;exA?pLi{0BGyH8Av*~nPVC^Aqugw?6lzs$njvo z@t2w-HSBf=fIHP`0)>ivvzk1*_NY;3V$$&I$meClolp_8#i=dPOWl%x< ziu?IC)9ZuA=Vq~$CMzM**nZv6dhFq@&uKy9#j?U#Tl|un0?jJp)c?!{Z6W2h`|t|Xl;NcO5%?NK}&30m?F$a>mhkUYxBE1bNW zbW&8^ZzJ$fS4^$-qN~^D>5soQr)nB#UDZb=&&7krOkTC6WE?>++CRwY4eyWEv^V~iSLbZ4icKHe&Oet35ddg zJma<2mW}HX%Hi|C6L)E>C{Ms_K!CF(vkXAxU$hUqk$W*sPx4CI1+tb1V=NgD%9@M} zPDg6>BH|G*XvxS*7t*PKfYXZuo+|$m%XtFyy2O2%3sBne`}gzpKu4v;{r@iE z`TqT1|6Kq?R`&Yenwl`C8TL0)?3KON5g>DFK>Dfgh5GiqWANN0d-#s|zdrUP-zMmoeFP*RddeeKxn-~5lkNk68{`8+BCBXkKKL6jQC|+Rue{jA3`1t$x zFaP%;gn#|@fBDV-@uok&{tv%a|NjD$pVFO;XSm1I%4a0%{uX|bJ>@ZOso7+aaQ_LY zTgvwQXau%(=!1hK85un*0DZ}XU>@YA`ME(is774c6sUXCt7J<4f4xk_u1+Z=GR33)>btZFz=2^bw2#w zRdfT`vO86)z;UKB9=kx+chUk7sqg=9?-6h${^N50$Ab3b1ZZ3-MG@3A@P zp0g2IHXW${Y{Wm7BK?K&4E>HauZQ5H?F5m@cw2Y zQ@J}pJ;pgHUv2E_8Z;*D{}ky-l)Iu$_Kl9)xFl}8)I{rG^+r=T8C9$MYJ#C?xr)A0 zuNoJ<+D^KtWgm7_asC=>+)S&-w0t#{8ODomosInlx8ZYBl4H>!!{NuoO2d#nfHC;j zx<3Xd(V$3-C=xr0#7oWhW*}&7D*s{`wYF^caG7eFCcHz1tJRfFt|(aANImnJoeU)N zYW~z5LV0OFfCDi3I#z}+i86z!*FhOW z9F-yUm1-5QVk)OC5$T;n2UmDp=AOX|ephO?y1yhJ$k3~^?0=BLZ<5fZ5Yw05`M{D8 zljV*-up%HLcH8qqfqp*J`C#*>PnXl63*gCm8?$uO^0v#`WUvWitNU6a0RvTdE+5r5 zV)Eu-rya9xLl!@6G{e~}Rw3ZFzrV)hcCdoLtH!e&p1?YLr4z=cifx9{E!GfzF;UV1 zFRVw-bw{$KY&s>0c>ih#LF&0=Y4+a~B^n)~rpme{@2LOf@`3xduvQC3Tl?W^vyaT| z6t0Zl{Az^azg=rx=tu(R2Y~E8((>x6&fz=7t#Fa^R@2Fp)+b?~5kek4dhnLtl}Gw> zh)OLZ&Mzc=WR;Hk^iD0)VF#{tm=QU!V3S=J zF1ax;X`I7~%ZWFgS0KnRAIED~=znJ!luNPM%}ld44xA;B7@cGw<1Mkh>FYSJ`JwDv zulIgQVA_m_T^u;OOi!E7+77w!;4w+zfWe;Y22WgKW>Cv4;4dpPs9_T)!wf5f;}i?% zMoYHm`8n?Ft-73?6);lSU*{HI)wv->F2KzCPp8^_dU}` zHakuSo(Rvherb!DJHeo>Q^kdg0_{wTv4`-^@Co_qoO+wl{xo45$g`0g8JCN>r@w+m z*S(m~1`=TYP1iu<7T52p$MDs`{_L^vFfr-Pr`gqGZ#VdwS5i2mU4ZV9ZKpEtt6%Mt z0PZb5ydbDU@-`E#<(ytIuR)z+?bnxuTH)UAKFuRVOZfr}y0}b%(cZ$Slp%+)HkRtf z8%Y1B{%0))oeHrm_2Cz(YHP!XgMv>zGaE-GV^$e;(liST-hRL6{)DsV6T*d)K5){= zbLZvBKYWAh7~H;u87yN@@^X4}0TEtqa6#u%3A<@v_hklD<^26C6f+O31`}&@)Oa{K zUzz%O6`VC~`+ya{vK-Ix2|OcZ((=&0qgLAb_929m_Rbw$O)6%|hom68md9qb@F3(Z zS4U(+1UWoV(){ZedO|$$3;X-ipUXrJAbmd=tnO5*OcxD=jUt_7awp^fz?biyqnl8H>)2FyOS+0?=uU#&Md2+#gR;-OlfD+t|hTZ`@@|!&# zYYl|`+zV5D7*l0W{r1|xQ8^M5#Ud|kS#;jXcz$D>6ZY<->nPxs2 zmBjrY!i=sSJV5N6^>MNqgm69evr|-=%e_C=;kwwqS=9Wo`RQ{HF7=|haR*oc-gwyc z8c*f&9MKlexhWkewP^traMdZ-j+b(F;g;}NdlF1)4G1lb#1B>vS`N+|solq(wPM}T zm6WRQHCY`{Rgj5^pO*WOOF2)}wjAzjmV4P>fzz9fCOAzuWo!=P*NjSa%8L>yZU|RL z#KxxN+!09H*dQL!zG(A7^AswFrjgB>Ij~!SRWFVxurl6v zI5*_Y5OYe#1Yb}2c!ff7I9>E16qoL3P(Sb`t$w?fS;TX)-A|bNZAaDH?;owx4g;?m zV5`iPvyMhgpew`83WI=N{7&uJa;8t=gj&slUe`fBz^*ZBd%sFG zFs8R}-+qUT)%_gkcS3^1ll;0a`vqS&v+Yz~>CTg1X|h%uLW^WdZlry;4%}!%;_`?i z#{(JSv9#RA`akaSxp$=S8yz`L4j+x%7oDD+QZhd5@gFr8=(PP<*%lLQ*#2UU6`Mz| zu!)Ukoab2`OcEY+Jy_wUIrAzee9#?LYw>;a<1W9@U{GPh0~Z8O(ki@gu+9#9N5W_B zSR&WfwnV$+^~hrf=6Ti0&ae`7aZ1DibWJUfE^{K-_8qqOxi0#fvGfe&A~nJvjj zn28Zx7qShV;0t!C55KyrjLe5G=gxOg4^$#+JA5#pQnSt~&)r|@&Mtl#ULd=NNxTv~ z7acq{Pp7DMFbPyUQ;HrAB$t_zJcGNn;nZ9XTV}kY-j4IS?yDn7j)C?qZO&PS@P2<7 zf|+l%sVKS-h)sCCWG%}C23TRnp! zPMv|tWxgr8!O5ezp=Lzbze2lGQ)whqg10vYER(Y#p~uVRv-L~Y*~QH$68p8`U`0OA zKTXzcC{G_7G=lq`8zjwbIUM3_LkWkDMK(+C?ph-ieuQ4ul5SQ*OAYz@W8YJujy`BS~p#uGzV-t&M@Z3CT#I;)d+Z!SX!t ztRB>7=b@9~EL##!qBtR=N_>`up=ln*4rk$gbIBoiD=?TEovHg>Qa~Zy0uh)#V!o?v zh;EXHLMwJA1{!lV-3r##W~n=V2Ws(tY=V|IT1*oJ)$O-XJa^;%s@gLd%Z-^b)bh@rPOwJw$ zSI$*n7BO{Fv7+nv?$()bYSyG9q+r2%R7;DmaPa2hTyJ*mpQ#T2S}hV*!|6MbLeV@n zBgRGGBh~iJ)8(-0_x_`^vnweaQL1qwuQ^nbpDb^QIBOd^IgV$za5)$Tjx^5?d=C*U zk|FWo)#{hj4doilyG}VLyw1=3Xx@((oy~3@!ZIcK7Ty+%Gm1NjscnGa_8Gl9WRS4$ z3}TLN0iS+P%4^G0iyIKe$dd9&oK6=_ayEgc$`(?QPSKM}>ATd4S6S~0m~MID8+zD7%kOSMgx3Lc6y|V+v>>?{nQapp(f7?E- z0Ha3WC&;S_d|)xu=`Ytq=~-wxS;kd4(I-Xb%~+)5*f-zMgVhxnxJ?C6xgJ7m#Zxy z%NLhoOUK|vKSdMEx@I>$sAVRmAJ=Ecio7WAO?EcQx=Z=RK5mq;GPxYHZp_-oBxxpE zrUxN_XLdZ=BUcAi06~WMcQ55vKQ_jQmXuXHz2nOmDPDh8^l(TrTzVXuVsNyL6dSXG zz0D#y*H%$8_#$xIPHA2+QL>74<564zo3TlAw#bXX=EmTS^S9Z}EK`WR27dYdcipP@ zkbomcaqnz-4d+-ddBOY*(bb-%PlQdfWOnTJjl$8`>_cgmEsxI9_R2GQF3~objV6Sh z1n+Aw#Xtti(P38ary<8~?+erjbNlWkJquIm&4yFZ$@??`>8e9%Pty3nMCGod9rLKk z5NJ0_W{^d*CKr%dH1Q@9cAZUzYKw@HGHvsAZ*ed%G-H|kU-k|Bw4@RbAj1JUmgx=ljxNv}@qG z{qOhNN6b>H!E^0?CQ0nlc7+<1rklf+&0->phJ^@=y8)z-&EtX#6F5e(^z&za2fl&T zqn#)4PuikGQ$@He&QE2FtTe`%*h&;};aKL}Q)gzJ$G38~rR%VqQ;i`_`IB-AWbK#; z5w;njy=0J`X|7TU@|}}3)%w~Sp&N6^72qRncTdovsp0@v;bOV1uxz#6n=_Cy21{;f zc}i0;K9I|xoFy4pX>~Yj=jTiAP`K}UdyQ*0^Q(`{qvc~^p?9}(nMrg5qbhvim zriTBGcUx`^=F6OEhuzx3F}e%d4A+rwv%+jib8RLd2J!FDNO__=tar{I-sOL&ILv@h zv(n-laut;t5k=$oIw@Vz`;1aW07A_iyPnX*eQnay7;&Tw(2 zebohxTOI~S<6Se)oU^J04A#{sF?dGVaXjjEO&H#LH&VH7NQMtT`H5jLMId9PJ%9a9 zC9({=(3+jOJYHsC5_wm^IyPQ0mb#Manag)->r9FHAz?zu9Ie~dxE;+W6gFOp@*cYF zmsee&!j?E)BDcwaq08`)s6UW_uXJf_;JUnWl?_6+^4q~+sT>s9P#tV&|P`|j$@xmG@{h$;@D|B3)hIn zT7AD(#pq*&p?zRl*T0ugI3S;JdaUbL<04b4TUj>GrX3g!)9wB3=EaZ}5k@8YqF6oq z88_f_g^1#10!6B#Y|4~xbgH!bFF(P#Fz?#!32XGPQ94)=<{2T<$;3MSbTK=}PPh!= zXh+ywk8*~NpUD>?S~;|Slh?Wak}GU`u47u;5|OJ>s#&<57a>w`x?`*mr*izp=C9*w zpdxYhDdMO+0Uqhe@OBJkH__KI;E1zFsP?JO3qJsKTSbVr3tP1cgn_vAoPGSSqC#N? z%2#wvF>I9D-AspbnJ{r6F-e$D`t>BW8CMefU4uGN$SMINt``zU9ei$;W(S(%7CWl3 z`)Fj>_yZ7+)S_aJ6b&x#AbjN*sERA0lh(@r-o}%}n-+LHO2=!m%tP73hhG(^NkG}r zQF>k8nzhR%6mxW@@{Ej>#gv(58FFU&|B?(pYp^UO&*TZr;X}3tb(bO5Fp`Z9=@zem zc}#YRx^4+kr-EKb*^<>hHc-2kU7 z`r(&+ZEZgi5|cmNk8Z8hjb1T-Hw(hv{WKWUmt~zM8c?}xrxz007Q>^f$RPRnO?%5q z?TA9J22)B`xR$f7Ns38xY*-eK>9{wC*F@adR*!`AD*j;PG%{cM28hID9Ukla21kU0 zhs%%6T9w~b9wTZB*4qnTtiMDh!Pj=YBme;7^_}_#go&n&s*$HooqasNY#ouRr=i26 zC-QwB!lltq9Tg-rJ**V#G<)os1LVlwdNolvCe90EZGDYk0DlgBe z^64bZiIGMT6matSg~9Z;A$*~@8MhH&+~(UKw2CNXYw=iz=-GL(2pG1$M#UCm?=q?3 z)`uYq?vrf3W(|06%D;NLyEDqNvKzK)#5SwG>$-ezW)F|$WUN|js!8A&-iyv?@|B)@ z;Io?`j10;UcsfDXHnz+a@cW&?9`QNNQ(OVI#FO=RU>8IecIbWPAPbC9^gCD)8%_i( z*Yx~$+Erf_u-=GeIxR{cF-osv@h)YR|-BBL+sjkSsGs_Leo`G414{=DifnG9 z_tDkj*7YRH3f!`R`Qc>oRmBWlpH#1)!wo?^f52}#@uYd6pxZyEz&bSp6=%4PZDPR* zn#1oFC9L8+@i~M2Kio|Xr2La&f2>>R@4-8d)*I)Y8Rv3kWlY zL&V#{Y~cn9>kmfG@mx6@IhL&O@Ler(u~5$b9s*c+A?xE zL$Rc9?1(EUHJ0fJ1)g}4K3uA@|7tk7{R-8pb!`*gnolmtz2j{=ufA(PHg&ecFXUeQ z_~iUrns~5WUHDbO#su^G&*kOS?r~P~o55BnRwT+tPBrUZkfXqMt5PnezULAStX|su zI?XfgQO_m_7qk%LcTLtr9gyjE_K+pq79t7o_ZbUuS7ExwA7bv%ga-sbSipLeqet^d(|}U4e!UJ z;1xESsiAa^^6g3JsP@EoICyLc)g^=M1m3$_e)@|zsFX36BSA2tK@K}thPYb|rv6oW zRgZOhRx6T@&%RTLyB_qc2z~x*VNnJ&qBpmJ7Og2+-=|m|OgDd7iLJ=)qGFZc32)a< z#d)fHI7<+=nHm}N2O+W9%~o!p8I+N-C(D4*VD7Txbki(LdJx>h6xdx+jop<+3yl$; z&E4LQZBv6m_&QcO?|*Db+@e(pSsDE8<^;7&GI)14`5}Nh$DmLj(NU|Tfnvaq`h@B> z_!o)w2Ia$FCtQ6jYFj$|rrH3Tvbhy-j5&6V{62X2y3Ue(4DoF@p1nVVRwG)By6VCM zog!7cFoFa4TW^ zY+V^d(Mh9Oas9hh9)gbRREu8}iYH&#dPGpInLu$JoUis9Ek;Q}mC(*YKp!tgC8(P5 zX8!oDr_;lmr0(nWZU~(}LAe z#JoIR%F?S3?2lQ{?Y?r#v;xjZr*4YXVL!EUK?2PWkl&Ja+3+FZE5cZ2&f6f+jzXhxB+GaSoTk$nhwA_S>=^uMz zX;07pzN{zcFd{(82gdtp>t@c@lR*A@qgMMQCdn1sI>Qi!o#{ENQ|Z-yh(eu>1{gPb z_+%lXw@|k-y(oCP$?2dvPav%dzIb|ufHx>vl)i>#ZpwJ9ec|1s|BNU{rGBf1$LXY~ zGpltLN7C^sMl&E(NdSig=|~}8I`aE=*+n#$4(1vkAh{?k;dfB5(wA)_>Fp>0)NGs0 zvNCl;qno;-S1YaH;Zrb+@Cu{O?}y78|W3uBsfk@ zzst#S+WJb4kk)z{8LX-RKbop5-&pz^mycFLrBsQVH2saha)Og0ax?^!0=@i!qV$t$ z)VB`Z3%VT2wBoae1$o;Ry|EdQ4GjK#rWGaRKX&IjdV^jLWMYf+5bdBcU;8-ylu19x zM-L`SeE1#icVQ;vCb54on%p_Fly~|sOMfMdAMVxs@{C09@GV#wB{aM?mPO@en(45W zPuNdfOJ9z_1dBh;q%9SgY5$KsOzXy-c4BYR%jyWgp3Trb_X^YSni!VNury<=9r+aJ zzB<5R0`*L8^Rk~Fm9({8&$|XzQB;%z_ca!OP@WZI`0?8nxh*lTtg8BDb8B9*Jwp`3 zK&!@^^$LxwR3#hF;wRC>9*e8(l?VR*eK1{TRV4El!>)0weIt3r>S&G`OLNiY&i}#O zc>p!Jwr^gKilQP%5s`?13W!wc9TXI$_ZFH+2LUMo352L9D2ntJnh1oJfYJ#iDo5!Z zLJgpl2mwM%D531b+5h>z^Zm>2&hG5aX2y|mB1zu7@AE$Qb^osGu4iE4;Lg>OD`fU0 z;&f&^Q@w!p;xhX2HlhzND4>b%*n~FFmB&zd6CLGJIsKF$4YPr^<-G+AL`mZuW~QH5 z>q~YjZ;I{~9dYBeV)7u4yw6~ixC#r8;tlJ(QK@!FtYZZ>CdZIlk|nP!%nL5J46#!=7#mW>hWU>-wUfRAO30leTRj zssl5MKI{2Pk}(X9N+g4c5}(|N*_yaK-ITRJHvzLk?p?YP&&Edes8Ff`mIuyH_>=}$ z(uaEt)eaiGta&utYnb!cu8*Qino6`>P4#>)X~oW3F`9-XTMTj%!93xp;b#;5F0vN3 zC5M|e38jIZp?k#2j`Y=`Y(%czF5D^ElRnh=Zgv+o>ONzlhbvy&Vh66b$qPnTEY(_r z>WncB=jN13#(znVpPf4ql_+XScoCtYwO&Kw=@FqdA zI6*VCHxNTMgTEOrYx_G(F*#c zr6YT>?ree71Uqr$5{E0HTm$v>?%drY2@p*G)3>JQ(xrFZC9G;esVZuU$yZ!4M@lGS z3yq6;rc}1{!y1RJf{xFWH#y|5VRtnC+SooCYE?%~o}d zKKN=W4{1)`Tc496ip>)Zy;NL=+W4H>0fcAD_)sViV?lyl{# z0JRr&C?o88g=--4E@r}|@N{^B&=ssDQAEyHzEF`&H!d+XK}q5UcCa1uO~WP{6#`Q) zUmRU)=t!0Fj?6|@d5uEdMh4y>dOnX|Mlrwz7kQ|D3k zh8sb-ZNyJRYqRrpRL90lFrwsd%gk7ssgSkHhP5R-@Qg}6ftS71OJKODa*>`@z+YJI zx^Wy%jqmZo+o9m1tQVXFVqCdb;oaQ13<6S5J|s-0f$*h+53t4r>5n@cl_&h7ko7i9 zu2C~FzKJWSUugeh(jFMoZYtJCIMiJicq+CY$?azy1)mZg2G_yBFC3L-137^RTCYWy z7AX9ABHhJUdi_?Y3$>%xa(&hDZH1hytqrPj7@drHUbQ5i~Zp(`$xc~PpiBN`SUmC6NXG8+G$M+6c@X3wIiuOcKKwRB2J|2 znK$&NQO1(C3Z6x2;2RL_Tec)ML3;()O}`#JEp2XnwdiemMEyIN=6O@BVN0D8aXXTB z@tGWap_-#~99)-1))}`BHj^VNd;OAyjK^vTF#`j57;%?I&vdFulf>+|dEryna+g$a zTylec=ZPrldn9RdPw>5rZb_aJ4wA3k` z#wPlQjZ`Xz-hjK%*6>xH69{YKP2rqz@+#ZiGX(dnrKUNL;T`r;BuSbs`nQwK6BKox ziCk!%(tTW|I1pByDxb7;tuFYAHkaUq<3O8%e_Um!eji1v5-ZTGDwLYq zT1I2H$K<@s#N_21g+EWZk+hxqjq!AhYY_6+Y9~tSUPH3@z)@)WZE2?JN23kaHv5!I zv);Mo?0XsY+sPX}4`L*4Wm5vCn+-rE@Jw;NIUC(uSeus#?>+iR>V2Wzq(vEtr|1v) zy*@@Kn}o2~^1?z*TP{#^>=vgO8VAkG~f`2J*Z6(>ZB!Wc@A*q+4NVrxdhqP+hHj`(D$Pf4~ z@9iFsHFl;Yh1oho$$EoDYeU_|BH1EERZl%*sSnamrIT-Oh%)hYp(F-Lw8y=vCr+{n zI22MiKW&5;T~V5qlEN*a%}Kn(?~H6B$zXwM9}Kd3<2ZzcOmFaefQJ6{m~{HEZ?^ZNNOTBk9b|Db>^v;~+p2#4{rtJ_-_pg2>!!ti zjD3+KL7)A+B#lD!@$aRB-4=s-xzg1ksifnvS221&z+3E~iJCdZ-7e zp}~2dOxqt97vNy^IN z=Qx!(+;Mx{Pv_Ot0gOk$6u8Qdm`N-g$$X-n0g>!BCil6e)Whk;n3SHew}<;h(&by- zOU@+iY^}A$=Bl*C=_$FZ9GP?jIPX#2qM<|)Rwo+Lxo=h8~eif0R4V*SSfENVjbv&=7s{Z>r)NP7LD28Ve0>R+AEVVZ(YEQ{TrDtG`=1Z) z?5j^vw-M_rvMExeOMN`$rcI9qX(EAB_>#6?RTI%6QR@k+FIBbsstgQjXNddtqO}2( zPfd5!4eHFrYHBUnYVah4VXluOi*n@a*D+B|2!WLq=LIw1?VpkbyVYPZ7z$%v1MM^) zEL05i(OMd-nQ0#`E0um&A1q~$4*YA7`@uVE-uz$3Bpb*@-r1HjUzC}Xi>13Vge|3O zo~(TM<2z>}ugbmUU(0 zv3YXA`6}3`G=OWkx_7`7anG+2Y+}S;p^{|gL$}ob`1j!P?;L3peo>t7q^yy@-=bd0 z{*#gRblTx&0GRUkfB)?0#6to)%K#hy`{REftme`B68&L+XjkLBz&SUZw|AblOnri& z^;f@a8s|-G@EY9u|6dcg2h)uI_Bc2YM~uPxw)VGwJovHN;_QC~+A`VIJ*1#jQOXcvoLX!DiU<~z=#`hOq7QLB$C*>X2;pY)>O`>C z$UW9Meu#T&3V!C$p?|YweL|C&1^%=b{6G9OSDr>((j6{!bO79EDQpeC74oIZ5G;Lk z_Q~xBnSXDf9eSE`;{DGsqdb3)8%F524jm{H&6h7V>fx|O=cnXQ#JRt{YY>Ke75w5( zK=?Rx0TvLDx5I3gh0mTPFZ^fEZT*kT|NroievT|UV7Eb>_ZQh ziHG0IW@~Xn1%N?XwC=Z}m?vlZB9)&E`5kt!xeO;>iCn@6<_erodNf=%to9d$`&325 zx{inL&lzu`QWCe!jvrDx%x&x7S&WuOd^Hw&@Co ztO_0lt{#p0NRMm2blw5SCXxoE8q?*(V06&WY1h6Ee$Vx-rM>%>wOzG=nfopqhi`rF zud`rr9sVhO!?N=2!mF_xq%PZZaz7P)Tc2sfP5&{OcG(92%?0<1Bf`QoL3zfr*Umm% z=U8M__oU~vD5&HMpt+@1I6n&jXkH~1f5C|WY0htP%m!%4JQMA^x(9s?m20uQS{Dke z3O@LK%D}I^OLVez8QU~<=M?-C)~%D)$7Q$=iWb;*~pF z9GMn+-_pgb52bWP2QVaa{qff+cx#(qUlwm%XrUXj>-kdY=%G74v+a&J=dM3ei&b2n ztK5?DW!WL({A13RG+e!XJ8CT3D}7T zVay@3u5&}5>d&8K6g$ktBz<>rT-diEMKF#JX{V=T05I#B{c#8{7$csb7JjA$ZwnD= zGsBc;>P)BkkJgUd2RKYihElDo;pXNF%fVKmd4HTsP)tmWR>X2ZYabxk+H~rE!;KAU z^*so2M1OU*LvXaxD@la7RAD>!o+5FeQu;QXF~pen@K6rq-jvlD<1)+**APpIx&2?) z3~T*`8PA*)CuJzB8aTFLt+?z9kojw@49c5N$%u@~dYB2gmBj5L8(x`-@}j5{U{ z)`$cwjW~8Rnu)v9WN79Za!E3vX`r~hd24IXx9k3!*$$m2nk2QxAfy+Oj|PiE*(cv4yZAgg&;HTVcP#tVv zW8@|}Wyt&zy%E{WV-t>iNcw7P;Qm7P5`4xMAiQm($xWZ9_>Db?!1EzT^_ zsJT8rf`1CN2Cn#F9@*|;gU@o_aK0S+TWsFLpup;T*Q#7?;>*IXI&N)Dw2nnKwY$f* za0=*97H@cv6Jk`~QC|3njiaKZPB{|BB7OSB_|fg-R$P!>YQB0 z5P|m$znqGnLMt>`Yo=(4e5Z3wRu719;{wCsqe#iqIg&@sK_|ZkYa#JkDcF3RgUSUW z_H2J-?$89$BhkJYR>an2L4_Oq7hvLULV z3E8+VNTQcl%-&N|$e(`SXHoBj#q0^H0uq(?8+PhWQ4ptc@E>E`lO?5&npzvh>FwS{Q^MP> zpI(SUg^En~9cfZ}@V$lZB@q@=VvS%c&Z#|~wTO@$DChk%Ctk!vGvd6617YAxXp7hL z>hX2-5n^7eUUrZqQ+PkZa@U~=Z$qDj*?0gF4OP>H)mIfx zB?5?W72!pJ3(<9idmrDBx>~oiEO^W^f(>&XU3Sd~+p3OP4@B42oVxVaX`h3C9~@Zl z{N!g|VOD*{_YAKN6<&J^1;{PSgC4g$BXkJwnO5D zHYe7ybe%w_Qslg?Y{u-cR7`5!ztrPJkK%Jm@a;~R(EvQ%FJS(=5gZGP1@SkA;Bz^qd< zRf$GbcL8(RA-(DD@j|IG)HiT#y2YNLq1}FEYl+U)PLqYN=g0Hgj2$iXt99EXPlE3^ z@tPDQqyJy2At^R)H`)^10-6P>=Dg0q&$Q%RKEAfr<8X zugWrpDZd&RvcRh5gT?;Rl`%n!5C%R?qzx3QEu>(yh&TUJ?%X7nHZBue5$$}NKH zQ|uyP!8?wZ`*h*$iz<&lAJw2<>@CcOKI`Y&&R86&jCoF|c(9RCFAk^@zRxH_Zh)fz z1wX!w)Y%fCA|y^al?R+>_wRpsPS_TDSbWKHPZu)@zt*#sZ0bGmaZj1d0o(TbzAZHS z`j9|z_yUzH9tjf?l$-u=XJ7udI^w3**Q6bxH*EVt?s^vza8hqHGbRlU<#;p`w+o^3 zSArtPSA9wfW1CR3S*%7gDij@wKC5!S`ZRtUOE=bzYsUnWk{$_~HTzfnoPcq{P34n1 zuK0xDg)Z;Edz-QqC&i^Topj__jz2Xvc0bY3P^9a^7M1cg5Tmj_Ml8M*^w*VfYrEBq z`~Iw+#iRXWlTP;zQ6VQB8l)bhb&lrUg*Jgcp)nJ?ZraYvy3O9leLFj7ozxjR*VmcM zwj@BU^pUg>vQX7Set7To$1bnFX#QrRnr;rB%4XoHfQ^L%6I?t9;l(a zlIKol7P5t(5xW9Kq)R_jJ}@4PQxSxn3c|X=#JwYFcTch#)8g2}p&8y-QEO4iAN^n~ZUju(uU2?->3Gni zeZ`Fh3B!h9ISt@jXh2CfLi0*cf&JmdMof4&su5H8d;_+vIN>)FeSMoi$4xCKc1cScP%jYR%g!9O>uFg(8bs1Z+tLZ!D*>E}HOKXU%h7w1lI=pvxzjE!4NZavhCGW1hkYWZ< zgl6SF>&YAZ0Cx~SY*Mc-m-++LJr{bXmORl=_pisWgfWAW@`lC*F3|6g7`V^Oq3Dv{ zv=;-1xogQ(d0^=~Dul;gWaEu0$Uu=M>CB?`Q?n>3?1dtePZj63hRZx}NTp_kuA_3v zS}N`fXUn%C;ZoiqR8;Bh*o{O?>Dr($d+Ck6S}u=&+NgkByuXj+wYYjH zMGN{{etc|==2A^<>Q1Rc4CCmrLWh=fPFCsPBQ;Zh-}n3KOtXDmKKIahK%Qx4=l6#D zA(ph-tx=7lZ?3*;kPH3X?@b@9nGKhY)FF*nn&km+5v=5!ct?GyJQLPEhg|Eh>WT1# zXZ25J%aA(LC9aGBgI;AgPoZUArE7?7lL~A;UOV|_51IaUYf{b3cYb66&!C>}XCt*- zFktK4nQ;xjo8hOFe{5o(8@M)g@TT?yzXNjm4`|(!0!BKnFEDv$>pZZF8CYm-q$dhP zlSA}C^CH2kA>H}6=SzMyeoFJ(#-QAZhf2AlLXfP&5H}oKr|r!wBRw3m%Y#0P8y_G4 z_=+xqt8{A#nC3s&-dG}D=Zd2Duh-Jo%QVnmvji+FF%@q+bnw@iQXAxd!UpNpmfLNj z#ohT~&!ryE7Xtxf=AZ+=>(ha%u*v%o*{QV%tH=5q zPg!2N-^Ce_s{i4-QsPKujZvX#fde}0w(2KN$oc-K8K!!Kn-~S_Jm`R7E&W4w2R%nU z^rJj8pdfy$$7zoYyiY$fNK%>$QtT&%us}@q-cG#{No6=*>*wYrFm6*$$kWxETVI+R zH)*vXh28pv>*N05$zomANqzsU?TiOyRla`RiqF;$dO$oBniUBE|Aya!3h0ms3?6tC zgx%T7@bsd$6&--^a8-?iynqF?%4h1);fcX}AUs)?#yQm+T__K4$7_Zb2G@u??W!-1 zPsvB2)sNKS(jW|j9+SEoCZsL>lFQ?sJOvNZNw7;U-)7fHovDi-+OT%y&dZ~<&xts! zlp=g96WRVLYt&Zl=aL_i++7@5?lr2es(KQ&(YF}gfvcRSug}3UhuP}DEu%zk!gbTS zvGdSx1_lwtSZ+4a*9)VxJf6rb1rB0^t+uhUUWf)9y`1%V(J(KE_DAcg*VQ_0U%d8y zmwq5^D`}>Y=kAyq558t0Bf;oXOOrf&IoTe%rJ9q^{|D0^m0njmEQNK|hh zFViuxy*Yu*jBC(Q<*jYF8N}{N|3g18sC=r1SsgFZ$kkvSfw~^oYJ-VUTpnv%RUx^< zpe4)+&xr1U2&KPn-v<#9hvrQlqLw;i@1jG*ZoL1!uz@!9$-ce1a~AJ)2LfHW0GQIC zsDcG_XC{8qmmL7`uBtMv?1YtjScp{4qU0`g*Ff-?{2cBgXkd!3f3rguA#Ir;OZ|Kk3DP8r zGV@+9^_P|2u~QeK1xy4|LXfTxv;l@?S$^_Eo|OAutpDZO`}JXwI%fO+gD}}j+{H9R>HdYYAZdw*Z;E;jW$GcDj1c_g~GMYkc?p@N5Jcuk-A_fDA>Wz07QEL8wNca);)GP{<)#pzWht=XXOrke5%6XC#qDGcT^ zj}mYfI^8!6bXOM6&Ttb>z#52VD7mXv42NoJHqtYbo(a2YO#IN(BDrP7PW4*I72W+< zMvD0WQ)qjmH!iYd7PBA)Z+pc?i9s0iZ-vmSd$G zDK^&qwm43EW;xXy`N&va&E&nV>pJ(vOO}`sovuAmDm4O~{!9G^iTis+b^G`ppMVX3 zA0?l2rmADlKpe4Jw&kvFxmOIZLMa!3^65BhlxI-oc{wQmKF~I?9;8=yT_(+oa<_|s zl3CW--+*Wc^}_FLr>-vyG%dvKQz`}*vj+XQh_2BljRBA$%c_uU#*a6MQPPjbgnH=A z$&2g|RJDrhW1}MLd3UzG@;hg0kGWRZ9tn_dVECz6^xp01@`j43d5MLi>I+DB|750r z_69}fN?QbL>u8C8_bs~&&?DS@J>@fWMvnfW$u@mNN{8D>tq!;md+YLgi}w(dpKnXp zjs)Y3vcsr4FhG7td1UVx-&@v^R>RN1V3_0?;W2+fGzCIrsJSLn`m?%#gL zK^^a|SPI95q&1~^CM5_CR(rncCL#BIUkbVumGmvwnKpE!DHB&$yZ8tp0Ml#~lhVc)vs1n-Y>8qJjdTGZ3pA8oxKg0P?k z8`g)yJl#I@)$<$RMK5?|8b&03QVw6(H&N!GmF~C?6|I&eska##38~Z?H{_K_w%a2_ zw(p1I1wr0@6#DxOYUSx^`j|K*Y3TuS@BCd+*F>dY>y7! zT#@a2QBf?zB<;V@Z8IL?8;^nR)wa|9D-}m5cJu*_nerpwpplP%o$3l=s-2%|;M_`37%+{@t(O;g zGL6f*e)govtWBqHd~fZ-^Hi=`V$8*iW@tm+OfUFAigo!pG{cDG{a@@K`)?9s?8lD; z#wcXB?-dR3g|6~3%%pW>Q^w1>NMf_`GJ2dh468p5hgnv62E5!zTc>nb?p2PvC&6}H z8D*N}MWN;S?9NT^(w%CEb3scgkGmh)dU%2!glVyK0)NGCW!J4IfN@xy^i+}aFfslY z&fApTKVW|S##&k!zm#@C@ptjS-mSskOa8lQMHSdu`|X?blD8O7NqA`HHM27eZ0S}f zuU67>Oq>Nx3Lg}{bDJdij?zC|v0}2FS4Ov$KA96OcKZZ{8F#V5J6wa^LmhM$NvF<8 zC+NYff6?bEmAquCxXzzg!z9p@F!m$%CeEe2q1L@=wa(>F0 z{c|hjJ7%e$xpoUrKeAL`O^ZyBl2C68!lT3sTCCs3drj=?Rw|Tk5GFo}2fQqU(C-fK z?S_lX^ip#;PTKO;w%_agow3M{0UDwCs^wE=;-b3@)HnUt!gp8kfNZJh;OFNBEP6Ok z{_`GE#trTvh_%H!o-4+-Xx)?rFg8`TS=MK|S)?;9Cg_zO6LO2!HOTA|3#9k)>`;_) zOk%(|Zv~m?hRPmn8gN6YD81cZmtf!id9wtp{lw|6yk?@(Qj#~}v4@+DTBYU@8vrJP zi>!fL!Z|oWgw?j>4;%~-n3}1dik;1FV}VRw@Hv0Lzzk#M80P4YLx45h;khSdGRSRm z%7;R<&h_trv=k=E1J~n2RTz|g75IOW(XB+TD5a6X7sXWB=Cik0)*!F?xzibbdo!AK zAM0cRzz`!bzog3$-PcRbkXb3a&%R4NNq0ux)`Y25)cEECdq~~<4zSLM46pvmzFm)- zt>`?Nt+X_kxFDsc+@qo~X_}X3B0;AvUh7g(Xr{`OwrfzmrP|MWVb}!Ofu3tk+JkXR zws6H8*mEd|$5mxeZ^cGGHqcF9JsZ2KI=FVZsw(;o;mMm2=zQ6HzKlhwlNia9soo7{ zvvINvvbp2hB8rB%1J|i5WI`h<3djlfW3Ik*Y(#gg_Q>9IfgPBEJFC_@wsIZYM%%q- zM7!R96ov0N0;_rYaE*HsM?_@8-7jW0_jXf(C;BH(qiF|8Zx zNlTpHmde;_b(TEMv?4}8QmCeFDqd#wg=VC}h?bGRr4Z{?iAoi^HN4tn2P zZ}`qPi^y4Vu`SGQ@n-ff_L@NlPI?<7E3hf+g^KRNZO!as5B?b&<{*7kzvS>gTt@ec z?zr8GT6Ucmv2Iuh&?jkHH3YX%l_8uuucggOo(avI7A*k$y%wNov|(~gC+as>AG6bc zG@WCy2e)OjtgNi!!23n9yq7zcYAqWc=C-HeKaJ%Pt7?OiqZjS<6kSoI z!H5r#v|i2ZMq7AK2+R;v-7(C-R3^MIzm*IG^B~M;EVTZBi>HDHhBauyqd}_0H^n?w z#R^R~?y-#oL2qp0L^{LLLGad@?;NoUa-~`|rH(m^)>!TLt6#>Ia?N`_&;;XrOoO%O zyyre3P52YSSSz+3E13$!2OQmvfYQsuq?ozn+%Bu!kinOD-iV%faj{ReDwDywUO0R$ zE5SO!KTauN3A1CrYXs3~;h8Eq{z8v-7)Ihl9i4lp?+ai96nX^t0Oen&Z+w zx)~DJ#hf6IB?@S9US3tClYr(w@VnDpBSeaDf{pQ_Wc6(mfU9o zxqU;($)|I8LtJ~;>Aj>KdahmZ?3OzLBXW79s?7EZ-}}6BXlAjmmz`Nx(|4WJc3Ia? z>m*yu;*S%lu6=6&89T^U;!~`XewfbAd4lQQyu8st3Qw`jNHBt=d%0bC7}$b>epT3p z=s`Zx-L|#2CL6uQ7sss}sU)X6l4BTA{)HfE<^8)-a$`m9_3*AAtzUgXW%3ZnX2GRC@#q?{?< zF>o63W)y{j1#B*#O}V*ps!X>6oOc&Qx4sEYRs7y8er!IiBGc`cwA4#g4il-VpFeeE zc%88b-KsLv+tlm#F+ci%_K`Zd4pRH=zV<)s)hvQ+_O4Z#PEcoejy1tP*Fztd zhrfh|*Dd*iE>@f`sZ$G(jX96ARB7Es_egfb6eP++-t(&i01I+wFAhX})`3XHixA*f zU!1h^xYE1+BWpFdD3&i6?$>diUCK3K(>88+Tk-LTatWAvVY>4}xDs;1-CtJV4x50@ zfS-wZt&^dyo!BJtZR3*lQms`Z@zR{#aV>XwWZbg7LsEOz1xT2+!-jazh_pV<>3P# zt-Oq$;L=l}<~)M#Cmm$@X>SF807V?gb^@H2dFF7L0!lMrWM|{TL3hB1)G1sw48GzX zx7<0qMI3Ba>C}0C?tpRcT9C=sB(y<6?zrN=A};~ot`xfsh|F*u{!lZw(GLPI#OGD6 zbtrHBVZRHiFXycU&m$hvHmPibH`BxR&v3}{YlZBY@P#OUJ9^*Og6;$~`~|Udp)abY zySz|=dU}u{MW@AUkfZ(GMbc{}w}*%!rWO6aFTXs+rrj-45;dQOdk0HN{{kb)LT;TF zHvHps?YSBZtT4fHU^_CEM?{%A=?K@NIIgNss2xdcHS1dh_MZ`YbC3Oa>RdqHl~%1J zk<`V!0ezznB!YiHh4}4(SFfmql{#e|lUJf?_y?*JKwev`Q6aU?oyd^)y071PlQe@o zCumdKcd}Ssg<$81+QLKEs|TjcHe5+^CPkH=L**6?8PrI|i|)VI7#GA6LQ;ZlyLY8Z zU`s~#qH-D{4{b)*7mjW8>Ic3r&S37+G~RS!rw*taF-iU|_RfEidgiywcyh=r0-Sv4j*kjz`JKxJXF`#ZZ)r`LZ93+1qjqJx6+BFn8$-5?FU}RGp(ho-W@p8tH3Q>7z zh-GE_dQfj6&=6qWFDYq$C}!YH1nhKof92xnkwOrn`x#?Uk5cR|$~*X;hC!T@4qmz{ zWV?Kd>bCMT*N1;Ldd>^vnx01d2<)S1gzKe?Ybev#S&VenH8Ic%b&&SsS_mOv42Y*k z%K}OY-a+`Wt2nzU^|GattS4gt9;{RO4i++6k)KJ&E%yO&@F3vhd4715 z3qSS6ZbW>#To9qoMzF=SG*PE9aA}=V>9G{w#JMQQgr#DBcBRGqX-F$FEBaYcGX<>8dgvRe8yM?aw4nKXPMb;T9dC)83CitoiS>#*v2jO@gObH%zE<=xMFx2W^WiPC@&xBJPn zHgaq3$!NeGR0xUga-w^bo~9URh}KON0Z?~4*<|zU-O@%*+ti=P#epBIU+9$9&(}F6 zh$U$4#4x5y)z5uKT4EaS{rvpXof9SH@eu7TFQN+qE2LW#tNR9jxjSpqd)q^G)do{_ zjqxcZ3`nXOIpE(U}!da)Sm5?`!M6b7D36-XoWISWL_;jRq=ix$l`HQ~IBW6EyZ#}b| zt{g@2Fh+*GI3Hh{tChN!toDw(u-E&8KShd+vFQ75SPwNB+$(CFClok_Ln$keU~L`X zgX8;X4sr<(;J<~45f7Rm@>fGeNFyIhbrH}^B|*2dJr1Z>*v1OOl?hLi=lc=nUIYYy z^KzJkqK?;5XJ8`I(VZiw&{Hl~>QhPj-!;BMUj_4^sx6Bk{GMlvAau(sw!e2k^SlLC?S`V2|zPZw1c_#m{;#F8fe zZeqs-qM_!MbkV&|e&#aiS2q1}rdFTzw_3-|OJ1!2yyO;+?P$C!S1xE;hm@yw6=n_& z|HJFYUB9BB_*5`KSTAGpEErT182Vg$moSgfNzF2bXKZF0A9w<8FFO@SGENWBQ zuh?t3ac^VW< zhb<32zuc^9Vi2tvd9R-LEaw+h8?)5@>fH!?73-!w{9 zAh>1gq)LlfGqJcmHc7%qOCc%_vTHv1B+QwCbw9x{_pA0T!_@18+zG`pU4h*<`(-9N zWL*+dv^IZ~$E;XjaSv ztfsEx*)~LZCri|FK}E4`pvMb~swGpbjr~_QDfj-5-@6=9VuLfjB6$q;lKQaa2XA+r z`!4}s34YifT_>8GqdnK_H14OEp4nonEoP!$ui=r|zw!>+mv3E!9wr=IeH5!Ew<&ao z_`-fYU%29Lfo7#UuDMwXOdnl+H^63D;#tc!VcW&e9Z@p?&4k*?9%LKEs$9A9sTXDX zRtPwGEA&|7H3=b@FEUvEksNO|u(vg`YVfI8n4nZ^X>No=rHWFibujuF_e>D!^D+CR z6NqK$<@;9gVXjmqG4)pAb!!z?fp`g4AsMe>w|C6BeT19VH6Z(RNS~w=WszP5@UCWF zG7JKJ8=?7#un!!(Wg>n`zr4*SAWb!#fY<$Od}|yz`F^M7p<^s{^34(#t6;p0od#3- zyrd+i$RwJ2vEN>&%5l1r-&Z@2rvjGu!w!3=NN3P%r0yF=B_YvqwL%wBA71QCjA}~| zbVqFmG=vwsE1g*nuIiFk4}q?hS$HCU`49TO%IHe_fec8OuZ+8?;9${>5+zbRJzN$` zY&hZRy&HpDzX-Y6@fDRwJ92gZa=!0yJOd53=Z6G58!p684h0?69!zIIvF%mMYP>QX zEO}?7-gF~F_8q;ni9?=8MQBH?rIf6k-!#HVuEWnzJU}E3o_$-~m zSt(%2y;sOX#_+fEE9NQ#r2#sVQ;lx^C+T z>{2Wy=`9~pxyhMeiRPfJ5& z?ey}ornuoXlZ0Zu4ez%B%7zX5)6T>0QD#{hmIYRyA;FWP7Py{kFKnt4%iYYad|EVy z8(b1(J?TCtW8?#*b(McO&#fysCc7JBTbsV>u6qT zzrcfz#u#DofML^>U5(GR%{sNYo_+I%?;k@U%m3IJf+VmD!kP6mO7tU>v+)vn*}2nY z&K$>vc4EvcPc`2v58MGBO%R=eZUtbw^%r(*V!nwYe#Z^9j+hoRnp@S(Syu+>%?W{P zY|Uy>if#f?@NCNd7(Oi7Eg$q9#jj{1TypWYNK3vb=8HV!K?Ri8Ai7DadM;8~#ht(* z!G#O%ER2>{8FAPn?;{!&4L@`g?o)Qf{!AR+EbKFe(0T>ZLNkMI^93hXx_yHDgg=}# zTAh#?j}->o+Br!7dsLVd(0TdmxfTRt{HahqdzBq?hBNSy7te_#y(ELAz}W>kA0#E* zVI?-RV_7hlyubY88X5@*2(!A9U+~4P&uRy|*fOtbuWQzOV)iPr;dCnAF45Lwto&|6 z8m)q{d~U~$Rf`Gdy6HPJk9P>G=t`H1D@Ud7DYnXnDU{9=O(+6vmpHJri2wW81l zlvrDZu9P{ZX&f-Zt>x@xIztwudupL(MsSfhQQW&c?R3vX;V<%?R3%^-NSWOjvd1bg z1-reM0>+Xcm#fxZnrd~B$-#{^YIBNUULaOFv}E*7XwP-sv}H&bY{EJIT?tuxkO=Ip zn*B?Ed@hZX-dC9-56{YxK22HCfMDT@4#*`BaxFDwH&k_ocD^YVw9ZH=YY zI*lDjtv^RyW>pX)3oUQd}^&=$D0PPzqs{BBOr2v+-9}Z_QgNW|F<*@Yu0)ix;mv$b7rg zyK~|n_SD|+y`^G2{>bNq1LscuAkF<0E29*#y84!T|7M=m+&T26ijAjpPUmH|gZ1`i zE(0q{NWke&^ysq(iT19&)@nw;gzBRD_Sv@G7b_!g6SWW5Z1zhSJAV5dsa_OBtIn%E zF9;C;I;}uz)sBZs=sNn!00`r>FO)}0cs*kbc6RvhhPK=H9L*;SYdxOsl-#?!LimaB z37W1Yshl^vbQE%H(fIrP%EhHv>j>!@%ca`v#CTCu(+VeBS8LYgqUqYLQ;vwY8|PhV z4=Zwf2Wh<@gY%~Y#^U+ex-t{9YfW1)qHL}HQQE9s}q z43C{4E1JePlrTq!ZDA;C6U+%47e+&c0|mxKHejB7QV}oja|Ut#feKesp1mS0zm8Lb z5G~9!P54EIOBFn||I#ZC?bZ0L#4d~mc1zZBDNnJ12@yOe&-j;XK3RX6a)RSvSjXeW1Hb2iS9rQP#z@}ZMexg)FEoj2LqG@WfSoe$XeA}O;w*VF z>u;}o$W`sYpF5@x_SP|!5OaR8(#4))>l{_{&h1Q75?-;aV)^6TZ-=5Un6!=YIY#uyTduMuU@S_9)%s>vRg$Ks=hR9`%Y4H)5_1rL@PC+< zbmCv9Lfztv0a8C$Q%jBcZFRxGn1{^uVq<~#PW@@(1kr`GXu-JgKCRac;SEU*c?!0T zC49u<0~>#pbpG|bYH#jWVuIt39GcWTN@9%hXF7hLc+w;H!QMGDF#b=TDLwH(%b@&Y zJ&b0Lfr1q^u6x|w(pd~!@h2NCCt zEy`PWkT*aGKTSeoraeXNz%{9N=9j3b;zoJkZl9jA=b~1C2FOZYFw5;^Z>ExBdUwE* zD@-(uV<}i&1bGTRg@-yn#eV@K~iQcPhw*G2uW}x}Bsu!CHr`}{&Y)gy9)J0;%$2`(1ZzzvazKHKrr#NU zsa{JmD*Dq@m%=@2V0n0ZHDOHh;X-VJzquITLB)PmNdMsh7#Ea{*GM>709ppMt-~%& zPBY9_l@#`i4(ynuLw)W8&divL1cL>PZT+1|j>z;UEm%hD9#2$E~Lo_B=}wO(wtZP++5 zxH-uT$PW1|H`sS!tE!@^zNCvf6M)`l{5E=J7~GY9c;|x{G{Z6bI_xp*l=b2Hb^5*2 zu4?-hOx<}+@?@J9Ggx5mzpC*mH| z)%tEIwLv(hu#uY%4nxb~+~CQll3q6F(6Ve) zbaabt21al$C5yfZESk~RmsGw&zb&m?H|g?LJBAnmpDAvrV~xg4x+;hNg5Xc@&lg5y z4OHkf?09OlU3XitpEW^A;U$%@x(@c?kD?h-WD*u+e)j@)%2>H$m&;x{fQQ0sN=iz_ zhAOpzm*aI7gxH^rTe!RX0la1T^=T8_h}q8Z#Wb)z9Dd*#n7j zc{sIrU^uc5&`#-Xyr-ZYiew9_Hu8!t-)f3*U?LarlqVoOMVpQAydC}-{mp6yIck+J zhHwRfWS{oe^71Pw8<%Aa_4|f_-oeBQm>cQL1||06`_#aoU~}P@k9+UXttT)fRK{T- z={rxCuAbuf3?47_)itFb4-rCYZ{xB%s`v!u)^q?uq5Zi2b>o2-*&)>x`;)&u08D>J zst5_%xwRrWJjF=!<+J;SX3;=mvaP&egoy=aPV({Q_z|6ruguiDLMvqoi_W}Way?ke zPx1hHcnw@ov_xL!$6tSrY)IMoVCDH0DdIsxLnDd$ z5eh@RpMZ-_eSu4ieW^84^(O~Uqh~&O9r7@QQSZwY2&GV~9!pXvbS(OPljD$iNJQLju|dU`|7^YA&Evfdxpl<0IKVSpK;gyL7?%Ik9T zTnpfx1mA(5qFMeR{FVu^(Ut+W4|1x8fx}D2!z?o~B55!}M|CvKOVkVGxgBWjRW)aE zlgOpoE~CXIC&#jt=-&2c@SJ|RXmHy2n=7_zP!C2+#k(mpsLI;EKG&$gGc(0rqrTl; zTgxY61T>^f`L{A4Yg=7%XC4rQh#}^b>L(+o&2l@_!=<*>y{)pIZ$FLXo$HQoY6;w~ zLffY;uYMAL8U2Oem<$1XlmuK4OD?-w*JeFai=)tq++-0fTVO4jsQcZ5;cXVdUpoWfS%*@1u3SxbK?hR0+&p!7q zC@PW#bmci>!%ww8vWo)Kdcqbr*7u_~jIDV}pA?*?b~)KCPCnKEVgfcQ%2A}e%=Yii zJJaf$K;(Hb`s_DYNm34i_RkFze!Kx_>QfH>_UrHlFX^`CI7ehhkgkyd>=C%0fcb`D z<&TVvjAEP(pKI@MW=quRD{7z=Fo9<#D{Gm>_3MZ@gcNo(=-g}?x18w7L1L5nZ%K7VK#9q>&Ez+*5q}ThMBc_|< zYBkPto;>ggVbZ4_VQ$hTiOW#^3qH={A%{8ZTY*MyC@k9QbAxH4s_Q`Vnov}V-Nl#G zs?#K-7**0+=}P?tx`d@W%_35`X1jONzWlS;?cm3sf4@@&>n|~;Qz?`1!yLPY z+Bs~e-@t24A(h<)FgSTpJf-NTd6tiM0S4RHTgU6ux__Lx@C}RABddOCEf9-dg#BE%Bj#QA%>duUX6r@VCx8yNYFw9G$|ly!cI58;b{$+xOY7vgQE8ou%BOrq z#2Tf?n|UWg9ZkZ$G~ihOTh4lu(??kr9h4G(*-Dl+exTNvT?(6Rw5T1tw-r$&8{HC2 zV(iPy_U)fS+dHOt71p1uB*e#23>{^`FsAtxrpz|~?G&=zlRc!tXEysx3=sEay%ylp z`8t?kbGDN{FS#&UjA5F4!|)^)!+3R;MZZqoAPO8{*NP0MLNj+RGOT-^Dy(?q)m?^-;3=B! za#SAatEwho#yxH_qAq-XgWGB`Rm1I=lJqv--Kp-mjXajV7$`Cs;{?q zR2lAbxm2MRdYtvm7orAx)q*R;Eo~ghMIqp-3(BIgzv>nHUMS;i0?3tVX8p>kvNPRT zs;^y|UmlaxhFIISN=?TNq||b}*~jQsM_+5J(ulF`_A=Bd)?W*?F?^xYbGbJm*X+7O z@Am3YV=RiS51!SqwUZw(Yl|y#OS#x0JHpqpdy&Q!hA*_HsYJTA*uMPeFs9^YuF8&O zjnuNLieY=>u9#ZNr$j%kSTAze69akEZ6BFLHSX->QJQZdd0S zz)?yXqfPS2WVG^yF8&-0eJH%Q={_9tbfIx7UA7nc8H%AlO;3jFw1=PCrBdq({ELsuGFa#(#a(tFG`ov#1j#g zPdO+bRhBoa6z14d~>a%n=*x)KpZx zRZRXfk?f0ujXm|KmKGzu{raMX2T@(`c)pu4N-z2wBV*ojtTj~?yk4>9h`7kaX;{IS zAE#%O6*J<-<)*r*lAyZ3JvGM8qFD&rxvG#oxq9~f^;t&KDOT&(M@j1Vk<6GFAxmB( zdZgp!n$-dNZszDWk8?ZG(U#t+-QEtG>HNJpm}w~nbdElWO}S&+ZU_hznw}PszLoef z5tq!ACR1C))_t*fo{`9;qQ1I{v$y91LcBuMpgP!0m0OguM_P@MMlxe`MBqLr&sh=w z__3APbO%8Zoo{zYIi9Phv)I7IA8aBK`qIe3Okd>(V7=8VaEI7YJ<*7&4)UkJdFnG+ zCglc~(#Wwx!?}tGem};gIwdZY=g9h`^a3X4HFnT)xSL-!#I;mxuiMbnvgKtPk*EJ9 z(Ds>#(SVoVLAx0J)SO9I3Zkuh+_FG>ho|?X z@Uf0Lh_c1FRqEwCZ!GRZpj+Je;{nSQe4?Oq4l;JlwCm6UyHp0NXZ=w(o)Nw$gZ;4u z{LAUQEHb6ZNlU)T(6De?UqS%S7FUh0r9?d=IGHY@_xB01vHGO1ajUSUi818~rQ0)W>hHmAj8rjQYss*l!{}JE8z~w8^y@c3 zX#A@&;y=$B_ah2)BY%3fx<k>}L9-FCccy z)NU8MAhsdxT>)PR7|0HTUwi^|8AkYa-=V%$%Hl2@z+jWybc)0n+axCM^0Yc45m7-^ zwBZc5ETR50I5?;a2g&D4ep-dwlty~5Z;$bRvjRm*=;Agi$;hzHB<~*+Z_d~6k;Xfr znkeZxwCtjMV{SLpG{ zS1Iw2AUPi+kpw1$tMx&9M>Df+>>mBj*ZTuuj;sei3$mcVl6i~sEIby%bSCiR`zvB} zT#D&aWjtLfH`l#9k!}?9wMbWm(Ywg|eUMhObs-upKD$Kd1QtTrpK$FDl5;@4eEhPb zB>22gyI%N|XjtSmF_Dhz2Q7dijn$N9APZEdQ93(jEsgb8l1TiM%g|l|lmu{UZrR5BjOh%kW-Mv&deF1~jxU^jOsN^%1 zTtz6qZ~x;j{4t>Ul@`o(fAEsjSv^t<^VO6mTP3gz?{%@Yp-TDvDXW_*$?D6(KJDhb zcLqO;Hf*6RcoKRnz^j6dS@BiIxG0NZbJ7qaM z_ceCeae=;AlKeEF2uJnN3#>Xgj;r&5OBai%jy_7M)d`Kbs33olH|K5o-XO zlr%#uNC38*H!LcYC07$DT@CmbFp1Oxuww6&I*g36R{Lh4CL_Go$MZ5?VQ;2aNQe^T zc6nI*tt!Cq#!lE}bWPG=bL%YigJ(=^Nj6VrYZ=65IT!wiD=*&;by^wzVU~N#AMY)= zkoVbyVgAV9^}g2o7uNNjL)uMte^Gef-Xo`5Hs@C<0E>?vEsPIOEBC&wyXIUUTFwbb7DCl1Qi`E6i{u-V}7^p{}`9=aC+L9?H9dQWC%P!APn#e1wI-w-{cRc5YzeSK~D8h_?jskq#uhSw!%yBlg_=5pY2&3Z`~<}6o{ zsZ=P@od#6Dpb|aM9=|}`W!n^_zUetsRgGAmJ$4sBmY|(Gx7CgYQ~BwGdoVG^4z69Q zAdh`0N$@LwE12mu+JAaU0;^S|in)OE*(-w(#*rFa!wEz;?OF-uB6ZF~&Dhgz_tD^C-T_hwzY`aO(sJ(n$z}!YY^ytp)Y2cqT2c}rC}Pe9U8cg*Z%I~6 zjS-ytX%TTy#fnkNtlz9#`N{<6+r$bBKZvF6D&y>6POsrP_Y^ZQQr4&xMm&d;G270Covam5(V4wP+>&e4SP{meou>?sV8^*q>j(6frfcZ! zd^oePh>GFWAo#M_-ytNoIifJXxIF#2>1-b@wf;A=Pa4a|V;l=wF-e?+;Vb5esfijJ zJsDN$%XmrwlRq#`*<~Iz$@W`tq&HlFKanaH_775oxOZuPgTvEX5FY8R0 z2+~piu2xuKJ?F@S5RvE%$e9OozA(jI8SsljNK3|eYNT=5# z3JP9&@lE@id>Tv>km~lk2tu10wZo7(-<=cdj-;g1`B;&1NIaO(L+LZ??P^={2D5~K zXVtEgBACH}%>Gc|h99-5we|g!k8Ztt-{%Ta49@T0or-Gg7U*S1qUe4R>lm^QWx+KW z!qYu&gG9^;!%4rmq7unbb2kR7mMe>-RN!?Z%omE;U2fjDy?xEfstnr6g4&D3C)fol zRS*y=S-ImS8REaKONr0eWleNj{UhT;(GlzW)x`v3>}OL;u-(MO2OwQtnU~epv!87+yG!~Lj$5Msl#e$p!IUcd zOLsWSW@9rcwKadrj3qFg^U}DoLaesk*6s+B^eC#cJ(t^+PQD+1`^7XL#buSmx)!_v zvvo??okG#$g+}M3G0umu80KJc1M`1VzecmrtXc51G@Ogc_Ria~cwf);E< z2BMVs{MAK~ce%=#5Hlb?AUi#$$G(?;Tyv6leU^vOuEQHbJD5u6mCTDD9#lCp@NP|V z0MU7n{PkN_H~QiCn)xf;w!V|N_8(9F5bvn;#WrSEOP1O8hG#N7Gl}BV@Fj+lu54=m zYyJlw8JW?P!;o^+nqP*f@}87b%ozAc0Caxvw|A&Df_Il&;A zU>f*xev*vz9$LYUnY+13FLk_ZyBr|y_6$5K|IHmpf}chT^cQxsi%5dfD{XQ>!g%Z_ za}jzBTUpKnJ_%CJ(Ln~St4^gF-?gvU+{U_Utlt}eCFP(Kf1}Icv=&u^;@ncHNelmo z$MLmUq$^+LPiq#qadR+dwSW@3nz5WH9g7_tH&8j-cXf;(?t`pS3iq30Og{a>Uq!zl zuuy+*-&SO%39gxMiF^%pV74#Epd;>HbCoO93$*;?GE3Q=1yVWGS#c@x43{kjAoP>- zNs^O8mbbg`0ZfB|oe8ry?0L~=t+i#4ditX*H5PVJgvnN=fc6}K)r9J<&0IR{5U#$R z!yGW(JvrT+?`V_}hP99L%^QHS`>B$5wkwwJPoI~AG7qh(B@q4CjWR913h%3w7U-Sa z_WA(}P%l}C?@E_-sFL0e_Z9w*dW(5Br(>rxqVY0*yIrinDY0tS7rY>Nt>Cee^l>9| z4tX+ zx>GCOl9Kp@TBmGrcCI0rHZqL;?Wa;C(&0r>9drokT6xVlW3vd+Ly6n2`tid&%yL$F zS5mu3PRd0=RmLR<7-ORI$f0Fh#jI0hY7<_nBl6X$H|^Yb-RW#z(TXWqcU}GKcXDQF9K*?;o$|1%sz}Ba;Dj`yp(w4OoMQY zgk%;w0w{=yroyCJ0n)04*n5K=!Hdc;oB6O zpy}J$U{wme28mQpDrKz(+b@A=ekoPD2`UP&*je=A4S=Lh7W~Sqk?84su;6b_mlM^M zwTDrCUmPcPCG#!{7fA*N~xC4cEB-nX^Et`oeaccq<#C4Idu;v!DZ&U(ba{*cKD=u ziILSMcwsfpclZ_FyD#zR?x?)fy1hBHm;5#?NX9=%cC>~&7yRq)1COeYfPuj_An*zm zn_R?D*k4`L8FlY)e@WqBcSZx?oY+;mPVrc6@N(Iub1A+XVDZB=#do{6A*GfkJ>G3@2*~*mz0?N zGhwzK&oksL;`?DZ=EKOqNE+uJ1!crJm)X)2A3w39F=TZf`QecNp65y8j>o)}7oR=- zus6hNeBwi-)j;`n5^e_cANfuE3}F6wHnzy^B@dmm={_6bPi?8$^Y^;h z^AcEM`4mRHr(E&!$&=fziBs3U-oa79>JVW@@R2c01g8TT#9*+b0tkZTK+P@=_;N%v zfPvicn~oj{`_CYElW+u2!WX^YRBYChu}g3<4$ZW7r*QAqQG))u-sFOz52l0U124{( zhCHQXXi$aP4kP1P-+$>Dpxh!$mb;j%U_Z~7i1$APHEE={W?E@d(g&Y$8uY{N^{EjF zHIcNOiB5!v{`MBrK0lxPxz$B_c=&TLXBs2^t?S$;y%MHt#x%Z!CnSE6V`XM#6~0-X zQc8i>TaSq@`JQ5v@NJ@8!{k`ftTG#HU>6x!t|h!P4Q?y|&atyj#!*r{@FVy*M`5&o z846AWnR!_KRD{{!R`qa9bbSN5S)xB<8pOt4{ZPM+WAs_ct=smfk)CV!>Bybh#lal4 z1G=&4?#G0|`X(lw_Kw-gLZQV4TX_>41kQfSa&0ZA^fW}l%BjMnL|vNzsMu5>&W?}c z6e;*Zi;IgXF9C(^Av5m783Pkedi0fgD>;O#+jdP`C7@)W|60Qo%?> z31QX*vz74A_y)IXa1?KVY;o~O##qklXrd%~e29SeddYQU0JXXI)bn3k9~b$$AwUJN zdyR|71 z!rmhIrd;=Q#@?v%_UpCrv~pX0wsrdr(0o>dmU4*s3dK9V#3A%VA^^_gyd1>s)N-q-P5SY7_%zN98CwrkTt{ zpDrYM;=X8=uiH^7vzbz80eYFCmQ{!SjU+<-&5L32me<^LS)AIvYa{1)J=x>`llq4C zs{LbLIzGm%0SutA$#QoW?=G=N@c^@+xSO+sLL&;*`UU8H&UNUi>*2K;#Cox)>JnJs zzsvSsSnRYHpVq|KY_K}BOmilulTbiN3aJ$1u{-WE|)6YKBQk)+0iI%OaoH(B{I*ie_^B$1gI!TNr2(gI3|;GL1F;U< z>%ls>@U|t)PXUU-lB`&~!-2BG%ik8NoUW6ub=WhSpK|BlgQtyQ=X(;HrJ7h*0m2?8 zx@KR#_G{Iq*^3fHfAJbI+Y^M>oKy1e{gEd-E9pMhXSWPfyRM*y7^j8$>NdSci@C@;OF*uD010g#cnewt{wWs&^}9cwLoH&Dpaz z*NZh3snej%W}3Tpmk)v_KOz*ZsPWT;hLRIPTzArL>%3O=NKRKYNlrB*o4T{Aole(= zHsqoO?OtW8kP}H_pE2=^r)5(2G*rbksUR5+TTj4|H*{kJ-4*!E6=#_LHW2Qo*d@Y%tXSSRm0#jHfkgtvQ6dOVkYb_q@c1o3F==tW}NuSWYMwZ7eW?MGfxs}CqxrL(rGq(n!BbMar z`do!Q^=53;vdtlb*fMO$5jnrx#h}GJnl;K@u#GXyo|#AM>+p?wN@mcbO<<_wFb~1o z8<0c@BDbj=4-F2ceOh@P10zZ9+EGza&9AUT^k6yfI@+JT^sUMj3!K9Hn<3PDT5 zsyc9YS3=UVk#r*2V7Mj{_Q5P+-Tf9*fCb3q69G#yOX!nniI36oJybr@2hhtb{uMd1 z3~mouv0|iJnYlk9(I-93GdRpo7^q0n{aQ8vQkN7$Q3yTU>Gx$7V88x1~&T^qs2>;z8SiNvS{;3)v<`50GZXnzLk$DlrjQcpoI=e@kGd91BsofJjVUP(>5q%*m*?GP=~u_wxyf)LGp?koNgRg^hx3(U4-^WglLzMVtH6U*&_})d| z@BSO4oR`PAwWD=xN5)pS2Kx=Kfb<(%jPn6W~p3fH~5qdCPN3(o=6 z4aOMCS@fFU3?x@gTIQ+GUIHb2I!5rf1N4<)pq?OiX{%STNMXadA87yCTQs0mXjg2` zl=!`Kk82OH}bGix5qFkBc5g`jcdxVD5RxDoy=yjIcbSjKJ+hRG*!~^ zqlqlLr5d%A+lHT1$}q z#6BY{;_czWGtA_;Cc_qMe%Ook8Bp7>0Ws1@iciKdXY%a`8t0MiHBBCsj?LJ$or@1qnUh#E3kEm?EG7~cH6YK>2H(L*BCCjHtrPjr{{^K z+E1tAI=bKJr&wC&e^M0_nBiubzR*Fu!lU$pAKF>aPpJR1<{uj$&uBLCR;J$ao2S4U zxskk1&!dh3mEw_Dz^d#=)qBbeC)NJv&oIY!e`3UNh1tFtiaHG%)id;mvbk3EhbLK` z@z#h=4gC7`D1RuaFxsJl!-jxqDAE;TIVbNYX}YSQ1CcRaCGiow!I^Tyr{}lStp$>E zmp0l)96Uh@Die=3HdlO{`mHq;8PHGUaS!KQiyc&P2&d$41SEI{CxNuv!(y7Fo4cr6 z5|$<>uy$?QpBxA0bM4DAFgd^W-y`&iv6y5NfcgmK2oSRr^?^C}oDo4HoO8R~JmNnH zOe!R5izM&G<;YBQN+6Nd0lu0ow)t7#J7#U|?!Sp`&XeJtiTmYzw)Vb_vRbcWqpYU1 z!6+pu-@;tO^ueFXX;0*=WI`3g?b7O4id}}B=)|z4rp7S=`v!cN28OG~h}$c+6nKt-sOk>O+Dyrt=yptbu| z{YFn(h)D78 zG-U3*$9fL&U{h%c{!XvnQ8Qi{7q_*L$ToJX{sS@?n1C)bU5(Its;fn^(VcvW8GT|@ z_9N!@Q33xHoA7&sW0{1;LLCX{t_PAUZ2JZ6lt7e^L~??USG06<6N|%X$^q^I-6uiQ zC_<>g%St|a4YVm()ia-u&!+VH+p-&3nBx2U+-N*L>-YOrptYbO8o zS#6D3jOmT5YJj-?1U|o@+kv+YdNeKqy$)Sv6N*5hdx9{)NT1sgzdqau-^ssaoaI5v zFTnQg-1~OyM#f{{E}AzNlOIO<5LDjuh)b$oqP!N*b8s*xG=o(JO^91O`p1+N+=mzW z!DDl7i}QswOpu&5+GDu&+VTEx$d~JIwdVH5(fhtW?P2NFwY3NV_0g(JY|npWpV8Pb zr@*!Qnd1B85GtQrA_^e~4}jL?+A-#4Et7Jb^TBOUjU&+wjow0(Rj2j_VO1(n!U|h#G4Nv!rxr+J*93FkN+u_diHLv*14y{(&C$q7?&^-1{v|lX)+_bU;2TOqk1FwrqqVk0&!h3o1JVY59$$?coZQX8KdBs(VL z;KU3dsG^hEs0?{;$4-zc6mKx@@3(K&Q@I`TO|@^x0UjJs6b*AATbj}}Eml`^IzgPu ztX^5gan*e6C!T=Ff{&|vDkRZ8kl(9Msv#!jksg&1fh)`PH3VPg_UW#zL9nZ;U}s9M zdGAGYk2b$Xcm3awe`3QMJix+5)A}^kb<%JX#I*aX-3DfCAXR zTFH-o)eCI-A}Shm2(DN zeLX?V9H&Skg{HB}h(%W3c#MfwG=|4+!w%c4a_V+qZ z)ylw^#l!0c5gRnV3)#^JTE}gEKORRh{a)|vp;!1@|2*#;+wpdw|Hk-6Se=mSVv^x zEd=JVt+`_$_Xgxz6q(UFpsT~$@QZ$DqAG-=Y=dPfnMH{V&i&4TFQvB#ZpN9Dw&&)t zZs>8J`sz3t_4+s){f)7-M%YnT>&;wzlCyBKZvuUkR9&(s1%zzVCZ#^k_=L+HJ@1(fK_w z09}R3s;9D>7PyV@(XrF$s#oc;@VOpvQBfmt*&awC>7C0PkjJVm{tUob?|6>?n<|nK zkPY0yZKZ>o^Sv6=J=Z4Z>l%(Q+xJO~sVd6^zekQFbGlpj=Q58O3 zD#pj4QRzN`0t|Nl(TLDdN*>k-4WWx(#-=e2WkA|U0b8av9XQD+|BqJ!U(AfPUijg} z5x-P#%VsK505af?^DV&7{y;_jZz%r5pUq7V9j(!pd23Z;%HZ(Bhl%s{f}nr)w2Wzl z&Qq8kFPf`wkFKNjMSsH}5Lh&MWC38cDTIny{CO5|wYE&RdH@mb>>kCh82HwUH&=)Z z;NOhuXVZwubtixo3JlHv^{M|jO!?>KKU~#+G-jhm|5mp8S405lcE=;e|GLtD95xlm zn=bqBZ8|dhs@&sZ<^1;zd-$|CIRK^l|MhADAFKXv=Xb>X zX9sw=mVa;S@$5-HD3$30O;>8?Gl;=K=QbAbG*j9S0E79zo9Z~1&7uV}kwRDal4o|B zx8h;uZ>)cGtp9%Pdi>|Ae{|3PenQ+&zx;oHqA>dZc61zB9HsWzC{@cMe#~e!+`$-e1N6H literal 0 HcmV?d00001 diff --git a/docs/images/otel-jaeger-demo.png b/docs/images/otel-jaeger-demo.png new file mode 100644 index 0000000000000000000000000000000000000000..006b23c34de68375ed40377e14707493112ef2f4 GIT binary patch literal 120283 zcmeFY_dDBd{|Bs7b!n*;>*_#JtM<%QilX-3RkcFw*rbDM)u@@;MeRKjJ83COY+^;E z_KcVbVm#^n{a)Yue(pcu`RVx_ha>r%M6D>ZO><*`$ z8u*N0+$}7d5EbUdmP;0=@W(>vu&J~$P=({_`_$Qi;VNwh;|C(eepl0PXKR z=lGuO%bRnwA&SAzcNN>MP|Llt`1!zrWh-ye#-we;>y)f4_h$E*mPP`A`t|+<(4^`uyUf^8^32M01|` zjnjXxo%{4%{J+*-zgGRt_Frp%f4}$tf4%;Vn1XSk%=3y}CiJB`b_?1a9b9xa5U9_$lYwv#{B` zaTF?|dsqp*YcrB2afiUdE%{M@Sq)>{tRWBCoY3Kv_cJhhcWXV4MQ@Xiprt)LR*r>( zN8IzBHpiD*&BwTJ*a?j`LcRcOvDyS|y=i2u7>EsY(r2n};yPMBzt}KwWF1fZ5n=6K z!i?CZv8uLtSi2C|SCPV4QF z{l#9JtM$AW`ViyuzGOGoV~Jy-{OC`{G|@Xfbok(ZjL*|6uZ?P*MN`8G@Ib=^hMDxj zZe4}4nR-8?X%+E05Rq>ECX*l^By&kY@~Ic6oM712e440zP6~iHz`xvQnE@^Eo+ioany*Bq@%gRXEHJAsauv?>aK~ns)ZTPz7w1M-Y>eO&Ff}(5n&E}DBy!ujsYkr`ygz-2w-Svj6g0LniH?! z7!}UkD?KJ^tG1ORj-}-Xeo>B6=l?lIBNtePVlc_HG=?TQ%f0g4I9%VBlR-FrN)P{E#U=A@n4b80<93bMp0V$(!BbjM-h z!Ti%{kLXXs`W}w9a_Y?{w%-9-kqM@~=DE=yJOo(P!op9NS!GmzC= zb%&P#{F_-63D3W!A?{<(;JD0pxBy~mBx0o&Dl|TQX?@x#B6etk=d5%{j3?v!$uCe$ z6QqTM1zWA<2Z*cXJ^wwz%tVm>f6eY%VYMoZUo)f@1;7?wSM3UVgXr7KT;G{H6lY@d zzqCP`2vmY(9aqn=4gONnci3*F{pVa*qy-c%7%NAs5vPhzF0tGUI{){ZueUH2m}mMZ z&Vokn&@%H-D?vVw(cXG#fv&Wj!ad1>20Ho3;$7~7^>z`ZF-u)~gOG2LRkhs##M!=P zm){Mrq=QA;G|8WmsYzw2BP;?u<7rQsI{dg^3yxjO_g8L43SZw-gM9M4BA+)bQ*CK^ zO?fpws=1;hGE+N*_>WC|?}+&mlp6vrN*ZJr+K!pQrahN}(a8Zn)3#uBi)qI{L9i;H z==aE-*cmpwmVVBd_Dl&zIW+6ow)LzCovxczepbI$B}x5%QOW7KeMEC`#A@u9XQeSc z5B${=n5nn8g4kZQf6n2xK-|ARuVM7V(BSQp@{b|wb&`wW7*gb;@*tN4hI0O9(fvTL zCf+l|Bc>}Vqo+BmswGBz$R_3V;+^X>e|H5YlN|zM z?wvjMgUp`uFeHWXRD8*yBgg55kdG-H{9y-Iw7*naeZ;3!pLaGXVTe*V<7}dwYNR1v z=8+sM$+i5mt<0W{wtMpyke^41pL!+Zu2!{ZcuwI;`u0Kl)aQ$&WmO)FOPL}3y-CKvot!=Ch z8x*ZQ{2YdoCBy4=9?tSFFQ+0tdh+#rH33Ih_MHc2^B*=ZCo^hVNe%>ta!NgeaslR1 zqB^gjI4BH*=*8FIKsgdoc%>A(=FjQ*;IX5rz~-|CUJ*asX7JpJ-%MhLM`9hQdi|jN zlub=h-cn0?)3jf9y}x5?LU*~QE^yl@X2mJyTrVNM-kvru&OixHCbk~N)mxW^rGbg_ zkD)+aPDE?}Fey zlD02n%W7ZbqBG!Azf@=et>s@2`oT&rtQZ-d?A%%13;l&BiYsPG0Mn5y)?9XZR-%U&NQ@}*d^--9 zuVgp&O*_Rz5vcodCOmRD#dT*PW-Qz~AiHqyn{7#M&|Uk?A^KJ(^5BC$+xTzbo9B}E zUM)Mkz|`jhHM37Ajc~Zoa9&h>^$Xcw)9K&B$&Svwzh$&3z3u1x#9xR{n#D#h?#=Ky zI_tmP4K^AJ153g3m%G+CvGRcI_JHi*Pe3zn2F2&lV1>@Kng;`8;%B~^n1IiveLh{T z$Pq6BYfPrhbAl^t-)A%2<6kazdTmV)=xMh;c`cmn{kU2Rz8b9O#c7?FSMlS)?i_={ zg{WQY6zEv1iz|H8D^T+3jrGa~J=Zo7Q1Pw@ZSkVeJBitj@x9rpO8D8f*}BJ8VTLsk zG)k0%HCTTL1~rmWfqR~xPgk$wf`c1*b|7wUQ1{*(5~ZjIP$92=i2cJB+xf< zip-TGHqaak+{nH=+Zvd*rDqFA?b>Nm>h3(ri;hWCkkBD3omDW9Ep*-8<951kin#fn z;pD1q=_=XnD{p$Oo$v*px%Wd`VlcXuSV}`M&_1}f!{yz4<}rBrhW~_()70C=PQ+vL z)v@f|)X?g{4rT4Im*HZz(F5Y4a8j}y(NCHGQ_R3v=!eeU08=_k5{o;9gVM=inhcpX zePYj&oobI~qZjO7Avb4#S+hG$BYKo{UYAZmS*klvrJW$j5n|BgxKChJ@U*q(Bq(pm5}fY-?hdyL9R2W5$+7AbO`!lQsM|po zj*#y{QC(j|I+w*z{-68~cT{C^LS3UF`0`99;B;SD1e!dBuu2g%*)P4{tvO9CPPDzi znO(&lXtlqVp7F%U3#n$6+GP)R%^7ivtirWa^{;=-M8Uvi|B=v&o>SHuIp=T zt?W$NIdR&YF6uL}#5EO%UMM9nktmbI|I6UXOmCdN`wAHEa<7&*JCzACgn4ycr;Gkm zASJY3kNNWCYka8W68FqSMS4NI&RaMoJNU5R%5ON^H0v-HdnGQ5Wj=kVvDL8TKqZGv~RbqEtH|Ygjd-k2XiBrGj z4X7*bm&khB-Z#nqb+Hc6ipNQkfsY;~<)dZ*Bv*~JQBZURd28{mqFut#^^B5mhOvl( zJ*GroVr?e^E0tUd_J|#P4HOz(Vvy$VL=cN_1F9#|xl<43!U>Ag?(f5;gBr^33;}hyt0OB1I;sLiOJU7cjF(B6qRE+<*5|2?0l^2jCVvE( zSov4RT03GySS$TZ%x3!n-yxTuIOTLda+DJ2p_DGU8T=~8!0P<2P4U<2PXjuv=m=So zb=A=Nq3g9ErJ-@w3oIwwulZK9r6}o z(icL36B&a`x-1sp=7s|^NyJpX-)5DGA|#UOG0Ab-<7`HoYr@h#C2+evnvoP*a=_PO zPM(}>A8(bM<1Xd_qPQ0}rVV5YHilI))6ED8tf8=jWA4^7H<$J3F!9dcHX`XvCo!?EKyTi&!9i|;HMVsZpN;J353<3TBl0h$+} zl5(9R!4jo6(+f#(-k5 zepa#3ht1GD25C9dx3$*{m%D7oEXiHJ>^%yEM{y@kGLZq%4#GobOVjVK)JTK8@saRf z+wkcbpz$sRU+!`e*HXOM*82@?DfVLt!&(a9rfyIc;gtjFLYJ_U)b-#*(WyQZk4R{p2)F#L?%U5MN7 ze_dme>{A=!o0|JmngUZSGGTUCB2Mtg$3S3`w`qib)~ppR5b~;#t)-Eh&UWr(g}57Y zw#R0S64<~@aJ1m%Q<4BC5o#!jh#57jq> z0f7Cm>%#{Xu)38-u8y!u1!U|HZ6@|<@jEy{qU%wlzuWjyB@PU{(INb)0)I#=={gk_ zllr@%-`m_z$-FRMhslG`MtMG7W+q`_Y`9X&N0QBAVD4r|q6Y*MPoCp7~U zVyqQp?4qmPB|6Q(MDW8qmH>pz1cyUSiA$Ij@13f_8F5 zoy|=XXu!{6@{F(Go~q& zz$}`SHhzYcr%_t6$VRtIIBte8*Ptr-xHs~P^wtZ`^VNBDT#pF>HSRt+{*`-|mv8fY zwOHI*`z3mT9{4+4I2bLt_nQIW{Zfebe$3+c?nXvUb4isvE6Uw6*phH&ML_*IM(J7g zbkU9&sCDh>EtiP$N0XG8W%r!Uo4bGck1O0@TLDafzP-`a8J`G#d57y2&gi>B@_~YO z)~3aqitw*dIV(S$bmP2yUNnFCs@enGl*$^v8;=1;G1!tH)1*<$@UUgQbG`H4%N3P$ z3XB1MBB34aQNcai5>s}7<_AOc=YGHHlNjsrDdRV6s16BPja5^j$#}5b7xJa8wq^snUF8m-%+&%2O^RaUBj~J=*2K(qu)cfP*2`sT zcaoGUYSY@)ba6R~ZGNGke56-npwTEKdMJGH)2HxX3j2l!Li2m5k!VQm{6y!3`zGZH zh;7z$J{|%P-||{k5g(5in-O-{t>^Kg}`1|@T)#W%7Lw2mey4}s~xVo z7$Rj%;0_#5dpy0LfKVK7Kim(o5Lpmd>;smNwfZ%Bw{+U~77l1Jd^Ia9B7BF|C;OGc zOq=bOSIg;n1uA|a-!_XvyeP~|A-coIPF=1`PW^HGE@c+HjT&iVcHv7{-YD!Q3%S+( z+kuy%M8`C5L+p>f(8kFD=iZmFFyxsKI6z^nJ*Y4@WjUAf{gh6j8H<;MmD5T(^oVvy zd(|39mo@@{#m+qIFY(ZvX>IX45R~yb#a>ow*)1_9a+G@Q&Nym=Y+6oDms`KPxS>WV z)p#nh_PT@$K<-+%+9}}Bo5nq`PYz0b*_+dP4-NU69HWehH z;DTpYdJ3j*h5(4JQ}St;!h@ayRl&Gqj$0BJ*z19FtU>WpaZp>L{ADF?LrJFtT>r`1 z;yI$h?j1l>pdPU|)F=~oQG937Ewd1K6LOO$;O657`sV?Ljf29*yR_8Aqr%iRHHH{wJ}%2vD!Jyj{K9M7cw6Agn`MT;X(gny8+UNfjM7qwoCe{n zZaU3d?Ur6;AqWP8<`)zwpJKT7_sFVmMHZ6M$tnQuY_!eHRpNYF&}0OGj-rZETU_n z;|p=xt~{tm@_|J!rL3x2%lyubBW7-fI#x8kH%BF-#5nl+mF8=;!L`xs-YDw|)J^}> zc;yT+5B!eZ47G4W;~rb$A_oLH1e5QuKJrwi(}j!`F^zru5z2j3W%KayP4Oj^x&CpZ z4ajOC(&uJ0ciX z%Dq>4U{)`i2`_ioD^XJdLfJB2ZKQWE4Exd~nQqVa@gKCPQ!|CBYB`_gy1_c2;a7)q zn>Y`*kx2~e4bCBaTGfLPL2154NsckvGf#yT{s{bTS;3v)!I3+;DHl!)%-aQpIh=xR zc`h@2>r{+v4v(s-TmMYa&8{Q~L5J}~uhU1^0#sT4CCps!JKTUA_g>wSdI$I3Mvl1% zGdJsF%;t-%3S^|D1MF}Kz~gAi$g@_E6WUt(BDr~yvCn@kT{I?RNp)iK&X9KEnUbm( z6+9Sg4uT}x=e8MtQ&SS}m;G#~uvEF57%l4{Tca}oB!;}0L0o4tjj7Zqn`<@)r^jd> zG#xl}ZB|KDdX=?dwL@Pj3YFTeiTf0ih~6y$S75*A983u8iwu5Jb=+Q-lkNQlW$ijS zFAaTvUb-nCEb8NF3I9MEaEKiVD!JOY&achSyWv(6YN#7iHxU2YFb5t`~Sfs80eI49l;f|kF zd!P;V?UGbqxHcj=yt`U%3glbM zfoWZ7VtWfH9vBgEts9vDJU%EaXLB~oMeCwkN9Bwak@s(d=oAb_yS(AHn@!6wMNW!F2gW{VMas)?cXkc||; z0zr??Y&I;P!AB3bSJRec)Osz74l9zOC;!4xx7QV`qex!O+(2*;ot;zSb}Mp#XCe!3 zxyojO?TE0>La$XRofi6h$0&T#>b7$-{L{7?#D~s+J%mK;T9ZmDf&A04*9okP7;^P3 z%E<=#Lc>HVt#j|Ya>s_lwbDwHlcRkwru~ZiAJpr6gx%!~PC@zfb1T`<)5$RsZEc(9 zY1oUA0&ON{X2;;xPqMzQVScsry+~2Y&kgq4xL)KA%MoYMw7^S6eP$}JX?Xl%UkLfx z=*?7lSYE#g)*UsB3(X!$sOu3cEOrM3+e*U>^@AC5`|oED|Ls~565-;^?SVHHSCxkb z@PwEe&=jT2oo)d1sO45=c`fIiejHqHpdrHsd!4ZX2o5=n0+99SX6uw=<|AFpMuM#> z=%pGTJXBnzc8IN4tuqIgE=KmeE@;jgUJ+K}xa~e{3*}m#PQ}hl{SG;DHH~kVaIGI8?rti z-sF>WPOQm@u%T>WnPc%QelNJzAbDsuitLSLW*E^@u@1|q3G~;%BFsAc_jo5B=09k9 zFWj{{;4T;+q<7yWFWc+pR|jOh)kpVEyM1|`(eTL2{79{`Dd~@xLHyAUC%r!U;W9Yo zCWqe)7fUIMi*0SO_z;{UH~zN^9oB`GNy=|KP0YkIsE1K*-r=Ce?-gH%^hbRs`wWS_ z9Iv#&+Wa*$sGzSIw}_8T=R8;7=(>_%3qvSYxxkx{}dEuQ>0x%NpV?WCtL!9VDpKxnUyaND;i$?-At?t!n ze(On_q*A{(u;rS^U8_2j=J>R&04OyM98PcSI<}VPca+11{rIb2NRjj+A96#le-8sv zPH2Qdj_|6oM-)F^1%;Mroy30;^jn#1A^mt=aWX#aaFNBb`B8s{Y~FlV9Cm6c&ZcjR zDFffvhmVVe3r&gQ){HGBSC&0+ zA=gwQey%XX@)qfAiGGF-!!h`}J>e^#sg%#n!f@%Bja9;vHDxN7wGdLJw9Xi6tvpk( z{rY1+hD0T&YJtN`k|Ll4!zo!c`|QB)rGw7{VDg#tOCA!)`#eTBwI_Gt4SzfQevJ*i zqW^WxqEM{9sZwHNlL2C%F-Hrm=q7@F8EeR4Y$P=u1b2x6mwCCqyHcbyOu*9R@NI)O z=Tt!L1sknd(spRh3?ZX5ILM$BL7u1g$e1WE*Wu~BkCE=L|82L7_cKK6R7atfpJ)eo zHyt4aR)+|qJ*C?*J`;nZhgn=R`-$&znc(9tu2HTHl_|MFH-~?z^MN+gJyuVksKro- z6YvTORXC?v)Uffe#S(f0J|$)2R!9)=+?az0fsQRpT@t^gRtk+PdAvQo-6}!Gf7ya%MFlB+uQHSL@adtP(rM_%-2lI#asCLWnuoFV_A*)&nPp8BKX-_^ z^5^k=^=o#3iTq4@yq&Z`{i=Q8u`_g^FlQA3H@iz1ZS=nnCo+`2Y437r^U+;RscM_i zoNSt2?V_QAc!o~g^~H{o8%Pr@FC@<|NZ)#fZ>h#`>wc422Yf$={&}nX;Vp$YJuMh_ z+d@_?AXa#9$4YHgUP?}6!1^-(Or&u_OnT_d+?ZCXyfpKsz5i+f=|&j>HbJaU<0aQ4cu^C&dZ*|J(!;FxsJ!k@sGB6AsWdNcwzl(vjbYo{dI|EXx}^6rkq$|b9LBkH zcFXG`ukt~)_8noW0-H?+7c-S}M<-n@?+G0(S(Y-f9{KHveYGe}m6M4GH-xY2X<%Jc zF2!26j6WlIc*$!0EYXM}o>lRRn3eb8vmP4W68ArImvuO5pDN0ad!ueR&rB#waoBYy z)Tec92VIAW?5Hh+YKpmC4880~_ce|twlBQDF)WnXgOKW0sKd%89bt8%cJ6-msF;_F zqnHsRd>KB6;Mp3+No{cG z@#fF^*oPxQp?G>#)CfyZpm6%5d^gApK4y*CI_jk1ma0F;E4UCbKOo?YuWo%EV$$qe z*%gMukd%{gL|RXMal!CZ(CF5P$p5H|!dN&s+?q-15z8Zmy4VU=%+$Zh6ZYGB>=Ei(VoL2B~Y0xIVCvJ1}x;~`T9H~4Sn6%FC&KXfW zkf?j$d({cGQ~feq`>BsClLvaLJakjXXCv3E$p1ofMxJ?p;Xqup-ibjB9WEn5MyMUc zl&1mJ&f4Ix@MhR8I+dD+_2f{?oci`M1a1kg;V!UgVSq|9oT0{zwGG3+X}7+`&%M_* zZBzGf@ufZ6bjBcuyQ1P*1}Atn-;whhqhqVH>I907TSu{7opvmavZC)|bg(gaDQQH- z;>MaNv0vdc#Eeo_U>yv9gpop}SUhbq%AEF@IP`&y6+a?q*%aoB^RCWLM&!uh_w;-X zZD~_tMkn$|_e(BNV~`*<1bynPN{~6hz)4n8tE)9Ya3*&4s;a;#SJ$GXF}E8jBcT8Ih_R5yZM15$ zQ##-6CbtQMk6Jc6D0Tzp!t&Z?e`2JdP0Tjg>Nu?aHM=H-gW42Vy?nA2577JVg4!N!RoU-Qp#@@MKxIEilxK7-j z>HYAk@1uJuvy%0aY^Kt9=0U-JSqi;!yVd#oe7>EZJf9HKW;o5d6$uP@f&CT%i_lTa z7~1Efk6?!0Sjb2nihXyu%l_$I&Sq-O;5JjImadplqu{WsuERv9eu_x+&yoACI{(EC zvN>#fze{^)nupsNI~KP;)?fo##h2AuKYJDr$!IQ#ExOopW9RZ`@d}_{M^n~ogD#}1CU{XFLXs#$PgV8_ zGK1Q(-#~`i+-E|?=ynuu~~9SMk7a- z?7PZRxEBhXYgP38oSpE{d`8Y$GH2&CqykL4!rOYu{2)2sN;=qBV=|zFQ^VpFyl-vU zIwUKGisDrKL2*#W?-ma+ZGS9+h9y!A;ZTp^TPKWqdR^!8NJNCler{k;s4?ENGC$OE}(Gp%^n${hp< zc&2~$TML2BpWA#Or0HwADr%lBT1~c}*(cK|~H$HEYc!)bI7D8%o#( zKs&nX^awjvN%t&@@-V&i#1Cun8=^FvX*!?${q)j7Q;KDEctTFx*+S1j(7E#>h zLMlW*r0J?K{RTPsP8BuH|L^tH;QrS2ugZ(=7DdbBW{fwP6(udxbbVu*m;dkx)_5~66ue%}4N-K_#rC%}v?=1T6U^+mS z1_&Z~hxRg!X1>;!X*HPv2bbNqT}U1AhlP5B|!(S3wal zX2~?vNRze8q5QTTQ;tbZH=0|;Ug-JA0UI#*C=e8A-Y5||X{7C`sDf=AV z?_p%y#bF+=8QC~>JlRa8ii+dCkl8^T4WfWzur%!Jt2SnE`Qsmo7i+45s!h<|4|nIT zV8=@;?!jYq^FgQf{_8Vrovgi0-I-e^)oUEUXL*0($0efRHkv9fpq7;6b3CTJq{7}u zFj2pCwMD~B%K2z(Wx&s(0Tsi&Q-r)rRa2vXPk@i6=;N(GB2ATj?rKX9{ zOCi}JBE`BF)@9L82(dVcK~TB@v-_Y_DcIjEeO%^dLlZwT518`9;wowiWPxxzD9>nQ zM`pgsnLw+Y0w|ng{V@?2`lwQsmg6D(B|VLl%BBDNvLHU zOX3p)5J=y{ykNALnV>qp{HxG~g_R;q-8EAJz+{A8S=j%hT(Vq)pK_Nq7c19->a;Al zkyqF6IzGJEi?Qoca31e5#BOMG7|yrPK{HfF~iO;Z4TI( zZ|U!2(<|yzLcWUhy{HvaJMdn#402j}8pAnbyPbIt(_mum`aY~QFQ3(5fy=+*fZaH6 zfvnGE58KKTX^hU%MD`L^5lDpP-P`d|>$1-iorF#1pr|nzH!|OR{xW|>a{BVKta8~x<(s={5I-~88}h*XPcLX(CXp;5Bp}&k`F(i}C9Gqs=lvMof5@Od&dpNtA zOk}%(KkV_-gdFSjvV#0tL(j>~c8jCq2Ze^Ef~RysX=mYcGUBa^r~%aCy4ywxlE8w5wV&_`m~pp*_i#+y0J_*$vM;hv>E zdM)oh72oz(@g<(bx$bO4q@nIjE)()BZwrkMfu=%pt@CBIUT=RK_LukYZ%c1BQqiG2 zt3+;wWOw>&o6f0My6kM(M169}*?LTyt~hBM1>UzKoK#}!eBC(g;0o7%R)5lcs~jE3 zQmWL>w^p9~@n~m17pQ01B;4)th-2nwe$-*Xi5k)P^4&Gh-FG+9#bQf1t1kgM8X@(f zy)LW)T4nf>Tanhdc91!VOBk`%XxY8%Ymd6!8Dy7GAY@jgn$3wYb-LmDEk#GA=Mh29 zsN@Hzv0G!(rlD8e&(IQevHK)%M|hy%3f#>}Qiz*~uChROON?ph0KZ;$t?1N2W9SG+ zO`cA?C6>O`Oml+Fl#`0{q5t+sBlnA0Z@h086y5Bnt&-*|JYv=C##B_|;Zw<0BsFax z*?jP*imt0~q$r$wJ6uhUYp_4a6q?yO1e_JHEyGq=D>1id9TL?|(89+E(&>#QDcAeU z^UI}hh%SH0PCjASv2a725q`13!I7B|Poj7_lK z>RQX5oZ zxK|TV`K6r8*Y+*JU7QHKZ%h+YK+ggE`B#Vkj_uV}uTN6_*gV~OS5#bt@d(*Xe`)4{ zeQTA~u2b*eLgnte^4n2<-G+Q_Q#Mh^=a}PD|CLROy7Opltt9k^H&|&dPN-n_Gzs6e z=3tZxbF$B`V2ggSF(%mI`#r20vcI&4mdIs@>g-VU=YM4$MVy53 zCENXn34s2X!0r_m>OCL~`< z2G#h8ite@+O4jD;dZojy(i20km@M$F*7|2EC0+L0+WkTP{1Afd0$DDhQ2kwNwvAJW z&PLGJHh06Wxf#%!vZ6R{TVdT`dckYWez6-sAMl*<3Bhu6BvEH^FdtmYJz_habniD^fZ!v8%*?RFgc5ow zN(whfuW|m<%mpI85z?^dLDDIR-BpYc-54R z24-C6qYM54?}NiTM_Ty3cpuE7J8l&D1|zIP6Km~lh{qHaIy(0Uuh#{l!+6|vNG{XE zHQIcoi%%9}*4Fn@3?)R5~N)f3#@| zEZ3UujgvFlB~|!DM9#aZYI;E(@m3A5`CqT#eN^ zRZH)(Ur@2!77S5G_0UwY0~!XO){3mYlvGaD!i zdijmFY=UV2r8|a^0td~a>M&^+Hvnwd8_NR6{Ngs_CC4wzc*Nd0dB}mMN9z;M5*+ls z-raG6gAJV4F~&;ASAH8MEb00ew}gymM)_Q&%{Jb2DNQ9BRp{ay_Z&oA(>&58oYR7u+YtK)~UV4PqGFq1Bd>c>V4o+q2z6SlmTrebEU)%OGjA2+O zljyzKk?+F-!t%T3UTo|xh5sr>9hLe}+MfCmVmp=MMn>2v3YFy~rM+y|XhmB{#g)=8 zr%}6IC47+P6y`^}??w;hpm7*%rt2F;Ff>i6AEoG@+In`;&EN2hjQd@ki(n%_4S zd8@dZ-8U#MB5OKPoY~Ffq-M`|Q($LOIXBW}PNjdK7JO8jHji%HSFvaEhhe06+{S4w5%L%7j|407 zfLa{qnI7fB3R(`nqUo>SbX_$JWdi!;FpOyG4+#gO7-GO0$C-cBoEl8cu}|{{87^t%cyWv-jTurLzVVeFHq6Y z8=C&uWc_g2v^m^0(&a_{Re(o>(H^eFDlJJ8l3le4o<=|T+7)X6A-igvQa{?&E0aV%u!A#%?=QBmPu`w zlU1qB)XgW8>6p7Tk;%zHfl?%Y;sN(^RO^&;nM$_Bvg(TL_yjS)idq-)g<^q9zXA^p zN|2}Dwv<#nO1_HL>rN0Weg84Nzu6W!ElSPj)m+wEFq+T1KP$#<(8$6$*tUsKo@U ze8ewKy6@{`-Q?{Zw$I~r>92W8(5ye-Kgl))w<}&!5Z8=rZ84#31)5!=F*ZrQqJY}& zWDhz$T!wq)rF)+DJQv~1X7cUrPzfD*ZDx|n%Lp&0r04f}D3zUyYgxClt2glW*TmWc z?Zk8S({}8t?hS``_Z#zzn<^GAGiK1gh1FA~ta{ni*Wi;lbk?pYv`Kp?JWF_10Oe(< zEi0%YPD{oVUDD|BrJ%nvYM%KbHaU;0m>VxXJBo%HZD;8uW;azmV=Xz!gAP5bcNkS3 z4g1LmSOpAzY0~4jamsS#uUHl>1qYdqa0vR(jHqO0o~P##L)zM7OH}LT9c-8mgmWI3 z;#T$hf*^YFC2Om6;u3TInN-ERki=o0a(kBZSQ#az~sKQ4qN5IWK-~hQMo3ByJkSKMqgZgrc|tygQbjBJK!sf0`@Cr zTR)-A@-7YuGt=q<*ypWwdJ|@)X;Qn1Amy`WNrL$DCH#m~iRyDGj0}E{j2S?U@5WvC zM&gPN?TLERjA$I~zLKJwn?uNFxCP_;xZyfU3hup<52<2oA-*D;|M~qhh3ACO-sa0= z6Zy_t16HS8T#D`UJ5Dv^u3LRxWo6X4koz7!3hm)Mb?Iur)f%_76C5Qjt>xb2{Dd<; zjjeOSxg~?yM_dAkT%m97(fu|@gs>9B@6bu(w74m%Ia;w~x7?)ArF$%W<4vo1Nt26x%5Z zIk#1n6Y{;xsLY43-Zm%p;tRboy<(V?KT~jwSbtQPBrd9+d{ zggsCS`YJEm^Y4EQns1cei-4i_2B!Dk+XPSq9ZHhtHq(n>XXB?KTFkBGuxvmsJAjp} zVNt~5ScZABE=J>7U9$JaNqi%N+t<(S!kfF#x977V#Z$@oeU-q926o~g&b|<|^p@KD zyg=|$KepkfR}(qE?E-4nZt?chV%Ai;fyRtslc=-ZyfsEU?S`R%?@zUT&!_^%dJ>wM`zlaW*#^-4l}7sn0ww{^k5Z(Y6rdK1z#E0QnK}?%iGt z5ww%NDTScp#N3-YP{IS1$xF7E@pjiX)!DG0W}s=`4qZvjofxR#*wJj~So$bT&6M9sPFIz`Io6?1jf7uG4~RJ@Um%B~LO*w{KOClnk42*JQImz&82>|JEfiVvl=W03BvogR)~ zcRwOQXU%s3`x_f?mAHpQbO@9f|3m$RP-{8t`Dihsr9UNaSC zY-LG*p`S*N+NA74=Ch^7tc5-Bq)h5K#wJ2msEK}Pfk}9G#!4jBsiVkF+w$Kq#LNi2 zw1^Ce!g*;g4ER6LoE|SN+;7%^AZby4`T0EdgF zas%2d+@%bE;tUwB2e5UYdZ< z54wtTwgb(l>Kz)FuuB8i`)p?wpl&azvPqtiPl{jGMPh<=#%oL?i+$qlXJgUvhf0al zreUEwp+clv*Aodz!>YP`N;?Decj!19yjeg~q~Y2$6dL`@=b1bNiS9dhN}UNAug<-| z{`X-qr{XgopysIje9#@ng~!N&^n^OuvjnT-;=y+L{qa}!e23^u^P`2vFH97EMlj@( z=uaw@IPm4qARWD})Y-7_$i6S6qh`&AH5pX$Y@uG^?C(zcKk)P1;%3;z-z|j9-5EKs z51m{(v2vH&W~9cYBjR4n_Ro>cP8)-un)c;-M0$Uv9p14b?eMdl3^cI`7l95w*SHGM>st#gW$|K~9~@LXi4UaabP< zpFqFvo3V@}g22NpPAaX5E2BTJ&SR5B6>TlrpHk8|Z1?0Xcci*F2CnZ`*~sNs+p=Vx z@RV5ALEE+#sl9dc-}wIt_g^`vL(nFTjg4~9(-z3J*8;A1zw#L;t4PwwcX`WV(Y1|- zX62hLrWeuyeFRtd;^z|+-J4->6Ku@7>*eWE8zCGp4^(GR8GO`TrcrZpBI5SOm8QYW zchT!0bJ^v4T-x=1_wzcctZoxv? z7DPb6vPFu3fb?bqwkSm)p@xV^3tb>cR}oMYu+UrRB_RX|2{lAz15!f^p(7v!5<&~1 zg>o03ea`ot^WEn@&;5Px`XPBHm}Jd0=a^%>;~npSC5hS#t^RmC!t0=K>$uQS{zF~p ztg9QpY^cR)fXc|9qP@7{(2&$pk%EFiiLSVqfKY4p@wt%-WJxW-O}? z6(QyO;1VNlqrJ90A{DJlU(jd9zPO$5&#asZokbMCBXGvhjs2om&Sc?F#KJta!=J3n zIN1E=biaN4#{Fby2}kBJb@qf$7^1XkY1fpvw~Z3hP$>R-o3v#|-FF*9nid+)k8AHeES^{> z-?M7!hh=L`PxMBz-YU{t0ZPl2=E<9n0QL%y7)1mbyn%);sQ&1=F-p&(M|@0K&Jj}; zWtp*8jM!dQJHP92Z@tx3ADak`9s${c!PnmINR})SRSfS;3(r2ZIN=v7ns-dL!68l0 zC#pqKC!DMyaX0^FOeI4M~7AmIMoq0p$zU?LfjRO#5fmzKxHh zTBAD7n$`R2$eZEyN!Qf%?h8$I*PLSPA1iuo-tDydSj5c-ksduS6r<3r1r5&fw@okl z;4jb~Bo!5(SHn+ zmpP2Uz8l#?Mo;N z#hyC*fbs+@YD4jvt!_$fS;8nbOJmsMqIicLKl|NkrLcDld8G;6lA5$|xuHmYRmQtnXOPFuZ4z85ywr~Ec(;%v@% z{=#Xz(4p@+zO4YuAPm63zc!tN8yZ#VNu?@#dep5~rC>S+(gT(8z(%Cm|KPz2gEn_?1t}E{G^rNB!*K3h5D0Cbez%$5M z`6B=(_YALS_Zm?u>$HA+^Kd)J6gj&=wC*!Ow|?{9_S!1bH-5u===n9YpirUQv4K3h zg^wA65E0^t-NLVjK&OE4*;sCUp`3rnd8`)4P7*y%Mtu%jZ3zMB;8;i!r^1i)PoJjcM%^5xORJ}jlZ#FDl5DM9 zjB0Ijm{gMaJjtA#()7E*>?#dap)nvdyU}ijvDF;$b4h3keKfmW9O$+uGhZrUC7+ex zhYE6xn0kl_y~2HcF(|2!y-05R@~P5H*?A3R-_O#gJ65g3ioGWiq6ZFRfm7s#9~QBR zBJQv>0<=Z?Ger%pOk)jQD4f{Jr%^rie#v5R@38G}-OWAGN8}T9TGdbauv@KdXhuOXl+{mwuti55O3szsYk$`|*pte(FrOaK|6KB8r^6(7auu@b ztFC{=crOHP5~EeLun>0Qth6M+|4um^?|nM6pHnpC$=DQh_Iuc0jk(bPJA0@l&b2$F z(RaD~B0ce~`2cSOr>24MrCzK>E#Z&-Q`b=gUYVoE+~8t0*tkTqvKiY)}aoobQSO00s;bR0lg3l z%&NlS;wWBGnWF_cPg~pD`!*)RFrr~QJ$M`T*LvcX3Ug(aY2)@a?e0h;0^#0QdVFs) zKw>1`S?P8z-z2rn=fd%ZRY4s+ow}Mz6QC&Fkd<1qRk!?b>tV`8pA>q3Mbg_sNon z??7>n$&&Q5``4lVKZ<&W(|-gTlX~K`ck{@iVQvN>lUC*#ro(U?2nOS zZYC_8d*w&j2R#O=%Wsfk=4sltMQ2>wH1dNGgVE~w>Id@{FL(d}X*>T8woXckp|O1V z$O*s({5D_~@~Diy zzCL$KXPR;qgl*~wPTX^v6ZI9B?ySuh_jxaGKg^^BQ8Nal^OK-MHPvNUm(A|%KpJKm zU0g9z?wYjCy(0>c#TO=UeK5<|l7S-Y7Su8qwQ;R$z?*jdu|eVm|2{51Vpz63+Qlf& z^W@k7Ec=hsndb^WG)4|x{YX%k*4VXH(`n$%e1hqFRT|f>@#0k{MAl`*N7HO1wZlJ~ zdMC~GGL9`2CEx!%97aZNF+^`0mka9MFbQn7b3HC@*~73-1joemC4c<|(JV7m+#@&e zD*whv`6UeBXM6sJ`$fl*=9p3ir_l^5cR~}H8`JAQvH!>*fp?wVj@a@vQYhRXOa1lG zesQv?M=D>!PmiYRjMep%G#r!Q9reAmB;l^G>S#enwCF#0wD)rKE=n^=_eXrcYYCpZC&`+=5%EE|%C4 z02Nu4ib~tHI6H$EeddfVFoYIChD@F<{H}R@6Rs1*X&rVgp5T(GOW01h@hCcRbVeel z-du{)sMlmHs|QnCd^1SKC}pCAtnMi@V6Kl#2#m$s_lLhC_kP@6c_!{}EQG>BAyxPi-sN>I~=fk;IsgTTy4fh`Y{VJUi z;t&cl?^r+Dot5BGUHVCFY!n2sK5M$PIVvGMx}9=L*}Vs!N5F?Mx!upB;mXbPiPp8q zgqEmGlV)?o{OP0?T@Lxp{bq4VaoO{JKPG?I(SN=4rxlDu zPn<_;sI#2RLFyF{1lk7u*AIv;B6X=QLv3vM{%+u1sT<#dpKlEf!2G`Q4`+U~>rl;| zuved7pP0xmjd{CeGgKE}J$oYLL;YAPZ}W8NTX2wlW>XWsB6CD%FUV(CCZLv(rOg3r z`xpxIle`1HQZg_si>7eJ82dgj9~)=F$BajV6w~$h^${VfHTZ>1{h*koVn#VdmmaxD z@HMSle%Uq*y4AG9wrc%#kE&z_mw`?;e`X@y?qwGkXzbHbs$K%hllMZFd-Q-!<&*uj zi~m8mZZur7qtf{8sd}!LPf7-$S5-vTZp@N*$NImthZo$Od5>~mk{0JumwJ%P_LVvX z2bSTX=g680^hpWXtDfGghbtThw^rL_t3X&K zOy@|aJ}LI%T-#T!&D2}&SV4a{9DeJFCp0BaLDW;r=+8g@%r6RdlgV}bHpC^HWHw)O zsj(~JcHamqX{FKk&S41!m+}HFID&&$#OBB26Y6P+22a`k>?SVtw1(bvz0sYJxsbpG z)u2ID4S4dNe0}iOE)cZf6f`ZbxV@tc8xpt_ncIf4i^w3I@23gGx%4aeR6ZLskFay< z`#{)+jXmxRn7wDP`}q!Nse@sq;*gh_jg>sT*c?3W-BwHf0vwmy zqbiz{v))j&brFB_yS@{yJYbtE-l9*$2-(N%ZM&zq*UPZLf2k}2M^04;eR=^bN43suuJ2;U_bR!X4hW>ST;^1(X?yY*U02T#hy zq?KE7wwt(8->nR7IBZvQ{gCiMlxu({1+{-6BwSgrkqbVixgW%^qMw~eRzJiK8XOWc zfpF*mvJ9_|T~>tM`Y5j%`^hJv#vxlb<~#;uIbcu#l!wcUgU@f=bx26d$nQ8EaU#?M zjszQs=0`bQwXQn%I1)%%UYj{MiX=|}b$ACairP99f>SRVnP#Z@je-v;E!lI}LK<@% z=g3@|(5J0e@Gc71tt?Y+*Tb7;Ay_}tk`f!$42DvoTHc)N{PSi-S;^C3lNw{aq z28s7&8fnJhf|hY|wu3^wjm=z288+yPfhQ$dz(;ZB!;9#*(c&e~>7I`HgNuh1w>^DW ztM*m&RN4Sz*`U`%dhA^3h-kn=X418uk2*}&)Y=P}6T3FEcm0a2^U8o*E^)-=yQwUl zq0=1Vwh?6QQy4SAz{9=`4YNr8YnHV`a4*NCvqpipTsH(59LmnG8>c5i{cgYcf4z*f0qoa!k_ zF&nUkOrTbid_=#4SAqXq-#A~NqFGS~-!-hHX0(2%|M!u&OBGcz11C;2 zh#$qWCDj9p#WWRK3mrZ$=rQH)e_|e<1{r-mh*r(7dEOz##RPq&c4JjP2YvsbCsP5e z`@4*#fCqOnkeb5aukTLQmN)(_&;^jAM`W;y0SiZ){FjP;DkP=)`KO)Z4p}_bBqVh^ ztK#_9I%Mpbz1~Q1a_4;E{L0< zYuEY?8xe|Xz<>6x$ZvcQTG$Y}p8sv)xUA`oZg`>4jct%}7=oQ6rZs2;u}-wk+s-*T z?4K3s`^K2t=TcGRCBdjRyqJ20jw>bQOSdsA@Y%aR^L&oKNCb z7yU~2+*GPP%E2Qd*$QDZuRY5n6G@sR3L0mwsO52s>3|&!WoKY(1ji;!x zZDXxX?#}JuFXs5Z&)Qs-`!~OL!-ajhP9g?N$xFd@!B)lO=W^Ta1c;x3H2p<$I?}Eq z>f&_sAp7ZriL?b(FiA#w8e5bkrltD8yLqGJJ6~hWM&SNU*9K2YX}HYfuq~Zn6I)x`)8C@4d#dF zj~@){Vsq&3ZJLtRVSChK;Pff`MjF5u1nMF+I`p0H?u?F$ik{chX#ZBLb23}nZt!+pjdfOKkpVS{g8w-mxDY<9P z5QUU9@irNEavd^med0nMREfD)CdO@_w9r3y&h;zeTpb_?dw?wcI+3XvVs*e^HpKWQ(z4wR%YYD+pwA}w))z|r|-JlOFwnM(cYE@>R+C{!#hJUxSv%?2KEmQ1*eY6m&KFvz|9a`6^^oXPCX&6^|qO8M1IrfW8 z2hY@eAg*=b)tDdy2P)YXeO}|(PcGj^x#C5RB zBphK0b6rne#z)#Di8@L9!q_IA+Z(nHqA@`HyWP5r74D}UGlH#LlvoSPq>MIDEUJW< zp7C<~75T0l+8F9m2XV}DHj;mBv@ifU@rNPry9MNOJ#dx}nxSuqP!_)=v62=uW7qk# z_POIa$jLGeN6Yp$BOEp5^_ou=zX-E_46=fIE=7Myt?Y3AD|TSCrK20yl&uZyB50#p zwWBn%(zP`tb^AjPmvE7U&)8aF)P~)9k3ADF6h|+7Bg<>%+hgfqx=eT)viEXh_8^F^ zYh+i?+S-q^e3h5v6I2*-gz`qe1|b9!5$8hVoaG9>DZ78AYkFmvAf+o1;xbCY$%fd0 z4~LCg@Kn^o*5Z3;wD~4^AU|`@XH6%$N7+a)#FU3`Qg$s+5&9YQ49*W%5?1s56F?57 zliqHPmN5%@0YeS^t6=9;_kMO)k)F$YgU(y7^_$7p{tBuJ0lOp36PN=l5-M#5_kq|K zF)nBSQHhpt1_&*muln1zz{85ACxSgss6$hstoc!anc)4HJ?!rLQA8)}o%}~-m-bR$ zVReUy3|WF%(q5pglaX-W3p5l~rFs9rZ1X!F>gU3x+MJk6xn*wD@x8>dQx#!(OGW#r zYvett(@bpgEk~?q$DxwK3s`}p#Hna0w+)3QPp#4lIqC<2r%HE59P?ocbJpoQNXqPP zXA5W+aC&gPOd!BFa&R)cs63a78olc5S}9cY=Cl}1Cl088F1n4WsHz~Tn+<6K?ARg4 z%VrrlqkvxLzNP(@BN(M7^|@-o*@Z=#`&m|HX=EG z2CwSAR(wIiYsmFVqfuc}+WGHxM;M)SYg7uL9x73(6Escc9kAyrgD$&ZcoN|pV9)%}xLB}xNVY209EPdOekBl{so7Gk zXC4z;33#tB{>b{3fJ}e20_j!{bb?a&l+f zcKkCCwZ8WxQ)$C3j(>h=WtG~%UQ~BQ z7JdAckomIH@p*snB2Z{+UGx^#?dS# zq|ogi8vF6($SlM0`_PkdqCB_~-omArHp$rW!qRUT7tic_4GIMm`qIn_cnaJo{KxL& zyqe9Vm8A6R)IOjgcwMOowsGx7zua_){jcip!fc_qy-ohvJ3L-4qaSo}g= zZrh-%B88Ck!Gry^_FX_DjTznyZyONDrY5mB?F=2H`i@(R22<~CEcMlnD!b!$W4G^J zZC_0*TrL%S=4l?WXpOWy(eP2zBSY2{dM!CWpKayxeUMYb{CVl^UnQ4E(bmc%NBA?V zvZ)W_v~B-bdoWmYE*ns0rd}|3wkS=&{;+3E;IQ9UXY{A>)MgiFk_GNsqvg@>`N^Ca z+hN*;uVkHK&M13Ck6WfVv$k3SCoIM};Zt*3hqB~Pm?BbmrjJd_t2J+bBFe#kdEWK{ zpqM|uNFBL*MXZ+SHq59I%(_bav6my23dQhr(u%G29%i(c8c!!XD;7B-cD5{PnO{f% z<8R~jZX%33$1f!9DCFUL(`qwvsarv^5Ju`5pyGb${nCL>Mr&&ifFuEUgQE4EqIl6} zW!9EIGZff`H_Ns*ca9Gw+zZ9Q6nO198aj90UT(Qi9iYwJ14V45bZjMxf|W6yE=+h9 zOg+DY@y1HS6PbBV(IR{asN=XS+V_b>$Wryh^bey2WPa(ZPz`F{2;(mrUX7;~!aDh; zI_^PUtDYO5`6Wi6TYpH1-+86r0ewJ2c;`E)b0`@NKD-FRB!(K~aF#qju8}74?E5dk zbQc(;(ORz}t{s>@apa9`C!f@^e<`Jhnh;)CDSP{C_14zX^rgzv{lT$U$M&|O>?`cK8)5Hm=f1Jn`l1<}Wk9V@p2K5|h5u5kD-F@^K4T2+>O zD(`mz_Yx25cYIv~=!hI&uZS-^n1R{p4(d0|OPiErGSZb&>VCo_?S&_{*C+HlrCzBJ z2#jF^v%xo(pnS>gMO#CL8EOt}H*UcjWsn2+bgTWkG3yEKEv0$BoPWHV#$6Y0cV9_} z-9yolTI{+Q_^9IyL1oDyCKfj~r2TR=EMOF5KP%Jo@rtdD2px&EzSB6^Y#}NG9Etw> zTVpocxJvDUuMjJPBRcn1+ zdG?qt{X?Bqie|vWqt&0Wt&q8`?(93m)!w-0F8}6 z9Q&yp0ZiH<889xbMM9=)H~)TG?EsUbig9Dgi{jUY05QrI~w0W2%PD}oN|kFKAa)os};Ia z&A_H1uz6lpQa|UpC5>dS1$D6RV()xk2e=0Ah{lelWXf#imcPP+jR~3F_SHtW6G@(} zmrsH)v1!bne>?%==|EkOuU8B~tyJJ?Y@KJc?H*JieY>LIL2?l%$A-x$H~P#&dR|3X z*~G*>ud>o|#dS$+^{MVCFuhgo(+$7j$L`9D{DLBOGeHWzYt?A)4<|r>`K^Q3%iUBx zy$>5ZS6?czyBWC>Dg~~t_9cHdXyL|8$8$FT zse?cLpbF<<*ae9&wLK~6an)PwqN_Lj#`QzWF*$b<_}_*P}cZrMDx!BLQ#ZdGCS34`Y~XQH>+Xz_Gf48ivop8`gTio{JUW>1-`WL^aljg}%RGoU%lKGlpwd+oarI%=EVL9!cY82ApT- z$;%y{n02~N4f817<&SVU_L5VOQifHXfFwQi8LrRh#$xO5xGK7iiW_89S-p`EkgQU9 z3Xg=lTOd_Q?|SWJG2~n9H^JZa0=D=P!^6>$C=CW=;{%{x>V)nuEhIEEOE;2eC;U^W z3PG%)mJ#<(*Fe02h}}^SG(3cH`4#ECtOP&!TI<^#y|`= z^j-Akv!oVDQi_n%P}tGy?%567J+$+WPT|j*O3J&6m*q zUra~$#zIqaUf|V#V$ECZoGR9;>79STh1s?i%MluslaWi8`jK^-&r0GFVJijUY6(t= z{u&L3uqp@&DpGi_T_Y+6GcR|S&{6np@3xPltl3n9+l;o3?W_zs*e?;BO3uC$3SZ26@aVLgEnb?B-!98@QT*0w$L<)OdJTE@Bq6&3L51}j6>cllK# zyK@xvR~4c!kB>9|auDb;{*%=a%doXi-5C=L{jcz809=Y0M#&C@>t*@MTB zmD5k=Q(TA&>zaKs?_}Lh=;%PKy(I&9?ahad#;SwJoq&bG@=FPsV_Sg7XA>jI?dwE)_Ie8MIvVmLt>CwN^)L4=+^x5{;%=x;XC$^u ziF301_7Mqvv1;aPr6TByrh7RfFK-Twlc2v+1W3_NF*rl=l*cx1grO>m1aG z=;P_l>IH}uV|6%AlNmX%sIYf-*zit)=F^8}E8IlCcbUYh4D{2dj=hf!LKd`w!jeO_ zzMl@9M2xtHOi1p@3MynJ$Zg2{VLv3Gp%eB-Ieczt80Q$98QeX&tEF_$^N-|PTgJG$ zjR4JF#-(eGHnEbO0hfO%23VGbP?$a3JxUlJUQhL z%&d5$yI~<&?BE*AqHn8)N=Q?3}Qdyh0P4%?xMdAAuWW zT*>sCb{wll2rY)+pen+CZYa2ZOM^cn1nN8wpH{0xaEx2Nc+pNn_tP^&@fYUSH;C`4 zfsMpZHSzQTv^AjB*>cg{KqKpXF6baR_AKb*UzKS6oq=a& zIF9J~UfqbRYWw%*$v1YUq@>`DvC19#pB+`=%M^b7An;B3 z&QAU@@3e^sA8Hq$nbt;C`gx!IW?KQmwKjY0>pr_?no40wzLYc40*}CO*0rF%YcYW= zDVOKo6LlJ6{unS%W?p{ntz4*ZZmGGIavje6ehjb?XYbd6*nlQyZ>}2NVvl3Bv+;fAlh9d*zw3YoP+y} zh=>Pjo&H9^R|%!2clYk^aNW=Hjcxg83wN#3dLVk0VQ-9r6cO@a;hwjd)dR3p$gx1?pH5^3s2dJW9MPa+HDT&fp87VNV^J-dru=q%I)KXW* zmaV#SSdOC9K4>$&eJ?*OBsq)QdVQ`a&M4L2H}2yArl*aMXK7_O%w?v{C_deNOk$!& zVS6v_5BFuJ(?8o+#ADmjkc}~Nu%0YDlG8FOyeor}e+y`(Gl`>}8PR2F2wy>tnQ_wx zjocxGTbC6paSyo3MK1_&rh}g#(#74n@B2LbKq^=$aV=-;A&g=+D&*2 zW~(PvnaJQcR4x9u=rlavo+G_83wv4Ns5?gv>f_p)?}*<|1?m^#3R3s?71nrbaX}kz z6&7}wzqoG`_r<646dCte+pv)tFF;_*wAL$}ex1)HQlFYj1q8Rn=Las-Bs9D7_Q%)k_P5oJ zL3hZ|g|NdQ^Q>T^6w9b>6cp&uC#GHcCi)3D&~}BiA=6vN^g!?DIS;Cet5|&ba;xj& z4+TA(&#vH=5dW^)FQ0t2L)!(>{@m(NM=htamonuA2E@#sjaGW)Mck`OR!zvZQFI|d zH3>AB;pI149LXZ5jRJlKbYkU>CBmie%g5dWXZoL)nXscGPy^s5qQ`06gmWvjm5!k= zBv@_t*z#_rX)t!@grzl~+!z@vH9Qb7q>Osi4GT~>lL)zFw#FZUhKvL9L)*1q#}*e$ zLwVH?-*h;&w$^84gda{YX^9n1NJz-9th`b6%N+8;KIQ)GP1W}xqIeiO8SRb;EqADTM#lod6kpe+t9xa z(YD-Be${W9mNw!8OZ)67G@6uKoH*?>kNfUo zp0`n5R`&oc*j0IKa8XT1XbGp&hccs9T$ukB7XLmz8#}Q3;ENsFZ`xoihOIjUCB}H~ z2lkdJ>0@p=>6OEh%q(^30h$ zAf|heWHV)fyjA3E zXWB^VNtLd=Qc9|DOFR@)1E)V@y)I_hkcU3{FZ-bPXzZ8JXJog~v_QD8GFR(B*g$a3 z;jJT|P|7_9n)c-Gu}{Ou`%C@h(31IXC0dBJHK?^#|$pgNrZ1lm^%`oAdu< znjJ0*UVVEzQPJ2ull>wfYJf&gI!i-c9^ft&{A>Qj)kvvDn5PtxI{)Y^DwVZv-d5@1 z%_pM%z+R*tLaFBdEg^%r{dU(gi*`JIsVZu_BEbm6t$z7^Mvt-!kP#=l6YpElKc>$(l6xw*KjezQqCMc(gUA}MABj?Vsq5LdGQMkA_kLMnhQ zBCMI2d%7_1wNQ}MI*jfqlILz!ocB(HeU~Lh8&?Oj7^aC!32T#7eRX@p@z~dj9Cr*B zPB#s1gzfj@FAoF}bMigdkf5MVH9tZkL&dSK#$q6-Cy^I7`JOd}EKL5Tsx9r(nx3$z ze}IA?kr|jonz^=Acq2bAH1{1K+$4{=FpkdpPD5H&HKgL^vj#lW3FiWa^zYy6Q5MjP z+4@lEv*n6!e+k-Mtwm0h#HiU=L$$P|{_&ij>&O1j#ryQ>Q#T5WMg};OXW1_rR?NeC zmTr>y#3wu@HKucb_I4ibo6AuB!Fp>KJs%);FYrQ} zxr{nGUOkY$L6lWpDDiPoO9wI!28ynzZ_5j74;`q~7;eQomrKAaUty|dv3pxr6Y$N< zR-32|bAsbBK9r_P#^tz^bf1>WpvEYx8ku`RJWlGs8&Frf#Hr4yAC*h`qlDmeiw}nW z)b!YVx9%v>;G8^7fi|uA-{DHT9}5+(#!51XLY1qH+{28qPyh5c{=V}=x4sMT=le`t zap~O7P^0}WqjUsvw&eTwM@LjMZKo&-+gbq`N_m-;9^w%`s>6gy?Y3{Y0=|;hiD=M| zYiG4HdMr^c~Av@9=5lULmnuBDVzOj z-=0U)tT+n;J#EqMf-nrF>r#fu6M{CC6gWF)h~D226W$!E{eu3aR^}2ju%w1mFvQWq zOGr*O)>VV)s>lpF#kuc`e8bd|>gv1$#JQXh=3`I3_psDzN(7Ib0f7g7+ zn`FP*NUSWzX z{!P1CT`{X#Ds50Jj`6hhWd0cqe@&f@{fyd~eYDOU@(qtp^;+n}o--(5Z^j(t=@D#8 z<*F2-#;d)?q7a7!u|IIBFpSs7N~hrbcqkZS@`=PV8NeAJ#Ujzrr6#q z(~S`Xyr{?8-O9kx1gLJ+{yM`ph;Xv;mB$y(B_|XrO8r848*5HlbSIb9+Dm`GK=u$p ziIf|he~DLBE4$nX>_Ls@2g+*B! zAkuqUr@?)C+2$0V?RppW)%!a9)6@)oEQWNgnLeVheWVMZl(ElCDw=!t>JU8QK<%|% zF0?EfHyIyf)TBp|T0kH+=25~jplpLee;O);Cm~hVGe?Fn#W!-v%#b8#2I0=FLs8w` zL71#I);$KBWH_Di9~ zTAOOlGsY{RGFy)PdI`bTM_@uQCDW?Gqg3OHPZ!9sv>YYYaqVFEwxOy&8k>F*RMm2|W;T z3c2ns-1yBY9`AxXgTsV}SbR?k5QB*Z6mnT2|j!>1NZT=r* zazXJOm8~BSg}wAOg!=T(BP!nv2YQ2ZXdevBl5@3+b7OD0{k_~kChu8sl>q@wXMR$t z51FYRRFaTiUY+UDTT?g2{nqQB`dL9nQZKCIp2dqr!TciVWvR$WJZ41wMidsQ)9BfO(CvLHjjbd*VLx|h4Q!laXI^PPmyHQi{ zRWN8v0K=oWn6Z=>y8Q)~Y8Zxbi>mkOEYrR68-=N8G6x7Sd94;Mq0jzpP?3^<{P7n& z0{~d+e!51#WiqLZLIu)(56sdG1@450tS>~!Xq?+zWs4I@Z7%`wUa_#!t8KJX)1Awo zq7NngS4-dgDk|1NzpFwFsr+zbyd3FikVw>U_#>pmz$N0|*!R~Kti|5E>o)1Nw(aoq zSTR~L6H`)(5uw}nva_?1P(&Cv&^NIN33Mv9uk$!y zbqL;^dA#>0xjtFjiZFFN3I@;j0@(4w+Mzb)wgLG71GvO`(hv+z4Bc7LJ19%w7PPQK znB@FZ=`rUkuqck)qMW#7ak9J|Hf0>GvJ`b#?Gf&+T5Z3se_qY$wkCc;N`8q)?0~w>PeCOVRu7zN*uY&5@D|QOn-z_o7TXB7Fh^@TPi+ z!4h2R{N6ixcgW6-vWp^1dr$3>{tg%p@u2}s9Zz3aaQm4PYaoTY8~tJ6u3SYGy5}m}aQNy=8ftf`4wWB*eBVbOFdg}&3K^pa0=uMv zB_%GCw7h>ha@#LMHEUM($Y3F|MiQ%@E-kc>Sz%o0X^5}AG$x*R_022c|;O#MT}*L&~Fg2rn7 z+}*>xM|takvqMgc_2%>uK5Kx2RQ&q&QR@-toPX9T zvWRup<>a%{-;Qdq<4iZftTPJV!8m+DaKdhEWW&r>)67y6H=+#e@h;k;=}0Dv z@KI~W#^uP?_q2X>{Eug4rtj+vU0Ds9%{3;K#iPHH^kO#Zv%hO{Dmr5(CTz}C!H?Uc z@KzH7nB;bJYj4|lfg)nT^b6K@#CnBTvrN43_Zs|tu;Z|zrRCOsGLXJ_jw}KY4)BSa z4t9IzSkY3YWd%F*ZyzqJ0VzktBYKWa103APZ{H8qAszyL5T&|qE>FPx+8TOyT;qb(A>>bo0?Uq72YjhDWFd~YGaMtvx*7NGc0D6^Ggmzo8-HGIa(D4R#e{Auh0 z7O9!^$DK5=0P|_YiU1`zhZ`#Tz7hNPQC&3E(PmPs*m9D2gR0(f_igM_hd%S~Mihq1C9S`wt+F9R#ymJgRH&Mm27{;S!u^<1Ai z+#Xat0ZLUV3Jqd0#(OXR#)uTCA4|78Vjs?Ta>NMIVbZ0&tLHi(EM6qPK=#?Kw?>qV z6)*SFcUe)#zK9wyKQu}S|q~o_|pX3*uF37cmQ9(-<7|zM#7b`0$SYy`3mUh)9Vq%ki>ez5DjmqG@$RhUx>^d4AbULb}#GI5c_d6W?o>sL7NTLt* z=Kv9={tc?cG@W~R7ppi=qmB(%)?Ekm+r?mXnS}*hB8+b_r?kfNG-XJrdN;<%$E@F?Bs=i5 zF2=~2T^ql!+;szC56z71{os#T1{1*;g)SrH!ft7ZgN7@X2R6N&`R`Bf=A+vGO)M^6 z=QFXZcg!)tE-7DouHq3S@Qv?YaAuckgkwI!En)~FgcLH_O`sK?Q zs(dMF|FK3Ao&E|B-mtbeBSFT8noBb4n^le7jvqH!&QGch2)l*!htzw-_=>9F??EsQ z>amumS^e%+{KiX+AD1li?Ep)FRPy9L+8I7I*5c=@dqP`6Xco zP0TxLr%!{17>EVY1%-YC|a95ONl5JB|HOSQ6V;)qA@a^*1S6<2iTDSbu z1Ng`HExJ*(Y;(+bvPNS@f^8gavi@Xlj^uRyYyGX`NLy2u;0@EXbu?(=N-li>K>0(V z73=3!koJXLXCgn!9y9TZu|kG{6cpdW3L?pG4b=F(7oSA}CHvyj-;QNmJ9;E(YIh5G z@0;Tf8AEt$&e-#PtqRoRl3JWcC}wDmleJ3n`UbQ>=2X{esJ^K_O&L$}ZQguvu7)ivPJ)P z*_9s>7m4ZbU*5b41RnqG4-a1cKR2KMH+$K5CPOo50RD?{ z%?d;}%P!^BUu3C1heb1*qbs5qL*6hbZAg;8j#Et1+ z7^4JeltLW+!FT{2Jm34ChBU=|u&Q)HIhu1=SJnE<+ovfN+9G3#F+CCUWahTZl9;=e zV0I=X&9W*1oEaNd2fCM51=F)iH6eCZc<`FOEfRyBBHt2L+tK|nnPgp+gq<$lb|Y`V zDY+Uc^&&gdGv<{q4bfph2nZBEz5R6kyWS}LiaTECC z=-fz(Z6RIFzgt?k)YQUTHdO7tIzF@j&9j@cE#3cR$Iv$xeo|zI- ztxuPBWq^mnD0Hk*%*Nc3gA6pY+{V)eP5KCTM!6Fl5gX-10;CG>X|eOvNhPDffUXVk zycSfvJsup64-iFJFV^dPa9C_)ss$}PH`&h9{GEXF`6L`nsoR z$V4*`PrPaWu~({U$rAk0Htjmp8hwwnJ&*BR|2TrqbJxT@L|oa8YZL;$Np}&3*;Fdg;*?WHWb7RSGpCYCM*Umlr_M-2ppp}11o`7jGGyy zn4P)@BHfV=`w!m)jU*jGZS&bRKOM3{TlbrH9@-PYw(OE$hM5-?ClVRO>*m9r>vhrR z=&H*jt6tgrV>3yJN?8|dXmxF&$0`*z-QsS=oYzW0EVHnuc`)hkWwHiW_8 zE&;wB)3*F1NtL|VuYx$^v^htl`Hpt}=ZxdFVgG_PH={o@BfR#K;i344bzvP?kL7Ed zZA!FW0-9EL%siOrkPmpZ8ZAdo@MrXA8d1c72EmrihnnWY5iXNy_bbV7b)-tB55?4P zz;V@IYrjmyE>Wn*q;RXB%!FlSo}1}{G?&vi7_eQUixh4mRYq<(9e3ycc(4v4#1*I& z3w^uiyZ;En?`Xiz$)hUuzY%z(vCn{=dOY_1f>gkpS>m?kq?32g)PT0jk1YC+J+y;M zOC6Kd7HAZw)L&zGSR}}zN?9h*OiMNdZ5tGj0{>CyKPJA%+P&)99=yBTnfLO7clitI z=nb^ucCckdp|VIp+TuQTk^Y0~pOJ=iIK7V;P^&L#`OG90TWxIzqxYH{gG$0a>BiI; zG1`~UGDA0Q?mH6EB+Zf$n#~BHj|nTWAHC-9_(+2lUX!~2p+@Fu%UomBJFNwaVdZC5 z^VXl%I^&2y`(X%t1{clf9yF-Vz80sb6rM66?&4Hyn2Gi9;xjXi8EK{sd+lGTmihDh zP*1)h`N#HRw7XSbZFYr3Xc{!&FllB-bEL{-!wBkbaHgg4S*}J^OoCa!Z<(aLD=xd{ zE^3yW>^mEhGaH*z$2F4N>#WuI|5#oS&nq1seTEty;H~fXDQBbj0AS*Ic_vEoQsK5}MLO z2t7o)WdP|Sz4w+vXi4Z%5s+R&5=ekZFCic;bojXITkrec{7im5S?la)pS{mH+ozly z+Gede4g%}Zp)iXTW;%J$Qa$p1m)cbE^Ii2|DA?!h8T&+l1`nzbXjZ#M!| zk3S}4U&?#7g6xN(Nn`z?+zKd+O1iyM=~7P4@cVei4*ik%Y6uucLenk#LGpFG7JHnC zfNo5WdZ-TJNGw+~w^S=Ce3*o;61&OWOC@O0Gj-XJwv`KL$>-SIWIg?3bKC@r(?Yxn zynL;~CG;3~q5;9Og75OG?u5o@oNg8%@XH0a!=xZ@ZC+lPEVuf$+4EC{r=fDs$fDPYro{N#JsSrXaA7U->yxg* zdvotWwnEeo2l>cNKlzHUpZXa;g*wI$E;4d7A!-51tfM(m9}oD+w)FAaszUDOl%J{_ z{kMe#YAyw-Necwe8B}C7na^wHS3&JVkvTJV2Nbn=r{jv=ssv*`O`w@NeBk86)2AnU zX*t8!gVD_VE@>lM+py)*rU&aK0~w9pv$A}HN);$>%2Jk|)k@2kv`DByBdf}GGSOP1^zrWn2;y@lO%6VeyTj!dzEP{c-P=vRL*AN==yt8jor-i z)ZfeDut(v4fm*9p6g|tx6ggbzLN$mK=i^fKD(gJPevn~6zE_&t3_^1Q(oDK9_`fIT z|DQtpPupheSU)E_sTQb@Pe0ht#P+(2fA6RF>nDp#ZEnSsL5XC+g=uwBrAIpO36izC zXPX^#>+oT1tAp2C;Z$fd(lE^axJ8%7q6(OiGJx+E2`7!r?NtrsHmzQ}Fzc5Znm6W| zdkLur;onwS9Z)9ha{!fnr^kOuD5t;P--#g=$VY(iEur9QTM^1 zJNgw~IL5@kQFg9$WozF0?8j9~PvVylyQnglsYg-Cf2I?S>~5>7&^T^E-`M z8>{(pUw8aBU7pCjiE4?RENsa=c@sr$(|9^-XN3kx$+iV_?a)gG(YVS4hbRrSg`MK! zsrUhH$Z|IAnKfZ-T5HLJ5D@ak1#6fvcwDy7_FH7f-SfD6p}~9|)^KWcN=mo4gqr1A zPVV-Jv*tHb3CnE*uhtFn*S*7B50fc9%Oq8LdAX}q@6N>C1GB-~Wc$?w%((sAa0=yY zUGRVy_hG$5d~l-NvMZf(jj8m@tSkK=qb|a+O|Od@+V%FqX7RtXdXp=6e*3L$S>)ZV zwB|iL+5?5Atw!yhz35XH^|rEa1% z%#VhIHO}IeR}&Au6@FjcuNT-Zp8fdIz4GN@HVl%;AHx`Wj^&NLoTphOFv2VT^t3`N za{$70-@yPqY_9J#VC#xjRP#@cJr>@i8t1g$YyiLnPc?&g&!+=JPft%pKYaL<{#Q{! z(I+;s4DQayeGlu(dY2r@X*BozaaU4WzES=G?#N?jvRvbkOa&2)Ld`?dXujFQ zWKNw-U6M|pT;Mc$Zv5xp=gvJn%Js8d{J{8dWiCG`Gcj1PX#mzT06Vc+Y#C(aY^h-U zK6+-}n0X5kE_I%7oS1m0KmXm+wd`gp2Pn6U#t*MQ$A9X=Basw4YY%Skk`%1(Xu_H$ z(*O24{@6VRcV4J{1=F!jiV^3{4Qs!ZGSqqN(jQSGqCO2f>+(@4*1wki#V=9Ac5CNu zRTN&XlT+^jNyYCdLoBwM*Q)?rg5>rNAZq5O_<#5wzalz(;GN{(`?mvp@YZz#h&Ufi z2yiuR8s{7f`#gSZp}MIVHJK=@S!0N#8&O!3LMyUi)nYOlWRYyb$bfBg zYG}a=&en@yH*d2MGcD(&T6kC`Mh53j8?dFe2IG&Vg6VJg&?vJ4Xu%(oekBv5xnme; zerTZ-4r*2=eeJM1u=6eVf!Nz81wlL28e<0S-Ny$jM3?q?e)7gjUTs8HA_A{5cCO

+ + Video Thumbnail + +

+ +

Demo: OpenTelemetry in Ingress NGINX.

+ ## Usage To enable the instrumentation we must enable OpenTelemetry in the configuration ConfigMap: @@ -258,3 +270,45 @@ To install the example and collectors run: ``` In the Zipkin interface we can see the details: ![zipkin screenshot](../../images/otel-zipkin-demo.png "zipkin screenshot") + +## Migration from OpenTracing, Jaeger, Zipkin and Datadog + +If you are migrating from OpenTracing, Jaeger, Zipkin, or Datadog to OpenTelemetry, +you may need to update various annotations and configurations. Here are the mappings +for common annotations and configurations: + +### Annotations + +| Legacy | OpenTelemetry | +|--------------------------------------------------|--------------------------------------------------| +| `nginx.ingress.kubernetes.io/enable-opentracing` | `nginx.ingress.kubernetes.io/enable-opentelemetry` | +| `opentracing-trust-incoming-span` | `opentracing-trust-incoming-span` | + +### Configs + +| Legacy | OpenTelemetry | +|---------------------------------------|----------------------------------------------| +| `opentracing-operation-name` | `opentelemetry-operation-name` | +| `opentracing-location-operation-name` | `opentelemetry-operation-name` | +| `opentracing-trust-incoming-span` | `opentelemetry-trust-incoming-span` | +| `zipkin-collector-port` | `otlp-collector-port` | +| `zipkin-service-name` | `otel-service-name` | +| `zipkin-sample-rate` | `otel-sampler-ratio` | +| `jaeger-collector-port` | `otlp-collector-port` | +| `jaeger-endpoint` | `otlp-collector-port`, `otlp-collector-host` | +| `jaeger-service-name` | `otel-service-name` | +| `jaeger-propagation-format` | `N/A` | +| `jaeger-sampler-type` | `otel-sampler` | +| `jaeger-sampler-param` | `otel-sampler` | +| `jaeger-sampler-host` | `N/A` | +| `jaeger-sampler-port` | `N/A` | +| `jaeger-trace-context-header-name` | `N/A` | +| `jaeger-debug-header` | `N/A` | +| `jaeger-baggage-header` | `N/A` | +| `jaeger-tracer-baggage-header-prefix` | `N/A` | +| `datadog-collector-port` | `otlp-collector-port` | +| `datadog-service-name` | `otel-service-name` | +| `datadog-environment` | `N/A` | +| `datadog-operation-name-override` | `N/A` | +| `datadog-priority-sampling` | `otel-sampler` | +| `datadog-sample-rate` | `otel-sampler-ratio` | From bcfed2e912e1eb81013fc886062607ef900d22ed Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 May 2023 21:27:44 -0700 Subject: [PATCH 323/405] Bump github.com/imdario/mergo from 0.3.15 to 0.3.16 (#10008) Bumps [github.com/imdario/mergo](https://github.com/imdario/mergo) from 0.3.15 to 0.3.16. - [Release notes](https://github.com/imdario/mergo/releases) - [Commits](https://github.com/imdario/mergo/compare/v0.3.15...v0.3.16) --- updated-dependencies: - dependency-name: github.com/imdario/mergo dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 721a3c16b..99849f00b 100644 --- a/go.mod +++ b/go.mod @@ -6,7 +6,7 @@ require ( github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a github.com/eapache/channels v1.1.0 github.com/fsnotify/fsnotify v1.6.0 - github.com/imdario/mergo v0.3.15 + github.com/imdario/mergo v0.3.16 github.com/json-iterator/go v1.1.12 github.com/kylelemons/godebug v1.1.0 github.com/mitchellh/go-ps v1.0.0 diff --git a/go.sum b/go.sum index 003ad5fb8..dda3e809f 100644 --- a/go.sum +++ b/go.sum @@ -200,8 +200,8 @@ github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/imdario/mergo v0.3.15 h1:M8XP7IuFNsqUx6VPK2P9OSmsYsI/YFaGil0uD21V3dM= -github.com/imdario/mergo v0.3.15/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= +github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= +github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= From 3476232f5c38383dd157ddaff3b4c7cebd57284e Mon Sep 17 00:00:00 2001 From: James Strong Date: Tue, 30 May 2023 14:39:50 -0400 Subject: [PATCH 324/405] release controller 1.8.0 and chart 4.7.0 (#10017) Signed-off-by: James Strong --- README.md | 75 ++-- changelog/Changelog-1.8.0.md | 67 +++ charts/ingress-nginx/Chart.yaml | 10 +- charts/ingress-nginx/README.md | 8 +- .../changelog/Changelog-4.7.0.md | 14 + charts/ingress-nginx/values.yaml | 6 +- deploy/static/provider/aws/deploy.yaml | 48 +- .../aws/nlb-with-tls-termination/deploy.yaml | 48 +- deploy/static/provider/baremetal/deploy.yaml | 48 +- deploy/static/provider/cloud/deploy.yaml | 48 +- deploy/static/provider/do/deploy.yaml | 48 +- deploy/static/provider/exoscale/deploy.yaml | 48 +- deploy/static/provider/kind/deploy.yaml | 48 +- deploy/static/provider/scw/deploy.yaml | 48 +- docs/deploy/index.md | 20 +- docs/e2e-tests.md | 409 +++++++++--------- magefiles/release.go | 8 +- 17 files changed, 546 insertions(+), 455 deletions(-) create mode 100644 changelog/Changelog-1.8.0.md create mode 100644 charts/ingress-nginx/changelog/Changelog-4.7.0.md diff --git a/README.md b/README.md index 86f95cb9b..dc7ff3c38 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ ## Overview -ingress-nginx is an Ingress controller for Kubernetes using [NGINX](https://www.nginx.org/) as a reverse proxy and load +ingress-nginx is an Ingress controller for Kubernetes using [NGINX](https://www.nginx.org/) as a reverse proxy and load balancer. [Learn more about Ingress on the main Kubernetes documentation site](https://kubernetes.io/docs/concepts/services-networking/ingress/). @@ -20,67 +20,72 @@ See the [Getting Started](https://kubernetes.github.io/ingress-nginx/deploy/) do ## Troubleshooting -If you encounter issues, review the [troubleshooting docs](docs/troubleshooting.md), -[file an issue](https://github.com/kubernetes/ingress-nginx/issues), or talk to us on the +If you encounter issues, review the [troubleshooting docs](docs/troubleshooting.md), +[file an issue](https://github.com/kubernetes/ingress-nginx/issues), or talk to us on the [#ingress-nginx channel](https://kubernetes.slack.com/messages/ingress-nginx) on the Kubernetes Slack server. ## Changelog See [the list of releases](https://github.com/kubernetes/ingress-nginx/releases) to find out about feature changes. For detailed changes for each release; please check the [Changelog.md](Changelog.md) file. -For detailed changes on the `ingress-nginx` helm chart, please check the following +For detailed changes on the `ingress-nginx` helm chart, please check the following [CHANGELOG.md](charts/ingress-nginx/CHANGELOG.md) file. -### Supported Versions table +### Supported Versions table Supported versions for the ingress-nginx project mean that we have completed E2E tests, and they are passing for the versions listed. Ingress-Nginx versions may work on older versions but the project does not make that guarantee. -| | Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version | Helm Chart Version | -|:-----:|------------------------|------------------------------|----------------|---------------|--------------------| -| 🔄 | **v1.7.1** | 1.27,1.26, 1.25, 1.24 | 3.17.2 | 1.21.6 | 4.6.* | -| 🔄 | **v1.7.0** | 1.26, 1.25, 1.24 | 3.17.2 | 1.21.6 | 4.6.* | -| 🔄 | **v1.6.4** | 1.26, 1.25, 1.24, 1.23 | 3.17.0 | 1.21.6 | 4.5.* | -| 🔄| **v1.5.1** | 1.25, 1.24, 1.23 | 3.16.2 | 1.21.6 | 4.4.* | -| | v1.4.0 | 1.25, 1.24, 1.23, 1.22 | 3.16.2 | 1.19.10† | 4.3.0 | -| | v1.3.1 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.2 | 1.19.10† | 4.2.5 | -| | v1.3.0 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.0 | 1.19.10† | 4.2.3 | -| | v1.2.1 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.6 | 1.19.10† | 4.1.4 | -| | v1.1.3 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.4 | 1.19.10† | 4.0.19 | -| | v1.1.2 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.18 | -| | v1.1.1 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.17 | -| | v1.1.0 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.13 | -| | v1.0.5 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.9 | -| | v1.0.4 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.6 | -| | v1.0.3 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.5 | -| | v1.0.2 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.3 | -| | v1.0.1 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.2 | -| | v1.0.0 | 1.22, 1.21, 1.20, 1.19 | 3.13.5 | 1.20.1 | 4.0.1 | +| | Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version | Helm Chart Version | +|:--:|-----------------------|------------------------------|----------------|---------------|--------------------| +| 🔄 | **v1.8.0** | 1.27,1.26, 1.25, 1.24 | 3.18.0 | 1.21.6 | 4.7.* | +| 🔄 | **v1.7.1** | 1.27,1.26, 1.25, 1.24 | 3.17.2 | 1.21.6 | 4.6.* | +| 🔄 | **v1.7.0** | 1.26, 1.25, 1.24 | 3.17.2 | 1.21.6 | 4.6.* | +| 🔄 | **v1.6.4** | 1.26, 1.25, 1.24, 1.23 | 3.17.0 | 1.21.6 | 4.5.* | +| | v1.5.1 | 1.25, 1.24, 1.23 | 3.16.2 | 1.21.6 | 4.4.* | +| | v1.4.0 | 1.25, 1.24, 1.23, 1.22 | 3.16.2 | 1.19.10† | 4.3.0 | +| | v1.3.1 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.2 | 1.19.10† | 4.2.5 | +| | v1.3.0 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.0 | 1.19.10† | 4.2.3 | +| | v1.2.1 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.6 | 1.19.10† | 4.1.4 | +| | v1.1.3 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.4 | 1.19.10† | 4.0.19 | +| | v1.1.2 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.18 | +| | v1.1.1 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.17 | +| | v1.1.0 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.13 | +| | v1.0.5 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.9 | +| | v1.0.4 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.6 | +| | v1.0.3 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.5 | +| | v1.0.2 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.3 | +| | v1.0.1 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.2 | +| | v1.0.0 | 1.22, 1.21, 1.20, 1.19 | 3.13.5 | 1.20.1 | 4.0.1 | -† _This build is +† _This build is [patched against CVE-2021-23017](https://github.com/openresty/openresty/commit/4b5ec7edd78616f544abc194308e0cf4b788725b#diff-42ef841dc27fe0b5aa2d06bd31308bb63a59cdcddcbcddd917248349d22020a3)._ -See [this article](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) if you want upgrade to the stable -Ingress API. +See [this article](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) if you want upgrade to the stable +Ingress API. ## Get Involved Thanks for taking the time to join our community and start contributing! -- This project adheres to the [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md). +- This project adheres to the [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md). By participating in this project, you agree to abide by its terms. - **Contributing**: Contributions of all kind are welcome! - - - Read [`CONTRIBUTING.md`](CONTRIBUTING.md) for information about setting up your environment, the workflow that we + + - Read [`CONTRIBUTING.md`](CONTRIBUTING.md) for information about setting up your environment, the workflow that we expect, and instructions on the developer certificate of origin that we require. - Join our Kubernetes Slack channel for developer discussion : [#ingress-nginx-dev](https://kubernetes.slack.com/archives/C021E147ZA4). - - Submit GitHub issues for any feature enhancements, bugs or documentation problems. Please make sure to read the [Issue Reporting Checklist](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md#issue-reporting-guidelines) before opening an issue. Issues not conforming to the guidelines **may be closed immediately**. - - **Support**: Join the [#ingress-nginx-users](https://kubernetes.slack.com/messages/CANQGM8BA/) channel inside the [Kubernetes Slack](http://slack.kubernetes.io/) to ask questions or get support from the maintainers and other users. + - Submit GitHub issues for any feature enhancements, bugs or documentation problems. + - Please make sure to read the [Issue Reporting Checklist](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md#issue-reporting-guidelines) before opening an issue. Issues not conforming to the guidelines **may be closed immediately**. + - Join our [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernetes.io/g/ingress-nginx-dev/c/ebbBMo-zX-w) + +- **Support**: + - Join the [#ingress-nginx-users](https://kubernetes.slack.com/messages/CANQGM8BA/) channel inside the [Kubernetes Slack](http://slack.kubernetes.io/) to ask questions or get support from the maintainers and other users. - The [GitHub issues](https://github.com/kubernetes/ingress-nginx/issues) in the repository are **exclusively** for bug reports and feature requests. - - **Discuss**: Tweet using the `#IngressNginx` hashtag. + - **Discuss**: Tweet using the `#IngressNginx` hashtag or sharing with us [@IngressNginx](https://twitter.com/IngressNGINX). ## License -[Apache License 2.0](https://github.com/kubernetes/ingress-nginx/blob/main/LICENSE) +[Apache License 2.0](https://github.com/kubernetes/ingress-nginx/blob/main/LICENSE) \ No newline at end of file diff --git a/changelog/Changelog-1.8.0.md b/changelog/Changelog-1.8.0.md new file mode 100644 index 000000000..a109c68ba --- /dev/null +++ b/changelog/Changelog-1.8.0.md @@ -0,0 +1,67 @@ +# Changelog + +### 1.8.0 +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3 +* registry.k8s.io/ingress-nginx/controller-chroot:v1.8.0@sha256:a45e41cd2b7670adf829759878f512d4208d0aec1869dae593a0fecd09a5e49e + +### Important Changes: + +* Validate path types (#9967) +* images: upgrade to Alpine 3.18 (#9997) +* Update documentation to reflect project name; Ingress-Nginx Controller + +For improving security on our 1.8.0 release includes a +[new, **optional** validation ](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type) +that limits the characters accepted on ".spec paths.path" when pathType=Exact or pathType=Prefix, +to alphanumeric characters only. More information can be found on our +[Google doc](https://docs.google.com/document/d/1HPvaEwHRuMSkXYkVIJ-w7IpijKdHfNynm_4N2Akt0CQ/edit?usp=sharing) +, our new [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernetes.io/g/ingress-nginx-dev/c/ebbBMo-zX-w) +or in our [docs](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type) + +### Community Updates + +We are now posting updates and release to our twitter handle, [@IngressNginx](https://twitter.com/IngressNGINX) and +on our new [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernetes.io/g/ingress-nginx-dev/c/ebbBMo-zX-w) + +### All Changes: + +* Add legacy to OpenTelemetry migration doc (#10011) +* changed tagsha to recent builds (#10001) +* change to alpine318 baseimage (#10000) +* images: upgrade to Alpine 3.18 (#9997) +* openssl CVE fix (#9996) +* PodDisruptionBudget spec logic update (#9904) +* Admission warning (#9975) +* Add OPA examples on pathType restrictions (#9992) +* updated testrunner image tag+sha (#9987) +* bumped ginkgo to v2.9.5 (#9985) +* helm: Fix opentelemetry module installation for daemonset (#9792) +* OpenTelemetry default config (#9978) +* Correct annotations in monitoring docs (#9976) +* fix: avoid builds and tests for changes to markdown (#9962) +* Validate path types (#9967) +* HPA: Use capabilites & align manifests. (#9521) +* Use dl.k8s.io instead of hardcoded GCS URIs (#9946) +* add option for annotations in PodDisruptionBudget (#9843) +* chore: update httpbin to httpbun (#9919) +* image_update (#9942) +* Add geoname id value into $geoip2_*_geoname_id variables (#9527) +* Update annotations.md (#9933) +* Update charts/* to keep project name display aligned (#9931) +* Keep project name display aligned (#9920) + +### Dependencies updates: +* Bump github.com/imdario/mergo from 0.3.15 to 0.3.16 (#10008) +* Bump github.com/prometheus/common from 0.43.0 to 0.44.0 (#10007) +* Bump k8s.io/klog/v2 from 2.90.1 to 2.100.1 (#9913) +* Bump github.com/onsi/ginkgo/v2 from 2.9.0 to 2.9.5 (#9980) +* Bump golang.org/x/crypto from 0.8.0 to 0.9.0 (#9982) +* Bump actions/setup-go from 4.0.0 to 4.0.1 (#9984) +* Bump securego/gosec from 2.15.0 to 2.16.0 (#9983) +* Bump github.com/prometheus/common from 0.42.0 to 0.43.0 (#9981) +* Bump github.com/prometheus/client_model from 0.3.0 to 0.4.0 (#9937) +* Bump google.golang.org/grpc from 1.54.0 to 1.55.0 (#9936) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.7.1...controller-controller-v1.8.0 \ No newline at end of file diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index 81ebfc875..9786f705c 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml @@ -1,11 +1,11 @@ annotations: artifacthub.io/changes: | - - "[helm] Support custom port configuration for internal service (#9846)" - - "Adding resource type to default HPA configuration to resolve issues with Terraform helm chart usage (#9803)" - - "Update Ingress-Nginx version controller-v1.7.1" + - "helm: Fix opentelemetry module installation for daemonset (#9792)" + - "Update charts/* to keep project name display aligned (#9931)" + - "Update Ingress-Nginx version controller-v1.8.0" artifacthub.io/prerelease: "false" apiVersion: v2 -appVersion: 1.7.1 +appVersion: 1.8.0 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer engine: gotpl @@ -22,4 +22,4 @@ maintainers: name: ingress-nginx sources: - https://github.com/kubernetes/ingress-nginx -version: 4.6.1 +version: 4.7.0 diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 391eb4159..4a00815fd 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.6.1](https://img.shields.io/badge/Version-4.6.1-informational?style=flat-square) ![AppVersion: 1.7.1](https://img.shields.io/badge/AppVersion-1.7.1-informational?style=flat-square) +![Version: 4.7.0](https://img.shields.io/badge/Version-4.7.0-informational?style=flat-square) ![AppVersion: 1.8.0](https://img.shields.io/badge/AppVersion-1.8.0-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. @@ -309,13 +309,13 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.image.allowPrivilegeEscalation | bool | `true` | | | controller.image.chroot | bool | `false` | | -| controller.image.digest | string | `"sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407"` | | -| controller.image.digestChroot | string | `"sha256:e35d5ab487861b9d419c570e3530589229224a0762c7b4d2e2222434abb8d988"` | | +| controller.image.digest | string | `"sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3"` | | +| controller.image.digestChroot | string | `"sha256:a45e41cd2b7670adf829759878f512d4208d0aec1869dae593a0fecd09a5e49e"` | | | controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.registry | string | `"registry.k8s.io"` | | | controller.image.runAsUser | int | `101` | | -| controller.image.tag | string | `"v1.7.1"` | | +| controller.image.tag | string | `"v1.8.0"` | | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass | diff --git a/charts/ingress-nginx/changelog/Changelog-4.7.0.md b/charts/ingress-nginx/changelog/Changelog-4.7.0.md new file mode 100644 index 000000000..7399da777 --- /dev/null +++ b/charts/ingress-nginx/changelog/Changelog-4.7.0.md @@ -0,0 +1,14 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.7.0 + +* helm: Fix opentelemetry module installation for daemonset (#9792) +* Update charts/* to keep project name display aligned (#9931) +* HPA: Use capabilites & align manifests. (#9521) +* PodDisruptionBudget spec logic update (#9904) +* add option for annotations in PodDisruptionBudget (#9843) +* Update Ingress-Nginx version controller-v1.8.0 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.6.1...helm-chart-4.7.0 diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 962567e07..7ca41e79e 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -23,9 +23,9 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: "v1.7.1" - digest: sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 - digestChroot: sha256:e35d5ab487861b9d419c570e3530589229224a0762c7b4d2e2222434abb8d988 + tag: "v1.8.0" + digest: sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3 + digestChroot: sha256:a45e41cd2b7670adf829759878f512d4208d0aec1869dae593a0fecd09a5e49e pullPolicy: IfNotPresent # www-data -> uid 101 runAsUser: 101 diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml index 41006c016..48f7f11b1 100644 --- a/deploy/static/provider/aws/deploy.yaml +++ b/deploy/static/provider/aws/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -344,7 +344,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -377,7 +377,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -400,7 +400,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -418,7 +418,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 spec: containers: - args: @@ -442,7 +442,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 + image: registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -514,7 +514,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -525,7 +525,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-create spec: containers: @@ -539,7 +539,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b imagePullPolicy: IfNotPresent name: create securityContext: @@ -561,7 +561,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -572,7 +572,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-patch spec: containers: @@ -588,7 +588,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b imagePullPolicy: IfNotPresent name: patch securityContext: @@ -610,7 +610,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -623,7 +623,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml index 4e4f9ca9b..b4e2cd5f6 100644 --- a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml +++ b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -335,7 +335,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -353,7 +353,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -386,7 +386,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -409,7 +409,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -427,7 +427,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 spec: containers: - args: @@ -451,7 +451,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 + image: registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -526,7 +526,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -537,7 +537,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-create spec: containers: @@ -551,7 +551,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b imagePullPolicy: IfNotPresent name: create securityContext: @@ -573,7 +573,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -584,7 +584,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-patch spec: containers: @@ -600,7 +600,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b imagePullPolicy: IfNotPresent name: patch securityContext: @@ -622,7 +622,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -635,7 +635,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml index 3f015f001..74292b82b 100644 --- a/deploy/static/provider/baremetal/deploy.yaml +++ b/deploy/static/provider/baremetal/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -372,7 +372,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -395,7 +395,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -413,7 +413,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 spec: containers: - args: @@ -436,7 +436,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 + image: registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -508,7 +508,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -519,7 +519,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-create spec: containers: @@ -533,7 +533,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b imagePullPolicy: IfNotPresent name: create securityContext: @@ -555,7 +555,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -566,7 +566,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-patch spec: containers: @@ -582,7 +582,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b imagePullPolicy: IfNotPresent name: patch securityContext: @@ -604,7 +604,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -617,7 +617,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml index a914aca5e..6dac63865 100644 --- a/deploy/static/provider/cloud/deploy.yaml +++ b/deploy/static/provider/cloud/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -373,7 +373,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -396,7 +396,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -414,7 +414,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 spec: containers: - args: @@ -438,7 +438,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 + image: registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -510,7 +510,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -521,7 +521,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-create spec: containers: @@ -535,7 +535,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b imagePullPolicy: IfNotPresent name: create securityContext: @@ -557,7 +557,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -568,7 +568,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-patch spec: containers: @@ -584,7 +584,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b imagePullPolicy: IfNotPresent name: patch securityContext: @@ -606,7 +606,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -619,7 +619,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml index 676ae1229..0e3f4b46f 100644 --- a/deploy/static/provider/do/deploy.yaml +++ b/deploy/static/provider/do/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -329,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -343,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -376,7 +376,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -399,7 +399,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -417,7 +417,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 spec: containers: - args: @@ -441,7 +441,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 + image: registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -513,7 +513,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -524,7 +524,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-create spec: containers: @@ -538,7 +538,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b imagePullPolicy: IfNotPresent name: create securityContext: @@ -560,7 +560,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -571,7 +571,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-patch spec: containers: @@ -587,7 +587,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b imagePullPolicy: IfNotPresent name: patch securityContext: @@ -609,7 +609,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -622,7 +622,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml index e9d3522f0..a1bd4ed00 100644 --- a/deploy/static/provider/exoscale/deploy.yaml +++ b/deploy/static/provider/exoscale/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -349,7 +349,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -382,7 +382,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -405,7 +405,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -423,7 +423,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 spec: containers: - args: @@ -447,7 +447,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 + image: registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -519,7 +519,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -530,7 +530,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-create spec: containers: @@ -544,7 +544,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b imagePullPolicy: IfNotPresent name: create securityContext: @@ -566,7 +566,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -577,7 +577,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-patch spec: containers: @@ -593,7 +593,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b imagePullPolicy: IfNotPresent name: patch securityContext: @@ -615,7 +615,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -628,7 +628,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml index 6a327b97f..41d17d8d1 100644 --- a/deploy/static/provider/kind/deploy.yaml +++ b/deploy/static/provider/kind/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -372,7 +372,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -395,7 +395,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -417,7 +417,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 spec: containers: - args: @@ -442,7 +442,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 + image: registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -524,7 +524,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -535,7 +535,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-create spec: containers: @@ -549,7 +549,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b imagePullPolicy: IfNotPresent name: create securityContext: @@ -571,7 +571,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -582,7 +582,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-patch spec: containers: @@ -598,7 +598,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b imagePullPolicy: IfNotPresent name: patch securityContext: @@ -620,7 +620,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -633,7 +633,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml index 389e2a920..e303a52f5 100644 --- a/deploy/static/provider/scw/deploy.yaml +++ b/deploy/static/provider/scw/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -329,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -343,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -376,7 +376,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -399,7 +399,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -417,7 +417,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 spec: containers: - args: @@ -441,7 +441,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 + image: registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -513,7 +513,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -524,7 +524,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-create spec: containers: @@ -538,7 +538,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b imagePullPolicy: IfNotPresent name: create securityContext: @@ -560,7 +560,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -571,7 +571,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-patch spec: containers: @@ -587,7 +587,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b imagePullPolicy: IfNotPresent name: patch securityContext: @@ -609,7 +609,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -622,7 +622,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/docs/deploy/index.md b/docs/deploy/index.md index e33ee5dbe..655c6fae9 100644 --- a/docs/deploy/index.md +++ b/docs/deploy/index.md @@ -62,7 +62,7 @@ It will install the controller in the `ingress-nginx` namespace, creating that n **If you don't have Helm** or if you prefer to use a YAML manifest, you can run the following command instead: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.0/deploy/static/provider/cloud/deploy.yaml ``` !!! info @@ -225,7 +225,7 @@ In AWS, we use a Network load balancer (NLB) to expose the Ingress-Nginx Control ##### Network Load Balancer (NLB) ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/aws/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.0/deploy/static/provider/aws/deploy.yaml ``` ##### TLS termination in AWS Load Balancer (NLB) @@ -233,10 +233,10 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS using an NLB. -1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template +1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.0/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template ```console - wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml + wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.0/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml ``` 2. Edit the file and change the VPC CIDR in use for the Kubernetes cluster: @@ -282,7 +282,7 @@ Then, the ingress controller can be installed like this: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.0/deploy/static/provider/cloud/deploy.yaml ``` !!! warning @@ -299,7 +299,7 @@ Proxy-protocol is supported in GCE check the [Official Documentations on how to #### Azure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.0/deploy/static/provider/cloud/deploy.yaml ``` More information with regard to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller). @@ -307,7 +307,7 @@ More information with regard to Azure annotations for ingress controller can be #### Digital Ocean ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/do/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.0/deploy/static/provider/do/deploy.yaml ``` - By default the service object of the ingress-nginx-controller for Digital-Ocean, only configures one annotation. Its this one `service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"`. While this makes the service functional, it was reported that the Digital-Ocean LoadBalancer graphs shows `no data`, unless a few other annotations are also configured. Some of these other annotations require values that can not be generic and hence not forced in a out-of-the-box installation. These annotations and a discussion on them is well documented in [this issue](https://github.com/kubernetes/ingress-nginx/issues/8965). Please refer to the issue to add annotations, with values specific to user, to get graphs of the DO-LB populated with data. @@ -315,7 +315,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont #### Scaleway ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/scw/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.0/deploy/static/provider/scw/deploy.yaml ``` #### Exoscale @@ -330,7 +330,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale #### Oracle Cloud Infrastructure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.0/deploy/static/provider/cloud/deploy.yaml ``` A @@ -357,7 +357,7 @@ For quick testing, you can use a This should work on almost every cluster, but it will typically use a port in the range 30000-32767. ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/baremetal/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.0/deploy/static/provider/baremetal/deploy.yaml ``` For more information about bare metal deployments (and how to use port 80 instead of a random port in the 30000-32767 range), diff --git a/docs/e2e-tests.md b/docs/e2e-tests.md index 9b3c5f2ff..025ff686d 100644 --- a/docs/e2e-tests.md +++ b/docs/e2e-tests.md @@ -7,19 +7,38 @@ Do not try to edit it manually. -### [[Admission] admission controller](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L35) +### [[Admission] admission controller](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L37) -- [reject ingress with global-rate-limit annotations when memcached is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L43) -- [should not allow overlaps of host and paths without canary annotations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L70) -- [should allow overlaps of host and paths with canary annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L87) -- [should block ingress with invalid path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L108) -- [should return an error if there is an error validating the ingress definition](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L125) -- [should return an error if there is an invalid value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L136) -- [should return an error if there is a forbidden value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L150) -- [should not return an error if the Ingress V1 definition is valid with Ingress Class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L164) -- [should not return an error if the Ingress V1 definition is valid with IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L180) -- [should return an error if the Ingress V1 definition contains invalid annotations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L196) -- [should not return an error for an invalid Ingress when it has unknown class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L207) +- [reject ingress with global-rate-limit annotations when memcached is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L45) +- [should not allow overlaps of host and paths without canary annotations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L72) +- [should allow overlaps of host and paths with canary annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L89) +- [should block ingress with invalid path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L110) +- [should return an error if there is an error validating the ingress definition](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L127) +- [should return an error if there is an invalid value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L138) +- [should return an error if there is a forbidden value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L152) +- [should return an error if there is an invalid path and wrong pathType is set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L166) +- [should not return an error if the Ingress V1 definition is valid with Ingress Class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L201) +- [should not return an error if the Ingress V1 definition is valid with IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L217) +- [should return an error if the Ingress V1 definition contains invalid annotations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L233) +- [should not return an error for an invalid Ingress when it has unknown class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L244) + +### [affinity session-cookie-name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L35) + +- [should set sticky cookie SERVERID](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L42) +- [should change cookie name on ingress definition change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L64) +- [should set the path to /something on the generated cookie](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L99) +- [does not set the path to / on the generated cookie if there's more than one rule referring to the same backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L121) +- [should set cookie with expires](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L194) +- [should set cookie with domain](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L225) +- [should not set cookie without domain annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L248) +- [should work with use-regex annotation and session-cookie-path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L270) +- [should warn user when use-regex is true and session-cookie-path is not set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L294) +- [should not set affinity across all server locations when using separate ingresses](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L320) +- [should set sticky cookie without host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L352) +- [should work with server-alias annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L372) +- [should set secure in cookie with provided true annotation on http](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L412) +- [should not set secure in cookie with provided false annotation on http](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L435) +- [should set secure in cookie with provided false annotation on https](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L458) ### [affinitymode](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinitymode.go#L31) @@ -36,6 +55,42 @@ Do not try to edit it manually. - [should redirect to /foo](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/approot.go#L35) +### [auth-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L40) + +- [should return status code 200 when no authentication is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L47) +- [should return status code 503 when authentication is configured with an invalid secret](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L66) +- [should return status code 401 when authentication is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L90) +- [should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L117) +- [should return status code 401 and cors headers when authentication and cors is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L145) +- [should return status code 200 when authentication is configured and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L173) +- [should return status code 200 when authentication is configured with a map and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L200) +- [should return status code 401 when authentication is configured with invalid content and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L228) +- [ when external auth is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L267) +- [ when external auth is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L285) +- [ when auth-headers are set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L302) +- [should set cache_key when external auth cache is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L323) +- [user retains cookie by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L412) +- [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L423) +- [user with annotated ingress retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L434) +- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L486) +- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L495) +- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L506) +- [should overwrite Foo header with auth response](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L530) +- [should not create additional upstream block when auth-keepalive is not set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L553) +- [should not create additional upstream block when host part of auth-url contains a variable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L571) +- [should not create additional upstream block when auth-keepalive is negative](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L591) +- [should not create additional upstream block when auth-keepalive is set with HTTP/2](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L610) +- [should create additional upstream block when auth-keepalive is set with HTTP/1.x](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L624) +- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L679) +- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L688) +- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L699) +- [should return status code 200 when signed in after auth backend is deleted ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L773) +- [should deny login for different location on same server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L793) +- [should deny login for different servers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L821) +- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L850) +- [should return 503 (location was denied)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L880) +- [should add error to the config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L888) + ### [auth-tls-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L29) - [should set sslClientCertificate, sslVerifyClient and sslVerifyDepth with auth-tls-secret](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L36) @@ -56,6 +111,34 @@ Do not try to edit it manually. - [should set backend protocol to '' and use fastcgi_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L94) - [should set backend protocol to '' and use ajp_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L109) +### [canary-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L36) + +- [should response with a 200 status from the mainline upstream when requests are made to the mainline ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L48) +- [should return 404 status for requests to the canary if no matching ingress is found](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L80) +- [should return the correct status codes when endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L107) +- [should route requests to the correct upstream if mainline ingress is created before the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L161) +- [should route requests to the correct upstream if mainline ingress is created after the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L206) +- [should route requests to the correct upstream if the mainline ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L250) +- [should route requests to the correct upstream if the canary ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L307) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L372) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L426) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L490) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L532) +- [should routes to mainline upstream when the given Regex causes error](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L566) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L604) +- [respects always and never values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L643) +- [should route requests only to mainline if canary weight is 0](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L705) +- [should route requests only to canary if canary weight is 100](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L743) +- [should route requests only to canary if canary weight is equal to canary weight total](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L775) +- [should route requests split between mainline and canary if canary weight is 50](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L808) +- [should route requests split between mainline and canary if canary weight is 100 and weight total is 200](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L834) +- [should not use canary as a catch-all server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L863) +- [should not use canary with domain as a server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L891) +- [does not crash when canary ingress has multiple paths to the same non-matching backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L915) +- [always routes traffic to canary if first request was affinitized to canary (default behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L943) +- [always routes traffic to canary if first request was affinitized to canary (explicit sticky behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1000) +- [routes traffic to either mainline or canary backend (legacy behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1058) + ### [client-body-buffer-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L28) - [should set client_body_buffer_size to 1000](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L35) @@ -109,6 +192,13 @@ Do not try to edit it manually. - [disable-http-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L53) - [disable-stream-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L71) +### [backend-protocol - FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L30) + +- [should use fastcgi_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L37) +- [should add fastcgi_index in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L54) +- [should add fastcgi_param in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L71) +- [should return OK for service with backend protocol FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L102) + ### [force-ssl-redirect](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/forcesslredirect.go#L27) - [should redirect to https](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/forcesslredirect.go#L34) @@ -133,6 +223,11 @@ Do not try to edit it manually. - [enable the http2-push-preload directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/http2pushpreload.go#L34) +### [denylist-source-range](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L28) + +- [only deny explicitly denied IPs, allow all others](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L35) +- [only allow explicitly allowed IPs, deny all others](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L86) + ### [whitelist-source-range](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipwhitelist.go#L27) - [should set valid ip whitelist range](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipwhitelist.go#L34) @@ -203,6 +298,14 @@ Do not try to edit it manually. - [should respond with a standard redirect code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/redirect.go#L33) - [should respond with a custom redirect code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/redirect.go#L61) +### [rewrite-target use-regex enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L30) + +- [should write rewrite logs](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L37) +- [should use correct longest path match](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L66) +- [should use ~* location modifier if regex annotation is present](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L111) +- [should fail to use longest match for documented warning](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L158) +- [should allow for custom rewrite parameters](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L190) + ### [satisfy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/satisfy.go#L35) - [should configure satisfy directive correctly](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/satisfy.go#L42) @@ -247,108 +350,6 @@ Do not try to edit it manually. - [should set the X-Forwarded-Prefix to the annotation value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L35) - [should not add X-Forwarded-Prefix if the annotation value is empty](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L57) -### [denylist-source-range](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L28) - -- [only deny explicitly denied IPs, allow all others](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L35) -- [only allow explicitly allowed IPs, deny all others](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L86) - -### [affinity session-cookie-name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L35) - -- [should set sticky cookie SERVERID](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L42) -- [should change cookie name on ingress definition change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L64) -- [should set the path to /something on the generated cookie](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L99) -- [does not set the path to / on the generated cookie if there's more than one rule referring to the same backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L121) -- [should set cookie with expires](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L194) -- [should set cookie with domain](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L225) -- [should not set cookie without domain annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L248) -- [should work with use-regex annotation and session-cookie-path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L270) -- [should warn user when use-regex is true and session-cookie-path is not set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L294) -- [should not set affinity across all server locations when using separate ingresses](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L320) -- [should set sticky cookie without host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L352) -- [should work with server-alias annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L372) -- [should set secure in cookie with provided true annotation on http](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L412) -- [should not set secure in cookie with provided false annotation on http](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L435) -- [should set secure in cookie with provided false annotation on https](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L458) - -### [rewrite-target use-regex enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L30) - -- [should write rewrite logs](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L37) -- [should use correct longest path match](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L66) -- [should use ~* location modifier if regex annotation is present](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L111) -- [should fail to use longest match for documented warning](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L158) -- [should allow for custom rewrite parameters](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L190) - -### [backend-protocol - FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L30) - -- [should use fastcgi_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L37) -- [should add fastcgi_index in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L54) -- [should add fastcgi_param in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L71) -- [should return OK for service with backend protocol FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L102) - -### [auth-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L39) - -- [should return status code 200 when no authentication is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L46) -- [should return status code 503 when authentication is configured with an invalid secret](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L65) -- [should return status code 401 when authentication is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L89) -- [should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L116) -- [should return status code 401 and cors headers when authentication and cors is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L144) -- [should return status code 200 when authentication is configured and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L172) -- [should return status code 200 when authentication is configured with a map and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L199) -- [should return status code 401 when authentication is configured with invalid content and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L227) -- [ when external auth is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L266) -- [ when external auth is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L284) -- [ when auth-headers are set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L301) -- [should set cache_key when external auth cache is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L322) -- [user retains cookie by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L411) -- [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L422) -- [user with annotated ingress retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L433) -- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L485) -- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L494) -- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L505) -- [should overwrite Foo header with auth response](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L529) -- [should not create additional upstream block when auth-keepalive is not set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L552) -- [should not create additional upstream block when host part of auth-url contains a variable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L570) -- [should not create additional upstream block when auth-keepalive is negative](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L590) -- [should not create additional upstream block when auth-keepalive is set with HTTP/2](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L609) -- [should create additional upstream block when auth-keepalive is set with HTTP/1.x](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L623) -- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L678) -- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L687) -- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L698) -- [should return status code 200 when signed in after auth backend is deleted ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L772) -- [should deny login for different location on same server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L792) -- [should deny login for different servers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L820) -- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L849) -- [should return 503 (location was denied)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L879) -- [should add error to the config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L887) - -### [canary-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L36) - -- [should response with a 200 status from the mainline upstream when requests are made to the mainline ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L48) -- [should return 404 status for requests to the canary if no matching ingress is found](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L80) -- [should return the correct status codes when endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L107) -- [should route requests to the correct upstream if mainline ingress is created before the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L161) -- [should route requests to the correct upstream if mainline ingress is created after the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L206) -- [should route requests to the correct upstream if the mainline ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L250) -- [should route requests to the correct upstream if the canary ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L307) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L372) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L426) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L490) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L532) -- [should routes to mainline upstream when the given Regex causes error](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L566) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L604) -- [respects always and never values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L643) -- [should route requests only to mainline if canary weight is 0](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L705) -- [should route requests only to canary if canary weight is 100](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L743) -- [should route requests only to canary if canary weight is equal to canary weight total](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L775) -- [should route requests split between mainline and canary if canary weight is 50](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L808) -- [should route requests split between mainline and canary if canary weight is 100 and weight total is 200](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L834) -- [should not use canary as a catch-all server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L863) -- [should not use canary with domain as a server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L891) -- [does not crash when canary ingress has multiple paths to the same non-matching backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L915) -- [always routes traffic to canary if first request was affinitized to canary (default behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L943) -- [always routes traffic to canary if first request was affinitized to canary (explicit sticky behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1000) -- [routes traffic to either mainline or canary backend (legacy behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1058) - ### [Debug CLI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L29) - [should list the backend servers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L37) @@ -373,6 +374,10 @@ Do not try to edit it manually. - [should apply the annotation to the default backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/with_hosts.go#L38) +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e.go#L) + ### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e_test.go#L) - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e_test.go#L) @@ -385,10 +390,30 @@ Do not try to edit it manually. - [should return 200 when service has topology hints](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/topology.go#L43) +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/deployment.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/deployment.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/fastcgi_helloserver.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/fastcgi_helloserver.go#L) + +### [[Setting] ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L194) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L) + ### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/grpc_fortune_teller.go#L) - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/grpc_fortune_teller.go#L) +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) + ### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/array.go#L) - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/array.go#L) @@ -413,6 +438,10 @@ Do not try to edit it manually. - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/reporter.go#L) +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/request.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/request.go#L) + ### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/response.go#L) - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/response.go#L) @@ -425,14 +454,18 @@ Do not try to edit it manually. - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/value.go#L) -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/request.go#L) +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/k8s.go#L) -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/request.go#L) +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/k8s.go#L) ### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/logs.go#L) - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/logs.go#L) +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/metrics.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/metrics.go#L) + ### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/ssl.go#L) - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/ssl.go#L) @@ -445,34 +478,6 @@ Do not try to edit it manually. - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/util.go#L) -### [[Setting] ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L194) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/k8s.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/k8s.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/metrics.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/metrics.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/deployment.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/deployment.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/fastcgi_helloserver.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/fastcgi_helloserver.go#L) - ### [[Shutdown] Grace period shutdown](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/grace_period.go#L32) - [/healthz should return status code 500 during shutdown grace period](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/grace_period.go#L35) @@ -546,6 +551,11 @@ Do not try to edit it manually. - [handles endpoints only changes consistently (down scaling of replicas vs. empty service)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L125) - [handles an annotation change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L171) +### [[metrics] exported prometheus metrics](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/metrics/metrics.go#L36) + +- [exclude socket request metrics are absent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/metrics/metrics.go#L50) +- [exclude socket request metrics are present](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/metrics/metrics.go#L72) + ### [nginx-configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L99) - [start nginx with default configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L102) @@ -561,15 +571,15 @@ Do not try to edit it manually. - [should return 503 when backend service does not exist](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L36) - [should return 503 when all backend service endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L54) -### [[Service] Type ExternalName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L59) +### [[Service] Type ExternalName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L37) -- [works with external name set to incomplete fqdn](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L62) -- [should return 200 for service type=ExternalName without a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L95) -- [should return 200 for service type=ExternalName with a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L129) -- [should return status 502 for service type=ExternalName with an invalid host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L153) -- [should return 200 for service type=ExternalName using a port name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L184) -- [should return 200 for service type=ExternalName using FQDN with trailing dot](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L217) -- [should update the external name after a service update](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L248) +- [works with external name set to incomplete fqdn](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L40) +- [should return 200 for service type=ExternalName without a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L72) +- [should return 200 for service type=ExternalName with a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L110) +- [should return status 502 for service type=ExternalName with an invalid host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L138) +- [should return 200 for service type=ExternalName using a port name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L169) +- [should return 200 for service type=ExternalName using FQDN with trailing dot](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L206) +- [should update the external name after a service update](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L241) - [should sync ingress on external name service addition/deletion](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L311) ### [[Service] Nil Service Backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_nil_backend.go#L31) @@ -595,6 +605,10 @@ Do not try to edit it manually. - [ condition](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/brotli.go#L39) +### [Configmap change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L29) + +- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L36) + ### [add-headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L30) - [Add a custom header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L40) @@ -616,6 +630,12 @@ Do not try to edit it manually. - [should ignore services of external-name type](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_service_external_name.go#L52) +### [[Flag] disable-sync-events](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_sync_events.go#L32) + +- [should create sync events (default)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_sync_events.go#L35) +- [should create sync events](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_sync_events.go#L53) +- [should not create sync events](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_sync_events.go#L80) + ### [enable-real-ip](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L30) - [trusts X-Forwarded-For header only when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L40) @@ -661,6 +681,15 @@ Do not try to edit it manually. - [generates correct NGINX configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/globalratelimit.go#L38) +### [gzip](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L29) + +- [should be disabled by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L32) +- [should be enabled with default settings](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L39) +- [should set gzip_comp_level to 4](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L56) +- [should set gzip_disable to msie6](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L67) +- [should set gzip_min_length to 100](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L78) +- [should set gzip_types to application/javascript](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L89) + ### [hash size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L27) - [should set server_names_hash_bucket_size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L40) @@ -734,6 +763,16 @@ Do not try to edit it manually. - [should be enabled when set to true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/multi_accept.go#L39) - [should be disabled when set to false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/multi_accept.go#L49) +### [[Flag] watch namespace selector](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/namespace_selector.go#L30) + +- [should ingore Ingress of namespace without label foo=bar and accept those of namespace with label foo=bar](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/namespace_selector.go#L63) + +### [[Security] no-auth-locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L33) + +- [should return status code 401 when accessing '/' unauthentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L54) +- [should return status code 200 when accessing '/' authentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L68) +- [should return status code 200 when accessing '/noauth' unauthenticated](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L82) + ### [Add no tls redirect locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L28) - [Check no tls redirect locations config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L31) @@ -742,6 +781,14 @@ Do not try to edit it manually. - [should enable OCSP and contain stapling information in the connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L49) +### [Configure Opentelemetry](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentelemetry.go#L37) + +- [should not exists opentelemetry directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentelemetry.go#L47) +- [should exists opentelemetry directive when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentelemetry.go#L60) +- [should include opentelemetry_trust_incoming_spans on directive when enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentelemetry.go#L74) +- [should not exists opentelemetry_operation_name directive when is empty](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentelemetry.go#L89) +- [should exists opentelemetry_operation_name directive when is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentelemetry.go#L104) + ### [Configure OpenTracing](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L48) - [should not exists opentracing directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L58) @@ -821,6 +868,11 @@ Do not try to edit it manually. - [Add ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_ciphers.go#L31) +### [With enable-ssl-passthrough enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_passthrough.go#L36) + +- [should enable ssl-passthrough-proxy-port on a different port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_passthrough.go#L56) +- [should pass unknown traffic to default backend and handle known traffic](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_passthrough.go#L79) + ### [configmap stream-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/stream_snippet.go#L35) - [should add value of stream-snippet via config map to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/stream_snippet.go#L42) @@ -835,48 +887,6 @@ Do not try to edit it manually. - [should not use ports during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L187) - [should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L205) -### [[Flag] disable-sync-events](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_sync_events.go#L32) - -- [should create sync events (default)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_sync_events.go#L35) -- [should create sync events](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_sync_events.go#L53) -- [should not create sync events](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_sync_events.go#L80) - -### [gzip](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L29) - -- [should be disabled by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L32) -- [should be enabled with default settings](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L39) -- [should set gzip_comp_level to 4](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L56) -- [should set gzip_disable to msie6](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L67) -- [should set gzip_min_length to 100](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L78) -- [should set gzip_types to application/javascript](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L89) - -### [Configmap change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L29) - -- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L36) - -### [[Flag] watch namespace selector](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/namespace_selector.go#L30) - -- [should ingore Ingress of namespace without label foo=bar and accept those of namespace with label foo=bar](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/namespace_selector.go#L63) - -### [With enable-ssl-passthrough enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_passthrough.go#L36) - -- [should enable ssl-passthrough-proxy-port on a different port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_passthrough.go#L56) -- [should pass unknown traffic to default backend and handle known traffic](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_passthrough.go#L79) - -### [[Security] no-auth-locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L33) - -- [should return status code 401 when accessing '/' unauthentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L54) -- [should return status code 200 when accessing '/' authentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L68) -- [should return status code 200 when accessing '/noauth' unauthenticated](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L82) - -### [Configure Opentelemetry](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentelemetry.go#L37) - -- [should not exists opentelemetry directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentelemetry.go#L47) -- [should exists opentelemetry directive when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentelemetry.go#L60) -- [should include opentelemetry_trust_incoming_spans on directive when enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentelemetry.go#L74) -- [should not exists opentelemetry_operation_name directive when is empty](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentelemetry.go#L89) -- [should exists opentelemetry_operation_name directive when is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentelemetry.go#L104) - ### [[SSL] redirect to HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/http_redirect.go#L29) - [should redirect from HTTP to HTTPS when secret is missing](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/http_redirect.go#L36) @@ -894,13 +904,4 @@ Do not try to edit it manually. - [should expose a TCP service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L46) - [should expose an ExternalName TCP service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L80) -- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L169) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e.go#L) - -### [[metrics] exported prometheus metrics](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/metrics/metrics.go#L36) - -- [exclude socket request metrics are absent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/metrics/metrics.go#L50) -- [exclude socket request metrics are present](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/metrics/metrics.go#L72) \ No newline at end of file +- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L169) \ No newline at end of file diff --git a/magefiles/release.go b/magefiles/release.go index c02b88cfd..6e5efb490 100644 --- a/magefiles/release.go +++ b/magefiles/release.go @@ -136,12 +136,16 @@ func (Release) NewRelease(version string) { //controller tag updateChartValue("controller.image.tag", fmt.Sprintf("v%s", releaseNotes.Version)) + Debug("releaseNotes.ControllerImages[0].Name %s", releaseNotes.ControllerImages[0].Name) + Debug("releaseNotes.ControllerImages[1].Name %s", releaseNotes.ControllerImages[1].Name) //controller digest - if releaseNotes.ControllerImages[0].Name == "controller" { + if releaseNotes.ControllerImages[0].Name == "ingress-nginx/controller" { + Debug("Updating Chart Value %s with %s", "controller.image.digest", releaseNotes.ControllerImages[0].Digest) updateChartValue("controller.image.digest", releaseNotes.ControllerImages[0].Digest) } //controller chroot digest - if releaseNotes.ControllerImages[1].Name == "controller-chroot" { + if releaseNotes.ControllerImages[1].Name == "ingress-nginx/controller-chroot" { + Debug("Updating Chart Value %s with %s", "controller.image.digestChroot", releaseNotes.ControllerImages[1].Digest) updateChartValue("controller.image.digestChroot", releaseNotes.ControllerImages[1].Digest) } From 057c1b26fb1e9f7bcd073ab8c5e6f3eb346a9885 Mon Sep 17 00:00:00 2001 From: Long Wu Yuan Date: Wed, 31 May 2023 02:03:46 +0530 Subject: [PATCH 325/405] added helmshowvalues example (#10019) --- docs/deploy/index.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/deploy/index.md b/docs/deploy/index.md index 655c6fae9..dcdfeb7c0 100644 --- a/docs/deploy/index.md +++ b/docs/deploy/index.md @@ -59,6 +59,12 @@ It will install the controller in the `ingress-nginx` namespace, creating that n - if the ingress controller is not installed, it will install it, - if the ingress controller is already installed, it will upgrade it. +**If you want a full list of values that you can set, while installing with Helm,** then run: + +```console +helm show values ingress-nginx --repo https://kubernetes.github.io/ingress-nginx +``` + **If you don't have Helm** or if you prefer to use a YAML manifest, you can run the following command instead: ```console From 19de8af3508c50c19eccc647eb9f259ac9008a74 Mon Sep 17 00:00:00 2001 From: Long Wu Yuan Date: Thu, 1 Jun 2023 13:11:46 +0530 Subject: [PATCH 326/405] added note on dns for localtesting (#10021) --- docs/deploy/index.md | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/docs/deploy/index.md b/docs/deploy/index.md index dcdfeb7c0..76a28b6ad 100644 --- a/docs/deploy/index.md +++ b/docs/deploy/index.md @@ -76,10 +76,9 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont resources as if you had used Helm to install the controller. !!! attention - If you are running an old version of Kubernetes (1.18 or earlier), please read - [this paragraph](#running-on-Kubernetes-versions-older-than-1.19) for specific instructions. - Because of api deprecations, the default manifest may not work on your cluster. - Specific manifests for supported Kubernetes versions are available within a sub-folder of each provider. + If you are running an old version of Kubernetes (1.18 or earlier), please read [this paragraph](#running-on-Kubernetes-versions-older-than-1.19) for specific instructions. + Because of api deprecations, the default manifest may not work on your cluster. + Specific manifests for supported Kubernetes versions are available within a sub-folder of each provider. ### Pre-flight check @@ -99,6 +98,7 @@ kubectl wait --namespace ingress-nginx \ --timeout=120s ``` + ### Local testing Let's create a simple web server and the associated service: @@ -121,7 +121,19 @@ Now, forward a local port to the ingress controller: kubectl port-forward --namespace=ingress-nginx service/ingress-nginx-controller 8080:80 ``` -At this point, if you access http://demo.localdev.me:8080/, you should see an HTML page telling you "It works!". +!!! info + A note on DNS & network-connection. + This documentation assumes that a user has awareness of the DNS and the network routing aspects involved in using ingress. + The port-forwarding mentioned above, is the easiest way to demo the working of ingress. The "kubectl port-forward..." command above has forwarded the port number 8080, on the localhost's tcp/ip stack, where the command was typed, to the port number 80, of the service created by the installation of ingress-nginx controller. So now, the traffic sent to port number 8080 on localhost will reach the port number 80, of the ingress-controller's service. + Port-forwarding is not for a production environment use-case. But here we use port-forwarding, to simulate a HTTP request, originating from outside the cluster, to reach the service of the ingress-nginx controller, that is exposed to receive traffic from outside the cluster. + [This issue](https://github.com/kubernetes/ingress-nginx/issues/10014#issuecomment-1567791549described) shows a typical DNS problem and its solution. + +At this point, you can access your deployment using curl ; +```console +curl --resolve demo.localdev.me:8080:127.0.0.1 http://demo.localdev.me:8080 +``` + +You should see a HTML response containing text like **"It works!"**. ### Online testing From d02ba28b9609c106ea4de8e0f3dbf5abc3d06fdc Mon Sep 17 00:00:00 2001 From: Eng Zer Jun Date: Thu, 1 Jun 2023 22:29:47 +0800 Subject: [PATCH 327/405] perf: avoid unnecessary byte/string conversion (#10012) We can use alternative functions to avoid unnecessary byte/string conversion calls and reduce allocations. Signed-off-by: Eng Zer Jun --- internal/ingress/annotations/auth/main.go | 2 +- internal/ingress/annotations/authreq/main.go | 6 +++--- internal/net/ssl/ssl.go | 6 +++--- test/e2e/settings/ocsp/ocsp.go | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/internal/ingress/annotations/auth/main.go b/internal/ingress/annotations/auth/main.go index 58486c6e8..62d70873e 100644 --- a/internal/ingress/annotations/auth/main.go +++ b/internal/ingress/annotations/auth/main.go @@ -197,7 +197,7 @@ func dumpSecretAuthMap(filename string, secret *api.Secret) error { for user, pass := range secret.Data { builder.WriteString(user) builder.WriteString(":") - builder.WriteString(string(pass)) + builder.Write(pass) builder.WriteString("\n") } diff --git a/internal/ingress/annotations/authreq/main.go b/internal/ingress/annotations/authreq/main.go index 6a8a4611a..2ab389146 100644 --- a/internal/ingress/annotations/authreq/main.go +++ b/internal/ingress/annotations/authreq/main.go @@ -143,7 +143,7 @@ func ValidMethod(method string) bool { // ValidHeader checks is the provided string satisfies the header's name regex func ValidHeader(header string) bool { - return headerRegexp.Match([]byte(header)) + return headerRegexp.MatchString(header) } // ValidCacheDuration checks if the provided string is a valid cache duration @@ -159,13 +159,13 @@ func ValidCacheDuration(duration string) bool { if len(element) == 0 { continue } - if statusCodeRegex.Match([]byte(element)) { + if statusCodeRegex.MatchString(element) { if seenDuration { return false // code after duration } continue } - if durationRegex.Match([]byte(element)) { + if durationRegex.MatchString(element) { seenDuration = true } } diff --git a/internal/net/ssl/ssl.go b/internal/net/ssl/ssl.go index 05ec10bc5..fdee2f46e 100644 --- a/internal/net/ssl/ssl.go +++ b/internal/net/ssl/ssl.go @@ -81,7 +81,7 @@ func CreateSSLCert(cert, key []byte, uid string) (*ingress.SSLCert, error) { } } - pemCertBuffer.Write([]byte("\n")) + pemCertBuffer.WriteString("\n") pemCertBuffer.Write(key) pemBlock, _ := pem.Decode(pemCertBuffer.Bytes()) @@ -195,12 +195,12 @@ func StoreSSLCertOnDisk(name string, sslCert *ingress.SSLCert) (string, error) { func ConfigureCACertWithCertAndKey(name string, ca []byte, sslCert *ingress.SSLCert) error { var buffer bytes.Buffer - _, err := buffer.Write([]byte(sslCert.PemCertKey)) + _, err := buffer.WriteString(sslCert.PemCertKey) if err != nil { return fmt.Errorf("could not append newline to cert file %v: %v", sslCert.CAFileName, err) } - _, err = buffer.Write([]byte("\n")) + _, err = buffer.WriteString("\n") if err != nil { return fmt.Errorf("could not append newline to cert file %v: %v", sslCert.CAFileName, err) } diff --git a/test/e2e/settings/ocsp/ocsp.go b/test/e2e/settings/ocsp/ocsp.go index ea444444b..0173f41ac 100644 --- a/test/e2e/settings/ocsp/ocsp.go +++ b/test/e2e/settings/ocsp/ocsp.go @@ -68,7 +68,7 @@ var _ = framework.DescribeSetting("OCSP", func() { var pemCertBuffer bytes.Buffer pemCertBuffer.Write(leafCert) - pemCertBuffer.Write([]byte("\n")) + pemCertBuffer.WriteString("\n") pemCertBuffer.Write(intermediateCa) f.EnsureSecret(&corev1.Secret{ From 9e125c597e17781b7df12b03987f98360ad6e20c Mon Sep 17 00:00:00 2001 From: James Strong Date: Thu, 1 Jun 2023 13:33:20 -0400 Subject: [PATCH 328/405] adding a tag here so we force nginx builds to cloudbuild Signed-off-by: James Strong --- images/nginx/TAG | 1 + 1 file changed, 1 insertion(+) create mode 100644 images/nginx/TAG diff --git a/images/nginx/TAG b/images/nginx/TAG new file mode 100644 index 000000000..77d6f4ca2 --- /dev/null +++ b/images/nginx/TAG @@ -0,0 +1 @@ +0.0.0 From 8a61027f1a65bfd588ac85c960ab00db164d7a59 Mon Sep 17 00:00:00 2001 From: Stilian Stoilov Date: Fri, 2 Jun 2023 04:07:46 +0300 Subject: [PATCH 329/405] Upgrade to Golang 1.20.4 (#10016) * Upgrade to Golang 1.20.4 and alpine 3.18.0 * Handle Review comments --- images/custom-error-pages/rootfs/Dockerfile | 2 +- images/ext-auth-example-authsvc/rootfs/Dockerfile | 2 +- images/fastcgi-helloserver/rootfs/Dockerfile | 2 +- images/go-grpc-greeter-server/rootfs/Dockerfile | 2 +- images/test-runner/Makefile | 4 ++-- images/test-runner/rootfs/Dockerfile | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/images/custom-error-pages/rootfs/Dockerfile b/images/custom-error-pages/rootfs/Dockerfile index b34bb6977..30ac54693 100755 --- a/images/custom-error-pages/rootfs/Dockerfile +++ b/images/custom-error-pages/rootfs/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.20.1-alpine3.17 as builder +FROM golang:1.20.4-alpine3.18 as builder RUN apk update \ && apk upgrade && apk add git diff --git a/images/ext-auth-example-authsvc/rootfs/Dockerfile b/images/ext-auth-example-authsvc/rootfs/Dockerfile index c604651d4..96dcd9a39 100644 --- a/images/ext-auth-example-authsvc/rootfs/Dockerfile +++ b/images/ext-auth-example-authsvc/rootfs/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.20.1-alpine3.17 as builder +FROM golang:1.20.4-alpine3.18 as builder RUN mkdir /authsvc WORKDIR /authsvc COPY . ./ diff --git a/images/fastcgi-helloserver/rootfs/Dockerfile b/images/fastcgi-helloserver/rootfs/Dockerfile index 7d9220ddf..a11834373 100755 --- a/images/fastcgi-helloserver/rootfs/Dockerfile +++ b/images/fastcgi-helloserver/rootfs/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.20.1-alpine3.17 as builder +FROM golang:1.20.4-alpine3.18 as builder WORKDIR /go/src/k8s.io/ingress-nginx/images/fastcgi diff --git a/images/go-grpc-greeter-server/rootfs/Dockerfile b/images/go-grpc-greeter-server/rootfs/Dockerfile index 67aed038e..d457b43e5 100644 --- a/images/go-grpc-greeter-server/rootfs/Dockerfile +++ b/images/go-grpc-greeter-server/rootfs/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.20.1-alpine3.17 as build +FROM golang:1.20.4-alpine3.18 as build WORKDIR /go/src/greeter-server diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile index a004ad932..1d1f4f638 100644 --- a/images/test-runner/Makefile +++ b/images/test-runner/Makefile @@ -43,7 +43,7 @@ image: --pull \ --push \ --build-arg BASE_IMAGE=${NGINX_BASE_IMAGE} \ - --build-arg GOLANG_VERSION=1.20.1 \ + --build-arg GOLANG_VERSION=1.20.4 \ --build-arg ETCD_VERSION=3.4.3-0 \ --build-arg K8S_RELEASE=v1.26.0 \ --build-arg RESTY_CLI_VERSION=0.27 \ @@ -64,7 +64,7 @@ build: ensure-buildx --progress=${PROGRESS} \ --pull \ --build-arg BASE_IMAGE=${NGINX_BASE_IMAGE} \ - --build-arg GOLANG_VERSION=1.20.1 \ + --build-arg GOLANG_VERSION=1.20.4 \ --build-arg ETCD_VERSION=3.4.3-0 \ --build-arg K8S_RELEASE=v1.26.0 \ --build-arg RESTY_CLI_VERSION=0.27 \ diff --git a/images/test-runner/rootfs/Dockerfile b/images/test-runner/rootfs/Dockerfile index 8574f8752..40017f775 100644 --- a/images/test-runner/rootfs/Dockerfile +++ b/images/test-runner/rootfs/Dockerfile @@ -15,7 +15,7 @@ ARG BASE_IMAGE ARG GOLANG_VERSION ARG ETCD_VERSION -FROM golang:${GOLANG_VERSION}-alpine3.17 as GO +FROM golang:${GOLANG_VERSION}-alpine3.18 as GO FROM registry.k8s.io/etcd:${ETCD_VERSION} as etcd FROM ${BASE_IMAGE} From e97e9285428bf78b3ddc334c1f670636fd7c2427 Mon Sep 17 00:00:00 2001 From: Jintao Zhang Date: Fri, 2 Jun 2023 15:36:53 +0800 Subject: [PATCH 330/405] chore(dep): upgrade github.com/emicklei/go-restful/v3 to 3.10 (#10028) Signed-off-by: Jintao Zhang --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 99849f00b..6d8bcce61 100644 --- a/go.mod +++ b/go.mod @@ -53,7 +53,7 @@ require ( github.com/cyphar/filepath-securejoin v0.2.3 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/eapache/queue v1.1.0 // indirect - github.com/emicklei/go-restful/v3 v3.9.0 // indirect + github.com/emicklei/go-restful/v3 v3.10.2 // indirect github.com/evanphx/json-patch v4.12.0+incompatible // indirect github.com/evanphx/json-patch/v5 v5.6.0 // indirect github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b // indirect diff --git a/go.sum b/go.sum index dda3e809f..d04cc680a 100644 --- a/go.sum +++ b/go.sum @@ -71,8 +71,8 @@ github.com/eapache/channels v1.1.0 h1:F1taHcn7/F0i8DYqKXJnyhJcVpp2kgFcNePxXtnyu4 github.com/eapache/channels v1.1.0/go.mod h1:jMm2qB5Ubtg9zLd+inMZd2/NUvXgzmWXsDaLyQIGfH0= github.com/eapache/queue v1.1.0 h1:YOEu7KNc61ntiQlcEeUIoDTJ2o8mQznoNvUhiigpIqc= github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= -github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= -github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.10.2 h1:hIovbnmBTLjHXkqEBUz3HGpXZdM7ZrE9fJIZIqlJLqE= +github.com/emicklei/go-restful/v3 v3.10.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= From 179aa898f4b7b5e43175aad7220f1aa76c69c4fb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 2 Jun 2023 08:04:55 -0700 Subject: [PATCH 331/405] Bump github.com/stretchr/testify from 1.8.2 to 1.8.3 (#10005) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.2 to 1.8.3. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](https://github.com/stretchr/testify/compare/v1.8.2...v1.8.3) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 8 ++------ 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/go.mod b/go.mod index 6d8bcce61..e1f8cd8c6 100644 --- a/go.mod +++ b/go.mod @@ -22,7 +22,7 @@ require ( github.com/prometheus/common v0.44.0 github.com/spf13/cobra v1.7.0 github.com/spf13/pflag v1.0.5 - github.com/stretchr/testify v1.8.2 + github.com/stretchr/testify v1.8.3 github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a golang.org/x/crypto v0.9.0 diff --git a/go.sum b/go.sum index d04cc680a..a867674d6 100644 --- a/go.sum +++ b/go.sum @@ -347,9 +347,7 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c= -github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.1.3/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= @@ -357,10 +355,8 @@ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81P github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= -github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8= -github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.3 h1:RP3t2pwF7cMEbC1dqtB6poj3niw/9gnV4Cjg5oW5gtY= +github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/urfave/cli v1.17.1-0.20160602030128-01a33823596e/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= github.com/xlab/treeprint v1.1.0 h1:G/1DjNkPpfZCFt9CSh6b5/nY4VimlbHF3Rh4obvtzDk= github.com/xlab/treeprint v1.1.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= From 1503695b3041505c93335c1ddf5801bd6734e970 Mon Sep 17 00:00:00 2001 From: Chen Chen Date: Sun, 4 Jun 2023 01:50:41 +0800 Subject: [PATCH 332/405] Fix typo in controller_test (#10034) Signed-off-by: z1cheng --- internal/ingress/controller/controller_test.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go index 06e1e8db0..41ce9de87 100644 --- a/internal/ingress/controller/controller_test.go +++ b/internal/ingress/controller/controller_test.go @@ -387,7 +387,7 @@ func TestCheckWarning(t *testing.T) { t.Errorf("no error should be returned, but %s was returned", err) } if len(warnings) != 1 { - t.Errorf("expected 1 warning to occur but %d occured", len(warnings)) + t.Errorf("expected 1 warning to occur but %d occurred", len(warnings)) } else { t.Logf("got warning %s correctly", warnings[0]) } @@ -424,7 +424,7 @@ func TestCheckWarning(t *testing.T) { t.Errorf("no error should be returned, but %s was returned", err) } if len(warnings) != 1 { - t.Errorf("expected 1 warning to occur but %d occured", len(warnings)) + t.Errorf("expected 1 warning to occur but %d occurred", len(warnings)) } else { t.Logf("got warnings %v correctly", warnings) } @@ -441,7 +441,7 @@ func TestCheckWarning(t *testing.T) { t.Errorf("no error should be returned, but %s was returned", err) } if len(warnings) != 4 { - t.Errorf("expected 4 warning to occur but %d occured", len(warnings)) + t.Errorf("expected 4 warning to occur but %d occurred", len(warnings)) } else { t.Logf("got warnings %v correctly", warnings) } From 7d27f39953fb131b75088a9f34c4c069492ae2e0 Mon Sep 17 00:00:00 2001 From: Long Wu Yuan Date: Mon, 5 Jun 2023 20:37:27 +0530 Subject: [PATCH 333/405] ensured hpa mem spec before cpu spec (#10043) --- .../ingress-nginx/templates/controller-hpa.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/charts/ingress-nginx/templates/controller-hpa.yaml b/charts/ingress-nginx/templates/controller-hpa.yaml index 96a91f533..f212bc4f5 100644 --- a/charts/ingress-nginx/templates/controller-hpa.yaml +++ b/charts/ingress-nginx/templates/controller-hpa.yaml @@ -21,14 +21,6 @@ spec: minReplicas: {{ .Values.controller.autoscaling.minReplicas }} maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} metrics: - {{- with .Values.controller.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ . }} - {{- end }} {{- with .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} - type: Resource resource: @@ -37,6 +29,14 @@ spec: type: Utilization averageUtilization: {{ . }} {{- end }} + {{- with .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} {{- with .Values.controller.autoscalingTemplate }} {{- toYaml . | nindent 2 }} {{- end }} From ba1a4fac998f14d1718d507492ceb3917c8abb99 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Jun 2023 14:13:08 -0700 Subject: [PATCH 334/405] Bump github.com/stretchr/testify from 1.8.3 to 1.8.4 (#10041) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.3 to 1.8.4. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](https://github.com/stretchr/testify/compare/v1.8.3...v1.8.4) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index e1f8cd8c6..1bdcdbc61 100644 --- a/go.mod +++ b/go.mod @@ -22,7 +22,7 @@ require ( github.com/prometheus/common v0.44.0 github.com/spf13/cobra v1.7.0 github.com/spf13/pflag v1.0.5 - github.com/stretchr/testify v1.8.3 + github.com/stretchr/testify v1.8.4 github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a golang.org/x/crypto v0.9.0 diff --git a/go.sum b/go.sum index a867674d6..9e65d666f 100644 --- a/go.sum +++ b/go.sum @@ -355,8 +355,8 @@ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81P github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.8.3 h1:RP3t2pwF7cMEbC1dqtB6poj3niw/9gnV4Cjg5oW5gtY= -github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/urfave/cli v1.17.1-0.20160602030128-01a33823596e/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= github.com/xlab/treeprint v1.1.0 h1:G/1DjNkPpfZCFt9CSh6b5/nY4VimlbHF3Rh4obvtzDk= github.com/xlab/treeprint v1.1.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= From 712e10d4176da06e28a11eb6f9e2d7a263b887cb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Jun 2023 14:15:06 -0700 Subject: [PATCH 335/405] Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#10042) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.4 to 3.0.6. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e...1360a344ccb0ab6e9475edef90ad2f46bf8003b1) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/depreview.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/depreview.yaml b/.github/workflows/depreview.yaml index de9243f16..4f04bdaed 100644 --- a/.github/workflows/depreview.yaml +++ b/.github/workflows/depreview.yaml @@ -11,4 +11,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: 'Dependency Review' - uses: actions/dependency-review-action@f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e # v3.0.4 + uses: actions/dependency-review-action@1360a344ccb0ab6e9475edef90ad2f46bf8003b1 # v3.0.6 From c3ea3b861e04db08a9edb67d25fc96502b32a657 Mon Sep 17 00:00:00 2001 From: Jintao Zhang Date: Wed, 7 Jun 2023 22:58:13 +0800 Subject: [PATCH 336/405] docs: Updated the content of deploy/rbac.md (#10054) Due to Kubernetes having deprecated the use of configmap as a mechanism for elections, we have migrated to a mechanism based on leases resources. However, the documentation has not been updated, resulting in inconsistencies. Signed-off-by: Jintao Zhang --- docs/deploy/rbac.md | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/docs/deploy/rbac.md b/docs/deploy/rbac.md index 8c36d19a7..70af8ba92 100644 --- a/docs/deploy/rbac.md +++ b/docs/deploy/rbac.md @@ -29,39 +29,38 @@ namespace specific permissions defined by the `Role` named `ingress-nginx`. These permissions are granted in order for the ingress-nginx-controller to be able to function as an ingress across the cluster. These permissions are -granted to the ClusterRole named `ingress-nginx` +granted to the `ClusterRole` named `ingress-nginx` * `configmaps`, `endpoints`, `nodes`, `pods`, `secrets`: list, watch * `nodes`: get -* `services`, `ingresses`: get, list, watch +* `services`, `ingresses`, `ingressclasses`, `endpointslices`: get, list, watch * `events`: create, patch * `ingresses/status`: update +* `leases`: list, watch ### Namespace Permissions These permissions are granted specific to the ingress-nginx namespace. These -permissions are granted to the Role named `ingress-nginx` +permissions are granted to the `Role` named `ingress-nginx` * `configmaps`, `pods`, `secrets`: get * `endpoints`: get Furthermore to support leader-election, the ingress-nginx-controller needs to -have access to a `configmap` using the resourceName `ingress-controller-leader-nginx` +have access to a `leases` using the resourceName `ingress-nginx-leader` > Note that resourceNames can NOT be used to limit requests using the “create” > verb because authorizers only have access to information that can be obtained > from the request URL, method, and headers (resource names in a “create” request > are part of the request body). -* `configmaps`: get, update (for resourceName `ingress-controller-leader-nginx`) -* `configmaps`: create +* `leases`: get, update (for resourceName `ingress-controller-leader`) +* `leases`: create -This resourceName is the concatenation of the `election-id` and the -`ingress-class` as defined by the ingress-controller, which defaults to: +This resourceName is the `election-id` defined by the ingress-controller, which defaults to: * `election-id`: `ingress-controller-leader` -* `ingress-class`: `nginx` -* `resourceName` : `-` +* `resourceName` : `` Please adapt accordingly if you overwrite either parameter when launching the ingress-nginx-controller. From 4c00085c173566519f0509cd8c1b0a4aa0f81aa0 Mon Sep 17 00:00:00 2001 From: Mitchell Mohorovich Date: Thu, 8 Jun 2023 11:52:14 -0400 Subject: [PATCH 337/405] fix broken kubernetes.io/user-guide/ docs links (#10055) --- charts/ingress-nginx/README.md | 10 +++++----- charts/ingress-nginx/values.yaml | 10 +++++----- docs/index.md | 2 +- docs/troubleshooting.md | 4 ++-- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 4a00815fd..c6859d1ad 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -352,7 +352,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.metrics.prometheusRule.enabled | bool | `false` | | | controller.metrics.prometheusRule.rules | list | `[]` | | | controller.metrics.service.annotations | object | `{}` | | -| controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # | +| controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # | | controller.metrics.service.labels | object | `{}` | Labels to be added to the metrics service resource | | controller.metrics.service.loadBalancerSourceRanges | list | `[]` | | | controller.metrics.service.servicePort | int | `10254` | | @@ -368,7 +368,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. | | controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | controller.name | string | `"controller"` | | -| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ # | +| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # | | controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | | controller.opentelemetry.enabled | bool | `false` | | | controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230527@sha256:fd7ec835f31b7b37187238eb4fdad4438806e69f413a203796263131f4f02ed0"` | | @@ -401,7 +401,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.service.enableHttps | bool | `true` | | | controller.service.enabled | bool | `true` | | | controller.service.external.enabled | bool | `true` | | -| controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # | +| controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # | | controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. | | controller.service.internal.enabled | bool | `false` | Enables an additional internal load balancer (besides the external one). | | controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. | @@ -463,7 +463,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.minAvailable | int | `1` | | | defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | defaultBackend.name | string | `"defaultbackend"` | | -| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ # | +| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # | | defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # | | defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata | | defaultBackend.podSecurityContext | object | `{}` | Security Context policies for controller pods See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # | @@ -477,7 +477,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.replicaCount | int | `1` | | | defaultBackend.resources | object | `{}` | | | defaultBackend.service.annotations | object | `{}` | | -| defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # | +| defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # | | defaultBackend.service.loadBalancerSourceRanges | list | `[]` | | | defaultBackend.service.servicePort | int | `80` | | | defaultBackend.service.type | string | `"ClusterIP"` | | diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 7ca41e79e..708469fab 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -257,7 +257,7 @@ controller: ## terminationGracePeriodSeconds: 300 # -- Node labels for controller pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: kubernetes.io/os: linux @@ -417,7 +417,7 @@ controller: # clusterIP: "" # -- List of IP addresses at which the controller services are available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips ## externalIPs: [] # -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer @@ -652,7 +652,7 @@ controller: # clusterIP: "" # -- List of IP addresses at which the stats-exporter service is available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips ## externalIPs: [] # loadBalancerIP: "" @@ -810,7 +810,7 @@ defaultBackend: # key: value # -- Node labels for default backend pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: kubernetes.io/os: linux @@ -849,7 +849,7 @@ defaultBackend: # clusterIP: "" # -- List of IP addresses at which the default backend service is available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips ## externalIPs: [] # loadBalancerIP: "" diff --git a/docs/index.md b/docs/index.md index 0a0f488cf..bd6a825e1 100644 --- a/docs/index.md +++ b/docs/index.md @@ -4,7 +4,7 @@ This is the documentation for the Ingress NGINX Controller. It is built around the [Kubernetes Ingress resource](https://kubernetes.io/docs/concepts/services-networking/ingress/), using a [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) to store the controller configuration. -You can learn more about using [Ingress](http://kubernetes.io/docs/user-guide/ingress/) in the official [Kubernetes documentation](https://docs.k8s.io). +You can learn more about using [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) in the official [Kubernetes documentation](https://docs.k8s.io). # Getting Started diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index 4b9820200..e1fd6956e 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md @@ -137,7 +137,7 @@ The Ingress controller needs information from apiserver. Therefore, authenticati * _Kubeconfig file:_ In some Kubernetes environments service accounts are not available. In this case a manual configuration is required. The Ingress controller binary can be started with the `--kubeconfig` flag. The value of the flag is a path to a file specifying how to connect to the API server. Using the `--kubeconfig` does not requires the flag `--apiserver-host`. The format of the file is identical to `~/.kube/config` which is used by kubectl to connect to the API server. See 'kubeconfig' section for details. -* _Using the flag `--apiserver-host`:_ Using this flag `--apiserver-host=http://localhost:8080` it is possible to specify an unsecured API server or reach a remote kubernetes cluster using [kubectl proxy](https://kubernetes.io/docs/user-guide/kubectl/kubectl_proxy/). +* _Using the flag `--apiserver-host`:_ Using this flag `--apiserver-host=http://localhost:8080` it is possible to specify an unsecured API server or reach a remote kubernetes cluster using [kubectl proxy](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#proxy). Please do not use this approach in production. In the diagram below you can see the full authentication flow with all options, starting with the browser @@ -230,7 +230,7 @@ If it is not working, there are two possible reasons: More information: -- [User Guide: Service Accounts](http://kubernetes.io/docs/user-guide/service-accounts/) +- [User Guide: Service Accounts](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) - [Cluster Administrator Guide: Managing Service Accounts](http://kubernetes.io/docs/admin/service-accounts-admin/) ## Kube-Config From 5bfc56618ed512d5a2c95bdbd5481b82c6853661 Mon Sep 17 00:00:00 2001 From: Chen Chen Date: Thu, 8 Jun 2023 23:54:13 +0800 Subject: [PATCH 338/405] Update Internal Load Balancer docs (#10062) * Update internal load balancer doc Signed-off-by: z1cheng * Fix incorrect description Signed-off-by: z1cheng * GenerateREADME.md using helm-docs Signed-off-by: z1cheng * Regenerate the docs Signed-off-by: z1cheng --------- Signed-off-by: z1cheng --- charts/ingress-nginx/README.md | 8 ++++++-- charts/ingress-nginx/README.md.gotmpl | 8 ++++++-- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index c6859d1ad..363970f60 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -143,8 +143,10 @@ controller: internal: enabled: true annotations: - # Create internal ELB - service.beta.kubernetes.io/aws-load-balancer-internal: "true" + # Create internal NLB + service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" + # Create internal ELB(Deprecated) + # service.beta.kubernetes.io/aws-load-balancer-internal: "true" # Any other annotation can be declared here. ``` @@ -187,6 +189,8 @@ controller: # Any other annotation can be declared here. ``` +The load balancer annotations of more cloud service providers can be found: [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer). + An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object. Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`. diff --git a/charts/ingress-nginx/README.md.gotmpl b/charts/ingress-nginx/README.md.gotmpl index 4a35a40b3..9b6f8c9c9 100644 --- a/charts/ingress-nginx/README.md.gotmpl +++ b/charts/ingress-nginx/README.md.gotmpl @@ -140,8 +140,10 @@ controller: internal: enabled: true annotations: - # Create internal ELB - service.beta.kubernetes.io/aws-load-balancer-internal: "true" + # Create internal NLB + service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" + # Create internal ELB(Deprecated) + # service.beta.kubernetes.io/aws-load-balancer-internal: "true" # Any other annotation can be declared here. ``` @@ -184,6 +186,8 @@ controller: # Any other annotation can be declared here. ``` +The load balancer annotations of more cloud service providers can be found: [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer). + An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object. Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`. From adbad99a71234f1f570133c36c1961c7dd383e94 Mon Sep 17 00:00:00 2001 From: Brendan Kamp Date: Fri, 9 Jun 2023 13:58:15 +0200 Subject: [PATCH 339/405] docs: canary weighted deployments example (#10067) Signed-off-by: Spazzy --- docs/examples/canary/README.md | 231 +++++++++++++++++++++++++++++++++ docs/examples/index.md | 1 + 2 files changed, 232 insertions(+) create mode 100644 docs/examples/canary/README.md diff --git a/docs/examples/canary/README.md b/docs/examples/canary/README.md new file mode 100644 index 000000000..4124faf6f --- /dev/null +++ b/docs/examples/canary/README.md @@ -0,0 +1,231 @@ +# Canary + +Ingress Nginx Has the ability to handle canary routing by setting specific +annotations, the following is an example of how to configure a canary +deployment with weighted canary routing. + +## Create your main deployment and service + +This is the main deployment of your application with the service that will be +used to route to it + +```bash +echo " +--- +# Deployment +apiVersion: apps/v1 +kind: Deployment +metadata: + name: production + labels: + app: production +spec: + replicas: 1 + selector: + matchLabels: + app: production + template: + metadata: + labels: + app: production + spec: + containers: + - name: production + image: registry.k8s.io/ingress-nginx/e2e-test-echo@sha256:6fc5aa2994c86575975bb20a5203651207029a0d28e3f491d8a127d08baadab4 + ports: + - containerPort: 80 + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP +--- +# Service +apiVersion: v1 +kind: Service +metadata: + name: production + labels: + app: production +spec: + ports: + - port: 80 + targetPort: 80 + protocol: TCP + name: http + selector: + app: production +" | kubectl apply -f - +``` + +## Create the canary deployment and service + +This is the canary deployment that will take a weighted amount of requests +instead of the main deployment + +```bash +echo " +--- +# Deployment +apiVersion: apps/v1 +kind: Deployment +metadata: + name: canary + labels: + app: canary +spec: + replicas: 1 + selector: + matchLabels: + app: canary + template: + metadata: + labels: + app: canary + spec: + containers: + - name: canary + image: registry.k8s.io/ingress-nginx/e2e-test-echo@sha256:6fc5aa2994c86575975bb20a5203651207029a0d28e3f491d8a127d08baadab4 + ports: + - containerPort: 80 + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP +--- +# Service +apiVersion: v1 +kind: Service +metadata: + name: canary + labels: + app: canary +spec: + ports: + - port: 80 + targetPort: 80 + protocol: TCP + name: http + selector: + app: canary +" | kubectl apply -f - +``` + +## Create Ingress Pointing To Your Main Deployment + +Next you will need to expose your main deployment with an ingress resource, +note there are no canary specific annotations on this ingress + +```bash +echo " +--- +# Ingress +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: production + annotations: +spec: + ingressClassName: nginx + rules: + - host: echo.prod.mydomain.com + http: + paths: + - pathType: Prefix + path: / + backend: + service: + name: production + port: + number: 80 +" | kubectl apply -f - +``` + +## Create Ingress Pointing To Your Canary Deployment + +You will then create an Ingress that has the canary specific configuration, +please pay special notice of the following: + +- The host name is identical to the main ingress host name +- The `nginx.ingress.kubernetes.io/canary: "true"` annotation is required and + defines this as a canary annotation (if you do not have this the Ingresses + will clash) +- The `nginx.ingress.kubernetes.io/canary-weight: "50"` annotation dictates the + weight of the routing, in this case there is a "50%" chance a request will + hit the canary deployment over the main deployment +```bash +echo " +--- +# Ingress +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: canary + annotations: + nginx.ingress.kubernetes.io/canary: \"true\" + nginx.ingress.kubernetes.io/canary-weight: \"50\" +spec: + ingressClassName: nginx + rules: + - host: echo.prod.mydomain.com + http: + paths: + - pathType: Prefix + path: / + backend: + service: + name: canary + port: + number: 80 +" | kubectl apply -f - +``` + +## Testing your setup + +You can use the following command to test your setup (replacing +INGRESS_CONTROLLER_IP with your ingresse controllers IP Address) + +```bash +for i in $(seq 1 10); do curl -s --resolve echo.prod.mydomain.com:80:$INGRESS_CONTROLLER_IP echo.prod.mydomain.com | grep "Hostname"; done +``` + +You will get the following output showing that your canary setup is working as +expected: + +```bash +Hostname: production-5c5f65d859-phqzc +Hostname: canary-6697778457-zkfjf +Hostname: canary-6697778457-zkfjf +Hostname: production-5c5f65d859-phqzc +Hostname: canary-6697778457-zkfjf +Hostname: production-5c5f65d859-phqzc +Hostname: production-5c5f65d859-phqzc +Hostname: production-5c5f65d859-phqzc +Hostname: canary-6697778457-zkfjf +Hostname: production-5c5f65d859-phqzc +``` diff --git a/docs/examples/index.md b/docs/examples/index.md index 8a5fd5f51..3af4266ff 100644 --- a/docs/examples/index.md +++ b/docs/examples/index.md @@ -23,6 +23,7 @@ Customization | [External authentication with response header propagation](custo Customization | [Sysctl tuning](customization/sysctl/README.md) | TODO | TODO Features | [Rewrite](rewrite/README.md) | TODO | TODO Features | [Session stickiness](affinity/cookie/README.md) | route requests consistently to the same endpoint | Advanced +Features | [Canary Deployments](canary/README.md) | weigthed canary routing to a seperate deployment | Intermediate Scaling | [Static IP](static-ip/README.md) | a single ingress gets a single static IP | Intermediate TLS | [Multi TLS certificate termination](multi-tls/README.md) | TODO | TODO TLS | [TLS termination](tls-termination/README.md) | TODO | TODO From 388987c4e7500478ce76ff0c845d43256b603a00 Mon Sep 17 00:00:00 2001 From: Brendan Kamp Date: Sun, 11 Jun 2023 20:39:47 +0200 Subject: [PATCH 340/405] docs: add lua testing documentation (#10060) Signed-off-by: Spazzy --- docs/lua_tests.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 docs/lua_tests.md diff --git a/docs/lua_tests.md b/docs/lua_tests.md new file mode 100644 index 000000000..4d3d1fe70 --- /dev/null +++ b/docs/lua_tests.md @@ -0,0 +1,19 @@ +# Lua Tests + +## Running the Lua Tests + +To run the Lua tests you can run the following from the root directory: + +```bash +make lua-test +``` + +This command makes use of docker hence does not need any dependency +installations besides docker + +## Where are the Lua Tests? + +Lua Tests can be found in the [rootfs/etc/nginx/lua/test](../rootfs/etc/nginx/lua/test) directory + + +[1]: https://openresty.org/en/installation.html From dd4a703637f723c34081cd67d51dc5451a3a7771 Mon Sep 17 00:00:00 2001 From: Brendan Kamp Date: Sun, 11 Jun 2023 20:41:46 +0200 Subject: [PATCH 341/405] fix: add canary to sidebar in examples (#10068) Signed-off-by: Spazzy --- mkdocs.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/mkdocs.yml b/mkdocs.yml index 992c04d45..3243f8247 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -127,6 +127,7 @@ nav: - TLS termination: "examples/tls-termination/README.md" - Pod Security Policy (PSP): "examples/psp/README.md" - Open Policy Agent rules: "examples/openpolicyagent/README.md" + - Canary Deployments: "examples/canary/README.md" - Developer Guide: - Getting Started: "developer-guide/getting-started.md" - Code Overview: "developer-guide/code-overview.md" From 05e5956545afa74ce332791075db14ac7ffa54ff Mon Sep 17 00:00:00 2001 From: David Goffredo Date: Sun, 11 Jun 2023 14:45:47 -0400 Subject: [PATCH 342/405] tracing: upgrade to dd-opentracing-cpp v1.3.7 (#10031) --- images/nginx/rootfs/build.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh index 44c7b20f8..e2a5fd8c6 100755 --- a/images/nginx/rootfs/build.sh +++ b/images/nginx/rootfs/build.sh @@ -53,8 +53,8 @@ export JAEGER_VERSION=0.7.0 # Check for recent changes: https://github.com/msgpack/msgpack-c/compare/cpp-3.3.0...master export MSGPACK_VERSION=3.3.0 -# Check for recent changes: https://github.com/DataDog/dd-opentracing-cpp/compare/v1.3.2...master -export DATADOG_CPP_VERSION=1.3.2 +# Check for recent changes: https://github.com/DataDog/dd-opentracing-cpp/compare/v1.3.7...master +export DATADOG_CPP_VERSION=1.3.7 # Check for recent changes: https://github.com/SpiderLabs/ModSecurity-nginx/compare/v1.0.3...master export MODSECURITY_VERSION=1.0.3 @@ -265,7 +265,7 @@ get_src d3f2c870f8f88477b01726b32accab30f6e5d57ae59c5ec87374ff73d0794316 \ "https://github.com/openresty/luajit2/archive/v$LUAJIT_VERSION.tar.gz" fi -get_src 586f92166018cc27080d34e17c59d68219b85af745edf3cc9fe41403fc9b4ac6 \ +get_src 8d39c6b23f941a2d11571daaccc04e69539a3fcbcc50a631837560d5861a7b96 \ "https://github.com/DataDog/dd-opentracing-cpp/archive/v$DATADOG_CPP_VERSION.tar.gz" get_src 4c1933434572226942c65b2f2b26c8a536ab76aa771a3c7f6c2629faa764976b \ From 114ae77fb7ca30cb97326f41a18a1cb75ecc5665 Mon Sep 17 00:00:00 2001 From: guangwu Date: Mon, 12 Jun 2023 02:49:47 +0800 Subject: [PATCH 343/405] chore: pkg imported more than once (#10048) --- .../ingress/controller/controller_test.go | 31 +++++++++---------- internal/ingress/controller/store/store.go | 3 +- internal/net/ssl/ssl_test.go | 5 ++- test/e2e/annotations/grpc.go | 7 ++--- test/e2e/framework/framework.go | 14 ++++----- 5 files changed, 27 insertions(+), 33 deletions(-) diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go index 41ce9de87..355f5da95 100644 --- a/internal/ingress/controller/controller_test.go +++ b/internal/ingress/controller/controller_test.go @@ -33,7 +33,7 @@ import ( "github.com/eapache/channels" corev1 "k8s.io/api/core/v1" - v1 "k8s.io/api/core/v1" + discoveryv1 "k8s.io/api/discovery/v1" networking "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -48,7 +48,6 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/internal/ingress/annotations/proxyssl" "k8s.io/ingress-nginx/internal/ingress/annotations/sessionaffinity" - "k8s.io/ingress-nginx/internal/ingress/controller/config" ngx_config "k8s.io/ingress-nginx/internal/ingress/controller/config" "k8s.io/ingress-nginx/internal/ingress/controller/ingressclass" "k8s.io/ingress-nginx/internal/ingress/controller/store" @@ -146,7 +145,7 @@ func (ntc testNginxTestCommand) Test(cfg string) ([]byte, error) { type fakeTemplate struct{} -func (fakeTemplate) Write(conf config.TemplateConfig) ([]byte, error) { +func (fakeTemplate) Write(conf ngx_config.TemplateConfig) ([]byte, error) { r := []byte{} for _, s := range conf.Servers { if len(r) > 0 { @@ -1529,7 +1528,7 @@ func TestGetBackendServers(t *testing.T) { testCases := []struct { Ingresses []*ingress.Ingress Validate func(ingresses []*ingress.Ingress, upstreams []*ingress.Backend, servers []*ingress.Server) - SetConfigMap func(namespace string) *v1.ConfigMap + SetConfigMap func(namespace string) *corev1.ConfigMap }{ { Ingresses: []*ingress.Ingress{ @@ -2299,8 +2298,8 @@ func TestGetBackendServers(t *testing.T) { t.Errorf("location cafilename should be '%s', got '%s'", ingresses[1].ParsedAnnotations.ProxySSL.CAFileName, s.Locations[0].ProxySSL.CAFileName) } }, - SetConfigMap: func(ns string) *v1.ConfigMap { - return &v1.ConfigMap{ + SetConfigMap: func(ns string) *corev1.ConfigMap { + return &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: "config", SelfLink: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/config", ns), @@ -2360,8 +2359,8 @@ func TestGetBackendServers(t *testing.T) { t.Errorf("backend should be upstream-default-backend, got '%s'", s.Locations[0].Backend) } }, - SetConfigMap: func(ns string) *v1.ConfigMap { - return &v1.ConfigMap{ + SetConfigMap: func(ns string) *corev1.ConfigMap { + return &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: "config", SelfLink: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/config", ns), @@ -2438,8 +2437,8 @@ func TestGetBackendServers(t *testing.T) { } }, - SetConfigMap: func(ns string) *v1.ConfigMap { - return &v1.ConfigMap{ + SetConfigMap: func(ns string) *corev1.ConfigMap { + return &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: "config", SelfLink: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/config", ns), @@ -2459,8 +2458,8 @@ func TestGetBackendServers(t *testing.T) { } } -func testConfigMap(ns string) *v1.ConfigMap { - return &v1.ConfigMap{ +func testConfigMap(ns string) *corev1.ConfigMap { + return &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: "config", SelfLink: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/config", ns), @@ -2469,11 +2468,11 @@ func testConfigMap(ns string) *v1.ConfigMap { } func newNGINXController(t *testing.T) *NGINXController { - ns := v1.NamespaceDefault + ns := corev1.NamespaceDefault clientSet := fake.NewSimpleClientset() - configMap := &v1.ConfigMap{ + configMap := &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: "config", SelfLink: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/config", ns), @@ -2540,8 +2539,8 @@ func fakeX509Cert(dnsNames []string) *x509.Certificate { } } -func newDynamicNginxController(t *testing.T, setConfigMap func(string) *v1.ConfigMap) *NGINXController { - ns := v1.NamespaceDefault +func newDynamicNginxController(t *testing.T, setConfigMap func(string) *corev1.ConfigMap) *NGINXController { + ns := corev1.NamespaceDefault clientSet := fake.NewSimpleClientset() configMap := setConfigMap(ns) diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go index 7157332c3..78fab62dc 100644 --- a/internal/ingress/controller/store/store.go +++ b/internal/ingress/controller/store/store.go @@ -36,7 +36,6 @@ import ( "k8s.io/apimachinery/pkg/labels" k8sruntime "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/util/runtime" - utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/client-go/informers" clientset "k8s.io/client-go/kubernetes" "k8s.io/client-go/kubernetes/scheme" @@ -1138,7 +1137,7 @@ func (s *k8sStore) Run(stopCh chan struct{}) { var runtimeScheme = k8sruntime.NewScheme() func init() { - utilruntime.Must(networkingv1.AddToScheme(runtimeScheme)) + runtime.Must(networkingv1.AddToScheme(runtimeScheme)) } func toIngress(obj interface{}) (*networkingv1.Ingress, bool) { diff --git a/internal/net/ssl/ssl_test.go b/internal/net/ssl/ssl_test.go index e251d01d1..9d1aedf16 100644 --- a/internal/net/ssl/ssl_test.go +++ b/internal/net/ssl/ssl_test.go @@ -20,7 +20,6 @@ import ( "bytes" "crypto" "crypto/rand" - cryptorand "crypto/rand" "crypto/rsa" "crypto/tls" "crypto/x509" @@ -336,7 +335,7 @@ const ( // newPrivateKey creates an RSA private key func newPrivateKey() (*rsa.PrivateKey, error) { - return rsa.GenerateKey(cryptorand.Reader, rsaKeySize) + return rsa.GenerateKey(rand.Reader, rsaKeySize) } // newSignedCert creates a signed certificate using the given CA certificate and key @@ -365,7 +364,7 @@ func newSignedCert(cfg certutil.Config, key crypto.Signer, caCert *x509.Certific KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, ExtKeyUsage: cfg.Usages, } - certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey) + certDERBytes, err := x509.CreateCertificate(rand.Reader, &certTmpl, caCert, key.Public(), caKey) if err != nil { return nil, err } diff --git a/test/e2e/annotations/grpc.go b/test/e2e/annotations/grpc.go index 046191b21..2bdac553b 100644 --- a/test/e2e/annotations/grpc.go +++ b/test/e2e/annotations/grpc.go @@ -29,7 +29,6 @@ import ( "google.golang.org/grpc" "google.golang.org/grpc/credentials" "google.golang.org/grpc/metadata" - core "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" @@ -70,7 +69,7 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { host := "echo" - svc := &core.Service{ + svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ Name: "grpcbin-test", Namespace: f.Namespace, @@ -129,7 +128,7 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { host := "echo" - svc := &core.Service{ + svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ Name: "grpcbin-test", Namespace: f.Namespace, @@ -201,7 +200,7 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { host := "echo" - svc := &core.Service{ + svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ Name: "grpcbin-test", Namespace: f.Namespace, diff --git a/test/e2e/framework/framework.go b/test/e2e/framework/framework.go index cac6dfd20..7ed3da3e0 100644 --- a/test/e2e/framework/framework.go +++ b/test/e2e/framework/framework.go @@ -27,7 +27,6 @@ import ( "github.com/onsi/ginkgo/v2" "github.com/stretchr/testify/assert" appsv1 "k8s.io/api/apps/v1" - corev1 "k8s.io/api/core/v1" v1 "k8s.io/api/core/v1" networking "k8s.io/api/networking/v1" apiextcs "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset" @@ -38,7 +37,6 @@ import ( "k8s.io/client-go/kubernetes" "k8s.io/client-go/kubernetes/scheme" "k8s.io/client-go/rest" - restclient "k8s.io/client-go/rest" "k8s.io/klog/v2" ) @@ -62,13 +60,13 @@ type Framework struct { // A Kubernetes and Service Catalog client KubeClientSet kubernetes.Interface - KubeConfig *restclient.Config + KubeConfig *rest.Config APIExtensionsClientSet apiextcs.Interface Namespace string IngressClass string - pod *corev1.Pod + pod *v1.Pod } // NewDefaultFramework makes a new framework and sets up a BeforeEach/AfterEach for @@ -233,7 +231,7 @@ func (f *Framework) GetURL(scheme RequestScheme) string { } // GetIngressNGINXPod returns the ingress controller running pod -func (f *Framework) GetIngressNGINXPod() *corev1.Pod { +func (f *Framework) GetIngressNGINXPod() *v1.Pod { return f.pod } @@ -413,13 +411,13 @@ func (f *Framework) WaitForReload(fn func()) { assert.Nil(ginkgo.GinkgoT(), err, "while waiting for ingress controller reload") } -func getReloadCount(pod *corev1.Pod, namespace string, client kubernetes.Interface) int { +func getReloadCount(pod *v1.Pod, namespace string, client kubernetes.Interface) int { events, err := client.CoreV1().Events(namespace).Search(scheme.Scheme, pod) assert.Nil(ginkgo.GinkgoT(), err, "obtaining NGINX Pod") reloadCount := 0 for _, e := range events.Items { - if e.Reason == "RELOAD" && e.Type == corev1.EventTypeNormal { + if e.Reason == "RELOAD" && e.Type == v1.EventTypeNormal { reloadCount++ } } @@ -793,7 +791,7 @@ func Sleep(duration ...time.Duration) { time.Sleep(sleepFor) } -func loadConfig() (*restclient.Config, error) { +func loadConfig() (*rest.Config, error) { config, err := rest.InClusterConfig() if err != nil { return nil, err From 7043f6ae296ef85bbb4066d5e33e72b5e15dc970 Mon Sep 17 00:00:00 2001 From: guangwu Date: Mon, 12 Jun 2023 02:49:54 +0800 Subject: [PATCH 344/405] unnecessary use of fmt.Sprint (S1039) (#10049) --- internal/ingress/controller/checker_test.go | 2 +- test/e2e/annotations/connection.go | 3 +- test/e2e/framework/framework.go | 4 +- test/e2e/settings/enable_real_ip.go | 30 +++++++------- test/e2e/settings/forwarded_headers.go | 39 +++++++++---------- test/e2e/settings/keep-alive.go | 5 +-- test/e2e/settings/listen_nondefault_ports.go | 4 +- .../e2e/settings/no_tls_redirect_locations.go | 5 +-- test/e2e/settings/proxy_host.go | 2 +- test/e2e/settings/proxy_protocol.go | 20 +++++----- test/e2e/settings/tls.go | 6 +-- 11 files changed, 58 insertions(+), 62 deletions(-) diff --git a/internal/ingress/controller/checker_test.go b/internal/ingress/controller/checker_test.go index a0d2baafa..bea1c9cd0 100644 --- a/internal/ingress/controller/checker_test.go +++ b/internal/ingress/controller/checker_test.go @@ -109,7 +109,7 @@ func TestNginxCheck(t *testing.T) { }) // pollute pid file - pidFile.Write([]byte(fmt.Sprint("999999"))) + pidFile.Write([]byte("999999")) pidFile.Close() t.Run("bad pid", func(t *testing.T) { diff --git a/test/e2e/annotations/connection.go b/test/e2e/annotations/connection.go index 9cfcbacd0..428d85876 100644 --- a/test/e2e/annotations/connection.go +++ b/test/e2e/annotations/connection.go @@ -17,7 +17,6 @@ limitations under the License. package annotations import ( - "fmt" "net/http" "strings" @@ -52,6 +51,6 @@ var _ = framework.DescribeAnnotation("connection-proxy-header", func() { WithHeader("Host", host). Expect(). Status(http.StatusOK). - Body().Contains(fmt.Sprintf("connection=keep-alive")) + Body().Contains("connection=keep-alive") }) }) diff --git a/test/e2e/framework/framework.go b/test/e2e/framework/framework.go index 7ed3da3e0..a3d5ea760 100644 --- a/test/e2e/framework/framework.go +++ b/test/e2e/framework/framework.go @@ -160,7 +160,7 @@ func (f *Framework) AfterEach() { return } - cmd := fmt.Sprintf("cat /etc/nginx/nginx.conf") + cmd := "cat /etc/nginx/nginx.conf" o, err := f.ExecCommand(f.pod, cmd) if err != nil { Logf("Unexpected error obtaining nginx.conf file: %v", err) @@ -277,7 +277,7 @@ func (f *Framework) matchNginxConditions(name string, matcher func(cfg string) b return func() (bool, error) { var cmd string if name == "" { - cmd = fmt.Sprintf("cat /etc/nginx/nginx.conf") + cmd = "cat /etc/nginx/nginx.conf" } else { cmd = fmt.Sprintf("cat /etc/nginx/nginx.conf | awk '/## start server %v/,/## end server %v/'", name, name) } diff --git a/test/e2e/settings/enable_real_ip.go b/test/e2e/settings/enable_real_ip.go index 9be2e52d9..778011b9f 100644 --- a/test/e2e/settings/enable_real_ip.go +++ b/test/e2e/settings/enable_real_ip.go @@ -64,15 +64,15 @@ var _ = framework.DescribeSetting("enable-real-ip", func() { Body(). Raw() - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=myhost")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-host=myhost")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-proto=myproto")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-port=1234")) + assert.NotContains(ginkgo.GinkgoT(), body, "host=myhost") + assert.NotContains(ginkgo.GinkgoT(), body, "x-forwarded-host=myhost") + assert.NotContains(ginkgo.GinkgoT(), body, "x-forwarded-proto=myproto") + assert.NotContains(ginkgo.GinkgoT(), body, "x-forwarded-port=1234") assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=%s", host)) assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-host=%s", host)) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-proto=http")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-port=80")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-for=1.2.3.4")) + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-proto=http") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-port=80") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-for=1.2.3.4") }) ginkgo.It("should not trust X-Forwarded-For header when setting is false", func() { @@ -101,13 +101,13 @@ var _ = framework.DescribeSetting("enable-real-ip", func() { Raw() assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=%s", host)) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-port=80")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-proto=http")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-original-forwarded-for=1.2.3.4")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=myhost")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-host=myhost")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-proto=myproto")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-port=1234")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-for=1.2.3.4")) + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-port=80") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-proto=http") + assert.Contains(ginkgo.GinkgoT(), body, "x-original-forwarded-for=1.2.3.4") + assert.NotContains(ginkgo.GinkgoT(), body, "host=myhost") + assert.NotContains(ginkgo.GinkgoT(), body, "x-forwarded-host=myhost") + assert.NotContains(ginkgo.GinkgoT(), body, "x-forwarded-proto=myproto") + assert.NotContains(ginkgo.GinkgoT(), body, "x-forwarded-port=1234") + assert.NotContains(ginkgo.GinkgoT(), body, "x-forwarded-for=1.2.3.4") }) }) diff --git a/test/e2e/settings/forwarded_headers.go b/test/e2e/settings/forwarded_headers.go index b929e683b..d4ffee545 100644 --- a/test/e2e/settings/forwarded_headers.go +++ b/test/e2e/settings/forwarded_headers.go @@ -17,7 +17,6 @@ limitations under the License. package settings import ( - "fmt" "net/http" "strings" @@ -65,12 +64,12 @@ var _ = framework.DescribeSetting("use-forwarded-headers", func() { Body(). Raw() - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=myhost")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-host=myhost")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-proto=myproto")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-scheme=myproto")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-port=1234")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-for=1.2.3.4")) + assert.Contains(ginkgo.GinkgoT(), body, "host=myhost") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-host=myhost") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-proto=myproto") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-scheme=myproto") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-port=1234") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-for=1.2.3.4") ginkgo.By("ensuring that first entry in X-Forwarded-Host is used as the best host") body = f.HTTPTestClient(). @@ -85,8 +84,8 @@ var _ = framework.DescribeSetting("use-forwarded-headers", func() { Body(). Raw() - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=myhost.com")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-host=myhost.com")) + assert.Contains(ginkgo.GinkgoT(), body, "host=myhost.com") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-host=myhost.com") }) ginkgo.It("should not trust X-Forwarded headers when setting is false", func() { @@ -115,16 +114,16 @@ var _ = framework.DescribeSetting("use-forwarded-headers", func() { Body(). Raw() - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=forwarded-headers")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-port=80")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-proto=http")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-scheme=http")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-original-forwarded-for=1.2.3.4")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=myhost")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-host=myhost")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-proto=myproto")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-scheme=myproto")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-port=1234")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-for=1.2.3.4")) + assert.Contains(ginkgo.GinkgoT(), body, "host=forwarded-headers") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-port=80") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-proto=http") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-scheme=http") + assert.Contains(ginkgo.GinkgoT(), body, "x-original-forwarded-for=1.2.3.4") + assert.NotContains(ginkgo.GinkgoT(), body, "host=myhost") + assert.NotContains(ginkgo.GinkgoT(), body, "x-forwarded-host=myhost") + assert.NotContains(ginkgo.GinkgoT(), body, "x-forwarded-proto=myproto") + assert.NotContains(ginkgo.GinkgoT(), body, "x-forwarded-scheme=myproto") + assert.NotContains(ginkgo.GinkgoT(), body, "x-forwarded-port=1234") + assert.NotContains(ginkgo.GinkgoT(), body, "x-forwarded-for=1.2.3.4") }) }) diff --git a/test/e2e/settings/keep-alive.go b/test/e2e/settings/keep-alive.go index 510a90125..d139f61c0 100644 --- a/test/e2e/settings/keep-alive.go +++ b/test/e2e/settings/keep-alive.go @@ -17,7 +17,6 @@ limitations under the License. package settings import ( - "fmt" "regexp" "strings" @@ -41,7 +40,7 @@ var _ = framework.DescribeSetting("keep-alive keep-alive-requests", func() { f.UpdateNginxConfigMapData("keep-alive", "140") f.WaitForNginxConfiguration(func(server string) bool { - return strings.Contains(server, fmt.Sprintf(`keepalive_timeout 140s;`)) + return strings.Contains(server, `keepalive_timeout 140s;`) }) }) @@ -49,7 +48,7 @@ var _ = framework.DescribeSetting("keep-alive keep-alive-requests", func() { f.UpdateNginxConfigMapData("keep-alive-requests", "200") f.WaitForNginxConfiguration(func(server string) bool { - return strings.Contains(server, fmt.Sprintf(`keepalive_requests 200;`)) + return strings.Contains(server, `keepalive_requests 200;`) }) }) diff --git a/test/e2e/settings/listen_nondefault_ports.go b/test/e2e/settings/listen_nondefault_ports.go index 8b5d22f6e..e682cef06 100644 --- a/test/e2e/settings/listen_nondefault_ports.go +++ b/test/e2e/settings/listen_nondefault_ports.go @@ -92,7 +92,7 @@ var _ = framework.IngressNginxDescribe("[Flag] custom HTTP and HTTPS ports", fun Expect(). Status(http.StatusOK). Body(). - Contains(fmt.Sprintf("x-forwarded-port=443")) + Contains("x-forwarded-port=443") }) ginkgo.Context("when external authentication is configured", func() { @@ -141,7 +141,7 @@ var _ = framework.IngressNginxDescribe("[Flag] custom HTTP and HTTPS ports", fun Expect(). Status(http.StatusOK). Body(). - Contains(fmt.Sprintf("x-forwarded-port=443")) + Contains("x-forwarded-port=443") }) }) }) diff --git a/test/e2e/settings/no_tls_redirect_locations.go b/test/e2e/settings/no_tls_redirect_locations.go index 2fca545ff..332d764d6 100644 --- a/test/e2e/settings/no_tls_redirect_locations.go +++ b/test/e2e/settings/no_tls_redirect_locations.go @@ -17,7 +17,6 @@ limitations under the License. package settings import ( - "fmt" "strings" "github.com/onsi/ginkgo/v2" @@ -34,7 +33,7 @@ var _ = framework.DescribeSetting("Add no tls redirect locations", func() { f.EnsureIngress(ing) f.WaitForNginxConfiguration(func(server string) bool { - return !strings.Contains(server, fmt.Sprintf("force_no_ssl_redirect = true,")) + return !strings.Contains(server, "force_no_ssl_redirect = true,") }) wlKey := "no-tls-redirect-locations" @@ -43,7 +42,7 @@ var _ = framework.DescribeSetting("Add no tls redirect locations", func() { f.UpdateNginxConfigMapData(wlKey, wlValue) f.WaitForNginxConfiguration(func(server string) bool { - return strings.Contains(server, fmt.Sprintf("force_no_ssl_redirect = true,")) + return strings.Contains(server, "force_no_ssl_redirect = true,") }) }) diff --git a/test/e2e/settings/proxy_host.go b/test/e2e/settings/proxy_host.go index 8f564414a..efc254e45 100644 --- a/test/e2e/settings/proxy_host.go +++ b/test/e2e/settings/proxy_host.go @@ -66,7 +66,7 @@ var _ = framework.IngressNginxDescribe("Dynamic $proxy_host", func() { f.WaitForNginxConfiguration( func(server string) bool { return strings.Contains(server, fmt.Sprintf("server_name %v", test)) && - strings.Contains(server, fmt.Sprintf("set $proxy_host $proxy_upstream_name")) + strings.Contains(server, "set $proxy_host $proxy_upstream_name") }) f.HTTPTestClient(). diff --git a/test/e2e/settings/proxy_protocol.go b/test/e2e/settings/proxy_protocol.go index 8b0e56fe4..f48ee5c8c 100644 --- a/test/e2e/settings/proxy_protocol.go +++ b/test/e2e/settings/proxy_protocol.go @@ -71,9 +71,9 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() { body := string(data) assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=%v", "proxy-protocol")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-port=1234")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-proto=http")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-for=192.168.0.1")) + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-port=1234") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-proto=http") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-for=192.168.0.1") }) ginkgo.It("should respect proto passed by the PROXY Protocol server port", func() { @@ -104,9 +104,9 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() { body := string(data) assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=%v", "proxy-protocol")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-port=443")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-proto=https")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-for=192.168.0.1")) + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-port=443") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-proto=https") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-for=192.168.0.1") }) ginkgo.It("should enable PROXY Protocol for HTTPS", func() { @@ -146,10 +146,10 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() { body := string(data) assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=%v", "proxy-protocol")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-port=1234")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-proto=https")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-scheme=https")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-for=192.168.0.1")) + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-port=1234") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-proto=https") + assert.Contains(ginkgo.GinkgoT(), body, "x-scheme=https") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-for=192.168.0.1") }) ginkgo.It("should enable PROXY Protocol for TCP", func() { diff --git a/test/e2e/settings/tls.go b/test/e2e/settings/tls.go index a249f8bad..a820e41dd 100644 --- a/test/e2e/settings/tls.go +++ b/test/e2e/settings/tls.go @@ -112,7 +112,7 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f f.UpdateNginxConfigMapData(hstsMaxAge, "86400") f.WaitForNginxConfiguration(func(server string) bool { - return strings.Contains(server, fmt.Sprintf(`hsts_max_age = 86400,`)) + return strings.Contains(server, `hsts_max_age = 86400,`) }) f.HTTPTestClientWithTLSConfig(tlsConfig). @@ -131,7 +131,7 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f }) f.WaitForNginxConfiguration(func(server string) bool { - return strings.Contains(server, fmt.Sprintf(`hsts_include_subdomains = false,`)) + return strings.Contains(server, `hsts_include_subdomains = false,`) }) f.HTTPTestClientWithTLSConfig(tlsConfig). @@ -151,7 +151,7 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f }) f.WaitForNginxConfiguration(func(server string) bool { - return strings.Contains(server, fmt.Sprintf(`hsts_preload = true,`)) + return strings.Contains(server, `hsts_preload = true,`) }) f.HTTPTestClientWithTLSConfig(tlsConfig). From 051aa6d40d88aaf390ba280fa86fd90fc3c25986 Mon Sep 17 00:00:00 2001 From: Micah Huber Date: Sun, 11 Jun 2023 13:51:46 -0500 Subject: [PATCH 345/405] add support for keda fallback settings (#9993) --- charts/ingress-nginx/templates/controller-keda.yaml | 5 +++++ charts/ingress-nginx/values.yaml | 3 +++ 2 files changed, 8 insertions(+) diff --git a/charts/ingress-nginx/templates/controller-keda.yaml b/charts/ingress-nginx/templates/controller-keda.yaml index 875157ea4..c0d95a98e 100644 --- a/charts/ingress-nginx/templates/controller-keda.yaml +++ b/charts/ingress-nginx/templates/controller-keda.yaml @@ -25,6 +25,11 @@ spec: cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} minReplicaCount: {{ .Values.controller.keda.minReplicas }} maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} +{{- with .Values.controller.keda.fallback }} + fallback: + failureThreshold: {{ .failureThreshold | default 3 }} + replicas: {{ .replicas | default $.Values.controller.keda.maxReplicas }} +{{- end }} triggers: {{- with .Values.controller.keda.triggers }} {{ toYaml . | indent 2 }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 708469fab..8080a1fc3 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -368,6 +368,9 @@ controller: maxReplicas: 11 pollingInterval: 30 cooldownPeriod: 300 + # fallback: + # failureThreshold: 3 + # replicas: 11 restoreToOriginalReplicaCount: false scaledObject: annotations: {} From 4d3e64258c6fa581b1bf92b6a541e718977040fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Neto?= <53952575+josenetoo@users.noreply.github.com> Date: Sun, 11 Jun 2023 15:55:47 -0300 Subject: [PATCH 346/405] Adding feature to upgrade Oracle Cloud Infrastructure's Flexible Load Balancer and adjusting Health Check that were critical in the previous configuration (#9961) * Create deploy.yaml * Create kustomization.yaml --- deploy/static/provider/oci/deploy.yaml | 648 ++++++++++++++++++ deploy/static/provider/oci/kustomization.yaml | 11 + 2 files changed, 659 insertions(+) create mode 100644 deploy/static/provider/oci/deploy.yaml create mode 100644 deploy/static/provider/oci/kustomization.yaml diff --git a/deploy/static/provider/oci/deploy.yaml b/deploy/static/provider/oci/deploy.yaml new file mode 100644 index 000000000..77de50247 --- /dev/null +++ b/deploy/static/provider/oci/deploy.yaml @@ -0,0 +1,648 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + name: ingress-nginx +--- +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.1 + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.1 + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.1 + name: ingress-nginx + namespace: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - coordination.k8s.io + resourceNames: + - ingress-nginx-leader + resources: + - leases + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.1 + name: ingress-nginx-admission + namespace: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.1 + name: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + - namespaces + verbs: + - list + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.1 + name: ingress-nginx-admission +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.1 + name: ingress-nginx + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx +subjects: +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.1 + name: ingress-nginx-admission + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.1 + name: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx +subjects: +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.1 + name: ingress-nginx-admission +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: v1 +data: + allow-snippet-annotations: "true" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.1 + name: ingress-nginx-controller + namespace: ingress-nginx +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.1 + name: ingress-nginx-controller + namespace: ingress-nginx + annotations: + service.beta.kubernetes.io/oci-load-balancer-shape: "flexible" + service.beta.kubernetes.io/oci-load-balancer-shape-flex-min: "10" + service.beta.kubernetes.io/oci-load-balancer-shape-flex-max: "100" +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - appProtocol: http + name: http + port: 80 + protocol: TCP + targetPort: http + - appProtocol: https + name: https + port: 443 + protocol: TCP + targetPort: https + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: LoadBalancer +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.1 + name: ingress-nginx-controller-admission + namespace: ingress-nginx +spec: + ports: + - appProtocol: https + name: https-webhook + port: 443 + targetPort: webhook + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.1 + name: ingress-nginx-controller + namespace: ingress-nginx +spec: + minReadySeconds: 0 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + template: + metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.1 + spec: + containers: + - args: + - /nginx-ingress-controller + - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller + - --election-id=ingress-nginx-leader + - --controller-class=k8s.io/ingress-nginx + - --ingress-class=nginx + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + - --validating-webhook=:8443 + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + image: registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: controller + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 8443 + name: webhook + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 90Mi + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + runAsUser: 101 + volumeMounts: + - mountPath: /usr/local/certificates/ + name: webhook-cert + readOnly: true + dnsPolicy: ClusterFirst + nodeSelector: + kubernetes.io/os: linux + serviceAccountName: ingress-nginx + terminationGracePeriodSeconds: 300 + volumes: + - name: webhook-cert + secret: + secretName: ingress-nginx-admission +--- +apiVersion: batch/v1 +kind: Job +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.1 + name: ingress-nginx-admission-create + namespace: ingress-nginx +spec: + template: + metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.1 + name: ingress-nginx-admission-create + spec: + containers: + - args: + - create + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) + - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f + imagePullPolicy: IfNotPresent + name: create + securityContext: + allowPrivilegeEscalation: false + nodeSelector: + kubernetes.io/os: linux + restartPolicy: OnFailure + securityContext: + fsGroup: 2000 + runAsNonRoot: true + runAsUser: 2000 + serviceAccountName: ingress-nginx-admission +--- +apiVersion: batch/v1 +kind: Job +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.1 + name: ingress-nginx-admission-patch + namespace: ingress-nginx +spec: + template: + metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.1 + name: ingress-nginx-admission-patch + spec: + containers: + - args: + - patch + - --webhook-name=ingress-nginx-admission + - --namespace=$(POD_NAMESPACE) + - --patch-mutating=false + - --secret-name=ingress-nginx-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f + imagePullPolicy: IfNotPresent + name: patch + securityContext: + allowPrivilegeEscalation: false + nodeSelector: + kubernetes.io/os: linux + restartPolicy: OnFailure + securityContext: + fsGroup: 2000 + runAsNonRoot: true + runAsUser: 2000 + serviceAccountName: ingress-nginx-admission +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.1 + name: nginx +spec: + controller: k8s.io/ingress-nginx +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.1 + name: ingress-nginx-admission +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: ingress-nginx-controller-admission + namespace: ingress-nginx + path: /networking/v1/ingresses + failurePolicy: Fail + matchPolicy: Equivalent + name: validate.nginx.ingress.kubernetes.io + rules: + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + sideEffects: None diff --git a/deploy/static/provider/oci/kustomization.yaml b/deploy/static/provider/oci/kustomization.yaml new file mode 100644 index 000000000..d477ec405 --- /dev/null +++ b/deploy/static/provider/oci/kustomization.yaml @@ -0,0 +1,11 @@ +# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases. +# https://kubectl.docs.kubernetes.io/references/kustomize/bases/ +# +# ``` +# namespace: ingress-nginx +# bases: +# - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/cloud +# ``` + +resources: + - deploy.yaml From db49b9da6f61bd477bcaa519bb537f6bfaa71252 Mon Sep 17 00:00:00 2001 From: Gerald Pape Date: Sun, 11 Jun 2023 20:59:47 +0200 Subject: [PATCH 347/405] Fix mirror-target values without path separator and port (#9889) * Remove variables with $ before feeding into url.Parse Signed-off-by: Gerald Pape * Do not render invalid request mirroring config Signed-off-by: Gerald Pape * Remove additional note from docs again Signed-off-by: Gerald Pape * Include quotes in e2e test for mirror proxy_pass --------- Signed-off-by: Gerald Pape --- internal/ingress/annotations/mirror/main.go | 7 ++++--- .../ingress/annotations/mirror/main_test.go | 18 ++++++++++++++++++ .../ingress/controller/template/template.go | 6 +++--- test/e2e/annotations/mirror.go | 2 +- 4 files changed, 26 insertions(+), 7 deletions(-) diff --git a/internal/ingress/annotations/mirror/main.go b/internal/ingress/annotations/mirror/main.go index cd54a9826..9cb1b0ede 100644 --- a/internal/ingress/annotations/mirror/main.go +++ b/internal/ingress/annotations/mirror/main.go @@ -93,12 +93,13 @@ func (a mirror) Parse(ing *networking.Ingress) (interface{}, error) { config.Host, err = parser.GetStringAnnotation("mirror-host", ing) if err != nil { if config.Target != "" { - url, err := parser.StringToURL(config.Target) + target := strings.Split(config.Target, "$") + + url, err := parser.StringToURL(target[0]) if err != nil { config.Host = "" } else { - hostname := strings.Split(url.Hostname(), "$") - config.Host = hostname[0] + config.Host = url.Hostname() } } } diff --git a/internal/ingress/annotations/mirror/main_test.go b/internal/ingress/annotations/mirror/main_test.go index f744ab552..add90d768 100644 --- a/internal/ingress/annotations/mirror/main_test.go +++ b/internal/ingress/annotations/mirror/main_test.go @@ -48,6 +48,24 @@ func TestParse(t *testing.T) { Target: "https://test.env.com/$request_uri", Host: "test.env.com", }}, + {map[string]string{backendURL: "https://test.env.com$request_uri"}, &Config{ + Source: ngxURI, + RequestBody: "on", + Target: "https://test.env.com$request_uri", + Host: "test.env.com", + }}, + {map[string]string{backendURL: "https://test.env.com:8080$request_uri"}, &Config{ + Source: ngxURI, + RequestBody: "on", + Target: "https://test.env.com:8080$request_uri", + Host: "test.env.com", + }}, + {map[string]string{backendURL: "https://test.env.com:8080/$request_uri"}, &Config{ + Source: ngxURI, + RequestBody: "on", + Target: "https://test.env.com:8080/$request_uri", + Host: "test.env.com", + }}, {map[string]string{requestBody: "off"}, &Config{ Source: "", RequestBody: "off", diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go index 6aadab48e..2d941f95d 100644 --- a/internal/ingress/controller/template/template.go +++ b/internal/ingress/controller/template/template.go @@ -1727,7 +1727,7 @@ func buildMirrorLocations(locs []*ingress.Location) string { mapped := sets.Set[string]{} for _, loc := range locs { - if loc.Mirror.Source == "" || loc.Mirror.Target == "" { + if loc.Mirror.Source == "" || loc.Mirror.Target == "" || loc.Mirror.Host == "" { continue } @@ -1738,8 +1738,8 @@ func buildMirrorLocations(locs []*ingress.Location) string { mapped.Insert(loc.Mirror.Source) buffer.WriteString(fmt.Sprintf(`location = %v { internal; -proxy_set_header Host %v; -proxy_pass %v; +proxy_set_header Host "%v"; +proxy_pass "%v"; } `, loc.Mirror.Source, loc.Mirror.Host, loc.Mirror.Target)) diff --git a/test/e2e/annotations/mirror.go b/test/e2e/annotations/mirror.go index ad178a947..787cbfa3b 100644 --- a/test/e2e/annotations/mirror.go +++ b/test/e2e/annotations/mirror.go @@ -60,7 +60,7 @@ var _ = framework.DescribeAnnotation("mirror-*", func() { func(server string) bool { return strings.Contains(server, fmt.Sprintf("mirror /_mirror-%v;", ing.UID)) && strings.Contains(server, "mirror_request_body on;") && - strings.Contains(server, "proxy_pass https://test.env.com/$request_uri;") + strings.Contains(server, `proxy_pass "https://test.env.com/$request_uri";`) }) }) From 90ed0ccdbe4edd55ad4ab16ffec40be64f3308d9 Mon Sep 17 00:00:00 2001 From: Ricardo Katz Date: Sun, 11 Jun 2023 17:33:47 -0300 Subject: [PATCH 348/405] Remove fastcgi feature (#9864) --- .github/workflows/ci.yaml | 6 - MANUAL_RELEASE.md | 2 - docs/e2e-tests.md | 131 +++++++- docs/kubectl-plugin.md | 1 - docs/user-guide/fcgi-services.md | 118 +------- .../nginx-configuration/annotations.md | 2 +- images/fastcgi-helloserver/Makefile | 59 ---- images/fastcgi-helloserver/cloudbuild.yaml | 22 -- images/fastcgi-helloserver/rootfs/Dockerfile | 32 -- images/fastcgi-helloserver/rootfs/main.go | 30 -- internal/ingress/annotations/annotations.go | 62 ++-- .../annotations/backendprotocol/main.go | 2 +- internal/ingress/annotations/fastcgi/main.go | 106 ------- .../ingress/annotations/fastcgi/main_test.go | 285 ------------------ internal/ingress/annotations/parser/main.go | 1 - internal/ingress/controller/controller.go | 3 +- .../ingress/controller/template/template.go | 3 - .../controller/template/template_test.go | 2 - pkg/apis/ingress/types.go | 4 - pkg/apis/ingress/types_equals.go | 4 - rootfs/etc/nginx/template/nginx.tmpl | 11 - test/e2e/annotations/backendprotocol.go | 15 - test/e2e/annotations/fastcgi.go | 125 -------- test/e2e/framework/fastcgi_helloserver.go | 104 ------- 24 files changed, 156 insertions(+), 974 deletions(-) delete mode 100644 images/fastcgi-helloserver/Makefile delete mode 100644 images/fastcgi-helloserver/cloudbuild.yaml delete mode 100755 images/fastcgi-helloserver/rootfs/Dockerfile delete mode 100644 images/fastcgi-helloserver/rootfs/main.go delete mode 100644 internal/ingress/annotations/fastcgi/main.go delete mode 100644 internal/ingress/annotations/fastcgi/main_test.go delete mode 100644 test/e2e/annotations/fastcgi.go delete mode 100644 test/e2e/framework/fastcgi_helloserver.go diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 4d443f8d5..3406b250f 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -391,8 +391,6 @@ jobs: - 'images/custom-error-pages/**' cfssl: - 'images/cfssl/**' - fastcgi-helloserver: - - 'images/fastcgi-helloserver/**' echo: - 'images/echo/**' go-grpc-greeter-server: @@ -412,10 +410,6 @@ jobs: if: ${{ steps.filter-images.outputs.cfssl == 'true' }} run: | cd images/cfssl && make build - - name: fastcgi-helloserver - if: ${{ steps.filter-images.outputs.fastcgi-helloserver == 'true' }} - run: | - cd images/fastcgi-helloserver && make build - name: echo image build if: ${{ steps.filter-images.outputs.echo == 'true' }} run: | diff --git a/MANUAL_RELEASE.md b/MANUAL_RELEASE.md index d7144b85d..4b4df0ec6 100644 --- a/MANUAL_RELEASE.md +++ b/MANUAL_RELEASE.md @@ -56,8 +56,6 @@ - [cfssl](https://github.com/kubernetes/ingress-nginx/tree/main/images/cfssl) - - [fastcgi-helloserver](https://github.com/kubernetes/ingress-nginx/tree/main/images/fastcgi-helloserver) - - [httpbin](https://github.com/kubernetes/ingress-nginx/tree/main/images/httpbin) - [kube-webhook-certgen](https://github.com/kubernetes/ingress-nginx/tree/main/images/kube-webhook-certgen) diff --git a/docs/e2e-tests.md b/docs/e2e-tests.md index 025ff686d..64d35c79a 100644 --- a/docs/e2e-tests.md +++ b/docs/e2e-tests.md @@ -108,7 +108,6 @@ Do not try to edit it manually. - [should set backend protocol to $scheme:// and use proxy_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L49) - [should set backend protocol to grpc:// and use grpc_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L64) - [should set backend protocol to grpcs:// and use grpc_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L79) -- [should set backend protocol to '' and use fastcgi_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L94) - [should set backend protocol to '' and use ajp_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L109) ### [canary-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L36) @@ -192,13 +191,6 @@ Do not try to edit it manually. - [disable-http-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L53) - [disable-stream-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L71) -### [backend-protocol - FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L30) - -- [should use fastcgi_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L37) -- [should add fastcgi_index in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L54) -- [should add fastcgi_param in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L71) -- [should return OK for service with backend protocol FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L102) - ### [force-ssl-redirect](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/forcesslredirect.go#L27) - [should redirect to https](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/forcesslredirect.go#L34) @@ -350,6 +342,101 @@ Do not try to edit it manually. - [should set the X-Forwarded-Prefix to the annotation value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L35) - [should not add X-Forwarded-Prefix if the annotation value is empty](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L57) +### [denylist-source-range](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L28) + +- [only deny explicitly denied IPs, allow all others](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L35) +- [only allow explicitly allowed IPs, deny all others](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L86) + +### [affinity session-cookie-name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L35) + +- [should set sticky cookie SERVERID](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L42) +- [should change cookie name on ingress definition change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L64) +- [should set the path to /something on the generated cookie](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L99) +- [does not set the path to / on the generated cookie if there's more than one rule referring to the same backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L121) +- [should set cookie with expires](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L194) +- [should set cookie with domain](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L225) +- [should not set cookie without domain annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L248) +- [should work with use-regex annotation and session-cookie-path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L270) +- [should warn user when use-regex is true and session-cookie-path is not set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L294) +- [should not set affinity across all server locations when using separate ingresses](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L320) +- [should set sticky cookie without host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L352) +- [should work with server-alias annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L372) +- [should set secure in cookie with provided true annotation on http](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L412) +- [should not set secure in cookie with provided false annotation on http](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L435) +- [should set secure in cookie with provided false annotation on https](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L458) + +### [rewrite-target use-regex enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L30) + +- [should write rewrite logs](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L37) +- [should use correct longest path match](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L66) +- [should use ~* location modifier if regex annotation is present](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L111) +- [should fail to use longest match for documented warning](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L158) +- [should allow for custom rewrite parameters](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L190) + +### [auth-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L39) + +- [should return status code 200 when no authentication is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L46) +- [should return status code 503 when authentication is configured with an invalid secret](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L65) +- [should return status code 401 when authentication is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L89) +- [should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L116) +- [should return status code 401 and cors headers when authentication and cors is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L144) +- [should return status code 200 when authentication is configured and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L172) +- [should return status code 200 when authentication is configured with a map and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L199) +- [should return status code 401 when authentication is configured with invalid content and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L227) +- [ when external auth is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L266) +- [ when external auth is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L284) +- [ when auth-headers are set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L301) +- [should set cache_key when external auth cache is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L322) +- [user retains cookie by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L411) +- [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L422) +- [user with annotated ingress retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L433) +- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L485) +- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L494) +- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L505) +- [should overwrite Foo header with auth response](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L529) +- [should not create additional upstream block when auth-keepalive is not set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L552) +- [should not create additional upstream block when host part of auth-url contains a variable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L570) +- [should not create additional upstream block when auth-keepalive is negative](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L590) +- [should not create additional upstream block when auth-keepalive is set with HTTP/2](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L609) +- [should create additional upstream block when auth-keepalive is set with HTTP/1.x](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L623) +- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L678) +- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L687) +- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L698) +- [should return status code 200 when signed in after auth backend is deleted ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L772) +- [should deny login for different location on same server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L792) +- [should deny login for different servers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L820) +- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L849) +- [should return 503 (location was denied)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L879) +- [should add error to the config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L887) + +### [canary-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L36) + +- [should response with a 200 status from the mainline upstream when requests are made to the mainline ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L48) +- [should return 404 status for requests to the canary if no matching ingress is found](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L80) +- [should return the correct status codes when endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L107) +- [should route requests to the correct upstream if mainline ingress is created before the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L161) +- [should route requests to the correct upstream if mainline ingress is created after the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L206) +- [should route requests to the correct upstream if the mainline ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L250) +- [should route requests to the correct upstream if the canary ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L307) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L372) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L426) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L490) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L532) +- [should routes to mainline upstream when the given Regex causes error](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L566) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L604) +- [respects always and never values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L643) +- [should route requests only to mainline if canary weight is 0](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L705) +- [should route requests only to canary if canary weight is 100](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L743) +- [should route requests only to canary if canary weight is equal to canary weight total](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L775) +- [should route requests split between mainline and canary if canary weight is 50](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L808) +- [should route requests split between mainline and canary if canary weight is 100 and weight total is 200](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L834) +- [should not use canary as a catch-all server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L863) +- [should not use canary with domain as a server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L891) +- [does not crash when canary ingress has multiple paths to the same non-matching backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L915) +- [always routes traffic to canary if first request was affinitized to canary (default behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L943) +- [always routes traffic to canary if first request was affinitized to canary (explicit sticky behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1000) +- [routes traffic to either mainline or canary backend (legacy behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1058) + ### [Debug CLI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L29) - [should list the backend servers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L37) @@ -398,10 +485,6 @@ Do not try to edit it manually. - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/fastcgi_helloserver.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/fastcgi_helloserver.go#L) - ### [[Setting] ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L194) - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L) @@ -478,6 +561,30 @@ Do not try to edit it manually. - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/util.go#L) +### [[Setting] ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L194) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/k8s.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/k8s.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/metrics.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/metrics.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/deployment.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/deployment.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) + ### [[Shutdown] Grace period shutdown](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/grace_period.go#L32) - [/healthz should return status code 500 during shutdown grace period](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/grace_period.go#L35) diff --git a/docs/kubectl-plugin.md b/docs/kubectl-plugin.md index 9e5a5dcc6..9dc808642 100644 --- a/docs/kubectl-plugin.md +++ b/docs/kubectl-plugin.md @@ -200,7 +200,6 @@ kubectl ingress-nginx conf -n ingress-nginx --host testaddr.local ```console $ kubectl ingress-nginx exec -i -n ingress-nginx -- ls /etc/nginx -fastcgi_params geoip lua mime.types diff --git a/docs/user-guide/fcgi-services.md b/docs/user-guide/fcgi-services.md index db4d9428b..d4f1d1f1e 100644 --- a/docs/user-guide/fcgi-services.md +++ b/docs/user-guide/fcgi-services.md @@ -2,118 +2,10 @@ # Exposing FastCGI Servers -> **FastCGI** is a [binary protocol](https://en.wikipedia.org/wiki/Binary_protocol "Binary protocol") for interfacing interactive programs with a [web server](https://en.wikipedia.org/wiki/Web_server "Web server"). [...] (It's) aim is to reduce the overhead related to interfacing between web server and CGI programs, allowing a server to handle more web page requests per unit of time. -> -> — Wikipedia +**This feature has been removed from Ingress NGINX** -The _ingress-nginx_ ingress controller can be used to directly expose [FastCGI](https://en.wikipedia.org/wiki/FastCGI) servers. Enabling FastCGI in your Ingress only requires setting the _backend-protocol_ annotation to `FCGI`, and with a couple more annotations you can customize the way _ingress-nginx_ handles the communication with your FastCGI _server_. +People willing to use fastcgi servers, should create an NGINX + FastCGI service and expose +this service via Ingress NGINX. - -## Example Objects to Expose a FastCGI Pod - -The _Pod_ example object below exposes port `9000`, which is the conventional FastCGI port. - -```yaml -apiVersion: v1 -kind: Pod -metadata: - name: example-app -labels: - app: example-app -spec: - containers: - - name: example-app - image: example-app:1.0 - ports: - - containerPort: 9000 - name: fastcgi -``` - -The _Service_ object example below matches port `9000` from the _Pod_ object above. - -```yaml -apiVersion: v1 -kind: Service -metadata: - name: example-service -spec: - selector: - app: example-app - ports: - - port: 9000 - targetPort: 9000 - name: fastcgi -``` - -And the _Ingress_ and _ConfigMap_ objects below demonstrates the supported _FastCGI_ specific annotations (NGINX actually has 50 FastCGI directives, all of which have not been exposed in the ingress yet), and matches the service `example-service`, and the port named `fastcgi` from above. The _ConfigMap_ **must** be created first for the _Ingress Controller_ to be able to find it when the _Ingress_ object is created, otherwise you will need to restart the _Ingress Controller_ pods. - -```yaml -# The ConfigMap MUST be created first for the ingress controller to be able to -# find it when the Ingress object is created. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: example-cm -data: - SCRIPT_FILENAME: "/example/index.php" - ---- - -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - nginx.ingress.kubernetes.io/backend-protocol: "FCGI" - nginx.ingress.kubernetes.io/fastcgi-index: "index.php" - nginx.ingress.kubernetes.io/fastcgi-params-configmap: "example-cm" - name: example-app -spec: - ingressClassName: nginx - rules: - - host: app.example.com - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: example-service - port: - name: fastcgi -``` - -## FastCGI Ingress Annotations - -To enable FastCGI, the `nginx.ingress.kubernetes.io/backend-protocol` annotation needs to be set to `FCGI`, which overrides the default `HTTP` value. - -> `nginx.ingress.kubernetes.io/backend-protocol: "FCGI"` - -**This enables the _FastCGI_ mode for all paths defined in the _Ingress_ object** - -### The `nginx.ingress.kubernetes.io/fastcgi-index` Annotation - -To specify an index file, the `fastcgi-index` annotation value can optionally be set. In the example below, the value is set to `index.php`. This annotation corresponds to [the _NGINX_ `fastcgi_index` directive](https://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_index). - -> `nginx.ingress.kubernetes.io/fastcgi-index: "index.php"` - -### The `nginx.ingress.kubernetes.io/fastcgi-params-configmap` Annotation - -To specify [_NGINX_ `fastcgi_param` directives](https://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_param), the `fastcgi-params-configmap` annotation is used, which in turn must lead to a _ConfigMap_ object containing the _NGINX_ `fastcgi_param` directives as key/values. - -> `nginx.ingress.kubernetes.io/fastcgi-params-configmap: "example-configmap"` - -And the _ConfigMap_ object to specify the `SCRIPT_FILENAME` and `HTTP_PROXY` _NGINX's_ `fastcgi_param` directives will look like the following: - -```yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: example-configmap -data: - SCRIPT_FILENAME: "/example/index.php" - HTTP_PROXY: "" -``` -Using the _namespace/_ prefix is also supported, for example: - -> `nginx.ingress.kubernetes.io/fastcgi-params-configmap: "example-namespace/example-configmap"` +We recommend using images like `cgr.dev/chainguard/nginx:latest` and expose your fast_cgi application +as another container on this Pod. diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md index b515a9f3b..fc43a47b2 100755 --- a/docs/user-guide/nginx-configuration/annotations.md +++ b/docs/user-guide/nginx-configuration/annotations.md @@ -894,7 +894,7 @@ Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf ### Backend Protocol Using `backend-protocol` annotations is possible to indicate how NGINX should communicate with the backend service. (Replaces `secure-backends` in older versions) -Valid Values: HTTP, HTTPS, GRPC, GRPCS, AJP and FCGI +Valid Values: HTTP, HTTPS, GRPC, GRPCS, AJP By default NGINX uses `HTTP`. diff --git a/images/fastcgi-helloserver/Makefile b/images/fastcgi-helloserver/Makefile deleted file mode 100644 index 4d277a19d..000000000 --- a/images/fastcgi-helloserver/Makefile +++ /dev/null @@ -1,59 +0,0 @@ -# Copyright 2020 The Kubernetes Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Docker image for e2e testing. - -# set default shell -SHELL=/bin/bash -o pipefail -o errexit - -DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) -INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh - -SHORT_SHA ?=$(shell git rev-parse --short HEAD) -TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA) - -REGISTRY ?= local - -IMAGE = $(REGISTRY)/e2e-test-fastcgi-helloserver - -# required to enable buildx -export DOCKER_CLI_EXPERIMENTAL=enabled - -# build with buildx -PLATFORMS?=linux/amd64,linux/arm,linux/arm64 -OUTPUT= -PROGRESS=plain - -build: ensure-buildx - docker buildx build \ - --platform=${PLATFORMS} $(OUTPUT) \ - --progress=$(PROGRESS) \ - --pull \ - -t $(IMAGE):$(TAG) rootfs - -# push the cross built image -push: OUTPUT=--push -push: build - -# enable buildx -ensure-buildx: -# this is required for cloudbuild -ifeq ("$(wildcard $(INIT_BUILDX))","") - @curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/init-buildx.sh | bash -else - @exec $(INIT_BUILDX) -endif - @echo "done" - -.PHONY: build push ensure-buildx diff --git a/images/fastcgi-helloserver/cloudbuild.yaml b/images/fastcgi-helloserver/cloudbuild.yaml deleted file mode 100644 index a4c9d5eff..000000000 --- a/images/fastcgi-helloserver/cloudbuild.yaml +++ /dev/null @@ -1,22 +0,0 @@ -timeout: 1800s -options: - substitution_option: ALLOW_LOOSE -steps: - - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90 - entrypoint: bash - env: - - DOCKER_CLI_EXPERIMENTAL=enabled - - SHORT_SHA=$SHORT_SHA - - BASE_REF=$_PULL_BASE_REF - - REGISTRY=gcr.io/k8s-staging-ingress-nginx - # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx - # set the home to /root explicitly to if using docker buildx - - HOME=/root - args: - - -c - - | - gcloud auth configure-docker \ - && cd images/fastcgi-helloserver && make push -substitutions: - _GIT_TAG: "12345" - _PULL_BASE_REF: "master" diff --git a/images/fastcgi-helloserver/rootfs/Dockerfile b/images/fastcgi-helloserver/rootfs/Dockerfile deleted file mode 100755 index a11834373..000000000 --- a/images/fastcgi-helloserver/rootfs/Dockerfile +++ /dev/null @@ -1,32 +0,0 @@ -# Copyright 2017 The Kubernetes Authors. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM golang:1.20.4-alpine3.18 as builder - -WORKDIR /go/src/k8s.io/ingress-nginx/images/fastcgi - -COPY . . - -RUN CGO_ENABLED=0 go build -a -installsuffix cgo \ - -ldflags "-s -w" \ - -o fastcgi-helloserver main.go - -# Use distroless as minimal base image to package the binary -# Refer to https://github.com/GoogleContainerTools/distroless for more details -FROM gcr.io/distroless/static:nonroot - -COPY --from=builder /go/src/k8s.io/ingress-nginx/images/fastcgi/fastcgi-helloserver / -USER nonroot:nonroot - -CMD ["/fastcgi-helloserver"] diff --git a/images/fastcgi-helloserver/rootfs/main.go b/images/fastcgi-helloserver/rootfs/main.go deleted file mode 100644 index 91db60c26..000000000 --- a/images/fastcgi-helloserver/rootfs/main.go +++ /dev/null @@ -1,30 +0,0 @@ -package main - -import ( - "fmt" - "net" - "net/http" - "net/http/fcgi" -) - -func hello(w http.ResponseWriter, r *http.Request) { - keys, ok := r.URL.Query()["name"] - - if !ok || len(keys[0]) < 1 { - fmt.Fprintf(w, "Hello world!") - return - } - - key := keys[0] - fmt.Fprintf(w, "Hello "+string(key)+"!") -} - -func main() { - http.HandleFunc("/hello", hello) - - l, err := net.Listen("tcp", "0.0.0.0:9000") - if err != nil { - panic(err) - } - fcgi.Serve(l, nil) -} diff --git a/internal/ingress/annotations/annotations.go b/internal/ingress/annotations/annotations.go index 5bb2bf5e6..ad7dad37d 100644 --- a/internal/ingress/annotations/annotations.go +++ b/internal/ingress/annotations/annotations.go @@ -41,7 +41,6 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations/cors" "k8s.io/ingress-nginx/internal/ingress/annotations/customhttperrors" "k8s.io/ingress-nginx/internal/ingress/annotations/defaultbackend" - "k8s.io/ingress-nginx/internal/ingress/annotations/fastcgi" "k8s.io/ingress-nginx/internal/ingress/annotations/globalratelimit" "k8s.io/ingress-nginx/internal/ingress/annotations/http2pushpreload" "k8s.io/ingress-nginx/internal/ingress/annotations/ipdenylist" @@ -86,37 +85,35 @@ type Ingress struct { CorsConfig cors.Config CustomHTTPErrors []int DefaultBackend *apiv1.Service - //TODO: Change this back into an error when https://github.com/imdario/mergo/issues/100 is resolved - FastCGI fastcgi.Config - Denied *string - ExternalAuth authreq.Config - EnableGlobalAuth bool - HTTP2PushPreload bool - Opentracing opentracing.Config - Opentelemetry opentelemetry.Config - Proxy proxy.Config - ProxySSL proxyssl.Config - RateLimit ratelimit.Config - GlobalRateLimit globalratelimit.Config - Redirect redirect.Config - Rewrite rewrite.Config - Satisfy string - ServerSnippet string - ServiceUpstream bool - SessionAffinity sessionaffinity.Config - SSLPassthrough bool - UsePortInRedirects bool - UpstreamHashBy upstreamhashby.Config - LoadBalancing string - UpstreamVhost string - Whitelist ipwhitelist.SourceRange - Denylist ipdenylist.SourceRange - XForwardedPrefix string - SSLCipher sslcipher.Config - Logs log.Config - ModSecurity modsecurity.Config - Mirror mirror.Config - StreamSnippet string + Denied *string + ExternalAuth authreq.Config + EnableGlobalAuth bool + HTTP2PushPreload bool + Opentracing opentracing.Config + Opentelemetry opentelemetry.Config + Proxy proxy.Config + ProxySSL proxyssl.Config + RateLimit ratelimit.Config + GlobalRateLimit globalratelimit.Config + Redirect redirect.Config + Rewrite rewrite.Config + Satisfy string + ServerSnippet string + ServiceUpstream bool + SessionAffinity sessionaffinity.Config + SSLPassthrough bool + UsePortInRedirects bool + UpstreamHashBy upstreamhashby.Config + LoadBalancing string + UpstreamVhost string + Whitelist ipwhitelist.SourceRange + Denylist ipdenylist.SourceRange + XForwardedPrefix string + SSLCipher sslcipher.Config + Logs log.Config + ModSecurity modsecurity.Config + Mirror mirror.Config + StreamSnippet string } // Extractor defines the annotation parsers to be used in the extraction of annotations @@ -138,7 +135,6 @@ func NewAnnotationExtractor(cfg resolver.Resolver) Extractor { "CorsConfig": cors.NewParser(cfg), "CustomHTTPErrors": customhttperrors.NewParser(cfg), "DefaultBackend": defaultbackend.NewParser(cfg), - "FastCGI": fastcgi.NewParser(cfg), "ExternalAuth": authreq.NewParser(cfg), "EnableGlobalAuth": authreqglobal.NewParser(cfg), "HTTP2PushPreload": http2pushpreload.NewParser(cfg), diff --git a/internal/ingress/annotations/backendprotocol/main.go b/internal/ingress/annotations/backendprotocol/main.go index d8ea72386..0140c30a3 100644 --- a/internal/ingress/annotations/backendprotocol/main.go +++ b/internal/ingress/annotations/backendprotocol/main.go @@ -31,7 +31,7 @@ import ( const HTTP = "HTTP" var ( - validProtocols = regexp.MustCompile(`^(AUTO_HTTP|HTTP|HTTPS|AJP|GRPC|GRPCS|FCGI)$`) + validProtocols = regexp.MustCompile(`^(AUTO_HTTP|HTTP|HTTPS|AJP|GRPC|GRPCS)$`) ) type backendProtocol struct { diff --git a/internal/ingress/annotations/fastcgi/main.go b/internal/ingress/annotations/fastcgi/main.go deleted file mode 100644 index 84bac4109..000000000 --- a/internal/ingress/annotations/fastcgi/main.go +++ /dev/null @@ -1,106 +0,0 @@ -/* -Copyright 2018 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package fastcgi - -import ( - "fmt" - "reflect" - - networking "k8s.io/api/networking/v1" - "k8s.io/client-go/tools/cache" - - "k8s.io/ingress-nginx/internal/ingress/annotations/parser" - ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" - "k8s.io/ingress-nginx/internal/ingress/resolver" -) - -type fastcgi struct { - r resolver.Resolver -} - -// Config describes the per location fastcgi config -type Config struct { - Index string `json:"index"` - Params map[string]string `json:"params"` -} - -// Equal tests for equality between two Configuration types -func (l1 *Config) Equal(l2 *Config) bool { - if l1 == l2 { - return true - } - - if l1 == nil || l2 == nil { - return false - } - - if l1.Index != l2.Index { - return false - } - - return reflect.DeepEqual(l1.Params, l2.Params) -} - -// NewParser creates a new fastcgiConfig protocol annotation parser -func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return fastcgi{r} -} - -// ParseAnnotations parses the annotations contained in the ingress -// rule used to indicate the fastcgiConfig. -func (a fastcgi) Parse(ing *networking.Ingress) (interface{}, error) { - - fcgiConfig := Config{} - - if ing.GetAnnotations() == nil { - return fcgiConfig, nil - } - - index, err := parser.GetStringAnnotation("fastcgi-index", ing) - if err != nil { - index = "" - } - fcgiConfig.Index = index - - cm, err := parser.GetStringAnnotation("fastcgi-params-configmap", ing) - if err != nil { - return fcgiConfig, nil - } - - cmns, cmn, err := cache.SplitMetaNamespaceKey(cm) - if err != nil { - return fcgiConfig, ing_errors.LocationDenied{ - Reason: fmt.Errorf("error reading configmap name from annotation: %w", err), - } - } - - if cmns != "" && cmns != ing.Namespace { - return fcgiConfig, fmt.Errorf("different namespace is not supported on fast_cgi param configmap") - } - - cm = fmt.Sprintf("%v/%v", ing.Namespace, cmn) - cmap, err := a.r.GetConfigMap(cm) - if err != nil { - return fcgiConfig, ing_errors.LocationDenied{ - Reason: fmt.Errorf("unexpected error reading configmap %s: %w", cm, err), - } - } - - fcgiConfig.Params = cmap.Data - - return fcgiConfig, nil -} diff --git a/internal/ingress/annotations/fastcgi/main_test.go b/internal/ingress/annotations/fastcgi/main_test.go deleted file mode 100644 index 35c5bbc12..000000000 --- a/internal/ingress/annotations/fastcgi/main_test.go +++ /dev/null @@ -1,285 +0,0 @@ -/* -Copyright 2018 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package fastcgi - -import ( - "fmt" - "testing" - - api "k8s.io/api/core/v1" - networking "k8s.io/api/networking/v1" - meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/client-go/tools/cache" - "k8s.io/ingress-nginx/internal/ingress/annotations/parser" - "k8s.io/ingress-nginx/internal/ingress/resolver" -) - -func buildIngress() *networking.Ingress { - return &networking.Ingress{ - ObjectMeta: meta_v1.ObjectMeta{ - Name: "foo", - Namespace: api.NamespaceDefault, - }, - Spec: networking.IngressSpec{ - DefaultBackend: &networking.IngressBackend{ - Service: &networking.IngressServiceBackend{ - Name: "default-backend", - Port: networking.ServiceBackendPort{ - Number: 80, - }, - }, - }, - }, - } -} - -type mockConfigMap struct { - resolver.Mock -} - -func (m mockConfigMap) GetConfigMap(name string) (*api.ConfigMap, error) { - if name != "default/demo-configmap" && name != "otherns/demo-configmap" { - return nil, fmt.Errorf("there is no configmap with name %v", name) - } - - cmns, cmn, err := cache.SplitMetaNamespaceKey(name) - if err != nil { - return nil, fmt.Errorf("invalid configmap name") - } - - return &api.ConfigMap{ - ObjectMeta: meta_v1.ObjectMeta{ - Namespace: cmns, - Name: cmn, - }, - Data: map[string]string{"REDIRECT_STATUS": "200", "SERVER_NAME": "$server_name"}, - }, nil -} - -func TestParseEmptyFastCGIAnnotations(t *testing.T) { - ing := buildIngress() - - i, err := NewParser(&mockConfigMap{}).Parse(ing) - if err != nil { - t.Errorf("unexpected error parsing ingress without fastcgi") - } - - config, ok := i.(Config) - if !ok { - t.Errorf("Parse do not return a Config object") - } - - if config.Index != "" { - t.Errorf("Index should be an empty string") - } - - if len(config.Params) != 0 { - t.Errorf("Params should be an empty slice") - } -} - -func TestParseFastCGIIndexAnnotation(t *testing.T) { - ing := buildIngress() - - const expectedAnnotation = "index.php" - - data := map[string]string{} - data[parser.GetAnnotationWithPrefix("fastcgi-index")] = expectedAnnotation - ing.SetAnnotations(data) - - i, err := NewParser(&mockConfigMap{}).Parse(ing) - if err != nil { - t.Errorf("unexpected error parsing ingress without fastcgi") - } - - config, ok := i.(Config) - if !ok { - t.Errorf("Parse do not return a Config object") - } - - if config.Index != "index.php" { - t.Errorf("expected %s but %v returned", expectedAnnotation, config.Index) - } -} - -func TestParseEmptyFastCGIParamsConfigMapAnnotation(t *testing.T) { - ing := buildIngress() - - data := map[string]string{} - data[parser.GetAnnotationWithPrefix("fastcgi-params-configmap")] = "" - ing.SetAnnotations(data) - - i, err := NewParser(&mockConfigMap{}).Parse(ing) - if err != nil { - t.Errorf("unexpected error parsing ingress without fastcgi") - } - - config, ok := i.(Config) - if !ok { - t.Errorf("Parse do not return a Config object") - } - - if len(config.Params) != 0 { - t.Errorf("Params should be an empty slice") - } -} - -func TestParseFastCGIInvalidParamsConfigMapAnnotation(t *testing.T) { - ing := buildIngress() - - invalidConfigMapList := []string{"unknown/configMap", "unknown/config/map"} - for _, configmap := range invalidConfigMapList { - - data := map[string]string{} - data[parser.GetAnnotationWithPrefix("fastcgi-params-configmap")] = configmap - ing.SetAnnotations(data) - - i, err := NewParser(&mockConfigMap{}).Parse(ing) - if err == nil { - t.Errorf("Reading an unexisting configmap should return an error") - } - - config, ok := i.(Config) - if !ok { - t.Errorf("Parse do not return a Config object") - } - - if len(config.Params) != 0 { - t.Errorf("Params should be an empty slice") - } - } -} - -func TestParseFastCGIParamsConfigMapAnnotationWithoutNS(t *testing.T) { - ing := buildIngress() - - data := map[string]string{} - data[parser.GetAnnotationWithPrefix("fastcgi-params-configmap")] = "demo-configmap" - ing.SetAnnotations(data) - - i, err := NewParser(&mockConfigMap{}).Parse(ing) - if err != nil { - t.Errorf("unexpected error parsing ingress without fastcgi") - } - - config, ok := i.(Config) - if !ok { - t.Errorf("Parse do not return a Config object") - } - - if len(config.Params) != 2 { - t.Errorf("Params should have a length of 2") - } - - if config.Params["REDIRECT_STATUS"] != "200" || config.Params["SERVER_NAME"] != "$server_name" { - t.Errorf("Params value is not the one expected") - } -} - -func TestParseFastCGIParamsConfigMapAnnotationWithNS(t *testing.T) { - ing := buildIngress() - - data := map[string]string{} - data[parser.GetAnnotationWithPrefix("fastcgi-params-configmap")] = "default/demo-configmap" - ing.SetAnnotations(data) - - i, err := NewParser(&mockConfigMap{}).Parse(ing) - if err != nil { - t.Errorf("unexpected error parsing ingress without fastcgi") - } - - config, ok := i.(Config) - if !ok { - t.Errorf("Parse do not return a Config object") - } - - if len(config.Params) != 2 { - t.Errorf("Params should have a length of 2") - } - - if config.Params["REDIRECT_STATUS"] != "200" || config.Params["SERVER_NAME"] != "$server_name" { - t.Errorf("Params value is not the one expected") - } -} - -func TestParseFastCGIParamsConfigMapAnnotationWithDifferentNS(t *testing.T) { - ing := buildIngress() - - data := map[string]string{} - data[parser.GetAnnotationWithPrefix("fastcgi-params-configmap")] = "otherns/demo-configmap" - ing.SetAnnotations(data) - - _, err := NewParser(&mockConfigMap{}).Parse(ing) - if err == nil { - t.Errorf("Different namespace configmap should return an error") - } - -} - -func TestConfigEquality(t *testing.T) { - - var nilConfig *Config - - config := Config{ - Index: "index.php", - Params: map[string]string{"REDIRECT_STATUS": "200", "SERVER_NAME": "$server_name"}, - } - - configCopy := Config{ - Index: "index.php", - Params: map[string]string{"REDIRECT_STATUS": "200", "SERVER_NAME": "$server_name"}, - } - - config2 := Config{ - Index: "index.php", - Params: map[string]string{"REDIRECT_STATUS": "200"}, - } - - config3 := Config{ - Index: "index.py", - Params: map[string]string{"SERVER_NAME": "$server_name", "REDIRECT_STATUS": "200"}, - } - - config4 := Config{ - Index: "index.php", - Params: map[string]string{"SERVER_NAME": "$server_name", "REDIRECT_STATUS": "200"}, - } - - if !config.Equal(&config) { - t.Errorf("config should be equal to itself") - } - - if nilConfig.Equal(&config) { - t.Errorf("Foo") - } - - if !config.Equal(&configCopy) { - t.Errorf("config should be equal to configCopy") - } - - if config.Equal(&config2) { - t.Errorf("config2 should not be equal to config") - } - - if config.Equal(&config3) { - t.Errorf("config3 should not be equal to config") - } - - if !config.Equal(&config4) { - t.Errorf("config4 should be equal to config") - } -} diff --git a/internal/ingress/annotations/parser/main.go b/internal/ingress/annotations/parser/main.go index 107a278b0..8a0ea4b87 100644 --- a/internal/ingress/annotations/parser/main.go +++ b/internal/ingress/annotations/parser/main.go @@ -160,7 +160,6 @@ func normalizeString(input string) string { var configmapAnnotations = sets.NewString( "auth-proxy-set-header", - "fastcgi-params-configmap", ) // AnnotationsReferencesConfigmap checks if at least one annotation in the Ingress rule diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index 20de63fd1..e93d3b5de 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -608,7 +608,7 @@ func (n *NGINXController) getConfiguration(ingresses []*ingress.Ingress) (sets.S for _, server := range servers { // If a location is defined by a prefix string that ends with the slash character, and requests are processed by one of - // proxy_pass, fastcgi_pass, uwsgi_pass, scgi_pass, memcached_pass, or grpc_pass, then the special processing is performed. + // proxy_pass, uwsgi_pass, scgi_pass, memcached_pass, or grpc_pass, then the special processing is performed. // In response to a request with URI equal to // this string, but without the trailing slash, a permanent redirect with the // code 301 will be returned to the requested URI with the slash appended. If this is not desired, an exact match of the // URIand location could be defined like this: @@ -1519,7 +1519,6 @@ func locationApplyAnnotations(loc *ingress.Location, anns *annotations.Ingress) loc.Logs = anns.Logs loc.DefaultBackend = anns.DefaultBackend loc.BackendProtocol = anns.BackendProtocol - loc.FastCGI = anns.FastCGI loc.CustomHTTPErrors = anns.CustomHTTPErrors loc.ModSecurity = anns.ModSecurity loc.Satisfy = anns.Satisfy diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go index 2d941f95d..15ae438ab 100644 --- a/internal/ingress/controller/template/template.go +++ b/internal/ingress/controller/template/template.go @@ -739,9 +739,6 @@ func buildProxyPass(host string, b interface{}, loc interface{}) string { case "AJP": proto = "" proxyPass = "ajp_pass" - case "FCGI": - proto = "" - proxyPass = "fastcgi_pass" } upstreamName := "upstream_balancer" diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go index 1980d7e52..1b88c3fe7 100644 --- a/internal/ingress/controller/template/template_test.go +++ b/internal/ingress/controller/template/template_test.go @@ -1138,7 +1138,6 @@ func TestOpentracingPropagateContext(t *testing.T) { {BackendProtocol: "GRPC"}: "opentracing_grpc_propagate_context;", {BackendProtocol: "GRPCS"}: "opentracing_grpc_propagate_context;", {BackendProtocol: "AJP"}: "opentracing_propagate_context;", - {BackendProtocol: "FCGI"}: "opentracing_propagate_context;", nil: "", } @@ -1158,7 +1157,6 @@ func TestOpentelemetryPropagateContext(t *testing.T) { {BackendProtocol: "GRPC"}: "opentelemetry_propagate;", {BackendProtocol: "GRPCS"}: "opentelemetry_propagate;", {BackendProtocol: "AJP"}: "opentelemetry_propagate;", - {BackendProtocol: "FCGI"}: "opentelemetry_propagate;", nil: "", } diff --git a/pkg/apis/ingress/types.go b/pkg/apis/ingress/types.go index e50666c18..68cacc25b 100644 --- a/pkg/apis/ingress/types.go +++ b/pkg/apis/ingress/types.go @@ -27,7 +27,6 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations/authtls" "k8s.io/ingress-nginx/internal/ingress/annotations/connection" "k8s.io/ingress-nginx/internal/ingress/annotations/cors" - "k8s.io/ingress-nginx/internal/ingress/annotations/fastcgi" "k8s.io/ingress-nginx/internal/ingress/annotations/globalratelimit" "k8s.io/ingress-nginx/internal/ingress/annotations/ipdenylist" "k8s.io/ingress-nginx/internal/ingress/annotations/ipwhitelist" @@ -340,9 +339,6 @@ type Location struct { // BackendProtocol indicates which protocol should be used to communicate with the service // By default this is HTTP BackendProtocol string `json:"backend-protocol"` - // FastCGI allows the ingress to act as a FastCGI client for a given location. - // +optional - FastCGI fastcgi.Config `json:"fastcgi,omitempty"` // CustomHTTPErrors specifies the error codes that should be intercepted. // +optional CustomHTTPErrors []int `json:"custom-http-errors"` diff --git a/pkg/apis/ingress/types_equals.go b/pkg/apis/ingress/types_equals.go index 84b1a186a..fee8c31d5 100644 --- a/pkg/apis/ingress/types_equals.go +++ b/pkg/apis/ingress/types_equals.go @@ -435,10 +435,6 @@ func (l1 *Location) Equal(l2 *Location) bool { return false } - if !(&l1.FastCGI).Equal(&l2.FastCGI) { - return false - } - match := compareInts(l1.CustomHTTPErrors, l2.CustomHTTPErrors) if !match { return false diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index 9b3a47de3..638333407 100644 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -305,7 +305,6 @@ http { keepalive_requests {{ $cfg.KeepAliveRequests }}; client_body_temp_path /tmp/nginx/client-body; - fastcgi_temp_path /tmp/nginx/fastcgi-temp; proxy_temp_path /tmp/nginx/proxy-temp; ajp_temp_path /tmp/nginx/ajp-temp; @@ -1489,16 +1488,6 @@ stream { {{ range $errCode := $location.CustomHTTPErrors }} error_page {{ $errCode }} = @custom_{{ $location.DefaultBackendUpstreamName }}_{{ $errCode }};{{ end }} - {{ if (eq $location.BackendProtocol "FCGI") }} - include /etc/nginx/fastcgi_params; - {{ end }} - {{- if $location.FastCGI.Index -}} - fastcgi_index {{ $location.FastCGI.Index | quote }}; - {{- end -}} - {{ range $k, $v := $location.FastCGI.Params }} - fastcgi_param {{ $k }} {{ $v | quote }}; - {{ end }} - {{ if not (empty $location.Redirect.URL) }} return {{ $location.Redirect.Code }} {{ $location.Redirect.URL }}; {{ end }} diff --git a/test/e2e/annotations/backendprotocol.go b/test/e2e/annotations/backendprotocol.go index bccb03afb..8256befd2 100644 --- a/test/e2e/annotations/backendprotocol.go +++ b/test/e2e/annotations/backendprotocol.go @@ -91,21 +91,6 @@ var _ = framework.DescribeAnnotation("backend-protocol", func() { }) }) - ginkgo.It("should set backend protocol to '' and use fastcgi_pass", func() { - host := "backendprotocol.foo.com" - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/backend-protocol": "FCGI", - } - - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, "fastcgi_pass upstream_balancer;") - }) - }) - ginkgo.It("should set backend protocol to '' and use ajp_pass", func() { host := "backendprotocol.foo.com" annotations := map[string]string{ diff --git a/test/e2e/annotations/fastcgi.go b/test/e2e/annotations/fastcgi.go deleted file mode 100644 index 572eca548..000000000 --- a/test/e2e/annotations/fastcgi.go +++ /dev/null @@ -1,125 +0,0 @@ -/* -Copyright 2019 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package annotations - -import ( - "net/http" - "strings" - - "github.com/onsi/ginkgo/v2" - corev1 "k8s.io/api/core/v1" - - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/ingress-nginx/test/e2e/framework" -) - -var _ = framework.DescribeAnnotation("backend-protocol - FastCGI", func() { - f := framework.NewDefaultFramework("fastcgi") - - ginkgo.BeforeEach(func() { - f.NewFastCGIHelloServerDeployment() - }) - - ginkgo.It("should use fastcgi_pass in the configuration file", func() { - host := "fastcgi" - - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/backend-protocol": "FCGI", - } - - ing := framework.NewSingleIngress(host, "/hello", host, f.Namespace, "fastcgi-helloserver", 9000, annotations) - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, "include /etc/nginx/fastcgi_params;") && - strings.Contains(server, "fastcgi_pass") - }) - }) - - ginkgo.It("should add fastcgi_index in the configuration file", func() { - host := "fastcgi-index" - - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/backend-protocol": "FCGI", - "nginx.ingress.kubernetes.io/fastcgi-index": "index.php", - } - - ing := framework.NewSingleIngress(host, "/hello", host, f.Namespace, "fastcgi-helloserver", 9000, annotations) - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, "fastcgi_index \"index.php\";") - }) - }) - - ginkgo.It("should add fastcgi_param in the configuration file", func() { - configuration := &corev1.ConfigMap{ - ObjectMeta: metav1.ObjectMeta{ - Name: "fastcgi-configmap", - Namespace: f.Namespace, - }, - Data: map[string]string{ - "SCRIPT_FILENAME": "/home/www/scripts/php$fastcgi_script_name", - "REDIRECT_STATUS": "200", - }, - } - - f.EnsureConfigMap(configuration) - - host := "fastcgi-params-configmap" - - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/backend-protocol": "FCGI", - "nginx.ingress.kubernetes.io/fastcgi-params-configmap": "fastcgi-configmap", - } - - ing := framework.NewSingleIngress(host, "/hello", host, f.Namespace, "fastcgi-helloserver", 9000, annotations) - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, "fastcgi_param SCRIPT_FILENAME \"/home/www/scripts/php$fastcgi_script_name\";") && - strings.Contains(server, "fastcgi_param REDIRECT_STATUS \"200\";") - }) - }) - - ginkgo.It("should return OK for service with backend protocol FastCGI", func() { - host := "fastcgi-helloserver" - path := "/hello" - - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/backend-protocol": "FCGI", - } - - ing := framework.NewSingleIngress(host, path, host, f.Namespace, "fastcgi-helloserver", 9000, annotations) - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, "fastcgi_pass") - }) - - f.HTTPTestClient(). - GET(path). - WithHeader("Host", host). - Expect(). - Status(http.StatusOK). - Body().Contains("Hello world!") - }) -}) diff --git a/test/e2e/framework/fastcgi_helloserver.go b/test/e2e/framework/fastcgi_helloserver.go deleted file mode 100644 index 719048c06..000000000 --- a/test/e2e/framework/fastcgi_helloserver.go +++ /dev/null @@ -1,104 +0,0 @@ -/* -Copyright 2017 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package framework - -import ( - "github.com/onsi/ginkgo/v2" - "github.com/stretchr/testify/assert" - appsv1 "k8s.io/api/apps/v1" - corev1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/fields" - "k8s.io/apimachinery/pkg/util/intstr" -) - -// NewFastCGIHelloServerDeployment creates a new single replica -// deployment of the fortune teller image in a particular namespace -func (f *Framework) NewFastCGIHelloServerDeployment() { - f.NewNewFastCGIHelloServerDeploymentWithReplicas(1) -} - -// NewNewFastCGIHelloServerDeploymentWithReplicas creates a new deployment of the -// fortune teller image in a particular namespace. Number of replicas is configurable -func (f *Framework) NewNewFastCGIHelloServerDeploymentWithReplicas(replicas int32) { - deployment := &appsv1.Deployment{ - ObjectMeta: metav1.ObjectMeta{ - Name: "fastcgi-helloserver", - Namespace: f.Namespace, - }, - Spec: appsv1.DeploymentSpec{ - Replicas: NewInt32(replicas), - Selector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "app": "fastcgi-helloserver", - }, - }, - Template: corev1.PodTemplateSpec{ - ObjectMeta: metav1.ObjectMeta{ - Labels: map[string]string{ - "app": "fastcgi-helloserver", - }, - }, - Spec: corev1.PodSpec{ - TerminationGracePeriodSeconds: NewInt64(0), - Containers: []corev1.Container{ - { - Name: "fastcgi-helloserver", - Image: "registry.k8s.io/ingress-nginx/e2e-test-fastcgi-helloserver@sha256:0e08c836cc58f1ea862578de99b13bc4264fe071e816f96dc1d79857bfba7473", - Env: []corev1.EnvVar{}, - Ports: []corev1.ContainerPort{ - { - Name: "fastcgi", - ContainerPort: 9000, - }, - }, - }, - }, - }, - }, - }, - } - - d := f.EnsureDeployment(deployment) - - err := waitForPodsReady(f.KubeClientSet, DefaultTimeout, int(replicas), f.Namespace, metav1.ListOptions{ - LabelSelector: fields.SelectorFromSet(fields.Set(d.Spec.Template.ObjectMeta.Labels)).String(), - }) - assert.Nil(ginkgo.GinkgoT(), err, "failed to wait for to become ready") - - service := &corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: "fastcgi-helloserver", - Namespace: f.Namespace, - }, - Spec: corev1.ServiceSpec{ - Ports: []corev1.ServicePort{ - { - Name: "fastcgi", - Port: 9000, - TargetPort: intstr.FromInt(9000), - Protocol: "TCP", - }, - }, - Selector: map[string]string{ - "app": "fastcgi-helloserver", - }, - }, - } - - f.EnsureService(service) -} From 60bf6ba6429feb4a5d8b485d1bcee87187fbc368 Mon Sep 17 00:00:00 2001 From: Brendan Kamp Date: Mon, 12 Jun 2023 12:25:49 +0200 Subject: [PATCH 349/405] chore: move httpbun to be part of framework (#9955) Signed-off-by: Spazzy --- test/e2e/HTTPBUN_IMAGE | 1 + test/e2e/annotations/auth.go | 53 +----- test/e2e/annotations/grpc.go | 17 +- test/e2e/annotations/satisfy.go | 17 +- test/e2e/framework/deployment.go | 111 +++++++++---- test/e2e/framework/framework.go | 29 +++- test/e2e/run-e2e-suite.sh | 2 + .../servicebackend/service_externalname.go | 153 +++++++++++------- test/e2e/settings/brotli.go | 9 +- .../settings/disable_service_external_name.go | 16 +- test/e2e/settings/global_external_auth.go | 10 +- test/e2e/settings/listen_nondefault_ports.go | 19 +-- test/e2e/settings/ssl_passthrough.go | 32 +++- 13 files changed, 265 insertions(+), 204 deletions(-) create mode 100644 test/e2e/HTTPBUN_IMAGE diff --git a/test/e2e/HTTPBUN_IMAGE b/test/e2e/HTTPBUN_IMAGE new file mode 100644 index 000000000..2d95865c7 --- /dev/null +++ b/test/e2e/HTTPBUN_IMAGE @@ -0,0 +1 @@ +registry.k8s.io/ingress-nginx/e2e-test-httpbun:v20230505-v0.0.1 diff --git a/test/e2e/annotations/auth.go b/test/e2e/annotations/auth.go index 4ca034825..8011186a1 100644 --- a/test/e2e/annotations/auth.go +++ b/test/e2e/annotations/auth.go @@ -23,7 +23,6 @@ import ( "net/url" "regexp" "strings" - "time" "golang.org/x/crypto/bcrypt" @@ -38,7 +37,7 @@ import ( ) var _ = framework.DescribeAnnotation("auth-*", func() { - f := framework.NewDefaultFramework("auth") + f := framework.NewDefaultFramework("auth", framework.WithHTTPBunEnabled()) ginkgo.BeforeEach(func() { f.NewEchoDeployment() @@ -390,10 +389,10 @@ http { assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint") assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint") - httpbunIP := e.Subsets[0].Addresses[0].IP + nginxIP := e.Subsets[0].Addresses[0].IP annotations = map[string]string{ - "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/cookies/set/alma/armud", httpbunIP), + "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/cookies/set/alma/armud", nginxIP), "nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start", } @@ -457,21 +456,8 @@ http { var ing *networking.Ingress ginkgo.BeforeEach(func() { - f.NewHttpbunDeployment() - - err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBunService, f.Namespace, 1) - assert.Nil(ginkgo.GinkgoT(), err) - - e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBunService, metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err) - - assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint") - assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint") - - httpbunIP := e.Subsets[0].Addresses[0].IP - annotations = map[string]string{ - "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbunIP), + "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", f.HTTPBunIP), "nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start", } @@ -650,20 +636,8 @@ http { var ing *networking.Ingress ginkgo.BeforeEach(func() { - f.NewHttpbunDeployment() - - var httpbunIP string - - err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBunService, f.Namespace, 1) - assert.Nil(ginkgo.GinkgoT(), err) - - e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBunService, metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err) - - httpbunIP = e.Subsets[0].Addresses[0].IP - annotations = map[string]string{ - "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbunIP), + "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", f.HTTPBunIP), "nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start", "nginx.ingress.kubernetes.io/auth-signin-redirect-param": "orig", } @@ -729,23 +703,8 @@ http { barPath := "/bar" ginkgo.BeforeEach(func() { - f.NewHttpbunDeployment() - - err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBunService, f.Namespace, 1) - assert.Nil(ginkgo.GinkgoT(), err) - - framework.Sleep(1 * time.Second) - - e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBunService, metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err) - - assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint") - assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint") - - httpbunIP := e.Subsets[0].Addresses[0].IP - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbunIP), + "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", f.HTTPBunIP), "nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start", "nginx.ingress.kubernetes.io/auth-cache-key": "fixed", "nginx.ingress.kubernetes.io/auth-cache-duration": "200 201 401 30m", diff --git a/test/e2e/annotations/grpc.go b/test/e2e/annotations/grpc.go index 2bdac553b..c8e530ead 100644 --- a/test/e2e/annotations/grpc.go +++ b/test/e2e/annotations/grpc.go @@ -37,7 +37,7 @@ import ( ) var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { - f := framework.NewDefaultFramework("grpc") + f := framework.NewDefaultFramework("grpc", framework.WithHTTPBunEnabled()) ginkgo.It("should use grpc_pass in the configuration file", func() { f.NewGRPCFortuneTellerDeployment() @@ -124,8 +124,6 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { ginkgo.It("authorization metadata should be overwritten by external auth response headers", func() { f.NewGRPCBinDeployment() - f.NewHttpbunDeployment() - host := "echo" svc := &corev1.Service{ @@ -148,19 +146,8 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { } f.EnsureService(svc) - err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBunService, f.Namespace, 1) - assert.Nil(ginkgo.GinkgoT(), err) - - e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBunService, metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err) - - assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint") - assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint") - - httpbunIP := e.Subsets[0].Addresses[0].IP - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/response-headers?authorization=foo", httpbunIP), + "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/response-headers?authorization=foo", f.HTTPBunIP), "nginx.ingress.kubernetes.io/auth-response-headers": "Authorization", "nginx.ingress.kubernetes.io/backend-protocol": "GRPC", } diff --git a/test/e2e/annotations/satisfy.go b/test/e2e/annotations/satisfy.go index 758ad21a4..6ba6db33e 100644 --- a/test/e2e/annotations/satisfy.go +++ b/test/e2e/annotations/satisfy.go @@ -17,7 +17,6 @@ limitations under the License. package annotations import ( - "context" "fmt" "net/http" "net/url" @@ -27,13 +26,12 @@ import ( "github.com/stretchr/testify/assert" networking "k8s.io/api/networking/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/ingress-nginx/test/e2e/framework" ) var _ = framework.DescribeAnnotation("satisfy", func() { - f := framework.NewDefaultFramework("satisfy") + f := framework.NewDefaultFramework("satisfy", framework.WithHTTPBunEnabled()) ginkgo.BeforeEach(func() { f.NewEchoDeployment() @@ -84,17 +82,6 @@ var _ = framework.DescribeAnnotation("satisfy", func() { ginkgo.It("should allow multiple auth with satisfy any", func() { host := "auth" - // setup external auth - f.NewHttpbunDeployment() - - err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBunService, f.Namespace, 1) - assert.Nil(ginkgo.GinkgoT(), err) - - e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBunService, metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err) - - httpbunIP := e.Subsets[0].Addresses[0].IP - // create basic auth secret at ingress s := f.EnsureSecret(buildSecret("uname", "pwd", "basic-secret", f.Namespace)) @@ -105,7 +92,7 @@ var _ = framework.DescribeAnnotation("satisfy", func() { "nginx.ingress.kubernetes.io/auth-realm": "test basic auth", // annotations for external auth - "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbunIP), + "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", f.HTTPBunIP), "nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start", // set satisfy any diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go index 565b8f4ac..d4e20fbf5 100644 --- a/test/e2e/framework/deployment.go +++ b/test/e2e/framework/deployment.go @@ -43,12 +43,28 @@ const HTTPBunService = "httpbun" // NipService name of external service using nip.io const NIPService = "external-nip" +// HTTPBunImage is the default image that is used to deploy HTTPBun with the framwork +var HTTPBunImage = os.Getenv("HTTPBUN_IMAGE") + +// EchoImage is the default image to be used by the echo service +const EchoImage = "registry.k8s.io/ingress-nginx/e2e-test-echo@sha256:4938d1d91a2b7d19454460a8c1b010b89f6ff92d2987fd889ac3e8fc3b70d91a" + +// TODO: change all Deployment functions to use these options +// in order to reduce complexity and have a unified API accross the +// framework type deploymentOptions struct { - namespace string name string - replicas int - svcAnnotations map[string]string + namespace string image string + port int32 + replicas int + command []string + args []string + env []corev1.EnvVar + volumeMounts []corev1.VolumeMount + volumes []corev1.Volume + svcAnnotations map[string]string + setProbe bool } // WithDeploymentNamespace allows configuring the deployment's namespace @@ -100,22 +116,25 @@ func (f *Framework) NewEchoDeployment(opts ...func(*deploymentOptions)) { namespace: f.Namespace, name: EchoService, replicas: 1, - image: "registry.k8s.io/ingress-nginx/e2e-test-echo@sha256:6fc5aa2994c86575975bb20a5203651207029a0d28e3f491d8a127d08baadab4", + image: EchoImage, } for _, o := range opts { o(options) } - deployment := newDeployment(options.name, options.namespace, options.image, 80, int32(options.replicas), + f.EnsureDeployment(newDeployment( + options.name, + options.namespace, + options.image, + 80, + int32(options.replicas), nil, nil, nil, []corev1.VolumeMount{}, []corev1.Volume{}, true, - ) + )) - f.EnsureDeployment(deployment) - - service := &corev1.Service{ + f.EnsureService(&corev1.Service{ ObjectMeta: metav1.ObjectMeta{ Name: options.name, Namespace: options.namespace, @@ -134,11 +153,15 @@ func (f *Framework) NewEchoDeployment(opts ...func(*deploymentOptions)) { "app": options.name, }, }, - } + }) - f.EnsureService(service) - - err := WaitForEndpoints(f.KubeClientSet, DefaultTimeout, options.name, options.namespace, options.replicas) + err := WaitForEndpoints( + f.KubeClientSet, + DefaultTimeout, + options.name, + options.namespace, + options.replicas, + ) assert.Nil(ginkgo.GinkgoT(), err, "waiting for endpoints to become ready") } @@ -147,6 +170,12 @@ func BuildNIPHost(ip string) string { return fmt.Sprintf("%s.nip.io", ip) } +// GetNipHost used to generate a nip host for external DNS resolving +// for the instance deployed by the framework +func (f *Framework) GetNIPHost() string { + return BuildNIPHost(f.HTTPBunIP) +} + // BuildNIPExternalNameService used to generate a service pointing to nip.io to // help resolve to an IP address func BuildNIPExternalNameService(f *Framework, ip, portName string) *corev1.Service { @@ -177,22 +206,27 @@ func (f *Framework) NewHttpbunDeployment(opts ...func(*deploymentOptions)) strin namespace: f.Namespace, name: HTTPBunService, replicas: 1, - image: "registry.k8s.io/ingress-nginx/e2e-test-httpbun:v20230505-v0.0.1", + image: HTTPBunImage, } for _, o := range opts { o(options) } - deployment := newDeployment(options.name, options.namespace, options.image, 80, int32(options.replicas), + // Create the HTTPBun Deployment + f.EnsureDeployment(newDeployment( + options.name, + options.namespace, + options.image, + 80, + int32(options.replicas), nil, nil, nil, []corev1.VolumeMount{}, []corev1.Volume{}, true, - ) + )) - f.EnsureDeployment(deployment) - - service := &corev1.Service{ + // Create a service pointing to deployment + f.EnsureService(&corev1.Service{ ObjectMeta: metav1.ObjectMeta{ Name: options.name, Namespace: options.namespace, @@ -211,14 +245,26 @@ func (f *Framework) NewHttpbunDeployment(opts ...func(*deploymentOptions)) strin "app": options.name, }, }, - } + }) - s := f.EnsureService(service) - - err := WaitForEndpoints(f.KubeClientSet, DefaultTimeout, options.name, options.namespace, options.replicas) + // Wait for deployment to become available + err := WaitForEndpoints( + f.KubeClientSet, + DefaultTimeout, + options.name, + options.namespace, + options.replicas, + ) assert.Nil(ginkgo.GinkgoT(), err, "waiting for endpoints to become ready") - return s.Spec.ClusterIPs[0] + // Get cluster ip for HTTPBun to be used in tests + e, err := f.KubeClientSet. + CoreV1(). + Endpoints(f.Namespace). + Get(context.TODO(), HTTPBunService, metav1.GetOptions{}) + assert.Nil(ginkgo.GinkgoT(), err, "failed to get httpbun endpoint") + + return e.Subsets[0].Addresses[0].IP } // NewSlowEchoDeployment creates a new deployment of the slow echo server image in a particular namespace. @@ -276,13 +322,16 @@ func (f *Framework) NGINXDeployment(name string, cfg string, waitendpoint bool) "nginx.conf": cfg, } - _, err := f.KubeClientSet.CoreV1().ConfigMaps(f.Namespace).Create(context.TODO(), &corev1.ConfigMap{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: f.Namespace, - }, - Data: cfgMap, - }, metav1.CreateOptions{}) + _, err := f.KubeClientSet. + CoreV1(). + ConfigMaps(f.Namespace). + Create(context.TODO(), &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: f.Namespace, + }, + Data: cfgMap, + }, metav1.CreateOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "creating configmap") deployment := newDeployment(name, f.Namespace, f.GetNginxBaseImage(), 80, 1, diff --git a/test/e2e/framework/framework.go b/test/e2e/framework/framework.go index a3d5ea760..69f6dae78 100644 --- a/test/e2e/framework/framework.go +++ b/test/e2e/framework/framework.go @@ -67,16 +67,32 @@ type Framework struct { IngressClass string pod *v1.Pod + // We use httpbun as a service that we route to in our tests through + // the ingress controller. We add it as part of the framework as it + // is used extensively + HTTPBunIP string + HTTPBunEnabled bool +} + +// WithHTTPBunEnabled deploys an instance of HTTPBun for the specific test +func WithHTTPBunEnabled() func(*Framework) { + return func(f *Framework) { + f.HTTPBunEnabled = true + } } // NewDefaultFramework makes a new framework and sets up a BeforeEach/AfterEach for // you (you can write additional before/after each functions). -func NewDefaultFramework(baseName string) *Framework { +func NewDefaultFramework(baseName string, opts ...func(*Framework)) *Framework { defer ginkgo.GinkgoRecover() f := &Framework{ BaseName: baseName, } + // set framework options + for _, o := range opts { + o(f) + } ginkgo.BeforeEach(f.BeforeEach) ginkgo.AfterEach(f.AfterEach) @@ -86,12 +102,16 @@ func NewDefaultFramework(baseName string) *Framework { // NewSimpleFramework makes a new framework that allows the usage of a namespace // for arbitraty tests. -func NewSimpleFramework(baseName string) *Framework { +func NewSimpleFramework(baseName string, opts ...func(*Framework)) *Framework { defer ginkgo.GinkgoRecover() f := &Framework{ BaseName: baseName, } + // set framework options + for _, o := range opts { + o(f) + } ginkgo.BeforeEach(f.CreateEnvironment) ginkgo.AfterEach(f.DestroyEnvironment) @@ -140,6 +160,11 @@ func (f *Framework) BeforeEach() { assert.Nil(ginkgo.GinkgoT(), err, "updating ingress controller pod information") f.WaitForNginxListening(80) + + // If HTTPBun is enabled deploy an instance to the namespace + if f.HTTPBunEnabled { + f.HTTPBunIP = f.NewHttpbunDeployment() + } } // AfterEach deletes the namespace, after reading its events. diff --git a/test/e2e/run-e2e-suite.sh b/test/e2e/run-e2e-suite.sh index a3bf589cd..b56312afd 100755 --- a/test/e2e/run-e2e-suite.sh +++ b/test/e2e/run-e2e-suite.sh @@ -51,6 +51,7 @@ fi BASEDIR=$(dirname "$0") NGINX_BASE_IMAGE=$(cat $BASEDIR/../../NGINX_BASE) +HTTPBUN_IMAGE=$(cat $BASEDIR/HTTPBUN_IMAGE) echo -e "${BGREEN}Granting permissions to ingress-nginx e2e service account...${NC}" kubectl create serviceaccount ingress-nginx-e2e || true @@ -79,6 +80,7 @@ kubectl run --rm \ --env="IS_CHROOT=${IS_CHROOT:-false}"\ --env="E2E_CHECK_LEAKS=${E2E_CHECK_LEAKS}" \ --env="NGINX_BASE_IMAGE=${NGINX_BASE_IMAGE}" \ + --env="HTTPBUN_IMAGE=${HTTPBUN_IMAGE}" \ --overrides='{ "apiVersion": "v1", "spec":{"serviceAccountName": "ingress-nginx-e2e"}}' \ e2e --image=nginx-ingress-controller:e2e diff --git a/test/e2e/servicebackend/service_externalname.go b/test/e2e/servicebackend/service_externalname.go index 2fd6cd080..89ae77b10 100644 --- a/test/e2e/servicebackend/service_externalname.go +++ b/test/e2e/servicebackend/service_externalname.go @@ -35,7 +35,7 @@ import ( ) var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { - f := framework.NewDefaultFramework("type-externalname") + f := framework.NewDefaultFramework("type-externalname", framework.WithHTTPBunEnabled()) ginkgo.It("works with external name set to incomplete fqdn", func() { f.NewEchoDeployment() @@ -43,7 +43,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ - Name: framework.HTTPBunService, + Name: framework.NIPService, Namespace: f.Namespace, }, Spec: corev1.ServiceSpec{ @@ -51,10 +51,15 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { Type: corev1.ServiceTypeExternalName, }, } - f.EnsureService(svc) - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBunService, 80, nil) + ing := framework.NewSingleIngress(host, + "/", + host, + f.Namespace, + framework.NIPService, + 80, + nil) f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -70,10 +75,6 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { }) ginkgo.It("should return 200 for service type=ExternalName without a port defined", func() { - // This is a workaround so we only depend on a self hosted instance of - // httpbun - ip := f.NewHttpbunDeployment() - host := "echo" svc := &corev1.Service{ @@ -82,17 +83,23 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { Namespace: f.Namespace, }, Spec: corev1.ServiceSpec{ - ExternalName: framework.BuildNIPHost(ip), + ExternalName: f.GetNIPHost(), Type: corev1.ServiceTypeExternalName, }, } - f.EnsureService(svc) annotations := map[string]string{ - "nginx.ingress.kubernetes.io/upstream-vhost": framework.BuildNIPHost(ip), + "nginx.ingress.kubernetes.io/upstream-vhost": f.GetNIPHost(), } - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBunService, 80, annotations) + + ing := framework.NewSingleIngress(host, + "/", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations) f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -108,19 +115,21 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { }) ginkgo.It("should return 200 for service type=ExternalName with a port defined", func() { - // This is a workaround so we only depend on a self hosted instance of - // httpbun - ip := f.NewHttpbunDeployment() - host := "echo" - svc := framework.BuildNIPExternalNameService(f, ip, host) + svc := framework.BuildNIPExternalNameService(f, f.HTTPBunIP, host) f.EnsureService(svc) annotations := map[string]string{ - "nginx.ingress.kubernetes.io/upstream-vhost": framework.BuildNIPHost(ip), + "nginx.ingress.kubernetes.io/upstream-vhost": f.GetNIPHost(), } - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBunService, 80, annotations) + ing := framework.NewSingleIngress(host, + "/", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations) f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -140,7 +149,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ - Name: framework.HTTPBunService, + Name: framework.NIPService, Namespace: f.Namespace, }, Spec: corev1.ServiceSpec{ @@ -148,10 +157,15 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { Type: corev1.ServiceTypeExternalName, }, } - f.EnsureService(svc) - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBunService, 80, nil) + ing := framework.NewSingleIngress(host, + "/", + host, + f.Namespace, + framework.NIPService, + 80, + nil) f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -167,19 +181,22 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { }) ginkgo.It("should return 200 for service type=ExternalName using a port name", func() { - // This is a workaround so we only depend on a self hosted instance of - // httpbun - ip := f.NewHttpbunDeployment() - host := "echo" - svc := framework.BuildNIPExternalNameService(f, ip, host) + svc := framework.BuildNIPExternalNameService(f, f.HTTPBunIP, host) f.EnsureService(svc) annotations := map[string]string{ - "nginx.ingress.kubernetes.io/upstream-vhost": framework.BuildNIPHost(ip), + "nginx.ingress.kubernetes.io/upstream-vhost": f.GetNIPHost(), } - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBunService, 80, annotations) + ing := framework.NewSingleIngress(host, + "/", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations) + namedBackend := networking.IngressBackend{ Service: &networking.IngressServiceBackend{ Name: framework.NIPService, @@ -188,6 +205,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { }, }, } + ing.Spec.Rules[0].HTTP.Paths[0].Backend = namedBackend f.EnsureIngress(ing) @@ -204,10 +222,6 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { }) ginkgo.It("should return 200 for service type=ExternalName using FQDN with trailing dot", func() { - // This is a workaround so we only depend on a self hosted instance of - // httpbun - ip := f.NewHttpbunDeployment() - host := "echo" svc := &corev1.Service{ @@ -216,14 +230,19 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { Namespace: f.Namespace, }, Spec: corev1.ServiceSpec{ - ExternalName: framework.BuildNIPHost(ip), + ExternalName: f.GetNIPHost(), Type: corev1.ServiceTypeExternalName, }, } - f.EnsureService(svc) - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBunService, 80, nil) + ing := framework.NewSingleIngress(host, + "/", + host, + f.Namespace, + framework.HTTPBunService, + 80, + nil) f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -239,20 +258,23 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { }) ginkgo.It("should update the external name after a service update", func() { - // This is a workaround so we only depend on a self hosted instance of - // httpbun - ip := f.NewHttpbunDeployment() - host := "echo" - svc := framework.BuildNIPExternalNameService(f, ip, host) + svc := framework.BuildNIPExternalNameService(f, f.HTTPBunIP, host) f.EnsureService(svc) annotations := map[string]string{ - "nginx.ingress.kubernetes.io/upstream-vhost": framework.BuildNIPHost(ip), + "nginx.ingress.kubernetes.io/upstream-vhost": f.GetNIPHost(), } - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBunService, 80, annotations) + ing := framework.NewSingleIngress(host, + "/", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations) + namedBackend := networking.IngressBackend{ Service: &networking.IngressServiceBackend{ Name: framework.NIPService, @@ -279,14 +301,20 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { assert.Contains(ginkgo.GinkgoT(), body, `"X-Forwarded-Host": "echo"`) - svc, err := f.KubeClientSet.CoreV1().Services(f.Namespace).Get(context.TODO(), framework.NIPService, metav1.GetOptions{}) + svc, err := f.KubeClientSet. + CoreV1(). + Services(f.Namespace). + Get(context.TODO(), framework.NIPService, metav1.GetOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error obtaining external service") - ip = f.NewHttpbunDeployment(framework.WithDeploymentName("eu-server")) - + //Deploy a new instance to switch routing to + ip := f.NewHttpbunDeployment(framework.WithDeploymentName("eu-server")) svc.Spec.ExternalName = framework.BuildNIPHost(ip) - _, err = f.KubeClientSet.CoreV1().Services(f.Namespace).Update(context.Background(), svc, metav1.UpdateOptions{}) + _, err = f.KubeClientSet. + CoreV1(). + Services(f.Namespace). + Update(context.Background(), svc, metav1.UpdateOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error updating external service") framework.Sleep() @@ -302,21 +330,31 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { assert.Contains(ginkgo.GinkgoT(), body, `"X-Forwarded-Host": "echo"`) ginkgo.By("checking the service is updated to use new host") - curlCmd := fmt.Sprintf("curl --fail --silent http://localhost:%v/configuration/backends", nginx.StatusPort) + curlCmd := fmt.Sprintf( + "curl --fail --silent http://localhost:%v/configuration/backends", + nginx.StatusPort, + ) + output, err := f.ExecIngressPod(curlCmd) assert.Nil(ginkgo.GinkgoT(), err) - assert.Contains(ginkgo.GinkgoT(), output, fmt.Sprintf("{\"address\":\"%s\"", framework.BuildNIPHost(ip))) + assert.Contains( + ginkgo.GinkgoT(), + output, + fmt.Sprintf("{\"address\":\"%s\"", framework.BuildNIPHost(ip)), + ) }) ginkgo.It("should sync ingress on external name service addition/deletion", func() { - // This is a workaround so we only depend on a self hosted instance of - // httpbun - ip := f.NewHttpbunDeployment() - host := "echo" // Create the Ingress first - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.NIPService, 80, nil) + ing := framework.NewSingleIngress(host, + "/", + host, + f.Namespace, + framework.NIPService, + 80, + nil) f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -332,7 +370,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { Status(http.StatusServiceUnavailable) // Now create the service - svc := framework.BuildNIPExternalNameService(f, ip, host) + svc := framework.BuildNIPExternalNameService(f, f.HTTPBunIP, host) f.EnsureService(svc) framework.Sleep() @@ -345,7 +383,10 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { Status(http.StatusOK) // And back to 503 after deleting the service - err := f.KubeClientSet.CoreV1().Services(f.Namespace).Delete(context.TODO(), framework.NIPService, metav1.DeleteOptions{}) + err := f.KubeClientSet. + CoreV1(). + Services(f.Namespace). + Delete(context.TODO(), framework.NIPService, metav1.DeleteOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error deleting external service") framework.Sleep() diff --git a/test/e2e/settings/brotli.go b/test/e2e/settings/brotli.go index a13678f66..aacaddec5 100644 --- a/test/e2e/settings/brotli.go +++ b/test/e2e/settings/brotli.go @@ -28,14 +28,13 @@ import ( ) var _ = framework.IngressNginxDescribe("brotli", func() { - f := framework.NewDefaultFramework("brotli") + f := framework.NewDefaultFramework( + "brotli", + framework.WithHTTPBunEnabled(), + ) host := "brotli" - ginkgo.BeforeEach(func() { - f.NewHttpbunDeployment() - }) - ginkgo.It("should only compress responses that meet the `brotli-min-length` condition", func() { brotliMinLength := 24 contentEncoding := "application/octet-stream" diff --git a/test/e2e/settings/disable_service_external_name.go b/test/e2e/settings/disable_service_external_name.go index 7f03e5355..4ecf69e81 100644 --- a/test/e2e/settings/disable_service_external_name.go +++ b/test/e2e/settings/disable_service_external_name.go @@ -33,7 +33,10 @@ import ( ) var _ = framework.IngressNginxDescribe("[Flag] disable-service-external-name", func() { - f := framework.NewDefaultFramework("disabled-service-external-name") + f := framework.NewDefaultFramework( + "disabled-service-external-name", + framework.WithHTTPBunEnabled(), + ) ginkgo.BeforeEach(func() { f.NewEchoDeployment(framework.WithDeploymentReplicas(2)) @@ -54,21 +57,18 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-service-external-name", f externalhost := "echo-external-svc.com" - ip := f.NewHttpbunDeployment() - svc := framework.BuildNIPExternalNameService(f, ip, "echo") - f.EnsureService(svc) + f.EnsureService(framework.BuildNIPExternalNameService(f, f.HTTPBunIP, "echo")) - svcexternal := &corev1.Service{ + f.EnsureService(&corev1.Service{ ObjectMeta: metav1.ObjectMeta{ Name: "external", Namespace: f.Namespace, }, Spec: corev1.ServiceSpec{ - ExternalName: framework.BuildNIPHost(ip), + ExternalName: f.GetNIPHost(), Type: corev1.ServiceTypeExternalName, }, - } - f.EnsureService(svcexternal) + }) ingexternal := framework.NewSingleIngress(externalhost, "/", externalhost, f.Namespace, "external", 80, nil) f.EnsureIngress(ingexternal) diff --git a/test/e2e/settings/global_external_auth.go b/test/e2e/settings/global_external_auth.go index c5964299f..cc98099ae 100644 --- a/test/e2e/settings/global_external_auth.go +++ b/test/e2e/settings/global_external_auth.go @@ -32,7 +32,10 @@ import ( ) var _ = framework.DescribeSetting("[Security] global-auth-url", func() { - f := framework.NewDefaultFramework("global-external-auth") + f := framework.NewDefaultFramework( + "global-external-auth", + framework.WithHTTPBunEnabled(), + ) host := "global-external-auth" @@ -50,7 +53,6 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { ginkgo.BeforeEach(func() { f.NewEchoDeployment() - f.NewHttpbunDeployment() }) ginkgo.Context("when global external authentication is configured", func() { @@ -307,9 +309,9 @@ http { assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint") assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint") - httpbunIP := e.Subsets[0].Addresses[0].IP + nginxIP := e.Subsets[0].Addresses[0].IP - f.UpdateNginxConfigMapData(globalExternalAuthURLSetting, fmt.Sprintf("http://%s/cookies/set/alma/armud", httpbunIP)) + f.UpdateNginxConfigMapData(globalExternalAuthURLSetting, fmt.Sprintf("http://%s/cookies/set/alma/armud", nginxIP)) ing1 = framework.NewSingleIngress(host, "/", host, f.Namespace, "http-cookie-with-error", 80, nil) f.EnsureIngress(ing1) diff --git a/test/e2e/settings/listen_nondefault_ports.go b/test/e2e/settings/listen_nondefault_ports.go index e682cef06..7e3b11b21 100644 --- a/test/e2e/settings/listen_nondefault_ports.go +++ b/test/e2e/settings/listen_nondefault_ports.go @@ -17,14 +17,12 @@ limitations under the License. package settings import ( - "context" "fmt" "net/http" "strings" "github.com/onsi/ginkgo/v2" "github.com/stretchr/testify/assert" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/ingress-nginx/test/e2e/framework" ) @@ -33,7 +31,7 @@ var _ = framework.IngressNginxDescribe("[Flag] custom HTTP and HTTPS ports", fun host := "forwarded-headers" - f := framework.NewDefaultFramework("forwarded-port-headers") + f := framework.NewDefaultFramework("forwarded-port-headers", framework.WithHTTPBunEnabled()) ginkgo.BeforeEach(func() { f.NewEchoDeployment() @@ -98,21 +96,8 @@ var _ = framework.IngressNginxDescribe("[Flag] custom HTTP and HTTPS ports", fun ginkgo.Context("when external authentication is configured", func() { ginkgo.It("should set the X-Forwarded-Port header to 443", func() { - f.NewHttpbunDeployment() - - err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBunService, f.Namespace, 1) - assert.Nil(ginkgo.GinkgoT(), err) - - e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBunService, metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err) - - assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint") - assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint") - - httpbunIP := e.Subsets[0].Addresses[0].IP - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbunIP), + "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", f.HTTPBunIP), "nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start", } diff --git a/test/e2e/settings/ssl_passthrough.go b/test/e2e/settings/ssl_passthrough.go index a906a2d11..f0859f878 100644 --- a/test/e2e/settings/ssl_passthrough.go +++ b/test/e2e/settings/ssl_passthrough.go @@ -34,7 +34,7 @@ import ( ) var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { - f := framework.NewDefaultFramework("ssl-passthrough") + f := framework.NewDefaultFramework("ssl-passthrough", framework.WithHTTPBunEnabled()) ginkgo.BeforeEach(func() { err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error { @@ -86,7 +86,14 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { "nginx.ingress.kubernetes.io/ssl-passthrough": "true", } - ingressDef := framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, echoName, 80, annotations) + ingressDef := framework.NewSingleIngressWithTLS(host, + "/", + host, + []string{host}, + f.Namespace, + echoName, + 80, + annotations) tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet, ingressDef.Spec.TLS[0].Hosts, ingressDef.Spec.TLS[0].SecretName, @@ -119,7 +126,17 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { Value: "/certs/tls.key", }, } - f.NewDeploymentWithOpts("echopass", "ghcr.io/sharat87/httpbun:latest", 80, 1, nil, nil, envs, volumeMount, volume, false) + + f.NewDeploymentWithOpts("echopass", + framework.HTTPBunImage, + 80, + 1, + nil, + nil, + envs, + volumeMount, + volume, + false) f.EnsureIngress(ingressDef) @@ -133,7 +150,14 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { /* This one should not receive traffic as it does not contain passthrough annotation */ hostBad := "noannotationnopassthrough.com" - ingBad := f.EnsureIngress(framework.NewSingleIngressWithTLS(hostBad, "/", hostBad, []string{hostBad}, f.Namespace, echoName, 80, nil)) + ingBad := f.EnsureIngress(framework.NewSingleIngressWithTLS(hostBad, + "/", + hostBad, + []string{hostBad}, + f.Namespace, + echoName, + 80, + nil)) tlsConfigBad, err := framework.CreateIngressTLSSecret(f.KubeClientSet, ingBad.Spec.TLS[0].Hosts, ingBad.Spec.TLS[0].SecretName, From 436df32c2c50dee5b984e06b86b2660f32a5a384 Mon Sep 17 00:00:00 2001 From: Ehsan Saei <71217171+esigo@users.noreply.github.com> Date: Mon, 12 Jun 2023 12:47:48 +0200 Subject: [PATCH 350/405] add distroless otel init (#10035) add distroless otel init --- charts/ingress-nginx/templates/_helpers.tpl | 6 +- .../templates/controller-deployment.yaml | 2 +- images/opentelemetry/rootfs/Dockerfile | 18 ++- images/opentelemetry/rootfs/build.sh | 3 + images/opentelemetry/rootfs/go.mod | 3 + images/opentelemetry/rootfs/init_module.go | 104 ++++++++++++++++++ images/opentelemetry/rootfs/init_module.sh | 22 ---- 7 files changed, 131 insertions(+), 27 deletions(-) create mode 100644 images/opentelemetry/rootfs/go.mod create mode 100644 images/opentelemetry/rootfs/init_module.go delete mode 100755 images/opentelemetry/rootfs/init_module.sh diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl index 7db5b2ca8..548e8cf12 100644 --- a/charts/ingress-nginx/templates/_helpers.tpl +++ b/charts/ingress-nginx/templates/_helpers.tpl @@ -201,8 +201,12 @@ Extra modules. - name: {{ .name }} image: {{ .image }} + {{- if .distroless | default false }} + command: ['/init_module'] + {{- else }} command: ['sh', '-c', '/usr/local/bin/init_module.sh'] - {{- if (.containerSecurityContext) }} + {{- end }} + {{- if .containerSecurityContext }} securityContext: {{ .containerSecurityContext | toYaml | nindent 4 }} {{- end }} volumeMounts: diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml index 323d87623..7fe8804ea 100644 --- a/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/charts/ingress-nginx/templates/controller-deployment.yaml @@ -190,7 +190,7 @@ spec: {{- end }} {{- if .Values.controller.opentelemetry.enabled}} {{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}} + {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" false) | nindent 8}} {{- end}} {{- end }} {{- if .Values.controller.hostNetwork }} diff --git a/images/opentelemetry/rootfs/Dockerfile b/images/opentelemetry/rootfs/Dockerfile index 69d82cda2..d15c28bbf 100644 --- a/images/opentelemetry/rootfs/Dockerfile +++ b/images/opentelemetry/rootfs/Dockerfile @@ -21,9 +21,11 @@ COPY . /opt/third_party/ # install build tools RUN apk update \ && apk upgrade \ - && apk add -U bash cmake \ + && apk add -U bash cmake ninja \ && bash /opt/third_party/build.sh -p +ENV NINJA_STATUS "[%p/%f/%t]" + # install gRPC FROM base as grpc RUN bash /opt/third_party/build.sh -g v1.49.2 @@ -39,7 +41,17 @@ COPY --from=grpc /opt/third_party/install/ /usr COPY --from=otel-cpp /opt/third_party/install/ /usr RUN bash /opt/third_party/build.sh -n -FROM alpine:3.18.0 as final -COPY --from=base /opt/third_party/init_module.sh /usr/local/bin/init_module.sh +FROM cgr.dev/chainguard/go:latest as build-init + +WORKDIR /go/src/app +COPY . . + +RUN go mod download +RUN CGO_ENABLED=0 go build -o /go/bin/init_module + +FROM cgr.dev/chainguard/static as final +COPY --from=build-init /go/bin/init_module / COPY --from=nginx /etc/nginx/modules /etc/nginx/modules COPY --from=nginx /opt/third_party/install/lib /etc/nginx/modules + +CMD ["/init_module"] diff --git a/images/opentelemetry/rootfs/build.sh b/images/opentelemetry/rootfs/build.sh index 6ad4601c6..30faad304 100755 --- a/images/opentelemetry/rootfs/build.sh +++ b/images/opentelemetry/rootfs/build.sh @@ -70,6 +70,7 @@ install_grpc() mkdir -p $BUILD_PATH/grpc cd ${BUILD_PATH}/grpc cmake -DCMAKE_INSTALL_PREFIX=${INSTAL_DIR} \ + -G Ninja \ -DGRPC_GIT_TAG=${GRPC_GIT_TAG} /opt/third_party \ -DgRPC_BUILD_GRPC_NODE_PLUGIN=OFF \ -DgRPC_BUILD_GRPC_OBJECTIVE_C_PLUGIN=OFF \ @@ -92,6 +93,7 @@ install_otel() cd .build cmake -DCMAKE_BUILD_TYPE=Release \ + -G Ninja \ -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE \ -DWITH_ZIPKIN=OFF \ -DWITH_JAEGER=OFF \ @@ -143,6 +145,7 @@ install_nginx() mkdir -p build cd build cmake -DCMAKE_BUILD_TYPE=Release \ + -G Ninja \ -DCMAKE_INSTALL_PREFIX=${INSTAL_DIR} \ -DBUILD_SHARED_LIBS=ON \ -DNGINX_VERSION=${NGINX_VERSION} \ diff --git a/images/opentelemetry/rootfs/go.mod b/images/opentelemetry/rootfs/go.mod new file mode 100644 index 000000000..f636c81b7 --- /dev/null +++ b/images/opentelemetry/rootfs/go.mod @@ -0,0 +1,3 @@ +module init-otel + +go 1.20 diff --git a/images/opentelemetry/rootfs/init_module.go b/images/opentelemetry/rootfs/init_module.go new file mode 100644 index 000000000..bebec728f --- /dev/null +++ b/images/opentelemetry/rootfs/init_module.go @@ -0,0 +1,104 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package main + +import ( + "fmt" + "io" + "os" + "path/filepath" +) + +func main() { + // Enable error handling for all operations + err := run() + if err != nil { + fmt.Fprintf(os.Stderr, "Error: %v\n", err) + os.Exit(1) + } +} + +func run() error { + // Create the target directory if it doesn't exist + targetDir := "/modules_mount/etc/nginx/modules/otel" + err := os.MkdirAll(targetDir, os.ModePerm) + if err != nil { + return fmt.Errorf("failed to create target directory: %w", err) + } + + // Copy files from source directory to target directory + sourceDir := "/etc/nginx/modules/" + err = filepath.Walk(sourceDir, func(path string, info os.FileInfo, err error) error { + if err != nil { + return err + } + + // Skip directories + if info.IsDir() { + return nil + } + + // Calculate the destination path + relPath, err := filepath.Rel(sourceDir, path) + if err != nil { + return err + } + destPath := filepath.Join(targetDir, relPath) + + // Create the destination directory if it doesn't exist + destDir := filepath.Dir(destPath) + err = os.MkdirAll(destDir, os.ModePerm) + if err != nil { + return err + } + + // Copy the file + err = copyFile(path, destPath) + if err != nil { + return err + } + + return nil + }) + + if err != nil { + return fmt.Errorf("failed to copy files: %w", err) + } + + return nil +} + +func copyFile(sourcePath, destPath string) error { + sourceFile, err := os.Open(sourcePath) + if err != nil { + return err + } + defer sourceFile.Close() + + destFile, err := os.Create(destPath) + if err != nil { + return err + } + defer destFile.Close() + + _, err = io.Copy(destFile, sourceFile) + if err != nil { + return err + } + + return nil +} diff --git a/images/opentelemetry/rootfs/init_module.sh b/images/opentelemetry/rootfs/init_module.sh deleted file mode 100755 index 5a675aa2b..000000000 --- a/images/opentelemetry/rootfs/init_module.sh +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/sh - -# Copyright 2021 The Kubernetes Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -o errexit -set -o nounset -set -o pipefail - -mkdir -p /modules_mount/etc/nginx/modules/otel -cp -R /etc/nginx/modules/* /modules_mount/etc/nginx/modules/otel From dd6d8e0d9f3def3bf9a85a1bac972418e67e5212 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Jun 2023 05:03:48 -0700 Subject: [PATCH 351/405] Bump docker/setup-buildx-action from 2.5.0 to 2.6.0 (#10077) Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2.5.0 to 2.6.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c...6a58db7e0d21ca03e6c44877909e80e45217eed2) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 3406b250f..756d65c3e 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -158,7 +158,7 @@ jobs: - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0 + uses: docker/setup-buildx-action@6a58db7e0d21ca03e6c44877909e80e45217eed2 # v2.6.0 with: version: latest From 18e6bfdebfcc2ba1bf2f369e7fd10af72bd2f428 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Jun 2023 05:05:47 -0700 Subject: [PATCH 352/405] Bump aquasecurity/trivy-action from 0.10.0 to 0.11.2 (#10078) Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.10.0 to 0.11.2. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](https://github.com/aquasecurity/trivy-action/compare/e5f43133f6e8736992c9f3c1b3296e24b37e17f2...41f05d9ecffa2ed3f1580af306000f734b733e54) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/vulnerability-scans.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index 069c9f974..9814c2c95 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -60,7 +60,7 @@ jobs: - name: Scan image with AquaSec/Trivy id: scan - uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2 # v0.10.0 + uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # v0.11.2 with: image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }} format: 'sarif' From 5544c1f1f639e4f13905b927854d4e48e83d5658 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Jun 2023 05:33:49 -0700 Subject: [PATCH 353/405] Bump docker/setup-qemu-action from 2.1.0 to 2.2.0 (#10075) Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 2.1.0 to 2.2.0. - [Release notes](https://github.com/docker/setup-qemu-action/releases) - [Commits](https://github.com/docker/setup-qemu-action/compare/e81a89b1732b9c48d79cd809d8d81d79c4647a18...2b82ce82d56a2a04d2637cd93a637ae1b359c0a7) --- updated-dependencies: - dependency-name: docker/setup-qemu-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 756d65c3e..9e3e97edf 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -154,7 +154,7 @@ jobs: check-latest: true - name: Set up QEMU - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0 + uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0 - name: Set up Docker Buildx id: buildx From 4eeee031c76ac3403f845c8bf85e95caef87fee0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Jun 2023 05:35:49 -0700 Subject: [PATCH 354/405] Bump actions/checkout from 3.5.2 to 3.5.3 (#10076) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.2 to 3.5.3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/8e5e7e5ab8b370d6c329ec480221332ada57f0ab...c85c95e3d7251135ab7dc9ce3241c5835cc595a9) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yaml | 22 +++++++++++----------- .github/workflows/depreview.yaml | 2 +- .github/workflows/docs.yaml | 4 ++-- .github/workflows/helm.yaml | 4 ++-- .github/workflows/perftest.yaml | 2 +- .github/workflows/plugin.yaml | 2 +- .github/workflows/scorecards.yml | 2 +- .github/workflows/vulnerability-scans.yaml | 4 ++-- 8 files changed, 21 insertions(+), 21 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 9e3e97edf..abb2af532 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -42,7 +42,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter @@ -68,7 +68,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Run Gosec Security Scanner uses: securego/gosec@c5ea1b7bdd9efc3792e513258853552b0ae31e06 # v2.16.0 @@ -85,7 +85,7 @@ jobs: (needs.changes.outputs.go == 'true') steps: - name: Checkout - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Set up Go id: go @@ -104,7 +104,7 @@ jobs: (needs.changes.outputs.go == 'true') steps: - name: Checkout - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Set up Go id: go @@ -123,7 +123,7 @@ jobs: (needs.changes.outputs.go == 'true') steps: - name: Checkout - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Set up Go id: go @@ -144,7 +144,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Set up Go id: go @@ -211,7 +211,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Setup Go uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 @@ -286,7 +286,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: cache uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 @@ -336,7 +336,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: cache uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 @@ -380,7 +380,7 @@ jobs: PLATFORMS: linux/amd64,linux/arm64 steps: - name: Checkout - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter-images @@ -447,7 +447,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter-images diff --git a/.github/workflows/depreview.yaml b/.github/workflows/depreview.yaml index 4f04bdaed..625c2f461 100644 --- a/.github/workflows/depreview.yaml +++ b/.github/workflows/depreview.yaml @@ -9,6 +9,6 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: 'Dependency Review' uses: actions/dependency-review-action@1360a344ccb0ab6e9475edef90ad2f46bf8003b1 # v3.0.6 diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 1a2ceaa83..f7aee6610 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -23,7 +23,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter @@ -47,7 +47,7 @@ jobs: steps: - name: Checkout master - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Deploy uses: ./.github/actions/mkdocs diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml index 2a82fa124..6303b6a27 100644 --- a/.github/workflows/helm.yaml +++ b/.github/workflows/helm.yaml @@ -23,7 +23,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Run Artifact Hub lint run: | @@ -61,7 +61,7 @@ jobs: steps: - name: Checkout master - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: # Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896 fetch-depth: 0 diff --git a/.github/workflows/perftest.yaml b/.github/workflows/perftest.yaml index 9e87bf1b2..36f1f1ede 100644 --- a/.github/workflows/perftest.yaml +++ b/.github/workflows/perftest.yaml @@ -19,7 +19,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Install K6 run: | diff --git a/.github/workflows/plugin.yaml b/.github/workflows/plugin.yaml index c5c6fc2b1..6088f77f8 100644 --- a/.github/workflows/plugin.yaml +++ b/.github/workflows/plugin.yaml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: fetch-depth: 0 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 72acf608a..72a112ac4 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -27,7 +27,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: persist-credentials: false diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index 9814c2c95..af7d8bda1 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -22,7 +22,7 @@ jobs: versions: ${{ steps.version.outputs.TAGS }} steps: - name: Checkout code - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: fetch-depth: 0 @@ -52,7 +52,7 @@ jobs: versions: ${{ fromJSON(needs.version.outputs.versions) }} steps: - name: Checkout code - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - shell: bash id: test From f1e3f2fa3c38a8a5473bd253175c3f6525bc3f53 Mon Sep 17 00:00:00 2001 From: Jintao Zhang Date: Tue, 13 Jun 2023 10:45:58 +0800 Subject: [PATCH 355/405] docs: add netlify configuration (#10073) Signed-off-by: Jintao Zhang --- Makefile | 5 +++++ netlify.toml | 10 ++++++++++ 2 files changed, 15 insertions(+) create mode 100644 netlify.toml diff --git a/Makefile b/Makefile index fc40a39bb..7b413141a 100644 --- a/Makefile +++ b/Makefile @@ -262,3 +262,8 @@ release: ensure-buildx clean --build-arg COMMIT_SHA="$(COMMIT_SHA)" \ --build-arg BUILD_ID="$(BUILD_ID)" \ -t $(REGISTRY)/controller-chroot:$(TAG) rootfs -f rootfs/Dockerfile-chroot + +.PHONY: build-docs +build-docs: + pip install -U mkdocs-material==6.2.4 mkdocs-awesome-pages-plugin mkdocs-minify-plugin mkdocs-redirects + mkdocs build --config-file mkdocs.yml diff --git a/netlify.toml b/netlify.toml new file mode 100644 index 000000000..add8d4fc3 --- /dev/null +++ b/netlify.toml @@ -0,0 +1,10 @@ +# netlify configuration +[build] +publish = "site" +command = "make build-docs" +# available here https://github.com/netlify/build-image/blob/focal/included_software.md#languages +environment = { PYTHON_VERSION = "3.8" } + +[context.deploy-preview] + publish = "site/" + command = "make build-docs" From cccba35005962f9eee96d2b592cc5b7b1485d965 Mon Sep 17 00:00:00 2001 From: Jintao Zhang Date: Wed, 14 Jun 2023 03:55:59 +0800 Subject: [PATCH 356/405] Revert "Remove fastcgi feature" (#10081) * Revert "Remove fastcgi feature (#9864)" This reverts commit 90ed0ccdbe4edd55ad4ab16ffec40be64f3308d9. * revert fastcgi* annotations warning Signed-off-by: Jintao Zhang --------- Signed-off-by: Jintao Zhang --- .github/workflows/ci.yaml | 6 + MANUAL_RELEASE.md | 2 + docs/e2e-tests.md | 131 +------- docs/kubectl-plugin.md | 1 + docs/user-guide/fcgi-services.md | 118 +++++++- .../nginx-configuration/annotations.md | 2 +- images/fastcgi-helloserver/Makefile | 59 ++++ images/fastcgi-helloserver/cloudbuild.yaml | 22 ++ images/fastcgi-helloserver/rootfs/Dockerfile | 32 ++ images/fastcgi-helloserver/rootfs/main.go | 30 ++ internal/ingress/annotations/annotations.go | 62 ++-- .../annotations/backendprotocol/main.go | 2 +- internal/ingress/annotations/fastcgi/main.go | 106 +++++++ .../ingress/annotations/fastcgi/main_test.go | 285 ++++++++++++++++++ internal/ingress/annotations/parser/main.go | 1 + internal/ingress/controller/controller.go | 5 +- .../ingress/controller/controller_test.go | 2 +- .../ingress/controller/template/template.go | 3 + .../controller/template/template_test.go | 2 + pkg/apis/ingress/types.go | 4 + pkg/apis/ingress/types_equals.go | 4 + rootfs/etc/nginx/template/nginx.tmpl | 11 + test/e2e/annotations/backendprotocol.go | 15 + test/e2e/annotations/fastcgi.go | 125 ++++++++ test/e2e/framework/fastcgi_helloserver.go | 104 +++++++ 25 files changed, 975 insertions(+), 159 deletions(-) create mode 100644 images/fastcgi-helloserver/Makefile create mode 100644 images/fastcgi-helloserver/cloudbuild.yaml create mode 100755 images/fastcgi-helloserver/rootfs/Dockerfile create mode 100644 images/fastcgi-helloserver/rootfs/main.go create mode 100644 internal/ingress/annotations/fastcgi/main.go create mode 100644 internal/ingress/annotations/fastcgi/main_test.go create mode 100644 test/e2e/annotations/fastcgi.go create mode 100644 test/e2e/framework/fastcgi_helloserver.go diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index abb2af532..9764a5e74 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -391,6 +391,8 @@ jobs: - 'images/custom-error-pages/**' cfssl: - 'images/cfssl/**' + fastcgi-helloserver: + - 'images/fastcgi-helloserver/**' echo: - 'images/echo/**' go-grpc-greeter-server: @@ -410,6 +412,10 @@ jobs: if: ${{ steps.filter-images.outputs.cfssl == 'true' }} run: | cd images/cfssl && make build + - name: fastcgi-helloserver + if: ${{ steps.filter-images.outputs.fastcgi-helloserver == 'true' }} + run: | + cd images/fastcgi-helloserver && make build - name: echo image build if: ${{ steps.filter-images.outputs.echo == 'true' }} run: | diff --git a/MANUAL_RELEASE.md b/MANUAL_RELEASE.md index 4b4df0ec6..d7144b85d 100644 --- a/MANUAL_RELEASE.md +++ b/MANUAL_RELEASE.md @@ -56,6 +56,8 @@ - [cfssl](https://github.com/kubernetes/ingress-nginx/tree/main/images/cfssl) + - [fastcgi-helloserver](https://github.com/kubernetes/ingress-nginx/tree/main/images/fastcgi-helloserver) + - [httpbin](https://github.com/kubernetes/ingress-nginx/tree/main/images/httpbin) - [kube-webhook-certgen](https://github.com/kubernetes/ingress-nginx/tree/main/images/kube-webhook-certgen) diff --git a/docs/e2e-tests.md b/docs/e2e-tests.md index 64d35c79a..025ff686d 100644 --- a/docs/e2e-tests.md +++ b/docs/e2e-tests.md @@ -108,6 +108,7 @@ Do not try to edit it manually. - [should set backend protocol to $scheme:// and use proxy_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L49) - [should set backend protocol to grpc:// and use grpc_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L64) - [should set backend protocol to grpcs:// and use grpc_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L79) +- [should set backend protocol to '' and use fastcgi_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L94) - [should set backend protocol to '' and use ajp_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L109) ### [canary-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L36) @@ -191,6 +192,13 @@ Do not try to edit it manually. - [disable-http-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L53) - [disable-stream-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L71) +### [backend-protocol - FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L30) + +- [should use fastcgi_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L37) +- [should add fastcgi_index in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L54) +- [should add fastcgi_param in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L71) +- [should return OK for service with backend protocol FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L102) + ### [force-ssl-redirect](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/forcesslredirect.go#L27) - [should redirect to https](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/forcesslredirect.go#L34) @@ -342,101 +350,6 @@ Do not try to edit it manually. - [should set the X-Forwarded-Prefix to the annotation value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L35) - [should not add X-Forwarded-Prefix if the annotation value is empty](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L57) -### [denylist-source-range](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L28) - -- [only deny explicitly denied IPs, allow all others](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L35) -- [only allow explicitly allowed IPs, deny all others](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L86) - -### [affinity session-cookie-name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L35) - -- [should set sticky cookie SERVERID](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L42) -- [should change cookie name on ingress definition change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L64) -- [should set the path to /something on the generated cookie](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L99) -- [does not set the path to / on the generated cookie if there's more than one rule referring to the same backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L121) -- [should set cookie with expires](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L194) -- [should set cookie with domain](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L225) -- [should not set cookie without domain annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L248) -- [should work with use-regex annotation and session-cookie-path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L270) -- [should warn user when use-regex is true and session-cookie-path is not set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L294) -- [should not set affinity across all server locations when using separate ingresses](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L320) -- [should set sticky cookie without host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L352) -- [should work with server-alias annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L372) -- [should set secure in cookie with provided true annotation on http](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L412) -- [should not set secure in cookie with provided false annotation on http](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L435) -- [should set secure in cookie with provided false annotation on https](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L458) - -### [rewrite-target use-regex enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L30) - -- [should write rewrite logs](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L37) -- [should use correct longest path match](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L66) -- [should use ~* location modifier if regex annotation is present](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L111) -- [should fail to use longest match for documented warning](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L158) -- [should allow for custom rewrite parameters](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L190) - -### [auth-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L39) - -- [should return status code 200 when no authentication is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L46) -- [should return status code 503 when authentication is configured with an invalid secret](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L65) -- [should return status code 401 when authentication is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L89) -- [should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L116) -- [should return status code 401 and cors headers when authentication and cors is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L144) -- [should return status code 200 when authentication is configured and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L172) -- [should return status code 200 when authentication is configured with a map and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L199) -- [should return status code 401 when authentication is configured with invalid content and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L227) -- [ when external auth is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L266) -- [ when external auth is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L284) -- [ when auth-headers are set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L301) -- [should set cache_key when external auth cache is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L322) -- [user retains cookie by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L411) -- [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L422) -- [user with annotated ingress retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L433) -- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L485) -- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L494) -- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L505) -- [should overwrite Foo header with auth response](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L529) -- [should not create additional upstream block when auth-keepalive is not set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L552) -- [should not create additional upstream block when host part of auth-url contains a variable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L570) -- [should not create additional upstream block when auth-keepalive is negative](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L590) -- [should not create additional upstream block when auth-keepalive is set with HTTP/2](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L609) -- [should create additional upstream block when auth-keepalive is set with HTTP/1.x](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L623) -- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L678) -- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L687) -- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L698) -- [should return status code 200 when signed in after auth backend is deleted ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L772) -- [should deny login for different location on same server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L792) -- [should deny login for different servers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L820) -- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L849) -- [should return 503 (location was denied)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L879) -- [should add error to the config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L887) - -### [canary-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L36) - -- [should response with a 200 status from the mainline upstream when requests are made to the mainline ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L48) -- [should return 404 status for requests to the canary if no matching ingress is found](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L80) -- [should return the correct status codes when endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L107) -- [should route requests to the correct upstream if mainline ingress is created before the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L161) -- [should route requests to the correct upstream if mainline ingress is created after the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L206) -- [should route requests to the correct upstream if the mainline ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L250) -- [should route requests to the correct upstream if the canary ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L307) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L372) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L426) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L490) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L532) -- [should routes to mainline upstream when the given Regex causes error](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L566) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L604) -- [respects always and never values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L643) -- [should route requests only to mainline if canary weight is 0](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L705) -- [should route requests only to canary if canary weight is 100](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L743) -- [should route requests only to canary if canary weight is equal to canary weight total](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L775) -- [should route requests split between mainline and canary if canary weight is 50](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L808) -- [should route requests split between mainline and canary if canary weight is 100 and weight total is 200](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L834) -- [should not use canary as a catch-all server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L863) -- [should not use canary with domain as a server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L891) -- [does not crash when canary ingress has multiple paths to the same non-matching backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L915) -- [always routes traffic to canary if first request was affinitized to canary (default behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L943) -- [always routes traffic to canary if first request was affinitized to canary (explicit sticky behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1000) -- [routes traffic to either mainline or canary backend (legacy behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1058) - ### [Debug CLI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L29) - [should list the backend servers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L37) @@ -485,6 +398,10 @@ Do not try to edit it manually. - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/fastcgi_helloserver.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/fastcgi_helloserver.go#L) + ### [[Setting] ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L194) - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L) @@ -561,30 +478,6 @@ Do not try to edit it manually. - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/util.go#L) -### [[Setting] ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L194) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/k8s.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/k8s.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/metrics.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/metrics.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/deployment.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/deployment.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) - ### [[Shutdown] Grace period shutdown](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/grace_period.go#L32) - [/healthz should return status code 500 during shutdown grace period](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/grace_period.go#L35) diff --git a/docs/kubectl-plugin.md b/docs/kubectl-plugin.md index 9dc808642..9e5a5dcc6 100644 --- a/docs/kubectl-plugin.md +++ b/docs/kubectl-plugin.md @@ -200,6 +200,7 @@ kubectl ingress-nginx conf -n ingress-nginx --host testaddr.local ```console $ kubectl ingress-nginx exec -i -n ingress-nginx -- ls /etc/nginx +fastcgi_params geoip lua mime.types diff --git a/docs/user-guide/fcgi-services.md b/docs/user-guide/fcgi-services.md index d4f1d1f1e..db4d9428b 100644 --- a/docs/user-guide/fcgi-services.md +++ b/docs/user-guide/fcgi-services.md @@ -2,10 +2,118 @@ # Exposing FastCGI Servers -**This feature has been removed from Ingress NGINX** +> **FastCGI** is a [binary protocol](https://en.wikipedia.org/wiki/Binary_protocol "Binary protocol") for interfacing interactive programs with a [web server](https://en.wikipedia.org/wiki/Web_server "Web server"). [...] (It's) aim is to reduce the overhead related to interfacing between web server and CGI programs, allowing a server to handle more web page requests per unit of time. +> +> — Wikipedia -People willing to use fastcgi servers, should create an NGINX + FastCGI service and expose -this service via Ingress NGINX. +The _ingress-nginx_ ingress controller can be used to directly expose [FastCGI](https://en.wikipedia.org/wiki/FastCGI) servers. Enabling FastCGI in your Ingress only requires setting the _backend-protocol_ annotation to `FCGI`, and with a couple more annotations you can customize the way _ingress-nginx_ handles the communication with your FastCGI _server_. -We recommend using images like `cgr.dev/chainguard/nginx:latest` and expose your fast_cgi application -as another container on this Pod. + +## Example Objects to Expose a FastCGI Pod + +The _Pod_ example object below exposes port `9000`, which is the conventional FastCGI port. + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: example-app +labels: + app: example-app +spec: + containers: + - name: example-app + image: example-app:1.0 + ports: + - containerPort: 9000 + name: fastcgi +``` + +The _Service_ object example below matches port `9000` from the _Pod_ object above. + +```yaml +apiVersion: v1 +kind: Service +metadata: + name: example-service +spec: + selector: + app: example-app + ports: + - port: 9000 + targetPort: 9000 + name: fastcgi +``` + +And the _Ingress_ and _ConfigMap_ objects below demonstrates the supported _FastCGI_ specific annotations (NGINX actually has 50 FastCGI directives, all of which have not been exposed in the ingress yet), and matches the service `example-service`, and the port named `fastcgi` from above. The _ConfigMap_ **must** be created first for the _Ingress Controller_ to be able to find it when the _Ingress_ object is created, otherwise you will need to restart the _Ingress Controller_ pods. + +```yaml +# The ConfigMap MUST be created first for the ingress controller to be able to +# find it when the Ingress object is created. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: example-cm +data: + SCRIPT_FILENAME: "/example/index.php" + +--- + +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "FCGI" + nginx.ingress.kubernetes.io/fastcgi-index: "index.php" + nginx.ingress.kubernetes.io/fastcgi-params-configmap: "example-cm" + name: example-app +spec: + ingressClassName: nginx + rules: + - host: app.example.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: example-service + port: + name: fastcgi +``` + +## FastCGI Ingress Annotations + +To enable FastCGI, the `nginx.ingress.kubernetes.io/backend-protocol` annotation needs to be set to `FCGI`, which overrides the default `HTTP` value. + +> `nginx.ingress.kubernetes.io/backend-protocol: "FCGI"` + +**This enables the _FastCGI_ mode for all paths defined in the _Ingress_ object** + +### The `nginx.ingress.kubernetes.io/fastcgi-index` Annotation + +To specify an index file, the `fastcgi-index` annotation value can optionally be set. In the example below, the value is set to `index.php`. This annotation corresponds to [the _NGINX_ `fastcgi_index` directive](https://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_index). + +> `nginx.ingress.kubernetes.io/fastcgi-index: "index.php"` + +### The `nginx.ingress.kubernetes.io/fastcgi-params-configmap` Annotation + +To specify [_NGINX_ `fastcgi_param` directives](https://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_param), the `fastcgi-params-configmap` annotation is used, which in turn must lead to a _ConfigMap_ object containing the _NGINX_ `fastcgi_param` directives as key/values. + +> `nginx.ingress.kubernetes.io/fastcgi-params-configmap: "example-configmap"` + +And the _ConfigMap_ object to specify the `SCRIPT_FILENAME` and `HTTP_PROXY` _NGINX's_ `fastcgi_param` directives will look like the following: + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: example-configmap +data: + SCRIPT_FILENAME: "/example/index.php" + HTTP_PROXY: "" +``` +Using the _namespace/_ prefix is also supported, for example: + +> `nginx.ingress.kubernetes.io/fastcgi-params-configmap: "example-namespace/example-configmap"` diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md index fc43a47b2..b515a9f3b 100755 --- a/docs/user-guide/nginx-configuration/annotations.md +++ b/docs/user-guide/nginx-configuration/annotations.md @@ -894,7 +894,7 @@ Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf ### Backend Protocol Using `backend-protocol` annotations is possible to indicate how NGINX should communicate with the backend service. (Replaces `secure-backends` in older versions) -Valid Values: HTTP, HTTPS, GRPC, GRPCS, AJP +Valid Values: HTTP, HTTPS, GRPC, GRPCS, AJP and FCGI By default NGINX uses `HTTP`. diff --git a/images/fastcgi-helloserver/Makefile b/images/fastcgi-helloserver/Makefile new file mode 100644 index 000000000..4d277a19d --- /dev/null +++ b/images/fastcgi-helloserver/Makefile @@ -0,0 +1,59 @@ +# Copyright 2020 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Docker image for e2e testing. + +# set default shell +SHELL=/bin/bash -o pipefail -o errexit + +DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) +INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh + +SHORT_SHA ?=$(shell git rev-parse --short HEAD) +TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA) + +REGISTRY ?= local + +IMAGE = $(REGISTRY)/e2e-test-fastcgi-helloserver + +# required to enable buildx +export DOCKER_CLI_EXPERIMENTAL=enabled + +# build with buildx +PLATFORMS?=linux/amd64,linux/arm,linux/arm64 +OUTPUT= +PROGRESS=plain + +build: ensure-buildx + docker buildx build \ + --platform=${PLATFORMS} $(OUTPUT) \ + --progress=$(PROGRESS) \ + --pull \ + -t $(IMAGE):$(TAG) rootfs + +# push the cross built image +push: OUTPUT=--push +push: build + +# enable buildx +ensure-buildx: +# this is required for cloudbuild +ifeq ("$(wildcard $(INIT_BUILDX))","") + @curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/init-buildx.sh | bash +else + @exec $(INIT_BUILDX) +endif + @echo "done" + +.PHONY: build push ensure-buildx diff --git a/images/fastcgi-helloserver/cloudbuild.yaml b/images/fastcgi-helloserver/cloudbuild.yaml new file mode 100644 index 000000000..a4c9d5eff --- /dev/null +++ b/images/fastcgi-helloserver/cloudbuild.yaml @@ -0,0 +1,22 @@ +timeout: 1800s +options: + substitution_option: ALLOW_LOOSE +steps: + - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90 + entrypoint: bash + env: + - DOCKER_CLI_EXPERIMENTAL=enabled + - SHORT_SHA=$SHORT_SHA + - BASE_REF=$_PULL_BASE_REF + - REGISTRY=gcr.io/k8s-staging-ingress-nginx + # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx + # set the home to /root explicitly to if using docker buildx + - HOME=/root + args: + - -c + - | + gcloud auth configure-docker \ + && cd images/fastcgi-helloserver && make push +substitutions: + _GIT_TAG: "12345" + _PULL_BASE_REF: "master" diff --git a/images/fastcgi-helloserver/rootfs/Dockerfile b/images/fastcgi-helloserver/rootfs/Dockerfile new file mode 100755 index 000000000..a11834373 --- /dev/null +++ b/images/fastcgi-helloserver/rootfs/Dockerfile @@ -0,0 +1,32 @@ +# Copyright 2017 The Kubernetes Authors. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM golang:1.20.4-alpine3.18 as builder + +WORKDIR /go/src/k8s.io/ingress-nginx/images/fastcgi + +COPY . . + +RUN CGO_ENABLED=0 go build -a -installsuffix cgo \ + -ldflags "-s -w" \ + -o fastcgi-helloserver main.go + +# Use distroless as minimal base image to package the binary +# Refer to https://github.com/GoogleContainerTools/distroless for more details +FROM gcr.io/distroless/static:nonroot + +COPY --from=builder /go/src/k8s.io/ingress-nginx/images/fastcgi/fastcgi-helloserver / +USER nonroot:nonroot + +CMD ["/fastcgi-helloserver"] diff --git a/images/fastcgi-helloserver/rootfs/main.go b/images/fastcgi-helloserver/rootfs/main.go new file mode 100644 index 000000000..91db60c26 --- /dev/null +++ b/images/fastcgi-helloserver/rootfs/main.go @@ -0,0 +1,30 @@ +package main + +import ( + "fmt" + "net" + "net/http" + "net/http/fcgi" +) + +func hello(w http.ResponseWriter, r *http.Request) { + keys, ok := r.URL.Query()["name"] + + if !ok || len(keys[0]) < 1 { + fmt.Fprintf(w, "Hello world!") + return + } + + key := keys[0] + fmt.Fprintf(w, "Hello "+string(key)+"!") +} + +func main() { + http.HandleFunc("/hello", hello) + + l, err := net.Listen("tcp", "0.0.0.0:9000") + if err != nil { + panic(err) + } + fcgi.Serve(l, nil) +} diff --git a/internal/ingress/annotations/annotations.go b/internal/ingress/annotations/annotations.go index ad7dad37d..5bb2bf5e6 100644 --- a/internal/ingress/annotations/annotations.go +++ b/internal/ingress/annotations/annotations.go @@ -41,6 +41,7 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations/cors" "k8s.io/ingress-nginx/internal/ingress/annotations/customhttperrors" "k8s.io/ingress-nginx/internal/ingress/annotations/defaultbackend" + "k8s.io/ingress-nginx/internal/ingress/annotations/fastcgi" "k8s.io/ingress-nginx/internal/ingress/annotations/globalratelimit" "k8s.io/ingress-nginx/internal/ingress/annotations/http2pushpreload" "k8s.io/ingress-nginx/internal/ingress/annotations/ipdenylist" @@ -85,35 +86,37 @@ type Ingress struct { CorsConfig cors.Config CustomHTTPErrors []int DefaultBackend *apiv1.Service - Denied *string - ExternalAuth authreq.Config - EnableGlobalAuth bool - HTTP2PushPreload bool - Opentracing opentracing.Config - Opentelemetry opentelemetry.Config - Proxy proxy.Config - ProxySSL proxyssl.Config - RateLimit ratelimit.Config - GlobalRateLimit globalratelimit.Config - Redirect redirect.Config - Rewrite rewrite.Config - Satisfy string - ServerSnippet string - ServiceUpstream bool - SessionAffinity sessionaffinity.Config - SSLPassthrough bool - UsePortInRedirects bool - UpstreamHashBy upstreamhashby.Config - LoadBalancing string - UpstreamVhost string - Whitelist ipwhitelist.SourceRange - Denylist ipdenylist.SourceRange - XForwardedPrefix string - SSLCipher sslcipher.Config - Logs log.Config - ModSecurity modsecurity.Config - Mirror mirror.Config - StreamSnippet string + //TODO: Change this back into an error when https://github.com/imdario/mergo/issues/100 is resolved + FastCGI fastcgi.Config + Denied *string + ExternalAuth authreq.Config + EnableGlobalAuth bool + HTTP2PushPreload bool + Opentracing opentracing.Config + Opentelemetry opentelemetry.Config + Proxy proxy.Config + ProxySSL proxyssl.Config + RateLimit ratelimit.Config + GlobalRateLimit globalratelimit.Config + Redirect redirect.Config + Rewrite rewrite.Config + Satisfy string + ServerSnippet string + ServiceUpstream bool + SessionAffinity sessionaffinity.Config + SSLPassthrough bool + UsePortInRedirects bool + UpstreamHashBy upstreamhashby.Config + LoadBalancing string + UpstreamVhost string + Whitelist ipwhitelist.SourceRange + Denylist ipdenylist.SourceRange + XForwardedPrefix string + SSLCipher sslcipher.Config + Logs log.Config + ModSecurity modsecurity.Config + Mirror mirror.Config + StreamSnippet string } // Extractor defines the annotation parsers to be used in the extraction of annotations @@ -135,6 +138,7 @@ func NewAnnotationExtractor(cfg resolver.Resolver) Extractor { "CorsConfig": cors.NewParser(cfg), "CustomHTTPErrors": customhttperrors.NewParser(cfg), "DefaultBackend": defaultbackend.NewParser(cfg), + "FastCGI": fastcgi.NewParser(cfg), "ExternalAuth": authreq.NewParser(cfg), "EnableGlobalAuth": authreqglobal.NewParser(cfg), "HTTP2PushPreload": http2pushpreload.NewParser(cfg), diff --git a/internal/ingress/annotations/backendprotocol/main.go b/internal/ingress/annotations/backendprotocol/main.go index 0140c30a3..d8ea72386 100644 --- a/internal/ingress/annotations/backendprotocol/main.go +++ b/internal/ingress/annotations/backendprotocol/main.go @@ -31,7 +31,7 @@ import ( const HTTP = "HTTP" var ( - validProtocols = regexp.MustCompile(`^(AUTO_HTTP|HTTP|HTTPS|AJP|GRPC|GRPCS)$`) + validProtocols = regexp.MustCompile(`^(AUTO_HTTP|HTTP|HTTPS|AJP|GRPC|GRPCS|FCGI)$`) ) type backendProtocol struct { diff --git a/internal/ingress/annotations/fastcgi/main.go b/internal/ingress/annotations/fastcgi/main.go new file mode 100644 index 000000000..84bac4109 --- /dev/null +++ b/internal/ingress/annotations/fastcgi/main.go @@ -0,0 +1,106 @@ +/* +Copyright 2018 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package fastcgi + +import ( + "fmt" + "reflect" + + networking "k8s.io/api/networking/v1" + "k8s.io/client-go/tools/cache" + + "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" + "k8s.io/ingress-nginx/internal/ingress/resolver" +) + +type fastcgi struct { + r resolver.Resolver +} + +// Config describes the per location fastcgi config +type Config struct { + Index string `json:"index"` + Params map[string]string `json:"params"` +} + +// Equal tests for equality between two Configuration types +func (l1 *Config) Equal(l2 *Config) bool { + if l1 == l2 { + return true + } + + if l1 == nil || l2 == nil { + return false + } + + if l1.Index != l2.Index { + return false + } + + return reflect.DeepEqual(l1.Params, l2.Params) +} + +// NewParser creates a new fastcgiConfig protocol annotation parser +func NewParser(r resolver.Resolver) parser.IngressAnnotation { + return fastcgi{r} +} + +// ParseAnnotations parses the annotations contained in the ingress +// rule used to indicate the fastcgiConfig. +func (a fastcgi) Parse(ing *networking.Ingress) (interface{}, error) { + + fcgiConfig := Config{} + + if ing.GetAnnotations() == nil { + return fcgiConfig, nil + } + + index, err := parser.GetStringAnnotation("fastcgi-index", ing) + if err != nil { + index = "" + } + fcgiConfig.Index = index + + cm, err := parser.GetStringAnnotation("fastcgi-params-configmap", ing) + if err != nil { + return fcgiConfig, nil + } + + cmns, cmn, err := cache.SplitMetaNamespaceKey(cm) + if err != nil { + return fcgiConfig, ing_errors.LocationDenied{ + Reason: fmt.Errorf("error reading configmap name from annotation: %w", err), + } + } + + if cmns != "" && cmns != ing.Namespace { + return fcgiConfig, fmt.Errorf("different namespace is not supported on fast_cgi param configmap") + } + + cm = fmt.Sprintf("%v/%v", ing.Namespace, cmn) + cmap, err := a.r.GetConfigMap(cm) + if err != nil { + return fcgiConfig, ing_errors.LocationDenied{ + Reason: fmt.Errorf("unexpected error reading configmap %s: %w", cm, err), + } + } + + fcgiConfig.Params = cmap.Data + + return fcgiConfig, nil +} diff --git a/internal/ingress/annotations/fastcgi/main_test.go b/internal/ingress/annotations/fastcgi/main_test.go new file mode 100644 index 000000000..35c5bbc12 --- /dev/null +++ b/internal/ingress/annotations/fastcgi/main_test.go @@ -0,0 +1,285 @@ +/* +Copyright 2018 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package fastcgi + +import ( + "fmt" + "testing" + + api "k8s.io/api/core/v1" + networking "k8s.io/api/networking/v1" + meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/client-go/tools/cache" + "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/resolver" +) + +func buildIngress() *networking.Ingress { + return &networking.Ingress{ + ObjectMeta: meta_v1.ObjectMeta{ + Name: "foo", + Namespace: api.NamespaceDefault, + }, + Spec: networking.IngressSpec{ + DefaultBackend: &networking.IngressBackend{ + Service: &networking.IngressServiceBackend{ + Name: "default-backend", + Port: networking.ServiceBackendPort{ + Number: 80, + }, + }, + }, + }, + } +} + +type mockConfigMap struct { + resolver.Mock +} + +func (m mockConfigMap) GetConfigMap(name string) (*api.ConfigMap, error) { + if name != "default/demo-configmap" && name != "otherns/demo-configmap" { + return nil, fmt.Errorf("there is no configmap with name %v", name) + } + + cmns, cmn, err := cache.SplitMetaNamespaceKey(name) + if err != nil { + return nil, fmt.Errorf("invalid configmap name") + } + + return &api.ConfigMap{ + ObjectMeta: meta_v1.ObjectMeta{ + Namespace: cmns, + Name: cmn, + }, + Data: map[string]string{"REDIRECT_STATUS": "200", "SERVER_NAME": "$server_name"}, + }, nil +} + +func TestParseEmptyFastCGIAnnotations(t *testing.T) { + ing := buildIngress() + + i, err := NewParser(&mockConfigMap{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error parsing ingress without fastcgi") + } + + config, ok := i.(Config) + if !ok { + t.Errorf("Parse do not return a Config object") + } + + if config.Index != "" { + t.Errorf("Index should be an empty string") + } + + if len(config.Params) != 0 { + t.Errorf("Params should be an empty slice") + } +} + +func TestParseFastCGIIndexAnnotation(t *testing.T) { + ing := buildIngress() + + const expectedAnnotation = "index.php" + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix("fastcgi-index")] = expectedAnnotation + ing.SetAnnotations(data) + + i, err := NewParser(&mockConfigMap{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error parsing ingress without fastcgi") + } + + config, ok := i.(Config) + if !ok { + t.Errorf("Parse do not return a Config object") + } + + if config.Index != "index.php" { + t.Errorf("expected %s but %v returned", expectedAnnotation, config.Index) + } +} + +func TestParseEmptyFastCGIParamsConfigMapAnnotation(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix("fastcgi-params-configmap")] = "" + ing.SetAnnotations(data) + + i, err := NewParser(&mockConfigMap{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error parsing ingress without fastcgi") + } + + config, ok := i.(Config) + if !ok { + t.Errorf("Parse do not return a Config object") + } + + if len(config.Params) != 0 { + t.Errorf("Params should be an empty slice") + } +} + +func TestParseFastCGIInvalidParamsConfigMapAnnotation(t *testing.T) { + ing := buildIngress() + + invalidConfigMapList := []string{"unknown/configMap", "unknown/config/map"} + for _, configmap := range invalidConfigMapList { + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix("fastcgi-params-configmap")] = configmap + ing.SetAnnotations(data) + + i, err := NewParser(&mockConfigMap{}).Parse(ing) + if err == nil { + t.Errorf("Reading an unexisting configmap should return an error") + } + + config, ok := i.(Config) + if !ok { + t.Errorf("Parse do not return a Config object") + } + + if len(config.Params) != 0 { + t.Errorf("Params should be an empty slice") + } + } +} + +func TestParseFastCGIParamsConfigMapAnnotationWithoutNS(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix("fastcgi-params-configmap")] = "demo-configmap" + ing.SetAnnotations(data) + + i, err := NewParser(&mockConfigMap{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error parsing ingress without fastcgi") + } + + config, ok := i.(Config) + if !ok { + t.Errorf("Parse do not return a Config object") + } + + if len(config.Params) != 2 { + t.Errorf("Params should have a length of 2") + } + + if config.Params["REDIRECT_STATUS"] != "200" || config.Params["SERVER_NAME"] != "$server_name" { + t.Errorf("Params value is not the one expected") + } +} + +func TestParseFastCGIParamsConfigMapAnnotationWithNS(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix("fastcgi-params-configmap")] = "default/demo-configmap" + ing.SetAnnotations(data) + + i, err := NewParser(&mockConfigMap{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error parsing ingress without fastcgi") + } + + config, ok := i.(Config) + if !ok { + t.Errorf("Parse do not return a Config object") + } + + if len(config.Params) != 2 { + t.Errorf("Params should have a length of 2") + } + + if config.Params["REDIRECT_STATUS"] != "200" || config.Params["SERVER_NAME"] != "$server_name" { + t.Errorf("Params value is not the one expected") + } +} + +func TestParseFastCGIParamsConfigMapAnnotationWithDifferentNS(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix("fastcgi-params-configmap")] = "otherns/demo-configmap" + ing.SetAnnotations(data) + + _, err := NewParser(&mockConfigMap{}).Parse(ing) + if err == nil { + t.Errorf("Different namespace configmap should return an error") + } + +} + +func TestConfigEquality(t *testing.T) { + + var nilConfig *Config + + config := Config{ + Index: "index.php", + Params: map[string]string{"REDIRECT_STATUS": "200", "SERVER_NAME": "$server_name"}, + } + + configCopy := Config{ + Index: "index.php", + Params: map[string]string{"REDIRECT_STATUS": "200", "SERVER_NAME": "$server_name"}, + } + + config2 := Config{ + Index: "index.php", + Params: map[string]string{"REDIRECT_STATUS": "200"}, + } + + config3 := Config{ + Index: "index.py", + Params: map[string]string{"SERVER_NAME": "$server_name", "REDIRECT_STATUS": "200"}, + } + + config4 := Config{ + Index: "index.php", + Params: map[string]string{"SERVER_NAME": "$server_name", "REDIRECT_STATUS": "200"}, + } + + if !config.Equal(&config) { + t.Errorf("config should be equal to itself") + } + + if nilConfig.Equal(&config) { + t.Errorf("Foo") + } + + if !config.Equal(&configCopy) { + t.Errorf("config should be equal to configCopy") + } + + if config.Equal(&config2) { + t.Errorf("config2 should not be equal to config") + } + + if config.Equal(&config3) { + t.Errorf("config3 should not be equal to config") + } + + if !config.Equal(&config4) { + t.Errorf("config4 should be equal to config") + } +} diff --git a/internal/ingress/annotations/parser/main.go b/internal/ingress/annotations/parser/main.go index 8a0ea4b87..107a278b0 100644 --- a/internal/ingress/annotations/parser/main.go +++ b/internal/ingress/annotations/parser/main.go @@ -160,6 +160,7 @@ func normalizeString(input string) string { var configmapAnnotations = sets.NewString( "auth-proxy-set-header", + "fastcgi-params-configmap", ) // AnnotationsReferencesConfigmap checks if at least one annotation in the Ingress rule diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index e93d3b5de..4a4417130 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -271,8 +271,6 @@ func (n *NGINXController) CheckWarning(ing *networking.Ingress) ([]string, error "influxdb-host", "influxdb-server-name", "secure-verify-ca-secret", - "fastcgi-params-configmap", - "fastcgi-index", ) // Skip checks if the ingress is marked as deleted @@ -608,7 +606,7 @@ func (n *NGINXController) getConfiguration(ingresses []*ingress.Ingress) (sets.S for _, server := range servers { // If a location is defined by a prefix string that ends with the slash character, and requests are processed by one of - // proxy_pass, uwsgi_pass, scgi_pass, memcached_pass, or grpc_pass, then the special processing is performed. + // proxy_pass, fastcgi_pass, uwsgi_pass, scgi_pass, memcached_pass, or grpc_pass, then the special processing is performed. // In response to a request with URI equal to // this string, but without the trailing slash, a permanent redirect with the // code 301 will be returned to the requested URI with the slash appended. If this is not desired, an exact match of the // URIand location could be defined like this: @@ -1519,6 +1517,7 @@ func locationApplyAnnotations(loc *ingress.Location, anns *annotations.Ingress) loc.Logs = anns.Logs loc.DefaultBackend = anns.DefaultBackend loc.BackendProtocol = anns.BackendProtocol + loc.FastCGI = anns.FastCGI loc.CustomHTTPErrors = anns.CustomHTTPErrors loc.ModSecurity = anns.ModSecurity loc.Satisfy = anns.Satisfy diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go index 355f5da95..c631461c0 100644 --- a/internal/ingress/controller/controller_test.go +++ b/internal/ingress/controller/controller_test.go @@ -431,7 +431,7 @@ func TestCheckWarning(t *testing.T) { t.Run("adding invalid annotations increases the warning count", func(t *testing.T) { ing.ObjectMeta.Annotations[parser.GetAnnotationWithPrefix("enable-influxdb")] = "true" ing.ObjectMeta.Annotations[parser.GetAnnotationWithPrefix("secure-verify-ca-secret")] = "true" - ing.ObjectMeta.Annotations[parser.GetAnnotationWithPrefix("fastcgi-index")] = "blabla" + ing.ObjectMeta.Annotations[parser.GetAnnotationWithPrefix("influxdb-host")] = "blabla" defer func() { ing.ObjectMeta.Annotations = map[string]string{} }() diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go index 15ae438ab..2d941f95d 100644 --- a/internal/ingress/controller/template/template.go +++ b/internal/ingress/controller/template/template.go @@ -739,6 +739,9 @@ func buildProxyPass(host string, b interface{}, loc interface{}) string { case "AJP": proto = "" proxyPass = "ajp_pass" + case "FCGI": + proto = "" + proxyPass = "fastcgi_pass" } upstreamName := "upstream_balancer" diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go index 1b88c3fe7..1980d7e52 100644 --- a/internal/ingress/controller/template/template_test.go +++ b/internal/ingress/controller/template/template_test.go @@ -1138,6 +1138,7 @@ func TestOpentracingPropagateContext(t *testing.T) { {BackendProtocol: "GRPC"}: "opentracing_grpc_propagate_context;", {BackendProtocol: "GRPCS"}: "opentracing_grpc_propagate_context;", {BackendProtocol: "AJP"}: "opentracing_propagate_context;", + {BackendProtocol: "FCGI"}: "opentracing_propagate_context;", nil: "", } @@ -1157,6 +1158,7 @@ func TestOpentelemetryPropagateContext(t *testing.T) { {BackendProtocol: "GRPC"}: "opentelemetry_propagate;", {BackendProtocol: "GRPCS"}: "opentelemetry_propagate;", {BackendProtocol: "AJP"}: "opentelemetry_propagate;", + {BackendProtocol: "FCGI"}: "opentelemetry_propagate;", nil: "", } diff --git a/pkg/apis/ingress/types.go b/pkg/apis/ingress/types.go index 68cacc25b..e50666c18 100644 --- a/pkg/apis/ingress/types.go +++ b/pkg/apis/ingress/types.go @@ -27,6 +27,7 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations/authtls" "k8s.io/ingress-nginx/internal/ingress/annotations/connection" "k8s.io/ingress-nginx/internal/ingress/annotations/cors" + "k8s.io/ingress-nginx/internal/ingress/annotations/fastcgi" "k8s.io/ingress-nginx/internal/ingress/annotations/globalratelimit" "k8s.io/ingress-nginx/internal/ingress/annotations/ipdenylist" "k8s.io/ingress-nginx/internal/ingress/annotations/ipwhitelist" @@ -339,6 +340,9 @@ type Location struct { // BackendProtocol indicates which protocol should be used to communicate with the service // By default this is HTTP BackendProtocol string `json:"backend-protocol"` + // FastCGI allows the ingress to act as a FastCGI client for a given location. + // +optional + FastCGI fastcgi.Config `json:"fastcgi,omitempty"` // CustomHTTPErrors specifies the error codes that should be intercepted. // +optional CustomHTTPErrors []int `json:"custom-http-errors"` diff --git a/pkg/apis/ingress/types_equals.go b/pkg/apis/ingress/types_equals.go index fee8c31d5..84b1a186a 100644 --- a/pkg/apis/ingress/types_equals.go +++ b/pkg/apis/ingress/types_equals.go @@ -435,6 +435,10 @@ func (l1 *Location) Equal(l2 *Location) bool { return false } + if !(&l1.FastCGI).Equal(&l2.FastCGI) { + return false + } + match := compareInts(l1.CustomHTTPErrors, l2.CustomHTTPErrors) if !match { return false diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index 638333407..9b3a47de3 100644 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -305,6 +305,7 @@ http { keepalive_requests {{ $cfg.KeepAliveRequests }}; client_body_temp_path /tmp/nginx/client-body; + fastcgi_temp_path /tmp/nginx/fastcgi-temp; proxy_temp_path /tmp/nginx/proxy-temp; ajp_temp_path /tmp/nginx/ajp-temp; @@ -1488,6 +1489,16 @@ stream { {{ range $errCode := $location.CustomHTTPErrors }} error_page {{ $errCode }} = @custom_{{ $location.DefaultBackendUpstreamName }}_{{ $errCode }};{{ end }} + {{ if (eq $location.BackendProtocol "FCGI") }} + include /etc/nginx/fastcgi_params; + {{ end }} + {{- if $location.FastCGI.Index -}} + fastcgi_index {{ $location.FastCGI.Index | quote }}; + {{- end -}} + {{ range $k, $v := $location.FastCGI.Params }} + fastcgi_param {{ $k }} {{ $v | quote }}; + {{ end }} + {{ if not (empty $location.Redirect.URL) }} return {{ $location.Redirect.Code }} {{ $location.Redirect.URL }}; {{ end }} diff --git a/test/e2e/annotations/backendprotocol.go b/test/e2e/annotations/backendprotocol.go index 8256befd2..bccb03afb 100644 --- a/test/e2e/annotations/backendprotocol.go +++ b/test/e2e/annotations/backendprotocol.go @@ -91,6 +91,21 @@ var _ = framework.DescribeAnnotation("backend-protocol", func() { }) }) + ginkgo.It("should set backend protocol to '' and use fastcgi_pass", func() { + host := "backendprotocol.foo.com" + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/backend-protocol": "FCGI", + } + + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, "fastcgi_pass upstream_balancer;") + }) + }) + ginkgo.It("should set backend protocol to '' and use ajp_pass", func() { host := "backendprotocol.foo.com" annotations := map[string]string{ diff --git a/test/e2e/annotations/fastcgi.go b/test/e2e/annotations/fastcgi.go new file mode 100644 index 000000000..572eca548 --- /dev/null +++ b/test/e2e/annotations/fastcgi.go @@ -0,0 +1,125 @@ +/* +Copyright 2019 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package annotations + +import ( + "net/http" + "strings" + + "github.com/onsi/ginkgo/v2" + corev1 "k8s.io/api/core/v1" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/ingress-nginx/test/e2e/framework" +) + +var _ = framework.DescribeAnnotation("backend-protocol - FastCGI", func() { + f := framework.NewDefaultFramework("fastcgi") + + ginkgo.BeforeEach(func() { + f.NewFastCGIHelloServerDeployment() + }) + + ginkgo.It("should use fastcgi_pass in the configuration file", func() { + host := "fastcgi" + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/backend-protocol": "FCGI", + } + + ing := framework.NewSingleIngress(host, "/hello", host, f.Namespace, "fastcgi-helloserver", 9000, annotations) + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, "include /etc/nginx/fastcgi_params;") && + strings.Contains(server, "fastcgi_pass") + }) + }) + + ginkgo.It("should add fastcgi_index in the configuration file", func() { + host := "fastcgi-index" + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/backend-protocol": "FCGI", + "nginx.ingress.kubernetes.io/fastcgi-index": "index.php", + } + + ing := framework.NewSingleIngress(host, "/hello", host, f.Namespace, "fastcgi-helloserver", 9000, annotations) + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, "fastcgi_index \"index.php\";") + }) + }) + + ginkgo.It("should add fastcgi_param in the configuration file", func() { + configuration := &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: "fastcgi-configmap", + Namespace: f.Namespace, + }, + Data: map[string]string{ + "SCRIPT_FILENAME": "/home/www/scripts/php$fastcgi_script_name", + "REDIRECT_STATUS": "200", + }, + } + + f.EnsureConfigMap(configuration) + + host := "fastcgi-params-configmap" + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/backend-protocol": "FCGI", + "nginx.ingress.kubernetes.io/fastcgi-params-configmap": "fastcgi-configmap", + } + + ing := framework.NewSingleIngress(host, "/hello", host, f.Namespace, "fastcgi-helloserver", 9000, annotations) + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, "fastcgi_param SCRIPT_FILENAME \"/home/www/scripts/php$fastcgi_script_name\";") && + strings.Contains(server, "fastcgi_param REDIRECT_STATUS \"200\";") + }) + }) + + ginkgo.It("should return OK for service with backend protocol FastCGI", func() { + host := "fastcgi-helloserver" + path := "/hello" + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/backend-protocol": "FCGI", + } + + ing := framework.NewSingleIngress(host, path, host, f.Namespace, "fastcgi-helloserver", 9000, annotations) + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, "fastcgi_pass") + }) + + f.HTTPTestClient(). + GET(path). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK). + Body().Contains("Hello world!") + }) +}) diff --git a/test/e2e/framework/fastcgi_helloserver.go b/test/e2e/framework/fastcgi_helloserver.go new file mode 100644 index 000000000..719048c06 --- /dev/null +++ b/test/e2e/framework/fastcgi_helloserver.go @@ -0,0 +1,104 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package framework + +import ( + "github.com/onsi/ginkgo/v2" + "github.com/stretchr/testify/assert" + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/fields" + "k8s.io/apimachinery/pkg/util/intstr" +) + +// NewFastCGIHelloServerDeployment creates a new single replica +// deployment of the fortune teller image in a particular namespace +func (f *Framework) NewFastCGIHelloServerDeployment() { + f.NewNewFastCGIHelloServerDeploymentWithReplicas(1) +} + +// NewNewFastCGIHelloServerDeploymentWithReplicas creates a new deployment of the +// fortune teller image in a particular namespace. Number of replicas is configurable +func (f *Framework) NewNewFastCGIHelloServerDeploymentWithReplicas(replicas int32) { + deployment := &appsv1.Deployment{ + ObjectMeta: metav1.ObjectMeta{ + Name: "fastcgi-helloserver", + Namespace: f.Namespace, + }, + Spec: appsv1.DeploymentSpec{ + Replicas: NewInt32(replicas), + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "app": "fastcgi-helloserver", + }, + }, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{ + "app": "fastcgi-helloserver", + }, + }, + Spec: corev1.PodSpec{ + TerminationGracePeriodSeconds: NewInt64(0), + Containers: []corev1.Container{ + { + Name: "fastcgi-helloserver", + Image: "registry.k8s.io/ingress-nginx/e2e-test-fastcgi-helloserver@sha256:0e08c836cc58f1ea862578de99b13bc4264fe071e816f96dc1d79857bfba7473", + Env: []corev1.EnvVar{}, + Ports: []corev1.ContainerPort{ + { + Name: "fastcgi", + ContainerPort: 9000, + }, + }, + }, + }, + }, + }, + }, + } + + d := f.EnsureDeployment(deployment) + + err := waitForPodsReady(f.KubeClientSet, DefaultTimeout, int(replicas), f.Namespace, metav1.ListOptions{ + LabelSelector: fields.SelectorFromSet(fields.Set(d.Spec.Template.ObjectMeta.Labels)).String(), + }) + assert.Nil(ginkgo.GinkgoT(), err, "failed to wait for to become ready") + + service := &corev1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: "fastcgi-helloserver", + Namespace: f.Namespace, + }, + Spec: corev1.ServiceSpec{ + Ports: []corev1.ServicePort{ + { + Name: "fastcgi", + Port: 9000, + TargetPort: intstr.FromInt(9000), + Protocol: "TCP", + }, + }, + Selector: map[string]string{ + "app": "fastcgi-helloserver", + }, + }, + } + + f.EnsureService(service) +} From 686aeac5961f37eaf1ddfa2fa320df4ccf0cf005 Mon Sep 17 00:00:00 2001 From: Hansuk Hong Date: Thu, 15 Jun 2023 16:32:18 +0900 Subject: [PATCH 357/405] docs: change Dockefile url ref main (#10087) --- docs/examples/grpc/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/examples/grpc/README.md b/docs/examples/grpc/README.md index cf4597fcd..508b23fb8 100644 --- a/docs/examples/grpc/README.md +++ b/docs/examples/grpc/README.md @@ -20,7 +20,7 @@ This example demonstrates how to route traffic to a gRPC service through the Ing - As an example gRPC application, we can use this app . -- To create a container image for this app, you can use [this Dockerfile](https://github.com/kubernetes/ingress-nginx/blob/5a52d99ae85cfe5ef9535291b8326b0006e75066/images/go-grpc-greeter-server/rootfs/Dockerfile). +- To create a container image for this app, you can use [this Dockerfile](https://github.com/kubernetes/ingress-nginx/blob/main/images/go-grpc-greeter-server/rootfs/Dockerfile). - If you use the Dockerfile mentioned above, to create a image, then you can use the following example Kubernetes manifest to create a deployment resource that uses that image. If necessary edit this manifest to suit your needs. From 30de5999c15fb0dc1581950685f1e027957515d5 Mon Sep 17 00:00:00 2001 From: Brendan Kamp Date: Sun, 18 Jun 2023 21:16:21 +0200 Subject: [PATCH 358/405] fix: obsolete warnings (#10029) Signed-off-by: Spazzy --- .../nginx-configuration/configmap.md | 410 +++++++++--------- internal/ingress/controller/config/config.go | 9 +- rootfs/etc/nginx/template/nginx.tmpl | 6 + 3 files changed, 217 insertions(+), 208 deletions(-) diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md index 782b9bc92..c55b7502a 100644 --- a/docs/user-guide/nginx-configuration/configmap.md +++ b/docs/user-guide/nginx-configuration/configmap.md @@ -25,211 +25,211 @@ data: The following table shows a configuration option's name, type, and the default value: -|name|type|default| -|:---|:---|:------| -|[add-headers](#add-headers)|string|""| -|[allow-backend-server-header](#allow-backend-server-header)|bool|"false"| -|[allow-snippet-annotations](#allow-snippet-annotations)|bool|true| -|[annotation-value-word-blocklist](#annotation-value-word-blocklist)|string array|""| -|[hide-headers](#hide-headers)|string array|empty| -|[access-log-params](#access-log-params)|string|""| -|[access-log-path](#access-log-path)|string|"/var/log/nginx/access.log"| -|[http-access-log-path](#http-access-log-path)|string|""| -|[stream-access-log-path](#stream-access-log-path)|string|""| -|[enable-access-log-for-default-backend](#enable-access-log-for-default-backend)|bool|"false"| -|[error-log-path](#error-log-path)|string|"/var/log/nginx/error.log"| -|[enable-modsecurity](#enable-modsecurity)|bool|"false"| -|[modsecurity-snippet](#modsecurity-snippet)|string|""| -|[enable-owasp-modsecurity-crs](#enable-owasp-modsecurity-crs)|bool|"false"| -|[client-header-buffer-size](#client-header-buffer-size)|string|"1k"| -|[client-header-timeout](#client-header-timeout)|int|60| -|[client-body-buffer-size](#client-body-buffer-size)|string|"8k"| -|[client-body-timeout](#client-body-timeout)|int|60| -|[disable-access-log](#disable-access-log)|bool|false| -|[disable-ipv6](#disable-ipv6)|bool|false| -|[disable-ipv6-dns](#disable-ipv6-dns)|bool|false| -|[enable-underscores-in-headers](#enable-underscores-in-headers)|bool|false| -|[enable-ocsp](#enable-ocsp)|bool|false| -|[ignore-invalid-headers](#ignore-invalid-headers)|bool|true| -|[retry-non-idempotent](#retry-non-idempotent)|bool|"false"| -|[error-log-level](#error-log-level)|string|"notice"| -|[http2-max-field-size](#http2-max-field-size)|string|"4k"| -|[http2-max-header-size](#http2-max-header-size)|string|"16k"| -|[http2-max-requests](#http2-max-requests)|int|1000| -|[http2-max-concurrent-streams](#http2-max-concurrent-streams)|int|128| -|[hsts](#hsts)|bool|"true"| -|[hsts-include-subdomains](#hsts-include-subdomains)|bool|"true"| -|[hsts-max-age](#hsts-max-age)|string|"15724800"| -|[hsts-preload](#hsts-preload)|bool|"false"| -|[keep-alive](#keep-alive)|int|75| -|[keep-alive-requests](#keep-alive-requests)|int|1000| -|[large-client-header-buffers](#large-client-header-buffers)|string|"4 8k"| -|[log-format-escape-none](#log-format-escape-none)|bool|"false"| -|[log-format-escape-json](#log-format-escape-json)|bool|"false"| -|[log-format-upstream](#log-format-upstream)|string|`$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] [$proxy_alternative_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status $req_id`| -|[log-format-stream](#log-format-stream)|string|`[$remote_addr] [$time_local] $protocol $status $bytes_sent $bytes_received $session_time`| -|[enable-multi-accept](#enable-multi-accept)|bool|"true"| -|[max-worker-connections](#max-worker-connections)|int|16384| -|[max-worker-open-files](#max-worker-open-files)|int|0| -|[map-hash-bucket-size](#max-hash-bucket-size)|int|64| -|[nginx-status-ipv4-whitelist](#nginx-status-ipv4-whitelist)|[]string|"127.0.0.1"| -|[nginx-status-ipv6-whitelist](#nginx-status-ipv6-whitelist)|[]string|"::1"| -|[proxy-real-ip-cidr](#proxy-real-ip-cidr)|[]string|"0.0.0.0/0"| -|[proxy-set-headers](#proxy-set-headers)|string|""| -|[server-name-hash-max-size](#server-name-hash-max-size)|int|1024| -|[server-name-hash-bucket-size](#server-name-hash-bucket-size)|int|`` -|[proxy-headers-hash-max-size](#proxy-headers-hash-max-size)|int|512| -|[proxy-headers-hash-bucket-size](#proxy-headers-hash-bucket-size)|int|64| -|[plugins](#plugins)|[]string| | -|[reuse-port](#reuse-port)|bool|"true"| -|[server-tokens](#server-tokens)|bool|"false"| -|[ssl-ciphers](#ssl-ciphers)|string|"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"| -|[ssl-ecdh-curve](#ssl-ecdh-curve)|string|"auto"| -|[ssl-dh-param](#ssl-dh-param)|string|""| -|[ssl-protocols](#ssl-protocols)|string|"TLSv1.2 TLSv1.3"| -|[ssl-session-cache](#ssl-session-cache)|bool|"true"| -|[ssl-session-cache-size](#ssl-session-cache-size)|string|"10m"| -|[ssl-session-tickets](#ssl-session-tickets)|bool|"false"| -|[ssl-session-ticket-key](#ssl-session-ticket-key)|string|`` -|[ssl-session-timeout](#ssl-session-timeout)|string|"10m"| -|[ssl-buffer-size](#ssl-buffer-size)|string|"4k"| -|[use-proxy-protocol](#use-proxy-protocol)|bool|"false"| -|[proxy-protocol-header-timeout](#proxy-protocol-header-timeout)|string|"5s"| -|[use-gzip](#use-gzip)|bool|"false"| -|[use-geoip](#use-geoip)|bool|"true"| -|[use-geoip2](#use-geoip2)|bool|"false"| -|[enable-brotli](#enable-brotli)|bool|"false"| -|[brotli-level](#brotli-level)|int|4| -|[brotli-min-length](#brotli-min-length)|int|20| -|[brotli-types](#brotli-types)|string|"application/xml+rss application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component"| -|[use-http2](#use-http2)|bool|"true"| -|[gzip-disable](#gzip-disable)|string|""| -|[gzip-level](#gzip-level)|int|1| -|[gzip-min-length](#gzip-min-length)|int|256| -|[gzip-types](#gzip-types)|string|"application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component"| -|[worker-processes](#worker-processes)|string|``| -|[worker-cpu-affinity](#worker-cpu-affinity)|string|""| -|[worker-shutdown-timeout](#worker-shutdown-timeout)|string|"240s"| -|[load-balance](#load-balance)|string|"round_robin"| -|[variables-hash-bucket-size](#variables-hash-bucket-size)|int|128| -|[variables-hash-max-size](#variables-hash-max-size)|int|2048| -|[upstream-keepalive-connections](#upstream-keepalive-connections)|int|320| -|[upstream-keepalive-time](#upstream-keepalive-time)|string|"1h"| -|[upstream-keepalive-timeout](#upstream-keepalive-timeout)|int|60| -|[upstream-keepalive-requests](#upstream-keepalive-requests)|int|10000| -|[limit-conn-zone-variable](#limit-conn-zone-variable)|string|"$binary_remote_addr"| -|[proxy-stream-timeout](#proxy-stream-timeout)|string|"600s"| -|[proxy-stream-next-upstream](#proxy-stream-next-upstream)|bool|"true"| -|[proxy-stream-next-upstream-timeout](#proxy-stream-next-upstream-timeout)|string|"600s"| -|[proxy-stream-next-upstream-tries](#proxy-stream-next-upstream-tries)|int|3| -|[proxy-stream-responses](#proxy-stream-responses)|int|1| -|[bind-address](#bind-address)|[]string|""| -|[use-forwarded-headers](#use-forwarded-headers)|bool|"false"| -|[enable-real-ip](#enable-real-ip)|bool|"false"| -|[forwarded-for-header](#forwarded-for-header)|string|"X-Forwarded-For"| -|[compute-full-forwarded-for](#compute-full-forwarded-for)|bool|"false"| -|[proxy-add-original-uri-header](#proxy-add-original-uri-header)|bool|"false"| -|[generate-request-id](#generate-request-id)|bool|"true"| -|[enable-opentracing](#enable-opentracing)|bool|"false"| -|[opentracing-operation-name](#opentracing-operation-name)|string|""| -|[opentracing-location-operation-name](#opentracing-location-operation-name)|string|""| -|[zipkin-collector-host](#zipkin-collector-host)|string|""| -|[zipkin-collector-port](#zipkin-collector-port)|int|9411| -|[zipkin-service-name](#zipkin-service-name)|string|"nginx"| -|[zipkin-sample-rate](#zipkin-sample-rate)|float|1.0| -|[jaeger-collector-host](#jaeger-collector-host)|string|""| -|[jaeger-collector-port](#jaeger-collector-port)|int|6831| -|[jaeger-endpoint](#jaeger-endpoint)|string|""| -|[jaeger-service-name](#jaeger-service-name)|string|"nginx"| -|[jaeger-propagation-format](#jaeger-propagation-format)|string|"jaeger"| -|[jaeger-sampler-type](#jaeger-sampler-type)|string|"const"| -|[jaeger-sampler-param](#jaeger-sampler-param)|string|"1"| -|[jaeger-sampler-host](#jaeger-sampler-host)|string|"http://127.0.0.1"| -|[jaeger-sampler-port](#jaeger-sampler-port)|int|5778| -|[jaeger-trace-context-header-name](#jaeger-trace-context-header-name)|string|uber-trace-id| -|[jaeger-debug-header](#jaeger-debug-header)|string|uber-debug-id| -|[jaeger-baggage-header](#jaeger-baggage-header)|string|jaeger-baggage| -|[jaeger-trace-baggage-header-prefix](#jaeger-trace-baggage-header-prefix)|string|uberctx-| -|[datadog-collector-host](#datadog-collector-host)|string|""| -|[datadog-collector-port](#datadog-collector-port)|int|8126| -|[datadog-service-name](#datadog-service-name)|string|"nginx"| -|[datadog-environment](#datadog-environment)|string|"prod"| -|[datadog-operation-name-override](#datadog-operation-name-override)|string|"nginx.handle"| -|[datadog-priority-sampling](#datadog-priority-sampling)|bool|"true"| -|[datadog-sample-rate](#datadog-sample-rate)|float|1.0| -|[enable-opentelemetry](#enable-opentelemetry)|bool|"false"| -|[opentelemetry-trust-incoming-span](#opentelemetry-trust-incoming-span)|bool|"true"| -|[opentelemetry-operation-name](#opentelemetry-operation-name)|string|""| -|[opentelemetry-config](#/etc/nginx/opentelemetry.toml)|string|"/etc/nginx/opentelemetry.toml"| -|[otlp-collector-host](#otlp-collector-host)|string|""| -|[otlp-collector-port](#otlp-collector-port)|int|4317| -|[otel-max-queuesize](#otel-max-queuesize)|int|| -|[otel-schedule-delay-millis](#otel-schedule-delay-millis)|int|| -|[otel-max-export-batch-size](#otel-max-export-batch-size)|int|| -|[otel-service-name](#otel-service-name)|string|"nginx"| -|[otel-sampler](#otel-sampler)|string|"AlwaysOff"| -|[otel-sampler-parent-based](#otel-sampler-parent-based)|bool|"false"| -|[otel-sampler-ratio](#otel-sampler-ratio)|float|0.01| -|[main-snippet](#main-snippet)|string|""| -|[http-snippet](#http-snippet)|string|""| -|[server-snippet](#server-snippet)|string|""| -|[stream-snippet](#stream-snippet)|string|""| -|[location-snippet](#location-snippet)|string|""| -|[custom-http-errors](#custom-http-errors)|[]int|[]int{}| -|[proxy-body-size](#proxy-body-size)|string|"1m"| -|[proxy-connect-timeout](#proxy-connect-timeout)|int|5| -|[proxy-read-timeout](#proxy-read-timeout)|int|60| -|[proxy-send-timeout](#proxy-send-timeout)|int|60| -|[proxy-buffers-number](#proxy-buffers-number)|int|4| -|[proxy-buffer-size](#proxy-buffer-size)|string|"4k"| -|[proxy-cookie-path](#proxy-cookie-path)|string|"off"| -|[proxy-cookie-domain](#proxy-cookie-domain)|string|"off"| -|[proxy-next-upstream](#proxy-next-upstream)|string|"error timeout"| -|[proxy-next-upstream-timeout](#proxy-next-upstream-timeout)|int|0| -|[proxy-next-upstream-tries](#proxy-next-upstream-tries)|int|3| -|[proxy-redirect-from](#proxy-redirect-from)|string|"off"| -|[proxy-request-buffering](#proxy-request-buffering)|string|"on"| -|[ssl-redirect](#ssl-redirect)|bool|"true"| -|[force-ssl-redirect](#force-ssl-redirect)|bool|"false"| -|[denylist-source-range](#denylist-source-range)|[]string|[]string{}| -|[whitelist-source-range](#whitelist-source-range)|[]string|[]string{}| -|[skip-access-log-urls](#skip-access-log-urls)|[]string|[]string{}| -|[limit-rate](#limit-rate)|int|0| -|[limit-rate-after](#limit-rate-after)|int|0| -|[lua-shared-dicts](#lua-shared-dicts)|string|""| -|[http-redirect-code](#http-redirect-code)|int|308| -|[proxy-buffering](#proxy-buffering)|string|"off"| -|[limit-req-status-code](#limit-req-status-code)|int|503| -|[limit-conn-status-code](#limit-conn-status-code)|int|503| -|[enable-syslog](#enable-syslog)|bool|false| -|[syslog-host](#syslog-host)|string|""| -|[syslog-port](#syslog-port)|int|514| -|[no-tls-redirect-locations](#no-tls-redirect-locations)|string|"/.well-known/acme-challenge"| -|[global-auth-url](#global-auth-url)|string|""| -|[global-auth-method](#global-auth-method)|string|""| -|[global-auth-signin](#global-auth-signin)|string|""| -|[global-auth-signin-redirect-param](#global-auth-signin-redirect-param)|string|"rd"| -|[global-auth-response-headers](#global-auth-response-headers)|string|""| -|[global-auth-request-redirect](#global-auth-request-redirect)|string|""| -|[global-auth-snippet](#global-auth-snippet)|string|""| -|[global-auth-cache-key](#global-auth-cache-key)|string|""| -|[global-auth-cache-duration](#global-auth-cache-duration)|string|"200 202 401 5m"| -|[no-auth-locations](#no-auth-locations)|string|"/.well-known/acme-challenge"| -|[block-cidrs](#block-cidrs)|[]string|""| -|[block-user-agents](#block-user-agents)|[]string|""| -|[block-referers](#block-referers)|[]string|""| -|[proxy-ssl-location-only](#proxy-ssl-location-only)|bool|"false"| -|[default-type](#default-type)|string|"text/html"| -|[global-rate-limit-memcached-host](#global-rate-limit)|string|""| -|[global-rate-limit-memcached-port](#global-rate-limit)|int|11211| -|[global-rate-limit-memcached-connect-timeout](#global-rate-limit)|int|50| -|[global-rate-limit-memcached-max-idle-timeout](#global-rate-limit)|int|10000| -|[global-rate-limit-memcached-pool-size](#global-rate-limit)|int|50| -|[global-rate-limit-status-code](#global-rate-limit)|int|429| -|[service-upstream](#service-upstream)|bool|"false"| -|[ssl-reject-handshake](#ssl-reject-handshake)|bool|"false"| -|[debug-connections](#debug-connections)|[]string|"127.0.0.1,1.1.1.1/24"| -|[strict-validate-path-type](#strict-validate-path-type)|bool|"false" (v1.7.x)| +|name|type|default|notes| +|:---|:---|:------|:----| +|[add-headers](#add-headers)|string|""|| +|[allow-backend-server-header](#allow-backend-server-header)|bool|"false"|| +|[allow-snippet-annotations](#allow-snippet-annotations)|bool|true|| +|[annotation-value-word-blocklist](#annotation-value-word-blocklist)|string array|""|| +|[hide-headers](#hide-headers)|string array|empty|| +|[access-log-params](#access-log-params)|string|""|| +|[access-log-path](#access-log-path)|string|"/var/log/nginx/access.log"|| +|[http-access-log-path](#http-access-log-path)|string|""|| +|[stream-access-log-path](#stream-access-log-path)|string|""|| +|[enable-access-log-for-default-backend](#enable-access-log-for-default-backend)|bool|"false"|| +|[error-log-path](#error-log-path)|string|"/var/log/nginx/error.log"|| +|[enable-modsecurity](#enable-modsecurity)|bool|"false"|| +|[modsecurity-snippet](#modsecurity-snippet)|string|""|| +|[enable-owasp-modsecurity-crs](#enable-owasp-modsecurity-crs)|bool|"false"|| +|[client-header-buffer-size](#client-header-buffer-size)|string|"1k"|| +|[client-header-timeout](#client-header-timeout)|int|60|| +|[client-body-buffer-size](#client-body-buffer-size)|string|"8k"|| +|[client-body-timeout](#client-body-timeout)|int|60|| +|[disable-access-log](#disable-access-log)|bool|false|| +|[disable-ipv6](#disable-ipv6)|bool|false|| +|[disable-ipv6-dns](#disable-ipv6-dns)|bool|false|| +|[enable-underscores-in-headers](#enable-underscores-in-headers)|bool|false|| +|[enable-ocsp](#enable-ocsp)|bool|false|| +|[ignore-invalid-headers](#ignore-invalid-headers)|bool|true|| +|[retry-non-idempotent](#retry-non-idempotent)|bool|"false"|| +|[error-log-level](#error-log-level)|string|"notice"|| +|[http2-max-field-size](#http2-max-field-size)|string|""|DEPRECATED in favour of [large_client_header_buffers](#large-client-header-buffers)| +|[http2-max-header-size](#http2-max-header-size)|string|""|DEPRECATED in favour of [large_client_header_buffers](#large-client-header-buffers)| +|[http2-max-requests](#http2-max-requests)|int|0|DEPRECATED in favour of [keepalive_requests](#keepalive-requests)| +|[http2-max-concurrent-streams](#http2-max-concurrent-streams)|int|128|| +|[hsts](#hsts)|bool|"true"|| +|[hsts-include-subdomains](#hsts-include-subdomains)|bool|"true"|| +|[hsts-max-age](#hsts-max-age)|string|"15724800"|| +|[hsts-preload](#hsts-preload)|bool|"false"|| +|[keep-alive](#keep-alive)|int|75|| +|[keep-alive-requests](#keep-alive-requests)|int|1000|| +|[large-client-header-buffers](#large-client-header-buffers)|string|"4 8k"|| +|[log-format-escape-none](#log-format-escape-none)|bool|"false"|| +|[log-format-escape-json](#log-format-escape-json)|bool|"false"|| +|[log-format-upstream](#log-format-upstream)|string|`$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] [$proxy_alternative_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status $req_id`|| +|[log-format-stream](#log-format-stream)|string|`[$remote_addr] [$time_local] $protocol $status $bytes_sent $bytes_received $session_time`|| +|[enable-multi-accept](#enable-multi-accept)|bool|"true"|| +|[max-worker-connections](#max-worker-connections)|int|16384|| +|[max-worker-open-files](#max-worker-open-files)|int|0|| +|[map-hash-bucket-size](#max-hash-bucket-size)|int|64|| +|[nginx-status-ipv4-whitelist](#nginx-status-ipv4-whitelist)|[]string|"127.0.0.1"|| +|[nginx-status-ipv6-whitelist](#nginx-status-ipv6-whitelist)|[]string|"::1"|| +|[proxy-real-ip-cidr](#proxy-real-ip-cidr)|[]string|"0.0.0.0/0"|| +|[proxy-set-headers](#proxy-set-headers)|string|""|| +|[server-name-hash-max-size](#server-name-hash-max-size)|int|1024|| +|[server-name-hash-bucket-size](#server-name-hash-bucket-size)|int|``| +|[proxy-headers-hash-max-size](#proxy-headers-hash-max-size)|int|512|| +|[proxy-headers-hash-bucket-size](#proxy-headers-hash-bucket-size)|int|64|| +|[plugins](#plugins)|[]string| || +|[reuse-port](#reuse-port)|bool|"true"|| +|[server-tokens](#server-tokens)|bool|"false"|| +|[ssl-ciphers](#ssl-ciphers)|string|"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"|| +|[ssl-ecdh-curve](#ssl-ecdh-curve)|string|"auto"|| +|[ssl-dh-param](#ssl-dh-param)|string|""|| +|[ssl-protocols](#ssl-protocols)|string|"TLSv1.2 TLSv1.3"|| +|[ssl-session-cache](#ssl-session-cache)|bool|"true"|| +|[ssl-session-cache-size](#ssl-session-cache-size)|string|"10m"|| +|[ssl-session-tickets](#ssl-session-tickets)|bool|"false"|| +|[ssl-session-ticket-key](#ssl-session-ticket-key)|string|``| +|[ssl-session-timeout](#ssl-session-timeout)|string|"10m"|| +|[ssl-buffer-size](#ssl-buffer-size)|string|"4k"|| +|[use-proxy-protocol](#use-proxy-protocol)|bool|"false"|| +|[proxy-protocol-header-timeout](#proxy-protocol-header-timeout)|string|"5s"|| +|[use-gzip](#use-gzip)|bool|"false"|| +|[use-geoip](#use-geoip)|bool|"true"|| +|[use-geoip2](#use-geoip2)|bool|"false"|| +|[enable-brotli](#enable-brotli)|bool|"false"|| +|[brotli-level](#brotli-level)|int|4|| +|[brotli-min-length](#brotli-min-length)|int|20|| +|[brotli-types](#brotli-types)|string|"application/xml+rss application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component"|| +|[use-http2](#use-http2)|bool|"true"|| +|[gzip-disable](#gzip-disable)|string|""|| +|[gzip-level](#gzip-level)|int|1|| +|[gzip-min-length](#gzip-min-length)|int|256|| +|[gzip-types](#gzip-types)|string|"application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component"|| +|[worker-processes](#worker-processes)|string|``|| +|[worker-cpu-affinity](#worker-cpu-affinity)|string|""|| +|[worker-shutdown-timeout](#worker-shutdown-timeout)|string|"240s"|| +|[load-balance](#load-balance)|string|"round_robin"|| +|[variables-hash-bucket-size](#variables-hash-bucket-size)|int|128|| +|[variables-hash-max-size](#variables-hash-max-size)|int|2048|| +|[upstream-keepalive-connections](#upstream-keepalive-connections)|int|320|| +|[upstream-keepalive-time](#upstream-keepalive-time)|string|"1h"|| +|[upstream-keepalive-timeout](#upstream-keepalive-timeout)|int|60|| +|[upstream-keepalive-requests](#upstream-keepalive-requests)|int|10000|| +|[limit-conn-zone-variable](#limit-conn-zone-variable)|string|"$binary_remote_addr"|| +|[proxy-stream-timeout](#proxy-stream-timeout)|string|"600s"|| +|[proxy-stream-next-upstream](#proxy-stream-next-upstream)|bool|"true"|| +|[proxy-stream-next-upstream-timeout](#proxy-stream-next-upstream-timeout)|string|"600s"|| +|[proxy-stream-next-upstream-tries](#proxy-stream-next-upstream-tries)|int|3|| +|[proxy-stream-responses](#proxy-stream-responses)|int|1|| +|[bind-address](#bind-address)|[]string|""|| +|[use-forwarded-headers](#use-forwarded-headers)|bool|"false"|| +|[enable-real-ip](#enable-real-ip)|bool|"false"|| +|[forwarded-for-header](#forwarded-for-header)|string|"X-Forwarded-For"|| +|[compute-full-forwarded-for](#compute-full-forwarded-for)|bool|"false"|| +|[proxy-add-original-uri-header](#proxy-add-original-uri-header)|bool|"false"|| +|[generate-request-id](#generate-request-id)|bool|"true"|| +|[enable-opentracing](#enable-opentracing)|bool|"false"|| +|[opentracing-operation-name](#opentracing-operation-name)|string|""|| +|[opentracing-location-operation-name](#opentracing-location-operation-name)|string|""|| +|[zipkin-collector-host](#zipkin-collector-host)|string|""|| +|[zipkin-collector-port](#zipkin-collector-port)|int|9411|| +|[zipkin-service-name](#zipkin-service-name)|string|"nginx"|| +|[zipkin-sample-rate](#zipkin-sample-rate)|float|1.0|| +|[jaeger-collector-host](#jaeger-collector-host)|string|""|| +|[jaeger-collector-port](#jaeger-collector-port)|int|6831|| +|[jaeger-endpoint](#jaeger-endpoint)|string|""|| +|[jaeger-service-name](#jaeger-service-name)|string|"nginx"|| +|[jaeger-propagation-format](#jaeger-propagation-format)|string|"jaeger"|| +|[jaeger-sampler-type](#jaeger-sampler-type)|string|"const"|| +|[jaeger-sampler-param](#jaeger-sampler-param)|string|"1"|| +|[jaeger-sampler-host](#jaeger-sampler-host)|string|"http://127.0.0.1"|| +|[jaeger-sampler-port](#jaeger-sampler-port)|int|5778|| +|[jaeger-trace-context-header-name](#jaeger-trace-context-header-name)|string|uber-trace-id|| +|[jaeger-debug-header](#jaeger-debug-header)|string|uber-debug-id|| +|[jaeger-baggage-header](#jaeger-baggage-header)|string|jaeger-baggage|| +|[jaeger-trace-baggage-header-prefix](#jaeger-trace-baggage-header-prefix)|string|uberctx-|| +|[datadog-collector-host](#datadog-collector-host)|string|""|| +|[datadog-collector-port](#datadog-collector-port)|int|8126|| +|[datadog-service-name](#datadog-service-name)|string|"nginx"|| +|[datadog-environment](#datadog-environment)|string|"prod"|| +|[datadog-operation-name-override](#datadog-operation-name-override)|string|"nginx.handle"|| +|[datadog-priority-sampling](#datadog-priority-sampling)|bool|"true"|| +|[datadog-sample-rate](#datadog-sample-rate)|float|1.0|| +|[enable-opentelemetry](#enable-opentelemetry)|bool|"false"|| +|[opentelemetry-trust-incoming-span](#opentelemetry-trust-incoming-span)|bool|"true"|| +|[opentelemetry-operation-name](#opentelemetry-operation-name)|string|""|| +|[opentelemetry-config](#/etc/nginx/opentelemetry.toml)|string|"/etc/nginx/opentelemetry.toml"|| +|[otlp-collector-host](#otlp-collector-host)|string|""|| +|[otlp-collector-port](#otlp-collector-port)|int|4317|| +|[otel-max-queuesize](#otel-max-queuesize)|int||| +|[otel-schedule-delay-millis](#otel-schedule-delay-millis)|int||| +|[otel-max-export-batch-size](#otel-max-export-batch-size)|int||| +|[otel-service-name](#otel-service-name)|string|"nginx"|| +|[otel-sampler](#otel-sampler)|string|"AlwaysOff"|| +|[otel-sampler-parent-based](#otel-sampler-parent-based)|bool|"false"|| +|[otel-sampler-ratio](#otel-sampler-ratio)|float|0.01|| +|[main-snippet](#main-snippet)|string|""|| +|[http-snippet](#http-snippet)|string|""|| +|[server-snippet](#server-snippet)|string|""|| +|[stream-snippet](#stream-snippet)|string|""|| +|[location-snippet](#location-snippet)|string|""|| +|[custom-http-errors](#custom-http-errors)|[]int|[]int{}|| +|[proxy-body-size](#proxy-body-size)|string|"1m"|| +|[proxy-connect-timeout](#proxy-connect-timeout)|int|5|| +|[proxy-read-timeout](#proxy-read-timeout)|int|60|| +|[proxy-send-timeout](#proxy-send-timeout)|int|60|| +|[proxy-buffers-number](#proxy-buffers-number)|int|4|| +|[proxy-buffer-size](#proxy-buffer-size)|string|"4k"|| +|[proxy-cookie-path](#proxy-cookie-path)|string|"off"|| +|[proxy-cookie-domain](#proxy-cookie-domain)|string|"off"|| +|[proxy-next-upstream](#proxy-next-upstream)|string|"error timeout"|| +|[proxy-next-upstream-timeout](#proxy-next-upstream-timeout)|int|0|| +|[proxy-next-upstream-tries](#proxy-next-upstream-tries)|int|3|| +|[proxy-redirect-from](#proxy-redirect-from)|string|"off"|| +|[proxy-request-buffering](#proxy-request-buffering)|string|"on"|| +|[ssl-redirect](#ssl-redirect)|bool|"true"|| +|[force-ssl-redirect](#force-ssl-redirect)|bool|"false"|| +|[denylist-source-range](#denylist-source-range)|[]string|[]string{}|| +|[whitelist-source-range](#whitelist-source-range)|[]string|[]string{}|| +|[skip-access-log-urls](#skip-access-log-urls)|[]string|[]string{}|| +|[limit-rate](#limit-rate)|int|0|| +|[limit-rate-after](#limit-rate-after)|int|0|| +|[lua-shared-dicts](#lua-shared-dicts)|string|""|| +|[http-redirect-code](#http-redirect-code)|int|308|| +|[proxy-buffering](#proxy-buffering)|string|"off"|| +|[limit-req-status-code](#limit-req-status-code)|int|503|| +|[limit-conn-status-code](#limit-conn-status-code)|int|503|| +|[enable-syslog](#enable-syslog)|bool|false|| +|[syslog-host](#syslog-host)|string|""|| +|[syslog-port](#syslog-port)|int|514|| +|[no-tls-redirect-locations](#no-tls-redirect-locations)|string|"/.well-known/acme-challenge"|| +|[global-auth-url](#global-auth-url)|string|""|| +|[global-auth-method](#global-auth-method)|string|""|| +|[global-auth-signin](#global-auth-signin)|string|""|| +|[global-auth-signin-redirect-param](#global-auth-signin-redirect-param)|string|"rd"|| +|[global-auth-response-headers](#global-auth-response-headers)|string|""|| +|[global-auth-request-redirect](#global-auth-request-redirect)|string|""|| +|[global-auth-snippet](#global-auth-snippet)|string|""|| +|[global-auth-cache-key](#global-auth-cache-key)|string|""|| +|[global-auth-cache-duration](#global-auth-cache-duration)|string|"200 202 401 5m"|| +|[no-auth-locations](#no-auth-locations)|string|"/.well-known/acme-challenge"|| +|[block-cidrs](#block-cidrs)|[]string|""|| +|[block-user-agents](#block-user-agents)|[]string|""|| +|[block-referers](#block-referers)|[]string|""|| +|[proxy-ssl-location-only](#proxy-ssl-location-only)|bool|"false"|| +|[default-type](#default-type)|string|"text/html"|| +|[global-rate-limit-memcached-host](#global-rate-limit)|string|""|| +|[global-rate-limit-memcached-port](#global-rate-limit)|int|11211|| +|[global-rate-limit-memcached-connect-timeout](#global-rate-limit)|int|50|| +|[global-rate-limit-memcached-max-idle-timeout](#global-rate-limit)|int|10000|| +|[global-rate-limit-memcached-pool-size](#global-rate-limit)|int|50|| +|[global-rate-limit-status-code](#global-rate-limit)|int|429|| +|[service-upstream](#service-upstream)|bool|"false"|| +|[ssl-reject-handshake](#ssl-reject-handshake)|bool|"false"|| +|[debug-connections](#debug-connections)|[]string|"127.0.0.1,1.1.1.1/24"|| +|[strict-validate-path-type](#strict-validate-path-type)|bool|"false" (v1.7.x)|| ## add-headers diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go index ad4bebde0..ec44b08ed 100644 --- a/internal/ingress/controller/config/config.go +++ b/internal/ingress/controller/config/config.go @@ -215,16 +215,19 @@ type Configuration struct { // https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_field_size // HTTP2MaxFieldSize Limits the maximum size of an HPACK-compressed request header field + // NOTE: Deprecated HTTP2MaxFieldSize string `json:"http2-max-field-size,omitempty"` // https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_header_size // HTTP2MaxHeaderSize Limits the maximum size of the entire request header list after HPACK decompression + // NOTE: Deprecated HTTP2MaxHeaderSize string `json:"http2-max-header-size,omitempty"` // http://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_requests // HTTP2MaxRequests Sets the maximum number of requests (including push requests) that can be served // through one HTTP/2 connection, after which the next client request will lead to connection closing // and the need of establishing a new connection. + // NOTE: Deprecated HTTP2MaxRequests int `json:"http2-max-requests,omitempty"` // http://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_concurrent_streams @@ -882,9 +885,9 @@ func NewDefault() Configuration { ComputeFullForwardedFor: false, ProxyAddOriginalURIHeader: false, GenerateRequestID: true, - HTTP2MaxFieldSize: "4k", - HTTP2MaxHeaderSize: "16k", - HTTP2MaxRequests: 1000, + HTTP2MaxFieldSize: "", + HTTP2MaxHeaderSize: "", + HTTP2MaxRequests: 0, HTTP2MaxConcurrentStreams: 128, HTTPRedirectCode: 308, HSTS: true, diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index 9b3a47de3..a1e02aae3 100644 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -315,9 +315,15 @@ http { client_body_buffer_size {{ $cfg.ClientBodyBufferSize }}; client_body_timeout {{ $cfg.ClientBodyTimeout }}s; + {{ if and (ne $cfg.HTTP2MaxHeaderSize "") (ne $cfg.HTTP2MaxFieldSize "") }} http2_max_field_size {{ $cfg.HTTP2MaxFieldSize }}; http2_max_header_size {{ $cfg.HTTP2MaxHeaderSize }}; + {{ end }} + + {{ if (gt $cfg.HTTP2MaxRequests 0) }} http2_max_requests {{ $cfg.HTTP2MaxRequests }}; + {{ end }} + http2_max_concurrent_streams {{ $cfg.HTTP2MaxConcurrentStreams }}; types_hash_max_size 2048; From 910ca9ec0bd55aa651a593425929ebcfba0bf464 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Jun 2023 05:04:22 -0700 Subject: [PATCH 359/405] Bump docker/setup-buildx-action from 2.6.0 to 2.7.0 (#10102) Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2.6.0 to 2.7.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/6a58db7e0d21ca03e6c44877909e80e45217eed2...ecf95283f03858871ff00b787d79c419715afc34) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 9764a5e74..f27ac4f9b 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -158,7 +158,7 @@ jobs: - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@6a58db7e0d21ca03e6c44877909e80e45217eed2 # v2.6.0 + uses: docker/setup-buildx-action@ecf95283f03858871ff00b787d79c419715afc34 # v2.7.0 with: version: latest From 7028bce2f2b9f384bebb1c1f0b044d21ed1a202a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Jun 2023 05:06:22 -0700 Subject: [PATCH 360/405] Bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 (#10101) Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 4.2.0 to 4.3.0. - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](https://github.com/goreleaser/goreleaser-action/compare/f82d6c1c344bcacabba2c841718984797f664a6b...336e29918d653399e599bfca99fadc1d7ffbc9f7) --- updated-dependencies: - dependency-name: goreleaser/goreleaser-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/plugin.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/plugin.yaml b/.github/workflows/plugin.yaml index 6088f77f8..d8769f439 100644 --- a/.github/workflows/plugin.yaml +++ b/.github/workflows/plugin.yaml @@ -28,7 +28,7 @@ jobs: check-latest: true - name: Run GoReleaser - uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0 + uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0 with: version: latest args: release --rm-dist From b47409afe7d75d435d919a84d0ad6011670264d1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Jun 2023 05:08:22 -0700 Subject: [PATCH 361/405] Bump google.golang.org/grpc from 1.55.0 to 1.56.0 (#10103) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.55.0 to 1.56.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.55.0...v1.56.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 1bdcdbc61..d558077f5 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a golang.org/x/crypto v0.9.0 - google.golang.org/grpc v1.55.0 + google.golang.org/grpc v1.56.0 google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 @@ -109,7 +109,7 @@ require ( golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.9.1 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 // indirect + google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect google.golang.org/protobuf v1.30.0 // indirect gopkg.in/go-playground/assert.v1 v1.2.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/go.sum b/go.sum index 9e65d666f..47454259b 100644 --- a/go.sum +++ b/go.sum @@ -647,8 +647,8 @@ google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 h1:DdoeryqhaXp1LtT/emMP1BRJPHHKFi5akj/nbx/zNTA= -google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4/go.mod h1:NWraEVixdDnqcqQ30jipen1STv2r/n24Wb7twVTGR4s= +google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg18WzOa7djJ+Ha5DzthMyZYQfEn2A= +google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= @@ -661,8 +661,8 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.55.0 h1:3Oj82/tFSCeUrRTg/5E/7d/W5A1tj6Ky1ABAuZuv5ag= -google.golang.org/grpc v1.55.0/go.mod h1:iYEXKGkEBhg1PjZQvoYEVPTDkHo1/bjTnfwTeGONTY8= +google.golang.org/grpc v1.56.0 h1:+y7Bs8rtMd07LeXmL3NxcTLn7mUkbKZqEpPhMNkwJEE= +google.golang.org/grpc v1.56.0/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 h1:pPsdyuBif+uoyUoL19yuj/TCfUPsmpJHJZhWQ98JGLU= google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7/go.mod h1:8pQa1yxxkh+EsxUK8/455D5MSbv3vgmEJqKCH3y17mI= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= From 22e855d413ce1f30478811cbd0283199454e2b8d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 20 Jun 2023 02:32:23 -0700 Subject: [PATCH 362/405] Bump golang.org/x/crypto from 0.9.0 to 0.10.0 (#10105) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.9.0 to 0.10.0. - [Commits](https://github.com/golang/crypto/compare/v0.9.0...v0.10.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 8 ++++---- go.sum | 16 ++++++++-------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/go.mod b/go.mod index d558077f5..a28d70f0b 100644 --- a/go.mod +++ b/go.mod @@ -25,7 +25,7 @@ require ( github.com/stretchr/testify v1.8.4 github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a - golang.org/x/crypto v0.9.0 + golang.org/x/crypto v0.10.0 google.golang.org/grpc v1.56.0 google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 @@ -103,9 +103,9 @@ require ( golang.org/x/mod v0.10.0 // indirect golang.org/x/net v0.10.0 // indirect golang.org/x/oauth2 v0.8.0 // indirect - golang.org/x/sys v0.8.0 // indirect - golang.org/x/term v0.8.0 // indirect - golang.org/x/text v0.9.0 // indirect + golang.org/x/sys v0.9.0 // indirect + golang.org/x/term v0.9.0 // indirect + golang.org/x/text v0.10.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.9.1 // indirect google.golang.org/appengine v1.6.7 // indirect diff --git a/go.sum b/go.sum index 47454259b..3bc76ed7f 100644 --- a/go.sum +++ b/go.sum @@ -390,8 +390,8 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.9.0 h1:LF6fAI+IutBocDJ2OT0Q1g8plpYljMZ4+lty+dsqw3g= -golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0= +golang.org/x/crypto v0.10.0 h1:LKqV2xt9+kDzSTfOhx4FrkEBcMrAgHSYgzywV9zcGmM= +golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -524,19 +524,19 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU= -golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s= +golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols= -golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.9.0 h1:GRRCnKYhdQrD8kfRAdQ6Zcw1P0OcELxGLKJvtjVMZ28= +golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE= -golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.10.0 h1:UpjohKhiEgNc0CSauXmwYftY1+LlaC75SJwh0SgCX58= +golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From a53cfba348e0424326f33a89bc2a0f05bb24dd52 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 20 Jun 2023 02:34:22 -0700 Subject: [PATCH 363/405] Bump github.com/prometheus/client_golang from 1.15.1 to 1.16.0 (#10106) Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.15.1 to 1.16.0. - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](https://github.com/prometheus/client_golang/compare/v1.15.1...v1.16.0) --- updated-dependencies: - dependency-name: github.com/prometheus/client_golang dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index a28d70f0b..cbcc28cc8 100644 --- a/go.mod +++ b/go.mod @@ -17,7 +17,7 @@ require ( github.com/onsi/ginkgo/v2 v2.9.5 github.com/opencontainers/runc v1.1.7 github.com/pmezard/go-difflib v1.0.0 - github.com/prometheus/client_golang v1.15.1 + github.com/prometheus/client_golang v1.16.0 github.com/prometheus/client_model v0.4.0 github.com/prometheus/common v0.44.0 github.com/spf13/cobra v1.7.0 @@ -93,7 +93,7 @@ require ( github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 // indirect github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/pkg/errors v0.9.1 // indirect - github.com/prometheus/procfs v0.9.0 // indirect + github.com/prometheus/procfs v0.10.1 // indirect github.com/sergi/go-diff v1.1.0 // indirect github.com/sirupsen/logrus v1.8.1 // indirect github.com/xlab/treeprint v1.1.0 // indirect diff --git a/go.sum b/go.sum index 3bc76ed7f..5924b2d1c 100644 --- a/go.sum +++ b/go.sum @@ -306,8 +306,8 @@ github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= -github.com/prometheus/client_golang v1.15.1 h1:8tXpTmJbyH5lydzFPoxSIJ0J46jdh3tylbvM1xCv0LI= -github.com/prometheus/client_golang v1.15.1/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk= +github.com/prometheus/client_golang v1.16.0 h1:yk/hx9hDbrGHovbci4BY+pRMfSuuat626eFsHb7tmT8= +github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= @@ -326,8 +326,8 @@ github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsT github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= -github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI= -github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY= +github.com/prometheus/procfs v0.10.1 h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg= +github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE= From 1eeabe97b5cf8ad04d25f6b435579dce388da4bd Mon Sep 17 00:00:00 2001 From: Brendan Kamp Date: Tue, 20 Jun 2023 11:42:22 +0200 Subject: [PATCH 364/405] chore: remove echo friom canary tests (#10089) Signed-off-by: Spazzy --- test/e2e/annotations/canary.go | 700 +++++++++++++++++++++---------- test/e2e/framework/deployment.go | 9 +- 2 files changed, 493 insertions(+), 216 deletions(-) diff --git a/test/e2e/annotations/canary.go b/test/e2e/annotations/canary.go index 6dd81fdd8..15cbeffa7 100644 --- a/test/e2e/annotations/canary.go +++ b/test/e2e/annotations/canary.go @@ -30,18 +30,15 @@ import ( ) const ( - canaryService = "echo-canary" + canaryService = "httpbun-canary" ) var _ = framework.DescribeAnnotation("canary-*", func() { - f := framework.NewDefaultFramework("canary") + f := framework.NewDefaultFramework("canary", framework.WithHTTPBunEnabled()) ginkgo.BeforeEach(func() { - // Deployment for main backend - f.NewEchoDeployment() - // Deployment for canary backend - f.NewEchoDeployment(framework.WithDeploymentName(canaryService)) + f.NewHttpbunDeployment(framework.WithDeploymentName(canaryService)) }) ginkgo.Context("when canary is created", func() { @@ -49,9 +46,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { host := "foo" annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, - framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -65,16 +67,23 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body(). + Contains(framework.HTTPBunService). + NotContains(canaryService) }) ginkgo.It("should return 404 status for requests to the canary if no matching ingress is found", func() { @@ -87,13 +96,17 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "always"). Expect(). @@ -108,7 +121,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { host := "foo" annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + ing := framework.NewSingleIngress(host, "/info", host, f.Namespace, framework.HTTPBunService, 80, annotations) f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -123,7 +136,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, f.Namespace, canaryService, + canaryIng := framework.NewSingleIngress(canaryIngName, "/info", host, f.Namespace, canaryService, 80, canaryAnnotations) f.EnsureIngress(canaryIng) @@ -162,9 +175,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { host := "foo" annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, - framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -178,29 +196,37 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) ginkgo.By("routing requests destined for the mainline ingress to the maineline upstream") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "never"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body(). + Contains(framework.HTTPBunService). + NotContains(canaryService) ginkgo.By("routing requests destined for the canary ingress to the canary upstream") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "always"). Expect(). Status(http.StatusOK). - Body().Contains(canaryService) + Body(). + Contains(canaryService) }) ginkgo.It("should route requests to the correct upstream if mainline ingress is created after the canary ingress", func() { @@ -213,15 +239,25 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, - framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -230,30 +266,38 @@ var _ = framework.DescribeAnnotation("canary-*", func() { ginkgo.By("routing requests destined for the mainline ingress to the mainelin upstream") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "never"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body(). + Contains(framework.HTTPBunService). + NotContains(canaryService) ginkgo.By("routing requests destined for the canary ingress to the canary upstream") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "always"). Expect(). Status(http.StatusOK). - Body().Contains(canaryService) + Body(). + Contains(canaryService) }) ginkgo.It("should route requests to the correct upstream if the mainline ingress is modified", func() { host := "foo" annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, - framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -267,18 +311,27 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) modAnnotations := map[string]string{ "foo": "bar", } - modIng := framework.NewSingleIngress(host, "/", host, f.Namespace, - framework.EchoService, 80, modAnnotations) - - f.UpdateIngress(modIng) + f.UpdateIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + modAnnotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -287,30 +340,38 @@ var _ = framework.DescribeAnnotation("canary-*", func() { ginkgo.By("routing requests destined fro the mainline ingress to the mainline upstream") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "never"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body(). + Contains(framework.HTTPBunService). + NotContains(canaryService) ginkgo.By("routing requests destined for the canary ingress to the canary upstream") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "always"). Expect(). Status(http.StatusOK). - Body().Contains(canaryService) + Body(). + Contains(canaryService) }) ginkgo.It("should route requests to the correct upstream if the canary ingress is modified", func() { host := "foo" annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, - framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -324,9 +385,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -338,10 +404,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/canary-by-header": "CanaryByHeader2", } - modIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, newAnnotations) - - f.UpdateIngress(modIng) + f.UpdateIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + newAnnotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -350,21 +420,24 @@ var _ = framework.DescribeAnnotation("canary-*", func() { ginkgo.By("routing requests destined for the mainline ingress to the mainline upstream") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader2", "never"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body(). + Contains(framework.HTTPBunService). + NotContains(canaryService) ginkgo.By("routing requests destined for the canary ingress to the canary upstream") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader2", "always"). Expect(). Status(http.StatusOK). - Body().Contains(canaryService) + Body(). + Contains(canaryService) }) }) @@ -372,9 +445,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { ginkgo.It("should route requests to the correct upstream", func() { host := "foo" - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, - framework.EchoService, 80, nil) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + nil)) f.WaitForNginxServer(host, func(server string) bool { @@ -388,37 +466,46 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) ginkgo.By("routing requests to the canary upstream when header is set to 'always'") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "always"). Expect(). Status(http.StatusOK). - Body().Contains(canaryService) + Body(). + Contains(canaryService) ginkgo.By("routing requests to the mainline upstream when header is set to 'never'") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "never"). Expect(). Status(http.StatusOK). Body(). - Contains(framework.EchoService).NotContains(canaryService) + Contains(framework.HTTPBunService). + NotContains(canaryService) ginkgo.By("routing requests to the mainline upstream when header is set to anything else") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "badheadervalue"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body(). + Contains(framework.HTTPBunService). + NotContains(canaryService) }) }) @@ -427,9 +514,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { host := "foo" annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, - f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -444,45 +536,57 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) ginkgo.By("routing requests to the canary upstream when header is set to 'DoCanary'") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "DoCanary"). Expect(). Status(http.StatusOK). - Body().Contains(canaryService) + Body(). + Contains(canaryService) ginkgo.By("routing requests to the mainline upstream when header is set to 'always'") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "always"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body(). + Contains(framework.HTTPBunService). + NotContains(canaryService) ginkgo.By("routing requests to the mainline upstream when header is set to 'never'") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "never"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body(). + Contains(framework.HTTPBunService). + NotContains(canaryService) ginkgo.By("routing requests to the mainline upstream when header is set to anything else") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "otherheadervalue"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body(). + Contains(framework.HTTPBunService). + NotContains(canaryService) }) }) @@ -491,8 +595,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { host := "foo" annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -507,13 +617,18 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, f.Namespace, canaryService, - 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) ginkgo.By("routing requests to the canary upstream when header pattern is matched") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "DoCanary"). Expect(). @@ -522,19 +637,25 @@ var _ = framework.DescribeAnnotation("canary-*", func() { ginkgo.By("routing requests to the mainline upstream when header failed to match header value") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "Docanary"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body().Contains(framework.HTTPBunService).NotContains(canaryService) }) ginkgo.It("should route requests to the correct upstream", func() { host := "foo" annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -550,25 +671,36 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, f.Namespace, canaryService, - 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) ginkgo.By("routing requests to the mainline upstream when header is set to 'DoCananry' and header-value is 'DoCanary'") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "DoCananry"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body().Contains(framework.HTTPBunService).NotContains(canaryService) }) ginkgo.It("should routes to mainline upstream when the given Regex causes error", func() { host := "foo" annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -584,19 +716,24 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, f.Namespace, canaryService, - 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) ginkgo.By("routing requests to the mainline upstream when the given Regex causes error") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "DoCanary"). WithCookie("CanaryByCookie", "always"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body().Contains(framework.HTTPBunService).NotContains(canaryService) }) }) @@ -605,9 +742,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { host := "foo" annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, - f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -623,13 +765,18 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) ginkgo.By("routing requests to the canary upstream when header value does not match and cookie is set to 'always'") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "otherheadervalue"). WithCookie("CanaryByCookie", "always"). @@ -644,9 +791,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { host := "foo" annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, - f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -660,14 +812,19 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) ginkgo.By("routing requests to the canary upstream when cookie is set to 'always'") for i := 0; i < 50; i++ { f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithCookie("Canary-By-Cookie", "always"). Expect(). @@ -678,12 +835,12 @@ var _ = framework.DescribeAnnotation("canary-*", func() { ginkgo.By("routing requests to the mainline upstream when cookie is set to 'never'") for i := 0; i < 50; i++ { f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithCookie("Canary-By-Cookie", "never"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body().Contains(framework.HTTPBunService).NotContains(canaryService) } ginkgo.By("routing requests to the mainline upstream when cookie is set to anything else") @@ -691,12 +848,12 @@ var _ = framework.DescribeAnnotation("canary-*", func() { // This test relies on canary cookie not parsing into the valid // affinity data and canary weight not being specified at all. f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithCookie("Canary-By-Cookie", "badcookievalue"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body().Contains(framework.HTTPBunService).NotContains(canaryService) } }) }) @@ -706,9 +863,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { host := "foo" annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, - f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -721,9 +883,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/canary-weight": "0", } - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -731,12 +898,12 @@ var _ = framework.DescribeAnnotation("canary-*", func() { }) f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). Expect(). Status(http.StatusOK). Body(). - Contains(framework.EchoService). + Contains(framework.HTTPBunService). NotContains(canaryService) }) @@ -744,9 +911,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { host := "foo" annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, - f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -759,12 +931,17 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/canary-weight": "100", } - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). Expect(). Status(http.StatusOK). @@ -776,9 +953,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { host := "foo" annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, - f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -792,12 +974,17 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/canary-weight-total": "1000", } - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). Expect(). Status(http.StatusOK). @@ -809,9 +996,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { host := "foo" annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, - f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -824,9 +1016,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/canary-weight": "50", } - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) TestMainlineCanaryDistribution(f, host) }) @@ -835,9 +1032,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { host := "foo" annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, - f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -851,9 +1053,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/canary-weight-total": "200", } - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) TestMainlineCanaryDistribution(f, host) }) @@ -868,17 +1075,23 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/canary-by-header": "CanaryByHeader", } - ing := framework.NewSingleCatchAllIngress(canaryIngName, - f.Namespace, canaryService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleCatchAllIngress( + canaryIngName, + f.Namespace, + canaryService, + 80, + annotations)) - ing = framework.NewSingleCatchAllIngress(host, f.Namespace, - framework.EchoService, 80, nil) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleCatchAllIngress( + host, + f.Namespace, + framework.HTTPBunService, + 80, + nil)) f.WaitForNginxServer("_", func(server string) bool { - upstreamName := fmt.Sprintf(`set $proxy_upstream_name "%s-%s-%s";`, f.Namespace, framework.EchoService, "80") + upstreamName := fmt.Sprintf(`set $proxy_upstream_name "%s-%s-%s";`, f.Namespace, framework.HTTPBunService, "80") canaryUpstreamName := fmt.Sprintf(`set $proxy_upstream_name "%s-%s-%s";`, f.Namespace, canaryService, "80") return strings.Contains(server, fmt.Sprintf(`set $ingress_name "%v";`, host)) && @@ -896,14 +1109,24 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/canary-by-header": "CanaryByHeader", } - ing := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + annotations)) otherHost := "bar" - ing = framework.NewSingleIngress(otherHost, "/", otherHost, - f.Namespace, framework.EchoService, 80, nil) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + otherHost, + "/info", + otherHost, + f.Namespace, + framework.HTTPBunService, + 80, + nil)) f.WaitForNginxConfiguration(func(cfg string) bool { return strings.Contains(cfg, "server_name "+otherHost) && @@ -921,13 +1144,22 @@ var _ = framework.DescribeAnnotation("canary-*", func() { } paths := []string{"/foo", "/bar"} - ing := framework.NewSingleIngressWithMultiplePaths(canaryIngName, paths, host, - f.Namespace, "httpy-svc-canary", 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngressWithMultiplePaths( + canaryIngName, + paths, + host, + f.Namespace, + "httpy-svc-canary", + 80, + annotations)) - ing = framework.NewSingleIngress(host, "/", host, f.Namespace, - framework.EchoService, 80, nil) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, f.Namespace, + framework.HTTPBunService, + 80, + nil)) f.WaitForNginxServer(host, func(server string) bool { @@ -946,9 +1178,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/session-cookie-name": affinityCookieName, } - ing := framework.NewSingleIngress(host, "/", host, - f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -964,14 +1201,19 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/canary-weight": "1", } - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) // This request will produce affinity cookie coming from the canary // backend. forcedRequestToCanary := f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("ForceCanary", "yes"). Expect(). @@ -988,7 +1230,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { // routed to a specific backend. for i := 0; i < 50; i++ { f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithCookie(affinityCookieName, affinityCookie.Raw().Value). Expect(). @@ -1003,9 +1245,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/session-cookie-name": affinityCookieName, } - ing := framework.NewSingleIngress(host, "/", host, - f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -1022,14 +1269,19 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/affinity-canary-behavior": "sticky", } - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) // This request will produce affinity cookie coming from the canary // backend. forcedRequestToCanary := f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("ForceCanary", "yes"). Expect(). @@ -1046,7 +1298,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { // routed to a specific backend. for i := 0; i < 50; i++ { f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithCookie(affinityCookieName, affinityCookie.Raw().Value). Expect(). @@ -1061,9 +1313,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/session-cookie-name": affinityCookieName, } - ing := framework.NewSingleIngress(host, "/", host, - f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -1080,14 +1337,19 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/affinity-canary-behavior": "legacy", } - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) // This request will produce affinity cookie coming from the canary // backend. forcedRequestToCanary := f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("ForceCanary", "yes"). Expect(). @@ -1113,7 +1375,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { // This method assumes canary weight being configured at 50%. func TestMainlineCanaryDistribution(f *framework.Framework, host string) { - re := regexp.MustCompile(fmt.Sprintf(`%s.*`, framework.EchoService)) + re := regexp.MustCompile(fmt.Sprintf(`%s.*`, framework.HTTPBunService)) replicaRequestCount := map[string]int{} // The implementation of choice by weight doesn't guarantee exact @@ -1124,7 +1386,7 @@ func TestMainlineCanaryDistribution(f *framework.Framework, host string) { for i := 0; i < requestsToGet; i++ { body := f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). Expect(). Status(http.StatusOK).Body().Raw() @@ -1143,6 +1405,14 @@ func TestMainlineCanaryDistribution(f *framework.Framework, host string) { assert.Equal(ginkgo.GinkgoT(), 2, len(keys)) - assert.GreaterOrEqual(ginkgo.GinkgoT(), int(replicaRequestCount[keys[0].String()]), requestsNumberToTest) - assert.GreaterOrEqual(ginkgo.GinkgoT(), int(replicaRequestCount[keys[1].String()]), requestsNumberToTest) + assert.GreaterOrEqual( + ginkgo.GinkgoT(), + int(replicaRequestCount[keys[0].String()]), + requestsNumberToTest, + ) + assert.GreaterOrEqual( + ginkgo.GinkgoT(), + int(replicaRequestCount[keys[1].String()]), + requestsNumberToTest, + ) } diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go index d4e20fbf5..04faefc7f 100644 --- a/test/e2e/framework/deployment.go +++ b/test/e2e/framework/deployment.go @@ -219,7 +219,14 @@ func (f *Framework) NewHttpbunDeployment(opts ...func(*deploymentOptions)) strin options.image, 80, int32(options.replicas), - nil, nil, nil, + nil, nil, + //Required to get hostname information + []corev1.EnvVar{ + { + Name: "HTTPBUN_INFO_ENABLED", + Value: "1", + }, + }, []corev1.VolumeMount{}, []corev1.Volume{}, true, From 0b4c98b7c31f95e00dc93b7a346bfe3a6526af51 Mon Sep 17 00:00:00 2001 From: LucasBoisserie Date: Thu, 22 Jun 2023 16:59:40 +0200 Subject: [PATCH 365/405] feat(helm): Add loadBalancerClass (#9562) --- charts/ingress-nginx/README.md | 1 + charts/ingress-nginx/templates/controller-service.yaml | 3 +++ charts/ingress-nginx/values.yaml | 2 ++ 3 files changed, 6 insertions(+) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 363970f60..a425ca33e 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -414,6 +414,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ | | controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack-ness requested or required by this Service. Possible values are SingleStack, PreferDualStack or RequireDualStack. The ipFamilies and clusterIPs fields depend on the value of this field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ | | controller.service.labels | object | `{}` | | +| controller.service.loadBalancerClass | string | `""` | Used by cloud providers to select a load balancer implementation other than the cloud provider default. https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class | | controller.service.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer | | controller.service.loadBalancerSourceRanges | list | `[]` | | | controller.service.nodePorts.http | string | `""` | | diff --git a/charts/ingress-nginx/templates/controller-service.yaml b/charts/ingress-nginx/templates/controller-service.yaml index 2b28196de..36feb06c5 100644 --- a/charts/ingress-nginx/templates/controller-service.yaml +++ b/charts/ingress-nginx/templates/controller-service.yaml @@ -28,6 +28,9 @@ spec: {{- if .Values.controller.service.loadBalancerSourceRanges }} loadBalancerSourceRanges: {{ toYaml .Values.controller.service.loadBalancerSourceRanges | nindent 4 }} {{- end }} +{{- if .Values.controller.service.loadBalancerClass }} + loadBalancerClass: {{ toYaml .Values.controller.service.loadBalancerClass }} +{{- end }} {{- if .Values.controller.service.externalTrafficPolicy }} externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} {{- end }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 8080a1fc3..cc8bddf28 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -426,6 +426,8 @@ controller: # -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer loadBalancerIP: "" loadBalancerSourceRanges: [] + # -- Used by cloud providers to select a load balancer implementation other than the cloud provider default. https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + loadBalancerClass: "" enableHttp: true enableHttps: true ## Set external traffic policy to: "Local" to preserve source IP on providers supporting it. From 8cdbcfa61cefe2bd49ca45bf71b05a57b0a1d30d Mon Sep 17 00:00:00 2001 From: James Strong Date: Thu, 22 Jun 2023 13:25:41 -0400 Subject: [PATCH 366/405] golang 1.20.5 bump (#10120) Signed-off-by: James Strong --- images/test-runner/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile index 1d1f4f638..acf3dd660 100644 --- a/images/test-runner/Makefile +++ b/images/test-runner/Makefile @@ -43,7 +43,7 @@ image: --pull \ --push \ --build-arg BASE_IMAGE=${NGINX_BASE_IMAGE} \ - --build-arg GOLANG_VERSION=1.20.4 \ + --build-arg GOLANG_VERSION=1.20.5 \ --build-arg ETCD_VERSION=3.4.3-0 \ --build-arg K8S_RELEASE=v1.26.0 \ --build-arg RESTY_CLI_VERSION=0.27 \ @@ -64,7 +64,7 @@ build: ensure-buildx --progress=${PROGRESS} \ --pull \ --build-arg BASE_IMAGE=${NGINX_BASE_IMAGE} \ - --build-arg GOLANG_VERSION=1.20.4 \ + --build-arg GOLANG_VERSION=1.20.5 \ --build-arg ETCD_VERSION=3.4.3-0 \ --build-arg K8S_RELEASE=v1.26.0 \ --build-arg RESTY_CLI_VERSION=0.27 \ From 08158df8c0b9d869247aceed8fdfffe5ac55e929 Mon Sep 17 00:00:00 2001 From: Isaac Wilson <10012479+jukie@users.noreply.github.com> Date: Thu, 22 Jun 2023 11:35:40 -0600 Subject: [PATCH 367/405] Update typo in docs for lb scheme (#10117) --- charts/ingress-nginx/README.md | 2 +- charts/ingress-nginx/README.md.gotmpl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index a425ca33e..808601439 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -144,7 +144,7 @@ controller: enabled: true annotations: # Create internal NLB - service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" + service.beta.kubernetes.io/aws-load-balancer-scheme: "internal" # Create internal ELB(Deprecated) # service.beta.kubernetes.io/aws-load-balancer-internal: "true" # Any other annotation can be declared here. diff --git a/charts/ingress-nginx/README.md.gotmpl b/charts/ingress-nginx/README.md.gotmpl index 9b6f8c9c9..17b029bbf 100644 --- a/charts/ingress-nginx/README.md.gotmpl +++ b/charts/ingress-nginx/README.md.gotmpl @@ -141,7 +141,7 @@ controller: enabled: true annotations: # Create internal NLB - service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" + service.beta.kubernetes.io/aws-load-balancer-scheme: "internal" # Create internal ELB(Deprecated) # service.beta.kubernetes.io/aws-load-balancer-internal: "true" # Any other annotation can be declared here. From f8bf5a3086fc52114040a60335e2f483e819a14c Mon Sep 17 00:00:00 2001 From: Brendan Kamp Date: Fri, 23 Jun 2023 12:01:24 +0200 Subject: [PATCH 368/405] chore: remove echo from snippet tests (#10110) Signed-off-by: Spazzy --- test/e2e/annotations/snippet.go | 46 +++++++++++++++++++++------------ 1 file changed, 30 insertions(+), 16 deletions(-) diff --git a/test/e2e/annotations/snippet.go b/test/e2e/annotations/snippet.go index 367708302..2bbd3e33a 100644 --- a/test/e2e/annotations/snippet.go +++ b/test/e2e/annotations/snippet.go @@ -26,21 +26,25 @@ import ( ) var _ = framework.DescribeAnnotation("configuration-snippet", func() { - f := framework.NewDefaultFramework("configurationsnippet") + f := framework.NewDefaultFramework( + "configurationsnippet", + framework.WithHTTPBunEnabled(), + ) - ginkgo.BeforeEach(func() { - f.NewEchoDeployment() - }) - - ginkgo.It(`set snippet "more_set_headers "Foo1: Bar1";" in all locations"`, func() { + ginkgo.It("set snippet more_set_headers in all locations", func() { host := "configurationsnippet.foo.com" annotations := map[string]string{ - "nginx.ingress.kubernetes.io/configuration-snippet": ` - more_set_headers "Foo1: Bar1";`, + "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_headers "Foo1: Bar1";`, } - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -51,23 +55,32 @@ var _ = framework.DescribeAnnotation("configuration-snippet", func() { GET("/"). WithHeader("Host", host). Expect(). - Status(http.StatusOK).Headers(). + Status(http.StatusOK). + Headers(). ValueEqual("Foo1", []string{"Bar1"}) }) - ginkgo.It(`drops snippet "more_set_headers "Foo1: Bar1";" in all locations if disabled by admin"`, func() { + ginkgo.It("drops snippet more_set_header in all locations if disabled by admin", func() { host := "noconfigurationsnippet.foo.com" annotations := map[string]string{ - "nginx.ingress.kubernetes.io/configuration-snippet": ` - more_set_headers "Foo1: Bar1";`, + "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_headers "Foo1: Bar1";`, } - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + ing := framework.NewSingleIngress( + host, + "/", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations) + f.UpdateNginxConfigMapData("allow-snippet-annotations", "false") defer func() { // Return to the original value f.UpdateNginxConfigMapData("allow-snippet-annotations", "true") }() + // Sleep a while just to guarantee that the configmap is applied framework.Sleep() f.EnsureIngress(ing) @@ -81,7 +94,8 @@ var _ = framework.DescribeAnnotation("configuration-snippet", func() { GET("/"). WithHeader("Host", host). Expect(). - Status(http.StatusOK).Headers(). + Status(http.StatusOK). + Headers(). NotContainsKey("Foo1") }) }) From 44b006719150ac45f05e9fbb7f269110c3f3ec61 Mon Sep 17 00:00:00 2001 From: James Strong Date: Fri, 23 Jun 2023 09:31:00 -0400 Subject: [PATCH 369/405] add gcloud ignore Signed-off-by: James Strong --- .gcloudignore | 0 images/test-runner/cloudbuild.yaml | 6 ------ 2 files changed, 6 deletions(-) create mode 100644 .gcloudignore diff --git a/.gcloudignore b/.gcloudignore new file mode 100644 index 000000000..e69de29bb diff --git a/images/test-runner/cloudbuild.yaml b/images/test-runner/cloudbuild.yaml index 761ea7f28..b17de9b31 100644 --- a/images/test-runner/cloudbuild.yaml +++ b/images/test-runner/cloudbuild.yaml @@ -6,8 +6,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - SHORT_SHA=$SHORT_SHA - - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx # set the home to /root explicitly to if using docker buildx @@ -17,7 +15,3 @@ steps: - | gcloud auth configure-docker \ && cd images/test-runner && make push -substitutions: - _GIT_TAG: "12345" - _PULL_BASE_REF: "master" - _PULL_BASE_SHA: '12345' \ No newline at end of file From cd610168be182844c8a9d73cd5540de2dc62b5d0 Mon Sep 17 00:00:00 2001 From: James Strong Date: Fri, 23 Jun 2023 14:17:24 -0400 Subject: [PATCH 370/405] update test runner (#10125) Signed-off-by: James Strong --- build/run-in-docker.sh | 2 +- test/e2e-image/Makefile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh index d2d6fcdd9..86e0e443f 100755 --- a/build/run-in-docker.sh +++ b/build/run-in-docker.sh @@ -44,7 +44,7 @@ function cleanup { } trap cleanup EXIT -E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20230527@sha256:a98ce8ab90f16bdd8539b168a4d000f366afa4eec23a220b3ce39698c5769bfd} +E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20230623-d50c7193b@sha256:e5c68dc56934c273850bfb75c0348a2819756669baf59fcdce9e16771537b247} if [[ "$RUNTIME" == podman ]]; then # Podman does not support both tag and digest diff --git a/test/e2e-image/Makefile b/test/e2e-image/Makefile index f74ea8c74..f68d6ea6e 100644 --- a/test/e2e-image/Makefile +++ b/test/e2e-image/Makefile @@ -1,6 +1,6 @@ DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST)))) -E2E_BASE_IMAGE ?= "registry.k8s.io/ingress-nginx/e2e-test-runner:v20230527@sha256:a98ce8ab90f16bdd8539b168a4d000f366afa4eec23a220b3ce39698c5769bfd" +E2E_BASE_IMAGE ?= "registry.k8s.io/ingress-nginx/e2e-test-runner:v20230623-d50c7193b@sha256:e5c68dc56934c273850bfb75c0348a2819756669baf59fcdce9e16771537b247" image: echo "..entered Makefile in /test/e2e-image" From 58650d6aaab8452d9ceaa010db251c068a1d91f3 Mon Sep 17 00:00:00 2001 From: James Strong Date: Fri, 23 Jun 2023 15:29:48 -0400 Subject: [PATCH 371/405] rebuild nginx base container image Signed-off-by: James Strong --- TAG | 2 +- images/nginx/TAG | 2 +- images/nginx/cloudbuild.yaml | 6 ------ 3 files changed, 2 insertions(+), 8 deletions(-) diff --git a/TAG b/TAG index ba103d909..c9a0c1a83 100644 --- a/TAG +++ b/TAG @@ -1,2 +1,2 @@ -v1.8.0 +v1.8.1 diff --git a/images/nginx/TAG b/images/nginx/TAG index 77d6f4ca2..8acdd82b7 100644 --- a/images/nginx/TAG +++ b/images/nginx/TAG @@ -1 +1 @@ -0.0.0 +0.0.1 diff --git a/images/nginx/cloudbuild.yaml b/images/nginx/cloudbuild.yaml index c581700dd..71051f26d 100644 --- a/images/nginx/cloudbuild.yaml +++ b/images/nginx/cloudbuild.yaml @@ -8,8 +8,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - SHORT_SHA=$SHORT_SHA - - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx - HOME=/root args: @@ -17,7 +15,3 @@ steps: - | gcloud auth configure-docker \ && cd images/nginx && make push -substitutions: - _GIT_TAG: "12345" - _PULL_BASE_REF: "master" - _PULL_BASE_SHA: '12345' From 643c475db08e216eebd8c17dfc069b1a257d2df1 Mon Sep 17 00:00:00 2001 From: Long Wu Yuan Date: Mon, 26 Jun 2023 07:03:11 +0530 Subject: [PATCH 372/405] bump pinned golang to 1.20.5 (#10127) --- images/custom-error-pages/rootfs/Dockerfile | 2 +- images/ext-auth-example-authsvc/rootfs/Dockerfile | 2 +- images/fastcgi-helloserver/rootfs/Dockerfile | 2 +- images/go-grpc-greeter-server/rootfs/Dockerfile | 2 +- images/httpbun/rootfs/Dockerfile | 2 +- images/kube-webhook-certgen/rootfs/Dockerfile | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/images/custom-error-pages/rootfs/Dockerfile b/images/custom-error-pages/rootfs/Dockerfile index 30ac54693..04bcb8e08 100755 --- a/images/custom-error-pages/rootfs/Dockerfile +++ b/images/custom-error-pages/rootfs/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.20.4-alpine3.18 as builder +FROM golang:1.20.5-alpine3.18 as builder RUN apk update \ && apk upgrade && apk add git diff --git a/images/ext-auth-example-authsvc/rootfs/Dockerfile b/images/ext-auth-example-authsvc/rootfs/Dockerfile index 96dcd9a39..02d92d773 100644 --- a/images/ext-auth-example-authsvc/rootfs/Dockerfile +++ b/images/ext-auth-example-authsvc/rootfs/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.20.4-alpine3.18 as builder +FROM golang:1.20.5-alpine3.18 as builder RUN mkdir /authsvc WORKDIR /authsvc COPY . ./ diff --git a/images/fastcgi-helloserver/rootfs/Dockerfile b/images/fastcgi-helloserver/rootfs/Dockerfile index a11834373..096d31abb 100755 --- a/images/fastcgi-helloserver/rootfs/Dockerfile +++ b/images/fastcgi-helloserver/rootfs/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.20.4-alpine3.18 as builder +FROM golang:1.20.5-alpine3.18 as builder WORKDIR /go/src/k8s.io/ingress-nginx/images/fastcgi diff --git a/images/go-grpc-greeter-server/rootfs/Dockerfile b/images/go-grpc-greeter-server/rootfs/Dockerfile index d457b43e5..46f916fb4 100644 --- a/images/go-grpc-greeter-server/rootfs/Dockerfile +++ b/images/go-grpc-greeter-server/rootfs/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.20.4-alpine3.18 as build +FROM golang:1.20.5-alpine3.18 as build WORKDIR /go/src/greeter-server diff --git a/images/httpbun/rootfs/Dockerfile b/images/httpbun/rootfs/Dockerfile index a1775d303..e88716bb8 100644 --- a/images/httpbun/rootfs/Dockerfile +++ b/images/httpbun/rootfs/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.20 AS builder +FROM golang:1.20.5 AS builder ENV LC_ALL=C.UTF-8 ENV LANG=C.UTF-8 diff --git a/images/kube-webhook-certgen/rootfs/Dockerfile b/images/kube-webhook-certgen/rootfs/Dockerfile index 40a2c31ac..13226dbe2 100644 --- a/images/kube-webhook-certgen/rootfs/Dockerfile +++ b/images/kube-webhook-certgen/rootfs/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM --platform=$BUILDPLATFORM golang:1.20.1 as builder +FROM --platform=$BUILDPLATFORM golang:1.20.5 as builder ARG BUILDPLATFORM ARG TARGETARCH From a21b5218a53476015c996e2588ac5837b20d37b0 Mon Sep 17 00:00:00 2001 From: Junrui Chen Date: Tue, 27 Jun 2023 16:30:30 +1000 Subject: [PATCH 373/405] Set grpc :authority header from request header (#8912) This is to fix that the `:authority` header is set to `upstream_balancer` --- rootfs/etc/nginx/template/nginx.tmpl | 2 -- test/e2e/annotations/grpc.go | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index a1e02aae3..ccc86702d 100644 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -1388,13 +1388,11 @@ stream { {{ end }} {{/* By default use vhost as Host to upstream, but allow overrides */}} - {{ if not (eq $proxySetHeader "grpc_set_header") }} {{ if not (empty $location.UpstreamVhost) }} {{ $proxySetHeader }} Host {{ $location.UpstreamVhost | quote }}; {{ else }} {{ $proxySetHeader }} Host $best_http_host; {{ end }} - {{ end }} # Pass the extracted client certificate to the backend {{ if not (empty $server.CertificateAuth.CAFileName) }} diff --git a/test/e2e/annotations/grpc.go b/test/e2e/annotations/grpc.go index c8e530ead..243307df4 100644 --- a/test/e2e/annotations/grpc.go +++ b/test/e2e/annotations/grpc.go @@ -120,6 +120,7 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { metadata := res.GetMetadata() assert.Equal(ginkgo.GinkgoT(), metadata["content-type"].Values[0], "application/grpc") + assert.Equal(ginkgo.GinkgoT(), metadata[":authority"].Values[0], host) }) ginkgo.It("authorization metadata should be overwritten by external auth response headers", func() { From 0986c33378e8567059ce00d7dc8e7f36c56731e4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 27 Jun 2023 05:28:30 -0700 Subject: [PATCH 374/405] Bump google.golang.org/grpc from 1.56.0 to 1.56.1 (#10134) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.56.0 to 1.56.1. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.56.0...v1.56.1) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index cbcc28cc8..4b75cbd12 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a golang.org/x/crypto v0.10.0 - google.golang.org/grpc v1.56.0 + google.golang.org/grpc v1.56.1 google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 diff --git a/go.sum b/go.sum index 5924b2d1c..db879481c 100644 --- a/go.sum +++ b/go.sum @@ -661,8 +661,8 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.56.0 h1:+y7Bs8rtMd07LeXmL3NxcTLn7mUkbKZqEpPhMNkwJEE= -google.golang.org/grpc v1.56.0/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= +google.golang.org/grpc v1.56.1 h1:z0dNfjIl0VpaZ9iSVjA6daGatAYwPGstTjt5vkRMFkQ= +google.golang.org/grpc v1.56.1/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 h1:pPsdyuBif+uoyUoL19yuj/TCfUPsmpJHJZhWQ98JGLU= google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7/go.mod h1:8pQa1yxxkh+EsxUK8/455D5MSbv3vgmEJqKCH3y17mI= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= From ef6163a0883e2be47d89a18b571aa128e24a19c1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 27 Jun 2023 05:30:31 -0700 Subject: [PATCH 375/405] Bump ossf/scorecard-action from 2.1.3 to 2.2.0 (#10133) Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.1.3 to 2.2.0. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](https://github.com/ossf/scorecard-action/compare/80e868c13c90f172d68d1f4501dee99e2479f7af...08b4669551908b1024bb425080c797723083c031) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 72a112ac4..2e276a3f6 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -32,7 +32,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3 + uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0 with: results_file: results.sarif results_format: sarif From 002d7e90d76e2588a7b3babc671837e5803656d9 Mon Sep 17 00:00:00 2001 From: Fabio Formosa Date: Tue, 27 Jun 2023 14:34:32 +0200 Subject: [PATCH 376/405] Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406) * Update README.md #9403 Add documentation for controller.service.internal.loadBalancerIP in Helm chart * Update README.md removed a duplicated row in the helm chart values * #9403 added a doc to the internal loadBalancerIP removed a comment from an already supported helm value and added a doc line * #9403 Reverted a manual added line Removed a manual added line in favour of helm doc * #9403 re-generated the README with the last doc line added to the value.yaml * #9403 removed trailing spaces * removed trail spaces --- charts/ingress-nginx/README.md | 1 + charts/ingress-nginx/values.yaml | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 808601439..8b5d92d37 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -408,6 +408,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # | | controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. | | controller.service.internal.enabled | bool | `false` | Enables an additional internal load balancer (besides the external one). | +| controller.service.internal.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS. | | controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. | | controller.service.internal.ports | object | `{}` | Custom port mapping for internal service | | controller.service.internal.targetPorts | object | `{}` | Custom target port mapping for internal service | diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index cc8bddf28..b313643f3 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -478,7 +478,9 @@ controller: enabled: false # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. annotations: {} - # loadBalancerIP: "" + + # -- Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS. + loadBalancerIP: "" # -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. loadBalancerSourceRanges: [] From 8b24fc98d28dec4e1cdc247fac240cd237c0c8c9 Mon Sep 17 00:00:00 2001 From: kylekluever <39891060+kylekluever@users.noreply.github.com> Date: Tue, 27 Jun 2023 07:42:32 -0500 Subject: [PATCH 377/405] Fix loadBalancerClass value (#10139) --- charts/ingress-nginx/templates/controller-service.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/ingress-nginx/templates/controller-service.yaml b/charts/ingress-nginx/templates/controller-service.yaml index 36feb06c5..b2735d2e8 100644 --- a/charts/ingress-nginx/templates/controller-service.yaml +++ b/charts/ingress-nginx/templates/controller-service.yaml @@ -29,7 +29,7 @@ spec: loadBalancerSourceRanges: {{ toYaml .Values.controller.service.loadBalancerSourceRanges | nindent 4 }} {{- end }} {{- if .Values.controller.service.loadBalancerClass }} - loadBalancerClass: {{ toYaml .Values.controller.service.loadBalancerClass }} + loadBalancerClass: {{ .Values.controller.service.loadBalancerClass }} {{- end }} {{- if .Values.controller.service.externalTrafficPolicy }} externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} From 1ddecfc09945e265b88e510f8c0787519ab7b476 Mon Sep 17 00:00:00 2001 From: Long Wu Yuan Date: Tue, 27 Jun 2023 23:36:33 +0530 Subject: [PATCH 378/405] changed to updated baseimage and reverted tag (#10143) --- NGINX_BASE | 2 +- TAG | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/NGINX_BASE b/NGINX_BASE index 02a35039a..14a7ee54b 100644 --- a/NGINX_BASE +++ b/NGINX_BASE @@ -1 +1 @@ -registry.k8s.io/ingress-nginx/nginx:v20230527@sha256:cf77c71aa6e4284925ca2233ddf871b5823eaa3ee000347ae25096b07fb52c57 +registry.k8s.io/ingress-nginx/nginx:v20230623-427f3d2fb@sha256:7b479f66872c0b1cb0f1315e305b8a3e9c6da846c7dd3855db99bc8cfd6791e1 diff --git a/TAG b/TAG index c9a0c1a83..804a616da 100644 --- a/TAG +++ b/TAG @@ -1,2 +1 @@ -v1.8.1 - +v1.8.0 From a2f3036e20bcd500daee9d9eeebf807257c75c7b Mon Sep 17 00:00:00 2001 From: Jintao Zhang Date: Wed, 28 Jun 2023 02:50:32 +0800 Subject: [PATCH 379/405] netlify: Only trigger preview when there are changes in docs. (#10144) Signed-off-by: Jintao Zhang --- netlify.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/netlify.toml b/netlify.toml index add8d4fc3..dc4b0d1ca 100644 --- a/netlify.toml +++ b/netlify.toml @@ -2,6 +2,7 @@ [build] publish = "site" command = "make build-docs" +ignore = "git diff --quiet $CACHED_COMMIT_REF $COMMIT_REF ./docs" # available here https://github.com/netlify/build-image/blob/focal/included_software.md#languages environment = { PYTHON_VERSION = "3.8" } From b38a2c761283e16bff3f17f56ce135986b9716ab Mon Sep 17 00:00:00 2001 From: z1cheng Date: Fri, 30 Jun 2023 12:37:20 +0000 Subject: [PATCH 380/405] Fix OCI manifest templates and regenerate the deploy files Signed-off-by: z1cheng --- deploy/static/provider/oci/deploy.yaml | 57 ++++++++++--------- deploy/static/provider/oci/kustomization.yaml | 2 +- .../provider/oci/kustomization.yaml | 4 ++ .../provider/oci/values.yaml | 8 +++ 4 files changed, 42 insertions(+), 29 deletions(-) create mode 100644 hack/manifest-templates/provider/oci/kustomization.yaml create mode 100644 hack/manifest-templates/provider/oci/values.yaml diff --git a/deploy/static/provider/oci/deploy.yaml b/deploy/static/provider/oci/deploy.yaml index 77de50247..2518201bd 100644 --- a/deploy/static/provider/oci/deploy.yaml +++ b/deploy/static/provider/oci/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,26 +328,27 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx --- apiVersion: v1 kind: Service metadata: + annotations: + service.beta.kubernetes.io/oci-load-balancer-shape: flexible + service.beta.kubernetes.io/oci-load-balancer-shape-flex-max: "100" + service.beta.kubernetes.io/oci-load-balancer-shape-flex-min: "10" labels: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx - annotations: - service.beta.kubernetes.io/oci-load-balancer-shape: "flexible" - service.beta.kubernetes.io/oci-load-balancer-shape-flex-min: "10" - service.beta.kubernetes.io/oci-load-balancer-shape-flex-max: "100" spec: + externalTrafficPolicy: Local ipFamilies: - IPv4 ipFamilyPolicy: SingleStack @@ -376,7 +377,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -399,7 +400,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -417,7 +418,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 spec: containers: - args: @@ -441,7 +442,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 + image: registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -513,7 +514,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -524,7 +525,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-create spec: containers: @@ -538,7 +539,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b imagePullPolicy: IfNotPresent name: create securityContext: @@ -560,7 +561,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -571,7 +572,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission-patch spec: containers: @@ -587,7 +588,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b imagePullPolicy: IfNotPresent name: patch securityContext: @@ -609,7 +610,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -622,7 +623,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.1 + app.kubernetes.io/version: 1.8.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/oci/kustomization.yaml b/deploy/static/provider/oci/kustomization.yaml index d477ec405..632c0f80f 100644 --- a/deploy/static/provider/oci/kustomization.yaml +++ b/deploy/static/provider/oci/kustomization.yaml @@ -4,7 +4,7 @@ # ``` # namespace: ingress-nginx # bases: -# - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/cloud +# - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/oci # ``` resources: diff --git a/hack/manifest-templates/provider/oci/kustomization.yaml b/hack/manifest-templates/provider/oci/kustomization.yaml new file mode 100644 index 000000000..cd6ef95be --- /dev/null +++ b/hack/manifest-templates/provider/oci/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ../../common diff --git a/hack/manifest-templates/provider/oci/values.yaml b/hack/manifest-templates/provider/oci/values.yaml new file mode 100644 index 000000000..b4480531f --- /dev/null +++ b/hack/manifest-templates/provider/oci/values.yaml @@ -0,0 +1,8 @@ +controller: + service: + type: LoadBalancer + externalTrafficPolicy: Local + annotations: + service.beta.kubernetes.io/oci-load-balancer-shape: "flexible" + service.beta.kubernetes.io/oci-load-balancer-shape-flex-min: "10" + service.beta.kubernetes.io/oci-load-balancer-shape-flex-max: "100" From 155fc8daa468fd127b16118832279e0f6f42aa1b Mon Sep 17 00:00:00 2001 From: z1cheng Date: Fri, 30 Jun 2023 12:49:51 +0000 Subject: [PATCH 381/405] Rename OCI to oracle Signed-off-by: z1cheng --- deploy/static/provider/{oci => oracle}/deploy.yaml | 0 deploy/static/provider/{oci => oracle}/kustomization.yaml | 2 +- .../provider/{oci => oracle}/kustomization.yaml | 0 hack/manifest-templates/provider/{oci => oracle}/values.yaml | 0 4 files changed, 1 insertion(+), 1 deletion(-) rename deploy/static/provider/{oci => oracle}/deploy.yaml (100%) rename deploy/static/provider/{oci => oracle}/kustomization.yaml (94%) rename hack/manifest-templates/provider/{oci => oracle}/kustomization.yaml (100%) rename hack/manifest-templates/provider/{oci => oracle}/values.yaml (100%) diff --git a/deploy/static/provider/oci/deploy.yaml b/deploy/static/provider/oracle/deploy.yaml similarity index 100% rename from deploy/static/provider/oci/deploy.yaml rename to deploy/static/provider/oracle/deploy.yaml diff --git a/deploy/static/provider/oci/kustomization.yaml b/deploy/static/provider/oracle/kustomization.yaml similarity index 94% rename from deploy/static/provider/oci/kustomization.yaml rename to deploy/static/provider/oracle/kustomization.yaml index 632c0f80f..5c1dcff96 100644 --- a/deploy/static/provider/oci/kustomization.yaml +++ b/deploy/static/provider/oracle/kustomization.yaml @@ -4,7 +4,7 @@ # ``` # namespace: ingress-nginx # bases: -# - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/oci +# - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/oracle # ``` resources: diff --git a/hack/manifest-templates/provider/oci/kustomization.yaml b/hack/manifest-templates/provider/oracle/kustomization.yaml similarity index 100% rename from hack/manifest-templates/provider/oci/kustomization.yaml rename to hack/manifest-templates/provider/oracle/kustomization.yaml diff --git a/hack/manifest-templates/provider/oci/values.yaml b/hack/manifest-templates/provider/oracle/values.yaml similarity index 100% rename from hack/manifest-templates/provider/oci/values.yaml rename to hack/manifest-templates/provider/oracle/values.yaml From 652a80042222f881ce56b3b689498e2b6fe4de72 Mon Sep 17 00:00:00 2001 From: James Strong Date: Fri, 30 Jun 2023 17:37:24 -0400 Subject: [PATCH 382/405] release notes 1.8.1 (#10161) Signed-off-by: James Strong --- README.md | 7 +- changelog/Changelog-1.8.1.md | 67 ++++ charts/ingress-nginx/Chart.yaml | 11 +- charts/ingress-nginx/README.md | 8 +- .../changelog/Changelog-4.7.1.md | 12 + charts/ingress-nginx/values.yaml | 8 +- deploy/static/provider/aws/deploy.yaml | 44 +-- .../aws/nlb-with-tls-termination/deploy.yaml | 44 +-- deploy/static/provider/baremetal/deploy.yaml | 44 +-- deploy/static/provider/cloud/deploy.yaml | 44 +-- deploy/static/provider/do/deploy.yaml | 44 +-- deploy/static/provider/exoscale/deploy.yaml | 44 +-- deploy/static/provider/kind/deploy.yaml | 44 +-- deploy/static/provider/oracle/deploy.yaml | 44 +-- deploy/static/provider/scw/deploy.yaml | 44 +-- docs/deploy/index.md | 20 +- docs/e2e-tests.md | 356 +++++++++--------- 17 files changed, 482 insertions(+), 403 deletions(-) create mode 100644 changelog/Changelog-1.8.1.md create mode 100644 charts/ingress-nginx/changelog/Changelog-4.7.1.md diff --git a/README.md b/README.md index dc7ff3c38..812ddacb6 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,7 @@ the versions listed. Ingress-Nginx versions may work on older versions but the p | | Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version | Helm Chart Version | |:--:|-----------------------|------------------------------|----------------|---------------|--------------------| +| 🔄 | **v1.8.1** | 1.27,1.26, 1.25, 1.24 | 3.18.2 | 1.21.6 | 4.7.* | | 🔄 | **v1.8.0** | 1.27,1.26, 1.25, 1.24 | 3.18.0 | 1.21.6 | 4.7.* | | 🔄 | **v1.7.1** | 1.27,1.26, 1.25, 1.24 | 3.17.2 | 1.21.6 | 4.6.* | | 🔄 | **v1.7.0** | 1.26, 1.25, 1.24 | 3.17.2 | 1.21.6 | 4.6.* | @@ -77,15 +78,15 @@ Thanks for taking the time to join our community and start contributing! - Read [`CONTRIBUTING.md`](CONTRIBUTING.md) for information about setting up your environment, the workflow that we expect, and instructions on the developer certificate of origin that we require. - Join our Kubernetes Slack channel for developer discussion : [#ingress-nginx-dev](https://kubernetes.slack.com/archives/C021E147ZA4). - - Submit GitHub issues for any feature enhancements, bugs or documentation problems. + - Submit GitHub issues for any feature enhancements, bugs or documentation problems. - Please make sure to read the [Issue Reporting Checklist](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md#issue-reporting-guidelines) before opening an issue. Issues not conforming to the guidelines **may be closed immediately**. - Join our [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernetes.io/g/ingress-nginx-dev/c/ebbBMo-zX-w) -- **Support**: +- **Support**: - Join the [#ingress-nginx-users](https://kubernetes.slack.com/messages/CANQGM8BA/) channel inside the [Kubernetes Slack](http://slack.kubernetes.io/) to ask questions or get support from the maintainers and other users. - The [GitHub issues](https://github.com/kubernetes/ingress-nginx/issues) in the repository are **exclusively** for bug reports and feature requests. - **Discuss**: Tweet using the `#IngressNginx` hashtag or sharing with us [@IngressNginx](https://twitter.com/IngressNGINX). ## License -[Apache License 2.0](https://github.com/kubernetes/ingress-nginx/blob/main/LICENSE) \ No newline at end of file +[Apache License 2.0](https://github.com/kubernetes/ingress-nginx/blob/main/LICENSE) diff --git a/changelog/Changelog-1.8.1.md b/changelog/Changelog-1.8.1.md new file mode 100644 index 000000000..c84a7ce18 --- /dev/null +++ b/changelog/Changelog-1.8.1.md @@ -0,0 +1,67 @@ +# Changelog + +### 1.8.1 +Images: + + * registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd + * registry.k8s.io/ingress-nginx/controller-chroot:v1.8.1@sha256:e0d4121e3c5e39de9122e55e331a32d5ebf8d4d257227cb93ab54a1b912a7627 + +### All Changes: + +* netlify: Only trigger preview when there are changes in docs. (#10144) +* changed to updated baseimage and reverted tag (#10143) +* Fix loadBalancerClass value (#10139) +* Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406) +* Set grpc :authority header from request header (#8912) +* bump pinned golang to 1.20.5 (#10127) +* update test runner (#10125) +* chore: remove echo from snippet tests (#10110) +* Update typo in docs for lb scheme (#10117) +* golang 1.20.5 bump (#10120) +* feat(helm): Add loadBalancerClass (#9562) +* chore: remove echo friom canary tests (#10089) +* fix: obsolete warnings (#10029) +* docs: change Dockefile url ref main (#10087) +* Revert "Remove fastcgi feature" (#10081) +* docs: add netlify configuration (#10073) +* add distroless otel init (#10035) +* chore: move httpbun to be part of framework (#9955) +* Remove fastcgi feature (#9864) +* Fix mirror-target values without path separator and port (#9889) +* Adding feature to upgrade Oracle Cloud Infrastructure's Flexible Load Balancer and adjusting Health Check that were critical in the previous configuration (#9961) +* add support for keda fallback settings (#9993) +* unnecessary use of fmt.Sprint (S1039) (#10049) +* chore: pkg imported more than once (#10048) +* tracing: upgrade to dd-opentracing-cpp v1.3.7 (#10031) +* fix: add canary to sidebar in examples (#10068) +* docs: add lua testing documentation (#10060) +* docs: canary weighted deployments example (#10067) +* Update Internal Load Balancer docs (#10062) +* fix broken kubernetes.io/user-guide/ docs links (#10055) +* docs: Updated the content of deploy/rbac.md (#10054) +* ensured hpa mem spec before cpu spec (#10043) +* Fix typo in controller_test (#10034) +* chore(dep): upgrade github.com/emicklei/go-restful/v3 to 3.10 (#10028) +* Upgrade to Golang 1.20.4 (#10016) +* perf: avoid unnecessary byte/string conversion (#10012) +* added note on dns for localtesting (#10021) +* added helmshowvalues example (#10019) +* release controller 1.8.0 and chart 4.7.0 (#10017) + +### Dependencies updates: +* Bump ossf/scorecard-action from 2.1.3 to 2.2.0 (#10133) +* Bump google.golang.org/grpc from 1.56.0 to 1.56.1 (#10134) +* Bump github.com/prometheus/client_golang from 1.15.1 to 1.16.0 (#10106) +* Bump golang.org/x/crypto from 0.9.0 to 0.10.0 (#10105) +* Bump google.golang.org/grpc from 1.55.0 to 1.56.0 (#10103) +* Bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 (#10101) +* Bump docker/setup-buildx-action from 2.6.0 to 2.7.0 (#10102) +* Bump actions/checkout from 3.5.2 to 3.5.3 (#10076) +* Bump docker/setup-qemu-action from 2.1.0 to 2.2.0 (#10075) +* Bump aquasecurity/trivy-action from 0.10.0 to 0.11.2 (#10078) +* Bump docker/setup-buildx-action from 2.5.0 to 2.6.0 (#10077) +* Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#10042) +* Bump github.com/stretchr/testify from 1.8.3 to 1.8.4 (#10041) +* Bump github.com/stretchr/testify from 1.8.2 to 1.8.3 (#10005) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.8.0...controller-controller-v1.8.1 diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index 9786f705c..de5fe4df0 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml @@ -1,11 +1,12 @@ annotations: artifacthub.io/changes: | - - "helm: Fix opentelemetry module installation for daemonset (#9792)" - - "Update charts/* to keep project name display aligned (#9931)" - - "Update Ingress-Nginx version controller-v1.8.0" + - "Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406)" + - "feat(helm): Add loadBalancerClass (#9562)" + - "added helmshowvalues example (#10019)" + - "Update Ingress-Nginx version controller-v1.8.1" artifacthub.io/prerelease: "false" apiVersion: v2 -appVersion: 1.8.0 +appVersion: 1.8.1 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer engine: gotpl @@ -22,4 +23,4 @@ maintainers: name: ingress-nginx sources: - https://github.com/kubernetes/ingress-nginx -version: 4.7.0 +version: 4.7.1 diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 8b5d92d37..955091873 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.7.0](https://img.shields.io/badge/Version-4.7.0-informational?style=flat-square) ![AppVersion: 1.8.0](https://img.shields.io/badge/AppVersion-1.8.0-informational?style=flat-square) +![Version: 4.7.1](https://img.shields.io/badge/Version-4.7.1-informational?style=flat-square) ![AppVersion: 1.8.1](https://img.shields.io/badge/AppVersion-1.8.1-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. @@ -313,13 +313,13 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.image.allowPrivilegeEscalation | bool | `true` | | | controller.image.chroot | bool | `false` | | -| controller.image.digest | string | `"sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3"` | | -| controller.image.digestChroot | string | `"sha256:a45e41cd2b7670adf829759878f512d4208d0aec1869dae593a0fecd09a5e49e"` | | +| controller.image.digest | string | `"sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd"` | | +| controller.image.digestChroot | string | `"sha256:e0d4121e3c5e39de9122e55e331a32d5ebf8d4d257227cb93ab54a1b912a7627"` | | | controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.registry | string | `"registry.k8s.io"` | | | controller.image.runAsUser | int | `101` | | -| controller.image.tag | string | `"v1.8.0"` | | +| controller.image.tag | string | `"v1.8.1"` | | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass | diff --git a/charts/ingress-nginx/changelog/Changelog-4.7.1.md b/charts/ingress-nginx/changelog/Changelog-4.7.1.md new file mode 100644 index 000000000..4d69a7117 --- /dev/null +++ b/charts/ingress-nginx/changelog/Changelog-4.7.1.md @@ -0,0 +1,12 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.7.1 + +* Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406) +* feat(helm): Add loadBalancerClass (#9562) +* added helmshowvalues example (#10019) +* Update Ingress-Nginx version controller-v1.8.1 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.0...helm-chart-4.7.1 diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index b313643f3..d091391a8 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -23,9 +23,9 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: "v1.8.0" - digest: sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3 - digestChroot: sha256:a45e41cd2b7670adf829759878f512d4208d0aec1869dae593a0fecd09a5e49e + tag: "v1.8.1" + digest: sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd + digestChroot: sha256:e0d4121e3c5e39de9122e55e331a32d5ebf8d4d257227cb93ab54a1b912a7627 pullPolicy: IfNotPresent # www-data -> uid 101 runAsUser: 101 @@ -478,10 +478,8 @@ controller: enabled: false # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. annotations: {} - # -- Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS. loadBalancerIP: "" - # -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. loadBalancerSourceRanges: [] ## Set external traffic policy to: "Local" to preserve source IP on diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml index 48f7f11b1..f22f3a9c1 100644 --- a/deploy/static/provider/aws/deploy.yaml +++ b/deploy/static/provider/aws/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -344,7 +344,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -377,7 +377,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -400,7 +400,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -418,7 +418,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 spec: containers: - args: @@ -442,7 +442,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3 + image: registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -514,7 +514,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -525,7 +525,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-create spec: containers: @@ -561,7 +561,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -572,7 +572,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-patch spec: containers: @@ -610,7 +610,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -623,7 +623,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml index b4e2cd5f6..e9ae85143 100644 --- a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml +++ b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -335,7 +335,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -353,7 +353,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -386,7 +386,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -409,7 +409,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -427,7 +427,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 spec: containers: - args: @@ -451,7 +451,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3 + image: registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -526,7 +526,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -537,7 +537,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-create spec: containers: @@ -573,7 +573,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -584,7 +584,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-patch spec: containers: @@ -622,7 +622,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -635,7 +635,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml index 74292b82b..b66da7d45 100644 --- a/deploy/static/provider/baremetal/deploy.yaml +++ b/deploy/static/provider/baremetal/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -372,7 +372,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -395,7 +395,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -413,7 +413,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 spec: containers: - args: @@ -436,7 +436,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3 + image: registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -508,7 +508,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -519,7 +519,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-create spec: containers: @@ -555,7 +555,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -566,7 +566,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-patch spec: containers: @@ -604,7 +604,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -617,7 +617,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml index 6dac63865..659da1d1b 100644 --- a/deploy/static/provider/cloud/deploy.yaml +++ b/deploy/static/provider/cloud/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -373,7 +373,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -396,7 +396,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -414,7 +414,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 spec: containers: - args: @@ -438,7 +438,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3 + image: registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -510,7 +510,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -521,7 +521,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-create spec: containers: @@ -557,7 +557,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -568,7 +568,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-patch spec: containers: @@ -606,7 +606,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -619,7 +619,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml index 0e3f4b46f..434f21ead 100644 --- a/deploy/static/provider/do/deploy.yaml +++ b/deploy/static/provider/do/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -329,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -343,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -376,7 +376,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -399,7 +399,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -417,7 +417,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 spec: containers: - args: @@ -441,7 +441,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3 + image: registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -513,7 +513,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -524,7 +524,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-create spec: containers: @@ -560,7 +560,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -571,7 +571,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-patch spec: containers: @@ -609,7 +609,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -622,7 +622,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml index a1bd4ed00..c9dff62cb 100644 --- a/deploy/static/provider/exoscale/deploy.yaml +++ b/deploy/static/provider/exoscale/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -349,7 +349,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -382,7 +382,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -405,7 +405,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -423,7 +423,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 spec: containers: - args: @@ -447,7 +447,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3 + image: registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -519,7 +519,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -530,7 +530,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-create spec: containers: @@ -566,7 +566,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -577,7 +577,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-patch spec: containers: @@ -615,7 +615,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -628,7 +628,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml index 41d17d8d1..f9965d0fe 100644 --- a/deploy/static/provider/kind/deploy.yaml +++ b/deploy/static/provider/kind/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -372,7 +372,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -395,7 +395,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -417,7 +417,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 spec: containers: - args: @@ -442,7 +442,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3 + image: registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -524,7 +524,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -535,7 +535,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-create spec: containers: @@ -571,7 +571,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -582,7 +582,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-patch spec: containers: @@ -620,7 +620,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -633,7 +633,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/oracle/deploy.yaml b/deploy/static/provider/oracle/deploy.yaml index 2518201bd..72556bb42 100644 --- a/deploy/static/provider/oracle/deploy.yaml +++ b/deploy/static/provider/oracle/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -344,7 +344,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -377,7 +377,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -400,7 +400,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -418,7 +418,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 spec: containers: - args: @@ -442,7 +442,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3 + image: registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -514,7 +514,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -525,7 +525,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-create spec: containers: @@ -561,7 +561,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -572,7 +572,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-patch spec: containers: @@ -610,7 +610,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -623,7 +623,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml index e303a52f5..8b4750992 100644 --- a/deploy/static/provider/scw/deploy.yaml +++ b/deploy/static/provider/scw/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -329,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -343,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -376,7 +376,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -399,7 +399,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -417,7 +417,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 spec: containers: - args: @@ -441,7 +441,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3 + image: registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -513,7 +513,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -524,7 +524,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-create spec: containers: @@ -560,7 +560,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -571,7 +571,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission-patch spec: containers: @@ -609,7 +609,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -622,7 +622,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.0 + app.kubernetes.io/version: 1.8.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/docs/deploy/index.md b/docs/deploy/index.md index 76a28b6ad..d719d4a57 100644 --- a/docs/deploy/index.md +++ b/docs/deploy/index.md @@ -68,7 +68,7 @@ helm show values ingress-nginx --repo https://kubernetes.github.io/ingress-nginx **If you don't have Helm** or if you prefer to use a YAML manifest, you can run the following command instead: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.0/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/cloud/deploy.yaml ``` !!! info @@ -243,7 +243,7 @@ In AWS, we use a Network load balancer (NLB) to expose the Ingress-Nginx Control ##### Network Load Balancer (NLB) ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.0/deploy/static/provider/aws/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/aws/deploy.yaml ``` ##### TLS termination in AWS Load Balancer (NLB) @@ -251,10 +251,10 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS using an NLB. -1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.0/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template +1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template ```console - wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.0/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml + wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml ``` 2. Edit the file and change the VPC CIDR in use for the Kubernetes cluster: @@ -300,7 +300,7 @@ Then, the ingress controller can be installed like this: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.0/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/cloud/deploy.yaml ``` !!! warning @@ -317,7 +317,7 @@ Proxy-protocol is supported in GCE check the [Official Documentations on how to #### Azure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.0/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/cloud/deploy.yaml ``` More information with regard to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller). @@ -325,7 +325,7 @@ More information with regard to Azure annotations for ingress controller can be #### Digital Ocean ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.0/deploy/static/provider/do/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/do/deploy.yaml ``` - By default the service object of the ingress-nginx-controller for Digital-Ocean, only configures one annotation. Its this one `service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"`. While this makes the service functional, it was reported that the Digital-Ocean LoadBalancer graphs shows `no data`, unless a few other annotations are also configured. Some of these other annotations require values that can not be generic and hence not forced in a out-of-the-box installation. These annotations and a discussion on them is well documented in [this issue](https://github.com/kubernetes/ingress-nginx/issues/8965). Please refer to the issue to add annotations, with values specific to user, to get graphs of the DO-LB populated with data. @@ -333,7 +333,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont #### Scaleway ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.0/deploy/static/provider/scw/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/scw/deploy.yaml ``` #### Exoscale @@ -348,7 +348,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale #### Oracle Cloud Infrastructure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.0/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/cloud/deploy.yaml ``` A @@ -375,7 +375,7 @@ For quick testing, you can use a This should work on almost every cluster, but it will typically use a port in the range 30000-32767. ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.0/deploy/static/provider/baremetal/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/baremetal/deploy.yaml ``` For more information about bare metal deployments (and how to use port 80 instead of a random port in the 30000-32767 range), diff --git a/docs/e2e-tests.md b/docs/e2e-tests.md index 025ff686d..ced8eaeaf 100644 --- a/docs/e2e-tests.md +++ b/docs/e2e-tests.md @@ -55,42 +55,6 @@ Do not try to edit it manually. - [should redirect to /foo](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/approot.go#L35) -### [auth-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L40) - -- [should return status code 200 when no authentication is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L47) -- [should return status code 503 when authentication is configured with an invalid secret](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L66) -- [should return status code 401 when authentication is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L90) -- [should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L117) -- [should return status code 401 and cors headers when authentication and cors is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L145) -- [should return status code 200 when authentication is configured and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L173) -- [should return status code 200 when authentication is configured with a map and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L200) -- [should return status code 401 when authentication is configured with invalid content and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L228) -- [ when external auth is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L267) -- [ when external auth is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L285) -- [ when auth-headers are set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L302) -- [should set cache_key when external auth cache is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L323) -- [user retains cookie by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L412) -- [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L423) -- [user with annotated ingress retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L434) -- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L486) -- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L495) -- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L506) -- [should overwrite Foo header with auth response](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L530) -- [should not create additional upstream block when auth-keepalive is not set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L553) -- [should not create additional upstream block when host part of auth-url contains a variable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L571) -- [should not create additional upstream block when auth-keepalive is negative](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L591) -- [should not create additional upstream block when auth-keepalive is set with HTTP/2](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L610) -- [should create additional upstream block when auth-keepalive is set with HTTP/1.x](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L624) -- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L679) -- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L688) -- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L699) -- [should return status code 200 when signed in after auth backend is deleted ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L773) -- [should deny login for different location on same server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L793) -- [should deny login for different servers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L821) -- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L850) -- [should return 503 (location was denied)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L880) -- [should add error to the config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L888) - ### [auth-tls-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L29) - [should set sslClientCertificate, sslVerifyClient and sslVerifyDepth with auth-tls-secret](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L36) @@ -111,34 +75,6 @@ Do not try to edit it manually. - [should set backend protocol to '' and use fastcgi_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L94) - [should set backend protocol to '' and use ajp_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L109) -### [canary-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L36) - -- [should response with a 200 status from the mainline upstream when requests are made to the mainline ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L48) -- [should return 404 status for requests to the canary if no matching ingress is found](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L80) -- [should return the correct status codes when endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L107) -- [should route requests to the correct upstream if mainline ingress is created before the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L161) -- [should route requests to the correct upstream if mainline ingress is created after the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L206) -- [should route requests to the correct upstream if the mainline ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L250) -- [should route requests to the correct upstream if the canary ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L307) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L372) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L426) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L490) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L532) -- [should routes to mainline upstream when the given Regex causes error](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L566) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L604) -- [respects always and never values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L643) -- [should route requests only to mainline if canary weight is 0](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L705) -- [should route requests only to canary if canary weight is 100](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L743) -- [should route requests only to canary if canary weight is equal to canary weight total](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L775) -- [should route requests split between mainline and canary if canary weight is 50](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L808) -- [should route requests split between mainline and canary if canary weight is 100 and weight total is 200](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L834) -- [should not use canary as a catch-all server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L863) -- [should not use canary with domain as a server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L891) -- [does not crash when canary ingress has multiple paths to the same non-matching backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L915) -- [always routes traffic to canary if first request was affinitized to canary (default behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L943) -- [always routes traffic to canary if first request was affinitized to canary (explicit sticky behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1000) -- [routes traffic to either mainline or canary backend (legacy behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1058) - ### [client-body-buffer-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L28) - [should set client_body_buffer_size to 1000](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L35) @@ -148,10 +84,6 @@ Do not try to edit it manually. - [should set client_body_buffer_size to 1M](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L123) - [should not set client_body_buffer_size to invalid 1b](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L145) -### [connection-proxy-header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/connection.go#L29) - -- [set connection header to keep-alive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/connection.go#L36) - ### [cors-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L28) - [should enable cors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L35) @@ -212,13 +144,6 @@ Do not try to edit it manually. - [generates correct configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/globalratelimit.go#L38) -### [backend-protocol - GRPC](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L40) - -- [should use grpc_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L43) -- [should return OK for service with backend protocol GRPC](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L68) -- [authorization metadata should be overwritten by external auth response headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L126) -- [should return OK for service with backend protocol GRPCS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L199) - ### [http2-push-preload](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/http2pushpreload.go#L27) - [enable the http2-push-preload directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/http2pushpreload.go#L34) @@ -245,12 +170,6 @@ Do not try to edit it manually. - [set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/log.go#L34) - [set rewrite_log on](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/log.go#L49) -### [mirror-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L28) - -- [should set mirror-target to http://localhost/mirror](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L36) -- [should set mirror-target to https://test.env.com/$request_uri](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L51) -- [should disable mirror-request-body](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L67) - ### [modsecurity owasp](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L28) - [should enable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L35) @@ -306,11 +225,6 @@ Do not try to edit it manually. - [should fail to use longest match for documented warning](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L158) - [should allow for custom rewrite parameters](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L190) -### [satisfy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/satisfy.go#L35) - -- [should configure satisfy directive correctly](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/satisfy.go#L42) -- [should allow multiple auth with satisfy any](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/satisfy.go#L84) - ### [server-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serversnippet.go#L28) - [add valid directives to server via server snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serversnippet.go#L35) @@ -322,11 +236,6 @@ Do not try to edit it manually. - [should use the Service Cluster IP and Port ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serviceupstream.go#L70) - [should not use the Service Cluster IP and Port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serviceupstream.go#L99) -### [configuration-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/snippet.go#L28) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/snippet.go#L35) -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/snippet.go#L58) - ### [ssl-ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/sslciphers.go#L28) - [should change ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/sslciphers.go#L35) @@ -350,6 +259,97 @@ Do not try to edit it manually. - [should set the X-Forwarded-Prefix to the annotation value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L35) - [should not add X-Forwarded-Prefix if the annotation value is empty](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L57) +### [auth-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L39) + +- [should return status code 200 when no authentication is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L46) +- [should return status code 503 when authentication is configured with an invalid secret](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L65) +- [should return status code 401 when authentication is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L89) +- [should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L116) +- [should return status code 401 and cors headers when authentication and cors is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L144) +- [should return status code 200 when authentication is configured and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L172) +- [should return status code 200 when authentication is configured with a map and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L199) +- [should return status code 401 when authentication is configured with invalid content and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L227) +- [ when external auth is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L266) +- [ when external auth is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L284) +- [ when auth-headers are set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L301) +- [should set cache_key when external auth cache is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L322) +- [user retains cookie by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L411) +- [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L422) +- [user with annotated ingress retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L433) +- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L472) +- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L481) +- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L492) +- [should overwrite Foo header with auth response](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L516) +- [should not create additional upstream block when auth-keepalive is not set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L539) +- [should not create additional upstream block when host part of auth-url contains a variable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L557) +- [should not create additional upstream block when auth-keepalive is negative](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L577) +- [should not create additional upstream block when auth-keepalive is set with HTTP/2](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L596) +- [should create additional upstream block when auth-keepalive is set with HTTP/1.x](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L610) +- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L653) +- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L662) +- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L673) +- [should return status code 200 when signed in after auth backend is deleted ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L732) +- [should deny login for different location on same server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L752) +- [should deny login for different servers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L780) +- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L809) +- [should return 503 (location was denied)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L839) +- [should add error to the config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L847) + +### [canary-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L36) + +- [should response with a 200 status from the mainline upstream when requests are made to the mainline ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L45) +- [should return 404 status for requests to the canary if no matching ingress is found](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L89) +- [should return the correct status codes when endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L120) +- [should route requests to the correct upstream if mainline ingress is created before the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L174) +- [should route requests to the correct upstream if mainline ingress is created after the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L232) +- [should route requests to the correct upstream if the mainline ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L289) +- [should route requests to the correct upstream if the canary ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L363) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L445) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L513) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L594) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L647) +- [should routes to mainline upstream when the given Regex causes error](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L692) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L741) +- [respects always and never values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L790) +- [should route requests only to mainline if canary weight is 0](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L862) +- [should route requests only to canary if canary weight is 100](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L910) +- [should route requests only to canary if canary weight is equal to canary weight total](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L952) +- [should route requests split between mainline and canary if canary weight is 50](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L995) +- [should route requests split between mainline and canary if canary weight is 100 and weight total is 200](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1031) +- [should not use canary as a catch-all server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1070) +- [should not use canary with domain as a server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1104) +- [does not crash when canary ingress has multiple paths to the same non-matching backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1138) +- [always routes traffic to canary if first request was affinitized to canary (default behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1175) +- [always routes traffic to canary if first request was affinitized to canary (explicit sticky behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1242) +- [routes traffic to either mainline or canary backend (legacy behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1310) + +### [connection-proxy-header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/connection.go#L28) + +- [set connection header to keep-alive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/connection.go#L35) + +### [mirror-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L28) + +- [should set mirror-target to http://localhost/mirror](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L36) +- [should set mirror-target to https://test.env.com/$request_uri](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L51) +- [should disable mirror-request-body](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L67) + +### [satisfy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/satisfy.go#L33) + +- [should configure satisfy directive correctly](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/satisfy.go#L40) +- [should allow multiple auth with satisfy any](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/satisfy.go#L82) + +### [configuration-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/snippet.go#L28) + +- [set snippet more_set_headers in all locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/snippet.go#L34) +- [drops snippet more_set_header in all locations if disabled by admin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/snippet.go#L63) + +### [backend-protocol - GRPC](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L39) + +- [should use grpc_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L42) +- [should return OK for service with backend protocol GRPC](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L67) +- [authorization metadata should be overwritten by external auth response headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L126) +- [should return OK for service with backend protocol GRPCS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L186) + ### [Debug CLI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L29) - [should list the backend servers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L37) @@ -390,10 +390,6 @@ Do not try to edit it manually. - [should return 200 when service has topology hints](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/topology.go#L43) -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/deployment.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/deployment.go#L) - ### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) @@ -402,10 +398,6 @@ Do not try to edit it manually. - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/fastcgi_helloserver.go#L) -### [[Setting] ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L194) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L) - ### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/grpc_fortune_teller.go#L) - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/grpc_fortune_teller.go#L) @@ -478,6 +470,14 @@ Do not try to edit it manually. - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/util.go#L) +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/deployment.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/deployment.go#L) + +### [[Setting] ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L217) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L) + ### [[Shutdown] Grace period shutdown](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/grace_period.go#L32) - [/healthz should return status code 500 during shutdown grace period](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/grace_period.go#L35) @@ -571,21 +571,21 @@ Do not try to edit it manually. - [should return 503 when backend service does not exist](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L36) - [should return 503 when all backend service endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L54) -### [[Service] Type ExternalName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L37) - -- [works with external name set to incomplete fqdn](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L40) -- [should return 200 for service type=ExternalName without a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L72) -- [should return 200 for service type=ExternalName with a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L110) -- [should return status 502 for service type=ExternalName with an invalid host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L138) -- [should return 200 for service type=ExternalName using a port name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L169) -- [should return 200 for service type=ExternalName using FQDN with trailing dot](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L206) -- [should update the external name after a service update](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L241) -- [should sync ingress on external name service addition/deletion](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L311) - ### [[Service] Nil Service Backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_nil_backend.go#L31) - [should return 404 when backend service is nil](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_nil_backend.go#L38) +### [[Service] Type ExternalName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L37) + +- [works with external name set to incomplete fqdn](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L40) +- [should return 200 for service type=ExternalName without a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L77) +- [should return 200 for service type=ExternalName with a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L117) +- [should return status 502 for service type=ExternalName with an invalid host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L147) +- [should return 200 for service type=ExternalName using a port name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L183) +- [should return 200 for service type=ExternalName using FQDN with trailing dot](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L224) +- [should update the external name after a service update](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L260) +- [should sync ingress on external name service addition/deletion](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L347) + ### [access-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L27) - [use the default configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L32) @@ -601,10 +601,6 @@ Do not try to edit it manually. - [[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L102) - [[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L133) -### [brotli](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/brotli.go#L30) - -- [ condition](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/brotli.go#L39) - ### [Configmap change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L29) - [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L36) @@ -626,26 +622,12 @@ Do not try to edit it manually. - [should delete Ingress updated to catch-all](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L81) - [should allow Ingress with rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L123) -### [[Flag] disable-service-external-name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_service_external_name.go#L35) - -- [should ignore services of external-name type](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_service_external_name.go#L52) - ### [[Flag] disable-sync-events](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_sync_events.go#L32) - [should create sync events (default)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_sync_events.go#L35) - [should create sync events](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_sync_events.go#L53) - [should not create sync events](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_sync_events.go#L80) -### [enable-real-ip](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L30) - -- [trusts X-Forwarded-For header only when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L40) -- [should not trust X-Forwarded-For header when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L78) - -### [use-forwarded-headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L30) - -- [should trust X-Forwarded headers when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L40) -- [should not trust X-Forwarded headers when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L92) - ### [Geoip2](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/geoip2.go#L37) - [should include geoip2 line in config when enabled and db file exists](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/geoip2.go#L46) @@ -657,21 +639,6 @@ Do not try to edit it manually. - [should block User-Agents defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L55) - [should block Referers defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L88) -### [[Security] global-auth-url](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L34) - -- [should return status code 401 when request any protected service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L85) -- [should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L102) -- [should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L126) -- [should still return status code 200 after auth backend is deleted using cache](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L155) -- [should proxy_method method when global-auth-method is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L197) -- [should add custom error page when global-auth-signin url is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L210) -- [should add auth headers when global-auth-response-headers is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L223) -- [should set request-redirect when global-auth-request-redirect is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L237) -- [should set snippet when global external auth is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L250) -- [user retains cookie by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L326) -- [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L337) -- [user with global-auth-always-set-cookie key in configmap retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L348) - ### [global-options](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L28) - [should have worker_rlimit_nofile option](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L31) @@ -715,25 +682,10 @@ Do not try to edit it manually. - [should watch Ingress with correct annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L631) - [should ignore Ingress with only IngressClassName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L652) -### [keep-alive keep-alive-requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L28) - -- [should set keepalive_timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L40) -- [should set keepalive_requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L48) -- [should set keepalive connection to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L59) -- [should set keep alive connection timeout to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L68) -- [should set keepalive time to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L77) -- [should set the request count to upstream server through one keep alive connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L86) - ### [Configmap - limit-rate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/limit_rate.go#L28) - [Check limit-rate config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/limit_rate.go#L36) -### [[Flag] custom HTTP and HTTPS ports](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L32) - -- [should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L48) -- [should set X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L70) -- [should set the X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L100) - ### [log-format-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L28) - [should not configure log-format escape by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L40) @@ -773,10 +725,6 @@ Do not try to edit it manually. - [should return status code 200 when accessing '/' authentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L68) - [should return status code 200 when accessing '/noauth' unauthenticated](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L82) -### [Add no tls redirect locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L28) - -- [Check no tls redirect locations config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L31) - ### [OCSP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L42) - [should enable OCSP and contain stapling information in the connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L49) @@ -822,22 +770,10 @@ Do not try to edit it manually. - [should set valid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L36) - [should not set invalid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L52) -### [Dynamic $proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L28) - -- [should exist a proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L36) -- [should exist a proxy_host using the upstream-vhost annotation value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L57) - ### [proxy-next-upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_next_upstream.go#L28) - [should build proxy next upstream using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_next_upstream.go#L36) -### [use-proxy-protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L36) - -- [should respect port passed by the PROXY Protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L46) -- [should respect proto passed by the PROXY Protocol server port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L79) -- [should enable PROXY Protocol for HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L112) -- [should enable PROXY Protocol for TCP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L155) - ### [proxy-read-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L28) - [should set valid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L36) @@ -868,15 +804,79 @@ Do not try to edit it manually. - [Add ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_ciphers.go#L31) +### [configmap stream-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/stream_snippet.go#L35) + +- [should add value of stream-snippet via config map to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/stream_snippet.go#L42) + +### [brotli](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/brotli.go#L30) + +- [ condition](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/brotli.go#L38) + +### [[Flag] disable-service-external-name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_service_external_name.go#L35) + +- [should ignore services of external-name type](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_service_external_name.go#L55) + +### [enable-real-ip](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L30) + +- [trusts X-Forwarded-For header only when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L40) +- [should not trust X-Forwarded-For header when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L78) + +### [use-forwarded-headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L29) + +- [should trust X-Forwarded headers when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L39) +- [should not trust X-Forwarded headers when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L91) + +### [[Security] global-auth-url](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L34) + +- [should return status code 401 when request any protected service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L87) +- [should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L104) +- [should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L128) +- [should still return status code 200 after auth backend is deleted using cache](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L157) +- [should proxy_method method when global-auth-method is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L199) +- [should add custom error page when global-auth-signin url is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L212) +- [should add auth headers when global-auth-response-headers is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L225) +- [should set request-redirect when global-auth-request-redirect is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L239) +- [should set snippet when global external auth is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L252) +- [user retains cookie by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L328) +- [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L339) +- [user with global-auth-always-set-cookie key in configmap retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L350) + +### [keep-alive keep-alive-requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L27) + +- [should set keepalive_timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L39) +- [should set keepalive_requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L47) +- [should set keepalive connection to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L58) +- [should set keep alive connection timeout to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L67) +- [should set keepalive time to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L76) +- [should set the request count to upstream server through one keep alive connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L85) + +### [[Flag] custom HTTP and HTTPS ports](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L30) + +- [should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L46) +- [should set X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L68) +- [should set the X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L98) + +### [Add no tls redirect locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L27) + +- [Check no tls redirect locations config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L30) + +### [Dynamic $proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L28) + +- [should exist a proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L36) +- [should exist a proxy_host using the upstream-vhost annotation value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L57) + +### [use-proxy-protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L36) + +- [should respect port passed by the PROXY Protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L46) +- [should respect proto passed by the PROXY Protocol server port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L79) +- [should enable PROXY Protocol for HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L112) +- [should enable PROXY Protocol for TCP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L155) + ### [With enable-ssl-passthrough enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_passthrough.go#L36) - [should enable ssl-passthrough-proxy-port on a different port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_passthrough.go#L56) - [should pass unknown traffic to default backend and handle known traffic](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_passthrough.go#L79) -### [configmap stream-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/stream_snippet.go#L35) - -- [should add value of stream-snippet via config map to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/stream_snippet.go#L42) - ### [[SSL] TLS protocols, ciphers and headers)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L31) - [setting cipher suite](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L65) From ebb631449474d12192304feacd180f1430035188 Mon Sep 17 00:00:00 2001 From: Ricardo Katz Date: Sun, 2 Jul 2023 06:26:49 -0300 Subject: [PATCH 383/405] Deprecate and remove AJP support (#10158) --- docs/e2e-tests.md | 1 - .../user-guide/nginx-configuration/annotations.md | 4 ++-- images/nginx/rootfs/build.sh | 9 --------- .../ingress/annotations/backendprotocol/main.go | 2 +- internal/ingress/controller/template/template.go | 3 --- .../ingress/controller/template/template_test.go | 2 -- rootfs/etc/nginx/template/nginx.tmpl | 1 - test/e2e/annotations/backendprotocol.go | 15 --------------- 8 files changed, 3 insertions(+), 34 deletions(-) diff --git a/docs/e2e-tests.md b/docs/e2e-tests.md index ced8eaeaf..c45b1e72c 100644 --- a/docs/e2e-tests.md +++ b/docs/e2e-tests.md @@ -73,7 +73,6 @@ Do not try to edit it manually. - [should set backend protocol to grpc:// and use grpc_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L64) - [should set backend protocol to grpcs:// and use grpc_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L79) - [should set backend protocol to '' and use fastcgi_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L94) -- [should set backend protocol to '' and use ajp_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L109) ### [client-body-buffer-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L28) diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md index b515a9f3b..0916b4df5 100755 --- a/docs/user-guide/nginx-configuration/annotations.md +++ b/docs/user-guide/nginx-configuration/annotations.md @@ -38,7 +38,7 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz |[nginx.ingress.kubernetes.io/auth-proxy-set-headers](#external-authentication)|string| |[nginx.ingress.kubernetes.io/auth-snippet](#external-authentication)|string| |[nginx.ingress.kubernetes.io/enable-global-auth](#external-authentication)|"true" or "false"| -|[nginx.ingress.kubernetes.io/backend-protocol](#backend-protocol)|string|HTTP,HTTPS,GRPC,GRPCS,AJP| +|[nginx.ingress.kubernetes.io/backend-protocol](#backend-protocol)|string|HTTP,HTTPS,GRPC,GRPCS| |[nginx.ingress.kubernetes.io/canary](#canary)|"true" or "false"| |[nginx.ingress.kubernetes.io/canary-by-header](#canary)|string| |[nginx.ingress.kubernetes.io/canary-by-header-value](#canary)|string| @@ -894,7 +894,7 @@ Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf ### Backend Protocol Using `backend-protocol` annotations is possible to indicate how NGINX should communicate with the backend service. (Replaces `secure-backends` in older versions) -Valid Values: HTTP, HTTPS, GRPC, GRPCS, AJP and FCGI +Valid Values: HTTP, HTTPS, GRPC, GRPCS and FCGI By default NGINX uses `HTTP`. diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh index e2a5fd8c6..5e215bf72 100755 --- a/images/nginx/rootfs/build.sh +++ b/images/nginx/rootfs/build.sh @@ -80,11 +80,6 @@ export LUA_CJSON_VERSION=2.1.0.10 # Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/3.3...master export GEOIP2_VERSION=a26c6beed77e81553686852dceb6c7fdacc5970d -# Check for recent changes: https://github.com/msva/nginx_ajp_module/compare/fcbb2ccca4901d317ecd7a9dabb3fec9378ff40f...master -# This is a fork from https://github.com/yaoweibin/nginx_ajp_module -# Since it has not been updated and is not compatible with NGINX 1.21 -export NGINX_AJP_VERSION=fcbb2ccca4901d317ecd7a9dabb3fec9378ff40f - # Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20220411...v2.1-agentzh export LUAJIT_VERSION=2.1-20220411 @@ -271,9 +266,6 @@ get_src 8d39c6b23f941a2d11571daaccc04e69539a3fcbcc50a631837560d5861a7b96 \ get_src 4c1933434572226942c65b2f2b26c8a536ab76aa771a3c7f6c2629faa764976b \ "https://github.com/leev/ngx_http_geoip2_module/archive/$GEOIP2_VERSION.tar.gz" -get_src 778fcca851bd69dabfb382dc827d2ee07662f7eca36b5e66e67d5512bad75ef8 \ - "https://github.com/msva/nginx_ajp_module/archive/$NGINX_AJP_VERSION.tar.gz" - get_src 5d16e623d17d4f42cc64ea9cfb69ca960d313e12f5d828f785dd227cc483fcbd \ "https://github.com/openresty/lua-resty-upload/archive/v$LUA_RESTY_UPLOAD_VERSION.tar.gz" @@ -633,7 +625,6 @@ WITH_MODULES=" \ --add-module=$BUILD_PATH/lua-nginx-module-$LUA_NGX_VERSION \ --add-module=$BUILD_PATH/stream-lua-nginx-module-$LUA_STREAM_NGX_VERSION \ --add-module=$BUILD_PATH/lua-upstream-nginx-module-$LUA_UPSTREAM_VERSION \ - --add-module=$BUILD_PATH/nginx_ajp_module-${NGINX_AJP_VERSION} \ --add-dynamic-module=$BUILD_PATH/nginx-http-auth-digest-$NGINX_DIGEST_AUTH \ --add-dynamic-module=$BUILD_PATH/nginx-opentracing-$NGINX_OPENTRACING_VERSION/opentracing \ --add-dynamic-module=$BUILD_PATH/ModSecurity-nginx-$MODSECURITY_VERSION \ diff --git a/internal/ingress/annotations/backendprotocol/main.go b/internal/ingress/annotations/backendprotocol/main.go index d8ea72386..c749072e3 100644 --- a/internal/ingress/annotations/backendprotocol/main.go +++ b/internal/ingress/annotations/backendprotocol/main.go @@ -31,7 +31,7 @@ import ( const HTTP = "HTTP" var ( - validProtocols = regexp.MustCompile(`^(AUTO_HTTP|HTTP|HTTPS|AJP|GRPC|GRPCS|FCGI)$`) + validProtocols = regexp.MustCompile(`^(AUTO_HTTP|HTTP|HTTPS|GRPC|GRPCS|FCGI)$`) ) type backendProtocol struct { diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go index 2d941f95d..791ab7962 100644 --- a/internal/ingress/controller/template/template.go +++ b/internal/ingress/controller/template/template.go @@ -736,9 +736,6 @@ func buildProxyPass(host string, b interface{}, loc interface{}) string { case "GRPCS": proto = "grpcs://" proxyPass = "grpc_pass" - case "AJP": - proto = "" - proxyPass = "ajp_pass" case "FCGI": proto = "" proxyPass = "fastcgi_pass" diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go index 1980d7e52..f5d68178b 100644 --- a/internal/ingress/controller/template/template_test.go +++ b/internal/ingress/controller/template/template_test.go @@ -1137,7 +1137,6 @@ func TestOpentracingPropagateContext(t *testing.T) { {BackendProtocol: "AUTO_HTTP"}: "opentracing_propagate_context;", {BackendProtocol: "GRPC"}: "opentracing_grpc_propagate_context;", {BackendProtocol: "GRPCS"}: "opentracing_grpc_propagate_context;", - {BackendProtocol: "AJP"}: "opentracing_propagate_context;", {BackendProtocol: "FCGI"}: "opentracing_propagate_context;", nil: "", } @@ -1157,7 +1156,6 @@ func TestOpentelemetryPropagateContext(t *testing.T) { {BackendProtocol: "AUTO_HTTP"}: "opentelemetry_propagate;", {BackendProtocol: "GRPC"}: "opentelemetry_propagate;", {BackendProtocol: "GRPCS"}: "opentelemetry_propagate;", - {BackendProtocol: "AJP"}: "opentelemetry_propagate;", {BackendProtocol: "FCGI"}: "opentelemetry_propagate;", nil: "", } diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index ccc86702d..6ace87448 100644 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -307,7 +307,6 @@ http { client_body_temp_path /tmp/nginx/client-body; fastcgi_temp_path /tmp/nginx/fastcgi-temp; proxy_temp_path /tmp/nginx/proxy-temp; - ajp_temp_path /tmp/nginx/ajp-temp; client_header_buffer_size {{ $cfg.ClientHeaderBufferSize }}; client_header_timeout {{ $cfg.ClientHeaderTimeout }}s; diff --git a/test/e2e/annotations/backendprotocol.go b/test/e2e/annotations/backendprotocol.go index bccb03afb..566a6921e 100644 --- a/test/e2e/annotations/backendprotocol.go +++ b/test/e2e/annotations/backendprotocol.go @@ -105,19 +105,4 @@ var _ = framework.DescribeAnnotation("backend-protocol", func() { return strings.Contains(server, "fastcgi_pass upstream_balancer;") }) }) - - ginkgo.It("should set backend protocol to '' and use ajp_pass", func() { - host := "backendprotocol.foo.com" - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/backend-protocol": "AJP", - } - - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, "ajp_pass upstream_balancer;") - }) - }) }) From f50431a9f9b98a7af14604dee6d7d4130d953c5a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 3 Jul 2023 04:40:53 -0700 Subject: [PATCH 384/405] Bump docker/setup-buildx-action from 2.7.0 to 2.8.0 (#10165) Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2.7.0 to 2.8.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/ecf95283f03858871ff00b787d79c419715afc34...16c0bc4a6e6ada2cfd8afd41d22d95379cf7c32a) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index f27ac4f9b..150ec29ae 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -158,7 +158,7 @@ jobs: - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@ecf95283f03858871ff00b787d79c419715afc34 # v2.7.0 + uses: docker/setup-buildx-action@16c0bc4a6e6ada2cfd8afd41d22d95379cf7c32a # v2.8.0 with: version: latest From d44a8e0045728729d6d604ea81f9ef582889d271 Mon Sep 17 00:00:00 2001 From: Chen Chen Date: Mon, 3 Jul 2023 20:50:52 +0800 Subject: [PATCH 385/405] Fix golang-ci linter errors (#10128) * Fix golang-ci linter errors Signed-off-by: z1cheng * Fix gofmt errors Signed-off-by: z1cheng * Add nolint comment to defaults.Backend in Configuration Signed-off-by: z1cheng * Add #nosec comment to rand.New func Signed-off-by: z1cheng * Fix errcheck warnings Signed-off-by: z1cheng * Fix gofmt check Signed-off-by: z1cheng * Fix unit tests and comments Signed-off-by: z1cheng --------- Signed-off-by: z1cheng --- cmd/dataplane/main.go | 9 +--- cmd/nginx/main.go | 3 -- cmd/plugin/commands/certs/certs.go | 6 ++- cmd/plugin/kubectl/kubectl.go | 4 +- images/fastcgi-helloserver/rootfs/main.go | 4 +- .../rootfs/pkg/k8s/k8s_test.go | 2 +- internal/admission/controller/main_test.go | 14 ++++--- internal/admission/controller/server.go | 4 +- internal/ingress/controller/checker_test.go | 24 ++++++++--- internal/ingress/controller/config/config.go | 2 +- .../ingress/controller/controller_test.go | 13 ++++-- internal/ingress/controller/nginx.go | 42 +------------------ .../controller/store/endpointslice_test.go | 20 ++++++--- internal/ingress/controller/store/store.go | 31 ++++++++++---- .../ingress/controller/store/store_test.go | 36 +++++++++++----- .../ingress/controller/template/template.go | 15 +++---- .../controller/template/template_test.go | 4 +- .../ingress/metric/collectors/process_test.go | 4 +- .../ingress/metric/collectors/socket_test.go | 4 +- internal/ingress/status/status.go | 5 ++- internal/ingress/status/status_test.go | 4 +- internal/net/dns/dns_test.go | 5 ++- internal/net/ssl/ssl.go | 2 +- internal/net/ssl/ssl_test.go | 8 +++- pkg/flags/flags.go | 10 ++--- pkg/tcpproxy/tcp.go | 4 +- pkg/util/file/file_test.go | 8 +++- pkg/util/file/file_watcher_test.go | 4 +- pkg/util/process/sigterm_test.go | 11 +++-- test/e2e/annotations/affinitymode.go | 2 +- test/e2e/endpointslices/topology.go | 4 +- test/e2e/framework/deployment.go | 7 ---- test/e2e/framework/httpexpect/chain.go | 16 ------- test/e2e/security/request_smuggling.go | 4 +- test/e2e/settings/proxy_protocol.go | 25 +++++++---- test/e2e/ssl/secret_update.go | 4 +- test/e2e/status/update.go | 4 +- 37 files changed, 206 insertions(+), 162 deletions(-) diff --git a/cmd/dataplane/main.go b/cmd/dataplane/main.go index 6fd559e4d..a1c4cbcc6 100644 --- a/cmd/dataplane/main.go +++ b/cmd/dataplane/main.go @@ -18,13 +18,10 @@ package main import ( "fmt" - "math/rand" // #nosec - "net/http" - "os" - "time" - "github.com/prometheus/client_golang/prometheus" "github.com/prometheus/client_golang/prometheus/collectors" + "net/http" + "os" "k8s.io/klog/v2" @@ -41,8 +38,6 @@ import ( func main() { klog.InitFlags(nil) - rand.Seed(time.Now().UnixNano()) - fmt.Println(version.String()) var err error showVersion, conf, err := ingressflags.ParseFlags() diff --git a/cmd/nginx/main.go b/cmd/nginx/main.go index 48dd933dc..508e940e1 100644 --- a/cmd/nginx/main.go +++ b/cmd/nginx/main.go @@ -19,7 +19,6 @@ package main import ( "context" "fmt" - "math/rand" // #nosec "net/http" "os" "path/filepath" @@ -54,8 +53,6 @@ import ( func main() { klog.InitFlags(nil) - rand.Seed(time.Now().UnixNano()) - fmt.Println(version.String()) showVersion, conf, err := ingressflags.ParseFlags() diff --git a/cmd/plugin/commands/certs/certs.go b/cmd/plugin/commands/certs/certs.go index 88b721ee3..1f08b5216 100644 --- a/cmd/plugin/commands/certs/certs.go +++ b/cmd/plugin/commands/certs/certs.go @@ -18,6 +18,7 @@ package certs import ( "fmt" + "os" "github.com/spf13/cobra" @@ -46,7 +47,10 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { } cmd.Flags().String("host", "", "Get the cert for this hostname") - cobra.MarkFlagRequired(cmd.Flags(), "host") + if err := cobra.MarkFlagRequired(cmd.Flags(), "host"); err != nil { + util.PrintError(err) + os.Exit(1) + } pod = util.AddPodFlag(cmd) deployment = util.AddDeploymentFlag(cmd) selector = util.AddSelectorFlag(cmd) diff --git a/cmd/plugin/kubectl/kubectl.go b/cmd/plugin/kubectl/kubectl.go index 3f31a2104..1171e9218 100644 --- a/cmd/plugin/kubectl/kubectl.go +++ b/cmd/plugin/kubectl/kubectl.go @@ -77,7 +77,9 @@ func execToWriter(args []string, writer io.Writer) error { return err } - go io.Copy(writer, op) + go func() { + io.Copy(writer, op) //nolint:errcheck + }() err = cmd.Run() if err != nil { return err diff --git a/images/fastcgi-helloserver/rootfs/main.go b/images/fastcgi-helloserver/rootfs/main.go index 91db60c26..a42c9a487 100644 --- a/images/fastcgi-helloserver/rootfs/main.go +++ b/images/fastcgi-helloserver/rootfs/main.go @@ -26,5 +26,7 @@ func main() { if err != nil { panic(err) } - fcgi.Serve(l, nil) + if err := fcgi.Serve(l, nil); err != nil { + panic(err) + } } diff --git a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go index deaeb3540..f11bef981 100644 --- a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go +++ b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go @@ -3,8 +3,8 @@ package k8s import ( "bytes" "context" + "crypto/rand" "errors" - "math/rand" "testing" "time" diff --git a/internal/admission/controller/main_test.go b/internal/admission/controller/main_test.go index 0a547d4be..8c42f87ef 100644 --- a/internal/admission/controller/main_test.go +++ b/internal/admission/controller/main_test.go @@ -67,7 +67,7 @@ func TestHandleAdmission(t *testing.T) { Checker: failTestChecker{t: t}, } - result, err := adm.HandleAdmission(&admissionv1.AdmissionReview{ + _, err := adm.HandleAdmission(&admissionv1.AdmissionReview{ Request: &admissionv1.AdmissionRequest{ Kind: v1.GroupVersionKind{Group: "", Version: "v1", Kind: "Pod"}, }, @@ -76,12 +76,12 @@ func TestHandleAdmission(t *testing.T) { t.Fatalf("with a non ingress resource, the check should not pass") } - result, err = adm.HandleAdmission(nil) + _, err = adm.HandleAdmission(nil) if err == nil { t.Fatalf("with a nil AdmissionReview request, the check should not pass") } - result, err = adm.HandleAdmission(&admissionv1.AdmissionReview{ + result, err := adm.HandleAdmission(&admissionv1.AdmissionReview{ Request: &admissionv1.AdmissionRequest{ Kind: v1.GroupVersionKind{Group: networking.GroupName, Version: "v1", Kind: "Ingress"}, Object: runtime.RawExtension{ @@ -114,7 +114,9 @@ func TestHandleAdmission(t *testing.T) { err: fmt.Errorf("this is a test error"), } - adm.HandleAdmission(review) + if _, err := adm.HandleAdmission(review); err != nil { + t.Errorf("unexpected error: %v", err) + } if review.Response.Allowed { t.Fatalf("when the checker returns an error, the request should not be allowed") } @@ -124,7 +126,9 @@ func TestHandleAdmission(t *testing.T) { err: nil, } - adm.HandleAdmission(review) + if _, err := adm.HandleAdmission(review); err != nil { + t.Errorf("unexpected error: %v", err) + } if !review.Response.Allowed { t.Fatalf("when the checker returns no error, the request should be allowed") } diff --git a/internal/admission/controller/server.go b/internal/admission/controller/server.go index 29449de50..3fa70971f 100644 --- a/internal/admission/controller/server.go +++ b/internal/admission/controller/server.go @@ -31,7 +31,9 @@ var ( ) func init() { - admissionv1.AddToScheme(scheme) + if err := admissionv1.AddToScheme(scheme); err != nil { + klog.ErrorS(err, "Failed to add scheme") + } } // AdmissionController checks if an object diff --git a/internal/ingress/controller/checker_test.go b/internal/ingress/controller/checker_test.go index bea1c9cd0..2d63efc09 100644 --- a/internal/ingress/controller/checker_test.go +++ b/internal/ingress/controller/checker_test.go @@ -76,7 +76,10 @@ func TestNginxCheck(t *testing.T) { }) // create pid file - os.MkdirAll("/tmp/nginx", file.ReadWriteByUser) + if err := os.MkdirAll("/tmp/nginx", file.ReadWriteByUser); err != nil { + t.Errorf("unexpected error creating pid file: %v", err) + } + pidFile, err := os.Create(nginx.PID) if err != nil { t.Fatalf("unexpected error: %v", err) @@ -90,14 +93,23 @@ func TestNginxCheck(t *testing.T) { // start dummy process to use the PID cmd := exec.Command("sleep", "3600") - cmd.Start() + if err := cmd.Start(); err != nil { + t.Errorf("unexpected error: %v", err) + } pid := cmd.Process.Pid - defer cmd.Process.Kill() + defer func() { + if err := cmd.Process.Kill(); err != nil { + t.Errorf("unexpected error killing the process: %v", err) + } + }() go func() { - cmd.Wait() + cmd.Wait() //nolint:errcheck }() - pidFile.Write([]byte(fmt.Sprintf("%v", pid))) + if _, err := pidFile.Write([]byte(fmt.Sprintf("%v", pid))); err != nil { + t.Errorf("unexpected error writing the pid file: %v", err) + } + pidFile.Close() healthz.InstallPathHandler(mux, tt.healthzPath, n) @@ -109,7 +121,7 @@ func TestNginxCheck(t *testing.T) { }) // pollute pid file - pidFile.Write([]byte("999999")) + pidFile.Write([]byte("999999")) //nolint:errcheck pidFile.Close() t.Run("bad pid", func(t *testing.T) { diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go index ec44b08ed..000bfc730 100644 --- a/internal/ingress/controller/config/config.go +++ b/internal/ingress/controller/config/config.go @@ -91,7 +91,7 @@ const ( // Configuration represents the content of nginx.conf file type Configuration struct { - defaults.Backend `json:",squash"` + defaults.Backend `json:",squash"` //nolint:staticcheck // AllowSnippetAnnotations enable users to add their own snippets via ingress annotation. // If disabled, only snippets added via ConfigMap are added to ingress. diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go index c631461c0..44184f6b9 100644 --- a/internal/ingress/controller/controller_test.go +++ b/internal/ingress/controller/controller_test.go @@ -158,7 +158,7 @@ func (fakeTemplate) Write(conf ngx_config.TemplateConfig) ([]byte, error) { func TestCheckIngress(t *testing.T) { defer func() { - filepath.Walk(os.TempDir(), func(path string, info os.FileInfo, err error) error { + err := filepath.Walk(os.TempDir(), func(path string, info os.FileInfo, err error) error { if info.IsDir() && os.TempDir() != path { return filepath.SkipDir } @@ -167,6 +167,9 @@ func TestCheckIngress(t *testing.T) { } return nil }) + if err != nil { + t.Errorf("unexpected error: %v", err) + } }() err := file.CreateRequiredDirectories() @@ -176,9 +179,13 @@ func TestCheckIngress(t *testing.T) { // Ensure no panic with wrong arguments var nginx *NGINXController - nginx.CheckIngress(nil) + if err := nginx.CheckIngress(nil); err != nil { + t.Errorf("unexpected error: %v", err) + } nginx = newNGINXController(t) - nginx.CheckIngress(nil) + if err := nginx.CheckIngress(nil); err != nil { + t.Errorf("unexpected error: %v", err) + } nginx.metricCollector = metric.DummyCollector{} nginx.t = fakeTemplate{} diff --git a/internal/ingress/controller/nginx.go b/internal/ingress/controller/nginx.go index 80693db5c..4a5a07625 100644 --- a/internal/ingress/controller/nginx.go +++ b/internal/ingress/controller/nginx.go @@ -248,8 +248,7 @@ type NGINXController struct { store store.Storer - metricCollector metric.Collector - admissionCollector metric.Collector + metricCollector metric.Collector validationWebhookServer *http.Server @@ -799,45 +798,6 @@ func (n *NGINXController) setupSSLProxy() { }() } -// Helper function to clear Certificates from the ingress configuration since they should be ignored when -// checking if the new configuration changes can be applied dynamically if dynamic certificates is on -func clearCertificates(config *ingress.Configuration) { - var clearedServers []*ingress.Server - for _, server := range config.Servers { - copyOfServer := *server - copyOfServer.SSLCert = nil - clearedServers = append(clearedServers, ©OfServer) - } - config.Servers = clearedServers -} - -// Helper function to clear endpoints from the ingress configuration since they should be ignored when -// checking if the new configuration changes can be applied dynamically. -func clearL4serviceEndpoints(config *ingress.Configuration) { - var clearedTCPL4Services []ingress.L4Service - var clearedUDPL4Services []ingress.L4Service - for _, service := range config.TCPEndpoints { - copyofService := ingress.L4Service{ - Port: service.Port, - Backend: service.Backend, - Endpoints: []ingress.Endpoint{}, - Service: nil, - } - clearedTCPL4Services = append(clearedTCPL4Services, copyofService) - } - for _, service := range config.UDPEndpoints { - copyofService := ingress.L4Service{ - Port: service.Port, - Backend: service.Backend, - Endpoints: []ingress.Endpoint{}, - Service: nil, - } - clearedUDPL4Services = append(clearedUDPL4Services, copyofService) - } - config.TCPEndpoints = clearedTCPL4Services - config.UDPEndpoints = clearedUDPL4Services -} - // configureDynamically encodes new Backends in JSON format and POSTs the // payload to an internal HTTP endpoint handled by Lua. func (n *NGINXController) configureDynamically(pcfg *ingress.Configuration) error { diff --git a/internal/ingress/controller/store/endpointslice_test.go b/internal/ingress/controller/store/endpointslice_test.go index e12a98c2f..1342575ae 100644 --- a/internal/ingress/controller/store/endpointslice_test.go +++ b/internal/ingress/controller/store/endpointslice_test.go @@ -59,7 +59,9 @@ func TestEndpointSliceLister(t *testing.T) { }, }, } - el.Add(endpointSlice) + if err := el.Add(endpointSlice); err != nil { + t.Errorf("unexpected error %v", err) + } endpointSlice = &discoveryv1.EndpointSlice{ ObjectMeta: metav1.ObjectMeta{ Namespace: "namespace", @@ -69,7 +71,9 @@ func TestEndpointSliceLister(t *testing.T) { }, }, } - el.Add(endpointSlice) + if err := el.Add(endpointSlice); err != nil { + t.Errorf("unexpected error %v", err) + } endpointSlice = &discoveryv1.EndpointSlice{ ObjectMeta: metav1.ObjectMeta{ Namespace: "namespace", @@ -79,7 +83,9 @@ func TestEndpointSliceLister(t *testing.T) { }, }, } - el.Add(endpointSlice) + if err := el.Add(endpointSlice); err != nil { + t.Errorf("unexpected error %v", err) + } eps, err := el.MatchByKey(key) if err != nil { @@ -108,7 +114,9 @@ func TestEndpointSliceLister(t *testing.T) { }, }, } - el.Add(endpointSlice) + if err := el.Add(endpointSlice); err != nil { + t.Errorf("unexpected error %v", err) + } endpointSlice2 := &discoveryv1.EndpointSlice{ ObjectMeta: metav1.ObjectMeta{ Namespace: ns2, @@ -118,7 +126,9 @@ func TestEndpointSliceLister(t *testing.T) { }, }, } - el.Add(endpointSlice2) + if err := el.Add(endpointSlice2); err != nil { + t.Errorf("unexpected error %v", err) + } eps, err := el.MatchByKey(key) if err != nil { t.Errorf("unexpeted error %v", err) diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go index 78fab62dc..9b3700739 100644 --- a/internal/ingress/controller/store/store.go +++ b/internal/ingress/controller/store/store.go @@ -404,7 +404,10 @@ func New( return } - store.listers.IngressWithAnnotation.Delete(ing) + if err := store.listers.IngressWithAnnotation.Delete(ing); err != nil { + klog.ErrorS(err, "Error while deleting ingress from store", "ingress", klog.KObj(ing)) + return + } key := k8s.MetaNamespaceKey(ing) store.secretIngressMap.Delete(key) @@ -793,14 +796,26 @@ func New( }, } - store.informers.Ingress.AddEventHandler(ingEventHandler) - if !icConfig.IgnoreIngressClass { - store.informers.IngressClass.AddEventHandler(ingressClassEventHandler) + if _, err := store.informers.Ingress.AddEventHandler(ingEventHandler); err != nil { + klog.Errorf("Error adding ingress event handler: %v", err) + } + if !icConfig.IgnoreIngressClass { + if _, err := store.informers.IngressClass.AddEventHandler(ingressClassEventHandler); err != nil { + klog.Errorf("Error adding ingress class event handler: %v", err) + } + } + if _, err := store.informers.EndpointSlice.AddEventHandler(epsEventHandler); err != nil { + klog.Errorf("Error adding endpoint slice event handler: %v", err) + } + if _, err := store.informers.Secret.AddEventHandler(secrEventHandler); err != nil { + klog.Errorf("Error adding secret event handler: %v", err) + } + if _, err := store.informers.ConfigMap.AddEventHandler(cmEventHandler); err != nil { + klog.Errorf("Error adding configmap event handler: %v", err) + } + if _, err := store.informers.Service.AddEventHandler(serviceHandler); err != nil { + klog.Errorf("Error adding service event handler: %v", err) } - store.informers.EndpointSlice.AddEventHandler(epsEventHandler) - store.informers.Secret.AddEventHandler(secrEventHandler) - store.informers.ConfigMap.AddEventHandler(cmEventHandler) - store.informers.Service.AddEventHandler(serviceHandler) // do not wait for informers to read the configmap configuration ns, name, _ := k8s.ParseNameNS(configmap) diff --git a/internal/ingress/controller/store/store_test.go b/internal/ingress/controller/store/store_test.go index 9fe6e37bb..b91cadc6c 100644 --- a/internal/ingress/controller/store/store_test.go +++ b/internal/ingress/controller/store/store_test.go @@ -92,7 +92,7 @@ func TestStore(t *testing.T) { emptySelector, _ := labels.Parse("") - defer te.Stop() + defer te.Stop() //nolint:errcheck clientSet, err := kubernetes.NewForConfig(cfg) if err != nil { @@ -1377,14 +1377,18 @@ func TestUpdateSecretIngressMap(t *testing.T) { Namespace: "testns", }, } - s.listers.Ingress.Add(ingTpl) + if err := s.listers.Ingress.Add(ingTpl); err != nil { + t.Errorf("error adding the Ingress template: %v", err) + } t.Run("with TLS secret", func(t *testing.T) { ing := ingTpl.DeepCopy() ing.Spec = networking.IngressSpec{ TLS: []networking.IngressTLS{{SecretName: "tls"}}, } - s.listers.Ingress.Update(ing) + if err := s.listers.Ingress.Update(ing); err != nil { + t.Errorf("error updating the Ingress: %v", err) + } s.updateSecretIngressMap(ing) if l := s.secretIngressMap.Len(); !(l == 1 && s.secretIngressMap.Has("testns/tls")) { @@ -1397,7 +1401,9 @@ func TestUpdateSecretIngressMap(t *testing.T) { ing.ObjectMeta.SetAnnotations(map[string]string{ parser.GetAnnotationWithPrefix("auth-secret"): "auth", }) - s.listers.Ingress.Update(ing) + if err := s.listers.Ingress.Update(ing); err != nil { + t.Errorf("error updating the Ingress: %v", err) + } s.updateSecretIngressMap(ing) if l := s.secretIngressMap.Len(); !(l == 1 && s.secretIngressMap.Has("testns/auth")) { @@ -1410,7 +1416,9 @@ func TestUpdateSecretIngressMap(t *testing.T) { ing.ObjectMeta.SetAnnotations(map[string]string{ parser.GetAnnotationWithPrefix("auth-secret"): "otherns/auth", }) - s.listers.Ingress.Update(ing) + if err := s.listers.Ingress.Update(ing); err != nil { + t.Errorf("error updating the Ingress: %v", err) + } s.updateSecretIngressMap(ing) if l := s.secretIngressMap.Len(); !(l == 1 && s.secretIngressMap.Has("otherns/auth")) { @@ -1423,7 +1431,9 @@ func TestUpdateSecretIngressMap(t *testing.T) { ing.ObjectMeta.SetAnnotations(map[string]string{ parser.GetAnnotationWithPrefix("auth-secret"): "ns/name/garbage", }) - s.listers.Ingress.Update(ing) + if err := s.listers.Ingress.Update(ing); err != nil { + t.Errorf("error updating the Ingress: %v", err) + } s.updateSecretIngressMap(ing) if l := s.secretIngressMap.Len(); l != 0 { @@ -1457,7 +1467,9 @@ func TestListIngresses(t *testing.T) { }, }, } - s.listers.IngressWithAnnotation.Add(ingressToIgnore) + if err := s.listers.IngressWithAnnotation.Add(ingressToIgnore); err != nil { + t.Errorf("error adding the Ingress: %v", err) + } ingressWithoutPath := &ingress.Ingress{ Ingress: networking.Ingress{ @@ -1492,8 +1504,9 @@ func TestListIngresses(t *testing.T) { }, }, } - s.listers.IngressWithAnnotation.Add(ingressWithoutPath) - + if err := s.listers.IngressWithAnnotation.Add(ingressWithoutPath); err != nil { + t.Errorf("error adding the Ingress: %v", err) + } ingressWithNginxClassAnnotation := &ingress.Ingress{ Ingress: networking.Ingress{ ObjectMeta: metav1.ObjectMeta{ @@ -1531,8 +1544,9 @@ func TestListIngresses(t *testing.T) { }, }, } - s.listers.IngressWithAnnotation.Add(ingressWithNginxClassAnnotation) - + if err := s.listers.IngressWithAnnotation.Add(ingressWithNginxClassAnnotation); err != nil { + t.Errorf("error adding the Ingress: %v", err) + } ingresses := s.ListIngresses() if s := len(ingresses); s != 3 { diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go index 791ab7962..147455771 100644 --- a/internal/ingress/controller/template/template.go +++ b/internal/ingress/controller/template/template.go @@ -18,13 +18,14 @@ package template import ( "bytes" + "crypto/rand" "crypto/sha1" // #nosec "encoding/base64" "encoding/hex" "encoding/json" "fmt" "io" - "math/rand" // #nosec + "math/big" "net" "net/url" "os" @@ -34,7 +35,6 @@ import ( "strconv" "strings" text_template "text/template" - "time" networkingv1 "k8s.io/api/networking/v1" "k8s.io/apimachinery/pkg/util/sets" @@ -1184,14 +1184,15 @@ func buildAuthSignURLLocation(location, authSignURL string) string { var letters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ") -func init() { - rand.Seed(time.Now().UnixNano()) -} - func randomString() string { b := make([]rune, 32) for i := range b { - b[i] = letters[rand.Intn(len(letters))] // #nosec + idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(letters)))) + if err != nil { + klog.Errorf("unexpected error generating random index: %v", err) + return "" + } + b[i] = letters[idx.Int64()] } return string(b) diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go index f5d68178b..a2c3b8299 100644 --- a/internal/ingress/controller/template/template_test.go +++ b/internal/ingress/controller/template/template_test.go @@ -767,7 +767,9 @@ func BenchmarkTemplateWithData(b *testing.B) { } for i := 0; i < b.N; i++ { - ngxTpl.Write(dat) + if _, err := ngxTpl.Write(dat); err != nil { + b.Errorf("unexpected error writing template: %v", err) + } } } diff --git a/internal/ingress/metric/collectors/process_test.go b/internal/ingress/metric/collectors/process_test.go index 45170572b..b21d95496 100644 --- a/internal/ingress/metric/collectors/process_test.go +++ b/internal/ingress/metric/collectors/process_test.go @@ -48,7 +48,7 @@ func TestProcessCollector(t *testing.T) { done := make(chan struct{}) go func() { - cmd.Wait() + cmd.Wait() //nolint:errcheck status := cmd.ProcessState.Sys().(syscall.WaitStatus) if status.Signaled() { t.Logf("Signal: %v", status.Signal()) @@ -69,7 +69,7 @@ func TestProcessCollector(t *testing.T) { defer func() { cm.Stop() - cmd.Process.Kill() + cmd.Process.Kill() //nolint:errcheck <-done close(done) }() diff --git a/internal/ingress/metric/collectors/socket_test.go b/internal/ingress/metric/collectors/socket_test.go index fe442aba0..6000f2685 100644 --- a/internal/ingress/metric/collectors/socket_test.go +++ b/internal/ingress/metric/collectors/socket_test.go @@ -58,7 +58,9 @@ func TestNewUDPLogListener(t *testing.T) { }() conn, _ := net.Dial("unix", tmpFile) - conn.Write([]byte("message")) + if _, err := conn.Write([]byte("message")); err != nil { + t.Errorf("unexpected error writing to unix socket: %v", err) + } conn.Close() time.Sleep(1 * time.Millisecond) diff --git a/internal/ingress/status/status.go b/internal/ingress/status/status.go index a7506705c..62b88da16 100644 --- a/internal/ingress/status/status.go +++ b/internal/ingress/status/status.go @@ -95,10 +95,13 @@ func (s statusSync) Run(stopCh chan struct{}) { // when this instance is the leader we need to enqueue // an item to trigger the update of the Ingress status. - wait.PollUntil(time.Duration(UpdateInterval)*time.Second, func() (bool, error) { + err := wait.PollUntil(time.Duration(UpdateInterval)*time.Second, func() (bool, error) { s.syncQueue.EnqueueTask(task.GetDummyObject("sync status")) return false, nil }, stopCh) + if err != nil { + klog.ErrorS(err, "error running poll") + } } // Shutdown stops the sync. In case the instance is the leader it will remove the current IP diff --git a/internal/ingress/status/status_test.go b/internal/ingress/status/status_test.go index 3dd56f37d..ce6b6a0bf 100644 --- a/internal/ingress/status/status_test.go +++ b/internal/ingress/status/status_test.go @@ -325,7 +325,9 @@ func TestStatusActions(t *testing.T) { // wait for the election time.Sleep(100 * time.Millisecond) // execute sync - fk.sync("just-test") + if err := fk.sync("just-test"); err != nil { + t.Errorf("unexpected error: %v", err) + } // PublishService is empty, so the running address is: ["11.0.0.2"] // after updated, the ingress's ip should only be "11.0.0.2" newIPs := []networking.IngressLoadBalancerIngress{{ diff --git a/internal/net/dns/dns_test.go b/internal/net/dns/dns_test.go index 708e3c6df..7e030e17a 100644 --- a/internal/net/dns/dns_test.go +++ b/internal/net/dns/dns_test.go @@ -40,13 +40,16 @@ func TestGetDNSServers(t *testing.T) { defer f.Close() defer os.Remove(f.Name()) - os.WriteFile(f.Name(), []byte(` + err = os.WriteFile(f.Name(), []byte(` # comment ; comment nameserver 2001:4860:4860::8844 nameserver 2001:4860:4860::8888 nameserver 8.8.8.8 `), file.ReadWriteByUser) + if err != nil { + t.Errorf("unexpected error: %v", err) + } defResolvConf = f.Name() s, err = GetSystemNameServers() diff --git a/internal/net/ssl/ssl.go b/internal/net/ssl/ssl.go index fdee2f46e..c74537fe9 100644 --- a/internal/net/ssl/ssl.go +++ b/internal/net/ssl/ssl.go @@ -228,7 +228,7 @@ func ConfigureCRL(name string, crl []byte, sslCert *ingress.SSLCert) error { return fmt.Errorf("CRL file %v contains invalid data, and must be created only with PEM formatted certificates", name) } - _, err := x509.ParseCRL(pemCRLBlock.Bytes) + _, err := x509.ParseRevocationList(pemCRLBlock.Bytes) if err != nil { return fmt.Errorf(err.Error()) } diff --git a/internal/net/ssl/ssl_test.go b/internal/net/ssl/ssl_test.go index 9d1aedf16..a86ecb87a 100644 --- a/internal/net/ssl/ssl_test.go +++ b/internal/net/ssl/ssl_test.go @@ -397,7 +397,9 @@ func newFakeCertificate(t *testing.T) ([]byte, string, string) { t.Errorf("failed to write test key: %v", err) } - certFile.Write(cert) + if _, err := certFile.Write(cert); err != nil { + t.Errorf("failed to write cert: %v", err) + } defer certFile.Close() keyFile, err := os.CreateTemp("", "key-") @@ -405,7 +407,9 @@ func newFakeCertificate(t *testing.T) ([]byte, string, string) { t.Errorf("failed to write test key: %v", err) } - keyFile.Write(key) + if _, err := keyFile.Write(key); err != nil { + t.Errorf("failed to write key: %v", err) + } defer keyFile.Close() return cert, certFile.Name(), keyFile.Name() diff --git a/pkg/flags/flags.go b/pkg/flags/flags.go index 370510380..489e24886 100644 --- a/pkg/flags/flags.go +++ b/pkg/flags/flags.go @@ -228,14 +228,10 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g flags.IntVar(&nginx.MaxmindRetriesCount, "maxmind-retries-count", 1, "Number of attempts to download the GeoIP DB.") flags.DurationVar(&nginx.MaxmindRetriesTimeout, "maxmind-retries-timeout", time.Second*0, "Maxmind downloading delay between 1st and 2nd attempt, 0s - do not retry to download if something went wrong.") - flag.Set("logtostderr", "true") - flags.AddGoFlagSet(flag.CommandLine) - flags.Parse(os.Args) - - // Workaround for this issue: - // https://github.com/kubernetes/kubernetes/issues/17162 - flag.CommandLine.Parse([]string{}) + if err := flags.Parse(os.Args); err != nil { + return false, nil, err + } pflag.VisitAll(func(flag *pflag.Flag) { klog.V(2).InfoS("FLAG", flag.Name, flag.Value) diff --git a/pkg/tcpproxy/tcp.go b/pkg/tcpproxy/tcp.go index 86850ad54..25cc39ee4 100644 --- a/pkg/tcpproxy/tcp.go +++ b/pkg/tcpproxy/tcp.go @@ -119,7 +119,9 @@ func (p *TCPProxy) Handle(conn net.Conn) { func pipe(client, server net.Conn) { doCopy := func(s, c net.Conn, cancel chan<- bool) { - io.Copy(s, c) + if _, err := io.Copy(s, c); err != nil { + klog.Errorf("Error copying data: %v", err) + } cancel <- true } diff --git a/pkg/util/file/file_test.go b/pkg/util/file/file_test.go index 93ec39cf9..9a43946b3 100644 --- a/pkg/util/file/file_test.go +++ b/pkg/util/file/file_test.go @@ -35,8 +35,12 @@ func TestSHA1(t *testing.T) { if err != nil { t.Fatal(err) } - f.Write(test.content) - f.Sync() + if _, err := f.Write(test.content); err != nil { + t.Error(err) + } + if err := f.Sync(); err != nil { + t.Error(err) + } sha := SHA1(f.Name()) f.Close() diff --git a/pkg/util/file/file_watcher_test.go b/pkg/util/file/file_watcher_test.go index 316cb6f1e..dd2755812 100644 --- a/pkg/util/file/file_watcher_test.go +++ b/pkg/util/file/file_watcher_test.go @@ -59,7 +59,9 @@ func TestFileWatcher(t *testing.T) { t.Fatalf("expected no events before writing a file") case <-timeoutChan: } - os.WriteFile(f.Name(), []byte{}, ReadWriteByUser) + if err := os.WriteFile(f.Name(), []byte{}, ReadWriteByUser); err != nil { + t.Errorf("unexpected error: %v", err) + } select { case <-events: case <-timeoutChan: diff --git a/pkg/util/process/sigterm_test.go b/pkg/util/process/sigterm_test.go index 2c2a6ee91..b7413bed4 100644 --- a/pkg/util/process/sigterm_test.go +++ b/pkg/util/process/sigterm_test.go @@ -42,9 +42,9 @@ func (f *FakeProcess) exiterFunc(code int) { f.exitCode = code } -func sendDelayedSignal(delay time.Duration) { +func sendDelayedSignal(delay time.Duration) error { time.Sleep(delay * time.Second) - syscall.Kill(syscall.Getpid(), syscall.SIGTERM) + return syscall.Kill(syscall.Getpid(), syscall.SIGTERM) } func TestHandleSigterm(t *testing.T) { @@ -66,7 +66,12 @@ func TestHandleSigterm(t *testing.T) { for _, tt := range tests { process := &FakeProcess{shouldError: tt.shouldError} t.Run(tt.name, func(t *testing.T) { - go sendDelayedSignal(2) // Send a signal after 2 seconds + go func() { + err := sendDelayedSignal(2) // Send a signal after 2 seconds + if err != nil { + t.Errorf("error sending delayed signal: %v", err) + } + }() HandleSigterm(process, tt.delay, process.exiterFunc) }) if tt.shouldError && process.exitCode != 1 { diff --git a/test/e2e/annotations/affinitymode.go b/test/e2e/annotations/affinitymode.go index cce2b004d..ad210cfa5 100644 --- a/test/e2e/annotations/affinitymode.go +++ b/test/e2e/annotations/affinitymode.go @@ -125,7 +125,7 @@ var _ = framework.DescribeAnnotation("affinitymode", func() { framework.Sleep() // validate, there is no backend to serve the request - response = request.WithCookies(cookies).Expect().Status(http.StatusServiceUnavailable) + request.WithCookies(cookies).Expect().Status(http.StatusServiceUnavailable) // create brand new backends replicas = 2 diff --git a/test/e2e/endpointslices/topology.go b/test/e2e/endpointslices/topology.go index 7cc67cedb..8dd0becfb 100644 --- a/test/e2e/endpointslices/topology.go +++ b/test/e2e/endpointslices/topology.go @@ -76,7 +76,9 @@ var _ = framework.IngressNginxDescribeSerial("[TopologyHints] topology aware rou status, err := f.ExecIngressPod(curlCmd) assert.Nil(ginkgo.GinkgoT(), err) var backends []map[string]interface{} - json.Unmarshal([]byte(status), &backends) + if err := json.Unmarshal([]byte(status), &backends); err != nil { + assert.Nil(ginkgo.GinkgoT(), err) + } gotBackends := 0 for _, bck := range backends { if strings.Contains(bck["name"].(string), "topology") { diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go index 04faefc7f..bcb1d3960 100644 --- a/test/e2e/framework/deployment.go +++ b/test/e2e/framework/deployment.go @@ -56,15 +56,8 @@ type deploymentOptions struct { name string namespace string image string - port int32 replicas int - command []string - args []string - env []corev1.EnvVar - volumeMounts []corev1.VolumeMount - volumes []corev1.Volume svcAnnotations map[string]string - setProbe bool } // WithDeploymentNamespace allows configuring the deployment's namespace diff --git a/test/e2e/framework/httpexpect/chain.go b/test/e2e/framework/httpexpect/chain.go index 79956fb33..33c4d15b7 100644 --- a/test/e2e/framework/httpexpect/chain.go +++ b/test/e2e/framework/httpexpect/chain.go @@ -36,19 +36,3 @@ func (c *chain) fail(message string, args ...interface{}) { c.failbit = true c.reporter.Errorf(message, args...) } - -func (c *chain) reset() { - c.failbit = false -} - -func (c *chain) assertFailed(r Reporter) { - if !c.failbit { - r.Errorf("expected chain is failed, but it's ok") - } -} - -func (c *chain) assertOK(r Reporter) { - if c.failbit { - r.Errorf("expected chain is ok, but it's failed") - } -} diff --git a/test/e2e/security/request_smuggling.go b/test/e2e/security/request_smuggling.go index 786a7a397..58b17c4d8 100644 --- a/test/e2e/security/request_smuggling.go +++ b/test/e2e/security/request_smuggling.go @@ -79,7 +79,9 @@ func smugglingRequest(host, addr string, port int) (string, error) { defer conn.Close() - conn.SetDeadline(time.Now().Add(time.Second * 10)) + if err := conn.SetDeadline(time.Now().Add(time.Second * 10)); err != nil { + return "", err + } _, err = fmt.Fprintf(conn, "GET /echo HTTP/1.1\r\nHost: %v\r\nContent-Length: 56\r\n\r\nGET /_hidden/index.html HTTP/1.1\r\nHost: notlocalhost\r\n\r\n", host) if err != nil { diff --git a/test/e2e/settings/proxy_protocol.go b/test/e2e/settings/proxy_protocol.go index f48ee5c8c..1567b2267 100644 --- a/test/e2e/settings/proxy_protocol.go +++ b/test/e2e/settings/proxy_protocol.go @@ -63,8 +63,12 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() { defer conn.Close() header := "PROXY TCP4 192.168.0.1 192.168.0.11 56324 1234\r\n" - conn.Write([]byte(header)) - conn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n")) + if _, err := conn.Write([]byte(header)); err != nil { + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error writing header") + } + if _, err := conn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n")); err != nil { + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error writing request") + } data, err := io.ReadAll(conn) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error reading connection data") @@ -96,8 +100,12 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() { defer conn.Close() header := "PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n" - conn.Write([]byte(header)) - conn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n")) + if _, err := conn.Write([]byte(header)); err != nil { + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error writing header") + } + if _, err := conn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n")); err != nil { + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error writing request") + } data, err := io.ReadAll(conn) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error reading connection data") @@ -205,9 +213,12 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() { defer conn.Close() header := "PROXY TCP4 192.168.0.1 192.168.0.11 56324 8080\r\n" - conn.Write([]byte(header)) - conn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n")) - + if _, err := conn.Write([]byte(header)); err != nil { + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error writing header") + } + if _, err := conn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n")); err != nil { + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error writing request") + } _, err = io.ReadAll(conn) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error reading connection data") diff --git a/test/e2e/ssl/secret_update.go b/test/e2e/ssl/secret_update.go index 77e64c6b2..242b370ee 100644 --- a/test/e2e/ssl/secret_update.go +++ b/test/e2e/ssl/secret_update.go @@ -73,7 +73,9 @@ var _ = framework.IngressNginxDescribe("[SSL] secret update", func() { dummySecret.Data["some-key"] = []byte("some value") - f.KubeClientSet.CoreV1().Secrets(f.Namespace).Update(context.TODO(), dummySecret, metav1.UpdateOptions{}) + if _, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace).Update(context.TODO(), dummySecret, metav1.UpdateOptions{}); err != nil { + assert.Nil(ginkgo.GinkgoT(), err, "updating secret") + } assert.NotContains(ginkgo.GinkgoT(), log, fmt.Sprintf("starting syncing of secret %v/dummy", f.Namespace)) assert.NotContains(ginkgo.GinkgoT(), log, fmt.Sprintf("error obtaining PEM from secret %v/dummy", f.Namespace)) diff --git a/test/e2e/status/update.go b/test/e2e/status/update.go index 5c6ea4977..046752d2b 100644 --- a/test/e2e/status/update.go +++ b/test/e2e/status/update.go @@ -71,7 +71,7 @@ var _ = framework.IngressNginxDescribe("[Status] status update", func() { f.NewEchoDeployment() - ing := f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)) + f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)) f.WaitForNginxConfiguration( func(cfg string) bool { @@ -84,7 +84,7 @@ var _ = framework.IngressNginxDescribe("[Status] status update", func() { err = cmd.Process.Kill() assert.Nil(ginkgo.GinkgoT(), err, "unexpected error terminating kubectl proxy") - ing, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{}) + ing, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error getting %s/%v Ingress", f.Namespace, host) ing.Status.LoadBalancer.Ingress = []v1.IngressLoadBalancerIngress{} From ff0cb504d672c2c576d99adcf7ae9abc98857f6d Mon Sep 17 00:00:00 2001 From: Chen Chen Date: Thu, 6 Jul 2023 19:31:03 +0800 Subject: [PATCH 386/405] Cleanup errcheck code (#10166) Signed-off-by: z1cheng --- test/e2e/endpointslices/topology.go | 5 ++--- test/e2e/settings/proxy_protocol.go | 34 ++++++++++++++--------------- test/e2e/ssl/secret_update.go | 5 ++--- 3 files changed, 20 insertions(+), 24 deletions(-) diff --git a/test/e2e/endpointslices/topology.go b/test/e2e/endpointslices/topology.go index 8dd0becfb..ff66f2ad1 100644 --- a/test/e2e/endpointslices/topology.go +++ b/test/e2e/endpointslices/topology.go @@ -76,9 +76,8 @@ var _ = framework.IngressNginxDescribeSerial("[TopologyHints] topology aware rou status, err := f.ExecIngressPod(curlCmd) assert.Nil(ginkgo.GinkgoT(), err) var backends []map[string]interface{} - if err := json.Unmarshal([]byte(status), &backends); err != nil { - assert.Nil(ginkgo.GinkgoT(), err) - } + err = json.Unmarshal([]byte(status), &backends) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error unmarshalling backends") gotBackends := 0 for _, bck := range backends { if strings.Contains(bck["name"].(string), "topology") { diff --git a/test/e2e/settings/proxy_protocol.go b/test/e2e/settings/proxy_protocol.go index 1567b2267..9939cad9e 100644 --- a/test/e2e/settings/proxy_protocol.go +++ b/test/e2e/settings/proxy_protocol.go @@ -63,12 +63,11 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() { defer conn.Close() header := "PROXY TCP4 192.168.0.1 192.168.0.11 56324 1234\r\n" - if _, err := conn.Write([]byte(header)); err != nil { - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error writing header") - } - if _, err := conn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n")); err != nil { - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error writing request") - } + _, err = conn.Write([]byte(header)) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error writing header") + + _, err = conn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n")) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error writing request") data, err := io.ReadAll(conn) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error reading connection data") @@ -100,12 +99,11 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() { defer conn.Close() header := "PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n" - if _, err := conn.Write([]byte(header)); err != nil { - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error writing header") - } - if _, err := conn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n")); err != nil { - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error writing request") - } + _, err = conn.Write([]byte(header)) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error writing header") + + _, err = conn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n")) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error writing request") data, err := io.ReadAll(conn) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error reading connection data") @@ -213,12 +211,12 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() { defer conn.Close() header := "PROXY TCP4 192.168.0.1 192.168.0.11 56324 8080\r\n" - if _, err := conn.Write([]byte(header)); err != nil { - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error writing header") - } - if _, err := conn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n")); err != nil { - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error writing request") - } + _, err = conn.Write([]byte(header)) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error writing header") + + _, err = conn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n")) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error writing request") + _, err = io.ReadAll(conn) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error reading connection data") diff --git a/test/e2e/ssl/secret_update.go b/test/e2e/ssl/secret_update.go index 242b370ee..fe7bfca0c 100644 --- a/test/e2e/ssl/secret_update.go +++ b/test/e2e/ssl/secret_update.go @@ -73,9 +73,8 @@ var _ = framework.IngressNginxDescribe("[SSL] secret update", func() { dummySecret.Data["some-key"] = []byte("some value") - if _, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace).Update(context.TODO(), dummySecret, metav1.UpdateOptions{}); err != nil { - assert.Nil(ginkgo.GinkgoT(), err, "updating secret") - } + _, err = f.KubeClientSet.CoreV1().Secrets(f.Namespace).Update(context.TODO(), dummySecret, metav1.UpdateOptions{}) + assert.Nil(ginkgo.GinkgoT(), err, "updating secret") assert.NotContains(ginkgo.GinkgoT(), log, fmt.Sprintf("starting syncing of secret %v/dummy", f.Namespace)) assert.NotContains(ginkgo.GinkgoT(), log, fmt.Sprintf("error obtaining PEM from secret %v/dummy", f.Namespace)) From c8f7cb052af9f6ddbcb3e92c677d88af13204889 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A1z=C3=A1r=20Gy=C3=B6rgy?= <55853197+lgyurci@users.noreply.github.com> Date: Fri, 7 Jul 2023 01:39:04 +0200 Subject: [PATCH 387/405] Exposed continent data as variable in the case of Maxmind city files (#10157) --- rootfs/etc/nginx/template/nginx.tmpl | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index 6ace87448..189c13d6c 100644 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -224,6 +224,8 @@ http { $geoip2_subregion_code source=$remote_addr subdivisions 1 iso_code; $geoip2_subregion_name source=$remote_addr subdivisions 1 names en; $geoip2_subregion_geoname_id source=$remote_addr subdivisions 1 geoname_id; + $geoip2_city_continent_code source=$remote_addr continent code; + $geoip2_city_continent_name source=$remote_addr continent names en; } {{ end }} @@ -245,6 +247,8 @@ http { $geoip2_subregion_code source=$remote_addr subdivisions 1 iso_code; $geoip2_subregion_name source=$remote_addr subdivisions 1 names en; $geoip2_subregion_geoname_id source=$remote_addr subdivisions 1 geoname_id; + $geoip2_city_continent_code source=$remote_addr continent code; + $geoip2_city_continent_name source=$remote_addr continent names en; } {{ end }} From 125b3be6f9960f86174fbcb842912e87d5f530bd Mon Sep 17 00:00:00 2001 From: Alex Matchneer Date: Thu, 6 Jul 2023 19:47:04 -0400 Subject: [PATCH 388/405] Clarify TCP/UDP service docs (#10146) In the current state, the docs on TCP/UDP aren't really clear on exactly whether/how TCP/UDP traffic is supported. This is an attempt to clarify the limitations inherent to k8s Ingress resources vs what can be accomplished with this controller. --- docs/user-guide/exposing-tcp-udp-services.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/user-guide/exposing-tcp-udp-services.md b/docs/user-guide/exposing-tcp-udp-services.md index 63293f0e5..089511ff9 100644 --- a/docs/user-guide/exposing-tcp-udp-services.md +++ b/docs/user-guide/exposing-tcp-udp-services.md @@ -1,6 +1,8 @@ # Exposing TCP and UDP services -Ingress does not support TCP or UDP services. For this reason this Ingress controller uses the flags `--tcp-services-configmap` and `--udp-services-configmap` to point to an existing config map where the key is the external port to use and the value indicates the service to expose using the format: +While the Kubernetes Ingress resource only officially supports routing external HTTP(s) traffic to services, ingress-nginx can be configured to receive external TCP/UDP traffic from non-HTTP protocols and route them to internal services using TCP/UDP port mappings that are specified within a ConfigMap. + +To support this, the `--tcp-services-configmap` and `--udp-services-configmap` flags can be used to point to an existing config map where the key is the external port to use and the value indicates the service to expose using the format: `::[PROXY]:[PROXY]` It is also possible to use a number or the name of the port. The two last fields are optional. From 6d55e1f3c42925db5e99f61457695778a681c8be Mon Sep 17 00:00:00 2001 From: David Goffredo Date: Thu, 6 Jul 2023 19:51:04 -0400 Subject: [PATCH 389/405] revise Datadog trace sampling configuration (#10151) * datadog: sample_rate omitted by default * config: use *float32 with nil instead of float32 with sentinel value * change some names * gofmt -s -w internal/ingress/controller/nginx.go --- internal/ingress/controller/config/config.go | 14 +--- internal/ingress/controller/nginx.go | 80 ++++++++++++-------- 2 files changed, 52 insertions(+), 42 deletions(-) diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go index 000bfc730..345ce89b4 100644 --- a/internal/ingress/controller/config/config.go +++ b/internal/ingress/controller/config/config.go @@ -706,16 +706,9 @@ type Configuration struct { // Default: nginx.handle DatadogOperationNameOverride string `json:"datadog-operation-name-override"` - // DatadogPrioritySampling specifies to use client-side sampling - // If true disables client-side sampling (thus ignoring sample_rate) and enables distributed - // priority sampling, where traces are sampled based on a combination of user-assigned - // Default: true - DatadogPrioritySampling bool `json:"datadog-priority-sampling"` - // DatadogSampleRate specifies sample rate for any traces created. - // This is effective only when datadog-priority-sampling is false - // Default: 1.0 - DatadogSampleRate float32 `json:"datadog-sample-rate"` + // Default: use a dynamic rate instead + DatadogSampleRate *float32 `json:"datadog-sample-rate",omitempty` // MainSnippet adds custom configuration to the main section of the nginx configuration MainSnippet string `json:"main-snippet"` @@ -1001,8 +994,7 @@ func NewDefault() Configuration { DatadogEnvironment: "prod", DatadogCollectorPort: 8126, DatadogOperationNameOverride: "nginx.handle", - DatadogSampleRate: 1.0, - DatadogPrioritySampling: true, + DatadogSampleRate: nil, LimitReqStatusCode: 503, LimitConnStatusCode: 503, SyslogPort: 514, diff --git a/internal/ingress/controller/nginx.go b/internal/ingress/controller/nginx.go index 4a5a07625..6c25aa34f 100644 --- a/internal/ingress/controller/nginx.go +++ b/internal/ingress/controller/nginx.go @@ -1011,16 +1011,6 @@ const jaegerTmpl = `{ } }` -const datadogTmpl = `{ - "service": "{{ .DatadogServiceName }}", - "agent_host": "{{ .DatadogCollectorHost }}", - "agent_port": {{ .DatadogCollectorPort }}, - "environment": "{{ .DatadogEnvironment }}", - "operation_name_override": "{{ .DatadogOperationNameOverride }}", - "sample_rate": {{ .DatadogSampleRate }}, - "dd.priority.sampling": {{ .DatadogPrioritySampling }} -}` - const otelTmpl = ` exporter = "otlp" processor = "batch" @@ -1044,37 +1034,65 @@ ratio = {{ .OtelSamplerRatio }} parent_based = {{ .OtelSamplerParentBased }} ` -func createOpentracingCfg(cfg ngx_config.Configuration) error { - var tmpl *template.Template - var err error +func datadogOpentracingCfg(cfg ngx_config.Configuration) (string, error) { + m := map[string]interface{}{ + "service": cfg.DatadogServiceName, + "agent_host": cfg.DatadogCollectorHost, + "agent_port": cfg.DatadogCollectorPort, + "environment": cfg.DatadogEnvironment, + "operation_name_override": cfg.DatadogOperationNameOverride, + } - if cfg.ZipkinCollectorHost != "" { - tmpl, err = template.New("zipkin").Parse(zipkinTmpl) - if err != nil { - return err - } - } else if cfg.JaegerCollectorHost != "" || cfg.JaegerEndpoint != "" { - tmpl, err = template.New("jaeger").Parse(jaegerTmpl) - if err != nil { - return err - } - } else if cfg.DatadogCollectorHost != "" { - tmpl, err = template.New("datadog").Parse(datadogTmpl) - if err != nil { - return err - } - } else { - tmpl, _ = template.New("empty").Parse("{}") + // Omit "sample_rate" if the configuration's sample rate is unset (nil). + // Omitting "sample_rate" from the plugin JSON indicates to the tracer that + // it should use dynamic rates instead of a configured rate. + if cfg.DatadogSampleRate != nil { + m["sample_rate"] = *cfg.DatadogSampleRate + } + + buf, err := json.Marshal(m) + if err != nil { + return "", err + } + + return string(buf), nil +} + +func opentracingCfgFromTemplate(cfg ngx_config.Configuration, tmplName string, tmplText string) (string, error) { + tmpl, err := template.New(tmplName).Parse(tmplText) + if err != nil { + return "", err } tmplBuf := bytes.NewBuffer(make([]byte, 0)) err = tmpl.Execute(tmplBuf, cfg) + if err != nil { + return "", err + } + + return tmplBuf.String(), nil +} + +func createOpentracingCfg(cfg ngx_config.Configuration) error { + var configData string + var err error + + if cfg.ZipkinCollectorHost != "" { + configData, err = opentracingCfgFromTemplate(cfg, "zipkin", zipkinTmpl) + } else if cfg.JaegerCollectorHost != "" || cfg.JaegerEndpoint != "" { + configData, err = opentracingCfgFromTemplate(cfg, "jaeger", jaegerTmpl) + } else if cfg.DatadogCollectorHost != "" { + configData, err = datadogOpentracingCfg(cfg) + } else { + configData = "{}" + } + if err != nil { return err } // Expand possible environment variables before writing the configuration to file. - expanded := os.ExpandEnv(tmplBuf.String()) + expanded := os.ExpandEnv(configData) return os.WriteFile("/etc/nginx/opentracing.json", []byte(expanded), file.ReadWriteByUser) } From b9122e0248a5de64bfb3fd7c321be7e2c5238040 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Jul 2023 05:55:07 -0700 Subject: [PATCH 390/405] Bump docker/setup-buildx-action from 2.8.0 to 2.9.0 (#10191) Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2.8.0 to 2.9.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/16c0bc4a6e6ada2cfd8afd41d22d95379cf7c32a...2a1a44ac4aa01993040736bd95bb470da1a38365) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 150ec29ae..e2ddec049 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -158,7 +158,7 @@ jobs: - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@16c0bc4a6e6ada2cfd8afd41d22d95379cf7c32a # v2.8.0 + uses: docker/setup-buildx-action@2a1a44ac4aa01993040736bd95bb470da1a38365 # v2.9.0 with: version: latest From 5b35651a1a40f5506d06540c1fcd103dc41a16d5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Jul 2023 05:57:06 -0700 Subject: [PATCH 391/405] Bump golang.org/x/crypto from 0.10.0 to 0.11.0 (#10192) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.10.0 to 0.11.0. - [Commits](https://github.com/golang/crypto/compare/v0.10.0...v0.11.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 8 ++++---- go.sum | 16 ++++++++-------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/go.mod b/go.mod index 4b75cbd12..2b808ef2b 100644 --- a/go.mod +++ b/go.mod @@ -25,7 +25,7 @@ require ( github.com/stretchr/testify v1.8.4 github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a - golang.org/x/crypto v0.10.0 + golang.org/x/crypto v0.11.0 google.golang.org/grpc v1.56.1 google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 @@ -103,9 +103,9 @@ require ( golang.org/x/mod v0.10.0 // indirect golang.org/x/net v0.10.0 // indirect golang.org/x/oauth2 v0.8.0 // indirect - golang.org/x/sys v0.9.0 // indirect - golang.org/x/term v0.9.0 // indirect - golang.org/x/text v0.10.0 // indirect + golang.org/x/sys v0.10.0 // indirect + golang.org/x/term v0.10.0 // indirect + golang.org/x/text v0.11.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.9.1 // indirect google.golang.org/appengine v1.6.7 // indirect diff --git a/go.sum b/go.sum index db879481c..9fee095bc 100644 --- a/go.sum +++ b/go.sum @@ -390,8 +390,8 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.10.0 h1:LKqV2xt9+kDzSTfOhx4FrkEBcMrAgHSYgzywV9zcGmM= -golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I= +golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA= +golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -524,19 +524,19 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s= -golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= +golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.9.0 h1:GRRCnKYhdQrD8kfRAdQ6Zcw1P0OcELxGLKJvtjVMZ28= -golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo= +golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c= +golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.10.0 h1:UpjohKhiEgNc0CSauXmwYftY1+LlaC75SJwh0SgCX58= -golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= +golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From 0cd1f16c476ca72c324b8ded07c861ebe0dce4e0 Mon Sep 17 00:00:00 2001 From: lijie Date: Mon, 17 Jul 2023 04:45:06 +0800 Subject: [PATCH 392/405] Scanning port 10247 lead to tcp connection 502 error (#9815) * fix tcp 502 error * fix tcp 502 error for parse tcp backend data * fix tcp 502 error for parse tcp backend data --- rootfs/etc/nginx/lua/tcp_udp_configuration.lua | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/rootfs/etc/nginx/lua/tcp_udp_configuration.lua b/rootfs/etc/nginx/lua/tcp_udp_configuration.lua index 85864b45b..f191454fa 100644 --- a/rootfs/etc/nginx/lua/tcp_udp_configuration.lua +++ b/rootfs/etc/nginx/lua/tcp_udp_configuration.lua @@ -1,5 +1,6 @@ local ngx = ngx local tostring = tostring +local cjson = require("cjson.safe") -- this is the Lua representation of TCP/UDP Configuration local tcp_udp_configuration_data = ngx.shared.tcp_udp_configuration_data @@ -37,6 +38,14 @@ function _M.call() return end + local _, backends_err = cjson.decode(backends) + + if backends_err then + ngx.log(ngx.ERR, "could not parse backends data: ", backends_err) + return + end + + local success, err_conf = tcp_udp_configuration_data:set("backends", backends) if not success then ngx.log(ngx.ERR, "dynamic-configuration: error updating configuration: " .. tostring(err_conf)) From 8f8f471422f0ec4ef8dc09dd22d317b9ee1814de Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Jul 2023 04:47:08 -0700 Subject: [PATCH 393/405] Bump docker/setup-buildx-action from 2.9.0 to 2.9.1 (#10207) Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2.9.0 to 2.9.1. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/2a1a44ac4aa01993040736bd95bb470da1a38365...4c0219f9ac95b02789c1075625400b2acbff50b1) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index e2ddec049..097e77276 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -158,7 +158,7 @@ jobs: - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@2a1a44ac4aa01993040736bd95bb470da1a38365 # v2.9.0 + uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1 with: version: latest From 49674631ef52ef3b37f0ec0ec3210f8cfe3aa951 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Jul 2023 05:49:09 -0700 Subject: [PATCH 394/405] Bump google.golang.org/grpc from 1.56.1 to 1.56.2 (#10193) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.56.1 to 1.56.2. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.56.1...v1.56.2) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 2b808ef2b..8864e3a83 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a golang.org/x/crypto v0.11.0 - google.golang.org/grpc v1.56.1 + google.golang.org/grpc v1.56.2 google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 diff --git a/go.sum b/go.sum index 9fee095bc..acd310e3a 100644 --- a/go.sum +++ b/go.sum @@ -661,8 +661,8 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.56.1 h1:z0dNfjIl0VpaZ9iSVjA6daGatAYwPGstTjt5vkRMFkQ= -google.golang.org/grpc v1.56.1/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= +google.golang.org/grpc v1.56.2 h1:fVRFRnXvU+x6C4IlHZewvJOVHoOv1TUuQyoRsYnB4bI= +google.golang.org/grpc v1.56.2/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 h1:pPsdyuBif+uoyUoL19yuj/TCfUPsmpJHJZhWQ98JGLU= google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7/go.mod h1:8pQa1yxxkh+EsxUK8/455D5MSbv3vgmEJqKCH3y17mI= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= From 6416ed821d726d78d8988ed1ae189bc243903471 Mon Sep 17 00:00:00 2001 From: Jintao Zhang Date: Thu, 20 Jul 2023 23:36:09 +0800 Subject: [PATCH 395/405] chore: bump OpenResty to v1.21.4.2 (#10219) Signed-off-by: Jintao Zhang --- images/nginx/rootfs/build.sh | 66 ++++++++++++++++++------------------ 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh index 5e215bf72..a99ebd292 100755 --- a/images/nginx/rootfs/build.sh +++ b/images/nginx/rootfs/build.sh @@ -20,14 +20,14 @@ set -o pipefail export NGINX_VERSION=1.21.6 -# Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.1...master -export NDK_VERSION=0.3.1 +# Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.2...master +export NDK_VERSION=0.3.2 # Check for recent changes: https://github.com/openresty/set-misc-nginx-module/compare/v0.33...master export SETMISC_VERSION=0.33 -# Check for recent changes: https://github.com/openresty/headers-more-nginx-module/compare/v0.33...master -export MORE_HEADERS_VERSION=0.33 +# Check for recent changes: https://github.com/openresty/headers-more-nginx-module/compare/v0.34...master +export MORE_HEADERS_VERSION=0.34 # Check for recent changes: https://github.com/atomx/nginx-http-auth-digest/compare/v1.0.0...atomx:master export NGINX_DIGEST_AUTH=1.0.0 @@ -65,32 +65,32 @@ export MODSECURITY_LIB_VERSION=e9a7ba4a60be48f761e0328c6dfcc668d70e35a0 # Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v3.3.2...v3.3/master export OWASP_MODSECURITY_CRS_VERSION=v3.3.4 -# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.21...master -export LUA_NGX_VERSION=0.10.21 +# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.25...master +export LUA_NGX_VERSION=0.10.25 -# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/v0.0.11...master -export LUA_STREAM_NGX_VERSION=0.0.11 +# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/v0.0.13...master +export LUA_STREAM_NGX_VERSION=0.0.13 # Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/8aa93ead98ba2060d4efd594ae33a35d153589bf...master export LUA_UPSTREAM_VERSION=8aa93ead98ba2060d4efd594ae33a35d153589bf -# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.10...openresty:master -export LUA_CJSON_VERSION=2.1.0.10 +# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.11...openresty:master +export LUA_CJSON_VERSION=2.1.0.11 # Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/3.3...master export GEOIP2_VERSION=a26c6beed77e81553686852dceb6c7fdacc5970d -# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20220411...v2.1-agentzh -export LUAJIT_VERSION=2.1-20220411 +# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20230410...v2.1-agentzh +export LUAJIT_VERSION=2.1-20230410 # Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/v0.04...master export LUA_RESTY_BALANCER=0.04 -# Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/v0.11...master -export LUA_RESTY_CACHE=0.11 +# Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/v0.13...master +export LUA_RESTY_CACHE=0.13 -# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.23...master -export LUA_RESTY_CORE=0.1.23 +# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.27...master +export LUA_RESTY_CORE=0.1.27 # Check for recent changes: https://github.com/cloudflare/lua-resty-cookie/compare/v0.1.0...master export LUA_RESTY_COOKIE_VERSION=303e32e512defced053a6484bc0745cf9dc0d39e @@ -101,17 +101,17 @@ export LUA_RESTY_DNS=0.22 # Check for recent changes: https://github.com/ledgetech/lua-resty-http/compare/v0.16.1...master export LUA_RESTY_HTTP=0ce55d6d15da140ecc5966fa848204c6fd9074e8 -# Check for recent changes: https://github.com/openresty/lua-resty-lock/compare/v0.08...master -export LUA_RESTY_LOCK=0.08 +# Check for recent changes: https://github.com/openresty/lua-resty-lock/compare/v0.09...master +export LUA_RESTY_LOCK=0.09 -# Check for recent changes: https://github.com/openresty/lua-resty-upload/compare/v0.10...master -export LUA_RESTY_UPLOAD_VERSION=0.10 +# Check for recent changes: https://github.com/openresty/lua-resty-upload/compare/v0.11...master +export LUA_RESTY_UPLOAD_VERSION=0.11 # Check for recent changes: https://github.com/openresty/lua-resty-string/compare/v0.15...master export LUA_RESTY_STRING_VERSION=0.15 -# Check for recent changes: https://github.com/openresty/lua-resty-memcached/compare/v0.16...master -export LUA_RESTY_MEMCACHED_VERSION=0.16 +# Check for recent changes: https://github.com/openresty/lua-resty-memcached/compare/v0.17...master +export LUA_RESTY_MEMCACHED_VERSION=0.17 # Check for recent changes: https://github.com/openresty/lua-resty-redis/compare/v0.30...master export LUA_RESTY_REDIS_VERSION=0.30 @@ -199,13 +199,13 @@ cd "$BUILD_PATH" get_src 66dc7081488811e9f925719e34d1b4504c2801c81dee2920e5452a86b11405ae \ "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz" -get_src 0e971105e210d272a497567fa2e2c256f4e39b845a5ba80d373e26ba1abfbd85 \ +get_src 09fec34ff3ef1baf23dd0eaf04307fd73db865cdf99294687de45bf80c58f146 \ "https://github.com/simpl/ngx_devel_kit/archive/v$NDK_VERSION.tar.gz" get_src cd5e2cc834bcfa30149e7511f2b5a2183baf0b70dc091af717a89a64e44a2985 \ "https://github.com/openresty/set-misc-nginx-module/archive/v$SETMISC_VERSION.tar.gz" -get_src a3dcbab117a9c103bc1ea5200fc00a7b7d2af97ff7fd525f16f8ac2632e30fbf \ +get_src 2a86088a37932a4a9812d2e552cc3847e11470a753ed78a18510b196344c2734 \ "https://github.com/openresty/headers-more-nginx-module/archive/v$MORE_HEADERS_VERSION.tar.gz" get_src f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b \ @@ -241,10 +241,10 @@ get_src 7d5f3439c8df56046d0564b5857fd8a30296ab1bd6df0f048aed7afb56a0a4c2 \ get_src 99c47c75c159795c9faf76bbb9fa58e5a50b75286c86565ffcec8514b1c74bf9 \ "https://github.com/openresty/stream-lua-nginx-module/archive/v$LUA_STREAM_NGX_VERSION.tar.gz" else -get_src 9db756000578efaecb43bea4fc6cf631aaa80988d86ffe5d3afeb9927895ffad \ +get_src bc764db42830aeaf74755754b900253c233ad57498debe7a441cee2c6f4b07c2 \ "https://github.com/openresty/lua-nginx-module/archive/v$LUA_NGX_VERSION.tar.gz" -get_src c7924f28cb014a99636e747ea907724dd55f60e180cb92cde6e8ed48d2278f27 \ +get_src c4df29aeee1ec648a2d2d527c2b27312617a1f1a4033e492e8cf8e6ecbbc269d \ "https://github.com/openresty/stream-lua-nginx-module/archive/v$LUA_STREAM_NGX_VERSION.tar.gz" fi @@ -256,7 +256,7 @@ if [[ ${ARCH} == "s390x" ]]; then get_src 266ed1abb70a9806d97cb958537a44b67db6afb33d3b32292a2d68a2acedea75 \ "https://github.com/openresty/luajit2/archive/$LUAJIT_VERSION.tar.gz" else -get_src d3f2c870f8f88477b01726b32accab30f6e5d57ae59c5ec87374ff73d0794316 \ +get_src 77bbcbb24c3c78f51560017288f3118d995fe71240aa379f5818ff6b166712ff \ "https://github.com/openresty/luajit2/archive/v$LUAJIT_VERSION.tar.gz" fi @@ -266,7 +266,7 @@ get_src 8d39c6b23f941a2d11571daaccc04e69539a3fcbcc50a631837560d5861a7b96 \ get_src 4c1933434572226942c65b2f2b26c8a536ab76aa771a3c7f6c2629faa764976b \ "https://github.com/leev/ngx_http_geoip2_module/archive/$GEOIP2_VERSION.tar.gz" -get_src 5d16e623d17d4f42cc64ea9cfb69ca960d313e12f5d828f785dd227cc483fcbd \ +get_src c7e94aefd32ed04068642fd5da2dcc41aa41a63a8dfac6d73b203bc73f1a3232 \ "https://github.com/openresty/lua-resty-upload/archive/v$LUA_RESTY_UPLOAD_VERSION.tar.gz" get_src bdbf271003d95aa91cab0a92f24dca129e99b33f79c13ebfcdbbcbb558129491 \ @@ -279,20 +279,20 @@ if [[ ${ARCH} == "s390x" ]]; then get_src 8f5f76d2689a3f6b0782f0a009c56a65e4c7a4382be86422c9b3549fe95b0dc4 \ "https://github.com/openresty/lua-resty-core/archive/v$LUA_RESTY_CORE.tar.gz" else -get_src efd6b51520429e64b1bcc10f477d370ebed1631c190f7e4dc270d959a743ad7d \ +get_src 5249631c2f493fc41a9e85b1e7214675d2e31d5bb52cac7a1e99d9a5eb873ba9 \ "https://github.com/openresty/lua-resty-core/archive/v$LUA_RESTY_CORE.tar.gz" fi -get_src 0c551d6898f89f876e48730f9b55790d0ba07d5bc0aa6c76153277f63c19489f \ +get_src a77b9de160d81712f2f442e1de8b78a5a7ef0d08f13430ff619f79235db974d4 \ "https://github.com/openresty/lua-cjson/archive/$LUA_CJSON_VERSION.tar.gz" get_src 5ed48c36231e2622b001308622d46a0077525ac2f751e8cc0c9905914254baa4 \ "https://github.com/cloudflare/lua-resty-cookie/archive/$LUA_RESTY_COOKIE_VERSION.tar.gz" -get_src e810ed124fe788b8e4aac2c8960dda1b9a6f8d0ca94ce162f28d3f4d877df8af \ +get_src b38ba9620a08cf3e0b3cc17f85bde285dca6441fe5a6bd982ef732f4b6036e66 \ "https://github.com/openresty/lua-resty-lrucache/archive/v$LUA_RESTY_CACHE.tar.gz" -get_src 2b4683f9abe73e18ca00345c65010c9056777970907a311d6e1699f753141de2 \ +get_src 6aebf4412639a84eedc8b140aa48e065d625453859699a6712a62fa8085f2704 \ "https://github.com/openresty/lua-resty-lock/archive/v$LUA_RESTY_LOCK.tar.gz" get_src 70e9a01eb32ccade0d5116a25bcffde0445b94ad35035ce06b94ccd260ad1bf0 \ @@ -301,7 +301,7 @@ get_src 70e9a01eb32ccade0d5116a25bcffde0445b94ad35035ce06b94ccd260ad1bf0 \ get_src 9fcb6db95bc37b6fce77d3b3dc740d593f9d90dce0369b405eb04844d56ac43f \ "https://github.com/ledgetech/lua-resty-http/archive/$LUA_RESTY_HTTP.tar.gz" -get_src 42893da0e3de4ec180c9bf02f82608d78787290a70c5644b538f29d243147396 \ +get_src 0513e2be4e9d6dd59c5575432c8a28e5f7a105b373009fa5058f685f0759f28f \ "https://github.com/openresty/lua-resty-memcached/archive/v$LUA_RESTY_MEMCACHED_VERSION.tar.gz" get_src c15aed1a01c88a3a6387d9af67a957dff670357f5fdb4ee182beb44635eef3f1 \ From 1dd8d0cfd70b13aeb3220ab2f5157302bebf7418 Mon Sep 17 00:00:00 2001 From: amirschw <24677563+amirschw@users.noreply.github.com> Date: Thu, 20 Jul 2023 20:34:11 +0300 Subject: [PATCH 396/405] Ignore deployment template's replicas if KEDA is enabled (#9534) --- charts/ingress-nginx/templates/controller-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml index 7fe8804ea..c4a1a37e1 100644 --- a/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/charts/ingress-nginx/templates/controller-deployment.yaml @@ -19,7 +19,7 @@ spec: matchLabels: {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} app.kubernetes.io/component: controller - {{- if not .Values.controller.autoscaling.enabled }} + {{- if not (or .Values.controller.autoscaling.enabled .Values.controller.keda.enabled) }} replicas: {{ .Values.controller.replicaCount }} {{- end }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} From a297cedb7abdff51e1afbb286e4bd008e9715c69 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?= Date: Thu, 20 Jul 2023 20:00:10 +0200 Subject: [PATCH 397/405] [helm] pass service annotations through helm tpl engine (#10084) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jan-Otto Kröpke --- charts/ingress-nginx/README.md | 4 ++-- .../ingress-nginx/templates/controller-service-internal.yaml | 2 +- charts/ingress-nginx/templates/controller-service.yaml | 2 +- charts/ingress-nginx/values.yaml | 3 ++- 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 955091873..953eff685 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -399,14 +399,14 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.scope.enabled | bool | `false` | Enable 'scope' or not | | controller.scope.namespace | string | `""` | Namespace to limit the controller to; defaults to $(POD_NAMESPACE) | | controller.scope.namespaceSelector | string | `""` | When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. | -| controller.service.annotations | object | `{}` | | +| controller.service.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine. | | controller.service.appProtocol | bool | `true` | If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http It allows choosing the protocol for each backend specified in the Kubernetes service. See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 Will be ignored for Kubernetes versions older than 1.20 # | | controller.service.enableHttp | bool | `true` | | | controller.service.enableHttps | bool | `true` | | | controller.service.enabled | bool | `true` | | | controller.service.external.enabled | bool | `true` | | | controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # | -| controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. | +| controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine. | | controller.service.internal.enabled | bool | `false` | Enables an additional internal load balancer (besides the external one). | | controller.service.internal.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS. | | controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. | diff --git a/charts/ingress-nginx/templates/controller-service-internal.yaml b/charts/ingress-nginx/templates/controller-service-internal.yaml index 87146b746..3966b3260 100644 --- a/charts/ingress-nginx/templates/controller-service-internal.yaml +++ b/charts/ingress-nginx/templates/controller-service-internal.yaml @@ -4,7 +4,7 @@ kind: Service metadata: annotations: {{- range $key, $value := .Values.controller.service.internal.annotations }} - {{ $key }}: {{ $value | quote }} + {{ $key }}: {{ tpl ($value | toString) $ | quote }} {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} diff --git a/charts/ingress-nginx/templates/controller-service.yaml b/charts/ingress-nginx/templates/controller-service.yaml index b2735d2e8..f079fd4d8 100644 --- a/charts/ingress-nginx/templates/controller-service.yaml +++ b/charts/ingress-nginx/templates/controller-service.yaml @@ -4,7 +4,7 @@ kind: Service metadata: annotations: {{- range $key, $value := .Values.controller.service.annotations }} - {{ $key }}: {{ $value | quote }} + {{ $key }}: {{ tpl ($value | toString) $ | quote }} {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index d091391a8..6fd113b67 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -415,6 +415,7 @@ controller: # Will be ignored for Kubernetes versions older than 1.20 ## appProtocol: true + # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine. annotations: {} labels: {} # clusterIP: "" @@ -476,7 +477,7 @@ controller: internal: # -- Enables an additional internal load balancer (besides the external one). enabled: false - # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. + # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine. annotations: {} # -- Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS. loadBalancerIP: "" From 24fda9da20e3045de54c92ef64016d801c370bc9 Mon Sep 17 00:00:00 2001 From: James Strong Date: Thu, 20 Jul 2023 17:34:12 -0400 Subject: [PATCH 398/405] Golang 1.20.6 for test runner (#10230) * Golang 1.20.6 for test runner * alpine 3.18.2 as well Signed-off-by: James Strong --------- Signed-off-by: James Strong --- images/cfssl/rootfs/Dockerfile | 2 +- images/nginx/rootfs/Dockerfile | 4 ++-- images/opentelemetry/rootfs/Dockerfile | 2 +- images/test-runner/Makefile | 4 ++-- rootfs/Dockerfile-chroot | 2 +- test/e2e-image/Dockerfile | 2 +- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/images/cfssl/rootfs/Dockerfile b/images/cfssl/rootfs/Dockerfile index e8d6c617a..89a5eef9c 100644 --- a/images/cfssl/rootfs/Dockerfile +++ b/images/cfssl/rootfs/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM alpine:3.18.0 +FROM alpine:3.18.2 RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile index 9b4abf244..7627870ba 100644 --- a/images/nginx/rootfs/Dockerfile +++ b/images/nginx/rootfs/Dockerfile @@ -11,7 +11,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -FROM alpine:3.18.0 as builder +FROM alpine:3.18.2 as builder COPY . / @@ -21,7 +21,7 @@ RUN apk update \ && /build.sh # Use a multi-stage build -FROM alpine:3.18.0 +FROM alpine:3.18.2 ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin diff --git a/images/opentelemetry/rootfs/Dockerfile b/images/opentelemetry/rootfs/Dockerfile index d15c28bbf..f3628b1f3 100644 --- a/images/opentelemetry/rootfs/Dockerfile +++ b/images/opentelemetry/rootfs/Dockerfile @@ -13,7 +13,7 @@ # limitations under the License. -FROM alpine:3.18.0 as base +FROM alpine:3.18.2 as base RUN mkdir -p /opt/third_party/install COPY . /opt/third_party/ diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile index acf3dd660..3cd378937 100644 --- a/images/test-runner/Makefile +++ b/images/test-runner/Makefile @@ -43,7 +43,7 @@ image: --pull \ --push \ --build-arg BASE_IMAGE=${NGINX_BASE_IMAGE} \ - --build-arg GOLANG_VERSION=1.20.5 \ + --build-arg GOLANG_VERSION=1.20.6 \ --build-arg ETCD_VERSION=3.4.3-0 \ --build-arg K8S_RELEASE=v1.26.0 \ --build-arg RESTY_CLI_VERSION=0.27 \ @@ -64,7 +64,7 @@ build: ensure-buildx --progress=${PROGRESS} \ --pull \ --build-arg BASE_IMAGE=${NGINX_BASE_IMAGE} \ - --build-arg GOLANG_VERSION=1.20.5 \ + --build-arg GOLANG_VERSION=1.20.6 \ --build-arg ETCD_VERSION=3.4.3-0 \ --build-arg K8S_RELEASE=v1.26.0 \ --build-arg RESTY_CLI_VERSION=0.27 \ diff --git a/rootfs/Dockerfile-chroot b/rootfs/Dockerfile-chroot index a4123fe87..48facd44f 100644 --- a/rootfs/Dockerfile-chroot +++ b/rootfs/Dockerfile-chroot @@ -23,7 +23,7 @@ RUN apk update \ && apk upgrade \ && /chroot.sh -FROM alpine:3.18.0 +FROM alpine:3.18.2 ARG TARGETARCH ARG VERSION diff --git a/test/e2e-image/Dockerfile b/test/e2e-image/Dockerfile index 97986ec95..2ee5716ed 100644 --- a/test/e2e-image/Dockerfile +++ b/test/e2e-image/Dockerfile @@ -1,7 +1,7 @@ ARG E2E_BASE_IMAGE FROM ${E2E_BASE_IMAGE} AS BASE -FROM alpine:3.18.0 +FROM alpine:3.18.2 RUN apk update \ && apk upgrade && apk add -U --no-cache \ From e8097d8b8ff4aa4573a8d25e4bb98093323e6302 Mon Sep 17 00:00:00 2001 From: James Strong Date: Thu, 20 Jul 2023 21:04:21 -0400 Subject: [PATCH 399/405] fix gcloud builds Signed-off-by: James Strong --- images/cfssl/Makefile | 2 -- images/cfssl/cloudbuild.yaml | 5 ----- images/custom-error-pages/cloudbuild.yaml | 5 ----- images/echo/cloudbuild.yaml | 5 ----- images/ext-auth-example-authsvc/Makefile | 4 +++- images/ext-auth-example-authsvc/cloudbuild.yaml | 5 ----- images/fastcgi-helloserver/cloudbuild.yaml | 6 +----- images/go-grpc-greeter-server/cloudbuild.yaml | 5 ----- images/httpbun/cloudbuild.yaml | 5 ----- images/kube-webhook-certgen/cloudbuild.yaml | 5 ----- images/opentelemetry/cloudbuild.yaml | 5 ----- images/test-runner/Makefile | 2 +- 12 files changed, 5 insertions(+), 49 deletions(-) diff --git a/images/cfssl/Makefile b/images/cfssl/Makefile index 8d8e597a4..31c37fbc5 100644 --- a/images/cfssl/Makefile +++ b/images/cfssl/Makefile @@ -23,8 +23,6 @@ TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA) REGISTRY ?= local - - IMAGE = $(REGISTRY)/e2e-test-cfssl # required to enable buildx diff --git a/images/cfssl/cloudbuild.yaml b/images/cfssl/cloudbuild.yaml index 4976a3f67..5fed3b712 100644 --- a/images/cfssl/cloudbuild.yaml +++ b/images/cfssl/cloudbuild.yaml @@ -6,8 +6,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - SHORT_SHA=$SHORT_SHA - - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx # set the home to /root explicitly to if using docker buildx @@ -17,6 +15,3 @@ steps: - | gcloud auth configure-docker \ && cd images/cfssl && make push -substitutions: - _GIT_TAG: "12345" - _PULL_BASE_REF: "master" diff --git a/images/custom-error-pages/cloudbuild.yaml b/images/custom-error-pages/cloudbuild.yaml index e38d4bcdc..a443d2b11 100644 --- a/images/custom-error-pages/cloudbuild.yaml +++ b/images/custom-error-pages/cloudbuild.yaml @@ -6,8 +6,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - SHORT_SHA=$SHORT_SHA - - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx # set the home to /root explicitly to if using docker buildx @@ -17,6 +15,3 @@ steps: - | gcloud auth configure-docker \ && cd images/custom-error-pages && make push -substitutions: - _GIT_TAG: "12345" - _PULL_BASE_REF: "master" diff --git a/images/echo/cloudbuild.yaml b/images/echo/cloudbuild.yaml index f07be825a..811d8d3f0 100644 --- a/images/echo/cloudbuild.yaml +++ b/images/echo/cloudbuild.yaml @@ -6,8 +6,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - SHORT_SHA=$SHORT_SHA - - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx # set the home to /root explicitly to if using docker buildx @@ -17,6 +15,3 @@ steps: - | gcloud auth configure-docker \ && cd images/echo && make push -substitutions: - _GIT_TAG: "12345" - _PULL_BASE_REF: "master" diff --git a/images/ext-auth-example-authsvc/Makefile b/images/ext-auth-example-authsvc/Makefile index 85d2f8e6b..63f261ec3 100644 --- a/images/ext-auth-example-authsvc/Makefile +++ b/images/ext-auth-example-authsvc/Makefile @@ -18,7 +18,9 @@ SHELL=/bin/bash -o pipefail -o errexit DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh -TAG ?=v1.0.0 +SHORT_SHA ?=$(shell git rev-parse --short HEAD) +TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA) + REGISTRY ?= local IMAGE = $(REGISTRY)/ext-auth-example-authsvc diff --git a/images/ext-auth-example-authsvc/cloudbuild.yaml b/images/ext-auth-example-authsvc/cloudbuild.yaml index c5bb5db6a..4a436e012 100644 --- a/images/ext-auth-example-authsvc/cloudbuild.yaml +++ b/images/ext-auth-example-authsvc/cloudbuild.yaml @@ -8,8 +8,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - SHORT_SHA=$SHORT_SHA - - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx # set the home to /root explicitly to if using docker buildx @@ -19,6 +17,3 @@ steps: - | gcloud auth configure-docker \ && cd images/ext-auth-example-authsvc && make push -substitutions: - _GIT_TAG: "12345" - _PULL_BASE_REF: "master" diff --git a/images/fastcgi-helloserver/cloudbuild.yaml b/images/fastcgi-helloserver/cloudbuild.yaml index a4c9d5eff..80623a197 100644 --- a/images/fastcgi-helloserver/cloudbuild.yaml +++ b/images/fastcgi-helloserver/cloudbuild.yaml @@ -6,8 +6,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - SHORT_SHA=$SHORT_SHA - - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx # set the home to /root explicitly to if using docker buildx @@ -17,6 +15,4 @@ steps: - | gcloud auth configure-docker \ && cd images/fastcgi-helloserver && make push -substitutions: - _GIT_TAG: "12345" - _PULL_BASE_REF: "master" + diff --git a/images/go-grpc-greeter-server/cloudbuild.yaml b/images/go-grpc-greeter-server/cloudbuild.yaml index 6f32bcf50..20740eb27 100644 --- a/images/go-grpc-greeter-server/cloudbuild.yaml +++ b/images/go-grpc-greeter-server/cloudbuild.yaml @@ -8,8 +8,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - SHORT_SHA=$SHORT_SHA - - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx # set the home to /root explicitly to if using docker buildx @@ -19,6 +17,3 @@ steps: - | gcloud auth configure-docker \ && cd images/go-grpc-greeter-server && make push -substitutions: - _GIT_TAG: "12345" - _PULL_BASE_REF: "master" diff --git a/images/httpbun/cloudbuild.yaml b/images/httpbun/cloudbuild.yaml index 9e3af5935..68afbe873 100644 --- a/images/httpbun/cloudbuild.yaml +++ b/images/httpbun/cloudbuild.yaml @@ -8,8 +8,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - SHORT_SHA=$SHORT_SHA - - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx # set the home to /root explicitly to if using docker buildx @@ -19,6 +17,3 @@ steps: - | gcloud auth configure-docker \ && cd images/httpbun && make push -substitutions: - _GIT_TAG: "12345" - _PULL_BASE_REF: "master" diff --git a/images/kube-webhook-certgen/cloudbuild.yaml b/images/kube-webhook-certgen/cloudbuild.yaml index bf0bd3ce1..88d7400d0 100644 --- a/images/kube-webhook-certgen/cloudbuild.yaml +++ b/images/kube-webhook-certgen/cloudbuild.yaml @@ -21,8 +21,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - SHORT_SHA=$SHORT_SHA - - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx # set the home to /root explicitly to if using docker buildx @@ -32,6 +30,3 @@ steps: - | gcloud auth configure-docker \ && cd images/kube-webhook-certgen && make push -substitutions: - _GIT_TAG: "12345" - _PULL_BASE_REF: "main" diff --git a/images/opentelemetry/cloudbuild.yaml b/images/opentelemetry/cloudbuild.yaml index 9556ccba9..baf29a051 100644 --- a/images/opentelemetry/cloudbuild.yaml +++ b/images/opentelemetry/cloudbuild.yaml @@ -8,8 +8,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - SHORT_SHA=$SHORT_SHA - - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx # set the home to /root explicitly to if using docker buildx @@ -19,6 +17,3 @@ steps: - | gcloud auth configure-docker \ && cd images/opentelemetry && make push -substitutions: - _GIT_TAG: "12345" - _PULL_BASE_REF: "main" diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile index 3cd378937..97133045e 100644 --- a/images/test-runner/Makefile +++ b/images/test-runner/Makefile @@ -21,7 +21,7 @@ INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh SHORT_SHA ?=$(shell git rev-parse --short HEAD) TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA) -REGISTRY ?= local +REGISTRY ?= gcr.io/k8s-staging-ingress-nginx IMAGE = $(REGISTRY)/e2e-test-runner From b0081a574ab46d5477544294836da0746953af17 Mon Sep 17 00:00:00 2001 From: James Strong Date: Thu, 20 Jul 2023 21:05:38 -0400 Subject: [PATCH 400/405] update reg Signed-off-by: James Strong --- images/test-runner/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile index 97133045e..3cd378937 100644 --- a/images/test-runner/Makefile +++ b/images/test-runner/Makefile @@ -21,7 +21,7 @@ INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh SHORT_SHA ?=$(shell git rev-parse --short HEAD) TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA) -REGISTRY ?= gcr.io/k8s-staging-ingress-nginx +REGISTRY ?= local IMAGE = $(REGISTRY)/e2e-test-runner From c83422fd6592b7b6aea2f58b5688929a5170875a Mon Sep 17 00:00:00 2001 From: Jintao Zhang Date: Sat, 22 Jul 2023 06:41:22 +0800 Subject: [PATCH 401/405] fix deps sha Signed-off-by: Jintao Zhang --- images/nginx/rootfs/build.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh index a99ebd292..db1eebfb8 100755 --- a/images/nginx/rootfs/build.sh +++ b/images/nginx/rootfs/build.sh @@ -199,13 +199,13 @@ cd "$BUILD_PATH" get_src 66dc7081488811e9f925719e34d1b4504c2801c81dee2920e5452a86b11405ae \ "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz" -get_src 09fec34ff3ef1baf23dd0eaf04307fd73db865cdf99294687de45bf80c58f146 \ - "https://github.com/simpl/ngx_devel_kit/archive/v$NDK_VERSION.tar.gz" +get_src aa961eafb8317e0eb8da37eb6e2c9ff42267edd18b56947384e719b85188f58b \ + "https://github.com/vision5/ngx_devel_kit/archive/v$NDK_VERSION.tar.gz" get_src cd5e2cc834bcfa30149e7511f2b5a2183baf0b70dc091af717a89a64e44a2985 \ "https://github.com/openresty/set-misc-nginx-module/archive/v$SETMISC_VERSION.tar.gz" -get_src 2a86088a37932a4a9812d2e552cc3847e11470a753ed78a18510b196344c2734 \ +get_src 0c0d2ced2ce895b3f45eb2b230cd90508ab2a773299f153de14a43e44c1209b3 \ "https://github.com/openresty/headers-more-nginx-module/archive/v$MORE_HEADERS_VERSION.tar.gz" get_src f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b \ @@ -244,7 +244,7 @@ else get_src bc764db42830aeaf74755754b900253c233ad57498debe7a441cee2c6f4b07c2 \ "https://github.com/openresty/lua-nginx-module/archive/v$LUA_NGX_VERSION.tar.gz" -get_src c4df29aeee1ec648a2d2d527c2b27312617a1f1a4033e492e8cf8e6ecbbc269d \ +get_src 01b715754a8248cc7228e0c8f97f7488ae429d90208de0481394e35d24cef32f \ "https://github.com/openresty/stream-lua-nginx-module/archive/v$LUA_STREAM_NGX_VERSION.tar.gz" fi @@ -266,7 +266,7 @@ get_src 8d39c6b23f941a2d11571daaccc04e69539a3fcbcc50a631837560d5861a7b96 \ get_src 4c1933434572226942c65b2f2b26c8a536ab76aa771a3c7f6c2629faa764976b \ "https://github.com/leev/ngx_http_geoip2_module/archive/$GEOIP2_VERSION.tar.gz" -get_src c7e94aefd32ed04068642fd5da2dcc41aa41a63a8dfac6d73b203bc73f1a3232 \ +get_src deb4ab1ffb9f3d962c4b4a2c4bdff692b86a209e3835ae71ebdf3b97189e40a9 \ "https://github.com/openresty/lua-resty-upload/archive/v$LUA_RESTY_UPLOAD_VERSION.tar.gz" get_src bdbf271003d95aa91cab0a92f24dca129e99b33f79c13ebfcdbbcbb558129491 \ @@ -279,7 +279,7 @@ if [[ ${ARCH} == "s390x" ]]; then get_src 8f5f76d2689a3f6b0782f0a009c56a65e4c7a4382be86422c9b3549fe95b0dc4 \ "https://github.com/openresty/lua-resty-core/archive/v$LUA_RESTY_CORE.tar.gz" else -get_src 5249631c2f493fc41a9e85b1e7214675d2e31d5bb52cac7a1e99d9a5eb873ba9 \ +get_src 39baab9e2b31cc48cecf896cea40ef6e80559054fd8a6e440cc804a858ea84d4 \ "https://github.com/openresty/lua-resty-core/archive/v$LUA_RESTY_CORE.tar.gz" fi @@ -289,10 +289,10 @@ get_src a77b9de160d81712f2f442e1de8b78a5a7ef0d08f13430ff619f79235db974d4 \ get_src 5ed48c36231e2622b001308622d46a0077525ac2f751e8cc0c9905914254baa4 \ "https://github.com/cloudflare/lua-resty-cookie/archive/$LUA_RESTY_COOKIE_VERSION.tar.gz" -get_src b38ba9620a08cf3e0b3cc17f85bde285dca6441fe5a6bd982ef732f4b6036e66 \ +get_src 573184006b98ccee2594b0d134fa4d05e5d2afd5141cbad315051ccf7e9b6403 \ "https://github.com/openresty/lua-resty-lrucache/archive/v$LUA_RESTY_CACHE.tar.gz" -get_src 6aebf4412639a84eedc8b140aa48e065d625453859699a6712a62fa8085f2704 \ +get_src b4ddcd47db347e9adf5c1e1491a6279a6ae2a3aff3155ef77ea0a65c998a69c1 \ "https://github.com/openresty/lua-resty-lock/archive/v$LUA_RESTY_LOCK.tar.gz" get_src 70e9a01eb32ccade0d5116a25bcffde0445b94ad35035ce06b94ccd260ad1bf0 \ @@ -301,7 +301,7 @@ get_src 70e9a01eb32ccade0d5116a25bcffde0445b94ad35035ce06b94ccd260ad1bf0 \ get_src 9fcb6db95bc37b6fce77d3b3dc740d593f9d90dce0369b405eb04844d56ac43f \ "https://github.com/ledgetech/lua-resty-http/archive/$LUA_RESTY_HTTP.tar.gz" -get_src 0513e2be4e9d6dd59c5575432c8a28e5f7a105b373009fa5058f685f0759f28f \ +get_src 02733575c4aed15f6cab662378e4b071c0a4a4d07940c4ef19a7319e9be943d4 \ "https://github.com/openresty/lua-resty-memcached/archive/v$LUA_RESTY_MEMCACHED_VERSION.tar.gz" get_src c15aed1a01c88a3a6387d9af67a957dff670357f5fdb4ee182beb44635eef3f1 \ From c5f348ea2eec5f15ab0d5c5e976b29d6787fd3dc Mon Sep 17 00:00:00 2001 From: Ricardo Katz Date: Sat, 22 Jul 2023 00:32:07 -0300 Subject: [PATCH 402/405] Implement annotation validation (#9673) * Add validation to all annotations * Add annotation validation for fcgi * Fix reviews and fcgi e2e * Add flag to disable cross namespace validation * Add risk, flag for validation, tests * Add missing formating * Enable validation by default on tests * Test validation flag * remove ajp from list * Finalize validation changes * Add validations to CI * Update helm docs * Fix code review * Use a better name for annotation risk --- .github/workflows/ci.yaml | 49 +++ charts/ingress-nginx/README.md | 1 + charts/ingress-nginx/templates/_params.tpl | 3 + charts/ingress-nginx/values.yaml | 1 + docs/user-guide/cli-arguments.md | 1 + .../nginx-configuration/configmap.md | 26 ++ internal/ingress/annotations/alias/main.go | 36 +- .../ingress/annotations/alias/main_test.go | 35 +- internal/ingress/annotations/annotations.go | 17 +- .../ingress/annotations/annotations_test.go | 32 +- internal/ingress/annotations/auth/main.go | 86 ++++- .../ingress/annotations/auth/main_test.go | 114 ++++++- internal/ingress/annotations/authreq/main.go | 221 +++++++++++-- .../ingress/annotations/authreq/main_test.go | 6 +- .../ingress/annotations/authreqglobal/main.go | 35 +- internal/ingress/annotations/authtls/main.go | 105 +++++- .../ingress/annotations/authtls/main_test.go | 66 +++- .../annotations/backendprotocol/main.go | 59 +++- .../annotations/backendprotocol/main_test.go | 4 +- internal/ingress/annotations/canary/main.go | 121 ++++++- .../annotations/clientbodybuffersize/main.go | 38 ++- .../clientbodybuffersize/main_test.go | 3 + .../ingress/annotations/connection/main.go | 41 ++- .../annotations/connection/main_test.go | 20 +- internal/ingress/annotations/cors/main.go | 120 ++++++- .../ingress/annotations/cors/main_test.go | 42 +-- .../annotations/customhttperrors/main.go | 43 ++- .../annotations/defaultbackend/main.go | 36 +- .../annotations/defaultbackend/main_test.go | 58 +++- internal/ingress/annotations/fastcgi/main.go | 71 +++- .../ingress/annotations/fastcgi/main_test.go | 124 ++++++- .../annotations/globalratelimit/main.go | 81 ++++- .../annotations/globalratelimit/main_test.go | 22 +- .../annotations/http2pushpreload/main.go | 35 +- .../annotations/http2pushpreload/main_test.go | 20 +- .../{ipwhitelist => ipallowlist}/main.go | 64 +++- .../{ipwhitelist => ipallowlist}/main_test.go | 83 ++++- .../ingress/annotations/ipdenylist/main.go | 47 ++- .../annotations/ipdenylist/main_test.go | 30 +- .../ingress/annotations/loadbalancing/main.go | 44 ++- .../annotations/loadbalancing/main_test.go | 3 +- internal/ingress/annotations/log/main.go | 44 ++- internal/ingress/annotations/log/main_test.go | 22 +- internal/ingress/annotations/mirror/main.go | 74 ++++- .../ingress/annotations/mirror/main_test.go | 11 +- .../ingress/annotations/modsecurity/main.go | 73 ++++- .../ingress/annotations/opentelemetry/main.go | 67 +++- .../annotations/opentelemetry/main_test.go | 30 +- .../ingress/annotations/opentracing/main.go | 45 ++- .../annotations/opentracing/main_test.go | 8 +- internal/ingress/annotations/parser/main.go | 109 ++++-- .../ingress/annotations/parser/main_test.go | 21 +- .../ingress/annotations/parser/validators.go | 239 ++++++++++++++ .../annotations/parser/validators_test.go | 310 ++++++++++++++++++ .../annotations/portinredirect/main.go | 35 +- .../annotations/portinredirect/main_test.go | 28 +- internal/ingress/annotations/proxy/main.go | 188 +++++++++-- .../ingress/annotations/proxy/main_test.go | 68 ++++ internal/ingress/annotations/proxyssl/main.go | 115 ++++++- .../ingress/annotations/proxyssl/main_test.go | 2 +- .../ingress/annotations/ratelimit/main.go | 120 ++++++- .../annotations/ratelimit/main_test.go | 93 +++++- .../ingress/annotations/redirect/redirect.go | 67 +++- .../annotations/redirect/redirect_test.go | 10 +- internal/ingress/annotations/rewrite/main.go | 103 +++++- .../ingress/annotations/rewrite/main_test.go | 24 ++ internal/ingress/annotations/satisfy/main.go | 37 ++- .../ingress/annotations/satisfy/main_test.go | 2 +- .../ingress/annotations/serversnippet/main.go | 35 +- .../annotations/serversnippet/main_test.go | 2 +- .../annotations/serviceupstream/main.go | 35 +- .../annotations/serviceupstream/main_test.go | 6 +- .../annotations/sessionaffinity/main.go | 125 ++++++- internal/ingress/annotations/snippet/main.go | 35 +- .../ingress/annotations/snippet/main_test.go | 2 +- .../ingress/annotations/sslcipher/main.go | 56 +++- .../annotations/sslcipher/main_test.go | 27 +- .../annotations/sslpassthrough/main.go | 34 +- .../annotations/sslpassthrough/main_test.go | 2 +- .../ingress/annotations/streamsnippet/main.go | 35 +- .../annotations/streamsnippet/main_test.go | 2 +- .../annotations/upstreamhashby/main.go | 71 +++- .../annotations/upstreamhashby/main_test.go | 32 +- .../ingress/annotations/upstreamvhost/main.go | 36 +- .../annotations/upstreamvhost/main_test.go | 2 +- .../annotations/xforwardedprefix/main.go | 35 +- .../annotations/xforwardedprefix/main_test.go | 2 +- internal/ingress/controller/config/config.go | 15 +- internal/ingress/controller/controller.go | 15 +- .../ingress/controller/controller_test.go | 13 +- internal/ingress/controller/store/store.go | 35 +- .../ingress/controller/store/store_test.go | 17 +- internal/ingress/defaults/main.go | 12 + internal/ingress/errors/errors.go | 44 +++ internal/ingress/resolver/main.go | 3 + internal/ingress/resolver/mock.go | 15 +- pkg/apis/ingress/types.go | 8 +- pkg/apis/ingress/types_equals.go | 2 +- pkg/flags/flags.go | 4 + rootfs/etc/nginx/template/nginx.tmpl | 10 +- .../validations/values.yaml | 38 +++ test/e2e/annotations/fastcgi.go | 4 +- .../{ipwhitelist.go => ipallowlist.go} | 10 +- test/e2e/e2e.go | 2 + test/e2e/framework/exec.go | 7 +- test/e2e/run-e2e-suite.sh | 1 + test/e2e/run-kind-e2e.sh | 1 + test/e2e/settings/validations/validations.go | 86 +++++ test/e2e/wait-for-nginx.sh | 2 + 109 files changed, 4320 insertions(+), 586 deletions(-) rename internal/ingress/annotations/{ipwhitelist => ipallowlist}/main.go (53%) rename internal/ingress/annotations/{ipwhitelist => ipallowlist}/main_test.go (64%) create mode 100644 internal/ingress/annotations/parser/validators.go create mode 100644 internal/ingress/annotations/parser/validators_test.go create mode 100644 test/e2e-image/namespace-overlays/validations/values.yaml rename test/e2e/annotations/{ipwhitelist.go => ipallowlist.go} (81%) create mode 100644 test/e2e/settings/validations/validations.go diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 097e77276..453775379 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -319,6 +319,55 @@ jobs: name: e2e-test-reports-${{ matrix.k8s }} path: 'test/junitreports/report*.xml' + kubernetes-validations: + name: Kubernetes with Validations + runs-on: ubuntu-latest + needs: + - changes + - build + if: | + (needs.changes.outputs.go == 'true') || ${{ inputs.run_e2e }} + + strategy: + matrix: + k8s: [v1.27.1] + + steps: + - name: Checkout + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + + - name: cache + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: docker.tar.gz + + - name: Create Kubernetes ${{ matrix.k8s }} cluster + id: kind + run: | + kind create cluster --image=kindest/node:${{ matrix.k8s }} --config test/e2e/kind.yaml + + - name: Load images from cache + run: | + echo "loading docker images..." + pigz -dc docker.tar.gz | docker load + + - name: Run e2e tests + env: + KIND_CLUSTER_NAME: kind + SKIP_CLUSTER_CREATION: true + SKIP_IMAGE_CREATION: true + ENABLE_VALIDATIONS: true + run: | + kind get kubeconfig > $HOME/.kube/kind-config-kind + make kind-e2e-test + + - name: Upload e2e junit-reports + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + if: success() || failure() + with: + name: e2e-test-reports-${{ matrix.k8s }} + path: 'test/junitreports/report*.xml' + kubernetes-chroot: name: Kubernetes chroot diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 953eff685..17547912d 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -294,6 +294,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. | | controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. | | controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' | +| controller.enableAnnotationValidations | bool | `false` | | | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # | | controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto" Defaults to false | | controller.existingPsp | string | `""` | Use an existing PSP instead of creating one | diff --git a/charts/ingress-nginx/templates/_params.tpl b/charts/ingress-nginx/templates/_params.tpl index a1aef01ae..47d024e85 100644 --- a/charts/ingress-nginx/templates/_params.tpl +++ b/charts/ingress-nginx/templates/_params.tpl @@ -1,5 +1,8 @@ {{- define "ingress-nginx.params" -}} - /nginx-ingress-controller +{{- if .Values.controller.enableAnnotationValidations }} +- --enable-annotation-validation=true +{{- end }} {{- if .Values.defaultBackend.enabled }} - --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }} {{- end }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 6fd113b67..1cd74dad0 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -15,6 +15,7 @@ commonLabels: {} controller: name: controller + enableAnnotationValidations: false image: ## Keep false as default for now! chroot: false diff --git a/docs/user-guide/cli-arguments.md b/docs/user-guide/cli-arguments.md index bc0894a52..be6e1dd50 100644 --- a/docs/user-guide/cli-arguments.md +++ b/docs/user-guide/cli-arguments.md @@ -15,6 +15,7 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment | `--default-backend-service` | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form "namespace/name". The controller configures NGINX to forward requests to the first port of this Service. | | `--default-server-port` | Port to use for exposing the default server (catch-all). (default 8181) | | `--default-ssl-certificate` | Secret containing a SSL certificate to be used by the default HTTPS server (catch-all). Takes the form "namespace/name". | +| `--enable-annotation-validation` | If true, will enable the annotation validation feature. This value will be defaulted to true on a future release. | | `--disable-catch-all` | Disable support for catch-all Ingresses. (default false) | | `--disable-full-test` | Disable full test of all merged ingresses at the admission stage and tests the template of the ingress being created or updated (full test of all ingresses is enabled by default). | | `--disable-svc-external-name` | Disable support for Services of type ExternalName. (default false) | diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md index c55b7502a..0a7e44dce 100644 --- a/docs/user-guide/nginx-configuration/configmap.md +++ b/docs/user-guide/nginx-configuration/configmap.md @@ -29,7 +29,9 @@ The following table shows a configuration option's name, type, and the default v |:---|:---|:------|:----| |[add-headers](#add-headers)|string|""|| |[allow-backend-server-header](#allow-backend-server-header)|bool|"false"|| +|[allow-cross-namespace-resources](#allow-cross-namespace-resources)|bool|"true"|| |[allow-snippet-annotations](#allow-snippet-annotations)|bool|true|| +|[annotations-risk-level](#annotations-risk-level)|string|Critical|| |[annotation-value-word-blocklist](#annotation-value-word-blocklist)|string array|""|| |[hide-headers](#hide-headers)|string array|empty|| |[access-log-params](#access-log-params)|string|""|| @@ -239,6 +241,20 @@ Sets custom headers from named configmap before sending traffic to the client. S Enables the return of the header Server from the backend instead of the generic nginx string. _**default:**_ is disabled +## allow-cross-namespace-resources + +Enables users to consume cross namespace resource on annotations, when was previously enabled . _**default:**_ true + +**Annotations that may be impacted with this change**: +* `auth-secret` +* `auth-proxy-set-header` +* `auth-tls-secret` +* `fastcgi-params-configmap` +* `proxy-ssl-secret` + + +**This option will be defaulted to false in the next major release** + ## allow-snippet-annotations Enables Ingress to parse and add *-snippet annotations/directives created by the user. _**default:**_ `true` @@ -246,6 +262,16 @@ Enables Ingress to parse and add *-snippet annotations/directives created by the Warning: We recommend enabling this option only if you TRUST users with permission to create Ingress objects, as this may allow a user to add restricted configurations to the final nginx.conf file +**This option will be defaulted to false in the next major release** + +## annotations-risk-level + +Represents the risk accepted on an annotation. If the risk is, for instance `Medium`, annotations with risk High and Critical will not be accepted. + +Accepted values are `Critical`, `High`, `Medium` and `Low`. + +Defaults to `Critical` but will be changed to `High` on the next minor release + ## annotation-value-word-blocklist Contains a comma-separated value of chars/words that are well known of being used to abuse Ingress configuration diff --git a/internal/ingress/annotations/alias/main.go b/internal/ingress/annotations/alias/main.go index bd2067c9f..4a5e6f188 100644 --- a/internal/ingress/annotations/alias/main.go +++ b/internal/ingress/annotations/alias/main.go @@ -27,19 +27,44 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + serverAliasAnnotation = "server-alias" +) + +var aliasAnnotation = parser.Annotation{ + Group: "alias", + Annotations: parser.AnnotationFields{ + serverAliasAnnotation: { + Validator: parser.ValidateArrayOfServerName, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskHigh, // High as this allows regex chars + Documentation: `this annotation can be used to define additional server + aliases for this Ingress`, + }, + }, +} + type alias struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new Alias annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return alias{r} + return alias{ + r: r, + annotationConfig: aliasAnnotation, + } +} + +func (a alias) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations } // Parse parses the annotations contained in the ingress rule // used to add an alias to the provided hosts func (a alias) Parse(ing *networking.Ingress) (interface{}, error) { - val, err := parser.GetStringAnnotation("server-alias", ing) + val, err := parser.GetStringAnnotation(serverAliasAnnotation, ing, a.annotationConfig.Annotations) if err != nil { return []string{}, err } @@ -61,3 +86,8 @@ func (a alias) Parse(ing *networking.Ingress) (interface{}, error) { return l, nil } + +func (a alias) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, aliasAnnotation.Annotations) +} diff --git a/internal/ingress/annotations/alias/main_test.go b/internal/ingress/annotations/alias/main_test.go index 8e6fca447..1965f2630 100644 --- a/internal/ingress/annotations/alias/main_test.go +++ b/internal/ingress/annotations/alias/main_test.go @@ -27,7 +27,7 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) -var annotation = parser.GetAnnotationWithPrefix("server-alias") +var annotation = parser.GetAnnotationWithPrefix(serverAliasAnnotation) func TestParse(t *testing.T) { ap := NewParser(&resolver.Mock{}) @@ -36,16 +36,20 @@ func TestParse(t *testing.T) { } testCases := []struct { - annotations map[string]string - expected []string + annotations map[string]string + expected []string + skipValidation bool + wantErr bool }{ - {map[string]string{annotation: "a.com, b.com, , c.com"}, []string{"a.com", "b.com", "c.com"}}, - {map[string]string{annotation: "www.example.com"}, []string{"www.example.com"}}, - {map[string]string{annotation: "*.example.com,www.example.*"}, []string{"*.example.com", "www.example.*"}}, - {map[string]string{annotation: `~^www\d+\.example\.com$`}, []string{`~^www\d+\.example\.com$`}}, - {map[string]string{annotation: ""}, []string{}}, - {map[string]string{}, []string{}}, - {nil, []string{}}, + {map[string]string{annotation: "a.com, b.com, , c.com"}, []string{"a.com", "b.com", "c.com"}, false, false}, + {map[string]string{annotation: "www.example.com"}, []string{"www.example.com"}, false, false}, + {map[string]string{annotation: "*.example.com,www.example.*"}, []string{"*.example.com", "www.example.*"}, false, false}, + {map[string]string{annotation: `~^www\d+\.example\.com$`}, []string{`~^www\d+\.example\.com$`}, false, false}, + {map[string]string{annotation: `www.xpto;lala`}, []string{}, false, true}, + {map[string]string{annotation: `www.xpto;lala`}, []string{"www.xpto;lala"}, true, false}, // When we skip validation no error should happen + {map[string]string{annotation: ""}, []string{}, false, true}, + {map[string]string{}, []string{}, false, true}, + {nil, []string{}, false, true}, } ing := &networking.Ingress{ @@ -58,7 +62,16 @@ func TestParse(t *testing.T) { for _, testCase := range testCases { ing.SetAnnotations(testCase.annotations) - result, _ := ap.Parse(ing) + if testCase.skipValidation { + parser.EnableAnnotationValidation = false + } + defer func() { + parser.EnableAnnotationValidation = true + }() + result, err := ap.Parse(ing) + if (err != nil) != testCase.wantErr { + t.Errorf("ParseAliasAnnotation() annotation: %s, error = %v, wantErr %v", testCase.annotations, err, testCase.wantErr) + } if !reflect.DeepEqual(result, testCase.expected) { t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) } diff --git a/internal/ingress/annotations/annotations.go b/internal/ingress/annotations/annotations.go index 5bb2bf5e6..5371e6eb7 100644 --- a/internal/ingress/annotations/annotations.go +++ b/internal/ingress/annotations/annotations.go @@ -44,8 +44,8 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations/fastcgi" "k8s.io/ingress-nginx/internal/ingress/annotations/globalratelimit" "k8s.io/ingress-nginx/internal/ingress/annotations/http2pushpreload" + "k8s.io/ingress-nginx/internal/ingress/annotations/ipallowlist" "k8s.io/ingress-nginx/internal/ingress/annotations/ipdenylist" - "k8s.io/ingress-nginx/internal/ingress/annotations/ipwhitelist" "k8s.io/ingress-nginx/internal/ingress/annotations/loadbalancing" "k8s.io/ingress-nginx/internal/ingress/annotations/log" "k8s.io/ingress-nginx/internal/ingress/annotations/mirror" @@ -109,7 +109,6 @@ type Ingress struct { UpstreamHashBy upstreamhashby.Config LoadBalancing string UpstreamVhost string - Whitelist ipwhitelist.SourceRange Denylist ipdenylist.SourceRange XForwardedPrefix string SSLCipher sslcipher.Config @@ -117,6 +116,7 @@ type Ingress struct { ModSecurity modsecurity.Config Mirror mirror.Config StreamSnippet string + Allowlist ipallowlist.SourceRange } // Extractor defines the annotation parsers to be used in the extraction of annotations @@ -159,7 +159,7 @@ func NewAnnotationExtractor(cfg resolver.Resolver) Extractor { "UpstreamHashBy": upstreamhashby.NewParser(cfg), "LoadBalancing": loadbalancing.NewParser(cfg), "UpstreamVhost": upstreamvhost.NewParser(cfg), - "Whitelist": ipwhitelist.NewParser(cfg), + "Allowlist": ipallowlist.NewParser(cfg), "Denylist": ipdenylist.NewParser(cfg), "XForwardedPrefix": xforwardedprefix.NewParser(cfg), "SSLCipher": sslcipher.NewParser(cfg), @@ -173,16 +173,23 @@ func NewAnnotationExtractor(cfg resolver.Resolver) Extractor { } // Extract extracts the annotations from an Ingress -func (e Extractor) Extract(ing *networking.Ingress) *Ingress { +func (e Extractor) Extract(ing *networking.Ingress) (*Ingress, error) { pia := &Ingress{ ObjectMeta: ing.ObjectMeta, } data := make(map[string]interface{}) for name, annotationParser := range e.annotations { + if err := annotationParser.Validate(ing.GetAnnotations()); err != nil { + return nil, errors.NewRiskyAnnotations(name) + } val, err := annotationParser.Parse(ing) klog.V(5).InfoS("Parsing Ingress annotation", "name", name, "ingress", klog.KObj(ing), "value", val) if err != nil { + if errors.IsValidationError(err) { + klog.ErrorS(err, "ingress contains invalid annotation value") + return nil, err + } if errors.IsMissingAnnotations(err) { continue } @@ -220,5 +227,5 @@ func (e Extractor) Extract(ing *networking.Ingress) *Ingress { klog.ErrorS(err, "unexpected error merging extracted annotations") } - return pia + return pia, nil } diff --git a/internal/ingress/annotations/annotations_test.go b/internal/ingress/annotations/annotations_test.go index d792801bc..2b2a64268 100644 --- a/internal/ingress/annotations/annotations_test.go +++ b/internal/ingress/annotations/annotations_test.go @@ -134,8 +134,11 @@ func TestSSLPassthrough(t *testing.T) { for _, foo := range fooAnns { ing.SetAnnotations(foo.annotations) - r := ec.Extract(ing).SSLPassthrough - if r != foo.er { + r, err := ec.Extract(ing) + if err != nil { + t.Errorf("Errors should be null: %v", err) + } + if r.SSLPassthrough != foo.er { t.Errorf("Returned %v but expected %v", r, foo.er) } } @@ -158,8 +161,11 @@ func TestUpstreamHashBy(t *testing.T) { for _, foo := range fooAnns { ing.SetAnnotations(foo.annotations) - r := ec.Extract(ing).UpstreamHashBy.UpstreamHashBy - if r != foo.er { + r, err := ec.Extract(ing) + if err != nil { + t.Errorf("error should be null: %v", err) + } + if r.UpstreamHashBy.UpstreamHashBy != foo.er { t.Errorf("Returned %v but expected %v", r, foo.er) } } @@ -185,7 +191,11 @@ func TestAffinitySession(t *testing.T) { for _, foo := range fooAnns { ing.SetAnnotations(foo.annotations) - r := ec.Extract(ing).SessionAffinity + rann, err := ec.Extract(ing) + if err != nil { + t.Errorf("error should be null: %v", err) + } + r := rann.SessionAffinity t.Logf("Testing pass %v %v", foo.affinitytype, foo.cookiename) if r.Type != foo.affinitytype { @@ -228,7 +238,11 @@ func TestCors(t *testing.T) { for _, foo := range fooAnns { ing.SetAnnotations(foo.annotations) - r := ec.Extract(ing).CorsConfig + rann, err := ec.Extract(ing) + if err != nil { + t.Errorf("error should be null: %v", err) + } + r := rann.CorsConfig t.Logf("Testing pass %v %v %v %v %v", foo.corsenabled, foo.methods, foo.headers, foo.origin, foo.credentials) if r.CorsEnabled != foo.corsenabled { @@ -277,7 +291,11 @@ func TestCustomHTTPErrors(t *testing.T) { for _, foo := range fooAnns { ing.SetAnnotations(foo.annotations) - r := ec.Extract(ing).CustomHTTPErrors + rann, err := ec.Extract(ing) + if err != nil { + t.Errorf("error should be null: %v", err) + } + r := rann.CustomHTTPErrors // Check that expected codes were created for i := range foo.er { diff --git a/internal/ingress/annotations/auth/main.go b/internal/ingress/annotations/auth/main.go index 62d70873e..beecebdb1 100644 --- a/internal/ingress/annotations/auth/main.go +++ b/internal/ingress/annotations/auth/main.go @@ -32,13 +32,56 @@ import ( "k8s.io/ingress-nginx/pkg/util/file" ) +const ( + authSecretTypeAnnotation = "auth-secret-type" //#nosec G101 + authRealmAnnotation = "auth-realm" + authTypeAnnotation = "auth-type" + // This should be exported as it is imported by other packages + AuthSecretAnnotation = "auth-secret" //#nosec G101 +) + var ( - authTypeRegex = regexp.MustCompile(`basic|digest`) + authTypeRegex = regexp.MustCompile(`basic|digest`) + authSecretTypeRegex = regexp.MustCompile(`auth-file|auth-map`) + // AuthDirectory default directory used to store files // to authenticate request AuthDirectory = "/etc/ingress-controller/auth" ) +var AuthSecretConfig = parser.AnnotationConfig{ + Validator: parser.ValidateRegex(*parser.BasicCharsRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, // Medium as it allows a subset of chars + Documentation: `This annotation defines the name of the Secret that contains the usernames and passwords which are granted access to the paths defined in the Ingress rules. `, +} + +var authSecretAnnotations = parser.Annotation{ + Group: "authentication", + Annotations: parser.AnnotationFields{ + AuthSecretAnnotation: AuthSecretConfig, + authSecretTypeAnnotation: { + Validator: parser.ValidateRegex(*authSecretTypeRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation what is the format of auth-secret value. Can be "auth-file" that defines the content of an htpasswd file, or "auth-map" where each key + is a user and each value is the password.`, + }, + authRealmAnnotation: { + Validator: parser.ValidateRegex(*parser.CharsWithSpace, false), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, // Medium as it allows a subset of chars + Documentation: `This annotation defines the realm (message) that should be shown to user when authentication is requested.`, + }, + authTypeAnnotation: { + Validator: parser.ValidateRegex(*authTypeRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation defines the basic authentication type. Should be "basic" or "digest"`, + }, + }, +} + const ( fileAuth = "auth-file" mapAuth = "auth-map" @@ -85,13 +128,18 @@ func (bd1 *Config) Equal(bd2 *Config) bool { } type auth struct { - r resolver.Resolver - authDirectory string + r resolver.Resolver + authDirectory string + annotationConfig parser.Annotation } // NewParser creates a new authentication annotation parser func NewParser(authDirectory string, r resolver.Resolver) parser.IngressAnnotation { - return auth{r, authDirectory} + return auth{ + r: r, + authDirectory: authDirectory, + annotationConfig: authSecretAnnotations, + } } // Parse parses the annotations contained in the ingress @@ -99,7 +147,7 @@ func NewParser(authDirectory string, r resolver.Resolver) parser.IngressAnnotati // and generated an htpasswd compatible file to be used as source // during the authentication process func (a auth) Parse(ing *networking.Ingress) (interface{}, error) { - at, err := parser.GetStringAnnotation("auth-type", ing) + at, err := parser.GetStringAnnotation(authTypeAnnotation, ing, a.annotationConfig.Annotations) if err != nil { return nil, err } @@ -109,12 +157,15 @@ func (a auth) Parse(ing *networking.Ingress) (interface{}, error) { } var secretType string - secretType, err = parser.GetStringAnnotation("auth-secret-type", ing) + secretType, err = parser.GetStringAnnotation(authSecretTypeAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if ing_errors.IsValidationError(err) { + return nil, err + } secretType = fileAuth } - s, err := parser.GetStringAnnotation("auth-secret", ing) + s, err := parser.GetStringAnnotation(AuthSecretAnnotation, ing, a.annotationConfig.Annotations) if err != nil { return nil, ing_errors.LocationDenied{ Reason: fmt.Errorf("error reading secret name from annotation: %w", err), @@ -131,6 +182,13 @@ func (a auth) Parse(ing *networking.Ingress) (interface{}, error) { if sns == "" { sns = ing.Namespace } + secCfg := a.r.GetSecurityConfiguration() + // We don't accept different namespaces for secrets. + if !secCfg.AllowCrossNamespaceResources && sns != ing.Namespace { + return nil, ing_errors.LocationDenied{ + Reason: fmt.Errorf("cross namespace usage of secrets is not allowed"), + } + } name := fmt.Sprintf("%v/%v", sns, sname) secret, err := a.r.GetSecret(name) @@ -140,7 +198,10 @@ func (a auth) Parse(ing *networking.Ingress) (interface{}, error) { } } - realm, _ := parser.GetStringAnnotation("auth-realm", ing) + realm, err := parser.GetStringAnnotation(authRealmAnnotation, ing, a.annotationConfig.Annotations) + if ing_errors.IsValidationError(err) { + return nil, err + } passFilename := fmt.Sprintf("%v/%v-%v-%v.passwd", a.authDirectory, ing.GetNamespace(), ing.UID, secret.UID) @@ -210,3 +271,12 @@ func dumpSecretAuthMap(filename string, secret *api.Secret) error { return nil } + +func (a auth) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a auth) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, authSecretAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/auth/main_test.go b/internal/ingress/annotations/auth/main_test.go index d4ec53459..2a9dc7c72 100644 --- a/internal/ingress/annotations/auth/main_test.go +++ b/internal/ingress/annotations/auth/main_test.go @@ -26,6 +26,7 @@ import ( api "k8s.io/api/core/v1" networking "k8s.io/api/networking/v1" meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/client-go/tools/cache" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" @@ -79,13 +80,18 @@ type mockSecret struct { } func (m mockSecret) GetSecret(name string) (*api.Secret, error) { - if name != "default/demo-secret" { + if name != "default/demo-secret" && name != "otherns/demo-secret" { return nil, fmt.Errorf("there is no secret with name %v", name) } + ns, _, err := cache.SplitMetaNamespaceKey(name) + if err != nil { + return nil, err + } + return &api.Secret{ ObjectMeta: meta_v1.ObjectMeta{ - Namespace: api.NamespaceDefault, + Namespace: ns, Name: "demo-secret", }, Data: map[string][]byte{"auth": []byte("foo:$apr1$OFG3Xybp$ckL0FHDAkoXYIlH9.cysT0")}, @@ -106,13 +112,91 @@ func TestIngressAuthBadAuthType(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("auth-type")] = "invalid" + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = "invalid" ing.SetAnnotations(data) _, dir, _ := dummySecretContent(t) defer os.RemoveAll(dir) - expected := ing_errors.NewLocationDenied("invalid authentication type") + expected := ing_errors.NewValidationError("nginx.ingress.kubernetes.io/auth-type") + _, err := NewParser(dir, &mockSecret{}).Parse(ing) + if err.Error() != expected.Error() { + t.Errorf("expected '%v' but got '%v'", expected, err) + } +} + +func TestIngressInvalidRealm(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = "basic" + data[parser.GetAnnotationWithPrefix(authRealmAnnotation)] = "something weird ; location trying to { break }" + data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = "demo-secret" + ing.SetAnnotations(data) + + _, dir, _ := dummySecretContent(t) + defer os.RemoveAll(dir) + + expected := ing_errors.NewValidationError("nginx.ingress.kubernetes.io/auth-realm") + _, err := NewParser(dir, &mockSecret{}).Parse(ing) + if err.Error() != expected.Error() { + t.Errorf("expected '%v' but got '%v'", expected, err) + } +} + +func TestIngressInvalidDifferentNamespace(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = "basic" + data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = "otherns/demo-secret" + ing.SetAnnotations(data) + + _, dir, _ := dummySecretContent(t) + defer os.RemoveAll(dir) + + expected := ing_errors.LocationDenied{ + Reason: errors.New("cross namespace usage of secrets is not allowed"), + } + _, err := NewParser(dir, &mockSecret{}).Parse(ing) + if err.Error() != expected.Error() { + t.Errorf("expected '%v' but got '%v'", expected, err) + } +} + +func TestIngressInvalidDifferentNamespaceAllowed(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = "basic" + data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = "otherns/demo-secret" + ing.SetAnnotations(data) + + _, dir, _ := dummySecretContent(t) + defer os.RemoveAll(dir) + + r := mockSecret{} + r.AllowCrossNamespace = true + _, err := NewParser(dir, r).Parse(ing) + if err != nil { + t.Errorf("not expecting an error") + } +} + +func TestIngressInvalidSecretName(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = "basic" + data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = "demo-secret;xpto" + ing.SetAnnotations(data) + + _, dir, _ := dummySecretContent(t) + defer os.RemoveAll(dir) + + expected := ing_errors.LocationDenied{ + Reason: errors.New("error reading secret name from annotation: annotation nginx.ingress.kubernetes.io/auth-secret contains invalid value"), + } _, err := NewParser(dir, &mockSecret{}).Parse(ing) if err.Error() != expected.Error() { t.Errorf("expected '%v' but got '%v'", expected, err) @@ -123,7 +207,7 @@ func TestInvalidIngressAuthNoSecret(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("auth-type")] = "basic" + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = "basic" ing.SetAnnotations(data) _, dir, _ := dummySecretContent(t) @@ -142,9 +226,9 @@ func TestIngressAuth(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("auth-type")] = "basic" - data[parser.GetAnnotationWithPrefix("auth-secret")] = "demo-secret" - data[parser.GetAnnotationWithPrefix("auth-realm")] = "-realm-" + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = "basic" + data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = "demo-secret" + data[parser.GetAnnotationWithPrefix(authRealmAnnotation)] = "-realm-" ing.SetAnnotations(data) _, dir, _ := dummySecretContent(t) @@ -173,9 +257,9 @@ func TestIngressAuthWithoutSecret(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("auth-type")] = "basic" - data[parser.GetAnnotationWithPrefix("auth-secret")] = "invalid-secret" - data[parser.GetAnnotationWithPrefix("auth-realm")] = "-realm-" + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = "basic" + data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = "invalid-secret" + data[parser.GetAnnotationWithPrefix(authRealmAnnotation)] = "-realm-" ing.SetAnnotations(data) _, dir, _ := dummySecretContent(t) @@ -191,10 +275,10 @@ func TestIngressAuthInvalidSecretKey(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("auth-type")] = "basic" - data[parser.GetAnnotationWithPrefix("auth-secret")] = "demo-secret" - data[parser.GetAnnotationWithPrefix("auth-secret-type")] = "invalid-type" - data[parser.GetAnnotationWithPrefix("auth-realm")] = "-realm-" + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = "basic" + data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = "demo-secret" + data[parser.GetAnnotationWithPrefix(authSecretTypeAnnotation)] = "invalid-type" + data[parser.GetAnnotationWithPrefix(authRealmAnnotation)] = "-realm-" ing.SetAnnotations(data) _, dir, _ := dummySecretContent(t) diff --git a/internal/ingress/annotations/authreq/main.go b/internal/ingress/annotations/authreq/main.go index 2ab389146..2ab98ace0 100644 --- a/internal/ingress/annotations/authreq/main.go +++ b/internal/ingress/annotations/authreq/main.go @@ -24,6 +24,7 @@ import ( "k8s.io/klog/v2" networking "k8s.io/api/networking/v1" + "k8s.io/client-go/tools/cache" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" @@ -31,6 +32,118 @@ import ( "k8s.io/ingress-nginx/pkg/util/sets" ) +const ( + authReqURLAnnotation = "auth-url" + authReqMethodAnnotation = "auth-method" + authReqSigninAnnotation = "auth-signin" + authReqSigninRedirParamAnnotation = "auth-signin-redirect-param" + authReqSnippetAnnotation = "auth-snippet" + authReqCacheKeyAnnotation = "auth-cache-key" + authReqKeepaliveAnnotation = "auth-keepalive" + authReqKeepaliveRequestsAnnotation = "auth-keepalive-requests" + authReqKeepaliveTimeout = "auth-keepalive-timeout" + authReqCacheDuration = "auth-cache-duration" + authReqResponseHeadersAnnotation = "auth-response-headers" + authReqProxySetHeadersAnnotation = "auth-proxy-set-headers" + authReqRequestRedirectAnnotation = "auth-request-redirect" + authReqAlwaysSetCookieAnnotation = "auth-always-set-cookie" + + // This should be exported as it is imported by other packages + AuthSecretAnnotation = "auth-secret" +) + +var authReqAnnotations = parser.Annotation{ + Group: "authentication", + Annotations: parser.AnnotationFields{ + authReqURLAnnotation: { + Validator: parser.ValidateRegex(*parser.URLWithNginxVariableRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskHigh, + Documentation: `This annotation allows to indicate the URL where the HTTP request should be sent`, + }, + authReqMethodAnnotation: { + Validator: parser.ValidateRegex(*methodsRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation allows to specify the HTTP method to use`, + }, + authReqSigninAnnotation: { + Validator: parser.ValidateRegex(*parser.URLWithNginxVariableRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskHigh, + Documentation: `This annotation allows to specify the location of the error page`, + }, + authReqSigninRedirParamAnnotation: { + Validator: parser.ValidateRegex(*parser.URLIsValidRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation allows to specify the URL parameter in the error page which should contain the original URL for a failed signin request`, + }, + authReqSnippetAnnotation: { + Validator: parser.ValidateNull, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskCritical, + Documentation: `This annotation allows to specify a custom snippet to use with external authentication`, + }, + authReqCacheKeyAnnotation: { + Validator: parser.ValidateRegex(*parser.NGINXVariable, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation enables caching for auth requests.`, + }, + authReqKeepaliveAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation specifies the maximum number of keepalive connections to auth-url. Only takes effect when no variables are used in the host part of the URL`, + }, + authReqKeepaliveRequestsAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation defines the maximum number of requests that can be served through one keepalive connection`, + }, + authReqKeepaliveTimeout: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation specifies a duration in seconds which an idle keepalive connection to an upstream server will stay open`, + }, + authReqCacheDuration: { + Validator: parser.ValidateRegex(*parser.ExtendedCharsRegex, false), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation allows to specify a caching time for auth responses based on their response codes, e.g. 200 202 30m`, + }, + authReqResponseHeadersAnnotation: { + Validator: parser.ValidateRegex(*parser.HeadersVariable, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation sets the headers to pass to backend once authentication request completes. They should be separated by comma.`, + }, + authReqProxySetHeadersAnnotation: { + Validator: parser.ValidateRegex(*parser.BasicCharsRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation sets the name of a ConfigMap that specifies headers to pass to the authentication service. + Only ConfigMaps on the same namespace are allowed`, + }, + authReqRequestRedirectAnnotation: { + Validator: parser.ValidateRegex(*parser.URLIsValidRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation allows to specify the X-Auth-Request-Redirect header value`, + }, + authReqAlwaysSetCookieAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables setting a cookie returned by auth request. + By default, the cookie will be set only if an upstream reports with the code 200, 201, 204, 206, 301, 302, 303, 304, 307, or 308`, + }, + }, +} + // Config returns external authentication configuration for an Ingress rule type Config struct { URL string `json:"url"` @@ -121,7 +234,7 @@ func (e1 *Config) Equal(e2 *Config) bool { } var ( - methods = []string{"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "CONNECT", "OPTIONS", "TRACE"} + methodsRegex = regexp.MustCompile("(GET|HEAD|POST|PUT|PATCH|DELETE|CONNECT|OPTIONS|TRACE)") headerRegexp = regexp.MustCompile(`^[a-zA-Z\d\-_]+$`) statusCodeRegex = regexp.MustCompile(`^[\d]{3}$`) durationRegex = regexp.MustCompile(`^[\d]+(ms|s|m|h|d|w|M|y)$`) // see http://nginx.org/en/docs/syntax.html @@ -129,16 +242,7 @@ var ( // ValidMethod checks is the provided string a valid HTTP method func ValidMethod(method string) bool { - if len(method) == 0 { - return false - } - - for _, m := range methods { - if method == m { - return true - } - } - return false + return methodsRegex.MatchString(method) } // ValidHeader checks is the provided string satisfies the header's name regex @@ -173,19 +277,23 @@ func ValidCacheDuration(duration string) bool { } type authReq struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new authentication request annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return authReq{r} + return authReq{ + r: r, + annotationConfig: authReqAnnotations, + } } // ParseAnnotations parses the annotations contained in the ingress // rule used to use an Config URL as source for authentication func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) { // Required Parameters - urlString, err := parser.GetStringAnnotation("auth-url", ing) + urlString, err := parser.GetStringAnnotation(authReqURLAnnotation, ing, a.annotationConfig.Annotations) if err != nil { return nil, err } @@ -195,33 +303,44 @@ func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) { return nil, ing_errors.LocationDenied{Reason: fmt.Errorf("could not parse auth-url annotation: %v", err)} } - authMethod, _ := parser.GetStringAnnotation("auth-method", ing) - if len(authMethod) != 0 && !ValidMethod(authMethod) { - return nil, ing_errors.NewLocationDenied("invalid HTTP method") + authMethod, err := parser.GetStringAnnotation(authReqMethodAnnotation, ing, a.annotationConfig.Annotations) + if err != nil { + if ing_errors.IsValidationError(err) { + return nil, ing_errors.NewLocationDenied("invalid HTTP method") + } } // Optional Parameters - signIn, err := parser.GetStringAnnotation("auth-signin", ing) + signIn, err := parser.GetStringAnnotation(authReqSigninAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if ing_errors.IsValidationError(err) { + klog.Warningf("%s value is invalid: %s", authReqSigninAnnotation, err) + } klog.V(3).InfoS("auth-signin annotation is undefined and will not be set") } - signInRedirectParam, err := parser.GetStringAnnotation("auth-signin-redirect-param", ing) + signInRedirectParam, err := parser.GetStringAnnotation(authReqSigninRedirParamAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if ing_errors.IsValidationError(err) { + klog.Warningf("%s value is invalid: %s", authReqSigninRedirParamAnnotation, err) + } klog.V(3).Infof("auth-signin-redirect-param annotation is undefined and will not be set") } - authSnippet, err := parser.GetStringAnnotation("auth-snippet", ing) + authSnippet, err := parser.GetStringAnnotation(authReqSnippetAnnotation, ing, a.annotationConfig.Annotations) if err != nil { klog.V(3).InfoS("auth-snippet annotation is undefined and will not be set") } - authCacheKey, err := parser.GetStringAnnotation("auth-cache-key", ing) + authCacheKey, err := parser.GetStringAnnotation(authReqCacheKeyAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if ing_errors.IsValidationError(err) { + klog.Warningf("%s value is invalid: %s", authReqCacheKeyAnnotation, err) + } klog.V(3).InfoS("auth-cache-key annotation is undefined and will not be set") } - keepaliveConnections, err := parser.GetIntAnnotation("auth-keepalive", ing) + keepaliveConnections, err := parser.GetIntAnnotation(authReqKeepaliveAnnotation, ing, a.annotationConfig.Annotations) if err != nil { klog.V(3).InfoS("auth-keepalive annotation is undefined and will be set to its default value") keepaliveConnections = defaultKeepaliveConnections @@ -238,9 +357,9 @@ func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) { } } - keepaliveRequests, err := parser.GetIntAnnotation("auth-keepalive-requests", ing) + keepaliveRequests, err := parser.GetIntAnnotation(authReqKeepaliveRequestsAnnotation, ing, a.annotationConfig.Annotations) if err != nil { - klog.V(3).InfoS("auth-keepalive-requests annotation is undefined and will be set to its default value") + klog.V(3).InfoS("auth-keepalive-requests annotation is undefined or invalid and will be set to its default value") keepaliveRequests = defaultKeepaliveRequests } if keepaliveRequests <= 0 { @@ -248,7 +367,7 @@ func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) { keepaliveConnections = 0 } - keepaliveTimeout, err := parser.GetIntAnnotation("auth-keepalive-timeout", ing) + keepaliveTimeout, err := parser.GetIntAnnotation(authReqKeepaliveTimeout, ing, a.annotationConfig.Annotations) if err != nil { klog.V(3).InfoS("auth-keepalive-timeout annotation is undefined and will be set to its default value") keepaliveTimeout = defaultKeepaliveTimeout @@ -258,14 +377,20 @@ func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) { keepaliveConnections = 0 } - durstr, _ := parser.GetStringAnnotation("auth-cache-duration", ing) + durstr, err := parser.GetStringAnnotation(authReqCacheDuration, ing, a.annotationConfig.Annotations) + if err != nil && ing_errors.IsValidationError(err) { + return nil, fmt.Errorf("%s contains invalid value", authReqCacheDuration) + } authCacheDuration, err := ParseStringToCacheDurations(durstr) if err != nil { return nil, err } responseHeaders := []string{} - hstr, _ := parser.GetStringAnnotation("auth-response-headers", ing) + hstr, err := parser.GetStringAnnotation(authReqResponseHeadersAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && ing_errors.IsValidationError(err) { + return nil, ing_errors.NewLocationDenied("validation error") + } if len(hstr) != 0 { harr := strings.Split(hstr, ",") for _, header := range harr { @@ -279,9 +404,28 @@ func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) { } } - proxySetHeaderMap, err := parser.GetStringAnnotation("auth-proxy-set-headers", ing) + proxySetHeaderMap, err := parser.GetStringAnnotation(authReqProxySetHeadersAnnotation, ing, a.annotationConfig.Annotations) if err != nil { - klog.V(3).InfoS("auth-set-proxy-headers annotation is undefined and will not be set") + klog.V(3).InfoS("auth-set-proxy-headers annotation is undefined and will not be set", "err", err) + } + + cns, _, err := cache.SplitMetaNamespaceKey(proxySetHeaderMap) + if err != nil { + return nil, ing_errors.LocationDenied{ + Reason: fmt.Errorf("error reading configmap name %s from annotation: %w", proxySetHeaderMap, err), + } + } + + if cns == "" { + cns = ing.Namespace + } + + secCfg := a.r.GetSecurityConfiguration() + // We don't accept different namespaces for secrets. + if !secCfg.AllowCrossNamespaceResources && cns != ing.Namespace { + return nil, ing_errors.LocationDenied{ + Reason: fmt.Errorf("cross namespace usage of secrets is not allowed"), + } } var proxySetHeaders map[string]string @@ -301,9 +445,15 @@ func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) { proxySetHeaders = proxySetHeadersMapContents.Data } - requestRedirect, _ := parser.GetStringAnnotation("auth-request-redirect", ing) + requestRedirect, err := parser.GetStringAnnotation(authReqRequestRedirectAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && ing_errors.IsValidationError(err) { + return nil, fmt.Errorf("%s is invalid: %w", authReqRequestRedirectAnnotation, err) + } - alwaysSetCookie, _ := parser.GetBoolAnnotation("auth-always-set-cookie", ing) + alwaysSetCookie, err := parser.GetBoolAnnotation(authReqAlwaysSetCookieAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && ing_errors.IsValidationError(err) { + return nil, fmt.Errorf("%s is invalid: %w", authReqAlwaysSetCookieAnnotation, err) + } return &Config{ URL: urlString, @@ -348,3 +498,12 @@ func ParseStringToCacheDurations(input string) ([]string, error) { } return authCacheDuration, nil } + +func (a authReq) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a authReq) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, authReqAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/authreq/main_test.go b/internal/ingress/annotations/authreq/main_test.go index e1325235b..833bebe78 100644 --- a/internal/ingress/annotations/authreq/main_test.go +++ b/internal/ingress/annotations/authreq/main_test.go @@ -192,11 +192,13 @@ func TestHeaderAnnotations(t *testing.T) { i, err := NewParser(&resolver.Mock{}).Parse(ing) if test.expErr { if err == nil { - t.Error("expected error but retuned nil") + t.Errorf("%v expected error but retuned nil", test.title) } continue } - + if err != nil { + t.Errorf("no error was expected but %v happened in %s", err, test.title) + } u, ok := i.(*Config) if !ok { t.Errorf("%v: expected an External type", test.title) diff --git a/internal/ingress/annotations/authreqglobal/main.go b/internal/ingress/annotations/authreqglobal/main.go index 78dd7d6a5..a1641e085 100644 --- a/internal/ingress/annotations/authreqglobal/main.go +++ b/internal/ingress/annotations/authreqglobal/main.go @@ -23,23 +23,52 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + enableGlobalAuthAnnotation = "enable-global-auth" +) + +var globalAuthAnnotations = parser.Annotation{ + Group: "authentication", + Annotations: parser.AnnotationFields{ + enableGlobalAuthAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `Defines if the global external authentication should be enabled.`, + }, + }, +} + type authReqGlobal struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new authentication request annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return authReqGlobal{r} + return authReqGlobal{ + r: r, + annotationConfig: globalAuthAnnotations, + } } // ParseAnnotations parses the annotations contained in the ingress // rule used to enable or disable global external authentication func (a authReqGlobal) Parse(ing *networking.Ingress) (interface{}, error) { - enableGlobalAuth, err := parser.GetBoolAnnotation("enable-global-auth", ing) + enableGlobalAuth, err := parser.GetBoolAnnotation(enableGlobalAuthAnnotation, ing, a.annotationConfig.Annotations) if err != nil { enableGlobalAuth = true } return enableGlobalAuth, nil } + +func (a authReqGlobal) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a authReqGlobal) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, globalAuthAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/authtls/main.go b/internal/ingress/annotations/authtls/main.go index 2efd6d176..5d6763e8b 100644 --- a/internal/ingress/annotations/authtls/main.go +++ b/internal/ingress/annotations/authtls/main.go @@ -32,13 +32,64 @@ import ( const ( defaultAuthTLSDepth = 1 defaultAuthVerifyClient = "on" + + annotationAuthTLSSecret = "auth-tls-secret" //#nosec G101 + annotationAuthTLSVerifyClient = "auth-tls-verify-client" + annotationAuthTLSVerifyDepth = "auth-tls-verify-depth" + annotationAuthTLSErrorPage = "auth-tls-error-page" + annotationAuthTLSPassCertToUpstream = "auth-tls-pass-certificate-to-upstream" //#nosec G101 + annotationAuthTLSMatchCN = "auth-tls-match-cn" ) var ( + regexChars = regexp.QuoteMeta(`()|=`) authVerifyClientRegex = regexp.MustCompile(`on|off|optional|optional_no_ca`) - commonNameRegex = regexp.MustCompile(`CN=`) + commonNameRegex = regexp.MustCompile(`^CN=[/\-.\_\~a-zA-Z0-9` + regexChars + `]*$`) + redirectRegex = regexp.MustCompile(`^((https?://)?[A-Za-z0-9\-\.]*(:[0-9]+)?/[A-Za-z0-9\-\.]*)?$`) ) +var authTLSAnnotations = parser.Annotation{ + Group: "authentication", + Annotations: parser.AnnotationFields{ + annotationAuthTLSSecret: { + Validator: parser.ValidateRegex(*parser.BasicCharsRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, // Medium as it allows a subset of chars + Documentation: `This annotation defines the secret that contains the certificate chain of allowed certs`, + }, + annotationAuthTLSVerifyClient: { + Validator: parser.ValidateRegex(*authVerifyClientRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, // Medium as it allows a subset of chars + Documentation: `This annotation enables verification of client certificates. Can be "on", "off", "optional" or "optional_no_ca"`, + }, + annotationAuthTLSVerifyDepth: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation defines validation depth between the provided client certificate and the Certification Authority chain.`, + }, + annotationAuthTLSErrorPage: { + Validator: parser.ValidateRegex(*redirectRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskHigh, + Documentation: `This annotation defines the URL/Page that user should be redirected in case of a Certificate Authentication Error`, + }, + annotationAuthTLSPassCertToUpstream: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation defines if the received certificates should be passed or not to the upstream server in the header "ssl-client-cert"`, + }, + annotationAuthTLSMatchCN: { + Validator: parser.ValidateRegex(*commonNameRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskHigh, + Documentation: `This annotation adds a sanity check for the CN of the client certificate that is sent over using a string / regex starting with "CN="`, + }, + }, +} + // Config contains the AuthSSLCert used for mutual authentication // and the configured ValidationDepth type Config struct { @@ -80,11 +131,15 @@ func (assl1 *Config) Equal(assl2 *Config) bool { // NewParser creates a new TLS authentication annotation parser func NewParser(resolver resolver.Resolver) parser.IngressAnnotation { - return authTLS{resolver} + return authTLS{ + r: resolver, + annotationConfig: authTLSAnnotations, + } } type authTLS struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // Parse parses the annotations contained in the ingress @@ -93,15 +148,23 @@ func (a authTLS) Parse(ing *networking.Ingress) (interface{}, error) { var err error config := &Config{} - tlsauthsecret, err := parser.GetStringAnnotation("auth-tls-secret", ing) + tlsauthsecret, err := parser.GetStringAnnotation(annotationAuthTLSSecret, ing, a.annotationConfig.Annotations) if err != nil { return &Config{}, err } - _, _, err = k8s.ParseNameNS(tlsauthsecret) + ns, _, err := k8s.ParseNameNS(tlsauthsecret) if err != nil { return &Config{}, ing_errors.NewLocationDenied(err.Error()) } + if ns == "" { + ns = ing.Namespace + } + secCfg := a.r.GetSecurityConfiguration() + // We don't accept different namespaces for secrets. + if !secCfg.AllowCrossNamespaceResources && ns != ing.Namespace { + return &Config{}, ing_errors.NewLocationDenied("cross namespace secrets are not supported") + } authCert, err := a.r.GetAuthCertificate(tlsauthsecret) if err != nil { @@ -110,30 +173,50 @@ func (a authTLS) Parse(ing *networking.Ingress) (interface{}, error) { } config.AuthSSLCert = *authCert - config.VerifyClient, err = parser.GetStringAnnotation("auth-tls-verify-client", ing) + config.VerifyClient, err = parser.GetStringAnnotation(annotationAuthTLSVerifyClient, ing, a.annotationConfig.Annotations) + // We can set a default value here in case of validation error if err != nil || !authVerifyClientRegex.MatchString(config.VerifyClient) { config.VerifyClient = defaultAuthVerifyClient } - config.ValidationDepth, err = parser.GetIntAnnotation("auth-tls-verify-depth", ing) + config.ValidationDepth, err = parser.GetIntAnnotation(annotationAuthTLSVerifyDepth, ing, a.annotationConfig.Annotations) + // We can set a default value here in case of validation error if err != nil || config.ValidationDepth == 0 { config.ValidationDepth = defaultAuthTLSDepth } - config.ErrorPage, err = parser.GetStringAnnotation("auth-tls-error-page", ing) + config.ErrorPage, err = parser.GetStringAnnotation(annotationAuthTLSErrorPage, ing, a.annotationConfig.Annotations) if err != nil { + if ing_errors.IsValidationError(err) { + return &Config{}, err + } config.ErrorPage = "" } - config.PassCertToUpstream, err = parser.GetBoolAnnotation("auth-tls-pass-certificate-to-upstream", ing) + config.PassCertToUpstream, err = parser.GetBoolAnnotation(annotationAuthTLSPassCertToUpstream, ing, a.annotationConfig.Annotations) if err != nil { + if ing_errors.IsValidationError(err) { + return &Config{}, err + } config.PassCertToUpstream = false } - config.MatchCN, err = parser.GetStringAnnotation("auth-tls-match-cn", ing) - if err != nil || !commonNameRegex.MatchString(config.MatchCN) { + config.MatchCN, err = parser.GetStringAnnotation(annotationAuthTLSMatchCN, ing, a.annotationConfig.Annotations) + if err != nil { + if ing_errors.IsValidationError(err) { + return &Config{}, err + } config.MatchCN = "" } return config, nil } + +func (a authTLS) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a authTLS) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, authTLSAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/authtls/main_test.go b/internal/ingress/annotations/authtls/main_test.go index 569f3865b..a1f3f0f92 100644 --- a/internal/ingress/annotations/authtls/main_test.go +++ b/internal/ingress/annotations/authtls/main_test.go @@ -93,7 +93,7 @@ func TestAnnotations(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("auth-tls-secret")] = "default/demo-secret" + data[parser.GetAnnotationWithPrefix(annotationAuthTLSSecret)] = "default/demo-secret" ing.SetAnnotations(data) @@ -132,11 +132,11 @@ func TestAnnotations(t *testing.T) { t.Errorf("expected empty string, but got %v", u.MatchCN) } - data[parser.GetAnnotationWithPrefix("auth-tls-verify-client")] = "off" - data[parser.GetAnnotationWithPrefix("auth-tls-verify-depth")] = "2" - data[parser.GetAnnotationWithPrefix("auth-tls-error-page")] = "ok.com/error" - data[parser.GetAnnotationWithPrefix("auth-tls-pass-certificate-to-upstream")] = "true" - data[parser.GetAnnotationWithPrefix("auth-tls-match-cn")] = "CN=hello-app" + data[parser.GetAnnotationWithPrefix(annotationAuthTLSVerifyClient)] = "off" + data[parser.GetAnnotationWithPrefix(annotationAuthTLSVerifyDepth)] = "2" + data[parser.GetAnnotationWithPrefix(annotationAuthTLSErrorPage)] = "ok.com/error" + data[parser.GetAnnotationWithPrefix(annotationAuthTLSPassCertToUpstream)] = "true" + data[parser.GetAnnotationWithPrefix(annotationAuthTLSMatchCN)] = "CN=(hello-app|ok|goodbye)" ing.SetAnnotations(data) @@ -165,8 +165,8 @@ func TestAnnotations(t *testing.T) { if u.PassCertToUpstream != true { t.Errorf("expected %v but got %v", true, u.PassCertToUpstream) } - if u.MatchCN != "CN=hello-app" { - t.Errorf("expected %v but got %v", "CN=hello-app", u.MatchCN) + if u.MatchCN != "CN=(hello-app|ok|goodbye)" { + t.Errorf("expected %v but got %v", "CN=(hello-app|ok|goodbye)", u.MatchCN) } } @@ -182,15 +182,24 @@ func TestInvalidAnnotations(t *testing.T) { } // Invalid NameSpace - data[parser.GetAnnotationWithPrefix("auth-tls-secret")] = "demo-secret" + data[parser.GetAnnotationWithPrefix(annotationAuthTLSSecret)] = "demo-secret" ing.SetAnnotations(data) _, err = NewParser(fakeSecret).Parse(ing) if err == nil { t.Errorf("Expected error with ingress but got nil") } + // Invalid Cross NameSpace + data[parser.GetAnnotationWithPrefix(annotationAuthTLSSecret)] = "nondefault/demo-secret" + ing.SetAnnotations(data) + _, err = NewParser(fakeSecret).Parse(ing) + expErr := errors.NewLocationDenied("cross namespace secrets are not supported") + if err.Error() != expErr.Error() { + t.Errorf("received error is different from cross namespace error: %s Expected %s", err, expErr) + } + // Invalid Auth Certificate - data[parser.GetAnnotationWithPrefix("auth-tls-secret")] = "default/invalid-demo-secret" + data[parser.GetAnnotationWithPrefix(annotationAuthTLSSecret)] = "default/invalid-demo-secret" ing.SetAnnotations(data) _, err = NewParser(fakeSecret).Parse(ing) if err == nil { @@ -198,11 +207,38 @@ func TestInvalidAnnotations(t *testing.T) { } // Invalid optional Annotations - data[parser.GetAnnotationWithPrefix("auth-tls-secret")] = "default/demo-secret" - data[parser.GetAnnotationWithPrefix("auth-tls-verify-client")] = "w00t" - data[parser.GetAnnotationWithPrefix("auth-tls-verify-depth")] = "abcd" - data[parser.GetAnnotationWithPrefix("auth-tls-pass-certificate-to-upstream")] = "nahh" - data[parser.GetAnnotationWithPrefix("auth-tls-match-cn")] = "" + data[parser.GetAnnotationWithPrefix(annotationAuthTLSSecret)] = "default/demo-secret" + + data[parser.GetAnnotationWithPrefix(annotationAuthTLSVerifyClient)] = "w00t" + ing.SetAnnotations(data) + _, err = NewParser(fakeSecret).Parse(ing) + if err != nil { + t.Errorf("Error should be nil and verify client should be defaulted") + } + + data[parser.GetAnnotationWithPrefix(annotationAuthTLSVerifyDepth)] = "abcd" + ing.SetAnnotations(data) + _, err = NewParser(fakeSecret).Parse(ing) + if err != nil { + t.Errorf("Error should be nil and verify depth should be defaulted") + } + + data[parser.GetAnnotationWithPrefix(annotationAuthTLSPassCertToUpstream)] = "nahh" + ing.SetAnnotations(data) + _, err = NewParser(fakeSecret).Parse(ing) + if err == nil { + t.Errorf("Expected error with ingress but got nil") + } + delete(data, parser.GetAnnotationWithPrefix(annotationAuthTLSPassCertToUpstream)) + + data[parser.GetAnnotationWithPrefix(annotationAuthTLSMatchCN)] = "" + ing.SetAnnotations(data) + _, err = NewParser(fakeSecret).Parse(ing) + if err == nil { + t.Errorf("Expected error with ingress CN but got nil") + } + delete(data, parser.GetAnnotationWithPrefix(annotationAuthTLSMatchCN)) + ing.SetAnnotations(data) i, err := NewParser(fakeSecret).Parse(ing) diff --git a/internal/ingress/annotations/backendprotocol/main.go b/internal/ingress/annotations/backendprotocol/main.go index c749072e3..2704ce9f6 100644 --- a/internal/ingress/annotations/backendprotocol/main.go +++ b/internal/ingress/annotations/backendprotocol/main.go @@ -17,49 +17,72 @@ limitations under the License. package backendprotocol import ( - "regexp" - "strings" - networking "k8s.io/api/networking/v1" "k8s.io/klog/v2" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" ) -// HTTP protocol -const HTTP = "HTTP" - var ( - validProtocols = regexp.MustCompile(`^(AUTO_HTTP|HTTP|HTTPS|GRPC|GRPCS|FCGI)$`) + validProtocols = []string{"auto_http", "http", "https", "grpc", "grpcs", "fcgi"} ) +const ( + http = "HTTP" + backendProtocolAnnotation = "backend-protocol" +) + +var backendProtocolConfig = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + backendProtocolAnnotation: { + Validator: parser.ValidateOptions(validProtocols, false, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `this annotation can be used to define which protocol should + be used to communicate with backends`, + }, + }, +} + type backendProtocol struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new backend protocol annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return backendProtocol{r} + return backendProtocol{ + r: r, + annotationConfig: backendProtocolConfig, + } +} + +func (a backendProtocol) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations } // ParseAnnotations parses the annotations contained in the ingress // rule used to indicate the backend protocol. func (a backendProtocol) Parse(ing *networking.Ingress) (interface{}, error) { if ing.GetAnnotations() == nil { - return HTTP, nil + return http, nil } - proto, err := parser.GetStringAnnotation("backend-protocol", ing) + proto, err := parser.GetStringAnnotation(backendProtocolAnnotation, ing, a.annotationConfig.Annotations) if err != nil { - return HTTP, nil - } - - proto = strings.TrimSpace(strings.ToUpper(proto)) - if !validProtocols.MatchString(proto) { - klog.Warningf("Protocol %v is not a valid value for the backend-protocol annotation. Using HTTP as protocol", proto) - return HTTP, nil + if errors.IsValidationError(err) { + klog.Warningf("validation error %s. Using HTTP as protocol", err) + } + return http, nil } return proto, nil } + +func (a backendProtocol) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, backendProtocolConfig.Annotations) +} diff --git a/internal/ingress/annotations/backendprotocol/main_test.go b/internal/ingress/annotations/backendprotocol/main_test.go index e8c018998..490be447b 100644 --- a/internal/ingress/annotations/backendprotocol/main_test.go +++ b/internal/ingress/annotations/backendprotocol/main_test.go @@ -77,7 +77,7 @@ func TestParseInvalidAnnotations(t *testing.T) { } // Test invalid annotation set - data[parser.GetAnnotationWithPrefix("backend-protocol")] = "INVALID" + data[parser.GetAnnotationWithPrefix(backendProtocolAnnotation)] = "INVALID" ing.SetAnnotations(data) i, err = NewParser(&resolver.Mock{}).Parse(ing) @@ -97,7 +97,7 @@ func TestParseAnnotations(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("backend-protocol")] = "HTTPS" + data[parser.GetAnnotationWithPrefix(backendProtocolAnnotation)] = " HTTPS " ing.SetAnnotations(data) i, err := NewParser(&resolver.Mock{}).Parse(ing) diff --git a/internal/ingress/annotations/canary/main.go b/internal/ingress/annotations/canary/main.go index d9e53b3b8..119f09181 100644 --- a/internal/ingress/annotations/canary/main.go +++ b/internal/ingress/annotations/canary/main.go @@ -18,14 +18,82 @@ package canary import ( networking "k8s.io/api/networking/v1" + "k8s.io/klog/v2" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + canaryAnnotation = "canary" + canaryWeightAnnotation = "canary-weight" + canaryWeightTotalAnnotation = "canary-weight-total" + canaryByHeaderAnnotation = "canary-by-header" + canaryByHeaderValueAnnotation = "canary-by-header-value" + canaryByHeaderPatternAnnotation = "canary-by-header-pattern" + canaryByCookieAnnotation = "canary-by-cookie" +) + +var CanaryAnnotations = parser.Annotation{ + Group: "canary", + Annotations: parser.AnnotationFields{ + canaryAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables the Ingress spec to act as an alternative service for requests to route to depending on the rules applied`, + }, + canaryWeightAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation defines the integer based (0 - ) percent of random requests that should be routed to the service specified in the canary Ingress`, + }, + canaryWeightTotalAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation The total weight of traffic. If unspecified, it defaults to 100`, + }, + canaryByHeaderAnnotation: { + Validator: parser.ValidateRegex(*parser.BasicCharsRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation defines the header that should be used for notifying the Ingress to route the request to the service specified in the Canary Ingress. + When the request header is set to 'always', it will be routed to the canary. When the header is set to 'never', it will never be routed to the canary. + For any other value, the header will be ignored and the request compared against the other canary rules by precedence`, + }, + canaryByHeaderValueAnnotation: { + Validator: parser.ValidateRegex(*parser.BasicCharsRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation defines the header value to match for notifying the Ingress to route the request to the service specified in the Canary Ingress. + When the request header is set to this value, it will be routed to the canary. For any other header value, the header will be ignored and the request compared against the other canary rules by precedence. + This annotation has to be used together with 'canary-by-header'. The annotation is an extension of the 'canary-by-header' to allow customizing the header value instead of using hardcoded values. + It doesn't have any effect if the 'canary-by-header' annotation is not defined`, + }, + canaryByHeaderPatternAnnotation: { + Validator: parser.ValidateRegex(*parser.IsValidRegex, false), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation works the same way as canary-by-header-value except it does PCRE Regex matching. + Note that when 'canary-by-header-value' is set this annotation will be ignored. + When the given Regex causes error during request processing, the request will be considered as not matching.`, + }, + canaryByCookieAnnotation: { + Validator: parser.ValidateRegex(*parser.BasicCharsRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation defines the cookie that should be used for notifying the Ingress to route the request to the service specified in the Canary Ingress. + When the cookie is set to 'always', it will be routed to the canary. When the cookie is set to 'never', it will never be routed to the canary`, + }, + }, +} + type canary struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // Config returns the configuration rules for setting up the Canary @@ -41,7 +109,10 @@ type Config struct { // NewParser parses the ingress for canary related annotations func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return canary{r} + return canary{ + r: r, + annotationConfig: CanaryAnnotations, + } } // Parse parses the annotations contained in the ingress @@ -50,45 +121,75 @@ func (c canary) Parse(ing *networking.Ingress) (interface{}, error) { config := &Config{} var err error - config.Enabled, err = parser.GetBoolAnnotation("canary", ing) + config.Enabled, err = parser.GetBoolAnnotation(canaryAnnotation, ing, c.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("%s is invalid, defaulting to 'false'", canaryAnnotation) + } config.Enabled = false } - config.Weight, err = parser.GetIntAnnotation("canary-weight", ing) + config.Weight, err = parser.GetIntAnnotation(canaryWeightAnnotation, ing, c.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("%s is invalid, defaulting to '0'", canaryWeightAnnotation) + } config.Weight = 0 } - config.WeightTotal, err = parser.GetIntAnnotation("canary-weight-total", ing) + config.WeightTotal, err = parser.GetIntAnnotation(canaryWeightTotalAnnotation, ing, c.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("%s is invalid, defaulting to '100'", canaryWeightTotalAnnotation) + } config.WeightTotal = 100 } - config.Header, err = parser.GetStringAnnotation("canary-by-header", ing) + config.Header, err = parser.GetStringAnnotation(canaryByHeaderAnnotation, ing, c.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("%s is invalid, defaulting to ''", canaryByHeaderAnnotation) + } config.Header = "" } - config.HeaderValue, err = parser.GetStringAnnotation("canary-by-header-value", ing) + config.HeaderValue, err = parser.GetStringAnnotation(canaryByHeaderValueAnnotation, ing, c.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("%s is invalid, defaulting to ''", canaryByHeaderValueAnnotation) + } config.HeaderValue = "" } - config.HeaderPattern, err = parser.GetStringAnnotation("canary-by-header-pattern", ing) + config.HeaderPattern, err = parser.GetStringAnnotation(canaryByHeaderPatternAnnotation, ing, c.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("%s is invalid, defaulting to ''", canaryByHeaderPatternAnnotation) + } config.HeaderPattern = "" } - config.Cookie, err = parser.GetStringAnnotation("canary-by-cookie", ing) + config.Cookie, err = parser.GetStringAnnotation(canaryByCookieAnnotation, ing, c.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("%s is invalid, defaulting to ''", canaryByCookieAnnotation) + } config.Cookie = "" } if !config.Enabled && (config.Weight > 0 || len(config.Header) > 0 || len(config.HeaderValue) > 0 || len(config.Cookie) > 0 || len(config.HeaderPattern) > 0) { - return nil, errors.NewInvalidAnnotationConfiguration("canary", "configured but not enabled") + return nil, errors.NewInvalidAnnotationConfiguration(canaryAnnotation, "configured but not enabled") } return config, nil } + +func (c canary) GetDocumentation() parser.AnnotationFields { + return c.annotationConfig.Annotations +} + +func (a canary) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, CanaryAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/clientbodybuffersize/main.go b/internal/ingress/annotations/clientbodybuffersize/main.go index 9020ee594..aa1485df2 100644 --- a/internal/ingress/annotations/clientbodybuffersize/main.go +++ b/internal/ingress/annotations/clientbodybuffersize/main.go @@ -23,17 +23,49 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + clientBodyBufferSizeAnnotation = "client-body-buffer-size" +) + +var clientBodyBufferSizeConfig = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + clientBodyBufferSizeAnnotation: { + Validator: parser.ValidateRegex(*parser.SizeRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `Sets buffer size for reading client request body per location. + In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file. + By default, buffer size is equal to two memory pages. This is 8K on x86, other 32-bit platforms, and x86-64. + It is usually 16K on other 64-bit platforms. This annotation is applied to each location provided in the ingress rule.`, + }, + }, +} + type clientBodyBufferSize struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new clientBodyBufferSize annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return clientBodyBufferSize{r} + return clientBodyBufferSize{ + r: r, + annotationConfig: clientBodyBufferSizeConfig, + } +} + +func (cbbs clientBodyBufferSize) GetDocumentation() parser.AnnotationFields { + return cbbs.annotationConfig.Annotations } // Parse parses the annotations contained in the ingress rule // used to add an client-body-buffer-size to the provided locations func (cbbs clientBodyBufferSize) Parse(ing *networking.Ingress) (interface{}, error) { - return parser.GetStringAnnotation("client-body-buffer-size", ing) + return parser.GetStringAnnotation(clientBodyBufferSizeAnnotation, ing, cbbs.annotationConfig.Annotations) +} + +func (a clientBodyBufferSize) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, clientBodyBufferSizeConfig.Annotations) } diff --git a/internal/ingress/annotations/clientbodybuffersize/main_test.go b/internal/ingress/annotations/clientbodybuffersize/main_test.go index 9932f8314..0f2c8474a 100644 --- a/internal/ingress/annotations/clientbodybuffersize/main_test.go +++ b/internal/ingress/annotations/clientbodybuffersize/main_test.go @@ -39,6 +39,9 @@ func TestParse(t *testing.T) { }{ {map[string]string{annotation: "8k"}, "8k"}, {map[string]string{annotation: "16k"}, "16k"}, + {map[string]string{annotation: "10000"}, "10000"}, + {map[string]string{annotation: "16R"}, ""}, + {map[string]string{annotation: "16kkk"}, ""}, {map[string]string{annotation: ""}, ""}, {map[string]string{}, ""}, {nil, ""}, diff --git a/internal/ingress/annotations/connection/main.go b/internal/ingress/annotations/connection/main.go index e9b0c1865..9e96b6ab1 100644 --- a/internal/ingress/annotations/connection/main.go +++ b/internal/ingress/annotations/connection/main.go @@ -17,12 +17,34 @@ limitations under the License. package connection import ( + "regexp" + networking "k8s.io/api/networking/v1" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + connectionProxyHeaderAnnotation = "connection-proxy-header" +) + +var ( + validConnectionHeaderValue = regexp.MustCompile(`^(close|keep-alive)$`) +) + +var connectionHeadersAnnotations = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + connectionProxyHeaderAnnotation: { + Validator: parser.ValidateRegex(*validConnectionHeaderValue, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation allows setting a specific value for "proxy_set_header Connection" directive. Right now it is restricted to "close" or "keep-alive"`, + }, + }, +} + // Config returns the connection header configuration for an Ingress rule type Config struct { Header string `json:"header"` @@ -30,18 +52,22 @@ type Config struct { } type connection struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new port in redirect annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return connection{r} + return connection{ + r: r, + annotationConfig: connectionHeadersAnnotations, + } } // Parse parses the annotations contained in the ingress // rule used to indicate if the connection header should be overridden. func (a connection) Parse(ing *networking.Ingress) (interface{}, error) { - cp, err := parser.GetStringAnnotation("connection-proxy-header", ing) + cp, err := parser.GetStringAnnotation(connectionProxyHeaderAnnotation, ing, a.annotationConfig.Annotations) if err != nil { return &Config{ Enabled: false, @@ -70,3 +96,12 @@ func (r1 *Config) Equal(r2 *Config) bool { return true } + +func (a connection) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a connection) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, connectionHeadersAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/connection/main_test.go b/internal/ingress/annotations/connection/main_test.go index 011a2948c..a95288385 100644 --- a/internal/ingress/annotations/connection/main_test.go +++ b/internal/ingress/annotations/connection/main_test.go @@ -37,10 +37,12 @@ func TestParse(t *testing.T) { testCases := []struct { annotations map[string]string expected *Config + expectErr bool }{ - {map[string]string{annotation: "keep-alive"}, &Config{Enabled: true, Header: "keep-alive"}}, - {map[string]string{}, &Config{Enabled: false}}, - {nil, &Config{Enabled: false}}, + {map[string]string{annotation: "keep-alive"}, &Config{Enabled: true, Header: "keep-alive"}, false}, + {map[string]string{annotation: "not-allowed-value"}, &Config{Enabled: false}, true}, + {map[string]string{}, &Config{Enabled: false}, true}, + {nil, &Config{Enabled: false}, true}, } ing := &networking.Ingress{ @@ -53,11 +55,17 @@ func TestParse(t *testing.T) { for _, testCase := range testCases { ing.SetAnnotations(testCase.annotations) - i, _ := ap.Parse(ing) - p, _ := i.(*Config) - + i, err := ap.Parse(ing) + if (err != nil) != testCase.expectErr { + t.Fatalf("expected error: %t got error: %t err value: %s. %+v", testCase.expectErr, err != nil, err, testCase.annotations) + } + p, ok := i.(*Config) + if !ok { + t.Fatalf("expected a Config type") + } if !p.Equal(testCase.expected) { t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, p, testCase.annotations) } + } } diff --git a/internal/ingress/annotations/cors/main.go b/internal/ingress/annotations/cors/main.go index 3888f2909..cc30b8405 100644 --- a/internal/ingress/annotations/cors/main.go +++ b/internal/ingress/annotations/cors/main.go @@ -24,6 +24,7 @@ import ( "k8s.io/klog/v2" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" ) @@ -38,20 +39,87 @@ var ( // Regex are defined here to prevent information leak, if user tries to set anything not valid // that could cause the Response to contain some internal value/variable (like returning $pid, $upstream_addr, etc) // Origin must contain a http/s Origin (including or not the port) or the value '*' + // This Regex is composed of the following: + // * Sets a group that can be (https?://)?*?.something.com:port? + // * Allows this to be repeated as much as possible, and separated by comma + // Otherwise it should be '*' + corsOriginRegexValidator = regexp.MustCompile(`^((((https?://)?(\*\.)?[A-Za-z0-9\-\.]*(:[0-9]+)?,?)+)|\*)?$`) + // corsOriginRegex defines the regex for validation inside Parse corsOriginRegex = regexp.MustCompile(`^(https?://(\*\.)?[A-Za-z0-9\-\.]*(:[0-9]+)?|\*)?$`) // Method must contain valid methods list (PUT, GET, POST, BLA) // May contain or not spaces between each verb corsMethodsRegex = regexp.MustCompile(`^([A-Za-z]+,?\s?)+$`) - // Headers must contain valid values only (X-HEADER12, X-ABC) - // May contain or not spaces between each Header - corsHeadersRegex = regexp.MustCompile(`^([A-Za-z0-9\-\_]+,?\s?)+$`) // Expose Headers must contain valid values only (*, X-HEADER12, X-ABC) // May contain or not spaces between each Header corsExposeHeadersRegex = regexp.MustCompile(`^(([A-Za-z0-9\-\_]+|\*),?\s?)+$`) ) +const ( + corsEnableAnnotation = "enable-cors" + corsAllowOriginAnnotation = "cors-allow-origin" + corsAllowHeadersAnnotation = "cors-allow-headers" + corsAllowMethodsAnnotation = "cors-allow-methods" + corsAllowCredentialsAnnotation = "cors-allow-credentials" //#nosec G101 + corsExposeHeadersAnnotation = "cors-expose-headers" + corsMaxAgeAnnotation = "cors-max-age" +) + +var corsAnnotation = parser.Annotation{ + Group: "cors", + Annotations: parser.AnnotationFields{ + corsEnableAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables Cross-Origin Resource Sharing (CORS) in an Ingress rule`, + }, + corsAllowOriginAnnotation: { + Validator: parser.ValidateRegex(*corsOriginRegexValidator, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation controls what's the accepted Origin for CORS. + This is a multi-valued field, separated by ','. It must follow this format: http(s)://origin-site.com or http(s)://origin-site.com:port + It also supports single level wildcard subdomains and follows this format: http(s)://*.foo.bar, http(s)://*.bar.foo:8080 or http(s)://*.abc.bar.foo:9000`, + }, + corsAllowHeadersAnnotation: { + Validator: parser.ValidateRegex(*parser.HeadersVariable, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation controls which headers are accepted. + This is a multi-valued field, separated by ',' and accepts letters, numbers, _ and -`, + }, + corsAllowMethodsAnnotation: { + Validator: parser.ValidateRegex(*corsMethodsRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation controls which methods are accepted. + This is a multi-valued field, separated by ',' and accepts only letters (upper and lower case)`, + }, + corsAllowCredentialsAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation controls if credentials can be passed during CORS operations.`, + }, + corsExposeHeadersAnnotation: { + Validator: parser.ValidateRegex(*corsExposeHeadersRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation controls which headers are exposed to response. + This is a multi-valued field, separated by ',' and accepts letters, numbers, _, - and *.`, + }, + corsMaxAgeAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation controls how long, in seconds, preflight requests can be cached.`, + }, + }, +} + type cors struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // Config contains the Cors configuration to be used in the Ingress @@ -67,7 +135,10 @@ type Config struct { // NewParser creates a new CORS annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return cors{r} + return cors{ + r: r, + annotationConfig: corsAnnotation, + } } // Equal tests for equality between two External types @@ -116,13 +187,16 @@ func (c cors) Parse(ing *networking.Ingress) (interface{}, error) { var err error config := &Config{} - config.CorsEnabled, err = parser.GetBoolAnnotation("enable-cors", ing) + config.CorsEnabled, err = parser.GetBoolAnnotation(corsEnableAnnotation, ing, c.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("enable-cors is invalid, defaulting to 'false'") + } config.CorsEnabled = false } config.CorsAllowOrigin = []string{} - unparsedOrigins, err := parser.GetStringAnnotation("cors-allow-origin", ing) + unparsedOrigins, err := parser.GetStringAnnotation(corsAllowOriginAnnotation, ing, c.annotationConfig.Annotations) if err == nil { origins := strings.Split(unparsedOrigins, ",") for _, origin := range origins { @@ -140,33 +214,53 @@ func (c cors) Parse(ing *networking.Ingress) (interface{}, error) { klog.Infof("Current config.corsAllowOrigin %v", config.CorsAllowOrigin) } } else { + if errors.IsValidationError(err) { + klog.Warningf("cors-allow-origin is invalid, defaulting to '*'") + } config.CorsAllowOrigin = []string{"*"} } - config.CorsAllowHeaders, err = parser.GetStringAnnotation("cors-allow-headers", ing) - if err != nil || !corsHeadersRegex.MatchString(config.CorsAllowHeaders) { + config.CorsAllowHeaders, err = parser.GetStringAnnotation(corsAllowHeadersAnnotation, ing, c.annotationConfig.Annotations) + if err != nil || !parser.HeadersVariable.MatchString(config.CorsAllowHeaders) { config.CorsAllowHeaders = defaultCorsHeaders } - config.CorsAllowMethods, err = parser.GetStringAnnotation("cors-allow-methods", ing) + config.CorsAllowMethods, err = parser.GetStringAnnotation(corsAllowMethodsAnnotation, ing, c.annotationConfig.Annotations) if err != nil || !corsMethodsRegex.MatchString(config.CorsAllowMethods) { config.CorsAllowMethods = defaultCorsMethods } - config.CorsAllowCredentials, err = parser.GetBoolAnnotation("cors-allow-credentials", ing) + config.CorsAllowCredentials, err = parser.GetBoolAnnotation(corsAllowCredentialsAnnotation, ing, c.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + if errors.IsValidationError(err) { + klog.Warningf("cors-allow-credentials is invalid, defaulting to 'true'") + } + } config.CorsAllowCredentials = true } - config.CorsExposeHeaders, err = parser.GetStringAnnotation("cors-expose-headers", ing) + config.CorsExposeHeaders, err = parser.GetStringAnnotation(corsExposeHeadersAnnotation, ing, c.annotationConfig.Annotations) if err != nil || !corsExposeHeadersRegex.MatchString(config.CorsExposeHeaders) { config.CorsExposeHeaders = "" } - config.CorsMaxAge, err = parser.GetIntAnnotation("cors-max-age", ing) + config.CorsMaxAge, err = parser.GetIntAnnotation(corsMaxAgeAnnotation, ing, c.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("cors-max-age is invalid, defaulting to %d", defaultCorsMaxAge) + } config.CorsMaxAge = defaultCorsMaxAge } return config, nil } + +func (c cors) GetDocumentation() parser.AnnotationFields { + return c.annotationConfig.Annotations +} + +func (a cors) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, corsAnnotation.Annotations) +} diff --git a/internal/ingress/annotations/cors/main_test.go b/internal/ingress/annotations/cors/main_test.go index 086a59d89..d371d183b 100644 --- a/internal/ingress/annotations/cors/main_test.go +++ b/internal/ingress/annotations/cors/main_test.go @@ -75,13 +75,13 @@ func TestIngressCorsConfigValid(t *testing.T) { data := map[string]string{} // Valid - data[parser.GetAnnotationWithPrefix("enable-cors")] = "true" - data[parser.GetAnnotationWithPrefix("cors-allow-headers")] = "DNT,X-CustomHeader, Keep-Alive,User-Agent" - data[parser.GetAnnotationWithPrefix("cors-allow-credentials")] = "false" - data[parser.GetAnnotationWithPrefix("cors-allow-methods")] = "GET, PATCH" - data[parser.GetAnnotationWithPrefix("cors-allow-origin")] = "https://origin123.test.com:4443" - data[parser.GetAnnotationWithPrefix("cors-expose-headers")] = "*, X-CustomResponseHeader" - data[parser.GetAnnotationWithPrefix("cors-max-age")] = "600" + data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)] = "true" + data[parser.GetAnnotationWithPrefix(corsAllowHeadersAnnotation)] = "DNT,X-CustomHeader, Keep-Alive,User-Agent" + data[parser.GetAnnotationWithPrefix(corsAllowCredentialsAnnotation)] = "false" + data[parser.GetAnnotationWithPrefix(corsAllowMethodsAnnotation)] = "GET, PATCH" + data[parser.GetAnnotationWithPrefix(corsAllowOriginAnnotation)] = "https://origin123.test.com:4443" + data[parser.GetAnnotationWithPrefix(corsExposeHeadersAnnotation)] = "*, X-CustomResponseHeader" + data[parser.GetAnnotationWithPrefix(corsMaxAgeAnnotation)] = "600" ing.SetAnnotations(data) corst, err := NewParser(&resolver.Mock{}).Parse(ing) @@ -95,31 +95,31 @@ func TestIngressCorsConfigValid(t *testing.T) { } if !nginxCors.CorsEnabled { - t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix("enable-cors")], nginxCors.CorsEnabled) + t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)], nginxCors.CorsEnabled) } if nginxCors.CorsAllowCredentials { - t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix("cors-allow-credentials")], nginxCors.CorsAllowCredentials) + t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsAllowCredentialsAnnotation)], nginxCors.CorsAllowCredentials) } if nginxCors.CorsAllowHeaders != "DNT,X-CustomHeader, Keep-Alive,User-Agent" { - t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix("cors-allow-headers")], nginxCors.CorsAllowHeaders) + t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsAllowHeadersAnnotation)], nginxCors.CorsAllowHeaders) } if nginxCors.CorsAllowMethods != "GET, PATCH" { - t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix("cors-allow-methods")], nginxCors.CorsAllowMethods) + t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsAllowMethodsAnnotation)], nginxCors.CorsAllowMethods) } if nginxCors.CorsAllowOrigin[0] != "https://origin123.test.com:4443" { - t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix("cors-allow-origin")], nginxCors.CorsAllowOrigin) + t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsAllowOriginAnnotation)], nginxCors.CorsAllowOrigin) } if nginxCors.CorsExposeHeaders != "*, X-CustomResponseHeader" { - t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix("cors-expose-headers")], nginxCors.CorsExposeHeaders) + t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsExposeHeadersAnnotation)], nginxCors.CorsExposeHeaders) } if nginxCors.CorsMaxAge != 600 { - t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix("cors-max-age")], nginxCors.CorsMaxAge) + t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsMaxAgeAnnotation)], nginxCors.CorsMaxAge) } } @@ -129,13 +129,13 @@ func TestIngressCorsConfigInvalid(t *testing.T) { data := map[string]string{} // Valid - data[parser.GetAnnotationWithPrefix("enable-cors")] = "yes" - data[parser.GetAnnotationWithPrefix("cors-allow-headers")] = "@alright, #ingress" - data[parser.GetAnnotationWithPrefix("cors-allow-credentials")] = "no" - data[parser.GetAnnotationWithPrefix("cors-allow-methods")] = "GET, PATCH, $nginx" - data[parser.GetAnnotationWithPrefix("cors-allow-origin")] = "origin123.test.com:4443" - data[parser.GetAnnotationWithPrefix("cors-expose-headers")] = "@alright, #ingress" - data[parser.GetAnnotationWithPrefix("cors-max-age")] = "abcd" + data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)] = "yes" + data[parser.GetAnnotationWithPrefix(corsAllowHeadersAnnotation)] = "@alright, #ingress" + data[parser.GetAnnotationWithPrefix(corsAllowCredentialsAnnotation)] = "no" + data[parser.GetAnnotationWithPrefix(corsAllowMethodsAnnotation)] = "GET, PATCH, $nginx" + data[parser.GetAnnotationWithPrefix(corsAllowOriginAnnotation)] = "origin123.test.com:4443" + data[parser.GetAnnotationWithPrefix(corsExposeHeadersAnnotation)] = "@alright, #ingress" + data[parser.GetAnnotationWithPrefix(corsMaxAgeAnnotation)] = "abcd" ing.SetAnnotations(data) corst, err := NewParser(&resolver.Mock{}).Parse(ing) diff --git a/internal/ingress/annotations/customhttperrors/main.go b/internal/ingress/annotations/customhttperrors/main.go index a05fb16c8..c3c9b5be3 100644 --- a/internal/ingress/annotations/customhttperrors/main.go +++ b/internal/ingress/annotations/customhttperrors/main.go @@ -17,6 +17,7 @@ limitations under the License. package customhttperrors import ( + "regexp" "strconv" "strings" @@ -26,19 +27,46 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + customHTTPErrorsAnnotation = "custom-http-errors" +) + +var ( + // We accept anything between 400 and 599, on a comma separated. + arrayOfHTTPErrors = regexp.MustCompile(`^(?:[4,5][0-9][0-9],?)*$`) +) + +var customHTTPErrorsAnnotations = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + customHTTPErrorsAnnotation: { + Validator: parser.ValidateRegex(*arrayOfHTTPErrors, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `If a default backend annotation is specified on the ingress, the errors code specified on this annotation + will be routed to that annotation's default backend service. Otherwise they will be routed to the global default backend. + A comma-separated list of error codes is accepted (anything between 400 and 599, like 403, 503)`, + }, + }, +} + type customhttperrors struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new custom http errors annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return customhttperrors{r} + return customhttperrors{ + r: r, + annotationConfig: customHTTPErrorsAnnotations, + } } // Parse parses the annotations contained in the ingress to use // custom http errors func (e customhttperrors) Parse(ing *networking.Ingress) (interface{}, error) { - c, err := parser.GetStringAnnotation("custom-http-errors", ing) + c, err := parser.GetStringAnnotation(customHTTPErrorsAnnotation, ing, e.annotationConfig.Annotations) if err != nil { return nil, err } @@ -55,3 +83,12 @@ func (e customhttperrors) Parse(ing *networking.Ingress) (interface{}, error) { return codes, nil } + +func (e customhttperrors) GetDocumentation() parser.AnnotationFields { + return e.annotationConfig.Annotations +} + +func (a customhttperrors) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, customHTTPErrorsAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/defaultbackend/main.go b/internal/ingress/annotations/defaultbackend/main.go index b1685015e..f3ca004dd 100644 --- a/internal/ingress/annotations/defaultbackend/main.go +++ b/internal/ingress/annotations/defaultbackend/main.go @@ -25,19 +25,40 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + defaultBackendAnnotation = "default-backend" +) + +var defaultBackendAnnotations = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + defaultBackendAnnotation: { + Validator: parser.ValidateServiceName, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This service will be used to handle the response when the configured service in the Ingress rule does not have any active endpoints. + It will also be used to handle the error responses if both this annotation and the custom-http-errors annotation are set.`, + }, + }, +} + type backend struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new default backend annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return backend{r} + return backend{ + r: r, + annotationConfig: defaultBackendAnnotations, + } } // Parse parses the annotations contained in the ingress to use // a custom default backend func (db backend) Parse(ing *networking.Ingress) (interface{}, error) { - s, err := parser.GetStringAnnotation("default-backend", ing) + s, err := parser.GetStringAnnotation(defaultBackendAnnotation, ing, db.annotationConfig.Annotations) if err != nil { return nil, err } @@ -50,3 +71,12 @@ func (db backend) Parse(ing *networking.Ingress) (interface{}, error) { return svc, nil } + +func (db backend) GetDocumentation() parser.AnnotationFields { + return db.annotationConfig.Annotations +} + +func (a backend) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, defaultBackendAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/defaultbackend/main_test.go b/internal/ingress/annotations/defaultbackend/main_test.go index ec23d32c2..214d07803 100644 --- a/internal/ingress/annotations/defaultbackend/main_test.go +++ b/internal/ingress/annotations/defaultbackend/main_test.go @@ -91,21 +91,51 @@ func (m mockService) GetService(name string) (*api.Service, error) { func TestAnnotations(t *testing.T) { ing := buildIngress() - data := map[string]string{} - data[parser.GetAnnotationWithPrefix("default-backend")] = "demo-service" - ing.SetAnnotations(data) - - fakeService := &mockService{} - i, err := NewParser(fakeService).Parse(ing) - if err != nil { - t.Errorf("unexpected error %v", err) + tests := map[string]struct { + expectErr bool + serviceName string + }{ + "valid name": { + serviceName: "demo-service", + expectErr: false, + }, + "not in backend": { + serviceName: "demo1-service", + expectErr: true, + }, + "invalid dns name": { + serviceName: "demo-service.something.tld", + expectErr: true, + }, + "invalid name": { + serviceName: "something/xpto", + expectErr: true, + }, + "invalid characters": { + serviceName: "something;xpto", + expectErr: true, + }, } - svc, ok := i.(*api.Service) - if !ok { - t.Errorf("expected *api.Service but got %v", svc) - } - if svc.Name != "demo-service" { - t.Errorf("expected %v but got %v", "demo-service", svc.Name) + for _, test := range tests { + data := map[string]string{} + data[parser.GetAnnotationWithPrefix(defaultBackendAnnotation)] = test.serviceName + ing.SetAnnotations(data) + + fakeService := &mockService{} + i, err := NewParser(fakeService).Parse(ing) + if (err != nil) != test.expectErr { + t.Errorf("expected error: %t got error: %t err value: %s. %+v", test.expectErr, err != nil, err, i) + } + + if !test.expectErr { + svc, ok := i.(*api.Service) + if !ok { + t.Errorf("expected *api.Service but got %v", svc) + } + if svc.Name != test.serviceName { + t.Errorf("expected %v but got %v", test.serviceName, svc.Name) + } + } } } diff --git a/internal/ingress/annotations/fastcgi/main.go b/internal/ingress/annotations/fastcgi/main.go index 84bac4109..96dbc7159 100644 --- a/internal/ingress/annotations/fastcgi/main.go +++ b/internal/ingress/annotations/fastcgi/main.go @@ -19,17 +19,49 @@ package fastcgi import ( "fmt" "reflect" + "regexp" networking "k8s.io/api/networking/v1" "k8s.io/client-go/tools/cache" + "k8s.io/klog/v2" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + fastCGIIndexAnnotation = "fastcgi-index" + fastCGIParamsAnnotation = "fastcgi-params-configmap" +) + +var ( + // fast-cgi valid parameters is just a single file name (like index.php) + regexValidIndexAnnotationAndKey = regexp.MustCompile(`^[A-Za-z0-9\.\-\_]+$`) +) + +var fastCGIAnnotations = parser.Annotation{ + Group: "fastcgi", + Annotations: parser.AnnotationFields{ + fastCGIIndexAnnotation: { + Validator: parser.ValidateRegex(*regexValidIndexAnnotationAndKey, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation can be used to specify an index file`, + }, + fastCGIParamsAnnotation: { + Validator: parser.ValidateRegex(*parser.BasicCharsRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation can be used to specify a ConfigMap containing the fastcgi parameters as a key/value. + Only ConfigMaps on the same namespace of ingress can be used. They key and value from ConfigMap are validated for unauthorized characters.`, + }, + }, +} + type fastcgi struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // Config describes the per location fastcgi config @@ -57,7 +89,10 @@ func (l1 *Config) Equal(l2 *Config) bool { // NewParser creates a new fastcgiConfig protocol annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return fastcgi{r} + return fastcgi{ + r: r, + annotationConfig: fastCGIAnnotations, + } } // ParseAnnotations parses the annotations contained in the ingress @@ -70,14 +105,21 @@ func (a fastcgi) Parse(ing *networking.Ingress) (interface{}, error) { return fcgiConfig, nil } - index, err := parser.GetStringAnnotation("fastcgi-index", ing) + index, err := parser.GetStringAnnotation(fastCGIIndexAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if ing_errors.IsValidationError(err) { + return fcgiConfig, err + } index = "" } + fcgiConfig.Index = index - cm, err := parser.GetStringAnnotation("fastcgi-params-configmap", ing) + cm, err := parser.GetStringAnnotation(fastCGIParamsAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if ing_errors.IsValidationError(err) { + return fcgiConfig, err + } return fcgiConfig, nil } @@ -87,8 +129,10 @@ func (a fastcgi) Parse(ing *networking.Ingress) (interface{}, error) { Reason: fmt.Errorf("error reading configmap name from annotation: %w", err), } } + secCfg := a.r.GetSecurityConfiguration() - if cmns != "" && cmns != ing.Namespace { + // We don't accept different namespaces for secrets. + if cmns != "" && !secCfg.AllowCrossNamespaceResources && cmns != ing.Namespace { return fcgiConfig, fmt.Errorf("different namespace is not supported on fast_cgi param configmap") } @@ -100,7 +144,24 @@ func (a fastcgi) Parse(ing *networking.Ingress) (interface{}, error) { } } + for k, v := range cmap.Data { + if !regexValidIndexAnnotationAndKey.MatchString(k) || !parser.NGINXVariable.MatchString(v) { + klog.ErrorS(fmt.Errorf("fcgi contains invalid key or value"), "fcgi annotation error", "configmap", cmap.Name, "namespace", cmap.Namespace, "key", k, "value", v) + return fcgiConfig, ing_errors.NewValidationError(fastCGIParamsAnnotation) + } + } + + fcgiConfig.Index = index fcgiConfig.Params = cmap.Data return fcgiConfig, nil } + +func (a fastcgi) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a fastcgi) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, fastCGIAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/fastcgi/main_test.go b/internal/ingress/annotations/fastcgi/main_test.go index 35c5bbc12..3296ded65 100644 --- a/internal/ingress/annotations/fastcgi/main_test.go +++ b/internal/ingress/annotations/fastcgi/main_test.go @@ -18,6 +18,7 @@ package fastcgi import ( "fmt" + "reflect" "testing" api "k8s.io/api/core/v1" @@ -49,10 +50,16 @@ func buildIngress() *networking.Ingress { type mockConfigMap struct { resolver.Mock + extraConfigMap map[string]map[string]string } func (m mockConfigMap) GetConfigMap(name string) (*api.ConfigMap, error) { - if name != "default/demo-configmap" && name != "otherns/demo-configmap" { + if m.extraConfigMap == nil { + m.extraConfigMap = make(map[string]map[string]string) + } + cmdata, ok := m.extraConfigMap[name] + + if name != "default/demo-configmap" && name != "otherns/demo-configmap" && !ok { return nil, fmt.Errorf("there is no configmap with name %v", name) } @@ -61,12 +68,17 @@ func (m mockConfigMap) GetConfigMap(name string) (*api.ConfigMap, error) { return nil, fmt.Errorf("invalid configmap name") } + data := map[string]string{"REDIRECT_STATUS": "200", "SERVER_NAME": "$server_name"} + if ok { + data = cmdata + } + return &api.ConfigMap{ ObjectMeta: meta_v1.ObjectMeta{ Namespace: cmns, Name: cmn, }, - Data: map[string]string{"REDIRECT_STATUS": "200", "SERVER_NAME": "$server_name"}, + Data: data, }, nil } @@ -283,3 +295,111 @@ func TestConfigEquality(t *testing.T) { t.Errorf("config4 should be equal to config") } } + +func Test_fastcgi_Parse(t *testing.T) { + + tests := []struct { + name string + index string + configmapname string + configmap map[string]string + want interface{} + wantErr bool + }{ + { + name: "valid configuration", + index: "indexxpto-92123.php", + configmapname: "default/fcgiconfig", + configmap: map[string]string{ + "REQUEST_METHOD": "$request_method", + "SCRIPT_FILENAME": "$document_root$fastcgi_script_name", + }, + want: Config{ + Index: "indexxpto-92123.php", + Params: map[string]string{ + "REQUEST_METHOD": "$request_method", + "SCRIPT_FILENAME": "$document_root$fastcgi_script_name", + }, + }, + }, + { + name: "invalid index name", + index: "indexxpto-92123$xx.php", + configmapname: "default/fcgiconfig", + configmap: map[string]string{ + "REQUEST_METHOD": "$request_method", + "SCRIPT_FILENAME": "$document_root$fastcgi_script_name", + }, + want: Config{}, + wantErr: true, + }, + { + name: "invalid configmap namespace", + index: "indexxpto-92123.php", + configmapname: "otherns/fcgiconfig", + configmap: map[string]string{ + "REQUEST_METHOD": "$request_method", + "SCRIPT_FILENAME": "$document_root$fastcgi_script_name", + }, + want: Config{Index: "indexxpto-92123.php"}, + wantErr: true, + }, + { + name: "invalid configmap namespace name", + index: "indexxpto-92123.php", + configmapname: "otherns/fcgicon;{fig", + configmap: map[string]string{ + "REQUEST_METHOD": "$request_method", + "SCRIPT_FILENAME": "$document_root$fastcgi_script_name", + }, + want: Config{Index: "indexxpto-92123.php"}, + wantErr: true, + }, + { + name: "invalid configmap values key", + index: "indexxpto-92123.php", + configmapname: "default/fcgiconfig", + configmap: map[string]string{ + "REQUEST_METHOD$XPTO": "$request_method", + }, + want: Config{Index: "indexxpto-92123.php"}, + wantErr: true, + }, + { + name: "invalid configmap values val", + index: "indexxpto-92123.php", + configmapname: "default/fcgiconfig", + configmap: map[string]string{ + "REQUEST_METHOD_XPTO": "$request_method{test};a", + }, + want: Config{Index: "indexxpto-92123.php"}, + wantErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + + ing := buildIngress() + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix("fastcgi-index")] = tt.index + data[parser.GetAnnotationWithPrefix("fastcgi-params-configmap")] = tt.configmapname + ing.SetAnnotations(data) + + m := &mockConfigMap{ + extraConfigMap: map[string]map[string]string{ + tt.configmapname: tt.configmap, + }, + } + + got, err := NewParser(m).Parse(ing) + if (err != nil) != tt.wantErr { + t.Errorf("fastcgi.Parse() error = %v, wantErr %v", err, tt.wantErr) + return + } + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("fastcgi.Parse() = %v, want %v", got, tt.want) + } + }) + } +} diff --git a/internal/ingress/annotations/globalratelimit/main.go b/internal/ingress/annotations/globalratelimit/main.go index ea9fc4678..41f58fd57 100644 --- a/internal/ingress/annotations/globalratelimit/main.go +++ b/internal/ingress/annotations/globalratelimit/main.go @@ -22,8 +22,10 @@ import ( "time" networking "k8s.io/api/networking/v1" + "k8s.io/klog/v2" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/errors" ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" "k8s.io/ingress-nginx/internal/net" @@ -32,6 +34,46 @@ import ( const defaultKey = "$remote_addr" +const ( + globalRateLimitAnnotation = "global-rate-limit" + globalRateLimitWindowAnnotation = "global-rate-limit-window" + globalRateLimitKeyAnnotation = "global-rate-limit-key" + globalRateLimitIgnoredCidrsAnnotation = "global-rate-limit-ignored-cidrs" +) + +var globalRateLimitAnnotationConfig = parser.Annotation{ + Group: "ratelimit", + Annotations: parser.AnnotationFields{ + globalRateLimitAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation configures maximum allowed number of requests per window`, + }, + globalRateLimitWindowAnnotation: { + Validator: parser.ValidateDuration, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `Configures a time window (i.e 1m) that the limit is applied`, + }, + globalRateLimitKeyAnnotation: { + Validator: parser.ValidateRegex(*parser.NGINXVariable, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskHigh, + Documentation: `This annotation Configures a key for counting the samples. Defaults to $remote_addr. + You can also combine multiple NGINX variables here, like ${remote_addr}-${http_x_api_client} which would mean the limit will be applied to + requests coming from the same API client (indicated by X-API-Client HTTP request header) with the same source IP address`, + }, + globalRateLimitIgnoredCidrsAnnotation: { + Validator: parser.ValidateCIDRs, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation defines a comma separated list of IPs and CIDRs to match client IP against. + When there's a match request is not considered for rate limiting.`, + }, + }, +} + // Config encapsulates all global rate limit attributes type Config struct { Namespace string `json:"namespace"` @@ -63,12 +105,16 @@ func (l *Config) Equal(r *Config) bool { } type globalratelimit struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new globalratelimit annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return globalratelimit{r} + return globalratelimit{ + r: r, + annotationConfig: globalRateLimitAnnotationConfig, + } } // Parse extracts globalratelimit annotations from the given ingress @@ -76,8 +122,16 @@ func NewParser(r resolver.Resolver) parser.IngressAnnotation { func (a globalratelimit) Parse(ing *networking.Ingress) (interface{}, error) { config := &Config{} - limit, _ := parser.GetIntAnnotation("global-rate-limit", ing) - rawWindowSize, _ := parser.GetStringAnnotation("global-rate-limit-window", ing) + limit, err := parser.GetIntAnnotation(globalRateLimitAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && errors.IsInvalidContent(err) { + return nil, err + } + rawWindowSize, err := parser.GetStringAnnotation(globalRateLimitWindowAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && errors.IsValidationError(err) { + return config, ing_errors.LocationDenied{ + Reason: fmt.Errorf("failed to parse 'global-rate-limit-window' value: %w", err), + } + } if limit == 0 || len(rawWindowSize) == 0 { return config, nil @@ -90,12 +144,18 @@ func (a globalratelimit) Parse(ing *networking.Ingress) (interface{}, error) { } } - key, _ := parser.GetStringAnnotation("global-rate-limit-key", ing) + key, err := parser.GetStringAnnotation(globalRateLimitKeyAnnotation, ing, a.annotationConfig.Annotations) + if err != nil { + klog.Warningf("invalid %s, defaulting to %s", globalRateLimitKeyAnnotation, defaultKey) + } if len(key) == 0 { key = defaultKey } - rawIgnoredCIDRs, _ := parser.GetStringAnnotation("global-rate-limit-ignored-cidrs", ing) + rawIgnoredCIDRs, err := parser.GetStringAnnotation(globalRateLimitIgnoredCidrsAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && errors.IsInvalidContent(err) { + return nil, err + } ignoredCIDRs, err := net.ParseCIDRs(rawIgnoredCIDRs) if err != nil { return nil, err @@ -109,3 +169,12 @@ func (a globalratelimit) Parse(ing *networking.Ingress) (interface{}, error) { return config, nil } + +func (a globalratelimit) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a globalratelimit) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, globalRateLimitAnnotationConfig.Annotations) +} diff --git a/internal/ingress/annotations/globalratelimit/main_test.go b/internal/ingress/annotations/globalratelimit/main_test.go index 815d6cfff..5d7922666 100644 --- a/internal/ingress/annotations/globalratelimit/main_test.go +++ b/internal/ingress/annotations/globalratelimit/main_test.go @@ -149,6 +149,22 @@ func TestGlobalRateLimiting(t *testing.T) { }, nil, }, + { + "global-rate-limit-complex-key", + map[string]string{ + annRateLimit: "100", + annRateLimitWindow: "2m", + annRateLimitKey: "${http_x_api_user}${otherinfo}", + }, + &Config{ + Namespace: expectedUID, + Limit: 100, + WindowSize: 120, + Key: "${http_x_api_user}${otherinfo}", + IgnoredCIDRs: make([]string, 0), + }, + nil, + }, { "incorrect duration for window", map[string]string{ @@ -157,8 +173,8 @@ func TestGlobalRateLimiting(t *testing.T) { annRateLimitKey: "$http_x_api_user", }, &Config{}, - ing_errors.LocationDenied{ - Reason: fmt.Errorf("failed to parse 'global-rate-limit-window' value: time: unknown unit \"mb\" in duration \"2mb\""), + ing_errors.ValidationError{ + Reason: fmt.Errorf("failed to parse 'global-rate-limit-window' value: annotation nginx.ingress.kubernetes.io/global-rate-limit-window contains invalid value"), }, }, } @@ -168,7 +184,7 @@ func TestGlobalRateLimiting(t *testing.T) { i, actualErr := NewParser(mockBackend{}).Parse(ing) if (testCase.expectedErr == nil || actualErr == nil) && testCase.expectedErr != actualErr { - t.Errorf("expected error 'nil' but got '%v'", actualErr) + t.Errorf("%s expected error '%v' but got '%v'", testCase.title, testCase.expectedErr, actualErr) } else if testCase.expectedErr != nil && actualErr != nil && testCase.expectedErr.Error() != actualErr.Error() { t.Errorf("expected error '%v' but got '%v'", testCase.expectedErr, actualErr) diff --git a/internal/ingress/annotations/http2pushpreload/main.go b/internal/ingress/annotations/http2pushpreload/main.go index 27d3368f4..af9f90aa9 100644 --- a/internal/ingress/annotations/http2pushpreload/main.go +++ b/internal/ingress/annotations/http2pushpreload/main.go @@ -23,17 +23,46 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + http2PushPreloadAnnotation = "http2-push-preload" +) + +var http2PushPreloadAnnotations = parser.Annotation{ + Group: "http2", + Annotations: parser.AnnotationFields{ + http2PushPreloadAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `Enables automatic conversion of preload links specified in the “Link” response header fields into push requests`, + }, + }, +} + type http2PushPreload struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new http2PushPreload annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return http2PushPreload{r} + return http2PushPreload{ + r: r, + annotationConfig: http2PushPreloadAnnotations, + } } // Parse parses the annotations contained in the ingress rule // used to add http2 push preload to the server func (h2pp http2PushPreload) Parse(ing *networking.Ingress) (interface{}, error) { - return parser.GetBoolAnnotation("http2-push-preload", ing) + return parser.GetBoolAnnotation(http2PushPreloadAnnotation, ing, h2pp.annotationConfig.Annotations) +} + +func (h2pp http2PushPreload) GetDocumentation() parser.AnnotationFields { + return h2pp.annotationConfig.Annotations +} + +func (a http2PushPreload) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, http2PushPreloadAnnotations.Annotations) } diff --git a/internal/ingress/annotations/http2pushpreload/main_test.go b/internal/ingress/annotations/http2pushpreload/main_test.go index bb98af93f..eb6e9111d 100644 --- a/internal/ingress/annotations/http2pushpreload/main_test.go +++ b/internal/ingress/annotations/http2pushpreload/main_test.go @@ -23,11 +23,12 @@ import ( networking "k8s.io/api/networking/v1" meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" ) func TestParse(t *testing.T) { - annotation := parser.GetAnnotationWithPrefix("http2-push-preload") + annotation := parser.GetAnnotationWithPrefix(http2PushPreloadAnnotation) ap := NewParser(&resolver.Mock{}) if ap == nil { t.Fatalf("expected a parser.IngressAnnotation but returned nil") @@ -36,12 +37,14 @@ func TestParse(t *testing.T) { testCases := []struct { annotations map[string]string expected bool + expectErr bool }{ - {map[string]string{annotation: "true"}, true}, - {map[string]string{annotation: "1"}, true}, - {map[string]string{annotation: ""}, false}, - {map[string]string{}, false}, - {nil, false}, + {map[string]string{annotation: "true"}, true, false}, + {map[string]string{annotation: "1"}, true, false}, + {map[string]string{annotation: "xpto"}, false, true}, + {map[string]string{annotation: ""}, false, false}, + {map[string]string{}, false, false}, + {nil, false, false}, } ing := &networking.Ingress{ @@ -54,7 +57,10 @@ func TestParse(t *testing.T) { for _, testCase := range testCases { ing.SetAnnotations(testCase.annotations) - result, _ := ap.Parse(ing) + result, err := ap.Parse(ing) + if ((err != nil) != testCase.expectErr) && !errors.IsInvalidContent(err) && !errors.IsMissingAnnotations(err) { + t.Fatalf("expected error: %t got error: %t err value: %s. %+v", testCase.expectErr, err != nil, err, testCase.annotations) + } if result != testCase.expected { t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) } diff --git a/internal/ingress/annotations/ipwhitelist/main.go b/internal/ingress/annotations/ipallowlist/main.go similarity index 53% rename from internal/ingress/annotations/ipwhitelist/main.go rename to internal/ingress/annotations/ipallowlist/main.go index 63c049fef..d9d454c97 100644 --- a/internal/ingress/annotations/ipwhitelist/main.go +++ b/internal/ingress/annotations/ipallowlist/main.go @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package ipwhitelist +package ipallowlist import ( "fmt" @@ -30,6 +30,24 @@ import ( "k8s.io/ingress-nginx/pkg/util/sets" ) +const ( + ipWhitelistAnnotation = "whitelist-source-range" + ipAllowlistAnnotation = "allowlist-source-range" +) + +var allowlistAnnotations = parser.Annotation{ + Group: "acl", + Annotations: parser.AnnotationFields{ + ipAllowlistAnnotation: { + Validator: parser.ValidateCIDRs, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, // Failure on parsing this may cause undesired access + Documentation: `This annotation allows setting a list of IPs and networks allowed to access this Location`, + AnnotationAliases: []string{ipWhitelistAnnotation}, + }, + }, +} + // SourceRange returns the CIDR type SourceRange struct { CIDR []string `json:"cidr,omitempty"` @@ -47,36 +65,47 @@ func (sr1 *SourceRange) Equal(sr2 *SourceRange) bool { return sets.StringElementsMatch(sr1.CIDR, sr2.CIDR) } -type ipwhitelist struct { - r resolver.Resolver +type ipallowlist struct { + r resolver.Resolver + annotationConfig parser.Annotation } -// NewParser creates a new whitelist annotation parser +// NewParser creates a new ipallowlist annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return ipwhitelist{r} + return ipallowlist{ + r: r, + annotationConfig: allowlistAnnotations, + } } // ParseAnnotations parses the annotations contained in the ingress // rule used to limit access to certain client addresses or networks. // Multiple ranges can specified using commas as separator // e.g. `18.0.0.0/8,56.0.0.0/8` -func (a ipwhitelist) Parse(ing *networking.Ingress) (interface{}, error) { +func (a ipallowlist) Parse(ing *networking.Ingress) (interface{}, error) { defBackend := a.r.GetDefaultBackend() - defaultWhitelistSourceRange := make([]string, len(defBackend.WhitelistSourceRange)) - copy(defaultWhitelistSourceRange, defBackend.WhitelistSourceRange) - sort.Strings(defaultWhitelistSourceRange) + defaultAllowlistSourceRange := make([]string, len(defBackend.WhitelistSourceRange)) + copy(defaultAllowlistSourceRange, defBackend.WhitelistSourceRange) + sort.Strings(defaultAllowlistSourceRange) - val, err := parser.GetStringAnnotation("whitelist-source-range", ing) + val, err := parser.GetStringAnnotation(ipAllowlistAnnotation, ing, a.annotationConfig.Annotations) // A missing annotation is not a problem, just use the default - if err == ing_errors.ErrMissingAnnotations { - return &SourceRange{CIDR: defaultWhitelistSourceRange}, nil + if err != nil { + if err == ing_errors.ErrMissingAnnotations { + return &SourceRange{CIDR: defaultAllowlistSourceRange}, nil + } + + return &SourceRange{CIDR: defaultAllowlistSourceRange}, ing_errors.LocationDenied{ + Reason: err, + } + } values := strings.Split(val, ",") ipnets, ips, err := net.ParseIPNets(values...) if err != nil && len(ips) == 0 { - return &SourceRange{CIDR: defaultWhitelistSourceRange}, ing_errors.LocationDenied{ + return &SourceRange{CIDR: defaultAllowlistSourceRange}, ing_errors.LocationDenied{ Reason: fmt.Errorf("the annotation does not contain a valid IP address or network: %w", err), } } @@ -93,3 +122,12 @@ func (a ipwhitelist) Parse(ing *networking.Ingress) (interface{}, error) { return &SourceRange{cidrs}, nil } + +func (a ipallowlist) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a ipallowlist) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, allowlistAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/ipwhitelist/main_test.go b/internal/ingress/annotations/ipallowlist/main_test.go similarity index 64% rename from internal/ingress/annotations/ipwhitelist/main_test.go rename to internal/ingress/annotations/ipallowlist/main_test.go index 5042bb200..b16b25a5b 100644 --- a/internal/ingress/annotations/ipwhitelist/main_test.go +++ b/internal/ingress/annotations/ipallowlist/main_test.go @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package ipwhitelist +package ipallowlist import ( "testing" @@ -86,12 +86,12 @@ func TestParseAnnotations(t *testing.T) { "test parse a invalid net": { net: "ww", expectErr: true, - errOut: "the annotation does not contain a valid IP address or network: invalid CIDR address: ww", + errOut: "annotation nginx.ingress.kubernetes.io/allowlist-source-range contains invalid value", }, "test parse a empty net": { net: "", expectErr: true, - errOut: "the annotation does not contain a valid IP address or network: invalid CIDR address: ", + errOut: "the annotation nginx.ingress.kubernetes.io/allowlist-source-range does not contain a valid value ()", }, "test parse multiple valid cidr": { net: "2.2.2.2/32,1.1.1.1/32,3.3.3.0/24", @@ -102,16 +102,16 @@ func TestParseAnnotations(t *testing.T) { for testName, test := range tests { data := map[string]string{} - data[parser.GetAnnotationWithPrefix("whitelist-source-range")] = test.net + data[parser.GetAnnotationWithPrefix(ipAllowlistAnnotation)] = test.net ing.SetAnnotations(data) p := NewParser(&resolver.Mock{}) i, err := p.Parse(ing) - if err != nil && !test.expectErr { - t.Errorf("%v:unexpected error: %v", testName, err) + if (err != nil) != test.expectErr { + t.Errorf("%s expected error: %t got error: %t err value: %s. %+v", testName, test.expectErr, err != nil, err, i) } - if test.expectErr { + if test.expectErr && err != nil { if err.Error() != test.errOut { - t.Errorf("%v:expected error: %v but %v return", testName, test.errOut, err.Error()) + t.Errorf("expected error %s but got %s", test.errOut, err) } } if !test.expectErr { @@ -137,7 +137,7 @@ func (m mockBackend) GetDefaultBackend() defaults.Backend { } } -// Test that when we have a whitelist set on the Backend that is used when we +// Test that when we have a allowlist set on the Backend that is used when we // don't have the annotation func TestParseAnnotationsWithDefaultConfig(t *testing.T) { ing := buildIngress() @@ -158,12 +158,12 @@ func TestParseAnnotationsWithDefaultConfig(t *testing.T) { "test parse a invalid net": { net: "ww", expectErr: true, - errOut: "the annotation does not contain a valid IP address or network: invalid CIDR address: ww", + errOut: "annotation nginx.ingress.kubernetes.io/allowlist-source-range contains invalid value", }, "test parse a empty net": { net: "", expectErr: true, - errOut: "the annotation does not contain a valid IP address or network: invalid CIDR address: ", + errOut: "the annotation nginx.ingress.kubernetes.io/allowlist-source-range does not contain a valid value ()", }, "test parse multiple valid cidr": { net: "2.2.2.2/32,1.1.1.1/32,3.3.3.0/24", @@ -174,16 +174,67 @@ func TestParseAnnotationsWithDefaultConfig(t *testing.T) { for testName, test := range tests { data := map[string]string{} - data[parser.GetAnnotationWithPrefix("whitelist-source-range")] = test.net + data[parser.GetAnnotationWithPrefix(ipAllowlistAnnotation)] = test.net ing.SetAnnotations(data) p := NewParser(mockBackend) i, err := p.Parse(ing) - if err != nil && !test.expectErr { - t.Errorf("%v:unexpected error: %v", testName, err) + if (err != nil) != test.expectErr { + t.Errorf("expected error: %t got error: %t err value: %s. %+v", test.expectErr, err != nil, err, i) } - if test.expectErr { + if test.expectErr && err != nil { if err.Error() != test.errOut { - t.Errorf("%v:expected error: %v but %v return", testName, test.errOut, err.Error()) + t.Errorf("expected error %s but got %s", test.errOut, err) + } + } + if !test.expectErr { + sr, ok := i.(*SourceRange) + if !ok { + t.Errorf("%v:expected a SourceRange type", testName) + } + if !strsEquals(sr.CIDR, test.expectCidr) { + t.Errorf("%v:expected %v CIDR but %v returned", testName, test.expectCidr, sr.CIDR) + } + } + } +} + +// Test that when we have a whitelist set on the Backend that is used when we +// don't have the annotation +func TestLegacyAnnotation(t *testing.T) { + ing := buildIngress() + + mockBackend := mockBackend{} + + tests := map[string]struct { + net string + expectCidr []string + expectErr bool + errOut string + }{ + "test parse a valid net": { + net: "10.0.0.0/24", + expectCidr: []string{"10.0.0.0/24"}, + expectErr: false, + }, + "test parse multiple valid cidr": { + net: "2.2.2.2/32,1.1.1.1/32,3.3.3.0/24", + expectCidr: []string{"1.1.1.1/32", "2.2.2.2/32", "3.3.3.0/24"}, + expectErr: false, + }, + } + + for testName, test := range tests { + data := map[string]string{} + data[parser.GetAnnotationWithPrefix(ipWhitelistAnnotation)] = test.net + ing.SetAnnotations(data) + p := NewParser(mockBackend) + i, err := p.Parse(ing) + if (err != nil) != test.expectErr { + t.Errorf("expected error: %t got error: %t err value: %s. %+v", test.expectErr, err != nil, err, i) + } + if test.expectErr && err != nil { + if err.Error() != test.errOut { + t.Errorf("expected error %s but got %s", test.errOut, err) } } if !test.expectErr { diff --git a/internal/ingress/annotations/ipdenylist/main.go b/internal/ingress/annotations/ipdenylist/main.go index f6a0e10f1..f17ce079a 100644 --- a/internal/ingress/annotations/ipdenylist/main.go +++ b/internal/ingress/annotations/ipdenylist/main.go @@ -30,6 +30,22 @@ import ( "k8s.io/ingress-nginx/pkg/util/sets" ) +const ( + ipDenylistAnnotation = "denylist-source-range" +) + +var denylistAnnotations = parser.Annotation{ + Group: "acl", + Annotations: parser.AnnotationFields{ + ipDenylistAnnotation: { + Validator: parser.ValidateCIDRs, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, // Failure on parsing this may cause undesired access + Documentation: `This annotation allows setting a list of IPs and networks that should be blocked to access this Location`, + }, + }, +} + // SourceRange returns the CIDR type SourceRange struct { CIDR []string `json:"cidr,omitempty"` @@ -48,12 +64,16 @@ func (sr1 *SourceRange) Equal(sr2 *SourceRange) bool { } type ipdenylist struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new denylist annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return ipdenylist{r} + return ipdenylist{ + r: r, + annotationConfig: denylistAnnotations, + } } // ParseAnnotations parses the annotations contained in the ingress @@ -67,10 +87,16 @@ func (a ipdenylist) Parse(ing *networking.Ingress) (interface{}, error) { copy(defaultDenylistSourceRange, defBackend.DenylistSourceRange) sort.Strings(defaultDenylistSourceRange) - val, err := parser.GetStringAnnotation("denylist-source-range", ing) - // A missing annotation is not a problem, just use the default - if err == ing_errors.ErrMissingAnnotations { - return &SourceRange{CIDR: defaultDenylistSourceRange}, nil + val, err := parser.GetStringAnnotation(ipDenylistAnnotation, ing, a.annotationConfig.Annotations) + if err != nil { + if err == ing_errors.ErrMissingAnnotations { + return &SourceRange{CIDR: defaultDenylistSourceRange}, nil + } + + return &SourceRange{CIDR: defaultDenylistSourceRange}, ing_errors.LocationDenied{ + Reason: err, + } + } values := strings.Split(val, ",") @@ -93,3 +119,12 @@ func (a ipdenylist) Parse(ing *networking.Ingress) (interface{}, error) { return &SourceRange{cidrs}, nil } + +func (a ipdenylist) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a ipdenylist) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, denylistAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/ipdenylist/main_test.go b/internal/ingress/annotations/ipdenylist/main_test.go index eb69aa520..ebd81179a 100644 --- a/internal/ingress/annotations/ipdenylist/main_test.go +++ b/internal/ingress/annotations/ipdenylist/main_test.go @@ -86,17 +86,17 @@ func TestParseAnnotations(t *testing.T) { "test parse a invalid net": { net: "ww", expectErr: true, - errOut: "the annotation does not contain a valid IP address or network: invalid CIDR address: ww", + errOut: "annotation nginx.ingress.kubernetes.io/denylist-source-range contains invalid value", }, "test parse a empty net": { net: "", expectErr: true, - errOut: "the annotation does not contain a valid IP address or network: invalid CIDR address: ", + errOut: "the annotation nginx.ingress.kubernetes.io/denylist-source-range does not contain a valid value ()", }, "test parse a malicious escaped string": { net: `10.0.0.0/8"rm /tmp",11.0.0.0/8`, expectErr: true, - errOut: `the annotation does not contain a valid IP address or network: invalid CIDR address: 10.0.0.0/8"rm /tmp"`, + errOut: `annotation nginx.ingress.kubernetes.io/denylist-source-range contains invalid value`, }, "test parse multiple valid cidr": { net: "2.2.2.2/32,1.1.1.1/32,3.3.3.0/24", @@ -107,16 +107,16 @@ func TestParseAnnotations(t *testing.T) { for testName, test := range tests { data := map[string]string{} - data[parser.GetAnnotationWithPrefix("denylist-source-range")] = test.net + data[parser.GetAnnotationWithPrefix(ipDenylistAnnotation)] = test.net ing.SetAnnotations(data) p := NewParser(&resolver.Mock{}) i, err := p.Parse(ing) - if err != nil && !test.expectErr { - t.Errorf("%v:unexpected error: %v", testName, err) + if (err != nil) != test.expectErr { + t.Errorf("expected error: %t got error: %t err value: %s. %+v", test.expectErr, err != nil, err, i) } - if test.expectErr { + if test.expectErr && err != nil { if err.Error() != test.errOut { - t.Errorf("%v:expected error: %v but %v return", testName, test.errOut, err.Error()) + t.Errorf("expected error %s but got %s", test.errOut, err) } } if !test.expectErr { @@ -163,12 +163,12 @@ func TestParseAnnotationsWithDefaultConfig(t *testing.T) { "test parse a invalid net": { net: "ww", expectErr: true, - errOut: "the annotation does not contain a valid IP address or network: invalid CIDR address: ww", + errOut: "annotation nginx.ingress.kubernetes.io/denylist-source-range contains invalid value", }, "test parse a empty net": { net: "", expectErr: true, - errOut: "the annotation does not contain a valid IP address or network: invalid CIDR address: ", + errOut: "the annotation nginx.ingress.kubernetes.io/denylist-source-range does not contain a valid value ()", }, "test parse multiple valid cidr": { net: "2.2.2.2/32,1.1.1.1/32,3.3.3.0/24", @@ -179,16 +179,16 @@ func TestParseAnnotationsWithDefaultConfig(t *testing.T) { for testName, test := range tests { data := map[string]string{} - data[parser.GetAnnotationWithPrefix("denylist-source-range")] = test.net + data[parser.GetAnnotationWithPrefix(ipDenylistAnnotation)] = test.net ing.SetAnnotations(data) p := NewParser(mockBackend) i, err := p.Parse(ing) - if err != nil && !test.expectErr { - t.Errorf("%v:unexpected error: %v", testName, err) + if (err != nil) != test.expectErr { + t.Errorf("expected error: %t got error: %t err value: %s. %+v", test.expectErr, err != nil, err, i) } - if test.expectErr { + if test.expectErr && err != nil { if err.Error() != test.errOut { - t.Errorf("%v:expected error: %v but %v return", testName, test.errOut, err.Error()) + t.Errorf("expected error %s but got %s", test.errOut, err) } } if !test.expectErr { diff --git a/internal/ingress/annotations/loadbalancing/main.go b/internal/ingress/annotations/loadbalancing/main.go index a8b4335e6..ee89d2c1b 100644 --- a/internal/ingress/annotations/loadbalancing/main.go +++ b/internal/ingress/annotations/loadbalancing/main.go @@ -23,18 +23,52 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) -type loadbalancing struct { - r resolver.Resolver +// LB Alghorithms are defined in https://github.com/kubernetes/ingress-nginx/blob/d3e75b056f77be54e01bdb18675f1bb46caece31/rootfs/etc/nginx/lua/balancer.lua#L28 + +const ( + loadBalanceAlghoritmAnnotation = "load-balance" +) + +var loadBalanceAlghoritms = []string{"round_robin", "chash", "chashsubset", "sticky_balanced", "sticky_persistent", "ewma"} + +var loadBalanceAnnotations = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + loadBalanceAlghoritmAnnotation: { + Validator: parser.ValidateOptions(loadBalanceAlghoritms, true, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation allows setting the load balancing alghorithm that should be used. If none is specified, defaults to + the default configured by Ingress admin, otherwise to round_robin`, + }, + }, } -// NewParser creates a new CORS annotation parser +type loadbalancing struct { + r resolver.Resolver + annotationConfig parser.Annotation +} + +// NewParser creates a new Load Balancer annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return loadbalancing{r} + return loadbalancing{ + r: r, + annotationConfig: loadBalanceAnnotations, + } } // Parse parses the annotations contained in the ingress rule // used to indicate if the location/s contains a fragment of // configuration to be included inside the paths of the rules func (a loadbalancing) Parse(ing *networking.Ingress) (interface{}, error) { - return parser.GetStringAnnotation("load-balance", ing) + return parser.GetStringAnnotation(loadBalanceAlghoritmAnnotation, ing, a.annotationConfig.Annotations) +} + +func (a loadbalancing) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a loadbalancing) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, loadBalanceAnnotations.Annotations) } diff --git a/internal/ingress/annotations/loadbalancing/main_test.go b/internal/ingress/annotations/loadbalancing/main_test.go index e2be5c0ae..b0442c37f 100644 --- a/internal/ingress/annotations/loadbalancing/main_test.go +++ b/internal/ingress/annotations/loadbalancing/main_test.go @@ -38,7 +38,8 @@ func TestParse(t *testing.T) { annotations map[string]string expected string }{ - {map[string]string{annotation: "ip_hash"}, "ip_hash"}, + {map[string]string{annotation: "ewma"}, "ewma"}, + {map[string]string{annotation: "ip_hash"}, ""}, // This is invalid and should not return anything {map[string]string{}, ""}, {nil, ""}, } diff --git a/internal/ingress/annotations/log/main.go b/internal/ingress/annotations/log/main.go index 4bc76dcf7..ec08292a9 100644 --- a/internal/ingress/annotations/log/main.go +++ b/internal/ingress/annotations/log/main.go @@ -23,8 +23,32 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + enableAccessLogAnnotation = "enable-access-log" + enableRewriteLogAnnotation = "enable-rewrite-log" +) + +var logAnnotations = parser.Annotation{ + Group: "log", + Annotations: parser.AnnotationFields{ + enableAccessLogAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This configuration setting allows you to control if this location should generate an access_log`, + }, + enableRewriteLogAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This configuration setting allows you to control if this location should generate logs from the rewrite feature usage`, + }, + }, +} + type log struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // Config contains the configuration to be used in the Ingress @@ -48,7 +72,10 @@ func (bd1 *Config) Equal(bd2 *Config) bool { // NewParser creates a new log annotations parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return log{r} + return log{ + r: r, + annotationConfig: logAnnotations, + } } // Parse parses the annotations contained in the ingress @@ -57,15 +84,24 @@ func (l log) Parse(ing *networking.Ingress) (interface{}, error) { var err error config := &Config{} - config.Access, err = parser.GetBoolAnnotation("enable-access-log", ing) + config.Access, err = parser.GetBoolAnnotation(enableAccessLogAnnotation, ing, l.annotationConfig.Annotations) if err != nil { config.Access = true } - config.Rewrite, err = parser.GetBoolAnnotation("enable-rewrite-log", ing) + config.Rewrite, err = parser.GetBoolAnnotation(enableRewriteLogAnnotation, ing, l.annotationConfig.Annotations) if err != nil { config.Rewrite = false } return config, nil } + +func (l log) GetDocumentation() parser.AnnotationFields { + return l.annotationConfig.Annotations +} + +func (a log) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, logAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/log/main_test.go b/internal/ingress/annotations/log/main_test.go index c4632b010..df97c2e5b 100644 --- a/internal/ingress/annotations/log/main_test.go +++ b/internal/ingress/annotations/log/main_test.go @@ -73,7 +73,7 @@ func TestIngressAccessLogConfig(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("enable-access-log")] = "false" + data[parser.GetAnnotationWithPrefix(enableAccessLogAnnotation)] = "false" ing.SetAnnotations(data) log, _ := NewParser(&resolver.Mock{}).Parse(ing) @@ -91,7 +91,7 @@ func TestIngressRewriteLogConfig(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("enable-rewrite-log")] = "true" + data[parser.GetAnnotationWithPrefix(enableRewriteLogAnnotation)] = "true" ing.SetAnnotations(data) log, _ := NewParser(&resolver.Mock{}).Parse(ing) @@ -104,3 +104,21 @@ func TestIngressRewriteLogConfig(t *testing.T) { t.Errorf("expected rewrite log to be enabled but it is disabled") } } + +func TestInvalidBoolConfig(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix(enableRewriteLogAnnotation)] = "blo" + ing.SetAnnotations(data) + + log, _ := NewParser(&resolver.Mock{}).Parse(ing) + nginxLogs, ok := log.(*Config) + if !ok { + t.Errorf("expected a Config type") + } + + if !nginxLogs.Access { + t.Errorf("expected access log to be enabled due to invalid config, but it is disabled") + } +} diff --git a/internal/ingress/annotations/mirror/main.go b/internal/ingress/annotations/mirror/main.go index 9cb1b0ede..2d417dece 100644 --- a/internal/ingress/annotations/mirror/main.go +++ b/internal/ingress/annotations/mirror/main.go @@ -18,13 +18,50 @@ package mirror import ( "fmt" + "regexp" "strings" networking "k8s.io/api/networking/v1" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" + "k8s.io/klog/v2" ) +const ( + mirrorRequestBodyAnnotation = "mirror-request-body" + mirrorTargetAnnotation = "mirror-target" + mirrorHostAnnotation = "mirror-host" +) + +var ( + OnOffRegex = regexp.MustCompile(`^(on|off)$`) +) + +var mirrorAnnotation = parser.Annotation{ + Group: "mirror", + Annotations: parser.AnnotationFields{ + mirrorRequestBodyAnnotation: { + Validator: parser.ValidateRegex(*OnOffRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation defines if the request-body should be sent to the mirror backend. Can be 'on' or 'off'`, + }, + mirrorTargetAnnotation: { + Validator: parser.ValidateServerName, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskHigh, + Documentation: `This annotation enables a request to be mirrored to a mirror backend.`, + }, + mirrorHostAnnotation: { + Validator: parser.ValidateServerName, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskHigh, + Documentation: `This annotation defines if a specific Host header should be set for mirrored request.`, + }, + }, +} + // Config returns the mirror to use in a given location type Config struct { Source string `json:"source"` @@ -63,12 +100,16 @@ func (m1 *Config) Equal(m2 *Config) bool { } type mirror struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new mirror configuration annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return mirror{r} + return mirror{ + r: r, + annotationConfig: mirrorAnnotation, + } } // ParseAnnotations parses the annotations contained in the ingress @@ -79,19 +120,29 @@ func (a mirror) Parse(ing *networking.Ingress) (interface{}, error) { } var err error - config.RequestBody, err = parser.GetStringAnnotation("mirror-request-body", ing) + config.RequestBody, err = parser.GetStringAnnotation(mirrorRequestBodyAnnotation, ing, a.annotationConfig.Annotations) if err != nil || config.RequestBody != "off" { + if errors.IsValidationError(err) { + klog.Warningf("annotation %s contains invalid value", mirrorRequestBodyAnnotation) + } config.RequestBody = "on" } - config.Target, err = parser.GetStringAnnotation("mirror-target", ing) + config.Target, err = parser.GetStringAnnotation(mirrorTargetAnnotation, ing, a.annotationConfig.Annotations) if err != nil { - config.Target = "" - config.Source = "" + if errors.IsValidationError(err) { + klog.Warningf("annotation %s contains invalid value, defaulting", mirrorTargetAnnotation) + } else { + config.Target = "" + config.Source = "" + } } - config.Host, err = parser.GetStringAnnotation("mirror-host", ing) + config.Host, err = parser.GetStringAnnotation(mirrorHostAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("annotation %s contains invalid value, defaulting", mirrorHostAnnotation) + } if config.Target != "" { target := strings.Split(config.Target, "$") @@ -106,3 +157,12 @@ func (a mirror) Parse(ing *networking.Ingress) (interface{}, error) { return config, nil } + +func (a mirror) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a mirror) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, mirrorAnnotation.Annotations) +} diff --git a/internal/ingress/annotations/mirror/main_test.go b/internal/ingress/annotations/mirror/main_test.go index add90d768..1f6b44d61 100644 --- a/internal/ingress/annotations/mirror/main_test.go +++ b/internal/ingress/annotations/mirror/main_test.go @@ -94,13 +94,13 @@ func TestParse(t *testing.T) { Source: ngxURI, RequestBody: "on", Target: "http://some.test.env.com", - Host: "someInvalidParm.%^&*()_=!@#'\"", + Host: "some.test.env.com", }}, {map[string]string{backendURL: "http://some.test.env.com", host: "_sbrubles-i\"@xpto:12345"}, &Config{ Source: ngxURI, RequestBody: "on", Target: "http://some.test.env.com", - Host: "_sbrubles-i\"@xpto:12345", + Host: "some.test.env.com", }}, } @@ -115,9 +115,12 @@ func TestParse(t *testing.T) { for _, testCase := range testCases { ing.SetAnnotations(testCase.annotations) - result, _ := ap.Parse(ing) + result, err := ap.Parse(ing) + if err != nil { + t.Errorf(err.Error()) + } if !reflect.DeepEqual(result, testCase.expected) { - t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) + t.Errorf("expected %+v but returned %+v, annotations: %s", testCase.expected, result, testCase.annotations) } } } diff --git a/internal/ingress/annotations/modsecurity/main.go b/internal/ingress/annotations/modsecurity/main.go index c53739441..5a9aaa729 100644 --- a/internal/ingress/annotations/modsecurity/main.go +++ b/internal/ingress/annotations/modsecurity/main.go @@ -19,9 +19,48 @@ package modsecurity import ( networking "k8s.io/api/networking/v1" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" + "k8s.io/klog/v2" ) +const ( + modsecEnableAnnotation = "enable-modsecurity" + modsecEnableOwaspCoreAnnotation = "enable-owasp-core-rules" + modesecTransactionIdAnnotation = "modsecurity-transaction-id" + modsecSnippetAnnotation = "modsecurity-snippet" +) + +var modsecurityAnnotation = parser.Annotation{ + Group: "modsecurity", + Annotations: parser.AnnotationFields{ + modsecEnableAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables ModSecurity`, + }, + modsecEnableOwaspCoreAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables the OWASP Core Rule Set`, + }, + modesecTransactionIdAnnotation: { + Validator: parser.ValidateRegex(*parser.NGINXVariable, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskHigh, + Documentation: `This annotation enables passing an NGINX variable to ModSecurity.`, + }, + modsecSnippetAnnotation: { + Validator: parser.ValidateNull, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskCritical, + Documentation: `This annotation enables adding a specific snippet configuration for ModSecurity`, + }, + }, +} + // Config contains ModSecurity Configuration items type Config struct { Enable bool `json:"enable-modsecurity"` @@ -60,11 +99,15 @@ func (modsec1 *Config) Equal(modsec2 *Config) bool { // NewParser creates a new ModSecurity annotation parser func NewParser(resolver resolver.Resolver) parser.IngressAnnotation { - return modSecurity{resolver} + return modSecurity{ + r: resolver, + annotationConfig: modsecurityAnnotation, + } } type modSecurity struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // Parse parses the annotations contained in the ingress @@ -74,26 +117,44 @@ func (a modSecurity) Parse(ing *networking.Ingress) (interface{}, error) { config := &Config{} config.EnableSet = true - config.Enable, err = parser.GetBoolAnnotation("enable-modsecurity", ing) + config.Enable, err = parser.GetBoolAnnotation(modsecEnableAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if errors.IsInvalidContent(err) { + klog.Warningf("annotation %s contains invalid directive, defaulting to false", modsecEnableAnnotation) + } config.Enable = false config.EnableSet = false } - config.OWASPRules, err = parser.GetBoolAnnotation("enable-owasp-core-rules", ing) + config.OWASPRules, err = parser.GetBoolAnnotation(modsecEnableOwaspCoreAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if errors.IsInvalidContent(err) { + klog.Warningf("annotation %s contains invalid directive, defaulting to false", modsecEnableOwaspCoreAnnotation) + } config.OWASPRules = false } - config.TransactionID, err = parser.GetStringAnnotation("modsecurity-transaction-id", ing) + config.TransactionID, err = parser.GetStringAnnotation(modesecTransactionIdAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if errors.IsInvalidContent(err) { + klog.Warningf("annotation %s contains invalid directive, defaulting", modesecTransactionIdAnnotation) + } config.TransactionID = "" } - config.Snippet, err = parser.GetStringAnnotation("modsecurity-snippet", ing) + config.Snippet, err = parser.GetStringAnnotation("modsecurity-snippet", ing, a.annotationConfig.Annotations) if err != nil { config.Snippet = "" } return config, nil } + +func (a modSecurity) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a modSecurity) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, modsecurityAnnotation.Annotations) +} diff --git a/internal/ingress/annotations/opentelemetry/main.go b/internal/ingress/annotations/opentelemetry/main.go index 7dd292322..a029087da 100644 --- a/internal/ingress/annotations/opentelemetry/main.go +++ b/internal/ingress/annotations/opentelemetry/main.go @@ -17,14 +17,51 @@ limitations under the License. package opentelemetry import ( + "regexp" + networking "k8s.io/api/networking/v1" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + enableOpenTelemetryAnnotation = "enable-opentelemetry" + otelTrustSpanAnnotation = "opentelemetry-trust-incoming-span" + otelOperationNameAnnotation = "opentelemetry-operation-name" +) + +var regexOperationName = regexp.MustCompile(`^[A-Za-z0-9_\-]*$`) + +var otelAnnotations = parser.Annotation{ + Group: "opentelemetry", + Annotations: parser.AnnotationFields{ + enableOpenTelemetryAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation defines if Open Telemetry collector should be enable for this location. OpenTelemetry should + already be configured by Ingress administrator`, + }, + otelTrustSpanAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables or disables using spans from incoming requests as parent for created ones`, + }, + otelOperationNameAnnotation: { + Validator: parser.ValidateRegex(*regexOperationName, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation defines what operation name should be added to the span`, + }, + }, +} + type opentelemetry struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // Config contains the configuration to be used in the Ingress @@ -64,13 +101,16 @@ func (bd1 *Config) Equal(bd2 *Config) bool { // NewParser creates a new serviceUpstream annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return opentelemetry{r} + return opentelemetry{ + r: r, + annotationConfig: otelAnnotations, + } } // Parse parses the annotations to look for opentelemetry configurations func (c opentelemetry) Parse(ing *networking.Ingress) (interface{}, error) { cfg := Config{} - enabled, err := parser.GetBoolAnnotation("enable-opentelemetry", ing) + enabled, err := parser.GetBoolAnnotation(enableOpenTelemetryAnnotation, ing, c.annotationConfig.Annotations) if err != nil { return &cfg, nil } @@ -80,10 +120,13 @@ func (c opentelemetry) Parse(ing *networking.Ingress) (interface{}, error) { return &cfg, nil } - trustEnabled, err := parser.GetBoolAnnotation("opentelemetry-trust-incoming-span", ing) + trustEnabled, err := parser.GetBoolAnnotation(otelTrustSpanAnnotation, ing, c.annotationConfig.Annotations) if err != nil { - operationName, err := parser.GetStringAnnotation("opentelemetry-operation-name", ing) + operationName, err := parser.GetStringAnnotation(otelOperationNameAnnotation, ing, c.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + return nil, err + } return &cfg, nil } cfg.OperationName = operationName @@ -92,10 +135,22 @@ func (c opentelemetry) Parse(ing *networking.Ingress) (interface{}, error) { cfg.TrustSet = true cfg.TrustEnabled = trustEnabled - operationName, err := parser.GetStringAnnotation("opentelemetry-operation-name", ing) + operationName, err := parser.GetStringAnnotation(otelOperationNameAnnotation, ing, c.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + return nil, err + } return &cfg, nil } cfg.OperationName = operationName return &cfg, nil } + +func (c opentelemetry) GetDocumentation() parser.AnnotationFields { + return c.annotationConfig.Annotations +} + +func (a opentelemetry) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, otelAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/opentelemetry/main_test.go b/internal/ingress/annotations/opentelemetry/main_test.go index 619108fa6..c78ebc8b3 100644 --- a/internal/ingress/annotations/opentelemetry/main_test.go +++ b/internal/ingress/annotations/opentelemetry/main_test.go @@ -73,7 +73,7 @@ func TestIngressAnnotationOpentelemetrySetTrue(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("enable-opentelemetry")] = "true" + data[parser.GetAnnotationWithPrefix(enableOpenTelemetryAnnotation)] = "true" ing.SetAnnotations(data) val, _ := NewParser(&resolver.Mock{}).Parse(ing) @@ -100,7 +100,7 @@ func TestIngressAnnotationOpentelemetrySetFalse(t *testing.T) { // Test with explicitly set to false data := map[string]string{} - data[parser.GetAnnotationWithPrefix("enable-opentelemetry")] = "false" + data[parser.GetAnnotationWithPrefix(enableOpenTelemetryAnnotation)] = "false" ing.SetAnnotations(data) val, _ := NewParser(&resolver.Mock{}).Parse(ing) @@ -123,12 +123,15 @@ func TestIngressAnnotationOpentelemetryTrustSetTrue(t *testing.T) { data := map[string]string{} opName := "foo-op" - data[parser.GetAnnotationWithPrefix("enable-opentelemetry")] = "true" - data[parser.GetAnnotationWithPrefix("opentelemetry-trust-incoming-span")] = "true" - data[parser.GetAnnotationWithPrefix("opentelemetry-operation-name")] = opName + data[parser.GetAnnotationWithPrefix(enableOpenTelemetryAnnotation)] = "true" + data[parser.GetAnnotationWithPrefix(otelTrustSpanAnnotation)] = "true" + data[parser.GetAnnotationWithPrefix(otelOperationNameAnnotation)] = opName ing.SetAnnotations(data) - val, _ := NewParser(&resolver.Mock{}).Parse(ing) + val, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Fatal(err) + } openTelemetry, ok := val.(*Config) if !ok { t.Errorf("expected a Config type") @@ -155,6 +158,21 @@ func TestIngressAnnotationOpentelemetryTrustSetTrue(t *testing.T) { } } +func TestIngressAnnotationOpentelemetryWithBadOpName(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + opName := "fooxpto_123$la;" + data[parser.GetAnnotationWithPrefix(enableOpenTelemetryAnnotation)] = "true" + data[parser.GetAnnotationWithPrefix(otelOperationNameAnnotation)] = opName + ing.SetAnnotations(data) + + _, err := NewParser(&resolver.Mock{}).Parse(ing) + if err == nil { + t.Fatalf("This operation should return an error but no error was returned") + } +} + func TestIngressAnnotationOpentelemetryUnset(t *testing.T) { ing := buildIngress() diff --git a/internal/ingress/annotations/opentracing/main.go b/internal/ingress/annotations/opentracing/main.go index 17ba7eb9f..7c8671f9d 100644 --- a/internal/ingress/annotations/opentracing/main.go +++ b/internal/ingress/annotations/opentracing/main.go @@ -23,8 +23,33 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + enableOpentracingAnnotation = "enable-opentracing" + opentracingTrustSpanAnnotation = "opentracing-trust-incoming-span" +) + +var opentracingAnnotations = parser.Annotation{ + Group: "opentracing", + Annotations: parser.AnnotationFields{ + enableOpentracingAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation defines if Opentracing collector should be enable for this location. Opentracing should + already be configured by Ingress administrator`, + }, + opentracingTrustSpanAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables or disables using spans from incoming requests as parent for created ones`, + }, + }, +} + type opentracing struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // Config contains the configuration to be used in the Ingress @@ -58,19 +83,31 @@ func (bd1 *Config) Equal(bd2 *Config) bool { // NewParser creates a new serviceUpstream annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return opentracing{r} + return opentracing{ + r: r, + annotationConfig: opentracingAnnotations, + } } func (s opentracing) Parse(ing *networking.Ingress) (interface{}, error) { - enabled, err := parser.GetBoolAnnotation("enable-opentracing", ing) + enabled, err := parser.GetBoolAnnotation(enableOpentracingAnnotation, ing, s.annotationConfig.Annotations) if err != nil { return &Config{}, nil } - trustSpan, err := parser.GetBoolAnnotation("opentracing-trust-incoming-span", ing) + trustSpan, err := parser.GetBoolAnnotation(opentracingTrustSpanAnnotation, ing, s.annotationConfig.Annotations) if err != nil { return &Config{Set: true, Enabled: enabled}, nil } return &Config{Set: true, Enabled: enabled, TrustSet: true, TrustEnabled: trustSpan}, nil } + +func (s opentracing) GetDocumentation() parser.AnnotationFields { + return s.annotationConfig.Annotations +} + +func (a opentracing) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, opentracingAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/opentracing/main_test.go b/internal/ingress/annotations/opentracing/main_test.go index 7bd9d31ff..b7b62ac9d 100644 --- a/internal/ingress/annotations/opentracing/main_test.go +++ b/internal/ingress/annotations/opentracing/main_test.go @@ -73,7 +73,7 @@ func TestIngressAnnotationOpentracingSetTrue(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("enable-opentracing")] = "true" + data[parser.GetAnnotationWithPrefix(enableOpentracingAnnotation)] = "true" ing.SetAnnotations(data) val, _ := NewParser(&resolver.Mock{}).Parse(ing) @@ -92,7 +92,7 @@ func TestIngressAnnotationOpentracingSetFalse(t *testing.T) { // Test with explicitly set to false data := map[string]string{} - data[parser.GetAnnotationWithPrefix("enable-opentracing")] = "false" + data[parser.GetAnnotationWithPrefix(enableOpentracingAnnotation)] = "false" ing.SetAnnotations(data) val, _ := NewParser(&resolver.Mock{}).Parse(ing) @@ -110,8 +110,8 @@ func TestIngressAnnotationOpentracingTrustSetTrue(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("enable-opentracing")] = "true" - data[parser.GetAnnotationWithPrefix("opentracing-trust-incoming-span")] = "true" + data[parser.GetAnnotationWithPrefix(enableOpentracingAnnotation)] = "true" + data[parser.GetAnnotationWithPrefix(opentracingTrustSpanAnnotation)] = "true" ing.SetAnnotations(data) val, _ := NewParser(&resolver.Mock{}).Parse(ing) diff --git a/internal/ingress/annotations/parser/main.go b/internal/ingress/annotations/parser/main.go index 107a278b0..951970e27 100644 --- a/internal/ingress/annotations/parser/main.go +++ b/internal/ingress/annotations/parser/main.go @@ -29,20 +29,79 @@ import ( ) // DefaultAnnotationsPrefix defines the common prefix used in the nginx ingress controller -const DefaultAnnotationsPrefix = "nginx.ingress.kubernetes.io" +const ( + DefaultAnnotationsPrefix = "nginx.ingress.kubernetes.io" + DefaultEnableAnnotationValidation = true +) var ( // AnnotationsPrefix is the mutable attribute that the controller explicitly refers to AnnotationsPrefix = DefaultAnnotationsPrefix + // Enable is the mutable attribute for enabling or disabling the validation functions + EnableAnnotationValidation = DefaultEnableAnnotationValidation ) +// AnnotationGroup defines the group that this annotation may belong +// eg.: Security, Snippets, Rewrite, etc +type AnnotationGroup string + +// AnnotationScope defines which scope this annotation applies. May be to the whole +// ingress, per location, etc +type AnnotationScope string + +var ( + AnnotationScopeLocation AnnotationScope = "location" + AnnotationScopeIngress AnnotationScope = "ingress" +) + +// AnnotationRisk is a subset of risk that an annotation may represent. +// Based on the Risk, the admin will be able to allow or disallow users to set it +// on their ingress objects +type AnnotationRisk int + +type AnnotationFields map[string]AnnotationConfig + +// AnnotationConfig defines the configuration that a single annotation field +// has, with the Validator and the documentation of this field. +type AnnotationConfig struct { + // Validator defines a function to validate the annotation value + Validator AnnotationValidator + // Documentation defines a user facing documentation for this annotation. This + // field will be used to auto generate documentations + Documentation string + // Risk defines a risk of this annotation being exposed to the user. Annotations + // with bool fields, or to set timeout are usually low risk. Annotations that allows + // string input without a limited set of options may represent a high risk + Risk AnnotationRisk + + // Scope defines which scope this annotation applies, may be to location, to an Ingress object, etc + Scope AnnotationScope + + // AnnotationAliases defines other names this annotation may have. + AnnotationAliases []string +} + +// Annotation defines an annotation feature an Ingress may have. +// It should contain the internal resolver, and all the annotations +// with configs and Validators that should be used for each Annotation +type Annotation struct { + // Annotations contains all the annotations that belong to this feature + Annotations AnnotationFields + // Group defines which annotation group this feature belongs to + Group AnnotationGroup +} + // IngressAnnotation has a method to parse annotations located in Ingress type IngressAnnotation interface { Parse(ing *networking.Ingress) (interface{}, error) + GetDocumentation() AnnotationFields + Validate(anns map[string]string) error } type ingAnnotations map[string]string +// TODO: We already parse all of this on checkAnnotation and can just do a parse over the +// value func (a ingAnnotations) parseBool(name string) (bool, error) { val, ok := a[name] if ok { @@ -92,21 +151,9 @@ func (a ingAnnotations) parseFloat32(name string) (float32, error) { return 0, errors.ErrMissingAnnotations } -func checkAnnotation(name string, ing *networking.Ingress) error { - if ing == nil || len(ing.GetAnnotations()) == 0 { - return errors.ErrMissingAnnotations - } - if name == "" { - return errors.ErrInvalidAnnotationName - } - - return nil -} - // GetBoolAnnotation extracts a boolean from an Ingress annotation -func GetBoolAnnotation(name string, ing *networking.Ingress) (bool, error) { - v := GetAnnotationWithPrefix(name) - err := checkAnnotation(v, ing) +func GetBoolAnnotation(name string, ing *networking.Ingress, fields AnnotationFields) (bool, error) { + v, err := checkAnnotation(name, ing, fields) if err != nil { return false, err } @@ -114,9 +161,8 @@ func GetBoolAnnotation(name string, ing *networking.Ingress) (bool, error) { } // GetStringAnnotation extracts a string from an Ingress annotation -func GetStringAnnotation(name string, ing *networking.Ingress) (string, error) { - v := GetAnnotationWithPrefix(name) - err := checkAnnotation(v, ing) +func GetStringAnnotation(name string, ing *networking.Ingress, fields AnnotationFields) (string, error) { + v, err := checkAnnotation(name, ing, fields) if err != nil { return "", err } @@ -125,9 +171,8 @@ func GetStringAnnotation(name string, ing *networking.Ingress) (string, error) { } // GetIntAnnotation extracts an int from an Ingress annotation -func GetIntAnnotation(name string, ing *networking.Ingress) (int, error) { - v := GetAnnotationWithPrefix(name) - err := checkAnnotation(v, ing) +func GetIntAnnotation(name string, ing *networking.Ingress, fields AnnotationFields) (int, error) { + v, err := checkAnnotation(name, ing, fields) if err != nil { return 0, err } @@ -135,9 +180,8 @@ func GetIntAnnotation(name string, ing *networking.Ingress) (int, error) { } // GetFloatAnnotation extracts a float32 from an Ingress annotation -func GetFloatAnnotation(name string, ing *networking.Ingress) (float32, error) { - v := GetAnnotationWithPrefix(name) - err := checkAnnotation(v, ing) +func GetFloatAnnotation(name string, ing *networking.Ingress, fields AnnotationFields) (float32, error) { + v, err := checkAnnotation(name, ing, fields) if err != nil { return 0, err } @@ -149,6 +193,23 @@ func GetAnnotationWithPrefix(suffix string) string { return fmt.Sprintf("%v/%v", AnnotationsPrefix, suffix) } +func TrimAnnotationPrefix(annotation string) string { + return strings.TrimPrefix(annotation, AnnotationsPrefix+"/") +} + +func StringRiskToRisk(risk string) AnnotationRisk { + switch strings.ToLower(risk) { + case "critical": + return AnnotationRiskCritical + case "high": + return AnnotationRiskHigh + case "medium": + return AnnotationRiskMedium + default: + return AnnotationRiskLow + } +} + func normalizeString(input string) string { trimmedContent := []string{} for _, line := range strings.Split(input, "\n") { diff --git a/internal/ingress/annotations/parser/main_test.go b/internal/ingress/annotations/parser/main_test.go index 318e024d3..beca49370 100644 --- a/internal/ingress/annotations/parser/main_test.go +++ b/internal/ingress/annotations/parser/main_test.go @@ -38,7 +38,7 @@ func buildIngress() *networking.Ingress { func TestGetBoolAnnotation(t *testing.T) { ing := buildIngress() - _, err := GetBoolAnnotation("", nil) + _, err := GetBoolAnnotation("", nil, nil) if err == nil { t.Errorf("expected error but retuned nil") } @@ -59,8 +59,8 @@ func TestGetBoolAnnotation(t *testing.T) { for _, test := range tests { data[GetAnnotationWithPrefix(test.field)] = test.value - - u, err := GetBoolAnnotation(test.field, ing) + ing.SetAnnotations(data) + u, err := GetBoolAnnotation(test.field, ing, nil) if test.expErr { if err == nil { t.Errorf("%v: expected error but retuned nil", test.name) @@ -68,7 +68,7 @@ func TestGetBoolAnnotation(t *testing.T) { continue } if u != test.exp { - t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.name, test.exp, u) + t.Errorf("%v: expected \"%v\" but \"%v\" was returned, %+v", test.name, test.exp, u, ing) } delete(data, test.field) @@ -78,7 +78,7 @@ func TestGetBoolAnnotation(t *testing.T) { func TestGetStringAnnotation(t *testing.T) { ing := buildIngress() - _, err := GetStringAnnotation("", nil) + _, err := GetStringAnnotation("", nil, nil) if err == nil { t.Errorf("expected error but none returned") } @@ -109,7 +109,7 @@ rewrite (?i)/arcgis/services/Utilities/Geometry/GeometryServer(.*)$ /arcgis/serv for _, test := range tests { data[GetAnnotationWithPrefix(test.field)] = test.value - s, err := GetStringAnnotation(test.field, ing) + s, err := GetStringAnnotation(test.field, ing, nil) if test.expErr { if err == nil { t.Errorf("%v: expected error but none returned", test.name) @@ -133,7 +133,7 @@ rewrite (?i)/arcgis/services/Utilities/Geometry/GeometryServer(.*)$ /arcgis/serv func TestGetFloatAnnotation(t *testing.T) { ing := buildIngress() - _, err := GetFloatAnnotation("", nil) + _, err := GetFloatAnnotation("", nil, nil) if err == nil { t.Errorf("expected error but retuned nil") } @@ -156,7 +156,7 @@ func TestGetFloatAnnotation(t *testing.T) { for _, test := range tests { data[GetAnnotationWithPrefix(test.field)] = test.value - s, err := GetFloatAnnotation(test.field, ing) + s, err := GetFloatAnnotation(test.field, ing, nil) if test.expErr { if err == nil { t.Errorf("%v: expected error but retuned nil", test.name) @@ -174,7 +174,7 @@ func TestGetFloatAnnotation(t *testing.T) { func TestGetIntAnnotation(t *testing.T) { ing := buildIngress() - _, err := GetIntAnnotation("", nil) + _, err := GetIntAnnotation("", nil, nil) if err == nil { t.Errorf("expected error but retuned nil") } @@ -196,7 +196,7 @@ func TestGetIntAnnotation(t *testing.T) { for _, test := range tests { data[GetAnnotationWithPrefix(test.field)] = test.value - s, err := GetIntAnnotation(test.field, ing) + s, err := GetIntAnnotation(test.field, ing, nil) if test.expErr { if err == nil { t.Errorf("%v: expected error but retuned nil", test.name) @@ -224,6 +224,7 @@ func TestStringToURL(t *testing.T) { }{ {"empty", "", "url scheme is empty", nil, true}, {"no scheme", "bar", "url scheme is empty", nil, true}, + {"invalid parse", "://lala.com", "://lala.com is not a valid URL: parse \"://lala.com\": missing protocol scheme", nil, true}, {"invalid host", "http://", "url host is empty", nil, true}, {"invalid host (multiple dots)", "http://foo..bar.com", "invalid url host", nil, true}, {"valid URL", validURL, "", validParsedURL, false}, diff --git a/internal/ingress/annotations/parser/validators.go b/internal/ingress/annotations/parser/validators.go new file mode 100644 index 000000000..e14b486eb --- /dev/null +++ b/internal/ingress/annotations/parser/validators.go @@ -0,0 +1,239 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package parser + +import ( + "errors" + "fmt" + "regexp" + "strconv" + "strings" + "time" + + networking "k8s.io/api/networking/v1" + machineryvalidation "k8s.io/apimachinery/pkg/api/validation" + ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" + "k8s.io/ingress-nginx/internal/net" + "k8s.io/klog/v2" +) + +type AnnotationValidator func(string) error + +const ( + AnnotationRiskLow AnnotationRisk = iota + AnnotationRiskMedium + AnnotationRiskHigh + AnnotationRiskCritical +) + +var ( + alphaNumericChars = `\-\.\_\~a-zA-Z0-9\/:` + extendedAlphaNumeric = alphaNumericChars + ", " + regexEnabledChars = regexp.QuoteMeta(`^$[](){}*+?|&=\`) + urlEnabledChars = regexp.QuoteMeta(`:?&=`) +) + +// IsValidRegex checks if the tested string can be used as a regex, but without any weird character. +// It includes regex characters for paths that may contain regexes +var IsValidRegex = regexp.MustCompile("^[/" + alphaNumericChars + regexEnabledChars + "]*$") + +// SizeRegex validates sizes understood by NGINX, like 1000, 100k, 1000M +var SizeRegex = regexp.MustCompile("^(?i)[0-9]+[bkmg]?$") + +// URLRegex is used to validate a URL but with only a specific set of characters: +// It is alphanumericChar + ":", "?", "&" +// A valid URL would be proto://something.com:port/something?arg=param +var ( + // URLIsValidRegex is used on full URLs, containing query strings (:, ? and &) + URLIsValidRegex = regexp.MustCompile("^[" + alphaNumericChars + urlEnabledChars + "]*$") + // BasicChars is alphanumeric and ".", "-", "_", "~" and ":", usually used on simple host:port/path composition. + // This combination can also be used on fields that may contain characters like / (as ns/name) + BasicCharsRegex = regexp.MustCompile("^[/" + alphaNumericChars + "]*$") + // ExtendedChars is alphanumeric and ".", "-", "_", "~" and ":" plus "," and spaces, usually used on simple host:port/path composition + ExtendedCharsRegex = regexp.MustCompile("^[/" + extendedAlphaNumeric + "]*$") + // CharsWithSpace is like basic chars, but includes the space character + CharsWithSpace = regexp.MustCompile("^[/" + alphaNumericChars + " ]*$") + // NGINXVariable allows entries with alphanumeric characters, -, _ and the special "$" + NGINXVariable = regexp.MustCompile(`^[A-Za-z0-9\-\_\$\{\}]*$`) + // RegexPathWithCapture allows entries that SHOULD start with "/" and may contain alphanumeric + capture + // character for regex based paths, like /something/$1/anything/$2 + RegexPathWithCapture = regexp.MustCompile(`^/[` + alphaNumericChars + `\/\$]*$`) + // HeadersVariable defines a regex that allows headers separated by comma + HeadersVariable = regexp.MustCompile(`^[A-Za-z0-9-_, ]*$`) + // URLWithNginxVariableRegex defines a url that can contain nginx variables. + // It is a risky operation + URLWithNginxVariableRegex = regexp.MustCompile("^[" + alphaNumericChars + urlEnabledChars + "$]*$") +) + +// ValidateArrayOfServerName validates if all fields on a Server name annotation are +// regexes. They can be *.something*, ~^www\d+\.example\.com$ but not fancy character +func ValidateArrayOfServerName(value string) error { + for _, fqdn := range strings.Split(value, ",") { + if err := ValidateServerName(fqdn); err != nil { + return err + } + } + return nil +} + +// ValidateServerName validates if the passed value is an acceptable server name. The server name +// can contain regex characters, as those are accepted values on nginx configuration +func ValidateServerName(value string) error { + value = strings.TrimSpace(value) + if !IsValidRegex.MatchString(value) { + return fmt.Errorf("value %s is invalid server name", value) + } + return nil +} + +// ValidateRegex receives a regex as an argument and uses it to validate +// the value of the field. +// Annotation can define if the spaces should be trimmed before validating the value +func ValidateRegex(regex regexp.Regexp, removeSpace bool) AnnotationValidator { + return func(s string) error { + if removeSpace { + s = strings.ReplaceAll(s, " ", "") + } + if !regex.MatchString(s) { + return fmt.Errorf("value %s is invalid", s) + } + return nil + } +} + +// ValidateOptions receives an array of valid options that can be the value of annotation. +// If no valid option is found, it will return an error +func ValidateOptions(options []string, caseSensitive bool, trimSpace bool) AnnotationValidator { + return func(s string) error { + if trimSpace { + s = strings.TrimSpace(s) + } + if !caseSensitive { + s = strings.ToLower(s) + } + for _, option := range options { + if s == option { + return nil + } + } + return fmt.Errorf("value does not match any valid option") + } +} + +// ValidateBool validates if the specified value is a bool +func ValidateBool(value string) error { + _, err := strconv.ParseBool(value) + return err +} + +// ValidateInt validates if the specified value is an integer +func ValidateInt(value string) error { + _, err := strconv.Atoi(value) + return err +} + +// ValidateCIDRs validates if the specified value is an array of IPs and CIDRs +func ValidateCIDRs(value string) error { + _, err := net.ParseCIDRs(value) + return err +} + +// ValidateDuration validates if the specified value is a valid time +func ValidateDuration(value string) error { + _, err := time.ParseDuration(value) + return err +} + +// ValidateNull always return null values and should not be widely used. +// It is used on the "snippet" annotations, as it is up to the admin to allow its +// usage, knowing it can be critical! +func ValidateNull(value string) error { + return nil +} + +// ValidateServiceName validates if a provided service name is a valid string +func ValidateServiceName(value string) error { + errs := machineryvalidation.NameIsDNS1035Label(value, false) + if len(errs) != 0 { + return fmt.Errorf("annotation does not contain a valid service name: %+v", errs) + } + return nil +} + +// checkAnnotations will check each annotation for: +// 1 - Does it contain the internal validation and docs config? +// 2 - Does the ingress contains annotations? (validate null pointers) +// 3 - Does it contains a validator? Should it contain a validator (not containing is a bug!) +// 4 - Does the annotation contain aliases? So we should use if the alias is defined an the annotation not. +// 4 - Runs the validator on the value +// It will return the full annotation name if all is fine +func checkAnnotation(name string, ing *networking.Ingress, fields AnnotationFields) (string, error) { + var validateFunc AnnotationValidator + if fields != nil { + config, ok := fields[name] + if !ok { + return "", fmt.Errorf("annotation does not contain a valid internal configuration, this is an Ingress Controller issue! Please raise an issue on github.com/kubernetes/ingress-nginx") + } + validateFunc = config.Validator + } + + if ing == nil || len(ing.GetAnnotations()) == 0 { + return "", ing_errors.ErrMissingAnnotations + } + + annotationFullName := GetAnnotationWithPrefix(name) + if annotationFullName == "" { + return "", ing_errors.ErrInvalidAnnotationName + } + + annotationValue := ing.GetAnnotations()[annotationFullName] + if fields != nil { + if validateFunc == nil { + return "", fmt.Errorf("annotation does not contain a validator. This is an ingress-controller bug. Please open an issue") + } + if annotationValue == "" { + for _, annotationAlias := range fields[name].AnnotationAliases { + tempAnnotationFullName := GetAnnotationWithPrefix(annotationAlias) + if aliasVal := ing.GetAnnotations()[tempAnnotationFullName]; aliasVal != "" { + annotationValue = aliasVal + annotationFullName = tempAnnotationFullName + break + } + } + } + // We don't run validation against empty values + if EnableAnnotationValidation && annotationValue != "" { + if err := validateFunc(annotationValue); err != nil { + klog.Warningf("validation error on ingress %s/%s: annotation %s contains invalid value %s", ing.GetNamespace(), ing.GetName(), name, annotationValue) + return "", ing_errors.NewValidationError(annotationFullName) + } + } + } + + return annotationFullName, nil +} + +func CheckAnnotationRisk(annotations map[string]string, maxrisk AnnotationRisk, config AnnotationFields) error { + var err error + for annotation := range annotations { + annPure := TrimAnnotationPrefix(annotation) + if cfg, ok := config[annPure]; ok && cfg.Risk > maxrisk { + err = errors.Join(err, fmt.Errorf("annotation %s is too risky for environment", annotation)) + } + } + return err +} diff --git a/internal/ingress/annotations/parser/validators_test.go b/internal/ingress/annotations/parser/validators_test.go new file mode 100644 index 000000000..2aa6cec37 --- /dev/null +++ b/internal/ingress/annotations/parser/validators_test.go @@ -0,0 +1,310 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package parser + +import ( + "fmt" + "testing" + + networking "k8s.io/api/networking/v1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +func TestValidateArrayOfServerName(t *testing.T) { + tests := []struct { + name string + value string + wantErr bool + }{ + { + name: "should accept common name", + value: "something.com,anything.com", + wantErr: false, + }, + { + name: "should accept wildcard name", + value: "*.something.com,otherthing.com", + wantErr: false, + }, + { + name: "should allow names with spaces between array and some regexes", + value: `~^www\d+\.example\.com$,something.com`, + wantErr: false, + }, + { + name: "should allow names with regexes", + value: `http://some.test.env.com:2121/$someparam=1&$someotherparam=2`, + wantErr: false, + }, + { + name: "should allow names with wildcard in middle common name", + value: "*.so*mething.com,bla.com", + wantErr: false, + }, + { + name: "should deny names with weird characters", + value: "something.com,lolo;xpto.com,nothing.com", + wantErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if err := ValidateArrayOfServerName(tt.value); (err != nil) != tt.wantErr { + t.Errorf("ValidateArrayOfServerName() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} + +func Test_checkAnnotation(t *testing.T) { + type args struct { + name string + ing *networking.Ingress + fields AnnotationFields + } + tests := []struct { + name string + args args + want string + wantErr bool + }{ + { + name: "null ingress should error", + want: "", + args: args{ + name: "some-random-annotation", + }, + wantErr: true, + }, + { + name: "not having a validator for a specific annotation is a bug", + want: "", + args: args{ + name: "some-new-invalid-annotation", + ing: &networking.Ingress{ + ObjectMeta: v1.ObjectMeta{ + Annotations: map[string]string{ + GetAnnotationWithPrefix("some-new-invalid-annotation"): "xpto", + }, + }, + }, + fields: AnnotationFields{ + "otherannotation": AnnotationConfig{ + Validator: func(value string) error { return nil }, + }, + }, + }, + wantErr: true, + }, + { + name: "annotationconfig found and no validation func defined on annotation is a bug", + want: "", + args: args{ + name: "some-new-invalid-annotation", + ing: &networking.Ingress{ + ObjectMeta: v1.ObjectMeta{ + Annotations: map[string]string{ + GetAnnotationWithPrefix("some-new-invalid-annotation"): "xpto", + }, + }, + }, + fields: AnnotationFields{ + "some-new-invalid-annotation": AnnotationConfig{}, + }, + }, + wantErr: true, + }, + { + name: "no annotation can turn into a null pointer and should fail", + want: "", + args: args{ + name: "some-new-invalid-annotation", + ing: &networking.Ingress{ + ObjectMeta: v1.ObjectMeta{}, + }, + fields: AnnotationFields{ + "some-new-invalid-annotation": AnnotationConfig{}, + }, + }, + wantErr: true, + }, + { + name: "no AnnotationField config should bypass validations", + want: GetAnnotationWithPrefix("some-valid-annotation"), + args: args{ + name: "some-valid-annotation", + ing: &networking.Ingress{ + ObjectMeta: v1.ObjectMeta{ + Annotations: map[string]string{ + GetAnnotationWithPrefix("some-valid-annotation"): "xpto", + }, + }, + }, + }, + wantErr: false, + }, + { + name: "annotation with invalid value should fail", + want: "", + args: args{ + name: "some-new-annotation", + ing: &networking.Ingress{ + ObjectMeta: v1.ObjectMeta{ + Annotations: map[string]string{ + GetAnnotationWithPrefix("some-new-annotation"): "xpto1", + }, + }, + }, + fields: AnnotationFields{ + "some-new-annotation": AnnotationConfig{ + Validator: func(value string) error { + if value != "xpto" { + return fmt.Errorf("this is an error") + } + return nil + }, + }, + }, + }, + wantErr: true, + }, + { + name: "annotation with valid value should pass", + want: GetAnnotationWithPrefix("some-other-annotation"), + args: args{ + name: "some-other-annotation", + ing: &networking.Ingress{ + ObjectMeta: v1.ObjectMeta{ + Annotations: map[string]string{ + GetAnnotationWithPrefix("some-other-annotation"): "xpto", + }, + }, + }, + fields: AnnotationFields{ + "some-other-annotation": AnnotationConfig{ + Validator: func(value string) error { + if value != "xpto" { + return fmt.Errorf("this is an error") + } + return nil + }, + }, + }, + }, + wantErr: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := checkAnnotation(tt.args.name, tt.args.ing, tt.args.fields) + if (err != nil) != tt.wantErr { + t.Errorf("checkAnnotation() error = %v, wantErr %v", err, tt.wantErr) + return + } + if got != tt.want { + t.Errorf("checkAnnotation() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestCheckAnnotationRisk(t *testing.T) { + + tests := []struct { + name string + annotations map[string]string + maxrisk AnnotationRisk + config AnnotationFields + wantErr bool + }{ + { + name: "high risk should not be accepted with maximum medium", + maxrisk: AnnotationRiskMedium, + annotations: map[string]string{ + "nginx.ingress.kubernetes.io/bla": "blo", + "nginx.ingress.kubernetes.io/bli": "bl3", + }, + config: AnnotationFields{ + "bla": { + Risk: AnnotationRiskHigh, + }, + "bli": { + Risk: AnnotationRiskMedium, + }, + }, + wantErr: true, + }, + { + name: "high risk should be accepted with maximum critical", + maxrisk: AnnotationRiskCritical, + annotations: map[string]string{ + "nginx.ingress.kubernetes.io/bla": "blo", + "nginx.ingress.kubernetes.io/bli": "bl3", + }, + config: AnnotationFields{ + "bla": { + Risk: AnnotationRiskHigh, + }, + "bli": { + Risk: AnnotationRiskMedium, + }, + }, + wantErr: false, + }, + { + name: "low risk should be accepted with maximum low", + maxrisk: AnnotationRiskLow, + annotations: map[string]string{ + "nginx.ingress.kubernetes.io/bla": "blo", + "nginx.ingress.kubernetes.io/bli": "bl3", + }, + config: AnnotationFields{ + "bla": { + Risk: AnnotationRiskLow, + }, + "bli": { + Risk: AnnotationRiskLow, + }, + }, + wantErr: false, + }, + { + name: "critical risk should be accepted with maximum critical", + maxrisk: AnnotationRiskCritical, + annotations: map[string]string{ + "nginx.ingress.kubernetes.io/bla": "blo", + "nginx.ingress.kubernetes.io/bli": "bl3", + }, + config: AnnotationFields{ + "bla": { + Risk: AnnotationRiskCritical, + }, + "bli": { + Risk: AnnotationRiskCritical, + }, + }, + wantErr: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if err := CheckAnnotationRisk(tt.annotations, tt.maxrisk, tt.config); (err != nil) != tt.wantErr { + t.Errorf("CheckAnnotationRisk() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} diff --git a/internal/ingress/annotations/portinredirect/main.go b/internal/ingress/annotations/portinredirect/main.go index 25d665558..7392ea3a6 100644 --- a/internal/ingress/annotations/portinredirect/main.go +++ b/internal/ingress/annotations/portinredirect/main.go @@ -23,22 +23,51 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + portsInRedirectAnnotation = "use-port-in-redirects" +) + +var portsInRedirectAnnotations = parser.Annotation{ + Group: "redirect", + Annotations: parser.AnnotationFields{ + portsInRedirectAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `Enables or disables specifying the port in absolute redirects issued by nginx.`, + }, + }, +} + type portInRedirect struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new port in redirect annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return portInRedirect{r} + return portInRedirect{ + r: r, + annotationConfig: portsInRedirectAnnotations, + } } // Parse parses the annotations contained in the ingress // rule used to indicate if the redirects must func (a portInRedirect) Parse(ing *networking.Ingress) (interface{}, error) { - up, err := parser.GetBoolAnnotation("use-port-in-redirects", ing) + up, err := parser.GetBoolAnnotation(portsInRedirectAnnotation, ing, a.annotationConfig.Annotations) if err != nil { return a.r.GetDefaultBackend().UsePortInRedirects, nil } return up, nil } + +func (a portInRedirect) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a portInRedirect) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, portsInRedirectAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/portinredirect/main_test.go b/internal/ingress/annotations/portinredirect/main_test.go index 71afd4cdf..f5806e01a 100644 --- a/internal/ingress/annotations/portinredirect/main_test.go +++ b/internal/ingress/annotations/portinredirect/main_test.go @@ -17,7 +17,6 @@ limitations under the License. package portinredirect import ( - "fmt" "testing" api "k8s.io/api/core/v1" @@ -84,23 +83,24 @@ func (m mockBackend) GetDefaultBackend() defaults.Backend { func TestPortInRedirect(t *testing.T) { tests := []struct { title string - usePort *bool + usePort string def bool exp bool }{ - {"false - default false", newFalse(), false, false}, - {"false - default true", newFalse(), true, false}, - {"no annotation - default false", nil, false, false}, - {"no annotation - default true", nil, true, true}, - {"true - default true", newTrue(), true, true}, + {"false - default false", "false", false, false}, + {"false - default true", "false", true, false}, + {"no annotation - default false", "", false, false}, + {"no annotation - default false", "not-a-bool", false, false}, + {"no annotation - default true", "", true, true}, + {"true - default true", "true", true, true}, } for _, test := range tests { ing := buildIngress() data := map[string]string{} - if test.usePort != nil { - data[parser.GetAnnotationWithPrefix("use-port-in-redirects")] = fmt.Sprintf("%v", *test.usePort) + if test.usePort != "" { + data[parser.GetAnnotationWithPrefix(portsInRedirectAnnotation)] = test.usePort } ing.SetAnnotations(data) @@ -118,13 +118,3 @@ func TestPortInRedirect(t *testing.T) { } } } - -func newTrue() *bool { - b := true - return &b -} - -func newFalse() *bool { - b := false - return &b -} diff --git a/internal/ingress/annotations/proxy/main.go b/internal/ingress/annotations/proxy/main.go index 3a89b8855..a2d10ca90 100644 --- a/internal/ingress/annotations/proxy/main.go +++ b/internal/ingress/annotations/proxy/main.go @@ -17,12 +17,150 @@ limitations under the License. package proxy import ( + "regexp" + networking "k8s.io/api/networking/v1" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + proxyConnectTimeoutAnnotation = "proxy-connect-timeout" + proxySendTimeoutAnnotation = "proxy-send-timeout" + proxyReadTimeoutAnnotation = "proxy-read-timeout" + proxyBuffersNumberAnnotation = "proxy-buffers-number" + proxyBufferSizeAnnotation = "proxy-buffer-size" + proxyCookiePathAnnotation = "proxy-cookie-path" + proxyCookieDomainAnnotation = "proxy-cookie-domain" + proxyBodySizeAnnotation = "proxy-body-size" + proxyNextUpstreamAnnotation = "proxy-next-upstream" + proxyNextUpstreamTimeoutAnnotation = "proxy-next-upstream-timeout" + proxyNextUpstreamTriesAnnotation = "proxy-next-upstream-tries" + proxyRequestBufferingAnnotation = "proxy-request-buffering" + proxyRedirectFromAnnotation = "proxy-redirect-from" + proxyRedirectToAnnotation = "proxy-redirect-to" + proxyBufferingAnnotation = "proxy-buffering" + proxyHTTPVersionAnnotation = "proxy-http-version" + proxyMaxTempFileSizeAnnotation = "proxy-max-temp-file-size" +) + +var ( + validUpstreamAnnotation = regexp.MustCompile(`^((error|timeout|invalid_header|http_500|http_502|http_503|http_504|http_403|http_404|http_429|non_idempotent|off)\s?)+$`) +) + +var proxyAnnotations = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + proxyConnectTimeoutAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation allows setting the timeout in seconds of the connect operation to the backend.`, + }, + proxySendTimeoutAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation allows setting the timeout in seconds of the send operation to the backend.`, + }, + proxyReadTimeoutAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation allows setting the timeout in seconds of the read operation to the backend.`, + }, + proxyBuffersNumberAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation sets the number of the buffers in proxy_buffers used for reading the first part of the response received from the proxied server. + By default proxy buffers number is set as 4`, + }, + proxyBufferSizeAnnotation: { + Validator: parser.ValidateRegex(*parser.SizeRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation sets the size of the buffer proxy_buffer_size used for reading the first part of the response received from the proxied server. + By default proxy buffer size is set as "4k".`, + }, + proxyCookiePathAnnotation: { + Validator: parser.ValidateRegex(*parser.URLIsValidRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation sets a text that should be changed in the path attribute of the "Set-Cookie" header fields of a proxied server response.`, + }, + proxyCookieDomainAnnotation: { + Validator: parser.ValidateRegex(*parser.BasicCharsRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation ets a text that should be changed in the domain attribute of the "Set-Cookie" header fields of a proxied server response.`, + }, + proxyBodySizeAnnotation: { + Validator: parser.ValidateRegex(*parser.SizeRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation allows setting the maximum allowed size of a client request body.`, + }, + proxyNextUpstreamAnnotation: { + Validator: parser.ValidateRegex(*validUpstreamAnnotation, false), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation defines when the next upstream should be used. + This annotation reflect the directive https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream + and only the allowed values on upstream are allowed here.`, + }, + proxyNextUpstreamTimeoutAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation limits the time during which a request can be passed to the next server`, + }, + proxyNextUpstreamTriesAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation limits the number of possible tries for passing a request to the next server`, + }, + proxyRequestBufferingAnnotation: { + Validator: parser.ValidateOptions([]string{"on", "off"}, true, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables or disables buffering of a client request body.`, + }, + proxyRedirectFromAnnotation: { + Validator: parser.ValidateRegex(*parser.URLIsValidRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `The annotations proxy-redirect-from and proxy-redirect-to will set the first and second parameters of NGINX's proxy_redirect directive respectively`, + }, + proxyRedirectToAnnotation: { + Validator: parser.ValidateRegex(*parser.URLIsValidRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `The annotations proxy-redirect-from and proxy-redirect-to will set the first and second parameters of NGINX's proxy_redirect directive respectively`, + }, + proxyBufferingAnnotation: { + Validator: parser.ValidateOptions([]string{"on", "off"}, true, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables or disables buffering of responses from the proxied server. It can be "on" or "off"`, + }, + proxyHTTPVersionAnnotation: { + Validator: parser.ValidateOptions([]string{"1.0", "1.1"}, true, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotations sets the HTTP protocol version for proxying. Can be "1.0" or "1.1".`, + }, + proxyMaxTempFileSizeAnnotation: { + Validator: parser.ValidateRegex(*parser.SizeRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation defines the maximum size of a temporary file when buffering responses.`, + }, + }, +} + // Config returns the proxy timeout to use in the upstream server/s type Config struct { BodySize string `json:"bodySize"` @@ -109,12 +247,15 @@ func (l1 *Config) Equal(l2 *Config) bool { } type proxy struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new reverse proxy configuration annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return proxy{r} + return proxy{r: r, + annotationConfig: proxyAnnotations, + } } // ParseAnnotations parses the annotations contained in the ingress @@ -125,90 +266,99 @@ func (a proxy) Parse(ing *networking.Ingress) (interface{}, error) { var err error - config.ConnectTimeout, err = parser.GetIntAnnotation("proxy-connect-timeout", ing) + config.ConnectTimeout, err = parser.GetIntAnnotation(proxyConnectTimeoutAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.ConnectTimeout = defBackend.ProxyConnectTimeout } - config.SendTimeout, err = parser.GetIntAnnotation("proxy-send-timeout", ing) + config.SendTimeout, err = parser.GetIntAnnotation(proxySendTimeoutAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.SendTimeout = defBackend.ProxySendTimeout } - config.ReadTimeout, err = parser.GetIntAnnotation("proxy-read-timeout", ing) + config.ReadTimeout, err = parser.GetIntAnnotation(proxyReadTimeoutAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.ReadTimeout = defBackend.ProxyReadTimeout } - config.BuffersNumber, err = parser.GetIntAnnotation("proxy-buffers-number", ing) + config.BuffersNumber, err = parser.GetIntAnnotation(proxyBuffersNumberAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.BuffersNumber = defBackend.ProxyBuffersNumber } - config.BufferSize, err = parser.GetStringAnnotation("proxy-buffer-size", ing) + config.BufferSize, err = parser.GetStringAnnotation(proxyBufferSizeAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.BufferSize = defBackend.ProxyBufferSize } - config.CookiePath, err = parser.GetStringAnnotation("proxy-cookie-path", ing) + config.CookiePath, err = parser.GetStringAnnotation(proxyCookiePathAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.CookiePath = defBackend.ProxyCookiePath } - config.CookieDomain, err = parser.GetStringAnnotation("proxy-cookie-domain", ing) + config.CookieDomain, err = parser.GetStringAnnotation(proxyCookieDomainAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.CookieDomain = defBackend.ProxyCookieDomain } - config.BodySize, err = parser.GetStringAnnotation("proxy-body-size", ing) + config.BodySize, err = parser.GetStringAnnotation(proxyBodySizeAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.BodySize = defBackend.ProxyBodySize } - config.NextUpstream, err = parser.GetStringAnnotation("proxy-next-upstream", ing) + config.NextUpstream, err = parser.GetStringAnnotation(proxyNextUpstreamAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.NextUpstream = defBackend.ProxyNextUpstream } - config.NextUpstreamTimeout, err = parser.GetIntAnnotation("proxy-next-upstream-timeout", ing) + config.NextUpstreamTimeout, err = parser.GetIntAnnotation(proxyNextUpstreamTimeoutAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.NextUpstreamTimeout = defBackend.ProxyNextUpstreamTimeout } - config.NextUpstreamTries, err = parser.GetIntAnnotation("proxy-next-upstream-tries", ing) + config.NextUpstreamTries, err = parser.GetIntAnnotation(proxyNextUpstreamTriesAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.NextUpstreamTries = defBackend.ProxyNextUpstreamTries } - config.RequestBuffering, err = parser.GetStringAnnotation("proxy-request-buffering", ing) + config.RequestBuffering, err = parser.GetStringAnnotation(proxyRequestBufferingAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.RequestBuffering = defBackend.ProxyRequestBuffering } - config.ProxyRedirectFrom, err = parser.GetStringAnnotation("proxy-redirect-from", ing) + config.ProxyRedirectFrom, err = parser.GetStringAnnotation(proxyRedirectFromAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.ProxyRedirectFrom = defBackend.ProxyRedirectFrom } - config.ProxyRedirectTo, err = parser.GetStringAnnotation("proxy-redirect-to", ing) + config.ProxyRedirectTo, err = parser.GetStringAnnotation(proxyRedirectToAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.ProxyRedirectTo = defBackend.ProxyRedirectTo } - config.ProxyBuffering, err = parser.GetStringAnnotation("proxy-buffering", ing) + config.ProxyBuffering, err = parser.GetStringAnnotation(proxyBufferingAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.ProxyBuffering = defBackend.ProxyBuffering } - config.ProxyHTTPVersion, err = parser.GetStringAnnotation("proxy-http-version", ing) + config.ProxyHTTPVersion, err = parser.GetStringAnnotation(proxyHTTPVersionAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.ProxyHTTPVersion = defBackend.ProxyHTTPVersion } - config.ProxyMaxTempFileSize, err = parser.GetStringAnnotation("proxy-max-temp-file-size", ing) + config.ProxyMaxTempFileSize, err = parser.GetStringAnnotation(proxyMaxTempFileSizeAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.ProxyMaxTempFileSize = defBackend.ProxyMaxTempFileSize } return config, nil } + +func (a proxy) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a proxy) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, proxyAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/proxy/main_test.go b/internal/ingress/annotations/proxy/main_test.go index e377ccb19..fa185551b 100644 --- a/internal/ingress/annotations/proxy/main_test.go +++ b/internal/ingress/annotations/proxy/main_test.go @@ -161,6 +161,74 @@ func TestProxy(t *testing.T) { } } +func TestProxyComplex(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix("proxy-connect-timeout")] = "1" + data[parser.GetAnnotationWithPrefix("proxy-send-timeout")] = "2" + data[parser.GetAnnotationWithPrefix("proxy-read-timeout")] = "3" + data[parser.GetAnnotationWithPrefix("proxy-buffers-number")] = "8" + data[parser.GetAnnotationWithPrefix("proxy-buffer-size")] = "1k" + data[parser.GetAnnotationWithPrefix("proxy-body-size")] = "2k" + data[parser.GetAnnotationWithPrefix("proxy-next-upstream")] = "error http_502" + data[parser.GetAnnotationWithPrefix("proxy-next-upstream-timeout")] = "5" + data[parser.GetAnnotationWithPrefix("proxy-next-upstream-tries")] = "3" + data[parser.GetAnnotationWithPrefix("proxy-request-buffering")] = "off" + data[parser.GetAnnotationWithPrefix("proxy-buffering")] = "on" + data[parser.GetAnnotationWithPrefix("proxy-http-version")] = "1.0" + data[parser.GetAnnotationWithPrefix("proxy-max-temp-file-size")] = "128k" + ing.SetAnnotations(data) + + i, err := NewParser(mockBackend{}).Parse(ing) + if err != nil { + t.Fatalf("unexpected error parsing a valid") + } + p, ok := i.(*Config) + if !ok { + t.Fatalf("expected a Config type") + } + if p.ConnectTimeout != 1 { + t.Errorf("expected 1 as connect-timeout but returned %v", p.ConnectTimeout) + } + if p.SendTimeout != 2 { + t.Errorf("expected 2 as send-timeout but returned %v", p.SendTimeout) + } + if p.ReadTimeout != 3 { + t.Errorf("expected 3 as read-timeout but returned %v", p.ReadTimeout) + } + if p.BuffersNumber != 8 { + t.Errorf("expected 8 as proxy-buffers-number but returned %v", p.BuffersNumber) + } + if p.BufferSize != "1k" { + t.Errorf("expected 1k as buffer-size but returned %v", p.BufferSize) + } + if p.BodySize != "2k" { + t.Errorf("expected 2k as body-size but returned %v", p.BodySize) + } + if p.NextUpstream != "error http_502" { + t.Errorf("expected off as next-upstream but returned %v", p.NextUpstream) + } + if p.NextUpstreamTimeout != 5 { + t.Errorf("expected 5 as next-upstream-timeout but returned %v", p.NextUpstreamTimeout) + } + if p.NextUpstreamTries != 3 { + t.Errorf("expected 3 as next-upstream-tries but returned %v", p.NextUpstreamTries) + } + if p.RequestBuffering != "off" { + t.Errorf("expected off as request-buffering but returned %v", p.RequestBuffering) + } + if p.ProxyBuffering != "on" { + t.Errorf("expected on as proxy-buffering but returned %v", p.ProxyBuffering) + } + if p.ProxyHTTPVersion != "1.0" { + t.Errorf("expected 1.0 as proxy-http-version but returned %v", p.ProxyHTTPVersion) + } + if p.ProxyMaxTempFileSize != "128k" { + t.Errorf("expected 128k as proxy-max-temp-file-size but returned %v", p.ProxyMaxTempFileSize) + } +} + func TestProxyWithNoAnnotation(t *testing.T) { ing := buildIngress() diff --git a/internal/ingress/annotations/proxyssl/main.go b/internal/ingress/annotations/proxyssl/main.go index 22f49b3eb..40ee18aa0 100644 --- a/internal/ingress/annotations/proxyssl/main.go +++ b/internal/ingress/annotations/proxyssl/main.go @@ -24,9 +24,11 @@ import ( networking "k8s.io/api/networking/v1" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/errors" ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" "k8s.io/ingress-nginx/internal/k8s" + "k8s.io/klog/v2" ) const ( @@ -39,9 +41,73 @@ const ( var ( proxySSLOnOffRegex = regexp.MustCompile(`^(on|off)$`) - proxySSLProtocolRegex = regexp.MustCompile(`^(SSLv2|SSLv3|TLSv1|TLSv1\.1|TLSv1\.2|TLSv1\.3)$`) + proxySSLProtocolRegex = regexp.MustCompile(`^(SSLv2|SSLv3|TLSv1|TLSv1\.1|TLSv1\.2|TLSv1\.3| )*$`) + proxySSLCiphersRegex = regexp.MustCompile(`^[A-Za-z0-9\+\:\_\-\!]*$`) ) +const ( + proxySSLSecretAnnotation = "proxy-ssl-secret" + proxySSLCiphersAnnotation = "proxy-ssl-ciphers" + proxySSLProtocolsAnnotation = "proxy-ssl-protocols" + proxySSLNameAnnotation = "proxy-ssl-name" + proxySSLVerifyAnnotation = "proxy-ssl-verify" + proxySSLVerifyDepthAnnotation = "proxy-ssl-verify-depth" + proxySSLServerNameAnnotation = "proxy-ssl-server-name" +) + +var proxySSLAnnotation = parser.Annotation{ + Group: "proxy", + Annotations: parser.AnnotationFields{ + proxySSLSecretAnnotation: { + Validator: parser.ValidateRegex(*parser.BasicCharsRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation specifies a Secret with the certificate tls.crt, key tls.key in PEM format used for authentication to a proxied HTTPS server. + It should also contain trusted CA certificates ca.crt in PEM format used to verify the certificate of the proxied HTTPS server. + This annotation expects the Secret name in the form "namespace/secretName" + Just secrets on the same namespace of the ingress can be used.`, + }, + proxySSLCiphersAnnotation: { + Validator: parser.ValidateRegex(*proxySSLCiphersRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation Specifies the enabled ciphers for requests to a proxied HTTPS server. + The ciphers are specified in the format understood by the OpenSSL library.`, + }, + proxySSLProtocolsAnnotation: { + Validator: parser.ValidateRegex(*proxySSLProtocolRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables the specified protocols for requests to a proxied HTTPS server.`, + }, + proxySSLNameAnnotation: { + Validator: parser.ValidateServerName, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskHigh, + Documentation: `This annotation allows to set proxy_ssl_name. This allows overriding the server name used to verify the certificate of the proxied HTTPS server. + This value is also passed through SNI when a connection is established to the proxied HTTPS server.`, + }, + proxySSLVerifyAnnotation: { + Validator: parser.ValidateRegex(*proxySSLOnOffRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables or disables verification of the proxied HTTPS server certificate. (default: off)`, + }, + proxySSLVerifyDepthAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation Sets the verification depth in the proxied HTTPS server certificates chain. (default: 1).`, + }, + proxySSLServerNameAnnotation: { + Validator: parser.ValidateRegex(*proxySSLOnOffRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables passing of the server name through TLS Server Name Indication extension (SNI, RFC 6066) when establishing a connection with the proxied HTTPS server.`, + }, + }, +} + // Config contains the AuthSSLCert used for mutual authentication // and the configured VerifyDepth type Config struct { @@ -85,11 +151,14 @@ func (pssl1 *Config) Equal(pssl2 *Config) bool { // NewParser creates a new TLS authentication annotation parser func NewParser(resolver resolver.Resolver) parser.IngressAnnotation { - return proxySSL{resolver} + return proxySSL{ + r: resolver, + annotationConfig: proxySSLAnnotation} } type proxySSL struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } func sortProtocols(protocols string) string { @@ -120,16 +189,22 @@ func (p proxySSL) Parse(ing *networking.Ingress) (interface{}, error) { var err error config := &Config{} - proxysslsecret, err := parser.GetStringAnnotation("proxy-ssl-secret", ing) + proxysslsecret, err := parser.GetStringAnnotation(proxySSLSecretAnnotation, ing, p.annotationConfig.Annotations) if err != nil { return &Config{}, err } - _, _, err = k8s.ParseNameNS(proxysslsecret) + ns, _, err := k8s.ParseNameNS(proxysslsecret) if err != nil { return &Config{}, ing_errors.NewLocationDenied(err.Error()) } + secCfg := p.r.GetSecurityConfiguration() + // We don't accept different namespaces for secrets. + if !secCfg.AllowCrossNamespaceResources && ns != ing.Namespace { + return &Config{}, ing_errors.NewLocationDenied("cross namespace secrets are not supported") + } + proxyCert, err := p.r.GetAuthCertificate(proxysslsecret) if err != nil { e := fmt.Errorf("error obtaining certificate: %w", err) @@ -137,37 +212,55 @@ func (p proxySSL) Parse(ing *networking.Ingress) (interface{}, error) { } config.AuthSSLCert = *proxyCert - config.Ciphers, err = parser.GetStringAnnotation("proxy-ssl-ciphers", ing) + config.Ciphers, err = parser.GetStringAnnotation(proxySSLCiphersAnnotation, ing, p.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("invalid value passed to proxy-ssl-ciphers, defaulting to %s", defaultProxySSLCiphers) + } config.Ciphers = defaultProxySSLCiphers } - config.Protocols, err = parser.GetStringAnnotation("proxy-ssl-protocols", ing) + config.Protocols, err = parser.GetStringAnnotation(proxySSLProtocolsAnnotation, ing, p.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("invalid value passed to proxy-ssl-protocols, defaulting to %s", defaultProxySSLProtocols) + } config.Protocols = defaultProxySSLProtocols } else { config.Protocols = sortProtocols(config.Protocols) } - config.ProxySSLName, err = parser.GetStringAnnotation("proxy-ssl-name", ing) + config.ProxySSLName, err = parser.GetStringAnnotation(proxySSLNameAnnotation, ing, p.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("invalid value passed to proxy-ssl-name, defaulting to empty") + } config.ProxySSLName = "" } - config.Verify, err = parser.GetStringAnnotation("proxy-ssl-verify", ing) + config.Verify, err = parser.GetStringAnnotation(proxySSLVerifyAnnotation, ing, p.annotationConfig.Annotations) if err != nil || !proxySSLOnOffRegex.MatchString(config.Verify) { config.Verify = defaultProxySSLVerify } - config.VerifyDepth, err = parser.GetIntAnnotation("proxy-ssl-verify-depth", ing) + config.VerifyDepth, err = parser.GetIntAnnotation(proxySSLVerifyDepthAnnotation, ing, p.annotationConfig.Annotations) if err != nil || config.VerifyDepth == 0 { config.VerifyDepth = defaultProxySSLVerifyDepth } - config.ProxySSLServerName, err = parser.GetStringAnnotation("proxy-ssl-server-name", ing) + config.ProxySSLServerName, err = parser.GetStringAnnotation(proxySSLServerNameAnnotation, ing, p.annotationConfig.Annotations) if err != nil || !proxySSLOnOffRegex.MatchString(config.ProxySSLServerName) { config.ProxySSLServerName = defaultProxySSLServerName } return config, nil } + +func (p proxySSL) GetDocumentation() parser.AnnotationFields { + return p.annotationConfig.Annotations +} + +func (a proxySSL) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, proxySSLAnnotation.Annotations) +} diff --git a/internal/ingress/annotations/proxyssl/main_test.go b/internal/ingress/annotations/proxyssl/main_test.go index 29949796c..edd65343e 100644 --- a/internal/ingress/annotations/proxyssl/main_test.go +++ b/internal/ingress/annotations/proxyssl/main_test.go @@ -93,7 +93,7 @@ func TestAnnotations(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("proxy-ssl-secret")] = "default/demo-secret" + data[parser.GetAnnotationWithPrefix(proxySSLSecretAnnotation)] = "default/demo-secret" data[parser.GetAnnotationWithPrefix("proxy-ssl-ciphers")] = "HIGH:-SHA" data[parser.GetAnnotationWithPrefix("proxy-ssl-name")] = "$host" data[parser.GetAnnotationWithPrefix("proxy-ssl-protocols")] = "TLSv1.3 SSLv2 TLSv1 TLSv1.2" diff --git a/internal/ingress/annotations/ratelimit/main.go b/internal/ingress/annotations/ratelimit/main.go index 84a5f10f0..39161a2c0 100644 --- a/internal/ingress/annotations/ratelimit/main.go +++ b/internal/ingress/annotations/ratelimit/main.go @@ -24,6 +24,7 @@ import ( networking "k8s.io/api/networking/v1" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" "k8s.io/ingress-nginx/internal/net" "k8s.io/ingress-nginx/pkg/util/sets" @@ -58,7 +59,7 @@ type Config struct { ID string `json:"id"` - Whitelist []string `json:"whitelist"` + Allowlist []string `json:"allowlist"` } // Equal tests for equality between two RateLimit types @@ -90,11 +91,11 @@ func (rt1 *Config) Equal(rt2 *Config) bool { if rt1.Name != rt2.Name { return false } - if len(rt1.Whitelist) != len(rt2.Whitelist) { + if len(rt1.Allowlist) != len(rt2.Allowlist) { return false } - return sets.StringElementsMatch(rt1.Whitelist, rt2.Whitelist) + return sets.StringElementsMatch(rt1.Allowlist, rt2.Allowlist) } // Zone returns information about the NGINX rate limit (limit_req_zone) @@ -131,43 +132,121 @@ func (z1 *Zone) Equal(z2 *Zone) bool { return true } +const ( + limitRateAnnotation = "limit-rate" + limitRateAfterAnnotation = "limit-rate-after" + limitRateRPMAnnotation = "limit-rpm" + limitRateRPSAnnotation = "limit-rps" + limitRateConnectionsAnnotation = "limit-connections" + limitRateBurstMultiplierAnnotation = "limit-burst-multiplier" + limitWhitelistAnnotation = "limit-whitelist" // This annotation is an alias for limit-allowlist + limitAllowlistAnnotation = "limit-allowlist" +) + +var rateLimitAnnotations = parser.Annotation{ + Group: "rate-limit", + Annotations: parser.AnnotationFields{ + limitRateAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `Limits the rate of response transmission to a client. The rate is specified in bytes per second. + The zero value disables rate limiting. The limit is set per a request, and so if a client simultaneously opens two connections, the overall rate will be twice as much as the specified limit. + References: https://nginx.org/en/docs/http/ngx_http_core_module.html#limit_rate`, + }, + limitRateAfterAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `Sets the initial amount after which the further transmission of a response to a client will be rate limited.`, + }, + limitRateRPMAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `Requests per minute that will be allowed.`, + }, + limitRateRPSAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `Requests per second that will be allowed.`, + }, + limitRateConnectionsAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `Number of connections that will be allowed`, + }, + limitRateBurstMultiplierAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `Burst multiplier for a limit-rate enabled location.`, + }, + limitAllowlistAnnotation: { + Validator: parser.ValidateCIDRs, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `List of CIDR/IP addresses that will not be rate-limited.`, + AnnotationAliases: []string{limitWhitelistAnnotation}, + }, + }, +} + type ratelimit struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new ratelimit annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return ratelimit{r} + return ratelimit{ + r: r, + annotationConfig: rateLimitAnnotations, + } } // ParseAnnotations parses the annotations contained in the ingress // rule used to rewrite the defined paths func (a ratelimit) Parse(ing *networking.Ingress) (interface{}, error) { defBackend := a.r.GetDefaultBackend() - lr, err := parser.GetIntAnnotation("limit-rate", ing) + lr, err := parser.GetIntAnnotation(limitRateAnnotation, ing, a.annotationConfig.Annotations) if err != nil { lr = defBackend.LimitRate } - lra, err := parser.GetIntAnnotation("limit-rate-after", ing) + lra, err := parser.GetIntAnnotation(limitRateAfterAnnotation, ing, a.annotationConfig.Annotations) if err != nil { lra = defBackend.LimitRateAfter } - rpm, _ := parser.GetIntAnnotation("limit-rpm", ing) - rps, _ := parser.GetIntAnnotation("limit-rps", ing) - conn, _ := parser.GetIntAnnotation("limit-connections", ing) - burstMultiplier, err := parser.GetIntAnnotation("limit-burst-multiplier", ing) + rpm, err := parser.GetIntAnnotation(limitRateRPMAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && errors.IsValidationError(err) { + return nil, err + } + rps, err := parser.GetIntAnnotation(limitRateRPSAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && errors.IsValidationError(err) { + return nil, err + } + conn, err := parser.GetIntAnnotation(limitRateConnectionsAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && errors.IsValidationError(err) { + return nil, err + } + burstMultiplier, err := parser.GetIntAnnotation(limitRateBurstMultiplierAnnotation, ing, a.annotationConfig.Annotations) if err != nil { burstMultiplier = defBurst } - val, _ := parser.GetStringAnnotation("limit-whitelist", ing) - - cidrs, err := net.ParseCIDRs(val) - if err != nil { + val, err := parser.GetStringAnnotation(limitAllowlistAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && errors.IsValidationError(err) { return nil, err } + cidrs, errCidr := net.ParseCIDRs(val) + if errCidr != nil { + return nil, errCidr + } + if rpm == 0 && rps == 0 && conn == 0 { return &Config{ Connections: Zone{}, @@ -203,7 +282,7 @@ func (a ratelimit) Parse(ing *networking.Ingress) (interface{}, error) { LimitRateAfter: lra, Name: zoneName, ID: encode(zoneName), - Whitelist: cidrs, + Allowlist: cidrs, }, nil } @@ -211,3 +290,12 @@ func encode(s string) string { str := base64.URLEncoding.EncodeToString([]byte(s)) return strings.Replace(str, "=", "", -1) } + +func (a ratelimit) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a ratelimit) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, rateLimitAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/ratelimit/main_test.go b/internal/ingress/annotations/ratelimit/main_test.go index 9f101cc3b..d3a2cc0e9 100644 --- a/internal/ingress/annotations/ratelimit/main_test.go +++ b/internal/ingress/annotations/ratelimit/main_test.go @@ -25,6 +25,7 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/internal/ingress/defaults" + "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" ) @@ -85,8 +86,8 @@ func (m mockBackend) GetDefaultBackend() defaults.Backend { func TestWithoutAnnotations(t *testing.T) { ing := buildIngress() _, err := NewParser(mockBackend{}).Parse(ing) - if err != nil { - t.Error("unexpected error with ingress without annotations") + if err != nil && !errors.IsMissingAnnotations(err) { + t.Errorf("unexpected error with ingress without annotations: %s", err) } } @@ -94,22 +95,22 @@ func TestRateLimiting(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("limit-connections")] = "0" - data[parser.GetAnnotationWithPrefix("limit-rps")] = "0" - data[parser.GetAnnotationWithPrefix("limit-rpm")] = "0" + data[parser.GetAnnotationWithPrefix(limitRateConnectionsAnnotation)] = "0" + data[parser.GetAnnotationWithPrefix(limitRateRPSAnnotation)] = "0" + data[parser.GetAnnotationWithPrefix(limitRateRPMAnnotation)] = "0" ing.SetAnnotations(data) _, err := NewParser(mockBackend{}).Parse(ing) if err != nil { - t.Errorf("unexpected error with invalid limits (0)") + t.Errorf("unexpected error with invalid limits (0): %s", err) } data = map[string]string{} - data[parser.GetAnnotationWithPrefix("limit-connections")] = "5" - data[parser.GetAnnotationWithPrefix("limit-rps")] = "100" - data[parser.GetAnnotationWithPrefix("limit-rpm")] = "10" - data[parser.GetAnnotationWithPrefix("limit-rate-after")] = "100" - data[parser.GetAnnotationWithPrefix("limit-rate")] = "10" + data[parser.GetAnnotationWithPrefix(limitRateConnectionsAnnotation)] = "5" + data[parser.GetAnnotationWithPrefix(limitRateRPSAnnotation)] = "100" + data[parser.GetAnnotationWithPrefix(limitRateRPMAnnotation)] = "10" + data[parser.GetAnnotationWithPrefix(limitRateAfterAnnotation)] = "100" + data[parser.GetAnnotationWithPrefix(limitRateAnnotation)] = "10" ing.SetAnnotations(data) @@ -147,12 +148,12 @@ func TestRateLimiting(t *testing.T) { } data = map[string]string{} - data[parser.GetAnnotationWithPrefix("limit-connections")] = "5" - data[parser.GetAnnotationWithPrefix("limit-rps")] = "100" - data[parser.GetAnnotationWithPrefix("limit-rpm")] = "10" - data[parser.GetAnnotationWithPrefix("limit-rate-after")] = "100" - data[parser.GetAnnotationWithPrefix("limit-rate")] = "10" - data[parser.GetAnnotationWithPrefix("limit-burst-multiplier")] = "3" + data[parser.GetAnnotationWithPrefix(limitRateConnectionsAnnotation)] = "5" + data[parser.GetAnnotationWithPrefix(limitRateRPSAnnotation)] = "100" + data[parser.GetAnnotationWithPrefix(limitRateRPMAnnotation)] = "10" + data[parser.GetAnnotationWithPrefix(limitRateAfterAnnotation)] = "100" + data[parser.GetAnnotationWithPrefix(limitRateAnnotation)] = "10" + data[parser.GetAnnotationWithPrefix(limitRateBurstMultiplierAnnotation)] = "3" ing.SetAnnotations(data) @@ -189,3 +190,61 @@ func TestRateLimiting(t *testing.T) { t.Errorf("expected 10 in limit by limitrate but %v was returned", rateLimit.LimitRate) } } + +func TestAnnotationCIDR(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix(limitRateConnectionsAnnotation)] = "5" + data[parser.GetAnnotationWithPrefix(limitAllowlistAnnotation)] = "192.168.0.5, 192.168.50.32/24" + ing.SetAnnotations(data) + + i, err := NewParser(mockBackend{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } + + rateLimit, ok := i.(*Config) + if !ok { + t.Errorf("expected a RateLimit type") + } + if len(rateLimit.Allowlist) != 2 { + t.Errorf("expected 2 cidrs in limit by ip but %v was returned", len(rateLimit.Allowlist)) + } + + data = map[string]string{} + data[parser.GetAnnotationWithPrefix(limitRateConnectionsAnnotation)] = "5" + data[parser.GetAnnotationWithPrefix(limitWhitelistAnnotation)] = "192.168.0.5, 192.168.50.32/24, 10.10.10.1" + ing.SetAnnotations(data) + + i, err = NewParser(mockBackend{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } + rateLimit, ok = i.(*Config) + if !ok { + t.Errorf("expected a RateLimit type") + } + if len(rateLimit.Allowlist) != 3 { + t.Errorf("expected 3 cidrs in limit by ip but %v was returned", len(rateLimit.Allowlist)) + } + + // Parent annotation surpasses any alias + data = map[string]string{} + data[parser.GetAnnotationWithPrefix(limitRateConnectionsAnnotation)] = "5" + data[parser.GetAnnotationWithPrefix(limitWhitelistAnnotation)] = "192.168.0.5, 192.168.50.32/24, 10.10.10.1" + data[parser.GetAnnotationWithPrefix(limitAllowlistAnnotation)] = "192.168.0.9" + ing.SetAnnotations(data) + + i, err = NewParser(mockBackend{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } + rateLimit, ok = i.(*Config) + if !ok { + t.Errorf("expected a RateLimit type") + } + if len(rateLimit.Allowlist) != 1 { + t.Errorf("expected 1 cidrs in limit by ip but %v was returned", len(rateLimit.Allowlist)) + } +} diff --git a/internal/ingress/annotations/redirect/redirect.go b/internal/ingress/annotations/redirect/redirect.go index 11b08a4a2..89513c83c 100644 --- a/internal/ingress/annotations/redirect/redirect.go +++ b/internal/ingress/annotations/redirect/redirect.go @@ -37,13 +37,56 @@ type Config struct { FromToWWW bool `json:"fromToWWW"` } +const ( + fromToWWWRedirAnnotation = "from-to-www-redirect" + temporalRedirectAnnotation = "temporal-redirect" + permanentRedirectAnnotation = "permanent-redirect" + permanentRedirectAnnotationCode = "permanent-redirect-code" +) + +var redirectAnnotations = parser.Annotation{ + Group: "redirect", + Annotations: parser.AnnotationFields{ + fromToWWWRedirAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `In some scenarios is required to redirect from www.domain.com to domain.com or vice versa. To enable this feature use this annotation.`, + }, + temporalRedirectAnnotation: { + Validator: parser.ValidateRegex(*parser.URLIsValidRegex, false), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, // Medium, as it allows arbitrary URLs that needs to be validated + Documentation: `This annotation allows you to return a temporal redirect (Return Code 302) instead of sending data to the upstream. + For example setting this annotation to https://www.google.com would redirect everything to Google with a Return Code of 302 (Moved Temporarily).`, + }, + permanentRedirectAnnotation: { + Validator: parser.ValidateRegex(*parser.URLIsValidRegex, false), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, // Medium, as it allows arbitrary URLs that needs to be validated + Documentation: `This annotation allows to return a permanent redirect (Return Code 301) instead of sending data to the upstream. + For example setting this annotation https://www.google.com would redirect everything to Google with a code 301`, + }, + permanentRedirectAnnotationCode: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `This annotation allows you to modify the status code used for permanent redirects.`, + }, + }, +} + type redirect struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new redirect annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return redirect{r} + return redirect{ + r: r, + annotationConfig: redirectAnnotations, + } } // Parse parses the annotations contained in the ingress @@ -51,9 +94,12 @@ func NewParser(r resolver.Resolver) parser.IngressAnnotation { // If the Ingress contains both annotations the execution order is // temporal and then permanent func (r redirect) Parse(ing *networking.Ingress) (interface{}, error) { - r3w, _ := parser.GetBoolAnnotation("from-to-www-redirect", ing) + r3w, err := parser.GetBoolAnnotation(fromToWWWRedirAnnotation, ing, r.annotationConfig.Annotations) + if err != nil && !errors.IsMissingAnnotations(err) { + return nil, err + } - tr, err := parser.GetStringAnnotation("temporal-redirect", ing) + tr, err := parser.GetStringAnnotation(temporalRedirectAnnotation, ing, r.annotationConfig.Annotations) if err != nil && !errors.IsMissingAnnotations(err) { return nil, err } @@ -70,12 +116,12 @@ func (r redirect) Parse(ing *networking.Ingress) (interface{}, error) { }, nil } - pr, err := parser.GetStringAnnotation("permanent-redirect", ing) + pr, err := parser.GetStringAnnotation(permanentRedirectAnnotation, ing, r.annotationConfig.Annotations) if err != nil && !errors.IsMissingAnnotations(err) { return nil, err } - prc, err := parser.GetIntAnnotation("permanent-redirect-code", ing) + prc, err := parser.GetIntAnnotation(permanentRedirectAnnotationCode, ing, r.annotationConfig.Annotations) if err != nil && !errors.IsMissingAnnotations(err) { return nil, err } @@ -127,3 +173,12 @@ func isValidURL(s string) error { return nil } + +func (a redirect) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a redirect) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, redirectAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/redirect/redirect_test.go b/internal/ingress/annotations/redirect/redirect_test.go index b5a87a5d3..5a61f364d 100644 --- a/internal/ingress/annotations/redirect/redirect_test.go +++ b/internal/ingress/annotations/redirect/redirect_test.go @@ -43,7 +43,7 @@ func TestPermanentRedirectWithDefaultCode(t *testing.T) { ing := new(networking.Ingress) data := make(map[string]string, 1) - data[parser.GetAnnotationWithPrefix("permanent-redirect")] = defRedirectURL + data[parser.GetAnnotationWithPrefix(permanentRedirectAnnotation)] = defRedirectURL ing.SetAnnotations(data) i, err := rp.Parse(ing) @@ -81,8 +81,8 @@ func TestPermanentRedirectWithCustomCode(t *testing.T) { ing := new(networking.Ingress) data := make(map[string]string, 2) - data[parser.GetAnnotationWithPrefix("permanent-redirect")] = defRedirectURL - data[parser.GetAnnotationWithPrefix("permanent-redirect-code")] = strconv.Itoa(tc.input) + data[parser.GetAnnotationWithPrefix(permanentRedirectAnnotation)] = defRedirectURL + data[parser.GetAnnotationWithPrefix(permanentRedirectAnnotationCode)] = strconv.Itoa(tc.input) ing.SetAnnotations(data) i, err := rp.Parse(ing) @@ -112,8 +112,8 @@ func TestTemporalRedirect(t *testing.T) { ing := new(networking.Ingress) data := make(map[string]string, 1) - data[parser.GetAnnotationWithPrefix("from-to-www-redirect")] = "true" - data[parser.GetAnnotationWithPrefix("temporal-redirect")] = defRedirectURL + data[parser.GetAnnotationWithPrefix(fromToWWWRedirAnnotation)] = "true" + data[parser.GetAnnotationWithPrefix(temporalRedirectAnnotation)] = defRedirectURL ing.SetAnnotations(data) i, err := rp.Parse(ing) diff --git a/internal/ingress/annotations/rewrite/main.go b/internal/ingress/annotations/rewrite/main.go index f92d508dc..84dc93bf0 100644 --- a/internal/ingress/annotations/rewrite/main.go +++ b/internal/ingress/annotations/rewrite/main.go @@ -27,6 +27,59 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + rewriteTargetAnnotation = "rewrite-target" + sslRedirectAnnotation = "ssl-redirect" + preserveTrailingSlashAnnotation = "preserve-trailing-slash" + forceSSLRedirectAnnotation = "force-ssl-redirect" + useRegexAnnotation = "use-regex" + appRootAnnotation = "app-root" +) + +var rewriteAnnotations = parser.Annotation{ + Group: "rewrite", + Annotations: parser.AnnotationFields{ + rewriteTargetAnnotation: { + Validator: parser.ValidateRegex(*parser.RegexPathWithCapture, false), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation allows to specify the target URI where the traffic must be redirected. It can contain regular characters and captured + groups specified as '$1', '$2', etc.`, + }, + sslRedirectAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation defines if the location section is only accessible via SSL`, + }, + preserveTrailingSlashAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation defines if the trailing slash should be preserved in the URI with 'ssl-redirect'`, + }, + forceSSLRedirectAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation forces the redirection to HTTPS even if the Ingress is not TLS Enabled`, + }, + useRegexAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation defines if the paths defined on an Ingress use regular expressions. To use regex on path + the pathType should also be defined as 'ImplementationSpecific'.`, + }, + appRootAnnotation: { + Validator: parser.ValidateRegex(*parser.RegexPathWithCapture, false), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation defines the Application Root that the Controller must redirect if it's in / context`, + }, + }, +} + // Config describes the per location redirect config type Config struct { // Target URI where the traffic must be redirected @@ -71,12 +124,16 @@ func (r1 *Config) Equal(r2 *Config) bool { } type rewrite struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new rewrite annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return rewrite{r} + return rewrite{ + r: r, + annotationConfig: rewriteAnnotations, + } } // ParseAnnotations parses the annotations contained in the ingress @@ -85,24 +142,45 @@ func (a rewrite) Parse(ing *networking.Ingress) (interface{}, error) { var err error config := &Config{} - config.Target, _ = parser.GetStringAnnotation("rewrite-target", ing) - config.SSLRedirect, err = parser.GetBoolAnnotation("ssl-redirect", ing) + config.Target, err = parser.GetStringAnnotation(rewriteTargetAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("%sis invalid, defaulting to empty", rewriteTargetAnnotation) + } + config.Target = "" + } + config.SSLRedirect, err = parser.GetBoolAnnotation(sslRedirectAnnotation, ing, a.annotationConfig.Annotations) + if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("%sis invalid, defaulting to '%s'", sslRedirectAnnotation, a.r.GetDefaultBackend().SSLRedirect) + } config.SSLRedirect = a.r.GetDefaultBackend().SSLRedirect } - config.PreserveTrailingSlash, err = parser.GetBoolAnnotation("preserve-trailing-slash", ing) + config.PreserveTrailingSlash, err = parser.GetBoolAnnotation(preserveTrailingSlashAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("%sis invalid, defaulting to '%s'", preserveTrailingSlashAnnotation, a.r.GetDefaultBackend().PreserveTrailingSlash) + } config.PreserveTrailingSlash = a.r.GetDefaultBackend().PreserveTrailingSlash } - config.ForceSSLRedirect, err = parser.GetBoolAnnotation("force-ssl-redirect", ing) + config.ForceSSLRedirect, err = parser.GetBoolAnnotation(forceSSLRedirectAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("%sis invalid, defaulting to '%s'", forceSSLRedirectAnnotation, a.r.GetDefaultBackend().ForceSSLRedirect) + } config.ForceSSLRedirect = a.r.GetDefaultBackend().ForceSSLRedirect } - config.UseRegex, _ = parser.GetBoolAnnotation("use-regex", ing) + config.UseRegex, err = parser.GetBoolAnnotation(useRegexAnnotation, ing, a.annotationConfig.Annotations) + if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("%sis invalid, defaulting to 'false'", useRegexAnnotation) + } + config.UseRegex = false + } - config.AppRoot, err = parser.GetStringAnnotation("app-root", ing) + config.AppRoot, err = parser.GetStringAnnotation(appRootAnnotation, ing, a.annotationConfig.Annotations) if err != nil { if !errors.IsMissingAnnotations(err) && !errors.IsInvalidContent(err) { klog.Warningf("Annotation app-root contains an invalid value: %v", err) @@ -126,3 +204,12 @@ func (a rewrite) Parse(ing *networking.Ingress) (interface{}, error) { return config, nil } + +func (a rewrite) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a rewrite) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, rewriteAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/rewrite/main_test.go b/internal/ingress/annotations/rewrite/main_test.go index c2cb42c78..6b97d2e01 100644 --- a/internal/ingress/annotations/rewrite/main_test.go +++ b/internal/ingress/annotations/rewrite/main_test.go @@ -129,6 +129,30 @@ func TestSSLRedirect(t *testing.T) { t.Errorf("Expected true but returned false") } + data[parser.GetAnnotationWithPrefix("rewrite-target")] = "/xpto/$1/abc/$2" + ing.SetAnnotations(data) + + i, _ = NewParser(mockBackend{redirect: true}).Parse(ing) + redirect, ok = i.(*Config) + if !ok { + t.Errorf("expected a Redirect type") + } + if redirect.Target != "/xpto/$1/abc/$2" { + t.Errorf("Expected /xpto/$1/abc/$2 but returned %s", redirect.Target) + } + + data[parser.GetAnnotationWithPrefix("rewrite-target")] = "/xpto/xas{445}" + ing.SetAnnotations(data) + + i, _ = NewParser(mockBackend{redirect: true}).Parse(ing) + redirect, ok = i.(*Config) + if !ok { + t.Errorf("expected a Redirect type") + } + if redirect.Target != "" { + t.Errorf("Expected empty rewrite target but returned %s", redirect.Target) + } + data[parser.GetAnnotationWithPrefix("ssl-redirect")] = "false" ing.SetAnnotations(data) diff --git a/internal/ingress/annotations/satisfy/main.go b/internal/ingress/annotations/satisfy/main.go index 0d4fd4ff6..45187fe5c 100644 --- a/internal/ingress/annotations/satisfy/main.go +++ b/internal/ingress/annotations/satisfy/main.go @@ -23,18 +23,40 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + satisfyAnnotation = "satisfy" +) + +var satisfyAnnotations = parser.Annotation{ + Group: "authentication", + Annotations: parser.AnnotationFields{ + satisfyAnnotation: { + Validator: parser.ValidateOptions([]string{"any", "all"}, true, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `By default, a request would need to satisfy all authentication requirements in order to be allowed. + By using this annotation, requests that satisfy either any or all authentication requirements are allowed, based on the configuration value. + Valid options are "all" and "any"`, + }, + }, +} + type satisfy struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new SATISFY annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return satisfy{r} + return satisfy{ + r: r, + annotationConfig: satisfyAnnotations, + } } // Parse parses annotation contained in the ingress func (s satisfy) Parse(ing *networking.Ingress) (interface{}, error) { - satisfy, err := parser.GetStringAnnotation("satisfy", ing) + satisfy, err := parser.GetStringAnnotation(satisfyAnnotation, ing, s.annotationConfig.Annotations) if err != nil || (satisfy != "any" && satisfy != "all") { satisfy = "" @@ -42,3 +64,12 @@ func (s satisfy) Parse(ing *networking.Ingress) (interface{}, error) { return satisfy, nil } + +func (s satisfy) GetDocumentation() parser.AnnotationFields { + return s.annotationConfig.Annotations +} + +func (a satisfy) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, satisfyAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/satisfy/main_test.go b/internal/ingress/annotations/satisfy/main_test.go index b45205d9f..c8d5782f9 100644 --- a/internal/ingress/annotations/satisfy/main_test.go +++ b/internal/ingress/annotations/satisfy/main_test.go @@ -83,7 +83,7 @@ func TestSatisfyParser(t *testing.T) { annotations := map[string]string{} for input, expected := range data { - annotations[parser.GetAnnotationWithPrefix("satisfy")] = input + annotations[parser.GetAnnotationWithPrefix(satisfyAnnotation)] = input ing.SetAnnotations(annotations) satisfyt, err := NewParser(&resolver.Mock{}).Parse(ing) diff --git a/internal/ingress/annotations/serversnippet/main.go b/internal/ingress/annotations/serversnippet/main.go index 70f0af8e5..aa15608d0 100644 --- a/internal/ingress/annotations/serversnippet/main.go +++ b/internal/ingress/annotations/serversnippet/main.go @@ -23,18 +23,47 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + serverSnippetAnnotation = "server-snippet" +) + +var serverSnippetAnnotations = parser.Annotation{ + Group: "snippets", + Annotations: parser.AnnotationFields{ + serverSnippetAnnotation: { + Validator: parser.ValidateNull, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskCritical, // Critical, this annotation is not validated at all and allows arbitrary configutations + Documentation: `This annotation allows setting a custom NGINX configuration on a server block. This annotation does not contain any validation and it's usage is not recommended!`, + }, + }, +} + type serverSnippet struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new server snippet annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return serverSnippet{r} + return serverSnippet{ + r: r, + annotationConfig: serverSnippetAnnotations, + } } // Parse parses the annotations contained in the ingress rule // used to indicate if the location/s contains a fragment of // configuration to be included inside the paths of the rules func (a serverSnippet) Parse(ing *networking.Ingress) (interface{}, error) { - return parser.GetStringAnnotation("server-snippet", ing) + return parser.GetStringAnnotation(serverSnippetAnnotation, ing, a.annotationConfig.Annotations) +} + +func (a serverSnippet) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a serverSnippet) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, serverSnippetAnnotations.Annotations) } diff --git a/internal/ingress/annotations/serversnippet/main_test.go b/internal/ingress/annotations/serversnippet/main_test.go index c9e0979ad..601e11a42 100644 --- a/internal/ingress/annotations/serversnippet/main_test.go +++ b/internal/ingress/annotations/serversnippet/main_test.go @@ -27,7 +27,7 @@ import ( ) func TestParse(t *testing.T) { - annotation := parser.GetAnnotationWithPrefix("server-snippet") + annotation := parser.GetAnnotationWithPrefix(serverSnippetAnnotation) ap := NewParser(&resolver.Mock{}) if ap == nil { diff --git a/internal/ingress/annotations/serviceupstream/main.go b/internal/ingress/annotations/serviceupstream/main.go index 4a4879682..e662f73c3 100644 --- a/internal/ingress/annotations/serviceupstream/main.go +++ b/internal/ingress/annotations/serviceupstream/main.go @@ -24,19 +24,39 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + serviceUpstreamAnnotation = "service-upstream" +) + +var serviceUpstreamAnnotations = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + serviceUpstreamAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, // Critical, this annotation is not validated at all and allows arbitrary configutations + Documentation: `This annotation makes NGINX use Service's Cluster IP and Port instead of Endpoints as the backend endpoints`, + }, + }, +} + type serviceUpstream struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new serviceUpstream annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return serviceUpstream{r} + return serviceUpstream{ + r: r, + annotationConfig: serviceUpstreamAnnotations, + } } func (s serviceUpstream) Parse(ing *networking.Ingress) (interface{}, error) { defBackend := s.r.GetDefaultBackend() - val, err := parser.GetBoolAnnotation("service-upstream", ing) + val, err := parser.GetBoolAnnotation(serviceUpstreamAnnotation, ing, s.annotationConfig.Annotations) // A missing annotation is not a problem, just use the default if err == errors.ErrMissingAnnotations { return defBackend.ServiceUpstream, nil @@ -44,3 +64,12 @@ func (s serviceUpstream) Parse(ing *networking.Ingress) (interface{}, error) { return val, nil } + +func (s serviceUpstream) GetDocumentation() parser.AnnotationFields { + return s.annotationConfig.Annotations +} + +func (a serviceUpstream) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, serviceUpstreamAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/serviceupstream/main_test.go b/internal/ingress/annotations/serviceupstream/main_test.go index b773e9723..2751208ec 100644 --- a/internal/ingress/annotations/serviceupstream/main_test.go +++ b/internal/ingress/annotations/serviceupstream/main_test.go @@ -74,7 +74,7 @@ func TestIngressAnnotationServiceUpstreamEnabled(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("service-upstream")] = "true" + data[parser.GetAnnotationWithPrefix(serviceUpstreamAnnotation)] = "true" ing.SetAnnotations(data) val, _ := NewParser(&resolver.Mock{}).Parse(ing) @@ -93,7 +93,7 @@ func TestIngressAnnotationServiceUpstreamSetFalse(t *testing.T) { // Test with explicitly set to false data := map[string]string{} - data[parser.GetAnnotationWithPrefix("service-upstream")] = "false" + data[parser.GetAnnotationWithPrefix(serviceUpstreamAnnotation)] = "false" ing.SetAnnotations(data) val, _ := NewParser(&resolver.Mock{}).Parse(ing) @@ -155,7 +155,7 @@ func TestParseAnnotationsOverridesDefaultConfig(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("service-upstream")] = "false" + data[parser.GetAnnotationWithPrefix(serviceUpstreamAnnotation)] = "false" ing.SetAnnotations(data) val, _ := NewParser(mockBackend{}).Parse(ing) diff --git a/internal/ingress/annotations/sessionaffinity/main.go b/internal/ingress/annotations/sessionaffinity/main.go index 98a0d64f8..0a4a59dbc 100644 --- a/internal/ingress/annotations/sessionaffinity/main.go +++ b/internal/ingress/annotations/sessionaffinity/main.go @@ -65,6 +65,90 @@ const ( annotationAffinityCookieChangeOnFailure = "session-cookie-change-on-failure" ) +var sessionAffinityAnnotations = parser.Annotation{ + Group: "affinity", + Annotations: parser.AnnotationFields{ + annotationAffinityType: { + Validator: parser.ValidateOptions([]string{"cookie"}, true, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables and sets the affinity type in all Upstreams of an Ingress. This way, a request will always be directed to the same upstream server. The only affinity type available for NGINX is cookie`, + }, + annotationAffinityMode: { + Validator: parser.ValidateOptions([]string{"balanced", "persistent"}, true, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation defines the stickiness of a session. + Setting this to balanced (default) will redistribute some sessions if a deployment gets scaled up, therefore rebalancing the load on the servers. + Setting this to persistent will not rebalance sessions to new servers, therefore providing maximum stickiness.`, + }, + annotationAffinityCanaryBehavior: { + Validator: parser.ValidateOptions([]string{"sticky", "legacy"}, true, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation defines the behavior of canaries when session affinity is enabled. + Setting this to sticky (default) will ensure that users that were served by canaries, will continue to be served by canaries. + Setting this to legacy will restore original canary behavior, when session affinity was ignored.`, + }, + annotationAffinityCookieName: { + Validator: parser.ValidateRegex(*parser.BasicCharsRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation allows to specify the name of the cookie that will be used to route the requests`, + }, + annotationAffinityCookieSecure: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation set the cookie as secure regardless the protocol of the incoming request`, + }, + annotationAffinityCookieExpires: { + Validator: parser.ValidateRegex(*affinityCookieExpiresRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation is a legacy version of "session-cookie-max-age" for compatibility with older browsers, generates an "Expires" cookie directive by adding the seconds to the current date`, + }, + annotationAffinityCookieMaxAge: { + Validator: parser.ValidateRegex(*affinityCookieExpiresRegex, false), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation sets the time until the cookie expires`, + }, + annotationAffinityCookiePath: { + Validator: parser.ValidateRegex(*parser.URLIsValidRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation defines the Path that will be set on the cookie (required if your Ingress paths use regular expressions)`, + }, + annotationAffinityCookieDomain: { + Validator: parser.ValidateRegex(*parser.BasicCharsRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation defines the Domain attribute of the sticky cookie.`, + }, + annotationAffinityCookieSameSite: { + Validator: parser.ValidateOptions([]string{"None", "Lax", "Strict"}, false, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation is used to apply a SameSite attribute to the sticky cookie. + Browser accepted values are None, Lax, and Strict`, + }, + annotationAffinityCookieConditionalSameSiteNone: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation is used to omit SameSite=None from browsers with SameSite attribute incompatibilities`, + }, + annotationAffinityCookieChangeOnFailure: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation, when set to false will send request to upstream pointed by sticky cookie even if previous attempt failed. + When set to true and previous attempt failed, sticky cookie will be changed to point to another upstream.`, + }, + }, +} + var ( affinityCookieExpiresRegex = regexp.MustCompile(`(^0|-?[1-9]\d*$)`) ) @@ -109,50 +193,50 @@ func (a affinity) cookieAffinityParse(ing *networking.Ingress) *Cookie { cookie := &Cookie{} - cookie.Name, err = parser.GetStringAnnotation(annotationAffinityCookieName, ing) + cookie.Name, err = parser.GetStringAnnotation(annotationAffinityCookieName, ing, a.annotationConfig.Annotations) if err != nil { klog.V(3).InfoS("Invalid or no annotation value found. Ignoring", "ingress", klog.KObj(ing), "annotation", annotationAffinityCookieName, "default", defaultAffinityCookieName) cookie.Name = defaultAffinityCookieName } - cookie.Expires, err = parser.GetStringAnnotation(annotationAffinityCookieExpires, ing) + cookie.Expires, err = parser.GetStringAnnotation(annotationAffinityCookieExpires, ing, a.annotationConfig.Annotations) if err != nil || !affinityCookieExpiresRegex.MatchString(cookie.Expires) { klog.V(3).InfoS("Invalid or no annotation value found. Ignoring", "ingress", klog.KObj(ing), "annotation", annotationAffinityCookieExpires) cookie.Expires = "" } - cookie.MaxAge, err = parser.GetStringAnnotation(annotationAffinityCookieMaxAge, ing) + cookie.MaxAge, err = parser.GetStringAnnotation(annotationAffinityCookieMaxAge, ing, a.annotationConfig.Annotations) if err != nil || !affinityCookieExpiresRegex.MatchString(cookie.MaxAge) { klog.V(3).InfoS("Invalid or no annotation value found. Ignoring", "ingress", klog.KObj(ing), "annotation", annotationAffinityCookieMaxAge) cookie.MaxAge = "" } - cookie.Path, err = parser.GetStringAnnotation(annotationAffinityCookiePath, ing) + cookie.Path, err = parser.GetStringAnnotation(annotationAffinityCookiePath, ing, a.annotationConfig.Annotations) if err != nil { klog.V(3).InfoS("Invalid or no annotation value found. Ignoring", "ingress", klog.KObj(ing), "annotation", annotationAffinityCookiePath) } - cookie.Domain, err = parser.GetStringAnnotation(annotationAffinityCookieDomain, ing) + cookie.Domain, err = parser.GetStringAnnotation(annotationAffinityCookieDomain, ing, a.annotationConfig.Annotations) if err != nil { klog.V(3).InfoS("Invalid or no annotation value found. Ignoring", "ingress", klog.KObj(ing), "annotation", annotationAffinityCookieDomain) } - cookie.SameSite, err = parser.GetStringAnnotation(annotationAffinityCookieSameSite, ing) + cookie.SameSite, err = parser.GetStringAnnotation(annotationAffinityCookieSameSite, ing, a.annotationConfig.Annotations) if err != nil { klog.V(3).InfoS("Invalid or no annotation value found. Ignoring", "ingress", klog.KObj(ing), "annotation", annotationAffinityCookieSameSite) } - cookie.Secure, err = parser.GetBoolAnnotation(annotationAffinityCookieSecure, ing) + cookie.Secure, err = parser.GetBoolAnnotation(annotationAffinityCookieSecure, ing, a.annotationConfig.Annotations) if err != nil { klog.V(3).InfoS("Invalid or no annotation value found. Ignoring", "ingress", klog.KObj(ing), "annotation", annotationAffinityCookieSecure) } - cookie.ConditionalSameSiteNone, err = parser.GetBoolAnnotation(annotationAffinityCookieConditionalSameSiteNone, ing) + cookie.ConditionalSameSiteNone, err = parser.GetBoolAnnotation(annotationAffinityCookieConditionalSameSiteNone, ing, a.annotationConfig.Annotations) if err != nil { klog.V(3).InfoS("Invalid or no annotation value found. Ignoring", "ingress", klog.KObj(ing), "annotation", annotationAffinityCookieConditionalSameSiteNone) } - cookie.ChangeOnFailure, err = parser.GetBoolAnnotation(annotationAffinityCookieChangeOnFailure, ing) + cookie.ChangeOnFailure, err = parser.GetBoolAnnotation(annotationAffinityCookieChangeOnFailure, ing, a.annotationConfig.Annotations) if err != nil { klog.V(3).InfoS("Invalid or no annotation value found. Ignoring", "ingress", klog.KObj(ing), "annotation", annotationAffinityCookieChangeOnFailure) } @@ -162,11 +246,15 @@ func (a affinity) cookieAffinityParse(ing *networking.Ingress) *Cookie { // NewParser creates a new Affinity annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return affinity{r} + return affinity{ + r: r, + annotationConfig: sessionAffinityAnnotations, + } } type affinity struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // ParseAnnotations parses the annotations contained in the ingress @@ -174,18 +262,18 @@ type affinity struct { func (a affinity) Parse(ing *networking.Ingress) (interface{}, error) { cookie := &Cookie{} // Check the type of affinity that will be used - at, err := parser.GetStringAnnotation(annotationAffinityType, ing) + at, err := parser.GetStringAnnotation(annotationAffinityType, ing, a.annotationConfig.Annotations) if err != nil { at = "" } // Check the affinity mode that will be used - am, err := parser.GetStringAnnotation(annotationAffinityMode, ing) + am, err := parser.GetStringAnnotation(annotationAffinityMode, ing, a.annotationConfig.Annotations) if err != nil { am = "" } - cb, err := parser.GetStringAnnotation(annotationAffinityCanaryBehavior, ing) + cb, err := parser.GetStringAnnotation(annotationAffinityCanaryBehavior, ing, a.annotationConfig.Annotations) if err != nil { cb = "" } @@ -205,3 +293,12 @@ func (a affinity) Parse(ing *networking.Ingress) (interface{}, error) { Cookie: *cookie, }, nil } + +func (a affinity) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a affinity) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, sessionAffinityAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/snippet/main.go b/internal/ingress/annotations/snippet/main.go index 93ec70cf9..2406093c5 100644 --- a/internal/ingress/annotations/snippet/main.go +++ b/internal/ingress/annotations/snippet/main.go @@ -23,18 +23,47 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + configurationSnippetAnnotation = "configuration-snippet" +) + +var configurationSnippetAnnotations = parser.Annotation{ + Group: "snippets", + Annotations: parser.AnnotationFields{ + configurationSnippetAnnotation: { + Validator: parser.ValidateNull, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskCritical, // Critical, this annotation is not validated at all and allows arbitrary configutations + Documentation: `This annotation allows setting a custom NGINX configuration on a location block. This annotation does not contain any validation and it's usage is not recommended!`, + }, + }, +} + type snippet struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new CORS annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return snippet{r} + return snippet{ + r: r, + annotationConfig: configurationSnippetAnnotations, + } } // Parse parses the annotations contained in the ingress rule // used to indicate if the location/s contains a fragment of // configuration to be included inside the paths of the rules func (a snippet) Parse(ing *networking.Ingress) (interface{}, error) { - return parser.GetStringAnnotation("configuration-snippet", ing) + return parser.GetStringAnnotation(configurationSnippetAnnotation, ing, a.annotationConfig.Annotations) +} + +func (a snippet) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a snippet) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, configurationSnippetAnnotations.Annotations) } diff --git a/internal/ingress/annotations/snippet/main_test.go b/internal/ingress/annotations/snippet/main_test.go index 0defc3c1f..921afeea8 100644 --- a/internal/ingress/annotations/snippet/main_test.go +++ b/internal/ingress/annotations/snippet/main_test.go @@ -27,7 +27,7 @@ import ( ) func TestParse(t *testing.T) { - annotation := parser.GetAnnotationWithPrefix("configuration-snippet") + annotation := parser.GetAnnotationWithPrefix(configurationSnippetAnnotation) ap := NewParser(&resolver.Mock{}) if ap == nil { diff --git a/internal/ingress/annotations/sslcipher/main.go b/internal/ingress/annotations/sslcipher/main.go index e4e5baad2..c30f12424 100644 --- a/internal/ingress/annotations/sslcipher/main.go +++ b/internal/ingress/annotations/sslcipher/main.go @@ -17,14 +17,47 @@ limitations under the License. package sslcipher import ( + "regexp" + networking "k8s.io/api/networking/v1" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + sslPreferServerCipherAnnotation = "ssl-prefer-server-ciphers" + sslCipherAnnotation = "ssl-ciphers" +) + +var ( + // Should cover something like "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP" + regexValidSSLCipher = regexp.MustCompile(`^[A-Za-z0-9!:+\-]*$`) +) + +var sslCipherAnnotations = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + sslPreferServerCipherAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `The following annotation will set the ssl_prefer_server_ciphers directive at the server level. + This configuration specifies that server ciphers should be preferred over client ciphers when using the SSLv3 and TLS protocols.`, + }, + sslCipherAnnotation: { + Validator: parser.ValidateRegex(*regexValidSSLCipher, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `Using this annotation will set the ssl_ciphers directive at the server level. This configuration is active for all the paths in the host.`, + }, + }, +} + type sslCipher struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // Config contains the ssl-ciphers & ssl-prefer-server-ciphers configuration @@ -35,7 +68,10 @@ type Config struct { // NewParser creates a new sslCipher annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return sslCipher{r} + return sslCipher{ + r: r, + annotationConfig: sslCipherAnnotations, + } } // Parse parses the annotations contained in the ingress rule @@ -45,7 +81,7 @@ func (sc sslCipher) Parse(ing *networking.Ingress) (interface{}, error) { var err error var sslPreferServerCiphers bool - sslPreferServerCiphers, err = parser.GetBoolAnnotation("ssl-prefer-server-ciphers", ing) + sslPreferServerCiphers, err = parser.GetBoolAnnotation(sslPreferServerCipherAnnotation, ing, sc.annotationConfig.Annotations) if err != nil { config.SSLPreferServerCiphers = "" } else { @@ -56,7 +92,19 @@ func (sc sslCipher) Parse(ing *networking.Ingress) (interface{}, error) { } } - config.SSLCiphers, _ = parser.GetStringAnnotation("ssl-ciphers", ing) + config.SSLCiphers, err = parser.GetStringAnnotation(sslCipherAnnotation, ing, sc.annotationConfig.Annotations) + if err != nil && !errors.IsInvalidContent(err) && !errors.IsMissingAnnotations(err) { + return config, err + } return config, nil } + +func (sc sslCipher) GetDocumentation() parser.AnnotationFields { + return sc.annotationConfig.Annotations +} + +func (a sslCipher) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, sslCipherAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/sslcipher/main_test.go b/internal/ingress/annotations/sslcipher/main_test.go index 6eb9ec0c2..ac6808e06 100644 --- a/internal/ingress/annotations/sslcipher/main_test.go +++ b/internal/ingress/annotations/sslcipher/main_test.go @@ -33,22 +33,24 @@ func TestParse(t *testing.T) { t.Fatalf("expected a parser.IngressAnnotation but returned nil") } - annotationSSLCiphers := parser.GetAnnotationWithPrefix("ssl-ciphers") - annotationSSLPreferServerCiphers := parser.GetAnnotationWithPrefix("ssl-prefer-server-ciphers") + annotationSSLCiphers := parser.GetAnnotationWithPrefix(sslCipherAnnotation) + annotationSSLPreferServerCiphers := parser.GetAnnotationWithPrefix(sslPreferServerCipherAnnotation) testCases := []struct { annotations map[string]string expected Config + expectErr bool }{ - {map[string]string{annotationSSLCiphers: "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"}, Config{"ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", ""}}, + {map[string]string{annotationSSLCiphers: "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"}, Config{"ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", ""}, false}, {map[string]string{annotationSSLCiphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"}, - Config{"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256", ""}}, - {map[string]string{annotationSSLCiphers: ""}, Config{"", ""}}, - {map[string]string{annotationSSLPreferServerCiphers: "true"}, Config{"", "on"}}, - {map[string]string{annotationSSLPreferServerCiphers: "false"}, Config{"", "off"}}, - {map[string]string{annotationSSLCiphers: "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", annotationSSLPreferServerCiphers: "true"}, Config{"ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", "on"}}, - {map[string]string{}, Config{"", ""}}, - {nil, Config{"", ""}}, + Config{"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256", ""}, false}, + {map[string]string{annotationSSLCiphers: ""}, Config{"", ""}, false}, + {map[string]string{annotationSSLPreferServerCiphers: "true"}, Config{"", "on"}, false}, + {map[string]string{annotationSSLPreferServerCiphers: "false"}, Config{"", "off"}, false}, + {map[string]string{annotationSSLCiphers: "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", annotationSSLPreferServerCiphers: "true"}, Config{"ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", "on"}, false}, + {map[string]string{annotationSSLCiphers: "ALL:SOMETHING:;locationXPTO"}, Config{"", ""}, true}, + {map[string]string{}, Config{"", ""}, false}, + {nil, Config{"", ""}, false}, } ing := &networking.Ingress{ @@ -61,7 +63,10 @@ func TestParse(t *testing.T) { for _, testCase := range testCases { ing.SetAnnotations(testCase.annotations) - result, _ := ap.Parse(ing) + result, err := ap.Parse(ing) + if (err != nil) != testCase.expectErr { + t.Fatalf("expected error: %t got error: %t err value: %s. %+v", testCase.expectErr, err != nil, err, testCase.annotations) + } if !reflect.DeepEqual(result, &testCase.expected) { t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) } diff --git a/internal/ingress/annotations/sslpassthrough/main.go b/internal/ingress/annotations/sslpassthrough/main.go index d1def7172..1557d4243 100644 --- a/internal/ingress/annotations/sslpassthrough/main.go +++ b/internal/ingress/annotations/sslpassthrough/main.go @@ -24,13 +24,32 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + sslPassthroughAnnotation = "ssl-passthrough" +) + +var sslPassthroughAnnotations = parser.Annotation{ + Group: "", // TBD + Annotations: parser.AnnotationFields{ + sslPassthroughAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, // Low, as it allows regexes but on a very limited set + Documentation: `This annotation instructs the controller to send TLS connections directly to the backend instead of letting NGINX decrypt the communication.`, + }, + }, +} + type sslpt struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new SSL passthrough annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return sslpt{r} + return sslpt{r: r, + annotationConfig: sslPassthroughAnnotations, + } } // ParseAnnotations parses the annotations contained in the ingress @@ -40,5 +59,14 @@ func (a sslpt) Parse(ing *networking.Ingress) (interface{}, error) { return false, ing_errors.ErrMissingAnnotations } - return parser.GetBoolAnnotation("ssl-passthrough", ing) + return parser.GetBoolAnnotation(sslPassthroughAnnotation, ing, a.annotationConfig.Annotations) +} + +func (a sslpt) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a sslpt) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, sslPassthroughAnnotations.Annotations) } diff --git a/internal/ingress/annotations/sslpassthrough/main_test.go b/internal/ingress/annotations/sslpassthrough/main_test.go index 5cf2f979a..b712fda19 100644 --- a/internal/ingress/annotations/sslpassthrough/main_test.go +++ b/internal/ingress/annotations/sslpassthrough/main_test.go @@ -54,7 +54,7 @@ func TestParseAnnotations(t *testing.T) { } data := map[string]string{} - data[parser.GetAnnotationWithPrefix("ssl-passthrough")] = "true" + data[parser.GetAnnotationWithPrefix(sslPassthroughAnnotation)] = "true" ing.SetAnnotations(data) // test ingress using the annotation without a TLS section _, err = NewParser(&resolver.Mock{}).Parse(ing) diff --git a/internal/ingress/annotations/streamsnippet/main.go b/internal/ingress/annotations/streamsnippet/main.go index fb22f754c..71ff3b140 100644 --- a/internal/ingress/annotations/streamsnippet/main.go +++ b/internal/ingress/annotations/streamsnippet/main.go @@ -23,18 +23,47 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + streamSnippetAnnotation = "stream-snippet" +) + +var streamSnippetAnnotations = parser.Annotation{ + Group: "snippets", + Annotations: parser.AnnotationFields{ + streamSnippetAnnotation: { + Validator: parser.ValidateNull, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskCritical, // Critical, this annotation is not validated at all and allows arbitrary configutations + Documentation: `This annotation allows setting a custom NGINX configuration on a stream block. This annotation does not contain any validation and it's usage is not recommended!`, + }, + }, +} + type streamSnippet struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new server snippet annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return streamSnippet{r} + return streamSnippet{ + r: r, + annotationConfig: streamSnippetAnnotations, + } } // Parse parses the annotations contained in the ingress rule // used to indicate if the location/s contains a fragment of // configuration to be included inside the paths of the rules func (a streamSnippet) Parse(ing *networking.Ingress) (interface{}, error) { - return parser.GetStringAnnotation("stream-snippet", ing) + return parser.GetStringAnnotation("stream-snippet", ing, a.annotationConfig.Annotations) +} + +func (a streamSnippet) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a streamSnippet) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, streamSnippetAnnotations.Annotations) } diff --git a/internal/ingress/annotations/streamsnippet/main_test.go b/internal/ingress/annotations/streamsnippet/main_test.go index 0b8e3e3aa..997b7be70 100644 --- a/internal/ingress/annotations/streamsnippet/main_test.go +++ b/internal/ingress/annotations/streamsnippet/main_test.go @@ -27,7 +27,7 @@ import ( ) func TestParse(t *testing.T) { - annotation := parser.GetAnnotationWithPrefix("stream-snippet") + annotation := parser.GetAnnotationWithPrefix(streamSnippetAnnotation) ap := NewParser(&resolver.Mock{}) if ap == nil { diff --git a/internal/ingress/annotations/upstreamhashby/main.go b/internal/ingress/annotations/upstreamhashby/main.go index e6bbca6c3..bc07f70fb 100644 --- a/internal/ingress/annotations/upstreamhashby/main.go +++ b/internal/ingress/annotations/upstreamhashby/main.go @@ -17,14 +17,54 @@ limitations under the License. package upstreamhashby import ( + "regexp" + networking "k8s.io/api/networking/v1" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + upstreamHashByAnnotation = "upstream-hash-by" + upstreamHashBySubsetAnnotation = "upstream-hash-by-subset" + upstreamHashBySubsetSize = "upstream-hash-by-subset-size" +) + +var ( + specialChars = regexp.QuoteMeta("_${}") + hashByRegex = regexp.MustCompilePOSIX(`^[A-Za-z0-9\-` + specialChars + `]*$`) +) + +var upstreamHashByAnnotations = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + upstreamHashByAnnotation: { + Validator: parser.ValidateRegex(*hashByRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskHigh, // High, this annotation allows accessing NGINX variables + Documentation: `This annotation defines the nginx variable, text value or any combination thereof to use for consistent hashing. + For example: nginx.ingress.kubernetes.io/upstream-hash-by: "$request_uri" or nginx.ingress.kubernetes.io/upstream-hash-by: "$request_uri$host" or nginx.ingress.kubernetes.io/upstream-hash-by: "${request_uri}-text-value" to consistently hash upstream requests by the current request URI.`, + }, + upstreamHashBySubsetAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation maps requests to subset of nodes instead of a single one.`, + }, + upstreamHashBySubsetSize: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation determines the size of each subset (default 3)`, + }, + }, +} + type upstreamhashby struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // Config contains the Consistent hash configuration to be used in the Ingress @@ -36,14 +76,26 @@ type Config struct { // NewParser creates a new UpstreamHashBy annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return upstreamhashby{r} + return upstreamhashby{ + r: r, + annotationConfig: upstreamHashByAnnotations, + } } // Parse parses the annotations contained in the ingress rule func (a upstreamhashby) Parse(ing *networking.Ingress) (interface{}, error) { - upstreamHashBy, _ := parser.GetStringAnnotation("upstream-hash-by", ing) - upstreamHashBySubset, _ := parser.GetBoolAnnotation("upstream-hash-by-subset", ing) - upstreamHashbySubsetSize, _ := parser.GetIntAnnotation("upstream-hash-by-subset-size", ing) + upstreamHashBy, err := parser.GetStringAnnotation(upstreamHashByAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && !errors.IsMissingAnnotations(err) { + return nil, err + } + upstreamHashBySubset, err := parser.GetBoolAnnotation(upstreamHashBySubsetAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && !errors.IsMissingAnnotations(err) { + return nil, err + } + upstreamHashbySubsetSize, err := parser.GetIntAnnotation(upstreamHashBySubsetSize, ing, a.annotationConfig.Annotations) + if err != nil && !errors.IsMissingAnnotations(err) { + return nil, err + } if upstreamHashbySubsetSize == 0 { upstreamHashbySubsetSize = 3 @@ -51,3 +103,12 @@ func (a upstreamhashby) Parse(ing *networking.Ingress) (interface{}, error) { return &Config{upstreamHashBy, upstreamHashBySubset, upstreamHashbySubsetSize}, nil } + +func (a upstreamhashby) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a upstreamhashby) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, upstreamHashByAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/upstreamhashby/main_test.go b/internal/ingress/annotations/upstreamhashby/main_test.go index d2c2644ca..bdbd9c350 100644 --- a/internal/ingress/annotations/upstreamhashby/main_test.go +++ b/internal/ingress/annotations/upstreamhashby/main_test.go @@ -27,7 +27,7 @@ import ( ) func TestParse(t *testing.T) { - annotation := parser.GetAnnotationWithPrefix("upstream-hash-by") + annotation := parser.GetAnnotationWithPrefix(upstreamHashByAnnotation) ap := NewParser(&resolver.Mock{}) if ap == nil { @@ -37,12 +37,15 @@ func TestParse(t *testing.T) { testCases := []struct { annotations map[string]string expected string + expectErr bool }{ - {map[string]string{annotation: "$request_uri"}, "$request_uri"}, - {map[string]string{annotation: "$request_uri$scheme"}, "$request_uri$scheme"}, - {map[string]string{annotation: "false"}, "false"}, - {map[string]string{}, ""}, - {nil, ""}, + {map[string]string{annotation: "$request_URI"}, "$request_URI", false}, + {map[string]string{annotation: "$request_uri$scheme"}, "$request_uri$scheme", false}, + {map[string]string{annotation: "xpto;[]"}, "", true}, + {map[string]string{annotation: "lalal${scheme_test}"}, "lalal${scheme_test}", false}, + {map[string]string{annotation: "false"}, "false", false}, + {map[string]string{}, "", false}, + {nil, "", false}, } ing := &networking.Ingress{ @@ -55,14 +58,19 @@ func TestParse(t *testing.T) { for _, testCase := range testCases { ing.SetAnnotations(testCase.annotations) - result, _ := ap.Parse(ing) - uc, ok := result.(*Config) - if !ok { - t.Fatalf("expected a Config type") + result, err := ap.Parse(ing) + if (err != nil) != testCase.expectErr { + t.Fatalf("expected error: %t got error: %t err value: %s. %+v", testCase.expectErr, err != nil, err, testCase.annotations) } + if !testCase.expectErr { + uc, ok := result.(*Config) + if !ok { + t.Fatalf("expected a Config type") + } - if uc.UpstreamHashBy != testCase.expected { - t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) + if uc.UpstreamHashBy != testCase.expected { + t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) + } } } } diff --git a/internal/ingress/annotations/upstreamvhost/main.go b/internal/ingress/annotations/upstreamvhost/main.go index 2eed5607e..052ca2344 100644 --- a/internal/ingress/annotations/upstreamvhost/main.go +++ b/internal/ingress/annotations/upstreamvhost/main.go @@ -23,18 +23,48 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + upstreamVhostAnnotation = "upstream-vhost" +) + +var upstreamVhostAnnotations = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + upstreamVhostAnnotation: { + Validator: parser.ValidateServerName, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows regexes but on a very limited set + Documentation: `This configuration setting allows you to control the value for host in the following statement: proxy_set_header Host $host, which forms part of the location block. + This is useful if you need to call the upstream server by something other than $host`, + }, + }, +} + type upstreamVhost struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new upstream VHost annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return upstreamVhost{r} + return upstreamVhost{ + r: r, + annotationConfig: upstreamVhostAnnotations, + } } // Parse parses the annotations contained in the ingress rule // used to indicate if the location/s contains a fragment of // configuration to be included inside the paths of the rules func (a upstreamVhost) Parse(ing *networking.Ingress) (interface{}, error) { - return parser.GetStringAnnotation("upstream-vhost", ing) + return parser.GetStringAnnotation(upstreamVhostAnnotation, ing, a.annotationConfig.Annotations) +} + +func (a upstreamVhost) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a upstreamVhost) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, upstreamVhostAnnotations.Annotations) } diff --git a/internal/ingress/annotations/upstreamvhost/main_test.go b/internal/ingress/annotations/upstreamvhost/main_test.go index 130d745ee..87324b181 100644 --- a/internal/ingress/annotations/upstreamvhost/main_test.go +++ b/internal/ingress/annotations/upstreamvhost/main_test.go @@ -36,7 +36,7 @@ func TestParse(t *testing.T) { } data := map[string]string{} - data[parser.GetAnnotationWithPrefix("upstream-vhost")] = "ok.com" + data[parser.GetAnnotationWithPrefix(upstreamVhostAnnotation)] = "ok.com" ing.SetAnnotations(data) diff --git a/internal/ingress/annotations/xforwardedprefix/main.go b/internal/ingress/annotations/xforwardedprefix/main.go index 60eed8773..fc4d5798d 100644 --- a/internal/ingress/annotations/xforwardedprefix/main.go +++ b/internal/ingress/annotations/xforwardedprefix/main.go @@ -23,17 +23,46 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + xForwardedForPrefixAnnotation = "x-forwarded-prefix" +) + +var xForwardedForAnnotations = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + xForwardedForPrefixAnnotation: { + Validator: parser.ValidateRegex(*parser.BasicCharsRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows regexes but on a very limited set + Documentation: `This annotation can be used to add the non-standard X-Forwarded-Prefix header to the upstream request with a string value`, + }, + }, +} + type xforwardedprefix struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new xforwardedprefix annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return xforwardedprefix{r} + return xforwardedprefix{ + r: r, + annotationConfig: xForwardedForAnnotations, + } } // Parse parses the annotations contained in the ingress rule // used to add an x-forwarded-prefix header to the request func (cbbs xforwardedprefix) Parse(ing *networking.Ingress) (interface{}, error) { - return parser.GetStringAnnotation("x-forwarded-prefix", ing) + return parser.GetStringAnnotation(xForwardedForPrefixAnnotation, ing, cbbs.annotationConfig.Annotations) +} + +func (cbbs xforwardedprefix) GetDocumentation() parser.AnnotationFields { + return cbbs.annotationConfig.Annotations +} + +func (a xforwardedprefix) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, xForwardedForAnnotations.Annotations) } diff --git a/internal/ingress/annotations/xforwardedprefix/main_test.go b/internal/ingress/annotations/xforwardedprefix/main_test.go index a78c63d04..d873a4412 100644 --- a/internal/ingress/annotations/xforwardedprefix/main_test.go +++ b/internal/ingress/annotations/xforwardedprefix/main_test.go @@ -27,7 +27,7 @@ import ( ) func TestParse(t *testing.T) { - annotation := parser.GetAnnotationWithPrefix("x-forwarded-prefix") + annotation := parser.GetAnnotationWithPrefix(xForwardedForPrefixAnnotation) ap := NewParser(&resolver.Mock{}) if ap == nil { t.Fatalf("expected a parser.IngressAnnotation but returned nil") diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go index 345ce89b4..6e78964ed 100644 --- a/internal/ingress/controller/config/config.go +++ b/internal/ingress/controller/config/config.go @@ -97,6 +97,17 @@ type Configuration struct { // If disabled, only snippets added via ConfigMap are added to ingress. AllowSnippetAnnotations bool `json:"allow-snippet-annotations"` + // AllowCrossNamespaceResources enables users to consume cross namespace resource on annotations + // Case disabled, attempts to use secrets or configmaps from a namespace different from Ingress will + // be denied + // This value will default to `false` on future releases + AllowCrossNamespaceResources bool `json:"allow-cross-namespace-resources"` + + // AnnotationsRiskLevel represents the risk accepted on an annotation. If the risk is, for instance `Medium`, annotations + // with risk High and Critical will not be accepted. + // Default Risk is Critical by default, but this may be changed in future releases + AnnotationsRiskLevel string `json:"annotations-risk-level"` + // AnnotationValueWordBlocklist defines words that should not be part of an user annotation value // (can be used to run arbitrary code or configs, for example) and that should be dropped. // This list should be separated by "," character @@ -708,7 +719,7 @@ type Configuration struct { // DatadogSampleRate specifies sample rate for any traces created. // Default: use a dynamic rate instead - DatadogSampleRate *float32 `json:"datadog-sample-rate",omitempty` + DatadogSampleRate *float32 `json:"datadog-sample-rate,omitempty"` // MainSnippet adds custom configuration to the main section of the nginx configuration MainSnippet string `json:"main-snippet"` @@ -853,8 +864,10 @@ func NewDefault() Configuration { cfg := Configuration{ AllowSnippetAnnotations: true, + AllowCrossNamespaceResources: true, AllowBackendServerHeader: false, AnnotationValueWordBlocklist: "", + AnnotationsRiskLevel: "Critical", AccessLogPath: "/var/log/nginx/access.log", AccessLogParams: "", EnableAccessLogForDefaultBackend: false, diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index 4a4417130..7dc1a5292 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -389,14 +389,19 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error { toCheck.ObjectMeta.Name == ing.ObjectMeta.Name } ings := store.FilterIngresses(allIngresses, filter) + parsed, err := annotations.NewAnnotationExtractor(n.store).Extract(ing) + if err != nil { + n.metricCollector.IncCheckErrorCount(ing.ObjectMeta.Namespace, ing.Name) + return err + } ings = append(ings, &ingress.Ingress{ Ingress: *ing, - ParsedAnnotations: annotations.NewAnnotationExtractor(n.store).Extract(ing), + ParsedAnnotations: parsed, }) startTest := time.Now().UnixNano() / 1000000 _, servers, pcfg := n.getConfiguration(ings) - err := checkOverlap(ing, allIngresses, servers) + err = checkOverlap(ing, allIngresses, servers) if err != nil { n.metricCollector.IncCheckErrorCount(ing.ObjectMeta.Namespace, ing.Name) return err @@ -1509,7 +1514,7 @@ func locationApplyAnnotations(loc *ingress.Location, anns *annotations.Ingress) loc.Rewrite = anns.Rewrite loc.UpstreamVhost = anns.UpstreamVhost loc.Denylist = anns.Denylist - loc.Whitelist = anns.Whitelist + loc.Allowlist = anns.Allowlist loc.Denied = anns.Denied loc.XForwardedPrefix = anns.XForwardedPrefix loc.UsePortInRedirects = anns.UsePortInRedirects @@ -1808,9 +1813,9 @@ func checkOverlap(ing *networking.Ingress, ingresses []*ingress.Ingress, servers } // path overlap. Check if one of the ingresses has a canary annotation - isCanaryEnabled, annotationErr := parser.GetBoolAnnotation("canary", ing) + isCanaryEnabled, annotationErr := parser.GetBoolAnnotation("canary", ing, canary.CanaryAnnotations.Annotations) for _, existing := range existingIngresses { - isExistingCanaryEnabled, existingAnnotationErr := parser.GetBoolAnnotation("canary", existing) + isExistingCanaryEnabled, existingAnnotationErr := parser.GetBoolAnnotation("canary", existing, canary.CanaryAnnotations.Annotations) if isCanaryEnabled && isExistingCanaryEnabled { return fmt.Errorf(`host "%s" and path "%s" is already defined in ingress %s/%s`, rule.Host, path.Path, existing.Namespace, existing.Name) diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go index 44184f6b9..c353d1b5e 100644 --- a/internal/ingress/controller/controller_test.go +++ b/internal/ingress/controller/controller_test.go @@ -44,7 +44,7 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations" "k8s.io/ingress-nginx/internal/ingress/annotations/canary" - "k8s.io/ingress-nginx/internal/ingress/annotations/ipwhitelist" + "k8s.io/ingress-nginx/internal/ingress/annotations/ipallowlist" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/internal/ingress/annotations/proxyssl" "k8s.io/ingress-nginx/internal/ingress/annotations/sessionaffinity" @@ -73,6 +73,13 @@ func (fis fakeIngressStore) GetBackendConfiguration() ngx_config.Configuration { return fis.configuration } +func (fis fakeIngressStore) GetSecurityConfiguration() defaults.SecurityConfiguration { + return defaults.SecurityConfiguration{ + AnnotationsRiskLevel: fis.configuration.AnnotationsRiskLevel, + AllowCrossNamespaceResources: fis.configuration.AllowCrossNamespaceResources, + } +} + func (fakeIngressStore) GetConfigMap(key string) (*corev1.ConfigMap, error) { return nil, fmt.Errorf("test error") } @@ -2418,7 +2425,7 @@ func TestGetBackendServers(t *testing.T) { }, }, ParsedAnnotations: &annotations.Ingress{ - Whitelist: ipwhitelist.SourceRange{CIDR: []string{"10.0.0.0/24"}}, + Allowlist: ipallowlist.SourceRange{CIDR: []string{"10.0.0.0/24"}}, ServerSnippet: "bla", ConfigurationSnippet: "blo", }, @@ -2439,7 +2446,7 @@ func TestGetBackendServers(t *testing.T) { t.Errorf("config snippet should be empty, got '%s'", s.Locations[0].ConfigurationSnippet) } - if len(s.Locations[0].Whitelist.CIDR) != 1 || s.Locations[0].Whitelist.CIDR[0] != "10.0.0.0/24" { + if len(s.Locations[0].Allowlist.CIDR) != 1 || s.Locations[0].Allowlist.CIDR[0] != "10.0.0.0/24" { t.Errorf("allow list was incorrectly dropped, len should be 1 and contain 10.0.0.0/24") } diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go index 9b3700739..c11e35d76 100644 --- a/internal/ingress/controller/store/store.go +++ b/internal/ingress/controller/store/store.go @@ -69,6 +69,9 @@ type Storer interface { // GetBackendConfiguration returns the nginx configuration stored in a configmap GetBackendConfiguration() ngx_config.Configuration + // GetSecurityConfiguration returns the configuration options from Ingress + GetSecurityConfiguration() defaults.SecurityConfiguration + // GetConfigMap returns the ConfigMap matching key. GetConfigMap(key string) (*corev1.ConfigMap, error) @@ -882,9 +885,14 @@ func (s *k8sStore) syncIngress(ing *networkingv1.Ingress) { k8s.SetDefaultNGINXPathType(copyIng) - err := s.listers.IngressWithAnnotation.Update(&ingress.Ingress{ + parsed, err := s.annotations.Extract(ing) + if err != nil { + klog.Error(err) + return + } + err = s.listers.IngressWithAnnotation.Update(&ingress.Ingress{ Ingress: *copyIng, - ParsedAnnotations: s.annotations.Extract(ing), + ParsedAnnotations: parsed, }) if err != nil { klog.Error(err) @@ -920,8 +928,10 @@ func (s *k8sStore) updateSecretIngressMap(ing *networkingv1.Ingress) { "proxy-ssl-secret", "secure-verify-ca-secret", } + + secConfig := s.GetSecurityConfiguration().AllowCrossNamespaceResources for _, ann := range secretAnnotations { - secrKey, err := objectRefAnnotationNsKey(ann, ing) + secrKey, err := objectRefAnnotationNsKey(ann, ing, secConfig) if err != nil && !errors.IsMissingAnnotations(err) { klog.Errorf("error reading secret reference in annotation %q: %s", ann, err) continue @@ -937,8 +947,9 @@ func (s *k8sStore) updateSecretIngressMap(ing *networkingv1.Ingress) { // objectRefAnnotationNsKey returns an object reference formatted as a // 'namespace/name' key from the given annotation name. -func objectRefAnnotationNsKey(ann string, ing *networkingv1.Ingress) (string, error) { - annValue, err := parser.GetStringAnnotation(ann, ing) +func objectRefAnnotationNsKey(ann string, ing *networkingv1.Ingress, allowCrossNamespace bool) (string, error) { + // We pass nil fields, as this is an internal process and we don't need to validate it. + annValue, err := parser.GetStringAnnotation(ann, ing, nil) if err != nil { return "", err } @@ -951,6 +962,9 @@ func objectRefAnnotationNsKey(ann string, ing *networkingv1.Ingress) (string, er if secrNs == "" { return fmt.Sprintf("%v/%v", ing.Namespace, secrName), nil } + if !allowCrossNamespace && secrNs != ing.Namespace { + return "", fmt.Errorf("cross namespace secret is not supported") + } return annValue, nil } @@ -1125,6 +1139,17 @@ func (s *k8sStore) GetBackendConfiguration() ngx_config.Configuration { return s.backendConfig } +func (s *k8sStore) GetSecurityConfiguration() defaults.SecurityConfiguration { + s.backendConfigMu.RLock() + defer s.backendConfigMu.RUnlock() + + secConfig := defaults.SecurityConfiguration{ + AllowCrossNamespaceResources: s.backendConfig.AllowCrossNamespaceResources, + AnnotationsRiskLevel: s.backendConfig.AnnotationsRiskLevel, + } + return secConfig +} + func (s *k8sStore) setConfig(cmap *corev1.ConfigMap) { s.backendConfigMu.Lock() defer s.backendConfigMu.Unlock() diff --git a/internal/ingress/controller/store/store_test.go b/internal/ingress/controller/store/store_test.go index b91cadc6c..774a45676 100644 --- a/internal/ingress/controller/store/store_test.go +++ b/internal/ingress/controller/store/store_test.go @@ -1414,18 +1414,31 @@ func TestUpdateSecretIngressMap(t *testing.T) { t.Run("with annotation in namespace/name format", func(t *testing.T) { ing := ingTpl.DeepCopy() ing.ObjectMeta.SetAnnotations(map[string]string{ - parser.GetAnnotationWithPrefix("auth-secret"): "otherns/auth", + parser.GetAnnotationWithPrefix("auth-secret"): "testns/auth", }) if err := s.listers.Ingress.Update(ing); err != nil { t.Errorf("error updating the Ingress: %v", err) } s.updateSecretIngressMap(ing) - if l := s.secretIngressMap.Len(); !(l == 1 && s.secretIngressMap.Has("otherns/auth")) { + if l := s.secretIngressMap.Len(); !(l == 1 && s.secretIngressMap.Has("testns/auth")) { t.Errorf("Expected \"otherns/auth\" to be the only referenced Secret (got %d)", l) } }) + t.Run("with annotation in namespace/name format should not be supported", func(t *testing.T) { + ing := ingTpl.DeepCopy() + ing.ObjectMeta.SetAnnotations(map[string]string{ + parser.GetAnnotationWithPrefix("auth-secret"): "anotherns/auth", + }) + s.listers.Ingress.Update(ing) + s.updateSecretIngressMap(ing) + + if l := s.secretIngressMap.Len(); l != 0 { + t.Errorf("Expected \"otherns/auth\" to be denied as it contains a different namespace (got %d)", l) + } + }) + t.Run("with annotation in invalid format", func(t *testing.T) { ing := ingTpl.DeepCopy() ing.ObjectMeta.SetAnnotations(map[string]string{ diff --git a/internal/ingress/defaults/main.go b/internal/ingress/defaults/main.go index 0aab2ff47..8cd0e8ba5 100644 --- a/internal/ingress/defaults/main.go +++ b/internal/ingress/defaults/main.go @@ -170,3 +170,15 @@ type Backend struct { // It disables that behavior and instead uses a single upstream in NGINX, the service's Cluster IP and port. ServiceUpstream bool `json:"service-upstream"` } + +type SecurityConfiguration struct { + // AllowCrossNamespaceResources enables users to consume cross namespace resource on annotations + // Case disabled, attempts to use secrets or configmaps from a namespace different from Ingress will + // be denied + // This valid will default to `false` on future releases + AllowCrossNamespaceResources bool `json:"allow-cross-namespace-resources"` + + // AnnotationsRiskLevel represents the risk accepted on an annotation. If the risk is, for instance `Medium`, annotations + // with risk High and Critical will not be accepted + AnnotationsRiskLevel string `json:"annotations-risk-level"` +} diff --git a/internal/ingress/errors/errors.go b/internal/ingress/errors/errors.go index 93c9ee5e0..e6f7fb52c 100644 --- a/internal/ingress/errors/errors.go +++ b/internal/ingress/errors/errors.go @@ -110,3 +110,47 @@ func New(m string) error { func Errorf(format string, args ...interface{}) error { return fmt.Errorf(format, args...) } + +type ValidationError struct { + Reason error +} + +type RiskyAnnotationError struct { + Reason error +} + +func (e ValidationError) Error() string { + return e.Reason.Error() +} + +// NewValidationError returns a new LocationDenied error +func NewValidationError(annotation string) error { + return ValidationError{ + Reason: fmt.Errorf("annotation %s contains invalid value", annotation), + } +} + +// IsValidationError checks if the err is an error which +// indicates that some annotation value is invalid +func IsValidationError(e error) bool { + _, ok := e.(ValidationError) + return ok +} + +// NewValidationError returns a new LocationDenied error +func NewRiskyAnnotations(name string) error { + return RiskyAnnotationError{ + Reason: fmt.Errorf("annotation group %s contains risky annotation based on ingress configuration", name), + } +} + +// IsRiskyAnnotationError checks if the err is an error which +// indicates that some annotation value is invalid +func IsRiskyAnnotationError(e error) bool { + _, ok := e.(ValidationError) + return ok +} + +func (e RiskyAnnotationError) Error() string { + return e.Reason.Error() +} diff --git a/internal/ingress/resolver/main.go b/internal/ingress/resolver/main.go index e05a2aaae..7d17f4e16 100644 --- a/internal/ingress/resolver/main.go +++ b/internal/ingress/resolver/main.go @@ -26,6 +26,9 @@ type Resolver interface { // GetDefaultBackend returns the backend that must be used as default GetDefaultBackend() defaults.Backend + // GetSecurityConfiguration returns the configuration options from Ingress + GetSecurityConfiguration() defaults.SecurityConfiguration + // GetConfigMap searches for configmap containing the namespace and name usting the character / GetConfigMap(string) (*apiv1.ConfigMap, error) diff --git a/internal/ingress/resolver/mock.go b/internal/ingress/resolver/mock.go index 62c5c6db9..679c3b13c 100644 --- a/internal/ingress/resolver/mock.go +++ b/internal/ingress/resolver/mock.go @@ -26,7 +26,9 @@ import ( // Mock implements the Resolver interface type Mock struct { - ConfigMaps map[string]*apiv1.ConfigMap + ConfigMaps map[string]*apiv1.ConfigMap + AnnotationsRiskLevel string + AllowCrossNamespace bool } // GetDefaultBackend returns the backend that must be used as default @@ -34,6 +36,17 @@ func (m Mock) GetDefaultBackend() defaults.Backend { return defaults.Backend{} } +func (m Mock) GetSecurityConfiguration() defaults.SecurityConfiguration { + defRisk := m.AnnotationsRiskLevel + if defRisk == "" { + defRisk = "Critical" + } + return defaults.SecurityConfiguration{ + AnnotationsRiskLevel: defRisk, + AllowCrossNamespaceResources: m.AllowCrossNamespace, + } +} + // GetSecret searches for secrets contenating the namespace and name using a the character / func (m Mock) GetSecret(string) (*apiv1.Secret, error) { return nil, nil diff --git a/pkg/apis/ingress/types.go b/pkg/apis/ingress/types.go index e50666c18..284e9b427 100644 --- a/pkg/apis/ingress/types.go +++ b/pkg/apis/ingress/types.go @@ -29,8 +29,8 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations/cors" "k8s.io/ingress-nginx/internal/ingress/annotations/fastcgi" "k8s.io/ingress-nginx/internal/ingress/annotations/globalratelimit" + "k8s.io/ingress-nginx/internal/ingress/annotations/ipallowlist" "k8s.io/ingress-nginx/internal/ingress/annotations/ipdenylist" - "k8s.io/ingress-nginx/internal/ingress/annotations/ipwhitelist" "k8s.io/ingress-nginx/internal/ingress/annotations/log" "k8s.io/ingress-nginx/internal/ingress/annotations/mirror" "k8s.io/ingress-nginx/internal/ingress/annotations/modsecurity" @@ -224,7 +224,7 @@ type Server struct { // is required. // The chain in the execution order of annotations should be: // - Denylist -// - Whitelist +// - Allowlist // - RateLimit // - BasicDigestAuth // - ExternalAuth @@ -298,10 +298,10 @@ type Location struct { // addresses or networks are allowed. // +optional Denylist ipdenylist.SourceRange `json:"denylist,omitempty"` - // Whitelist indicates only connections from certain client + // Allowlist indicates only connections from certain client // addresses or networks are allowed. // +optional - Whitelist ipwhitelist.SourceRange `json:"whitelist,omitempty"` + Allowlist ipallowlist.SourceRange `json:"allowlist,omitempty"` // Proxy contains information about timeouts and buffer sizes // to be used in connections against endpoints // +optional diff --git a/pkg/apis/ingress/types_equals.go b/pkg/apis/ingress/types_equals.go index 84b1a186a..c87f5ba3e 100644 --- a/pkg/apis/ingress/types_equals.go +++ b/pkg/apis/ingress/types_equals.go @@ -400,7 +400,7 @@ func (l1 *Location) Equal(l2 *Location) bool { if !(&l1.Denylist).Equal(&l2.Denylist) { return false } - if !(&l1.Whitelist).Equal(&l2.Whitelist) { + if !(&l1.Allowlist).Equal(&l2.Allowlist) { return false } if !(&l1.Proxy).Equal(&l2.Proxy) { diff --git a/pkg/flags/flags.go b/pkg/flags/flags.go index 489e24886..2c926a35f 100644 --- a/pkg/flags/flags.go +++ b/pkg/flags/flags.go @@ -152,6 +152,9 @@ Requires the update-status parameter.`) annotationsPrefix = flags.String("annotations-prefix", parser.DefaultAnnotationsPrefix, `Prefix of the Ingress annotations specific to the NGINX controller.`) + enableAnnotationValidation = flags.Bool("enable-annotation-validation", false, + `If true, will enable the annotation validation feature. This value will be defaulted to true on a future release`) + enableSSLChainCompletion = flags.Bool("enable-ssl-chain-completion", false, `Autocomplete SSL certificate chains with missing intermediate CA certificates. Certificates uploaded to Kubernetes must have the "Authority Information Access" X.509 v3 @@ -249,6 +252,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g } parser.AnnotationsPrefix = *annotationsPrefix + parser.EnableAnnotationValidation = *enableAnnotationValidation // check port collisions if !ing_net.IsPortAvailable(*httpPort) { diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index 189c13d6c..02b5309cd 100644 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -548,14 +548,14 @@ http { {{ range $rl := (filterRateLimits $servers ) }} # Ratelimit {{ $rl.Name }} - geo $remote_addr $whitelist_{{ $rl.ID }} { + geo $remote_addr $allowlist_{{ $rl.ID }} { default 0; - {{ range $ip := $rl.Whitelist }} + {{ range $ip := $rl.Allowlist }} {{ $ip }} 1;{{ end }} } # Ratelimit {{ $rl.Name }} - map $whitelist_{{ $rl.ID }} $limit_{{ $rl.ID }} { + map $allowlist_{{ $rl.ID }} $limit_{{ $rl.ID }} { 0 {{ $cfg.LimitConnZoneVariable }}; 1 ""; } @@ -1312,8 +1312,8 @@ stream { {{ range $ip := $location.Denylist.CIDR }} deny {{ $ip }};{{ end }} {{ end }} - {{ if gt (len $location.Whitelist.CIDR) 0 }} - {{ range $ip := $location.Whitelist.CIDR }} + {{ if gt (len $location.Allowlist.CIDR) 0 }} + {{ range $ip := $location.Allowlist.CIDR }} allow {{ $ip }};{{ end }} deny all; {{ end }} diff --git a/test/e2e-image/namespace-overlays/validations/values.yaml b/test/e2e-image/namespace-overlays/validations/values.yaml new file mode 100644 index 000000000..d423217db --- /dev/null +++ b/test/e2e-image/namespace-overlays/validations/values.yaml @@ -0,0 +1,38 @@ +# TODO: remove the need to use fullnameOverride +fullnameOverride: nginx-ingress +controller: + image: + repository: ingress-controller/controller + chroot: true + tag: 1.0.0-dev + digest: + digestChroot: + containerPort: + http: "1080" + https: "1443" + + extraArgs: + http-port: "1080" + https-port: "1443" + # e2e tests do not require information about ingress status + update-status: "false" + + scope: + enabled: true + + config: + worker-processes: "1" + service: + type: NodePort + + admissionWebhooks: + enabled: true + certificate: "/usr/local/certificates/cert" + key: "/usr/local/certificates/key" + +defaultBackend: + enabled: false + +rbac: + create: true + scope: true diff --git a/test/e2e/annotations/fastcgi.go b/test/e2e/annotations/fastcgi.go index 572eca548..7ed35cb76 100644 --- a/test/e2e/annotations/fastcgi.go +++ b/test/e2e/annotations/fastcgi.go @@ -75,7 +75,7 @@ var _ = framework.DescribeAnnotation("backend-protocol - FastCGI", func() { Namespace: f.Namespace, }, Data: map[string]string{ - "SCRIPT_FILENAME": "/home/www/scripts/php$fastcgi_script_name", + "SCRIPT_FILENAME": "$fastcgi_script_name", "REDIRECT_STATUS": "200", }, } @@ -94,7 +94,7 @@ var _ = framework.DescribeAnnotation("backend-protocol - FastCGI", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "fastcgi_param SCRIPT_FILENAME \"/home/www/scripts/php$fastcgi_script_name\";") && + return strings.Contains(server, "fastcgi_param SCRIPT_FILENAME \"$fastcgi_script_name\";") && strings.Contains(server, "fastcgi_param REDIRECT_STATUS \"200\";") }) }) diff --git a/test/e2e/annotations/ipwhitelist.go b/test/e2e/annotations/ipallowlist.go similarity index 81% rename from test/e2e/annotations/ipwhitelist.go rename to test/e2e/annotations/ipallowlist.go index 71f026c7f..79c77b4d0 100644 --- a/test/e2e/annotations/ipwhitelist.go +++ b/test/e2e/annotations/ipallowlist.go @@ -24,19 +24,19 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) -var _ = framework.DescribeAnnotation("whitelist-source-range", func() { - f := framework.NewDefaultFramework("ipwhitelist") +var _ = framework.DescribeAnnotation("allowlist-source-range", func() { + f := framework.NewDefaultFramework("ipallowlist") ginkgo.BeforeEach(func() { f.NewEchoDeployment() }) - ginkgo.It("should set valid ip whitelist range", func() { - host := "ipwhitelist.foo.com" + ginkgo.It("should set valid ip allowlist range", func() { + host := "ipallowlist.foo.com" nameSpace := f.Namespace annotations := map[string]string{ - "nginx.ingress.kubernetes.io/whitelist-source-range": "18.0.0.0/8, 56.0.0.0/8", + "nginx.ingress.kubernetes.io/allowlist-source-range": "18.0.0.0/8, 56.0.0.0/8", } ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations) diff --git a/test/e2e/e2e.go b/test/e2e/e2e.go index 614dd166a..28adf297d 100644 --- a/test/e2e/e2e.go +++ b/test/e2e/e2e.go @@ -47,6 +47,8 @@ import ( _ "k8s.io/ingress-nginx/test/e2e/settings" _ "k8s.io/ingress-nginx/test/e2e/settings/modsecurity" _ "k8s.io/ingress-nginx/test/e2e/settings/ocsp" + _ "k8s.io/ingress-nginx/test/e2e/settings/validations" + _ "k8s.io/ingress-nginx/test/e2e/ssl" _ "k8s.io/ingress-nginx/test/e2e/status" _ "k8s.io/ingress-nginx/test/e2e/tcpudp" diff --git a/test/e2e/framework/exec.go b/test/e2e/framework/exec.go index d91d36551..07bf09be8 100644 --- a/test/e2e/framework/exec.go +++ b/test/e2e/framework/exec.go @@ -116,7 +116,12 @@ func (f *Framework) newIngressController(namespace string, namespaceOverlay stri if !ok { isChroot = "false" } - cmd := exec.Command("./wait-for-nginx.sh", namespace, namespaceOverlay, isChroot) + + enableAnnotationValidations, ok := os.LookupEnv("ENABLE_VALIDATIONS") + if !ok { + enableAnnotationValidations = "false" + } + cmd := exec.Command("./wait-for-nginx.sh", namespace, namespaceOverlay, isChroot, enableAnnotationValidations) out, err := cmd.CombinedOutput() if err != nil { return fmt.Errorf("unexpected error waiting for ingress controller deployment: %v.\nLogs:\n%v", err, string(out)) diff --git a/test/e2e/run-e2e-suite.sh b/test/e2e/run-e2e-suite.sh index b56312afd..015895e56 100755 --- a/test/e2e/run-e2e-suite.sh +++ b/test/e2e/run-e2e-suite.sh @@ -78,6 +78,7 @@ kubectl run --rm \ --env="E2E_NODES=${E2E_NODES}" \ --env="FOCUS=${FOCUS}" \ --env="IS_CHROOT=${IS_CHROOT:-false}"\ + --env="ENABLE_VALIDATIONS=${ENABLE_VALIDATIONS:-false}"\ --env="E2E_CHECK_LEAKS=${E2E_CHECK_LEAKS}" \ --env="NGINX_BASE_IMAGE=${NGINX_BASE_IMAGE}" \ --env="HTTPBUN_IMAGE=${HTTPBUN_IMAGE}" \ diff --git a/test/e2e/run-kind-e2e.sh b/test/e2e/run-kind-e2e.sh index e6e4e086b..4dc1bddd0 100755 --- a/test/e2e/run-kind-e2e.sh +++ b/test/e2e/run-kind-e2e.sh @@ -39,6 +39,7 @@ fi KIND_LOG_LEVEL="1" IS_CHROOT="${IS_CHROOT:-false}" +ENABLE_VALIDATIONS="${ENABLE_VALIDATIONS:-false}" export KIND_CLUSTER_NAME=${KIND_CLUSTER_NAME:-ingress-nginx-dev} DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" # Use 1.0.0-dev to make sure we use the latest configuration in the helm template diff --git a/test/e2e/settings/validations/validations.go b/test/e2e/settings/validations/validations.go new file mode 100644 index 000000000..6f1715ada --- /dev/null +++ b/test/e2e/settings/validations/validations.go @@ -0,0 +1,86 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package annotations + +import ( + "context" + + "github.com/onsi/ginkgo/v2" + "github.com/stretchr/testify/assert" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + "k8s.io/ingress-nginx/test/e2e/framework" +) + +var _ = framework.IngressNginxDescribeSerial("annotation validations", func() { + f := framework.NewDefaultFramework("validations") + + ginkgo.It("should allow ingress based on their risk on webhooks", func() { + host := "annotation-validations" + + // Low and Medium Risk annotations should be allowed, the rest should be denied + f.UpdateNginxConfigMapData("annotations-risk-level", "Medium") + // Sleep a while just to guarantee that the configmap is applied + framework.Sleep() + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/default-backend": "default/bla", // low risk + "nginx.ingress.kubernetes.io/denylist-source-range": "1.1.1.1/32", // medium risk + } + + ginkgo.By("allow ingress with low/medium risk annotations") + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + _, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), ing, metav1.CreateOptions{}) + assert.Nil(ginkgo.GinkgoT(), err, "creating ingress with allowed annotations should not trigger an error") + + ginkgo.By("block ingress with risky annotations") + annotations["nginx.ingress.kubernetes.io/modsecurity-transaction-id"] = "bla123" // High should be blocked + annotations["nginx.ingress.kubernetes.io/modsecurity-snippet"] = "some random stuff;" // High should be blocked + ing = framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + _, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Update(context.TODO(), ing, metav1.UpdateOptions{}) + assert.NotNil(ginkgo.GinkgoT(), err, "creating ingress with risky annotations should trigger an error") + + }) + + ginkgo.It("should allow ingress based on their risk on webhooks", func() { + host := "annotation-validations" + + // Low and Medium Risk annotations should be allowed, the rest should be denied + f.UpdateNginxConfigMapData("annotations-risk-level", "Medium") + // Sleep a while just to guarantee that the configmap is applied + framework.Sleep() + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/default-backend": "default/bla", // low risk + "nginx.ingress.kubernetes.io/denylist-source-range": "1.1.1.1/32", // medium risk + } + + ginkgo.By("allow ingress with low/medium risk annotations") + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + _, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), ing, metav1.CreateOptions{}) + assert.Nil(ginkgo.GinkgoT(), err, "creating ingress with allowed annotations should not trigger an error") + + ginkgo.By("block ingress with risky annotations") + annotations["nginx.ingress.kubernetes.io/modsecurity-transaction-id"] = "bla123" // High should be blocked + annotations["nginx.ingress.kubernetes.io/modsecurity-snippet"] = "some random stuff;" // High should be blocked + ing = framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + _, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Update(context.TODO(), ing, metav1.UpdateOptions{}) + assert.NotNil(ginkgo.GinkgoT(), err, "creating ingress with risky annotations should trigger an error") + + }) +}) diff --git a/test/e2e/wait-for-nginx.sh b/test/e2e/wait-for-nginx.sh index 153d348c2..0726bde10 100755 --- a/test/e2e/wait-for-nginx.sh +++ b/test/e2e/wait-for-nginx.sh @@ -24,6 +24,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" export NAMESPACE=$1 export NAMESPACE_OVERLAY=$2 export IS_CHROOT=$3 +export ENABLE_VALIDATIONS=$4 echo "deploying NGINX Ingress controller in namespace $NAMESPACE" @@ -68,6 +69,7 @@ else # TODO: remove the need to use fullnameOverride fullnameOverride: nginx-ingress controller: + enableAnnotationValidations: ${ENABLE_VALIDATIONS} image: repository: ingress-controller/controller chroot: ${IS_CHROOT} From ee9c6246f25799677a67a93c4913a70cf756c174 Mon Sep 17 00:00:00 2001 From: Chen Chen Date: Mon, 24 Jul 2023 23:26:13 +0800 Subject: [PATCH 403/405] Add rolling update strategy to each static deployment file (#10129) * Add rollingUpdate strategy to each static deployment file Signed-off-by: z1cheng * Update the templates and regenerate Signed-off-by: z1cheng * Upgrade k8s version and add rolling update for exoscale Signed-off-by: z1cheng * Add rolling update strategy to Oracle template Signed-off-by: z1cheng * Revert the k8s version in generate-deploy-scripts.sh Signed-off-by: z1cheng --------- Signed-off-by: z1cheng --- deploy/static/provider/aws/deploy.yaml | 4 ++++ .../static/provider/aws/nlb-with-tls-termination/deploy.yaml | 4 ++++ deploy/static/provider/baremetal/deploy.yaml | 4 ++++ deploy/static/provider/cloud/deploy.yaml | 4 ++++ deploy/static/provider/do/deploy.yaml | 4 ++++ deploy/static/provider/exoscale/deploy.yaml | 4 ++++ deploy/static/provider/oracle/deploy.yaml | 4 ++++ deploy/static/provider/scw/deploy.yaml | 4 ++++ .../provider/aws/nlb-with-tls-termination/values.yaml | 4 ++++ hack/manifest-templates/provider/aws/values.yaml | 4 ++++ hack/manifest-templates/provider/baremetal/values.yaml | 4 ++++ hack/manifest-templates/provider/cloud/values.yaml | 4 ++++ hack/manifest-templates/provider/do/values.yaml | 4 ++++ hack/manifest-templates/provider/exoscale/values.yaml | 4 ++++ hack/manifest-templates/provider/oracle/values.yaml | 4 ++++ hack/manifest-templates/provider/scw/values.yaml | 4 ++++ 16 files changed, 64 insertions(+) diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml index f22f3a9c1..2c785fab2 100644 --- a/deploy/static/provider/aws/deploy.yaml +++ b/deploy/static/provider/aws/deploy.yaml @@ -411,6 +411,10 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate template: metadata: labels: diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml index e9ae85143..7eb2a4c12 100644 --- a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml +++ b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml @@ -420,6 +420,10 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate template: metadata: labels: diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml index b66da7d45..ba5b71838 100644 --- a/deploy/static/provider/baremetal/deploy.yaml +++ b/deploy/static/provider/baremetal/deploy.yaml @@ -406,6 +406,10 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate template: metadata: labels: diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml index 659da1d1b..0bb95331f 100644 --- a/deploy/static/provider/cloud/deploy.yaml +++ b/deploy/static/provider/cloud/deploy.yaml @@ -407,6 +407,10 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate template: metadata: labels: diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml index 434f21ead..9ef7f86ee 100644 --- a/deploy/static/provider/do/deploy.yaml +++ b/deploy/static/provider/do/deploy.yaml @@ -410,6 +410,10 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate template: metadata: labels: diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml index c9dff62cb..d09c9bbb4 100644 --- a/deploy/static/provider/exoscale/deploy.yaml +++ b/deploy/static/provider/exoscale/deploy.yaml @@ -510,6 +510,10 @@ spec: - name: webhook-cert secret: secretName: ingress-nginx-admission + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate --- apiVersion: batch/v1 kind: Job diff --git a/deploy/static/provider/oracle/deploy.yaml b/deploy/static/provider/oracle/deploy.yaml index 72556bb42..4c93acfb2 100644 --- a/deploy/static/provider/oracle/deploy.yaml +++ b/deploy/static/provider/oracle/deploy.yaml @@ -411,6 +411,10 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate template: metadata: labels: diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml index 8b4750992..a57ef5ded 100644 --- a/deploy/static/provider/scw/deploy.yaml +++ b/deploy/static/provider/scw/deploy.yaml @@ -410,6 +410,10 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate template: metadata: labels: diff --git a/hack/manifest-templates/provider/aws/nlb-with-tls-termination/values.yaml b/hack/manifest-templates/provider/aws/nlb-with-tls-termination/values.yaml index 5b36b3dd2..46f8417c7 100644 --- a/hack/manifest-templates/provider/aws/nlb-with-tls-termination/values.yaml +++ b/hack/manifest-templates/provider/aws/nlb-with-tls-termination/values.yaml @@ -1,5 +1,9 @@ # AWS NLB with TLS termination controller: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 service: type: LoadBalancer externalTrafficPolicy: Local diff --git a/hack/manifest-templates/provider/aws/values.yaml b/hack/manifest-templates/provider/aws/values.yaml index 743721fc4..37eac03c2 100644 --- a/hack/manifest-templates/provider/aws/values.yaml +++ b/hack/manifest-templates/provider/aws/values.yaml @@ -1,5 +1,9 @@ # AWS - NLB controller: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 service: type: LoadBalancer externalTrafficPolicy: Local diff --git a/hack/manifest-templates/provider/baremetal/values.yaml b/hack/manifest-templates/provider/baremetal/values.yaml index 3c5a0840b..205a7430c 100644 --- a/hack/manifest-templates/provider/baremetal/values.yaml +++ b/hack/manifest-templates/provider/baremetal/values.yaml @@ -1,5 +1,9 @@ # Baremetal controller: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 service: type: NodePort diff --git a/hack/manifest-templates/provider/cloud/values.yaml b/hack/manifest-templates/provider/cloud/values.yaml index 7d8266c0f..edc5662dd 100644 --- a/hack/manifest-templates/provider/cloud/values.yaml +++ b/hack/manifest-templates/provider/cloud/values.yaml @@ -1,4 +1,8 @@ controller: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 service: type: LoadBalancer externalTrafficPolicy: Local diff --git a/hack/manifest-templates/provider/do/values.yaml b/hack/manifest-templates/provider/do/values.yaml index 2b0578414..aeee47ad6 100644 --- a/hack/manifest-templates/provider/do/values.yaml +++ b/hack/manifest-templates/provider/do/values.yaml @@ -1,5 +1,9 @@ # Digital Ocean controller: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 service: type: LoadBalancer externalTrafficPolicy: Local diff --git a/hack/manifest-templates/provider/exoscale/values.yaml b/hack/manifest-templates/provider/exoscale/values.yaml index 17458cac9..867ecc57e 100644 --- a/hack/manifest-templates/provider/exoscale/values.yaml +++ b/hack/manifest-templates/provider/exoscale/values.yaml @@ -1,6 +1,10 @@ # Exoscale controller: kind: DaemonSet + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 service: type: LoadBalancer externalTrafficPolicy: Local diff --git a/hack/manifest-templates/provider/oracle/values.yaml b/hack/manifest-templates/provider/oracle/values.yaml index b4480531f..600dbfe5c 100644 --- a/hack/manifest-templates/provider/oracle/values.yaml +++ b/hack/manifest-templates/provider/oracle/values.yaml @@ -1,4 +1,8 @@ controller: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 service: type: LoadBalancer externalTrafficPolicy: Local diff --git a/hack/manifest-templates/provider/scw/values.yaml b/hack/manifest-templates/provider/scw/values.yaml index cee5e2b1e..56d351dcd 100644 --- a/hack/manifest-templates/provider/scw/values.yaml +++ b/hack/manifest-templates/provider/scw/values.yaml @@ -1,5 +1,9 @@ # Scaleway controller: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 service: type: LoadBalancer externalTrafficPolicy: Local From 0ec08bd1d06a2fbb797e6ee9116102599ad9f0e1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 24 Jul 2023 10:22:13 -0700 Subject: [PATCH 404/405] Bump github.com/opencontainers/runc from 1.1.7 to 1.1.8 (#10244) Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.1.7 to 1.1.8. - [Release notes](https://github.com/opencontainers/runc/releases) - [Changelog](https://github.com/opencontainers/runc/blob/v1.1.8/CHANGELOG.md) - [Commits](https://github.com/opencontainers/runc/compare/v1.1.7...v1.1.8) --- updated-dependencies: - dependency-name: github.com/opencontainers/runc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 8864e3a83..13d0fcf04 100644 --- a/go.mod +++ b/go.mod @@ -15,7 +15,7 @@ require ( github.com/moul/pb v0.0.0-20220425114252-bca18df4138c github.com/ncabatoff/process-exporter v0.7.10 github.com/onsi/ginkgo/v2 v2.9.5 - github.com/opencontainers/runc v1.1.7 + github.com/opencontainers/runc v1.1.8 github.com/pmezard/go-difflib v1.0.0 github.com/prometheus/client_golang v1.16.0 github.com/prometheus/client_model v0.4.0 diff --git a/go.sum b/go.sum index acd310e3a..6e1495776 100644 --- a/go.sum +++ b/go.sum @@ -289,8 +289,8 @@ github.com/onsi/ginkgo/v2 v2.9.5/go.mod h1:tvAoo1QUJwNEU2ITftXTpR7R1RbCzoZUOs3Ro github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE= -github.com/opencontainers/runc v1.1.7 h1:y2EZDS8sNng4Ksf0GUYNhKbTShZJPJg1FiXJNH/uoCk= -github.com/opencontainers/runc v1.1.7/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50= +github.com/opencontainers/runc v1.1.8 h1:zICRlc+C1XzivLc3nzE+cbJV4LIi8tib6YG0MqC6OqA= +github.com/opencontainers/runc v1.1.8/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= From afd1311f8529c21fdf6621bf683bec814e698f1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?= Date: Fri, 28 Jul 2023 13:41:56 +0200 Subject: [PATCH 405/405] [helm] configure allow to configure hostAliases (#10180) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jan-Otto Kröpke --- charts/ingress-nginx/README.md | 1 + charts/ingress-nginx/templates/controller-deployment.yaml | 3 +++ charts/ingress-nginx/values.yaml | 2 ++ 3 files changed, 6 insertions(+) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 17547912d..6288da3e3 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -307,6 +307,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. | | controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. | | controller.healthCheckPath | string | `"/healthz"` | Path of the health check endpoint. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. | +| controller.hostAliases | object | `{}` | Optionally customize the pod hostAliases. | | controller.hostNetwork | bool | `false` | Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 is merged | | controller.hostPort.enabled | bool | `false` | Enable 'hostPort' or not | | controller.hostPort.ports.http | int | `80` | 'hostPort' http port | diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml index c4a1a37e1..537c3feef 100644 --- a/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/charts/ingress-nginx/templates/controller-deployment.yaml @@ -49,6 +49,9 @@ spec: {{- if .Values.controller.dnsConfig }} dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }} {{- end }} + {{- if .Values.controller.hostAliases }} + hostAliases: {{ tpl (toYaml .Values.controller.hostAliases) $ | nindent 8 }} + {{- end }} {{- if .Values.controller.hostname }} hostname: {{ toYaml .Values.controller.hostname | nindent 8 }} {{- end }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 1cd74dad0..8205b3506 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -49,6 +49,8 @@ controller: addHeaders: {} # -- Optionally customize the pod dnsConfig. dnsConfig: {} + # -- Optionally customize the pod hostAliases. + hostAliases: {} # -- Optionally customize the pod hostname. hostname: {} # -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'.

sKOYYw|>+j1GPSG8^N!ezs%p@wn-{X z)Z7QyGv%UG3yNawRQz6}6++&q^V0ypr9HbtFO?!&5+4#?HF||%Lws7Cx|tktFdSdQ zJ=A3suk5FxK2L{#F1l3)ad^@euqx&mvK_+wc7G>V&UQHO_T0GdybFrhgP$VTYDx~* zrix?FzF-ch7ZqI$XJ@~jO3-((TRYrcE+^O(qdh6>wW*#01AF4UCCit!NNSv&2HS?= zyU^BSmdr7D+4s;@ab2ZohRD7m>s@hni&xbQ2QMA*Ln*RR=CaG&Dq`xH?RczH_j>)D zm-tRMIaCaBb*SLYG@Co}g#|2HMzM66NoXykp9WeH1DXuHGpb`}>4i;{!MQ^0C+7eEs-&_)(Eh565Y4zMEYR zws!x5sPFcZ)X+U=$1lDwU&oahvEj){H<@-=JymX`qzEG_vCqWAo&hxqXO~GspR$bV z4^v1+HF|lnI%l^^Hx(coi-!2~&!;wS9lNa*bTYpW-ma`U-@BbCm5nR>jdXSI`OJEh zu_b;wvm3Nc&@}c06TQZc6nE6x1bg=A{>-{5aLz_>7;Qf|i>MCR=uZnYAy`hzz4;70 zM*&nxU^GfjkL)2d>%iw9%kI*2k*cXG^Hm3}X-+|}fYG@Mx{edvrFv(p^WqOHo`!XH znxvma1e9Eb#nHQraMKF8cFQu?KUR(OEzsI(2I#wE81%C2Nl0fih7Ow-LoXG#ozppV zHh?b~o}#>rs>ys?c!8yIK?aW7x&MOsIGJg!Yiz2@T5a(g3>!nvWfEG^ zR5wkQ$`sG73ZzRtHYBUEA2`tFn?CpRiMCyGK~iYHKxI@Ai?2chctHgOd)3yaK0iyd ze*bNnt!`~dROxf^i2K&vgKJOQ35Cc=mQ1AFZTlym?uQty7=y7n`4x;|Ye7L&Am%5f z?Z^xPZ;`FbnzdDhIl| zBh!WgjM+FQD>RHXeN+BVb`wi`h*PJGgnEOSwX94%>~NrS&jlWUyT+?rNYr@B&B6Qn zR6Tc7!>S6qIKHT=;kXUafX1KkM!c=P$9NGYXXBIfK ziA#Bqi%P6>I;!%o0TtZlE(jT6J*`U-VgW;Uv=gOgxDU(KSLsnXX2UpkP@_Y1TE^j9 zS$?rcvfSlKF{@tv^?xfmhacglENh>~_P=%M^-Kj`!ts5~*y!RyZhwnOm8?k<4D0UG zsOX8*VB=H!iin#~Z-QA%4pQ=3Zn0R8y?}}*S7?nOpze{~qYui;krDxX8>-NM$rN^`;pi1-_llGU+p*dC1PB@?ECl5yzMm@Zp z2FiaExAj|DJAut?omDT@x$*2uj^KJ`-C*i;?V#5& ze2~~V57{XtNoFC~_}bsPYp%SS122*>DK)U{0MMcHVvx^_|Md%jAPgeWJ-==;{xOTW zXx|~xLB$hmpnG?iUK5XvME;YteN_YbMO_!@d^8pI{=B?Ok?7N=ItI)yH!GZy(Z9zG z;-NX~QVt_~{$L(#UV-lSj2T%HSKWfojv1*wFFfY;32e6g&iX&&7XK+IZjwGOkR4e0 zSuWtFZsfZ#nn!l8LMGTOYUK%eDGSo9W4M`yc zmX462W>e8@q{gdL#HahI`VwyBFX!*x_-7Q4h7v=(>zZqf0>8cnO)3WSY+H_kU z(1vqr7B*BJ<(n$7$O{1swxyMAPc|A}#^|J5F(LhoLB_DQlzac1#nOpa6%wWgjM)0$ z(Of&7UDm0gC8FcCb6?G&dxs9{hfDWcYc&YAzzQP)n_{l~x295r>?#|E^76cHZR*Kd zZ_sA+B6j87A{aeI&>PgOc_G!-_|*D(LtmvbyH{I zvMVugB>m2LG^tScWkYbc#BzOL*0RlpajxrCTT7+I9&Ew@`7Y!8c4iiQT`*{F zxO_WX)nT%{W)t8jgX>n18$AN6bV}JI$0;z^4&!|u1?eQ(P&_6pCE?ZkfXHnI81yB0P8{f%4Oa6%%w;`;@ zA-KK%YM8hnD%^ums4(TkPQYLv&8R!mK};ocQp2EE#pASwx_g*z$^r=t%CE847J*F6 z@c6yUO4g?4zxiRCzi>CnSP>y=+IdO5o_xov2BPNRKdL-iL&{EFH;CIRA?L72)ErwB zTl!^1$8R&M{W@xR!_ulP;x#URRarhM-@up%!|8iW=t~69Ux~J&aQ863rk{F4TYLvg zU#irNSLn<*32x)01*rl~1vy(0B{SBmAux<`2i)e(#F zmiLKw2RRl&(mx%bKG5n%u&Dlqj!&9)_QXeI-yc%r_RyhCN*<|ruvD~p6O@Q;W^;t zc<4Sq_VBTe7FwWT=96@8!a&-}Cg8Pv!&9wDnpcXN6yxnTqMQXU4HK6*MLgiW?zp<$ zLVmbT+^rAV;ty7x3kn%AwkWRsu1-Bl+^v_!d_)^_?KY>&=fBXtUdR1-c5m)QtmCMs z5>6d%s!Fzmde7SGcm8(aX`3ALLiMhA^GwX4Ud`X3zcH|HW2n5LOU*;FYpw;n4Q;qn zlZS^?3{Ay@L9NogZ8p}&ld-B>?aF6DqFZ?3uwCN?j)a|}pGPO8<(1z?6vSg?crkm2 zZpwNsf6$z)9UeP_L>#U;vNR*Qe@?z9V2x{J|tbrtHB#PYC1 z?`kZ+=7kI4|F7EftJV)Jrlx4VQ)%w3{qaapc=_Ni(SK)8ntMX?xmM(b?z}ZXwG{-% zNkg9QvEM2Eu}l#Ko3@-uu^4H=OX3B!FLe9G%@zkL>L+vsb*}kebrl`hi_++a+pPHT zXt@0A;i~Vy`aGU{AP4ZRdx~4x;a$$MO(~7y=2#^t+YW80apV{$*p+q}RV*09>#^yL zy8igo`8=AnM8Z7nVhNb-G+xXVqhi`Q7dhM*n1U(hAmHj9HEP?{gA`D&s&|S@$&}k8 z&GeN4_6yV&m+Tnk6)DT&n-~f#I+^3_DBEn;b4Yb~L`;l0F#MH@S%9fVyRQ4|+3yg9 zjg_rQW#l_=L%l{TVpRe$!#n%g{Ydbb+iY;B?o!`9e z%STEtwvJ5boM_`9gU;$h4LUN~wEe=-)F(IB4|;R+*o0fvF>a zAP~_@mduHN$tb2iqp%f(a?mWJ8xk+ZXD{8^9p&gZh><&xb47hbW{auOJaf>aHHEC5 zA5uzs8M@So!AnZWtCXVJSOImpm3BkgUe>9cn#?(ku zg`90XR!eDR-wdyQ(#;N;z|E&|=FyBZG1~;G;hy#ZXmD*CeBA)g9H{ci#n+pEoA}sN zYk)qB!tU`lALLiC-tEh+IL91M&ygqh_IrW5dqRp~J{fAK{QbNOZzerEG953$s#}&X zvYqjA4j%=38r;QwaLR^H$@|HrD+!e?IQ)kX*%p%$!_yO{jsh;NJC{dZJBF{5{dbj+ z$rp5i%MZQX4E&6C?kfLi^Quq^GS+=1@9etGf1~uL@vgPok$9pQW;JeSV60L@45w_o^AQnXCoh(1U5S5ikv=XYT(o1zc;!smD zQ7m}?c3Az3{m$c`mYtz-0j1BZ7>XtDPK|wkTdbefd=*WKkxto`aXGa z$K5EJX>gB&!Yi=T7q4rcY7j_wstW-$GH6!*Pi^6c`%MpoY&czi2qx*MnIjxsii{>j z`IIfo3fw5=Y;qFmh%bUFK-WI&QKw>cg8Ai6|HOEHRG!EcfQRsOzH(tv*83Q+O_}Ww zJ1w(vZRoZH7&WSCw^7`i(&iC;av;)W#=+vuGan3FFf+_rAMC+;O{%1e{Aoarqv;}! zlIIVQ);rFc7uYwqA4D%4?n+?~Es^IU6Xy7b+tiUMK3`WzIW^Y@)Okw5RjGRn-<@yz z1d0fm9R!u3_D*8^BiBEyO{N`I!b#`&RKOmoIxY2@gy*gyA31nOb=&w_CF+HZcqrU8 z`0&b<~9rL~Nt~`{i0!&)X!ZmX+L9@Hu9;aVk$3G6kZ%n)T|3rM}O?zxqS0#VY zh>GQGCUY}V9QQMsB-ldO_yi`Kw(ty`fceVX{{M8SoM$sD7gyUgB^)?X zgZtcOx#KeKtyhZ;Ug&YTVtVOS=@=}aHDG1rNR@I}C*of});MKf4vxOX=}H%dz)-(S z26DElrzlL4h`_o<=?2M@R=bhi*!i3t7$L@Vu0KCn{mo|Se|rN-p9t5F;VCyUeDe*} zE3@UF3#ZMUf2uGiEnX9DxP-a5_dH;S1?J(-dUGAy;8^Y}f8;+*vmVgaPQ!sXeU2^) zEv50;M((nY4n@n#sdq}3Mb4=A_+In4y6apOxYOJ2-MM{%J-6hp>@5x#7DAj%M)N%y zUeeSt>z~u~>&{LkZq}uoJk3hOSQe%VKmj@~dBxPsSz@kvdb7oagoyHrlDk=QaxcOL z>}iAc_llEYy?-J{oU}4ytPL%tBMHJ*#RsYvSv-#c(-Mf$fM;7`)iD;^kC9tyf84*% z34zfO*U?T7TbdJwiC{apkw@cE=Mx zBkP@c;_eMN&Ur{2#mf^2fqHeiSVj46qYXuRaaZ_O9Dl>TTHEOGSFY~14CLLqzvte# zr6YPLk)X_c6c{8a=<4np=V#;UPem6L8iuO%TXIziTCBgIWVMrdv>`6f>Q?-qJ(RNR zS%?x^mC-QiJX&$G&{aTas>XOw?fBDz;mQ+EDS~lCVqKGAvjup6#Y1@u!sw~Rx?6!9 z@7qyEMRz|c*7txSaV7g%@SVW*EH~{c^GSIATJRoNVt>@#Bn~RJQ@$%!(;SnL3LO^j zRN@a=)kgQ!kPoY!B;Gy-4l^HS=O4C7hwe&^5;5i0&^*H$yk=E!vWmj{R9BQhdu0el zVO3015+4LYcle6dg!*_+$?0jq@kgqS0 zW%Ky>MLQ9tRKs2K+4 zwQO4^xAUYLpnSxEve}tyQM0Je#4nETKlGS+H2LLD>5XuPBI`U@=tcql%NUwCW6NcEysHsfT?0;3srl(DE&pT-ft zth}Pn$Kb5nnp+ilp|V7w1nE>{2%ZGCDB3PHx|0vF3k|Hv3vJ3Z^0|{)bioMZ(-WI0 z4l5zi0eNT-!LrM(EPnNk51d+R?)Ca)&Fmh{0rI`{vSLrVd8zyw;lBKqh~Y-m{_dvi z75TIFZ-X*O{19QZw4pkq%E4n}@Fp2U0kXbM83R$rcNy5t+<8zE>pj_PyiENXEIhQAg;@i!wI+R-0A5(?oemw{Mb*gAI1@5in(m_i$PQk zMvAKe(st>ERg^Nchn}@uVYl)otKX?4hK8qbqNwcS#pDOaZZ`vm3gbk=Ve}$tdxP_o#}>8bmNrrmTPuqTZu1* zB=8Tws|8Qw7hvN8wjfl?>ebTldQ)+8)R6nu-<2$14?YW1JLkUijrsRloa#SU#^dat zTRM_Rh#2!)$)G6lk*({a{aKRa+;mKSlwM=nY^L66&x*pBr(MA%myRBn&{li;3n6+I zqFYczd_Lg7X|C-5clI`sn-@90D=}n1Ia*DW#nLk={{NUkY`#<_FKSkd?iue}U2Ztn{sp#s z-HfCJzjSsY6T1?hmg3cK9^$&GtvfLKUG)p+(hfGSUdTj^BlNPUZB zbyGWJn`*D1bd!E{7~gNEr<#1y&ywEiSFE4d52oIfUtd@=6t1%kO}u@FewR8e#SUDR z-!R8l+GMV)VRQvrjCRMRvNSREe3J24T?L^jdWzC66>|OIu+|Q~=@_})c}O;Qmi(xk z9CuH(^585dbNa?va5S6|Sz&(r>(6mXqU%v;ue^LUXX;wwM+L9#7sv01`LW{NWuWqG z3EXeS;_@1!sQIXwLdgRk3un96-3)t`p8Vp?#&S?;>(=GyPn!+8Xffo-_*9tA#NTBV z!~DfOq8`=H&?OxR#M&OIxBm3=j`~ySEDxb43X1~rz*!WtV8Od;Qyu-eO-o+5ljt8M zI+Bzmx+R%fB?N>m2AG$BnPE**lbTPo)em=9JDo<-aPGYe=G6X84|LEp!PYZx(lBz9yOB_;*UDr01dNW3lYCx_rhAmbT6UG zv;V!iGjXi}{5auF3@=Z%(c7FwFe`R6qp|fj`ZFdP z^>StPFMmXb<&sK|*XFy3{AGs;(2sJgteS*BtrRt4a%2YdIx!|DVT&?(A9YkHT=1~= zs5?oe?Ul7v*x!5!JCcrpmry)i@u990PU7H}#&gLjk0(HauXu+}SZgfgE5u69u<#vw zZUx`CMOcqp$Hgd+Bf4s(Q)$G0`ZC^)3~&rxX2@9V$cw3_m8;)f1~vOeoY5Tg&fP;` z(3F{It|g|~=fv7}y`RShwPrS-7g?3G_*lZ=GJb$Kp5dG z>enxFEx0}PHyThnrD0Sjj62C8K1u(AWRH&!Wcas?B67wQZQ8AGfA;^)Q_Qon*D_&A{13b+xsfJ^nwt*A-j zv$>OwKJ&rCOr+XU!4hX3?YeD2rl8co5rxmPlMptE;fv#xV-aD98?%b%SFiZdSo{kf{PCTN}T_nYvwL6q(${Nt(e6Lyj)Voo^|JT-4>**B-EiYZB zI(5Gl-;!@P;Aq~tDAbW?I`^OS^5P8l9zaT~6_S4ZPUk-0}VoUDMok@S%2 zB3IRjSd0qe|MQ|{SDEdUBA!F(!7Cy`*<#Do%f$D)r8Ya8XOMeDWuabaAnh!9UJlv^ z7MyI7Wx(+L;XI7ie0w7M)v87CGcA-QLhtbG76(7de`l1?KWxzQgZZ#iVA9SXudokCO z)sQ#sKMwfMbGPn~jeIkS(a)&5OV2_E`kBEXdS5zqF81y_jW*5jfztCR@4Nbf$i`-+ zh-B>^T6$@m5ry#)F5^GN$WoUKk=KhNA|UI&D2%KI)9U5$ZDcP8^0)a-LetD%652dn z)O2_nO-k7@ds_kt{NcgL=LHoO5udQ?tjrvGyxUWw?YvMLeIog^hKH)Z>AzAXcu2`0_nK_pU}!a1}f3L6FUBQZsS;NEY0K zlaYLeY1K{aGctDz*0HlL+1AuRrrYwjs~=8>1KkaJop$vR_{@J>jYZKy>WKzmbLINt zm6XF_-%@398+&!5N{YYqtm@m^wa{@B^#1(fZFig>HI|6o8=vn9STk#K*y|742X-mh zg>3Q*fzHhDS6O+X60KI8*o9~E`%~$Bq!Rm+_}c@%xGO?>;Y=$D`Xts#nto!E^>&gy zOM3RAt)h_58&5?axuqY&T4;;+I)`^vo7P?(_)xxu2H3_U5PHCBuS6VlyaFpufrNL- zl0dG10td!~hR6r~kbrN;s1hVMUL-(nbF29;s6X7(RmaBh$Gw`_qW;l0hHZ|8c?a=3 zlP;=TegEzEVCC5uc~zS{{^6WqPsz8N+FidfZ7A2<18LU&zn2%O8{^o`h#re(8NA-P3iZE<1{dZgg6&UWWR4N+F2Tw z>4m5dBWwCojFGTi88bM!{a`e{3kT&lJM5-gE#MHcsjT42#g4zeOX;8%IpZ9|Aa;Ko zTHS3%FAJ1}nY#kDxy0NQN5=<=DYsWCc}(m2jp9^LJ}vj0w)oKp4t~z^e;F=IWZELw zZUxpN$SdTGvL8;0~?VV~8A!L>X>(KpH_eTM-4Is*0zu zz6CjFD1P>5elF-v9sQpXBfY4Rc&UiUG%?YRge4=Ij8Bik6tv^;0oJEnX!1SDz-W0sLErf3WhVZ%7Vcs2m z^3e7!ZTBIj8o-(EYj;S^5~4eapH`3p`R4;OJ%Ks>i-@3C#AQKEik{JAN!2&`TfKMi zvfyGqJuz#2k|#kW7&ieTnO3;INj+HS98*lKa26S4*vf8 zR!|r=72py}X~|cwJS(={$Lp=5T}-yOjjw|BsP1rg;=PTYqn*iT zrwV4n>b$MIN2AE|!NpDIA@xVLt`5JPBpL)aTDn6PNkmKywb|ag#gw3GbS9JaQrrx6 z6m7`6S3c*bCUQT1WVN*@qB@l!LrlpdvVztqO7AcYaTh8eAP#ZGH? zZLGC7+RXR%4c0otK)UG@Hv*88Teu@o0`6cFtkSctBq1q~E!HFEpp>~)f2l2ti*Xxy z=3xi8Ox;M`{C#FoPIv9}K?axJXU}qaLa4;Oh)#D_>(=}TTSZI3kEXx7jKca6;)5;F zyfd(R(OJH-rfP%S^aQ@-@+BSY;U})(BmmJ{0>kQ*2>i{DR+on`gbHmVHB9|v zx|i|`fz#I!iDzkk!YYv3IyTQ#*7_Jk=o2?|{DLTEx!d^6@bYAT*yGjYQ#13KZMDBL z@&0{l40(dDNe!cMFUx=Hkx)mZ=nyR2;YSds$Y#Ck)*0`wGiAue(#Epu&HihfB{wCP zb5pv${iGMnY@`;or44%%7AYW)ZO zv=r>1TlOom|5jjDz~+|4&mkqDDSza`D*tua)b z&WKAQ0aL^VTi!o_Hkx}rUce)1C!GIVTd@ph7mQgl-ef&ArSLey8R27By|IyO|D^i+ zeO*z><%^RlHSxNlaLd86=T)DcpGD(fY{Q}IJ)?#vw@X`Hg#|GFNH&TX{js4QKLp5! zFsZ5GrJ~OSWx72wF7(We#8u(;_kLpVgb$ar-2owAJR4wNn*5ewpX?j%V{lE(O{|N4 zfU4x@^oLu16t-T|xr*QBU-mF=~p!rY9JGs7updB5}DH`aX~>YK31h-Fu_G0Nuh%YCbK9gJMmu%M`S`1r|T@7&F5&pkK`sukYLh;!+ z_l^6zJqv?vkmF<_=3NHe4x4tmVSwKEZcJ*G;z)T z&JCrnD@{j0j&!-T#e)lYQ!;^_o!z$L`lK-eDo{o4>{ClMAC(uL+1qBB4ZZW$?l`kR z(w4bNJw%dJH$8+WvEmPT zm$Jp#h}+?H!pmx~L3Os+t8jo8M%4I3I#?=oeu2l&@wY(Lk_+P%oRJo|b9r=VZ#hdI zo@eUy()^i6%J+lA>}J8JNbXb@uhA@939lHiA%)ePPAD>6^l>Pt39nIUKBJ^%BZ18c zuAD&fNejF{`hwlB`#*y0ujIyw>)|ovm3XTjRg+;r(j>(w?CCwWL~i82V7yz9|8CXg zed{Mb1efB1N+gwpFU7UNq0E0y>KnMj{dK#)Xr@okvQOJ zL0S37Om{t&+w8%kuCPMBs_p+rJ8kT2BxB!Z#ykpb!Hy-}89h6%Sgy=3uI}ZDFeS)q z5pRirSBGxos?SzB*kH5Ch zJmwQ=DPw1Bd5ewB!~R)GHk)(kmqG`>>HR&?M+#Q>lB{0OD$~UY#9fMzyXmTNL=Jkm z6p42w{`;KL6luC26^nK9vrfe#QV-iUG7T7L+mf4(**8CHwckQZnziY@@;~LhcGWNR zQ%IX{ET~z@uDmFOGPi0Oaoq#`Va9x(7G9m!GpVPn+jH9~O!u9KXJURn>cXHhzcOus zejFVi9c3r@;8_&`#A2vLpYNRb?xywFR#KLU3ZKYS7$1sm8S z#l+ftL8uPk%U<--=>_NorGykn@7hG?bBppXMdU8yw%|r`i2GH@Rg2nSWNo7L=`Vmq zNfB#)5z8?#7)tOh({t`mPBQ}HP1(cV9W+kj-&_qIJ5FZT?U~rk4?Vc6Wp!|&NywCv z|H#wa2lK3B-gA6pf!Ik9j!E@9o31+i_hHMem(k^7)`1U#RXIGyOODOIgN>a&oIz%l zdJS|f2QcaDSbKA(n1kP6M}BhuMYv!jID|VSkfsPF@kz-R2__Q`Y)kk^5fcMF@JD$3 zdzRD6;TrJ^lz%2^wx615H-K(0`}}4N7~~fV>eQWgmN>M%8QRVn+;1=$O0eobaBkh} zy9IhnR}<=LIQhJM&_lfxe0}!ul1Hwf74wJBylOIeK(NB7_Za@Uf7}?z@IUnPR~31r zW5VKXQ{m)QupW}(d*ol=bTXa9BxDX_(qaEtmLhOvjj!v>QI>`EyJWH6z01wPcE=yS zb8_YvEW2ov&x8rB??atEgPi-9sJYb?(wTsa_QbHbti-FsGa}{I{Qq0A17qf>fi#4F z&;I<$$yCzskiQ+&*EuVmFq8^cQfBvg(JEmhZcll$#6IRn4GVivU5|e~P11WIjkA@t zni>l;^J;wBec305o3}(3I~mNoM)Wp^Eg1eLbpb{PBJWkK2PWWE>g?=`_IH0uy_h!f z(QELG^pyAdr&0Q;R&E!5eqUv1U~-Lf@_%S)0!3KOVxFtwd)Oq|DCshhQ&H(f7=IaV zR7>7+>puPSW5ySNb7c&uIR*%S-oa_AWt$tcqab_fL)J~x-YY2-cCL-d=T}YsP5oq> z)C>${c3byoQs4TJHGip%XTAbP0bbiqZ1QAPEN@KLF8)-o01acW&}}(xq@w_MU0gb( zSAc7IoTB(}%dK%G=R)}axpMC7ZFJC%sQRI2-4&?CAfTuhK6c;n%qPoM@R(YDAp?V)DD6ZicufLu<{k0vn^t4no%0X)Pp;Bfnzoy*d68L}Q#< z+vEhT!g(qrZ{#{~Dvu3w^5?F8X=wqDUy`yt2udG|6b;BBL3<3$s3Q9a-02BP?7*oq zEzJFtE9z{Jn_(1Tb(g+_yZ|5n%Aw)}&5Ue@GL-nF)lBb0U?q$J*SOYy0VP1ueQ^>=FK z^9*#+W(a!!q3ynTk@L>9M9?gzcfQHIJdWS9ew%Cf>x+(NoO-5y{a&s?syx}PVAU<90rE-q-4FLUR&h6h52YN-uchZFHPX-2wHDn;ymW${yDXu6nuAp6fNiinQr4=hK4S;xy%_|D%;RYw=a z#z3}+1b(ofPtB{q2=i8*{IC@|eK_!q?HIF9;cFSuW#)6H0kp-){vgYIK1Hrm0VXsK z!uH+CpGD^~G#hSy*9+FqW9IYK~ z7UlntSDQebSlJh#a+#HPL4|_4=%sP&jO+6Z-dzXzipTUFc;k%^av`4_n;2|cz>t}O znAK#Cl8TILYRy6pXHvII!Cb>3TBIr_F|DGo@F@%y#wMprOAVAy+rlN9Q<3#mgBv%( z5BEeLh`n^o-SCCRQ)#O(C?Pmdd@8Bf6w<{bC(|jk+{%*(HR5hR3!qpv5`BO?7@! zeY5oWFNhi^l^`+L^b!Hxk5|01uS&%%sMOfmBlZ<(6Caom>_~{iSW_!mu3?MkMrnzq z>lJSud8XR9-~W!2ZO-1Kb*ReaK%1V7)?t7AxJ65uN4by;y!}gfDfN2T;JU>t4yBog z=-BqBF>wJl(^q17-GPEA;{oz9!hK!^xJ)L2)=&Wp(;F51`_IJ`dYS;{7N|JvGBvz* z=gJ%Q4l7VI_G^;T0#8{*60p-D^eAXC4~3P1_H2W$ErQXpAEwiqR-yKKUUJ``)D zhPbp&Fxs7TJ(@f%xUF7i3AUHlzod|?yY6OQ^Y(SimoxrtXfHvTfy)AC3|>@8m@G7V zxsk{=(BrW^JXb!s$ll9azs)}#vXH~G0npqOfDlkKt~H{oj;6a$HhXI#X<9?e2Sa6?iif;c|t~a*0S$C z&CumuJ({_bZH8RN*1?$|wHZETOf9FSKn(056hA4nafjV4FIaXDc3#Q|Qh2;;Um?lcd08q?HpaY&#Vnn@4*l_$C8Ji{?=`i_5(syJgpw8589_{a%(KItQWRNcuG zyzyRvN30!~Ntb+V-AD2@^b@DIJU7x@%}9tak|1A94;-lmI5x@~O)HS!TiBLOLK|NU z(>IMOXJkq9Ya1YWJ za^69H9GmNHjS(0vCcHE&W2`tnis~-TrtbZW7WK`3<`^QS!76aHxvq)sU`%!??t^xj zGe4?~>d&qnb`qqngHB&_m6&|Yat;M>i7)mV)lcoMcG=G@ErBVm9}^Fv*lU_f?ULS* zPe{JFXZtkN8~g(DyL{zvS6TI&D*4AnmXXdrUi>poy}}I$XdX>z+yP zbrsUMK=0u#J=*lhUt^{zzNx)<{2dKzq@DjYdM$g6tpLV^Ys)i(>dVPDR`%aiJ1Os$nVJ`gQ;8 zUlk$zSB!3p6twDj=sBhCKXD^Yx;6NkYC=)S_xQnVf%Tr21J=lR7I$zed1M0B`M?&=iBN&U zSeF6Ku}5$pLa>z#x%)%h_4?sJ#rW_P;Y67I>7AsR6?;b1>kHsK6!sv^fu2m$mU;=pOu2a2zp2F@c6eZo`Bz|KDfiaKY|51JG z&|3Wx&}3OnWE%68wHAQ+@jopIu0>&5+08ox=7W0`XkP{ie`z=yah7mrI`51EQX|Py zRI!Jzl8aGZ)%G`N#YK9Ib{HpXMJd~tFIw@$B$;!uMS(Z1;5noras~=Iep=^a!2upD z7spQV;tHR-LItUzK0_R8_e>mfW)YGjXPEES(SxOCB$XZ?vS_EZG9%a%0iDzM;JJr# zOXbzk(Grp)`^x%ulswZ)$h9O1n>Pto#*>8-dUOi}_hQG_ChpV)XE){{gXjNa?>obq z+O|bewy;H!t%!6`kuD;=7ezsk-a7(PL+?ExB1ly!N^e5wkzPYUno<&42t^3JcL;$1 z$y@Am&%I~gbAH@^=e_T~`DcBZnQN`N#+;*%IR>jU#viu0(r;4wP|uySP z>#jApT*Q#t9O7Ch+}MRf{%#wcP$~5s`_M;WjaM#*F#o1spKYgC1*v`S<@s=AJD?l zWj!De;KGmEq_kFQz_VazavFu$0xD>#4{@E6@-XPO1lP)re}W7%P#xH|;;xP8@qKFN z&$-r=Nq?H)TI))*bhT?0GTC#X+W%c|f4X8%mC@;any=^C^D=_#%!h-Tte|BZzLUph z6G~;r9V!omi7ZZcI>tXO^ER3}Z$DqAE$DndH>UG?UANA)S|48hl(lRs&w1j})IKK& z2(Up-YQJJ9KVmNEyjmeeCKspNq;l_Qr&xQY5V!erq+%*nhCq0gZar1JQ;=J!l_~cJ zNL8{zdrzR}iTvO&kyl6(whHyE=6+^28+7?uB;;E4?~QDztWdS=v)d+a8gCZ5ba_ zZgTu!eFZ8QQjZh0E&kE?F>PwK)vMem>!koX^Q}1UD8Jsq`czkMJ?k+ui>-6Va@zYF^ANKx;w)y!M7pC8xz!^?%$sP~%{G;YEs zuCi+ploxyFdv!cu6LBHL4M;pHtlaXhn{Zk2kHugYVDX~ucABwPlhdIglv5gi52e|y zMIAuo&e!B_KvlOa@`gx04CSa6c;8CTGvO`P|2Us{r1F;76i6N8 zd8W#EerXoupE8XYjQO_QKP7jRhYBt+m+LAhz<3gt9bD@cFu*kQ%;%I*8Od+*I2?XV z<07jK5%$Q1rOqRd>Cu<&6$GJfn8)lbv% zHEIDZw7JX+yBLpTll6yPznTV1SJuKBf< zblyytm`%nyU|>UrDPyOKwL@u=occ#hB$!JKiI26ObTua%Ek0COQ7+;DuiQLeTuz}i z>N~2?4T#5bxKxA)=O)R=PAKX z_4IrJzBGaKJnHV!l`vJC`pIqa$*3K6N=Kuc^)eg2&?nK^(l2aMO-x*4GNzWlr1Z7l z39juvUFH^Q?(}Sa_4`E(U=U81(t|&(Y<(e8S9e0!aRS`-g3?`f<`+VveeOw#lzy3x z_ZXp@6ch3>E#t9DaQfEDWwLia;Z@IiN;8b^@SWU<8WN!U z7~o0UM zV^xZtQz(%1tau{ANl}AgeeDMnHg~%^P(2m!14f-+0J7#?{hC+iOJ&Ny%z&R!IH0tnmPBo6Es0uF`Q--h+k7_ zDO*X639`U(gBipx+!um>bmY-QtX(&r7kuhMQ!m;gBYT`x*wpoGYaA{H>X5EoDMwmp zL@4%v%%m zcIwj;DXFis5h7&!bm%dR2OYNFi)IK?e}09%8&~rSvAI`2v3zn2S``rzw)xg~*#TMk zF+FSD0Nn4+^lJa=(0H)`#a_dU$?C6t0_F->Wg1bbZYf7*yDQJlN*DJ;z3pq)=0obMn|w2cC(+Xp@g>u> zOME!KWs9H6dQD}CM@I+m(r=@C14fdqr@HH4zEMvvm*{B))KpSptgo9`O$Rg4r4}*X z`fhS&Ud{?-Ao|S&e=c_LKct{99txKUDWWlp#Yz@8PjP7=z%yM2?H%uaKo38})5EnC z^xp5|?8Kb&m3W!=-qWW)C|Gs0D-Pte{tVu4yC>mu63MjjG6Z&CiArDIO%6r7SUfro zk(#I32psTP2yK+5kBh5R@9sL%`MIYu!4~cI8B^b}l^GM-&LHx&zBhKOE!L#}s0qMX z&X*ZeO7GR1y3NBrsF?2;GO-A7z=#@fcd}fhL%WQCk>sLjpb!UwkI_e=45zc7{ricFp>AQp>5go`z z$xYJ5z+n~h60DYH|6>Uc`pNWNr?ZgoNS>ngqG%q3;fMvq{NC8}%^SNLV!8{ELVNtz zISQOuO0#PwP;t6^F<Nty%;pgTHFKR za8Cq}sKC%(x*mPsOd8c`Rm+mg`RkDA`_s4P5D;~8G5)b-(+%f9f5RIgq}C!L?k!~W zag%Gk9?81n5Y-_A&h_*IaNdp?Yw>dZgV81Dv3aDFq=(&8qxU{g;{xWM@|mqAk*i2D zi}XBbY9V(=K0Z-s{O{7W>vN977V9>ZqPyX_d*XGa=9; zX@}W%d4Zb7)eb9unQRWh(L1`vbiZZT`c%oZZ#ETW!qk_$RJXPWxs(raOoN#fX&D(+ z@@!GtJ54E0CE};AG;!L*zL9<)lp!}aF_@q5G?G$>m?a`<7HsU@9p5<upC{ zw1+EkZ8LJKL<4g-=9MU~P=~Q8ard)B3d(~+(gku{KipT0(|eXJsi&`7)a0)!_DC5G zwl4c_tcr`!@Z0Y7@o9Z)ml#YGaE^X=g<<2BT0u0!RH&g^E5gw(&tztFd2}R7`4&V? zPnSrB%JjM6T34VWj2-h2ctyA#=b$Bc{*+UiF%~22kw-&%AAS2X zEf`JOWH;tVx%y%l7G`Y9&I%^Jp>-yVkT-g(^_hs8SDUndM~4O*NJY%Qj3Bniu! zh7FXiN?v*Euvm1nn_suMq+}#+s`4kK{${vRyut9{gE)s)dC89?<0DbmG`6Jjbe8Lw z1QnHs?v+1q%CeKH(x@I9%P!ZA7|P0aN7PStnvv<5wBiV+V;_ z5JE4M<;>1?3$$aKIGVzLBGk<$cYF|6Ui!I&Yq-i`Ybgy5JAYHl_Gq=vN3dQTWg;ke zZSi3SbMVwW5;jbMlhl*Jv6hkCgvs0N@uKm(TM7-J4Zqr#@3Xg1$v~ol7PgB`RsU2` z*clYJ^7OjwrFI5s$4?b6v&wF=R9nTJuMOVSW8u?oJW$-kn^Vx!a;Kk@xmZuhp`E7c zp;X}__qQ2UP87?&;~AZiGu9=tc1&no{3zFfn3y;F+{B`s{Kxzr$7e4zQ0OuG1-X2D zHG*bx7F5G_9tl!?Q|X$0yMVy*X6R8l+ANd!r~r1{BsyH^UT*SsIz8; zlS+$g)-8X1p$fO<{3ZVuX}1$=lXvx&nQwW={wr(l?Du;>UgFmHcU?RZvRVfr_?kPW z)Q;HyJRn@M3-(RN* zjIMq0zpO9d_U+pl)lL6BX?a_z=0D|x4n?nP>F6j#*!>-Xf4`c)r}(D~=Ph@x{(JiL z6VlSsJoSAe^;pKg`VuRjOk6>gh|QdmDLMA`yMhp%uX-+aNGPu&thcUw3?qxzKC!X& za_Z~}X1gsFoZ^zsP~Mv5B2w0mD#Yo7IGJxiO~oG{<2?dX67`KIk-ZeK?e@sXrF_#LM1+AOxh$PuX%g`;cP{Y7=fC;hiXn) zKS9gsSr*)uw0)yUwOycd6)F+*>MI$ndsOU~F%Cb1_znJigF zUoKTBF=o<5lH0{^564@3uPAdL%lE7Y4vG`#mby;(Ww5IrEyXm-eT;$-wo7U>3Os4T(=Swzr@4%jZhfFNkz(+&v%dLVomUv{!lFJZ5g{rdV z913A@+^|_jUe9vN=b+kJqWc|~X6EwRudh4B9g^RCK{19~E%7d>btF|ux0rlz_?b+n zXUFYqCN^~GA@h40ex=OPUDM25G!Ycxal6 z2nvIZ#?PX~Wf~dFa*`JAm-LDFr{(@j?9NKCjpJRp~NIt5L~_zPzbVj8Dj4=nv1fAfg1e$yqWBesl+I1lY6?-s&&@#=B&} zI?~^+?|K1i=@P2)vH7laU3;*+vRIZ_1!8y@^H6VW4M--tD=@%di#5pAm&1J$O}@gl z-Aq(E=n*4B@R*)Pn*$-j2uN5!EzfuQC{bO< zQ%p#yO)84wOO?C^L8k^wJD|+7xR$H+~t{z<=Bn zc{nb{SWPmiOH970M37Nx7n3dPv8`EfV49}m4JcKoDSAY3O7vj(`i*f}lwB$vuRdyq zi58HIu659<$Y%wZ%Ma+ZVfy94az{WlS zFX&7>y@m%vU9>F~EU;VF*quA5$<}#io6MB&E-h&Gi3!cLd{ZH}8z=8v994ZpPk5}1 zKW%=jz8ULz!~i^kRtZ+O^H_t7oXfKCWmWZ02$TbnX_KH;T3uJqt2i)W-;LH@++=Nd zFi02lJxOrnV@=TN>=Wy<6?d<=l(e6SOYTh@k3L;g|7d#do*Nx_<%bx717|o8RX4x< z>+6gBQl}oDC8>ZcgSjELBfwlS`Ek=}wa#!T277jb1QV{6HfQqGdJd5Ha_^M>tPj%3 zPtWpjUJ=SMzrwmRG*luVr_ACkqxj8`G33+&e;$~+?yuLUbmtB<@Cgw+8Q8li@I;x- zj8G|PkWOgT1)F^=1P3*!Z;UyQ+DUopZc9D;sPJYK!Px|SDG6}zY-|JzNSw)0QBei_UEJ?_Z8m52%oj{WZ48q&oIX`LIw)pbO<3Yg^K%Rrj3K4T z92Jz^EW*pUg7zjaqsTQza4Q-~10w31MkO+=J6gq0X{4Mpo|+NMc?{Bram9HUdv=km zW&q2c^REufx2N6ID@1|M@(E{%Q@nlo%@`Lx&4gTm==B}Qx0YQ$p?@)A> z`K1u9^xQ%IVD^jWBmgBhot(0`2_A77ZS;)5lkoKHg+rNKvkgH#Q#pBSJ5|l8;)jis z$2fl7@joE0!E%7<8_w&MQHcDK%Lo*b(K)FwWF#CG`slw9D8_B1yg+j$AJYLSHsUm- zqLNj?I4|?eyR`sN<32}&PPvy`+_Q_do6%4mb^oswCu6rMrFNd<)jOkm#8xASc$n;t zz!RM_-}M1G;?J9yQ~?w9RHytN2e(k&x^o#AVFkXvg_9d@ipzFDUQO?gr7t6?-I znVLawxIP*Q+)2e)c808()IfI2@KkZy_F~hPXh8T-N&=4uG3Q3zJ7U=mAm{y&(XcO= zY43Kpe*56#TmFY*>-|;^ZW$cvX+`e^x{;33Uv=FT^! z_+k}g=c?qY)6+9_DH6Rp?Y#VAK^XKdaz{MF72YSDgLE$kW3R|yJMZ%uzdk#kmjJ3! znb}OcUn@GH%QVOusp3149O9q6NlZx4)ilek8f&ds34u?De+5Wcn@zsKmw8+MLF662 zLE(Bw4ztk@P!Znx(#f)D!9d$;&P2KZPW#Cu5;ix)U=`f9s9|iVxm6m?63Fgx#t!lTJAs+>DGrzpb)rWDVh%jwJwa6w2TUJRU}v)9%v5a?$b6ZE#`5ho0@U;UhAJ5cm`c!)Mif z7Hxiki7?zd+_u4^c4l;Zy5zeU1Wfwn*^+pF3|0}1N+?UshdujRN8g83DoWGlf6GGg zoH?du1zIs8Iyneb%!4*gEXChDs?``_7 zUwfW>8A3+x3k$c!1hhsH@ujmP!6jw;BOgH4!fgZxVE4@4S{IOCsGx_mePYIMCTi4J z!in z7*q4Th_;*kPQm#3>(!5>qkSb0v@;qjOn|y@uE9!RfpGL(wHKyrjwM@G@YSXW0~(?$ zB|BZDAuGDD>^=FRRqq6KQw6_Gim#ZWR*Oz{&>xjD%f;{cu0iBl&Cs1)4&ReDgf|!M zCd~~C&q!&aVFwUAdK45Z?)|1vHBLuic}3DNz?71$5R~ElDeX@Rwfe;oV0zlYAuZ;Y z5^dLxDp%g$zE;29;T%ztpgLGq88S&YvO1sREA^AsiqJ0L9mS~8i&2x&|! zbWQQhK7kqvdt&Wa?|8b$BQicO;%<-TKk_|mm1BERi?O5={KjlkE48EBXawhze-fNN z@LK-Ob}-)Ie6vy_x-Q^C;QOp!>mh4eh-!|d8>@%jkCVrgsWbhW5)a`XFM~sSHH{7+ z*-X=AG_J1tmN0=Ivvh&pF?4KgIK6@@LgiD&8>#gcP3xWFllgApV=Ht}#f;z%F}x&R zL`UD<_)@EOXB-uP;?iY-J1sALgK?K+jux%cq{gDqy!D_p51f>^)OzPn!BbFZ`NUAB z##dXJBf$N8X3l=a} zc*!|9R}>C2rjH-2PJOJ_?2w0V$`DAP2W5uUvD;5R_*{ANmRqzt$fBH~^i9qCzwL{t zdGDB7CxhBiPIcnpfX}n&S`o$H9E&D%3y{(f8!2^%Hm(in%HE`EpURMvW=bBH1!?#5 zcAAg(SnXQvTfduu~^st$d3I^t=8r6}Uvgx%<^4b=_4j)`R=O z(JXi*1iK6KU8|5<*$C^&8ngE8`}r4U=d+R~Dx;O!ivXP7~*E2HVEDpNCCZ zkOt}bHc%MkS1(D|G*(FF9ExKg=k#5hVU;T;Hh|OaGf>p7;h@bjV+9=x_K*yu;3he1 zyUwTEBfUdURM(M*izCR@T>1)f39{^0?EUFWbS_BSV23RD_SbJ(Lq|%YcPjA7=6=Do zqFX-=Qu}_o12dABNN4`p+kRCg+WpXR?wE{^a9~R#_Ka&OmspxTEr&UODsPjbe}<%3 zsuQndEespxP4eDdeSwbt_#kHS*E=H;9V@GZ^tf>L>;Re-r{Q%uc-~4#2ibpwg#8qKnWGgu_BV{cJ?Fj zwwIRMq8`Z&efV=(#Nm!h&;USf>es8)c&i<97OG8VLL7C;LQqF?FP&Czx_eB-Z}s{f zdKB?5w9IJu7ikar;C)Rt#BND{lpGWXxU%7^drJYvLDsWk6cfqSU4 z;v$wX%hM4wl9n0_R61@^FeOevmyFL|Bg&q9SVq36V%af+u3xqeYdIhGXYIO3mTr1G zxr;}%`jOKRgNx^($B2}=dwv}H9UD*0Hl4K3VZ*tIVDACx>HYcnO_WG)JPpImZ@JV9 z_Mb_O1hc;s&0S4fTnjWC&93lKeR(aI21t#wnfGmjb#O#Owve3QkmmilRA8nm$l0P< z7b#P%YqVT*!8s|CLDOZl#cyrJC`F5PD`niaOIPQzWEV;s_Tq;Jl_*R~1JE=XBY z?Tu-ovfAyixR6>K0H`U1Wuil|j6m*&YGf_jIT;<=+yJT2{TW}-rAY&@9Z(9DD_Z&mHi+RMwPM2?9T6sOiyBHA{?{dBu zK{-|HHFRHQ@32b0MCtRIU-8MLK|9~AY$+CEsqeS@kbaL}OOBmHIiVX-9BE?OS%~5F z1pa5*KJN$x`LcKdnAJYUpgnpN;n<7R+D#f=Fh8C{^ zdWpPLOTDo*r#G%A!djI$yWK-z$PBEy{DCuo& z6%2U#tY;rCElYfoes^88wAhRDZ{j?SZPme!`C!_cfRh`U#gPQ(3aiPW5+B}x9-eM# z1Cz{hvq&b`uiMKTQ74j*zbo`-l>Q1{2E|$_P6V31x**B3y*ft|R_FU`oQJ>Uq_fi> z_SY+cD0bz*kHsBdn@C(q?wz!OzkrTw#Us7>^f%Mip(*R1;lj&-$qT8VW-*2_%zOerB9ek$DXj&?5;DWBgdB(;+R!d(#sc6fH+t6Fxzoxrm zT!>n}>vCTt=!cOWdc}UEXUw`KGd4VIOKRY^_ax76>})@$0v5qb_iIHnLOP0Tq>u*m z%gRjT!mgCUoj)064pG&4b25G>eCI*_RN1S_6&b#%?GS3q;5ml#pVB1z??)+rjQn_V5LYPL5vB`bQP0zH;S_(lppq7)3eX=rF^gXx*2)T_sX6C2}#5LZwXN!Flzy) zjmq^c#tPV6l<`NGPI=jz<;!DD>w(^%7Vv>F8E*n;D$W!2Y3VX=jtCF9b7KZ03@c+U zD?Tr=C=kF{IC~&DAM5V?Vn0O@=Gaio2B(34w-tvFI)qzxo@|XLLNoZqcn)^mm+YK} zn|Fc=-w1VkWbE-b@je>Fe=AlY7Xw%P8d0rwQ$Zd7)7HVl*kB$W=^UA6!NVa823?`k{WKc>5~og;n0-D1EOT4I z2*@ylj24{R|0@`8HDWiJ2-YRXrB!Z7;lHa^J=S;)23K7UG$cKw%W)Twsa@$~T4HcN z>@HVq30w>nj63%0N`vvp(dIOq$c>d*stvhB_E`Q1u>NT7XPqe+sA?Zu&B%-?@J{#C zqY*S0g2w4rgS{81S@PRCTLtF{m$xQco}W_0c)fz$Btnm01ojP#2eq;^iS)9I?)aTy zK=w%iw&02k(&n0<_#i|D^JL9FbFk02^p7vaU;>1${sbVaZAG+nXuvQ=|UBLB2sz{YvvtJ+!?LETZ)Blan?LM;R9>GfEB z-7Q(0&4HmKwMUH%k5(LsOUw88tP$baYcfK0%&A3F9M|gt0-pZKu^gV{i!}AH1ZSBP z{o-S+wE=&OzOh-EogQ?$5MJ{5fMh#J(=#v7i1bTUjn~k%fRU*70P`h}?NQ%vR%D;o zOUo|Pymqc@<<&{ouNYJcjBSGgHg4kU_&n1$#W#AQAyn(0LUuWE#|Ug%t4@q3jL<=2 zgTT$0ZsA86c4o{bEtkoIjB|vRB_;xwc?!!9nzlxZDUgNVI7i4lfBT^0jr9*RM%UDNjozIZ^LMMr|Zm&B0<7;Ln^l6D248T(7kZ!7WwLVwnd9X z=);ABsrsdoyljDZaKH=V%C@-oGB-Z}M0uRh4b^P|m5h(wr~Bb?B$(KQ`lZ#k7H|JF z-GpT1eOvyB1DJKqk7!>Fsrl(LHan45exJ4j4&{WwK?nBrfLM|+6S5_q>%`)BJ}R)C z!?3hdHBY?DCJH|gI9DpI^e3MOvo2IqNf$QXVxt*5c$`>)P|&U^BGxgCy4*6ibN8n_s!r^4^g+c~u7MJ5gFhbS4isbAoAJI5EhZ98s0907|VJ;{tP$pvR=cb{|26!hE~FffgIRT5KaMf-O8 zIFv2>ZYKj&00W%pBJ2ry@8nPWs@Ey0sm1y8&t1_6Ec?MvK=F|d%W%1}q_98T4kQ)| zokU=oe{VUbnrwi?@Rt^fzW*;AmH(>m!g=Y5SpV-XUlQokf8o)Ld29EV*8o4v|5aZp z@Bsr7rOjq34~?w6FLd>PZ1PjvjVmmrrJny>dAAMZUG)6`*NT%V?VE-Vuz>!&*&u~2 zczzSApl&x|0X!^}m!=XR<|MQ7PJn46ly{m~@0fsE+U5tJ#Gp{_|F`?E14c(j0pBum zBM@_%1x))Vm{5qi2p}*uI?_F?g~wBt)W9zUc>^9Rz+_0$7B&u;mPrhnAcSKo04x@S zecIB}g(mj7lUiD^&3`~hBwcV5DgigblxQ~u*^Df|{L;7l>s ztaBRR`3>4P87~Ce8=c)3zlNv%S1xj=Ry>eCHG~2^e`&Mc|Bpum7#=xAk&vL^%FmwY z{>PX7?~8KypRVD5-?8QOGgW}EiMFrNbH%HuNpZ;=tIrC^AK!cj$dAwhLavqnw0|G* z%LKj{3JbnHSPemulML$l&iF(A3uhllleXFPs`{CGG-w*pB>(xe4-J8kbML-}t49XF z3eBoKzrc19@jn5r>O*)dS_7q&D3 z>vveh$5qv;|6b{vMCahlN(k4$3wS7Ru>Vt)`?juU|5O~D1p55n)Q8G1EL_e&O+R{> z@^EOf7PK{ef%yQYyX|F4`KrIXLCaH`H@r?t(s28h?@kTeg+HLTU>tWZOR|gZpK@v;FW^)}>iN8xCpKk_s(im=5|+l11C=73-D5O$Y2H5-(cdeqaoLWzdPo z=|+qH!9U#s{L9oNG&j)`@Yf(KpdWe>qzx#9z}+V+-3Pmsws{cO89H@*{+ z^et3fan$ge&SqF2;Pz7G`p1E8SML4~MXG-#X8l|Ha#C4jVWas5-vSOmSY z!0pDK^>rqme`1rn#>^EL828skd+o0q=;B{LzP~Yte;oP$`vACq2;(j`IVQ zQd9d*z%VoW^l!V^7(HU6ZtJ)P{#D^n|7b7~$&U(r1jyvWr1ZUpjk@pVn?mzJ;dX$%ny2 z2z+!nxw~l*h$2iKsa%rb3nnP@HF&4F5EBY|-A?Rkx{jUEEk&#t@6TC5)$`xa-;ub5 zp;*tKf={Q3>zUB_;<5D=GnHEG0C5aV#1S302o-98Mcwv%3r;kF2M0pbjnA75l8*=r zU~Dtod2q&~)Zp6I$zMp~AgoD$uF*a`rf>V3hV4|S99NDsuyfH!(@&dh!YeEMtHfWD zPe%h?UKSFP8swpq%{%CMJ~_=6So2kYV4L13@qy=KU~uG&a}4~s?=SK8zAO%{0$8cJ z!DIyww_8~&cG^S)VSBCvlu{e(g||XwmeH{qC|Gq5*B~C^q62=BPVh|?Wn9pF_4Si2 zrow?OK#DL>JQpPjtE$;T22px9+<$U%$yr$g4WUo%m9?^c7s-R4{Ha3dR%;S16uQvt zj+-{@TeO0uUuHumzVaVA>9|x*^hAkO#G^&fh*7cmr?+1bb$Jmf8*K*JJi#M(Y?g2T zjMaBiu%gL!EB};8EwUdpr{Y~)B?=uX3* zNUJv{?yII@3o~5;P2t%x!vP~-UsnDBkl|O7K_Lsfq6Ogn#yZjM5od}7`r>irOzECM zRqV}$Q#qfL5R(S0gJpoez2gd%@@27?BILG_RClNcuft$u5z%w9_U76 zKq~<|#Jalt(KfA`+)gFAaufY%!ywAV{IDt{OJ&$|1Cb5L1fL^~nN`3_JKz+4A##Jc z#AHdkcinzEAAFXhMEOlh)SfH)9t#73n92&0RpB1YvTo7aP5jS0_y=!Pw0c3tDvsr) zw%EUtiU=;{?K3I=Y_6{3!%OomAAYi9>=*cu7GQ~?=|??` z-aPnCHP~T5)A_Rk&brd&wcIOW+`~Gd`l;nL#Pe|dm71dlpfJSQ>#$a#_5(Gfw~`zx zoml;B?I`903lO>FI(OdW@Fg3S&kWe)8jX!!67~39YG&%f0Fk;ax#T4PW|PB6J7Nx> z;_pLi!4CBgq7W zMuLC*84}4~$;ujN6_Z-PO5oC~3@&G3c0Xo2N00O+yTY8!c&{Q? zq=>FDdh6j-^rz*BO%s^X3UwCl5ef&#<+06)5JLDu*2tsfG?o>+44~^hRL06xY58_? zXQ|rwDNNfGQ;3FK>%!;W$IWn@lrvuWY4xJz=eMgaYF|WJeZ%%(`Zg<9eOq&gL9ZQ~ zKNa)VwUmG@jybn#;ORN1#9gWLyYWeONI(qP#d>(`7{jvbQ0@ycV)`sTrGsaD1KBd_ zTi3$W9dRWE0hqEsoHr>U!MG`v=x;3f?zy8ZBebQ2iUi!0&JP&_gbUKHRdF)-4Pt5D zVzm~xN@zrLRYBdqX&O|Jrq7_};S!I!yTCj2GQx43oWOE&Y{iMKA3@d(kmYsRyRofv zk$6NshtzyrHL91$qvrZ(=I()Zt~36rjEG#tgqnWAQ-%G2#al zvIn!7z^}&1aXCl&-xoGM$T}`|VX$Q_Qr@~$AcHH@PuK8ZOwD6OXrLA?FCASAM@80i zIj^zS%!TfCr{qNtaZ=HsovUVS`n__RUq{BK#*%DXirEt+2alK(7s?;S*)Q`+E;k;Zq&m#`aU z!9!8Xz-;qEj*qF5S3M{SKz|aG!AV-zQEnnD90i71V?exwBi8k8Mk^XCc$ooYy~D%| zAy5-bj)1C@>!0fb*`Fb@*?sR{iwkV~#@<1Keaq3)Wm9rrvwxiU{1tObP zuCQ{=z>#V-pQxOeI&Ae4pUXmglGiX#N@5Vz`w(`L&F>gq34KhRzSHPiH~+MsSv9lw zU>Lj2I^)G8m5>3+mJ3O|zeQS`ee${he4b6&{TZ^FbtQ3f96l~AU1-GaU`?#SN7yCX zZp(Fi!e+A06fSb5FPxnZIpf{d7~`MWTVwET;4{s{H(Ls3DM4lE8@&AkHMc$&BuTAg zh)qn~_QD38&+2c)&FI)7=t~*RAx%$d^daimTIHyT2QQw`zUtyv4XhQIkXTIDsFeb4 zNb-Xd4%X7kct^~QBTg17-WvoZFm?=Bk!swyu>pS9m^`M8khp+!n_B{p4>H}MviBN1mx zM)rmNU3#7jMwXi24$&{MB4Z~G6+)g+YQ;sX_gIe{v2m5{VERGE88416$=Uua0J|28 z!dMgss|mXwv^%>bj`z}$-}c}UiU^DP_hzoriw7i5&#RA*amTU(wCLo(ejZ5{=(|kk zy*9Q4;gE5o;o(aPteN4QEg6egRKZr;iUlz=@ty0gp&)WcoqibSqFb@JDMk%WlX!a4 zre@_Fxo!Ps4Ct_l^{u(R{(NiqBM%eu>V6rWtFY@8NbX4GYJ%*( zpF%w+!)d{*s@!S@Aonf8?P;6mz2Dt*z9VjJ)NTK6`0bC8#ZP~vj(@|^sVoNatZG{& ze-k2`pJ*JJD}I;BUfvX7g=eL0S2FjL&Z8PL4bRJ<;|=n;`@V zxI&S6M`FK8qJ7#rXKzK*^|}=G&6`H*z7HAtI(WY$upSni`75>^=^Jrgoi8oz)-FR< z!b{(#uS?tkrk__h*DLVghoxPyyeik7cyweY`&e(_b^b?T&>(H}tA!b_ByL~hWz)-| zz?e0ew{rLVVi|l=qV|5Y{k*nUmVLH3*vX{beWyg9IW9qq$EBjJ*iT|Jc023~@j(aT z*)uq&#QPzSaeALtzoUdO$8jSo%4QeY-$N`5wcQR?nc`oMu5Yq8e+Yc$aD6rMi6T+~ zZ<742`a`vA_${B5M|T1Q=wyMLhD#RYe5 z(`w#Ly<*)Pxyh2H5DHrQXq;b>sqsAp43D_tS=cr*qSLCDT2115&UwdSWuTy{CMsAj z6?1?x+?x`4&0h9>c0ySy+YiZh71_K5*8c zc)29%OW%)E_iOrR)|Zym^|E_BDVAIDkH)$Ro&+jn4rJtA?*#8XdYVo3G_*<8A@C_? zBC6Br;M|D!k;@-}FZQ;`It_xYS50rti#P`6T{9iEg+&pj_m%VTF|<#!u+`$5Wh<+U zZ~oxNeoo}AWUqA0evur9YDMpO4nZo3{-svgzx`&}E~o#h&vNZYrKZf$%dS1@=<$O* z#;S!%$6~znepA`g&7bSYTp4<3i|qB3wKe+CoE3$=ZCVaW}94 zLZZ+4)eFu;{8j^ccd)+o#9B?|62!S*i$e3R#%xlXCSv>0bdQ^(yDv&Hv0*yz{6|%|E@D*-WaJ z5~DlVN znRuD|JS1g*$IutD9%ftJJM8{IzwwLxVxk5E(e^iY7v@E0@^SC)u!xhTlQt=>Oj2Y# zBE<393l+pSak_PJStf=7j-aM_g@=MCdNZFt9`0TKP2DuKzIFV~SK*Uu>o)!l%H#Wc z+Wo0?QM70~UEO=4Z2a4-egq`%%|OKoy-A^A&j)i)<@o#c4W2X$C^u5{#e$TmD^;ea z6j%a+|@GL z;_*`=?B-r1QvWxduA@%y=_B)?Gt2&SJL&z0SJly9BgliYMqDlL&jeW03?CK*KZ01I z7+v2N-=caeEqXacab`eZ(;^nz6IEi7>3CD=ST*ZwT^OJHds~YfbbR^uH=N;>hYNf( zr_TcKD4U??%2!DLI3AXKt;^@2t4zA{`ONUlI)qEVy9CJw?NfQ6*YaCv-h;B+8+UfS ziuUo34GaB95G?UM-C%& z#Eso~YMtGAIbNKNdD?g(xHXDf<6&Egwc3Nm7hY($Hd5~*X;ZzS_u@`+CHnX8AXjo! zTd`?gOP0J|M*+Vj9BN&jkP9Zt+(<2n&zB0@NDR9q;KGT$%i z9fYmye(@!J;qm?ZP3cjd3w?c+bGy%TI^qJs)JC0vVOA#&-o31bOP?9KI0T zC@s!RA}c=-Oe->WUgpTuQGor;w4K$=q9HKFH;{ATXnx z?7MSP#!IvLs`ppyZ!#N})*GcgWmpKfu# z=lUpi4{!SPwLk8y^VIAe(QkgvnWQhd@JZI=4atN*NK4*)d~@O!aiidIUk&#pZGtr6 zu%mZ-C1viY7|JL=Fm$Ge8{Q0@&F&uXxXO;x0=QxEHG*7E|5SHe%cZPTC3;n|><;j} zkbaYBltv}32BRSzEu%1<5alk6id$>38f?VU5z_=vcxM>|#m15G=g8lH@5KXfjLN*$ zn{o;}v41QK?F8M9YENs5QcN|1%6{C)K&%me7MP}&|9aW6I-UK&gfIBPDH~PvlGE?$ zu_YtbU+}2r*R|e1A0cC4syjRx6T)7dV?)v4O@m@P9;LqirYpQX*XJ~LZ zjxabIBxMi+BvGS7nyQbka=u2rBakL0dVLuRNnN;oX z3}18&8kLF*2n7w(Ad7`s9^~j2FL$CGPB$Y|G#1C*b&t{t`d}?noo(+Kqo#XBj(>@i z*QS$sE#zwB6WH2VZ8=BYUj+Ik`fYgGB|7E$gBr${y!4P>y<()c#FbdN%<6%@LlYFn zpC6rYk+POBZRU??`GYH8W+n5X?%oScKN2FahoNM%j_Oe*+T~tTzy14jM7~v$(ek1Q z`OTW79-VT=>koNc$JkU5g)0ef3`!tEZp6_zDU>0v4*a|d;Y{kd?k1MuN5JBA@?VT) zo*yFmM&oL9*Q=lxj7gHVg{XPg$q+t1PF`>-^ft5Q0fG?HuMcYPWM|7-x}{Prh`5$| zF;0^Xy{_(vU%~?RMHdj&+V>2~M{1TagDm-7D{)NF*-#uj&0)OT2^l-8n2CB;Pu} zIv!O^ugBkr{Zh!IN`%m>dFwN%M-+;VKAqWHcNMaSQCC+nEpo^=hD`9T*>y&HvhL=a zeq!cQLNHck3bd;-NSrU*8SGLb(}+{1Bn*dWcC& zGO9PA!k3xH8RE`(pEVVZ(9*x!OvC7zOm;!r6~Fm%+4qg>FtjNI| z`V?6!Inh=5XbMi&x|^4>UQZAD@@90mk zZ=zDqH{N=%Pshs@3ej)o9;(vlJcSJ0#&^H?yhSaRC<5wZqp;nsDC zhKgS0fI7f{F>rbfw6ZjATJkP+If$ zP~;;-oM``ZaUfHTUAz<$vYdU>EbADac^>tCWByVLuT&|_8FnO9OnV{%&p3iO2ijfo zXKPj1K7$C6A!(yo))7S=+*(EE&cU}3+7K?0NTyIpVA5Ce#tKyGsKbw79Q}=EqDe5Y zLrYxLdK9?m9Yhs_BoR}knk}=+0RxFq{672S6DHz;Pqj06GwYMjS_%|+x^gi+3-bq8 z+PlkR>~%6`xs67D<$I6h#S+xPvS1=1l&r#x`dg(u$CUyUkZdTU-yP8K&B=VWYp6@_ zC>isR+p|hEcAeDFiyJf5SXVIX1u46e8(UnjJqZB7q>k$AGr!eKs4pL}81}}ep zDcpHPAGQp~B7a4?7{5-4d8(=+!P^&+_#l9Yufnohy~*Gbb9W*n=Eo>Idb;}|yEJ~_ zDxrc%d53TI{O(gM#NE=DW##wH#;2k#z*eAHl2Xqni#BKkoFY=iLU9G0+^&T4I584| zRBLs5f1vhI_o!6D3nQdslM${a5)o-ctL}VzhQ$22q)kMSRlpc~BmIU|a1Xp4W^0?} zu5~=z0YLN9VXWSRV{TXY-mMEJ2TOb{!9Tw^4r-D-;`PYI^U#(wKlu}KpX6^D%_icR3V>eMo>l#j{XQL)8rX+8z39K(Kg-ZzqiRT<@=NZz@?qb!> zvyg^)5qy*#e)-GPlRxC}T35Jk;^?v)QOWO@-w0mK`C5=p(Tp*J@+EVWrZS$Xj^yCW3>tZ^ZH1R z125v=^Ba@RAy0&aWQs&{=1c5Nw;qwuD}uX68p>Cwk}-W|r2XbML1vq4&r?DEFCi~1 z?Lp$Ly`4AhI6J^)o{=1(TI}qK4gayK z-{n`mruC3`MyvL=ww_UIsAVfcGikCi_feDS%Z=Ad5&88L`lhq%?Qc)9ozY_4YU-1c zRf>c{Dzhv4P%O6BVcA~8$;@>xMBP3_OG+DCHQi>+vL1wQPz$e(NzdSV#W9=CW_PxS{;PjadksB2$pj^Mu0R0%({SR+sSlBsM5<=E$-+Vow&81~= zOMGSsN$|k%;h@}p?%b;k zxaRk24CX;K`GX9OQbv@x93nuFVdBgw%M;6gr$e}m&|b>vWAcys*v&Q(Dg1&`J`$)W zQ`HjQDCwPdJ_T8adaE?9r@Vm^HcVk-RdnNjONe^#0|B|G<$G35JU#8OUrZFRYVZKw zpDq1ff9eRLi-^AR&~AK)sOw@S``l* z7~4*QrU^$Tjdt*V-k%OnBLyNFR~hsUIvw%0`Ozq0x%I>P2;hM-7q`c{$o7^q5=DoZ^`FxPXTF`TRE~h%MuK(UVyK zRh1nbFP!krs-BsH>`&jDX#|TWBo76k0*z>Cl5T#UyLDu&JT0QI`^^Ozo-rf(W*fki z#S8h%{yVGMt9T~MLY>{UqRH<-n!DsOPh@`}OJV7HN&#G2REsMo`pI0=2P;APu7v9Pj-WAf8^rra0*mG--%N@A_Njzbl;}=<9AUbt9xPI)5lUkb_SWJPMkZh_?Z{EC9lntmmVp}&xzzgk?j{I z5%R?`9{te*xdGj-VdWWYttQkh^oxxh?KB()FVx4$j1LziO*_rT8R5Xd`BmjSGNrhr z>78HC4_A;El}EP8EyU(iPZQAIb}Vx}y)Z z*w7v64jAp0?+iY%E1}AehBuPhBK06r%ebNFf=o&g@!LI08Yhi8@jPRv5UbhKCEzaEbxSUw7Hf60Kog3j9&DSy-ev93!r%hlF%v1Tn!0u}u z3>*H!;lTsrhCA7tb>tI_x%pOb*an3kD!>~?s&5Z>6*wZ@#F;)YLEKd@cI5}~4p0_G zZ${l5CX9fYRwl?fnyE1w)G;TxMSd6E4-NH?%lFJ-xHIB(sxFDY{V6}7x+6fOE2y5n zc(~0*6D;x?)I{1`B;JK7F5Qh%_-g4>a~Lzbz1*1iEVxi}LKtQdpXlb}sFcC+7#Xnp z7D}T-)I&H#tfewQc0O#vcssV&9R}mbcm3leJKo;5G{RcX{Ny}C6ik{vyPuL{Zegdx zyiMqYAIYQ{e`8Sbws{5Ok-cB{Ve9KZHJ2Rv8;xIx%N~2)f$tV;$t}AdPtM`8&Bk8S z=df)2rEK1w!7KOY@oWx<&Umfu+;6`I8~?%6eCiroXSiH$;z*n@TAZ5&x_MdcfiB-B zb)knNd(FgFi-7lwOkV%UbadUqo(h`%Ii;BZw)t{g6{iXxZfL9r{HYu`vSTlDQTH7e zbV3*Q(+fHh&zzFW9Bi`z!U?07>`_h>Zm+%bs5@Od!gIjE1W}um^_oyF-0wK_`X4U# zVxMO=PU$>u_y~17ba6e8gV2E0sM2A;<{w-28?9;se(fLaztc%>4%?SD@yoqLJ^w*$#Y5pn=Kwj&PMh6cgp-pCwy72 zTZaSLOG3-rF8~T8z(EMUzX3H&83xazAUj+%IK=Rmgml9K>ZfQb<8|3aAqQ^LTOQn> z4*dniw`_|{VM1y#(APihkqH~Wg`r{YDeFJx?5xy9&({C)u_}vE<|N%T#uYw0K)*eg zy9__T%=9G{rJ9h$WJO&@(6VMcsu3vV8P=+Z#*&d_u=9wwh8+Dx+AyqDvdJMRf?&@M z2|v_il!ZOz_7v%sgQw_XFBJdTS3=O${Cdt+U7U4(bCjM1ar+Nv@~+}bMI@0Y z;2*%EA9W9mHjB<;yFBD4%SP=51y%VF_s?R6?g1E={l4D@iT-NOc7cyA=WtDSD>PY> zHBDuATPF_WDSOrr%*|B)H5;_^;;9Id83I*V3vt$Oe6OIGCR658q8 zVY2=)^BLaI=&=4WL41cn`xdmiXp~5T|RDw4q|4`Pya|`^U1u67rGI@#vMEGs$!IfTL^{`up4lr z>7#BwXtf)|&gh^FG>Cu!!jWpQCZoXqdPhTr&;~o<9vyjhu7i7%)whLwGm~TQmJ{te zL?v#$E>Eh}F}e7{UR{Nnh(~yyn^!n9-I?85-0TqAwVr*8fr%ka|hyklyxZ2Hpf#U%Vljl2+8Z1nrprv&TW)1G+8YqQxlMWz8G?Z+Js z&(C*Ato*rFc8wMXu*xPEi_Nv6j_~rK=Rej;PV-Q@OUC6^VtSy9fVDHavj)SWj~fW) zprq4$eI22GGg54<3vhWSZD%}fB7Dipe)vm%H2^!Jcq{xsle|wmr z-ScQSMu#$!J5ldil*g&pqSt0mjZ3C`om7V=qmnjKHb8 z4&}^}?Xo&k@GI5H?u0PjOnXr!F8J_BlVnc`L^nDhi3*+? zU*m5!*ESKsRDrEILC%&Y`L2iB+Hq~~B00Rvph@mp@$jI|ll9a3bQLek=k<%P3lS$a zYRZ$-YK`^u=+}Mg|InbzlwY0q-hY%FZHh_xGq1f?&aNt}>p5`d09~3&{OGuP)tcvFY9#Q6NbxRQ$m70#ei*Fx<0wI^ z1tBx0&7l68H|!UAHEI}9Szg9t1QLWF_T%n<#Kg8s(NIfiNx`8>s)afEGTvcg8ICAj z1AH~wp@7b@!_z>jh~%v(x7Wz;w$#kX4G$7M6eH3<+Js(WJ!NgV-~7u7<}>cT-`PX8 z$Yiw{`*bs(c_M%_b8;4>G=%eYJrBg--`?EZa2Xf$FAt{@k^#^#e!?Z-J3Qg{{eUB6 zt=-X*=9Ky?h$hR&L3jvXO}wdV@T^&gw--ByDSWy(bX~1p6w=TWE zq-RXIVa8wx&SDYM%@PEV`zngf7~M3_t^HW~Iy31(Emja+Q%#q%=JFmir&sQ3f>9=w z#X8Of?UwPV=?#|THAOl{=oaaYLi3r>AdD#V(+x)QDbB|2RtA1=hIFFnVko@R zu}d6nv98%>Qc#b$cNXVqv`{U!JqCQN{cUzLB0d3iO+;tMBuAaDPwdx9)MUOVavd)- zFda|^nBQv=2c0Z#fhGuz7SV^p*J1aQxKRMWJ<~KE@LE}-ak1#Z9gaYQL|EmCzVO6D zWaq`Ec+a&_Za{HtK0tiwF}wQ8Bsu}7DRB7F4E@&LZEc3jb{Zcw+Dir>L9IMv9lrC< z-(0ph6pgp4x%U}+_v@F^0-yT#G=5=y2diK9dD5&iLw3W>sQdaiNKb8@vr6$+az7yK zTwo~WXG`RG|1Lmz3eCHE5&;g6A|7ndU&>U(%#wEIupQ%JKv`y`nyV{K*G~qb;gZ1+2(F=rXVQ3>0h6l;h*Ne@^3<_!;M)V}W(mo05o$j!HHWPIs#sbB~l8ebF z!`Sv<0QEx7mj_=<`)Atglhk4E0S7#EbQS$XvYV9W`6hj#Z4GhsYDQT(8BFXvHbc3Hj`iCO&XV2Ja$l02as`LAase;^ zHuMzRBNRaCVR+7}FH)+MvR|d)d=E{H1}x3i^0wTsePbQL1!)MZpNG*~178!q1z)c> z(v$eFe_)&lxG(i2BNn3V37OyJyatz~0BVlTmT6xXLYxS%Vyb^4iH(GijZjv2y1c~^ z1ooeuF&%@%vKAzMHF4=Iq~tjdgk4!ysJFkBh0?Pf_Mi794rVXQmjqf7GJm41T*_s5bsFK?wgx^TGighaK(*s1hK!N0hehQ#yHNWsJNt=MbrN5Y59%Db-WcmpQJ zlm3OuX(gMqHOSj&>>IRc8;!#2%ZIC(W@r2a6^cM2!b=}&b zhZH041fv6C*mkc%x2zwP;;C-d8c(MTUhn8dfS-j+I3y!cv3H18VkxeY*3mDo+qE$E z0)63eDf9)Mu&xM2hOY}*!u&YBqaUriwk4sCq?kXMpi%?tdaxyzdgBDm1O^~dXdGZ0 z1Ap}FAI?oIJy+dGcythWPQB4m`%mG(5-p~~@LnNZ-52yq4dAWMl0tC!bXRP0RYWLt z|7ppuNFpLxnPgqpU4*{M+@bh~bzs-V(`)%j8-DLUAYV`Tx@BH5bIRlTIqGemXH+l& z;XgvRiyIdJL4#@V`fMav@%)R}36X1)oycdK<=)2n@T-6V9~zltYk9{8scu7{#`Ubq z!0$@m%Og97wN{6}9LgD?M#_!l%1y_%nC#A4{58J;`+Qz=QlL!T>BD^ufRSh5XcAk0 zwcLi{R3I@MoKvayP=mhQ?{uH;ZsJQSD4?nKFbfT0{7wlZAmDF|?q{&pSgR(bQpkdu z3k1;{WRI-I=z?=}D_mDHZJmYRN0(9W`YBrr2SYmHMNji6DQ(r$?qiVrr7JP&+|oEH zedEfSI?=8xfOlncnV`!R0kZuU*1KJiUBD_Pdb>72xOw<=o5ZDL?j+0>_7+x&iM>ZQ62RaLMFHoi0p&n36+>UPSCMqUVFVDzib}1N{zz-Be=v~h7 ztk;u$dC4XncM)K)Agunmj%b4<6$cI2o9pY;HxKDs4bV+_#2!Ri^_r(XxFYLUwzm?m z4J!=y`N;rNZwPS4Q&Be2tM+lRjvTqPUKc)|a#k$JKvNZN?}?eQN)%Bw>-}>ylx#l> zZ_JXu`Z>ZrN=D>6nvkw#jQM;$gwwoJ1n4XIJ_YMxo1}Evb7}fq3DdNcW;0oSJa(tM z4|bCIGR%-=TeXkPKGvoa@KeVd+2G~n7D&4Ki5GW{*bbIxPMtd2b8SyteClWJtmkvebPf%W7=89BYYcw~zWnKr> z@G6m(ixZ|ldZGrjr@mQc>W7BLDzj$xD&y0LjUF)_NK{l*wC%YNo%jvc9cyZfx4K}y z>h?~(pvi)lvw1(3VsXtFJM)T8jYCe>H&=ABGykX_&Fh(q>*2XtOF|3Y^4AUtx%6ZNPP46k9|CjE#ula< zhUytr8k>+FtGt;x-|QeYt}AaoK6JT+MUq)57%>!k>H9u$Vswip2=`FS3ak z0`uV0g%O8Gm0$YDPv3O;XEfCOXuT(&C{v7dsURt!$t#kr5(K>`iItLgdZ{_@cUhvz zZYI8(N(kLr!(xH4oKX)cSDV;qY|nFaRaeaW*+ivYm##r|wptpW-#)_|7lUY8$GzfB zWf`=csSv3zZ@;c)tWzxhG}Q{faIbVIFo*EP41zyO4%J_7VCVd_)Jy+`zU*fMXN_wA z40n5>SZ)j3hh-iq&6n>wF0aULE~qSS=BJu5Pjv|WHhz{7!w%h~54j1V8aH96n{}zXw zI8=n_RSC-<%+2)itk#=cUU$56-wwvD;p^8kLSv?R4pd#p$L8lN)eg?bmQ;vj zr;RlBOD`kT*B%9cOCWW99Y!<1x5G-&5w5-^jv;?I|*4}`cA2cp*ktb zNDJG@Fk_7>osaFNo3D@C7>=}uT{f;;#1#^mRmRz<8|$iSsV6n#+vw;}jemJu&dIdU zi*9R)`P-wVgj#9)AAuDe?@mV>4L!u_+EjF?82pnt>i zi)W?I&kp`p zL(9r~{1J~i#m5U7sC~97eG{XU9uOI;{r=iH#X#Z}Hx+5r($tZ~*7VOwUPaI8NjA5M zgwf;_!)xuePrrl<8&2CASOC>ajcyvN!?6}sa#QnASZGnEMIBPUzYCePYN zOwWYmV)kd#PF>Pf;tvze-jbwu9c_OS0~}ldnY?_z6)bOZ3hT%5%)UrezjV4 zs)^g-37i!>yW%TycWkuy@#+DES9_8lML?&#$lc~VLaZeOT3}ASWYq%(-Ih#9LJn`S5Ks!6^W9;DRtMv%0A(g?w1WZ7piIKNEaT2pXuohHH63 zfttd_ceXL5iZ+5jE#F^S`pHSmw5m~B>`2luOt08>(!;b1pcF6YDL(A+!;R)1y>mZF zM;a}=IBvAmM@JD(4MM7aX?*uAbc2D@TGBn@&1(F~XN0c3_tgT>nE3YcJFYPK)7bPv-yOWml9KtaewFus#nPIhZmQkhHn zc*w!~?wDF>4^wXZ#UB$1;rr!(`uq1wSkt6A0yL?aD6ZZsdMvc#X) z(D$p;n@L{?`u~_!L03AB?CMNxU@HCT(})(Dmu?A#@Sd<65&=^uU6HuLn(rRrQyKnQ zugwx^OtqA8LFmz&&ud*2Qe~J)WZ=&kSE#q=@2ZI9r9Ev4b}%PX9uZ=p8jt#i%$0S! zWzBwQdQc^PX1!n2WA<8)$d!a$W%ThF{}g1<>FhPY>VCM{V143mM3L|ZvgDr8TGmiL zL-Ip(>_h2395Ckmnp3;E>oQS(l>jp_VbuOlsLgTkE(Kdfb2uu}c-!}kuZ8=2 zE2V<=Hqo8!#m|a5MZ;p>%-oD`T&dK!rtC_NJ|`ZgQ%G@Foeq!<;Cp39{w-|FYn!%+ z%g@q9aA`b+-TF%nG5?{4jRk}L)pIrVf76Zv#IPrh;|(fGc$^v@$)B2iI9v&k3oLS% zN%G;c+S9veb=-ud!3w5m8T=zrtD%1tfz|4ALc#gwvE3$0yw^2I2=DNq_2=^wf-q4b zCXki&*^jQ>M7MsI)u?W1rtI#n7^$>5tVyA|YEj<&6Vk_D#UjMU+-IB+NVi5{%0*&N z{fRx#>_r?8b% z2ORo#Xk}JMDE9N##Q<5NSb8+9cTS8TjZ~F*UMuTyBa$`95wXGSXKaD2oWOBz zFmx`Q%?uTj(=mOJ8<<1(&1#GhkS9C$6~CLlM5>68XUB9N?|g>=&Rqly!LD$KJ=WZm0Sp+Uk&pE zaWwrY`)#`P!rYf`G7p^5*cxQL@|J=TAJSW>7&!5ZPzMs(rhsRly7TH=-OG7bj@m7d zR)uc$2C%U2;V=5FTC6WU&5caX@dr*$U!wLCO9=y44ZE)q-!yr5p;(wkh~wYpy9d7@ zeHM$CaHgphGpjDH*$bv}A1QajL`28k9?R7Fwp7J46zTJ+Dns8Ji&!VO`c-ZJL}O;b-~6zES<`rbhsO*P2Ei8~ zL-{N@kodaAwdS(@Y!!8Ik8UKnNzNn}l^ZWIe?%_UNhWd}!a{JJhU|wEgUW@QFZ^Rt zL?3mW?=C8uaAuchCs5tNv0JVGp9l;aTDF>fF?eS3P0vV8#n(f9(A9>iBcRK`Bv)$S zA0}OSh~g8-<*0*r$TNiLiaQ&ZWpthdt3Oz(&MLA|^WcfWfgtyKKPho54KUozB}yoX zVQF`Uzp{daPx>Wnfig@#}pixY&iBDo5wIlq_n~8*n zRIPdprkQ5Hkm@}aGiR}!}mIz9b?l2hQ+rWnBBdT zFQOPAKd-Nr5R}Nm)I;wA^c3vI0ZeeNvB1CNubi}$t&GV_bmIoU>IZUN1v~1Nv4ei4 z2++BE5x0h`Xf*@*y_R?U$!w>nh~p-|MN^oO9%_V+R%i91Uf2zwmolmU_O&*KrnNXH z&5TKWsBBDb)`ADzwIRz@`s27uiJ4Ko2mncn^#K~ss@-J6X{?81SeL67k5^nK0;R*n zO#%x#Rmx&^f#x`SyDmT)W={{_g|Tm8O*D@5A_y}M;Wk->z~~_Q`|=I?(u-?1hcuL0 zs%r~xOzmjRnQ7IwKWpXch5DyJ)`%XRD-DG5PS=zw^lIN)P!G|oYAyS$DU4+-EFN~Z zHkO`TEqCwkU)DIBv9i*_ISuiums3)9rV@5(TOtqC+f9ZR*ZzoDW^;e4G(Q~hgoE7a z!||5STB!xxj>kQE>$d$iRB!K{MQ0yHP?`^^o|c`UyDt0Xd)`@&95)1j*Zk`#l{f7G(MRI3rSs%T&*T->!GYHIy>s1@osYY<#Lg}%)$VLsTY!QldnJOre1Um&w!ZIeciPd z-Ph+0;8moNhncohgOgK#XR253Z#q#~Uv}fJ$lh>y9((0_D_Z{S;0Aq_$4fx9$$X3) zbT2Yr_nXSrM0!bifaBM5ozTa6Rj>Ed*$r;%(+2Nu@IGytk7$4JThScSWtj#wI_}5?p{d z(QT}kCCQ!R1~db&0`q$}+MC-6+rZbD#xW5#5GvRgZtLDEC!L0tVm{`GyD{Dl^zy#G ztBw13<54P-_Z~D@zL{yG-Sbj6_dZjVk_0Fq9%Vtz4->>|K{oBmq{`)z3(DbP;2oik zy9N3InG^C_KtSxnBDwcYr_4qgoQ37~l@=)Wq(MqxACURJT5ugzo3$^_WJCzH=dgk<0LEz_@fH# z>s#l(lAO?Kae4~NEzoph7+BVlisA$pp~1=nKe#Q)d=X-BC0B9OVjEr+C}`-Sbz7(< z_4~+Ysf7vupn9z*%8OZ?p>oo#{L=IBV~H|ZXx^r;E!-&s_#68YU?=7{vR0_<&MEj` zc8vQWfmA>})OI(!uV7o>;X>$`*e%GkrMnz+1*dR#FW6XbY&3cDTayn-?_6zFGsG@q zUQv%uFdXy}vNe6QJ6&8E*U~sIMB5n~y`}-nx?TI>(tNSu*oP+x=m%DZcwBUHT_pao z@iJ~P19-@2J4%K|Bo|&pSRgE-Q?MOfp(y~C2Omj053!oglgr*Y4-X7Z8i_5Iw>WQO zOvuMvZ2gEsMc6LQ**5p^riuOon+gB4(>uXEV)E@FZ}xjF-h4BxwI74%@_a-K<-6Hn z*L8$Gr&BD!yW9NBQ|sR%=zpsLH0r%O99a0FZ(<8Ya27rBvfZ+j_4k};7N==O*yeJe z7t10-eP|lm#I&?M_^6z%a=5%r!pZW4&3}gdYtxoyh!8eZFp{p9=YB`KfgmRVuVP+1~QRw{_&} zLpaM$>y^I!UGhzf8tq*aXY`Ha)a)!<$2S6361v!`hMq@^t;cx0HIda?YEO-EXKK~=MWloF?& zT{Hr8q$s(fd6=OY&eiPt?L?cd-b`QpubYIEys|6@MQ);EazJD>9-#-VU|!N%Qx_*Li^e?Jts zOET=#8_)KO_0b}y=;2rT=0Ol7Upm+9W#nR$5CUC5J%9To@B8{n#^P+{gt<6Ul_%lb zaec8LS}YiDRvaDhB@vWUAy{ts-1$N<=}_1z^DN3Y+%Ce2E;OoaI6mEUU@yp7LAbKf z5^}OAKZhi_KZ!kbU&ry>8o=gKeOaNI5aKer+1IvIUs6JAr4u#pNkyd{27c7<=obEc z>LfRLcfEn_qj=oBo~FVpm(Wjrl56>4wOs4|dLchrjzehjIz)MqB0 zI+LU?k|rd-zV!?Ky5n8>_pfA#RcVyaK)QXA3EwXELy|@XwAWVe08NlcNJK?JqhWG# zOY6UbYqt9aHM=y0+XHJ&Z#5^X5&OLJfc~19j?1R7#-zE|hxK@SIR$(Typ*d!U0YfB ze81R+?1_~AT^8aq)%Z<50pyDBaWH>8r7y(#^|n6+3`%$B+cU!4-tts)$60B7#(v?p zNFY5Nc<1h8%#)&Pa+7F}J-&L|6ZSzAZ&A5Ic9|;y^fQ#aG~%?~=vO~x!kLFF9FZb( z2^G<^NMw$5Xm61#K6LXOHaHn+1de%z*K)S;$u~f<X|~GQ|KjL%-$qtt0h%@7oaCqlHtn^9xCq>m5C)NM z3fs4MATL(^a8U)mM1#Gz9v(TguA93J@0Uo-*A=q#-Z2PbqUSz=507WwRi2*&AxI-h zYMN-yP1~qZ^bCs>>prMe0LV8?c+d))+YbWsr@I&NLf`u6XxjX>!o#db$jV_Tgck z5n-X|{5NgxE8C^Qzc~(7QgQz0Db2dgZ@jO6)9i2qvTWup{{Gn+(OLStAj%8eP3TJL zEY#%vM=L2c+DiS8&VTt#V}#EN|1U@WXQ$-1@m8v@*|SlT6l|2U?jHm%7y7?<^WPhn zA`*0H|4mbgAMAk+%fD${+W&t#WnEoQPw)T!!z302BpWo=ng$GLL_Yd0s1`f z|H~r)eKhH1YqW67OFdF+eW?G%#Qd*e_BF$E|F?+Bqdv)+fxdvZV5sy<@!kg^uloc) zZuKklo4F(h;Rq2GT{qs+zWNhJi3roB4b>nNb?U!{Wx6skF_G%k85#ja zo2_*?=w~VYcR(ZOYdbNlEp{RDw|eEJn|Ctlq!|L!aDUt4o*!o17|D0j^?*ep*#iEM{l zb31GTCD3#t)Q-lb4!u-mJM1^iDg5LR$N}Y(FA@17k-t*sCdS0BINKj@N)6(w`Fu1q zeqxe5^_KdOVV&ikg$?Y$;pl+m_)Pv<9J!m=wu?6?*<-;?Em(_o^zoHC%lS@r%8|am zV57N5IK{cDG^wyx^Dn+cEF<@wK6RmWZXVvQQl8Zxf#<`W-DbLz^kL8lD2Y=Q#qXQm zS4`RuB~X3Ya%EUx`zF-aYz7-L%F10SEQe}jGhnMn%m#1*l=W|x@PCF(%z=2aY%>!w zRUS95){pJ}>up2b3qz}iNbkojl^GVL@VO zkVg36#l+B*0!69YI07}ohOka#Pnl0F`JKN*+PCBDWQ&340*d4LPv2hVhR=Uh)cv^@{?W68pTEt_ zqPzASnRF1v|FwW3i2p&-0;X@StI30__i^{OVfuYs@^)m6km*4OSH(bELz!p2>P5nN zmG7(1!cg&Q!)L(USlP2r<+-@i-MORGLB0R{xGEMd$?!(ChS7Y?&_klbVqB*gHn~QH z!)TfH@r2oq$2udPop(~*Z(QC6DdbZc#QAt`4?dp}KA zvBC*qM#JT!y7X4KSZ#sV&BvZ`-s{CjmCztr_9RuqqBS*R<%%c%mfKp^_EBIr7&C|* zPNohkmEv`$uoiD{uQ2jhWt0%2NP0@VeXkru942{a*#9CQcUeXVN=|Rvgu!{phV20A z2bL6Wlz4K=_#aH${TM1QujN0PJbpfYGTFZ}A9GaqWl+=(*H&hhaxS`VXJd|$Bt70m zLn>*=KHk9nJsN7XRQ@{;JK!+j{bM?BM*RYOpU(zLZE5aO96J1kj%%UAUCE`j8vR1( zFezbU1$9|hekhY1h+YEkCuf*)enzoOk&%WL9EX?i8AY_I934ZVDZOw|~!TMXAqHD~8YO+l@&HQl0Z| zYs%rOft~4@k67eJsUpY)`czClPPs#kZK6HOM_)=AJ!rtog(^x)JG1>`HXSOxK7P#Z8O%lmWnL&r3C zsq;LiGbch&?(H4A(;-XWNI8^2Tn?_^mY&?AjsCky&s#nC6LsQJewp#}Ckzk>Y-wpB z<>p@4u^d4IE_^VRXnd0Guoenap+ZiVS|k#YlQcKkR> zC1fF5p6^dYW^x)v4IhQh-$}bT#+P1JX!HgzowwSiE}^A|S)aK)F*A5+Mt;Z$5j}f* zHeI-A5V=OAdcvvk?JdyF&t{_S-5+~{}I(rdQ9}{arD?}b*cX; zS2l%xDVLnlpo@8SE24ABvjMGe$3Rz_MG%sZTo>blztrx-5)G=5EWK4T*0)}5H|k zU=zaY8o2H0h`0kuN6u`(W6)?_&ca8XK5)y0;B$=1B2 z+#f;=pY$fecGMz`Qyvo^hFQDp>W=E}<1cJLejWzBBNN^{(1$U=$cMIRu|f${$_)jMJ%$dkKOfyuN9yGV2;<6DW*gOx#@S$Y9mancw_{> zxwy;vK|-hs*vy^skzko2(F-p7pz9_lqEPntlAX1OhE#O@Gg*TbXJ3^KaNpA1+6H}m z;!O!s%{CltcPUS|YBvQaU-QvX`@Rdk=zk8u^Avi+3Bk{8uitF554?+}=ZX;ePe-uO zeg?83!%<0q9#T5jL}t@gI?yC{Ngz|6tGohXJyVGk2c*%koO@F#Sm5Dhc2uG$WrLNF zyO68Z#0bzfx_A+>7|n{>r)QX2?saY|t9wkXG2?0(#f0oD z0}9n=-qm#*m1-*XS30VC+ftNj&1-J@X12FM`81M76zXa^l>YC|=Vy>`=Zgh;-Fe^^V zsoLDq25%JNG4qGI^DlN4djWYnw7&DfN0Zx%7$xA%Y4e9V+Xpy4CD5@5L^i0t^*zQh zjC}}T5sK)^C$G)|C75CQ{e^>9z9|3Cc_ri5$meVTx`d*NWTlxoRt4I6{?Yjb~g#2HK`cZsjH) zL%k-{G}l`7y+dUW4#TUANTMQpib0Y+&zr$`r9YH z#i~c(J2A>oZN7mg$<+)Y^3MDyYAj%BiEN`gb~4=N&hEC_%Vv=8%KaS?ST50eJgZqF z(2uzsAAi&BxZvI?qed6LhrRkPOjV;@lB9x$IsS$9M$w)uGWdnOu^Parnygk`*J7(B z?ZtYsG`l(fN1C&-HK3rX*XrAKPAXs4GVTYTTIAHo^dMD!)ApeXnF}4_&ny0@^xr@f ztgp&qgZ=RyzonL(zP7aWTCM*`GUG)_TpGq|i$$RCR~g)uuBh(1x81JfSVZsI2LGMs z@V~9_6KPp;KY<}Q8n4$=^32GB#DQsf{mblzz)sKkcR4?ezLxA-!obmeLX0*g6)Ft0 z#HSt@o6h+O@D?_T^dR6zg$c*$k0Xr3Wo~d#1rb*L+>5!x`luec`t#T8spX8hygvxh z@6Jo9`4t-CLG$sP97bgRk#>|6sfzxUVM0J=r<$s&a_xxe+ft$~R<{1`jaD?yY!Lke zkYNPb`6vuP{gNe?9syU!HGk1oo~HCw;{+aKHx8V$fKQ*2(hB22#zp_p7QL1r zNebKo8et8xnsle~<@%2USSj5y)8^0ka>@Rv?E!veL>#M4KC<*2Q<#$Kc{u#i2y`2L zvni=T6=$!iF7KKEmN)55vAb@3zi$dgWBSu`nnrl|o$F6uy1#WCz_Ewmr7F*hUH!T> zD(BhtW=|P+Of{tnZfUBQ+=rO`?Km;+HRg6K#sJll@dkw2R!p=XAD585(_vuhBmG2W zPG`-BCP8lDbMz@%i3_$|MmP{hq1IWPoYpi(F)!#GR9f@ua-P(L$vUF?Xmr~ZfcWcC zghZy<_2BIt9+izF6>@Ku;he43!)x^2o*QsJ*voM{^{`VnR?dv-E+6-|ZUk&q-ib5* zkj5wc&PUT=V`)BFi&(DgIYyk*#qgf*FBiq9Fn(LAuJ@@7S&k?>XMNnBm)mWGDz94D zPq(}mDVR^Q_qT_?qN()^PITARPKrsHFIo6H)CJlmy%Vwf@(3@j>U6wG09HNr6wFWb z&fXTOc=GsHN0}uXTsoS}2}k>3e-4k16^8XLq=c`#UEgp~aE?AX#juhb2_QpM^8enN zY7cRp-5(DMAOTyl7dJP|82mC(jj=UgP+lFAdJ=9K=cB7wswE{o41mRsyrk|(M8N%I zZnVQIUE{fe&8@gyT42qcJWDj9qQ)#4&D#3giZ7;W*&rAO{+bP6⪪>-NPBFC5n+ zzH1;q?v7)5q9`!jIyI7XrZ@+Qjx9#06r?|J{DO5IdRfZfCilZ|yU}UPMQjl1R5OVy z3%ohXN22*Y^4xB!oOYruqC1>nL{F6StJwLv!PLnUZT^Ut&fLLr`KSKxcnry&pGauL7rVWNVG^P zW*OeA558kYEt#SErXy}6@(W5PMYFWU5?(n0=eV8O#kV(EF*ACDolo$}xtMuSOJq=p z`?S05MZM8}kN3rRgbTfumS#b#If4og3q2p5Rc`eTOpPt%wcWxiTH4g)+IEI`yn6{HYfp_=sAfrK$eyh=w*j+P(Dh_CSeayRx`7h<13! zb@qiD&fSO~v@EWF!**;xk>Q{pY`iZ5*lzWr!YWdl3)`YF@U_Z&F<$cF>$}0eN-+E4 z*sx2q8FTz?0)K?ByEc)pQvroL+#`4J6Fj%#|7}oDn-(uB^7he-+9h)jr z-Mr$csQ<(a?#7#%M}DDw?6Xs+-OM z!?8JM-#@kbV3>+bJcN2Bd2Rc*L`*t-M|1T=0p80g6|>C+<_*R3M5dMwds1R8aVF2V z?)+NDxa}tIPio%x#rp5V7b5>Z%{13#81B2DE;k-dL#jj$3tL(qk`lU<*OQSNewLp` z2B5{vm+}*Hli$bTFS~r<4hq!C+ORt)1X#r=AsagvGJg^#Hv{D4glQ08S+3y&2mmg1 zRmZxFSh{4P%)OoSc6mlOEnnP-P1uN2;&A}BrjKSbamB7gXn5^G7!atzo_@q)>s`g4 zHmSIHCZhVAnrJ!=&0Y->raA#jGnCDDjMNe9i6zt*D)i?WrW@%rCskMITT+ z-QZaJWGaS(YzvO)W)FTPdc#WI_84?8%4312q)dUWvo-{ftpDIEnDWai=ZA$E=!#LV zKs9|p*_0TVMn#%K>eYPS&YxUfoUNF_l+9pTyx;BCRUlx}Zfbo@epb97n(P^(H=LDZ!Q+37=TQNXn29{^f1a50MX?LB=z6QvH zm`g?PBkm8iZ4+wkrt{98*Pv#O?b^ZjUJUY;ad?dZm$O~9QQ&qq0KuZ(E^^Y&atit;VmK#JnO~S-(NL|0}abolZPXTSlpW@zt$$ zN0vi|ON>+4OVJNJFIrV>gt4|2;&>!xEx)iubr z1nVJ5hfVK-6p=?R@iFztrkTa2hZV$<|4`1#;UTjWkEDdxQq))v)+CWi6?VMNHUY?2syBo;ciLV7ixeGgJAz~k#DMw}Yf zC(tc7=q9bBgg=x%x)skm~fBZE6Nfz?cmS>-Dh}6KxzVvd3kkOG%5fTU-Xx z-cZ{@>}4ku`2KZqpi~A`p!4{ksT;`9){^Ee^K*U;j`}uIjFHKyP8i0jI|jL!gb~Pz zWYhbbxY(A1E9U4xT-;N(GB*KK6+rH2(3^irhW8o*SX7i zO0gOq%LLWcxt{goB}@zL?Auf=yVNkd#$g^+-eiL+R-{)w6fr=pmGn!wj;dBr7Xw_4 ztQu`SapNHv-O+QHFW!)j5F!{Wt>(Kk(fa?qOVlEB$|e+&L0L@ldPkp@edA|-ZO8l%@%F1mW~ z&4j2CcaU;vvGQk7D$dO;B)S)yW0q{_7o!>fEom|AAhE^)+}2Tgat?>y!Xo0zfi<`f zA_&=Lw!13LFVFLR9g1f7!u`?ynL#@mivG-c=h(6ax^Bm2y@`agEy8A(l3LP-4UcL^ zVFr>!lzOmP}!RE`1O^^M+(d8$=_Tq8f7qJxGy9T`!Bne zzwnIu)g53pt&iV1m89sE0QFImFrj^lqOk+~0g?wf0T2CS(IRP*Ky@G#C!j1t=1 z$eJ9L)bl?O=_g)l&%CI{x>Uxx&Wh_y>pv-pTWpB$oP9@m*oUk76zzq!zdR!Q&^k&o zJtv2S9Ilo(+AZ!Ca3m2^Z^aQAY^uS_*9{JELba73;rJg1=}tiw;~mvv_6;W8y?&Em{87wyjKJFDGzfe~{KFTHfxy@Q#~txUsKl7K=G?$>@La z|9x1J(X~@SO*J8fpo4#OK6^AzSxbsXZEg+P8ub+xl5D>OikUK=6j!x9a=bp5P2N5$ z&tN*hTnAWDn8C?Jn23S2L;U4)Z{LAsrAbmDIT!*XNk1UyIZL)1+l~D;8{M~N^5g2{AvHJ#xV582@*@euaCbgoI;TKlUHpHReHc^YRh!|Q&u zd3Xu~BDu{~O+1}keiaAeQ(rZJt8M6&!C6`z3fnz4E)G%j^f5SK0l zZ5vA~y3hA2w*6Us6WSv>MhBhfr4AeSN&V5{7m55^aiB(UA0j<4$2iQAG~_sAs`E}* z#U9gV5YyO*st4yb#NE~khIRRsgd{t(r5A7|3}@+l{J-bw%VAYPbg)ZzpK$Mw(ntvy zXx&d&3_-t$^H~==JiC}6cGrx6DmPFc5!y;|Cf>3rmh~e>owBc|zJyWthDgrOm7`vF zo~jFel8K`C-mb^&^P&tvx}jUmo7mPga1|Kgm{Eo>RFT1T4#fXTs!;BQ7ogz^=B##sXh$1JjMew+Q|k;swMMV?8>m{ za-WzxIXCjbLp{TbxzKm$z|ivAo8Rv$Za3RxBrDzVEAWcYj-K)&|8XY#Up_%KJ)>5N}@6jZ;GZ-nXy6>SuPqh$P`iz3;luwP0?=iQ6gs zi39}B|6CXy6|(b2rbab-msk3sC-bXsw7RZ#7g%u{bW7NWX$4?Vt#*5omx?c26g3r* z>PX7>A@UY#iOZ2ttwt4I)ZO^=y^;3KUa`YA1jD>dVwFbSzbnbk{j3!>u#-WhNb(F| zfpR+*Mo~%wcwwFgBOIs1Q}F|^&%9dHPLFO%K6fAx|1I?NPed7qw?%;j*cyVaTa@Tt z1jPoQ%mmfEFe3-%t>C&BaDJk~N~F;P--@!kmj?J4r`-HJ(*S~TNR`?>7Q{PkWjwF5-VBj~7G8Oo2OSdx461?U5v#2mi_ml|3DB!H=lcb66(J`I0=u-c z`p8VgrEiN-y-hE4C)PmNZ;IVhBVteBtjf8wF$^`s)|#?OE6Fui<}`MXxa z9ot#L^44jjn{9ztc2ryh2@AE~^FfbWs(dy*>>naiC(Vq=!%5JttW3oU*xkO@7M)=(^%Xk8%6-0B`c3Os_5$;O|9H%I;sG7KESxU zlGYPLjWrGK?6c+iXea6G6;-9^whp~*EJYJCU|oWC&+rp z(EmNU<=EcehB0Qzc@sd2#eNX12S7=;6dB2i;x=Q}Wq$lf%ILSkT&!amDf@;gmS2f2s-eOm}ni_HKOi7?n6zT+X7cj!+Ha0EP%>*lGZP*cW*z3K{Ijk>0 zJ|*GV0WQOJf=eC{V7Ac=Xh3G1=lAGfWFrXE$G$>!RbfC^cfR72mXWq<(WO`3Yu}ph zqTY{65-i6c(b5$+OqiB*r>m<9I@&iFM!RHNWtEt}MeKOq%kLQKB~weh+HM|gC$eE1~D zsN$C9n< z*0z2n__=%7N4g5(2`9ZCLR|P$jLiDiCn~kJy(VQf5k{{qGMi-Jwo8{sDb-A?Av8ZS zg#_c7R_@1XhnF{=C48?QlJ!Y}GzsDg7@u(jR zo9AoI;FY>^a5xG0imxeKT{Plj3a`;{^%c8m1LQ>Dy59vESkN!x zE+Py+Ux1q&N^p8_1am6S&T}mAiJwJ3lU?yS4ZFYPQi~_*=yvjG*Zw*|51|1AMD#(o zY%r|btjNKYgC7-*AWugpbItGj>^9VRSH__vf3rKyYdzx`^If$lea4RpAI6L_@If@ z0xEqDr72f#Wwk$UIzjY(Khj;v-*th$!? z<7kTS=eo<~X|b=k=`=PrHka~{9?K3)h>oUw+x`c)hw|TH*goX3h)y$td?r<@ia!-{ zfp3f@V2Ix;E-t>A5U@SMh;=!?B|T4wj;P5O2DQL18x60hfA*y-oitbr57vkNc-RX< z45~U4`89IDunj=wW|M$P`Y2Alz<$a?x4YdtvoX{8{{bHseuQ*`M)?Qh9Ym!-)Jxu6~{jqMmNw|8!Rj?yhv_{=_myMGi0DF`7!oCP08Qag@69`b@o2jhrD5VNjgnLOhuRDhW4LBp9>Qr)&J{{LtdGvz4EEN>O{m$&>02R zj7lNF2d)9nJYwa%&}lO7MEnG%LtKNp(xNq-H4yeLvXWNy)8;#ra=Nf$X-1LYAwX#a zr1F@WTYmEdnl4LZ9+~K9ufBqZZkoBN-_w#aq}G|&M5k7o8JPHfXISw=-d<+mec-(; zBs|jkZJbc>5kr{uY4=h`H9k!Uek6K|$ER_4vws=sGheD7x4c<#`@c`vXqtpuhu*7| z-_vWs!3@R$d(DbAIKI}_2FCCG3w17@ZbUwOuOSf5S?=YuXyTU`Ly^3`pfdFi;gerC z0Gg8RL7gY={-IL^7M7kLQQS0kWhoY@Di;b*J9O_Xc6g~^;;}|aG<9YVks@=ujVk5( zkQSFmalqdPP<+=;NU|(M)C8Ac@%;^{?j_E7_8FCik6_=;=HmPXuY&0iUms8E_IZ)9 zxI~k=_m4zO2h-y^%~yknSOZHnxbI3rj`{U5&WzJKwQuP z_gs4a#-h0mwHHt3uY8=r^z$lRbD3!WcpIgcR+kFt+QN|L=tTedv=AQ6O#if0ZSC&G zrp9}2VR~=+dnC`csNM+yUT^Cx;sGHXzxi%pR(#j!Nb1no+;crK-Rv%fsVgd{M0y2} z7kAz11JZ-i`~%qm`>Z)jx{Uj<+A*(g>8Sf&2n$cef0JYel%B%_f`=bg;M2oG56RR^ z$BbUi$lfQ?;AVar=YO4CPTp-;fNYFpofTv-Ok&03Jj`D=wq4!l_(u ztxb%*PD%|Bm6J`fl6gV|%bJ|5do-^pDfKQ~SE~;NmC`q+E$L5cqjrhpqRhmnj)5qHL{f;=}m4hI7FF)6FTA{E=U3CvV8^Gc!_wRcy13h-T+-Deh< zG5zlsaLX$zM>sm8qoWDrjDnI=i2(zRQPkG*jIbnRFu{8D#Tn00Kh z)#(?KZgt#vK2LxcJmE$sCPlYi$WIbA)^mC^zFzi z0gI-{Gg0%KBB-&V;VAb~-HK7L8L+#kpyZiRT6UUGupVxSuN^Crv)+yE&LDbz(^P}- zx6f;?`SqWVy7$iSCt(e)nZ&H+B(`e9e@N)18fcW!LfDx;;fBJ|WWvM+hK^wgSwreT7 z#gRT{EgALA6v+W`#jr*tUUNZc@-nBlX{f(`e=W11J6gwLiP*CFubxWDEUl(%VDJW< zy^CUhnGhbtD@j>$_DghSU1ohzN{O1{z1$|+rrOEH)@fS`~p5f&<>FUe{T6^Wn(Ki!a^w3e^NKacih?RE9;w&uh_m6m_6GGk*`&H6QVi zjU<7Os1DP2@uUN8Q_U@WP6z314G#f1nCOUF)d(dS3Vze^I8>H_9A;jODN$t-w@nnh z9i?my@^)?xG)C&fzMkpF!evJs<3XvdO6G!77VUa4_QS;!N$r2EhjT; zs(IN$&tg7OOKe}Rm3{XM20g(a#pl6=)X+j$BYQcDHOuXbTQcu^9s2!;ejfKOg<^iL zGm0#I3pU<%KOkUVfjIP&S80Cp)dL1mnl(aUn1U75zO$ibb~wnNk;H2AOv(d&GB7^` z3u4xBYm*EeI%Tzxmz+{xBz?Icus9)2*NG5(LsEj?hDUvxvwNHNY$pD3x~ zlh?o!v6Z6PS=UMoA4LpP!BRK)4Za*d-^jHEzKB=L)SHobzB#-r_p9IfxJa@jD;EO^ zyXNS**DP8x@z$@R_wTjmySt~blAk6Otho`Z_nwGI&KOqoz7r)Qf*3Kr`B1(aeXtMK zafIbd{9&n@UV%^6d7A_?(4e5R_4p+*qDQdV{@#Q#v?6RR59ECP<4jDyVS&DSI?#I| zdC};B@sUOiaJw&HhXYOK;FkuM_y7SadWyUGc%poejLU5$zZtz8c&0+Zj$QW(-_+%4`ts?^bIvO@qWp{mSr~~`mq1k6kI{YJ*xcOQ5400$$IsCk zAI#o-KQ*@{0d}FBi?goAtylbhD|NK3afaKg)27D62Aj*W43_eDbBv?N9d4)m7OKJZ z%q-(meV59l?o>G4gsd$hjS z_=>$*8Uo;cqQYFYTrxZen}O7kzJq$?-Hd*%UMv-!C^x4$4u?W~>yUzcip0N{)ve2` zhPy9O?~|6`;#1=n>J5#*=mdv(O=PHczuvyCLJ{JMUN>OTC2GK#m}>DaCe=ePgHrD0 zptj&%iSAKs1gE1MK$x^*HlXCHpV+62%q5{g04tFDInL!;eMwg3kIR?+HPI3Xa10Q| z--=L=o42^^U$U>%g4<2e5m!Wu&jPhTV{uNCu4W5`vfvde)BFj3)j;aO(70{87_SgJ z9;%#+-x9kTGyjmJAsPGh9<=_}W0cpZc1%l++a6nA=8w}X`G&t?i|GQ8^a!uItv-Kk zo`Kw0Y8Is%`#fB_G0X&*hkUS@``Bep+LPT6bROnBrHz2rxU9P8o-4IiP~oo=8a96gQOoMY0& zl?;hVw|z>a)U|}q?fz4zPEPRPs3@oP=2H>ceIWu~ubX@f-m}%T{O)ymYcx}QGw+#= z*~^^wPmcKY0TJLu64D^x{23*l^{Gp><~Z{@tt7|IUU!P>sb4l*KdR(u;Zp$8TVHWn ze^%{5rnO|r(WQ5=_6_~5niq)cye_V}s5gr>{)Udp1_=S*q8So0q`QzmAiwpiKa4me zxDbyI^-^>_&f;U&Xw2m0dIilWzNO+vZ@`-mP3`j;lGZT#% zF7*w3c}Rp*H=w6gwepo`ov681^ z2OzS*OAvaw zRt^&x3xpI8XLtQJuX#?!U+R&k77`)rPNPfCt(>LbDne&EWtk9NrDSo9;ai_<3~`?4Sn%p~Y#n z`Hm%@x=ALT0KfkD{2h|@&l)RTQR$-VS6IP|v5_LY0@>W}!tOo}y?`g#p3~^_^XO!4 z?Y~P^Kq=P)(t_wY@IpV2D5R(+FK76UAo}9;zA)$DY zKrycGDZ`^M%JwFZ64JF9~*zV7LXoEz}l`v8oxZwG~U2Bj4j9WZ_Ihx@LJ zrr13T0Z=4-*kf$ccqW01>Zy< zhe%|2N7bH*ubu}eSoOSE0h@UibGAfyEOE1@MEPTS!2w%ohK|ZX)N9rvfq90jsr^{> zGMcxU1$tf226<=saADq>>nMA8Mi&Jb)U|jady_E<`^u*L-_v^J8j8dRv#gz2zQWjs z{p=E4Gq@Yu3|T_&y6$~6rXsjX9PUkG$(Cm&?c~-bI(`Qc0=punfQl3}Nxd3HevKu+ zRm9cfVoPL?T)r&0lPuwf?VkY*y5a4gPWgL|zY5#rT@+-yk0Gp2OLGoh+B?-J6=>+u z4YH&KngJO`W!_%Rcl;5;!)s+&Efg1vIRft?`*9eUi~XFR1e=9%HY}ghf{nGToXC!Y zBnx1v>;`iXuMbPZZ=}8Z4oKVqSvW$ZW6`XERrZ%6>niLSZY-wWwC=CO;}XxIX+(2b#F{6 zf>I_Y;2v$)N1FYUFo6^L~wBSMIVU#Wsa;40o2mNWdv+zUjBbnqfw&I zGZcnn>T1)_ej^|lU8I&^r74-WY=R6ElvFi?-AbwXTsR$5Nyg8Tt!1UQz)y~W)@FuCRllh& zy%W*Pf*nuJNx9&iRs{UQoLEj6KG|LA?_(E|JD!%@ulP!t^cc4)m1jpt{S3fΠ28 zsK*MF2csyHS>Ooqd*q*9&pDNw6z|q>8W$@gnpvSe3RQ_s>&_9cv4`FxbOl%s^hU~m zpi=eFT=akduO&%2zM!`Qf;pLC?G&gH!yHL-XWFrK;K4(hM8}+BT0U@z@YcZxFK0hS zpqEOmRl?9H{)B*YKy@%JM+11yotIUgrvr~2B`t3qBpe$z?$T&>OTedksC+SfKtxh} zq6{%`gpND3$6xtb^^eR~7SJ%JpXHI3?`0n>yiS;m+SmLtki9!cJWCBhD>}>WFui;7 zRQ5oo$X!(=bnY`)`SuA2C0|RzBo`i%AUZiAL?S-ALtJ?P$;Ux6t@2sEB$1-wATE#>#j z_5rf@788cD63+VnclI%RX~&h+ErB2~eQz|aM6QetI7*V6pT8OniT6w8=bMe2a@kiQ zb1N@JOmThQ*ySUt*3%6!FFFK!L=7p}!j7W!4pv|o-7p@CaRl;f6CDAtLQf|CSQ{)V zbjI`LTAp2r?I)OsF{Al5clshnoplVFQX*bDNe}~l{7Yraubo$LJ1-aM8x-nUU&z?h z%KAu&17N+N4C1IZo}^6IV8=ut0Thd9duq0>&ZECD{^AH8I}7F^B0ixI{#KI%5I1jN zSk01~|Bg_L?7YYzicC)Fx{hEWS=CBFJ4@G-zZTTdCbYa5meKSrcbhTx!{Rn-qjZf| z#b*bK#kgY~Q{FV)h-0SIEJW`e8YXWS)La3F+XZX)W@}G0Ol@7=44br_4EKc{1b_F_ z_h7pV8AP;8OkHJEUBiz`7_?M2Ly#@SISNUU_lRhO^%7BIao4CC5~n^RbGt@nXTA8D z2n%xV7f&noYp&Y@iEE2B7A0!=V`Fz@$kD=zE^mZjbCfV++O!sL=hRe@0GsuqJI-5i zO{jz1R^slhn}JiNk|yuDqQD_PY+By?J%~iW_to#Wbn@P(?fm@p8nvS1@ZAwZ5GZ2z zj;=jHk0-*IP-{z{)7TiJpw3de!p|cTFNf-hMU~av3MMr{`bZ+#$sxYx3(5h*M|+7e zS=pXH%SK=c+}|zG?6TI99ey{B;s2q66AhkyK4*&d9j<7-C2G6h43o|R(jPzXB327ZqSd$2FENX9u$|# zCqIEsrWMm2^X7{ysGOs=jRLC1m@1sd__+^|!2Ry-lC^B5JWpKwNQ3VFGfII?7_suj zA4zGR_S<5B8dGLNV-3;;5zwoFnP*s-7%RPHD|5o+A;sBd-O2W^2KHN*LGt1l#z%El z$apz{O0>K-7y{v4WJTQ4tjSg3>DSsGz<~+n`XbKO-kiokInz$9eAM zc$Z>L{2ld0lf%={n``hN*ZRBUXRQF3TK`>VH=uVpxUQD>d$P7l@^$tN!# z8HDB}hy~Uch0Bk>Z#l3iVH;z%UhrG5fDux*c*hfnBDDTt@Aju1mTvSSR0C^xSdw%LHLd&8CLBc?Wk3RJ~M`IQG)X+GR) z{iD$iNz?sU))VQRg&5P-4l2%14YMoy0!oQyg3Ft!W7jOWiMDdx`nfj@ef4wi*on@H z{~hVl!Q90AED4eNoqA{Cz7h%Tg^s*-A>RZs3Tb3_eR`3{)p$h0;^i{UCL*N6!TFk_ zLKPhe=$I+uVh_leBX~2(T$X;-Vp4u)TEva8qbEJ2xQ*5aLHDBDC6@xM5aWPexUhGM zn>@e4L`tAN?e-Okc@KlduEfgoqIal=Cy1W(g`QV@HSR_8PpTiNT#M;<9pS@)eng*{e|*ZOLa# zG1yuk!LkamIze=i3NzgJSi?C&43)AbCW{%Aw9`Z)?(?CyY1_00dm^E|iTp7F zH|O@X%#<1~zF>>3YNoN5y^czE<1(D_`$S!zNDnvvibdvMq!#X++nf#ZoUckOa zDwEZjp+bT}@IE=GSyx})xOJEkqX0tJil$9)kSV2RyIwlR7yYsN6vjVN^QCnon)NUU z6@@33Rlm+_iOSJ$``C<^AYwF9vSo9M(uZS>JkBSC&gS;X8Vy6}uDyqDpE!OISHc5& z`gej(cwMihryMwixPEZ;Q0MB(Q;hA{Ptq1d@wEU2w2B}K2JJKr1au4p2zc@1!De_f4Y zxD5<(k3dOdIgmQN#nL93&S|*=fI`$qR&J?hC9wBT^4#9-O`rvYs4t$%rQT;2N#rCy z6#Z7#&4CC@d@3&GWm>jjdB?qvGD57nVlzq2**F1OJGCHZlsbs%J_T_9^5Mh-zm14r z*#2;CZacra659)f9>D|GDw0#kN%Zw2k4#7iswXrT_Od!a?ac0Pe#|&22A?coImkU) zVvTZdI-AduJ{slvP>^{!QT3soM3Lz(cBs8t!e^H5Ghx4vOm6Lnh6t7a)@;z=(@VyK z(jh@Nsel|9u!h_<&6fU|B;}BX=G5^FqK|3_mFMWW8sni>VFWj{z9N<1AKNzHV6m-( zpzI#RmdpGq)FAij^)*eKP<=jC|KCv=%oXo+|J*Q%F{gweI$Ef=b|JR3i5S;}+RdsP zx(TXT@)}&ce`QNQTKze<_Gwjq643G*S%v*N1~*%t@c|uV5F7KuUsN;rUcTl6Bu@Vc zom^#!1y{8YBqsFsN7=&X3HbcLxD_Sgg46YyA2?SQXqfa_Ll6H}>BgccI=rx=8@%Zt| zp|Y8v{r1nfZl`9Ec4z8W zdUmI!Bwren`;?v+g58Bk&RW}{ispJ+bmQjiPZzc>#~vqj)jWnf7gS$0LjW)fe6=fx zL>}6MwP)dxO1~Z)K1LEUChMn!IyGXq3X(JpC_{RNNhMH67WFpc6^?tH;xqTHB zS3D-ZXRnr??9&M}%Tdkc=qMHN6NFJ_oO9`u=RSb1~YZ~WuCbB6l|OOZQIgM9J} zPEQ4yEGv|=q)QHQIs35+qkW7EcnOYFuI(yn3!i@F@5paq*x9` z*n8ZJ^U;29o84_hhF&0+!$HYy$mxZ$@XwQ9;H=R{7Ei{+4Im4}f>dkBH zBN!=Bt_EwUdF^$o)B$9NW`s(?enYo67e%E{k7iG$$m^#;Z_UVf`c0zcuPyvv&*|D; ze4P$;Re$d%_zF2|L}U<*8E@`1E}S}yrRIF?Yu_B1X&+BNU3#O>6dZfn)@~Qp_9kap zS&{!*Z?#BJRNE#}YnI?)nKJnl%@_3~QOuRD@RClpWl>%{o&`yKY)`gg6XW*5H`>x?jCTDQyBQa4ttBxoJz#*+BKay8AY zaD}Ij^^R_w_t+V%i4g9d_NhcmKBK^?qzUlu-OEJz6ar-I`xA;pD(YOW?c45t18Dhe zHG!&L^!S~$`sFlCQ=1>JE9EqNN=<(s?S`l&F5AmBG>Ow5Qnkxlc)o>y1`sP6bFD6b zq|&_Pn_u{Awr&_mkJyjtBGTAg#;uG}>_xW+XWsp*?US|}LyhA@j}bT^4N2EL1qd+0 z5|uKjc2+e?heoNl(8}_bgsNJ=i%(tcyd{d5E*qSDVzcLESlv+<&L@lj#rS~I9h3w^ zxkop?jwr5bHK&02tG~Rq=3NGs@M{luTn{nSK$rEcE}_JyMw^^iMVw7gJrKX&)>Y5r zz!krhD4w{8m8))kLf(1umPp)6G9G{^Qpo(YrEIgCniaU45ls4RH@r%!;LGZ%ZT9|X z9`(kOZbv$mhob=LBguJA?0S3VL3Q8)l+zW-9q(M1+XquO{=Vc3uXa7}k7ZUgJH($< z?mZfj%bZW^)cOcoH>?gul{QlORe6BF{EmC#4`!6pphtOy2*gaS!ej_bTwR7+Ej*(y zsmjibGF(0{F;_m*3^#Z0n=rR5L1$*=F0Sa12*`YjuPV>=U!9?o!wegcb`UQiE36YBF&Iu)8()Mza8D! ziw4|s)e(3GrK!toeOBev@T9+;RWUv?WV6q%`!~Vt*Sr`F={+E}2gejjq}(9Tg_3DCOEIE@O$cjaS$Fvk~wq zF!?vl8AHZk@mQgyvD`L8@2=K~je6j;P8V|49J^-8>)jqSyr}HF!eq+n*Gmfwn zn94tDODKKtd1^=~a6x13&u5vzAlEH4sh{vUjca`=GTVZykKsr>3Tf9iP}L{;M2 zO|uy09QkeGd=tj|N?u;m|DNovNIn~v+pA4Ypl!L>f7x&nTJW{?iHns|ZXyE#m#u#l zXL@hK{&H9|H(s9Uq{&O)1`ugl+FirLQFuaflw&U2HYG6Xu;O^6uaycXgs3qlYD2d- zxv|}*?bUHC^YsUeg1}MN6wQo#qc_NTW6$;9bLw_mbw0F-``8(EB`D8NoWaM4Q zySS~Xh^eJIY7McB4C}4F8E!;UFXFQN6_$zr^o7fO^ok(KT>-AA%M~a>I3ckGVJN5G zB*4pm14f=qwrBjp_T)`*N#~voo49O69#;KvoN^&jU}e#*?g-uS^F)RDska$2Wvz63 z0Dn1Z-=6GOL)${0$uQAN_j$Hp(Qc55vJ99+y>$9ecg!Ix>bdfG;J{eN7|cBB;labE z!mDBT0>YbNjK#`hlg7!G2xX6y6zO*}8&Q!R#QIpX7DtiQ|h3u`~}xMg!}V+8!51y_ZvF^pC}_`LX2CbzFTjci8_ zJ`&k$XBcv@ZTvpHEpcUakNl)nj*Sf>awPMR&C4ty4Pjc5Ex8{|G(#1j7B z=}K3z@wG?nnNtzWu+rHYqDN&W8W1bQD%6%!Qqmc0sIOm@$x@jpt9$pJGkX3pdNzSA zKREm=3T$kxkNK&rq5eCy{&8=b_wOvW)<5q5zu_IGe;mgA_yhk+t>=DQJ^il?*6#to^7SoGDc4>u$43eTGSu$8*8o1pZq?6p7< zu*aX46E((7)~LAK$qkzOr@x!8==FI={%QVfQG7q_oJCJG9LUc@ zsM+)zaya|UQ$O3|ab-;)Y&`PORqfKJr=V-O{93?zn zJB;XV(H%|wii&X+ zaQ6tP`Po=&bxf>P$27U6A zN`fK$MsV*QcfPxQM{U__=aoCwOU4!{!WQKp;t)8B>A;>1m)k}u24A9bdDTzZNtBss)c$zbQR2V^<^73HBgj6J z2>CoIA5ba~bQ+Xg{6Gh;IxL&9Mk_PvW~Yz@kpv~O6%=i!hk#&!X}aFn2jzI2Bv)+H z-r-A`P^S+*cF@?!^zI?w?Z^+CTW5R`G9hXKF888*nud}mQ0@x7;Uw!0Z}A9nft-KY z>=no6C?jjWZeW9Q3m$M5H(@blhcX(;o>$YhU3qHga5*>RhqPL!t0Kncs!*9Z>d@{G zpmHc`<*T=KSmb1}axOkA1H4;&t^M=oYr0fdn0n4wjDopeS?}nDpK>Pr#tJk>)yq>n zy&AkTrQa}bf9EbVKu+4^k1K6;2K;&z07g1L?HDU;>U$Y?lmc||NQAq4%Ka)lli*PnYMLu(BiRb~lyX1XN zQ$|Bid=N-Md7_W!6*wq4X$k1%E<^rar74nd)pD1c(a@Kg?%+xADHPnh6W`paIm@^4 z=GU_aNc{qkBxJH@4MbVDGOw4{D(SQ%d0wab#EbI5gpU;%XPjBNZ(belQ~!P)8eP4@(R=esKdN)e zcypiQ3x%=tbhk2jDPA@hM_Cq{?3X>M_H*X7sXVUga0E6`*db(UGQ?O%N#YNpNrl+PzYz1{p2Y zrG^y-k%$ct26Wj6%uDW*#R-&|_YZ___nsV7`<}GroQ8sYOKg#!jxAz&)11qx>D|B^ zQ>EV|(@7_j`=jA#XiMheQ(!#_Hc@f=fEpY@sY(#SC`yrQ&hg~;| zyx0v>!~?7{m;Z2%irJ)r?1KqYZu0J%5-z}cdNR1+3|3u`tf#eqN=bLuq@ceGXqjzp zCwG~0+@m*{Y(hVMA9<2XdB*u(vFZJnO6zIjc;DG-TP#drM8@xUlDKDhW>>8HI1G8w zg1Q{mDn{7*tr4+=KUn&uU=-qa!IT95om8e^^q{BwVbMu4L%+3VnZAf&zyBc@gG(y4 zcL!{NFt6S~I^EyWsvTYJg%@js4KLp z=j3=W%6?S5-*R|dY*-UkeSTqr zBNe%nEA-}F~>86G}m8qT1FXA@ju zdDbs0E32nbIx*Fa$~MOZP1{?*l&>$HY;VxH`=#4OdI$k6D%LdFO?mt1uF$cex&BWr zdgimRkiijG-}skiy4b6LgLw{Deg$jED?oRTiBfI_su`UjZgntwe|_O~&3AwCb1u8I zSs{V)5gl=>z?Hiq@s$dTk1K#rmzt4*MRz{RhkWQ)Ff{E7py59e8$HKU^=2*CrjIo5 zdbR*49%stN`j35! zd3vg$wkFkbIi=iP1CW|p^;p+$gO<8!fNj(1U^YHJzB1^aLCL2-gOY!`wQEALZhDzt zyFBcnW}j-Cy1d6|03*h6mGrj*pRD&9moy&3Q~TFpEdu@^cqr~Z>w#*$#CNZ#w>K+& zjTUS^FZEka(KU~E@L5TaYCrWk9S>|i`CFvPnOQQI^FH71@sA8gTjVS}IT$*QD9GO^ zGCwD~?B-1wepEDiVE}4aS#)`SmN_Z6?51l0%8%%&As&FImI`!htRtCF`-JzEoym6D z5uw=lfMHc;%H~#aYp7CIDd{HgsV%*!%fQGqr9x0j2;miM09e=XJoXJgyno$$f$+$t zJ2z`=ONYUn1v|<(EHi>#o4ixFMtXa(elf;tjq|-1(kem<)C)2U?a7#TyCZoxJnmp6 z(;k{AsRl7B*EYsZ*tORpQq(qb5CP1MgXRH};P=tw%%b#~dt>VZlrh3!S+Qb5p+Q!m zOJXd4g;a3^vNyQjlX*j6cryzP!*@6OejTx!6}2Q9HLN{@Cs6zKG^TRzo!1anDQ-qD zo3Jt+s(3Z;j`8dhJ{bGxH`e^Xkg-W*;_Vh%Iq4AhO{FNs1qKx1b^LQ0d50@wJM(DMp*#o zM%mg1jyyo8Vr_>&>8ajBRN~rOyB);7r+Eva1-RWy7;DJ4k2zonQv0#8j3 zRGfd|tqNe?@;zR&nQ88ZUH2$=!CP4xy;?!1ef zoO$mSu2n~?4=?8JZj{Ef`B%IA^uA7uv%IhV5422T!@ojw6>cSyZ?iL5M4G^L{J zlP(%qfO6Lrx`CCo*6lM!))(E1K_u3yjOrT9n^|gXQFj2k#5?PtXle6RA=<{nH_;R0 zwk2@wV_q6LAvZ(PBlRqmB&klTB2;u``aT&na2XnkD6lbm;#BFZRTCQLZY0Fa^W zWf~J;=Z41YrBZ5GRTsakz6Za|$|(lxGy3}N2?e8D1Lts!kexj{FBgw_@5Z14@}j7* zrEujFVtz}wsS(NsRlp%VG{BWW5!0~9*2&8&&=3T6EZ&XY=w3fsZR^WRglLH~}*T zG1_-{Z|Vpt3(4Djut$Ul3zW!}s`G15^$}t#&wqHJT_G)Ns-CRV@GL{RO@;(1Wajao zp30N(E32{R-9yW^`MWV96BlGJs2#r}z!B|T)Io7#Z7oU5Epp#kO_;elWvlx~0KEC7 zk@0u4;B@tqT0$}>5M`iI>@OszqRv_GPJpmo=Ab_5dN+7&e#uVaW&p|1Am;M5fUEi( zTE3K_!TKlOBNIC34^IiG>U_9@zk^WXM0o+FvXmw#1rw6|j#S}6`}+4mz`1M*X1#IH zyp34hT-q$~j`x<^wJ9-#4^~aMV5bJpFR!FZBDOkjk~AAcXF3{Op>2k5Ie(}j z@7C)uj=_Z%%!G>0I)-Ii^yA{QW7`c$qc(p3H7WnEeggfweiYE3i9{6xkdR(&zZKV9Q!Ro zW<$b|E@*QN$3xb;w=o!L{TyPWrUKYvvEt*gw9NLvAuh(BA{>h7JbCMT;L;h zCSC9OW;0YUAj2u5mXdKx*>I7guM%ZnjIlZvMZ0u_6;Qr+!M{1IH5e+a>m^5a(ablp zTasRKa(o1J#lGN?eB9)j3Ss4h6Pe(Z#m{0?Z-a~i_N~x+VT6~ogoGid<|1F0Z&Ha| z4vf)U;}A4#B$i;C8}*apK&is{T@l1b zkaVt~bvrMSitffSdW{WDaN**mgp1=s*AqHaDeQnf>k7M2_k_)%EYoz}b2Q<6>=Rqm zNMeQu_!I3nLwpgulPJ&5*O&^3AAW(3^BF^YE|6G*VSQkEu0}-L!g=`7QeEG1YA5K| z28E9rnX;PFap`cL98-kWtIWNZC&Qb}#ho5+{oZ<3ed=9tmA3HG)dbOWT+uH}b&Q=^ z&4fZNo_zAK_^=2}O<*BnLD4_sTS!wnkIe20urHlG+r15t%3-t=>o@KK=UU9V1#WOM zkmWCmg}E_Uf_`uWrm`WVJU)&puH)^}UfPaV`ao9>Dh74Hsa<_BF{b+ZvALR~kSKN4 z!nQNL`}?a!>aqPi6llh4FHD$n@P}SSx`-J$sCpwDeJPBtd+>tq=kUE@WpyzZ8OlEO zzaYgDO0h2fm&W1f9zZhawYF`Dw>RrFJ$$)ZB0}vJyGj9I zH>u#e_K7|@a>J3h-M2S{?>?^5z>0M?HkbqAq>$*%QeRt4QyN0T?3g65!4*ZbhTzYC zy{sT?W1yrb;wKDq-=SZ#Q_T+UO3e>W&T^NR0Di#NyXNd8Lq{=Rf?ib~1(gK7M(s2i z_;oablxThWo5}+oR8Q4|b?gM=^(BLZWa+5E(BR1aa$GDkLu#~r3>^6p4E-Prl2rR)-}LhyKlBU84osXP)Sy-gSW zl5vM)HdZMe=Ps2hAqVNJI}vuIi8$!p=W^Cpdf&0E$nRxHdZMsL#y-b4Xx63*mX+mw zB6Dw50C+3Zttl+4IH`yC{K4%TA1Yg92pFbo|F(<`Tvg1PLv{5@lO0+x@M~#Lnpe#B zZ~2veKqRtuQpxV=8eG;r7dTqKpO}c8sMR|l_%Fn*O8^N7W1oetEB~?o{6}o7+}Drg z)|`m>3b`dY&swy0rjk;ZrA_|&p^F`UQx{O9dny1w9LRsGpBJFin{WN;PCuXf=t6D! zsE9;FfpNXl_khqXU!PZf2rqb8vF!5!LzTCM4l`f;Oy^pCX45c-aZiIs^9;=PUaa!S znezzy5?KjL1@HE0=hO?PK1sX26ej>_T{1-(&gZe35+C*Y&On&kBB6d1`l;{`^vD(y^>TqfDEe`#x_0;(gL0 zVL97LXMyhhh1^>U=2{D*zIV!nZXwq!UT8g@&N)U9(1AbN1D zZrpL&-QBSCnX3>wRSbCONIAc(m!a45E__eqILm}Em#Ia-{oPqCu2>eXN+!YuNgEKu zU0H$cyzNByB&?Xs*CuoVz{*}0?z|Bu=2h130jBp`+0wMuy1gbcOWM=qeCctrn?V?7 z@Iqpx@>IlttzN(q+ACu%PF(c-BZ`>^$WEVKPP!)2#qfPFy^ zn{RMt%)w;6lk%+jI^b%dc!!QbYLlytWFxN$-U-cVhXY%-E?z#eH8m%JbFEaVFA#A(kn0`fjxu(MChtZYGh^-u!4>aW~M6TT{@dWA=p9 zEe(K*U(gFetkzb2b@;{Y184WjQjvu8bK4vosL!{_0}!v-<*o>_`dhQI#`M?EdN*5y z`<>W-c>J;YLWr-H6tp;w@`!QPomf-eJ^P-%S-;I;2x&jxIGg7b=EeoWn3!F-LUrT>IOf~bU8QD4>1|iL;hff~+Yj$pZ z@MGM0vlf9*lh;f8HTKK&4YOI*W8H?!w5@R$ z;s2@N{hb}Ka^$-JZ9 zQmej7`EY22HgJh7+2NYJ#5#N_G|UPaLn6A>jCbKOVUR2thsm((+gbX zAb=psY{F!ABu`9yF}@o@)v48&-AuGHx-~NMP5Q3#`_ZB^?J~$u`YVQr-)grZOLB*X z{7NjsBCU*&vUlw%*t|n&sW)jU_S!`p1RIRJ<(kv$?LOuQy4fT!HDaG_{GI&)NoCAbV{C041FA> zva%C@X@dFW12n$2RJ}H1$P4z<+SyKX{ersW^t@Kd|%q2Tm=53NMYwQ4?zrsbpUKnn?~@FQ3YmYDsv_M$;Rh!sRtx%hAT=X$6_^ z!i|G`VxkkQFs)NP>~>2i?zAIh0K`l|8tHK7io(XO<~jJr%!}~zGfVDxGQVY8HL^!q zPZ4t;W*PAxkfj+`&MLXtXPf#Nf$kmtE=FP6e6uE4h2GcS&+*sP{{XGc2U`2BriNTx zxcs1=mBc_(@#3>Ks6~2``e{6COOIz!Gp@eV#a8XPGWoMgGL_Lq>~_FH#?sq+AMYHv zHcZUK<1JJi%Q*esOyO&rBQ%B5wfzK2ot-rct#H8N5?l6cTix0c461z88s3E&Xam_JBFY_VZ&>XxF(g^=6Si zN0q)9+N9a34T(>yen(=Z9m^(1Ww#2c_q$$IVP1ueZM)UBt`B8y)iUqkn5wlzwbvz0 z4AOA5Y)4%LVS451d?R)4BicD4&9Iek;vjY_&-(Q%Xjyh`e{km0!)UGWEJ?-D(XvQ$#l*@vcEg?6z7_ zYFAIaN53A<{cGXGp-9cfxo!W#qvnZ0MYyVC zL3D%(1@vR@$qr?jook^qbL-oKK<_!CZRrl8y$kZTApddh2qM3Xi(O*W5@66A}SX;uy`aDs8A#Wlh@_gTA+;SJ?Gyn5?Ex859WOD_=l*EsMn+e25yjoVwJNcncxxd1-_e7qlnCp(d`PX`3E@cGGmL*s> z(08lgWG7hEz%t>*mA;@Z>rj!Fxqx{)GT1A%KEP^<%C7s$Hw?AZ)IsU%&;`OmjphQz z4`YKaL7Za260GzAcoH3S!pl2M(0tk=k1qjXN@RG5Kv7?3>&2HYL*fl=kwWSX#+@E{ zTjSym)(*R7z1UOpo864hQ&R7dw>iweEvIb;VfFDnX&^9D->O&)15JRGZwCG%6pk7Z z7jFn4aauWp0?zWQ>6|*CotTJ7)nXk8B02J?50E`g?vK%XSAIX?z*x`h7|$?f(K`4c z>8=4kq0nr`r!lem@r@3?KW5&&a`DX=U~WcRZ6hAlJFpas7QLVtL~DQ;sbaM8QC?Q8 z5x-(N`2A5_11%=}2LCy_&Abx2@SljYu`XeR>i3#G75^_QTdQwWMcw(s=8!AHYGsTVjo%URG16abRJ{GA28V6>Ba4RNbC z+WKT^+k9L;d3ZVBcyl+ry~B5}fa^ogR*UL=z3ia;XO|w&>Qq-%cOwa^61uVxvUX-~ zF*zzN>NT(@N*3h`o0-PiUhwK^Cq%h=ZY4I{iA{MP8`#@K5e<7!eh=>@q)LB19U{}c zU8&`_x+;tCaK~?-GK5y?If#uTRmgnje z%WPzax14630LwyN2S+1bQZ)`^f=g=+5d@9 z`BBQo=LaC|@5EE_f53w%d5|y{Os_pswd(|6`08SZ`VMmLIx7AEudu3@8|Q5ZSTvQg zZMZF$A^o$RSeqXpn7>o3#s7Vt>iVIj26{S%|}FAuI<`fuV57t5SB{0~>) xpIy>SGVyHLm;X=tG~i7BcL*7qCeI@C*!^qri00y`{2w*w+&BCkb@#!u{{i&8_@)2= literal 0 HcmV?d00001 diff --git a/docs/images/otel-zipkin-demo.png b/docs/images/otel-zipkin-demo.png new file mode 100644 index 0000000000000000000000000000000000000000..a3af04e466c8717c01ea4286ba360acedd76fe76 GIT binary patch literal 133964 zcmdSA_dnbH`#!8il@`6|w5rug?bdAUE~SLltgV+lLNA2cExOf;9g+^j3K}CdQyoT( zsM(0omPEw}iP0c(zjA%<&-;D4JUl$Y zW~SGzd3c06czAe&4jush!t*q%0r1*`T4ZceuL-riQ)~08C*UaHs**9s_i&1`awYE!RyKU zpM~ub)SOG=`TqAfor?Lt^Ld0FS|HW==7PhhSuE!Kp^y6qZLl+hJ*A!ZOGK=D@1Dv| zlN;#2cN#k864sC1+g@~F>&(Q49h2Gr&@GqkxEYwicG-+OjNb3G>^`@MoyjQ zIrQ;ECfjK<=6kqSOu}pJw78xB|9qRhd)x+X?dQ|e z)iV1$^!+zO`uD0G1pgCU#t1=idE2y?$5kr+fB(zTx!3ZPeHkDm5 z^fnxA1qi|bgWX}&p6$wq+0<=2p3gc!>@n8SMr}b&l$?#c_NnMa3EDqJ!CA`+lW) z(H<1gvV=81hBRW$!Fw-tN!5kFJABc_IizjlA#ZKQ;NE~9-9_|ON(Y~Z9J6KEQg8Iy zzZ>8qp~{&@Tixu=ll*9!l8 zJC7vtcP0a;UK_hvhf-0C{`Qh~=^C?nysbKR?WKE_llT8@$df6U#)*n%aaZoU3m)-# zNG5WROcpq@W}UVL2!%~gNXS?BzGdL^VCe0V8K}rMV)CD^=))ghy#Hn*Dcr*Q?`fTU z0h}oJt;RI~UYOWb7soRZGr$F?Qj7h0$a3uAG1_C`S#9&eFnZkPUywGrD)Gb5DMH#5 zH|7*LTBB^2fSwOuG^uzm`tZ%kTRe?t4j$rJ#|qZ@^gG#ZZM7!s%_pd;J?J<@P^=6e z*fiYxGfT?)fE2Id1~XXz0cKJc1))R@=oJS{7!UPNSZ#ww29un zQ*lVL8b}Zf;HySC_o4#X$N__`N!s6;YeC*Stw0-@@9jve63Hk&VjM>~m^mCZ4?Voa@ zP;Z`Co|-{!)}!q(e{p7w_B=`9!;qH7b0UX{5`k5Bv?u)DVYjAZavji+Lb{5 z<~|OOnhJQx4HGmqpe8fDZkt#}WWrXY-D~y8yU_i$m+pN^Rs;=?bQG_Z<+je9-$=Ok z1G^^`|K}$KIP_=~Ny)yDx>Yn27tf(bkGJf$zY#T<5epJ&O$Af)us!mK5l^IY`JbBj zjY^8I(T<~mkE7sQnb7Vt-oVwX?9zYZZ2n}*$vbZS+s)n{5Xyxgyfqm{WZ)8ZaCU=o zlIY;f5l#(fyQZ2selozkmKaObs8q6Qd3;NQ2*jKk0r*T(bf4J2S%8$DIw zj(Obc1NND&vv6BYJh9#~8@t*e&?_3hniODoG68_zv}|94MaPXn>@*_>mxTy!E|-z` zushZcY{!vnz1sjZx$iB{>|taiTrqgKOLio{NF3O_8S|X^ggxJ;ZCYjJJ(Ug-VsOi{ zJwHPSNDhWLXjSZ!38BE@7mN4T|2D4$kI^E$*PH?|cBK~iSc^A(vuQ?ddw;r&assQH zN@YGX-k!g!@^9jon}2Gwd(Up{m}mLu_!ySe;fEOys?R~pb7t5pk(E#4wueWQMCz*y zh;d()-0qC#o@>pH{yc&%9j)U(bUaIM<-@xQ-)?n!r52%dpk&zhRM{9McY9(sRj-;x zpDR&|^B?_l>uO^8RuF1FYygbjo#C+E$8#o}azl2eINR#qDZPX2}mM^K0Ylh|jL&Ku;gJRSTRS>0@GUef!^In{Af&$w1v+|qs-`g7o=u4zJO867M zT9pp@6WKFiAUMdXI#p|8@h-dFQKp_xkHGNc?BF>&*tJf{aUdQ*Qbv1gX*n&3whxAA2Uf*M@h*!g0&$#?m?vdg zBDwg;=I*I;A9W|IPyCzVfsF|3S^*ic%vb}F?KbfMgKz-FWL(WZy15BEEO0I3J}mLa z0w0&|Kg`Jb;b}v>zq5=>%ja2QWF1ImG!6e4Fg0VZ2pIk8U}V?CmI!rFRiT)l7=541 zvrG;*L)jgA_D%)noS!@C7>q88sGwca>kp%8<98`)4w080Qxq2G7>7STIezb^0}U7X z{od0G%kz)MlQV2i0GBACRp_%XA{gq5nU=C9jE-WoNttVRKN zdw79n*I7MpK#zjWV8!fvvM+wl7>^Wc^KvEFh4Q4N*2kvj%+s6ZkpY(-ROAmX<|uMO zW<4?aili?pE@Db&)8(J9$Ly5e@Giu&dfjsZYuXy)y?vYbLueOm=$Bmthe{}8j&(kE zltll&3z*e7fKw>fB(N7N4;T&UI$bUHKQi~eOQ!NuX~Kp>g54eq#c4tkUW|`4$*1H* z4~$$v-+Rd2Hlv{yap4jMX1$5;x#S*ojV<3h95c;CQY0Qi=L{HbRS(EeoNK~Rs$;zovMZTfrfeh5HyfXgxuA< z(p)^LXZBG81W`KsgQN&D1QO3yx>I4_qi%CIMkZs)*QiBCBOH8cXZ5L(%VTrh$Ch=m zp@FZ`V&~*Wp&B_jP0EymN0XYMIPSRe;12fM%3MWdb%l`r6S*2tU zA?t^|WdNvYYz_$`s6<;|xtOrG8}OiQW6U|a2#Rf0cey$M5)gL9Ps+2@De|=DpV+ioD z?KaxlbPOHiWT3ZPKU`7k@0R;I(COv!@q^NY7-|^x#V3>MC$Sxe+y=GI>8DfRrR#cA z6S63|{>6DhX9U=B<@o)ebH#rE%ze{r5GoUPDBI;qLDGCMGX|hFcAyNwm7yJOzNO_{ zTn;S>5z>94iu{U@HKVu_rO0*1G_MM4Sr znZC|rt^Vc5p<-DVof-w3VC$@Tlsmq;PRf+B)y&=`=k~xs4zrAHbG5em=(xs^DXMQR z7SkKE43sOQD#KwVo{fn7`JkHsalqS>-<)RuzL_M#+`>J1&`|^MEv=e z4q;pXepQL;e$poNO%cCrwB0ex_PKoWF*Y79IIT^tEmZcAQ3VPv^^ob-02g<4QH9lkkh**mszD9Jd~Si^8a`xb)b!OX z=bF$S6C5Tr65H6ThHssWW%j!oIlpr>L%<h9p`ram`d@I0YzP5#_W&AFl5RN1Zn#l7yTux z4jp6w6IVzZP+!)@*mG7zIk&SL(E1>X0gyO3P8{For32@^gF&d+P&<30yKEKwh)T&n zrCC#PoShjpcNW2c#?f~qFaWaMU16c*eT_52+2YuFKYBGr(aYN=?&Z*5q^s9Dw9)MB ziay+<W8-oP2{~aywb|q`4A5(tsUR6XV zj_~gR_*TUkc9oEi0U+INRHwK~ms~%R5S|&jTi@5V+(@>^1na=k{YSSq$ssk3-xP>+ zD;n5ZZDIsbKlZ#-^#{P_F8~CbuGjcC;`m3@&g8s(jai%(?Qd=c;-C`X+kzsdvze!S z3-3TRBqf7C+=Jcx*&4anI?pP9+RZPstWty??Hg$-oz_NOg7sy*RK^z8)daG4%UftQ z4eRY*G5NX$rg1^-pMl~VSD_R@Ybn^e)%(l8r_GKgC2GQca;LyYx{sw4?azaBSGa1Ml5TGuv*>xE4EmdN z2JJ`-x-5Rw+*n?(G5E^&LgP7&`qO;t8_4|lutB(esQC58qqJ8*r9OMC=E03)9|Cec zZbn>PmZX_pxpGx;$_t(Q+Ee=%_|G$aAKxNjm`IAQ3OrVa^d~a#Cww}y(i6ekVh{G0 zc`hA3_Gb5huG#PV^$h?{LOl;C?)x?->$q6YkO4n4HwBTO@x_T4tPfUrl#mR)9K8{l zyk841%<(jkdn^*a(jRo`Rq&2dUt^=naZ5!0fS^5aoD&%hUG_X@~^Ku z-)UYoFiz%P6^AtK?UesC`0*hyPdq(l#<@t}tGPeCU<-0YXVDnvKgW0RaTxfGdBS37 zUp*Gzvke!YJgN&j^b(U2YK`1bTr}P^DrzpwqHYZ;f+pk|q%_!j)He<0_pZBxBIHyS z-5Ws}(8#L^yxHP}WNe)bb*s=bbMuGa*yz!NI^;)VvjwfH_~$_}3}=EmZJoqy)(6pZ z=QTkj44!SF)0GX@?%j$9s*Z7vqdgVPYSRRbzuHy9FDk=>+_9M7w&`R;BZa#?n#_r@ z86QJuLkFr7h*OkU8x_C5jg;!u40&Vi<&2E#*}M$m^#2o9I=aC0jwy(Jj;>BfjDWJr)0g7E9;&Ur@9?1x~>URRR}XLVH@vvUfy<&XYDa%^0)Y6tY^p& znt_c-e(1X_ckgJ-qU|CBih23l%Dp%8hH2aWtGW2u*y%`c_Q$CG_XIDpx5x3- ziB^ZLXpb4rv@!2C3BSNETsm!MMfTTS*gn*g8cB+{fn)rloQLs{bhKbc6qqYDXR>1H zg8QkFIWzt^#zGKUtk$B)j3$K$Wwbijh$5OPBmQ1wMDt)ol|KnRW+uApS zax)jK~D?)k{aDCdcrbqIXH2TawVYFwvYn#GUcwf-fyR5_DQ++Xo zz-(f46YDB6SEpQe*ydt3B@do+G+Ikwxao$CjbFhJr%#Wf+)5GSb8R*!Pk?2Kq09CC zM0KkNS|G7+Qs;biNnKjKvcrBV$xyG@YHea|d<2 zGF#k=lLmQ7u!>54$l>vP5yPR-Mo^RD<P8B?AwoU{te$Y|BRLB`+k&%O=X+K7 z$NMAGDFqY+F`F_~H5-L;Ig(B6ED@4){aSW&`mQ`ew|gYRM=y67I=p(jF-iesC4Hk250U<- za^xTR2l-G>B#N<{px zE<4Q|Z1gn!k!8e3xfuq6SP8T^n^e?RAXRTTAScSu;nSxk$(j4-Zx?REN22B~pWXNi z!$f!&d6V265X5O0&2(K_X-TK0SV~a)%Mo#{-YO$UVgYg5v?#Q*r1$H^WouDnbVaKJ zZITfs*4Y<{q^k~{4Pd%bq8tbMV@hDZMxfdoCahgnP!aY3YqGy6*v1|1?=9WGGZ&{( zROQQZkC*JxtFNhXtS%q#+0kSU#m<+@1++iy3zUfJiPpA1?>iQYW3?lm+kSD=pUeGEakNE) zx(s6L=IE{9Y33pKKUa@+N<7O57S!&j;p`GQOVKdvJ=Az)0Y@3Wx&ch?d&WTWw2g5W5ezzBI`-WM6i#>aq^Fb&? z8>i5{?_T^n48CDk4P*yi=++E1-g|Bp`*x!9{Ox?Q-`rL{?=aO%;mI~hY|rA1b^I17 zIF12FDZB4Xj90Lr(`xs&gT!sh^5!W_N?QRubI+@pbX@**_9vY3J1OPTi}Yf+WksSz ze`5vgbjB8;QITIWDmbw|st*G`3$ktsP#^9!RAA;iYf+-|w~~W7bk1IlZf$T*RCD2x zIoXzP&3&__h+xIjoIhQ?IzU%4Kv$4&{vUIVP;Wy04coHANo%i(4(W`vTFUqMtv=B zJL5ROjg5(Nv(y*2AU5aEQ?@e2*9!mmx@R7VY}`lMo5N);+sbjw-0%OE^!OBN zzx8<<+LXe#{9JXot-kki-WUaQD-vX2!Dgi(bYvYJt4kToFgZUY6r|&SUSr=kKEB}+ z7tb3FCtF&b5+UqaU|>Y4&_92rEGw*d@|?G{f>Ow+gL#RgjNo4-$`>hm{)2wSTEA%ZSkwjupzpJ-F`?4o!zO;Euw1Xxelf_uYi@iW z;|VH`KZk#pQ6^d(!ir~*C7+E*mIlEGOe$fmL6Ty-y?f;ffdks-URijxWN(igMo+(O zE9nVVZ%cL<{&0s-Rj0z?HaJI%imT5E8_Y!(K?7`%Gb4ZD8dLKN%~x#4M{K;@3p&4x z1qYSFvCNURVpa7G`2}koax*&ss-=OtL|Niim|CLw_A+(s=Y27W*^s#K_B3v?w2KRx z)?lVbSr}N*?l9uZuXTr8JHWSFlvV-=&mr z-zLUi6(juxwcnJL9{X&G{n=**xr%(JB8d$O+JOt-84kGH667J?EKw#Edv0|k`M?C_ zoSq(P&+>W>n(vmF$!~L9k!gfqzuB?28t0dI$iC0_VTgg-B9^&0z8&$83pKs_*0_^$ ze1MqyH7R*#8(e3k}7V=TOE`@ra;Qgl0v_WS`zCK|2-KmBB85Xl)K+Qh1`gi+Is}652 zy{YY?Iw%1AytJjTSQ|eR0WS5gZtvelK#kE4pyNBbx`!@I${J@sPoR(V*v_;K(; zFaR<41AB`|G9?e+C>%ArXLdDp`BCR#bb6aYtJ%FY3qIlb6{dTc*o3r-n=d@3Pz!V1uQ z*>W`@(=8c4kAA;ln4rirq4Yw%KX$rwRi6J^zhQ-u+(r~)e`D;^S&Lyx1wqm2=hVsx?+q4`>VI`ST~(Uao#)ZB=N;na;N(<}jxmH+hcjj){fnd!r| z8gg@O>$O@XrWq_zUr-oEHlfbR3B-Ske}6^fu=xHLM?+yPVhg~y{abB~zU3bUa#ixI z*b8Ehoes;QU%%!;eogXBb5EmQ?`4p>qkSAdXJ=xX^5wOl3q`Tf^2!g>4u|#@soy>c zLxmP|dV!Yv!`{Lxby|A%Dw^)U6O6fZxu_lGlJR}{)6tw{z7}?TSR(mo;v8SI4Nqgn z@(uBdzHKt!1-%}-z^T&gg}J#8`DhC?OStq1TH#0c^JtsZZ)R>NR?qrb{@YW*(z#{&5g0HgG$w!m#IH6M-e#kSamYR;J9 z=sKvDZ|(S=V^8|m;;C)q8ycie>N%q{5>O zL-=KEA(^-K)ozW!?+HazL%9aQ5WNxOH+S`Ua!TD{hwD7rSR?von{U3i+fYe+Nlg?j zkln32rOc6fSv=i}sCvpWWERcqWb%ZE%0Y^vI?;RWh*s^Ux>!0(#u}}8+}luK8c73?PTO6 zq1r`aCE}#LF2#qp+=x$%NoorH0B>z~Rw67rB);MY-|4xsY~1|w=wXU1o@^JEA!{Ed zi%Oa|`D6h3qa;us_ZWYc2`)^ku5aDS!L^n&3wHq`gl+HrI9702OJd=NIAH!+BSUt+ z=`tO9e{y^)o$T5M%r%t(!JP+eBcf8d7tr~AXcl8~>1|_g(cy@Ev{oWl7cknc{y05D zJaMd&heNB`tBC!V8u*vN zuKVjCkF0=F-0Uhm4vGpb9FofQjv4N|CKORHV>1on7c8Q_TVU)!sc4w)a_ALP9IGe9 zh>YmQ1{la&bXaQ?vX%o8S*+g?LD{ST#nX&dPA*&PS@X_GBb3r zF&m7Jor%_h#T@Eg9y%MMC?lr19LO0v*+V2p|1=ds3{{vbHWWB7198pMrhs|I{&fOh z_7s_Z{4)dJUjKwG;lCuW!oc_m`j^W1$hx`<->EnEggg$=iHU~c#W`xts>f8w-im$-+!47rOw;W?63Ib;iP_&mJ zO|fq9bPt+p3k;)jue7jrqdG{C8o%Uux{_v4hYHGG_1H}CKck0dk1;mey*NXd_%p*n zZLiUksn zP`~=V9Ieu8wSuQw*~=kxjdb{{2f;d1nC#YX>92efYk9vxy9(f4?TJ!J*~Yda;U3D} zDw4WASH5sXf}+9@x0wZxbNGh$Cleuln&hUvW;~mW$0QmmIf<+k9N!H6G39Ls|07>j;L>vi7?-7t{v zMkEafUn%cUWm-Cg2%-|ljtXs#QWQ6Q;>D_gq4HEk{DBp&8fa=OIhLs5(^vM?FMEH| z*o<-DKFH#ll~6$F*-3|7_)aO$*^WP!Z-#?%w}pI6giaSI`P)1jv;g6sQ+4u}Evu0$ znx`ST4`ad@`K*O-=YpTzp@BKBRGh-mg;Me*e`;k@y6kXoM8ojB|8fCczSpx@bu3_1 z8F$oB>&%Y~^-PowzbQr~&Nr^-eHSoht+?7Y*>U#7oO0T~5BLe3%?2fLJNIRZfE!Ai(s4bq&2#ZT9o;R@fl>OKS@o!r=4BXj-{6976!`7#paU1t zbMQe)Vt;mky>Q2n)njG<=KIVpRmbi&*8k%f%5n@aG*sXBIoTAU`!WkYU;U(9e5o=p z5gir3gQ3Zho3oyS`W}qjxtZ;m3ik2mHS|}O-_VB?nIvE#7D@6&UhRm5;sG?dXtVQe zUkFZbMhp8YMB+$~FBF<5H{@qs3U6K;xu!GYS==zZ^pZIRQl5gIN-cgg(sE-ge@Pr` zxl6{gosU_wpCZz0yu;lzNB)L^y!- zsK9vo_8crK4rH|ZQ#7}!L9_R!$PWbX`Wr%o;^P~fKWUu1$h8z-Tb1EPneKTH)t_Zj zA4Rv?4k*#5W^Rat#4S2kDz&<=y>PGvs5q*@?acSWJmF$kP;@UP*WGPP1#DtwTCEV| z;mCsMJo=J+`Dy4c-IFYt?H$zvj6%1ptMA6rFMZBkejs#m*!mW_HdyF}*b~c_rxkYT zm6_ar{z=KuJ)~Y76p$Hgd)z9|q^tpBk!6wq-a>;R&{l2_Pst7Ob{ z#W?H`7wKN)LT_&xb)8O#9rZIGeqcho7r_<7Bt&&@F1ymB9ga0Z@-7LR)Q>-xpCmcF ze1pNF{8Z1~C3$fs9NHoq-}P^5!{#AMZRH_=;}TZKiwQ()xr3}?CWb32@u639 zmJ=E`1jnd3R|VBi$1J_4Ktp1jqe#7O_IrR1Dkk6gP6|IMl0w)j-N5&`S2q)vQ?U5$ z@dWmG1?P0=4K<2d79QyO|iLn}=iv^S%^5nd>CTlv(Tizx zJyUNXqQNgXkO3%1!#++~#WUb%LQY_pX(2n=d!WW~Peng)$4B51DG_onr7D}yO%}gxVyo$1=>C>Z#lDA)80D|D-@83rs78%4u zjA}LW-_t0}@sMnyFi5_rHj9h38=ToID+Bo+0fe7J2d#o}Q|>QuO`n~@F0I+1wnr*d zU&BYFVFCOwP04Iir5ZpZC0ao&w71*|`+Cg5R)t#Xa&be-8QNgSMy;W3jx?U(IrN#y zy$GYy>cdzXcW@LP#IZISUBY99Z(VMH^T~(ZxkghJnBY#fYusHcbiXdmh{e9*3mHCQ zudXjR#}zD4uASb#J!%cT+Ptm;J4iyC&`u9E5T?9sZXPS&BK`eRrDD$|CG&Praq8QK z4&=A27Df4UMN7u#s`B-=eDODvEtF#OHU83HI88z9DOw+UH-A~VTedUfzk@LDlFUH z-6_QE;!(BuwU?D+HgW>cfAxUkEtA$4aE$Kf&R0u3?+7g;ff2cyt8X2OU^nA`N*h!L z&NBi;l$D%~^A0R6khUWdP<_>G3%rAIz7@LE{#~5CSbrp6HfSzSmj5strbOPV2XuLA z!ameuT!U8snDZx1%vTYIRD~UceSAniU57awv}1jj>=K9IY{6oi&w9BPybdw62{b1a z&4s}-iQ~#!u_xFN-y437alEYd1A$TT(^Yc0Zqfe#%3Gzw3L_@`N81%2>t+l_+Q@Qk zH7P1n`)dX1C5vhY$rD0B1aI+&ud=*#fYj?S8aI1WBF=PBfdW?8F`YdUH!580{YkzR zZW1F_xO_}u)~v~ckkvRD+PlwnsZiG1rv36XOo$61tKK^kK`{rM9lmeJ1kwIJt74)} zE=@U2!%PnoU=sC#w9{P8-13PbF({4muMFvgQA)9<@wbsP#aH0LV8r_iOaz&+b-wF3 zgl*IQt`zy+jwYQcN7&Qe2x7^EzPXXuO>#JYLC=2EpeZTDh6pESHp7W=D`9qVQL2h& zCnIE;1;o)`7JzNv%!U2t?>VRWYP;AHcB66ckmpq1p$_@td}HUG>@18J zVLJ^#`b(0@1WOuDPRh?$*64br7>Fx5K1zSpLD%S+$`F{KtBo8`YZPZhOUR%uE%_7Lyz0 zQRRYB>ZvwE_t%UyaNiz!$v5KZHzZE15tTdi9FkwMxv!C_$X58EZL znCU!isMC}HH>Qro@q5_pWmel9iO6-0D1Um(u5sLNf9*Gk#Qwm}tE67j9TZSumZ;R1 zo^KAO+|KBX8G2|;n6ws1ZzhZgZY7SX?_>pXwaGvZvrZdL?k&K!u2pFrRN^@#Cx@}u z{@FH?y#y#5?KsBu+Ns~NUfx_mP8^;GPdQOmtP+zUNDz60Ni@Q9g-4_JTSo2`yTpAM zI^rU}(jR|LxNrUZMi`fH6S!nlxZ?a2rKG00(6p?9HO&C)P5G;D3_zs4HZO4<0~^w% z$g?wni)#eGTT>C@)&shQ?BCfAZjQo{L*rQB7-Dk9PL-yrc1cdnUCkcJM)OnVOsykP z<2tZd!Ec+NS7=yYEZvwLqVe~Q@#e@Su3aMfeiI-=j(|dRXLod0rJjvd z{)ONjvc%%Md)yLms_q%;bjV3XfucC+`=zjl?LvHEXRe70^=Zf8rXni00Ue+`hiG=k zQd>OrOWE2*VchFg*GpgvXOjS%`O+R#OvjQ z3I;u6I!rsYx-Np>^qa-Hhni>qtGoY^B&rIKOb3I_9!62Pl3!1VA3)kM@t^z6Jmr{~ z@VV|-U%l@#u|PEmx$=Mt>T>?vbn!L3Z^j)EyU9pAM;2Nu2Rd#6a@h zb()qVR>bl`3r6^To2V=I<9e849=E`M{LFq|@LtKMyST6k4(-^AceIGLJ)mA;&~^sG zY=U8cooa-0YNkN8ibpvmCHcUx$IaqkZ&cjosoSoRG~I&ja?RG9!)9`n5sWb0E872C z17ZX}*SIQpthCx-LocKG`B-#jJ1uvLhFyeXgH^%cnZVmBoezG>Ji2SQu#N*vQ={;m`O^%mFYGBx*q z2kL!1*U4nZF4EjEBymcom21pj))&g0*I@hBK5L=hH6#dUgr+m(3V_UVk1u zI{(aTpM8$!;ge;T#1s1uD1i>gEq|yB+y0goZ~HjB6T4&qC>+P5%UWC%CNKUGIMxX{eZrxJ?3F5>3yiDTOxl^0FK$XS#0XILXYkRTyqz4W{ZL8lY17`Mj89!s z>pqUuFv^SV1Xgas!et|WGwq$KJ}Z%eoo2DLM~jPz$aYN!`YRnr(K;k3eaeNMe>LN% z4DLkg+yk}8#r=)4i}Cw6F`&MTpFzXJ-fYPDIRAA)^V0M(w)T#~g>JKmI^mv>a+q#@ z+OBE=d_5?}dUe>)D1)v>E-Q5L)k}Bg5kB`Ce7D@#Ke5TNnk28|a8M^SC7(zh?}=3{ z3@C-q&(Af*v95P6176S3ug>{yLLvpP*`@?6QT=5Qih%^0$Mc6EXWSZFimIQjcme!! zx~2){-adQu2h6E6-()yCdhCr4LWGOg?OBHopW`8Se~<@Az^6b7J-@jGNR!FCjV1-O z;~nexjYp!f9v@u^`A=zFxhvs(t_!waxkgRF0lfL$vy!o>Z{%I(U%ss5&bkE#Oih)? z$!BN7{$X&PN}-caXd=ayFAn5dY9AsTdLe-6vC z$&O0rHse`aK<`oUB%o-B50hL?_OW)zocAHkMJc_^TIBX(Os9eZrEfVI#?4C3+#M~7 zX!dj^l%uv<=k0{UHH9rE0coLCfXm9;m#R(^N6Z?1Nx52)p3v-nnv(7z;n4d|642ll zMu<2CBdV5TG5a4?fZAMg`MZ>H%MSTem!DRJX6+&Dvu$dSo~f4j zHx@c4ro1E^Yv9g)Mvaof82qwNJJ8L1P|>hm~iot|Ihw4?HKSkcpRPFLD=T_+(!ymu_!Q4Um|j~li! zYLj6m7yf`XpNH<3im2&FkBj{)6oXrFPzp3ek2o44&~>$&fv<8*B&TvAaZ2>j;OgF3;L`G=Pt zM}r^qMJQiEZNd?6VjGY8aGP3=(GL+Vc>(r_0Z6K@lS;w=lcpMS@67Fquz_4 zR}1v|D(ls}BoZ~CI<`})78ILJ8J@HRroo}Qlq{QyL*lo-%h%7|q~2plcGDX-ye@PU9O!h%fpTq548{uILC3fou`p*&eaO z+ktYNUiE-aHT}C@;PWRD9A9vwE>M@C>ifuOIIBNGzE`%3(nQc24lK=H{+#cNY_d40 zO)i&01G>!}Gkz=TJ9vFJBC)PYGzw)=X_xBEBq3&}V%?*r0a>nNzo$@g!Kcb4UhHA# zn&4npwcPP}D5|SUhm_zYBlj2_g`ygWJ%m)QL++giz~*A~0m+BZ?D5jT{eLN33nuhw zRJU0uocP|@PJ9Y@n5*{<{G?UJV~mz5(-_zxcJ}j|NL2K+{Es2`s5pYHdjH5F+*4Ow zvs1U*-(@At=a841MMXW=O$sTw^JFQ^Y4IKw(;e}4SUSfBiQ@S?5X=Gu=yzb{qGsSI+FuB$ ztIf)cF6LivfU27x?W7GT9lP1*(70TFsC(0pV?}yERbi8mzAYh9<^ zIq160s1U-u4G2L=*G(SV>W{~f+)4*DBNNQ0ZoB1LSmHh|c+6MA>lF){OO#Q{v&u<* zHdGxlhfl(0e01b}q|?AMV{(Lq7I~ZD&*s8tt>kQX{6!3#s^M#B1ImRdpBWkPzDZjX z?;e;po3g_#-@x+w7neJR)EWA)yQ4Gd3QW{SF$>8+Mg^n2i)LR={)P3=*6P)miOlh& z4XPV06l`eChOOPI= ztrhh_jHOCfetA+58|q7%|L~J*-K1T*sBRMIu9Mk$-Mm(C`&`p>^K5W#5}Iq(+8F$v zEBq}GD3k&OCRO#O3ePpH-5YcL5tbn zlCqPiN2TU|R3fCL&d=#&-Jc*RtK3IFEEn8I@wnu0YyP@i+Nptk4uOHsuVvU*G2H}V zCW&_b6Gj3rNmj)VK>|_WBl-))@SMiI+vg|hOiIh3rcAE>k{DveGJlOG&yHyB_HeB}kNzS_k%HLDEwai!K~J3UtM z)&_XHcpE{A4~G=n-dY+LuWra8>X+PDD@^|A0c`a%gO;vB;!airSj&0bw8Kjt67rn! zghX&(%o1Q)wyQ)7f_*+@%xkHbhQogZT58)|%uGzR0P$-=cpCF-HVH4f!)^SEwz^wy zSiWFxTY#9O5)b>IhdGt_AzSq446rGoZ)N&-&+!#3J6KlN#rYY%56)dEPJc@p+GHG+zQ`BTC55V#>w;zNi>`Fq$%n2P)>LGtawuYs zFDta`&6ql>FM)76>{|p9-cl!gUY{4^wmp<2s!L zP~^y;_AOt6mVn|6@_tB5NQqwNOxqcG!^M3AO@sH zN`TOU4aS0u3Pieyf|QU@LL?AEQPG5=l!O2Q5knxMR|zC}b{s|Lf1l?*=YFnp-W^_e z4MXxPyRN;~cYT%=rAE=2vy>YCsKayLrj*z3h&Pp_e=;AG5-&QDi`Hw4%*r=`OZ+mV zt2F4JMf1wbs3sWXo)HGy)V9A7?3u&m2c2U6!P%!lHa9JP@25-f;Y6kK@*?{g#u7RZ*%XU1C(W!% zY4@R^1EJmgSL)H{nmw)H=p+smU+%*%{^y6hTM5Ig1*kNOJyl zOA?aCD5|oD&X9{9<^i|9#!|mZ*)I6LF1iX~D9V8iV)_$@<3U2B?~J4W#B_ug#=ZIX z3(-}paqk$9E{liYY=nN{!#bLSrP<@xQZK*NOH|I;qQaT2@}=+k{3(?7X3TSo$Ed=p z&V~erqAwmO8SDT?UIl_lQ4(eb{wFd*Wds zam$~k5bgd5BcUkYn{Q00{VekNhySz&?dR=+R_@vI8?`*}amG;}T7F&mTG`5-W9IO1 zD@4Rx`L?cI!EF6gmv#2^M@nJ(EiHVfqrG$=J0~Nfr7Gi1EG`DsoytWYt1HCT5WQDb zkn7369Q|aovob2o2yW!gHDG=E?GJ|&7C(u{ZmF2)OmvzoQJY06Wr*Br)K>6C9H|#e_NL>$~WXprQN}XGXi8khG3!@zx-g|or zc4g%r%E8yFOk^GPPCoZjq29WPlck_{Dy%Ah(gton)11XVE4%k2h7NQpYYr)^luj|w zUKieM;9+>i6r74L;kf!>=HZr~70tfco3QHwq{8{wy^NjpBdy9VQ@8h!c@4euE<{*qT5|j(} zcXen!%~Ygn#v470R_cdpl6B?YE-P3b-fZ6|N?I@MN4R7W*$QurobnS|G90b?+dGg? zqnE)h;m~RPF4=W2;(&c@zPcX`8#$CKxu0qzvBW}7M6&e@c|~SAgIk`A?UVThCYRQK z^iq`h{NA~nDS43~7TRa%COll6#KU`#yoQwKyzOmOUQae-olN zLmO*JKjbu+z29z6*Q;dD4I#Kd$o-xz!Nhv^1ADqoz2L&sBkZ>-Tt=^n$+@Rj5FVw! z#}0UEdIK*e*PfTWl%}Ttd0tH{470`e^c^fRT1PxT?^%vPCI-%D8P>wouTp`Fm(_q|wehYG)>Q_It-HM;+w4k0K-V8+|7~+D zsL>LVy!o25WZP3j>MqMW`D>EcqC}rU7oE01$G*cmGHG@_&yW*NW2rrX4Pg%*ckSDd z)^k4e;n1A%^!A!8h&5sYp|+;=&E|4iuwUej z`tL)4(il9)y4N+kL%Oo{lHWK#79~P|iQWiT9o-P3D}ozPMHbgM*jvNRJOStDAnM)9}$ZOMt7;jo0e(YR^qVlSW~4oA0WNUsc>7N-m~>3a*YJYF%*zS$<02`tl#c>TomY_s8x-&l~9E-B|d=npd2S39rlG|Vk{Um zwn>Qv8KO3rS{Fp8HGk+n#75y5j{065WK~R$hmxzn0Pa^30g>!qTyf)PotFb7nF6nA zIDoHoVwfmEe(4n28;L+XfkP>tA-)pYwzou?l`L?Si#A;U8Z9E4{8VrB`NQ?O?O*ya zrVjc3j?0CGq`;|HG9o-vhe?!=1a%xFy&~jmyB_*E2Clmk z5}lJcB4=_;_UGY~#ts18aDEO2Mvby4dA+kgt6Bl;_et`;*Pd;U)jiV#PA~}<_d!JQ zOajNUuoHkYP_}auWTBvQP((+vI5KdffNVV@obm>tht5G5+S$gi{`PFH4k^E2;tV9D z?%F!*C_32jZA52w-VOjF0yF6t&Sc-(jU**oJJhGW@=Aq8(|?+Di83LnQmD@j;Tv2( z2S!d7*pdnWv_gLQgBS~JV9x=DP4wJJowp_HhWJKPw=6I4v0<;23k?1&m4YLwjuaCq z!wVJ6ke+FvHlOGeIs)v}QMjzs5>fHID@6IK2o13-sOfhWaNOn-6QV}lSL15`GIcv! zp|eJ!dV|33t|Y~E<{O00VxQ8K-}Y#UE@xf zenX?xPEUgL^x~hg?!jcBkpW0i#+_8WrNgy#uGQ^ZR+wyi53Xtl*`3*PJ0mpUDJLN@ z?{oKe?P**2K<(#e`|TjF_5T59e0dy5?Eyd}`sY8vzyCd|P1>V575{u()WctXwx#I? zdCY||U}){%)srT?~62_R-E-yvqfSAaV_NyJzys^M{9g_w$iq5xvOi3s|ZwF=@6op)rQ zV8+QJN*aRnJrLO+kZ=iFbf+>AP7Q{^(+V8k zweM7ckS@M|avTOG1Pg$RQ~;?4jvUU8;|OPsR={GQ%feg!f4bk7k!$EFA}4I?(Z-NZyjEOJ9mqZ2bxT@N%}ad# z+D5e>XSwTzVDH`9ZuFtwg_iX4^=X@ZwFH2?wRL5<1C!<^_m>zy2b3SLeYNjQ*NuyX z$*$PSp`Ab8%;tsQ81DUAXpVTj&7l8_f%X6Xqs5-C%e(t;T%37S?7dE#Pv{N2^L?6t z1LqU1$?gLDx-JleO{KXiHl=9(3n+Q6edi6ov58-9G`n{;XXxAh*a+u3cSgt426DG{ zDL@==x=mC~{A-xMzM%jvE&ft_Pgg<2hpS>gw)1vP2NP`kyg(dG=)eEtd3w8x`6%np zcsZSc`zPgoL|D2ujr{Vr^UiC|IM=KH{*u)@ym4Vs>6sMVm4RbFHo)t|`75IjW96e} z&;9#<3mpE+m;|h@@7zM*VDmuy^wJ^>plWXZxPU4Zb|if7+;^Hkj>+0bI)E-kgp2>{ z>gn_Ee5%CnY%5#>nK)m69xHz5Zz?A~Uw!BoK7Rd%TFUq4w)20vC5CnS&^A|=!pg9} z`=aLKh9^JOo}Jwqwl#L0o$mJs-kWQ+$?fqVggEj`;O^lgkk{%f58?V}`N_==aZ5b; zqp0o%45lH9FBLOozS4W!ll@oGX;Vzzs`UkqllT!CaOK7C&u2ojeTUyM&eetRcbxi+ zC$k}kjK1I3g!WQW&oG1wFP~o%+^*D-+UU>EkXyAq>xS#eF44N|Pv*~0gAiphkU~|< zeFKuZw;n7kIuCGmnCZkkgJ&X2$6VJ{AE}B8qlyrEKhjcH*cwC`)t^uel79r1!)A#c z+Fl4IaISfZQ$_a`W+^+loqAV-?g-#F#NqiPb~8iG%78m@Qbb>)h(LeAvVe9pccty= zX&BgQlw|$N&)I`0DOU(-*t1su*idU06qu8x-t2FCCrQCAJw?+q8Nf{F?mXH~ol_{y z-q}3U!E?f;xI#)Lss_W8uRYZrL5-*SWL8FP9k#5+jXc2{J1mJ^oF8StKwKHvw$;Fv zMvF*+a;sy{YzVoLjuI?dL$npwIr^3yPXV!g{PnM!drZl}J)M<7>|_!C!7F1SGh*Cc zNPwI7KAtNX(O?D(r_%0FJA=lH1yVQzU!5ra^gMg~JS&)Z)6G#{?Bg_5U0t-Rbdmv; zEKx$c>#?_1#G&?>5Qg#4_(u>bw5x5p^)l#`T2ZF}CMl6~$u+@n zeslEKr+J*W568*U&mNo-Tr@L@<;S}~ zh}Y)|;@3U2+;v^O7103aqimIHmM>hhmksQ<1Gdm8got^H->|V^A4YezXdrNYSFQc2 z_8(Ip^3LZxJwtEeGN)GTi4{aU0d#u;LW4I?6+O!B~9&FxGd;7tdMTPNo zaZ*JU2-+7k0)*zDkYpAJBhc`dX@;(opgE2f|0<4Id7{Epy@_1O>NEvcn%rS3H`RYW z1DsJ-+1&LFbs(5vh<=1_W@vv@=b*@fH>{tg75Ow1#WrPjD14pRhxUml;zPY|O=ZT( z1t*8}B19?j7Xh{~X@r zy6;kzl^<#wJZ`;gwBKQD$|1L7a~r6RWyKP(sCD2N_{~6!eI}lcAWG=g-fr`~p6a&+ zGMKfp8Xo%9{CSa<6HTvp1aiV;DdagKqQh$!gk<@B>OYu2WFLzM2+L%!a@!okLI%?| zkDl45KbKVb&ruQL`l+1OkV~G^{shU%?x}baBJR4p<=XDN(i#5=n~-GjZ%Z2FuKY3F zpc!|w-7`^y!x0vi8t?I*gkpX&$V6J zZuejI<1zrLt#c5VB?XNvjA0Rj*VSz(Sn{DffoD1^q$8~DgZUZH40v{P)k!q(!entx zZIwIoJvC-wgEg=uPd`Usa^TElm~vki{?}Ck4!Nq+(ilX0VFUFyzZi!AovW60g#VF) zgebR(Np(Fl1D5j_LlsyhFkqxOr;2+Khm+UoE{&EIHi~dB;WxI{g^M)+x1(Hp`q{&& z1GI;C%7b}b1N{f?WD2Lw*9f?!!`-?7zZ$mV0`)iQrK!@l8s6}&+Nq8IYAoIj*N6)~ zhswmS*bLAc<&+cTgPpd{K9#?NK9_8bZ*r)|#nZlRZx!wE- zw;){QdJ>FIRB=Q&&aZr~b{IV5AL8y6p*IsCo`>x0L(ENaWB^WlUJPR*x@G4 z)*?C2=2UCLd*wsQ6nCEmU{WRB+$fVQqB;U^&5NRia#TTP<2&Fq@}xdJeaG^$4U}Y- zex#&`$SHu;-w>w;zc={W{&#iwohYet0Z%#)>SPF4VIXEkVC`O3R2x~0ZAFR^My`iJ zk}`CPj(R1*s+VOaRt*_mNQf$3lU0Mzy}aNDV)eVCKU#8)T#xfUtg70iyc96c@U%?; z2S)f@7qt)Y5tF|};5nl)Ya|Z=;}H0Hs|lIkW@^B1dZ zvpa#fsboC$Aw@Z>Bx>4pnS=`pgznw|Wp*rqs?G zs@f`rBzK|4)bRB}HU5ro1_!nMUYf7nO{f&eJ7xHG>&a?O2 zHmXexyC=}2AnsIf7J@DybpB>T?gD>`itR(J@R&Wn5Uwt59C@V^@K(PLE>|RQjK<01 z*tmM^*p}F+i91==l1xu_xS3LdK>^@3kBXdj+!}$zP$k6uK6t=pZ+JvBbKw#&3%_0? zmgCpjgV|NSR5ADNO;2c#dEvreaWX~@hO6)HzwR|)?Sm7+i(!>1xRG+=#9JOu{_7Vv z9k0)?f=_h-k&@$h4S9L?i4Ro?^`dlnVM0v_sy}1N5@v+BXpML4f|-dxFT9BWTcC2c zDxvp0(1=ZRnq-IwRS4jJj2Iuu%W@$p*4llijn7tt#wYY?VwXSH`%o04Kle<(mFE{P ze*$;G7Qd)Tk6@~@KBoC&>#;k~hepYf?7P!sw(~i;u&_V)97SrxGi$q;t@|+*a^b_- zUvSL~0D=F4u7<5H02)O9IUzi9P^wn9#ZI6S*l~Y(vptv1#wPsB*~W`<87u zR+|TBdP3$CfMvJ~)m_Odzk@BT$MGvsg1s!dZQoe|IV;1l1-jhrzrKy5QhVyOD_)$W zkQgqK@~ooWxF7EsHRLeU-WkP|1Ne{`&cTI#YA!!HkO#QX2*287mV zFNln*N(%0B2{CJr-b|BbVWS8}nXnhLczYUbXaBhsaSg|^3fS>mr4x)^m@QA%fxM1w z(Vr4aCx-_nB2Ts%5+W=9bAwU^eiXahJ3~MJGYDL(N3ep3$8+?5b~WXCWBGFUm+=kg zv`d&Q^vP{THc}Fn4pC7(Ga-d>ypYegj4?~Gp29U!2e7F|C32j`!36ZpjdE&)-T=qN zW_hdLy^y18fGOA{=VtR1KUqy$WQ?-*) zJyve3>)+}HoBr6Ra(zM7Wj*zB%Fu^kUZzLlUP)%QFCpBpD~mS+HC%c<&EE)j1Y%N; z*6FuVIx1F$S5Hz{o>}K=BK@@9VWZ~z$<=P{S_Oie3%yPPejGZvurT}mOx>E09X9iW zqh;tw#+P;INOCoZ&mI(c9yr;{mq8H|@Q|#(40Y7nIVj98oK`Yd zttvUkr6h=vFXvo2zdTLtNws-EKcGKWx>PEh@MvdJuOc872J=UCh0E`yYVUb^WgyA{ z&mB2TJFilE`TJ2lysf4OVG%B9olplYKA0JP`NNh1KG;f>8ijLLS!M7rx5Zg5^sJE} z)tcOr7wE&4*{yP6p-5<9@3l(S5{7%saUr{1?SOI3P-Y-1 zLoDk>UoI)a(0zW+|_VD&y!bQ=npqv>>#ur%ra&Z1K+2|6?m$+9AQl>W0e#Iqjc7z zvSM{Q-K{lW7H%u>?-$f(QX5ScTrOBFj~%U|Qg<|Lc+`@inU@~YGC?J$N3cKcFL~K9 zVyP@fdywj#auimvQxx54no*T?1=*`p3|=`wvmK8xeJLFi35r}RLI66>~d z@$RMD_K z4?h?OVUs{`Pyv8>G~Hw8(TVT%LBd<^#_PqoszdWlaL<}Z3-_O?h9_Iw1gm_yAINCi zc3d%eEVCwvLH7SW_@y~Bdz3KsAUT2xhNNenGjx52+(X9lJa=usi8LMM5Vv_ImGzkI>!R(f#ZN%%mZ_`v?>wQ5-_#_+ z2LoPs^)tDhk8U_hf#4R{xD7mUe{|WBd7YgG@wqo_fm80?!8hRmtWR?n8yD3$nCmt( z*}N?roHMU$3@C9EZ=IAkcwB6p;nJQ@jreN49WC4;TWq^vH~>aAhM2@CN6-&E8B&WH|n^yLc?O)2-?JIGH~b`1(QLs!HCdE{hkwO|h8lrhEDH z#1Vo=iczIE8Bx+m%|YBDQC|po(-`FmCDU!qF98)TgDS8_`Q>F$gLIs>XgP$nVpvt| zO$S1nHXPwR&nduhx_z*q@PR)Vay!og3ITgai~lylQ|=4Y!u>?6e*a=ipeTilp9exJ_LJ>V0^#%$ZJ&sRl8r7u?+Tpeh8iwOZ%v>U`M3h+R6} zey7+ucWGL^6)V&~OmC`OI^Dj@7rnSs%gQrR$JgkYT-ejz$o9*J+wBPl9O6_IE&GWk zcb+tazB|#(cCr%$F1Z@BwOFk)oW5IDl)Jk*f&kxc@N)j4QqKuUDeih(Ei*O8$;2kl+>Rk)k{`%b`4Kx z0cz~&xxVY-bTv!yb%gcT#DF&!aQsC~Fp~L(L*FQaivU->FZ|Dh0_^6=vnL)uXD4d zm9S{7LnXchsv7HYerN3l`!X}foLkif=Z7Tsgc>XicsQrn(U5^T_0-N;KbP}0!Cke) zLCN%UWbXqsl^(wmr0!)}Gz%JnT~h>es}!VCsk+uEMX96-A@6nIjJs)UuD?bOSZ>aT zgtyqh^1N4n8{P4dS}>5xI;vB?DB4rUWnTzf9@3yQeeTDH_GkCjt^Ef%QZic^ll}8G zSgnGuA!*!k>ckA`>#52$*c@yP4BdSx<2hpEE-p*6Bd~Dk7!vpObbOYx)rlF8xvy)* z?!y@`To^*#o@6i6*b}u@l#bJgiOu|>x|5umR|*{oq|0+&EbHC0Tl<+al%HFH9`pqx zQA1ZeyHO@N4O{(uSLlF=sY_2Y-!@s8#y^^0L$c0IGz{%2+*SVS0WI?D@|jcV5g-C0 zM_JOK$|X@FTznLXeR+qODE;`g&dPZ)#${pBgf*nAgPzEm=T6sHsRJ2l&dF92*4?0D zWn1IwOP4>!IwliFEB2kLEUgl@^iUSdzydyyyu`JYU@nV|tJ^|@V2jIA7V24g6D{Gs z{l!M?=|F*Df-PTKC*4Nd84=LxE|oabN-lSDj)#@^qEHKni}g3M6^U^(-S0L2{*sS@ z63v+>J>y`qSHF*hf1M@Uoi|cD*~0Q&(HBh@_%oCRPvf&g>Ti{DOS%GuP=6KArjfj) z)~zD~E|s8`<~U@#rZ91b{`h&xR0oMo?PDx~o|FECR%f4hBE01I+~7~s??^I9(kOl0 zc-0*=G;3RvYCqgreOsu!-WUZuGD5lf4#q}KiS85>RT+L32`qF+nI@&6w7Eh9m!YPb z>PT)y_}}N+ZNp|nd(zT+ES7FG=4Dy9^g6TV8g4ZX7q}UWjcw5%dJz4$by6oJ{&|nu zuF|D#ma6JZM4B6-$4tJjc`?t-fq%NaDH3yNp;gs$dA?}+?MBYuBLzOm86lu2e=nP$ z*~mNZ^xpNttFZi~>G~bpGa?wzSe`+gqeCy}D1uf-#U}XMMibch-exiT9J4h01RF zr5KOFDfJ2I8Xt<&ELz8CEW??;uYI-|9?|E|+F#|bS>)d{!lhfurjjG-GA&a*hJ22v zMKF*oS-R0#&I@;jKS8w0IYt%`V_9?*hdafmG1 zEm?p2zEa2jKbTiPPwkfKh?1sSWpy`-jbH95g*{Ai{Cu=hKp~O?`u8HZ_-93B^LL3@ zd2Z1;1v+WLFwC8)le$fPphboueX~G4`jChQ9wD!rBt1J)FOhO z6X73t5$1iG6B)?uKn~_6yBc?>M!Zhrz@2fI$PbaTN^3a0_7SZNVzuJeH@>^ovVT?y zHX}jHj{{YkBv4=w7g1Yls?$-HyF;8rR%feoRorf|-IGpbzQiHvJza}qm|V%1d^)-n z>Oin_v{BLw>3z2AaPLdXVi2`CL3Jd9_`aR;$8JYm=d$W~mRRzjOG$+8Wvb#eLeH2! zsp+|KTYc4pim^-E(v38EC8rEKx50uR@{LgrIWW)YAn z6(cPyyrYHvw6IbBpp0_}^MSwy%#)yGg`0UvwsZ7%qaA)!|8~xWu|cWCG!ONW-O~P5 z<&mKw?dPv3wR?HP=fm%17`*;n5NYg)Qn`-s*; z8_5;x8nR|K5doG`;tf}9h9+TLb{)alp$63;ZT`1K&&9au*m&+$n*}JexRPK|r*M~d zjS1`rJB`o#WPP3Qb%pZUu8iR(pRr>KuF2Tt0w=nkd^B6r&Wn=@{@ zW(`4&`bl2~MH5zisL=5IW4(=iwOPnP`6xjyj90KDy1FSP3aL9aG)t(ebPBfJjZ+28 zi-jl~q_wGODfJOCK-X8OnswQJzORyXS0KxE$_7g=CGec4Wuc0|plZUYqEKwdk~ZVg zLn8djmK(qvGogxnBMHc3uUV+ZT|s7s9#>-ZES1kl-`E;+GwJ$@<$S1kdGTHZ#XOX0 z>tE&RQaLCPqcWvh)Mw;ez`7e&Zoun$02zjkM?DVTRpi+e=4}sraN)z^D59W3W8rG< z;=A_&i*R*y87+CAP9<2Y=jgiu8v)pUp`LaC%e^`)7Qtr7e-_TkehqSJFtM94yNL@S5~ny#sWwS~ik{7l<>`kxuB zzu2ABVPr&-)N-eQB_svXOWAsJe~OHBVWYAs>fEpv9h3L_JO70NZDzQq?$olbDck2` zcv>R4JLrY#ROyplK!{=@nE|FvB}+uIXMkmcN(J=>3QSR;X-!H%eY6WRhiUtl5B{@S zeqAA4ofv^RbCeM@zcO+;j;t!bD1cKyl(2C6s&Em8>?fek_09C>B{f(sdsTjjC3m#S zz2JwYo^vVXY6E|YAdLSZPiJ~uMHt{>+7-ZWraFdjH-}U&woQZ6u!@eY>Ql7}%0U=M zkDHWH(fwjH#sA?PWmXB%o_j~N8fCFKZrQ5r+0oDtxQJwV60~&K@~c9fZHjihvxGPliXbYFB}1ZQYb+SdEA`>k3&&)Ksa37rj5kBDxD@mE9A zu#V)w?fx~7BR#!L>k1Ri2~4o&;pHwhEj580i3JJfR$HfYhz0~;n{)yX<`3g?ym|~- zm6TVk4-OtRQ3PgrwRh`oPBx4gMvr1W01mvk6O3k=#CCswe-`;nN=ZWtOepEr2tu&c zk(?f~azAOhC6K>nBek9g>v|^VXg5yw^w(u4u#?MUK4bGxlRhEG#)-v|i-~2FTQdDN#Wn2v8p6{+w;ilb{M0s`Ke1dBiFzTyQu9O$!$T^o zy?ze;7!I6=O~dcbA98;W%6d3U9{CUhDr{8qI;BJuaaY(wtup_(;;cB?B?Fm` zMve;RsTV{g(KG@+zAWVwfDn|lf=c`GnGOGp)I)uqJg#MWbiiCSYrkrwWJer% zfg4D#&Ry4(Epk8DWOw`51oIYIw;ikc9kPDE%z4dv?CEPikL2uRsmo-XGeRK^Gc)H` zd{?c-ascDr&k0Zgl?5FsBF4HDCJdCl2?6Yz=<}j75}oe<#ee16%M&@v=X;`OfRjVJ z-!&t!E4pfaM+|>z9eqRX{F5cPva!)jC<|J%A7TnW^?4RldKMZOc;u}TwU zzv+Tfgnwm#C`&ps&pFW9a4jy9#8QRlJ6wtv6<7S}l_)Wc1t=ZfKxb)WRRc&(Xp!)h zCv@HSITf7Xzwknv=NBl4YVClY@#|_ZTix#*WtH_u*KQpKuKHra7==svG{?S<$N!?Gl(kCZ$3~MTnP*RL;^v(jodvkEI6kl zpQR`&-~`g1&qsp-B{qAyXf%5e>Yv~M=Wx+bCGZmCO1ixf{aeIq6*i#J*I!F?)2#Ek!N$L zob3Hu>`0=m#w5xy0=NuGN)M?#A9FRX>iG1I@oHegHCBts7#m$M-Z-o!Z{Uh{gBiCN zEsb&l`lA*wauH0R>vmi~D6G}jzDt;sv^l(|>*rtB>Km;@7L}`9KyM?}yu)ddMTH%tjy+4LpYE6KBi|c_L zb-6uV0guH4a?_3kThfso5zB?oAYubtp+yFu5GV^M^^`VlQ+X~Y4-70( zk)uE%e*q1EYR^UGEW`UKJTOP-3j3->Wtc^EokX+mODX1fE!qK)V-!C30u;@)ZuN1v z>F39{{wBJv4WmQ(p;qkP4tpJEPL7p&h8|ZGR*w8K8&(ya5)Ew86gnu@cK9~!ld(h4 zuS|_!MN0R%7eE(glYslpZo)N8q=LHrQ{9OfgcgweY5&nRbmNJ5y}~jN)SeR6ShgM9 zlIVxxhtb0)AH?`b1}a!)I*EkyH{F27lUrxG8aI+k#~XbMRC^x79aWdU_Dsh9>$QQ* zDn~cv6k7UrusCt(>2HcMBU@t4(E^1-RT|#cFuJv;C$*e;?X227uT>Sm7JNVU;p?Du zH2`rFk#?E%1_(TW7-qE%Kr*Fbi;%w8Fql8Oa(!YQ*Wi#$$~2xJS9|!6E``a|MvwxG zYo2*RUh_2y8#8rc!?t1AG2HBL+})cJHji$wdk=)4H5Ef8S{r)Sx&U!$=EH$`dXb8Q zlqy{t^ojW_sQ0@2%-_*Z7i@m*8myB4V1xfin{9X)oAN9Gt3xo;AN;0GkNdIfIk!>4m2WTSDO`HrW6}a<~z3G z)pBgc8dg3~+qG}4zD4lH;EIrp*BBM&yw<*g_HX;kdP}DAAqQU+#K!20O3AHd2&L>p zKfSU`g3E}WKcGNsS!uZP2JHLlHW&vKQBSQl1j9IA@3mbQGlv^PlzCsix)sA1FNY^Q z!IRaSXTAvIzlg%tIG?<#`2Elw`_$^P;vg-fIvf}sB1xEE+TpVg70e61%n;7c$pjB) zpRa^sS8G;H+%wRVL zl=S;j$lLk{O`53Rzf|uA5<{DWuaExD=ZnHE^3axpJ`#_bBMS~m;V#0e+KIcpd1CH4 z@!AD)pe{3QT2zINkE_14n@ZgFMd1dn7AC5ZW7r4klskNrFg|8KE!Ic$z3;dxWwYAT z>$oiN4z^X1gAibo{jt= zM8rYS?TdWu*)iE^xX+ESjfShgDMC3vYQIl zb@}h<62+UmHfV!&E4ON1Jv5m+j(pn7AHFd?`NaD6V<05Hg|kQn2OJdsIE*_-JJ4f* zXgCN-Q>&vZtgQkk1WEn1vR<1e09oRIs3`r`QJJ!fM@j|zi%2bc+{Ae8?&rkMYqx*b zZo8g!$XP#PNx$JL(n>ws(`AtRbN<@5BA3&_%~haS9tZjHr&`y2M;~3`z63Rk-*H7{ z$v3-QTQ>i!l>mC8yKS?t4@7&tEXa%*{XQkuV{XYFPQYO56oykb`%2$1|2!uWjn1%J zv9I?Z=n;g+SfqaNmXp3>-i4U{^cGYzSF+w-Azqtndb9$+wQC50Nr2o{U)la^ALCz3 zwDkvr?Q8x{tBxKFmLiBR5YH3A8dwY}ivLT;-1etr zYNJ9|HwcOlJzi)*(&)ETAyHluWuV)BSY?qJ5S7}`-!&s0Z&tBx5_Ri>EU;u%q2|8b=nmlBGAL%a5LGkZF|xDX5YgDbPp#v z$1FN9Ph6M3$IfG)8HT^xq*F)Vq~m;eaMk)8d=j1Z&WHQi1}xVnM*?(bR{k?hPSUw%cB26^ncVmX4@^e$-S>)^Lx-IZq|6 zrDX11IS7KP-mTxe?*B7G`2T4e{P<2Wzr*{?Ws)}vgS{$eQ>m2rAoN{FR2ha!(+pA7 zTL>}nS=-SS$HnmV|jGXHT z4=t0id=D3;v@t8m=*4IlJD#ro(6&&hFB}i#vOJTl$PpHm0aKGrbkyT&uZ21E^24i@ zBX)ntd0Hrn^&~k>`V}@N0YSW+8{qvCONyfkH5bb#moZ?ncdEmC^eljvmP- zeUp^wrsm8IwXeM&($&+92a{NsxG^idQ#iv?t*9QisgCEfAPWqqn3AJET!4^nZ8W!N zMP;&%vnJga)Gf>PyT@No&w&0A9E!@CP9=~_eT7eBPqESZYWjKUi20i=3L`WT2^%YY zZ=;{coM&Q3HG^^#ZyLjwS@&6{!{&Q;jOGSY#`)!lCLru!Cv3LrtM>Sdyy_A^J zF18)!=MWS1eXJl^^>8^Wi<+l9T&DXK32S>IE42MoU%jqouoE?-QEru-2eLA#yk|vZ zMpG%@e<_ilg-6&|VRW&I4$1tZNCtm*a7 zh1aL??ll)$UU)Hdkf1g*MZ9shtp)FuJOv>IfZ18ds__J4b;YRh7lHL~xaw}tLgv9a zADu#WK=*@%meLf1=NIa{VSz3>QE#t7Bf@h_UikQx5_+ABc>`$5?@<09y6gwCrVQV= zK{i$F(!drevdz84X(@{JLWiZ_%%nBAwz}ZnxSh|GPlW@fH>&ZaMrC+m74@dDJrbLc zJXeT>=OT|ScF-+>W~SgY$ct(z3ZK2WvY6gAm!_*eRCKa!$ug{RLX5m(72kYF{iFoq z;BS2rtra?2N7|PII}>Uy)C3Jwm(Guiq4)M7F6+8Z7*gaS49X0a7*&Z9+xi>?!F9j~ z+2{c(kT|2f?wnuXFV4Q2u&3-s+2ak^853%7J=clSM$Ihe%qr%3*vFkd=*EdfMCIq$ zDhknY!m+}ItonO+&vBMm9uyRX9ITyAHPk*RU3h;XiEC+0Zc=kZd&=Qp_Jo}TyVV%z zl68uew)zrz?yqSAHgf(WvM0x2h9Q<{n9HFx6C5zXJWy}S21DMRW< zo>tH4I->Dx<~gsB#1q2@x002-#O71<{qcw2F&H^4;zmnV9kuZuL1$c|3|`BvN-&O9LCxKrqYkyh z)kFL7mwGWW%hl;+p9g)XujwSwNAd49+OrIz2-Br#@^jzPu$mU$*gDpD`112Kl(nv~ zaWPSo3To@UFIAl@E)8Mu7O_g|5xkFr!f2P4EM~Su4<33Uvnoti#adBrsI@9;N>LRy zKZX11R9#?JIuj@RvN;()GS`0v1$CJ+3-9OQVbk z6pew6qsED4(P4qQ1H!0+$jL#da^CV3O#}6IV={4RsIcHDM;xBXfq|&=3rN*SoCSqX(VR*_h(&A2Hpy zV{1ZRptG)`VQaVtBbwxWAq`KZS@!!)4OUObf#9%4L8rE*ef4?+hIgU5*T7t9P>aJd zvEtX+a?j+@<(UE2ZfqZB&}S87*iU+!s?EX|m)JY^q2@GOPz>l^AaFeJcZAnFISE$%7gNDU`)3Y)GS95J>roBG(}gu$0wUJ!IB>M zcE2dI5hhq(1c%jF5E!_Q2gklZK<`L)gp=@2kyEcg9LPUks5yU^_xoFK;CPmWLqj6Q zm8p*X5f^kh8K(Ya#uL}9sP?vp$Lc`%dECBD2M(klM4zf)L`=vP8)e6d>E6<}A8X2r zE3;L+HqE~eY|ug-m;o&)93u>Oo#)~Vj$mu>D2KYSNnMWGs;-htebwCL*(OrS;IfVL zYTR{vw*rhz5SkzxmFJauEG-`oj|UF!XD3>b`S`%zlSXz%i28h1DQ`(E=KTZrr@NF{ zkCYlMbYoY?ezQjnhe1Xq_S)|yAf57p>dR-(UX&kPeb>-jIdE^=$33|7VL$>&0pSk- zofnD<*$>jd>z9Ifgbm;Q)op!+$||SNq=(ej)~c#e(G<#Q(UEn3I{+HCa2`vjq$d z`RbhBaJ~eqO}RxK&7XR`|LOpKL4D#g8Z1vI4eoD(taxNqC1n>s&k?tR-%3QeGURVmi>a1oWb^UTip^SbWazx7&hG4Vf=1hr#k!oc)DCr zEOT1ditREi;jB&WxpOARkZ9+wM)0oVbm|zldq(uV%QBk0o590puED%!u)QC3hB=B! z+Q+-w)%Bf}vu0|yPG^lEYph+X?NRYhe#&d8`QR)oU(GLOKiqZ1q(!dy+#t3?Vh8e| zN{ux=6){(***$Y_0f0g*)&||X)RNSs`%pJjgMD_$>Go~h(f*YPNz8$1z=N=34($-7 z9AVTgL895)W|>$mkV2dzWxV{(JL^=VF#XbBYKz@?4Xxw-eJ{?T!WT3rhGQh3BbP!7 zwFJlDsnURleZH)>}qRth^ zUp-dr8GWuny}Snk`Ex_i_@$QYO+gm077S!oa%CU<>o?$vFGlzfWfef=qc*=`t=q}F z+uiWyGDOAhTSpXkXbk1Z8ds-mF(LI>K9)iM=*kf z)O=z{ZhYTW?11d;9oy;<_LL&hanosQKyErbO zKJJDunu%3l+Y0b-?sb0FK{vBgTET`bos&PCbX21fY*ZH_i{%+Pep%IXihkNX4S)bY zB~v{Jf&8_0Xcr~jbVp5)GGst@c|tBk_N(J!^FUuXS2YTxvDs+7$To@Vc3<@;F*$h~ zcOG!DOA#9(q=4DsbIK6?ut`@5d81yrh>Piuf*xpUT^xn!Vdt#J!q_o=QBj53@W>Nf z8fHea^{{t)Rs}bn9Q`Dy(X3OoKP&&eXU{{2i-#je_v`s3c=DX}XWL%0=h#fF*Afj~ zE=Ztuex^j|MfzVmkD4@e-a$WS$$2-92p^E}`b>W~*L>&VXvx*|{H{Ni%BP+g@;>2a z@o<#wTc}=pbW{HxQswwMQubPB-Kg>wLL;a5+?mfG_l$)h<3fCy&)HC<71j@Ry49HE zB++9)ooBtJ)Oe+;%{Ncq9UzV>=XtfZ?C$QIeW2~XSk~8zcUC98a4F34?g&|MYYjiu znSNIpG2j}Jnz<|7iYxepEORgJn0-HHIuu~H1nql1hT2_>wdCiXNOwzM3O)TISxom# z`Jm5+h7&2R159i z^QtT)c7);>{T!|sTvX+X9Sq9#L>-Cfmn3!nFRHFPp6Y-9Ye=*cm091usR+rIRYG>+ z*jtXAV{`07$tXg@Ja+b(*0GLJX7)VCI1WkXu@4T8@%wbY_uj|-^^bgfj)Twp{eG?I zSlYFaMnf~_w789+yL-GD{;>nULuwxzj2ZJWF@3WA@$u#!pdNy}r5;;;^pjQD@4rnl z`vx#258pFA) zM?t@ zZDAwVFa2ou&e+km2!82NR&OuuzWIjIT`1{Fi|@VXfn)wTu-(d5r>9-|aBufa#8Ig= z%lV9aTAOxXyy@gH9eWfof6OE&^GUJXYNw_Q^~7?>s!knk`xx&v2~A^*;F4PY_7tuR zzXU879IMFKWUs5F>eMaoo;{x~sX2W|dr)bAo`Kky>EXB1yJ?cniP~}d+i7V{TylOj zbK$ikVBai%QM@r@P6r|Xndv^$jg7Pw*-WtzQ3Q>!v*QFWuG$m_$)_uANFp}`#0M6zfHq;$N#sh_^-p1^0g-`=YO|9fK-#EZUgg# z3fE&#S+*^i4sO4Qz4NJ<2avr_85K`Mx6%@AD#m4Q~Lk+%>Y6Qf8Brg<+JFxO9c>PcImx&8m|_!%Zn zX<~ofQq<~91CxOXuJY=|P~K-QuGL0H$X8bRU~Mi;e@^#D^rmdJU_iN*NaaCo@SM?s z{3JD8>F>$-qAq_`!9cWCkMs`FblyUcZXQ=H#Ike(_a6ZUtg$tv94dEBQ&)Idus`fz_v2?~g{Kp>ET?PW5VMZ8BIoME3q<_7aW zVEmc7Hj2*|MpD$2+;Kg_=V*(>j1b-gWVk9b0`3s{tLNdZv7x;P1AKIpVQEcEK-48) z`*5R#Ji(s&NoiMNZ))y7aocjH2tu~FJxZ?`oOLzw^7=xO*DqRZjhzwS^S!R8CXx`R zYn%cXg|%~ny4cDqYJwEcECO8T=ZgQ<2v81Ksh&fVfl1|94f93b5#M8*NzY_6Hitcf zfY=)VFoTx^m0yaH=YRqr50C>H=3_@pHAPZCYl-xKys5GzmQC3C6&)yP`9M9Eryn3Q z8w+JI0QlCzw>Kw9JITq{T3T8b09E}`D{(0)5?9DWu{XbUQl%CE?sNZ0i9LXDgKNEI zxlq9$qdQBJXzLob4xx;RbV~&Q?+yjrO=^}(JIi5IqvbKYmNg*TE8);_h3d8KzdMtJ zDc)wjYLNwiDo*Wpb?^TvROSI`#=&CSrlk_5Q(PgU$KfisM-GQ(hf3`ln3kI5iT82O zb)!U?pv`xEw4*%vOi?w=yx-O72J}}cURi>n8Mf)QVGo;QG(O*w)M^27m*)xM4BSZv zL$}OIn(F^m(*N_Y;X~Gz?I#YFfvxwsbB65^6ExYWs~pTXwb%=93{x`3Sz#PA{9D=7 z_Kp`vu)bTN5R66ZcfJ~-O>CKq6%UhFY;UC$c~pAM>AH**f8TS~VIn;skM?D&FnHGB z0DuJVF|8&f5aA!Hr!La6W>c z51XU4?)82Be1(zGpPScPwIub=Px{&*CC~w@7RN`4&bCO$J*+^k7kpW20~al|^hGh3 zqq~Oxh9WcsM~D0o&y$3A^R;IV%eC<_!Z)o_UB1w6PL{?R`B=_Pl-Eo*Xjkin%TNF> zN~ey>vFZJ=O~pIi&u7yB3meJ8qJuq{(wG5iX?s}E;0K;>dst{VL&Vp?jk9aB%b{VV z$)a)vMUv*i@GW_YJB~0CcIDw@-5j%k^%+$vU%?{(^26T#cFhaWz$M1qcuD4OWN?E* zY46^gNgw6n_WHsz6oMNH@>I_sD1dc24s>ZdOz8hg(JM0x{81WKfaJV^i<W~JuwYn1$p)ye zyAxK`pE(T+Z8Y_U?M^^P7Y$W(s@clENGgtfOhPVy|;x_91&A1tK}-Qr(IFD)w1ZAxk}w+wj-u;T`Q>qp2n$ z#9hjF(`UGT`K6HmlbR?aDWTjCw8u$;bN;ik!Unr}ma|2iRKk_jZ5fReIuRwyb*5)) zuq5lz6i?=ukD(B~h86M2vamz0z#?#oMSh%+=1Bqt%!;e9V>>}xLYHdd_#$CZKZa5T zQ@$ySlO4Rg%HX)wuG&TliBaR03@O#o(OI^f(My%madL7($orSJ#__wIV;Ar{Tuv5K zk)H6&5vl%t8CnBGY&~+N+i*cg8sXkVfyB?HrW#M zXcc-on0LcIspAOW$6c#^kNB1R`N}?uvXX@P^_?d#CZ;T7!6)$^y?|1SRY!TnAa!mj zXqkdbdA0BYzXu8qx#F$OCgYe{LK}LcSgs0+inr8TQNBj}GVKT+A?gi(P5o`*Y6p4W z(V>lR9a1cbc*3Ut)dgBTP%w)u?Wetu(bVsGD``e>C;&0{aQV0nM%>X#n0~-b&?3?t z@0LZn6fDP>&Gc#;w?oP}nuTEB?T9Yp`RVok_4NkkBx0ciIa{W8Viw&o`~m%!q?+mX zl0#X}&B1jix4M;m{ZCxzpU||+;F&@{jfBY{PC-Yb(78)-3g-k7>6i`U05ejs3^uap zC>HllD$M4RllH5jFm*<%=tnMO{R%f=Kjsr?G7x47go&cZZ%>)h33793Ufuu|^{(PX zVCzm&!@epY>OP5<`fC^fXhJK2Klja%V0P3FR6M>c%Y>tIv0O^JpKmf<3cs64h>c#D zwR72YBCl@vz$ETiw)@Z}C$O=epv_lx7L29_zp07-tg(S74ioXty}i=C+8l`_q-`Xj zExIzDKw~X|@-$$pyDk<|OESD`SN;ZQ&+1&!1LQffi}53juqPI6*k7yNojg=>-^f^v z7G+pHP&At%`10Rt;6TJENkI0udzjqce)%#+UClfklddf`Gr@~|l!k}T<4Zv?O1+?z zYQ?Kb`7Lzt=JO9(3%x|h!ogqM%UPoaaj#m=qpmAQljNtC&vku@&rXp>B%06Y zNp53H7Z-yPAG=~fp?k8p^hlaPFrty*;1I;z z5nl`ua=PaHC9&-xL3;i}>Ym>?{tVtzHGwn#QT)X@y0EG?`qv%sE8A{4;_m>uPT6w2 z3!5j$M3~r7$@4AnAR;+0Du&z8!yNHht<@)pE+(VqVb9Z1MF5KDc){+a0CQA=f>M}f z*QK0>SmpzdAPA`GsFRNM>J=;Trl?^oOP`yTz1W}qk`t~)f>5HuHA}!VFGjy|D1;Fi zb5(pb!HV^NL6Vh!0=dI-VE@bH{7D8n1HNra386d)gzswC3l6!IP)&NKjXQe7a?H+vJvrh)AyMMz75DSt`M?sTNywI{F9at4Ak*?W}rw z`>EXg5a1hBp>E-6ml<-8ylOW2d{BVkqWzwBXjb(Iql3&yLU#%j1QO)Nes2(x?P}y8 z&tXpW19$Ycd|+2PI6lkT+RvasI&c?-*ew^8T)0S z^jRu`uM@Np_R^t8RDTOnfH=VFnOk1RV2#@MwY#h2O-C}lGhVva4jlStNPjC5!1yUXo53mQVv0L@ z1t4S6mlNXC=IV^h=wYNCn8HMvVcuwVMMS9m?3Isv7p%1Qn` z_IxGfi~8)#+p%7+Dz-)?ofi1h6gY*xy&w8IW=BA5RLO(xx9i(gvbLJYZg2{^r8yBm z)rE4((p#>Q_iGvyK2-Z@l)MNWQL=9X&%Ze;6;gH+Ht5Igp`NTWQ7i2qpAL{y#7i#Z z$+-cCzw&ka&?K|>2Q|CdZ}4B#tV|C4um(@B3}U1&YII5M0@}!9bh+eWTRXe2_1k!y z)6UuyAjFc=*5%dZb%OZ{eVKff;9ws?>%03Y= z6$UI-VAM^($3vG$B$}1jgou8CsXw_8D8)H5TgGeLj|HhSH>!kKk1qidrc zD7Z+_Bf$TsIKwTmO`8EI;YMznCd0rJu4uQnsrKI6%BRUx#<<;^aO&)8IzrdEUkHo~~k_Wi!-< zhcEHNfznml7`PfBwt%QKI>wj%8Qt13{{R35notMP#^M-%?C7b$00p3P3cy?64~(J5 z7%PUbz+^F1=IgQVP$$Wy0V$P?>*l}Wn^%N{mN3RsOQwRQHFAsZDa8J`fceEA;=TK+ zrJ#jPtze&~I+Rhkcp0dE>*Y>UwGK8?ToP6FUG&*_I;W&a2kD&erlT?BpGEs^{W9)D z;MG8s3i9zTeaOdRZcM+3nMTF*IShod3D;J*!B`$$|5DiQQ&!}JlO7pWHBiB)<%_vi z@J#0>=eBngCzk0G&rNx!JhJlQ94D^xX~j+BYs+{LzHSkfbvfEltNA9$p|>$+>xGpm zVz)I)GJ1PF>ZEPvuqN4R0hlNYb1DeTd|n}w;^LLyomff1lzon0Z!)|s^DzEPV%7*Y zwI`M%;P<`Nj4uI|j*RnSS+0W0q82}wO>s{8E{4w12fp`D>-)A9yj|IzR^Mly8^!$m z1$e3EA;|Ab_P_JCNHRNtoiAY=kq_g`a>FB{@y_6H!88dG^?8B}qC|C%3 zc*3k=T^K$O_pxEAfKqV$&sVy^2&hD0&$8KOt`N;Z76mdjzFdO#n;@-aBMl*XU+O))$6pLXAG9d(if%ZCn%20aQx;%&^*A0%>2V`!c zUr$)&k-NQz{YVbU;SoCDL_Us;n4|+8SEENaZ{D=INctcicYU@Rj8Hxv?)-LPS@9vz zYE6eF()s<^A4neST6t2W2u^9BrLW$Vlmr2~NX4^*2`Rl93W4ap>CD5;JIj*|4Rv-H zR!zi>99BKWqkY;QWAex~W;K>I1JReCQjijt5-GYrkFtR#PRipRf#uliCDlG$%LeLl zv*qW>uQ8?*2|~t@xt?^AoOstpvP+{pI5e?-m&J}xe3cybjJ`r4AC9Kj%mQ;%TV{Wq zJ~}Y6DsELL=qVi-iX>@mZEdBKQr3YSo*2;Oe2d_-yy!s|zv&`=fjvtqGsmrtfpaUH z(5@N@v+v&9WVY(|>Xw=}=Vb3X?_kctlooXQJD;%&1SXAIFL~mio0|;f) z$@QEi!lkcUEuO+AudG?ia_Uy?P;i-n+=hVl>v*JjyxnoYWtGuf$E^oP8Tui^#zPhrt4$+pn?npYo0Dg`$+snW71PVGEe=Lr<_StUi>ff_!z z{iLJx>6l!Lhr<)YgSiuRo2k2d{rjqB^}&SNOYJ8DI`NuXs~rQ&9N5>7N1AjxC63gq zYv{(Pa>{uapC8R%*m@~txItu4YwEYoLHRPJkj1mqJIS#gE4}PKLMG$a>Cy5yUxE<~ z=@}G@?bwxu4{w%-{PajT@(G-KJ`b3~?)=IdTX8ziX!~o%5+3Utl#F)R)4*~b9QxNe zhz``}#{}%pRg(Z-o=$c*9Ll+nxe{Q}Yfk-9W~Fnn5-z3~Pc^0`$j*r*90l7m0*2mH z{x+*Kq#q8(NgNqll8*e1omO}!6SfjV%&~1&D``dwhl{; z#wigQA$zwO;)grmt%F7+Lb>SP=Z1rKba>(~q zmVqSrZ=iSbBG8?lmt^&MaG^Xj7k=(E;x)3U+3CqUpm^F_G;Tm1(LxU6z+K7N8eatP zxT|I71K1i7HaV={5ad735eP+ijbvPZj=DL>sk>IB>gRE4wZQxcr8L#OgtaUKkg`ix zOwCB15%2uT2BDu zClQJYdHDI=m`ij(lNj?#Guu~_d+84yqVUeM)%hExqnz+g2a>q1ut07wAgQw1X*0`w zL+(Rl&ZxOqVs}6+ zZ!%Rqn0RISvfAFk$ONhzZ;B@Yoiztb^7`U?gQc|$f`t%Q6M^fh5=z;ZG7ry-2)#_? z$E`x_)gZO24;M+ZR-Bh#ee%LrzJ6k{qK%)sE9(Brtfq2whZ@0TIXm49)u)}=mZT4L zO6FU$3DP|>rg;!ftKR2AAW`$wu@fHm=k+Vw3ZCXo*csbk+d+G^oZ#E zljycf8R`}d88~uC8OorFo`#|sZpM)wkxGw(EC@jt5Phpn6Md^Y{FAt9WAEDOOU7M& zhJ${#=~jy`-jkr2RsmyC-xl-lP2o^0H3rf*JCz@gC?6YHLDoeKIs{s8f3j_gFg*rh z=aQg_5yf@#1_8J1qkgYm1xMimR(phCTJ|1!@(>(;se4}=4>AxVo%|cfDUWo@?XK`#Sf8`}w|0*SSi_WTIix=bOZcX0gIknQmi z@I2}eap5)l+lx!V>uMZ0B8 z2Z;AhMKv_KZp$UZ<gg?r4x#YGpxfBGCcJjZBjOA5QUyXFwY!bzHvX zg_28_9yemCZ_?huqMlvWJ$?Vmv|He_3zW~fm+C{qRU#LVnd3#wBr$MO8qNpHTSL8| zg&)sVETH7vrca=AWgb0TNO9fQ@r7vgdke*n2{qNDBKb_R7Lqas`I_bD2DlA(+$Ogs zOb;~G=Le-WqpE%GdJ_^wtX53z+*F4)tW7otKc$$6LN_R7{$6`VO1|4^V5L9BZPN{cG!tw3eeVgVBleJ*lm}W=Drq z4~A$G#HHZp;`7@F#m}TuSyB@r{i_(?@q3%8^t$!!(y?DWn)rZmZ>Mx2W#N%Z>w%i9 z@|8)!*2b{kiz=5jVLiaEc0XRMm|dILp9F6{d8aLg+c8|`;BAb+14sb3WP+^@eO*s} zJ&cQ+8}s0mFUY*RG+f0y)n35V#OStOlVPl6g4J8GsWzJg^X}T9 z$Ik{OgNp@g@{gn3>QXP}r-)pcty>zM7VdOzjL+x76y06yMXR%SZNhs5K2Z5z{_!6N zHVJDxz`M1un9D?61M`6o^PeDXN%k@vZ*IM3JwWshJ(y#fRoG>D3Gb1a{;+LRR@4X0 zUvLeSqH)QU4^B+T-Y%BuQ5U1NTnep43Opep9lLE78syLkJ^H@Q=|V==8-8+6Lb#PDXw@G2wy%`!X%H5hIm#Llax@aULCN zX}w)Rmtn?M#5j_2C5tYaX2PJGC2ZY?kDnj&pB=r#vKS*1vyY^V_j6X0yOjCP#9sQf z-hNrAEtCs`yk}$-gVMcMU-{8?2P`0TPuaFL z+rBkWC}olNU^$s5H{@=)g%;F!q2wXquSJ(L5_iPhmG2uixu&2}PjpWYaBsqeOlq_M z4YA>NF)SZW8A|`ATcAw=vCGx%)+j^!(QUGOZ#bR?ACCN7Owm9pZ-@z( zsxj=^DfCyTQ>7*gyOb}xCB%A(T za$gQ>1s8+9swD8tiS&szAK@T%Z0L_U?Dj1MsEZ5!IJy<+B0hrcuJ&GSmF%<=EZsYv zm>In1#MqoYIK}pDPyARntygK%%&4rZ|3^?pJ_2KVybDMo9n)b(f!{{8+0mbIrUgLT zIu^ca0uFrG1x@Yq$a;YB?*Zt5n8oJ&DCc5jVO`g{bETJGGwYrYvx$rRbR9{q7~E5h zll)JiMvo>X);s}_VupjP4K?hz+BYBHQ=!#Xp+MRcNrq^Acl@lNlNluMJ-W*1wb#^Uz zPV1l3?6EEt&UMq)9 zSPve}+?l>|+f-OdOaqa&0#{mz;%M7G3}=VBYp?N5_F)c{I5!V=ev9^e%KL>pH&zFK zYh)yBw2ry%`C-|lC$SZh@VjRqjLHULsOechJlp3{7yU-D{+FS+Rg#6Xv`UFvrd64z z|KQe^*!RX4_L7GX!u9;39CdH34VNH0+rcQ0(6`*)n*=NguJS= zPf)7rVym!%wJFrdK4aQV6Z#A*bE>V^#p)(NecSP^2s7zZXP;))XeYcdc)tmNREz=w zY6b=d(5^E&$|R*LP-JsG(0c@Wgfuabt*&&}=v-AL?~1-sO_R&U!$ zUIYE1t0Iz*H4Qk1GOOLJdLP)Dve%v^GFBVhD2Oe4j<;*z2*ij+g1 zl-Bn;0x&o;f)56PK%o6!taDg~bHBRHbS6#y&k20B`JN(awRFJLL-Sd?ehWVdIaFWe zRF!^P5PAKb(l44J-X*nySKPUO?2eFOP+4Uv500}svKg`;Zz$W^9N{B|cEKUwmb}+5 z6tGm;usc69s;9F>4s!?AUG)yKb+O3yr2ggl6|Bd4r9Jx7^dqn3Vk=CB zUxaSgElrEGF>%#4PJb#djrSd8iMMjQ9xUCa3VBBN<2iGDVP)q^v+25~wuXU`Z4rdz zyv_+OGDU})vQDgqZVw^X_*V@Ntf-@p&o+D1q1f@dmo$Qi2Yc$t>TxF+zhm62zS>R% zft6KymmQKl-B;tlDh=x=W+=b3lH!I#L+WqZN*Po*5fnXY!)EWL+@Ii z%H#_!Nu;`;#%H!+NhH(ksh5^~x;Nys^Gow^(4Y`-8g9`cWMLBC+!-dRvqdbiZ-W3z zJw|s)VUGZ97h~Ge%bn+5`Tie0ZT6ri;^)0hvAR7h&vpHUy zuZd#)?t>8w1Q1U`&Q6I3(boHRCe$uNPf2Z)N@)1_^W=+#qE{d_4C_i)%WtqLZW7LV z(n^(x?p5aSy_K?i7Jl<3`zx4S`mxD^qcs4uZr&@sUwJbG%>97q^Y(pA3~^_DnyhrI z?7XE&(&1X9(){~78PDzQbAX9JxBc+}8CW=%^Pg32ar%44GsoL^ryZjcrmuQ>A9&t4 ze5ceTCnn?b&Y-c`&>;aZeRp{i#B6QOC6u6~V4#|9l_o#G(hyyW2{E3VJZiox=KD!- z;Dp5!^7IQ8o%b7Mj`#fcU+ExHFkjWFGh-o_Et#wDf-dYEw>b`eU+I{SwaC-U%<5FT zBXkgZnJ6Wt4h$0iS*?2>I;EqPURwQ42x=#QO7tBq5jttATZF#kdHEggR?lG!A)se}6XR?U%b z54*X|v>&harT&^T3h4vqtIKV-%(v5*1Ds=ol-<2wr}^6jN3CT;-x}=(&u?zn?=_vF z)J?|0%#wvN5y90W?&7NN@ z+hnl&D8bmO2ryK|8-w8h9Eq%gKG9wqtfyV^-T0i(WIcTOjhO-S(EWn-JW+T%@>i7ef{Ldpz$# z-!#=vPhk@}S6QHKT0re)xMjWFav@ra=ykPlzhye;@su(u7T)5Qr&#rZ8_6lyjiY8@ z#|c~@O9XDSJ?Wk-;psWbVU%n@vv!w3H&QNP0x{6t(!g20CH~zHUG<%|6Rs7r;!4Q=b=&8eH#8-R4;FrHViAk5{e1bC-6O$F-W;7C zrTga|eKTb=BdnOuOgnPSixB3DTfuxx_=A{hN$+<;%DMx{ecVc(~mG*#P;I>;@T4f;?ZWMO7*+V4;UVcjOOVjjNHhaeL^X zp7Os8|2}&3;?2t%!p#tkyy}AHcK_iG#gLS~r&xnA!XOMqaNJ!|nEkG55vuz@< z8|oj{)KYZ-Genu;FkXu5szw-VyU%dmp)zAuy5ag-9Sb+MZhOoMlo@m7s)hR-aBl|h zS{*ZY{YCbT|`!sO2SM@a&kIPG3;L1F@?>ukD8t}LQpr9Ix+%dHeea4utpQxK1+~1M0D+AkeOS2vuQ(jtIw8_+yOWxh7 zAq|IHnL38_*NIA1<&5XAPG?N=-S1;$TlxB{AT=gyhmgfwNYR)Lwf9@&+uKp-whgrU zqZ6qTo?&urR}P*u6wx+usz*rwLHV2u_lJ9hGU@VMT_(3JrAb}{EvnU8?FN;M|K2s7 z_;Ty!i9qeFo;Jg4=dQfoV!aY}&L}}54U$(!QIF+QKprsYQ~)mtaXGhoe+jS_DmS0l z-AVJ(ZHtn$oZ@#AFmV=~N4R4b&QCsA?JWmRu<`AW&N4xuS2~3i7~%Z}VeNOslj1Q= zkr&Jpobm?VoDJD$M3qAHg=`-FCqa_f<#<{N^a?@h&ZJ-f9VLvU`;1f+I|ah1_Vih%X%4 zJkB9%i4w-G4kf~1NWTZ_*Vzd}_uYqujxxshf;skUmiQx8BfpmzRjQhX=ON7-%pX;{ z^mQOx%#u^ShKUTHvW)iJI?eHKSolTBvEKpZ&m7Ek9_jnfT)4aS7xh?b$g^^d8UNc5 z`Bw@LZkVM*4PEe;C8dQ`JxWT99{ja-u^_&@+NZc!L+hxo)3sGplW3{x(?V{2!f`OC zMVb$$l^75&_}ilqGRES(Q-+z4&tBEMWm-oW;J7p8eESg|Wm|RLtAii_QgPPM!91*& zHriD;K}N& zr}6Bb_fKn}Kj**nOMR3GS?G8U$*t(va(-JWdt2mH_NO?qlDxFZPB}ra#B$4rU+lZKHODA0*-=-I4Lj^a05WjOm^F=Y^(s z?)=3QRJ%)}0V?83LmCmD=ANWBP-vVTt9{(m+Jbg%Cd;}DP3+d%qCbW8v zpIS%JFSe9TW9eMU1T)_WV=OY+0uScb2#42)stg_cwK6*_OTG>tqf}8> z2kLyXLtE7zd5`dq#|WmT;xwrNPHCQ;FGsUW`^sg9Ulm!t5t}wsKW#~B6P#(4X9PIp zAh~rd+Nkq_x=xiz0YY0Vca2x{pu}-Ym)Kjv$Rj6g2c}m^-~Wj76?r{q!r$i^F~W+96NVtLTj)iwjLVgiES{Zh16S+DL$$rP5hAI!D#Qm zZ0U~yK>z|LvW`O^ModQ}EuM*v?K@XF>r`9d@FcszWHR!$T(K^lQ*@wac-dy*Q`6X- zSw4YNgy_>tSywuI1GZR#-+g(tw{JYtM5_SSLW2#vS&q@)({J)BW-aR}X6?36(OZ69 z`xNf2Gmka{iM%v)A8zIsw**~kRX#~+=ZwqQZOhe`BxsFBXZ_(LVa(`l%RTt*J6o7X zL1j9p*oqK8Ee#C5Si!f5uaBAV(~|vT{av$)Ggv($$|!VT*%QI=H&%n(Q~(e>T7-l? z5Ez+9WjP7DAoy?XqyYelsAyWoD89VhBmqpI0nFH<`g$v1ZfR<~kuUdyRcy^4?n0&&M$K`oqD@!(64q^*FPJ;JS&BBRJzzUkdDCy^Y_T zNoZz2IF?NGbv#ca)YtPe~Dvx46_O z7o*i*%PhOin`6~&DN^1NBM~C8%bKkj(g{snCV7-k7A>lG8cK*7EDUZC`|L|)j98_w z7TQF?hnpzgJSW=!UCOKC7hy>Tx{mWIgNGtY)syBpMl`i;Kx)Lr_l^Ms3lB{foF6yRCi8L5B0tKo zeg8T_;-2}8?kce{mzhH_`Lb@|S5OaeW}^3wh+dgNK@KN6y-OuY~Iy%bbMCfC-NhVmh9$58OwEW-yALbSI}{KFjsW`7kg!aTJIv+HeKd z-VxFfwCAB&O^|R`rc~VpMQ2)|Kj>#{lOQv?Iz}r^Tb|1<%XdpXa&=au(~xzd27``C zh5cPVc8SQu-}e^ouNs6d(&l&;OFBfK1w4skzWGk$MNco=@8a02BA~$SE!M#Skck;) zPmOUPK|%%Se=04|=|eNPFb6U#tu1CUD8gH9C7$88*ZW{&U-OwdeY)179zB~%vU0vP z&(3bfEm!WA-J&SFDmatS1sZtJdlS6%*Gw?o%+jk{vSxP7joQ}Ixuv_vLkS8$7(eD? zb8t%#TKp@kM*Qd$44D+L&~0WD`D9o)_;0_v=g|hEqS9uMN9|+!W(LuS61kuLjU&|0zcI^XX`qPH z_@q2cAd=9X)$5HrU-P8m(*1p zNuNyTz}63_ePLbXvDgFS@!AYlM@DExeeX#o_r+_!cUh|DGWTzs6h?OI8rd=~&6GrJTlAQHbzePW@RLo?Cjls=d>pALS9u{zP zI8B~YR0_#hc8_&@H2!k34zKp;4DY2Ks{cPH#b)BJ=U5e>5R4(Sx70l}{xS=YD|35> zYY>M1gZC3m>Y#a$^;WjLm~y_;D*&{qYybq-`H~xsT8y7I)+x3heNwASRvpYKlRypa z-&Io0qoU-jt(SCD4IB)_L9QZ-vF3#dD9^DIR=k~8#K5^&8wq*zqZ>c>Y_g<*zg$w`U>8P$WJY%48dbL~%b$A4LzX&=qwz*Bx zct(ATcB}{DFK%9jPb$r=(Z9sPy=~%{>mDgG4{WQ|b*xldC;0R!$dvW0f)*O`1Sibz zV!o^mgCd{Pac@itu#xIQ@K5kNSB6DNiRyAu-!~n&W%d7>@f+apw5>s}6mf63{%IZ_ zl@ARjqoN$=OgIb(V~12|JVQutx{V`XJMvhD$G5zhqk~*hU9moSGBE-^Bbe89_-1xu z^S1123MLSkA4eO_A5yhPO`yjyXP~wGbUDfvB@nM~0PEdgNK%~Nt;Ezw&xr_Klsl}j zF8b@1ay)HKM3|Ap4=r+}Ur!8ZIAp98u|1$O)!a82FwdaxJyO80``5v2l0~ZJRHecD z%9D~BKkdWTg7<@V_SA%NG<4gXWrlyCnuWZT0q&U*Wb7Owz-exc{AP>3s7_C2E16C( z24$y;;`!ISc8CrLrD4M&-uwmnVdY8+=g+MRE<-1z$MZlL3L8CbN%IlzLZheF`_=hP z-?SWVcDn_a85EY^5on&XelKYuaLVp@iY4KrG{{beX|VD>m|wzH&5P;Ts*8*S|>MQGw9{P|f~Ga9(%2UF)# z7m;ei0K9n)kea}3*-diG8H{THsMJR#xuim^~X^w&Y@PH?BiWK!nxNsYCxiXRdU?iPbsLL8_=)fUjM464rfbq#N1zJ4qmup#P*S-57t6BCB=TbrCClgxi zFml$T_u^e9=vl1+-!m)5Ez=Wo7?bUfoZ}K!bIFMB>a}{+FRMbB2E!iK^)B3s7d6$U;HcCR(E5QR z3jp+OUJg zsm*BaviffMF3&&M$dzpYra<}RtVPwU{vp}+6Y9Wp0;IarbU~@S^*T6Rmgl@sEhM?G zswfoNSO%_3*_s13M;3B4fB!`B)I(}_*pKdQ=VS;@;0M&I7j4hJxea7NfHveWw&TT2 z?rdK#J2!ZuvVWeMF{2zGRm+3e>c0V7r)0?xgfgW70-#<(QDOP_)zHl9Z{`IpWlw6~ z4Pg!oPg047fDJqy*6huZlpnMoI|&7Jzod@YK+8wB$o$kc4uW^nLC8?LLDMRv?vB8?qhRKq zU{FM77+w37#JDnQ!E?gUd0AB8vfZ}00ddIivgBhuYtRe!af!#O>;jU<46O0J8Oe~W z{Jnet1@Dj8P5FsRNh-R*1z=FaZ=YCjxotANHr3=Qmu{5T4{#Js+A;yT`N7~#lWZd% zN$L-8vfGo|*=m7n&Wa6xNY{U)Pb7DY4bT1lqkTXsF_jV*Ejvi|Pu461QxI% z%idW+-?{R?;`}pAFU%@j8@BXK$JZaEz`)321Pm>Sy`AD6S^(Hm9rEoOV2$*LKYhBQA!RY2RtDP8R{vJ&_^0O4M@2`H)eX*)* z)vBuX)KgXWbKe))T>B$)iWK(zQLshxJF-RoUlXt63)#1w z>z^N5*;p&HyQ`VIur1HP>4ZEyW3ZZmMSAO1#>(D~l{J{BkR+7SeNTSj`qo_Rf#Gk& zyNY~XkFQBGUGYLJyu@pY^G&@GLSt8tmU*)w&lA@>WxlVOXYgfF2sNT!L&I{km)tVa zyg1-|?&i6YZCF}q!Sr)-KT$97(+fVerKHo>lgOhl9amc!f!%#!m$7*n=qJ8i2bNdM z1PVgZ+dL94Nd54mZ)6;p389Ja&7!1I>^ux8XkRBr<|JgUscFPe3V4l1=HAk&Q3Rip z`)-&&PCDGRbC)ecQEp~$_TBGwtC3u0F*8oGQXjII*-uq33)ZkQN<>6r0tWB?KpB7^ z!c}>aV6N-OMXQ?!Gep;H=I+JzuF=$LyRKCecnYwTZa8N)~Z{C{_t_NLJ$T~Tz z=CqTuVH~&IMFUVwy`nMz&|V6khSu?}Uvf@y+YOyJLh1*%aa-R^IB{(C^2^&`Q<;)64rwhZP0VAMi?n zfZSZw+q|~O94$`@Fb3KQa4pXFM!_Ocq?;Q=2T3`Q~=apOpWKWxGAXN>2l6mvUBO=XjSW zF5&OfM4+xnw{q7#(e;}QdOoF_UODREOBa8R8&YqYE33z2V(5Ut z_7%&;UkF+RW&nyjYrR)Zm6R6k#6hxGK)-lpR z#4#Sn7hl=9Ah-WHGfU1RAjGMqwN+cMBfcY!Lf|n{EH#h`2X?1-+iQ+G9kp`z|-uBt1(A2eR)aqI5f4Z87P+{_>*)`_?;%4H-J<%ZY1fzN&$! zsmsz{v9W5=&jL(upa70s9UuuyI3uJMNV!@JZQya%{`k-R zs2mARdouB-s>pn|{zFji%j^KKoUC5akRY#wkyA;52SjH?tMNRv%@eg6WKMMK5mY~w zoJ{}@MpF*Es=@^Wxw-@+1uL)p5cUu87_s@;T0qxDSO8=$sGG;LA2=&mzQz`O#wMVA z8H_=!^;f#06eghU0CAYmd><5)%#ag^l?kTe@3E4>?Ey%I(VmzXdn}%90<=SrLNrex z0Zt$bXjg)tsd< z?``nMN03nV=v9#ZUz7MC{a>xi z)usPc`ltW5SeLyq=!OHaWlg~6bRMqo^6^qK(?7-zDGVZxcwbnp2-+ybU z;Q6D%X6!!${f{v~Z+rx6I$`;G@}y`Haoq?`ybi!FWdAy~{LIOe;KQp4+`3@{a2UrV z?COsh|6^kQC@SI6#f*lJS*_jHTSMrEgy-SrzdZxnI%N>&)~ciY?E^p_@Siz=DcNuT zt?^hO1~%b8Inusuzcs`NFe0K6lKe*hT|o`$uz%zvMC+7WdyD0hTYJ+U$S)`}a?J*%yGez_01w zsNw$QZvWG{?2i)vYuN^TA+Mt?<(gphS9{EP6n{L!&re0?EB`|W?F28<5Zm`g{mI{6 z-S3g;=YTdFXa?=q&cnfU=T7mtD)^D7GUxsx+Bb>6IDbIVirzm9PF?HfY0UjdY|XiU z%Zy?Dchv3gRak~)r?5(B(mTB|^h~Ysh1k*k;pP06Awjnquk7I9F&Yg{Q@~x#Al~t9 zu{XxQEz^E4VtT%BjHPfU1bbQvhfgvUOAkY|5cIX+y4kO}j@Clyty0{bXk>`Vf$4vQ z_{~l0jg|VoF?xty_OCbH)3fu>sk_k-z(s%tNaKj&Fm$c@fHcQ&cnS-ixC3nDe@WBd za2aBddX2nSmr>$#zN$2LM{KX-W?4ejg;xz+y1_#z5J}>< zAwB%cDn%S3Fn88QrHA^pCTSYOpI}ues-;WKFLPeilh}&RZw&pHIf_;x*fr;8yS;Fo z^fePPJyc*C|G+OdLi5PxPaQC90$*-tC%ORm|NUa|-hI2PJ7jY`DMG)F8}C9;>Qc9l zY0!Nx-n(5+a9N?0az*j?XY&0{&K!Z{{kB?z@>zofk_PQx)tL;ab6SnBRf^7K6MqkN zL;xWT3^3+8zt((u&}IHR2}Ho_s0i%T2by069kpUs?^9S%zk&f=cyBqoR_Ew!H$2ur zM=VWA?u)U2==7g=2EO@<%M%}jD~S~&vzF6tl${Vs7wIGy9KKflTp7akm7E#P6QN~J z;`{5Ebn2Y%lAr8)bj*DzLh1X1#BYCKA8oc~Y9HbHV;gjI6LywMm zE>F???q8>p9Nw#~+Mx8_C&=RA{Wbdx*HxwBLVe8OYwTCUs^SG9VZHzROY}DUEVh4U zE-i@VF;IsyrHWt+#FF?CyuL(lxkTVE`f>y72*}j}=PzmI(Q#=(({O&x9i`yNSSkzm`DWz0g3QViX;2`b~`un*j-8mxyXqA3#6KEfA_#!0m z-ry2C(|zD2*aF2k*~I%3{B2efH#jP>XezO)=kx6WUeS~_^lz8Ge<$VqL2=<;20YKT zBJo#O6Eza_k3v%)MP_MyRpr65O#uEDeYer&11M==@ zxwRWryp11-t%JO<@6Z{X0s%OPzfA*mGo7i<-8sio*ss{06iwi`5N`+1q5V2kmx(48 z`nv>ntQw1fCuqME|N8pZQT0PZuhe3`-}eWxA3^wKQvk*vYv$0i>i?dFo_hB> zRX_nYIUzvO_Lt;)AudL6WpVU(Xbc5@{N)Pp^~6tv@`o^B{NDNhz0l8c7{I0npCq;J zuRm!ct>R7b1b)&e@dwoMw+yfDeKx_k28_aMg!I4s#FzB-86`3G-+J!1MO&SC2|%g) zm-LAEdp3INFN^G}tN-n4|Jg?W+ZWS`62Kmem{p~cmQ1Ki{xyTK@wgda@4~KuxB2sZ znLU8!K&u&8W3lv}3|vK6Tl$8_>+J6`KJ+PvR_fTxzIwpCvR2Bwd&(Wj#e$%vd#xQ0 zzPz*|3om_~uzSeX}G(PcFQ#I4Q%VS-jO z;JhR4x($zP2`>3wu>ek+FZ#54=|C=01}{?7rkaaY*Q%869divVQV<%jlc#;p@%Z=K zNM`$YTjjGV&m=f8gwn$M5RZT$U2Xt@lGn$`~8yF$E`?8nrF3|#PJ{IS!bTwUFu(`_N4|it5N_D`bO19oBpahkpw!s*!y)Gj} zMie6^(Y^~Cy0u-f67Vu~^vWalx^D8Wm(vBQlQ@I`FZew? z;JrQPWK`cK@>1D+TDb@0Pj{bbQ$h?Oy{O0D=%h!v?m|m=*n`@F8LX8V!%o~;pp1$458d0jQ z5@?*8yt{w%R1obX1)y-EV6N$y43)`bUaL?6A03p#T3G7YNcopXa+VJX1*y%Rfm`8t{McbEh);_u7pb<9s`@BM2Uy&891}UdzIf}+-NHCqaL9hO9w1wr_ z_9W!Y**~sU0d1L|owKkqlwB~%B&^wS{)X|ZS`|FJh$V%#T(5G~yI$NF^ssL%Gm9-S z)?y{Gil~*(>lROyu}EQI)j~Tu}k6e2r3575r9Uw}}Uty_~AR*sY9zM0CiJ zO=Lz;6v#+72%P94K?7E_Cg)w}8t32F1xuh+Hejo%E z^9f*#wam`U+nSNK(Mf`cCe?pWGIXv#-0rJ_P1%J~S=1Y2C8c`hiS{5YkB4AUt+Hfh zNK{kpWt9}n<>alWcKp!Rt5hy?#gZ&;6nABrez&NefY@x*K>pN$d#L)3LTr+=8Yji* zT}gq;u@#$-cM3*s+i~aI4$PWZuL_p?l)kT5w?+eT%=1o~5;H&e(DpuJV=NiqT3Mu7 zuo@W}ARJ;mM0kKNcq&Z{c>G7{e6({<;1Vvd0~3j=C7hK$XCK0qebK^=d~iEWY~15^ z?+JiUHrXU3QnBix_XkzUvu;dnfu1qjqvZXKsXPzo^)>WfLF>)PNyj&RyR}28F=wR4 z*r1wueKzmmhEH^*%cx9f8LXOv!(2kMMOmJRSinnWgj}H@4tL4dJp`8-!nTe#`Jvf&hOp+^(OzK z1A{hvA9P1p0!HoWYT{9P%cvH zST;GLAkAE;EztK_*dvb4F*lRo1mW85%?Iow@ChB@y!Uy)&2{@W3ul;D4?zc8fqJ@~ zj{`rTl#?|cJDK(XeK!NZdpK;WDO5i+VBjU7IZZPM&r_pwhMN9v}<%3D|*JcC~>gfy{tl!Fbclo17frO!r*9 zYNRE2juWL(cU)tr3!L>uut1D!jj=rGf~)A2EnPKojU~dIr}kgOsvn)B4<4@kK0Bn) z1hB}LMhN@ONc!$0n1nB5LdhWi6eHKsAIrxqjH)-#}*XPh?5|S826RG{E5($%x z+VgMGKJHgUIf^v*0QeF|&-eMsr>NW^(FQAgq^f#z8rM*0SN|;USnWVVnL6Z>S1R2+ z)_2o(h`lJ;?cCU=c+nuW?8CY}Nh3HeZ(QhMdXA!w3vvyhb!0CC1p+|u2r-aGd9w)0 zeu!_QY_eI=CbwfZ-!fEmh~<>dE^s^Xh|Dm^asEhQ&A_)QbF~Ujt)6$h_qKqTF%5U5 z2@Q@e%dv76E*(T|x2fKykO0)J5vwX&RVPhVak@bYdgK}LP&N!MtWlXQZv(eFbFYw1 z+Wr^{&{->V(OGY4x=f z4!QUdvZfwaM3>Jf%ye?>IQUqCXBZHmu8?=>@L#$LoWtHV)EP<((;k!g~ zb$Z)bfG?vQcaw8@c})a}UI-b-W$!8H_}Fo-86F2$r?>Aoy(DL`$%nq)_q)!ZJE+*blRJJn7OwO;s=d<2!qr)A{eW$Rciy4DeeyhF|X4+Spi^ zX@_98BpQry2aed^Vc}?3J<|-NPA<1VwH-Var%3kNc{d?+L)XdDGpKA~8qIkEb?jO( z;+POrdca?r%v44pXXRMXrvhv@ua{>wYykt|KH$_bCR7Xbo|@2BE=`T_=gXW(gu_s* zyGbBD11s>X63rYi2%ZHx&>jbqPb~{au}5-GKThTUX()bN844f!8?rU!njg9grw|&< z5Z%*cjtyj7rDxtZkBhFjvu@uT>V-e2K^s0BX!^PFOM`4cVBsqHdb_@UirJ~2o5d{m zu>LEW`r(&ImbhfNmMYV7Nnd-%g=HqC%O0Owe_E924F~y;8mqwrFRh|zSf$@R=iWG2 zbHMI4>O#zCm=sP)hq84S!z!E~Gb+27_r9+&tx(}8LLI$p_*Ot!+5SfB>cA!0rVI zur594cdr|_v8zd#`9a$Z5>y=5x1wv*xu?9Zse8I1ifD7DU50Zd;za z0gwr>0HsSiV!6nswO)sPCMHeaT{r7zXfhUfUCzhfuEXz;#i6urwxG+SJdmIAK?hQy zf=5om#wU?m$&Ns>3zysIC9?d4TRf*h=XEVzrDIoHoX_phomX?+KKp_aSZC=(FAHoK zw;CT+_7URC6zA=r`mbc=P?bx`D?E!_|@G`OP=`-6-HFUZhxJ1U)K(_-tzOO+2ee+Z!Pp zw+G!i8@!)JG<%hsSeFImW3=_h*3Xj!Y_r1Fe?Y~POh!Q?2JFL|IJ$D6v!AY$1>idE zg~kX7+QNU>Ma6(L#~sucSk6OEymMKkdp2#i^#Jyb^~9QyBmPq@E@6txx9KP-(!@>Kw{-dIGs4 z&x=?MTh#7bW^hK4f4?Ktt60Wcx3bA6zb0syTMoeFdZdRy>RD-3vDH51=bHRI!op{R z-m~m2EHM_^w!DRGs@{wE3X~x2cK!v}a-WCb)a{hbX?vC1+-4sqRFeIR>e2Fhf#5eF zo(6GnxOv#?{Ytu#C2!(r#8Lhgf9Hbri;Z*!mfB&(GFddV%f0845^9#Op9p-o@nLLZ zkFOwzNIMh3s(-%?+0B38;a{q^x2OrMPqE0a)~77q2n?9!^f`OsX|5Oh@}lwcoQsRt ziRH|{Of+{HIV3`~+_h`X5?7Ih>63-p=9~p-)p{_WvS(HN3_7V@os9B7GFDbPy4cm) z)5{$;ijxD2%Ak^9jRY3sTf$t*xmgbT15{;4(sq7B<;x^+9EY=Kw@GSG%5tkI%{3f{ znh+dQ1m&>IVs!@BmsYJAeU#AA>k2WS^0i_|J2*Ks_PM*!{mss2^B*h>*(xh|jtu9S zLi}NJyODwuj_V1rg{vAk&9j^89d{C3qs-t~J5x|X zv0*>)9^7x!qHW>awx)jkVFr_PtRjjPs#3ipmp5dHEj8OJH2+0R&RyyQxZKL$1#wGr zjwC7O?g4oI%Qg6TolecuJGOX}?ZU5~)T+R{1Q~Us@=of2uzUOv4dldO2h~1g@FW^T zMkW5xnF8$Gc^)-EeP>Cq!Q>k7!GH~3p;Yt7w=}Pz z{oHl?acO)r5w%&SUi~Wn)wcTIr?~idl z+xw3tUFLtRGRA24C9jXnD#iIrz$uI|V9qdI_99n4Yv4jaCW!@MGte_pQ*NpdY(@J} zy@{wlf{R1nhOS`^D)yDjE24SqRRb&k+q)!itjb*H@Eg&*7LKYxR6CgVqTYf1Cw)^J z>hvhs0iHL4X}efKARC@dQrc+hKM~?}iP`c4 z-#*lKzxr~BYzg$p{HX{qs;2E6;JW%V*8toKS^*hQ^EQo%l(T(lUesU_JXAH zAayV}B#E%QrcylDMChy8h4$p5$69Y#IqXZ!0Ubnb(xb23#K*0IJYz5(_8~ECsC;Ue zugjORR@+vCAIfb*$&PStH#cjga6X+#wK*QgwDa>%ae!C_-3RX%`LlEn9$v7aCKL%b z!MoyWM$W=uZ<#DEbF(~`P|=>LX-$TVo<8atT==P;>k_I24K#ygbe{ult#4;g<Cdj{i0F(6SA~@Ksc&`sO`UvcPjZa+c0|!?~g16;Wg3`8xbkjlzcZ7Wv=j{W`L|2o!}| zA%FE+B&gxpeob}N;s`RMLwNHuzYyRfX1<{yn-a>i!GX(+5iRHWe^wuxe zx@+&fVChaTmLH10)*`8+c6r$`Xc0%c#A2Gp+uy(FIT1s@%Y&)lT{LSwjiCGyLOR-_LE@69eqTdcbIH7>McT_CG!^Z60*SPP#_qH3Z>GW zoRgri(SekAU7#x!mX+t8vzfgrs_S+XIUefwEu3N^Rpl8L;^WPo2SJ96eX_@6r;6D) zvx~H*Gurt-Kgt{gkCtCKRc^CWbP(`r(07e5lxRqJSQwjdwRu*9z z9fJ5NZ@N$#VXzP}#$7&FK?$CSa$0{ISg#0TRDOu~%9|_V=*K&efy;sa`-u>a!B4r3 z%`JVR32pdUENO(7YN{-4o<{n>!)$X4T`hP?vKg!USGGtIlQ1KDS)Gy>mU=b!#aPvw zHx>{0g@*NbB4z9DC}ekRvPL`F$>iq&@b-f0n}AYC;feQm)7AtV4M(pvXWnEk=j-y( z8<~^N*1%Q=II}bz&EK3Muc}ygG|73KzA}!8!Ls7;2{*CwtQotSR5iaL$~#LwHk{G2 zb^KoB5U*z2eQusXFzn?8zCv7Fo>kr{>H*mqo6K{G@Dy8cPrF)Q2V*%hFsb6413YE_ zVJDdjo2GZq)qE85*~jY)nPaDI>832(@rp9YdGB=P$Xzq$2@Z>XlreRO=Cr6WpJ+nf z_UcE+-He-gL2|G~{i))4@kg)yisJc3GoOmepMJqMJmf7$4JQT!XoERe zR1V5+#MuX)i`wYMkx#{w6yaLWg54)~V`vyySPC=-Bp_w`b_N3-H%%{9W3|8L==*&9 zVjpLH`QzJ)R>2O(WqpM;9Q+)JLlU`>7Vns`$-uIn&CKz$>%4EC(N)uf5EkR+KHl5KDu3TiSq6g1e-1&_e9vJ1y8r;WY-#)kzwG znc2vbY1tvNETj>CWn6Nu`Y}xvV*5LOm1{(fgJ~($`Z;*}JWdVGj=3z51Q2(I7bQiw}}hYk5e&sDI1Cv34_ z7_3d9ENAUFDw-Q@dBq~&ccM>exS6_DE=)Keqq|X}uhxlf`qEcp8G(-HNo$6xpyMo! zV)}#i2CkG2Kv%pfr#y5^CSUrl+8x&-OSMur1^#FfLVNU@j5Kns*sHsGe9}Pl@}N7; zAb0W2HL%E|Hji4@S>Dr%Ybf`y8f87B;g-FNPsWdRXEdVh5`(p&^y@{?Lz^!XJ6DDLcs+s;ax9J-B zc86xIO3TV~7q@N`)zZmwN=9p)bTDrw;*8X*lz&&TSJ`q1%SOilh9CI!x%#tja9+;6 z0_^nAI!$d`2d2&=IHvW^pvqOb=QBm-(M)C|KHNUJyhg{aJ)g@-(=86qrU=?e;U7}N^wt_}>}X?fz){>LCxmI1OX*nQ&M#L~ zTPCQy7g=KFZAqGYi=uu2#ERjQspSt<$B8f`ng_4*l1jq0!0G)u!XfwThrhcQ$x>C= zyvP;wsqT+=a_0Xsc+8dsoa807C_a4AT}=RE!F7_~p(fJjDolQ5O_UDwa2mmH2q$QV zkVlyb*%5LPfuHPi;eHCg6GAPR)+=_}MJaZ^r|OPKZVjP0TVWs3K zk?1nD2)}uwaSd2|s@d4Up}nkJKq!>2MHyt6gMdaz?F!lo=ztm%0K$R@%j`rm0s!P> z)xhgNQ^R{U)|mU|uWF!ZXhy5rBvDsU6OG%yz|qlCD7+*zfs)bCn6Q31nD^D^`u7W0 zHtAns*8YTaVqSx`$t5AQ8=9E)6;-^=OUXWy-jDzQ&ASXBrb`2^L@Sc^vjMU_?Z3f< zhzs;;Tr2_f{1q;S_vLqD$ZbIB6c91zf!yY?cmXsY{uF#>3QLjUpWwa!?|Q8NcYyBx ziO&4*7W-{x1^)h*#83V&SQlesh{Gp+W70f?gcB}vk-Gr0vx*xaEzwCe0!0ea`Q9a4>`Yy z6m_Z!G|rX1S&03puAer!&5c8=4-m;a(QIj93Y9@rCDs!8HEfw_vFY|wEYC}u;tlg9 z#)2#)W^l<;M=p9D^#hDz_$P1e9Bw$ycG)j>3HG|j?(PWpK9%HQrpCNi?(G69=y4d; zF7Z~7rzXm+ zydiDC1vy)|+>;>aUr@kNB@8{`$=GR*c&IwxOHA^&lxSydYImL8Cw(8XzCW<#+Js4w z1Fbl1F)&Bn9RsG*kAQx>;ofrJD?s$PMmb%2<|`g&gs`$V(g4n;RWI3J-AkOmL8rd0 z;e_9G^KWI7jGD(*7GFRL4NOLrnv>x_GLIm@>5M^1@LkQc3nLtLg09wifdPesLykA#ZDHY6KH2C0A_o;#+VLV`c&B@S}@U)E(b*5|U08Hq~P57A^z})u52XX)ek*^|qsX8D%73Zw`5wkoZ>~;aHppuR8&N}?sGtBOX0~FY5bBUCN?03iFoq5h zHnC}AgRPP)u>@`ItqgqXAX3ee{|tKi>%;S?4Ds;gK_v$@qQ8U&v}wBLQen9A^E)qx zhMQJMpXM!Cm5C^rn==6#gPzAzD`$YX3Psbz1Px$P0^-XQblqm&I$VwO@0Ygc(Y`>; zn+c%hu*gL^k)xdM5s`Q>tbSa~w&K+i_s^EZnjY&JIGRnK`aV&am_3-fgw2kh*Y~8@ z$(wY|7w+sIWKs0^pFPWigA`UwJ)W;zUSCxSJo};*Kv}+(2j9A%=(7$d(&hgj{OXw` zyvSzC8CD4Nrv>xBl^axld=Y_^0h;IOyMK0KnuHTIS9eg^dlJ5#i zZZc2`G36;A?O_c*t2@c;y=xW5^`#I=#ZtVTLpOW>Z1AqAvzK!44w1}#W7|g}gGNiF z<_nGmF_T*F5@=L<_dgV^)_>Y{82vGd2w5H0Flla6L9M?OaUI)2GU_^HQ0EzN8IJ39 z7O{Ob|8bCh&Zy8UYw6)@$mYRDdv`9f$-FdwjOdo}elp~ds2E0HlgUu(65*kZq~tu8 z>J4M_tTb7uF7 zO?z9!*Y(AYmbjr~d>Ny{D#1`Xub|b2Vb+1AnP6WZye1{Pq>xX~IU)=|2)%`b0=>9a z>`Y51)xev5MZ<`o_rb?U5G_pnq2PWrgEy0R-icO3&%2j%?0^yKwz|rn2W8g6L23eetGGEg(VPZE>%=mi9DP$PK5Ufea`JG;hFNetV@8W?ncMQQ*l%; z-}`un8w;=@t$>*TBDpE{malJcq66?`zUXLXP~SU;8i0FnK`|ooR|C=$M>uHH{&iKO zB5kou=)0^Vm=8b!O?10x2%z73nWaZ)W0(WN@kRSVC;hn` zJSa{n#HvWd=45sN&Rg}B(*r|Q335c_U`)2>^oam8Tb|jVfn3ms&oCJ%Ry%b4sp)fC z^#*J4^UBr6CWkai9Vs+*=t__##SUW8u$eHgWX#}QzlQq#r45f2{Ip9fz6-)Z6!CBl zZgIIRK_jj~{0r6c8<@QX5|bPQzFEE6QxycJCy4qo^ni0KG<6F*>2q%kzS;-fQ;R~_ zYxnE^6SIEnuJ_&2LpPis z^$9vt66m~F?oX+Ansu5Z%$HMWiUVyl)&M6*7PjIOr&Psa+?c)A0zrj?P0#}c8orB* z=OW>i#cfAQd_yx6-D}(O9o)hN^h~t&Kn*w(8!;tp#APRtUPl%Y=H?-cWK8Jn zu%P7>4ENCT>L0Am#LpcW>JTQK+uSs^ts|@K(8CY&K4o*Lfcnl&<)BJ)vEHtl(|Wc= za>uBzdp$W1(P-iIVN!g)Vj z9KWo0LP9hVN$>->1q>2)5zuJo$2DI&JoLunGi@9-PQ&LHQs^WkpWjM{E3dqhm$0>e z{C>lkXjL;@-N0)s0JeGB#M7UU|Jq277m2Ztle~I%H#?-aQ+X>6y`bexa@r9C_fT%B zofbVv_L-C!!qE+gWBycpk5)O2y!XH=qP~P?U(wG^PiC!H=7j3eXs-l3gXYl&i}(zo z#?zpFlFQc(Gm&A?{?85A*K7eSs*~wSQm5|Q`Qw3^hm)lZ#8fW4&mFm6KojfL)f%*L zo<0?Rb?hX`*(;tEQ?bNVY_)PtzCqXH1J1h(u>7T=9jbC$JQ*9eGO5+m$DOb@wFPrD=E9|{L%gCHJ$psuSR+D@?#)W`jD0?J zJPWq@#XAd}#2oQOP8DTF8awxuFy$A=?>r1vNY|nFF&=x1%Yg}vNq3d=yx%O39}yCa zA!Zi3IT#I6CGOUI?uWe zg%V7{!s`vsc-VA5za1AbJ*(<1Z2amI-4>$9S z6Q!tD`KDmJh)Mo6F%1uELFe0aHY%qKcHUl^CoaPEk5jW$_T28>3t~4Q?F+?tS~SQB zhzQ9%fBx>|eNfPHTQ7=lKL95lFT1oATqoTLZw1z>e z^aZTP*H6Clg99-($AW^s^Rf$Q=Y6~8XZ!Arezt#)K7Tjf=8kaS=e)(c(L{ayDQi#8 zJ*ku@Hecriyvg?LR!RDuQ&~hiuYa|W`;od(1sS?w?y#MU$W1fsW}Q4! zL^p;v=tFCm=e33CtjfF>{GTW_P9H<{2uxO zhZtxd;sYn^YD9V>fV5weT`d42ZTl*$8T#gQpV&M%i$|B>QFv@O$RuW#l2T-pmZ{c*<=j)TP4nk&29QXvQP z9M<^`3uvo6A=Zv{QMy762{6`g;kiDqi^;y6EY@sq4OB5B&-f<2byoQ(?jEkZ>^gbp z#4%_kIb-J&_!U_SPP}|LSX+&6e`mFO=!OrjQ)GIAlN{|Wqz$-jLl$p~ z=O3S)RK8t?dN@2h%X-67SDvhM-3#ue?N2j{>gJy_+jjLNSVwGI34O$^GUxMS>J$Ym zGA%H&&9%{@Bz`WcO0w&U3HSS_rjw6+2`*XV4lslFBJYyAPgNKydaFFVuZQ|3mSQg)X4gaoFij`>&`ZH0m#UPfEaukbHbG z8%y4E2OnRe=twx13~s>Me3I2LF#NhYv?H?7T2kPN6uc0@fhXbi#X+~;ZmJ1=7;DV= zB|qQ0>E#EadmvS8Xz;lG0qnl1NJFz9u zSnqoE*r;6JBT4IhGjXXAdNCM)oU*}S(&@|SqV>bDDfARm^?`*zh~o0C#%L3qhe-#r zK5Qt(UDi4GQ_4s-hm(-`sL{^%i&A4xv^dx)c?*que^|DZXh*ka_^@n!LfCc~Y1j<| zyX`|)upwUbwnGnzj0Ie-W4p36^)(&?$6dloclA>TOe)4*iIb`AdG+%Ijw7EF%ufcb zF~!f7lQZ7kGhZ!Jr(PlJI9-)1uSdk&N=}o>+7U%#%}OWsduGgh8Q4Ot^tz-Rbz?R9 z+$ERJ#d!C!t#~eUZ2@sxWM9c}VwY%cbIVY7&ix@ro!Y8Mp~S1BI=5M+OMe-&_lLuV z=Xt{G*w3;1wp~lMM(A21^nwLf7?|C;XiNPHS~HOty0`u13JF{Dv6EWY3PFBa4vMa# zw4DX(&fX5rDTEGCI34A7ZsLG{b9v1|Z+G=B?Kra^9A2Y*pM|A(=E$7x;Z$mJ0HkXG z*gz@)R)*BqVcFYX4g%oHn4=>A?hPDt?0tmRVcYz0xvV_6pc) zWol+Mz96d!iKr^gVVA`NI13j)riGU>jkk?r;UYV**vq|iVRw+s%D}$wFz6$PObf}+ z#AVRR4XT3%oK)dRaw^Ewr_$PV2z#7-^S6wBA7-0oKv0+er1CjNC43iiw7WJk^pG)UmSZDb=Js?mu*n{_N&+vwye4 zuJu!nUMfOwCele4Teg4ZTlSgn2D! z->{-K2t12c_NiaCPgUO3;*3nI&C;sRDO6bNa9!uj58a~>deA?jIfY*Ce} zgWH!LmZQ{!R?!}aREcsF=3;N`3yuJ-i>#dW&9SZq!By`soSmz04zw(Fj^q@2x2+Uo z4K>HkCtM1~NJ#o#8NoDq3m0cveW=zw^jq4^4v&kxynV7TTl?idtP%7d*En%l3s~DT zLY(VG<_n zUguAQ4EU0@Ap=fI6+(@^3q~DZx`rRKJvUWhhC`hfLl+{|p!b^LL|ixHq7t>w7Y} z6e1@v=T9M%t9g+z8O_IZbbd!mNl#b%8E`5^uw0ZIvJ0CZBu+i7GXiZF-*LF*bv8IH zt%nh!MOPLV8kpJBbQ~iuRKf0}%CmsNKCi{OZc+Xo*>`tC^{^e-D{G*4 zUaa3XxCr4^Vd{}#C$K*2cRzj1d!3vT2UN2=8^8*kFDKeKRX9@FTr(5vEwU%Pw{}?3 zry5=7IE*JVc4v4RUSon`Cm!KcJ*HodjeSbC!BEt33+~ z&_ebpv~E};I5u4`Mt#LoDX&g6m^^$bt_RB+3cXJ`9r_lO9NZ{3G;@$J@*$d(^mEKn z)ZU%;cC1>B6RxD^q|F%|8+U3eT7u@thlZ2#$KK9fx?_cQB+E6ycnghW64NaWqSr=yo@l7=v#HJt5*Dr9K*yp8>S^2P~*D8bx z`sa%G+_%CE2JbD!o=u`i;u^GbyCJANXLNT1Ee@SkmixVtcS9wbO}!DLqS3RY$vSV$RnC z<4pc#jmoF4Asq7Mm+3b#A&8V$ZDNBysgo?fZAswzG+*NG2Q06SYC z>MuTctdA)N@j`H4xaWhMU*W)W9$szv@EP^CF&@v$(|Ww5!+#4YS{#y%p=PWTdeLy7 z2;yxJ1PAjzvgAjX9QCS|A;fua&qH7@cOOm{Z9GwmIa1v)ndY@xWbR0dh*C@6$Nql+ z>Od90F`w(OrqFrJXuEd7lufwKZZRI)Bg{F54@XXVBDBW$bPRQd_=ld`F z&}?VEI~vOI%Gy#nNGFJCHFddJ)V89Qt29rWq;l;s{!gW4^XD9_et8pW?A^dVQHM=0 zr(;b)DJrEhF)tU1yx#0CMZvS{Q2Mc>^|nhXS83TA_FJwSHFCL%@2_)o1KqOBkC;EL zl+P=xk+ZqZJkGxBf@zmjK5MPkJ88)_H%Qa>Rw349bB?d_tgc^^ujUyZzyN{jVD z%$wMzHXvtp4mKTfJazV#q5tF%<)+%PYBV@#BC+)!HA+o86GGtMt9B-PT2Z$-2kF-H zt?r99yd;(D+x0fWnO$;olUb{6tgja9lf&idOjnci`yu_E90)(rtd$M@-;bVy{md!R z{HnBXd})KU{#$HA*5B!9*YR}|>clz_>Sy;xYwMv+()uR$?H2R(wFxyL~G`mwf-X}VCqvk>K?JUl|M=&lf6 zXd@yT=Gy9OA%5C1H5lW*tLPP46c4jjn4F~@U3AijocKA2UYT!ky+JyEm(GQgZcmUO zrnGgw+;Uhv_!^5j@kP=Zd_QzGqC#A!h)qY)Hlz7`yRlk2C(ek)j2Ii&4bGCzh7zRS zHUqIznUqx3n}f8C)zUn_AkNpLkzQ{5JlvQYi&=A$vSu7m_f0Rs!<>&(Te1X}x?e8?mz@kdRRX zgS~PwIJw5qU*?)N0}(8m)wF9gF1|sJMN3y<)q`^oa+Qm1By_Z+RXu<3zv@b*$Ck@H z)nm(cG<{`#%%x~;tdk$e3$fK2!G#wiWcDH?uUdsAb3@?mY7-6}%{V64DCC2H2}5`! z*Wc+o(X2ekg#b*r(!qx=^HxH{sK%H5KL6=Hw)MMX0U{>Z3!Qdrm5%XclP5TwCr@u> z>R|k`Pv^@68-Eu%w1-Hq@PLCy8sXuou2bzzXm-50+R)E!Lm2OkYt-}Ry2B=$=Q^#2 ztL56jL=f0Vxwxws%yri-0D(GDLUpLB8R`@T5%tTsP{ggyMe!RukgT){-%IEI?bs~e zv+zRXb*|NhPBdsPyaY4mFUF(U*;w)O8MxYoOsQ=AG{pRN1s=`J$3jQVn16E;U#Y#L z`9Q$yvpBpS^`OPd)u7lnkTWw`e`HCS1|tR38buf6+7Oq!*TO*PzxFky^9@x zT7#6-_1J4`zG+BxI;*5>axiX|{#+d-Z65zr1`U&_?fY^?gG>TG1bR%`X1TIByW6%}%S zC{q3>4Uw10F9yb3#(-~R95S>rez<#@jjtsjdQ}A+-e!FL5hT4}l!`b;8Aridq{T)e zWnm=7sc#Xrv*!GAF4DKDOUo}3aoX}w->-yvMR0j85?(a+4kx<@A$fJ0R02W^%AU%G z!Kwz5w(?9Y&r?nxy%w&;3klL0hHBg`ww#|`oF>tyAe1dvX2R>}V!kC0wx|25e3X9MaH2>pZF_h%ww`67ggs}k*X*!su6 zp{CC_Ai7|BX9EgF6NB)?^!dqHm8s5K`Z6r~nIGB@ZAIZm?&Oz|y(&S0wD0s7Ht$)tSr%(PNP2=nPfSVQ|`LRs(`!kSymr}z^ zyKw_Hye#I^17W{dh74^UA4@=#d{w6vd$xb*xYkZ9t$PcxZcCjs-%9N?%hJ2QciAt( z|4cgTj|K*jVmO zsFd~}d&ISxNnu#DJOi2Hv!ct)kUpQ@U@$0cn<+6NKTCV=` zH^A^(dG97dPgLV?uawH$t6ckxMfu3<{jCAg^qH{d)eUw7h=Sc^I3XBH3sz02{?y)D z)m;;f&yD_e1Cl*;q5iEL6ud8PZdz?`nX9_Xbypt#X6$*1qxHbw@QT*lq~-dm?nlB! zd8y0O)XyMk*FWkYu3Nj6enqO7-jooD}w()QTNRuqSbKM{9 zZv&!9QBj|g-I}PxzU$RJ@_Ll8BEw>tL}R+#e5-?X_%-P_pKU{R?0@0-g}XHgq-*QeXDK{OpKt%D)+=OAP-j-7~z zXh=04-mdf<%0%qUgkGUV@i1$`%vne%us&z*yTV73kX;{u2(fGwHIL#!=T=_oSvJ&`UA8o%{j+W%}!vdbYCSibMH$cyWpfd_sJVeBH!LmyFz<7Ufb|j5PV$l2k59 z(OAAsi^mS04(WJTu4!{}Fam5fwXYc;jObrPA!L#`F6x8t+MwN|AM5TYROtavHOE-< zm93*+>0IMu`6$$8ji4UaM`O`#A@J+t|4 zz{hVcv(D2F&(Yiesja0Z^tt%@yKTsP5O%j-zSh$8P9X|+)uUBAckSvx)BaNAy&=xA zrSlExd@ay2UpvU_u8*HmD?n3aof^C*qLHHWL_I2AOGRuuA9`yFY%p;*!lia&k?-!KQH60y04(sCVTpuBY5vm z*?3j_sE(h3#kWs`b$<8a(7Ui$C%)5&_3MkVxA8l3jj*S`I*5%guE!2>{NcY4u@0IH z`0oEouztJrM*kSZ-Z{zPu}yFPi&t|t;`r5f;i1)kKz@F{)a4@U*E5xXZ^K3u|9%Z# ze)Bjc-Ms=?IpW`?ZtW9zK%VxKsN1j$Mym=rzk0tIFTXFHV~n4Mg)6d!lS;X}>JU0c?sdVXxcRnwmEI4kP}Ad7_EJpwcO?aT`0y9K?tOf7xJJGw;~5?-*CspW zx*Kt~_=jCJIBZ=ero-~NJUk;1>?lZ2L^Q%M1WQiY3b>&>CR#~kQ%9z#-oox z+Dp5!J2wuYXhF*$+^4A8SO#NA9C9mnqhNI+=0%F>)yu)#9dE3~JoVmEOWt-=^}0_s z4v~+pMWXs1dYID<(sWzn;`fwT&<(f?gfhgk^FU-r_fgJ@Ih||jWH_|k3 zFGjLj#x2E<;HCE*+^LcZuq84B#f4eQI3njEakaS7rA=oWDxOI~wl)v<=VJFe1<25r zhx-2AmAQyhzti|a5;Dte+)$jFh!-*=mHw78JdtB@lj{ouo=7W_mZ-#Q9v*wxsEanP&HwwZ+_n{T>(_F1wT${ive;aIX{0j5v#gq!+n z>ULQGq883kYZ0kKL({-+_Ba-Z1rLe7&{>Z3+|6cn7D}FUX6`=>K)#!=;hcR zY~3L)*^8S5OA!4tKX|A&KHM(xLCE|Ekv!W$B-QHk@eu*=)K2U!bc3gVIO3NqLWned zB8d9GHGQpZ)kW>?Xb+6Wl9({~jaO&j!m;p+&|{8TQ;6wEE5aT~z=9imFjkw#@qy6K z(@Rq?IaY_JUg0}CzOBLk$~RX4zuECfm>UA0OS-?;=Y|D{zb`}{Z__*FFxnii^xbo# z$%*!8fvgxepopW(Tf%!WWw0) zn{sYrrO!tp{ufcoe7EmGlcW8vwB9HD%3>Vy_eV*?<|tw1BL)~8)Pn30k${Bx7UeU> z69F@&VRtF(mFaDRo$_(4=^y2gw>GhiEtaX^c9~SR(Ru`4?uUS@TG85L@;Xpgu@%+g z!;|!g|K*$>h9>LmYwe54Mx_{_5 zX}X{-E06B&L)*6GSGIohJQ1Rowkh%5(!S+y73#i8S_ilOrBYr8J#_zx1=kN~;)sao ztY|?)t#**;1zkcGO11FmXP@A}&H|)FiSs$>eC??OJYutD5Z8(80EyYsIQ0P-H%b}i z?x#n}Z(@`ehm0^zOhdu?WauWU=eDE9A?V)6@R(d<3Q$tr_b_gY^u>{xr6@>>M1b~y zhPyQ0=nP~fDd(##rAGOoma|7XXMg2sl!@XGNkQ)VG|Zbi4%!*L`(;6x_jmzv9~Ni7 zA|Twe7TntXIm&tXk`$!P4Z=8!OBU`EBaxDsf=Itm=>Dw{jgDIL>7^4@Z>?8unnh;e zh4gs{x~zNT?&Ex+OUlJst=wL#wJNt-6g`zKe_lK!`}%Wn2)#=EyeRXz87O`u#lbm! z_vdk^v_2N5K<{r+E)#V~eCc(pU8t;=Wf|*HHK?`tcE~L#$o#If`_R{beA}*;Sui{u z<`qUu$9-zAEhkN=6XzP&`@!B}Xutd*juHiLcyx)DN7R-z2EEmf{^|Hu`$iup+~Njlg0?IMH+jz-NJL;Imrg;_P3c|%8p$v3X_@U`{ciF#yMd}q-MB|UDeX?*X^ zz*_aDV|PHe5oOOmq1?2SmPK6VlbF|QS-3-Y*J8DdYq9w~J9WXDc45;tr8n|UUC$ux zS>_WNf&g1j?v3}uG_@9%>gJ)l&Es>I9$~gFT6hE_{0_Co)BO$jybmeZrcbMtfZpUN zL|NY?kh#H67lG;OtDd@0|9`uc&j;$ExA}R=Wg!TYn~DSW9S}9A4vnyzr`fm>c_k)j zPc(XjA!MqJJAmUol^`4H(QZ*|p(E{|8kHJ=q>_oy`PsaI<}vlBn0~o80w%lR`*s@( z#X;>srbBAEPMCwJo9vgXUR&*UvGuDjaphz`cwQfZ>+F1o+XQL7Rr{O&X@99q zUl`T11{KYOFz9D0%eC&~dOJ6Xrek4bAZ&fy=Vy9E$seyn%|8aP-JEFe4&Ph4d^!>y zNyd`Ji!j}CyZQPc_Ed@a^+41e5%9CMO^fyZr(w!Xtz)}UXRGxi!ND^0yl%R(-L&sP zy^YT|9ja1pa0fc6MaqI$FXWq%6Cx09XM6Rz{-*qo9wpy}n|M zAEw`;?8y38n@tl;HPV-OOoyZEJAL1eo{RlVJL-($rncm!D1`glP7b(Dis;@3s%m=Q zDDIHT*R zcUfH?V181({%adspV&9eRUQIp-~ASLA8AF+mcJ?M;Dji|-(`EBKtx2tO*2lm>7bk9 zCD)Ku@OTVDweYEQE;r6U63OdJy90+$<)fnC&5BE=F2?*@dY@g73k-!$?bkmrUp;@c z23K`jQZ>`ZAYPe&hCZe6^RJ7**vN=eg7E` z`AW>8^{7xEa_vEyXsy1+9{gfZu&Wfsg=-NbDtU5QBN|Ns(1rLyzi_6Vb8~kDh2F0A zf7e{6l423hBVfB|COR#$7spN z=6CzPM%dSiCbfZ-U~fCeq{BoIG z>1+SC2~9`8M7vcuchJ|}%RJTav-Evmoy+ndB3GSkvpy=SMNw8dUfNPWcs2eLoonCJ zVdMJs*ehyU9X}HfEa+WRt4qE)j=H)dIAZf;;v~M4jx~=Qw_jcT=`S15@cC!3{gxJd zAwGY?-qUJdVejS=c^*Q46^mQ?9O6|>y8UJZ_By@17?b>!`zg}c@gFzYh}T|rg?g_@ znv!p9PvdtdPMT}CwKO_#A)d)tffc`9XydzSD2xe;$MZRhakG4Sb{rpU%E6P%;xPY? zDBOB)5*|}Sv94xfD>LTf)?06N(#^+{yVMU@JNY%V=cBIa>p7#>)zB_&96M=Mg{#jL z+$fLEh{HW@+#E)Y+T~N*wTuo!^({SpFls@y`FH1KZ3hA z84F+H*x!|l{XUcJH-9c@O~v736PkvkGS~o2xYAav$_=Bn&EY4WgH&6OsQE;_`xzPt zKdtswYi&+1|@ma}d~cL%?jm`!e8GT zKvMLUAmup3n)^l2&L)E=ny)$x9_f4i?VPTw)Y@~mEysNc=_oSPqOol-;vE5qc}ZF)-q?-Yx%QXEI8W`& zvS+z9e!NRL=bt)L95UK54m!QT}v9hX%0@-}Vz| zRt`(yBe$nMTy>%8AM#Nsf~9ldp<#mQh;(dse?rezIn-7^lJ8N%1*RSLT16STT8&$= zK{~ee2wfx{?+#V@o+A^&a94z~Zr7CLpkP-Wn!i<#_kZX@YeP8-UM@wQhll;^3`43F z)qh!ooXz`CFRkA_Ladn?Sdk!FtY}8{TX|SpScxW^VTZw5cRk^Gz0x<755p7D;PKTz zi%-rniEU#Xw!_El90)>oaxc->;e=xkOs>ykj9 ztJS`qMqi}Gg8guX))I(I#^dU1l+f&vEidEAytlBo?l?|z=W)(mdVM^ee{(bb`1HfL zduA}qOTMWFm1-#Vj;I(s_U9T{MN3DJYY;3yYkC+5O%}(VpVnZvcqz^I6pQWs>Oh@b z(`##GjZ*Wg>=+Kq8Q5?HU)!IZ0};{i#Skpn>?sG@y;-AMbn-gEcLk;%r-ip$fHb{FCXT0IzU1#p=JBn$g$W zMq`8j1B>L4opdr^w+EXF*C8uC4Xb~jhtjw9q2^e-&6-Ms>i}VI85&ARYUW!22{)2&U6I+#D2uGCyVvsGDq91wN^B1vs_hxber?4 zcF&fo&964$w4GVDr}ZB-@@K<-;$yp}Syi9+qvv8j^R4uqYOm9P!+38sh+YHB%34ME z;PZNM(BOkWUq{<<-}hbJ&AfVuEW3S|cwitun*;mJ^F+uU3lSoUuU%Sqr9XamEI`Dh zv$mrqBBHa!KNK_7K%$}EQF|p$T;lHFym1JPyGZ&q9$p$vYU?v7Lc$H#%1!s$?jn%- zp7PGxZ@cflj?*WrHS|j3swhHw(p*H`a2;mc9*fkh5*QA(3~JD$v#kv+4MtQMN|2wG zis;{FtN+qdON)AC=o)YP4`52VL$p1aKmSu-#}D&L|2k1?+p*!Oa&2NTocc~arV+zUp#cB~Q`{!$~&d~LtK2A zaU^j=z#Yk0B)3M>j=HxCuqGo-Ip0c6L)I$>GtLVK;-TNfV21C-qUr+K z=u5B0v^$sK(Iqo5UV87rzZPScHjXSXZkJ5pxG!HTJXQ2NPSn2fgqW;XkW0PjaVxjyn-$@+bw-M{t ztU^k1A|8F_W%=RJy5sh0x1}LB$`ez<@5aMV=Axvc9GhRy#nX?*m=x4TG@M7tLRYQy#_mOPt--@`Bej zYVUAxaVQcWPca941+Rrq;<35*Zn+qdWAo;eMfak1L(9sPiB4|h0KUH6b>r9#@9KTK zYvt|bdvu!5!yJWWyIBT?8@{k##i;Mx6g;NhXj6nD<-hGU-Pp}nH(zP05VcreZdEpi z3@DOs>UkmgPMx_1p!3s}@O03ewn!>!w+h=%xtLx%*$O-LTe{{{M?abyrNL%5QuaeT zOb05l>Gd3BiJMlBrz3s!8sxlEh|;$zvG0frHzR{R9fVjV9-ivWFWaHXU?%~>ahIu$ z3mrRc4y>Bq=^1S7*_B%~)9;CpdskpZydEJ}b$?I$7xmb;yA*|MS0nA&0&K16IiFpf z16u3*WbBk+9t81T0>spFVnkV9 zI+E^*kgsuEcf$>sF)JFeNvX)pD}m8wh@=Ha|E~6)4MTCz@ol^Mz?hQTzKGSFJW5P80;vX+{0V>Uq#j5eT#Q zaNT7g2oG1*Q&UBq`I^_@ue%=b(2_adcAT|!oQMXKJ3{Y{Q}0VuVAsbyilve1yF(kX zX4R`oaMk-(EPixxKLfCmuj=s8ex>(T{Y?1Vxt)8(bUpNPrKk-s96TZqlYRa%Hp(w2 zK|kAGh;=mlXXl!=6*4#=z4r7~yv=#=}`f*!*@0o`3LW`M9>#@Fae} z%|Q%y>^NL{>7`D(ad01{zTetd5A%Be^*{Sq?`&%;K397ujPG4j>!sIBRPvw?wJ;Q_LT4ITaeoPpGr5^ekfYmSv zORgID4V-h!{hA;IS!O#g9-=q=Rq!?`lD#^Qs^1vaDUEH(&S%^^Ebl zk8+`;{AOaool0-Z>$^~8@fEf2ZC08~^oqw!-H?>}2=b-ln>g+5&?3s7m$(>08}B)= zn_?G^Ha`U%a^EVY2|A};JVG3Wd8yBA-fTH#Lix+9k@M%R*z>VTsnycM8v&Dp5q8@G zEJ|30)Tfp}t6SQx8Yef;+FR97Y5+WJggI+^R*l(9+X?j!`Q-lAs5=(k!BJTB+f~R+ zUxDQKXhi7(;jNAA>pD~x=3vvI?s{3=Mydbkp~o_t>!^+HHZ`oKYZYMg%XVz?&PLo#d;xYN42y+sCZ z8%Am(?V_>fZK%UuYZS6}w5oYP>sBI~Of~X3T!`ObAB9TXMw^dqJ;ymZgR=-^o@hUN zwPcPNt4`ndj$5`k*@`dKUhn_sXg(|)tAjxfbx6mxudlZ8z~)Ni?2z9He7pgx)nSDP zy3dK-#;T>)ak^L2!Is+pX`VWVEwfk~%<+5phhf2e$w-yYuU28jgVMQnu(y2v+Vxcv zl-1A4!`g$Ydz}vsnBed{+Q%1l65vvwVAxUaiJbZ+i8`x3JqVMSfo~3@W|#Pf*$D2g z%Sv@Aru@57UG2^~QFH7m9RB!C`St7|Mqr8P$A=+UGV5;uR>L4Hxx#z{XGCg&;i*SZ zWbq(yOYtLkV%xcSGPv{Gfu7KL!PjZ(%|87^`^&QPU=GrsvaHF~h|E#c zzS?Wa<1%yDu=(WqR41$(#%h7juasuKZR=d=Ag8T7e~twfxi$+q>+`Vnkocl;xKdr8M0pRzEO#B1=1KY+aD70}W_Jd|x!BKK;$fbT zCMQAe?i;|tJ!(N}ZB%L<3ZHU~OV7CU#n?-1M}ol`xX>!t8%^e-V+tb{B^c`W86!ZjNF|E z@X2SNVej^06u*>#l>6r)a;h&nzq8$fjF*=>UmrG_AKp#(a zLwdl>wX~YxqmNHnZmXk*mC;vB z!nEl#5%bGO@l4(yu=*is8OZ-)RYNWffmVF*;xZ)Ndn=Z0aV63^22-wA?=pYbim#Qv zA#gQryzOSWuXSS;jHl#Y7kmR_rTRqO%{m0zJc*rx;BayDUWvm;r4fI25OS<_!Ht+= zBQxuHoz9}>*w1nJL-FEn+<2XhHxm(!a16ncU403_YU~AJMU!Ymg82rHq}kC$d|3-x z`u1?tkZRoWG@jU~+!6{}l7hskqOS#I8BfFTg*@0wD3YyfWU=mg)zG5)T$*>a*PiB< z?pr;<4g#t6T?BXYiSVarap7)P%kfXuKEU1GP93w~8Ik|r%FQr9kCcbiq-}LJ(hF*x z)*LiWcRS+bz7~|cXH?!_U4iw7M2`+}`XJGBo~uXAKkQ$qZ#`D8+yv`W)7zf7@+ZnA z{r37M`@y8HCe&A{{XJX>KXr9(`l!L&%-oOPSor)zt%=e2Ili=ab4e;UQ%yUX8|rb< zC4H$A%VN3Im>iaC>pyDLCOL!Qt=+uqFrltWxhorR+XCoCZ7sI$$ed_42Wai9?$L~Y zPhDs-9aMU+_k+z=@Qn>h@Y5E#e3ahcpZN5xM%1omRBtRq-b-27`l+oiaD&IBFobD8 zKVP+(!=D~L{!n7Ddr;GG7V34G;Exb_o2*3LKe}K#yhje?`h*7~pig(oeBc-C!uI;L zw7ni{h3V5TG4@jNeh*Cei5mQ^szJlIO7Gz5!sl|zzz2c8{kete%sJT4xLpaK>y_S` z!zKs8VQt*%I45fKd+UO{2fnV3+8?H}5Y9ClXig7OG-5a!>^^R{mN zZ~ni#?2E9ys*fqy&U%!sNC5y*Vc)|t3Fyh7p-f1mpD^Ja6+P0q9#cc~8u>#+36 z6zKhJhn^c7EFX^T=KF79N+7jm4{Gh6h;*X%!y>i6r|!>hhf%&(V24RsXWvtL^#P8m zpz0$xt%ZViblE=y8z4{kOi}8q6vvbHj+#1}8kA!#kLmEcN*<*6x*j#+5{@naK0}ep zbMrxfdX80d!2a~%l-g2+By7T2j7dts`*ryP5l6lLQf z&7NKIZ1ug@FTyHySo{s$U*I<38cdh_9Gz!NWv8y+fdLcx6d)ex_`5ze$miHASC`wr zR?t;%zTPl>vR~iM;|IhOp4vHD{V|6RcQ#AghfJKKX*Jaj`nr1>r`1q{$N%# zt{CS%9&PVcp}wUEdp>q>XX20%6>6_;ihAvgXxLK%u+MCk>wm?xpFe?Ri$Zb5V5C1T zyF#su#)!Hjj+*p8jw9-A!|^^>NK>KqU*V_rA4G$rr`9@;pnkv78+xT$b?voxAwNIg zVfW~K<*m4BF|yTR4^2Ny)zY7=!&`q^gEi^v@Sd$__Aa~_SBL%w{zE+$J$dq^!OKPP)EN0LVedyJ#o3xHzcn9**&;h+$L!)#QHziz?B^AsoFR3 z+9q*?>WRA-MB-{?a4*+Pj+Flz|M58v*L@)OhyVK&Tq^fjG1nY>9Ic<4a8PWsGlMb3 z=9`I#MmC0E$?T?^ZbD3qQUhau0419ZVuVL+w&swX#G6Bwo3G&!~v<@@d3Mv%s_V;xpLn}fVpD`B$NeE10B zF*#Jdxl{>5g~{g4wbqaKpj^H;G##On`*Q2bV!1dfSBvHDp_`6C?RrmFSN9DeTQ#7_ zT2WoO+l7E!JIZ$(ZQda2IN_hhM^BaCToo`x=ySY@~0eauOC%GUMnUSxfr^JA*W@VYZFerleEFf#^MQ0;t(}h>j8NJy>8Z22 z1cho1xqW6)_9ZW_hus|P(J~}mI|H+0W09`4R^#rD@0$#$s%}L7UkrAxS+v3YeCj&%F8|&nAfj&QE=(4d0xL!Rrm!{9|IZ0)?+){)%*9-JJoAJQ0@DEmw!7c3t8xog2ziC!J^SL$i%@mR4gqwjL9G(=q+JK2F^L$M5Ft zjfT{Ajd)oO zzykjBAHqYkCSlMjfW2%QZvL6l`>tUZ8tmNG`)c1-Y?U9XnFRd}7B?!dod&&pJ^Ba? zJN81WG`*+OXxOn8ax3n*6*o^kOCi>Qk_!1$jdZNtbP)er)nF&!dJ-qqiABq&sQGSy!o~p?S@PT#rT_X|MFS#c}C42A4Arb z&m9I~PnotND{Z~}kfW!5DenE5{gmpZQ-TpL{XKm61AI^;LcO8T**#~_YL2bI!T&uh z-{TGaY4F)S{~;neOBjNs9<(5Ae*>@@EeOj1EcG%~k2v)PPRr|?QQ@F%-o|Z($XEN% ztwxl+@HEPl1S}G>Q=pSha@=oOif3chu;#|6k-cRwW3c%s+~#0>hf1)%RPB$QiO_yt zV-31_zB!bfU$EJ6kk_;wg~e+B)cMfaxTz^_Qf0oN*7OpYg^YVeO)I{LS&?RbYBc+) zeA_oo&D;@sONHZ>wt2(zYFb0_MkLx1FFSMh)H_PnbF5!-GngAnJsP$w4?gZ8?b4=3GLdw zgm0Tsv!eioJM7mN>gFGXMG^9C1k{w|Aa6@Gn!fG68PRpZgngS|LC!l(z}F^RbbT=V zdK`&3FP~xQl3@JDJxZ+5w4)G(yXw%a)v(#sfu;kSut94I{GR_nur`mbGA|dkTzAw+ z<5$b|hc2`>RH9H@?j9kS6B!8e?HP{=@K-~g^*c79yrC6cTDeNo)_P+JJ4KXK*4JUxpo+j&^ZX7YX9a?-5WV5*j0~K?M%PNdgXzTx#0-x zYxzj0>Y=xWD>tw{-hd68_rau1pQNj!74^F|V59s*xexR=26UH?^x5h2qm@wTv2x`7 zp%9f;Wz<|(j)Ip&O_uFw?(joMpt6qlmli^8e@DGxI3Wc7{W;{4){DF3?ajvadP>Z* zv@VKmO)8o2yTX+4p>X+hEKt|irg!qN?)A#<$gOdf(g8B$bKuH(;`# zvW^bAu?UQugAg(DBL)=yxg2%P+K-3T@50%3tP&gEP{R3scPv1dc|CW7&#ep83*mJr z-B9U52%m_E&MjZee>g=sr#qB`q{W#iJEWyCJJEKi4C!&v%EORe^RPB`o_aoaeh9ib zS()EMnMltlL#=k5qq7aQTQZUG>ufZ7IVcf#clEsdC_ep%b;?ybpH9z$d>KV5``GzO z$ggTdr*>0M`i}aF93q;oWV^@o+{7j7PigUU#-NqAGVe zo{+CC1R>>a9bCP%AZn;pF6~rF=lD6OvKp_kG!wDXG%43nYzac#<&eEti|^dSr#}&tqFEqT{n+XlOIHJkxo!3i(U#!*aPbA1};%JQ0zD+SL7(m>_D> zk<=WQ&L5QC!Dn%fURh9pO$VCLp`NRBG}plJr$UsA5Ti#p?$TKvflJ4z|B#PD5$HQK zN1=jzY(7)mIu++6c_`dH*ynl!(|sIYhfS{(Naw@ty{@0gXX=5`_>W*4=dmZn!;mYn zQgrXwzZTLz7RT{*oA64Zbe?@uU6Z=nVS2w5c}}h)v>zx`rcLU~d$qDV!10fthA{Pf zv+^&}dS-E+-1Th}s<&v%)(`soqinWpVtPj{yOo8gcKN|d*NhGR4=j?GtqF$L3b0i= zA2zRh*4Ig-bF>9LwvRzxcfbBptt~eI{yt)wh-i4RIA*Apj>{HX9=Axxu?+@f$44Vo zeqbpSDXS9^$_y-x1g9IYqjU%4pV+Hs;?~Kh(NI^1I!E1cs~dAC_TuHlL?nuCi&}fS z*~JK*yBIUXb>W7Mc=^Q=y!Y8xIIUeb@B9jN+h0a@-d=ec{O8AFW{;b9lQ8qXg%GjW zlU3`H{XaW!Q2Kr?Fnao%BiQ@bb!v!rJZ3Dp3!x*WR?5+VxOM(Cx%bGHm+|tpgE;<8 zcNF&YNon3T6r)5wJ`08ZCbf178ak8jM)I$e_R?xz{~hMX{thp^Q3>Ox$MMZK-^ktZ zPd~uUSD!@Oub;$D@eEYZVl2LGNF%T^&zY%s`oU0mq7^%zi^F|S6k=zsG+o-UCr;s; z<2BN>J%;=4dsdz{&(OtqI%SsQfUZ|CbU&5;e)tC75J~dMI;aha*fb?bG*!`x5B7?) zY){;H?aC=$P z4^yU0kv~K92aRWy3aA~h5|J%ybF>7&=Ttkdk zR2mAh6A@%}r=@Lw4iaK4Z+P_n&Xz4nn6XT$4K?MB&ycJ>(W@{b=h|pwi{3leV(&{1 zZo*aP;M#lScS65zFLLMhd}rgvBt)br-{TcqfSs!&yKfAgs6hJd32HNddaSL?#k`5~ zzx0D;84ICEDJekmO;&|-)PVG5Nhp$QTMb3p)>0()2&DF5-qD7NRkM&#tlXIjy+0Q( zJg$fDDEVc#9^dJOc`t3n+B>br`kfKkG1178pZe@QU9|<#nERBnM1y`)iqeNeZ8n#v zs73yqxyY2p6?CT_#l1;Xx(3ctP&*@qzFO$szp#+Hb+;30nfZrE{#Rw0sViiLX=pqEWUsG%qV=h z%XYJL9{%C@&zLy~?AJ}cR@9W_q0mkZi=H>>5%RqOgc@M~IE!p128Q69Y!{l| zEkwbVI*Vmz$pZm*#3OE|WfOsp*Oi_+P`{%H8{Vn6Gk(eC(-Hm41(@#LvsAmJauET& zdb=O=#B^!fo%C5AO7}}sDox8O%V{x}YXHJ$dZ2n&wasbpynX@VV#44vMjfCsm)qoU zM0r%B+-Bg`6T$Q2@Qa`IUMF1B1=Fqq6u#}CeB}8|z=E5+dwoaOu}T#FaVzTVe;Ak) zhJ@G!R@+rymZ7E<`wFtu+A)E^m{cU(Wbc_nn!&l0d` zexNiK*R<}3viZ?_NTEMJCjdtql6_FdxUZu!a_`PeG>7prf55Dac(6L?=j}xAh&JRmcvHMUF+edi`z-_9khM ztV(Y=l#ireW}?Dg*$W}kIrBQ{oVmv}iB1@E6Oi*sq4r`H}-&d%5U zW-dX(9hMJrcIz$&`|Hs_#*b6dG5wzlu=S9=vqnGZ+;8liRa9I}+V6qj76=yHB}hon z;K40ukfw2W2=49<2~Kc#ZCrx{CqUCUB*ER?&d$s^^UXW+-kkfdE_y9kt9S2R^;GSu zNB+MA=R@IZh-2BlyR&9}(3Z0M|b zztpoLu~pAkH18eqVW*{6`l`*^mw)3nB&uq?`k?>zaZj=kTRmmW5C6uAZGb_nrc1ke zDGc(+JF_!D?(SiWhP~jEV=9PXF658mD~zRCBF^eVudwB5$zMs^xZIA@%7hkGNcqqS zO#|2y>o_65qef^2}qHmG??Q9=LzU$612eI+7Zy~oQU1LfF73RvP4Ee5g;c#H^Kcz;A!K*)yNhf}uK$6~7Vb^Z$rafOP zO>#4qtN!VNg>J9#&9jtU(1$atb8J2{0g#Y163)WU_+9OIa`;RRXEu2)iEnWD5hME2 zo?S)|m*h(zH0+xLe*eAZqpt%yEJ=QAR^#e4 z^m9f=#!}>Y>RaPCp63?PB;4pkI-f-26n{K^F4?%MX=#_ZiBL>j3?b5Ea?7h|=xQ8} zGnL(9fdO*I=F80`h3<~Ijw8i|f_P5m{WRRwm;~zTB^-%VPV+XSpP$v}eNxjJ)^cdT zOatUSxw5bJ?b#4&zL_R~(yNxcISf3K56tdwrGw?nsWtdTS<2&wi-!F_SI|iWyM?K^ zloE%NDsz5W!@03|tqLVo8JI0NSxxqLw)Id;r1nz}?01XI*{_$W#qN$IHK;BCawK+y z;>ARjt*#YFuh3be(y;Brq@QP@e$9@K-Z)9k$7oDd z+RG6$4Ll2lY&XKl&E>IFw}K}txRp%a6Vc$#iWR|( zeMbmjbUsu)?BlqdeDN>u?1 zub3gl%4nhdsp0VV|$^e4;U0WAp}2 zGJAdKeOCf-EX_l_M-8VtSxT0Q)l;xGf+_DyK>gGX?_0w0HZyAk+IMHaqeId}qZ`YO zyLcD4#xB9Pwyg`!vheUQ_A5j(P)7xKle8GPikyn-IAOC6J*EwU zij1J^4Pu!?aX5|r@(JdySRK^?=ZjAg@{8U1&%vvL z_JOkZI2TQgtHR2SXC|!awzYzg1Nnu={32)ewcOc|BHfHcI96{QZpOSnz0<~kj$!xF z4mYC_IIv9ScH+oMNIc^{OvcAQS_)W#zS|aWu<~uk$%zvE?bJWlCe%a;KS%kDU7{$( z$R1Gi_BCfp{H!uePw$4}O2|kHRkj zf2n(Q_mco_InzOAWI6B|Jq#YyL!K+!Ki5(YM_lWQ}$TJTwLA{0)#nn`Hx=g%8$J7R+(QmE|-e^^zzD6>$QJGtxNof`c zo7HOFdi!&XQkZ5g#RNK!xTuoYhf_F|w#=PQ9{P@ESPwkXDf6Euk(G;2&z|N`8|{(l zk~PV%`e_PkRDhs&g2$<7fO8rsOE;&EpFR89=WSyr%&7IY`TK?s_rPrwE?H|m$k>xgvpr)IY}j*l^WbCrqMv`Gj358CRym@`zm?vBI#mAo z0NG#y-Q$*`zYHZG*UlrBVN*#c&duA$<_%1DXK9P_x1qSD7X}~cA}Q`giuY)Z4~8RU zY(Uj_hYIJ>cs>7Rfhc1CLfnn(1Yu-@JIjV68`hEGfk^%Ffyw|)w=ji{hr+e{mx76% zBrN-g1|ckuLWFTuJ_yexCnQSzu384&v)?ay-aP}I+<$Q|iG!c}^$R`t@s!x4m~G%& zHj)^>8pqk`^ZwE8uw#h_pyxHL*6PRgAnUS1?XW} zD*1ZBl<>q5DgpO*!2J3W>tFiQ)9`12@G2y{#3X;*LW zr5%G7Ouu2pzXoC^UAvsNtpjZ(WW^9wStPnrxP$}}a838bWH2yaImOfQ)}u(69ZL0d z2rWE(N-!m6G(NcH!GHa_4sYFAEkjn{Do{N$UbvnEZGHng3!K>bG5Z!FOZUY>c|_m% z6$dUwcJ)#LhHP&#?~6%YbA_hypu8I?NT`0b1pbj+(D({pPAOt7=SN_>!{nz888|np zWzDQArd7$diXvuShCCuIeTk&!9RG#&oL@kvtZ+(L)4H2FkJ@Ajzd_EpI1p;Szn`O`?D zrULGl_dvSAT`YIci;L&hf%JJmNS%FCsEO2T6%>U(0v5j)%Z(d*f3l)#A|d;1qNMkt zb3Ev4P(|ZULvA<>cQ)@A^0vqZNbK8`zL=gD>XHk+gPPV72VGHb-ZDQc^omNrCAEA_ zStykVnK~A&8e6YZrmJ3MVUOdAA_4Wa4=ITkGq0vu)51joLEsN6&uUO5hyA|KV|Jq- zPQOUFB)!nrKCQh^LvMIh?Rf?`e07YYO?HhW_%XVt{J9UnL0>OI=G08Z!uTsvs@Ny# z(mRsfy)a#D;{XA9WiKo_AepuOb7hH>@-wYH2gqbC+S;4sKlL!NG`DZ}N(B7ncB-WTu})&Zvi{Nd zi~qyCCRMNzn;GW*x$CnSV8cXH zVtbzxv-t)b6Eb)kl?r5`E5%72^V#skkG}w3@m$f|xsC_?HbTgVtU3Yo{G{CIUpab? z9kGWCudbIMm?JcEGK>HdAk)~EK&FctUQ*Rwr-yMcyx}DL2=H%*uvB99uT#8F_I;;^ zyDRpfJwav9i_>|nGMYA891}iHSvjW}A2P)cLy(scQLI2qw)j-b0D>WU2^%Za_AorPum zfPl-uh=29d-tRTwkBj;;^|A8J!D=v;BOKvzn|RoJWB~6l{+9B3wM1=Iuj|Bq&N&B- zd{ftrh(CQ#`Eg5(4-O*^M`F1fjum(?tY>RtZ#gwAPm8t_=+@P^^FCUmZGT`SDVLA$ z{D9U?Lx<#$(0dUXPl{ld7G%(nf2vChp2?LsUz@$yp?JAlz*#r10*G_}lgwf9@(=!E zoP*u{hD7B;k3cTV56x5>U^XvA4{9YvfNzk*Ues-EA+dG`Zl5}{&x}LZnfJTAZ%ncu9cI)r5goB&uCEWB{>|P;DH5<+A zu^oHIa@W_(lw@iazxz`Od9&b44Bv}vR0`h%R6IZ@(ZiCAhH^|YavZ~=^u4PMVpWDW zTUCd~E`xqpxRorBVFu$JJ?}H&lfw9+0l*W&(AV0MEV6Mz zkbe2L3rqcz)xm}Nhj3z^#%{JE@Z8adlFbxEK@m_;L6fMimRlyb%RH={2qCLCm!xe2 zKf;OmrF_F#kJBS%){~KT)e}A~>_Tgjq;ko4NfD7K$&a~prz^r^2OKC&B$;1qhEdP0 zE-pEDd{>7@g^h{cpAvvLcyVa#B!N_r0LDOL)mp0^nr(Y@|Lhh*8l`K6tk~mJdQj4f zxEi!}?myU--ogG{nb#{3%YZ0B+s81tLL*Q&3tX$fT6}UFk^sgu4xb9SaI{D0cu$_P z!9=Xko7yC$Jj#yCXWA;@EtH34m1EL;Y`T9=y*#JgKmhXcAb%iY4^*2jOXgfeb>-dt z3ZoqLlXTl0C3bdk8Cu?%E~ZYR1hAzvexczyGZ72GZao+C8OaQF0YHuc#08*|&C=LXbcT1P&Oof3-|3?wBzvN?a^x z2$7C|DITQw(O0LUo*T@_!3|E{ygTYjspocnbaZm+l_b&){=Y1rm)utPuj3mrMu5%z zi%-|bhE5(4r+Ar6O&IL$%7+qKmVUNLlp~+VHG!EJJ`V4OxSSoe>?L0d$TfND`m1tQ zj1uKG^--O)AnadT@H$Rpz_H#aMu?Yy*Q)JhFsCA$IN<(Dx1pWtKg^#I26~J{t^!RX zPbinh;$h(<^PlVgrH!Nfnf%8(e2*{OW7;HqF8+yQ09K%65T4B{uqXiBAcg;?;RLNu zMGY7%ff_x4J)Seq-_UiqP$l4CUQ6_!C=ZITsR67)ZXeE{iT#(RBBJZwgXDO9F?^Ep zbN9*Z)oWME%EytLsIfY{S$G;ASbql!D$%zIA*l?CbM~!mx^Gd$nNQ2l4q z$wMM$dlu7p>v#PNmNFY*uRazHW&`&4 z*Tzo?+Olo%j!CY>&6P9+J3wE?t3%-m)*z5?NQzDl(Gp!Zz~R zRIU%FV)Ry8>#qFaowXnFe>2BaL7O&+BfyQ6PX^Y|+~59jYb$I<8Pa$eKX{O=um+{j zVTKU63c~dU%uiO?_4o2ZfGjms1hYqu)lY`aPe=0me~+b#JuHp1 z67PnD&6u{1o5q-yA2*aBb9=V#9oMNv?gv~Levjs4gf9TpDkfY3=vZ?mplLpUV{{8- zZbn=@ueJU+!RM+uVEI9E&YRopX**LlpSJFLs2`;t2flTFzZZTn&K9II0 z%+LScUIoq%=zjwc<1%6G{emg?`0i8Mi^)$t|7}XRnd*&ViThHD(h^)cf433>w?&Kn zH&+J!|MyGh|9%1Jfq!fN+e`n}8UJfb|K1t@Ya0LF8?@tp(1y1u3w|rNvt6xG@AruO zB(Hj(i=;k99*(AQZtw1XZksMv5@#0qkj5eTI2sNByjb)(O4yNq-b#X8^ic(&DeI{_ znMs55x#xQ+!eJ${a(=vc!Tp%(m!bLwRAN;a!B_OVBA7%oe9f0xHZ7X} z2(o$(J@7zYs$8bLxQFDStN)>{u_JDaeTeoq}Niu8mxBuCo@Qt!#IaCiF&j^;x~A z%@3rztIM&UZ8Hq-YveLrT^?xjsZ3|%Z`JMU#i}h8Oj%u`Y#ilY`NA89k#&xK9*Tr5Lb)6S#6;$ z7RO)StXbtjDQ%}b#fs4UymrLJk?0c73Dnx6Z!GV@ZqBKt*>N|nBZEfZyW#nEt(~Rp znC(^=_&o&3<8(IGG28zWZVd(W-q-+uh)k5DSSe(4P0|VIo%*kumN=pvtb2 z=#Kf&CsPF*0h9Mbp$c<$E30=j=i@S?af*HSGOImWtGB15u0=>vmXw|IHRJ?~P@kak zE|z3uYrzh#JR3{IWP7K_#hE&KG|uFRjur~*t97Fl_2FaqovY4|9Qa*r|87>m$@N!n z*juyFm(dhLBzAUoj=WY-rhfq~0pkKrbm++s5?gq{k?EZF$D^dsuE1TwBp+T`< zc6j_yKT=tek!f5ZT9OfcCcw)jhOt|Y$uum}y-%8-VD}?*5eU+ZZ1vG}Gy_2ZE{(fy zZh5z2Q;i}hf25&nI4J4C%1UpDRn*gCHm*kB_f642eT%UvjWV%JW#U@k>+w_*^vjS8 zkX#(UB z4o0?+CR7SZ`8m)Q~IbqRIHu{XLGzQFu^pEqGt^ z^P8&y)PiK#m2nr1Ery>5qAWZ1I2fjt8TWw?Zm*0-tpn$eoOb-YvEM3cegkQatA6l`KxW{&*R=}i=^<<`2MnB|J{` zaW`ohN^reg?WKnF%SHpf{aCdXbx_68scdLqCuw4pKCk20Xlr*4znPhExZ`4PZkjQ^ z(?3&D%Nx+Qi-m$ojT~H9?xf0N9aw$*Rga1FDN2eWGd9%^dSKj zJ|5*9j!9hfcCHb7re%w<2B+xre$zTMI(ch@@ju21$ZIftcy z-Uw2Sk(BIH+pw>@h#(2ajW(jczrv1H!Z3FfJs2Ay70VaCU%>z>w_Q+*>sv=keRaSo z(8VElrXJ40woUOll+B)wM#f`C;)VT5|;ous(Qe#(jQzBv6%a z%da=DXP65(5}*&dY5R+Bg$whaP7zcM$CWUH%uf`sg2!!bRE@axt-PO%SBujDo6k1p z8VX-rSiOYVyK+#pk3F{=9&!4v<-gs=Y%(4#**Vzd4kTD)XG=zRsbBYVFj=wtM-V2m zW#+;h89R!lJSX~3ML-t+FCam*X_{hmAXaXWi;7VhDY+{}ACLFN3r@?kym>Jv#9_ez zXOOP4SkLt7RNLGvE5HlfkCF(oJR%z?z;37QF zP)!uxr`vZe!VNW7J&_P~d!ypYBVI$e7-DyUjsG2a@S%4l*LyVc%d2WyhrQ=iw8Ne) zvG0WthNe1S*T0-tA^qV*{u!25moy1_eYDpe4+2FrXn(btl*StLUPoKccor4;7-k@# zl0*E>L-QgP~3T{tXU!$IVC;Fn{3+QFD`vudyzCtqDuIxOLAgIGLPN3~#M77jzqH-v^XI}qIb)Gp@oxV0jI3pY>b&M;9wIIa)tFr+H!>~nfqWacv-p?s@bc#)_5TY zr;+D(U%LViGW;!AaQ|9$$Ntr~*XFi5t1l3r^x#3VBh>o|K%w?F<4Hl~&y9Zg@SAG< zlGV`9!6|pQUVGvRLz;)F;2V z%Hb-0#`=3@_tn?R!Bx=P3-M@&l3m^>v`Z9eH zc*jMb_P5Wp$Rvv=vJJA&*)&BwjI&2Gc`y@le*5ByWPp-aDToK;|JdLJehua$nBvhb zKs1mv5ZZ9qgR6Lh-MVT@rGO=?5l&JZRul3tz&3C7NqvFWWD&IrJ!PlHS+b5qs=EL7 zbmi{2ha|43G8f@Sp7vAk{R;eC{Z7T9z+YkA+wHwLtdnukiv>)qt-K(g8N^-zsfM!Z z&|*S0O^Z_KyL-WJz6ybzkGy3*@6X&6Uns1-{w8T<|6F=crReh8?1-<^rZ4;(zr_L1 zww{^*tJ39Xwug8}Gvz%DivyD5(s>K3r&swwWUdu|YE+-~LHkqfn|KBt!gU%zw%~Sz zjPhF*4o2qqw9nNax@H9hZ`wQ_%3jUT+e+k zBrD@!f7LhP+FSroui6Wgof@j;%Ls3}6x3&IiT@BV>}bgK`00o? zX|#Mis-nC4WMlGrWsHLwHBkeP;L^P*g;^WT`wUKeu*IN6VKkeO^mds zy?F^%xOJCP^!e9?@KvVLBgYcp1VKd~S7bu{d`#Ct$BfuVKD#DuT2~ySP@6dTh(wIc#YUY>!b$qveGHf8lxpx|@%rMp9>fQHtM?G4-A)$zk-*lXf=TT5 zca~|q7C3|uMSp5(3L%s0DA#xD{*E6FtF_IzePIv82re6muje3~NFox^1JP`+MPY zUEvA){GgikdrZ%FSP|1YSYPD!T&>_;k65K58^#wf1KLW))B^I<(S$|>$`RG|=fG(| zltoQ<0$Ma2vhM{o%=4PmuuYoc`KTUxuPzJF?WC@}%txhc+8ds5_R7jz`WvOx+LL4H z&V*%l&7^28)rE)4GAnaq-jyMVT=XcWRLUcB2@!&=44K9xth~8s8ct+%`-Ezznj@7b z4a}ce@I{iG35FQ%np$;{cRmpoUC#W@?-D?3yxU38s38@I`k2$^NoB1?JFMppuJUPR zhlslQwo5PY6WnTxABYT65fi<%TG6x>2323qzlmRc^O1n3tN48Pa9UvgdoYd1k@?(% z)Z0kPxc!?p4$xX{k9&Yl=Lw44Lu8%>aOY6L-`Ko5lC9oPhPcb#R{y>~B-T?Kb!&i0>PS_emR9 zPUZa9pmTGKn$j}l3w>usJ?%KC!Gtzxd_6x#$Pw=a_6atl9Xu*D?PHCF1xf3=ow+!g zs(nVlw&^@mX_@A;1h$fDW>MFFP@V%O4ZC4P3G!3%>Y!+HcD@qaa{=1O(+1=u<4qI_hNfl%WCp^*e#Fj9UC+P>7wCIV_F zEiSXZg8Xk*odTqLDutI}dTVsio5Hv~V2y@q$T|hHSmV-p3mpfBrBf#B_oH2vI*xCG zA{V>Te}rPzL+D1c2%^4Pp}gg`6jv8P@bN#3&zzO0Bs9%=Y`&DGMs=8SWPZ)sfB5ZX zG52gE88>@rR)DR!q8il`5(FkuEm80=EQ*yyawXGONMvvouso>y0&O)Qc!@4%QT45x z8NyT)i)XT%9c55WHnq>BVdrduxSCnHnk}Kp> zlTY$W07z|AWWd~wIKC-=jrg}yUK8wz_{3J0!M^g_cA^cM*US?HwbL-tNxS-4h z-euagc$Gg{Pa8CEr)CYWp#(9cg>`dGJ}JQK=dxxGBFalSW7Uil$jCqMcMX*8AJ~@K zZtD>eBHxn2H1x|41v+pD*LQW!c|dDBo3STOA8RgSI_9*$hNi~*KAKr|a?>#S#;PjL zERYmGR?&_1WAXTE;)^#Nk#+z5Bp5!|pyqkG2BhkoD&JW{)cBUK4j4`Ix@HPSkkj1!vSor^>UcCu1cf*+jab2+<2 z;NHd+Gxd}tbFjwAi}|Y4@7>Z_QRb(7nrU5KLaB-IR`a=An=l z*0<%D#8LA#YnO(ObtGVtCV190Pe5vm3xsU%p7yMb`(4>g-JTl8u-{J@^POa%;_()@xh|C4)>7kczaG zRWMQuiSS{Wk;suSq5w_;0!qKjEHZj`CwEU$qy2akO#N`V0b(l6`r z<)(rfa$BC{!X|;|wO-}r!UmH50k5HUzG_x7@-NUj4rc%Y*xH_ zY0rA8@8peY28>;kD72>RH`)V2^-ZN!nt?^~ywT*9y6b&HWNtfK!0L61$4mT~2)& zj*|UHeF=6+o$xh&#l_*XlZKL4sx&D_n+PVUBfQ9#><0sfHl^N$7bAxxJa6I7peqZl z`HH>%G1=Cl4Uc%!nU!p10)DY+o82{dMPu$eNG@rAw$$d3b!;R{T^>(K8rw5Pd~*gP zy@EO4^Kflle{zBPH%ggwYaiz~f98NF+lwNuWS60b7gKI!{2!bj7eePF%JLXT?_xam zT36LrWSj1y#;Ns%fC}MIr5@wSWj2%2f^%C=R2?> zT^{2G^dNJtv)yPf(N9(2Ei<+9LKG#Lc#*;V(`@QDGR@|E!!}5UD3+dmp79UutrVdJ zIp=Ja9e(eSJt3^LTah`N*!!$1z4tGA8_TlplFRRLD-=1)GG}2n#E%r7kijS0GPUt3 zlA2>#LDyoQ+$xKn$*%H_*Da_-^9l#pCfSzh&Z?ikn2Yee``^O6_bg)d%as_5rD!v$?Q0 zYNg`U`oWTJh;!HDwa0C?@S7i$^|;kxJzsy_HX^HQLp1{?L0lp)vl<&?YgbZzuV{it zZl)MsGC#k}O8)h&7jGG>?K%9kD?VX)PmTa(Z#|l5hcznMMwCanQ-Ywn&oT;+c-ks= zPEi^9MOB0BVes8M_G>-TU^uTEmM-Ps2WRGX-O|e+EZ7smDd9PKM=sLc9TP?eFD~Sn zBMr7SE1hGQymoP&uyS+b*!$bd6MgH&=?8h(;~?(8+<=@yo>=j1dye>`*KrFX8YSEs zV8=pNK&AB;ShAPx4gOY%;S3-Xp5vyPZ$jHhL{xe-yH-2XI81b`d(GriIXlC#UkwnVXcRIIl?#LlLTbP61lLx`U?Zcy?TSc{+tE1|)7b>m zDemdc9X`Hw=MhlJ%tps2ZWV{V-s3XTtO5@tyaMV98m#*|jaA$#>n^@mrpS|GR$D>P zr2#lC@sGs{1!tW&+nURei#MPdoh998#S)0?O-J1eYHZHTVl7%sE0AYeV5X)*OrdrS@U7tSu?R{R#*|uh%xfjt9ushMP^hq-<%%D?JSYYzRjGiTVi6nYuO+q1g1yq>lZv1*qSqYofYyB~~5#c`sf7~gE8SrSg`$=0$Ku24fbT4OSk3`s* zL~!PD#rvmUK4tsEGaNEOKxPEdI;@o9E>SOdd4K!t^IP~-9`S>xX6&M0>4D_GE87H0 zkmy$Ss0N)Kn2acXsD@YV2H*8zLWoZgDik!+3ke}VlRDyq=g&SGe)>Vz!uf|}nS~p5 z{u>?I6mGWqB_WBWb0lxb@eBO?|7FWEzRJ(h@25KDxR7K&{4u6oflOju>+7Z;6cocG zA2HwvsNsZIpNNSaxtpwgZyQx;joL6|1T&!p9v&(qhNokj|8cWAR#93_?#My>!g!23 zG%##T$j-+DCySVEU>Y^_CqEXk+FEGO58ut{_j)^c*?evFB}r&uUcPKS(-o3q4IFrI z1fnNEvd-x{3ASQ(s>vC+>j?Bj3rM#oy|Hh>TKI8%TI#KbY{hTbN1LFW(_{YmvYE^ycJ$g zn!)=-1s?ST1&X>+Siqg3b^%ITWTONDjT+Mh3ji#zVj9K_@c!o~EISE;$|Z!L84{Y9IwTp>Z?6 zI-GNEKphK|f!0-y_(e$Gb_xTLC@ECFhVKy8Npz`weB-8`**E*l2H%EyhUp3*K(92{ zMjoN=t~}n0vAG!yJX}yKtni86n5WHVEw9y5L!XM7DRNPaHKYN!ANJd<%uw z8FKOG5+WJz2o;jqU#nW#oTrCXWF|3$q zFCasT1c<^7icH}&QUaG|&TJ4-?ivLHU&z&pBl>DGre}B@bx}17Jo2a2dUx=>AwD}> zBoCvcPga0Vva+=es zGjII}`-oHAUa!PYD(4y8?A$fdUw>)E2g%*&P+(HI3-WalATy&3Q&lVZV#^ID+EmiP z#%)nk)(OHc#LA~)04sw{Eo||Jauf}Ox4T2@HX4+S z-D;NF)KiB%QaMkaEAObH1BzVsn&n5;mVb>cc^?FxDF@b~0LdCVoMOi9M^;PE$Xa8~ zIuawuu`Vf?B)ViyHFz{hb`Tc0(fA=oeBh|TY?mdT&yUcIeMBNcG!0qYlHs%2ivOGr zZ98ERl~x8M_cRmtM#*&KPOqBYI>B*dUT>)5?YK_)q4GoMPOWQZCe?*0f5E-5Jl1|w zPKkS4&}vc-$%Mfq?Wl(O65#++=z>-;`QA~d)1dEv8d={TBTH^#gnlhG);+K&n@8y# z5L@r4LoU~>>Kpz(UF)fUjsDnHMK803H(s)UuM-Wv72O zvv^BmEF&mX_BJrjRZVX$IQ-%P9}u%@@OL;MXBh8H&{3l6U;O1 zIUR%~D(^KEJMT`!`Gyi!Qc$e2&*Wa;{*XY1wp!Ij79aP4Ph2v-w#Dwwt;J!-h;LGN=l{x1+ z){!+-FQYwY0-!TLfD3AH3HsAOSvXO1bBKUirKoxo`}vNxvbQ~)V%d?S`r;!Q-960= z+3!g2_V?H}Z4@WgeN{1Fr}KpH={CY9QuJFm^Ix29(Pyxt>gqi?C0i_YCNDO;(v#Zo zEDs{D;FBb0lPI4{sLA?cO4aklFd^=D z3&l8%yaQ=&LO~a#47Se+Mb)bd+_%XeD6W@dv!%-)2)sTGw*LfzXyWuQ@iHIAbvJE& z1qWwrE1vGgsc-)pEuqQ7ji3gRfL~V_R&r}6T#Z^)u&_#csAKJtrW+EoTztj%-@)|^ zR?t9+mtW8x!v(qPc%)eyuIDGEjoz;`BXULxA--L%j*UATH$z{RO3QHgZ();@llB;&<5E6CG3dXrxdvk zFLU!}i@?$W&rsDi*P&=cdiZIp{U#37ksn)c96@EO6)#OMvctYYQmz3T9=tuqj(nFhvKn3Ml!tMo z)Sa4F4^9({9);_oS)GoH?ZEpQ_x)!s{V8$ta8#Nb-6sD5?6 zcq3*)~tt)*{nAxOe0J;VNT3b3W~8)Z6W#^X9{6o_)@Vd7AWBjZZ%5T&?Z$ zUy{X=%35Z|oR0MMH?di>D-4^QXS(0US>7&f$jL2aGOD@zdr}>@goyX6R*+|lV*vt=sF9HYdvxW5Brg|rY z@To@i$#AXazHvoud>!|AdgIw=}86C`RE$OFOt14{M zg&hH5IH(RFxo)|=ZO&!8sl#?{QORSwkXsF_`mv;$HTmGesRFjxHBI@qPMg=hPH!fXfkW;MrH>YhB#)M#=1M9tE{tE~6br*+^7)3rru zb@YcsmipTIPyJ6zNdGbeI5nGK1BV-(xylJ5TP}5d((bBh|@a2K6o?~y@5c^6&HSuPjV;&y`9EHxOV3u_&aix?}7O*Es`;f(%fdWe$C z7{Vpn>=7kNk>S-+SpcUzX#N5v_hnP?#4z;aplG>6tD6cIa78)YjXUkcvZjz(o`z>s zx$+upw`q~0h|h_$TRwa-*52fyw4fx==nL%jevk*r3h<8h?EPIDcDr}I?$fU zZLcTKb^B}Gc`j(!~0dek)Y|e{MS4Ipk&IX~4 zPwxDj8V(1;oLO288>N!VT!Qjx--Tu^E7Co_kN@U7e#AIrJ7L3hQ8XwJV)`BT^-Jwn`V5b%nK_K-;-Rz~s;owqnl=h)$)-Py8sWV>C*4il*L&L(J5=!2u=m^HOny#qm4L2=!6<0!n;w`AFp~D!LNGDrM zmFAlFg?k;FzPF|;Wph?`$5Ni#s8rB+Kl;dNRTg{W=f^2h%-T&yTM*`?e@ctVG`;%E zq`n3w^(kMg($fi|hW$agHZ2C4mEOA|@eGAF|J|~goB&IEwcSaKBJ%FXr1aCS>b;Au z*FVhfCiv^CFs=|&u`SJ2;JeX(?yXNWOiefGg3ETei*(J(O0=veDu+{8JhXptt8zB^ z99C9oy$?^U<&u>peQvSHxai0NLH_h}WI{on1lka6$hN8tu3pNap>4Wz9l5iESRq!> zUEQQe+FV>>ol3B1H(gR<^B+IDV-cG(ua$n$CbpMRY3jQSSMG(iGz};|)`g?DkQVR3 ze0#ZU`iwn|^Z8t3v{}Xx)s*N69LT&c8F?5M{N{$%ep1kT1`cNDr3gjw1{tT_KfB9=?6|U}c;+yZmyPhir7F_~nVa=fy_XzbxvBun2 z%dbcl8d3!`y6xyExW~5NL9p@LJJetYuYZ#)6=5BvnK_dtRak7J*(#kv+hb;WyI!|{ zt386~z3`o7@@irHCj*$B?S+OSo5i9?#hEXN(xt<&?lU_13v8xeLQe3KnCit$Otx(drWP`4BcJ5TyCXcU*Y4r=)6c+g20)zMXWxhhj}jJ;Wy4^3K8FrVIZX zGfFw;$FkxexIFn)Y0X9Zm8JqOIq$jo!@XKFWIW<2Bj@C(g*|dxNcO1f=2MoxUc`-B znc5ZXG-gMaP*Nwzm9oR&w&Y^DcEzcxxvssuDz_{|olB@*^lZz$N?2rfVAu7i`6O~h zN6S6@1bD&hlJH9ON?}f4BMIZq6jjblb4IgXYvyjHVZVmyKbhs7;Tq3OT#>MqAG8=q zhr}?eqhs|@g7~%VQyWDf)#bSb1WI9jdO#AvYCR1`9AT(M|t_uBHsf~;pYBM&yB;ITj z%EtG7FtOFC;8oCv|RAe`7x_aWVNELJ+|5?e#_s>CA90NcBDA7e7Q;QDR2_ML{jaM zxeQSq!TTW5xXiW-TD4_vsI)sUHfksqo?Ud(u*&Wt09gwqUN^2Rev;EaTCH5xRiHOE| zM2g%JI|QE92TlOFpARC(fBc6Yr&X*(v2 za^@cY$q@4FNT}@XlR1JtIVH?T2qVJYF1rd%i5&(na(9I2_W?2xZus1~q_lC@83er@rBFwLWR;>=~UAe);BcFDTj(fSRAg*leVzx*`H4ybHS`4lg3>hqS>iqmq{(V zND8TH+h|3K9ex|S6Bz7w0*bKtuC zTD&rNEtZ=kdyO<6*_2?le(P7h)jgvZFptL?V4Isw(OF*5Q-{iJ^Go*Y>)HJ)9*}t= zB_l6r_V%U1l^RYXtI`-{SN%YYzUO!xo~P62i`$FG>Wxu0`|U|{!o9vuEIF{cByaz< zL`->K+3K^y@Sj=c(~zE3D@BGKB3wQy4 z1!c3ujm;?^J8iT*1K*n*UM%cH zT9x{zcS?#jkO`2&gKSRXlGcIu5qo-?iCF1O#?C+$IkaxarK}8t-^IDfwQ9K}M*3i@ z`eS|3OoP`1b@{T?NnD)rcV+WZ9Y$WO6_&Gx$@!BhaG4fE;+KU0axYnS( zTLeE=p?6HXXI*$GP|(|Uxns>a0=wQ+iKJYbdg9<&UBfR?igGjyDq7{0U{B3ak$_TR zbw0WFbC=|filf~g$4G*|e&%hNyDEgFzkTC}q}e97^akrB*u=TxHkP7Xz`jEdmhSv> z`uW9xR}^Hig86rqCHVLol}Hl5lEsO*?((txlO>QsPlZ=CW_=Z?Lc()`$9rwskvHGn z)7s_twW^xhx=mzuOa6e_i@}))w><1=^+U`-D!W;OL#ti$7E<{nIFp}ZHZ%sdKyo$n zV0`3!DZ*l#0hFC;jwx}FE}s~(xjR+xZ(uyyc=_ZYE50>c+y)LCB{7lzhrIU;Xlh&f zhfzdD4`M@)AaK-!D2S*u0Rcq?rMFN*Q;?QW1wscKqDWEcy%R{GhYq0#h(IDG2_zH| zB$AL&6CfeUKlgdwd+z2_--2^A3ph?a)`@ z%yLoO_qLxwDJZRPcM9K>`FW1AA#RV@gZHwT7-bRA@Ae657kfeFi)9*q`}X7zTF24v z8e?lHD!XOn9OK&79@b(k)mog{Izxwh6^vY2i;f)%aeAOUUf4z_(DG^PGt#2y0WHgd zJ7GC`S!=$t`~@gbjOq12?`?mOG>BM8dYSG0$_cqD4)0co59?M&%~m(@1lC?QyI-RX^+Dv1JL$kna3GwFx&-@r9DtnHfXLGjHeIDP6aAobn+<-On)Hq%^WBnH<)Sql!s@Z6Z(uqEr@Z zy0vp-=1dG}_=5P(AuPicNzKr)L^qy*xok6_AC%Fz2O4f@50H41PA9b&nh@(7^5FKM zC3Z@T_tzOUu|N4K(>Nh?wW6uWZ!1dIc$4RfCL?0X3K+HUNh0~Xu5rwaYbBpy~rdD)?g@uJx%X2p&QpiM=)nHatCkrGbB&0qLuyOnq)gYTg9$g|G ztor-S6NNWVj@m?Dur=iVsML9?2KtIUR6!#QG1%xB-;oMmpMex^)54;OLKd%4o8QnQ_YYcfBw+X%e^-a$R4g!~W+-ofSI6Ar`C1lIDZkx%ALJ=gs0H;x?7X&Y?& zp2rM9bSO`BJ=4;=2IlJ#!zhNy8yqjULEF!x); z-6ffeKc^;w@L!=xu#lW+xW^Iu0T~-dRF0};&g884EtlNC8c6n5Y>5ie8t`-WH_Jrq_*=WMc3matY;{rX$n)Od6CvFA9gqOkPm1cmeUcjOG{Ik+B!xKuqELe){ z-ymt|1yL|j(@;6Y$a@qQSl#LLx;z?&S~VK)?d1H_nq>wYIsO8bd%GDGbfHQ&@B4eJ z@djo+sFDRm#I|xezS5!7)Lm9mRPfxY2W32Y>EN-hGvf?FXjrnx?B-B-@&MwdD-Af3 z_ucY@O_MdWb7{BiXxbB)@lx6ED~s-W{ry2^jn!KL2aXKVjRNd$#SHkST1 zcRgY*s=q*2u%?mEvmZ^wHDi!xCKukXZX{~jk@q;+E_v{rlL+u_*jtr7h_y3$@KiQu z^=~(IA7_;bui@!egyg9++u`}GRfGP*O?(S}w zRpn(YsQ^W^2&g#+Mq5z|m2vqbB}E0JlP&JCVO zq5m#AG<6{3RF$JZ#t~O>fz;`;KQ;IL@6QD8_TA%ecapj_>355cM6{0Guj%B>hi$2e z-W~kK({<5d<=BXGt1M$S1qu;666n1Vd6Aff40M=)+31dhEN4XU{~1R>C;FcW81Eds zy0UC=tb1woD7L|GP8;crc8XxGm;-^?OE-5DPYb!rfn$sZxw+mN(gK$+-cNMBu5xz)Yf(V0@PR(SF z%%e2gqpCW!*D6h7>TTx84*vYR#RdWQ(t?afF1ONI_5hvmOb~t*c-d9<-;=Ef`dnlrAn==zKhs#z0=aL0dk-jsn%k;KYNM~1QXUz_K%p&tH zf!>~6K=8;p%g2Yh%KQ!6G{xqqpPru^hak>F1#@^ycMb{YTqZQJ%YcmN<>G#me?Qag z=80EA2C`r8?04D~l+9mTo#Qgq_Sf81ud7yMYt&b(nF`EphhK|d1=9utX`OXzPxsdd zTvv~nt{o_-lNwiT4>`NfRzL^H+;LA1ER+0a1qEKni(IhX`L$b%%U_XprX8tqj@~T` zJ99UzwpxiDzA2(LX&JD4-L<;6N}x?4ZB66FP_IO_$6wXFq1JhjYws_2At-$F_)LKIQwb zy%@qs#jULWb{S|$iNl-iJJTiBE48{3Q2qCRNG{;dkJ$ULe?{6_E5$MDin{vL9l;+K zwbgB(t$7k8V{knjI6EifZ)|EK;x*)4Xz~8NApkpi{@1MWc zmGY_&qgbaM9`Gj@eqA*RpHs|E`E*r*#Q`5-xtc~+XO z{=dWgO#1I(;*VcDQWIl^l5P9>oo||w@9b}Gh^*GZs@SEzBG5yY&IvTP|1V)y1FvU# z2>kf=BsoIn|GjvNpLlTq_8}XA41F%Oy5@%<;ra_{jsMv|KL1~{es}!ZUR{g>!${zI z@|Z(hncYEw>#<`ArvGa23s4^V_ggLSqUXe`hx_)rj_j?SCbupUh0M%vl<&Jcc=P(d zw<7@oAwEC;Ly`Y!+>O0|_{{&^B_MX}!v8H(1O%*Zzj^Y{lm7R1v-#uyUk7tI#|3|O z3SX81XBXFMjofii?^#fW)CKQ3M;crrW`@Nc8P7Y#`e1s8k&0Y|BwF;eeD7A@epBw1=!&UaQ{U>chMFztH z{K{p(ZdENHLqkPr^N1xF=DUmRh_auU9o~R??Fmy=popmEnc@GC!2c?rlxvsHmN!SR z=j z(O>_JwZ0W|#synv_pR9sKxhnW3FVLc&*jGF%@@*5`P(qRKtARNQ&~mcR1y@nB+sWP z!@!bak}pxE3KNG&W5`bvKwq==;$d%rD>}U@b>IZuAg74Vo%)j_(|5&Zl@ z52N>b!0$b{DOl6L9;*~QCaxiNruz5n-qHWOT|X=?9yt0#Uw)-(UwkJ9w0M4kS$35^ zyuW8+x2iUrQhOr4t>~?itmY=7F3&muVK$a;M7?P%qA6mo7IIl2wF9^i98%9R3FO&S zgW|^JD$L0`zmpfppirwQwTT!FM~_^Oc#pxQ;BPfjufcOw^FA|tnQR`r6>S}?i`2th zmNYf;_gJ!#cN$%9JFVvV3gqaDy$wawlXIc*WK&|yS_Q)vP&BFt|D<{9AD-!w@yG3M zlF@23dHnVq8S?U9I*6r-Nz(RcekYr*>DcVwomE#~@5U%7E{;C0c5i#egD*2zNq%VD z;$X^%{B>PyZT9mF$4{G?_=FsUSl;Ty$Ih9FJH^?rj8AK_w{FsaO%6wA4Xs->;eWLO z$y!l3WSAsiGnINLr}DMEjpuCc14ic7=T=;;I}KPd;IzK`iH*LzTvmlYr2$Xfj)Zsj zd#$8uiUEu@8X>uttJmteEA<+U;KX!vz1d)x+0%op22^(8% zUAN>9Hcel}eG5pO#$7=z9#(}8_DKxC5^W}m@(ap?0d7h@LF+HwEJJW?Kcp||sD^E? zu4GuF(ZCxH$F=sZY8_v&evC>U*~Hf_-=Qmt`@iN$Wf8epSq2eEUVa5k_--i*X`CIT zppC~FD~P*K@q5LH1tq+?_LOr};aq1!&oFj?q@TVLREFT*^~+l+*B`z^Zr_1&o?U1s zWg;ia(6|q7R>0?DrH@;gM6lTT^N7O2zdTwgFnI2u4PTiGiIINd6mat`_0#$S4i+Eu z%B(7|bc7 zd(Jo}f_Ja^4Pp#zh_wJ<)|x{%Cn>AQCVZ-?B4nHGtnOQ&0;Bsv+hVAxJG%vpYFacb z%4uao=J>2$I_c=Ffwo)iylr4Oyw{#TAuTP52!|+oa8@}Dgs@wW^;L}~&JN~Ghe>goJfF0s;~_GhY#nVYx7%TPaAzyv zg*4s!npkU+#EefM=8z#~*Dq-4Ys5ZQzs1DO>HK0j$wMuGoaB-3-|W!GLKCt@b;{C3 zkV%-S(g}3G=Z6ktJ|l;_X(NJPjdtGAv-7e>b3KY72Prn1=fg>Vs|?32^}x zdTS#GI&PC}N^b{;KZzB$U9iJ+L$|tfb+UHDR1$THe)lhBKKt9VIylM${2$np zatD24k%#QsRuhcY=}P;y7j)D?14j>gkeu+&GAM6a0HLsxtr1UG*G;~2ntVX&sOPEb z#}E|8v)}~`2^3LDI9I%my;Df7Qr$EtAs*M-u-BoAR+Vdv28gfc)W#15I{&6+`y7G< zu0U!iLFbBh&R|YCJ>}?oz7T%rE^S{TBqQ9lbZX4~bN}49x|#s^=n-p_#%R36Q^vB^ zsC&6i+Qee5IVIq=a2F8~ZHd3W8FyOC^HqM%jV~es5&LUY*;*h~D|RQoHtY76H_=*S zX>0iBWx2sT7{0i=pBY4Q^3n5pC)`B|icd$U{W#!d6Ip9Rcfqeyk2gnyCX7EVMLx2j zko!csfUW(NEy7o%iRbxy38pK zYJM*OY0n9~pQidk6~7_%Z|ep(R63P(G277q)r8} z6okrxO`edSP`=B1Agc4EBc>e`%gPl^FZ`xrJa^uVP!&6KM5pWK9Z2$+N#?l|wfko0 zn3}jspCs!0ziC(hMo{5QA8T|Udur7{1yDwJ1o<+++s&^y;$s1w;k@UK*(^=xC=9eG z$s<5WZ7py*sfZ9tB#WzjH_kp&KKb@ z>xrR#Rj&VNasqB6WU~Dai;5Cvld=_R#i;DE!o(K2-)p*=%piVNO!cMfI3srj5`R-0 zJNO0|6Wv;wlrl1G&0>mWZ@==GdM2qUFGNVNwp#xDFiC?JUhx#=?G}yFJL(*U2X5ci z;t@o*9%fI~fQyx%*h)9iYJ(fkAT*a|HFTPjG(`EwMg`9K()6*9psi_j$yayt!sMb3 zG-ivdR`Wehh$JNYZuJzKI~_E_zV15gligXAkzGb$@S^s9qzO8W2FDlh#KN5Eu z$KLl#4_Kl?$!C_EV&vTVf@DHr%h8_^9a+Bhdc92Tp&bgMS;8n;ic}_QV0O3GKJG2- zsaoB!t7SFc5Cukrl$6Vw?6B{{axFnJ(l=;0u>RO+iE4RVb_(%;CQ{Ghgh)(|aK%A-i5ZvNuFnjPxljHf3 za*zu)M+|fbvJ#(8a>6NN+0k`I`gJR30oI{IH^rxLB8QgD%idD}n$-!Mz%3S)-gwQ9 zU7qe2P~c18$#4*5EslG!y~OqC~_Fh2cB z?u&L<*@!(?cE~qAK>id<$`YJ?8>>-uXhhvvK`&%m`d4FzFaB#pKRi%DtvMGO!@X&; z>PvzvF~cm&V#67t$BR*K-l&*=jSZsNZojz<9MbLxDo?M@DS4nUz7bX4LsL<}sdp)` z?NNRn`=QIkCM`3RturHdI|>_-42JY;M74V-Y|dg@+I40mSK%njIj5M9e%#SxeeKwr zV0ya~;DSN{AR^}8H<&`O4=V5*al2S`lC-fsN<=YZP#*Q{2FbOR2~-a3cEK@Rm{4#yX^2HBP_4a`g6UCSl>S{e}c zbi2}*l>DPLpcPLXm=4a|RvRL%&MnUho3s^XAMu$UV~L(F;MTJCJ}e$^Q+Lf~M3SfC z6>ynM&EVE4jeH0%msEMb;MkZ4hARaA)jnzv?Ca)Nc?Oy;7)@^MxQJ7ZZp>CiQ1{$y zju<=Q_2p^5MwofEP1P2TIQn|@kB|Nr2K*zwi3d6bn<207d)1)DlAqX%_?WV?zUoJlE>bg z562>{h3k{rHnmT65P-7_zCNbH_sNZV3YxI^ncL{cUa?m0Gn;q@kZHr#+61^<|6~Ps zHVSPt$<03Whthw*g)4?kY*&{|dX*xVTj~@kfA6YE&r)GyjIt#*I+gPF!)b(uF@G2; z#76O<`h0=6q&>KUi4tw-zv|6y=N@wK_k|#l{+FyEnGq3rYO#7pK}AM6S5~Py^lSLH$7?C|7TVbg3d3h{%U2 zWW;w!#N4<=!&2UIcB6mW^ffP)hm1czsTES> z)uQ_N)}H;67Q)rd=20GZ*a*44;@W``|FPm)wUy@QwR_$2SfgG8Da(3()YW5l|Crar9yK=F(h4 zufzSKr)uyt(ly;Ek=4WrecD>AmpW9FLTcUiH)+IwjI)J*!pr&LsQ%@-V? z?IFslV%%W-J<_BkvdkAR95{oAD^2+99sYHmn_|t0YGAGez6PJm(Fb$Rm>#Zzy^@o} zt&0)lmrLyE3LB=EJ+W;~gDLxLkV*UG9+J;iHfqst-Rt&CWqKu?Oy7Gvkatr7;04yd z@^t=M6nKBkyktJZ`R2}I1o4Jn@iBE*;x(F4=%~Y?OE{+9cH_pk$G9RHt*xnB1q?qH z>a+VFIBt;IJMq&es?)V1U#FujOZ0rZEcsG<&*u$<#@y=VV^NLi1=@D9BbjHc>R)HK z8l#^lbyobnsxi#w1r{getb)2fiNY+qUR9D)YnhGH{EaJ;rytb-`W5%w^f5d}W8`|+ z!(W-V9jOkp!F=M=vTUq9r;m0M<3=0xn53+jW7DZaxav55wS;n^9jkR-o9kqy%brw_)uu5LPkpK*?#GPimo|Q@3FTQo! z6i)82OU(68Ziu0t0=m4?3d_wcArt&m+1Ab@8mt2<_N12&s8NBXm)Ow3(=Njv<&d`B zzbXxyQEvs36er{hP8$tEea=JE4jEsBS!@0pgzvUa{`z2LS5(B6%cu&JU+MHukqTW9 zmdR;>>}=896{c^@?v4Oeu^L>=Ui%ncTNdkoidg9U;^P|MssHn>)6qv!d_EV)exb|Iy-o}9_w+n)Lk)T$@n$y+isjV zKBCMBhnVrztj1+C`p)`#R-MKH>|?Xd)uEUSospJ7S0PxnIu%h;N}stj6!u zgZ=33TcW74uJ<2derT1mA-}SH(*}ztvP;)A%A>sVJ8h|CYieal@Y-*6**961EmeEJ zO0nm2er<3i3VuOhkQtbXJbA~0_8jU>G#LaN32b zqZ#P>65Qcn%YMQQ)VpxP)#yJ#5_iM+zDmREoHyvgN?HP@ZSY;Yhx-Rl-1-}3(deSP zhER09;UTS|jDEG{eT1mXq^l!mCh=jw=J`yCboiMv?b_gJfyw353Ni9UM!J~;OvS^^ z`C@H%E_}Ix3;0lT=3`h-jMhZO<)^-4wt2Ww#iNy3tY3!=7^SLJ@D#G@k7Jte+HdtC z--=u5&#!Fb4ESqT^ zrV0DQQl$Yn^2&T!I@U67FHQ^V7Iwep+_^v_>P3{-Pvl0(;@1g*mlwPSr*o!{FUh+$ zd>I}JHjqtXiJHxx#CJ6?LC$prFOUOdX>b!X-UpdE{p~gBGU(?AJX?G2VX~q~`<@!v z2=`t0bZZPdB>a9e!_Qw_h;KCPqs>y^X!*<|oyX+2vEP5&$HDTh!p=^P!2EikEcg0? zg`WYoV3W*F`19956eK6?ndF#n%#{4VQw7Z@J!k+C{-H?@4%cs}%+1~`Q>{L7ymaJ} z-iR)|ZKU4WYx7K#-CfG5Y){GULrw|xNt^);!j~c5?AobfAkBq++y*v1)Hk}`@(c%v zlbcSty~nIc&v6gaj3nlwaXq+6A5L?wDc~(SCN+hXC=3EhKb@mr$@$@sV?Eoo+@!yM zu0NWPOYuFt$z$yZt4Eh8>F>pq$Ew{(Lm~;eM9m?u-85FJN%$*7kwPFm&sP$b#shb( zPCSvhCK5V&m6|I%<@|0dk$Cb-MTbVWJx%%VVdvwhcigF_L5bpy#u|$T?#gVX(o)yk z20KJF8dzk~lw?l3IM5L4Xfq`8hO%``^60b{G0-16)p-|iS5W#siJK>3{GzU`Ct{If zefqh5u5RAyfPPxzt|_Lycu`%Ec|b$)c`tg1t4b8%sg7tln@V0?>@dNMUrm7=JC>Y6 zPC+T(VxE0IoxGxqJSnw}`84}6+`9imIbfE5?rU)6pv~%U)qjMLK&m|d9KquCXJwhz zH*xSK&IRtu@-*~^HUm) z(Jz;T+Ji&lwI_XHBx`W-vCgvd9b%yRG*+Lkhjp!^y+EA^fq+d{w@?f93r}OE3Ba3_>DB`J z&Y-liYIGHM=gF&R{MR>ff^sfA#Jv$E*c&{>1K7z|5_NNPVIfUnzEtnk=!DkboQicF z=W0T~B0+kASJ*~kUDcXteJ>2M1Bnub^$CY^rM#9a-vaHrXFsR*WiVHRiL2)qzJVs5 zr7B@nZ1bp@-zvSFJ?)AHCQD*AmDXBv)czrD%SqY36Z}9WFDKHNsb}3gu6m$# zejgkkuZDEd*ag$3DZ-To-A@BR$JuqQ+>7>t{nBO*d)_E-LiZgiyad+F13qe9f&_>2 z9p!??Y9X840UYk7!GW_75x;!sAC>@}(%G-mF`-3|RD3)eX(0^bFYb^ZK6NhI z^fHs*ws-PODBx_F$Xj7IlclPvw&^IxSk2D-rh%5dVvfrpe}JX>w}O>|3OzG98>W zufvFKnl+ZF=bv^12c9qu*(!i%q4VMMquNbO(MsbZ z?vCfN`pC28yq&Q|AY=57Tkfqgjl@D&aInupsLCqZL~sCUN%EYFpc5u=87t__B`>VD zC8*IFAs(h$g7>qM@9}Y$%z|=!>!+h~KiG zdSL%FODFk*W2YxOrQrK`^=zp*?@wq*iVi-hBrdq$GMs3Qj18aRwntkJ?a@w&Yo}-c zO1S)JI?LRA#fEUVCx%RVko*B_-%6%dt{sI`p4T=u)#~zrt%Q)^g3R zK2^WPP32eJ6gC{WC6n5y{@C~JEen*!7j@*v$=jAsH342!vijz?@sNCjau&aK!R{P- z|9FEo(KTJpbjssf4DUZNE>_pxJX!AzSwsj6K2iZ?ze#Z}I&yVT!D7g&L2nvo_Y@9<(G{L!Q92TifjDK5aiz~2o`A;FHO z<6H6u#y!Jrxg%!X`{7UH+nTD2b2FY%e=uMB-arCVS+f!zS`w2ziWV~jYp+5)MC=>;nynkS`r958{#yeZRaUPUD!*BriV2fTwze7RG0ArdRN4H5 zWf0%=iO)?9%fC&yR?n52hpj69UJQm_GJ2u~uPnbzGDkF?L%dL+GgcFac z{*MI^_ED-p)1+S8vGfP*A>cK#_*-n+`=iJU*s_?VRCKE6)pTc;C9lXxNlWTVb8rwU zeJ`RopEvNA)|T#BEk5$8TA<9at&AlG2j_I+Jnrj8%6&=Cz@GJr3uLc-1D)P2WZZV3 zQJOjVQITosw~;>|4T<#Fk!FUJk5ZuPqDaDU9CDLRK9#4=Hi_uLsGKGem4_yrqFlc@ zzqJDYRK5Pv38%$-#pi7;X|XGL*GzwnX2XD!nfQpjgC=*%_MxZBs$|ZMW5RnXgT+p| zW=Ho`S{qxAGNw<29m$N_indpf$k~Oe@two3x3VO?_Y8xh)+_>LhR>BMYUh;|!XDbZ z?$BtixrciHN^1^>DPvWRIpD76pR*kS&KitQL5H_r2S+tri}`EZ1E{+Ca65Qcl4I7U zEeSkC4w=V)wR0UyJ(!;^UAR@11+m>lIEr!;k}=)lqG7q z9XTL>r{|a|D@4EJvNhVq+W*%zw@5elGrbZb2d8g7zH} zO*dZV2FWN&l-q%=*)3X(C%DZ6o`NuhUZP$W3sT$S6ue+;m*EnRe_>)bhfY_+(J?{jpO zeU?!rnd70c`N1O#QkoM4Kph1Aickx3{xk!a)2>RBlV|Te^}r9rZD&7~HA*Zwq=~Ex z)@~wtm&wT?njv=Ikgswp6MV|wk4@FwRPzV2?fCIcVIArCOlzDt9<%Hq+~3e}KR>Xh z9Hw?|xnVEZcr?;9g7@$If3Se&KQgWSvJ`KX<5lY6On-$xtK zv4@YXTQ%errR4jss7T^!@<`WoDv5#Lty)BA6<^&`g7S9dQr2;n(XV=6N)nrTBb?qi ztXiijTrmmmp|p}6F^@xx=306+8{<^Nr`X9?znKCYN&c_A{)M&ScbC7`Cb6xX?5=5x zMZcC45}z0X0+!{*?*v+9taJbPM=ExSE!=u|@a5-6W*br|S30f(?{nc#+yHFVJ=Zq< zY%`(^-aYkg(2eCc!!*{9YA~W-yrc0}-y6f;32wgmMm|#ftGZs zyFm&LsR&mS)@0Yyh^EMifjdOMYOf7^KpfgGj!Xub>!zGLm-lK`TTgr zh;&dKI=&mlk4(BwYkx|Zu_xbFuzx4}qZo1Lf`l`TC29k|c)teERcW_$Md#qmV zFFIS)DQ=^dmVhnyDj?~4<>exjEoYP}xPSIR7^l91RqYcgInOf(PBy^*CakoEX)Iek zNQXTzv4DEUyhM|5+{U(Hl?an_&c@7xl7WI)^8O?*6q~0v-}mRZRZEWeOjz4)uRc;Z zo;EhZNlreR6Lf7b=J9yp+meYsZ04D<;Mi={Ahs-dGERmnJ=Am$Am*KcX>6?SmW*!1 zp8RR)#dPS8D3_s4*AFg!r@|mB-YRPn^kl2?om1jFwv7k(mR_`;0e))o_t0jU`4-V0 z#rF3N4oZ=|#|9ZPR|LVE>WaGA9SCMLn-K!@Vaih1?$Bx_Dj{oxEE(K;8z>(zRMDa4 z(zI^c3&unk2g|Q{CQo*)Ie(c#Ib_(32}v;F9#s6dnUqmLbaazNk5EWsX^ZLbE8vRvz~yM zwa=o~@>kp5EMv?A;)CQA-KmqThrr*$Kcm%6kK&~R;U59-t)?q9jh)3B+{f>!-<$*m zTMekEFB@>~^!cXtK+1A7@7o*&pKK2Iw`;v=q>}pzZeW%g5{VA*mXG88DVth3n zW)tGg=b{4{I|?^_ZD~DD$j7Ofh`0=eMWu1p1=+ER&EQo4X`!bma0oKe>QAQ`!(C`w& zhX#3NjsqwTi}<>q-!+rzJlV8o_daeW@7OU3{##j2p*PaC->Qit=GW_kLN0}HrsB@- z=AKew5LqMi-P2aiGY5xJ7_2$SqX);V3z=gy=F`2B9-C!DyoW^qX9t$5jSm653f(hG z3+MCVZxq0%WShQ{*NUwyP%`UUr!b zM%PF4OI8g6<&#$c$Z*a#BR~{BaHNl2P$0ui_l7_dliGI3?NwH*?>TM2JSH>TWX?Cn zfF$_#+$F#&Mlim^r`srxA=+!AM#vu1s`)c`vgfeN`bKUpO5|BJ@*M+X_@j z9+eSo7yayu=rrTWO@~*~xNR@&Q%jLX>vj!JbO1dI+#*b7%-!P-O3X2=c(K7hS1EQM_^O;2 zm{=(XG!7;*%=dc#Wyj}_P2QWCsCkYIJSU{~yUIL7=v{Y}@%PzkV^VrLOvO1H@}7@F^e%Z5`CGeqxh+q|;MwL_ z0E>X>_4PzpM9F5_J>jG$yygdcw5x~dmTFp$5RO?oDmI5FgfnuADj~6^5mN;T7UXx7 zvDjV%lPPNFqxmDEW@0xMN>L(sE{ftk8?*HX2N88NmPlwsC5^!Qy{s>=`GI7If;Iph z%v}w)+sl;{*jW{WOABZ1*`6H(Sm&`d%*`XnXIgHnWGL3Fg>#GVc;Hrh5hK4HFu1?T z7)8FuHMH87F^AW8g;-6C_^a#h{NkB4kiQj`XrFH*LgpeLNK1!UT3$HO5v0#+!DyQ% z##nTS$Ep*;nD5=PQH!`cq}=q|2IDE{AVJ_g>ljqD*+Pu(YIWO+q`9%t6?MlP9X3Bx zL62*l>$a0$8u6V(uHG(aMt8pa`^KkBM`sRR$Iy!m40g=yFqzgiC=DaPir|#^&ZI_g zhl&${IM|X~f^XTfL@M^FM7aA%``EVW*F}aKj?OI zM5AJ>v0;-zZIqF9`ckv(@2~GmeCxwc;UMWiOWm;!Flk%F(8H|9XCLEh$HO2_1C6qv*&!?il_pcYj|yi0Jj+=8AjGy&pVD9l z!#^AGUS-g#uNX>w}G1n`sFp|KG0 zfqoR48nET6u=}JmpV!{twcN`J9sNs-%QcdbHdburo`N&h$DZQZrsM8PBFV6bhP|zX*8;;o4 z*}z4PWNSVe$DeV!$Z*L}G$ImjX0Mem^ES1qP0u{aBIaCKdOE958KVt0`XK8KkfeIB z!BmUabub$d{cRGVQjjn@USED@WzJ%<7L>+}m|a+Omr2)1MgareMaHQGF$m6Xqb3^> z;my0fDU4jV-0GVu*wi(;#QLWSKLo<5nAROYoed0}i zq7Ren9Q8Nt7=&c0SYR}g!-mLdVly`r>ykR5j)vh^y#7yl=N`^v-v{uCQucIGNYXmI zDI+}@$zcvfJtXFkLz(Fj!$OfcH6$KIDCaN~62s)ovc(m>4s)JkY&q@0Mv*y;?Y()P z()(P`AMbm;f4=uW+qGT$UEkmD{$Ahv+I@dNpWlKEtYj?e={nKRm$S?02m5i?Y*^^^vy zslA1#XW0|3lJ-Xd?UHTceErK&hfm)b#*y3;%3GWXI|sotCH~|n3m4veU5qDBYI+`> zR^C?9vu46Tc;0oGbt8CTwB&t0;@RMPhT&Kz<|T*z$c%*Q!Y~-&P<^g#h^#=svE19O zo3|K1de#3qHk>%-I6dC#oz89?rmSyMAA8dH9C7JIL~m9i(2GekperHUTC0<`kMGu9 zhiWY2SR`QxkiN0}$yVN*@Pl9C8nC-!J$6CAM7LpT^+NSCl|~xhOdV2i$SG`hN3FhV zIU{`f(qyjipqyd90dnO=O;W`_9CNQGE9v*z`WFO0d?>bm|CpgA(kmXeEOL*{o0%1C zk^B5`AM7IWtA~4J;07$xjYr;=AZb9eECeN{pZ&hl2|NU!8#z^jnMkZT5Vgq0e3FFtMUERb+5g(4k(o<4XgY& z-(e;5`?9jKc{WwW^CazTgZR`*fCg=ym(tj~7xvzyHL^8q}G#6udieBMq zD-IA?TQtwh3-6q^HgS1RP|b*Lu7B*sc^w`I1pZlHSI7M4ocNkRuHH5~SJ{;#soHU4=$NeDFi2|)LLKf-|q5HanSyYMl= z1amX12u^jEd(zqK$JH(;56(flhjr01(5FSi6|znGXVKH`oZ{SpWb(bL@<3PR;Db;< zyHfR%mIagBT?c#Y%T0SvcVagXvRLBO8gZ98^%Av#fbW9(dzVH$!vo#iZw>ha>{h{` z@F~NQThh%%2X&;)xjlnJ&mCsGUAl`37krFPRv2~P1qS(c1YHT*BM%LEj}*p-r{#4b zhWP0G-`-!UidQM%M}|vhm_$e3ar1XqCt+}s=6mb2+tKf>A`fa_$UK~!b$RBIDR6}z zaKs@TY33D}i5yuqOj+Ia1zM2D>upl-;*?_qt4Ls%dOPQ8fJJL+oY0#uJKpRP0_^#4 zcpR~_yx)ANv#2<(#1bQl5`*M`pyb_U0l46Ky690AL(^tpkQ>}qlRSr=c!TsD{Nvmi z!*5}OK#4*}t<1Mi&QiODQI2YCMlt{=%v!-0I7fO4(# zXxN$a`Hu%a+_T_Lc$rfrBNfYV^|!OnwdpjE4UsRAUI{0!=C zmN|T!+M;MWZLK%7#~BAPq`e5~SRLKGR!D`C6?3 z_`I?Du7y=FxKbLoHD=lMRk7zsEN9Z*AizJ__Qo_1iOu(97K|IHo~AvT$zBq7#7aIQ zRfHWQ+?wvI-kMxPYY__aNGRv1)=>Cy_o&pVUaf|f(}HJ>^DNhznv76cs#h#ho`XKy zKh1+T%g9lA-XgD`j;6ad$L9EQx&az%x0)t`q-S1;a z-hw1ixLnY@2&i(E_cda-f{P)yE&sO(G0>gy%DZE=zeav%vNJ}m=ytT#4l??|rdw6%0}! zu8x{GH!n@=qRq**2_xoYb<@Yj7QZ2blV2 zvrFbS@EmUYI1mOG& zq_8T10`JBhqAyFRzq&>Vc)AP*75>Djw2axT$e>Emb?Th6o4~onXZS79Eai?JyCAKO zRchOE%AK>|i1OwvpiyCInBr5*#Gz{ClsrttAhiStuy6D!{4kQ0WKrdKgXVVjqXrnH z<;L+r{|zkfGtM`m@kplG26@-Z@&+p0iBfKrwHksMZ~J!KpCN=h0iyo*bWlpMvS$;7}AW1#JCM?&V$} zg?=Bv5WVuu%3TM0-fq#hF8R~eu(3ME;o3*i6V@=nA&!gN~%A%&JtK+M^kQ=U`1v*gZ9R``h!de9=Q@-Z+{_RUJE{?*CnbKcnuN>2 z;X})=?-myY+T4YBGT&5O8?_+ZSZ8@#t%fVNBaM|oV0P^DtGV+j80LURH&1El>FKF9 zuUh$VhG6~N)cE*pvmB$zX(9!?&4%PEY{zD@0=|5(71w5*k>p5-aU&vdguy8qLH$AB zbRlqyV=$h=VrrmlG|X;RVg+nOo;ZUL9*HiSN)$0m1A}m=Wg%<7Z0W2x+L+_Mm3-3* z5Ur>P(&@XFr2iDH+zH8H@3856Akvlz?>`zLcT{NF7dQ?6DC2ZZwvdq`42CZs62_)4 z&B^aRLR>|iW1WF=BqT^pmXQaQQ;QxBl~dZ60v>!>tgnZxD^^6;6)QHr(La^8k0-mf@+^6R(&Ch@u z4RnIJY&x<-b!@kKUo6w>#HT75cyA7R1W-bxX^e^k!R}8--%uRERO_PhyK-$ms z@rQ!TmN{X}4!Q>DL?R#jc |name: nginx| sb + sb --> |hello nginx!| sa + end + + subgraph otel + otc["Otel Collector"] + end + + subgraph observability + tempo["Tempo"] + grafana["Grafana"] + backend["Jaeger"] + zipkin["Zipkin"] + end + + subgraph ingress-nginx + ngx[nginx] + end + + subgraph ngx[nginx] + ng[nginx] + om[OpenTelemetry module] + end + + subgraph Node + app + otel + observability + ingress-nginx + om --> |otlp-gRPC| otc --> |jaeger| backend + otc --> |zipkin| zipkin + otc --> |otlp-gRPC| tempo --> grafana + sa --> |otlp-gRPC| otc + sb --> |otlp-gRPC| otc + start --> ng --> sa + end +``` + +To install the example and collectors run: + +1. Enable Ingress addon with: + + ```yaml + opentelemetry: + enabled: true + image: registry.k8s.io/ingress-nginx/opentelemetry:v20230107-helm-chart-4.4.2-2-g96b3d2165@sha256:331b9bebd6acfcd2d3048abbdd86555f5be76b7e3d0b5af4300b04235c6056c9 + containerSecurityContext: + allowPrivilegeEscalation: false + ``` + +2. Enable OpenTelemetry and set the otlp-collector-host: + + ```yaml + $ echo ' + apiVersion: v1 + kind: ConfigMap + data: + enable-opentelemetry: "true" + opentelemetry-config: "/etc/nginx/opentelemetry.toml" + opentelemetry-operation-name: "HTTP $request_method $service_name $uri" + opentelemetry-trust-incoming-span: "true" + otlp-collector-host: "otel-coll-collector.otel.svc" + otlp-collector-port: "4317" + otel-max-queuesize: "2048" + otel-schedule-delay-millis: "5000" + otel-max-export-batch-size: "512" + otel-service-name: "nginx-proxy" # Opentelemetry resource name + otel-sampler: "AlwaysOn" # Also: AlwaysOff, TraceIdRatioBased + otel-sampler-ratio: "1.0" + otel-sampler-parent-based: "false" + metadata: + name: ingress-nginx-controller + namespace: ingress-nginx + ' | kubectl replace -f - + ``` + +4. Deploy otel-collector, grafana and Jaeger backend: + + ```bash + # add helm charts needed for grafana and OpenTelemetry collector + helm repo add open-telemetry https://open-telemetry.github.io/opentelemetry-helm-charts + helm repo add grafana https://grafana.github.io/helm-charts + helm repo update + # deply cert-manager needed for OpenTelemetry collector operator + kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.yaml + # create observability namespace + kubectl apply -f https://raw.githubusercontent.com/esigo/nginx-example/main/observability/namespace.yaml + # install OpenTelemetry collector operator + helm upgrade --install otel-collector-operator -n otel --create-namespace open-telemetry/opentelemetry-operator + # deploy OpenTelemetry collector + kubectl apply -f https://raw.githubusercontent.com/esigo/nginx-example/main/observability/collector.yaml + # deploy Jaeger all-in-one + kubectl apply -f https://github.com/jaegertracing/jaeger-operator/releases/download/v1.37.0/jaeger-operator.yaml -n observability + kubectl apply -f https://raw.githubusercontent.com/esigo/nginx-example/main/observability/jaeger.yaml -n observability + # deploy zipkin + kubectl apply -f https://raw.githubusercontent.com/esigo/nginx-example/main/observability/zipkin.yaml -n observability + # deploy tempo and grafana + helm upgrade --install tempo grafana/tempo --create-namespace -n observability + helm upgrade -f https://raw.githubusercontent.com/esigo/nginx-example/main/observability/grafana/grafana-values.yaml --install grafana grafana/grafana --create-namespace -n observability + ``` + +3. Build and deploy demo app: + + ```bash + # build images + make images + + # deploy demo app: + make deploy-app + ``` + +5. Make a few requests to the Service: + + ```bash + kubectl port-forward --namespace=ingress-nginx service/ingress-nginx-controller 8090:80 + curl http://esigo.dev:8090/hello/nginx + + + StatusCode : 200 + StatusDescription : OK + Content : {"v":"hello nginx!"} + + RawContent : HTTP/1.1 200 OK + Connection: keep-alive + Content-Length: 21 + Content-Type: text/plain; charset=utf-8 + Date: Mon, 10 Oct 2022 17:43:33 GMT + + {"v":"hello nginx!"} + + Forms : {} + Headers : {[Connection, keep-alive], [Content-Length, 21], [Content-Type, text/plain; charset=utf-8], [Date, + Mon, 10 Oct 2022 17:43:33 GMT]} + Images : {} + InputFields : {} + Links : {} + ParsedHtml : System.__ComObject + RawContentLength : 21 + ``` + +6. View the Grafana UI: + + ```bash + kubectl port-forward --namespace=observability service/grafana 3000:80 + ``` + In the Grafana interface we can see the details: + ![grafana screenshot](../../images/otel-grafana-demo.png "grafana screenshot") + +7. View the Jaeger UI: + + ```bash + kubectl port-forward --namespace=observability service/jaeger-all-in-one-query 16686:16686 + ``` + In the Jaeger interface we can see the details: + ![Jaeger screenshot](../../images/otel-jaeger-demo.png "Jaeger screenshot") + +8. View the Zipkin UI: + + ```bash + kubectl port-forward --namespace=observability service/zipkin 9411:9411 + ``` + In the Zipkin interface we can see the details: + ![zipkin screenshot](../../images/otel-zipkin-demo.png "zipkin screenshot") diff --git a/internal/ingress/annotations/annotations.go b/internal/ingress/annotations/annotations.go index 14415a4f7..6a9e7367c 100644 --- a/internal/ingress/annotations/annotations.go +++ b/internal/ingress/annotations/annotations.go @@ -20,6 +20,7 @@ import ( "github.com/imdario/mergo" "k8s.io/ingress-nginx/internal/ingress/annotations/canary" "k8s.io/ingress-nginx/internal/ingress/annotations/modsecurity" + "k8s.io/ingress-nginx/internal/ingress/annotations/opentelemetry" "k8s.io/ingress-nginx/internal/ingress/annotations/proxyssl" "k8s.io/ingress-nginx/internal/ingress/annotations/sslcipher" "k8s.io/ingress-nginx/internal/ingress/annotations/streamsnippet" @@ -94,6 +95,7 @@ type Ingress struct { EnableGlobalAuth bool HTTP2PushPreload bool Opentracing opentracing.Config + Opentelemetry opentelemetry.Config Proxy proxy.Config ProxySSL proxyssl.Config RateLimit ratelimit.Config @@ -145,6 +147,7 @@ func NewAnnotationExtractor(cfg resolver.Resolver) Extractor { "EnableGlobalAuth": authreqglobal.NewParser(cfg), "HTTP2PushPreload": http2pushpreload.NewParser(cfg), "Opentracing": opentracing.NewParser(cfg), + "Opentelemetry": opentelemetry.NewParser(cfg), "Proxy": proxy.NewParser(cfg), "ProxySSL": proxyssl.NewParser(cfg), "RateLimit": ratelimit.NewParser(cfg), diff --git a/internal/ingress/annotations/opentelemetry/main.go b/internal/ingress/annotations/opentelemetry/main.go new file mode 100644 index 000000000..7dd292322 --- /dev/null +++ b/internal/ingress/annotations/opentelemetry/main.go @@ -0,0 +1,101 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package opentelemetry + +import ( + networking "k8s.io/api/networking/v1" + + "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/resolver" +) + +type opentelemetry struct { + r resolver.Resolver +} + +// Config contains the configuration to be used in the Ingress +type Config struct { + Enabled bool `json:"enabled"` + Set bool `json:"set"` + TrustEnabled bool `json:"trust-enabled"` + TrustSet bool `json:"trust-set"` + OperationName string `json:"operation-name"` +} + +// Equal tests for equality between two Config types +func (bd1 *Config) Equal(bd2 *Config) bool { + + if bd1.Set != bd2.Set { + return false + } + + if bd1.Enabled != bd2.Enabled { + return false + } + + if bd1.TrustSet != bd2.TrustSet { + return false + } + + if bd1.TrustEnabled != bd2.TrustEnabled { + return false + } + + if bd1.OperationName != bd2.OperationName { + return false + } + + return true +} + +// NewParser creates a new serviceUpstream annotation parser +func NewParser(r resolver.Resolver) parser.IngressAnnotation { + return opentelemetry{r} +} + +// Parse parses the annotations to look for opentelemetry configurations +func (c opentelemetry) Parse(ing *networking.Ingress) (interface{}, error) { + cfg := Config{} + enabled, err := parser.GetBoolAnnotation("enable-opentelemetry", ing) + if err != nil { + return &cfg, nil + } + cfg.Set = true + cfg.Enabled = enabled + if !enabled { + return &cfg, nil + } + + trustEnabled, err := parser.GetBoolAnnotation("opentelemetry-trust-incoming-span", ing) + if err != nil { + operationName, err := parser.GetStringAnnotation("opentelemetry-operation-name", ing) + if err != nil { + return &cfg, nil + } + cfg.OperationName = operationName + return &cfg, nil + } + + cfg.TrustSet = true + cfg.TrustEnabled = trustEnabled + operationName, err := parser.GetStringAnnotation("opentelemetry-operation-name", ing) + if err != nil { + return &cfg, nil + } + cfg.OperationName = operationName + return &cfg, nil +} diff --git a/internal/ingress/annotations/opentelemetry/main_test.go b/internal/ingress/annotations/opentelemetry/main_test.go new file mode 100644 index 000000000..619108fa6 --- /dev/null +++ b/internal/ingress/annotations/opentelemetry/main_test.go @@ -0,0 +1,170 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package opentelemetry + +import ( + "testing" + + api "k8s.io/api/core/v1" + networking "k8s.io/api/networking/v1" + meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/resolver" +) + +func buildIngress() *networking.Ingress { + defaultBackend := networking.IngressBackend{ + Service: &networking.IngressServiceBackend{ + Name: "default-backend", + Port: networking.ServiceBackendPort{ + Number: 80, + }, + }, + } + + return &networking.Ingress{ + ObjectMeta: meta_v1.ObjectMeta{ + Name: "foo", + Namespace: api.NamespaceDefault, + }, + Spec: networking.IngressSpec{ + DefaultBackend: &networking.IngressBackend{ + Service: &networking.IngressServiceBackend{ + Name: "default-backend", + Port: networking.ServiceBackendPort{ + Number: 80, + }, + }, + }, + Rules: []networking.IngressRule{ + { + Host: "foo.bar.com", + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + Path: "/foo", + Backend: defaultBackend, + }, + }, + }, + }, + }, + }, + }, + } +} + +func TestIngressAnnotationOpentelemetrySetTrue(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix("enable-opentelemetry")] = "true" + ing.SetAnnotations(data) + + val, _ := NewParser(&resolver.Mock{}).Parse(ing) + openTelemetry, ok := val.(*Config) + if !ok { + t.Errorf("expected a Config type") + } + + if !openTelemetry.Enabled { + t.Errorf("expected annotation value to be true, got false") + } + + if !openTelemetry.Set { + t.Errorf("expected annotation value to be true, got false") + } + + if openTelemetry.TrustSet { + t.Errorf("expected annotation value to be false, got true") + } +} + +func TestIngressAnnotationOpentelemetrySetFalse(t *testing.T) { + ing := buildIngress() + + // Test with explicitly set to false + data := map[string]string{} + data[parser.GetAnnotationWithPrefix("enable-opentelemetry")] = "false" + ing.SetAnnotations(data) + + val, _ := NewParser(&resolver.Mock{}).Parse(ing) + openTelemetry, ok := val.(*Config) + if !ok { + t.Errorf("expected a Config type") + } + + if openTelemetry.Enabled { + t.Errorf("expected annotation value to be false, got true") + } + + if !openTelemetry.Set { + t.Errorf("expected annotation value to be true, got false") + } +} + +func TestIngressAnnotationOpentelemetryTrustSetTrue(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + opName := "foo-op" + data[parser.GetAnnotationWithPrefix("enable-opentelemetry")] = "true" + data[parser.GetAnnotationWithPrefix("opentelemetry-trust-incoming-span")] = "true" + data[parser.GetAnnotationWithPrefix("opentelemetry-operation-name")] = opName + ing.SetAnnotations(data) + + val, _ := NewParser(&resolver.Mock{}).Parse(ing) + openTelemetry, ok := val.(*Config) + if !ok { + t.Errorf("expected a Config type") + } + + if !openTelemetry.Enabled { + t.Errorf("expected annotation value to be true, got false") + } + + if !openTelemetry.Set { + t.Errorf("expected annotation value to be true, got false") + } + + if !openTelemetry.TrustEnabled { + t.Errorf("expected annotation value to be true, got false") + } + + if !openTelemetry.TrustSet { + t.Errorf("expected annotation value to be true, got false") + } + + if openTelemetry.OperationName != opName { + t.Errorf("expected annotation value to be %v, got %v", opName, openTelemetry.OperationName) + } +} + +func TestIngressAnnotationOpentelemetryUnset(t *testing.T) { + ing := buildIngress() + + // Test with no annotation specified + data := map[string]string{} + ing.SetAnnotations(data) + + val, _ := NewParser(&resolver.Mock{}).Parse(ing) + _, ok := val.(*Config) + if !ok { + t.Errorf("expected a Config type") + } +} diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go index 5786b6776..da37ea3c9 100644 --- a/internal/ingress/controller/config/config.go +++ b/internal/ingress/controller/config/config.go @@ -568,6 +568,54 @@ type Configuration struct { // Default: true OpentracingTrustIncomingSpan bool `json:"opentracing-trust-incoming-span"` + // EnableOpentelemetry enables the nginx Opentelemetry extension + // By default this is disabled + EnableOpentelemetry bool `json:"enable-opentelemetry"` + + // OpentelemetryConfig sets the opentelemetry config file + // Default: /etc/nginx/opentelemetry.toml + OpentelemetryConfig string `json:"opentelemetry-config"` + + // OpentelemetryOperationName specifies a custom name for the server span + OpentelemetryOperationName string `json:"opentelemetry-operation-name"` + + // OpentelemetryTrustIncomingSpan sets whether or not to trust incoming trace spans + // If false, incoming span headers will be rejected + // Default: true + OpentelemetryTrustIncomingSpan bool `json:"opentelemetry-trust-incoming-span"` + + // OtlpCollectorHost specifies the host to use when uploading traces + OtlpCollectorHost string `json:"otlp-collector-host"` + + // OtlpCollectorPort specifies the port to use when uploading traces + // Default: 4317 + OtlpCollectorPort string `json:"otlp-collector-port"` + + // OtelServiceName specifies the service name to use for any traces created + // Default: nginx + OtelServiceName string `json:"otel-service-name"` + + // OtelSampler specifies the sampler to use for any traces created + // Default: AlwaysOff + OtelSampler string `json:"otel-sampler"` + + // OtelSamplerRatio specifies the sampler ratio to use for any traces created + // Default: 0.01 + OtelSamplerRatio float32 `json:"otel-sampler-ratio"` + + //OtelSamplerParentBased specifies the parent based sampler to be use for any traces created + // Default: false + OtelSamplerParentBased bool `json:"otel-sampler-parent-based"` + + // MaxQueueSize specifies the max queue size for uploading traces + OtelMaxQueueSize int32 `json:"otel-max-queuesize"` + + // ScheduleDelayMillis specifies the max delay between uploading traces + OtelScheduleDelayMillis int32 `json:"otel-schedule-delay-millis"` + + // MaxExportBatchSize specifies the max export batch size to used when uploading traces + OtelMaxExportBatchSize int32 `json:"otel-max-export-batch-size"` + // ZipkinCollectorHost specifies the host to use when uploading traces ZipkinCollectorHost string `json:"zipkin-collector-host"` @@ -917,6 +965,13 @@ func NewDefault() Configuration { BindAddressIpv4: defBindAddress, BindAddressIpv6: defBindAddress, OpentracingTrustIncomingSpan: true, + OpentelemetryTrustIncomingSpan: true, + OpentelemetryConfig: "/etc/nginx/opentelemetry.toml", + OtlpCollectorPort: "4317", + OtelServiceName: "nginx", + OtelSampler: "AlwaysOff", + OtelSamplerRatio: 0.01, + OtelSamplerParentBased: false, ZipkinCollectorPort: 9411, ZipkinServiceName: "nginx", ZipkinSampleRate: 1.0, diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index 20f8c8687..5d94605b5 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -1444,6 +1444,7 @@ func locationApplyAnnotations(loc *ingress.Location, anns *annotations.Ingress) loc.EnableGlobalAuth = anns.EnableGlobalAuth loc.HTTP2PushPreload = anns.HTTP2PushPreload loc.Opentracing = anns.Opentracing + loc.Opentelemetry = anns.Opentelemetry loc.Proxy = anns.Proxy loc.ProxySSL = anns.ProxySSL loc.RateLimit = anns.RateLimit diff --git a/internal/ingress/controller/nginx.go b/internal/ingress/controller/nginx.go index 5575009ea..80693db5c 100644 --- a/internal/ingress/controller/nginx.go +++ b/internal/ingress/controller/nginx.go @@ -673,6 +673,11 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error { return err } + err = createOpentelemetryCfg(cfg) + if err != nil { + return err + } + err = n.testTemplate(content) if err != nil { return err @@ -1056,6 +1061,29 @@ const datadogTmpl = `{ "dd.priority.sampling": {{ .DatadogPrioritySampling }} }` +const otelTmpl = ` +exporter = "otlp" +processor = "batch" + +[exporters.otlp] +# Alternatively the OTEL_EXPORTER_OTLP_ENDPOINT environment variable can also be used. +host = "{{ .OtlpCollectorHost }}" +port = {{ .OtlpCollectorPort }} + +[processors.batch] +max_queue_size = {{ .OtelMaxQueueSize }} +schedule_delay_millis = {{ .OtelScheduleDelayMillis }} +max_export_batch_size = {{ .OtelMaxExportBatchSize }} + +[service] +name = "{{ .OtelServiceName }}" # Opentelemetry resource name + +[sampler] +name = "{{ .OtelSampler }}" # Also: AlwaysOff, TraceIdRatioBased +ratio = {{ .OtelSamplerRatio }} +parent_based = {{ .OtelSamplerParentBased }} +` + func createOpentracingCfg(cfg ngx_config.Configuration) error { var tmpl *template.Template var err error @@ -1091,6 +1119,21 @@ func createOpentracingCfg(cfg ngx_config.Configuration) error { return os.WriteFile("/etc/nginx/opentracing.json", []byte(expanded), file.ReadWriteByUser) } +func createOpentelemetryCfg(cfg ngx_config.Configuration) error { + + tmpl, err := template.New("otel").Parse(otelTmpl) + if err != nil { + return err + } + tmplBuf := bytes.NewBuffer(make([]byte, 0)) + err = tmpl.Execute(tmplBuf, cfg) + if err != nil { + return err + } + + return os.WriteFile(cfg.OpentelemetryConfig, tmplBuf.Bytes(), file.ReadWriteByUser) +} + func cleanTempNginxCfg() error { var files []string diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go index f3283a782..9dc9fb3b8 100644 --- a/internal/ingress/controller/template/template.go +++ b/internal/ingress/controller/template/template.go @@ -265,6 +265,7 @@ var ( "buildAuthSignURL": buildAuthSignURL, "buildAuthSignURLLocation": buildAuthSignURLLocation, "buildOpentracing": buildOpentracing, + "buildOpentelemetry": buildOpentelemetry, "proxySetHeader": proxySetHeader, "buildInfluxDB": buildInfluxDB, "enforceRegexModifier": enforceRegexModifier, @@ -274,7 +275,9 @@ var ( "buildHTTPListener": buildHTTPListener, "buildHTTPSListener": buildHTTPSListener, "buildOpentracingForLocation": buildOpentracingForLocation, + "buildOpentelemetryForLocation": buildOpentelemetryForLocation, "shouldLoadOpentracingModule": shouldLoadOpentracingModule, + "shouldLoadOpentelemetryModule": shouldLoadOpentelemetryModule, "buildModSecurityForLocation": buildModSecurityForLocation, "buildMirrorLocations": buildMirrorLocations, "shouldLoadAuthDigestModule": shouldLoadAuthDigestModule, @@ -1239,6 +1242,33 @@ func buildOpentracing(c interface{}, s interface{}) string { return buf.String() } +func buildOpentelemetry(c interface{}, s interface{}) string { + cfg, ok := c.(config.Configuration) + if !ok { + klog.Errorf("expected a 'config.Configuration' type but %T was returned", c) + return "" + } + + servers, ok := s.([]*ingress.Server) + if !ok { + klog.Errorf("expected an '[]*ingress.Server' type but %T was returned", s) + return "" + } + + if !shouldLoadOpentelemetryModule(cfg, servers) { + return "" + } + + buf := bytes.NewBufferString("") + + buf.WriteString("\r\n") + + if cfg.OpentelemetryOperationName != "" { + buf.WriteString(fmt.Sprintf("opentelemetry_operation_name \"%s\";\n", cfg.OpentelemetryOperationName)) + } + return buf.String() +} + // buildInfluxDB produces the single line configuration // needed by the InfluxDB module to send request's metrics // for the current resource @@ -1360,6 +1390,13 @@ func opentracingPropagateContext(location *ingress.Location) string { return "opentracing_propagate_context;" } +func opentelemetryPropagateContext(location *ingress.Location) string { + if location == nil { + return "" + } + return "opentelemetry_propagate;" +} + // shouldLoadModSecurityModule determines whether or not the ModSecurity module needs to be loaded. // First, it checks if `enable-modsecurity` is set in the ConfigMap. If it is not, it iterates over all locations to // check if ModSecurity is enabled by the annotation `nginx.ingress.kubernetes.io/enable-modsecurity`. @@ -1575,6 +1612,36 @@ func buildOpentracingForLocation(isOTEnabled bool, isOTTrustSet bool, location * return opc } +func buildOpentelemetryForLocation(isOTEnabled bool, isOTTrustSet bool, location *ingress.Location) string { + isOTEnabledInLoc := location.Opentelemetry.Enabled + isOTSetInLoc := location.Opentelemetry.Set + + if isOTEnabled { + if isOTSetInLoc && !isOTEnabledInLoc { + return "opentelemetry off;" + } + } else if !isOTSetInLoc || !isOTEnabledInLoc { + return "" + } + + opc := opentelemetryPropagateContext(location) + if opc != "" { + opc = fmt.Sprintf("opentelemetry on;\n%v", opc) + } + + if location.Opentelemetry.OperationName != "" { + opc = opc + "\nopentelemetry_operation_name " + location.Opentelemetry.OperationName + ";" + } + + if (!isOTTrustSet && !location.Opentelemetry.TrustSet) || + (location.Opentelemetry.TrustSet && !location.Opentelemetry.TrustEnabled) { + opc = opc + "\nopentelemetry_trust_incoming_spans off;" + } else { + opc = opc + "\nopentelemetry_trust_incoming_spans on;" + } + return opc +} + // shouldLoadOpentracingModule determines whether or not the Opentracing module needs to be loaded. // First, it checks if `enable-opentracing` is set in the ConfigMap. If it is not, it iterates over all locations to // check if Opentracing is enabled by the annotation `nginx.ingress.kubernetes.io/enable-opentracing`. @@ -1606,6 +1673,35 @@ func shouldLoadOpentracingModule(c interface{}, s interface{}) bool { return false } +// shouldLoadOpentelemetryModule determines whether or not the Opentelemetry module needs to be loaded. +// It checks if `enable-opentelemetry` is set in the ConfigMap. +func shouldLoadOpentelemetryModule(c interface{}, s interface{}) bool { + cfg, ok := c.(config.Configuration) + if !ok { + klog.Errorf("expected a 'config.Configuration' type but %T was returned", c) + return false + } + + servers, ok := s.([]*ingress.Server) + if !ok { + klog.Errorf("expected an '[]*ingress.Server' type but %T was returned", s) + return false + } + + if cfg.EnableOpentelemetry { + return true + } + + for _, server := range servers { + for _, location := range server.Locations { + if location.Opentelemetry.Enabled { + return true + } + } + } + return false +} + func buildModSecurityForLocation(cfg config.Configuration, location *ingress.Location) string { isMSEnabledInLoc := location.ModSecurity.Enable isMSEnableSetInLoc := location.ModSecurity.EnableSet diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go index cb1ebd1b7..343da506b 100644 --- a/internal/ingress/controller/template/template_test.go +++ b/internal/ingress/controller/template/template_test.go @@ -37,6 +37,7 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations/authreq" "k8s.io/ingress-nginx/internal/ingress/annotations/influxdb" "k8s.io/ingress-nginx/internal/ingress/annotations/modsecurity" + "k8s.io/ingress-nginx/internal/ingress/annotations/opentelemetry" "k8s.io/ingress-nginx/internal/ingress/annotations/opentracing" "k8s.io/ingress-nginx/internal/ingress/annotations/ratelimit" "k8s.io/ingress-nginx/internal/ingress/annotations/rewrite" @@ -1150,6 +1151,26 @@ func TestOpentracingPropagateContext(t *testing.T) { } } +func TestOpentelemetryPropagateContext(t *testing.T) { + tests := map[*ingress.Location]string{ + {BackendProtocol: "HTTP"}: "opentelemetry_propagate;", + {BackendProtocol: "HTTPS"}: "opentelemetry_propagate;", + {BackendProtocol: "AUTO_HTTP"}: "opentelemetry_propagate;", + {BackendProtocol: "GRPC"}: "opentelemetry_propagate;", + {BackendProtocol: "GRPCS"}: "opentelemetry_propagate;", + {BackendProtocol: "AJP"}: "opentelemetry_propagate;", + {BackendProtocol: "FCGI"}: "opentelemetry_propagate;", + nil: "", + } + + for loc, expectedDirective := range tests { + actualDirective := opentelemetryPropagateContext(loc) + if actualDirective != expectedDirective { + t.Errorf("Expected %v but returned %v", expectedDirective, actualDirective) + } + } +} + func TestGetIngressInformation(t *testing.T) { testcases := map[string]struct { @@ -1723,6 +1744,37 @@ func TestBuildOpenTracing(t *testing.T) { } +func TestBuildOpenTelemetry(t *testing.T) { + invalidType := &ingress.Ingress{} + expected := "" + actual := buildOpentelemetry(invalidType, []*ingress.Server{}) + + if expected != actual { + t.Errorf("Expected '%v' but returned '%v'", expected, actual) + } + + cfgNoHost := config.Configuration{ + EnableOpentelemetry: true, + } + expected = "\r\n" + actual = buildOpentelemetry(cfgNoHost, []*ingress.Server{}) + + if expected != actual { + t.Errorf("Expected '%v' but returned '%v'", expected, actual) + } + + cfgOpenTelemetry := config.Configuration{ + EnableOpentelemetry: true, + OpentelemetryOperationName: "my-operation-name", + } + expected = "\r\n" + expected += "opentelemetry_operation_name \"my-operation-name\";\n" + actual = buildOpentelemetry(cfgOpenTelemetry, []*ingress.Server{}) + if expected != actual { + t.Errorf("Expected '%v' but returned '%v'", expected, actual) + } +} + func TestEnforceRegexModifier(t *testing.T) { invalidType := &ingress.Ingress{} expected := false @@ -1903,6 +1955,107 @@ func TestShouldLoadOpentracingModule(t *testing.T) { } } +func TestOpentelemetryForLocation(t *testing.T) { + trueVal := true + falseVal := false + + loadOT := `opentelemetry on; +opentelemetry_propagate; +opentelemetry_trust_incoming_spans on;` + loadOTUntrustedSpan := `opentelemetry on; +opentelemetry_propagate; +opentelemetry_trust_incoming_spans off;` + testCases := []struct { + description string + globalOT bool + isSetInLoc bool + isOTInLoc *bool + globalTrust bool + isTrustSetInLoc bool + isTrustInLoc *bool + expected string + }{ + {"globally enabled, without annotation", true, false, nil, true, false, nil, loadOT}, + {"globally enabled and enabled in location", true, true, &trueVal, true, false, nil, loadOT}, + {"globally disabled and not enabled in location", false, false, nil, true, false, nil, ""}, + {"globally disabled but enabled in location", false, true, &trueVal, true, false, nil, loadOT}, + {"globally trusted, not trusted in location", true, false, nil, true, true, &falseVal, loadOTUntrustedSpan}, + {"not globally trusted, trust set in location", true, false, nil, false, true, &trueVal, loadOT}, + {"not globally trusted, trust not set in location", true, false, nil, false, false, nil, loadOTUntrustedSpan}, + } + + for _, testCase := range testCases { + il := &ingress.Location{ + Opentelemetry: opentelemetry.Config{Set: testCase.isSetInLoc, TrustSet: testCase.isTrustSetInLoc}, + } + if il.Opentelemetry.Set { + il.Opentelemetry.Enabled = *testCase.isOTInLoc + } + if il.Opentelemetry.TrustSet { + il.Opentelemetry.TrustEnabled = *testCase.isTrustInLoc + } + + actual := buildOpentelemetryForLocation(testCase.globalOT, testCase.globalTrust, il) + + if testCase.expected != actual { + t.Errorf("%v: expected '%v' but returned '%v'", testCase.description, testCase.expected, actual) + } + } +} + +func TestShouldLoadOpentelemetryModule(t *testing.T) { + // ### Invalid argument type tests ### + // The first tests should return false. + expected := false + + invalidType := &ingress.Ingress{} + actual := shouldLoadOpentelemetryModule(config.Configuration{}, invalidType) + if expected != actual { + t.Errorf("Expected '%v' but returned '%v'", expected, actual) + } + + actual = shouldLoadOpentelemetryModule(invalidType, []*ingress.Server{}) + if expected != actual { + t.Errorf("Expected '%v' but returned '%v'", expected, actual) + } + + // ### Functional tests ### + actual = shouldLoadOpentelemetryModule(config.Configuration{}, []*ingress.Server{}) + if expected != actual { + t.Errorf("Expected '%v' but returned '%v'", expected, actual) + } + + // All further tests should return true. + expected = true + + configuration := config.Configuration{EnableOpentelemetry: true} + actual = shouldLoadOpentelemetryModule(configuration, []*ingress.Server{}) + if expected != actual { + t.Errorf("Expected '%v' but returned '%v'", expected, actual) + } + + servers := []*ingress.Server{ + { + Locations: []*ingress.Location{ + { + Opentelemetry: opentelemetry.Config{ + Enabled: true, + }, + }, + }, + }, + } + actual = shouldLoadOpentelemetryModule(config.Configuration{}, servers) + if expected != actual { + t.Errorf("Expected '%v' but returned '%v'", expected, actual) + } + + actual = shouldLoadOpentelemetryModule(configuration, servers) + if expected != actual { + t.Errorf("Expected '%v' but returned '%v'", expected, actual) + } +} + func TestModSecurityForLocation(t *testing.T) { loadModule := `modsecurity on; ` diff --git a/mkdocs.yml b/mkdocs.yml index c76a640f6..62c0ccf48 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -101,6 +101,7 @@ nav: - Third party addons: - ModSecurity Web Application Firewall: "user-guide/third-party-addons/modsecurity.md" - OpenTracing: "user-guide/third-party-addons/opentracing.md" + - OpenTelemetry: "user-guide/third-party-addons/opentelemetry.md" - Examples: - Introduction: "examples/index.md" - Prerequisites: "examples/PREREQUISITES.md" diff --git a/pkg/apis/ingress/types.go b/pkg/apis/ingress/types.go index 9395683ec..08a2f7575 100644 --- a/pkg/apis/ingress/types.go +++ b/pkg/apis/ingress/types.go @@ -35,6 +35,7 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations/log" "k8s.io/ingress-nginx/internal/ingress/annotations/mirror" "k8s.io/ingress-nginx/internal/ingress/annotations/modsecurity" + "k8s.io/ingress-nginx/internal/ingress/annotations/opentelemetry" "k8s.io/ingress-nginx/internal/ingress/annotations/opentracing" "k8s.io/ingress-nginx/internal/ingress/annotations/proxy" "k8s.io/ingress-nginx/internal/ingress/annotations/proxyssl" @@ -360,6 +361,9 @@ type Location struct { // Opentracing allows the global opentracing setting to be overridden for a location // +optional Opentracing opentracing.Config `json:"opentracing"` + // Opentelemetry allows the global opentelemetry setting to be overridden for a location + // +optional + Opentelemetry opentelemetry.Config `json:"opentelemetry"` } // SSLPassthroughBackend describes a SSL upstream server configured diff --git a/pkg/apis/ingress/types_equals.go b/pkg/apis/ingress/types_equals.go index 2485f8a7b..8a54f3758 100644 --- a/pkg/apis/ingress/types_equals.go +++ b/pkg/apis/ingress/types_equals.go @@ -464,6 +464,10 @@ func (l1 *Location) Equal(l2 *Location) bool { return false } + if !l1.Opentelemetry.Equal(&l2.Opentelemetry) { + return false + } + if !l1.Mirror.Equal(&l2.Mirror) { return false } diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl old mode 100755 new mode 100644 index 958397dd5..014c8cc2a --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -37,6 +37,10 @@ load_module /etc/nginx/modules/ngx_http_modsecurity_module.so; load_module /etc/nginx/modules/ngx_http_opentracing_module.so; {{ end }} +{{ if (shouldLoadOpentelemetryModule $cfg $servers) }} +load_module /modules_mount/etc/nginx/modules/otel/otel_ngx_module.so; +{{ end }} + daemon off; worker_processes {{ $cfg.WorkerProcesses }}; @@ -64,6 +68,10 @@ events { } http { + {{ if (shouldLoadOpentelemetryModule $cfg $servers) }} + opentelemetry_config {{ $cfg.OpentelemetryConfig }}; + {{ end }} + lua_package_path "/etc/nginx/lua/?.lua;;"; {{ buildLuaSharedDictionaries $cfg $servers }} @@ -322,6 +330,7 @@ http { limit_conn_status {{ $cfg.LimitConnStatusCode }}; {{ buildOpentracing $cfg $servers }} + {{ buildOpentelemetry $cfg $servers }} include /etc/nginx/mime.types; default_type {{ $cfg.DefaultType }}; @@ -695,6 +704,9 @@ http { opentracing off; {{ end }} + {{ if $cfg.EnableOpentelemetry }} + opentelemetry off; + {{ end }} location {{ $healthzURI }} { return 200; } @@ -1063,6 +1075,11 @@ stream { opentracing_propagate_context; {{ end }} + {{ if (or $all.Cfg.EnableOpentelemetry $location.Opentelemetry.Enabled) }} + opentelemetry on; + opentelemetry_propagate; + {{ end }} + access_log off; # Ensure that modsecurity will not run on an internal location as this is not accessible from outside @@ -1204,6 +1221,7 @@ stream { set $global_rate_limit_exceeding n; {{ buildOpentracingForLocation $all.Cfg.EnableOpentracing $all.Cfg.OpentracingTrustIncomingSpan $location }} + {{ buildOpentelemetryForLocation $all.Cfg.EnableOpentelemetry $all.Cfg.OpentelemetryTrustIncomingSpan $location }} {{ if $location.Mirror.Source }} mirror {{ $location.Mirror.Source }}; @@ -1520,6 +1538,10 @@ stream { opentracing off; {{ end }} + {{ if $all.Cfg.EnableOpentelemetry }} + opentelemetry off; + {{ end }} + access_log off; return 200; } @@ -1531,6 +1553,10 @@ stream { opentracing off; {{ end }} + {{ if $all.Cfg.EnableOpentelemetry }} + opentelemetry off; + {{ end }} + {{ range $v := $all.NginxStatusIpv4Whitelist }} allow {{ $v }}; {{ end }} diff --git a/test/e2e/framework/exec.go b/test/e2e/framework/exec.go index 0284e768c..d91d36551 100644 --- a/test/e2e/framework/exec.go +++ b/test/e2e/framework/exec.go @@ -21,6 +21,7 @@ import ( "encoding/json" "fmt" "io" + "os" "os/exec" "regexp" "strconv" @@ -111,7 +112,11 @@ func (f *Framework) NamespaceContent() (string, error) { // newIngressController deploys a new NGINX Ingress controller in a namespace func (f *Framework) newIngressController(namespace string, namespaceOverlay string) error { // Creates an nginx deployment - cmd := exec.Command("./wait-for-nginx.sh", namespace, namespaceOverlay) + isChroot, ok := os.LookupEnv("IS_CHROOT") + if !ok { + isChroot = "false" + } + cmd := exec.Command("./wait-for-nginx.sh", namespace, namespaceOverlay, isChroot) out, err := cmd.CombinedOutput() if err != nil { return fmt.Errorf("unexpected error waiting for ingress controller deployment: %v.\nLogs:\n%v", err, string(out)) diff --git a/test/e2e/run-e2e-suite.sh b/test/e2e/run-e2e-suite.sh index b1de8bf9a..a3bf589cd 100755 --- a/test/e2e/run-e2e-suite.sh +++ b/test/e2e/run-e2e-suite.sh @@ -76,6 +76,7 @@ kubectl run --rm \ --restart=Never \ --env="E2E_NODES=${E2E_NODES}" \ --env="FOCUS=${FOCUS}" \ + --env="IS_CHROOT=${IS_CHROOT:-false}"\ --env="E2E_CHECK_LEAKS=${E2E_CHECK_LEAKS}" \ --env="NGINX_BASE_IMAGE=${NGINX_BASE_IMAGE}" \ --overrides='{ "apiVersion": "v1", "spec":{"serviceAccountName": "ingress-nginx-e2e"}}' \ diff --git a/test/e2e/settings/opentelemetry.go b/test/e2e/settings/opentelemetry.go new file mode 100644 index 000000000..92d202cb3 --- /dev/null +++ b/test/e2e/settings/opentelemetry.go @@ -0,0 +1,119 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package settings + +import ( + "strings" + + "github.com/onsi/ginkgo/v2" + + "k8s.io/ingress-nginx/test/e2e/framework" +) + +const ( + enableOpentelemetry = "enable-opentelemetry" + opentelemetryTrustIncomingSpan = "opentelemetry-trust-incoming-span" + + opentelemetryOperationName = "opentelemetry-operation-name" + opentelemetryLocationOperationName = "opentelemetry-location-operation-name" + opentelemetryConfig = "opentelemetry-config" + opentelemetryConfigPath = "/etc/nginx/opentelemetry.toml" +) + +var _ = framework.IngressNginxDescribe("Configure Opentelemetry", func() { + f := framework.NewDefaultFramework("enable-opentelemetry") + + ginkgo.BeforeEach(func() { + f.NewEchoDeployment() + }) + + ginkgo.AfterEach(func() { + }) + + ginkgo.It("should not exists opentelemetry directive", func() { + config := map[string]string{} + config[enableOpentelemetry] = "false" + f.SetNginxConfigMapData(config) + + f.EnsureIngress(framework.NewSingleIngress(enableOpentelemetry, "/", enableOpentelemetry, f.Namespace, "http-svc", 80, nil)) + + f.WaitForNginxConfiguration( + func(cfg string) bool { + return !strings.Contains(cfg, "opentelemetry on") + }) + }) + + ginkgo.It("should exists opentelemetry directive when is enabled", func() { + config := map[string]string{} + config[enableOpentelemetry] = "true" + config[opentelemetryConfig] = opentelemetryConfigPath + f.SetNginxConfigMapData(config) + + f.EnsureIngress(framework.NewSingleIngress(enableOpentelemetry, "/", enableOpentelemetry, f.Namespace, "http-svc", 80, nil)) + + f.WaitForNginxConfiguration( + func(cfg string) bool { + return strings.Contains(cfg, "opentelemetry on") + }) + }) + + ginkgo.It("should include opentelemetry_trust_incoming_spans on directive when enabled", func() { + config := map[string]string{} + config[enableOpentelemetry] = "true" + config[opentelemetryConfig] = opentelemetryConfigPath + config[opentelemetryTrustIncomingSpan] = "true" + f.SetNginxConfigMapData(config) + + f.EnsureIngress(framework.NewSingleIngress(enableOpentelemetry, "/", enableOpentelemetry, f.Namespace, "http-svc", 80, nil)) + + f.WaitForNginxConfiguration( + func(cfg string) bool { + return strings.Contains(cfg, "opentelemetry_trust_incoming_spans on") + }) + }) + + ginkgo.It("should not exists opentelemetry_operation_name directive when is empty", func() { + config := map[string]string{} + config[enableOpentelemetry] = "true" + config[opentelemetryConfig] = opentelemetryConfigPath + config[opentelemetryOperationName] = "" + f.SetNginxConfigMapData(config) + + f.EnsureIngress(framework.NewSingleIngress(enableOpentelemetry, "/", enableOpentelemetry, f.Namespace, "http-svc", 80, nil)) + + f.WaitForNginxConfiguration( + func(cfg string) bool { + return !strings.Contains(cfg, "opentelemetry_operation_name") + }) + }) + + ginkgo.It("should exists opentelemetry_operation_name directive when is configured", func() { + config := map[string]string{} + config[enableOpentelemetry] = "true" + config[opentelemetryConfig] = opentelemetryConfigPath + config[opentelemetryOperationName] = "HTTP $request_method $uri" + f.SetNginxConfigMapData(config) + + f.EnsureIngress(framework.NewSingleIngress(enableOpentelemetry, "/", enableOpentelemetry, f.Namespace, "http-svc", 80, nil)) + + f.WaitForNginxConfiguration( + func(cfg string) bool { + return strings.Contains(cfg, `opentelemetry_operation_name "HTTP $request_method $uri"`) + }) + }) + +}) diff --git a/test/e2e/wait-for-nginx.sh b/test/e2e/wait-for-nginx.sh index 190f71e6d..153d348c2 100755 --- a/test/e2e/wait-for-nginx.sh +++ b/test/e2e/wait-for-nginx.sh @@ -23,6 +23,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" export NAMESPACE=$1 export NAMESPACE_OVERLAY=$2 +export IS_CHROOT=$3 echo "deploying NGINX Ingress controller in namespace $NAMESPACE" @@ -46,6 +47,16 @@ metadata: EOF +OTEL_MODULE=$(cat < Date: Wed, 22 Mar 2023 18:50:22 -0700 Subject: [PATCH 238/405] Update exposing-tcp-udp-services.md (#9777) --- docs/user-guide/exposing-tcp-udp-services.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/user-guide/exposing-tcp-udp-services.md b/docs/user-guide/exposing-tcp-udp-services.md index 6b595ffae..63293f0e5 100644 --- a/docs/user-guide/exposing-tcp-udp-services.md +++ b/docs/user-guide/exposing-tcp-udp-services.md @@ -63,3 +63,9 @@ spec: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx ``` +Then, the configmap should be added into ingress controller's deployment args. +``` + args: + - /nginx-ingress-controller + - --tcp-services-configmap=ingress-nginx/tcp-services +``` From 72ff21ed9e26cb969052c753633049ba8a87ecf9 Mon Sep 17 00:00:00 2001 From: James Strong Date: Wed, 22 Mar 2023 23:26:22 -0400 Subject: [PATCH 239/405] kick off 1.7.0 build (#9775) Signed-off-by: James Strong --- TAG | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TAG b/TAG index 9dc820555..b13f0e3bc 100644 --- a/TAG +++ b/TAG @@ -1,2 +1,2 @@ -v1.6.4 +v1.7.0 From 7865825cf018624bef7a76fb8481e39dcd2032bc Mon Sep 17 00:00:00 2001 From: James Strong Date: Fri, 24 Mar 2023 09:45:31 -0400 Subject: [PATCH 240/405] release notes v1.7.0 Signed-off-by: James Strong --- README.md | 1 + TAG | 2 +- changelog/Changelog-1.7.0.md | 78 + charts/ingress-nginx/Chart.yaml | 22 +- charts/ingress-nginx/README.md | 8 +- .../changelog/Changelog-4.6.0.md | 24 + charts/ingress-nginx/values.yaml | 1652 ++++++++--------- deploy/static/provider/aws/deploy.yaml | 44 +- .../aws/nlb-with-tls-termination/deploy.yaml | 44 +- deploy/static/provider/baremetal/deploy.yaml | 44 +- deploy/static/provider/cloud/deploy.yaml | 44 +- deploy/static/provider/do/deploy.yaml | 44 +- deploy/static/provider/exoscale/deploy.yaml | 44 +- deploy/static/provider/kind/deploy.yaml | 44 +- deploy/static/provider/scw/deploy.yaml | 44 +- docs/e2e-tests.md | 277 +-- docs/user-guide/exposing-tcp-udp-services.md | 6 + magefiles/release.go | 2 +- 18 files changed, 1283 insertions(+), 1141 deletions(-) create mode 100644 changelog/Changelog-1.7.0.md create mode 100644 charts/ingress-nginx/changelog/Changelog-4.6.0.md diff --git a/README.md b/README.md index 855c47418..f3f68366e 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,7 @@ the versions listed. Ingress-Nginx versions may work on older versions but the p | Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version | |-----------------------|------------------------------|----------------|---------------| +| v1.7.0 | 1.26, 1.25, 1.24 | 3.17.2 | 1.21.6 | | v1.6.4 | 1.26, 1.25, 1.24, 1.23 | 3.17.0 | 1.21.6 | | v1.5.1 | 1.25, 1.24, 1.23 | 3.16.2 | 1.21.6 | | v1.4.0 | 1.25, 1.24, 1.23, 1.22 | 3.16.2 | 1.19.10† | diff --git a/TAG b/TAG index 9dc820555..b13f0e3bc 100644 --- a/TAG +++ b/TAG @@ -1,2 +1,2 @@ -v1.6.4 +v1.7.0 diff --git a/changelog/Changelog-1.7.0.md b/changelog/Changelog-1.7.0.md new file mode 100644 index 000000000..6a938c5f5 --- /dev/null +++ b/changelog/Changelog-1.7.0.md @@ -0,0 +1,78 @@ +# Changelog + +### 1.7.0 +Images: + + * registry.k8s.io/ingress-nginx/controller:v1.7.0@sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7 + * registry.k8s.io/ingress-nginx/controller-chroot:v1.7.0@sha256:e84ef3b44c8efeefd8b0aa08770a886bfea1f04c53b61b4ba9a7204e9f1a7edc + +### All Changes: + +* kick off 1.7.0 build (#9775) +* Update exposing-tcp-udp-services.md (#9777) +* feat: OpenTelemetry module integration (#9062) +* drop k8s 1.23 support (#9772) +* Fix canary-weight-total annotation ignored in rule backends (#9729) +* fix: controller psp's volume config (#9740) +* Fix several Helm YAML issues with extraModules and extraInitContainers (#9709) +* docs(helm): fix value key in readme for enabling certManager (#9640) +* updated digest and sha for e2e-test-echo (#9760) +* updated digest and sha for e2e-test-fastcgi-helloserver (#9759) +* updated digest and sha for opentelemetry (#9758) +* updated digest and sha for e2e-test-cfssl (#9757) +* updated kube-webhook-certgen digest and tags (#9756) +* updated nginx-error digest and tags (#9755) +* added upgrade ginkgo documentation for contributors (#9753) +* changes Makefile of echo folder to trigger code-build (#9754) +* Chart: Drop `controller.headers`, rework DH param secret. (#9659) +* updated NGINX_BASE image with latest tag (#9747) +* Deployment/DaemonSet: Label pods using `ingress-nginx.labels`. (#9732) +* bumped ginkgo to v2.9.0 (#9722) +* HPA: autoscaling/v2beta1 deprecated, bump apiVersion to v2 for defaultBackend (#9731) +* update to golang 1.20 (#9690) +* Indent values.yaml using 2 instead of 4 spaces (#9656) +* fix some comments (#9688) +* migrate mitchellh/hashstructure to v2 (#9651) +* changed v1.6.3 to v1.6.4 on deploy docs (#9647) +* controller: Don't panic when ready condition in a endpointslice is missing (#9550) +* Rework Ginkgo usage (#9522) +* code clean for fsnotify (#9571) +* Optimize the document for readability (#9551) +* sets.String is deprecated: use generic Set instead. new ways: s1 := Set[string]{} s2 := New[string]() (#9589) +* Adjust the import package order and use http library variables (#9587) +* Optimize the judgment mode to remove redundant transformations (#9588) +* Fix rewrite example (#9633) +* remove tests and regex path checks (#9626) +* Fix incorrect annotation name in upstream hashing configuration (#9617) +* Release docs for Controller v1.6.3 and Helm v4.5.0 (#9614) + +### Dependencies updates: +* Bump aquasecurity/trivy-action from 0.8.0 to 0.9.2 (#9767) +* Bump k8s.io/component-base from 0.26.2 to 0.26.3 (#9764) +* Bump actions/dependency-review-action from 3.0.3 to 3.0.4 (#9766) +* Bump actions/add-to-project from 0.4.0 to 0.4.1 (#9765) +* Bump actions/dependency-review-action from 3.0.2 to 3.0.3 (#9727) +* Bump github.com/prometheus/common from 0.41.0 to 0.42.0 (#9724) +* Bump golang.org/x/crypto from 0.6.0 to 0.7.0 (#9723) +* Bump actions/download-artifact from 3.0.1 to 3.0.2 (#9721) +* Bump goreleaser/goreleaser-action from 4.1.0 to 4.2.0 (#9718) +* Bump actions/upload-artifact from 3.1.1 to 3.1.2 (#9717) +* Bump docker/setup-buildx-action from 2.2.1 to 2.5.0 (#9719) +* Bump helm/chart-releaser-action from 1.4.1 to 1.5.0 (#9720) +* Bump github.com/onsi/ginkgo/v2 from 2.6.1 to 2.9.0 (#9695) +* Bump k8s.io/klog/v2 from 2.90.0 to 2.90.1 (#9694) +* Bump golang.org/x/crypto in /magefiles (#9691) +* Bump k8s.io/component-base from 0.26.1 to 0.26.2 (#9696) +* Bump github.com/prometheus/common from 0.40.0 to 0.41.0 (#9698) +* Bump sigs.k8s.io/controller-runtime from 0.14.2 to 0.14.5 (#9697) +* Bump golang.org/x/net in /magefiles (#9692) +* Bump golang.org/x/sys in /images/custom-error-pages/rootfs (#9671) +* Bump github.com/stretchr/testify from 1.8.1 to 1.8.2 (#9675) +* Bump github.com/prometheus/common from 0.39.0 to 0.40.0 (#9653) +* Bump golang.org/x/net from 0.6.0 to 0.7.0 (#9646) +* Bump golang.org/x/net in /images/kube-webhook-certgen/rootfs (#9645) +* Bump google.golang.org/grpc from 1.52.3 to 1.53.0 (#9610) +* Bump github.com/prometheus/client_golang (#9630) +* Bump golang.org/x/crypto from 0.5.0 to 0.6.0 (#9609) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.6.3...controller-controller-v1.7.0 diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index 21779e195..130fe06fd 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml @@ -1,13 +1,21 @@ annotations: artifacthub.io/changes: | - - "add lint on chart before release (#9570)" - - "ci: remove setup-helm step (#9404)" - - "feat(helm): Optionally use cert-manager instead admission patch (#9279)" - - "run helm release on main only and when the chart/value changes only (#9290)" - - "Update Ingress-Nginx version controller-v1.6.4" + - "Upgrade alpine 3.17.2" + - "Upgrade golang 1.20" + - "Drop testing/support for Kubernetes 1.23" + - "docs(helm): fix value key in readme for enabling certManager (#9640)" + - "Update Ingress-Nginx version controller-v1.7.0" + - "feat: OpenTelemetry module integration (#9062)" + - "canary-weight-total annotation ignored in rule backends (#9729)" + - "fix controller psp's volume config (#9740)" + - "Fix several Helm YAML issues with extraModules and extraInitContainers (#9709)" + - "Chart: Drop `controller.headers`, rework DH param secret. (#9659)" + - "Deployment/DaemonSet: Label pods using `ingress-nginx.labels`. (#9732)" + - "HPA: autoscaling/v2beta1 deprecated, bump apiVersion to v2 for defaultBackend (#9731)" + - "Fix incorrect annotation name in upstream hashing configuration (#9617)" artifacthub.io/prerelease: "false" apiVersion: v2 -appVersion: 1.6.4 +appVersion: 4.6.0 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer engine: gotpl @@ -24,4 +32,4 @@ maintainers: name: ingress-nginx sources: - https://github.com/kubernetes/ingress-nginx -version: 4.5.2 +version: 4.5.4 diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 9659df139..dcd5af57e 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.5.2](https://img.shields.io/badge/Version-4.5.2-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square) +![Version: 4.5.4](https://img.shields.io/badge/Version-4.5.4-informational?style=flat-square) ![AppVersion: 4.6.0](https://img.shields.io/badge/AppVersion-4.6.0-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. @@ -333,13 +333,13 @@ Kubernetes: `>=1.20.0-0` | controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.image.allowPrivilegeEscalation | bool | `true` | | | controller.image.chroot | bool | `false` | | -| controller.image.digest | string | `"sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f"` | | -| controller.image.digestChroot | string | `"sha256:0de01e2c316c3ca7847ca13b32d077af7910d07f21a4a82f81061839764f8f81"` | | +| controller.image.digest | string | `"sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7"` | | +| controller.image.digestChroot | string | `"sha256:e84ef3b44c8efeefd8b0aa08770a886bfea1f04c53b61b4ba9a7204e9f1a7edc"` | | | controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.registry | string | `"registry.k8s.io"` | | | controller.image.runAsUser | int | `101` | | -| controller.image.tag | string | `"v1.6.4"` | | +| controller.image.tag | string | `"v1.7.0"` | | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass | diff --git a/charts/ingress-nginx/changelog/Changelog-4.6.0.md b/charts/ingress-nginx/changelog/Changelog-4.6.0.md new file mode 100644 index 000000000..469aaba8c --- /dev/null +++ b/charts/ingress-nginx/changelog/Changelog-4.6.0.md @@ -0,0 +1,24 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.5.3 + +* docs(helm): fix value key in readme for enabling certManager (#9640) +* Upgrade alpine 3.17.2 +* Upgrade golang 1.20 +* Drop testing/support for Kubernetes 1.23 +* docs(helm): fix value key in readme for enabling certManager (#9640) +* Update Ingress-Nginx version controller-v1.7.0 +* feat: OpenTelemetry module integration (#9062) +* canary-weight-total annotation ignored in rule backends (#9729) +* fix controller psp's volume config (#9740) +* Fix several Helm YAML issues with extraModules and extraInitContainers (#9709) +* Chart: Drop `controller.headers`, rework DH param secret. (#9659) +* Deployment/DaemonSet: Label pods using `ingress-nginx.labels`. (#9732) +* HPA: autoscaling/v2beta1 deprecated, bump apiVersion to v2 for defaultBackend (#9731) +* Fix incorrect annotation name in upstream hashing configuration (#9617) + +* Update Ingress-Nginx version controller-v1.7.0 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.5.2...helm-chart-4.6.0 diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 1a538f810..6627bf220 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -14,148 +14,541 @@ commonLabels: {} # myLabel: aakkmd controller: - name: controller - image: - ## Keep false as default for now! - chroot: false - registry: registry.k8s.io - image: ingress-nginx/controller - ## for backwards compatibility consider setting the full image url via the repository value below - ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail - ## repository: - tag: "v1.6.4" - digest: sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f - digestChroot: sha256:0de01e2c316c3ca7847ca13b32d077af7910d07f21a4a82f81061839764f8f81 - pullPolicy: IfNotPresent - # www-data -> uid 101 - runAsUser: 101 - allowPrivilegeEscalation: true - # -- Use an existing PSP instead of creating one - existingPsp: "" - # -- Configures the controller container name - containerName: controller - # -- Configures the ports that the nginx-controller listens on - containerPort: - http: 80 - https: 443 - # -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ - config: {} - # -- Annotations to be added to the controller config configuration configmap. - configAnnotations: {} - # -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers - proxySetHeaders: {} - # -- Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers - addHeaders: {} - # -- Optionally customize the pod dnsConfig. - dnsConfig: {} - # -- Optionally customize the pod hostname. - hostname: {} - # -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. - # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller - # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. - dnsPolicy: ClusterFirst - # -- Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network - # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply - reportNodeInternalIp: false - # -- Process Ingress objects without ingressClass annotation/ingressClassName field - # Overrides value for --watch-ingress-without-class flag of the controller binary - # Defaults to false - watchIngressWithoutClass: false - # -- Process IngressClass per name (additionally as per spec.controller). - ingressClassByName: false - # -- This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto" - # Defaults to false - enableTopologyAwareRouting: false - # -- This configuration defines if Ingress Controller should allow users to set - # their own *-snippet annotations, otherwise this is forbidden / dropped - # when users add those annotations. - # Global snippets in ConfigMap are still respected - allowSnippetAnnotations: true - # -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), - # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 - # is merged - hostNetwork: false - ## Use host ports 80 and 443 - ## Disabled by default - hostPort: - # -- Enable 'hostPort' or not - enabled: false - ports: - # -- 'hostPort' http port - http: 80 - # -- 'hostPort' https port - https: 443 - # -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' - electionID: "" - ## This section refers to the creation of the IngressClass resource - ## IngressClass resources are supported since k8s >= 1.18 and required since k8s >= 1.19 - ingressClassResource: - # -- Name of the ingressClass - name: nginx - # -- Is this ingressClass enabled or not - enabled: true - # -- Is this the default ingressClass for the cluster - default: false - # -- Controller-value of the controller that is processing this ingressClass - controllerValue: "k8s.io/ingress-nginx" - # -- Parameters is a link to a custom resource containing additional - # configuration for the controller. This is optional if the controller - # does not require extra parameters. - parameters: {} - # -- For backwards compatibility with ingress.class annotation, use ingressClass. - # Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation - ingressClass: nginx - # -- Labels to add to the pod container metadata - podLabels: {} - # key: value + name: controller + image: + ## Keep false as default for now! + chroot: false + registry: registry.k8s.io + image: ingress-nginx/controller + ## for backwards compatibility consider setting the full image url via the repository value below + ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + ## repository: + tag: "v1.7.0" + digest: sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7 + digestChroot: sha256:e84ef3b44c8efeefd8b0aa08770a886bfea1f04c53b61b4ba9a7204e9f1a7edc + pullPolicy: IfNotPresent + # www-data -> uid 101 + runAsUser: 101 + allowPrivilegeEscalation: true + # -- Use an existing PSP instead of creating one + existingPsp: "" + # -- Configures the controller container name + containerName: controller + # -- Configures the ports that the nginx-controller listens on + containerPort: + http: 80 + https: 443 + # -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ + config: {} + # -- Annotations to be added to the controller config configuration configmap. + configAnnotations: {} + # -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers + proxySetHeaders: {} + # -- Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers + addHeaders: {} + # -- Optionally customize the pod dnsConfig. + dnsConfig: {} + # -- Optionally customize the pod hostname. + hostname: {} + # -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. + # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller + # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. + dnsPolicy: ClusterFirst + # -- Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network + # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply + reportNodeInternalIp: false + # -- Process Ingress objects without ingressClass annotation/ingressClassName field + # Overrides value for --watch-ingress-without-class flag of the controller binary + # Defaults to false + watchIngressWithoutClass: false + # -- Process IngressClass per name (additionally as per spec.controller). + ingressClassByName: false + # -- This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto" + # Defaults to false + enableTopologyAwareRouting: false + # -- This configuration defines if Ingress Controller should allow users to set + # their own *-snippet annotations, otherwise this is forbidden / dropped + # when users add those annotations. + # Global snippets in ConfigMap are still respected + allowSnippetAnnotations: true + # -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), + # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 + # is merged + hostNetwork: false + ## Use host ports 80 and 443 + ## Disabled by default + hostPort: + # -- Enable 'hostPort' or not + enabled: false + ports: + # -- 'hostPort' http port + http: 80 + # -- 'hostPort' https port + https: 443 + # -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' + electionID: "" + ## This section refers to the creation of the IngressClass resource + ## IngressClass resources are supported since k8s >= 1.18 and required since k8s >= 1.19 + ingressClassResource: + # -- Name of the ingressClass + name: nginx + # -- Is this ingressClass enabled or not + enabled: true + # -- Is this the default ingressClass for the cluster + default: false + # -- Controller-value of the controller that is processing this ingressClass + controllerValue: "k8s.io/ingress-nginx" + # -- Parameters is a link to a custom resource containing additional + # configuration for the controller. This is optional if the controller + # does not require extra parameters. + parameters: {} + # -- For backwards compatibility with ingress.class annotation, use ingressClass. + # Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation + ingressClass: nginx + # -- Labels to add to the pod container metadata + podLabels: {} + # key: value - # -- Security Context policies for controller pods - podSecurityContext: {} - # -- See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls - sysctls: {} - # sysctls: - # "net.core.somaxconn": "8192" + # -- Security Context policies for controller pods + podSecurityContext: {} + # -- See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls + sysctls: {} + # sysctls: + # "net.core.somaxconn": "8192" - # -- Allows customization of the source of the IP address or FQDN to report - # in the ingress status field. By default, it reads the information provided - # by the service. If disable, the status field reports the IP address of the - # node or nodes where an ingress controller pod is running. - publishService: - # -- Enable 'publishService' or not - enabled: true - # -- Allows overriding of the publish service to bind to - # Must be / - pathOverride: "" - # Limit the scope of the controller to a specific namespace - scope: - # -- Enable 'scope' or not - enabled: false - # -- Namespace to limit the controller to; defaults to $(POD_NAMESPACE) - namespace: "" - # -- When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels - # only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. - namespaceSelector: "" - # -- Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) + # -- Allows customization of the source of the IP address or FQDN to report + # in the ingress status field. By default, it reads the information provided + # by the service. If disable, the status field reports the IP address of the + # node or nodes where an ingress controller pod is running. + publishService: + # -- Enable 'publishService' or not + enabled: true + # -- Allows overriding of the publish service to bind to + # Must be / + pathOverride: "" + # Limit the scope of the controller to a specific namespace + scope: + # -- Enable 'scope' or not + enabled: false + # -- Namespace to limit the controller to; defaults to $(POD_NAMESPACE) + namespace: "" + # -- When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels + # only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. + namespaceSelector: "" + # -- Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) + configMapNamespace: "" + tcp: + # -- Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) configMapNamespace: "" - tcp: - # -- Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) - configMapNamespace: "" - # -- Annotations to be added to the tcp config configmap - annotations: {} - udp: - # -- Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) - configMapNamespace: "" - # -- Annotations to be added to the udp config configmap - annotations: {} - # -- Maxmind license key to download GeoLite2 Databases. - ## https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases - maxmindLicenseKey: "" - # -- Additional command line arguments to pass to nginx-ingress-controller - # E.g. to specify the default SSL certificate you can use - extraArgs: {} - ## extraArgs: - ## default-ssl-certificate: "/" + # -- Annotations to be added to the tcp config configmap + annotations: {} + udp: + # -- Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) + configMapNamespace: "" + # -- Annotations to be added to the udp config configmap + annotations: {} + # -- Maxmind license key to download GeoLite2 Databases. + ## https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases + maxmindLicenseKey: "" + # -- Additional command line arguments to pass to nginx-ingress-controller + # E.g. to specify the default SSL certificate you can use + extraArgs: {} + ## extraArgs: + ## default-ssl-certificate: "/" + # -- Additional environment variables to set + extraEnvs: [] + # extraEnvs: + # - name: FOO + # valueFrom: + # secretKeyRef: + # key: FOO + # name: secret-resource + + # -- Use a `DaemonSet` or `Deployment` + kind: Deployment + # -- Annotations to be added to the controller Deployment or DaemonSet + ## + annotations: {} + # keel.sh/pollSchedule: "@every 60m" + + # -- Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels + ## + labels: {} + # keel.sh/policy: patch + # keel.sh/trigger: poll + + # -- The update strategy to apply to the Deployment or DaemonSet + ## + updateStrategy: {} + # rollingUpdate: + # maxUnavailable: 1 + # type: RollingUpdate + + # -- `minReadySeconds` to avoid killing pods before we are ready + ## + minReadySeconds: 0 + # -- Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + # -- Affinity and anti-affinity rules for server scheduling to nodes + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## + affinity: {} + # # An example of preferred pod anti-affinity, weight is in the range 1-100 + # podAntiAffinity: + # preferredDuringSchedulingIgnoredDuringExecution: + # - weight: 100 + # podAffinityTerm: + # labelSelector: + # matchExpressions: + # - key: app.kubernetes.io/name + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/instance + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/component + # operator: In + # values: + # - controller + # topologyKey: kubernetes.io/hostname + + # # An example of required pod anti-affinity + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchExpressions: + # - key: app.kubernetes.io/name + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/instance + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/component + # operator: In + # values: + # - controller + # topologyKey: "kubernetes.io/hostname" + + # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/instance: ingress-nginx-internal + + # -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready + ## wait up to five minutes for the drain of connections + ## + terminationGracePeriodSeconds: 300 + # -- Node labels for controller pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: + kubernetes.io/os: linux + ## Liveness and readiness probe values + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## + ## startupProbe: + ## httpGet: + ## # should match container.healthCheckPath + ## path: "/healthz" + ## port: 10254 + ## scheme: HTTP + ## initialDelaySeconds: 5 + ## periodSeconds: 5 + ## timeoutSeconds: 2 + ## successThreshold: 1 + ## failureThreshold: 5 + livenessProbe: + httpGet: + # should match container.healthCheckPath + path: "/healthz" + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + httpGet: + # should match container.healthCheckPath + path: "/healthz" + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + # -- Path of the health check endpoint. All requests received on the port defined by + # the healthz-port parameter are forwarded internally to this path. + healthCheckPath: "/healthz" + # -- Address to bind the health check endpoint. + # It is better to set this option to the internal node address + # if the ingress nginx controller is running in the `hostNetwork: true` mode. + healthCheckHost: "" + # -- Annotations to be added to controller pods + ## + podAnnotations: {} + replicaCount: 1 + # -- Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Define either 'minAvailable' or 'maxUnavailable', never both. + # maxUnavailable: 1 + + ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes + ## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903 + ## Ideally, there should be no limits. + ## https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/ + resources: + ## limits: + ## cpu: 100m + ## memory: 90Mi + requests: + cpu: 100m + memory: 90Mi + # Mutually exclusive with keda autoscaling + autoscaling: + apiVersion: autoscaling/v2 + enabled: false + annotations: {} + minReplicas: 1 + maxReplicas: 11 + targetCPUUtilizationPercentage: 50 + targetMemoryUtilizationPercentage: 50 + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 + autoscalingTemplate: [] + # Custom or additional autoscaling metrics + # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics + # - type: Pods + # pods: + # metric: + # name: nginx_ingress_controller_nginx_process_requests_total + # target: + # type: AverageValue + # averageValue: 10000m + + # Mutually exclusive with hpa autoscaling + keda: + apiVersion: "keda.sh/v1alpha1" + ## apiVersion changes with keda 1.x vs 2.x + ## 2.x = keda.sh/v1alpha1 + ## 1.x = keda.k8s.io/v1alpha1 + enabled: false + minReplicas: 1 + maxReplicas: 11 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + # Custom annotations for ScaledObject resource + # annotations: + # key: value + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: http_requests_total + # threshold: '100' + # query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) + + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 + + # -- Enable mimalloc as a drop-in replacement for malloc. + ## ref: https://github.com/microsoft/mimalloc + ## + enableMimalloc: true + ## Override NGINX template + customTemplate: + configMapName: "" + configMapKey: "" + service: + enabled: true + # -- If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were + # using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http + # It allows choosing the protocol for each backend specified in the Kubernetes service. + # See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 + # Will be ignored for Kubernetes versions older than 1.20 + ## + appProtocol: true + annotations: {} + labels: {} + # clusterIP: "" + + # -- List of IP addresses at which the controller services are available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + # -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + loadBalancerSourceRanges: [] + enableHttp: true + enableHttps: true + ## Set external traffic policy to: "Local" to preserve source IP on providers supporting it. + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "" + + ## Must be either "None" or "ClientIP" if set. Kubernetes will default to "None". + ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + # sessionAffinity: "" + + ## Specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified, + ## the service controller allocates a port from your cluster’s NodePort range. + ## Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + # healthCheckNodePort: 0 + + # -- Represents the dual-stack-ness requested or required by this Service. Possible values are + # SingleStack, PreferDualStack or RequireDualStack. + # The ipFamilies and clusterIPs fields depend on the value of this field. + ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ipFamilyPolicy: "SingleStack" + # -- List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically + # based on cluster configuration and the ipFamilyPolicy field. + ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ipFamilies: + - IPv4 + ports: + http: 80 + https: 443 + targetPorts: + http: http + https: https + type: LoadBalancer + ## type: NodePort + ## nodePorts: + ## http: 32080 + ## https: 32443 + ## tcp: + ## 8080: 32808 + nodePorts: + http: "" + https: "" + tcp: {} + udp: {} + external: + enabled: true + internal: + # -- Enables an additional internal load balancer (besides the external one). + enabled: false + # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. + annotations: {} + # loadBalancerIP: "" + + # -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. + loadBalancerSourceRanges: [] + ## Set external traffic policy to: "Local" to preserve source IP on + ## providers supporting it + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "" + # shareProcessNamespace enables process namespace sharing within the pod. + # This can be used for example to signal log rotation using `kill -USR1` from a sidecar. + shareProcessNamespace: false + # -- Additional containers to be added to the controller pod. + # See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. + extraContainers: [] + # - name: my-sidecar + # image: nginx:latest + # - name: lemonldap-ng-controller + # image: lemonldapng/lemonldap-ng-controller:0.2.0 + # args: + # - /lemonldap-ng-controller + # - --alsologtostderr + # - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration + # env: + # - name: POD_NAME + # valueFrom: + # fieldRef: + # fieldPath: metadata.name + # - name: POD_NAMESPACE + # valueFrom: + # fieldRef: + # fieldPath: metadata.namespace + # volumeMounts: + # - name: copy-portal-skins + # mountPath: /srv/var/lib/lemonldap-ng/portal/skins + + # -- Additional volumeMounts to the controller main container. + extraVolumeMounts: [] + # - name: copy-portal-skins + # mountPath: /var/lib/lemonldap-ng/portal/skins + + # -- Additional volumes to the controller pod. + extraVolumes: [] + # - name: copy-portal-skins + # emptyDir: {} + + # -- Containers, which are run before the app containers are started. + extraInitContainers: [] + # - name: init-myservice + # image: busybox + # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] + + # -- Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module + extraModules: [] + # - name: mytestmodule + # image: registry.k8s.io/ingress-nginx/mytestmodule + # containerSecurityContext: + # allowPrivilegeEscalation: false + # + # The image must contain a `/usr/local/bin/init_module.sh` executable, which + # will be executed as initContainers, to move its config files within the + # mounted volume. + + opentelemetry: + enabled: false + image: registry.k8s.io/ingress-nginx/opentelemetry:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:40f766ac4a9832f36f217bb0e98d44c8d38faeccbfe861fbc1a76af7e9ab257f + containerSecurityContext: + allowPrivilegeEscalation: false + admissionWebhooks: + annotations: {} + # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem". + + ## Additional annotations to the admission webhooks. + ## These annotations will be added to the ValidatingWebhookConfiguration and + ## the Jobs Spec of the admission webhooks. + enabled: true # -- Additional environment variables to set extraEnvs: [] # extraEnvs: @@ -164,707 +557,314 @@ controller: # secretKeyRef: # key: FOO # name: secret-resource - - # -- Use a `DaemonSet` or `Deployment` - kind: Deployment - # -- Annotations to be added to the controller Deployment or DaemonSet - ## - annotations: {} - # keel.sh/pollSchedule: "@every 60m" - - # -- Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels - ## + # -- Admission Webhook failure policy to use + failurePolicy: Fail + # timeoutSeconds: 10 + port: 8443 + certificate: "/usr/local/certificates/cert" + key: "/usr/local/certificates/key" + namespaceSelector: {} + objectSelector: {} + # -- Labels to be added to admission webhooks labels: {} - # keel.sh/policy: patch - # keel.sh/trigger: poll - - # -- The update strategy to apply to the Deployment or DaemonSet - ## - updateStrategy: {} - # rollingUpdate: - # maxUnavailable: 1 - # type: RollingUpdate - - # -- `minReadySeconds` to avoid killing pods before we are ready - ## - minReadySeconds: 0 - # -- Node tolerations for server scheduling to nodes with taints - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - ## - tolerations: [] - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - - # -- Affinity and anti-affinity rules for server scheduling to nodes - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## - affinity: {} - # # An example of preferred pod anti-affinity, weight is in the range 1-100 - # podAntiAffinity: - # preferredDuringSchedulingIgnoredDuringExecution: - # - weight: 100 - # podAffinityTerm: - # labelSelector: - # matchExpressions: - # - key: app.kubernetes.io/name - # operator: In - # values: - # - ingress-nginx - # - key: app.kubernetes.io/instance - # operator: In - # values: - # - ingress-nginx - # - key: app.kubernetes.io/component - # operator: In - # values: - # - controller - # topologyKey: kubernetes.io/hostname - - # # An example of required pod anti-affinity - # podAntiAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # - labelSelector: - # matchExpressions: - # - key: app.kubernetes.io/name - # operator: In - # values: - # - ingress-nginx - # - key: app.kubernetes.io/instance - # operator: In - # values: - # - ingress-nginx - # - key: app.kubernetes.io/component - # operator: In - # values: - # - controller - # topologyKey: "kubernetes.io/hostname" - - # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - ## - topologySpreadConstraints: [] - # - maxSkew: 1 - # topologyKey: topology.kubernetes.io/zone - # whenUnsatisfiable: DoNotSchedule - # labelSelector: - # matchLabels: - # app.kubernetes.io/instance: ingress-nginx-internal - - # -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready - ## wait up to five minutes for the drain of connections - ## - terminationGracePeriodSeconds: 300 - # -- Node labels for controller pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: - kubernetes.io/os: linux - ## Liveness and readiness probe values - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes - ## - ## startupProbe: - ## httpGet: - ## # should match container.healthCheckPath - ## path: "/healthz" - ## port: 10254 - ## scheme: HTTP - ## initialDelaySeconds: 5 - ## periodSeconds: 5 - ## timeoutSeconds: 2 - ## successThreshold: 1 - ## failureThreshold: 5 - livenessProbe: - httpGet: - # should match container.healthCheckPath - path: "/healthz" - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 5 - readinessProbe: - httpGet: - # should match container.healthCheckPath - path: "/healthz" - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - # -- Path of the health check endpoint. All requests received on the port defined by - # the healthz-port parameter are forwarded internally to this path. - healthCheckPath: "/healthz" - # -- Address to bind the health check endpoint. - # It is better to set this option to the internal node address - # if the ingress nginx controller is running in the `hostNetwork: true` mode. - healthCheckHost: "" - # -- Annotations to be added to controller pods - ## - podAnnotations: {} - replicaCount: 1 - # -- Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Define either 'minAvailable' or 'maxUnavailable', never both. - # maxUnavailable: 1 - - ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes - ## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903 - ## Ideally, there should be no limits. - ## https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/ - resources: - ## limits: - ## cpu: 100m - ## memory: 90Mi - requests: - cpu: 100m - memory: 90Mi - # Mutually exclusive with keda autoscaling - autoscaling: - apiVersion: autoscaling/v2 - enabled: false - annotations: {} - minReplicas: 1 - maxReplicas: 11 - targetCPUUtilizationPercentage: 50 - targetMemoryUtilizationPercentage: 50 - behavior: {} - # scaleDown: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 1 - # periodSeconds: 180 - # scaleUp: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 2 - # periodSeconds: 60 - autoscalingTemplate: [] - # Custom or additional autoscaling metrics - # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics - # - type: Pods - # pods: - # metric: - # name: nginx_ingress_controller_nginx_process_requests_total - # target: - # type: AverageValue - # averageValue: 10000m - - # Mutually exclusive with hpa autoscaling - keda: - apiVersion: "keda.sh/v1alpha1" - ## apiVersion changes with keda 1.x vs 2.x - ## 2.x = keda.sh/v1alpha1 - ## 1.x = keda.k8s.io/v1alpha1 - enabled: false - minReplicas: 1 - maxReplicas: 11 - pollingInterval: 30 - cooldownPeriod: 300 - restoreToOriginalReplicaCount: false - scaledObject: - annotations: {} - # Custom annotations for ScaledObject resource - # annotations: - # key: value - triggers: [] - # - type: prometheus - # metadata: - # serverAddress: http://:9090 - # metricName: http_requests_total - # threshold: '100' - # query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) - - behavior: {} - # scaleDown: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 1 - # periodSeconds: 180 - # scaleUp: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 2 - # periodSeconds: 60 - - # -- Enable mimalloc as a drop-in replacement for malloc. - ## ref: https://github.com/microsoft/mimalloc - ## - enableMimalloc: true - ## Override NGINX template - customTemplate: - configMapName: "" - configMapKey: "" + # -- Use an existing PSP instead of creating one + existingPsp: "" + networkPolicyEnabled: false service: - enabled: true - # -- If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were - # using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http - # It allows choosing the protocol for each backend specified in the Kubernetes service. - # See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 - # Will be ignored for Kubernetes versions older than 1.20 - ## - appProtocol: true - annotations: {} - labels: {} - # clusterIP: "" + annotations: {} + # clusterIP: "" + externalIPs: [] + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 443 + type: ClusterIP + createSecretJob: + securityContext: + allowPrivilegeEscalation: false + resources: {} + # limits: + # cpu: 10m + # memory: 20Mi + # requests: + # cpu: 10m + # memory: 20Mi + patchWebhookJob: + securityContext: + allowPrivilegeEscalation: false + resources: {} + patch: + enabled: true + image: + registry: registry.k8s.io + image: ingress-nginx/kube-webhook-certgen + ## for backwards compatibility consider setting the full image url via the repository value below + ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + ## repository: + tag: v20230312-helm-chart-4.5.2-28-g66a760794 + digest: sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f + pullPolicy: IfNotPresent + # -- Provide a priority class name to the webhook patching job + ## + priorityClassName: "" + podAnnotations: {} + nodeSelector: + kubernetes.io/os: linux + tolerations: [] + # -- Labels to be added to patch job resources + labels: {} + securityContext: + runAsNonRoot: true + runAsUser: 2000 + fsGroup: 2000 + # Use certmanager to generate webhook certs + certManager: + enabled: false + # self-signed root certificate + rootCert: + # default to be 5y + duration: "" + admissionCert: + # default to be 1y + duration: "" + # issuerRef: + # name: "issuer" + # kind: "ClusterIssuer" + metrics: + port: 10254 + portName: metrics + # if this port is changed, change healthz-port: in extraArgs: accordingly + enabled: false + service: + annotations: {} + # prometheus.io/scrape: "true" + # prometheus.io/port: "10254" + # -- Labels to be added to the metrics service resource + labels: {} + # clusterIP: "" - # -- List of IP addresses at which the controller services are available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips - ## - externalIPs: [] - # -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer - loadBalancerIP: "" - loadBalancerSourceRanges: [] - enableHttp: true - enableHttps: true - ## Set external traffic policy to: "Local" to preserve source IP on providers supporting it. - ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer - # externalTrafficPolicy: "" - - ## Must be either "None" or "ClientIP" if set. Kubernetes will default to "None". - ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - # sessionAffinity: "" - - ## Specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified, - ## the service controller allocates a port from your cluster’s NodePort range. - ## Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - # healthCheckNodePort: 0 - - # -- Represents the dual-stack-ness requested or required by this Service. Possible values are - # SingleStack, PreferDualStack or RequireDualStack. - # The ipFamilies and clusterIPs fields depend on the value of this field. - ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ - ipFamilyPolicy: "SingleStack" - # -- List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically - # based on cluster configuration and the ipFamilyPolicy field. - ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ - ipFamilies: - - IPv4 - ports: - http: 80 - https: 443 - targetPorts: - http: http - https: https - type: LoadBalancer - ## type: NodePort - ## nodePorts: - ## http: 32080 - ## https: 32443 - ## tcp: - ## 8080: 32808 - nodePorts: - http: "" - https: "" - tcp: {} - udp: {} - external: - enabled: true - internal: - # -- Enables an additional internal load balancer (besides the external one). - enabled: false - # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. - annotations: {} - # loadBalancerIP: "" - - # -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. - loadBalancerSourceRanges: [] - ## Set external traffic policy to: "Local" to preserve source IP on - ## providers supporting it - ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer - # externalTrafficPolicy: "" - # shareProcessNamespace enables process namespace sharing within the pod. - # This can be used for example to signal log rotation using `kill -USR1` from a sidecar. - shareProcessNamespace: false - # -- Additional containers to be added to the controller pod. - # See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. - extraContainers: [] - # - name: my-sidecar - # image: nginx:latest - # - name: lemonldap-ng-controller - # image: lemonldapng/lemonldap-ng-controller:0.2.0 - # args: - # - /lemonldap-ng-controller - # - --alsologtostderr - # - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration - # env: - # - name: POD_NAME - # valueFrom: - # fieldRef: - # fieldPath: metadata.name - # - name: POD_NAMESPACE - # valueFrom: - # fieldRef: - # fieldPath: metadata.namespace - # volumeMounts: - # - name: copy-portal-skins - # mountPath: /srv/var/lib/lemonldap-ng/portal/skins - - # -- Additional volumeMounts to the controller main container. - extraVolumeMounts: [] - # - name: copy-portal-skins - # mountPath: /var/lib/lemonldap-ng/portal/skins - - # -- Additional volumes to the controller pod. - extraVolumes: [] - # - name: copy-portal-skins - # emptyDir: {} - - # -- Containers, which are run before the app containers are started. - extraInitContainers: [] - # - name: init-myservice - # image: busybox - # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] - - # -- Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module - extraModules: [] - # - name: mytestmodule - # image: registry.k8s.io/ingress-nginx/mytestmodule - # containerSecurityContext: - # allowPrivilegeEscalation: false - # - # The image must contain a `/usr/local/bin/init_module.sh` executable, which - # will be executed as initContainers, to move its config files within the - # mounted volume. - - opentelemetry: - enabled: false - image: registry.k8s.io/ingress-nginx/opentelemetry:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:40f766ac4a9832f36f217bb0e98d44c8d38faeccbfe861fbc1a76af7e9ab257f - containerSecurityContext: - allowPrivilegeEscalation: false - admissionWebhooks: - annotations: {} - # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem". - - ## Additional annotations to the admission webhooks. - ## These annotations will be added to the ValidatingWebhookConfiguration and - ## the Jobs Spec of the admission webhooks. - enabled: true - # -- Additional environment variables to set - extraEnvs: [] - # extraEnvs: - # - name: FOO - # valueFrom: - # secretKeyRef: - # key: FOO - # name: secret-resource - # -- Admission Webhook failure policy to use - failurePolicy: Fail - # timeoutSeconds: 10 - port: 8443 - certificate: "/usr/local/certificates/cert" - key: "/usr/local/certificates/key" - namespaceSelector: {} - objectSelector: {} - # -- Labels to be added to admission webhooks - labels: {} - # -- Use an existing PSP instead of creating one - existingPsp: "" - networkPolicyEnabled: false - service: - annotations: {} - # clusterIP: "" - externalIPs: [] - # loadBalancerIP: "" - loadBalancerSourceRanges: [] - servicePort: 443 - type: ClusterIP - createSecretJob: - securityContext: - allowPrivilegeEscalation: false - resources: {} - # limits: - # cpu: 10m - # memory: 20Mi - # requests: - # cpu: 10m - # memory: 20Mi - patchWebhookJob: - securityContext: - allowPrivilegeEscalation: false - resources: {} - patch: - enabled: true - image: - registry: registry.k8s.io - image: ingress-nginx/kube-webhook-certgen - ## for backwards compatibility consider setting the full image url via the repository value below - ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail - ## repository: - tag: v20230312-helm-chart-4.5.2-28-g66a760794 - digest: sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f - pullPolicy: IfNotPresent - # -- Provide a priority class name to the webhook patching job - ## - priorityClassName: "" - podAnnotations: {} - nodeSelector: - kubernetes.io/os: linux - tolerations: [] - # -- Labels to be added to patch job resources - labels: {} - securityContext: - runAsNonRoot: true - runAsUser: 2000 - fsGroup: 2000 - # Use certmanager to generate webhook certs - certManager: - enabled: false - # self-signed root certificate - rootCert: - # default to be 5y - duration: "" - admissionCert: - # default to be 1y - duration: "" - # issuerRef: - # name: "issuer" - # kind: "ClusterIssuer" - metrics: - port: 10254 - portName: metrics - # if this port is changed, change healthz-port: in extraArgs: accordingly - enabled: false - service: - annotations: {} - # prometheus.io/scrape: "true" - # prometheus.io/port: "10254" - # -- Labels to be added to the metrics service resource - labels: {} - # clusterIP: "" - - # -- List of IP addresses at which the stats-exporter service is available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips - ## - externalIPs: [] - # loadBalancerIP: "" - loadBalancerSourceRanges: [] - servicePort: 10254 - type: ClusterIP - # externalTrafficPolicy: "" - # nodePort: "" - serviceMonitor: - enabled: false - additionalLabels: {} - ## The label to use to retrieve the job name from. - ## jobLabel: "app.kubernetes.io/name" - namespace: "" - namespaceSelector: {} - ## Default: scrape .Release.Namespace only - ## To scrape all, use the following: - ## namespaceSelector: - ## any: true - scrapeInterval: 30s - # honorLabels: true - targetLabels: [] - relabelings: [] - metricRelabelings: [] - prometheusRule: - enabled: false - additionalLabels: {} - # namespace: "" - rules: [] - # # These are just examples rules, please adapt them to your needs - # - alert: NGINXConfigFailed - # expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0 - # for: 1s - # labels: - # severity: critical - # annotations: - # description: bad ingress config - nginx config test failed - # summary: uninstall the latest ingress changes to allow config reloads to resume - # - alert: NGINXCertificateExpiry - # expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800 - # for: 1s - # labels: - # severity: critical - # annotations: - # description: ssl certificate(s) will expire in less then a week - # summary: renew expiring certificates to avoid downtime - # - alert: NGINXTooMany500s - # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"5.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 - # for: 1m - # labels: - # severity: warning - # annotations: - # description: Too many 5XXs - # summary: More than 5% of all requests returned 5XX, this requires your attention - # - alert: NGINXTooMany400s - # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"4.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 - # for: 1m - # labels: - # severity: warning - # annotations: - # description: Too many 4XXs - # summary: More than 5% of all requests returned 4XX, this requires your attention - # -- Improve connection draining when ingress controller pod is deleted using a lifecycle hook: - # With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds - # to 300, allowing the draining of connections up to five minutes. - # If the active connections end before that, the pod will terminate gracefully at that time. - # To effectively take advantage of this feature, the Configmap feature - # worker-shutdown-timeout new value is 240s instead of 10s. - ## - lifecycle: - preStop: - exec: - command: - - /wait-shutdown - priorityClassName: "" + # -- List of IP addresses at which the stats-exporter service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 10254 + type: ClusterIP + # externalTrafficPolicy: "" + # nodePort: "" + serviceMonitor: + enabled: false + additionalLabels: {} + ## The label to use to retrieve the job name from. + ## jobLabel: "app.kubernetes.io/name" + namespace: "" + namespaceSelector: {} + ## Default: scrape .Release.Namespace only + ## To scrape all, use the following: + ## namespaceSelector: + ## any: true + scrapeInterval: 30s + # honorLabels: true + targetLabels: [] + relabelings: [] + metricRelabelings: [] + prometheusRule: + enabled: false + additionalLabels: {} + # namespace: "" + rules: [] + # # These are just examples rules, please adapt them to your needs + # - alert: NGINXConfigFailed + # expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0 + # for: 1s + # labels: + # severity: critical + # annotations: + # description: bad ingress config - nginx config test failed + # summary: uninstall the latest ingress changes to allow config reloads to resume + # - alert: NGINXCertificateExpiry + # expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800 + # for: 1s + # labels: + # severity: critical + # annotations: + # description: ssl certificate(s) will expire in less then a week + # summary: renew expiring certificates to avoid downtime + # - alert: NGINXTooMany500s + # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"5.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 + # for: 1m + # labels: + # severity: warning + # annotations: + # description: Too many 5XXs + # summary: More than 5% of all requests returned 5XX, this requires your attention + # - alert: NGINXTooMany400s + # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"4.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 + # for: 1m + # labels: + # severity: warning + # annotations: + # description: Too many 4XXs + # summary: More than 5% of all requests returned 4XX, this requires your attention + # -- Improve connection draining when ingress controller pod is deleted using a lifecycle hook: + # With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds + # to 300, allowing the draining of connections up to five minutes. + # If the active connections end before that, the pod will terminate gracefully at that time. + # To effectively take advantage of this feature, the Configmap feature + # worker-shutdown-timeout new value is 240s instead of 10s. + ## + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + priorityClassName: "" # -- Rollback limit ## revisionHistoryLimit: 10 ## Default 404 backend ## defaultBackend: - ## - enabled: false - name: defaultbackend - image: - registry: registry.k8s.io - image: defaultbackend-amd64 - ## for backwards compatibility consider setting the full image url via the repository value below - ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail - ## repository: - tag: "1.5" - pullPolicy: IfNotPresent - # nobody user -> uid 65534 - runAsUser: 65534 - runAsNonRoot: true - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - # -- Use an existing PSP instead of creating one - existingPsp: "" - extraArgs: {} - serviceAccount: - create: true - name: "" - automountServiceAccountToken: true - # -- Additional environment variables to set for defaultBackend pods - extraEnvs: [] - port: 8080 - ## Readiness and liveness probes for default backend - ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ - ## - livenessProbe: - failureThreshold: 3 - initialDelaySeconds: 30 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - failureThreshold: 6 - initialDelaySeconds: 0 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 5 - # -- The update strategy to apply to the Deployment or DaemonSet - ## - updateStrategy: {} - # rollingUpdate: - # maxUnavailable: 1 - # type: RollingUpdate - - # -- `minReadySeconds` to avoid killing pods before we are ready - ## - minReadySeconds: 0 - # -- Node tolerations for server scheduling to nodes with taints - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - ## - tolerations: [] - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - - affinity: {} - # -- Security Context policies for controller pods - # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for - # notes on enabling and using sysctls - ## - podSecurityContext: {} - # -- Security Context policies for controller main container. - # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for - # notes on enabling and using sysctls - ## - containerSecurityContext: {} - # -- Labels to add to the pod container metadata - podLabels: {} - # key: value - - # -- Node labels for default backend pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: - kubernetes.io/os: linux - # -- Annotations to be added to default backend pods - ## - podAnnotations: {} - replicaCount: 1 - minAvailable: 1 - resources: {} - # limits: - # cpu: 10m - # memory: 20Mi - # requests: - # cpu: 10m - # memory: 20Mi - - extraVolumeMounts: [] - ## Additional volumeMounts to the default backend container. - # - name: copy-portal-skins - # mountPath: /var/lib/lemonldap-ng/portal/skins - - extraVolumes: [] - ## Additional volumes to the default backend pod. - # - name: copy-portal-skins - # emptyDir: {} - - autoscaling: - apiVersion: autoscaling/v2 - annotations: {} - enabled: false - minReplicas: 1 - maxReplicas: 2 - targetCPUUtilizationPercentage: 50 - targetMemoryUtilizationPercentage: 50 - service: - annotations: {} - # clusterIP: "" - - # -- List of IP addresses at which the default backend service is available - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips - ## - externalIPs: [] - # loadBalancerIP: "" - loadBalancerSourceRanges: [] - servicePort: 80 - type: ClusterIP - priorityClassName: "" - # -- Labels to be added to the default backend resources - labels: {} -## Enable RBAC as per https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/rbac.md and https://github.com/kubernetes/ingress-nginx/issues/266 -rbac: - create: true - scope: false -## If true, create & use Pod Security Policy resources -## https://kubernetes.io/docs/concepts/policy/pod-security-policy/ -podSecurityPolicy: - enabled: false -serviceAccount: + ## + enabled: false + name: defaultbackend + image: + registry: registry.k8s.io + image: defaultbackend-amd64 + ## for backwards compatibility consider setting the full image url via the repository value below + ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + ## repository: + tag: "1.5" + pullPolicy: IfNotPresent + # nobody user -> uid 65534 + runAsUser: 65534 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + # -- Use an existing PSP instead of creating one + existingPsp: "" + extraArgs: {} + serviceAccount: create: true name: "" automountServiceAccountToken: true - # -- Annotations for the controller service account + # -- Additional environment variables to set for defaultBackend pods + extraEnvs: [] + port: 8080 + ## Readiness and liveness probes for default backend + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + ## + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + failureThreshold: 6 + initialDelaySeconds: 0 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + # -- The update strategy to apply to the Deployment or DaemonSet + ## + updateStrategy: {} + # rollingUpdate: + # maxUnavailable: 1 + # type: RollingUpdate + + # -- `minReadySeconds` to avoid killing pods before we are ready + ## + minReadySeconds: 0 + # -- Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + affinity: {} + # -- Security Context policies for controller pods + # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for + # notes on enabling and using sysctls + ## + podSecurityContext: {} + # -- Security Context policies for controller main container. + # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for + # notes on enabling and using sysctls + ## + containerSecurityContext: {} + # -- Labels to add to the pod container metadata + podLabels: {} + # key: value + + # -- Node labels for default backend pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: + kubernetes.io/os: linux + # -- Annotations to be added to default backend pods + ## + podAnnotations: {} + replicaCount: 1 + minAvailable: 1 + resources: {} + # limits: + # cpu: 10m + # memory: 20Mi + # requests: + # cpu: 10m + # memory: 20Mi + + extraVolumeMounts: [] + ## Additional volumeMounts to the default backend container. + # - name: copy-portal-skins + # mountPath: /var/lib/lemonldap-ng/portal/skins + + extraVolumes: [] + ## Additional volumes to the default backend pod. + # - name: copy-portal-skins + # emptyDir: {} + + autoscaling: + apiVersion: autoscaling/v2 annotations: {} + enabled: false + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 + targetMemoryUtilizationPercentage: 50 + service: + annotations: {} + # clusterIP: "" + + # -- List of IP addresses at which the default backend service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 80 + type: ClusterIP + priorityClassName: "" + # -- Labels to be added to the default backend resources + labels: {} +## Enable RBAC as per https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/rbac.md and https://github.com/kubernetes/ingress-nginx/issues/266 +rbac: + create: true + scope: false +## If true, create & use Pod Security Policy resources +## https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +podSecurityPolicy: + enabled: false +serviceAccount: + create: true + name: "" + automountServiceAccountToken: true + # -- Annotations for the controller service account + annotations: {} # -- Optional array of imagePullSecrets containing private registry credentials ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ imagePullSecrets: [] diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml index bf4ffce19..c1d595c3a 100644 --- a/deploy/static/provider/aws/deploy.yaml +++ b/deploy/static/provider/aws/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -344,7 +344,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -377,7 +377,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -400,7 +400,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -417,6 +417,8 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.0 spec: containers: - args: @@ -440,7 +442,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.6.4@sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f + image: registry.k8s.io/ingress-nginx/controller:v1.7.0@sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -512,7 +514,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -523,7 +525,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-create spec: containers: @@ -559,7 +561,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -570,7 +572,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-patch spec: containers: @@ -608,7 +610,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -621,7 +623,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml index 0b58831a3..ed6275a0b 100644 --- a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml +++ b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -335,7 +335,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -353,7 +353,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -386,7 +386,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -409,7 +409,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -426,6 +426,8 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.0 spec: containers: - args: @@ -449,7 +451,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.6.4@sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f + image: registry.k8s.io/ingress-nginx/controller:v1.7.0@sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -524,7 +526,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -535,7 +537,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-create spec: containers: @@ -571,7 +573,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -582,7 +584,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-patch spec: containers: @@ -620,7 +622,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -633,7 +635,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml index d141e8ca6..595088a0c 100644 --- a/deploy/static/provider/baremetal/deploy.yaml +++ b/deploy/static/provider/baremetal/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -372,7 +372,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -395,7 +395,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -412,6 +412,8 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.0 spec: containers: - args: @@ -434,7 +436,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.6.4@sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f + image: registry.k8s.io/ingress-nginx/controller:v1.7.0@sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -506,7 +508,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -517,7 +519,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-create spec: containers: @@ -553,7 +555,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -564,7 +566,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-patch spec: containers: @@ -602,7 +604,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -615,7 +617,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml index 97c22739b..0540ff1cb 100644 --- a/deploy/static/provider/cloud/deploy.yaml +++ b/deploy/static/provider/cloud/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -373,7 +373,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -396,7 +396,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -413,6 +413,8 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.0 spec: containers: - args: @@ -436,7 +438,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.6.4@sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f + image: registry.k8s.io/ingress-nginx/controller:v1.7.0@sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -508,7 +510,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -519,7 +521,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-create spec: containers: @@ -555,7 +557,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -566,7 +568,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-patch spec: containers: @@ -604,7 +606,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -617,7 +619,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml index 5b7c86670..ae6ae1f8f 100644 --- a/deploy/static/provider/do/deploy.yaml +++ b/deploy/static/provider/do/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -329,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -343,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -376,7 +376,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -399,7 +399,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -416,6 +416,8 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.0 spec: containers: - args: @@ -439,7 +441,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.6.4@sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f + image: registry.k8s.io/ingress-nginx/controller:v1.7.0@sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -511,7 +513,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -522,7 +524,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-create spec: containers: @@ -558,7 +560,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -569,7 +571,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-patch spec: containers: @@ -607,7 +609,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -620,7 +622,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml index c8236ef20..a387fa928 100644 --- a/deploy/static/provider/exoscale/deploy.yaml +++ b/deploy/static/provider/exoscale/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -349,7 +349,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -382,7 +382,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -405,7 +405,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -422,6 +422,8 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.0 spec: containers: - args: @@ -445,7 +447,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.6.4@sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f + image: registry.k8s.io/ingress-nginx/controller:v1.7.0@sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -517,7 +519,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -528,7 +530,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-create spec: containers: @@ -564,7 +566,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -575,7 +577,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-patch spec: containers: @@ -613,7 +615,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -626,7 +628,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml index a8fd055c9..a77a08ae9 100644 --- a/deploy/static/provider/kind/deploy.yaml +++ b/deploy/static/provider/kind/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -372,7 +372,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -395,7 +395,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -416,6 +416,8 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.0 spec: containers: - args: @@ -440,7 +442,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.6.4@sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f + image: registry.k8s.io/ingress-nginx/controller:v1.7.0@sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -522,7 +524,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -533,7 +535,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-create spec: containers: @@ -569,7 +571,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -580,7 +582,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-patch spec: containers: @@ -618,7 +620,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -631,7 +633,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml index 1f04b9b9e..ab9142ce2 100644 --- a/deploy/static/provider/scw/deploy.yaml +++ b/deploy/static/provider/scw/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -329,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -343,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -376,7 +376,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -399,7 +399,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -416,6 +416,8 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.0 spec: containers: - args: @@ -439,7 +441,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.6.4@sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f + image: registry.k8s.io/ingress-nginx/controller:v1.7.0@sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -511,7 +513,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -522,7 +524,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-create spec: containers: @@ -558,7 +560,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -569,7 +571,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission-patch spec: containers: @@ -607,7 +609,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -620,7 +622,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.6.4 + app.kubernetes.io/version: 1.7.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/docs/e2e-tests.md b/docs/e2e-tests.md index 9f66e3991..22a76dc7a 100644 --- a/docs/e2e-tests.md +++ b/docs/e2e-tests.md @@ -7,34 +7,19 @@ Do not try to edit it manually. -### [[Serial] admission controller](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L35) +### [[Admission] admission controller](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L35) -- [reject ingress with global-rate-limit annotations when memcached is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L48) -- [should not allow overlaps of host and paths without canary annotations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L75) -- [should allow overlaps of host and paths with canary annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L92) -- [should block ingress with invalid path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L113) -- [should return an error if there is an error validating the ingress definition](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L130) -- [should return an error if there is an invalid value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L141) -- [should return an error if there is a forbidden value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L155) -- [should not return an error if the Ingress V1 definition is valid with Ingress Class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L169) -- [should not return an error if the Ingress V1 definition is valid with IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L185) -- [should return an error if the Ingress V1 definition contains invalid annotations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L201) -- [should not return an error for an invalid Ingress when it has unknown class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L212) - -### [modsecurity owasp](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L28) - -- [should enable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L35) -- [should enable modsecurity with transaction ID and OWASP rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L53) -- [should disable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L74) -- [should enable modsecurity with snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L91) -- [should enable modsecurity without using 'modsecurity on;'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L110) -- [should disable modsecurity using 'modsecurity off;'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L132) -- [should enable modsecurity with snippet and block requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L153) -- [should enable modsecurity globally and with modsecurity-snippet block requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L189) -- [should enable modsecurity when enable-owasp-modsecurity-crs is set to true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L225) -- [should enable modsecurity through the config map](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L264) -- [should enable modsecurity through the config map but ignore snippet as disabled by admin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L305) -- [should disable default modsecurity conf setting when modsecurity-snippet is specified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L347) +- [reject ingress with global-rate-limit annotations when memcached is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L43) +- [should not allow overlaps of host and paths without canary annotations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L70) +- [should allow overlaps of host and paths with canary annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L87) +- [should block ingress with invalid path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L108) +- [should return an error if there is an error validating the ingress definition](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L125) +- [should return an error if there is an invalid value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L136) +- [should return an error if there is a forbidden value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L150) +- [should not return an error if the Ingress V1 definition is valid with Ingress Class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L164) +- [should not return an error if the Ingress V1 definition is valid with IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L180) +- [should return an error if the Ingress V1 definition contains invalid annotations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L196) +- [should not return an error for an invalid Ingress when it has unknown class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L207) ### [affinitymode](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinitymode.go#L31) @@ -71,33 +56,6 @@ Do not try to edit it manually. - [should set backend protocol to '' and use fastcgi_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L94) - [should set backend protocol to '' and use ajp_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L109) -### [canary-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L36) - -- [should response with a 200 status from the mainline upstream when requests are made to the mainline ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L48) -- [should return 404 status for requests to the canary if no matching ingress is found](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L80) -- [should return the correct status codes when endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L107) -- [should route requests to the correct upstream if mainline ingress is created before the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L161) -- [should route requests to the correct upstream if mainline ingress is created after the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L206) -- [should route requests to the correct upstream if the mainline ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L250) -- [should route requests to the correct upstream if the canary ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L307) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L372) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L426) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L490) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L532) -- [should routes to mainline upstream when the given Regex causes error](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L566) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L604) -- [respects always and never values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L643) -- [should route requests only to mainline if canary weight is 0](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L705) -- [should route requests only to canary if canary weight is 100](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L743) -- [should route requests only to canary if canary weight is equal to canary weight total](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L775) -- [should route requests split between mainline and canary if canary weight is 50](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L808) -- [should not use canary as a catch-all server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L836) -- [should not use canary with domain as a server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L864) -- [does not crash when canary ingress has multiple paths to the same non-matching backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L888) -- [always routes traffic to canary if first request was affinitized to canary (default behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L916) -- [always routes traffic to canary if first request was affinitized to canary (explicit sticky behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L973) -- [routes traffic to either mainline or canary backend (legacy behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1031) - ### [client-body-buffer-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L28) - [should set client_body_buffer_size to 1000](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L35) @@ -151,13 +109,6 @@ Do not try to edit it manually. - [disable-http-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L53) - [disable-stream-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L71) -### [backend-protocol - FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L31) - -- [should use fastcgi_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L38) -- [should add fastcgi_index in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L55) -- [should add fastcgi_param in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L72) -- [should return OK for service with backend protocol FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L105) - ### [force-ssl-redirect](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/forcesslredirect.go#L27) - [should redirect to https](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/forcesslredirect.go#L34) @@ -209,6 +160,21 @@ Do not try to edit it manually. - [should set mirror-target to https://test.env.com/$request_uri](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L51) - [should disable mirror-request-body](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L67) +### [modsecurity owasp](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L28) + +- [should enable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L35) +- [should enable modsecurity with transaction ID and OWASP rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L53) +- [should disable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L74) +- [should enable modsecurity with snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L91) +- [should enable modsecurity without using 'modsecurity on;'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L110) +- [should disable modsecurity using 'modsecurity off;'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L132) +- [should enable modsecurity with snippet and block requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L153) +- [should enable modsecurity globally and with modsecurity-snippet block requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L189) +- [should enable modsecurity when enable-owasp-modsecurity-crs is set to true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L225) +- [should enable modsecurity through the config map](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L264) +- [should enable modsecurity through the config map but ignore snippet as disabled by admin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L305) +- [should disable default modsecurity conf setting when modsecurity-snippet is specified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L347) + ### [preserve-trailing-slash](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/preservetrailingslash.go#L27) - [should allow preservation of trailing slashes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/preservetrailingslash.go#L34) @@ -285,6 +251,11 @@ Do not try to edit it manually. - [should set the X-Forwarded-Prefix to the annotation value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L35) - [should not add X-Forwarded-Prefix if the annotation value is empty](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L57) +### [denylist-source-range](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L28) + +- [only deny explicitly denied IPs, allow all others](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L35) +- [only allow explicitly allowed IPs, deny all others](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L86) + ### [affinity session-cookie-name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L35) - [should set sticky cookie SERVERID](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L42) @@ -311,6 +282,13 @@ Do not try to edit it manually. - [should fail to use longest match for documented warning](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L158) - [should allow for custom rewrite parameters](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L190) +### [backend-protocol - FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L30) + +- [should use fastcgi_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L37) +- [should add fastcgi_index in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L54) +- [should add fastcgi_param in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L71) +- [should return OK for service with backend protocol FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L102) + ### [auth-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L39) - [should return status code 200 when no authentication is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L46) @@ -347,10 +325,33 @@ Do not try to edit it manually. - [should return 503 (location was denied)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L879) - [should add error to the config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L887) -### [denylist-source-range](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L28) +### [canary-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L36) -- [only deny explicitly denied IPs, allow all others](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L35) -- [only allow explicitly allowed IPs, deny all others](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L86) +- [should response with a 200 status from the mainline upstream when requests are made to the mainline ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L48) +- [should return 404 status for requests to the canary if no matching ingress is found](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L80) +- [should return the correct status codes when endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L107) +- [should route requests to the correct upstream if mainline ingress is created before the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L161) +- [should route requests to the correct upstream if mainline ingress is created after the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L206) +- [should route requests to the correct upstream if the mainline ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L250) +- [should route requests to the correct upstream if the canary ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L307) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L372) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L426) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L490) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L532) +- [should routes to mainline upstream when the given Regex causes error](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L566) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L604) +- [respects always and never values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L643) +- [should route requests only to mainline if canary weight is 0](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L705) +- [should route requests only to canary if canary weight is 100](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L743) +- [should route requests only to canary if canary weight is equal to canary weight total](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L775) +- [should route requests split between mainline and canary if canary weight is 50](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L808) +- [should route requests split between mainline and canary if canary weight is 100 and weight total is 200](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L834) +- [should not use canary as a catch-all server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L863) +- [should not use canary with domain as a server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L891) +- [does not crash when canary ingress has multiple paths to the same non-matching backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L915) +- [always routes traffic to canary if first request was affinitized to canary (default behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L943) +- [always routes traffic to canary if first request was affinitized to canary (explicit sticky behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1000) +- [routes traffic to either mainline or canary backend (legacy behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1058) ### [Debug CLI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L29) @@ -376,30 +377,21 @@ Do not try to edit it manually. - [should apply the annotation to the default backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/with_hosts.go#L38) +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e.go#L) + ### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e_test.go#L) - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e_test.go#L) -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) +### [[Endpointslices] long service name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/longname.go#L29) -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) +- [should return 200 when service name has max allowed number of characters 63](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/longname.go#L38) -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) +### [[TopologyHints] topology aware routing](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/topology.go#L35) -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/metrics.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/metrics.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/fastcgi_helloserver.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/fastcgi_helloserver.go#L) - -### [[Setting] ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L190) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L206) -- [ [MemoryLeak]](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L207) +- [should return 200 when service has topology hints](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/topology.go#L43) ### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/grpc_fortune_teller.go#L) @@ -445,14 +437,6 @@ Do not try to edit it manually. - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/request.go#L) -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/influxdb.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/influxdb.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/k8s.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/k8s.go#L) - ### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/logs.go#L) - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/logs.go#L) @@ -465,13 +449,41 @@ Do not try to edit it manually. - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/test_context.go#L) +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/util.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/util.go#L) + +### [[Setting] ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L194) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/influxdb.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/influxdb.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/k8s.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/k8s.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/metrics.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/metrics.go#L) + ### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/deployment.go#L) - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/deployment.go#L) -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/util.go#L) +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/util.go#L) +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/fastcgi_helloserver.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/fastcgi_helloserver.go#L) ### [[Shutdown] Grace period shutdown](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/grace_period.go#L32) @@ -546,6 +558,12 @@ Do not try to edit it manually. - [handles endpoints only changes consistently (down scaling of replicas vs. empty service)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L125) - [handles an annotation change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L171) +### [nginx-configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L99) + +- [start nginx with default configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L102) +- [fails when using alias directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L115) +- [fails when using root directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L124) + ### [[Security] request smuggling](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/request_smuggling.go#L32) - [should not return body content from error_page](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/request_smuggling.go#L39) @@ -570,14 +588,6 @@ Do not try to edit it manually. - [should return 404 when backend service is nil](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_nil_backend.go#L38) -### [[Security] modsecurity-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity/modsecurity_snippet.go#L27) - -- [should add value of modsecurity-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity/modsecurity_snippet.go#L30) - -### [OCSP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L42) - -- [should enable OCSP and contain stapling information in the connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L49) - ### [access-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L27) - [use the default configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L32) @@ -597,10 +607,6 @@ Do not try to edit it manually. - [ condition](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/brotli.go#L39) -### [Configmap change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L29) - -- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L36) - ### [add-headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L30) - [Add a custom header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L40) @@ -730,26 +736,24 @@ Do not try to edit it manually. - [should add value of main-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/main_snippet.go#L31) +### [[Security] modsecurity-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity/modsecurity_snippet.go#L27) + +- [should add value of modsecurity-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity/modsecurity_snippet.go#L30) + ### [enable-multi-accept](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/multi_accept.go#L27) - [should be enabled by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/multi_accept.go#L31) - [should be enabled when set to true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/multi_accept.go#L39) - [should be disabled when set to false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/multi_accept.go#L49) -### [[Flag] watch namespace selector](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/namespace_selector.go#L30) - -- [should ingore Ingress of namespace without label foo=bar and accept those of namespace with label foo=bar](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/namespace_selector.go#L70) - -### [[Security] no-auth-locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L33) - -- [should return status code 401 when accessing '/' unauthentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L54) -- [should return status code 200 when accessing '/' authentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L68) -- [should return status code 200 when accessing '/noauth' unauthenticated](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L82) - ### [Add no tls redirect locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L28) - [Check no tls redirect locations config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L31) +### [OCSP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L42) + +- [should enable OCSP and contain stapling information in the connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L49) + ### [Configure OpenTracing](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L48) - [should not exists opentracing directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L58) @@ -858,11 +862,33 @@ Do not try to edit it manually. - [should set gzip_min_length to 100](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L78) - [should set gzip_types to application/javascript](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L89) +### [Configmap change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L29) + +- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L36) + +### [[Flag] watch namespace selector](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/namespace_selector.go#L30) + +- [should ingore Ingress of namespace without label foo=bar and accept those of namespace with label foo=bar](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/namespace_selector.go#L63) + ### [With enable-ssl-passthrough enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_passthrough.go#L36) - [should enable ssl-passthrough-proxy-port on a different port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_passthrough.go#L56) - [should pass unknown traffic to default backend and handle known traffic](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_passthrough.go#L79) +### [[Security] no-auth-locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L33) + +- [should return status code 401 when accessing '/' unauthentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L54) +- [should return status code 200 when accessing '/' authentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L68) +- [should return status code 200 when accessing '/noauth' unauthenticated](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L82) + +### [Configure Opentelemetry](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentelemetry.go#L37) + +- [should not exists opentelemetry directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentelemetry.go#L47) +- [should exists opentelemetry directive when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentelemetry.go#L60) +- [should include opentelemetry_trust_incoming_spans on directive when enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentelemetry.go#L74) +- [should not exists opentelemetry_operation_name directive when is empty](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentelemetry.go#L89) +- [should exists opentelemetry_operation_name directive when is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentelemetry.go#L104) + ### [[SSL] redirect to HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/http_redirect.go#L29) - [should redirect from HTTP to HTTPS when secret is missing](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/http_redirect.go#L36) @@ -876,25 +902,8 @@ Do not try to edit it manually. - [should update status field after client-go reconnection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/status/update.go#L43) -### [[TCP] tcp-services](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L37) +### [[TCP] tcp-services](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L38) -- [should expose a TCP service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L40) -- [should expose an ExternalName TCP service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L98) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e.go#L) - -### [[Endpointslices] long service name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/longname.go#L29) - -- [should return 200 when service name has max allowed number of characters 63](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/longname.go#L38) - -### [[TopologyHints] topology aware routing](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/topology.go#L36) - -- [should return 200 when service has topology hints](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/topology.go#L50) - -### [nginx-configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L99) - -- [start nginx with default configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L102) -- [fails when using alias directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L115) -- [fails when using root directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L124) \ No newline at end of file +- [should expose a TCP service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L46) +- [should expose an ExternalName TCP service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L80) +- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L169) \ No newline at end of file diff --git a/docs/user-guide/exposing-tcp-udp-services.md b/docs/user-guide/exposing-tcp-udp-services.md index 6b595ffae..63293f0e5 100644 --- a/docs/user-guide/exposing-tcp-udp-services.md +++ b/docs/user-guide/exposing-tcp-udp-services.md @@ -63,3 +63,9 @@ spec: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx ``` +Then, the configmap should be added into ingress controller's deployment args. +``` + args: + - /nginx-ingress-controller + - --tcp-services-configmap=ingress-nginx/tcp-services +``` diff --git a/magefiles/release.go b/magefiles/release.go index 3c715bc07..aeaafc3d2 100644 --- a/magefiles/release.go +++ b/magefiles/release.go @@ -50,7 +50,7 @@ var INGRESS_REGISTRY = "registry.k8s.io" //Co var KUSTOMIZE_INSTALL_VERSION = "sigs.k8s.io/kustomize/kustomize/v4@v4.5.4" //static deploys needs kustomize to generate the template // ingress-nginx releases start with a TAG then a cloudbuild, then a promotion through a PR, this the location of that PR -var IMAGES_YAML = "https://raw.githubusercontent.com/kubernetes/k8s.io/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml" +var IMAGES_YAML = "https://raw.githubusercontent.com/kubernetes/k8s.io/main/registry.k8s.io/images/k8s-staging-ingress-nginx/images.yaml" var ctx = context.Background() // Context used for GitHub Client const INDEX_DOCS = "docs/deploy/index.md" //index.md has a version of the controller and needs to updated From 81cf94ea482c364e306ca27e4219ac61c0eca56b Mon Sep 17 00:00:00 2001 From: James Strong Date: Fri, 24 Mar 2023 13:27:00 -0400 Subject: [PATCH 241/405] release 1.7.0 chart 4.6.0 Signed-off-by: James Strong --- charts/ingress-nginx/Chart.yaml | 4 ++-- charts/ingress-nginx/README.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index 130fe06fd..bad5e2a8c 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml @@ -15,7 +15,7 @@ annotations: - "Fix incorrect annotation name in upstream hashing configuration (#9617)" artifacthub.io/prerelease: "false" apiVersion: v2 -appVersion: 4.6.0 +appVersion: 1.7.0 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer engine: gotpl @@ -32,4 +32,4 @@ maintainers: name: ingress-nginx sources: - https://github.com/kubernetes/ingress-nginx -version: 4.5.4 +version: 4.6.0 diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index dcd5af57e..cb3848634 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.5.4](https://img.shields.io/badge/Version-4.5.4-informational?style=flat-square) ![AppVersion: 4.6.0](https://img.shields.io/badge/AppVersion-4.6.0-informational?style=flat-square) +![Version: 4.6.0](https://img.shields.io/badge/Version-4.6.0-informational?style=flat-square) ![AppVersion: 1.7.0](https://img.shields.io/badge/AppVersion-1.7.0-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. From c84ae78bdfabb1f93bf0e87cdff34c75c744b8df Mon Sep 17 00:00:00 2001 From: Mohammad Yasir <74600745+Yasir761@users.noreply.github.com> Date: Mon, 27 Mar 2023 19:44:30 +0530 Subject: [PATCH 242/405] The Ingress-Nginx project recently released version 1.7.0 of the controller, but the deployment documentation still referenced version 1.6.4. This commit updates the documentation to reference the latest version, ensuring that users have access to the most up-to-date information. Fixes#9787 (#9788) --- docs/deploy/index.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/deploy/index.md b/docs/deploy/index.md index 49340e2f5..f6ba17a09 100644 --- a/docs/deploy/index.md +++ b/docs/deploy/index.md @@ -62,7 +62,7 @@ It will install the controller in the `ingress-nginx` namespace, creating that n **If you don't have Helm** or if you prefer to use a YAML manifest, you can run the following command instead: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.4/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.0/deploy/static/provider/cloud/deploy.yaml ``` !!! info @@ -225,7 +225,7 @@ In AWS, we use a Network load balancer (NLB) to expose the NGINX Ingress control ##### Network Load Balancer (NLB) ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.4/deploy/static/provider/aws/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.0/deploy/static/provider/aws/deploy.yaml ``` ##### TLS termination in AWS Load Balancer (NLB) @@ -233,10 +233,10 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS using an NLB. -1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.4/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template +1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.0/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template ```console - wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.4/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml + wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.0/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml ``` 2. Edit the file and change the VPC CIDR in use for the Kubernetes cluster: @@ -282,7 +282,7 @@ Then, the ingress controller can be installed like this: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.4/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.0/deploy/static/provider/cloud/deploy.yaml ``` !!! warning @@ -299,7 +299,7 @@ Proxy-protocol is supported in GCE check the [Official Documentations on how to #### Azure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.4/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.0/deploy/static/provider/cloud/deploy.yaml ``` More information with regard to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller). @@ -307,7 +307,7 @@ More information with regard to Azure annotations for ingress controller can be #### Digital Ocean ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.4/deploy/static/provider/do/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.0/deploy/static/provider/do/deploy.yaml ``` - By default the service object of the ingress-nginx-controller for Digital-Ocean, only configures one annotation. Its this one `service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"`. While this makes the service functional, it was reported that the Digital-Ocean LoadBalancer graphs shows `no data`, unless a few other annotations are also configured. Some of these other annotations require values that can not be generic and hence not forced in a out-of-the-box installation. These annotations and a discussion on them is well documented in [this issue](https://github.com/kubernetes/ingress-nginx/issues/8965). Please refer to the issue to add annotations, with values specific to user, to get graphs of the DO-LB populated with data. @@ -315,7 +315,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont #### Scaleway ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.4/deploy/static/provider/scw/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.0/deploy/static/provider/scw/deploy.yaml ``` #### Exoscale @@ -330,7 +330,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale #### Oracle Cloud Infrastructure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.4/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.0/deploy/static/provider/cloud/deploy.yaml ``` A @@ -357,7 +357,7 @@ For quick testing, you can use a This should work on almost every cluster, but it will typically use a port in the range 30000-32767. ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.6.4/deploy/static/provider/baremetal/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.0/deploy/static/provider/baremetal/deploy.yaml ``` For more information about bare metal deployments (and how to use port 80 instead of a random port in the 30000-32767 range), From ddde3b0d607744b7b3cee968be539bc901782164 Mon Sep 17 00:00:00 2001 From: sarab Date: Sun, 2 Apr 2023 03:03:12 +0530 Subject: [PATCH 243/405] Switched from N1 to E2 machine --- images/ext-auth-example-authsvc/cloudbuild.yaml | 2 +- images/go-grpc-greeter-server/cloudbuild.yaml | 2 +- images/httpbin/cloudbuild.yaml | 2 +- images/nginx/cloudbuild.yaml | 2 +- images/opentelemetry/cloudbuild.yaml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/images/ext-auth-example-authsvc/cloudbuild.yaml b/images/ext-auth-example-authsvc/cloudbuild.yaml index fbd5d7b63..d77c9fc19 100644 --- a/images/ext-auth-example-authsvc/cloudbuild.yaml +++ b/images/ext-auth-example-authsvc/cloudbuild.yaml @@ -2,7 +2,7 @@ timeout: 1200s options: substitution_option: ALLOW_LOOSE # job builds a multi-arch docker image for amd64,arm,arm64 and s390x. - machineType: N1_HIGHCPU_8 + machineType: E2_HIGHCPU_8 steps: - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90 entrypoint: bash diff --git a/images/go-grpc-greeter-server/cloudbuild.yaml b/images/go-grpc-greeter-server/cloudbuild.yaml index f4d6cc6d4..834c0cb85 100644 --- a/images/go-grpc-greeter-server/cloudbuild.yaml +++ b/images/go-grpc-greeter-server/cloudbuild.yaml @@ -2,7 +2,7 @@ timeout: 1200s options: substitution_option: ALLOW_LOOSE # job builds a multi-arch docker image for amd64,arm,arm64 and s390x. - machineType: N1_HIGHCPU_8 + machineType: E2_HIGHCPU_8 steps: - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90 entrypoint: bash diff --git a/images/httpbin/cloudbuild.yaml b/images/httpbin/cloudbuild.yaml index 03f269b6e..9f2658b7b 100644 --- a/images/httpbin/cloudbuild.yaml +++ b/images/httpbin/cloudbuild.yaml @@ -2,7 +2,7 @@ timeout: 1200s options: substitution_option: ALLOW_LOOSE # job builds a multi-arch docker image for amd64,arm,arm64 and s390x. - machineType: N1_HIGHCPU_8 + machineType: E2_HIGHCPU_8 steps: - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90 entrypoint: bash diff --git a/images/nginx/cloudbuild.yaml b/images/nginx/cloudbuild.yaml index fb9a51225..b3d7b1507 100644 --- a/images/nginx/cloudbuild.yaml +++ b/images/nginx/cloudbuild.yaml @@ -2,7 +2,7 @@ timeout: 10800s options: substitution_option: ALLOW_LOOSE # job builds a multi-arch docker image for amd64,arm,arm64 and s390x. - machineType: N1_HIGHCPU_32 + machineType: E2_HIGHCPU_32 steps: - name: 'gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90' entrypoint: bash diff --git a/images/opentelemetry/cloudbuild.yaml b/images/opentelemetry/cloudbuild.yaml index e2aa5a2b2..0096c0f44 100644 --- a/images/opentelemetry/cloudbuild.yaml +++ b/images/opentelemetry/cloudbuild.yaml @@ -2,7 +2,7 @@ timeout: 10800s options: substitution_option: ALLOW_LOOSE # job builds a multi-arch docker image for amd64,arm,arm64 and s390x. - machineType: N1_HIGHCPU_32 + machineType: E2_HIGHCPU_32 steps: - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90 entrypoint: bash From 3b46b85451e2f1c70a873e02639f654dd43bbe7f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 4 Apr 2023 05:41:54 -0700 Subject: [PATCH 244/405] Bump sigs.k8s.io/controller-runtime from 0.14.5 to 0.14.6 (#9822) Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.14.5 to 0.14.6. - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.14.5...v0.14.6) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index f351bae17..f65660dd0 100644 --- a/go.mod +++ b/go.mod @@ -40,7 +40,7 @@ require ( k8s.io/component-base v0.26.3 k8s.io/klog/v2 v2.90.1 pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 - sigs.k8s.io/controller-runtime v0.14.5 + sigs.k8s.io/controller-runtime v0.14.6 sigs.k8s.io/mdtoc v1.1.0 ) diff --git a/go.sum b/go.sum index 00918fc47..e7db50a63 100644 --- a/go.sum +++ b/go.sum @@ -771,8 +771,8 @@ pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732/go.mod h1:lpvCfhqEHNJSSpG5R rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/controller-runtime v0.14.5 h1:6xaWFqzT5KuAQ9ufgUaj1G/+C4Y1GRkhrxl+BJ9i+5s= -sigs.k8s.io/controller-runtime v0.14.5/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0= +sigs.k8s.io/controller-runtime v0.14.6 h1:oxstGVvXGNnMvY7TAESYk+lzr6S3V5VFxQ6d92KcwQA= +sigs.k8s.io/controller-runtime v0.14.6/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/kustomize/api v0.12.1 h1:7YM7gW3kYBwtKvoY216ZzY+8hM+lV53LUayghNRJ0vM= From ff048d86b09b91ea3c4c85a556a09ac4a4714637 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 4 Apr 2023 05:43:57 -0700 Subject: [PATCH 245/405] Bump google.golang.org/grpc from 1.53.0 to 1.54.0 (#9794) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.53.0 to 1.54.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.53.0...v1.54.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index f65660dd0..383754428 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a golang.org/x/crypto v0.7.0 - google.golang.org/grpc v1.53.0 + google.golang.org/grpc v1.54.0 google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 diff --git a/go.sum b/go.sum index e7db50a63..e78672fa9 100644 --- a/go.sum +++ b/go.sum @@ -683,8 +683,8 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.53.0 h1:LAv2ds7cmFV/XTS3XG1NneeENYrXGmorPxsBbptIjNc= -google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw= +google.golang.org/grpc v1.54.0 h1:EhTqbhiYeixwWQtAEZAxmV9MGqcjEU2mFx52xCzNyag= +google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g= google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 h1:pPsdyuBif+uoyUoL19yuj/TCfUPsmpJHJZhWQ98JGLU= google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7/go.mod h1:8pQa1yxxkh+EsxUK8/455D5MSbv3vgmEJqKCH3y17mI= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= From 8249be4e29c2f781654665bb86057616737fa327 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 4 Apr 2023 05:45:53 -0700 Subject: [PATCH 246/405] Bump github.com/imdario/mergo from 0.3.13 to 0.3.15 (#9795) Bumps [github.com/imdario/mergo](https://github.com/imdario/mergo) from 0.3.13 to 0.3.15. - [Release notes](https://github.com/imdario/mergo/releases) - [Commits](https://github.com/imdario/mergo/compare/v0.3.13...v0.3.15) --- updated-dependencies: - dependency-name: github.com/imdario/mergo dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index 383754428..5331a7bbe 100644 --- a/go.mod +++ b/go.mod @@ -6,7 +6,7 @@ require ( github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a github.com/eapache/channels v1.1.0 github.com/fsnotify/fsnotify v1.6.0 - github.com/imdario/mergo v0.3.13 + github.com/imdario/mergo v0.3.15 github.com/json-iterator/go v1.1.12 github.com/kylelemons/godebug v1.1.0 github.com/mitchellh/go-ps v1.0.0 diff --git a/go.sum b/go.sum index e78672fa9..48d90af46 100644 --- a/go.sum +++ b/go.sum @@ -204,8 +204,8 @@ github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= -github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= +github.com/imdario/mergo v0.3.15 h1:M8XP7IuFNsqUx6VPK2P9OSmsYsI/YFaGil0uD21V3dM= +github.com/imdario/mergo v0.3.15/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc= github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= @@ -731,7 +731,6 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= From 0169ed5c873355c705557e2dc3e4aa664330844b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 4 Apr 2023 05:47:54 -0700 Subject: [PATCH 247/405] Bump actions/setup-go from 3.5.0 to 4.0.0 (#9796) Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3.5.0 to 4.0.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/6edd4406fa81c3da01a34fa6f6343087c207a568...4d34df0c2316fe8122ab82dc22947d607c0c91f9) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yaml | 12 ++++++------ .github/workflows/plugin.yaml | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index c2c108638..83c9fcd18 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -86,7 +86,7 @@ jobs: - name: Set up Go id: go - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 + uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 with: go-version: '1.20' check-latest: true @@ -105,7 +105,7 @@ jobs: - name: Set up Go id: go - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 + uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 with: go-version: '1.20' check-latest: true @@ -124,7 +124,7 @@ jobs: - name: Set up Go id: go - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 + uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 with: go-version: '1.20' check-latest: true @@ -145,7 +145,7 @@ jobs: - name: Set up Go id: go - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 + uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 with: go-version: '1.20' check-latest: true @@ -211,7 +211,7 @@ jobs: uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 - name: Setup Go - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 + uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 with: go-version: '1.20' check-latest: true @@ -483,7 +483,7 @@ jobs: - name: Set up Go id: go if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 + uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 with: go-version: '1.20' check-latest: true diff --git a/.github/workflows/plugin.yaml b/.github/workflows/plugin.yaml index 87ba6aca9..bc646da87 100644 --- a/.github/workflows/plugin.yaml +++ b/.github/workflows/plugin.yaml @@ -22,7 +22,7 @@ jobs: fetch-depth: 0 - name: Set up Go - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 + uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 with: go-version: 1.20 check-latest: true From 1684070ca915406c79f31a5afba96e66a0fd4eb6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 4 Apr 2023 05:49:53 -0700 Subject: [PATCH 248/405] Bump rajatjindal/krew-release-bot from 0.0.43 to 0.0.46 (#9797) Bumps [rajatjindal/krew-release-bot](https://github.com/rajatjindal/krew-release-bot) from 0.0.43 to 0.0.46. - [Release notes](https://github.com/rajatjindal/krew-release-bot/releases) - [Changelog](https://github.com/rajatjindal/krew-release-bot/blob/main/.goreleaser.yml) - [Commits](https://github.com/rajatjindal/krew-release-bot/compare/92da038bbf995803124a8e50ebd438b2f37bbbb0...df3eb197549e3568be8b4767eec31c5e8e8e6ad8) --- updated-dependencies: - dependency-name: rajatjindal/krew-release-bot dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/plugin.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/plugin.yaml b/.github/workflows/plugin.yaml index bc646da87..03a7a9bac 100644 --- a/.github/workflows/plugin.yaml +++ b/.github/workflows/plugin.yaml @@ -36,6 +36,6 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Update new version in krew-index - uses: rajatjindal/krew-release-bot@92da038bbf995803124a8e50ebd438b2f37bbbb0 # v0.0.43 + uses: rajatjindal/krew-release-bot@df3eb197549e3568be8b4767eec31c5e8e8e6ad8 # v0.0.46 with: krew_template_file: cmd/plugin/krew.yaml From c40a13714bf6cd265171e8eaf03d66c745063f90 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 4 Apr 2023 05:51:54 -0700 Subject: [PATCH 249/405] Bump actions/stale from 7.0.0 to 8.0.0 (#9799) Bumps [actions/stale](https://github.com/actions/stale) from 7.0.0 to 8.0.0. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/6f05e4244c9a0b2ed3401882b05d701dd0a7289b...1160a2240286f5da8ec72b1c0816ce2481aabf84) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/stale.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml index 8a172d370..b038f522b 100644 --- a/.github/workflows/stale.yaml +++ b/.github/workflows/stale.yaml @@ -13,7 +13,7 @@ jobs: pull-requests: write steps: - - uses: actions/stale@6f05e4244c9a0b2ed3401882b05d701dd0a7289b # v7.0.0 + - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0 with: stale-issue-message: "This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach `#ingress-nginx-dev` on Kubernetes Slack." stale-pr-message: "This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach `#ingress-nginx-dev` on Kubernetes Slack." From 0800f30dcb2dd791e8850948909ff22965915b0f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 4 Apr 2023 05:53:53 -0700 Subject: [PATCH 250/405] Bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 (#9806) Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.1.4 to 1.1.5. - [Release notes](https://github.com/opencontainers/runc/releases) - [Changelog](https://github.com/opencontainers/runc/blob/v1.1.5/CHANGELOG.md) - [Commits](https://github.com/opencontainers/runc/compare/v1.1.4...v1.1.5) --- updated-dependencies: - dependency-name: github.com/opencontainers/runc dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 5331a7bbe..24c319bc7 100644 --- a/go.mod +++ b/go.mod @@ -15,7 +15,7 @@ require ( github.com/moul/pb v0.0.0-20220425114252-bca18df4138c github.com/ncabatoff/process-exporter v0.7.10 github.com/onsi/ginkgo/v2 v2.9.0 - github.com/opencontainers/runc v1.1.4 + github.com/opencontainers/runc v1.1.5 github.com/pmezard/go-difflib v1.0.0 github.com/prometheus/client_golang v1.14.0 github.com/prometheus/client_model v0.3.0 diff --git a/go.sum b/go.sum index 48d90af46..8ee1dc453 100644 --- a/go.sum +++ b/go.sum @@ -294,8 +294,8 @@ github.com/onsi/ginkgo/v2 v2.9.0/go.mod h1:4xkjoL/tZv4SMWeww56BU5kAt19mVB47gTWxm github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.27.1 h1:rfztXRbg6nv/5f+Raen9RcGoSecHIFgBBLQK3Wdj754= -github.com/opencontainers/runc v1.1.4 h1:nRCz/8sKg6K6jgYAFLDlXzPeITBZJyX28DBVhWD+5dg= -github.com/opencontainers/runc v1.1.4/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg= +github.com/opencontainers/runc v1.1.5 h1:L44KXEpKmfWDcS02aeGm8QNTFXTo2D+8MYGDIJ/GDEs= +github.com/opencontainers/runc v1.1.5/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI= From 5806b5800328c2b8f45808cc4fb32f4f4913c13d Mon Sep 17 00:00:00 2001 From: Marco Ebert Date: Tue, 4 Apr 2023 14:55:53 +0200 Subject: [PATCH 251/405] Values: Fix indention of commented values. (#9812) --- charts/ingress-nginx/values.yaml | 36 ++++++++++++++++---------------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 6627bf220..c2e8cdcd7 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -375,26 +375,26 @@ controller: # annotations: # key: value triggers: [] - # - type: prometheus - # metadata: - # serverAddress: http://:9090 - # metricName: http_requests_total - # threshold: '100' - # query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: http_requests_total + # threshold: '100' + # query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) behavior: {} - # scaleDown: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 1 - # periodSeconds: 180 - # scaleUp: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 2 - # periodSeconds: 60 + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 # -- Enable mimalloc as a drop-in replacement for malloc. ## ref: https://github.com/microsoft/mimalloc From 149374d9cd82eafab67019398c082563840f1f49 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 4 Apr 2023 05:57:54 -0700 Subject: [PATCH 252/405] Bump ossf/scorecard-action from 2.1.2 to 2.1.3 (#9823) Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.1.2 to 2.1.3. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](https://github.com/ossf/scorecard-action/compare/e38b1902ae4f44df626f11ba0734b14fb91f8f86...80e868c13c90f172d68d1f4501dee99e2479f7af) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 529cc7c28..608d10bcb 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -32,7 +32,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 + uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3 with: results_file: results.sarif results_format: sarif From c76179c04e880b9ec16e6a4a2c47c1fc54e71cc7 Mon Sep 17 00:00:00 2001 From: viq Date: Tue, 4 Apr 2023 16:45:56 +0200 Subject: [PATCH 253/405] ISO 8601 date format (#9682) Adjust the tag to be in sortable format, compatible with ISO 8601. --- images/cfssl/Makefile | 2 +- images/custom-error-pages/Makefile | 2 +- images/fastcgi-helloserver/Makefile | 2 +- images/go-grpc-greeter-server/Makefile | 2 +- images/httpbin/Makefile | 2 +- images/kube-webhook-certgen/Makefile | 2 +- images/opentelemetry/Makefile | 2 +- images/test-runner/Makefile | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/images/cfssl/Makefile b/images/cfssl/Makefile index b1909abe3..1521d2c78 100644 --- a/images/cfssl/Makefile +++ b/images/cfssl/Makefile @@ -18,7 +18,7 @@ SHELL=/bin/bash -o pipefail -o errexit DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh -TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD) +TAG ?=v$(shell date +%Y%m%d)-$(shell git rev-parse --short HEAD) REGISTRY ?= local IMAGE = $(REGISTRY)/e2e-test-cfssl diff --git a/images/custom-error-pages/Makefile b/images/custom-error-pages/Makefile index 7564b813d..b014beabe 100644 --- a/images/custom-error-pages/Makefile +++ b/images/custom-error-pages/Makefile @@ -20,7 +20,7 @@ SHELL=/bin/bash -o pipefail -o errexit DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh -TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD) +TAG ?=v$(shell date +%Y%m%d)-$(shell git rev-parse --short HEAD) REGISTRY ?= local IMAGE = $(REGISTRY)/nginx-errors diff --git a/images/fastcgi-helloserver/Makefile b/images/fastcgi-helloserver/Makefile index c1b54703f..6c5a3647a 100644 --- a/images/fastcgi-helloserver/Makefile +++ b/images/fastcgi-helloserver/Makefile @@ -20,7 +20,7 @@ SHELL=/bin/bash -o pipefail -o errexit DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh -TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD) +TAG ?=v$(shell date +%Y%m%d)-$(shell git rev-parse --short HEAD) REGISTRY ?= local IMAGE = $(REGISTRY)/e2e-test-fastcgi-helloserver diff --git a/images/go-grpc-greeter-server/Makefile b/images/go-grpc-greeter-server/Makefile index 523b83bfb..e6b6efae6 100644 --- a/images/go-grpc-greeter-server/Makefile +++ b/images/go-grpc-greeter-server/Makefile @@ -18,7 +18,7 @@ SHELL=/bin/bash -o pipefail -o errexit DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh -TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD) +TAG ?=v$(shell date +%Y%m%d)-$(shell git rev-parse --short HEAD) REGISTRY ?= local IMAGE = $(REGISTRY)/go-grpc-greeter-server diff --git a/images/httpbin/Makefile b/images/httpbin/Makefile index ac363dfa8..5d92ffcb5 100644 --- a/images/httpbin/Makefile +++ b/images/httpbin/Makefile @@ -18,7 +18,7 @@ SHELL=/bin/bash -o pipefail -o errexit DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh -TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD) +TAG ?=v$(shell date +%Y%m%d)-$(shell git rev-parse --short HEAD) REGISTRY ?= local IMAGE = $(REGISTRY)/e2e-test-httpbin diff --git a/images/kube-webhook-certgen/Makefile b/images/kube-webhook-certgen/Makefile index f1d3edc5b..1716bc07e 100644 --- a/images/kube-webhook-certgen/Makefile +++ b/images/kube-webhook-certgen/Makefile @@ -19,7 +19,7 @@ SHELL=/bin/bash -o pipefail -o errexit DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh -TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD) +TAG ?=v$(shell date +%Y%m%d)-$(shell git rev-parse --short HEAD) REGISTRY ?= local IMAGE = $(REGISTRY)/kube-webhook-certgen diff --git a/images/opentelemetry/Makefile b/images/opentelemetry/Makefile index 20fb7ec63..695dcf632 100644 --- a/images/opentelemetry/Makefile +++ b/images/opentelemetry/Makefile @@ -21,7 +21,7 @@ DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh # 0.0.0 shouldn't clobber any released builds -TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD) +TAG ?=v$(shell date +%Y%m%d)-$(shell git rev-parse --short HEAD) REGISTRY ?= gcr.io/k8s-staging-ingress-nginx IMAGE = $(REGISTRY)/opentelemetry diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile index a8c3a4560..729f27415 100644 --- a/images/test-runner/Makefile +++ b/images/test-runner/Makefile @@ -18,7 +18,7 @@ SHELL=/bin/bash -o pipefail -o errexit DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh -TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD) +TAG ?=v$(shell date +%Y%m%d)-$(shell git rev-parse --short HEAD) REGISTRY ?= local IMAGE = $(REGISTRY)/e2e-test-runner From 5d4827af0cfb6242ca69395f4d033f700510f557 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 4 Apr 2023 08:05:54 -0700 Subject: [PATCH 254/405] Bump actions/checkout from 3.4.0 to 3.5.0 (#9798) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.4.0 to 3.5.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/24cb9080177205b6e8c946b17badbe402adc938f...8f4b7f84864484a7bf31766abe9204da3cbe65b3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yaml | 22 +++++++++++----------- .github/workflows/depreview.yaml | 2 +- .github/workflows/docs.yaml | 4 ++-- .github/workflows/helm.yaml | 4 ++-- .github/workflows/perftest.yaml | 2 +- .github/workflows/plugin.yaml | 2 +- .github/workflows/scorecards.yml | 2 +- .github/workflows/vulnerability-scans.yaml | 4 ++-- 8 files changed, 21 insertions(+), 21 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 83c9fcd18..b810a3aba 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -39,7 +39,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 + uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter @@ -65,7 +65,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 + uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - name: Run Gosec Security Scanner uses: securego/gosec@a459eb0ba387d9bd083d5c2e2354dbeef2465038 # v2.15.0 @@ -82,7 +82,7 @@ jobs: (needs.changes.outputs.go == 'true') steps: - name: Checkout - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 + uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - name: Set up Go id: go @@ -101,7 +101,7 @@ jobs: (needs.changes.outputs.go == 'true') steps: - name: Checkout - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 + uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - name: Set up Go id: go @@ -120,7 +120,7 @@ jobs: (needs.changes.outputs.go == 'true') steps: - name: Checkout - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 + uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - name: Set up Go id: go @@ -141,7 +141,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 + uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - name: Set up Go id: go @@ -208,7 +208,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 + uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - name: Setup Go uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 @@ -288,7 +288,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 + uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - name: cache uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 @@ -342,7 +342,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 + uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - name: cache uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 @@ -391,7 +391,7 @@ jobs: PLATFORMS: linux/amd64,linux/arm64 steps: - name: Checkout - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 + uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter-images @@ -464,7 +464,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 + uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter-images diff --git a/.github/workflows/depreview.yaml b/.github/workflows/depreview.yaml index 46a587ded..e18f71a20 100644 --- a/.github/workflows/depreview.yaml +++ b/.github/workflows/depreview.yaml @@ -9,6 +9,6 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 + uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - name: 'Dependency Review' uses: actions/dependency-review-action@f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e # v3.0.4 diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 3ab49ef10..5a0f6bb7b 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -23,7 +23,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 + uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter @@ -47,7 +47,7 @@ jobs: steps: - name: Checkout master - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 + uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - name: Deploy uses: ./.github/actions/mkdocs diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml index 4e7fde34f..e3fa2d779 100644 --- a/.github/workflows/helm.yaml +++ b/.github/workflows/helm.yaml @@ -23,7 +23,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 + uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - name: Run Artifact Hub lint run: | @@ -61,7 +61,7 @@ jobs: steps: - name: Checkout master - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 + uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 with: # Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896 fetch-depth: 0 diff --git a/.github/workflows/perftest.yaml b/.github/workflows/perftest.yaml index dd31420bf..4b7e000a5 100644 --- a/.github/workflows/perftest.yaml +++ b/.github/workflows/perftest.yaml @@ -19,7 +19,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 + uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - name: Install K6 run: | diff --git a/.github/workflows/plugin.yaml b/.github/workflows/plugin.yaml index 03a7a9bac..c56535223 100644 --- a/.github/workflows/plugin.yaml +++ b/.github/workflows/plugin.yaml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 + uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 with: fetch-depth: 0 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 608d10bcb..b0ce14f51 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -27,7 +27,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 + uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 with: persist-credentials: false diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index 9649140ec..aae43d03c 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -22,7 +22,7 @@ jobs: versions: ${{ steps.version.outputs.TAGS }} steps: - name: Checkout code - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 + uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 with: fetch-depth: 0 @@ -52,7 +52,7 @@ jobs: versions: ${{ fromJSON(needs.version.outputs.versions) }} steps: - name: Checkout code - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 + uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 - shell: bash id: test From 522683813a200fb06342a035db49963b1e76aa26 Mon Sep 17 00:00:00 2001 From: Saumya <76432998+SaumyaBhushan@users.noreply.github.com> Date: Wed, 5 Apr 2023 17:35:41 +0530 Subject: [PATCH 255/405] updated NGINX_BASE image in project (#9829) --- NGINX_BASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NGINX_BASE b/NGINX_BASE index bf23fa5a7..5f1751bbf 100644 --- a/NGINX_BASE +++ b/NGINX_BASE @@ -1 +1 @@ -registry.k8s.io/ingress-nginx/nginx:66a760794f91809bcd897cbdb45435653d73fd92@sha256:86c1581e69dc92d107f8edd36724890ea682a3afda8c1fb1ba41aabc7bc0128d \ No newline at end of file +registry.k8s.io/ingress-nginx/nginx:91057c439cf07ffb62887b8a8bda66ce3cbe39ca@sha256:3b650123c755392f8c0eb9a356b12716327106e624ab5f5b43bc25ab130978fb \ No newline at end of file From 26d83d1b2058cc9c23657b4e97b9e5a6d5fe9871 Mon Sep 17 00:00:00 2001 From: James Strong Date: Thu, 6 Apr 2023 13:25:48 -0400 Subject: [PATCH 256/405] update all container tags with date and sha, upgrade all containers (#9834) Signed-off-by: James Strong --- .github/workflows/ci.yaml | 1 + hack/verify-chart-lint.sh | 2 +- images/cfssl/cloudbuild.yaml | 1 - images/cfssl/rootfs/Dockerfile | 5 +- images/custom-error-pages/cloudbuild.yaml | 1 - images/custom-error-pages/rootfs/Dockerfile | 4 +- images/echo/Makefile | 2 +- images/echo/cloudbuild.yaml | 1 - images/echo/rootfs/Dockerfile | 2 +- .../ext-auth-example-authsvc/cloudbuild.yaml | 1 - images/fastcgi-helloserver/cloudbuild.yaml | 1 - images/go-grpc-greeter-server/cloudbuild.yaml | 1 - images/httpbin/cloudbuild.yaml | 1 - images/httpbin/rootfs/Dockerfile | 2 +- images/kube-webhook-certgen/cloudbuild.yaml | 1 - images/nginx/Makefile | 2 +- images/nginx/cloudbuild.yaml | 1 - images/nginx/rootfs/Dockerfile | 2 +- images/opentelemetry/cloudbuild.yaml | 1 - images/test-runner/Makefile | 45 ++++++++--- images/test-runner/cloudbuild.yaml | 2 +- images/test-runner/rootfs/Dockerfile | 74 +++++++++---------- test/e2e-image/Dockerfile | 3 +- test/e2e-image/Makefile | 2 +- 24 files changed, 90 insertions(+), 68 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index b810a3aba..6323c65be 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -22,6 +22,7 @@ on: required: false type: boolean + permissions: contents: read diff --git a/hack/verify-chart-lint.sh b/hack/verify-chart-lint.sh index 2d59dadce..9ece681e0 100755 --- a/hack/verify-chart-lint.sh +++ b/hack/verify-chart-lint.sh @@ -20,5 +20,5 @@ set -o pipefail KUBE_ROOT="$( cd "$(dirname "$0")../" >/dev/null 2>&1 ; pwd -P )" # TODO: This is a temporary workaround while we don't update Helm Chart test -curl https://raw.githubusercontent.com/helm/chart-testing/v3.7.0/etc/chart_schema.yaml -o /tmp/chart_schema.yaml +curl https://raw.githubusercontent.com/helm/chart-testing/v3.8.0/etc/chart_schema.yaml -o /tmp/chart_schema.yaml ct lint --charts ${KUBE_ROOT}/charts/ingress-nginx --validate-maintainers=false --chart-yaml-schema=/tmp/chart_schema.yaml diff --git a/images/cfssl/cloudbuild.yaml b/images/cfssl/cloudbuild.yaml index 5fb9e0c96..3f0abee99 100644 --- a/images/cfssl/cloudbuild.yaml +++ b/images/cfssl/cloudbuild.yaml @@ -6,7 +6,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - TAG=$_GIT_TAG - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx diff --git a/images/cfssl/rootfs/Dockerfile b/images/cfssl/rootfs/Dockerfile index 7841e189c..a50c715ea 100644 --- a/images/cfssl/rootfs/Dockerfile +++ b/images/cfssl/rootfs/Dockerfile @@ -14,8 +14,11 @@ FROM alpine:3.17.2 + RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories -RUN apk add --no-cache \ +RUN apk update \ + && apk upgrade && \ + apk add --no-cache \ bash \ cfssl@testing diff --git a/images/custom-error-pages/cloudbuild.yaml b/images/custom-error-pages/cloudbuild.yaml index 8c96d289c..3490bd73b 100644 --- a/images/custom-error-pages/cloudbuild.yaml +++ b/images/custom-error-pages/cloudbuild.yaml @@ -6,7 +6,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - TAG=$_GIT_TAG - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx diff --git a/images/custom-error-pages/rootfs/Dockerfile b/images/custom-error-pages/rootfs/Dockerfile index 942228eac..b34bb6977 100755 --- a/images/custom-error-pages/rootfs/Dockerfile +++ b/images/custom-error-pages/rootfs/Dockerfile @@ -13,7 +13,9 @@ # limitations under the License. FROM golang:1.20.1-alpine3.17 as builder -RUN apk add git + +RUN apk update \ + && apk upgrade && apk add git WORKDIR /go/src/k8s.io/ingress-nginx/images/custom-error-pages diff --git a/images/echo/Makefile b/images/echo/Makefile index 0ab1c945f..5dc546a8b 100644 --- a/images/echo/Makefile +++ b/images/echo/Makefile @@ -18,7 +18,7 @@ SHELL=/bin/bash -o pipefail -o errexit DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh -TAG ?=v1.0.0 +TAG ?=v$(shell date +%Y%m%d)-$(shell git rev-parse --short HEAD) REGISTRY ?= local IMAGE = $(REGISTRY)/e2e-test-echo diff --git a/images/echo/cloudbuild.yaml b/images/echo/cloudbuild.yaml index 8349b5a7f..8f59b6727 100644 --- a/images/echo/cloudbuild.yaml +++ b/images/echo/cloudbuild.yaml @@ -6,7 +6,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - TAG=$_GIT_TAG - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx diff --git a/images/echo/rootfs/Dockerfile b/images/echo/rootfs/Dockerfile index 4c9b6ab55..c4ab26561 100644 --- a/images/echo/rootfs/Dockerfile +++ b/images/echo/rootfs/Dockerfile @@ -2,7 +2,7 @@ ARG BASE_IMAGE FROM ${BASE_IMAGE} -RUN apk add -U perl curl make unzip +RUN apk update && apk upgrade && apk add -U --no-cache perl curl make unzip ARG LUAROCKS_VERSION ARG LUAROCKS_SHA diff --git a/images/ext-auth-example-authsvc/cloudbuild.yaml b/images/ext-auth-example-authsvc/cloudbuild.yaml index d77c9fc19..8de32fdc9 100644 --- a/images/ext-auth-example-authsvc/cloudbuild.yaml +++ b/images/ext-auth-example-authsvc/cloudbuild.yaml @@ -8,7 +8,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - TAG=$_GIT_TAG - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx diff --git a/images/fastcgi-helloserver/cloudbuild.yaml b/images/fastcgi-helloserver/cloudbuild.yaml index cb4ac2e94..92f4be017 100644 --- a/images/fastcgi-helloserver/cloudbuild.yaml +++ b/images/fastcgi-helloserver/cloudbuild.yaml @@ -6,7 +6,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - TAG=$_GIT_TAG - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx diff --git a/images/go-grpc-greeter-server/cloudbuild.yaml b/images/go-grpc-greeter-server/cloudbuild.yaml index 834c0cb85..d618c5e6f 100644 --- a/images/go-grpc-greeter-server/cloudbuild.yaml +++ b/images/go-grpc-greeter-server/cloudbuild.yaml @@ -8,7 +8,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - TAG=$_GIT_TAG - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx diff --git a/images/httpbin/cloudbuild.yaml b/images/httpbin/cloudbuild.yaml index 9f2658b7b..ffd8c9974 100644 --- a/images/httpbin/cloudbuild.yaml +++ b/images/httpbin/cloudbuild.yaml @@ -8,7 +8,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - TAG=$_GIT_TAG - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx diff --git a/images/httpbin/rootfs/Dockerfile b/images/httpbin/rootfs/Dockerfile index 0e490be74..a05f6872f 100644 --- a/images/httpbin/rootfs/Dockerfile +++ b/images/httpbin/rootfs/Dockerfile @@ -17,7 +17,7 @@ FROM alpine:3.17.2 ENV LC_ALL=C.UTF-8 ENV LANG=C.UTF-8 -RUN apk update \ +RUN apk upgrade && apk update \ && apk add --no-cache \ python3 python3-dev \ musl-dev gcc g++ make \ diff --git a/images/kube-webhook-certgen/cloudbuild.yaml b/images/kube-webhook-certgen/cloudbuild.yaml index 127dee6eb..ef938ef6a 100644 --- a/images/kube-webhook-certgen/cloudbuild.yaml +++ b/images/kube-webhook-certgen/cloudbuild.yaml @@ -21,7 +21,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - TAG=$_GIT_TAG - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx diff --git a/images/nginx/Makefile b/images/nginx/Makefile index 438d0cfe1..053f1e5e8 100644 --- a/images/nginx/Makefile +++ b/images/nginx/Makefile @@ -21,7 +21,7 @@ DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh # 0.0.0 shouldn't clobber any released builds -TAG ?= 0.0 +TAG ?=v$(shell date +%Y%m%d)-$(shell git rev-parse --short HEAD) REGISTRY ?= gcr.io/k8s-staging-ingress-nginx IMAGE = $(REGISTRY)/nginx diff --git a/images/nginx/cloudbuild.yaml b/images/nginx/cloudbuild.yaml index b3d7b1507..003209d77 100644 --- a/images/nginx/cloudbuild.yaml +++ b/images/nginx/cloudbuild.yaml @@ -9,7 +9,6 @@ steps: env: - DOCKER_CLI_EXPERIMENTAL=enabled - BASE_REF=$_PULL_BASE_REF - - TAG=$_PULL_BASE_SHA - REGISTRY=gcr.io/k8s-staging-ingress-nginx - HOME=/root args: diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile index 3279af5d5..a968eb1b3 100644 --- a/images/nginx/rootfs/Dockerfile +++ b/images/nginx/rootfs/Dockerfile @@ -17,7 +17,7 @@ COPY . / RUN apk update \ && apk upgrade \ - && apk add -U bash \ + && apk add -U bash --no-cache \ && /build.sh # Use a multi-stage build diff --git a/images/opentelemetry/cloudbuild.yaml b/images/opentelemetry/cloudbuild.yaml index 0096c0f44..82b75e6e6 100644 --- a/images/opentelemetry/cloudbuild.yaml +++ b/images/opentelemetry/cloudbuild.yaml @@ -8,7 +8,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - TAG=$_GIT_TAG - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile index 729f27415..289270e26 100644 --- a/images/test-runner/Makefile +++ b/images/test-runner/Makefile @@ -30,27 +30,52 @@ export DOCKER_CLI_EXPERIMENTAL=enabled # build with buildx PLATFORMS?=linux/amd64,linux/arm64 -OUTPUT= +OUTPUT?= PROGRESS=plain -build: ensure-buildx - docker buildx build \ - --platform=${PLATFORMS} $(OUTPUT) \ - --progress=$(PROGRESS) \ +image: + echo "Building docker image ($(ARCH))..." + docker build \ + ${PLATFORM_FLAG} ${PLATFORM} \ + --no-cache \ --pull \ - --build-arg BASE_IMAGE=$(NGINX_BASE_IMAGE) \ + --push \ + --build-arg BASE_IMAGE=${NGINX_BASE_IMAGE} \ --build-arg GOLANG_VERSION=1.20.1 \ --build-arg ETCD_VERSION=3.4.3-0 \ - --build-arg K8S_RELEASE=v1.24.2 \ + --build-arg K8S_RELEASE=v1.26.0 \ --build-arg RESTY_CLI_VERSION=0.27 \ --build-arg RESTY_CLI_SHA=e5f4f3128af49ba5c4d039d0554e5ae91bbe05866f60eccfa96d3653274bff90 \ --build-arg LUAROCKS_VERSION=3.8.0 \ --build-arg LUAROCKS_SHA=ab6612ca9ab87c6984871d2712d05525775e8b50172701a0a1cabddf76de2be7 \ - --build-arg CHART_TESTING_VERSION=3.7.0 \ + --build-arg CHART_TESTING_VERSION=3.8.0 \ --build-arg YAML_LINT_VERSION=1.27.1 \ --build-arg YAMALE_VERSION=4.0.4 \ - --build-arg HELM_VERSION=v3.9.0 \ - -t $(IMAGE):$(TAG) rootfs + --build-arg HELM_VERSION=3.11.2 \ + --build-arg GINKGO_VERSION=2.9.0 \ + --build-arg GOLINT_VERSION=latest \ + -t ${IMAGE}:${TAG} rootfs + +build: ensure-buildx + docker buildx build \ + --platform=${PLATFORMS} ${OUTPUT} \ + --progress=${PROGRESS} \ + --pull \ + --build-arg BASE_IMAGE=${NGINX_BASE_IMAGE} \ + --build-arg GOLANG_VERSION=1.20.1 \ + --build-arg ETCD_VERSION=3.4.3-0 \ + --build-arg K8S_RELEASE=v1.26.0 \ + --build-arg RESTY_CLI_VERSION=0.27 \ + --build-arg RESTY_CLI_SHA=e5f4f3128af49ba5c4d039d0554e5ae91bbe05866f60eccfa96d3653274bff90 \ + --build-arg LUAROCKS_VERSION=3.8.0 \ + --build-arg LUAROCKS_SHA=ab6612ca9ab87c6984871d2712d05525775e8b50172701a0a1cabddf76de2be7 \ + --build-arg CHART_TESTING_VERSION=3.8.0 \ + --build-arg YAML_LINT_VERSION=1.27.1 \ + --build-arg YAMALE_VERSION=4.0.4 \ + --build-arg HELM_VERSION=3.11.2 \ + --build-arg GINKGO_VERSION=2.9.0 \ + --build-arg GOLINT_VERSION=latest \ + -t ${IMAGE}:${TAG} rootfs # push the cross built image push: OUTPUT=--push diff --git a/images/test-runner/cloudbuild.yaml b/images/test-runner/cloudbuild.yaml index b1f32d6a2..ff4667b0c 100644 --- a/images/test-runner/cloudbuild.yaml +++ b/images/test-runner/cloudbuild.yaml @@ -6,7 +6,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - TAG=$_GIT_TAG - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx @@ -20,3 +19,4 @@ steps: substitutions: _GIT_TAG: "12345" _PULL_BASE_REF: "master" + _PULL_BASE_SHA: '12345' \ No newline at end of file diff --git a/images/test-runner/rootfs/Dockerfile b/images/test-runner/rootfs/Dockerfile index 7872b7a2b..0b691a7d2 100644 --- a/images/test-runner/rootfs/Dockerfile +++ b/images/test-runner/rootfs/Dockerfile @@ -11,7 +11,6 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - ARG BASE_IMAGE ARG GOLANG_VERSION ARG ETCD_VERSION @@ -21,6 +20,20 @@ FROM registry.k8s.io/etcd:${ETCD_VERSION} as etcd FROM ${BASE_IMAGE} +ARG RESTY_CLI_VERSION +ARG RESTY_CLI_SHA +ARG LUAROCKS_VERSION +ARG LUAROCKS_SHA +ARG TARGETARCH +ARG K8S_RELEASE +ARG CHART_TESTING_VERSION +ARG HELM_VERSION +ARG YAMALE_VERSION +ARG YAML_LINT_VERSION +ARG GINKGO_VERSION +ARG GOLINT_VERSION + + RUN set -eux; \ if [ -e /etc/nsswitch.conf ]; then \ grep '^hosts: files dns' /etc/nsswitch.conf; \ @@ -28,13 +41,16 @@ RUN set -eux; \ echo 'hosts: files dns' > /etc/nsswitch.conf; \ fi - COPY --from=GO /usr/local/go /usr/local/go +ENV GOPATH /go +ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH +RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH" + COPY --from=etcd /usr/local/bin/etcd /usr/local/bin/etcd -RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories +RUN echo "@testing https://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories -RUN apk add --no-cache \ +RUN apk update && apk upgrade && apk add --no-cache \ bash \ ca-certificates \ wget \ @@ -48,19 +64,15 @@ RUN apk add --no-cache \ py-pip \ unzip \ openssl \ - cfssl@testing + cfssl@testing \ + curl \ + tzdata \ + libc6-compat -ENV GOPATH /go -ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH +RUN go install -v github.com/onsi/ginkgo/v2/ginkgo@v${GINKGO_VERSION} \ + && go install golang.org/x/lint/golint@${GOLINT_VERSION} -RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH" - -RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.9.0 && go install golang.org/x/lint/golint@latest - -ARG RESTY_CLI_VERSION -ARG RESTY_CLI_SHA - -RUN wget -O /tmp/resty_cli.tgz \ +RUN wget -qO /tmp/resty_cli.tgz \ https://github.com/openresty/resty-cli/archive/v${RESTY_CLI_VERSION}.tar.gz \ && echo "${RESTY_CLI_SHA} */tmp/resty_cli.tgz" | sha256sum -c - \ && tar -C /tmp -xzf /tmp/resty_cli.tgz \ @@ -68,10 +80,7 @@ RUN wget -O /tmp/resty_cli.tgz \ && resty -V \ && rm -rf /tmp/* -ARG LUAROCKS_VERSION -ARG LUAROCKS_SHA - -RUN wget -O /tmp/luarocks.tgz \ +RUN wget -qO /tmp/luarocks.tgz \ https://github.com/luarocks/luarocks/archive/v${LUAROCKS_VERSION}.tar.gz \ && echo "${LUAROCKS_SHA} */tmp/luarocks.tgz" | sha256sum -c - \ && tar -C /tmp -xzf /tmp/luarocks.tgz \ @@ -82,48 +91,39 @@ RUN wget -O /tmp/luarocks.tgz \ RUN luarocks install busted \ && luarocks install luacheck -ARG TARGETARCH - -ARG K8S_RELEASE - -RUN wget -O /usr/local/bin/kubectl \ +RUN wget -qO /usr/local/bin/kubectl \ https://storage.googleapis.com/kubernetes-release/release/${K8S_RELEASE}/bin/linux/${TARGETARCH}/kubectl \ && chmod +x /usr/local/bin/kubectl -RUN wget -O /usr/local/bin/kube-apiserver \ +RUN wget -qO /usr/local/bin/kube-apiserver \ https://storage.googleapis.com/kubernetes-release/release/${K8S_RELEASE}/bin/linux/${TARGETARCH}/kube-apiserver \ && chmod +x /usr/local/bin/kube-apiserver -ARG CHART_TESTING_VERSION - -RUN wget -O /tmp/ct-${CHART_TESTING_VERSION}-linux-amd64.tar.gz \ - https://github.com/helm/chart-testing/releases/download/v${CHART_TESTING_VERSION}/chart-testing_${CHART_TESTING_VERSION}_linux_amd64.tar.gz \ +RUN wget -qO /tmp/ct-${CHART_TESTING_VERSION}-linux-${TARGETARCH}.tar.gz \ + https://github.com/helm/chart-testing/releases/download/v${CHART_TESTING_VERSION}/chart-testing_${CHART_TESTING_VERSION}_linux_${TARGETARCH}.tar.gz \ && mkdir -p /tmp/ct-download \ - && tar xzvf /tmp/ct-${CHART_TESTING_VERSION}-linux-amd64.tar.gz -C /tmp/ct-download \ - && rm /tmp/ct-${CHART_TESTING_VERSION}-linux-amd64.tar.gz \ + && tar xzvf /tmp/ct-${CHART_TESTING_VERSION}-linux-${TARGETARCH}.tar.gz -C /tmp/ct-download \ + && rm /tmp/ct-${CHART_TESTING_VERSION}-linux-${TARGETARCH}.tar.gz \ && cp /tmp/ct-download/ct /usr/local/bin \ && mkdir -p /etc/ct \ && cp -R /tmp/ct-download/etc/* /etc/ct \ && rm -rf /tmp/* -RUN wget -O /usr/local/bin/lj-releng \ +RUN wget -qO /usr/local/bin/lj-releng \ https://raw.githubusercontent.com/openresty/openresty-devel-utils/master/lj-releng \ && chmod +x /usr/local/bin/lj-releng -ARG HELM_VERSION -RUN wget -O /tmp/helm.tgz \ - https://get.helm.sh/helm-${HELM_VERSION}-linux-${TARGETARCH}.tar.gz \ +RUN wget -qO /tmp/helm.tgz \ + https://get.helm.sh/helm-v${HELM_VERSION}-linux-${TARGETARCH}.tar.gz \ && tar -C /tmp -xzf /tmp/helm.tgz \ && cp /tmp/linux*/helm /usr/local/bin \ && rm -rf /tmp/* # Install a YAML Linter -ARG YAML_LINT_VERSION RUN pip install "yamllint==$YAML_LINT_VERSION" # Install Yamale YAML schema validator -ARG YAMALE_VERSION RUN pip install "yamale==$YAMALE_VERSION" WORKDIR $GOPATH diff --git a/test/e2e-image/Dockerfile b/test/e2e-image/Dockerfile index 09ce36cc5..11abc26b4 100644 --- a/test/e2e-image/Dockerfile +++ b/test/e2e-image/Dockerfile @@ -3,7 +3,8 @@ FROM ${E2E_BASE_IMAGE} AS BASE FROM alpine:3.17.2 -RUN apk add -U --no-cache \ +RUN apk update \ + && apk upgrade && apk add -U --no-cache \ ca-certificates \ bash \ curl \ diff --git a/test/e2e-image/Makefile b/test/e2e-image/Makefile index 001146f65..011396531 100644 --- a/test/e2e-image/Makefile +++ b/test/e2e-image/Makefile @@ -1,6 +1,6 @@ DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST)))) -E2E_BASE_IMAGE="registry.k8s.io/ingress-nginx/e2e-test-runner:v20230314-helm-chart-4.5.2-32-g520384b11@sha256:754c62f9a5efd1ee515ee908ecc16c0c4d1dda96a8cc8019667182a55f3a9035" +E2E_BASE_IMAGE ?= "registry.k8s.io/ingress-nginx/e2e-test-runner:v20230314-helm-chart-4.5.2-32-g520384b11@sha256:754c62f9a5efd1ee515ee908ecc16c0c4d1dda96a8cc8019667182a55f3a9035" image: echo "..entered Makefile in /test/e2e-image" From 24e0e29386be3ba03249758dcd730360ad6ed97d Mon Sep 17 00:00:00 2001 From: James Strong Date: Fri, 7 Apr 2023 10:42:37 -0400 Subject: [PATCH 257/405] add short sha to gcloud build and makefiles Signed-off-by: James Strong --- images/cfssl/Makefile | 6 +++++- images/cfssl/cloudbuild.yaml | 1 + images/custom-error-pages/Makefile | 4 +++- images/custom-error-pages/cloudbuild.yaml | 1 + images/echo/Makefile | 4 +++- images/echo/cloudbuild.yaml | 1 + images/ext-auth-example-authsvc/cloudbuild.yaml | 1 + images/fastcgi-helloserver/Makefile | 4 +++- images/fastcgi-helloserver/cloudbuild.yaml | 1 + images/go-grpc-greeter-server/Makefile | 4 +++- images/go-grpc-greeter-server/cloudbuild.yaml | 1 + images/httpbin/Makefile | 4 +++- images/httpbin/cloudbuild.yaml | 1 + images/kube-webhook-certgen/Makefile | 4 +++- images/kube-webhook-certgen/cloudbuild.yaml | 1 + images/nginx/Makefile | 4 +++- images/nginx/cloudbuild.yaml | 1 + images/opentelemetry/Makefile | 4 +++- images/opentelemetry/cloudbuild.yaml | 1 + images/test-runner/Makefile | 4 +++- images/test-runner/cloudbuild.yaml | 1 + 21 files changed, 43 insertions(+), 10 deletions(-) diff --git a/images/cfssl/Makefile b/images/cfssl/Makefile index 1521d2c78..8d8e597a4 100644 --- a/images/cfssl/Makefile +++ b/images/cfssl/Makefile @@ -18,9 +18,13 @@ SHELL=/bin/bash -o pipefail -o errexit DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh -TAG ?=v$(shell date +%Y%m%d)-$(shell git rev-parse --short HEAD) +SHORT_SHA ?=$(shell git rev-parse --short HEAD) +TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA) + REGISTRY ?= local + + IMAGE = $(REGISTRY)/e2e-test-cfssl # required to enable buildx diff --git a/images/cfssl/cloudbuild.yaml b/images/cfssl/cloudbuild.yaml index 3f0abee99..4976a3f67 100644 --- a/images/cfssl/cloudbuild.yaml +++ b/images/cfssl/cloudbuild.yaml @@ -6,6 +6,7 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled + - SHORT_SHA=$SHORT_SHA - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx diff --git a/images/custom-error-pages/Makefile b/images/custom-error-pages/Makefile index b014beabe..810736cca 100644 --- a/images/custom-error-pages/Makefile +++ b/images/custom-error-pages/Makefile @@ -20,7 +20,9 @@ SHELL=/bin/bash -o pipefail -o errexit DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh -TAG ?=v$(shell date +%Y%m%d)-$(shell git rev-parse --short HEAD) +SHORT_SHA ?=$(shell git rev-parse --short HEAD) +TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA) + REGISTRY ?= local IMAGE = $(REGISTRY)/nginx-errors diff --git a/images/custom-error-pages/cloudbuild.yaml b/images/custom-error-pages/cloudbuild.yaml index 3490bd73b..e38d4bcdc 100644 --- a/images/custom-error-pages/cloudbuild.yaml +++ b/images/custom-error-pages/cloudbuild.yaml @@ -6,6 +6,7 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled + - SHORT_SHA=$SHORT_SHA - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx diff --git a/images/echo/Makefile b/images/echo/Makefile index 5dc546a8b..a213df5d3 100644 --- a/images/echo/Makefile +++ b/images/echo/Makefile @@ -18,7 +18,9 @@ SHELL=/bin/bash -o pipefail -o errexit DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh -TAG ?=v$(shell date +%Y%m%d)-$(shell git rev-parse --short HEAD) +SHORT_SHA ?=$(shell git rev-parse --short HEAD) +TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA) + REGISTRY ?= local IMAGE = $(REGISTRY)/e2e-test-echo diff --git a/images/echo/cloudbuild.yaml b/images/echo/cloudbuild.yaml index 8f59b6727..f07be825a 100644 --- a/images/echo/cloudbuild.yaml +++ b/images/echo/cloudbuild.yaml @@ -6,6 +6,7 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled + - SHORT_SHA=$SHORT_SHA - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx diff --git a/images/ext-auth-example-authsvc/cloudbuild.yaml b/images/ext-auth-example-authsvc/cloudbuild.yaml index 8de32fdc9..c5bb5db6a 100644 --- a/images/ext-auth-example-authsvc/cloudbuild.yaml +++ b/images/ext-auth-example-authsvc/cloudbuild.yaml @@ -8,6 +8,7 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled + - SHORT_SHA=$SHORT_SHA - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx diff --git a/images/fastcgi-helloserver/Makefile b/images/fastcgi-helloserver/Makefile index 6c5a3647a..4d277a19d 100644 --- a/images/fastcgi-helloserver/Makefile +++ b/images/fastcgi-helloserver/Makefile @@ -20,7 +20,9 @@ SHELL=/bin/bash -o pipefail -o errexit DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh -TAG ?=v$(shell date +%Y%m%d)-$(shell git rev-parse --short HEAD) +SHORT_SHA ?=$(shell git rev-parse --short HEAD) +TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA) + REGISTRY ?= local IMAGE = $(REGISTRY)/e2e-test-fastcgi-helloserver diff --git a/images/fastcgi-helloserver/cloudbuild.yaml b/images/fastcgi-helloserver/cloudbuild.yaml index 92f4be017..a4c9d5eff 100644 --- a/images/fastcgi-helloserver/cloudbuild.yaml +++ b/images/fastcgi-helloserver/cloudbuild.yaml @@ -6,6 +6,7 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled + - SHORT_SHA=$SHORT_SHA - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx diff --git a/images/go-grpc-greeter-server/Makefile b/images/go-grpc-greeter-server/Makefile index e6b6efae6..e221ecfea 100644 --- a/images/go-grpc-greeter-server/Makefile +++ b/images/go-grpc-greeter-server/Makefile @@ -18,7 +18,9 @@ SHELL=/bin/bash -o pipefail -o errexit DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh -TAG ?=v$(shell date +%Y%m%d)-$(shell git rev-parse --short HEAD) +SHORT_SHA ?=$(shell git rev-parse --short HEAD) +TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA) + REGISTRY ?= local IMAGE = $(REGISTRY)/go-grpc-greeter-server diff --git a/images/go-grpc-greeter-server/cloudbuild.yaml b/images/go-grpc-greeter-server/cloudbuild.yaml index d618c5e6f..6f32bcf50 100644 --- a/images/go-grpc-greeter-server/cloudbuild.yaml +++ b/images/go-grpc-greeter-server/cloudbuild.yaml @@ -8,6 +8,7 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled + - SHORT_SHA=$SHORT_SHA - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx diff --git a/images/httpbin/Makefile b/images/httpbin/Makefile index 5d92ffcb5..a2ba07400 100644 --- a/images/httpbin/Makefile +++ b/images/httpbin/Makefile @@ -18,7 +18,9 @@ SHELL=/bin/bash -o pipefail -o errexit DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh -TAG ?=v$(shell date +%Y%m%d)-$(shell git rev-parse --short HEAD) +SHORT_SHA ?=$(shell git rev-parse --short HEAD) +TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA) + REGISTRY ?= local IMAGE = $(REGISTRY)/e2e-test-httpbin diff --git a/images/httpbin/cloudbuild.yaml b/images/httpbin/cloudbuild.yaml index ffd8c9974..e9df202b8 100644 --- a/images/httpbin/cloudbuild.yaml +++ b/images/httpbin/cloudbuild.yaml @@ -8,6 +8,7 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled + - SHORT_SHA=$SHORT_SHA - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx diff --git a/images/kube-webhook-certgen/Makefile b/images/kube-webhook-certgen/Makefile index 1716bc07e..cd014c7c3 100644 --- a/images/kube-webhook-certgen/Makefile +++ b/images/kube-webhook-certgen/Makefile @@ -19,7 +19,9 @@ SHELL=/bin/bash -o pipefail -o errexit DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh -TAG ?=v$(shell date +%Y%m%d)-$(shell git rev-parse --short HEAD) +SHORT_SHA ?=$(shell git rev-parse --short HEAD) +TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA) + REGISTRY ?= local IMAGE = $(REGISTRY)/kube-webhook-certgen diff --git a/images/kube-webhook-certgen/cloudbuild.yaml b/images/kube-webhook-certgen/cloudbuild.yaml index ef938ef6a..bf0bd3ce1 100644 --- a/images/kube-webhook-certgen/cloudbuild.yaml +++ b/images/kube-webhook-certgen/cloudbuild.yaml @@ -21,6 +21,7 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled + - SHORT_SHA=$SHORT_SHA - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx diff --git a/images/nginx/Makefile b/images/nginx/Makefile index 053f1e5e8..b54a7739b 100644 --- a/images/nginx/Makefile +++ b/images/nginx/Makefile @@ -21,7 +21,9 @@ DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh # 0.0.0 shouldn't clobber any released builds -TAG ?=v$(shell date +%Y%m%d)-$(shell git rev-parse --short HEAD) +SHORT_SHA ?=$(shell git rev-parse --short HEAD) +TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA) + REGISTRY ?= gcr.io/k8s-staging-ingress-nginx IMAGE = $(REGISTRY)/nginx diff --git a/images/nginx/cloudbuild.yaml b/images/nginx/cloudbuild.yaml index 003209d77..c581700dd 100644 --- a/images/nginx/cloudbuild.yaml +++ b/images/nginx/cloudbuild.yaml @@ -8,6 +8,7 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled + - SHORT_SHA=$SHORT_SHA - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx - HOME=/root diff --git a/images/opentelemetry/Makefile b/images/opentelemetry/Makefile index 695dcf632..07a66beed 100644 --- a/images/opentelemetry/Makefile +++ b/images/opentelemetry/Makefile @@ -21,7 +21,9 @@ DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh # 0.0.0 shouldn't clobber any released builds -TAG ?=v$(shell date +%Y%m%d)-$(shell git rev-parse --short HEAD) +SHORT_SHA ?=$(shell git rev-parse --short HEAD) +TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA) + REGISTRY ?= gcr.io/k8s-staging-ingress-nginx IMAGE = $(REGISTRY)/opentelemetry diff --git a/images/opentelemetry/cloudbuild.yaml b/images/opentelemetry/cloudbuild.yaml index 82b75e6e6..9556ccba9 100644 --- a/images/opentelemetry/cloudbuild.yaml +++ b/images/opentelemetry/cloudbuild.yaml @@ -8,6 +8,7 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled + - SHORT_SHA=$SHORT_SHA - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile index 289270e26..562625cff 100644 --- a/images/test-runner/Makefile +++ b/images/test-runner/Makefile @@ -18,7 +18,9 @@ SHELL=/bin/bash -o pipefail -o errexit DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh -TAG ?=v$(shell date +%Y%m%d)-$(shell git rev-parse --short HEAD) +SHORT_SHA ?=$(shell git rev-parse --short HEAD) +TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA) + REGISTRY ?= local IMAGE = $(REGISTRY)/e2e-test-runner diff --git a/images/test-runner/cloudbuild.yaml b/images/test-runner/cloudbuild.yaml index ff4667b0c..761ea7f28 100644 --- a/images/test-runner/cloudbuild.yaml +++ b/images/test-runner/cloudbuild.yaml @@ -6,6 +6,7 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled + - SHORT_SHA=$SHORT_SHA - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx From 7fcafff04617528619950b1cef190a3b424e4f2b Mon Sep 17 00:00:00 2001 From: Marco Ebert Date: Fri, 7 Apr 2023 17:39:15 +0200 Subject: [PATCH 258/405] Chart: Improve `README.md`. (#9831) --- charts/ingress-nginx/README.md | 28 ++------------------------- charts/ingress-nginx/README.md.gotmpl | 27 +------------------------- 2 files changed, 3 insertions(+), 52 deletions(-) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index cb3848634..44b553ece 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -8,10 +8,9 @@ To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.c This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. -## Prerequisites +## Requirements -- Chart version 3.x.x: Kubernetes v1.16+ -- Chart version 4.x.x and above: Kubernetes v1.19+ +Kubernetes: `>=1.20.0-0` ## Get Repo Info @@ -52,10 +51,6 @@ helm upgrade [RELEASE_NAME] [CHART] --install _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ -### Upgrading With Zero Downtime in Production - -By default the ingress-nginx controller has service interruptions whenever it's pods are restarted or redeployed. In order to fix that, see the excellent blog post by Lindsay Landry from Codecademy: [Kubernetes: Nginx and Zero Downtime in Production](https://medium.com/codecademy-engineering/kubernetes-nginx-and-zero-downtime-in-production-2c910c6a5ed8). - ### Migrating from stable/nginx-ingress There are two main ways to migrate a release from `stable/nginx-ingress` to `ingress-nginx/ingress-nginx` chart: @@ -66,7 +61,6 @@ There are two main ways to migrate a release from `stable/nginx-ingress` to `ing 1. Redirect your DNS traffic from the old controller to the new controller 1. Log traffic from both controllers during this changeover 1. [Uninstall](#uninstall-chart) the old controller once traffic has fully drained from it - 1. For details on all of these steps see [Upgrading With Zero Downtime in Production](#upgrading-with-zero-downtime-in-production) Note that there are some different and upgraded configurations between the two charts, described by Rimas Mocevicius from JFrog in the "Upgrading to ingress-nginx Helm chart" section of [Migrating from Helm chart nginx-ingress to ingress-nginx](https://rimusz.net/migrating-to-ingress-nginx). As the `ingress-nginx/ingress-nginx` chart continues to update, you will want to check current differences by running [helm configuration](#configuration) commands on both charts. @@ -126,19 +120,6 @@ controller: service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600' ``` -### AWS route53-mapper - -To configure the LoadBalancer service with the [route53-mapper addon](https://github.com/kubernetes/kops/blob/be63d4f1a7a46daaf1c4c482527328236850f111/addons/route53-mapper/README.md), add the `domainName` annotation and `dns` label: - -```yaml -controller: - service: - labels: - dns: "route53" - annotations: - domainName: "kubernetes-example.com" -``` - ### Additional Internal Load Balancer This setup is useful when you need both external and internal load balancers but don't want to have multiple ingress controllers and multiple ingress objects per application. @@ -244,10 +225,6 @@ Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13 As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered. -## Requirements - -Kubernetes: `>=1.20.0-0` - ## Values | Key | Type | Default | Description | @@ -522,4 +499,3 @@ Kubernetes: `>=1.20.0-0` | serviceAccount.name | string | `""` | | | tcp | object | `{}` | TCP service key-value pairs # Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md # | | udp | object | `{}` | UDP service key-value pairs # Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md # | - diff --git a/charts/ingress-nginx/README.md.gotmpl b/charts/ingress-nginx/README.md.gotmpl index 99a2a62cb..238166277 100644 --- a/charts/ingress-nginx/README.md.gotmpl +++ b/charts/ingress-nginx/README.md.gotmpl @@ -7,10 +7,7 @@ To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.c This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. -## Prerequisites - -- Chart version 3.x.x: Kubernetes v1.16+ -- Chart version 4.x.x and above: Kubernetes v1.19+ +{{ template "chart.requirementsSection" . }} ## Get Repo Info @@ -51,10 +48,6 @@ helm upgrade [RELEASE_NAME] [CHART] --install _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ -### Upgrading With Zero Downtime in Production - -By default the ingress-nginx controller has service interruptions whenever it's pods are restarted or redeployed. In order to fix that, see the excellent blog post by Lindsay Landry from Codecademy: [Kubernetes: Nginx and Zero Downtime in Production](https://medium.com/codecademy-engineering/kubernetes-nginx-and-zero-downtime-in-production-2c910c6a5ed8). - ### Migrating from stable/nginx-ingress There are two main ways to migrate a release from `stable/nginx-ingress` to `ingress-nginx/ingress-nginx` chart: @@ -65,7 +58,6 @@ There are two main ways to migrate a release from `stable/nginx-ingress` to `ing 1. Redirect your DNS traffic from the old controller to the new controller 1. Log traffic from both controllers during this changeover 1. [Uninstall](#uninstall-chart) the old controller once traffic has fully drained from it - 1. For details on all of these steps see [Upgrading With Zero Downtime in Production](#upgrading-with-zero-downtime-in-production) Note that there are some different and upgraded configurations between the two charts, described by Rimas Mocevicius from JFrog in the "Upgrading to ingress-nginx Helm chart" section of [Migrating from Helm chart nginx-ingress to ingress-nginx](https://rimusz.net/migrating-to-ingress-nginx). As the `ingress-nginx/ingress-nginx` chart continues to update, you will want to check current differences by running [helm configuration](#configuration) commands on both charts. @@ -125,19 +117,6 @@ controller: service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600' ``` -### AWS route53-mapper - -To configure the LoadBalancer service with the [route53-mapper addon](https://github.com/kubernetes/kops/blob/be63d4f1a7a46daaf1c4c482527328236850f111/addons/route53-mapper/README.md), add the `domainName` annotation and `dns` label: - -```yaml -controller: - service: - labels: - dns: "route53" - annotations: - domainName: "kubernetes-example.com" -``` - ### Additional Internal Load Balancer This setup is useful when you need both external and internal load balancers but don't want to have multiple ingress controllers and multiple ingress objects per application. @@ -243,8 +222,4 @@ Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13 As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered. -{{ template "chart.requirementsSection" . }} - {{ template "chart.valuesSection" . }} - -{{ template "helm-docs.versionFooter" . }} From 4e8d0b5836096426393340273260b9000cd1e151 Mon Sep 17 00:00:00 2001 From: Marco Cadetg Date: Tue, 11 Apr 2023 10:01:18 +0200 Subject: [PATCH 259/405] Exclude socket metrics (#9770) * exclude creation and exporting of socket metrics via flag * make exclude metric naming more consistent * fix connect time metric update * add documentation * e2e test * improve creation of metric mapping --- cmd/dataplane/main.go | 2 +- cmd/nginx/main.go | 2 +- docs/user-guide/cli-arguments.md | 1 + internal/ingress/controller/controller.go | 9 +- internal/ingress/metric/collectors/socket.go | 219 +++++++++++------- .../ingress/metric/collectors/socket_test.go | 116 +++++++++- internal/ingress/metric/main.go | 4 +- pkg/flags/flags.go | 10 +- test/e2e/e2e.go | 1 + test/e2e/metrics/metrics.go | 94 ++++++++ 10 files changed, 362 insertions(+), 96 deletions(-) create mode 100644 test/e2e/metrics/metrics.go diff --git a/cmd/dataplane/main.go b/cmd/dataplane/main.go index 0ab978429..6fd559e4d 100644 --- a/cmd/dataplane/main.go +++ b/cmd/dataplane/main.go @@ -70,7 +70,7 @@ func main() { mc := metric.NewDummyCollector() if conf.EnableMetrics { // TODO: Ingress class is not a part of dataplane anymore - mc, err = metric.NewCollector(conf.MetricsPerHost, conf.ReportStatusClasses, reg, conf.IngressClassConfiguration.Controller, *conf.MetricsBuckets) + mc, err = metric.NewCollector(conf.MetricsPerHost, conf.ReportStatusClasses, reg, conf.IngressClassConfiguration.Controller, *conf.MetricsBuckets, conf.ExcludeSocketMetrics) if err != nil { klog.Fatalf("Error creating prometheus collector: %v", err) } diff --git a/cmd/nginx/main.go b/cmd/nginx/main.go index 9f0973ec9..48dd933dc 100644 --- a/cmd/nginx/main.go +++ b/cmd/nginx/main.go @@ -133,7 +133,7 @@ func main() { mc := metric.NewDummyCollector() if conf.EnableMetrics { - mc, err = metric.NewCollector(conf.MetricsPerHost, conf.ReportStatusClasses, reg, conf.IngressClassConfiguration.Controller, *conf.MetricsBuckets) + mc, err = metric.NewCollector(conf.MetricsPerHost, conf.ReportStatusClasses, reg, conf.IngressClassConfiguration.Controller, *conf.MetricsBuckets, conf.ExcludeSocketMetrics) if err != nil { klog.Fatalf("Error creating prometheus collector: %v", err) } diff --git a/docs/user-guide/cli-arguments.md b/docs/user-guide/cli-arguments.md index febc6f762..59e52957d 100644 --- a/docs/user-guide/cli-arguments.md +++ b/docs/user-guide/cli-arguments.md @@ -25,6 +25,7 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment | `--enable-ssl-chain-completion` | Autocomplete SSL certificate chains with missing intermediate CA certificates. Certificates uploaded to Kubernetes must have the "Authority Information Access" X.509 v3 extension for this to succeed. (default false)| | `--enable-ssl-passthrough` | Enable SSL Passthrough. (default false) | | `--enable-topology-aware-routing` | Enable topology aware hints feature, needs service object annotation service.kubernetes.io/topology-aware-hints sets to auto. (default false) | +| `--exclude-socket-metrics` | Set of socket request metrics to exclude which won't be exported nor being calculated. The possible socket request metrics to exclude are documented in the monitoring guide e.g. 'nginx_ingress_controller_request_duration_seconds,nginx_ingress_controller_response_size'| | `--health-check-path` | URL path of the health check endpoint. Configured inside the NGINX status server. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. (default "/healthz") | | `--health-check-timeout` | Time limit, in seconds, for a probe to health-check-path to succeed. (default 10) | | `--healthz-port` | Port to use for the healthz endpoint. (default 10254) | diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index 5d94605b5..17142a478 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -102,10 +102,11 @@ type Configuration struct { EnableProfiling bool - EnableMetrics bool - MetricsPerHost bool - MetricsBuckets *collectors.HistogramBuckets - ReportStatusClasses bool + EnableMetrics bool + MetricsPerHost bool + MetricsBuckets *collectors.HistogramBuckets + ReportStatusClasses bool + ExcludeSocketMetrics []string FakeCertificate *ingress.SSLCert diff --git a/internal/ingress/metric/collectors/socket.go b/internal/ingress/metric/collectors/socket.go index 23048d5d6..508cc6bc8 100644 --- a/internal/ingress/metric/collectors/socket.go +++ b/internal/ingress/metric/collectors/socket.go @@ -21,6 +21,7 @@ import ( "io" "net" "os" + "strings" "syscall" jsoniter "github.com/json-iterator/go" @@ -60,6 +61,8 @@ type HistogramBuckets struct { SizeBuckets []float64 } +type metricMapping map[string]prometheus.Collector + // SocketCollector stores prometheus metrics and ingress meta-data type SocketCollector struct { prometheus.Collector @@ -78,7 +81,7 @@ type SocketCollector struct { listener net.Listener - metricMapping map[string]interface{} + metricMapping metricMapping hosts sets.Set[string] @@ -106,7 +109,7 @@ var defObjectives = map[float64]float64{0.5: 0.05, 0.9: 0.01, 0.99: 0.001} // NewSocketCollector creates a new SocketCollector instance using // the ingress watch namespace and class used by the controller -func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStatusClasses bool, buckets HistogramBuckets) (*SocketCollector, error) { +func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStatusClasses bool, buckets HistogramBuckets, excludeMetrics []string) (*SocketCollector, error) { socket := "/tmp/nginx/prometheus-nginx.socket" // unix sockets must be unlink()ed before being used _ = syscall.Unlink(socket) @@ -132,13 +135,23 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat requestTags = append(requestTags, "host") } + em := make(map[string]struct{}, len(excludeMetrics)) + for _, m := range excludeMetrics { + // remove potential nginx_ingress_controller prefix from the metric name + // TBD: how to handle fully qualified histogram metrics e.g. _buckets and _sum. Should we just remove the suffix and remove the histogram metric or ignore it? + em[strings.TrimPrefix(m, "nginx_ingress_controller_")] = struct{}{} + } + + // create metric mapping with only the metrics that are not excluded + mm := make(metricMapping) + sc := &SocketCollector{ listener: listener, metricsPerHost: metricsPerHost, reportStatusClasses: reportStatusClasses, - connectTime: prometheus.NewHistogramVec( + connectTime: histogramMetric( prometheus.HistogramOpts{ Name: "connect_duration_seconds", Help: "The time spent on establishing a connection with the upstream server", @@ -147,8 +160,11 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat Buckets: buckets.TimeBuckets, }, requestTags, + em, + mm, ), - headerTime: prometheus.NewHistogramVec( + + headerTime: histogramMetric( prometheus.HistogramOpts{ Name: "header_duration_seconds", Help: "The time spent on receiving first header from the upstream server", @@ -157,8 +173,10 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat Buckets: buckets.TimeBuckets, }, requestTags, + em, + mm, ), - responseTime: prometheus.NewHistogramVec( + responseTime: histogramMetric( prometheus.HistogramOpts{ Name: "response_duration_seconds", Help: "The time spent on receiving the response from the upstream server", @@ -167,8 +185,11 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat Buckets: buckets.TimeBuckets, }, requestTags, + em, + mm, ), - requestTime: prometheus.NewHistogramVec( + + requestTime: histogramMetric( prometheus.HistogramOpts{ Name: "request_duration_seconds", Help: "The request processing time in milliseconds", @@ -177,9 +198,11 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat Buckets: buckets.TimeBuckets, }, requestTags, + em, + mm, ), - responseLength: prometheus.NewHistogramVec( + responseLength: histogramMetric( prometheus.HistogramOpts{ Name: "response_size", Help: "The response length (including request line, header, and request body)", @@ -188,19 +211,24 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat Buckets: buckets.LengthBuckets, }, requestTags, + em, + mm, ), - requestLength: prometheus.NewHistogramVec( + + requestLength: histogramMetric( prometheus.HistogramOpts{ Name: "request_size", Help: "The request length (including request line, header, and request body)", Namespace: PrometheusNamespace, - Buckets: buckets.LengthBuckets, ConstLabels: constLabels, + Buckets: buckets.LengthBuckets, }, requestTags, + em, + mm, ), - requests: prometheus.NewCounterVec( + requests: counterMetric( prometheus.CounterOpts{ Name: "requests", Help: "The total number of client requests", @@ -208,9 +236,11 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat ConstLabels: constLabels, }, requestTags, + em, + mm, ), - bytesSent: prometheus.NewHistogramVec( + bytesSent: histogramMetric( prometheus.HistogramOpts{ Name: "bytes_sent", Help: "DEPRECATED The number of bytes sent to a client", @@ -219,9 +249,11 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat ConstLabels: constLabels, }, requestTags, + em, + mm, ), - upstreamLatency: prometheus.NewSummaryVec( + upstreamLatency: summaryMetric( prometheus.SummaryOpts{ Name: "ingress_upstream_latency_seconds", Help: "DEPRECATED Upstream service latency per Ingress", @@ -230,28 +262,59 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat Objectives: defObjectives, }, []string{"ingress", "namespace", "service", "canary"}, + em, + mm, ), } - sc.metricMapping = map[string]interface{}{ - prometheus.BuildFQName(PrometheusNamespace, "", "requests"): sc.requests, - - prometheus.BuildFQName(PrometheusNamespace, "", "connect_duration_seconds"): sc.connectTime, - prometheus.BuildFQName(PrometheusNamespace, "", "header_duration_seconds"): sc.headerTime, - prometheus.BuildFQName(PrometheusNamespace, "", "response_duration_seconds"): sc.responseTime, - prometheus.BuildFQName(PrometheusNamespace, "", "request_duration_seconds"): sc.requestTime, - - prometheus.BuildFQName(PrometheusNamespace, "", "request_size"): sc.requestLength, - prometheus.BuildFQName(PrometheusNamespace, "", "response_size"): sc.responseLength, - - prometheus.BuildFQName(PrometheusNamespace, "", "bytes_sent"): sc.bytesSent, - - prometheus.BuildFQName(PrometheusNamespace, "", "ingress_upstream_latency_seconds"): sc.upstreamLatency, - } - + sc.metricMapping = mm return sc, nil } +func containsMetric(excludeMetrics map[string]struct{}, name string) bool { + if _, ok := excludeMetrics[name]; ok { + klog.V(3).InfoS("Skipping metric", "metric", name) + return true + } + return false +} + +func summaryMetric(opts prometheus.SummaryOpts, requestTags []string, excludeMetrics map[string]struct{}, metricMapping metricMapping) *prometheus.SummaryVec { + if containsMetric(excludeMetrics, opts.Name) { + return nil + } + m := prometheus.NewSummaryVec( + opts, + requestTags, + ) + metricMapping[prometheus.BuildFQName(PrometheusNamespace, "", opts.Name)] = m + return m +} + +func counterMetric(opts prometheus.CounterOpts, requestTags []string, excludeMetrics map[string]struct{}, metricMapping metricMapping) *prometheus.CounterVec { + if containsMetric(excludeMetrics, opts.Name) { + return nil + } + m := prometheus.NewCounterVec( + opts, + requestTags, + ) + metricMapping[prometheus.BuildFQName(PrometheusNamespace, "", opts.Name)] = m + return m +} + +func histogramMetric(opts prometheus.HistogramOpts, requestTags []string, excludeMetrics map[string]struct{}, metricMapping metricMapping) *prometheus.HistogramVec { + if containsMetric(excludeMetrics, opts.Name) { + return nil + } + m := prometheus.NewHistogramVec( + opts, + requestTags, + ) + metricMapping[prometheus.BuildFQName(PrometheusNamespace, "", opts.Name)] = m + return m +} + func (sc *SocketCollector) handleMessage(msg []byte) { klog.V(5).InfoS("Metric", "message", string(msg)) @@ -305,30 +368,36 @@ func (sc *SocketCollector) handleMessage(msg []byte) { "canary": stats.Canary, } - requestsMetric, err := sc.requests.GetMetricWith(collectorLabels) - if err != nil { - klog.ErrorS(err, "Error fetching requests metric") - } else { - requestsMetric.Inc() + if sc.requests != nil { + requestsMetric, err := sc.requests.GetMetricWith(collectorLabels) + if err != nil { + klog.ErrorS(err, "Error fetching requests metric") + } else { + requestsMetric.Inc() + } } if stats.Latency != -1 { - connectTimeMetric, err := sc.connectTime.GetMetricWith(requestLabels) - if err != nil { - klog.ErrorS(err, "Error fetching connect time metric") - } else { - connectTimeMetric.Observe(stats.Latency) + if sc.connectTime != nil { + connectTimeMetric, err := sc.connectTime.GetMetricWith(requestLabels) + if err != nil { + klog.ErrorS(err, "Error fetching connect time metric") + } else { + connectTimeMetric.Observe(stats.Latency) + } } - latencyMetric, err := sc.upstreamLatency.GetMetricWith(latencyLabels) - if err != nil { - klog.ErrorS(err, "Error fetching latency metric") - } else { - latencyMetric.Observe(stats.Latency) + if sc.upstreamLatency != nil { + latencyMetric, err := sc.upstreamLatency.GetMetricWith(latencyLabels) + if err != nil { + klog.ErrorS(err, "Error fetching latency metric") + } else { + latencyMetric.Observe(stats.Latency) + } } } - if stats.HeaderTime != -1 { + if stats.HeaderTime != -1 && sc.headerTime != nil { headerTimeMetric, err := sc.headerTime.GetMetricWith(requestLabels) if err != nil { klog.ErrorS(err, "Error fetching header time metric") @@ -337,7 +406,7 @@ func (sc *SocketCollector) handleMessage(msg []byte) { } } - if stats.RequestTime != -1 { + if stats.RequestTime != -1 && sc.requestTime != nil { requestTimeMetric, err := sc.requestTime.GetMetricWith(requestLabels) if err != nil { klog.ErrorS(err, "Error fetching request duration metric") @@ -346,7 +415,7 @@ func (sc *SocketCollector) handleMessage(msg []byte) { } } - if stats.RequestLength != -1 { + if stats.RequestLength != -1 && sc.requestLength != nil { requestLengthMetric, err := sc.requestLength.GetMetricWith(requestLabels) if err != nil { klog.ErrorS(err, "Error fetching request length metric") @@ -355,7 +424,7 @@ func (sc *SocketCollector) handleMessage(msg []byte) { } } - if stats.ResponseTime != -1 { + if stats.ResponseTime != -1 && sc.responseTime != nil { responseTimeMetric, err := sc.responseTime.GetMetricWith(requestLabels) if err != nil { klog.ErrorS(err, "Error fetching upstream response time metric") @@ -365,18 +434,22 @@ func (sc *SocketCollector) handleMessage(msg []byte) { } if stats.ResponseLength != -1 { - bytesSentMetric, err := sc.bytesSent.GetMetricWith(requestLabels) - if err != nil { - klog.ErrorS(err, "Error fetching bytes sent metric") - } else { - bytesSentMetric.Observe(stats.ResponseLength) + if sc.bytesSent != nil { + bytesSentMetric, err := sc.bytesSent.GetMetricWith(requestLabels) + if err != nil { + klog.ErrorS(err, "Error fetching bytes sent metric") + } else { + bytesSentMetric.Observe(stats.ResponseLength) + } } - responseSizeMetric, err := sc.responseLength.GetMetricWith(requestLabels) - if err != nil { - klog.ErrorS(err, "Error fetching bytes sent metric") - } else { - responseSizeMetric.Observe(stats.ResponseLength) + if sc.responseLength != nil { + responseSizeMetric, err := sc.responseLength.GetMetricWith(requestLabels) + if err != nil { + klog.ErrorS(err, "Error fetching bytes sent metric") + } else { + responseSizeMetric.Observe(stats.ResponseLength) + } } } } @@ -471,36 +544,16 @@ func (sc *SocketCollector) RemoveMetrics(ingresses []string, registry prometheus // Describe implements prometheus.Collector func (sc SocketCollector) Describe(ch chan<- *prometheus.Desc) { - sc.connectTime.Describe(ch) - sc.headerTime.Describe(ch) - sc.responseTime.Describe(ch) - sc.requestTime.Describe(ch) - - sc.requestLength.Describe(ch) - sc.responseLength.Describe(ch) - - sc.requests.Describe(ch) - - sc.upstreamLatency.Describe(ch) - - sc.bytesSent.Describe(ch) + for _, metric := range sc.metricMapping { + metric.Describe(ch) + } } // Collect implements the prometheus.Collector interface. func (sc SocketCollector) Collect(ch chan<- prometheus.Metric) { - sc.connectTime.Collect(ch) - sc.headerTime.Collect(ch) - sc.responseTime.Collect(ch) - sc.requestTime.Collect(ch) - - sc.requestLength.Collect(ch) - sc.responseLength.Collect(ch) - - sc.requests.Collect(ch) - - sc.upstreamLatency.Collect(ch) - - sc.bytesSent.Collect(ch) + for _, metric := range sc.metricMapping { + metric.Collect(ch) + } } // SetHosts sets the hostnames that are being served by the ingress controller diff --git a/internal/ingress/metric/collectors/socket_test.go b/internal/ingress/metric/collectors/socket_test.go index 4bebc7600..fe442aba0 100644 --- a/internal/ingress/metric/collectors/socket_test.go +++ b/internal/ingress/metric/collectors/socket_test.go @@ -84,6 +84,7 @@ func TestCollector(t *testing.T) { data []string metrics []string useStatusClasses bool + excludeMetrics []string wantBefore string removeIngresses []string wantAfter string @@ -470,13 +471,126 @@ func TestCollector(t *testing.T) { wantAfter: ` `, }, + { + name: "basic exclude metrics test", + data: []string{`[{ + "host":"testshop.com", + "status":"200", + "bytesSent":150.0, + "method":"GET", + "path":"/admin", + "requestLength":300.0, + "requestTime":60.0, + "upstreamLatency":1.0, + "upstreamHeaderTime":5.0, + "upstreamName":"test-upstream", + "upstreamIP":"1.1.1.1:8080", + "upstreamResponseTime":200, + "upstreamStatus":"220", + "namespace":"test-app-production", + "ingress":"web-yml", + "service":"test-app", + "canary":"" + }]`}, + excludeMetrics: []string{"nginx_ingress_controller_connect_duration_seconds"}, + metrics: []string{"nginx_ingress_controller_connect_duration_seconds", "nginx_ingress_controller_response_duration_seconds"}, + useStatusClasses: true, + wantBefore: ` + # HELP nginx_ingress_controller_response_duration_seconds The time spent on receiving the response from the upstream server + # TYPE nginx_ingress_controller_response_duration_seconds histogram + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.005"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.01"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.025"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.05"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.1"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.25"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.5"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="1"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="2.5"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="5"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="10"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="+Inf"} 1 + nginx_ingress_controller_response_duration_seconds_sum{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx"} 200 + nginx_ingress_controller_response_duration_seconds_count{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx"} 1 + `, + }, + { + name: "remove metrics with the short metric name", + data: []string{`[{ + "host":"testshop.com", + "status":"200", + "bytesSent":150.0, + "method":"GET", + "path":"/admin", + "requestLength":300.0, + "requestTime":60.0, + "upstreamLatency":1.0, + "upstreamHeaderTime":5.0, + "upstreamName":"test-upstream", + "upstreamIP":"1.1.1.1:8080", + "upstreamResponseTime":200, + "upstreamStatus":"220", + "namespace":"test-app-production", + "ingress":"web-yml", + "service":"test-app", + "canary":"" + }]`}, + excludeMetrics: []string{"response_duration_seconds"}, + metrics: []string{"nginx_ingress_controller_response_duration_seconds"}, + useStatusClasses: true, + wantBefore: ` + `, + }, + { + name: "exclude metrics make sure to only remove exactly matched metrics", + data: []string{`[{ + "host":"testshop.com", + "status":"200", + "bytesSent":150.0, + "method":"GET", + "path":"/admin", + "requestLength":300.0, + "requestTime":60.0, + "upstreamLatency":1.0, + "upstreamHeaderTime":5.0, + "upstreamName":"test-upstream", + "upstreamIP":"1.1.1.1:8080", + "upstreamResponseTime":200, + "upstreamStatus":"220", + "namespace":"test-app-production", + "ingress":"web-yml", + "service":"test-app", + "canary":"" + }]`}, + excludeMetrics: []string{"response_duration_seconds2", "test.*", "nginx_ingress_.*", "response_duration_secon"}, + metrics: []string{"nginx_ingress_controller_response_duration_seconds"}, + useStatusClasses: true, + wantBefore: ` + # HELP nginx_ingress_controller_response_duration_seconds The time spent on receiving the response from the upstream server + # TYPE nginx_ingress_controller_response_duration_seconds histogram + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.005"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.01"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.025"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.05"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.1"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.25"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.5"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="1"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="2.5"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="5"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="10"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="+Inf"} 1 + nginx_ingress_controller_response_duration_seconds_sum{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx"} 200 + nginx_ingress_controller_response_duration_seconds_count{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx"} 1 + `, + }, } for _, c := range cases { t.Run(c.name, func(t *testing.T) { registry := prometheus.NewPedanticRegistry() - sc, err := NewSocketCollector("pod", "default", "ingress", true, c.useStatusClasses, buckets) + sc, err := NewSocketCollector("pod", "default", "ingress", true, c.useStatusClasses, buckets, c.excludeMetrics) if err != nil { t.Errorf("%v: unexpected error creating new SocketCollector: %v", c.name, err) } diff --git a/internal/ingress/metric/main.go b/internal/ingress/metric/main.go index cac86e889..b2f721f62 100644 --- a/internal/ingress/metric/main.go +++ b/internal/ingress/metric/main.go @@ -71,7 +71,7 @@ type collector struct { } // NewCollector creates a new metric collector the for ingress controller -func NewCollector(metricsPerHost, reportStatusClasses bool, registry *prometheus.Registry, ingressclass string, buckets collectors.HistogramBuckets) (Collector, error) { +func NewCollector(metricsPerHost, reportStatusClasses bool, registry *prometheus.Registry, ingressclass string, buckets collectors.HistogramBuckets, excludedSocketMetrics []string) (Collector, error) { podNamespace := os.Getenv("POD_NAMESPACE") if podNamespace == "" { podNamespace = "default" @@ -89,7 +89,7 @@ func NewCollector(metricsPerHost, reportStatusClasses bool, registry *prometheus return nil, err } - s, err := collectors.NewSocketCollector(podName, podNamespace, ingressclass, metricsPerHost, reportStatusClasses, buckets) + s, err := collectors.NewSocketCollector(podName, podNamespace, ingressclass, metricsPerHost, reportStatusClasses, buckets, excludedSocketMetrics) if err != nil { return nil, err } diff --git a/pkg/flags/flags.go b/pkg/flags/flags.go index 911ab775c..370510380 100644 --- a/pkg/flags/flags.go +++ b/pkg/flags/flags.go @@ -171,10 +171,11 @@ Requires the update-status parameter.`) reportStatusClasses = flags.Bool("report-status-classes", false, `Use status classes (2xx, 3xx, 4xx and 5xx) instead of status codes in metrics.`) - timeBuckets = flags.Float64Slice("time-buckets", prometheus.DefBuckets, "Set of buckets which will be used for prometheus histogram metrics such as RequestTime, ResponseTime.") - lengthBuckets = flags.Float64Slice("length-buckets", prometheus.LinearBuckets(10, 10, 10), "Set of buckets which will be used for prometheus histogram metrics such as RequestLength, ResponseLength.") - sizeBuckets = flags.Float64Slice("size-buckets", prometheus.ExponentialBuckets(10, 10, 7), "Set of buckets which will be used for prometheus histogram metrics such as BytesSent.") - monitorMaxBatchSize = flags.Int("monitor-max-batch-size", 10000, "Max batch size of NGINX metrics.") + timeBuckets = flags.Float64Slice("time-buckets", prometheus.DefBuckets, "Set of buckets which will be used for prometheus histogram metrics such as RequestTime, ResponseTime.") + lengthBuckets = flags.Float64Slice("length-buckets", prometheus.LinearBuckets(10, 10, 10), "Set of buckets which will be used for prometheus histogram metrics such as RequestLength, ResponseLength.") + sizeBuckets = flags.Float64Slice("size-buckets", prometheus.ExponentialBuckets(10, 10, 7), "Set of buckets which will be used for prometheus histogram metrics such as BytesSent.") + excludeSocketMetrics = flags.StringSlice("exclude-socket-metrics", []string{}, "et of socket request metrics to exclude which won't be exported nor being calculated. E.g. 'nginx_ingress_controller_success,nginx_ingress_controller_header_duration_seconds'.") + monitorMaxBatchSize = flags.Int("monitor-max-batch-size", 10000, "Max batch size of NGINX metrics.") httpPort = flags.Int("http-port", 80, `Port to use for servicing HTTP traffic.`) httpsPort = flags.Int("https-port", 443, `Port to use for servicing HTTPS traffic.`) @@ -328,6 +329,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g MetricsPerHost: *metricsPerHost, MetricsBuckets: histogramBuckets, ReportStatusClasses: *reportStatusClasses, + ExcludeSocketMetrics: *excludeSocketMetrics, MonitorMaxBatchSize: *monitorMaxBatchSize, DisableServiceExternalName: *disableServiceExternalName, EnableSSLPassthrough: *enableSSLPassthrough, diff --git a/test/e2e/e2e.go b/test/e2e/e2e.go index 57b047230..614dd166a 100644 --- a/test/e2e/e2e.go +++ b/test/e2e/e2e.go @@ -40,6 +40,7 @@ import ( _ "k8s.io/ingress-nginx/test/e2e/leaks" _ "k8s.io/ingress-nginx/test/e2e/loadbalance" _ "k8s.io/ingress-nginx/test/e2e/lua" + _ "k8s.io/ingress-nginx/test/e2e/metrics" _ "k8s.io/ingress-nginx/test/e2e/nginx" _ "k8s.io/ingress-nginx/test/e2e/security" _ "k8s.io/ingress-nginx/test/e2e/servicebackend" diff --git a/test/e2e/metrics/metrics.go b/test/e2e/metrics/metrics.go new file mode 100644 index 000000000..907b53732 --- /dev/null +++ b/test/e2e/metrics/metrics.go @@ -0,0 +1,94 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package defaultbackend + +import ( + "context" + "fmt" + "net/http" + "strings" + "time" + + "github.com/onsi/ginkgo/v2" + "github.com/stretchr/testify/assert" + appsv1 "k8s.io/api/apps/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + "k8s.io/ingress-nginx/test/e2e/framework" +) + +const waitForMetrics = 2 * time.Second + +var _ = framework.IngressNginxDescribe("[metrics] exported prometheus metrics", func() { + f := framework.NewDefaultFramework("metrics") + host := "foo.com" + + ginkgo.BeforeEach(func() { + f.NewEchoDeployment() + f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)) + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) && + strings.Contains(server, "proxy_pass http://upstream_balancer;") + }) + }) + + ginkgo.It("exclude socket request metrics are absent", func() { + err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error { + args := deployment.Spec.Template.Spec.Containers[0].Args + args = append(args, "--exclude-socket-metrics=nginx_ingress_controller_request_size,nginx_ingress_controller_header_duration_seconds") + deployment.Spec.Template.Spec.Containers[0].Args = args + _, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{}) + return err + }) + assert.Nil(ginkgo.GinkgoT(), err, "updating deployment") + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK) + time.Sleep(waitForMetrics) + + ip := f.GetNginxPodIP() + mf, err := f.GetMetric("nginx_ingress_controller_request_size", ip) + assert.ErrorContains(ginkgo.GinkgoT(), err, "nginx_ingress_controller_request_size") + assert.Nil(ginkgo.GinkgoT(), mf) + }) + ginkgo.It("exclude socket request metrics are present", func() { + err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error { + args := deployment.Spec.Template.Spec.Containers[0].Args + args = append(args, "--exclude-socket-metrics=non_existing_metric_does_not_affect_existing_metrics") + deployment.Spec.Template.Spec.Containers[0].Args = args + _, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{}) + return err + }) + assert.Nil(ginkgo.GinkgoT(), err, "updating deployment") + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK) + time.Sleep(waitForMetrics) + + ip := f.GetNginxPodIP() + mf, err := f.GetMetric("nginx_ingress_controller_request_size", ip) + assert.Nil(ginkgo.GinkgoT(), err) + assert.NotNil(ginkgo.GinkgoT(), mf) + }) +}) From d3e75b056f77be54e01bdb18675f1bb46caece31 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 16 Apr 2023 14:10:42 -0700 Subject: [PATCH 260/405] Bump actions/add-to-project from 0.4.1 to 0.5.0 (#9840) Bumps [actions/add-to-project](https://github.com/actions/add-to-project) from 0.4.1 to 0.5.0. - [Release notes](https://github.com/actions/add-to-project/releases) - [Commits](https://github.com/actions/add-to-project/compare/4756e6330fe1e0a736690d3cfd9f11c9399c2ed4...31b3f3ccdc584546fc445612dec3f38ff5edb41c) --- updated-dependencies: - dependency-name: actions/add-to-project dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/project.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/project.yml b/.github/workflows/project.yml index 35d6d3e5c..95537e16c 100644 --- a/.github/workflows/project.yml +++ b/.github/workflows/project.yml @@ -13,7 +13,7 @@ jobs: repository-projects: write issues: write steps: - - uses: actions/add-to-project@4756e6330fe1e0a736690d3cfd9f11c9399c2ed4 # v0.4.1 + - uses: actions/add-to-project@31b3f3ccdc584546fc445612dec3f38ff5edb41c # v0.5.0 with: project-url: https://github.com/orgs/kubernetes/projects/104 github-token: ${{ secrets.PROJECT_WRITER }} From 6778c3ec44280fb6c5184aee570a94dac5951fa5 Mon Sep 17 00:00:00 2001 From: Ricardo Katz Date: Sun, 16 Apr 2023 21:22:43 -0300 Subject: [PATCH 261/405] Remove deprecated annotation secure-upstream (#9862) --- internal/ingress/annotations/annotations.go | 3 - .../annotations/secureupstream/main.go | 48 ------ .../annotations/secureupstream/main_test.go | 162 ------------------ 3 files changed, 213 deletions(-) delete mode 100644 internal/ingress/annotations/secureupstream/main.go delete mode 100644 internal/ingress/annotations/secureupstream/main_test.go diff --git a/internal/ingress/annotations/annotations.go b/internal/ingress/annotations/annotations.go index 6a9e7367c..974b9ce16 100644 --- a/internal/ingress/annotations/annotations.go +++ b/internal/ingress/annotations/annotations.go @@ -58,7 +58,6 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations/redirect" "k8s.io/ingress-nginx/internal/ingress/annotations/rewrite" "k8s.io/ingress-nginx/internal/ingress/annotations/satisfy" - "k8s.io/ingress-nginx/internal/ingress/annotations/secureupstream" "k8s.io/ingress-nginx/internal/ingress/annotations/serversnippet" "k8s.io/ingress-nginx/internal/ingress/annotations/serviceupstream" "k8s.io/ingress-nginx/internal/ingress/annotations/sessionaffinity" @@ -103,7 +102,6 @@ type Ingress struct { Redirect redirect.Config Rewrite rewrite.Config Satisfy string - SecureUpstream secureupstream.Config ServerSnippet string ServiceUpstream bool SessionAffinity sessionaffinity.Config @@ -155,7 +153,6 @@ func NewAnnotationExtractor(cfg resolver.Resolver) Extractor { "Redirect": redirect.NewParser(cfg), "Rewrite": rewrite.NewParser(cfg), "Satisfy": satisfy.NewParser(cfg), - "SecureUpstream": secureupstream.NewParser(cfg), "ServerSnippet": serversnippet.NewParser(cfg), "ServiceUpstream": serviceupstream.NewParser(cfg), "SessionAffinity": sessionaffinity.NewParser(cfg), diff --git a/internal/ingress/annotations/secureupstream/main.go b/internal/ingress/annotations/secureupstream/main.go deleted file mode 100644 index ebaea2058..000000000 --- a/internal/ingress/annotations/secureupstream/main.go +++ /dev/null @@ -1,48 +0,0 @@ -/* -Copyright 2016 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package secureupstream - -import ( - networking "k8s.io/api/networking/v1" - "k8s.io/klog/v2" - - "k8s.io/ingress-nginx/internal/ingress/annotations/parser" - "k8s.io/ingress-nginx/internal/ingress/resolver" -) - -// Config describes SSL backend configuration -type Config struct { - CACert resolver.AuthSSLCert `json:"caCert"` -} - -type su struct { - r resolver.Resolver -} - -// NewParser creates a new secure upstream annotation parser -func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return su{r} -} - -// Parse parses the annotations contained in the ingress -// rule used to indicate if the upstream servers should use SSL -func (a su) Parse(ing *networking.Ingress) (secure interface{}, err error) { - if ca, _ := parser.GetStringAnnotation("secure-verify-ca-secret", ing); ca != "" { - klog.Warningf("NOTE! secure-verify-ca-secret is not supported anymore. Please use proxy-ssl-secret instead") - } - return -} diff --git a/internal/ingress/annotations/secureupstream/main_test.go b/internal/ingress/annotations/secureupstream/main_test.go deleted file mode 100644 index 7546cb5cf..000000000 --- a/internal/ingress/annotations/secureupstream/main_test.go +++ /dev/null @@ -1,162 +0,0 @@ -/* -Copyright 2016 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package secureupstream - -import ( - "fmt" - "testing" - - api "k8s.io/api/core/v1" - networking "k8s.io/api/networking/v1" - meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - "k8s.io/ingress-nginx/internal/ingress/annotations/parser" - "k8s.io/ingress-nginx/internal/ingress/resolver" -) - -func buildIngress() *networking.Ingress { - defaultBackend := networking.IngressBackend{ - Service: &networking.IngressServiceBackend{ - Name: "default-backend", - Port: networking.ServiceBackendPort{ - Number: 80, - }, - }, - } - - return &networking.Ingress{ - ObjectMeta: meta_v1.ObjectMeta{ - Name: "foo", - Namespace: api.NamespaceDefault, - }, - Spec: networking.IngressSpec{ - DefaultBackend: &networking.IngressBackend{ - Service: &networking.IngressServiceBackend{ - Name: "default-backend", - Port: networking.ServiceBackendPort{ - Number: 80, - }, - }, - }, - Rules: []networking.IngressRule{ - { - Host: "foo.bar.com", - IngressRuleValue: networking.IngressRuleValue{ - HTTP: &networking.HTTPIngressRuleValue{ - Paths: []networking.HTTPIngressPath{ - { - Path: "/foo", - Backend: defaultBackend, - }, - }, - }, - }, - }, - }, - }, - } -} - -type mockCfg struct { - resolver.Mock - certs map[string]resolver.AuthSSLCert -} - -func (cfg mockCfg) GetAuthCertificate(secret string) (*resolver.AuthSSLCert, error) { - if cert, ok := cfg.certs[secret]; ok { - return &cert, nil - } - return nil, fmt.Errorf("secret not found: %v", secret) -} - -func TestNoCA(t *testing.T) { - ing := buildIngress() - data := map[string]string{} - data[parser.GetAnnotationWithPrefix("backend-protocol")] = "HTTPS" - ing.SetAnnotations(data) - - _, err := NewParser(mockCfg{ - certs: map[string]resolver.AuthSSLCert{ - "default/secure-verify-ca": {}, - }, - }).Parse(ing) - if err != nil { - t.Errorf("Unexpected error on ingress: %v", err) - } -} - -func TestAnnotations(t *testing.T) { - ing := buildIngress() - data := map[string]string{} - data[parser.GetAnnotationWithPrefix("backend-protocol")] = "HTTPS" - data[parser.GetAnnotationWithPrefix("secure-verify-ca-secret")] = "secure-verify-ca" - ing.SetAnnotations(data) - - _, err := NewParser(mockCfg{ - certs: map[string]resolver.AuthSSLCert{ - "default/secure-verify-ca": {}, - }, - }).Parse(ing) - if err != nil { - t.Errorf("Unexpected error on ingress: %v", err) - } -} - -func TestSecretNotFound(t *testing.T) { - ing := buildIngress() - data := map[string]string{} - data[parser.GetAnnotationWithPrefix("backend-protocol")] = "HTTPS" - data[parser.GetAnnotationWithPrefix("secure-verify-ca-secret")] = "secure-verify-ca" - ing.SetAnnotations(data) - _, err := NewParser(mockCfg{}).Parse(ing) - if err != nil { - t.Error("Expected secret not found error on ingress") - } -} - -func TestSecretOnNonSecure(t *testing.T) { - ing := buildIngress() - data := map[string]string{} - data[parser.GetAnnotationWithPrefix("backend-protocol")] = "HTTP" - data[parser.GetAnnotationWithPrefix("secure-verify-ca-secret")] = "secure-verify-ca" - ing.SetAnnotations(data) - _, err := NewParser(mockCfg{ - certs: map[string]resolver.AuthSSLCert{ - "default/secure-verify-ca": {}, - }, - }).Parse(ing) - if err != nil { - t.Error("Expected CA secret on non secure backend error on ingress") - } -} - -func TestUnsupportedAnnotation(t *testing.T) { - ing := buildIngress() - data := map[string]string{} - data[parser.GetAnnotationWithPrefix("backend-protocol")] = "HTTPS" - data[parser.GetAnnotationWithPrefix("secure-verify-ca-secret")] = "secure-verify-ca" - ing.SetAnnotations(data) - - _, err := NewParser(mockCfg{ - certs: map[string]resolver.AuthSSLCert{ - "default/secure-verify-ca": {}, - }, - }).Parse(ing) - if err != nil { - t.Errorf("Unexpected error on ingress: %v", err) - } -} From 297036e1690ae6dee602bae8b49bb015855141eb Mon Sep 17 00:00:00 2001 From: Ricardo Katz Date: Sun, 16 Apr 2023 21:26:43 -0300 Subject: [PATCH 262/405] Deprecate and remove influxdb feature (#9861) --- docs/e2e-tests.md | 8 - .../nginx-configuration/annotations.md | 28 --- images/nginx/rootfs/build.sh | 6 - internal/ingress/annotations/annotations.go | 3 - internal/ingress/annotations/influxdb/main.go | 101 ---------- .../ingress/annotations/influxdb/main_test.go | 138 ------------- internal/ingress/controller/controller.go | 1 - .../ingress/controller/template/template.go | 45 ----- .../controller/template/template_test.go | 25 --- pkg/apis/ingress/types.go | 4 - pkg/apis/ingress/types_equals.go | 4 - rootfs/etc/nginx/template/nginx.tmpl | 6 - test/e2e/annotations/influxdb.go | 186 ------------------ test/e2e/framework/influxdb.go | 141 ------------- 14 files changed, 696 deletions(-) delete mode 100644 internal/ingress/annotations/influxdb/main.go delete mode 100644 internal/ingress/annotations/influxdb/main_test.go delete mode 100644 test/e2e/annotations/influxdb.go delete mode 100644 test/e2e/framework/influxdb.go diff --git a/docs/e2e-tests.md b/docs/e2e-tests.md index 22a76dc7a..ed3e77f67 100644 --- a/docs/e2e-tests.md +++ b/docs/e2e-tests.md @@ -133,10 +133,6 @@ Do not try to edit it manually. - [enable the http2-push-preload directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/http2pushpreload.go#L34) -### [influxdb-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/influxdb.go#L39) - -- [should send the request metric to the influxdb server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/influxdb.go#L48) - ### [whitelist-source-range](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipwhitelist.go#L27) - [should set valid ip whitelist range](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipwhitelist.go#L34) @@ -461,10 +457,6 @@ Do not try to edit it manually. - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/influxdb.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/influxdb.go#L) - ### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/k8s.go#L) - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/k8s.go#L) diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md index dac39f752..3b463eea7 100755 --- a/docs/user-guide/nginx-configuration/annotations.md +++ b/docs/user-guide/nginx-configuration/annotations.md @@ -123,11 +123,6 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz |[nginx.ingress.kubernetes.io/opentracing-trust-incoming-span](#opentracing-trust-incoming-span)|"true" or "false"| |[nginx.ingress.kubernetes.io/enable-opentelemetry](#enable-opentelemetry)|"true" or "false"| |[nginx.ingress.kubernetes.io/opentelemetry-trust-incoming-span](#opentelemetry-trust-incoming-spans)|"true" or "false"| -|[nginx.ingress.kubernetes.io/enable-influxdb](#influxdb)|"true" or "false"| -|[nginx.ingress.kubernetes.io/influxdb-measurement](#influxdb)|string| -|[nginx.ingress.kubernetes.io/influxdb-port](#influxdb)|string| -|[nginx.ingress.kubernetes.io/influxdb-host](#influxdb)|string| -|[nginx.ingress.kubernetes.io/influxdb-server-name](#influxdb)|string| |[nginx.ingress.kubernetes.io/use-regex](#use-regex)|bool| |[nginx.ingress.kubernetes.io/enable-modsecurity](#modsecurity)|bool| |[nginx.ingress.kubernetes.io/enable-owasp-core-rules](#modsecurity)|bool| @@ -896,29 +891,6 @@ nginx.ingress.kubernetes.io/modsecurity-snippet: | Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf ``` -### InfluxDB - -Using `influxdb-*` annotations we can monitor requests passing through a Location by sending them to an InfluxDB backend exposing the UDP socket -using the [nginx-influxdb-module](https://github.com/influxdata/nginx-influxdb-module/). - -```yaml -nginx.ingress.kubernetes.io/enable-influxdb: "true" -nginx.ingress.kubernetes.io/influxdb-measurement: "nginx-reqs" -nginx.ingress.kubernetes.io/influxdb-port: "8089" -nginx.ingress.kubernetes.io/influxdb-host: "127.0.0.1" -nginx.ingress.kubernetes.io/influxdb-server-name: "nginx-ingress" -``` - -For the `influxdb-host` parameter you have two options: - -- Use an InfluxDB server configured with the [UDP protocol](https://docs.influxdata.com/influxdb/v1.5/supported_protocols/udp/) enabled. -- Deploy Telegraf as a sidecar proxy to the Ingress controller configured to listen UDP with the [socket listener input](https://github.com/influxdata/telegraf/tree/release-1.6/plugins/inputs/socket_listener) and to write using -anyone of the [outputs plugins](https://github.com/influxdata/telegraf/tree/release-1.7/plugins/outputs) like InfluxDB, Apache Kafka, -Prometheus, etc.. (recommended) - -It's important to remember that there's no DNS resolver at this stage so you will have to configure -an ip address to `nginx.ingress.kubernetes.io/influxdb-host`. If you deploy Influx or Telegraf as sidecar (another container in the same pod) this becomes straightforward since you can directly use `127.0.0.1`. - ### Backend Protocol Using `backend-protocol` annotations is possible to indicate how NGINX should communicate with the backend service. (Replaces `secure-backends` in older versions) diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh index 8023575c0..44c7b20f8 100755 --- a/images/nginx/rootfs/build.sh +++ b/images/nginx/rootfs/build.sh @@ -77,8 +77,6 @@ export LUA_UPSTREAM_VERSION=8aa93ead98ba2060d4efd594ae33a35d153589bf # Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.10...openresty:master export LUA_CJSON_VERSION=2.1.0.10 -export NGINX_INFLUXDB_VERSION=5b09391cb7b9a889687c0aa67964c06a2d933e8b - # Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/3.3...master export GEOIP2_VERSION=a26c6beed77e81553686852dceb6c7fdacc5970d @@ -270,9 +268,6 @@ fi get_src 586f92166018cc27080d34e17c59d68219b85af745edf3cc9fe41403fc9b4ac6 \ "https://github.com/DataDog/dd-opentracing-cpp/archive/v$DATADOG_CPP_VERSION.tar.gz" -get_src 1af5a5632dc8b00ae103d51b7bf225de3a7f0df82f5c6a401996c080106e600e \ - "https://github.com/influxdata/nginx-influxdb-module/archive/$NGINX_INFLUXDB_VERSION.tar.gz" - get_src 4c1933434572226942c65b2f2b26c8a536ab76aa771a3c7f6c2629faa764976b \ "https://github.com/leev/ngx_http_geoip2_module/archive/$GEOIP2_VERSION.tar.gz" @@ -640,7 +635,6 @@ WITH_MODULES=" \ --add-module=$BUILD_PATH/lua-upstream-nginx-module-$LUA_UPSTREAM_VERSION \ --add-module=$BUILD_PATH/nginx_ajp_module-${NGINX_AJP_VERSION} \ --add-dynamic-module=$BUILD_PATH/nginx-http-auth-digest-$NGINX_DIGEST_AUTH \ - --add-dynamic-module=$BUILD_PATH/nginx-influxdb-module-$NGINX_INFLUXDB_VERSION \ --add-dynamic-module=$BUILD_PATH/nginx-opentracing-$NGINX_OPENTRACING_VERSION/opentracing \ --add-dynamic-module=$BUILD_PATH/ModSecurity-nginx-$MODSECURITY_VERSION \ --add-dynamic-module=$BUILD_PATH/ngx_http_geoip2_module-${GEOIP2_VERSION} \ diff --git a/internal/ingress/annotations/annotations.go b/internal/ingress/annotations/annotations.go index 974b9ce16..5bb2bf5e6 100644 --- a/internal/ingress/annotations/annotations.go +++ b/internal/ingress/annotations/annotations.go @@ -44,7 +44,6 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations/fastcgi" "k8s.io/ingress-nginx/internal/ingress/annotations/globalratelimit" "k8s.io/ingress-nginx/internal/ingress/annotations/http2pushpreload" - "k8s.io/ingress-nginx/internal/ingress/annotations/influxdb" "k8s.io/ingress-nginx/internal/ingress/annotations/ipdenylist" "k8s.io/ingress-nginx/internal/ingress/annotations/ipwhitelist" "k8s.io/ingress-nginx/internal/ingress/annotations/loadbalancing" @@ -115,7 +114,6 @@ type Ingress struct { XForwardedPrefix string SSLCipher sslcipher.Config Logs log.Config - InfluxDB influxdb.Config ModSecurity modsecurity.Config Mirror mirror.Config StreamSnippet string @@ -166,7 +164,6 @@ func NewAnnotationExtractor(cfg resolver.Resolver) Extractor { "XForwardedPrefix": xforwardedprefix.NewParser(cfg), "SSLCipher": sslcipher.NewParser(cfg), "Logs": log.NewParser(cfg), - "InfluxDB": influxdb.NewParser(cfg), "BackendProtocol": backendprotocol.NewParser(cfg), "ModSecurity": modsecurity.NewParser(cfg), "Mirror": mirror.NewParser(cfg), diff --git a/internal/ingress/annotations/influxdb/main.go b/internal/ingress/annotations/influxdb/main.go deleted file mode 100644 index 1aee91f33..000000000 --- a/internal/ingress/annotations/influxdb/main.go +++ /dev/null @@ -1,101 +0,0 @@ -/* -Copyright 2018 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package influxdb - -import ( - networking "k8s.io/api/networking/v1" - - "k8s.io/ingress-nginx/internal/ingress/annotations/parser" - "k8s.io/ingress-nginx/internal/ingress/resolver" -) - -type influxdb struct { - r resolver.Resolver -} - -// Config contains the IfluxDB configuration to be used in the Ingress -type Config struct { - InfluxDBEnabled bool `json:"influxDBEnabled"` - InfluxDBMeasurement string `json:"influxDBMeasurement"` - InfluxDBPort string `json:"influxDBPort"` - InfluxDBHost string `json:"influxDBHost"` - InfluxDBServerName string `json:"influxDBServerName"` -} - -// NewParser creates a new InfluxDB annotation parser -func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return influxdb{r} -} - -// Parse parses the annotations to look for InfluxDB configurations -func (c influxdb) Parse(ing *networking.Ingress) (interface{}, error) { - var err error - config := &Config{} - - config.InfluxDBEnabled, err = parser.GetBoolAnnotation("enable-influxdb", ing) - if err != nil { - config.InfluxDBEnabled = false - } - - config.InfluxDBMeasurement, err = parser.GetStringAnnotation("influxdb-measurement", ing) - if err != nil { - config.InfluxDBMeasurement = "default" - } - - config.InfluxDBPort, err = parser.GetStringAnnotation("influxdb-port", ing) - if err != nil { - // This is not the default 8086 port but the port usually used to expose - // influxdb in UDP, the module uses UDP to talk to influx via the line protocol. - config.InfluxDBPort = "8089" - } - - config.InfluxDBHost, err = parser.GetStringAnnotation("influxdb-host", ing) - if err != nil { - config.InfluxDBHost = "127.0.0.1" - } - - config.InfluxDBServerName, err = parser.GetStringAnnotation("influxdb-server-name", ing) - if err != nil { - config.InfluxDBServerName = "nginx-ingress" - } - - return config, nil -} - -// Equal tests for equality between two Config types -func (e1 *Config) Equal(e2 *Config) bool { - if e1 == e2 { - return true - } - if e1 == nil || e2 == nil { - return false - } - if e1.InfluxDBEnabled != e2.InfluxDBEnabled { - return false - } - if e1.InfluxDBPort != e2.InfluxDBPort { - return false - } - if e1.InfluxDBHost != e2.InfluxDBHost { - return false - } - if e1.InfluxDBServerName != e2.InfluxDBServerName { - return false - } - - return true -} diff --git a/internal/ingress/annotations/influxdb/main_test.go b/internal/ingress/annotations/influxdb/main_test.go deleted file mode 100644 index 13d681509..000000000 --- a/internal/ingress/annotations/influxdb/main_test.go +++ /dev/null @@ -1,138 +0,0 @@ -/* -Copyright 2018 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package influxdb - -import ( - "testing" - - api "k8s.io/api/core/v1" - networking "k8s.io/api/networking/v1" - meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/ingress-nginx/internal/ingress/annotations/parser" - "k8s.io/ingress-nginx/internal/ingress/resolver" -) - -func buildIngress() *networking.Ingress { - defaultBackend := networking.IngressBackend{ - Service: &networking.IngressServiceBackend{ - Name: "default-backend", - Port: networking.ServiceBackendPort{ - Number: 80, - }, - }, - } - - return &networking.Ingress{ - ObjectMeta: meta_v1.ObjectMeta{ - Name: "foo", - Namespace: api.NamespaceDefault, - }, - Spec: networking.IngressSpec{ - DefaultBackend: &networking.IngressBackend{ - Service: &networking.IngressServiceBackend{ - Name: "default-backend", - Port: networking.ServiceBackendPort{ - Number: 80, - }, - }, - }, - Rules: []networking.IngressRule{ - { - Host: "foo.bar.com", - IngressRuleValue: networking.IngressRuleValue{ - HTTP: &networking.HTTPIngressRuleValue{ - Paths: []networking.HTTPIngressPath{ - { - Path: "/foo", - Backend: defaultBackend, - }, - }, - }, - }, - }, - }, - }, - } -} - -func TestIngressInvalidInfluxDB(t *testing.T) { - ing := buildIngress() - - influx, _ := NewParser(&resolver.Mock{}).Parse(ing) - nginxInflux, ok := influx.(*Config) - if !ok { - t.Errorf("expected a Config type") - } - - if nginxInflux.InfluxDBEnabled == true { - t.Errorf("expected influxdb enabled but returned %v", nginxInflux.InfluxDBEnabled) - } - - if nginxInflux.InfluxDBMeasurement != "default" { - t.Errorf("expected measurement name not found. Found %v", nginxInflux.InfluxDBMeasurement) - } - - if nginxInflux.InfluxDBPort != "8089" { - t.Errorf("expected port not found. Found %v", nginxInflux.InfluxDBPort) - } - - if nginxInflux.InfluxDBHost != "127.0.0.1" { - t.Errorf("expected host not found. Found %v", nginxInflux.InfluxDBHost) - } - - if nginxInflux.InfluxDBServerName != "nginx-ingress" { - t.Errorf("expected server name not found. Found %v", nginxInflux.InfluxDBServerName) - } -} - -func TestIngressInfluxDB(t *testing.T) { - ing := buildIngress() - - data := map[string]string{} - data[parser.GetAnnotationWithPrefix("enable-influxdb")] = "true" - data[parser.GetAnnotationWithPrefix("influxdb-measurement")] = "nginxmeasures" - data[parser.GetAnnotationWithPrefix("influxdb-port")] = "9091" - data[parser.GetAnnotationWithPrefix("influxdb-host")] = "10.99.0.13" - data[parser.GetAnnotationWithPrefix("influxdb-server-name")] = "nginx-test-1" - ing.SetAnnotations(data) - - influx, _ := NewParser(&resolver.Mock{}).Parse(ing) - nginxInflux, ok := influx.(*Config) - if !ok { - t.Errorf("expected a Config type") - } - - if !nginxInflux.InfluxDBEnabled { - t.Errorf("expected influxdb enabled but returned %v", nginxInflux.InfluxDBEnabled) - } - - if nginxInflux.InfluxDBMeasurement != "nginxmeasures" { - t.Errorf("expected measurement name not found. Found %v", nginxInflux.InfluxDBMeasurement) - } - - if nginxInflux.InfluxDBPort != "9091" { - t.Errorf("expected port not found. Found %v", nginxInflux.InfluxDBPort) - } - - if nginxInflux.InfluxDBHost != "10.99.0.13" { - t.Errorf("expected host not found. Found %v", nginxInflux.InfluxDBHost) - } - - if nginxInflux.InfluxDBServerName != "nginx-test-1" { - t.Errorf("expected server name not found. Found %v", nginxInflux.InfluxDBServerName) - } -} diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index 17142a478..80b5b587b 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -1460,7 +1460,6 @@ func locationApplyAnnotations(loc *ingress.Location, anns *annotations.Ingress) loc.UsePortInRedirects = anns.UsePortInRedirects loc.Connection = anns.Connection loc.Logs = anns.Logs - loc.InfluxDB = anns.InfluxDB loc.DefaultBackend = anns.DefaultBackend loc.BackendProtocol = anns.BackendProtocol loc.FastCGI = anns.FastCGI diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go index 9dc9fb3b8..6aadab48e 100644 --- a/internal/ingress/controller/template/template.go +++ b/internal/ingress/controller/template/template.go @@ -40,7 +40,6 @@ import ( "k8s.io/apimachinery/pkg/util/sets" "k8s.io/klog/v2" - "k8s.io/ingress-nginx/internal/ingress/annotations/influxdb" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/internal/ingress/annotations/ratelimit" "k8s.io/ingress-nginx/internal/ingress/controller/config" @@ -267,7 +266,6 @@ var ( "buildOpentracing": buildOpentracing, "buildOpentelemetry": buildOpentelemetry, "proxySetHeader": proxySetHeader, - "buildInfluxDB": buildInfluxDB, "enforceRegexModifier": enforceRegexModifier, "buildCustomErrorDeps": buildCustomErrorDeps, "buildCustomErrorLocationsPerServer": buildCustomErrorLocationsPerServer, @@ -281,7 +279,6 @@ var ( "buildModSecurityForLocation": buildModSecurityForLocation, "buildMirrorLocations": buildMirrorLocations, "shouldLoadAuthDigestModule": shouldLoadAuthDigestModule, - "shouldLoadInfluxDBModule": shouldLoadInfluxDBModule, "buildServerName": buildServerName, "buildCorsOriginRegex": buildCorsOriginRegex, } @@ -1269,29 +1266,6 @@ func buildOpentelemetry(c interface{}, s interface{}) string { return buf.String() } -// buildInfluxDB produces the single line configuration -// needed by the InfluxDB module to send request's metrics -// for the current resource -func buildInfluxDB(input interface{}) string { - cfg, ok := input.(influxdb.Config) - if !ok { - klog.Errorf("expected an 'influxdb.Config' type but %T was returned", input) - return "" - } - - if !cfg.InfluxDBEnabled { - return "" - } - - return fmt.Sprintf( - "influxdb server_name=%s host=%s port=%s measurement=%s enabled=true;", - cfg.InfluxDBServerName, - cfg.InfluxDBHost, - cfg.InfluxDBPort, - cfg.InfluxDBMeasurement, - ) -} - func proxySetHeader(loc interface{}) string { location, ok := loc.(*ingress.Location) if !ok { @@ -1797,25 +1771,6 @@ func shouldLoadAuthDigestModule(s interface{}) bool { return false } -// shouldLoadInfluxDBModule determines whether or not the ngx_http_auth_digest_module module needs to be loaded. -func shouldLoadInfluxDBModule(s interface{}) bool { - servers, ok := s.([]*ingress.Server) - if !ok { - klog.Errorf("expected an '[]*ingress.Server' type but %T was returned", s) - return false - } - - for _, server := range servers { - for _, location := range server.Locations { - if location.InfluxDB.InfluxDBEnabled { - return true - } - } - } - - return false -} - // buildServerName ensures wildcard hostnames are valid func buildServerName(hostname string) string { if !strings.HasPrefix(hostname, "*") { diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go index 343da506b..1980d7e52 100644 --- a/internal/ingress/controller/template/template_test.go +++ b/internal/ingress/controller/template/template_test.go @@ -35,7 +35,6 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/ingress-nginx/internal/ingress/annotations/authreq" - "k8s.io/ingress-nginx/internal/ingress/annotations/influxdb" "k8s.io/ingress-nginx/internal/ingress/annotations/modsecurity" "k8s.io/ingress-nginx/internal/ingress/annotations/opentelemetry" "k8s.io/ingress-nginx/internal/ingress/annotations/opentracing" @@ -1640,30 +1639,6 @@ func TestProxySetHeader(t *testing.T) { } } -func TestBuildInfluxDB(t *testing.T) { - invalidType := &ingress.Ingress{} - expected := "" - actual := buildInfluxDB(invalidType) - - if expected != actual { - t.Errorf("Expected '%v' but returned '%v'", expected, actual) - } - - cfg := influxdb.Config{ - InfluxDBEnabled: true, - InfluxDBServerName: "ok.com", - InfluxDBHost: "host.com", - InfluxDBPort: "5252", - InfluxDBMeasurement: "ok", - } - expected = "influxdb server_name=ok.com host=host.com port=5252 measurement=ok enabled=true;" - actual = buildInfluxDB(cfg) - - if expected != actual { - t.Errorf("Expected '%v' but returned '%v'", expected, actual) - } -} - func TestBuildOpenTracing(t *testing.T) { invalidType := &ingress.Ingress{} expected := "" diff --git a/pkg/apis/ingress/types.go b/pkg/apis/ingress/types.go index 08a2f7575..e50666c18 100644 --- a/pkg/apis/ingress/types.go +++ b/pkg/apis/ingress/types.go @@ -29,7 +29,6 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations/cors" "k8s.io/ingress-nginx/internal/ingress/annotations/fastcgi" "k8s.io/ingress-nginx/internal/ingress/annotations/globalratelimit" - "k8s.io/ingress-nginx/internal/ingress/annotations/influxdb" "k8s.io/ingress-nginx/internal/ingress/annotations/ipdenylist" "k8s.io/ingress-nginx/internal/ingress/annotations/ipwhitelist" "k8s.io/ingress-nginx/internal/ingress/annotations/log" @@ -338,9 +337,6 @@ type Location struct { // Logs allows to enable or disable the nginx logs // By default access logs are enabled and rewrite logs are disabled Logs log.Config `json:"logs,omitempty"` - // InfluxDB allows to monitor the incoming request by sending them to an influxdb database - // +optional - InfluxDB influxdb.Config `json:"influxDB,omitempty"` // BackendProtocol indicates which protocol should be used to communicate with the service // By default this is HTTP BackendProtocol string `json:"backend-protocol"` diff --git a/pkg/apis/ingress/types_equals.go b/pkg/apis/ingress/types_equals.go index 8a54f3758..84b1a186a 100644 --- a/pkg/apis/ingress/types_equals.go +++ b/pkg/apis/ingress/types_equals.go @@ -431,10 +431,6 @@ func (l1 *Location) Equal(l2 *Location) bool { return false } - if !(&l1.InfluxDB).Equal(&l2.InfluxDB) { - return false - } - if l1.BackendProtocol != l2.BackendProtocol { return false } diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index 014c8cc2a..a49989f30 100644 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -21,10 +21,6 @@ load_module /etc/nginx/modules/ngx_http_brotli_filter_module.so; load_module /etc/nginx/modules/ngx_http_brotli_static_module.so; {{ end }} -{{ if (shouldLoadInfluxDBModule $servers) }} -load_module /etc/nginx/modules/ngx_http_influxdb_module.so; -{{ end }} - {{ if (shouldLoadAuthDigestModule $servers) }} load_module /etc/nginx/modules/ngx_http_auth_digest_module.so; {{ end }} @@ -1366,8 +1362,6 @@ stream { {{ range $limit := $limits }} {{ $limit }}{{ end }} - {{ buildInfluxDB $location.InfluxDB }} - {{ if isValidByteSize $location.Proxy.BodySize true }} client_max_body_size {{ $location.Proxy.BodySize }}; {{ end }} diff --git a/test/e2e/annotations/influxdb.go b/test/e2e/annotations/influxdb.go deleted file mode 100644 index 7a52730cf..000000000 --- a/test/e2e/annotations/influxdb.go +++ /dev/null @@ -1,186 +0,0 @@ -/* -Copyright 2018 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package annotations - -import ( - "bytes" - "context" - "fmt" - "net/http" - "os/exec" - "strings" - "time" - - jsoniter "github.com/json-iterator/go" - "github.com/onsi/ginkgo/v2" - "github.com/stretchr/testify/assert" - corev1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/util/intstr" - "k8s.io/apimachinery/pkg/util/wait" - - "k8s.io/ingress-nginx/test/e2e/framework" -) - -var _ = framework.DescribeAnnotation("influxdb-*", func() { - f := framework.NewDefaultFramework("influxdb") - - ginkgo.BeforeEach(func() { - f.NewInfluxDBDeployment() - f.NewEchoDeployment() - }) - - ginkgo.Context("when influxdb is enabled", func() { - ginkgo.It("should send the request metric to the influxdb server", func() { - ifs := createInfluxDBService(f) - - // Ingress configured with InfluxDB annotations - host := "influxdb.e2e.local" - createInfluxDBIngress( - f, - host, - framework.EchoService, - 80, - map[string]string{ - "nginx.ingress.kubernetes.io/enable-influxdb": "true", - "nginx.ingress.kubernetes.io/influxdb-host": ifs.Spec.ClusterIP, - "nginx.ingress.kubernetes.io/influxdb-port": "8089", - "nginx.ingress.kubernetes.io/influxdb-measurement": "requests", - "nginx.ingress.kubernetes.io/influxdb-servername": "e2e-nginx-srv", - }, - ) - - // Do a request to the echo server ingress that sends metrics - // to the InfluxDB backend. - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - Expect(). - Status(http.StatusOK) - - framework.Sleep(10 * time.Second) - - var measurements string - var err error - - err = wait.Poll(time.Second, time.Minute, func() (bool, error) { - measurements, err = extractInfluxDBMeasurements(f) - if err != nil { - return false, nil - } - return true, nil - }) - assert.Nil(ginkgo.GinkgoT(), err) - - var results map[string][]map[string]interface{} - _ = jsoniter.ConfigCompatibleWithStandardLibrary.Unmarshal([]byte(measurements), &results) - - assert.NotEqual(ginkgo.GinkgoT(), len(measurements), 0) - for _, elem := range results["results"] { - assert.NotEqual(ginkgo.GinkgoT(), len(elem), 0) - } - }) - }) -}) - -func createInfluxDBService(f *framework.Framework) *corev1.Service { - service := &corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: "influxdb", - Namespace: f.Namespace, - }, - Spec: corev1.ServiceSpec{Ports: []corev1.ServicePort{ - { - Name: "udp", - Port: 8089, - TargetPort: intstr.FromInt(8089), - Protocol: "UDP", - }, - }, - Selector: map[string]string{ - "app": "influxdb", - }, - }, - } - - return f.EnsureService(service) -} - -func createInfluxDBIngress(f *framework.Framework, host, service string, port int, annotations map[string]string) { - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, service, port, annotations) - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %v", host)) - }) -} - -func extractInfluxDBMeasurements(f *framework.Framework) (string, error) { - l, err := f.KubeClientSet.CoreV1().Pods(f.Namespace).List(context.TODO(), metav1.ListOptions{ - LabelSelector: "app=influxdb", - }) - if err != nil { - return "", err - } - - if len(l.Items) == 0 { - return "", err - } - - cmd := "influx -database 'nginx' -execute 'select * from requests' -format 'json' -pretty" - - var pod *corev1.Pod - for _, p := range l.Items { - pod = &p - break - } - - if pod == nil { - return "", fmt.Errorf("no influxdb pods found") - } - - o, err := execInfluxDBCommand(pod, cmd) - if err != nil { - return "", err - } - - return o, nil -} - -func execInfluxDBCommand(pod *corev1.Pod, command string) (string, error) { - var ( - execOut bytes.Buffer - execErr bytes.Buffer - ) - - cmd := exec.Command("/bin/bash", "-c", fmt.Sprintf("%v exec --namespace %s %s -- %s", framework.KubectlPath, pod.Namespace, pod.Name, command)) - cmd.Stdout = &execOut - cmd.Stderr = &execErr - - err := cmd.Run() - - if execErr.Len() > 0 { - return "", fmt.Errorf("stderr: %v", execErr.String()) - } - - if err != nil { - return "", fmt.Errorf("could not execute '%s %s': %v", cmd.Path, cmd.Args, err) - } - - return execOut.String(), nil -} diff --git a/test/e2e/framework/influxdb.go b/test/e2e/framework/influxdb.go deleted file mode 100644 index 43a5702e6..000000000 --- a/test/e2e/framework/influxdb.go +++ /dev/null @@ -1,141 +0,0 @@ -/* -Copyright 2018 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package framework - -import ( - "github.com/onsi/ginkgo/v2" - "github.com/stretchr/testify/assert" - appsv1 "k8s.io/api/apps/v1" - corev1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/fields" -) - -const influxConfig = ` -reporting-disabled = true -bind-address = "0.0.0.0:8088" - -[meta] - dir = "/var/lib/influxdb/meta" - retention-autocreate = true - logging-enabled = true - -[data] - dir = "/var/lib/influxdb/data" - index-version = "inmem" - wal-dir = "/var/lib/influxdb/wal" - wal-fsync-delay = "0s" - query-log-enabled = true - cache-max-memory-size = 1073741824 - cache-snapshot-memory-size = 26214400 - cache-snapshot-write-cold-duration = "10m0s" - compact-full-write-cold-duration = "4h0m0s" - max-series-per-database = 1000000 - max-values-per-tag = 100000 - max-concurrent-compactions = 0 - trace-logging-enabled = false - -[[udp]] - enabled = true - bind-address = ":8089" - database = "nginx" -` - -// NewInfluxDBDeployment creates an InfluxDB server configured to reply -// on 8086/tcp and 8089/udp -func (f *Framework) NewInfluxDBDeployment() { - configuration := &corev1.ConfigMap{ - ObjectMeta: metav1.ObjectMeta{ - Name: "influxdb-config", - Namespace: f.Namespace, - }, - Data: map[string]string{ - "influxd.conf": influxConfig, - }, - } - - f.EnsureConfigMap(configuration) - - deployment := &appsv1.Deployment{ - ObjectMeta: metav1.ObjectMeta{ - Name: "influxdb", - Namespace: f.Namespace, - }, - Spec: appsv1.DeploymentSpec{ - Replicas: NewInt32(1), - Selector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "app": "influxdb", - }, - }, - Template: corev1.PodTemplateSpec{ - ObjectMeta: metav1.ObjectMeta{ - Labels: map[string]string{ - "app": "influxdb", - }, - }, - Spec: corev1.PodSpec{ - TerminationGracePeriodSeconds: NewInt64(0), - Volumes: []corev1.Volume{ - { - Name: "influxdb-config", - VolumeSource: corev1.VolumeSource{ - ConfigMap: &corev1.ConfigMapVolumeSource{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "influxdb-config", - }, - }, - }, - }, - }, - Containers: []corev1.Container{ - { - Name: "influxdb", - Image: "docker.io/influxdb:1.5", - Env: []corev1.EnvVar{}, - Command: []string{"influxd", "-config", "/influxdb-config/influxd.conf"}, - VolumeMounts: []corev1.VolumeMount{ - { - Name: "influxdb-config", - ReadOnly: true, - MountPath: "/influxdb-config", - }, - }, - Ports: []corev1.ContainerPort{ - { - Name: "http", - ContainerPort: 8086, - }, - { - Name: "udp", - ContainerPort: 8089, - }, - }, - }, - }, - }, - }, - }, - } - - d := f.EnsureDeployment(deployment) - - err := waitForPodsReady(f.KubeClientSet, DefaultTimeout, 1, f.Namespace, metav1.ListOptions{ - LabelSelector: fields.SelectorFromSet(fields.Set(d.Spec.Template.ObjectMeta.Labels)).String(), - }) - assert.Nil(ginkgo.GinkgoT(), err, "waiting for influxdb pod to become ready") -} From 11419a68373d3b1edf98e1812ed91e6097b3c6b4 Mon Sep 17 00:00:00 2001 From: Ricardo Katz Date: Sun, 16 Apr 2023 21:32:43 -0300 Subject: [PATCH 263/405] Fastcgi configmap should be on the same namespace of ingress (#9863) --- internal/ingress/annotations/fastcgi/main.go | 6 ++-- .../ingress/annotations/fastcgi/main_test.go | 30 +++++++++++++++---- 2 files changed, 28 insertions(+), 8 deletions(-) diff --git a/internal/ingress/annotations/fastcgi/main.go b/internal/ingress/annotations/fastcgi/main.go index b32b85997..84bac4109 100644 --- a/internal/ingress/annotations/fastcgi/main.go +++ b/internal/ingress/annotations/fastcgi/main.go @@ -88,11 +88,11 @@ func (a fastcgi) Parse(ing *networking.Ingress) (interface{}, error) { } } - if cmns == "" { - cmns = ing.Namespace + if cmns != "" && cmns != ing.Namespace { + return fcgiConfig, fmt.Errorf("different namespace is not supported on fast_cgi param configmap") } - cm = fmt.Sprintf("%v/%v", cmns, cmn) + cm = fmt.Sprintf("%v/%v", ing.Namespace, cmn) cmap, err := a.r.GetConfigMap(cm) if err != nil { return fcgiConfig, ing_errors.LocationDenied{ diff --git a/internal/ingress/annotations/fastcgi/main_test.go b/internal/ingress/annotations/fastcgi/main_test.go index 26d85e7ce..35c5bbc12 100644 --- a/internal/ingress/annotations/fastcgi/main_test.go +++ b/internal/ingress/annotations/fastcgi/main_test.go @@ -17,13 +17,14 @@ limitations under the License. package fastcgi import ( + "fmt" "testing" api "k8s.io/api/core/v1" networking "k8s.io/api/networking/v1" meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/client-go/tools/cache" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" - "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" ) @@ -51,14 +52,19 @@ type mockConfigMap struct { } func (m mockConfigMap) GetConfigMap(name string) (*api.ConfigMap, error) { - if name != "default/demo-configmap" { - return nil, errors.Errorf("there is no configmap with name %v", name) + if name != "default/demo-configmap" && name != "otherns/demo-configmap" { + return nil, fmt.Errorf("there is no configmap with name %v", name) + } + + cmns, cmn, err := cache.SplitMetaNamespaceKey(name) + if err != nil { + return nil, fmt.Errorf("invalid configmap name") } return &api.ConfigMap{ ObjectMeta: meta_v1.ObjectMeta{ - Namespace: api.NamespaceDefault, - Name: "demo-secret", + Namespace: cmns, + Name: cmn, }, Data: map[string]string{"REDIRECT_STATUS": "200", "SERVER_NAME": "$server_name"}, }, nil @@ -210,6 +216,20 @@ func TestParseFastCGIParamsConfigMapAnnotationWithNS(t *testing.T) { } } +func TestParseFastCGIParamsConfigMapAnnotationWithDifferentNS(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix("fastcgi-params-configmap")] = "otherns/demo-configmap" + ing.SetAnnotations(data) + + _, err := NewParser(&mockConfigMap{}).Parse(ing) + if err == nil { + t.Errorf("Different namespace configmap should return an error") + } + +} + func TestConfigEquality(t *testing.T) { var nilConfig *Config From 89b8aff3976ba1128c4133b94cb24b3366d4e1b1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Apr 2023 01:48:43 -0700 Subject: [PATCH 264/405] Bump github.com/spf13/cobra from 1.6.1 to 1.7.0 (#9839) Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.6.1 to 1.7.0. - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](https://github.com/spf13/cobra/compare/v1.6.1...v1.7.0) --- updated-dependencies: - dependency-name: github.com/spf13/cobra dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 24c319bc7..210afb10a 100644 --- a/go.mod +++ b/go.mod @@ -20,7 +20,7 @@ require ( github.com/prometheus/client_golang v1.14.0 github.com/prometheus/client_model v0.3.0 github.com/prometheus/common v0.42.0 - github.com/spf13/cobra v1.6.1 + github.com/spf13/cobra v1.7.0 github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.8.2 github.com/yudai/gojsondiff v1.0.0 @@ -76,7 +76,7 @@ require ( github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect github.com/google/uuid v1.3.0 // indirect github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect - github.com/inconshreveable/mousetrap v1.0.1 // indirect + github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect github.com/mailru/easyjson v0.7.6 // indirect diff --git a/go.sum b/go.sum index 8ee1dc453..36403c1d0 100644 --- a/go.sum +++ b/go.sum @@ -206,8 +206,8 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1: github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/imdario/mergo v0.3.15 h1:M8XP7IuFNsqUx6VPK2P9OSmsYsI/YFaGil0uD21V3dM= github.com/imdario/mergo v0.3.15/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= -github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc= -github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= +github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= +github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= @@ -349,8 +349,8 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= -github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA= -github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY= +github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= +github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= From e09e40af1ad33cf748ee92502f61ec2b6f741b96 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Apr 2023 01:56:43 -0700 Subject: [PATCH 265/405] Bump golang.org/x/crypto from 0.7.0 to 0.8.0 (#9838) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.7.0 to 0.8.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](https://github.com/golang/crypto/compare/v0.7.0...v0.8.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 10 +++++----- go.sum | 20 ++++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/go.mod b/go.mod index 210afb10a..4779437d7 100644 --- a/go.mod +++ b/go.mod @@ -25,7 +25,7 @@ require ( github.com/stretchr/testify v1.8.2 github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a - golang.org/x/crypto v0.7.0 + golang.org/x/crypto v0.8.0 google.golang.org/grpc v1.54.0 google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 @@ -101,11 +101,11 @@ require ( github.com/yudai/pp v2.0.1+incompatible // indirect go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect golang.org/x/mod v0.8.0 // indirect - golang.org/x/net v0.8.0 // indirect + golang.org/x/net v0.9.0 // indirect golang.org/x/oauth2 v0.5.0 // indirect - golang.org/x/sys v0.6.0 // indirect - golang.org/x/term v0.6.0 // indirect - golang.org/x/text v0.8.0 // indirect + golang.org/x/sys v0.7.0 // indirect + golang.org/x/term v0.7.0 // indirect + golang.org/x/text v0.9.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.6.0 // indirect google.golang.org/appengine v1.6.7 // indirect diff --git a/go.sum b/go.sum index 36403c1d0..f0aef6bc6 100644 --- a/go.sum +++ b/go.sum @@ -407,8 +407,8 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A= -golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= +golang.org/x/crypto v0.8.0 h1:pd9TJtTueMTVQXzk8E2XESSMQDj/U7OUu0PqJqPXQjQ= +golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -475,8 +475,8 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ= -golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= +golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM= +golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -546,19 +546,19 @@ golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ= -golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU= +golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw= -golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= +golang.org/x/term v0.7.0 h1:BEvjmm5fURWqcfbSKTdpkDXYBrUS1c0m8agp14W48vQ= +golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68= -golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From 91a89bcc0c1f63045de37e5dd8a4f7b6a3a85788 Mon Sep 17 00:00:00 2001 From: Marco Ebert Date: Thu, 20 Apr 2023 10:45:13 +0200 Subject: [PATCH 266/405] README: Update `external-dns` link. (#9866) --- charts/ingress-nginx/README.md | 2 +- charts/ingress-nginx/README.md.gotmpl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 44b553ece..b7c97939d 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -94,7 +94,7 @@ Previous versions of this chart had a `controller.stats.*` configuration block, ### ExternalDNS Service Configuration -Add an [ExternalDNS](https://github.com/kubernetes-incubator/external-dns) annotation to the LoadBalancer service: +Add an [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) annotation to the LoadBalancer service: ```yaml controller: diff --git a/charts/ingress-nginx/README.md.gotmpl b/charts/ingress-nginx/README.md.gotmpl index 238166277..b3d35b6e7 100644 --- a/charts/ingress-nginx/README.md.gotmpl +++ b/charts/ingress-nginx/README.md.gotmpl @@ -91,7 +91,7 @@ Previous versions of this chart had a `controller.stats.*` configuration block, ### ExternalDNS Service Configuration -Add an [ExternalDNS](https://github.com/kubernetes-incubator/external-dns) annotation to the LoadBalancer service: +Add an [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) annotation to the LoadBalancer service: ```yaml controller: From 94a3264f1e09e2857c224ef28f5c7f043c72bac6 Mon Sep 17 00:00:00 2001 From: James Strong Date: Thu, 20 Apr 2023 07:52:59 -0400 Subject: [PATCH 267/405] add puerco and cpanato as approvers Signed-off-by: James Strong --- OWNERS_ALIASES | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES index 49806abdb..33c986f57 100644 --- a/OWNERS_ALIASES +++ b/OWNERS_ALIASES @@ -14,24 +14,27 @@ aliases: - ElvinEfendi - rikatz - strongjz + - cpanato + - puerco - tao12345666333 ingress-nginx-reviewers: - ElvinEfendi - rikatz - strongjz + - puerco + - cpanato - tao12345666333 ingress-nginx-helm-maintainers: - - ChiefAlexander - cpanato + - strongjz ingress-nginx-helm-reviewers: - - ChiefAlexander - cpanato + - strongjz ingress-nginx-docs-maintainers: - - IamNoah1 - longwuyuan - tao12345666333 From ec5b4b4fd06cc590f929ca6b63d5a9013d49765b Mon Sep 17 00:00:00 2001 From: James Strong Date: Fri, 21 Apr 2023 03:33:10 +0200 Subject: [PATCH 268/405] Update k8s versions (#9879) * increase wait on web cert setup Signed-off-by: James Strong * add cmctl to check its working Signed-off-by: James Strong * fix wait cmd and update default k8s version Signed-off-by: James Strong * update the kubectl test commands Signed-off-by: James Strong * README: Update `external-dns` link. (#9866) * add puerco and cpanato as approvers Signed-off-by: James Strong * update k8s versions for testing and remove cache deletion Signed-off-by: James Strong * upgrade default to 1.26 for testing Signed-off-by: James Strong --------- Signed-off-by: James Strong Co-authored-by: Marco Ebert --- .github/workflows/ci.yaml | 28 +++++++--------------------- build/dev-env.sh | 2 +- test/e2e/run-chart-test.sh | 13 ++++++++++--- test/e2e/run-kind-e2e.sh | 2 +- 4 files changed, 19 insertions(+), 26 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 6323c65be..65e8cacff 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -193,7 +193,7 @@ jobs: with: name: docker.tar.gz path: docker.tar.gz - + retention-days: 5 helm: name: Helm chart runs-on: ubuntu-latest @@ -205,7 +205,7 @@ jobs: strategy: matrix: - k8s: [v1.24.7, v1.25.3, v1.26.0] + k8s: [v1.24.12, v1.25.8, v1.26.3] steps: - name: Checkout @@ -255,11 +255,6 @@ jobs: run: | kind create cluster --image=kindest/node:${{ matrix.k8s }} - - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0 - with: - name: docker.tar.gz - failOnError: false - - name: Load images from cache run: | echo "loading docker images..." @@ -285,7 +280,7 @@ jobs: strategy: matrix: - k8s: [v1.24.7, v1.25.3, v1.26.0] + k8s: [v1.24.12, v1.25.8, v1.26.3] steps: - name: Checkout @@ -301,11 +296,6 @@ jobs: run: | kind create cluster --image=kindest/node:${{ matrix.k8s }} --config test/e2e/kind.yaml - - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0 - with: - name: docker.tar.gz - failOnError: false - - name: Load images from cache run: | echo "loading docker images..." @@ -327,6 +317,7 @@ jobs: name: e2e-test-reports-${{ matrix.k8s }} path: 'test/junitreports/report*.xml' + kubernetes-chroot: name: Kubernetes chroot runs-on: ubuntu-latest @@ -338,7 +329,7 @@ jobs: strategy: matrix: - k8s: [v1.24.7, v1.25.3, v1.26.0] + k8s: [v1.24.12, v1.25.8, v1.26.3] steps: @@ -355,11 +346,6 @@ jobs: run: | kind create cluster --image=kindest/node:${{ matrix.k8s }} --config test/e2e/kind.yaml - - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0 - with: - name: docker.tar.gz - failOnError: false - - name: Load images from cache run: | echo "loading docker images..." @@ -375,7 +361,7 @@ jobs: kind get kubeconfig > $HOME/.kube/kind-config-kind make kind-e2e-test - - name: Uplaod e2e junit-reports + - name: Upload e2e junit-reports uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 if: success() || failure() with: @@ -461,7 +447,7 @@ jobs: strategy: matrix: - k8s: [v1.24.7, v1.25.3, v1.26.0] + k8s: [v1.24.12, v1.25.8, v1.26.3] steps: - name: Checkout diff --git a/build/dev-env.sh b/build/dev-env.sh index 09609367a..3d21b7e15 100755 --- a/build/dev-env.sh +++ b/build/dev-env.sh @@ -62,7 +62,7 @@ echo "[dev-env] building image" make build image docker tag "${REGISTRY}/controller:${TAG}" "${DEV_IMAGE}" -export K8S_VERSION=${K8S_VERSION:-v1.25.2@sha256:9be91e9e9cdf116809841fc77ebdb8845443c4c72fe5218f3ae9eb57fdb4bace} +export K8S_VERSION=${K8S_VERSION:-v1.26.3@sha256:61b92f38dff6ccc29969e7aa154d34e38b89443af1a2c14e6cfbd2df6419c66f} KIND_CLUSTER_NAME="ingress-nginx-dev" diff --git a/test/e2e/run-chart-test.sh b/test/e2e/run-chart-test.sh index 813e296cf..6efa63eb2 100755 --- a/test/e2e/run-chart-test.sh +++ b/test/e2e/run-chart-test.sh @@ -62,7 +62,7 @@ export KUBECONFIG="${KUBECONFIG:-$HOME/.kube/kind-config-$KIND_CLUSTER_NAME}" if [ "${SKIP_CLUSTER_CREATION:-false}" = "false" ]; then echo "[dev-env] creating Kubernetes cluster with kind" - export K8S_VERSION=${K8S_VERSION:-v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6} + export K8S_VERSION=${K8S_VERSION:-v1.26.3@sha256:61b92f38dff6ccc29969e7aa154d34e38b89443af1a2c14e6cfbd2df6419c66f} kind create cluster \ --verbosity=${KIND_LOG_LEVEL} \ @@ -91,9 +91,16 @@ echo "[dev-env] copying docker images to cluster..." kind load docker-image --name="${KIND_CLUSTER_NAME}" --nodes=${KIND_WORKERS} ${REGISTRY}/controller:${TAG} if [ "${SKIP_CERT_MANAGER_CREATION:-false}" = "false" ]; then + curl -fsSL -o cmctl.tar.gz https://github.com/cert-manager/cert-manager/releases/download/v1.11.1/cmctl-linux-amd64.tar.gz + tar xzf cmctl.tar.gz + chmod +x cmctl + ./cmctl help echo "[dev-env] apply cert-manager ..." - kubectl apply --wait -f https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml - sleep 10 + kubectl apply --wait -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml + kubectl wait --timeout=30s --for=condition=available deployment/cert-manager -n cert-manager + kubectl get validatingwebhookconfigurations cert-manager-webhook -ojson | jq '.webhooks[].clientConfig' + kubectl get endpoints -n cert-manager cert-manager-webhook + ./cmctl check api --wait=2m fi echo "[dev-env] running helm chart e2e tests..." diff --git a/test/e2e/run-kind-e2e.sh b/test/e2e/run-kind-e2e.sh index d3ea18b6d..fe7550360 100755 --- a/test/e2e/run-kind-e2e.sh +++ b/test/e2e/run-kind-e2e.sh @@ -63,7 +63,7 @@ echo "Running e2e with nginx base image ${NGINX_BASE_IMAGE}" if [ "${SKIP_CLUSTER_CREATION}" = "false" ]; then echo "[dev-env] creating Kubernetes cluster with kind" - export K8S_VERSION=${K8S_VERSION:-v1.25.2@sha256:9be91e9e9cdf116809841fc77ebdb8845443c4c72fe5218f3ae9eb57fdb4bace} + export K8S_VERSION=${K8S_VERSION:-v1.26.3@sha256:61b92f38dff6ccc29969e7aa154d34e38b89443af1a2c14e6cfbd2df6419c66f} # delete the cluster if it exists if kind get clusters | grep "${KIND_CLUSTER_NAME}"; then From 156273bf394a56ce3014a1fbeab1512b8f2456a5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 22 Apr 2023 02:21:12 -0700 Subject: [PATCH 269/405] Bump actions/checkout from 3.5.0 to 3.5.2 (#9870) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.0 to 3.5.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/8f4b7f84864484a7bf31766abe9204da3cbe65b3...8e5e7e5ab8b370d6c329ec480221332ada57f0ab) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yaml | 22 +++++++++++----------- .github/workflows/depreview.yaml | 2 +- .github/workflows/docs.yaml | 4 ++-- .github/workflows/helm.yaml | 4 ++-- .github/workflows/perftest.yaml | 2 +- .github/workflows/plugin.yaml | 2 +- .github/workflows/scorecards.yml | 2 +- .github/workflows/vulnerability-scans.yaml | 4 ++-- 8 files changed, 21 insertions(+), 21 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 65e8cacff..edef01915 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -40,7 +40,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter @@ -66,7 +66,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Run Gosec Security Scanner uses: securego/gosec@a459eb0ba387d9bd083d5c2e2354dbeef2465038 # v2.15.0 @@ -83,7 +83,7 @@ jobs: (needs.changes.outputs.go == 'true') steps: - name: Checkout - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Set up Go id: go @@ -102,7 +102,7 @@ jobs: (needs.changes.outputs.go == 'true') steps: - name: Checkout - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Set up Go id: go @@ -121,7 +121,7 @@ jobs: (needs.changes.outputs.go == 'true') steps: - name: Checkout - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Set up Go id: go @@ -142,7 +142,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Set up Go id: go @@ -209,7 +209,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Setup Go uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 @@ -284,7 +284,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: cache uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 @@ -334,7 +334,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: cache uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 @@ -378,7 +378,7 @@ jobs: PLATFORMS: linux/amd64,linux/arm64 steps: - name: Checkout - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter-images @@ -451,7 +451,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter-images diff --git a/.github/workflows/depreview.yaml b/.github/workflows/depreview.yaml index e18f71a20..de9243f16 100644 --- a/.github/workflows/depreview.yaml +++ b/.github/workflows/depreview.yaml @@ -9,6 +9,6 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: 'Dependency Review' uses: actions/dependency-review-action@f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e # v3.0.4 diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 5a0f6bb7b..1a2ceaa83 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -23,7 +23,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter @@ -47,7 +47,7 @@ jobs: steps: - name: Checkout master - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Deploy uses: ./.github/actions/mkdocs diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml index e3fa2d779..2a82fa124 100644 --- a/.github/workflows/helm.yaml +++ b/.github/workflows/helm.yaml @@ -23,7 +23,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Run Artifact Hub lint run: | @@ -61,7 +61,7 @@ jobs: steps: - name: Checkout master - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: # Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896 fetch-depth: 0 diff --git a/.github/workflows/perftest.yaml b/.github/workflows/perftest.yaml index 4b7e000a5..9e87bf1b2 100644 --- a/.github/workflows/perftest.yaml +++ b/.github/workflows/perftest.yaml @@ -19,7 +19,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Install K6 run: | diff --git a/.github/workflows/plugin.yaml b/.github/workflows/plugin.yaml index c56535223..f77c59937 100644 --- a/.github/workflows/plugin.yaml +++ b/.github/workflows/plugin.yaml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: fetch-depth: 0 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index b0ce14f51..72acf608a 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -27,7 +27,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: persist-credentials: false diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index aae43d03c..acd5a13f8 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -22,7 +22,7 @@ jobs: versions: ${{ steps.version.outputs.TAGS }} steps: - name: Checkout code - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: fetch-depth: 0 @@ -52,7 +52,7 @@ jobs: versions: ${{ fromJSON(needs.version.outputs.versions) }} steps: - name: Checkout code - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - shell: bash id: test From 4053896179643e235534b145d68bbad6fc4b5b1c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 24 Apr 2023 04:11:02 -0700 Subject: [PATCH 270/405] Bump github.com/opencontainers/runc from 1.1.5 to 1.1.6 (#9867) Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.1.5 to 1.1.6. - [Release notes](https://github.com/opencontainers/runc/releases) - [Changelog](https://github.com/opencontainers/runc/blob/v1.1.6/CHANGELOG.md) - [Commits](https://github.com/opencontainers/runc/compare/v1.1.5...v1.1.6) --- updated-dependencies: - dependency-name: github.com/opencontainers/runc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 25 ++----------------------- 2 files changed, 3 insertions(+), 24 deletions(-) diff --git a/go.mod b/go.mod index 4779437d7..1cc9a00dd 100644 --- a/go.mod +++ b/go.mod @@ -15,7 +15,7 @@ require ( github.com/moul/pb v0.0.0-20220425114252-bca18df4138c github.com/ncabatoff/process-exporter v0.7.10 github.com/onsi/ginkgo/v2 v2.9.0 - github.com/opencontainers/runc v1.1.5 + github.com/opencontainers/runc v1.1.6 github.com/pmezard/go-difflib v1.0.0 github.com/prometheus/client_golang v1.14.0 github.com/prometheus/client_model v0.3.0 diff --git a/go.sum b/go.sum index f0aef6bc6..b3c9af550 100644 --- a/go.sum +++ b/go.sum @@ -52,17 +52,13 @@ github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U= github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzAJc1DzSI= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= -github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI= @@ -70,7 +66,6 @@ github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxG github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= github.com/eapache/channels v1.1.0 h1:F1taHcn7/F0i8DYqKXJnyhJcVpp2kgFcNePxXtnyu4k= github.com/eapache/channels v1.1.0/go.mod h1:jMm2qB5Ubtg9zLd+inMZd2/NUvXgzmWXsDaLyQIGfH0= @@ -86,7 +81,6 @@ github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= -github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= @@ -271,7 +265,6 @@ github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/ github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4= github.com/moul/pb v0.0.0-20220425114252-bca18df4138c h1:1STmblv9zmHLDpru4dbnf1PNL6wrrZNf7yBH+SfQU+s= github.com/moul/pb v0.0.0-20220425114252-bca18df4138c/go.mod h1:jE2HT8eoucYyUPBFJMreiVlC3KPHkDMtN8wn+ef7Y64= -github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= @@ -294,11 +287,10 @@ github.com/onsi/ginkgo/v2 v2.9.0/go.mod h1:4xkjoL/tZv4SMWeww56BU5kAt19mVB47gTWxm github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.27.1 h1:rfztXRbg6nv/5f+Raen9RcGoSecHIFgBBLQK3Wdj754= -github.com/opencontainers/runc v1.1.5 h1:L44KXEpKmfWDcS02aeGm8QNTFXTo2D+8MYGDIJ/GDEs= -github.com/opencontainers/runc v1.1.5/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg= +github.com/opencontainers/runc v1.1.6 h1:XbhB8IfG/EsnhNvZtNdLB0GBw92GYEFvKlhaJk9jUgA= +github.com/opencontainers/runc v1.1.6/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= @@ -338,12 +330,9 @@ github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8= github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE= -github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= -github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= @@ -370,11 +359,7 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8= github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= github.com/urfave/cli v1.17.1-0.20160602030128-01a33823596e/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= -github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= -github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= -github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU= github.com/xlab/treeprint v1.1.0 h1:G/1DjNkPpfZCFt9CSh6b5/nY4VimlbHF3Rh4obvtzDk= github.com/xlab/treeprint v1.1.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= github.com/yudai/gojsondiff v1.0.0 h1:27cbfqXLVEJ1o8I6v3y9lg8Ydm53EKqHXAOMxEGlCOA= @@ -472,7 +457,6 @@ golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81R golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM= @@ -506,7 +490,6 @@ golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -514,7 +497,6 @@ golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20191002063906-3421d5a6bb1c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -541,9 +523,7 @@ golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU= @@ -699,7 +679,6 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w= google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= From 23a2b2473e2de0261c6d5faad82cc03d49cffb45 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 24 Apr 2023 05:53:02 -0700 Subject: [PATCH 271/405] Bump aquasecurity/trivy-action from 0.9.2 to 0.10.0 (#9888) Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.9.2 to 0.10.0. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](https://github.com/aquasecurity/trivy-action/compare/1f0aa582c8c8f5f7639610d6d38baddfea4fdcee...e5f43133f6e8736992c9f3c1b3296e24b37e17f2) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/vulnerability-scans.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index acd5a13f8..069c9f974 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -60,7 +60,7 @@ jobs: - name: Scan image with AquaSec/Trivy id: scan - uses: aquasecurity/trivy-action@1f0aa582c8c8f5f7639610d6d38baddfea4fdcee # v0.9.2 + uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2 # v0.10.0 with: image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }} format: 'sarif' From 9d9ff90eddcb8d514ecceb78b432e75f02a9b917 Mon Sep 17 00:00:00 2001 From: Elvin Efendi Date: Mon, 24 Apr 2023 08:55:02 -0400 Subject: [PATCH 272/405] I have not been able to fulfill my maintainer responsibilities for a while already, making it official now. (#9883) * I have not been able to fulfill my maintainer responsibilities for a while already, making it official now. * Make ElvinEfendi emeritus approver --- OWNERS | 1 + OWNERS_ALIASES | 2 -- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/OWNERS b/OWNERS index 71f3328f1..da1da1b2e 100644 --- a/OWNERS +++ b/OWNERS @@ -9,3 +9,4 @@ reviewers: emeritus_approvers: - aledbf # 2020-04-02 - bowei # 2022-10-12 +- ElvinEfendi # 2023-04-23 diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES index 33c986f57..cd9001dd2 100644 --- a/OWNERS_ALIASES +++ b/OWNERS_ALIASES @@ -11,7 +11,6 @@ aliases: - strongjz ingress-nginx-maintainers: - - ElvinEfendi - rikatz - strongjz - cpanato @@ -19,7 +18,6 @@ aliases: - tao12345666333 ingress-nginx-reviewers: - - ElvinEfendi - rikatz - strongjz - puerco From d7ba103515fe6449d6c88a5d726827a8387faa41 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 24 Apr 2023 07:03:04 -0700 Subject: [PATCH 273/405] Bump github.com/prometheus/client_golang from 1.14.0 to 1.15.0 (#9868) Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.14.0 to 1.15.0. - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](https://github.com/prometheus/client_golang/compare/v1.14.0...v1.15.0) --- updated-dependencies: - dependency-name: github.com/prometheus/client_golang dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 6 +++--- go.sum | 13 +++++++------ 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index 1cc9a00dd..75b0e8e1f 100644 --- a/go.mod +++ b/go.mod @@ -17,7 +17,7 @@ require ( github.com/onsi/ginkgo/v2 v2.9.0 github.com/opencontainers/runc v1.1.6 github.com/pmezard/go-difflib v1.0.0 - github.com/prometheus/client_golang v1.14.0 + github.com/prometheus/client_golang v1.15.0 github.com/prometheus/client_model v0.3.0 github.com/prometheus/common v0.42.0 github.com/spf13/cobra v1.7.0 @@ -66,7 +66,7 @@ require ( github.com/godbus/dbus/v5 v5.0.6 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/golang/protobuf v1.5.2 // indirect + github.com/golang/protobuf v1.5.3 // indirect github.com/gomarkdown/markdown v0.0.0-20210514010506-3b9f47219fe7 // indirect github.com/google/btree v1.0.1 // indirect github.com/google/gnostic v0.5.7-v3refs // indirect @@ -110,7 +110,7 @@ require ( golang.org/x/tools v0.6.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f // indirect - google.golang.org/protobuf v1.28.1 // indirect + google.golang.org/protobuf v1.30.0 // indirect gopkg.in/go-playground/assert.v1 v1.2.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect diff --git a/go.sum b/go.sum index b3c9af550..49a716752 100644 --- a/go.sum +++ b/go.sum @@ -148,8 +148,9 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= +github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/gomarkdown/markdown v0.0.0-20210514010506-3b9f47219fe7 h1:oKYOfNR7Hp6XpZ4JqolL5u642Js5Z0n7psPVl+S5heo= github.com/gomarkdown/markdown v0.0.0-20210514010506-3b9f47219fe7/go.mod h1:aii0r/K0ZnHv7G0KF7xy1v0A7s2Ljrb5byB7MO5p6TU= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= @@ -223,8 +224,8 @@ github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFB github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= -github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0= github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= @@ -304,8 +305,8 @@ github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= -github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw= -github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y= +github.com/prometheus/client_golang v1.15.0 h1:5fCgGYogn0hFdhyhLbw7hEsWxufKtY9klyvdNfFlFhM= +github.com/prometheus/client_golang v1.15.0/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= @@ -679,8 +680,8 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w= -google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= +google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= From 01d2646538242a6409be3b8cf1b29d7b92c090f0 Mon Sep 17 00:00:00 2001 From: plynch-magnolia Date: Mon, 24 Apr 2023 11:33:02 -0400 Subject: [PATCH 274/405] Adding resource type to default HPA configuration to resolve issues with Terraform helm chart usage (#9803) --- charts/ingress-nginx/templates/default-backend-hpa.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/charts/ingress-nginx/templates/default-backend-hpa.yaml b/charts/ingress-nginx/templates/default-backend-hpa.yaml index f9ae0b276..924125f07 100644 --- a/charts/ingress-nginx/templates/default-backend-hpa.yaml +++ b/charts/ingress-nginx/templates/default-backend-hpa.yaml @@ -22,12 +22,16 @@ spec: - type: Resource resource: name: cpu - targetAverageUtilization: {{ . }} + target: + type: Utilization + averageUtilization: {{ . }} {{- end }} {{- with .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }} - type: Resource resource: name: memory - targetAverageUtilization: {{ . }} + target: + type: Utilization + averageUtilization: {{ . }} {{- end }} {{- end }} From fa44f2f7cd4ee49864fceddfbe517d9918d85c1d Mon Sep 17 00:00:00 2001 From: Carlos Tadeu Panato Junior Date: Tue, 25 Apr 2023 15:12:17 +0200 Subject: [PATCH 275/405] update k8s.io dependecies to v0.26.4 (#9893) Signed-off-by: cpanato --- go.mod | 16 ++++++++-------- go.sum | 32 ++++++++++++++++---------------- 2 files changed, 24 insertions(+), 24 deletions(-) diff --git a/go.mod b/go.mod index 75b0e8e1f..54929c1a7 100644 --- a/go.mod +++ b/go.mod @@ -30,14 +30,14 @@ require ( google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 - k8s.io/api v0.26.3 - k8s.io/apiextensions-apiserver v0.26.1 - k8s.io/apimachinery v0.26.3 - k8s.io/apiserver v0.26.1 - k8s.io/cli-runtime v0.26.0 - k8s.io/client-go v0.26.3 - k8s.io/code-generator v0.26.1 - k8s.io/component-base v0.26.3 + k8s.io/api v0.26.4 + k8s.io/apiextensions-apiserver v0.26.4 + k8s.io/apimachinery v0.26.4 + k8s.io/apiserver v0.26.4 + k8s.io/cli-runtime v0.26.4 + k8s.io/client-go v0.26.4 + k8s.io/code-generator v0.26.4 + k8s.io/component-base v0.26.4 k8s.io/klog/v2 v2.90.1 pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 sigs.k8s.io/controller-runtime v0.14.6 diff --git a/go.sum b/go.sum index 49a716752..4d2b69333 100644 --- a/go.sum +++ b/go.sum @@ -720,22 +720,22 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.26.3 h1:emf74GIQMTik01Aum9dPP0gAypL8JTLl/lHa4V9RFSU= -k8s.io/api v0.26.3/go.mod h1:PXsqwPMXBSBcL1lJ9CYDKy7kIReUydukS5JiRlxC3qE= -k8s.io/apiextensions-apiserver v0.26.1 h1:cB8h1SRk6e/+i3NOrQgSFij1B2S0Y0wDoNl66bn8RMI= -k8s.io/apiextensions-apiserver v0.26.1/go.mod h1:AptjOSXDGuE0JICx/Em15PaoO7buLwTs0dGleIHixSM= -k8s.io/apimachinery v0.26.3 h1:dQx6PNETJ7nODU3XPtrwkfuubs6w7sX0M8n61zHIV/k= -k8s.io/apimachinery v0.26.3/go.mod h1:ats7nN1LExKHvJ9TmwootT00Yz05MuYqPXEXaVeOy5I= -k8s.io/apiserver v0.26.1 h1:6vmnAqCDO194SVCPU3MU8NcDgSqsUA62tBUSWrFXhsc= -k8s.io/apiserver v0.26.1/go.mod h1:wr75z634Cv+sifswE9HlAo5FQ7UoUauIICRlOE+5dCg= -k8s.io/cli-runtime v0.26.0 h1:aQHa1SyUhpqxAw1fY21x2z2OS5RLtMJOCj7tN4oq8mw= -k8s.io/cli-runtime v0.26.0/go.mod h1:o+4KmwHzO/UK0wepE1qpRk6l3o60/txUZ1fEXWGIKTY= -k8s.io/client-go v0.26.3 h1:k1UY+KXfkxV2ScEL3gilKcF7761xkYsSD6BC9szIu8s= -k8s.io/client-go v0.26.3/go.mod h1:ZPNu9lm8/dbRIPAgteN30RSXea6vrCpFvq+MateTUuQ= -k8s.io/code-generator v0.26.1 h1:dusFDsnNSKlMFYhzIM0jAO1OlnTN5WYwQQ+Ai12IIlo= -k8s.io/code-generator v0.26.1/go.mod h1:OMoJ5Dqx1wgaQzKgc+ZWaZPfGjdRq/Y3WubFrZmeI3I= -k8s.io/component-base v0.26.3 h1:oC0WMK/ggcbGDTkdcqefI4wIZRYdK3JySx9/HADpV0g= -k8s.io/component-base v0.26.3/go.mod h1:5kj1kZYwSC6ZstHJN7oHBqcJC6yyn41eR+Sqa/mQc8E= +k8s.io/api v0.26.4 h1:qSG2PmtcD23BkYiWfoYAcak870eF/hE7NNYBYavTT94= +k8s.io/api v0.26.4/go.mod h1:WwKEXU3R1rgCZ77AYa7DFksd9/BAIKyOmRlbVxgvjCk= +k8s.io/apiextensions-apiserver v0.26.4 h1:9D2RTxYGxrG5uYg6D7QZRcykXvavBvcA59j5kTaedQI= +k8s.io/apiextensions-apiserver v0.26.4/go.mod h1:cd4uGFGIgzEqUghWpRsr9KE8j2KNTjY8Ji8pnMMazyw= +k8s.io/apimachinery v0.26.4 h1:rZccKdBLg9vP6J09JD+z8Yr99Ce8gk3Lbi9TCx05Jzs= +k8s.io/apimachinery v0.26.4/go.mod h1:ats7nN1LExKHvJ9TmwootT00Yz05MuYqPXEXaVeOy5I= +k8s.io/apiserver v0.26.4 h1:3Oq4mnJv0mzVX7BR/Nod+8KjlELf/3Ljvu9ZWDyLUoA= +k8s.io/apiserver v0.26.4/go.mod h1:yAY3O1vBM4/0OIGAGeWcdfzQvgdwJ188VirLcuSAVnw= +k8s.io/cli-runtime v0.26.4 h1:MgSU871KDzBDX7V9GtuqS6Ai9lhQCHgRzkurnXOWtZ0= +k8s.io/cli-runtime v0.26.4/go.mod h1:MjJ2DXMChw2zcG0/agzm17xwKpfVxOfuoCdfY9iOCOE= +k8s.io/client-go v0.26.4 h1:/7P/IbGBuT73A+G97trf44NTPSNqvuBREpOfdLbHvD4= +k8s.io/client-go v0.26.4/go.mod h1:6qOItWm3EwxJdl/8p5t7FWtWUOwyMdA8N9ekbW4idpI= +k8s.io/code-generator v0.26.4 h1:zgDD0qX13p/jtrAoYRRiYeQ5ibnriwmo2cMkMZAtJxc= +k8s.io/code-generator v0.26.4/go.mod h1:ryaiIKwfxEJEaywEzx3dhWOydpVctKYbqLajJf0O8dI= +k8s.io/component-base v0.26.4 h1:Bg2xzyXNKL3eAuiTEu3XE198d6z22ENgFgGQv2GGOUk= +k8s.io/component-base v0.26.4/go.mod h1:lTuWL1Xz/a4e80gmIC3YZG2JCO4xNwtKWHJWeJmsq20= k8s.io/gengo v0.0.0-20220902162205-c0856e24416d h1:U9tB195lKdzwqicbJvyJeOXV7Klv+wNAWENRnXEGi08= k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= From 82d8cded6123da44860a4b143c07bb9a30ae3cc3 Mon Sep 17 00:00:00 2001 From: tzssangglass Date: Mon, 1 May 2023 19:22:18 +0800 Subject: [PATCH 276/405] ensure make lua-test runs locally (#9902) --- Makefile | 1 - test/test-lua.sh | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 6037ac39d..fc40a39bb 100644 --- a/Makefile +++ b/Makefile @@ -147,7 +147,6 @@ test: ## Run go unit tests. .PHONY: lua-test lua-test: ## Run lua unit tests. @build/run-in-docker.sh \ - BUSTED_ARGS=$(BUSTED_ARGS) \ MAC_OS=$(MAC_OS) \ test/test-lua.sh diff --git a/test/test-lua.sh b/test/test-lua.sh index 9c8149eac..fc60023f8 100755 --- a/test/test-lua.sh +++ b/test/test-lua.sh @@ -41,7 +41,7 @@ SHDICT_ARGS=( ) if [ $# -eq 0 ]; then - resty "${SHDICT_ARGS[@]}" ./rootfs/etc/nginx/lua/test/ ./rootfs/etc/nginx/lua/plugins/**/test + resty "${SHDICT_ARGS[@]}" ./rootfs/etc/nginx/lua/test/ ./rootfs/etc/nginx/lua/plugins/**/test ${BUSTED_ARGS} else - resty "${SHDICT_ARGS[@]}" $@ + resty "${SHDICT_ARGS[@]}" $@ ${BUSTED_ARGS} fi From 97a1a6d616b1bea4edd1404cbbdcf4b759be26f7 Mon Sep 17 00:00:00 2001 From: Ron Nabuurs Date: Mon, 1 May 2023 13:24:17 +0200 Subject: [PATCH 277/405] Fix typo in OpenTelemetry (#9903) I've noticed a small typo, which I've fixed. --- docs/user-guide/third-party-addons/opentelemetry.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/third-party-addons/opentelemetry.md b/docs/user-guide/third-party-addons/opentelemetry.md index d966dff1f..7aeea541c 100644 --- a/docs/user-guide/third-party-addons/opentelemetry.md +++ b/docs/user-guide/third-party-addons/opentelemetry.md @@ -27,7 +27,7 @@ We must also set the host to use when uploading traces: ```yaml otlp-collector-host: "otel-coll-collector.otel.svc" ``` -NOTE: While the option is called `otlp-collector-host`, you will need to point this to any backend that recieves otlp-grpc. +NOTE: While the option is called `otlp-collector-host`, you will need to point this to any backend that receives otlp-grpc. Next you will need to deploy a distributed telemetry system which uses OpenTelemetry. [opentelemetry-collector](https://github.com/open-telemetry/opentelemetry-collector), [Jaeger](https://www.jaegertracing.io/) From ae989d7722bcdc626986a4f8afd69d97eacb471d Mon Sep 17 00:00:00 2001 From: Jacob Henner Date: Mon, 1 May 2023 07:32:18 -0400 Subject: [PATCH 278/405] Add support for --container flag (#9703) Add support for --container flag, which sets an explicit container name for exec operations. Defaults to `controller`. Signed-off-by: Jacob Henner --- cmd/plugin/commands/backends/backends.go | 9 +++++---- cmd/plugin/commands/certs/certs.go | 9 +++++---- cmd/plugin/commands/conf/conf.go | 9 +++++---- cmd/plugin/commands/exec/exec.go | 10 ++++++---- cmd/plugin/commands/general/general.go | 9 +++++---- cmd/plugin/commands/logs/logs.go | 9 +++++---- cmd/plugin/commands/ssh/ssh.go | 9 +++++---- cmd/plugin/kubectl/kubectl.go | 4 ++-- cmd/plugin/util/util.go | 8 ++++++++ docs/kubectl-plugin.md | 2 +- 10 files changed, 47 insertions(+), 31 deletions(-) diff --git a/cmd/plugin/commands/backends/backends.go b/cmd/plugin/commands/backends/backends.go index 341c62a9c..afc98e4d6 100644 --- a/cmd/plugin/commands/backends/backends.go +++ b/cmd/plugin/commands/backends/backends.go @@ -30,7 +30,7 @@ import ( // CreateCommand creates and returns this cobra subcommand func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { - var pod, deployment, selector *string + var pod, deployment, selector, container *string cmd := &cobra.Command{ Use: "backends", Short: "Inspect the dynamic backend information of an ingress-nginx instance", @@ -47,7 +47,7 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { return fmt.Errorf("--list and --backend cannot both be specified") } - util.PrintError(backends(flags, *pod, *deployment, *selector, backend, onlyList)) + util.PrintError(backends(flags, *pod, *deployment, *selector, *container, backend, onlyList)) return nil }, } @@ -55,6 +55,7 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { pod = util.AddPodFlag(cmd) deployment = util.AddDeploymentFlag(cmd) selector = util.AddSelectorFlag(cmd) + container = util.AddContainerFlag(cmd) cmd.Flags().String("backend", "", "Output only the information for the given backend") cmd.Flags().Bool("list", false, "Output a newline-separated list of backend names") @@ -62,7 +63,7 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { return cmd } -func backends(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, backend string, onlyList bool) error { +func backends(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, container string, backend string, onlyList bool) error { var command []string if onlyList { command = []string{"/dbg", "backends", "list"} @@ -77,7 +78,7 @@ func backends(flags *genericclioptions.ConfigFlags, podName string, deployment s return err } - out, err := kubectl.PodExecString(flags, &pod, command) + out, err := kubectl.PodExecString(flags, &pod, container, command) if err != nil { return err } diff --git a/cmd/plugin/commands/certs/certs.go b/cmd/plugin/commands/certs/certs.go index 07fd08ad3..88b721ee3 100644 --- a/cmd/plugin/commands/certs/certs.go +++ b/cmd/plugin/commands/certs/certs.go @@ -30,7 +30,7 @@ import ( // CreateCommand creates and returns this cobra subcommand func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { - var pod, deployment, selector *string + var pod, deployment, selector, container *string cmd := &cobra.Command{ Use: "certs", Short: "Output the certificate data stored in an ingress-nginx pod", @@ -40,7 +40,7 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { return err } - util.PrintError(certs(flags, *pod, *deployment, *selector, host)) + util.PrintError(certs(flags, *pod, *deployment, *selector, *container, host)) return nil }, } @@ -50,11 +50,12 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { pod = util.AddPodFlag(cmd) deployment = util.AddDeploymentFlag(cmd) selector = util.AddSelectorFlag(cmd) + container = util.AddContainerFlag(cmd) return cmd } -func certs(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, host string) error { +func certs(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, container string, host string) error { command := []string{"/dbg", "certs", "get", host} pod, err := request.ChoosePod(flags, podName, deployment, selector) @@ -62,7 +63,7 @@ func certs(flags *genericclioptions.ConfigFlags, podName string, deployment stri return err } - out, err := kubectl.PodExecString(flags, &pod, command) + out, err := kubectl.PodExecString(flags, &pod, container, command) if err != nil { return err } diff --git a/cmd/plugin/commands/conf/conf.go b/cmd/plugin/commands/conf/conf.go index 5caa2a649..a7f03a062 100644 --- a/cmd/plugin/commands/conf/conf.go +++ b/cmd/plugin/commands/conf/conf.go @@ -32,7 +32,7 @@ import ( // CreateCommand creates and returns this cobra subcommand func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { - var pod, deployment, selector *string + var pod, deployment, selector, container *string cmd := &cobra.Command{ Use: "conf", Short: "Inspect the generated nginx.conf", @@ -42,7 +42,7 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { return err } - util.PrintError(conf(flags, host, *pod, *deployment, *selector)) + util.PrintError(conf(flags, host, *pod, *deployment, *selector, *container)) return nil }, } @@ -50,17 +50,18 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { pod = util.AddPodFlag(cmd) deployment = util.AddDeploymentFlag(cmd) selector = util.AddSelectorFlag(cmd) + container = util.AddContainerFlag(cmd) return cmd } -func conf(flags *genericclioptions.ConfigFlags, host string, podName string, deployment string, selector string) error { +func conf(flags *genericclioptions.ConfigFlags, host string, podName string, deployment string, selector string, container string) error { pod, err := request.ChoosePod(flags, podName, deployment, selector) if err != nil { return err } - nginxConf, err := kubectl.PodExecString(flags, &pod, []string{"/dbg", "conf"}) + nginxConf, err := kubectl.PodExecString(flags, &pod, container, []string{"/dbg", "conf"}) if err != nil { return err } diff --git a/cmd/plugin/commands/exec/exec.go b/cmd/plugin/commands/exec/exec.go index 5f1a31913..f06aaeb23 100644 --- a/cmd/plugin/commands/exec/exec.go +++ b/cmd/plugin/commands/exec/exec.go @@ -29,19 +29,21 @@ import ( // CreateCommand creates and returns this cobra subcommand func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { opts := execFlags{} - var pod, deployment, selector *string + var pod, deployment, selector, container *string cmd := &cobra.Command{ Use: "exec", Short: "Execute a command inside an ingress-nginx pod", RunE: func(cmd *cobra.Command, args []string) error { - util.PrintError(exec(flags, *pod, *deployment, *selector, args, opts)) + util.PrintError(exec(flags, *pod, *deployment, *selector, *container, args, opts)) return nil }, } pod = util.AddPodFlag(cmd) deployment = util.AddDeploymentFlag(cmd) selector = util.AddSelectorFlag(cmd) + container = util.AddContainerFlag(cmd) + cmd.Flags().BoolVarP(&opts.TTY, "tty", "t", false, "Stdin is a TTY") cmd.Flags().BoolVarP(&opts.Stdin, "stdin", "i", false, "Pass stdin to the container") @@ -53,7 +55,7 @@ type execFlags struct { Stdin bool } -func exec(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, cmd []string, opts execFlags) error { +func exec(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, container string, cmd []string, opts execFlags) error { pod, err := request.ChoosePod(flags, podName, deployment, selector) if err != nil { return err @@ -67,7 +69,7 @@ func exec(flags *genericclioptions.ConfigFlags, podName string, deployment strin args = append(args, "-i") } - args = append(args, []string{"-n", pod.Namespace, pod.Name, "--"}...) + args = append(args, []string{"-n", pod.Namespace, "-c", container, pod.Name, "--"}...) args = append(args, cmd...) return kubectl.Exec(flags, args) } diff --git a/cmd/plugin/commands/general/general.go b/cmd/plugin/commands/general/general.go index 44e02ca88..fa6c1301f 100644 --- a/cmd/plugin/commands/general/general.go +++ b/cmd/plugin/commands/general/general.go @@ -30,29 +30,30 @@ import ( // CreateCommand creates and returns this cobra subcommand func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { - var pod, deployment, selector *string + var pod, deployment, selector, container *string cmd := &cobra.Command{ Use: "general", Short: "Inspect the other dynamic ingress-nginx information", RunE: func(cmd *cobra.Command, args []string) error { - util.PrintError(general(flags, *pod, *deployment, *selector)) + util.PrintError(general(flags, *pod, *deployment, *selector, *container)) return nil }, } pod = util.AddPodFlag(cmd) deployment = util.AddDeploymentFlag(cmd) selector = util.AddSelectorFlag(cmd) + container = util.AddContainerFlag(cmd) return cmd } -func general(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string) error { +func general(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, container string) error { pod, err := request.ChoosePod(flags, podName, deployment, selector) if err != nil { return err } - out, err := kubectl.PodExecString(flags, &pod, []string{"/dbg", "general"}) + out, err := kubectl.PodExecString(flags, &pod, container, []string{"/dbg", "general"}) if err != nil { return err } diff --git a/cmd/plugin/commands/logs/logs.go b/cmd/plugin/commands/logs/logs.go index 55cd008dc..56f4fc640 100644 --- a/cmd/plugin/commands/logs/logs.go +++ b/cmd/plugin/commands/logs/logs.go @@ -31,19 +31,20 @@ import ( // CreateCommand creates and returns this cobra subcommand func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { o := logsFlags{} - var pod, deployment, selector *string + var pod, deployment, selector, container *string cmd := &cobra.Command{ Use: "logs", Short: "Get the kubernetes logs for an ingress-nginx pod", RunE: func(cmd *cobra.Command, args []string) error { - util.PrintError(logs(flags, *pod, *deployment, *selector, o)) + util.PrintError(logs(flags, *pod, *deployment, *selector, *container, o)) return nil }, } pod = util.AddPodFlag(cmd) deployment = util.AddDeploymentFlag(cmd) selector = util.AddSelectorFlag(cmd) + container = util.AddContainerFlag(cmd) cmd.Flags().BoolVarP(&o.Follow, "follow", "f", o.Follow, "Specify if the logs should be streamed.") cmd.Flags().BoolVar(&o.Timestamps, "timestamps", o.Timestamps, "Include timestamps on each line in the log output") @@ -94,13 +95,13 @@ func (o *logsFlags) toStrings() []string { return r } -func logs(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, opts logsFlags) error { +func logs(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, container string, opts logsFlags) error { pod, err := request.ChoosePod(flags, podName, deployment, selector) if err != nil { return err } - cmd := []string{"logs", "-n", pod.Namespace, pod.Name} + cmd := []string{"logs", "-n", pod.Namespace, "-c", container, pod.Name} cmd = append(cmd, opts.toStrings()...) return kubectl.Exec(flags, cmd) } diff --git a/cmd/plugin/commands/ssh/ssh.go b/cmd/plugin/commands/ssh/ssh.go index 5e8b49fac..fe1b3e9fe 100644 --- a/cmd/plugin/commands/ssh/ssh.go +++ b/cmd/plugin/commands/ssh/ssh.go @@ -28,27 +28,28 @@ import ( // CreateCommand creates and returns this cobra subcommand func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { - var pod, deployment, selector *string + var pod, deployment, selector, container *string cmd := &cobra.Command{ Use: "ssh", Short: "ssh into a running ingress-nginx pod", RunE: func(cmd *cobra.Command, args []string) error { - util.PrintError(ssh(flags, *pod, *deployment, *selector)) + util.PrintError(ssh(flags, *pod, *deployment, *selector, *container)) return nil }, } pod = util.AddPodFlag(cmd) deployment = util.AddDeploymentFlag(cmd) selector = util.AddSelectorFlag(cmd) + container = util.AddContainerFlag(cmd) return cmd } -func ssh(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string) error { +func ssh(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, container string) error { pod, err := request.ChoosePod(flags, podName, deployment, selector) if err != nil { return err } - return kubectl.Exec(flags, []string{"exec", "-it", "-n", pod.Namespace, pod.Name, "--", "/bin/bash"}) + return kubectl.Exec(flags, []string{"exec", "-it", "-n", pod.Namespace, "-c", container, pod.Name, "--", "/bin/bash"}) } diff --git a/cmd/plugin/kubectl/kubectl.go b/cmd/plugin/kubectl/kubectl.go index c11ba5b77..3f31a2104 100644 --- a/cmd/plugin/kubectl/kubectl.go +++ b/cmd/plugin/kubectl/kubectl.go @@ -31,8 +31,8 @@ import ( // PodExecString takes a pod and a command, uses kubectl exec to run the command in the pod // and returns stdout as a string -func PodExecString(flags *genericclioptions.ConfigFlags, pod *apiv1.Pod, args []string) (string, error) { - args = append([]string{"exec", "-n", pod.Namespace, pod.Name}, args...) +func PodExecString(flags *genericclioptions.ConfigFlags, pod *apiv1.Pod, container string, args []string) (string, error) { + args = append([]string{"exec", "-n", pod.Namespace, "-c", container, pod.Name}, args...) return ExecToString(flags, args) } diff --git a/cmd/plugin/util/util.go b/cmd/plugin/util/util.go index cc9882009..e1910140d 100644 --- a/cmd/plugin/util/util.go +++ b/cmd/plugin/util/util.go @@ -31,6 +31,7 @@ import ( const ( DefaultIngressDeploymentName = "ingress-nginx-controller" DefaultIngressServiceName = "ingress-nginx-controller" + DefaultIngressContainerName = "controller" ) // IssuePrefix is the github url that we can append an issue number to to link to it @@ -127,6 +128,13 @@ func AddSelectorFlag(cmd *cobra.Command) *string { return &v } +// AddContainerFlag adds a --container flag to a cobra command +func AddContainerFlag(cmd *cobra.Command) *string { + v := "" + cmd.Flags().StringVar(&v, "container", DefaultIngressContainerName, "The name of the ingress-nginx controller container") + return &v +} + // GetNamespace takes a set of kubectl flag values and returns the namespace we should be operating in func GetNamespace(flags *genericclioptions.ConfigFlags) string { namespace, _, err := flags.ToRawKubeConfigLoader().Namespace() diff --git a/docs/kubectl-plugin.md b/docs/kubectl-plugin.md index 2b6381f6f..9e5a5dcc6 100644 --- a/docs/kubectl-plugin.md +++ b/docs/kubectl-plugin.md @@ -68,7 +68,7 @@ Use "ingress-nginx [command] --help" for more information about a command. ## Common Flags - Every subcommand supports the basic `kubectl` configuration flags like `--namespace`, `--context`, `--client-key` and so on. -- Subcommands that act on a particular `ingress-nginx` pod (`backends`, `certs`, `conf`, `exec`, `general`, `logs`, `ssh`), support the `--deployment ` and `--pod ` flags to select either a pod from a deployment with the given name, or a pod with the given name. The `--deployment` flag defaults to `ingress-nginx-controller`. +- Subcommands that act on a particular `ingress-nginx` pod (`backends`, `certs`, `conf`, `exec`, `general`, `logs`, `ssh`), support the `--deployment `, `--pod `, and `--container ` flags to select either a pod from a deployment with the given name, or a pod with the given name (and the given container name). The `--deployment` flag defaults to `ingress-nginx-controller`, and the `--container` flag defaults to `controller`. - Subcommands that inspect resources (`ingresses`, `lint`) support the `--all-namespaces` flag, which causes them to inspect resources in every namespace. ## Subcommands From d8f54420a47582fd128ec3a85d1f67a2eb983b01 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?= Date: Mon, 1 May 2023 17:18:19 +0200 Subject: [PATCH 279/405] [helm] Support custom port configuration for internal service (#9846) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jan-Otto Kröpke --- charts/ingress-nginx/README.md | 2 ++ .../ci/deployment-internal-lb-values.yaml | 6 ++++++ .../templates/controller-service-internal.yaml | 8 ++++---- charts/ingress-nginx/values.yaml | 11 +++++++++++ 4 files changed, 23 insertions(+), 4 deletions(-) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index b7c97939d..70a2ea688 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -406,6 +406,8 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. | | controller.service.internal.enabled | bool | `false` | Enables an additional internal load balancer (besides the external one). | | controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. | +| controller.service.internal.ports | object | `{}` | Custom port mapping for internal service | +| controller.service.internal.targetPorts | object | `{}` | Custom target port mapping for internal service | | controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ | | controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack-ness requested or required by this Service. Possible values are SingleStack, PreferDualStack or RequireDualStack. The ipFamilies and clusterIPs fields depend on the value of this field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ | | controller.service.labels | object | `{}` | | diff --git a/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml b/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml index fd8df8de5..663ccb9d1 100644 --- a/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml +++ b/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml @@ -11,3 +11,9 @@ controller: enabled: true annotations: service.beta.kubernetes.io/aws-load-balancer-internal: "true" + ports: + http: 443 + https: 80 + targetPorts: + http: 443 + https: 80 diff --git a/charts/ingress-nginx/templates/controller-service-internal.yaml b/charts/ingress-nginx/templates/controller-service-internal.yaml index aae3e155e..87146b746 100644 --- a/charts/ingress-nginx/templates/controller-service-internal.yaml +++ b/charts/ingress-nginx/templates/controller-service-internal.yaml @@ -29,9 +29,9 @@ spec: {{- $setNodePorts := (or (eq .Values.controller.service.type "NodePort") (eq .Values.controller.service.type "LoadBalancer")) }} {{- if .Values.controller.service.enableHttp }} - name: http - port: {{ .Values.controller.service.ports.http }} + port: {{ .Values.controller.service.internal.ports.http | default .Values.controller.service.ports.http }} protocol: TCP - targetPort: {{ .Values.controller.service.targetPorts.http }} + targetPort: {{ .Values.controller.service.internal.targetPorts.http | default .Values.controller.service.targetPorts.http }} {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} appProtocol: http {{- end }} @@ -41,9 +41,9 @@ spec: {{- end }} {{- if .Values.controller.service.enableHttps }} - name: https - port: {{ .Values.controller.service.ports.https }} + port: {{ .Values.controller.service.internal.ports.https | default .Values.controller.service.ports.https }} protocol: TCP - targetPort: {{ .Values.controller.service.targetPorts.https }} + targetPort: {{ .Values.controller.service.internal.targetPorts.https | default .Values.controller.service.targetPorts.https }} {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} appProtocol: https {{- end }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index c2e8cdcd7..611c384f0 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -482,6 +482,17 @@ controller: ## providers supporting it ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer # externalTrafficPolicy: "" + + # -- Custom port mapping for internal service + ports: {} + # http: 80 + # https: 443 + + # -- Custom target port mapping for internal service + targetPorts: {} + # http: http + # https: https + # shareProcessNamespace enables process namespace sharing within the pod. # This can be used for example to signal log rotation using `kill -USR1` from a sidecar. shareProcessNamespace: false From 914c5cf295a78ff2d85e656e82c36b9681a5fae0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 May 2023 10:58:19 -0700 Subject: [PATCH 280/405] Bump github.com/opencontainers/runc from 1.1.6 to 1.1.7 (#9912) Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.1.6 to 1.1.7. - [Release notes](https://github.com/opencontainers/runc/releases) - [Changelog](https://github.com/opencontainers/runc/blob/v1.1.7/CHANGELOG.md) - [Commits](https://github.com/opencontainers/runc/compare/v1.1.6...v1.1.7) --- updated-dependencies: - dependency-name: github.com/opencontainers/runc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 54929c1a7..9de23ba1a 100644 --- a/go.mod +++ b/go.mod @@ -15,7 +15,7 @@ require ( github.com/moul/pb v0.0.0-20220425114252-bca18df4138c github.com/ncabatoff/process-exporter v0.7.10 github.com/onsi/ginkgo/v2 v2.9.0 - github.com/opencontainers/runc v1.1.6 + github.com/opencontainers/runc v1.1.7 github.com/pmezard/go-difflib v1.0.0 github.com/prometheus/client_golang v1.15.0 github.com/prometheus/client_model v0.3.0 diff --git a/go.sum b/go.sum index 4d2b69333..da99bd248 100644 --- a/go.sum +++ b/go.sum @@ -288,8 +288,8 @@ github.com/onsi/ginkgo/v2 v2.9.0/go.mod h1:4xkjoL/tZv4SMWeww56BU5kAt19mVB47gTWxm github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.27.1 h1:rfztXRbg6nv/5f+Raen9RcGoSecHIFgBBLQK3Wdj754= -github.com/opencontainers/runc v1.1.6 h1:XbhB8IfG/EsnhNvZtNdLB0GBw92GYEFvKlhaJk9jUgA= -github.com/opencontainers/runc v1.1.6/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50= +github.com/opencontainers/runc v1.1.7 h1:y2EZDS8sNng4Ksf0GUYNhKbTShZJPJg1FiXJNH/uoCk= +github.com/opencontainers/runc v1.1.7/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= From 4328bed66326a8a2eec84e5676e84b001ccf4b36 Mon Sep 17 00:00:00 2001 From: Jeff Spahr Date: Mon, 1 May 2023 18:42:11 -0400 Subject: [PATCH 281/405] Update dependabot to watch docker images (#9600) * Update dependabot to watch docker images * Change to only /images on dependabot scan --------- Co-authored-by: Ricardo Katz --- .github/dependabot.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 28a5e5580..5ad21ca95 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -17,3 +17,11 @@ updates: - "area/dependency" - "release-note-none" - "ok-to-test" + - package-ecosystem: "docker" + directory: "/images" + schedule: + interval: "weekly" + labels: + - "area/dependency" + - "release-note-none" + - "ok-to-test" From f48b03be54031491e78472bcf3aa026a81e1ffd3 Mon Sep 17 00:00:00 2001 From: James Strong Date: Wed, 3 May 2023 14:20:14 -0400 Subject: [PATCH 282/405] Update TAG - 1.7.1 (#9922) start build 1.7.1 --- TAG | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TAG b/TAG index b13f0e3bc..668c7899c 100644 --- a/TAG +++ b/TAG @@ -1,2 +1,2 @@ -v1.7.0 +v1.7.1 From 6d91c2a54c6e54c987078f6e01868385e3308ee6 Mon Sep 17 00:00:00 2001 From: Brendan Kamp Date: Fri, 5 May 2023 14:27:13 +0200 Subject: [PATCH 283/405] chore: create httpbun image (#9926) Signed-off-by: Spazzy --- .github/workflows/ci.yaml | 8 +++--- images/README.md | 3 ++- images/{httpbin => httpbun}/Makefile | 2 +- images/{httpbin => httpbun}/cloudbuild.yaml | 2 +- images/{httpbin => httpbun}/rootfs/Dockerfile | 26 ++++++++++--------- 5 files changed, 22 insertions(+), 19 deletions(-) rename images/{httpbin => httpbun}/Makefile (97%) rename images/{httpbin => httpbun}/cloudbuild.yaml (94%) rename images/{httpbin => httpbun}/rootfs/Dockerfile (61%) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index edef01915..66d89393c 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -395,8 +395,8 @@ jobs: - 'images/echo/**' go-grpc-greeter-server: - 'images/go-grpc-greeter-server/**' - httpbin: - - 'images/httpbin/**' + httpbun: + - 'images/httpbun/**' kube-webhook-certgen: - 'images/kube-webhook-certgen/**' ext-auth-example-authsvc: @@ -422,10 +422,10 @@ jobs: if: ${{ steps.filter-images.outputs.go-grpc-greeter-server == 'true' }} run: | cd images/go-grpc-greeter-server && make build - - name: httpbin image build + - name: httpbun image build if: ${{ steps.filter-images.outputs.httpbin == 'true' }} run: | - cd images/httpbin && make build + cd images/httpbun && make build - name: kube-webhook-certgen image build if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} run: | diff --git a/images/README.md b/images/README.md index 13f6bfc3c..cdcb9574b 100644 --- a/images/README.md +++ b/images/README.md @@ -17,6 +17,7 @@ custom-error-pages | Example of Custom error pages for the NGINX Ingress control e2e | Image to run e2e tests fastcgi-helloserver | FastCGI application for e2e tests grpc-fortune-teller | grpc server application for the nginx-ingress grpc example -httpbin | A simple HTTP Request & Response Service for e2e tests +httpbun | A simple HTTP Request & Response Service for e2e tests +httpbin | [Removed] we are no longer maintaining the httpbin image due to project being unmaintained nginx | NGINX base image using [alpine linux](https://www.alpinelinux.org) cfssl | Image to run cfssl commands diff --git a/images/httpbin/Makefile b/images/httpbun/Makefile similarity index 97% rename from images/httpbin/Makefile rename to images/httpbun/Makefile index a2ba07400..bcb8c7be2 100644 --- a/images/httpbin/Makefile +++ b/images/httpbun/Makefile @@ -23,7 +23,7 @@ TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA) REGISTRY ?= local -IMAGE = $(REGISTRY)/e2e-test-httpbin +IMAGE = $(REGISTRY)/e2e-test-httpbun # required to enable buildx export DOCKER_CLI_EXPERIMENTAL=enabled diff --git a/images/httpbin/cloudbuild.yaml b/images/httpbun/cloudbuild.yaml similarity index 94% rename from images/httpbin/cloudbuild.yaml rename to images/httpbun/cloudbuild.yaml index e9df202b8..9e3af5935 100644 --- a/images/httpbin/cloudbuild.yaml +++ b/images/httpbun/cloudbuild.yaml @@ -18,7 +18,7 @@ steps: - -c - | gcloud auth configure-docker \ - && cd images/httpbin && make push + && cd images/httpbun && make push substitutions: _GIT_TAG: "12345" _PULL_BASE_REF: "master" diff --git a/images/httpbin/rootfs/Dockerfile b/images/httpbun/rootfs/Dockerfile similarity index 61% rename from images/httpbin/rootfs/Dockerfile rename to images/httpbun/rootfs/Dockerfile index a05f6872f..a1775d303 100644 --- a/images/httpbin/rootfs/Dockerfile +++ b/images/httpbun/rootfs/Dockerfile @@ -12,21 +12,23 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM alpine:3.17.2 +FROM golang:1.20 AS builder ENV LC_ALL=C.UTF-8 ENV LANG=C.UTF-8 +ENV HTTPBUN_COMMIT=a6b387c438b664322734250e426b6966966c2fe4 -RUN apk upgrade && apk update \ - && apk add --no-cache \ - python3 python3-dev \ - musl-dev gcc g++ make \ - libffi libffi-dev libstdc++ \ - py3-gevent py3-gunicorn py3-wheel \ - py3-pip \ - && pip3 install httpbin \ - && apk del python3-dev musl-dev gcc g++ make libffi-dev +RUN git clone https://github.com/sharat87/httpbun.git +WORKDIR httpbun +RUN git checkout $HTTPBUN_COMMIT +RUN CGO_ENABLED=0 GOOS=linux go build \ + -installsuffix cgo \ + -trimpath \ + -o bin/httpbun . + +FROM scratch +COPY --from=builder /go/httpbun/bin/httpbun httpbun +ENV HTTPBUN_BIND=0.0.0.0:80 EXPOSE 80 - -CMD ["gunicorn", "-b", "0.0.0.0:80", "httpbin:app", "-k", "gevent"] +ENTRYPOINT ["/httpbun"] From 3d733279944440ae781a95d216ecc13bec824d6f Mon Sep 17 00:00:00 2001 From: James Strong Date: Fri, 5 May 2023 08:45:13 -0400 Subject: [PATCH 284/405] release controller 1.7.1 and chart 4.6.1 (#9929) * release controller 1.7.1 and chart 4.6.1 Signed-off-by: James Strong * fix typo Signed-off-by: James Strong * fix ah lint errors Signed-off-by: James Strong --------- Signed-off-by: James Strong --- .github/workflows/ci.yaml | 8 +-- README.md | 41 ++++++++------- changelog/Changelog-1.7.1.md | 52 +++++++++++++++++++ charts/ingress-nginx/Chart.yaml | 20 ++----- charts/ingress-nginx/README.md | 8 +-- .../changelog/Changelog-4.6.1.md | 11 ++++ charts/ingress-nginx/values.yaml | 8 ++- deploy/static/provider/aws/deploy.yaml | 44 ++++++++-------- .../aws/nlb-with-tls-termination/deploy.yaml | 44 ++++++++-------- deploy/static/provider/baremetal/deploy.yaml | 44 ++++++++-------- deploy/static/provider/cloud/deploy.yaml | 44 ++++++++-------- deploy/static/provider/do/deploy.yaml | 44 ++++++++-------- deploy/static/provider/exoscale/deploy.yaml | 44 ++++++++-------- deploy/static/provider/kind/deploy.yaml | 44 ++++++++-------- deploy/static/provider/scw/deploy.yaml | 44 ++++++++-------- docs/deploy/index.md | 20 +++---- docs/e2e-tests.md | 15 ++++-- 17 files changed, 296 insertions(+), 239 deletions(-) create mode 100644 changelog/Changelog-1.7.1.md create mode 100644 charts/ingress-nginx/changelog/Changelog-4.6.1.md diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 66d89393c..77232aa88 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -205,7 +205,7 @@ jobs: strategy: matrix: - k8s: [v1.24.12, v1.25.8, v1.26.3] + k8s: [v1.24.12, v1.25.8, v1.26.3,v1.27.1] steps: - name: Checkout @@ -280,7 +280,7 @@ jobs: strategy: matrix: - k8s: [v1.24.12, v1.25.8, v1.26.3] + k8s: [v1.24.12, v1.25.8, v1.26.3,v1.27.1] steps: - name: Checkout @@ -329,7 +329,7 @@ jobs: strategy: matrix: - k8s: [v1.24.12, v1.25.8, v1.26.3] + k8s: [v1.24.12, v1.25.8, v1.26.3,v1.27.1] steps: @@ -447,7 +447,7 @@ jobs: strategy: matrix: - k8s: [v1.24.12, v1.25.8, v1.26.3] + k8s: [v1.24.12, v1.25.8, v1.26.3,v1.27.1] steps: - name: Checkout diff --git a/README.md b/README.md index f3f68366e..86f95cb9b 100644 --- a/README.md +++ b/README.md @@ -34,27 +34,28 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi ### Supported Versions table Supported versions for the ingress-nginx project mean that we have completed E2E tests, and they are passing for -the versions listed. Ingress-Nginx versions may work on older versions but the project does not make that guarantee. +the versions listed. Ingress-Nginx versions may work on older versions but the project does not make that guarantee. -| Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version | -|-----------------------|------------------------------|----------------|---------------| -| v1.7.0 | 1.26, 1.25, 1.24 | 3.17.2 | 1.21.6 | -| v1.6.4 | 1.26, 1.25, 1.24, 1.23 | 3.17.0 | 1.21.6 | -| v1.5.1 | 1.25, 1.24, 1.23 | 3.16.2 | 1.21.6 | -| v1.4.0 | 1.25, 1.24, 1.23, 1.22 | 3.16.2 | 1.19.10† | -| v1.3.1 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.2 | 1.19.10† | -| v1.3.0 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.0 | 1.19.10† | -| v1.2.1 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.6 | 1.19.10† | -| v1.1.3 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.4 | 1.19.10† | -| v1.1.2 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | -| v1.1.1 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | -| v1.1.0 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | -| v1.0.5 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | -| v1.0.4 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | -| v1.0.3 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | -| v1.0.2 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | -| v1.0.1 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | -| v1.0.0 | 1.22, 1.21, 1.20, 1.19 | 3.13.5 | 1.20.1 | +| | Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version | Helm Chart Version | +|:-----:|------------------------|------------------------------|----------------|---------------|--------------------| +| 🔄 | **v1.7.1** | 1.27,1.26, 1.25, 1.24 | 3.17.2 | 1.21.6 | 4.6.* | +| 🔄 | **v1.7.0** | 1.26, 1.25, 1.24 | 3.17.2 | 1.21.6 | 4.6.* | +| 🔄 | **v1.6.4** | 1.26, 1.25, 1.24, 1.23 | 3.17.0 | 1.21.6 | 4.5.* | +| 🔄| **v1.5.1** | 1.25, 1.24, 1.23 | 3.16.2 | 1.21.6 | 4.4.* | +| | v1.4.0 | 1.25, 1.24, 1.23, 1.22 | 3.16.2 | 1.19.10† | 4.3.0 | +| | v1.3.1 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.2 | 1.19.10† | 4.2.5 | +| | v1.3.0 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.0 | 1.19.10† | 4.2.3 | +| | v1.2.1 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.6 | 1.19.10† | 4.1.4 | +| | v1.1.3 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.4 | 1.19.10† | 4.0.19 | +| | v1.1.2 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.18 | +| | v1.1.1 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.17 | +| | v1.1.0 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.13 | +| | v1.0.5 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.9 | +| | v1.0.4 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.6 | +| | v1.0.3 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.5 | +| | v1.0.2 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.3 | +| | v1.0.1 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.2 | +| | v1.0.0 | 1.22, 1.21, 1.20, 1.19 | 3.13.5 | 1.20.1 | 4.0.1 | † _This build is diff --git a/changelog/Changelog-1.7.1.md b/changelog/Changelog-1.7.1.md new file mode 100644 index 000000000..4921dea15 --- /dev/null +++ b/changelog/Changelog-1.7.1.md @@ -0,0 +1,52 @@ +# Changelog + +### 1.7.1 +Images: + + * registry.k8s.io/controller:controller-v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 + * registry.k8s.io/controller-chroot:controller-v1.7.1@sha256:e35d5ab487861b9d419c570e3530589229224a0762c7b4d2e2222434abb8d988 + +### All Changes: + +* Update TAG - 1.7.1 (#9922) +* Update dependabot to watch docker images (#9600) +* [helm] Support custom port configuration for internal service (#9846) +* Add support for --container flag (#9703) +* Fix typo in OpenTelemetry (#9903) +* ensure make lua-test runs locally (#9902) +* update k8s.io dependecies to v0.26.4 (#9893) +* Adding resource type to default HPA configuration to resolve issues with Terraform helm chart usage (#9803) +* I have not been able to fulfill my maintainer responsibilities for a while already, making it official now. (#9883) +* Update k8s versions (#9879) +* README: Update `external-dns` link. (#9866) +* Fastcgi configmap should be on the same namespace of ingress (#9863) +* Deprecate and remove influxdb feature (#9861) +* Remove deprecated annotation secure-upstream (#9862) +* Exclude socket metrics (#9770) +* Chart: Improve `README.md`. (#9831) +* update all container tags with date and sha, upgrade all containers (#9834) +* updated NGINX_BASE image in project (#9829) +* ISO 8601 date format (#9682) +* Values: Fix indention of commented values. (#9812) +* The Ingress-Nginx project recently released version 1.7.0 of the controller, but the deployment documentation still referenced version 1.6.4. This commit updates the documentation to reference the latest version, ensuring that users have access to the most up-to-date information. Fixes#9787 (#9788) + +### Dependencies updates: +* Bump github.com/opencontainers/runc from 1.1.6 to 1.1.7 (#9912) +* Bump github.com/prometheus/client_golang from 1.14.0 to 1.15.0 (#9868) +* Bump aquasecurity/trivy-action from 0.9.2 to 0.10.0 (#9888) +* Bump github.com/opencontainers/runc from 1.1.5 to 1.1.6 (#9867) +* Bump actions/checkout from 3.5.0 to 3.5.2 (#9870) +* Bump golang.org/x/crypto from 0.7.0 to 0.8.0 (#9838) +* Bump github.com/spf13/cobra from 1.6.1 to 1.7.0 (#9839) +* Bump actions/add-to-project from 0.4.1 to 0.5.0 (#9840) +* Bump actions/checkout from 3.4.0 to 3.5.0 (#9798) +* Bump ossf/scorecard-action from 2.1.2 to 2.1.3 (#9823) +* Bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 (#9806) +* Bump actions/stale from 7.0.0 to 8.0.0 (#9799) +* Bump rajatjindal/krew-release-bot from 0.0.43 to 0.0.46 (#9797) +* Bump actions/setup-go from 3.5.0 to 4.0.0 (#9796) +* Bump github.com/imdario/mergo from 0.3.13 to 0.3.15 (#9795) +* Bump google.golang.org/grpc from 1.53.0 to 1.54.0 (#9794) +* Bump sigs.k8s.io/controller-runtime from 0.14.5 to 0.14.6 (#9822) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.7.0...controller-controller-v1.7.1 diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index bad5e2a8c..81ebfc875 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml @@ -1,21 +1,11 @@ annotations: artifacthub.io/changes: | - - "Upgrade alpine 3.17.2" - - "Upgrade golang 1.20" - - "Drop testing/support for Kubernetes 1.23" - - "docs(helm): fix value key in readme for enabling certManager (#9640)" - - "Update Ingress-Nginx version controller-v1.7.0" - - "feat: OpenTelemetry module integration (#9062)" - - "canary-weight-total annotation ignored in rule backends (#9729)" - - "fix controller psp's volume config (#9740)" - - "Fix several Helm YAML issues with extraModules and extraInitContainers (#9709)" - - "Chart: Drop `controller.headers`, rework DH param secret. (#9659)" - - "Deployment/DaemonSet: Label pods using `ingress-nginx.labels`. (#9732)" - - "HPA: autoscaling/v2beta1 deprecated, bump apiVersion to v2 for defaultBackend (#9731)" - - "Fix incorrect annotation name in upstream hashing configuration (#9617)" + - "[helm] Support custom port configuration for internal service (#9846)" + - "Adding resource type to default HPA configuration to resolve issues with Terraform helm chart usage (#9803)" + - "Update Ingress-Nginx version controller-v1.7.1" artifacthub.io/prerelease: "false" apiVersion: v2 -appVersion: 1.7.0 +appVersion: 1.7.1 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer engine: gotpl @@ -32,4 +22,4 @@ maintainers: name: ingress-nginx sources: - https://github.com/kubernetes/ingress-nginx -version: 4.6.0 +version: 4.6.1 diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 70a2ea688..108a5091e 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.6.0](https://img.shields.io/badge/Version-4.6.0-informational?style=flat-square) ![AppVersion: 1.7.0](https://img.shields.io/badge/AppVersion-1.7.0-informational?style=flat-square) +![Version: 4.6.1](https://img.shields.io/badge/Version-4.6.1-informational?style=flat-square) ![AppVersion: 1.7.1](https://img.shields.io/badge/AppVersion-1.7.1-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. @@ -310,13 +310,13 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.image.allowPrivilegeEscalation | bool | `true` | | | controller.image.chroot | bool | `false` | | -| controller.image.digest | string | `"sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7"` | | -| controller.image.digestChroot | string | `"sha256:e84ef3b44c8efeefd8b0aa08770a886bfea1f04c53b61b4ba9a7204e9f1a7edc"` | | +| controller.image.digest | string | `"sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407"` | | +| controller.image.digestChroot | string | `"sha256:e35d5ab487861b9d419c570e3530589229224a0762c7b4d2e2222434abb8d988"` | | | controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.registry | string | `"registry.k8s.io"` | | | controller.image.runAsUser | int | `101` | | -| controller.image.tag | string | `"v1.7.0"` | | +| controller.image.tag | string | `"v1.7.1"` | | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass | diff --git a/charts/ingress-nginx/changelog/Changelog-4.6.1.md b/charts/ingress-nginx/changelog/Changelog-4.6.1.md new file mode 100644 index 000000000..57d99b8db --- /dev/null +++ b/charts/ingress-nginx/changelog/Changelog-4.6.1.md @@ -0,0 +1,11 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.6.1 + +* [helm] Support custom port configuration for internal service (#9846) +* Adding resource type to default HPA configuration to resolve issues with Terraform helm chart usage (#9803) +* Update Ingress-Nginx version controller-v1.7.1 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.6.0...helm-chart-4.6.1 diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 611c384f0..551fb0449 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -23,9 +23,9 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: "v1.7.0" - digest: sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7 - digestChroot: sha256:e84ef3b44c8efeefd8b0aa08770a886bfea1f04c53b61b4ba9a7204e9f1a7edc + tag: "v1.7.1" + digest: sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 + digestChroot: sha256:e35d5ab487861b9d419c570e3530589229224a0762c7b4d2e2222434abb8d988 pullPolicy: IfNotPresent # www-data -> uid 101 runAsUser: 101 @@ -395,7 +395,6 @@ controller: # - type: Pods # value: 2 # periodSeconds: 60 - # -- Enable mimalloc as a drop-in replacement for malloc. ## ref: https://github.com/microsoft/mimalloc ## @@ -492,7 +491,6 @@ controller: targetPorts: {} # http: http # https: https - # shareProcessNamespace enables process namespace sharing within the pod. # This can be used for example to signal log rotation using `kill -USR1` from a sidecar. shareProcessNamespace: false diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml index c1d595c3a..41006c016 100644 --- a/deploy/static/provider/aws/deploy.yaml +++ b/deploy/static/provider/aws/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -344,7 +344,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -377,7 +377,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -400,7 +400,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -418,7 +418,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 spec: containers: - args: @@ -442,7 +442,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.7.0@sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7 + image: registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -514,7 +514,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -525,7 +525,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-create spec: containers: @@ -561,7 +561,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -572,7 +572,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-patch spec: containers: @@ -610,7 +610,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -623,7 +623,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml index ed6275a0b..4e4f9ca9b 100644 --- a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml +++ b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -335,7 +335,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -353,7 +353,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -386,7 +386,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -409,7 +409,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -427,7 +427,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 spec: containers: - args: @@ -451,7 +451,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.7.0@sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7 + image: registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -526,7 +526,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -537,7 +537,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-create spec: containers: @@ -573,7 +573,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -584,7 +584,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-patch spec: containers: @@ -622,7 +622,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -635,7 +635,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml index 595088a0c..3f015f001 100644 --- a/deploy/static/provider/baremetal/deploy.yaml +++ b/deploy/static/provider/baremetal/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -372,7 +372,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -395,7 +395,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -413,7 +413,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 spec: containers: - args: @@ -436,7 +436,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.7.0@sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7 + image: registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -508,7 +508,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -519,7 +519,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-create spec: containers: @@ -555,7 +555,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -566,7 +566,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-patch spec: containers: @@ -604,7 +604,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -617,7 +617,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml index 0540ff1cb..a914aca5e 100644 --- a/deploy/static/provider/cloud/deploy.yaml +++ b/deploy/static/provider/cloud/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -373,7 +373,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -396,7 +396,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -414,7 +414,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 spec: containers: - args: @@ -438,7 +438,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.7.0@sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7 + image: registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -510,7 +510,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -521,7 +521,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-create spec: containers: @@ -557,7 +557,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -568,7 +568,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-patch spec: containers: @@ -606,7 +606,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -619,7 +619,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml index ae6ae1f8f..676ae1229 100644 --- a/deploy/static/provider/do/deploy.yaml +++ b/deploy/static/provider/do/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -329,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -343,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -376,7 +376,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -399,7 +399,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -417,7 +417,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 spec: containers: - args: @@ -441,7 +441,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.7.0@sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7 + image: registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -513,7 +513,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -524,7 +524,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-create spec: containers: @@ -560,7 +560,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -571,7 +571,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-patch spec: containers: @@ -609,7 +609,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -622,7 +622,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml index a387fa928..e9d3522f0 100644 --- a/deploy/static/provider/exoscale/deploy.yaml +++ b/deploy/static/provider/exoscale/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -349,7 +349,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -382,7 +382,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -405,7 +405,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -423,7 +423,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 spec: containers: - args: @@ -447,7 +447,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.7.0@sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7 + image: registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -519,7 +519,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -530,7 +530,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-create spec: containers: @@ -566,7 +566,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -577,7 +577,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-patch spec: containers: @@ -615,7 +615,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -628,7 +628,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml index a77a08ae9..6a327b97f 100644 --- a/deploy/static/provider/kind/deploy.yaml +++ b/deploy/static/provider/kind/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -372,7 +372,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -395,7 +395,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -417,7 +417,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 spec: containers: - args: @@ -442,7 +442,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.7.0@sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7 + image: registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -524,7 +524,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -535,7 +535,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-create spec: containers: @@ -571,7 +571,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -582,7 +582,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-patch spec: containers: @@ -620,7 +620,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -633,7 +633,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml index ab9142ce2..389e2a920 100644 --- a/deploy/static/provider/scw/deploy.yaml +++ b/deploy/static/provider/scw/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -329,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -343,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -376,7 +376,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -399,7 +399,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -417,7 +417,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 spec: containers: - args: @@ -441,7 +441,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.7.0@sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7 + image: registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -513,7 +513,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -524,7 +524,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-create spec: containers: @@ -560,7 +560,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -571,7 +571,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission-patch spec: containers: @@ -609,7 +609,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -622,7 +622,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.7.0 + app.kubernetes.io/version: 1.7.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/docs/deploy/index.md b/docs/deploy/index.md index f6ba17a09..e9418bdfc 100644 --- a/docs/deploy/index.md +++ b/docs/deploy/index.md @@ -62,7 +62,7 @@ It will install the controller in the `ingress-nginx` namespace, creating that n **If you don't have Helm** or if you prefer to use a YAML manifest, you can run the following command instead: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.0/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/cloud/deploy.yaml ``` !!! info @@ -225,7 +225,7 @@ In AWS, we use a Network load balancer (NLB) to expose the NGINX Ingress control ##### Network Load Balancer (NLB) ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.0/deploy/static/provider/aws/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/aws/deploy.yaml ``` ##### TLS termination in AWS Load Balancer (NLB) @@ -233,10 +233,10 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS using an NLB. -1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.0/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template +1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template ```console - wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.0/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml + wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml ``` 2. Edit the file and change the VPC CIDR in use for the Kubernetes cluster: @@ -282,7 +282,7 @@ Then, the ingress controller can be installed like this: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.0/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/cloud/deploy.yaml ``` !!! warning @@ -299,7 +299,7 @@ Proxy-protocol is supported in GCE check the [Official Documentations on how to #### Azure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.0/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/cloud/deploy.yaml ``` More information with regard to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller). @@ -307,7 +307,7 @@ More information with regard to Azure annotations for ingress controller can be #### Digital Ocean ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.0/deploy/static/provider/do/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/do/deploy.yaml ``` - By default the service object of the ingress-nginx-controller for Digital-Ocean, only configures one annotation. Its this one `service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"`. While this makes the service functional, it was reported that the Digital-Ocean LoadBalancer graphs shows `no data`, unless a few other annotations are also configured. Some of these other annotations require values that can not be generic and hence not forced in a out-of-the-box installation. These annotations and a discussion on them is well documented in [this issue](https://github.com/kubernetes/ingress-nginx/issues/8965). Please refer to the issue to add annotations, with values specific to user, to get graphs of the DO-LB populated with data. @@ -315,7 +315,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont #### Scaleway ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.0/deploy/static/provider/scw/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/scw/deploy.yaml ``` #### Exoscale @@ -330,7 +330,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale #### Oracle Cloud Infrastructure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.0/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/cloud/deploy.yaml ``` A @@ -357,7 +357,7 @@ For quick testing, you can use a This should work on almost every cluster, but it will typically use a port in the range 30000-32767. ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.0/deploy/static/provider/baremetal/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/baremetal/deploy.yaml ``` For more information about bare metal deployments (and how to use port 80 instead of a random port in the 30000-32767 range), diff --git a/docs/e2e-tests.md b/docs/e2e-tests.md index ed3e77f67..9b3c5f2ff 100644 --- a/docs/e2e-tests.md +++ b/docs/e2e-tests.md @@ -373,10 +373,6 @@ Do not try to edit it manually. - [should apply the annotation to the default backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/with_hosts.go#L38) -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e.go#L) - ### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e_test.go#L) - [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e_test.go#L) @@ -898,4 +894,13 @@ Do not try to edit it manually. - [should expose a TCP service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L46) - [should expose an ExternalName TCP service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L80) -- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L169) \ No newline at end of file +- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L169) + +### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e.go#L) + +- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e.go#L) + +### [[metrics] exported prometheus metrics](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/metrics/metrics.go#L36) + +- [exclude socket request metrics are absent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/metrics/metrics.go#L50) +- [exclude socket request metrics are present](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/metrics/metrics.go#L72) \ No newline at end of file From c3a22a219ac2826901bd6426e3fdf25519e53a64 Mon Sep 17 00:00:00 2001 From: James Strong Date: Fri, 5 May 2023 09:52:39 -0400 Subject: [PATCH 285/405] fix controller tag in release Signed-off-by: James Strong --- changelog/Changelog-1.7.1.md | 4 ++-- magefiles/helm.go | 2 +- magefiles/release.go | 12 +++++++----- 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/changelog/Changelog-1.7.1.md b/changelog/Changelog-1.7.1.md index 4921dea15..9b8422c7e 100644 --- a/changelog/Changelog-1.7.1.md +++ b/changelog/Changelog-1.7.1.md @@ -3,8 +3,8 @@ ### 1.7.1 Images: - * registry.k8s.io/controller:controller-v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 - * registry.k8s.io/controller-chroot:controller-v1.7.1@sha256:e35d5ab487861b9d419c570e3530589229224a0762c7b4d2e2222434abb8d988 + * registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 + * registry.k8s.io/ingress-nginx/controller-chroot:v1.7.1@sha256:e35d5ab487861b9d419c570e3530589229224a0762c7b4d2e2222434abb8d988 ### All Changes: diff --git a/magefiles/helm.go b/magefiles/helm.go index d56cbed78..585a93413 100644 --- a/magefiles/helm.go +++ b/magefiles/helm.go @@ -104,7 +104,7 @@ func updateChartReleaseNotes(releasesNotes []string) { CheckIfError(err, "HELM Could not Load Chart to update release notes %s", HelmChartPath) var releaseNoteString string for i := range releasesNotes { - releaseNoteString = fmt.Sprintf("%s - %s\n", releaseNoteString, releasesNotes[i]) + releaseNoteString = fmt.Sprintf("%s - \"%s\"\n", releaseNoteString, releasesNotes[i]) } Info("HELM Release note string %s", releaseNoteString) chart.Annotations["artifacthub.io/changes"] = releaseNoteString diff --git a/magefiles/release.go b/magefiles/release.go index aeaafc3d2..c02b88cfd 100644 --- a/magefiles/release.go +++ b/magefiles/release.go @@ -356,15 +356,17 @@ func makeReleaseNotes(newVersion string) (*ReleaseNote, error) { c1 := ControllerImage{ Digest: controllerDigest, Registry: INGRESS_REGISTRY, - Name: "controller", - Tag: newReleaseNotes.NewControllerVersion, + Name: "ingress-nginx/controller", + Tag: fmt.Sprintf("v%s", newReleaseNotes.Version), } + c2 := ControllerImage{ Digest: controllerChrootDigest, Registry: INGRESS_REGISTRY, - Name: "controller-chroot", - Tag: newReleaseNotes.NewControllerVersion, + Name: "ingress-nginx/controller-chroot", + Tag: fmt.Sprintf("v%s", newReleaseNotes.Version), } + newReleaseNotes.ControllerImages = append(newReleaseNotes.ControllerImages, c1) newReleaseNotes.ControllerImages = append(newReleaseNotes.ControllerImages, c2) Debug("New Release Controller Images %s %s", newReleaseNotes.ControllerImages[0].Digest, newReleaseNotes.ControllerImages[1].Digest) @@ -413,7 +415,7 @@ func (r ReleaseNote) helmTemplate() { Debug("ChangeLog Templates %s", string(changelogTemplate)) t := template.Must(template.New("changelog").Parse(string(changelogTemplate))) // create a new file - file, err := os.Create(fmt.Sprintf("charts/ingress-nginx/changelog/Changelog-%s.md", r.Version)) + file, err := os.Create(fmt.Sprintf("charts/ingress-nginx/changelog/Changelog-%s.md", r.NewHelmChartVersion)) if err != nil { ErrorF("Could not create changelog file %s", err) } From 788b3606b19df563cc9d45341561f5fdd5f98c12 Mon Sep 17 00:00:00 2001 From: guessi Date: Sat, 6 May 2023 00:31:13 +0800 Subject: [PATCH 286/405] Keep project name display aligned (#9920) --- deploy/grafana/dashboards/README.md | 2 +- docs/deploy/baremetal.md | 28 +++++++++---------- docs/deploy/hardening-guide.md | 2 +- docs/deploy/index.md | 14 +++++----- docs/developer-guide/code-overview.md | 2 +- docs/developer-guide/getting-started.md | 4 +-- docs/examples/affinity/cookie/README.md | 2 +- .../customization/custom-errors/README.md | 4 +-- .../customization/custom-headers/README.md | 4 +-- .../customization/ssl-dh-param/README.md | 2 +- docs/examples/tls-termination/README.md | 2 +- docs/how-it-works.md | 2 +- docs/user-guide/cli-arguments.md | 2 +- docs/user-guide/external-articles.md | 2 +- docs/user-guide/miscellaneous.md | 4 +-- docs/user-guide/monitoring.md | 10 +++---- docs/user-guide/multiple-ingress.md | 4 +-- .../nginx-configuration/annotations.md | 2 +- .../third-party-addons/opentelemetry.md | 2 +- .../third-party-addons/opentracing.md | 2 +- images/README.md | 2 +- images/custom-error-pages/README.md | 2 +- mkdocs.yml | 2 +- 23 files changed, 51 insertions(+), 51 deletions(-) diff --git a/deploy/grafana/dashboards/README.md b/deploy/grafana/dashboards/README.md index 26195583b..e16180c3b 100644 --- a/deploy/grafana/dashboards/README.md +++ b/deploy/grafana/dashboards/README.md @@ -4,7 +4,7 @@ Ingress-nginx supports a rich collection of prometheus metrics. If you have pro This folder contains two dashboards that you can import. -## 1. NGINX Ingress Controller +## 1. Ingress-Nginx Controller ![Dashboard](screenshot.png) diff --git a/docs/deploy/baremetal.md b/docs/deploy/baremetal.md index 7d8076147..f5ff54174 100644 --- a/docs/deploy/baremetal.md +++ b/docs/deploy/baremetal.md @@ -1,14 +1,14 @@ # Bare-metal considerations In traditional *cloud* environments, where network load balancers are available on-demand, a single Kubernetes manifest -suffices to provide a single point of contact to the NGINX Ingress controller to external clients and, indirectly, to +suffices to provide a single point of contact to the Ingress-Nginx Controller to external clients and, indirectly, to any application running inside the cluster. *Bare-metal* environments lack this commodity, requiring a slightly different setup to offer the same kind of access to external consumers. ![Cloud environment](../images/baremetal/cloud_overview.jpg) ![Bare-metal environment](../images/baremetal/baremetal_overview.jpg) -The rest of this document describes a few recommended approaches to deploying the NGINX Ingress controller inside a +The rest of this document describes a few recommended approaches to deploying the Ingress-Nginx Controller inside a Kubernetes cluster running on bare-metal. ## A pure software solution: MetalLB @@ -30,7 +30,7 @@ the traffic for the `ingress-nginx` Service IP. See [Traffic policies][metallb-t yourself by reading the official documentation thoroughly. MetalLB can be deployed either with a simple Kubernetes manifest or with Helm. The rest of this example assumes MetalLB -was deployed following the [Installation][metallb-install] instructions, and that the NGINX Ingress controller was installed +was deployed following the [Installation][metallb-install] instructions, and that the Ingress-Nginx Controller was installed using the steps described in the [quickstart section of the installation guide][install-quickstart]. MetalLB requires a pool of IP addresses in order to be able to take ownership of the `ingress-nginx` Service. This pool @@ -164,7 +164,7 @@ field of the `ingress-nginx` Service spec to `Local` ([example][preserve-ip]). !!! warning This setting effectively **drops packets** sent to Kubernetes nodes which are not running any instance of the NGINX Ingress controller. Consider [assigning NGINX Pods to specific nodes][pod-assign] in order to control on what nodes - the NGINX Ingress controller should be scheduled or not scheduled. + the Ingress-Nginx Controller should be scheduled or not scheduled. !!! example In a Kubernetes cluster composed of 3 nodes (the external IP is added as an example, in most bare-metal environments @@ -193,7 +193,7 @@ field of the `ingress-nginx` Service spec to `Local` ([example][preserve-ip]). * **Ingress status** -Because NodePort Services do not get a LoadBalancerIP assigned by definition, the NGINX Ingress controller **does not +Because NodePort Services do not get a LoadBalancerIP assigned by definition, the Ingress-Nginx Controller **does not update the status of Ingress objects it manages**. ```console @@ -202,12 +202,12 @@ NAME HOSTS ADDRESS PORTS test-ingress myapp.example.com 80 ``` -Despite the fact there is no load balancer providing a public IP address to the NGINX Ingress controller, it is possible +Despite the fact there is no load balancer providing a public IP address to the Ingress-Nginx Controller, it is possible to force the status update of all managed Ingress objects by setting the `externalIPs` field of the `ingress-nginx` Service. !!! warning - There is more to setting `externalIPs` than just enabling the NGINX Ingress controller to update the status of + There is more to setting `externalIPs` than just enabling the Ingress-Nginx Controller to update the status of Ingress objects. Please read about this option in the [Services][external-ips] page of official Kubernetes documentation as well as the section about [External IPs](#external-ips) in this document for more information. @@ -268,11 +268,11 @@ for generating redirect URLs that take into account the URL used by external cli In a setup where there is no external load balancer available but using NodePorts is not an option, one can configure `ingress-nginx` Pods to use the network of the host they run on instead of a dedicated network namespace. The benefit of -this approach is that the NGINX Ingress controller can bind ports 80 and 443 directly to Kubernetes nodes' network +this approach is that the Ingress-Nginx Controller can bind ports 80 and 443 directly to Kubernetes nodes' network interfaces, without the extra network translation imposed by NodePort Services. !!! note - This approach does not leverage any Service object to expose the NGINX Ingress controller. If the `ingress-nginx` + This approach does not leverage any Service object to expose the Ingress-Nginx Controller. If the `ingress-nginx` Service exists in the target cluster, it is **recommended to delete it**. This can be achieved by enabling the `hostNetwork` option in the Pods' spec. @@ -284,7 +284,7 @@ template: ``` !!! danger "Security considerations" - Enabling this option **exposes every system daemon to the NGINX Ingress controller** on any network interface, + Enabling this option **exposes every system daemon to the Ingress-Nginx Controller** on any network interface, including the host's loopback. Please evaluate the impact this may have on the security of your system carefully. !!! example @@ -299,7 +299,7 @@ template: ingress-nginx-controller-5b4cf5fc6-lzrls 1/1 Running 203.0.113.2 host-2 ``` -One major limitation of this deployment approach is that only **a single NGINX Ingress controller Pod** may be scheduled +One major limitation of this deployment approach is that only **a single Ingress-Nginx Controller Pod** may be scheduled on each cluster node, because binding the same port multiple times on the same network interface is technically impossible. Pods that are unschedulable due to such situation fail with the following event: @@ -312,7 +312,7 @@ Events: Warning FailedScheduling default-scheduler 0/3 nodes are available: 3 node(s) didn't have free ports for the requested pod ports. ``` -One way to ensure only schedulable Pods are created is to deploy the NGINX Ingress controller as a *DaemonSet* instead +One way to ensure only schedulable Pods are created is to deploy the Ingress-Nginx Controller as a *DaemonSet* instead of a traditional Deployment. !!! info @@ -334,7 +334,7 @@ expected to resolve internal names for any reason. * **Ingress status** -Because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default +Because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default `--publish-service` flag used in standard cloud setups **does not apply** and the status of all Ingress objects remains blank. @@ -346,7 +346,7 @@ test-ingress myapp.example.com 80 Instead, and because bare-metal nodes usually don't have an ExternalIP, one has to enable the [`--report-node-internal-ip-address`][cli-args] flag, which sets the status of all Ingress objects to the internal IP -address of all nodes running the NGINX Ingress controller. +address of all nodes running the Ingress-Nginx Controller. !!! example Given a `ingress-nginx-controller` DaemonSet composed of 2 replicas diff --git a/docs/deploy/hardening-guide.md b/docs/deploy/hardening-guide.md index d428bc3aa..cfbdb1466 100644 --- a/docs/deploy/hardening-guide.md +++ b/docs/deploy/hardening-guide.md @@ -94,7 +94,7 @@ This guide refers to chapters in the CIS Benchmark. For full explanation you sho | __5 Request Filtering and Restrictions__||| | | ||| | | __5.1 Access Control__||| | -| 5.1.1 Ensure allow and deny filters limit access to specific IP addresses (Not Scored)| OK/ACTION NEEDED | Depends on use case, geo ip module is compiled into nginx ingress controller, there are several ways to use it | If needed set IP restrictions via annotations or work with config snippets (be careful with lets-encrypt-http-challenge!) | +| 5.1.1 Ensure allow and deny filters limit access to specific IP addresses (Not Scored)| OK/ACTION NEEDED | Depends on use case, geo ip module is compiled into Ingress-Nginx Controller, there are several ways to use it | If needed set IP restrictions via annotations or work with config snippets (be careful with lets-encrypt-http-challenge!) | | 5.1.2 Ensure only whitelisted HTTP methods are allowed (Not Scored) | OK/ACTION NEEDED | Depends on use case| If required it can be set via config snippet| | ||| | | __5.2 Request Limits__||| | diff --git a/docs/deploy/index.md b/docs/deploy/index.md index e9418bdfc..e33ee5dbe 100644 --- a/docs/deploy/index.md +++ b/docs/deploy/index.md @@ -1,6 +1,6 @@ # Installation Guide -There are multiple ways to install the NGINX ingress controller: +There are multiple ways to install the Ingress-Nginx Controller: - with [Helm](https://helm.sh), using the project repository chart; - with `kubectl apply`, using YAML manifests; @@ -192,9 +192,9 @@ doesn't work, you might have to fall back to the `kubectl port-forward` method d Rancher Desktop provides Kubernetes and Container Management on the desktop. Kubernetes is enabled by default in Rancher Desktop. -Rancher Desktop uses K3s under the hood, which in turn uses Traefik as the default ingress controller for the Kubernetes cluster. To use NGINX ingress controller in place of the default Traefik, disable Traefik from Preference > Kubernetes menu. +Rancher Desktop uses K3s under the hood, which in turn uses Traefik as the default ingress controller for the Kubernetes cluster. To use Ingress-Nginx Controller in place of the default Traefik, disable Traefik from Preference > Kubernetes menu. -Once traefik is disabled, the NGINX ingress controller can be installed on Rancher Desktop using the default [quick start](#quick-start) instructions. Follow the instructions described in the [local testing section](#local-testing) to try a sample. +Once traefik is disabled, the Ingress-Nginx Controller can be installed on Rancher Desktop using the default [quick start](#quick-start) instructions. Follow the instructions described in the [local testing section](#local-testing) to try a sample. ### Cloud deployments @@ -214,7 +214,7 @@ options of various cloud providers. #### AWS -In AWS, we use a Network load balancer (NLB) to expose the NGINX Ingress controller behind a Service of `Type=LoadBalancer`. +In AWS, we use a Network load balancer (NLB) to expose the Ingress-Nginx Controller behind a Service of `Type=LoadBalancer`. !!! info The provided templates illustrate the setup for legacy in-tree service load balancer for AWS NLB. @@ -419,14 +419,14 @@ Here is how these Ingress versions are supported in Kubernetes: - from Kubernetes 1.19 to 1.21, both `v1beta1` and `v1` Ingress resources are supported - in Kubernetes 1.22 and above, only `v1` Ingress resources are supported -And here is how these Ingress versions are supported in NGINX Ingress Controller: +And here is how these Ingress versions are supported in Ingress-Nginx Controller: - before version 1.0, only `v1beta1` Ingress resources are supported - in version 1.0 and above, only `v1` Ingress resources are As a result, if you're running Kubernetes 1.19 or later, you should be able to use the latest version of the NGINX Ingress Controller; but if you're using an old version of Kubernetes (1.18 or earlier) you will have to use version 0.X -of the NGINX Ingress Controller (e.g. version 0.49). +of the Ingress-Nginx Controller (e.g. version 0.49). -The Helm chart of the NGINX Ingress Controller switched to version 1 in version 4 of the chart. In other words, if +The Helm chart of the Ingress-Nginx Controller switched to version 1 in version 4 of the chart. In other words, if you're running Kubernetes 1.19 or earlier, you should use version 3.X of the chart (this can be done by adding `--version='<4'` to the `helm install` command ). diff --git a/docs/developer-guide/code-overview.md b/docs/developer-guide/code-overview.md index a26083c6a..8e872211d 100644 --- a/docs/developer-guide/code-overview.md +++ b/docs/developer-guide/code-overview.md @@ -53,7 +53,7 @@ This code can be found in [internal/file](https://github.com/kubernetes/ingress- #### Ingress functions -Contains all the logics from NGINX Ingress Controller, with some examples being: +Contains all the logics from Ingress-Nginx Controller, with some examples being: * Expected Golang structures that will be used in templates and other parts of the code - [internal/ingress/types.go](https://github.com/kubernetes/ingress-nginx/blob/main/internal/ingress/types.go). * supported annotations and its parsing logics - [internal/ingress/annotations](https://github.com/kubernetes/ingress-nginx/tree/main/internal/ingress/annotations). diff --git a/docs/developer-guide/getting-started.md b/docs/developer-guide/getting-started.md index 9f4be8fcc..4b7ed46f0 100644 --- a/docs/developer-guide/getting-started.md +++ b/docs/developer-guide/getting-started.md @@ -1,6 +1,6 @@ - Developing for NGINX Ingress Controller + Developing for Ingress-Nginx Controller -This document explains how to get started with developing for NGINX Ingress controller. +This document explains how to get started with developing for Ingress-Nginx Controller. For the really new contributors, who want to contribute to the INGRESS-NGINX project, but need help with understanding some basic concepts, that are needed to work with the Kubernetes ingress resource, here is a link to the [New Contributors Guide](https://github.com/kubernetes/ingress-nginx/blob/main/NEW_CONTRIBUTOR.md). diff --git a/docs/examples/affinity/cookie/README.md b/docs/examples/affinity/cookie/README.md index 1920d132b..e66503dd7 100644 --- a/docs/examples/affinity/cookie/README.md +++ b/docs/examples/affinity/cookie/README.md @@ -67,7 +67,7 @@ Accept-Ranges: bytes ``` In the example above, you can see that the response contains a `Set-Cookie` header with the settings we have defined. -This cookie is created by the NGINX Ingress Controller, it contains a randomly generated key corresponding to the upstream used for that request (selected using [consistent hashing][consistent-hashing]) and has an `Expires` directive. +This cookie is created by the Ingress-Nginx Controller, it contains a randomly generated key corresponding to the upstream used for that request (selected using [consistent hashing][consistent-hashing]) and has an `Expires` directive. If a client sends a cookie that doesn't correspond to an upstream, NGINX selects an upstream and creates a corresponding cookie. If the backend pool grows NGINX will keep sending the requests through the same server of the first request, even if it's overloaded. diff --git a/docs/examples/customization/custom-errors/README.md b/docs/examples/customization/custom-errors/README.md index a137fd6dc..a7c9545b0 100644 --- a/docs/examples/customization/custom-errors/README.md +++ b/docs/examples/customization/custom-errors/README.md @@ -29,7 +29,7 @@ service/nginx-errors ClusterIP 10.0.0.12 80/TCP 10s ## Ingress controller configuration -If you do not already have an instance of the NGINX Ingress controller running, deploy it according to the +If you do not already have an instance of the Ingress-Nginx Controller running, deploy it according to the [deployment guide][deploy], then follow these steps: 1. Edit the `ingress-nginx-controller` Deployment and set the value of the `--default-backend-service` flag to the name of the @@ -37,7 +37,7 @@ If you do not already have an instance of the NGINX Ingress controller running, 2. Edit the `ingress-nginx-controller` ConfigMap and create the key `custom-http-errors` with a value of `404,503`. -3. Take note of the IP address assigned to the NGINX Ingress controller Service. +3. Take note of the IP address assigned to the Ingress-Nginx Controller Service. ``` $ kubectl get svc ingress-nginx NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE diff --git a/docs/examples/customization/custom-headers/README.md b/docs/examples/customization/custom-headers/README.md index 499bfc386..0da12582f 100644 --- a/docs/examples/customization/custom-headers/README.md +++ b/docs/examples/customization/custom-headers/README.md @@ -10,7 +10,7 @@ To work around this limitation, perform a rolling restart of the deployment. ## Example -This example demonstrates configuration of the nginx ingress controller via +This example demonstrates configuration of the Ingress-Nginx Controller via a ConfigMap to pass a custom list of headers to the upstream server. @@ -26,7 +26,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/customization/custom-headers/configmap.yaml ``` -The nginx ingress controller will read the `ingress-nginx/ingress-nginx-controller` ConfigMap, find the `proxy-set-headers` key, read HTTP headers from the `ingress-nginx/custom-headers` ConfigMap, and include those HTTP headers in all requests flowing from nginx to the backends. +The Ingress-Nginx Controller will read the `ingress-nginx/ingress-nginx-controller` ConfigMap, find the `proxy-set-headers` key, read HTTP headers from the `ingress-nginx/custom-headers` ConfigMap, and include those HTTP headers in all requests flowing from nginx to the backends. The above example was for passing a custom list of headers to the upstream server. diff --git a/docs/examples/customization/ssl-dh-param/README.md b/docs/examples/customization/ssl-dh-param/README.md index 2eae67ce2..fcd80757b 100644 --- a/docs/examples/customization/ssl-dh-param/README.md +++ b/docs/examples/customization/ssl-dh-param/README.md @@ -1,6 +1,6 @@ # Custom DH parameters for perfect forward secrecy -This example aims to demonstrate the deployment of an nginx ingress controller and +This example aims to demonstrate the deployment of an Ingress-Nginx Controller and use a ConfigMap to configure a custom Diffie-Hellman parameters file to help with "Perfect Forward Secrecy". diff --git a/docs/examples/tls-termination/README.md b/docs/examples/tls-termination/README.md index bd68ddc67..25139b381 100644 --- a/docs/examples/tls-termination/README.md +++ b/docs/examples/tls-termination/README.md @@ -1,6 +1,6 @@ # TLS termination -This example demonstrates how to terminate TLS through the nginx Ingress controller. +This example demonstrates how to terminate TLS through the Ingress-Nginx Controller. ## Prerequisites diff --git a/docs/how-it-works.md b/docs/how-it-works.md index 894a504dc..161803210 100644 --- a/docs/how-it-works.md +++ b/docs/how-it-works.md @@ -60,7 +60,7 @@ In a relatively big cluster with frequently deploying apps this feature saves si Because the ingress controller works using the [synchronization loop pattern](https://coreos.com/kubernetes/docs/latest/replication-controller.html#the-reconciliation-loop-in-detail), it is applying the configuration for all matching objects. In case some Ingress objects have a broken configuration, for example a syntax error in the `nginx.ingress.kubernetes.io/configuration-snippet` annotation, the generated configuration becomes invalid, does not reload and hence no more ingresses will be taken into account. -To prevent this situation to happen, the nginx ingress controller optionally exposes a [validating admission webhook server][8] to ensure the validity of incoming ingress objects. +To prevent this situation to happen, the Ingress-Nginx Controller optionally exposes a [validating admission webhook server][8] to ensure the validity of incoming ingress objects. This webhook appends the incoming ingress objects to the list of ingresses, generates the configuration and calls nginx to ensure the configuration has no syntax errors. [0]: https://github.com/openresty/lua-nginx-module/pull/1259 diff --git a/docs/user-guide/cli-arguments.md b/docs/user-guide/cli-arguments.md index 59e52957d..bc0894a52 100644 --- a/docs/user-guide/cli-arguments.md +++ b/docs/user-guide/cli-arguments.md @@ -68,7 +68,7 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment | `--validating-webhook` | The address to start an admission controller on to validate incoming ingresses. Takes the form ":port". If not provided, no admission controller is started. | | `--validating-webhook-certificate` | The path of the validating webhook certificate PEM. | | `--validating-webhook-key` | The path of the validating webhook key PEM. | -| `--version` | Show release information about the NGINX Ingress controller and exit. | +| `--version` | Show release information about the Ingress-Nginx Controller and exit. | | `--watch-ingress-without-class` | Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified. (default false) | | `--watch-namespace` | Namespace the controller watches for updates to Kubernetes objects. This includes Ingresses, Services and all configuration resources. All namespaces are watched if this parameter is left empty. | | `--watch-namespace-selector` | The controller will watch namespaces whose labels match the given selector. This flag only takes effective when `--watch-namespace` is empty. | diff --git a/docs/user-guide/external-articles.md b/docs/user-guide/external-articles.md index d9fd828b8..27a3f4447 100644 --- a/docs/user-guide/external-articles.md +++ b/docs/user-guide/external-articles.md @@ -2,5 +2,5 @@ - [Pain(less) NGINX Ingress](http://danielfm.me/posts/painless-nginx-ingress.html) - [Accessing Kubernetes Pods from Outside of the Cluster](http://alesnosek.com/blog/2017/02/14/accessing-kubernetes-pods-from-outside-of-the-cluster) -- [Kubernetes - Redirect HTTP to HTTPS with ELB and the nginx ingress controller](https://dev.to/tomhoule/kubernetes---redirect-http-to-https-with-elb-and-the-nginx-ingress-controller) +- [Kubernetes - Redirect HTTP to HTTPS with ELB and the Ingress-Nginx Controller](https://dev.to/tomhoule/kubernetes---redirect-http-to-https-with-elb-and-the-nginx-ingress-controller) - [Configure Nginx Ingress Controller for TLS termination on Kubernetes on Azure](https://blogs.technet.microsoft.com/livedevopsinjapan/2017/02/28/configure-nginx-ingress-controller-for-tls-termination-on-kubernetes-on-azure-2/) diff --git a/docs/user-guide/miscellaneous.md b/docs/user-guide/miscellaneous.md index d9b32d36f..e7d1ac59c 100644 --- a/docs/user-guide/miscellaneous.md +++ b/docs/user-guide/miscellaneous.md @@ -32,7 +32,7 @@ The default value of these settings is `60 seconds`. A more adequate value to support websockets is a value higher than one hour (`3600`). !!! Important - If the NGINX ingress controller is exposed with a service `type=LoadBalancer` make sure the protocol between the loadbalancer and NGINX is TCP. + If the Ingress-Nginx Controller is exposed with a service `type=LoadBalancer` make sure the protocol between the loadbalancer and NGINX is TCP. ## Optimizing TLS Time To First Byte (TTTFB) @@ -52,4 +52,4 @@ The previous behavior can be restored using `retry-non-idempotent=true` in the c ## Why endpoints and not services -The NGINX ingress controller does not use [Services](http://kubernetes.io/docs/user-guide/services) to route traffic to the pods. Instead it uses the Endpoints API in order to bypass [kube-proxy](http://kubernetes.io/docs/admin/kube-proxy/) to allow NGINX features like session affinity and custom load balancing algorithms. It also removes some overhead, such as conntrack entries for iptables DNAT. +The Ingress-Nginx Controller does not use [Services](http://kubernetes.io/docs/user-guide/services) to route traffic to the pods. Instead it uses the Endpoints API in order to bypass [kube-proxy](http://kubernetes.io/docs/admin/kube-proxy/) to allow NGINX features like session affinity and custom load balancing algorithms. It also removes some overhead, such as conntrack entries for iptables DNAT. diff --git a/docs/user-guide/monitoring.md b/docs/user-guide/monitoring.md index 281207866..1e30e556f 100644 --- a/docs/user-guide/monitoring.md +++ b/docs/user-guide/monitoring.md @@ -6,14 +6,14 @@ Two different methods to install and configure Prometheus and Grafana are descri ## Prometheus and Grafana installation using Pod Annotations -This tutorial will show you how to install [Prometheus](https://prometheus.io/) and [Grafana](https://grafana.com/) for scraping the metrics of the NGINX Ingress controller. +This tutorial will show you how to install [Prometheus](https://prometheus.io/) and [Grafana](https://grafana.com/) for scraping the metrics of the Ingress-Nginx Controller. !!! important This example uses `emptyDir` volumes for Prometheus and Grafana. This means once the pod gets terminated you will lose all the data. ### Before You Begin -- The NGINX Ingress controller should already be deployed according to the deployment instructions [here](../deploy/index.md). +- The Ingress-Nginx Controller should already be deployed according to the deployment instructions [here](../deploy/index.md). - The controller should be configured for exporting metrics. This requires 3 configurations to the controller. These configurations are : 1. controller.metrics.enabled=true @@ -184,9 +184,9 @@ According to the above example, this URL will be http://10.192.0.3:31086 ## Prometheus and Grafana installation using Service Monitors This document assumes you're using helm and using the kube-prometheus-stack package to install Prometheus and Grafana. -### Verify NGINX Ingress controller is installed +### Verify Ingress-Nginx Controller is installed -- The NGINX Ingress controller should already be deployed according to the deployment instructions [here](../deploy/index.md). +- The Ingress-Nginx Controller should already be deployed according to the deployment instructions [here](../deploy/index.md). - To check if Ingress controller is deployed, ``` @@ -214,7 +214,7 @@ This document assumes you're using helm and using the kube-prometheus-stack pack - If prometheus is not installed, then you can install from [here](https://artifacthub.io/packages/helm/prometheus-community/kube-prometheus-stack) -### Re-configure NGINX Ingress controller +### Re-configure Ingress-Nginx Controller - The Ingress NGINX controller needs to be reconfigured for exporting metrics. This requires 3 additional configurations to the controller. These configurations are : ``` diff --git a/docs/user-guide/multiple-ingress.md b/docs/user-guide/multiple-ingress.md index 6a9457a9c..fca93ee65 100644 --- a/docs/user-guide/multiple-ingress.md +++ b/docs/user-guide/multiple-ingress.md @@ -111,7 +111,7 @@ spec: then setting the corresponding `kubernetes.io/ingress.class: "internal-nginx"` annotation on your Ingresses. -To reiterate, setting the annotation to any value which does not match a valid ingress class will force the NGINX Ingress controller to ignore your Ingress. -If you are only running a single NGINX ingress controller, this can be achieved by setting the annotation to any value except "nginx" or an empty string. +To reiterate, setting the annotation to any value which does not match a valid ingress class will force the Ingress-Nginx Controller to ignore your Ingress. +If you are only running a single Ingress-Nginx Controller, this can be achieved by setting the annotation to any value except "nginx" or an empty string. Do this if you wish to use one of the other Ingress controllers at the same time as the NGINX controller. diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md index 3b463eea7..328f13a17 100755 --- a/docs/user-guide/nginx-configuration/annotations.md +++ b/docs/user-guide/nginx-configuration/annotations.md @@ -598,7 +598,7 @@ the User guide. ### Service Upstream -By default the NGINX ingress controller uses a list of all endpoints (Pod IP/port) in the NGINX upstream configuration. +By default the Ingress-Nginx Controller uses a list of all endpoints (Pod IP/port) in the NGINX upstream configuration. The `nginx.ingress.kubernetes.io/service-upstream` annotation disables that behavior and instead uses a single upstream in NGINX, the service's Cluster IP and port. diff --git a/docs/user-guide/third-party-addons/opentelemetry.md b/docs/user-guide/third-party-addons/opentelemetry.md index 7aeea541c..1b9b6536e 100644 --- a/docs/user-guide/third-party-addons/opentelemetry.md +++ b/docs/user-guide/third-party-addons/opentelemetry.md @@ -2,7 +2,7 @@ Enables requests served by NGINX for distributed telemetry via The OpenTelemetry Project. -Using the third party module [opentelemetry-cpp-contrib/nginx](https://github.com/open-telemetry/opentelemetry-cpp-contrib/tree/main/instrumentation/nginx) the NGINX ingress controller can configure NGINX to enable [OpenTelemetry](http://opentelemetry.io) instrumentation. +Using the third party module [opentelemetry-cpp-contrib/nginx](https://github.com/open-telemetry/opentelemetry-cpp-contrib/tree/main/instrumentation/nginx) the Ingress-Nginx Controller can configure NGINX to enable [OpenTelemetry](http://opentelemetry.io) instrumentation. By default this feature is disabled. ## Usage diff --git a/docs/user-guide/third-party-addons/opentracing.md b/docs/user-guide/third-party-addons/opentracing.md index 6ed0f195e..f5ec59faf 100644 --- a/docs/user-guide/third-party-addons/opentracing.md +++ b/docs/user-guide/third-party-addons/opentracing.md @@ -2,7 +2,7 @@ Enables requests served by NGINX for distributed tracing via The OpenTracing Project. -Using the third party module [opentracing-contrib/nginx-opentracing](https://github.com/opentracing-contrib/nginx-opentracing) the NGINX ingress controller can configure NGINX to enable [OpenTracing](http://opentracing.io) instrumentation. +Using the third party module [opentracing-contrib/nginx-opentracing](https://github.com/opentracing-contrib/nginx-opentracing) the Ingress-Nginx Controller can configure NGINX to enable [OpenTracing](http://opentracing.io) instrumentation. By default this feature is disabled. ## Usage diff --git a/images/README.md b/images/README.md index cdcb9574b..e7e5f71a6 100644 --- a/images/README.md +++ b/images/README.md @@ -13,7 +13,7 @@ Directory | Purpose ------------ | ------------- -custom-error-pages | Example of Custom error pages for the NGINX Ingress controller +custom-error-pages | Example of Custom error pages for the Ingress-Nginx Controller e2e | Image to run e2e tests fastcgi-helloserver | FastCGI application for e2e tests grpc-fortune-teller | grpc server application for the nginx-ingress grpc example diff --git a/images/custom-error-pages/README.md b/images/custom-error-pages/README.md index 88983591f..cd6df3e0a 100644 --- a/images/custom-error-pages/README.md +++ b/images/custom-error-pages/README.md @@ -1,3 +1,3 @@ # custom-error-pages -Example of Custom error pages for the NGINX Ingress controller +Example of Custom error pages for the Ingress-Nginx Controller diff --git a/mkdocs.yml b/mkdocs.yml index 62c0ccf48..39eab9ef0 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -1,4 +1,4 @@ -site_name: NGINX Ingress Controller +site_name: Ingress-Nginx Controller repo_name: "kubernetes/ingress-nginx" repo_url: https://github.com/kubernetes/ingress-nginx site_url: https://kubernetes.github.io/ingress-nginx From 8ab8803dcc71a6a0cab99bfe13969dce1808aa44 Mon Sep 17 00:00:00 2001 From: guessi Date: Sat, 6 May 2023 09:23:16 +0800 Subject: [PATCH 287/405] Update charts/* to keep project name display aligned (#9931) --- charts/ingress-nginx/README.md | 14 +++++++------- charts/ingress-nginx/README.md.gotmpl | 8 ++++---- charts/ingress-nginx/values.yaml | 6 +++--- 3 files changed, 14 insertions(+), 14 deletions(-) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 108a5091e..2c2dd2f37 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -79,14 +79,14 @@ else it would make it impossible to evacuate a node. See [gh issue #7127](https: ### Prometheus Metrics -The Nginx ingress controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`. +The Ingress-Nginx Controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`. You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`. Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. And set `controller.metrics.serviceMonitor.additionalLabels.release="prometheus"`. "release=prometheus" should match the label configured in the prometheus servicemonitor ( see `kubectl get servicemonitor prometheus-kube-prom-prometheus -oyaml -n prometheus`) ### ingress-nginx nginx\_status page/stats server -Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in nginx ingress controller: +Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in Ingress-Nginx Controller: - In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed - In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost. @@ -193,7 +193,7 @@ Optionally you can set `controller.service.loadBalancerIP` if you need a static ### Ingress Admission Webhooks -With nginx-ingress-controller version 0.25+, the nginx ingress controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster. +With nginx-ingress-controller version 0.25+, the Ingress-Nginx Controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster. **This feature is enabled by default since 0.31.0.** With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521) @@ -202,7 +202,7 @@ With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fi A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks. 1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits. -2. The ingress nginx controller pod is configured to use a TLS proxy container, which will load that certificate. +2. The Ingress-Nginx Controller pod is configured to use a TLS proxy container, which will load that certificate. 3. Validating and Mutating webhook configurations are created in the cluster. 4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations @@ -294,14 +294,14 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # | | controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto" Defaults to false | | controller.existingPsp | string | `""` | Use an existing PSP instead of creating one | -| controller.extraArgs | object | `{}` | Additional command line arguments to pass to nginx-ingress-controller E.g. to specify the default SSL certificate you can use | +| controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use | | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. | | controller.extraEnvs | list | `[]` | Additional environment variables to set | | controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. | | controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module | | controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. | | controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. | -| controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the ingress nginx controller is running in the `hostNetwork: true` mode. | +| controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. | | controller.healthCheckPath | string | `"/healthz"` | Path of the health check endpoint. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. | | controller.hostNetwork | bool | `false` | Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 is merged | | controller.hostPort.enabled | bool | `false` | Enable 'hostPort' or not | @@ -390,7 +390,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.readinessProbe.successThreshold | int | `1` | | | controller.readinessProbe.timeoutSeconds | int | `1` | | | controller.replicaCount | int | `1` | | -| controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply | +| controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply | | controller.resources.requests.cpu | string | `"100m"` | | | controller.resources.requests.memory | string | `"90Mi"` | | | controller.scope.enabled | bool | `false` | Enable 'scope' or not | diff --git a/charts/ingress-nginx/README.md.gotmpl b/charts/ingress-nginx/README.md.gotmpl index b3d35b6e7..4a35a40b3 100644 --- a/charts/ingress-nginx/README.md.gotmpl +++ b/charts/ingress-nginx/README.md.gotmpl @@ -76,14 +76,14 @@ else it would make it impossible to evacuate a node. See [gh issue #7127](https: ### Prometheus Metrics -The Nginx ingress controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`. +The Ingress-Nginx Controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`. You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`. Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. And set `controller.metrics.serviceMonitor.additionalLabels.release="prometheus"`. "release=prometheus" should match the label configured in the prometheus servicemonitor ( see `kubectl get servicemonitor prometheus-kube-prom-prometheus -oyaml -n prometheus`) ### ingress-nginx nginx\_status page/stats server -Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in nginx ingress controller: +Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in Ingress-Nginx Controller: - In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed - In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost. @@ -190,7 +190,7 @@ Optionally you can set `controller.service.loadBalancerIP` if you need a static ### Ingress Admission Webhooks -With nginx-ingress-controller version 0.25+, the nginx ingress controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster. +With nginx-ingress-controller version 0.25+, the Ingress-Nginx Controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster. **This feature is enabled by default since 0.31.0.** With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521) @@ -199,7 +199,7 @@ With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fi A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks. 1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits. -2. The ingress nginx controller pod is configured to use a TLS proxy container, which will load that certificate. +2. The Ingress-Nginx Controller pod is configured to use a TLS proxy container, which will load that certificate. 3. Validating and Mutating webhook configurations are created in the cluster. 4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 551fb0449..3a9629d63 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -55,7 +55,7 @@ controller: # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. dnsPolicy: ClusterFirst # -- Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network - # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply + # Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply reportNodeInternalIp: false # -- Process Ingress objects without ingressClass annotation/ingressClassName field # Overrides value for --watch-ingress-without-class flag of the controller binary @@ -150,7 +150,7 @@ controller: # -- Maxmind license key to download GeoLite2 Databases. ## https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases maxmindLicenseKey: "" - # -- Additional command line arguments to pass to nginx-ingress-controller + # -- Additional command line arguments to pass to Ingress-Nginx Controller # E.g. to specify the default SSL certificate you can use extraArgs: {} ## extraArgs: @@ -302,7 +302,7 @@ controller: healthCheckPath: "/healthz" # -- Address to bind the health check endpoint. # It is better to set this option to the internal node address - # if the ingress nginx controller is running in the `hostNetwork: true` mode. + # if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. healthCheckHost: "" # -- Annotations to be added to controller pods ## From 57d94569a4dfecc8deb76bdc21ad288c1ed424a5 Mon Sep 17 00:00:00 2001 From: Ian De Bie Date: Sun, 7 May 2023 02:17:16 -0500 Subject: [PATCH 288/405] Update annotations.md (#9933) add the missing quotes --- docs/user-guide/nginx-configuration/annotations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md index 328f13a17..b515a9f3b 100755 --- a/docs/user-guide/nginx-configuration/annotations.md +++ b/docs/user-guide/nginx-configuration/annotations.md @@ -22,7 +22,7 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz |[nginx.ingress.kubernetes.io/auth-realm](#authentication)|string| |[nginx.ingress.kubernetes.io/auth-secret](#authentication)|string| |[nginx.ingress.kubernetes.io/auth-secret-type](#authentication)|string| -|[nginx.ingress.kubernetes.io/auth-type](#authentication)|basic or digest| +|[nginx.ingress.kubernetes.io/auth-type](#authentication)|"basic" or "digest"| |[nginx.ingress.kubernetes.io/auth-tls-secret](#client-certificate-authentication)|string| |[nginx.ingress.kubernetes.io/auth-tls-verify-depth](#client-certificate-authentication)|number| |[nginx.ingress.kubernetes.io/auth-tls-verify-client](#client-certificate-authentication)|string| From 2794129e9296cf59de89cf7efbd1eebc7cf44349 Mon Sep 17 00:00:00 2001 From: Alexander Stanko Date: Tue, 9 May 2023 05:42:52 +0700 Subject: [PATCH 289/405] Add geoname id value into $geoip2_*_geoname_id variables (#9527) --- rootfs/etc/nginx/template/nginx.tmpl | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index a49989f30..9b3a47de3 100644 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -188,8 +188,10 @@ http { geoip2 /etc/nginx/geoip/GeoLite2-Country.mmdb { $geoip2_country_code source=$remote_addr country iso_code; $geoip2_country_name source=$remote_addr country names en; + $geoip2_country_geoname_id source=$remote_addr country geoname_id; $geoip2_continent_code source=$remote_addr continent code; $geoip2_continent_name source=$remote_addr continent names en; + $geoip2_continent_geoname_id source=$remote_addr continent geoname_id; } {{ end }} @@ -197,8 +199,10 @@ http { geoip2 /etc/nginx/geoip/GeoIP2-Country.mmdb { $geoip2_country_code source=$remote_addr country iso_code; $geoip2_country_name source=$remote_addr country names en; + $geoip2_country_geoname_id source=$remote_addr country geoname_id; $geoip2_continent_code source=$remote_addr continent code; $geoip2_continent_name source=$remote_addr continent names en; + $geoip2_continent_geoname_id source=$remote_addr continent geoname_id; } {{ end }} @@ -206,7 +210,9 @@ http { geoip2 /etc/nginx/geoip/GeoLite2-City.mmdb { $geoip2_city_country_code source=$remote_addr country iso_code; $geoip2_city_country_name source=$remote_addr country names en; + $geoip2_city_country_geoname_id source=$remote_addr country geoname_id; $geoip2_city source=$remote_addr city names en; + $geoip2_city_geoname_id source=$remote_addr city geoname_id; $geoip2_postal_code source=$remote_addr postal code; $geoip2_dma_code source=$remote_addr location metro_code; $geoip2_latitude source=$remote_addr location latitude; @@ -214,8 +220,10 @@ http { $geoip2_time_zone source=$remote_addr location time_zone; $geoip2_region_code source=$remote_addr subdivisions 0 iso_code; $geoip2_region_name source=$remote_addr subdivisions 0 names en; + $geoip2_region_geoname_id source=$remote_addr subdivisions 0 geoname_id; $geoip2_subregion_code source=$remote_addr subdivisions 1 iso_code; $geoip2_subregion_name source=$remote_addr subdivisions 1 names en; + $geoip2_subregion_geoname_id source=$remote_addr subdivisions 1 geoname_id; } {{ end }} @@ -223,7 +231,9 @@ http { geoip2 /etc/nginx/geoip/GeoIP2-City.mmdb { $geoip2_city_country_code source=$remote_addr country iso_code; $geoip2_city_country_name source=$remote_addr country names en; + $geoip2_city_country_geoname_id source=$remote_addr country geoname_id; $geoip2_city source=$remote_addr city names en; + $geoip2_city_geoname_id source=$remote_addr city geoname_id; $geoip2_postal_code source=$remote_addr postal code; $geoip2_dma_code source=$remote_addr location metro_code; $geoip2_latitude source=$remote_addr location latitude; @@ -231,8 +241,10 @@ http { $geoip2_time_zone source=$remote_addr location time_zone; $geoip2_region_code source=$remote_addr subdivisions 0 iso_code; $geoip2_region_name source=$remote_addr subdivisions 0 names en; + $geoip2_region_geoname_id source=$remote_addr subdivisions 0 geoname_id; $geoip2_subregion_code source=$remote_addr subdivisions 1 iso_code; $geoip2_subregion_name source=$remote_addr subdivisions 1 names en; + $geoip2_subregion_geoname_id source=$remote_addr subdivisions 1 geoname_id; } {{ end }} From eec43519fa7b6c933d4f0b6501851bd3ea9e460e Mon Sep 17 00:00:00 2001 From: Kundan Kumar Date: Wed, 10 May 2023 10:32:59 +0530 Subject: [PATCH 290/405] image_update (#9942) --- .../customization/custom-errors/custom-default-backend.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/examples/customization/custom-errors/custom-default-backend.yaml b/docs/examples/customization/custom-errors/custom-default-backend.yaml index 5fc5c55e4..2af64896f 100644 --- a/docs/examples/customization/custom-errors/custom-default-backend.yaml +++ b/docs/examples/customization/custom-errors/custom-default-backend.yaml @@ -36,7 +36,7 @@ spec: spec: containers: - name: nginx-error-server - image: registry.k8s.io/ingress-nginx/nginx-errors:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:332be6ff8c4e93e8845963932f98839dfd52ae49829c29e06475368a3e4fbd9e + image: registry.k8s.io/ingress-nginx/nginx-errors:v20230404-helm-chart-4.6.0-11-gc76179c04@sha256:aabd7a001f6a0a07ed6ea8f6da87e928bfa8f971eba2bef708f3e8504fc5cc9b ports: - containerPort: 8080 # Setting the environment variable DEBUG we can see the headers sent From 0bdb64373c48660192dc87fe17989ab574422932 Mon Sep 17 00:00:00 2001 From: Brendan Kamp Date: Wed, 10 May 2023 16:43:02 +0200 Subject: [PATCH 291/405] chore: update httpbin to httpbun (#9919) Signed-off-by: Spazzy --- test/data/config.json | 6 +- test/e2e/annotations/auth.go | 45 +++---- test/e2e/annotations/grpc.go | 10 +- test/e2e/annotations/satisfy.go | 10 +- test/e2e/framework/deployment.go | 103 ++++++++++++++-- test/e2e/security/request_smuggling.go | 7 +- .../servicebackend/service_externalname.go | 115 +++++++++--------- test/e2e/settings/brotli.go | 4 +- .../settings/disable_service_external_name.go | 8 +- test/e2e/settings/global_external_auth.go | 12 +- test/e2e/settings/listen_nondefault_ports.go | 10 +- test/k6/smoketest.js | 2 +- 12 files changed, 215 insertions(+), 117 deletions(-) diff --git a/test/data/config.json b/test/data/config.json index 5d8a88cbe..d51e1c40b 100644 --- a/test/data/config.json +++ b/test/data/config.json @@ -413,7 +413,7 @@ "secured": false }, "externalAuth": { - "url": "https://httpbin.org/basic-auth/user/passwd", + "url": "https://httpbun.com/basic-auth/user/passwd", "method": "", "sendBody": false }, @@ -59354,7 +59354,7 @@ "secured": false }, "externalAuth": { - "url": "https://httpbin.org/basic-auth/user/passwd", + "url": "https://httpbun.com/basic-auth/user/passwd", "method": "", "sendBody": false }, @@ -60272,4 +60272,4 @@ "failTimeout": 0 }] }] -} \ No newline at end of file +} diff --git a/test/e2e/annotations/auth.go b/test/e2e/annotations/auth.go index e3d0bcb2e..4ca034825 100644 --- a/test/e2e/annotations/auth.go +++ b/test/e2e/annotations/auth.go @@ -19,13 +19,14 @@ package annotations import ( "context" "fmt" - "golang.org/x/crypto/bcrypt" "net/http" "net/url" "regexp" "strings" "time" + "golang.org/x/crypto/bcrypt" + "github.com/onsi/ginkgo/v2" "github.com/stretchr/testify/assert" @@ -389,10 +390,10 @@ http { assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint") assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint") - httpbinIP := e.Subsets[0].Addresses[0].IP + httpbunIP := e.Subsets[0].Addresses[0].IP annotations = map[string]string{ - "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/cookies/set/alma/armud", httpbinIP), + "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/cookies/set/alma/armud", httpbunIP), "nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start", } @@ -456,21 +457,21 @@ http { var ing *networking.Ingress ginkgo.BeforeEach(func() { - f.NewHttpbinDeployment() + f.NewHttpbunDeployment() - err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1) + err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBunService, f.Namespace, 1) assert.Nil(ginkgo.GinkgoT(), err) - e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{}) + e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBunService, metav1.GetOptions{}) assert.Nil(ginkgo.GinkgoT(), err) assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint") assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint") - httpbinIP := e.Subsets[0].Addresses[0].IP + httpbunIP := e.Subsets[0].Addresses[0].IP annotations = map[string]string{ - "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP), + "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbunIP), "nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start", } @@ -649,20 +650,20 @@ http { var ing *networking.Ingress ginkgo.BeforeEach(func() { - f.NewHttpbinDeployment() + f.NewHttpbunDeployment() - var httpbinIP string + var httpbunIP string - err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1) + err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBunService, f.Namespace, 1) assert.Nil(ginkgo.GinkgoT(), err) - e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{}) + e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBunService, metav1.GetOptions{}) assert.Nil(ginkgo.GinkgoT(), err) - httpbinIP = e.Subsets[0].Addresses[0].IP + httpbunIP = e.Subsets[0].Addresses[0].IP annotations = map[string]string{ - "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP), + "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbunIP), "nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start", "nginx.ingress.kubernetes.io/auth-signin-redirect-param": "orig", } @@ -728,23 +729,23 @@ http { barPath := "/bar" ginkgo.BeforeEach(func() { - f.NewHttpbinDeployment() + f.NewHttpbunDeployment() - err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1) + err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBunService, f.Namespace, 1) assert.Nil(ginkgo.GinkgoT(), err) framework.Sleep(1 * time.Second) - e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{}) + e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBunService, metav1.GetOptions{}) assert.Nil(ginkgo.GinkgoT(), err) assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint") assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint") - httpbinIP := e.Subsets[0].Addresses[0].IP + httpbunIP := e.Subsets[0].Addresses[0].IP annotations := map[string]string{ - "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP), + "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbunIP), "nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start", "nginx.ingress.kubernetes.io/auth-cache-key": "fixed", "nginx.ingress.kubernetes.io/auth-cache-duration": "200 201 401 30m", @@ -777,7 +778,7 @@ http { Expect(). Status(http.StatusOK) - err := f.DeleteDeployment(framework.HTTPBinService) + err := f.DeleteDeployment(framework.HTTPBunService) assert.Nil(ginkgo.GinkgoT(), err) framework.Sleep() @@ -797,7 +798,7 @@ http { Expect(). Status(http.StatusOK) - err := f.DeleteDeployment(framework.HTTPBinService) + err := f.DeleteDeployment(framework.HTTPBunService) assert.Nil(ginkgo.GinkgoT(), err) framework.Sleep() @@ -826,7 +827,7 @@ http { Expect(). Status(http.StatusOK) - err := f.DeleteDeployment(framework.HTTPBinService) + err := f.DeleteDeployment(framework.HTTPBunService) assert.Nil(ginkgo.GinkgoT(), err) framework.Sleep() diff --git a/test/e2e/annotations/grpc.go b/test/e2e/annotations/grpc.go index 39349e701..046191b21 100644 --- a/test/e2e/annotations/grpc.go +++ b/test/e2e/annotations/grpc.go @@ -125,7 +125,7 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { ginkgo.It("authorization metadata should be overwritten by external auth response headers", func() { f.NewGRPCBinDeployment() - f.NewHttpbinDeployment() + f.NewHttpbunDeployment() host := "echo" @@ -149,19 +149,19 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { } f.EnsureService(svc) - err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1) + err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBunService, f.Namespace, 1) assert.Nil(ginkgo.GinkgoT(), err) - e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{}) + e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBunService, metav1.GetOptions{}) assert.Nil(ginkgo.GinkgoT(), err) assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint") assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint") - httpbinIP := e.Subsets[0].Addresses[0].IP + httpbunIP := e.Subsets[0].Addresses[0].IP annotations := map[string]string{ - "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/response-headers?authorization=foo", httpbinIP), + "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/response-headers?authorization=foo", httpbunIP), "nginx.ingress.kubernetes.io/auth-response-headers": "Authorization", "nginx.ingress.kubernetes.io/backend-protocol": "GRPC", } diff --git a/test/e2e/annotations/satisfy.go b/test/e2e/annotations/satisfy.go index e75464a9d..758ad21a4 100644 --- a/test/e2e/annotations/satisfy.go +++ b/test/e2e/annotations/satisfy.go @@ -85,15 +85,15 @@ var _ = framework.DescribeAnnotation("satisfy", func() { host := "auth" // setup external auth - f.NewHttpbinDeployment() + f.NewHttpbunDeployment() - err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1) + err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBunService, f.Namespace, 1) assert.Nil(ginkgo.GinkgoT(), err) - e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{}) + e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBunService, metav1.GetOptions{}) assert.Nil(ginkgo.GinkgoT(), err) - httpbinIP := e.Subsets[0].Addresses[0].IP + httpbunIP := e.Subsets[0].Addresses[0].IP // create basic auth secret at ingress s := f.EnsureSecret(buildSecret("uname", "pwd", "basic-secret", f.Namespace)) @@ -105,7 +105,7 @@ var _ = framework.DescribeAnnotation("satisfy", func() { "nginx.ingress.kubernetes.io/auth-realm": "test basic auth", // annotations for external auth - "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP), + "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbunIP), "nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start", // set satisfy any diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go index 4627a8892..06dfa0c5e 100644 --- a/test/e2e/framework/deployment.go +++ b/test/e2e/framework/deployment.go @@ -19,6 +19,7 @@ package framework import ( "context" "errors" + "fmt" "os" "time" @@ -36,14 +37,18 @@ const EchoService = "echo" // SlowEchoService name of the deployment for the echo app const SlowEchoService = "slow-echo" -// HTTPBinService name of the deployment for the httpbin app -const HTTPBinService = "httpbin" +// HTTPBunService name of the deployment for the httpbun app +const HTTPBunService = "httpbun" + +// NipService name of external service using nip.io +const NIPService = "external-nip" type deploymentOptions struct { namespace string name string replicas int svcAnnotations map[string]string + image string } // WithDeploymentNamespace allows configuring the deployment's namespace @@ -82,18 +87,26 @@ func WithName(n string) func(*deploymentOptions) { } } +// WithImage allows configuring the image for the deployments +func WithImage(i string) func(*deploymentOptions) { + return func(o *deploymentOptions) { + o.image = i + } +} + // NewEchoDeployment creates a new single replica deployment of the echo server image in a particular namespace func (f *Framework) NewEchoDeployment(opts ...func(*deploymentOptions)) { options := &deploymentOptions{ namespace: f.Namespace, name: EchoService, replicas: 1, + image: "registry.k8s.io/ingress-nginx/e2e-test-echo@sha256:4938d1d91a2b7d19454460a8c1b010b89f6ff92d2987fd889ac3e8fc3b70d91a", } for _, o := range opts { o(options) } - deployment := newDeployment(options.name, options.namespace, "registry.k8s.io/ingress-nginx/e2e-test-echo@sha256:4938d1d91a2b7d19454460a8c1b010b89f6ff92d2987fd889ac3e8fc3b70d91a", 80, int32(options.replicas), + deployment := newDeployment(options.name, options.namespace, options.image, 80, int32(options.replicas), nil, nil, nil, []corev1.VolumeMount{}, []corev1.Volume{}, @@ -129,6 +142,85 @@ func (f *Framework) NewEchoDeployment(opts ...func(*deploymentOptions)) { assert.Nil(ginkgo.GinkgoT(), err, "waiting for endpoints to become ready") } +// BuildNipHost used to generate a nip host for DNS resolving +func BuildNIPHost(ip string) string { + return fmt.Sprintf("%s.nip.io", ip) +} + +// BuildNIPExternalNameService used to generate a service pointing to nip.io to +// help resolve to an IP address +func BuildNIPExternalNameService(f *Framework, ip, portName string) *corev1.Service { + return &corev1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: NIPService, + Namespace: f.Namespace, + }, + Spec: corev1.ServiceSpec{ + ExternalName: BuildNIPHost(ip), + Type: corev1.ServiceTypeExternalName, + Ports: []corev1.ServicePort{ + { + Name: portName, + Port: 80, + TargetPort: intstr.FromInt(80), + Protocol: "TCP", + }, + }, + }, + } +} + +// NewHttpbunDeployment creates a new single replica deployment of the httpbun +// server image in a particular namespace we return the ip for testing purposes +func (f *Framework) NewHttpbunDeployment(opts ...func(*deploymentOptions)) string { + options := &deploymentOptions{ + namespace: f.Namespace, + name: HTTPBunService, + replicas: 1, + image: "registry.k8s.io/ingress-nginx/e2e-test-httpbun:v20230505-v0.0.1", + } + for _, o := range opts { + o(options) + } + + deployment := newDeployment(options.name, options.namespace, options.image, 80, int32(options.replicas), + nil, nil, nil, + []corev1.VolumeMount{}, + []corev1.Volume{}, + true, + ) + + f.EnsureDeployment(deployment) + + service := &corev1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: options.name, + Namespace: options.namespace, + Annotations: options.svcAnnotations, + }, + Spec: corev1.ServiceSpec{ + Ports: []corev1.ServicePort{ + { + Name: "http", + Port: 80, + TargetPort: intstr.FromInt(80), + Protocol: corev1.ProtocolTCP, + }, + }, + Selector: map[string]string{ + "app": options.name, + }, + }, + } + + s := f.EnsureService(service) + + err := WaitForEndpoints(f.KubeClientSet, DefaultTimeout, options.name, options.namespace, options.replicas) + assert.Nil(ginkgo.GinkgoT(), err, "waiting for endpoints to become ready") + + return s.Spec.ClusterIPs[0] +} + // NewSlowEchoDeployment creates a new deployment of the slow echo server image in a particular namespace. func (f *Framework) NewSlowEchoDeployment() { cfg := `# @@ -418,11 +510,6 @@ func newDeployment(name, namespace, image string, port int32, replicas int32, co return d } -// NewHttpbinDeployment creates a new single replica deployment of the httpbin image in a particular namespace. -func (f *Framework) NewHttpbinDeployment() { - f.NewDeployment(HTTPBinService, "registry.k8s.io/ingress-nginx/e2e-test-httpbin@sha256:c6372ef57a775b95f18e19d4c735a9819f2e7bb4641e5e3f27287d831dfeb7e8", 80, 1) -} - func (f *Framework) NewDeployment(name, image string, port int32, replicas int32) { f.NewDeploymentWithOpts(name, image, port, replicas, nil, nil, nil, nil, nil, true) } diff --git a/test/e2e/security/request_smuggling.go b/test/e2e/security/request_smuggling.go index 9891480dc..786a7a397 100644 --- a/test/e2e/security/request_smuggling.go +++ b/test/e2e/security/request_smuggling.go @@ -50,9 +50,12 @@ server { f.UpdateNginxConfigMapData("http-snippet", snippet) + //TODO: currently using a self hosted HTTPBun instance results in a 499, we + //should move away from using httpbun.com once we have the httpbun + //deployment as part of the framework ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, map[string]string{ - "nginx.ingress.kubernetes.io/auth-signin": "https://httpbin.org/uuid", - "nginx.ingress.kubernetes.io/auth-url": "https://httpbin.org/basic-auth/user/passwd", + "nginx.ingress.kubernetes.io/auth-signin": "https://httpbun.com/bearer/d4bcba7a-0def-4a31-91a7-47e420adf44b", + "nginx.ingress.kubernetes.io/auth-url": "https://httpbun.com/basic-auth/user/passwd", }) f.EnsureIngress(ing) diff --git a/test/e2e/servicebackend/service_externalname.go b/test/e2e/servicebackend/service_externalname.go index 0d121c671..2fd6cd080 100644 --- a/test/e2e/servicebackend/service_externalname.go +++ b/test/e2e/servicebackend/service_externalname.go @@ -29,44 +29,21 @@ import ( corev1 "k8s.io/api/core/v1" networking "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/ingress-nginx/internal/nginx" "k8s.io/ingress-nginx/test/e2e/framework" ) -func buildHTTPBinExternalNameService(f *framework.Framework, portName string) *corev1.Service { - return &corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: framework.HTTPBinService, - Namespace: f.Namespace, - }, - Spec: corev1.ServiceSpec{ - ExternalName: "httpbin.org", - Type: corev1.ServiceTypeExternalName, - Ports: []corev1.ServicePort{ - { - Name: portName, - Port: 80, - TargetPort: intstr.FromInt(80), - Protocol: "TCP", - }, - }, - }, - } -} - var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { f := framework.NewDefaultFramework("type-externalname") ginkgo.It("works with external name set to incomplete fqdn", func() { f.NewEchoDeployment() - host := "echo" svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ - Name: framework.HTTPBinService, + Name: framework.HTTPBunService, Namespace: f.Namespace, }, Spec: corev1.ServiceSpec{ @@ -77,7 +54,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { f.EnsureService(svc) - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBinService, 80, nil) + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBunService, 80, nil) f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -93,15 +70,19 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { }) ginkgo.It("should return 200 for service type=ExternalName without a port defined", func() { + // This is a workaround so we only depend on a self hosted instance of + // httpbun + ip := f.NewHttpbunDeployment() + host := "echo" svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ - Name: framework.HTTPBinService, + Name: framework.NIPService, Namespace: f.Namespace, }, Spec: corev1.ServiceSpec{ - ExternalName: "httpbin.org", + ExternalName: framework.BuildNIPHost(ip), Type: corev1.ServiceTypeExternalName, }, } @@ -109,9 +90,9 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { f.EnsureService(svc) annotations := map[string]string{ - "nginx.ingress.kubernetes.io/upstream-vhost": "httpbin.org", + "nginx.ingress.kubernetes.io/upstream-vhost": framework.BuildNIPHost(ip), } - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBinService, 80, annotations) + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBunService, 80, annotations) f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -127,15 +108,19 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { }) ginkgo.It("should return 200 for service type=ExternalName with a port defined", func() { + // This is a workaround so we only depend on a self hosted instance of + // httpbun + ip := f.NewHttpbunDeployment() + host := "echo" - svc := buildHTTPBinExternalNameService(f, host) + svc := framework.BuildNIPExternalNameService(f, ip, host) f.EnsureService(svc) annotations := map[string]string{ - "nginx.ingress.kubernetes.io/upstream-vhost": "httpbin.org", + "nginx.ingress.kubernetes.io/upstream-vhost": framework.BuildNIPHost(ip), } - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBinService, 80, annotations) + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBunService, 80, annotations) f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -155,7 +140,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ - Name: framework.HTTPBinService, + Name: framework.HTTPBunService, Namespace: f.Namespace, }, Spec: corev1.ServiceSpec{ @@ -166,7 +151,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { f.EnsureService(svc) - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBinService, 80, nil) + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBunService, 80, nil) f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -182,18 +167,22 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { }) ginkgo.It("should return 200 for service type=ExternalName using a port name", func() { + // This is a workaround so we only depend on a self hosted instance of + // httpbun + ip := f.NewHttpbunDeployment() + host := "echo" - svc := buildHTTPBinExternalNameService(f, host) + svc := framework.BuildNIPExternalNameService(f, ip, host) f.EnsureService(svc) annotations := map[string]string{ - "nginx.ingress.kubernetes.io/upstream-vhost": "httpbin.org", + "nginx.ingress.kubernetes.io/upstream-vhost": framework.BuildNIPHost(ip), } - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBinService, 80, annotations) + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBunService, 80, annotations) namedBackend := networking.IngressBackend{ Service: &networking.IngressServiceBackend{ - Name: framework.HTTPBinService, + Name: framework.NIPService, Port: networking.ServiceBackendPort{ Name: host, }, @@ -215,22 +204,26 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { }) ginkgo.It("should return 200 for service type=ExternalName using FQDN with trailing dot", func() { + // This is a workaround so we only depend on a self hosted instance of + // httpbun + ip := f.NewHttpbunDeployment() + host := "echo" svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ - Name: framework.HTTPBinService, + Name: framework.NIPService, Namespace: f.Namespace, }, Spec: corev1.ServiceSpec{ - ExternalName: "httpbin.org.", + ExternalName: framework.BuildNIPHost(ip), Type: corev1.ServiceTypeExternalName, }, } f.EnsureService(svc) - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBinService, 80, nil) + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBunService, 80, nil) f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -246,18 +239,23 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { }) ginkgo.It("should update the external name after a service update", func() { + // This is a workaround so we only depend on a self hosted instance of + // httpbun + ip := f.NewHttpbunDeployment() + host := "echo" - svc := buildHTTPBinExternalNameService(f, host) + svc := framework.BuildNIPExternalNameService(f, ip, host) f.EnsureService(svc) annotations := map[string]string{ - "nginx.ingress.kubernetes.io/upstream-vhost": "httpbin.org", + "nginx.ingress.kubernetes.io/upstream-vhost": framework.BuildNIPHost(ip), } - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBinService, 80, annotations) + + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBunService, 80, annotations) namedBackend := networking.IngressBackend{ Service: &networking.IngressServiceBackend{ - Name: framework.HTTPBinService, + Name: framework.NIPService, Port: networking.ServiceBackendPort{ Name: host, }, @@ -281,13 +279,15 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { assert.Contains(ginkgo.GinkgoT(), body, `"X-Forwarded-Host": "echo"`) - svc, err := f.KubeClientSet.CoreV1().Services(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error obtaining httpbin service") + svc, err := f.KubeClientSet.CoreV1().Services(f.Namespace).Get(context.TODO(), framework.NIPService, metav1.GetOptions{}) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error obtaining external service") - svc.Spec.ExternalName = "eu.httpbin.org" + ip = f.NewHttpbunDeployment(framework.WithDeploymentName("eu-server")) + + svc.Spec.ExternalName = framework.BuildNIPHost(ip) _, err = f.KubeClientSet.CoreV1().Services(f.Namespace).Update(context.Background(), svc, metav1.UpdateOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error updating httpbin service") + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error updating external service") framework.Sleep() @@ -301,18 +301,22 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { assert.Contains(ginkgo.GinkgoT(), body, `"X-Forwarded-Host": "echo"`) - ginkgo.By("checking the service is updated to use eu.httpbin.org") + ginkgo.By("checking the service is updated to use new host") curlCmd := fmt.Sprintf("curl --fail --silent http://localhost:%v/configuration/backends", nginx.StatusPort) output, err := f.ExecIngressPod(curlCmd) assert.Nil(ginkgo.GinkgoT(), err) - assert.Contains(ginkgo.GinkgoT(), output, `{"address":"eu.httpbin.org"`) + assert.Contains(ginkgo.GinkgoT(), output, fmt.Sprintf("{\"address\":\"%s\"", framework.BuildNIPHost(ip))) }) ginkgo.It("should sync ingress on external name service addition/deletion", func() { + // This is a workaround so we only depend on a self hosted instance of + // httpbun + ip := f.NewHttpbunDeployment() + host := "echo" // Create the Ingress first - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBinService, 80, nil) + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.NIPService, 80, nil) f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -328,7 +332,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { Status(http.StatusServiceUnavailable) // Now create the service - svc := buildHTTPBinExternalNameService(f, host) + svc := framework.BuildNIPExternalNameService(f, ip, host) f.EnsureService(svc) framework.Sleep() @@ -341,9 +345,8 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { Status(http.StatusOK) // And back to 503 after deleting the service - - err := f.KubeClientSet.CoreV1().Services(f.Namespace).Delete(context.TODO(), framework.HTTPBinService, metav1.DeleteOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error deleting httpbin service") + err := f.KubeClientSet.CoreV1().Services(f.Namespace).Delete(context.TODO(), framework.NIPService, metav1.DeleteOptions{}) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error deleting external service") framework.Sleep() diff --git a/test/e2e/settings/brotli.go b/test/e2e/settings/brotli.go index a07eb6c09..a13678f66 100644 --- a/test/e2e/settings/brotli.go +++ b/test/e2e/settings/brotli.go @@ -33,7 +33,7 @@ var _ = framework.IngressNginxDescribe("brotli", func() { host := "brotli" ginkgo.BeforeEach(func() { - f.NewHttpbinDeployment() + f.NewHttpbunDeployment() }) ginkgo.It("should only compress responses that meet the `brotli-min-length` condition", func() { @@ -43,7 +43,7 @@ var _ = framework.IngressNginxDescribe("brotli", func() { f.UpdateNginxConfigMapData("brotli-types", contentEncoding) f.UpdateNginxConfigMapData("brotli-min-length", strconv.Itoa(brotliMinLength)) - f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBinService, 80, nil)) + f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBunService, 80, nil)) f.WaitForNginxConfiguration( func(server string) bool { diff --git a/test/e2e/settings/disable_service_external_name.go b/test/e2e/settings/disable_service_external_name.go index a24cfebde..7f03e5355 100644 --- a/test/e2e/settings/disable_service_external_name.go +++ b/test/e2e/settings/disable_service_external_name.go @@ -50,17 +50,21 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-service-external-name", f }) ginkgo.It("should ignore services of external-name type", func() { - nonexternalhost := "echo-svc.com" externalhost := "echo-external-svc.com" + + ip := f.NewHttpbunDeployment() + svc := framework.BuildNIPExternalNameService(f, ip, "echo") + f.EnsureService(svc) + svcexternal := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ Name: "external", Namespace: f.Namespace, }, Spec: corev1.ServiceSpec{ - ExternalName: "httpbin.org", + ExternalName: framework.BuildNIPHost(ip), Type: corev1.ServiceTypeExternalName, }, } diff --git a/test/e2e/settings/global_external_auth.go b/test/e2e/settings/global_external_auth.go index c70b5a9b1..c5964299f 100644 --- a/test/e2e/settings/global_external_auth.go +++ b/test/e2e/settings/global_external_auth.go @@ -50,13 +50,13 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { ginkgo.BeforeEach(func() { f.NewEchoDeployment() - f.NewHttpbinDeployment() + f.NewHttpbunDeployment() }) ginkgo.Context("when global external authentication is configured", func() { ginkgo.BeforeEach(func() { - globalExternalAuthURL := fmt.Sprintf("http://%s.%s.svc.cluster.local:80/status/401", framework.HTTPBinService, f.Namespace) + globalExternalAuthURL := fmt.Sprintf("http://%s.%s.svc.cluster.local:80/status/401", framework.HTTPBunService, f.Namespace) ginkgo.By("Adding an ingress rule for /foo") fooIng := framework.NewSingleIngress("foo-ingress", fooPath, host, f.Namespace, echoServiceName, 80, nil) @@ -158,7 +158,7 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { globalExternalAuthCacheKey := "foo" globalExternalAuthCacheDurationSetting := "global-auth-cache-duration" globalExternalAuthCacheDuration := "200 201 401 30m" - globalExternalAuthURL := fmt.Sprintf("http://%s.%s.svc.cluster.local:80/status/200", framework.HTTPBinService, f.Namespace) + globalExternalAuthURL := fmt.Sprintf("http://%s.%s.svc.cluster.local:80/status/200", framework.HTTPBunService, f.Namespace) ginkgo.By("Adding a global-auth-cache-key to configMap") f.SetNginxConfigMapData(map[string]string{ @@ -182,7 +182,7 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { Expect(). Status(http.StatusOK) - err := f.DeleteDeployment(framework.HTTPBinService) + err := f.DeleteDeployment(framework.HTTPBunService) assert.Nil(ginkgo.GinkgoT(), err) framework.Sleep() @@ -307,9 +307,9 @@ http { assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint") assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint") - httpbinIP := e.Subsets[0].Addresses[0].IP + httpbunIP := e.Subsets[0].Addresses[0].IP - f.UpdateNginxConfigMapData(globalExternalAuthURLSetting, fmt.Sprintf("http://%s/cookies/set/alma/armud", httpbinIP)) + f.UpdateNginxConfigMapData(globalExternalAuthURLSetting, fmt.Sprintf("http://%s/cookies/set/alma/armud", httpbunIP)) ing1 = framework.NewSingleIngress(host, "/", host, f.Namespace, "http-cookie-with-error", 80, nil) f.EnsureIngress(ing1) diff --git a/test/e2e/settings/listen_nondefault_ports.go b/test/e2e/settings/listen_nondefault_ports.go index 61a128040..8b5d22f6e 100644 --- a/test/e2e/settings/listen_nondefault_ports.go +++ b/test/e2e/settings/listen_nondefault_ports.go @@ -98,21 +98,21 @@ var _ = framework.IngressNginxDescribe("[Flag] custom HTTP and HTTPS ports", fun ginkgo.Context("when external authentication is configured", func() { ginkgo.It("should set the X-Forwarded-Port header to 443", func() { - f.NewHttpbinDeployment() + f.NewHttpbunDeployment() - err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1) + err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBunService, f.Namespace, 1) assert.Nil(ginkgo.GinkgoT(), err) - e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{}) + e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBunService, metav1.GetOptions{}) assert.Nil(ginkgo.GinkgoT(), err) assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint") assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint") - httpbinIP := e.Subsets[0].Addresses[0].IP + httpbunIP := e.Subsets[0].Addresses[0].IP annotations := map[string]string{ - "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP), + "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbunIP), "nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start", } diff --git a/test/k6/smoketest.js b/test/k6/smoketest.js index b5ab577a9..8fe9e950a 100644 --- a/test/k6/smoketest.js +++ b/test/k6/smoketest.js @@ -27,7 +27,7 @@ export default function () { const params = { headers: {'host': 'test.ingress-nginx-controller.ga'}, }; - // httpbin.org documents these requests + // httpbun.com documents these requests const req1 = { method: 'GET', url: 'http://test.ingress-nginx-controller.ga/ip', From f18826b73ef5ad78eca74befeb9f0f521f5bfc61 Mon Sep 17 00:00:00 2001 From: vkanelov <81570499+vkanelov@users.noreply.github.com> Date: Thu, 11 May 2023 00:39:14 +0300 Subject: [PATCH 292/405] add option for annotations in PodDisruptionBudget (#9843) add option for annotations in PodDisruptionBudget --- .../templates/controller-poddisruptionbudget.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml index 899d3cc5d..230307cd7 100644 --- a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml +++ b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml @@ -10,6 +10,9 @@ metadata: {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }} namespace: {{ .Release.Namespace }} + {{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} + {{- end }} spec: selector: matchLabels: From 3b3cf8b331f221969a2bd89a24a502507583f87b Mon Sep 17 00:00:00 2001 From: Apoorva Kulkarni Date: Thu, 11 May 2023 08:39:03 -0700 Subject: [PATCH 293/405] Use dl.k8s.io instead of hardcoded GCS URIs (#9946) --- .github/workflows/ci.yaml | 2 +- images/test-runner/rootfs/Dockerfile | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 77232aa88..19d39ab70 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -167,7 +167,7 @@ jobs: run: | sudo apt-get -qq update || true sudo apt-get install -y pigz - curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.25.5/bin/linux/amd64/kubectl + curl -LO https://dl.k8s.io/release/v1.25.5/bin/linux/amd64/kubectl chmod +x ./kubectl sudo mv ./kubectl /usr/local/bin/kubectl diff --git a/images/test-runner/rootfs/Dockerfile b/images/test-runner/rootfs/Dockerfile index 0b691a7d2..8574f8752 100644 --- a/images/test-runner/rootfs/Dockerfile +++ b/images/test-runner/rootfs/Dockerfile @@ -92,11 +92,11 @@ RUN luarocks install busted \ && luarocks install luacheck RUN wget -qO /usr/local/bin/kubectl \ - https://storage.googleapis.com/kubernetes-release/release/${K8S_RELEASE}/bin/linux/${TARGETARCH}/kubectl \ + https://dl.k8s.io/release/${K8S_RELEASE}/bin/linux/${TARGETARCH}/kubectl \ && chmod +x /usr/local/bin/kubectl RUN wget -qO /usr/local/bin/kube-apiserver \ - https://storage.googleapis.com/kubernetes-release/release/${K8S_RELEASE}/bin/linux/${TARGETARCH}/kube-apiserver \ + https://dl.k8s.io/release/${K8S_RELEASE}/bin/linux/${TARGETARCH}/kube-apiserver \ && chmod +x /usr/local/bin/kube-apiserver RUN wget -qO /tmp/ct-${CHART_TESTING_VERSION}-linux-${TARGETARCH}.tar.gz \ From 06612e6ffd044171e33b5e8315b9605eb8730c55 Mon Sep 17 00:00:00 2001 From: Marco Ebert Date: Thu, 11 May 2023 18:37:03 +0200 Subject: [PATCH 294/405] HPA: Use capabilites & align manifests. (#9521) --- charts/ingress-nginx/README.md | 2 - .../templates/controller-hpa.yaml | 27 +++++------- .../templates/default-backend-hpa.yaml | 41 ++++++++++--------- charts/ingress-nginx/values.yaml | 2 - 4 files changed, 33 insertions(+), 39 deletions(-) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 2c2dd2f37..d79ad38cd 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -273,7 +273,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.allowSnippetAnnotations | bool | `true` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected | | controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # | | controller.autoscaling.annotations | object | `{}` | | -| controller.autoscaling.apiVersion | string | `"autoscaling/v2"` | | | controller.autoscaling.behavior | object | `{}` | | | controller.autoscaling.enabled | bool | `false` | | | controller.autoscaling.maxReplicas | int | `11` | | @@ -435,7 +434,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.watchIngressWithoutClass | bool | `false` | Process Ingress objects without ingressClass annotation/ingressClassName field Overrides value for --watch-ingress-without-class flag of the controller binary Defaults to false | | defaultBackend.affinity | object | `{}` | | | defaultBackend.autoscaling.annotations | object | `{}` | | -| defaultBackend.autoscaling.apiVersion | string | `"autoscaling/v2"` | | | defaultBackend.autoscaling.enabled | bool | `false` | | | defaultBackend.autoscaling.maxReplicas | int | `2` | | | defaultBackend.autoscaling.minReplicas | int | `1` | | diff --git a/charts/ingress-nginx/templates/controller-hpa.yaml b/charts/ingress-nginx/templates/controller-hpa.yaml index d1e78bdfc..96a91f533 100644 --- a/charts/ingress-nginx/templates/controller-hpa.yaml +++ b/charts/ingress-nginx/templates/controller-hpa.yaml @@ -1,12 +1,9 @@ -{{- if and .Values.controller.autoscaling.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}} -{{- if not .Values.controller.keda.enabled }} - -apiVersion: {{ .Values.controller.autoscaling.apiVersion }} +{{- if and (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) .Values.controller.autoscaling.enabled (not .Values.controller.keda.enabled) -}} +apiVersion: {{ ternary "autoscaling/v2" "autoscaling/v2beta2" (.Capabilities.APIVersions.Has "autoscaling/v2") }} kind: HorizontalPodAutoscaler metadata: - annotations: {{- with .Values.controller.autoscaling.annotations }} - {{- toYaml . | trimSuffix "\n" | nindent 4 }} + annotations: {{ toYaml . | nindent 4 }} {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} @@ -24,14 +21,6 @@ spec: minReplicas: {{ .Values.controller.autoscaling.minReplicas }} maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} metrics: - {{- with .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: {{ . }} - {{- end }} {{- with .Values.controller.autoscaling.targetCPUUtilizationPercentage }} - type: Resource resource: @@ -40,6 +29,14 @@ spec: type: Utilization averageUtilization: {{ . }} {{- end }} + {{- with .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} {{- with .Values.controller.autoscalingTemplate }} {{- toYaml . | nindent 2 }} {{- end }} @@ -48,5 +45,3 @@ spec: {{- toYaml . | nindent 4 }} {{- end }} {{- end }} -{{- end }} - diff --git a/charts/ingress-nginx/templates/default-backend-hpa.yaml b/charts/ingress-nginx/templates/default-backend-hpa.yaml index 924125f07..faaf4fa75 100644 --- a/charts/ingress-nginx/templates/default-backend-hpa.yaml +++ b/charts/ingress-nginx/templates/default-backend-hpa.yaml @@ -1,37 +1,40 @@ {{- if and .Values.defaultBackend.enabled .Values.defaultBackend.autoscaling.enabled }} -apiVersion: {{ .Values.defaultBackend.autoscaling.apiVersion }} +apiVersion: {{ ternary "autoscaling/v2" "autoscaling/v2beta2" (.Capabilities.APIVersions.Has "autoscaling/v2") }} kind: HorizontalPodAutoscaler metadata: + {{- with .Values.defaultBackend.autoscaling.annotations }} + annotations: {{ toYaml . | nindent 4 }} + {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} app.kubernetes.io/component: default-backend {{- with .Values.defaultBackend.labels }} {{- toYaml . | nindent 4 }} {{- end }} - name: {{ template "ingress-nginx.defaultBackend.fullname" . }} + name: {{ include "ingress-nginx.defaultBackend.fullname" . }} namespace: {{ .Release.Namespace }} spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment - name: {{ template "ingress-nginx.defaultBackend.fullname" . }} + name: {{ include "ingress-nginx.defaultBackend.fullname" . }} minReplicas: {{ .Values.defaultBackend.autoscaling.minReplicas }} maxReplicas: {{ .Values.defaultBackend.autoscaling.maxReplicas }} metrics: -{{- with .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ . }} -{{- end }} -{{- with .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: {{ . }} -{{- end }} + {{- with .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} + {{- with .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} {{- end }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 3a9629d63..a398b0503 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -326,7 +326,6 @@ controller: memory: 90Mi # Mutually exclusive with keda autoscaling autoscaling: - apiVersion: autoscaling/v2 enabled: false annotations: {} minReplicas: 1 @@ -838,7 +837,6 @@ defaultBackend: # emptyDir: {} autoscaling: - apiVersion: autoscaling/v2 annotations: {} enabled: false minReplicas: 1 From 98780d7eb85cb38a599637f5f02f45fef2906cd6 Mon Sep 17 00:00:00 2001 From: James Strong Date: Thu, 11 May 2023 15:45:05 -0400 Subject: [PATCH 295/405] Update feature_request.md (#9951) --- .github/ISSUE_TEMPLATE/feature_request.md | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md index 0e892d626..406a7ad0a 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -7,16 +7,6 @@ assignees: '' --- - - From 55e37c6feaff0badaea6b04636e93494d899201f Mon Sep 17 00:00:00 2001 From: James Strong Date: Thu, 11 May 2023 15:47:05 -0400 Subject: [PATCH 296/405] Update PULL_REQUEST_TEMPLATE.md (#9952) --- .github/PULL_REQUEST_TEMPLATE.md | 34 +------------------------------- 1 file changed, 1 insertion(+), 33 deletions(-) diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index e3781887a..c1c815678 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -1,5 +1,6 @@ + ## What this PR does / why we need it: @@ -33,36 +34,3 @@ fixes # - [ ] I've read the [CONTRIBUTION](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md) guide - [ ] I have added unit and/or e2e tests to cover my changes. - [ ] All new and existing tests passed. -- [ ] Added Release Notes. - -## Does my pull request need a release note? -Any user-visible or operator-visible change qualifies for a release note. This could be a: - -- CLI change -- API change -- UI change -- configuration schema change -- behavioral change -- change in non-functional attributes such as efficiency or availability, availability of a new platform -- a warning about a deprecation -- fix of a previous Known Issue -- fix of a vulnerability (CVE) - -No release notes are required for changes to the following: - -- Tests -- Build infrastructure -- Fixes for unreleased bugs - -For more tips on writing good release notes, check out the [Release Notes Handbook](https://github.com/kubernetes/sig-release/tree/master/release-team/role-handbooks/release-notes) - - -```release-note -PLACE RELEASE NOTES HERE -``` From bbf70c2a96999cc08194e31ea18d8baf5079aba7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 May 2023 08:24:30 -0700 Subject: [PATCH 297/405] Bump google.golang.org/grpc from 1.54.0 to 1.55.0 (#9936) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.54.0 to 1.55.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.54.0...v1.55.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index 9de23ba1a..0a03e522b 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a golang.org/x/crypto v0.8.0 - google.golang.org/grpc v1.54.0 + google.golang.org/grpc v1.55.0 google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 @@ -102,14 +102,14 @@ require ( go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect golang.org/x/mod v0.8.0 // indirect golang.org/x/net v0.9.0 // indirect - golang.org/x/oauth2 v0.5.0 // indirect + golang.org/x/oauth2 v0.6.0 // indirect golang.org/x/sys v0.7.0 // indirect golang.org/x/term v0.7.0 // indirect golang.org/x/text v0.9.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.6.0 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f // indirect + google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 // indirect google.golang.org/protobuf v1.30.0 // indirect gopkg.in/go-playground/assert.v1 v1.2.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/go.sum b/go.sum index da99bd248..e602f477b 100644 --- a/go.sum +++ b/go.sum @@ -468,8 +468,8 @@ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4Iltr golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.5.0 h1:HuArIo48skDwlrvM3sEdHXElYslAMsf3KwRkkW4MC4s= -golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I= +golang.org/x/oauth2 v0.6.0 h1:Lh8GPgSKBfWSwFvtuWOfeI3aAAnbXTSutYxJiOJFgIw= +golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -650,8 +650,8 @@ google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f h1:BWUVssLB0HVOSY78gIdvk1dTVYtT1y8SBWtPYuTJ/6w= -google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM= +google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 h1:DdoeryqhaXp1LtT/emMP1BRJPHHKFi5akj/nbx/zNTA= +google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4/go.mod h1:NWraEVixdDnqcqQ30jipen1STv2r/n24Wb7twVTGR4s= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= @@ -664,8 +664,8 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.54.0 h1:EhTqbhiYeixwWQtAEZAxmV9MGqcjEU2mFx52xCzNyag= -google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g= +google.golang.org/grpc v1.55.0 h1:3Oj82/tFSCeUrRTg/5E/7d/W5A1tj6Ky1ABAuZuv5ag= +google.golang.org/grpc v1.55.0/go.mod h1:iYEXKGkEBhg1PjZQvoYEVPTDkHo1/bjTnfwTeGONTY8= google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 h1:pPsdyuBif+uoyUoL19yuj/TCfUPsmpJHJZhWQ98JGLU= google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7/go.mod h1:8pQa1yxxkh+EsxUK8/455D5MSbv3vgmEJqKCH3y17mI= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= From 0dd1cf74600a49ccb5b416da5f3fe7b96ef40d06 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 May 2023 08:26:30 -0700 Subject: [PATCH 298/405] Bump github.com/prometheus/client_model from 0.3.0 to 0.4.0 (#9937) Bumps [github.com/prometheus/client_model](https://github.com/prometheus/client_model) from 0.3.0 to 0.4.0. - [Release notes](https://github.com/prometheus/client_model/releases) - [Commits](https://github.com/prometheus/client_model/compare/v0.3.0...v0.4.0) --- updated-dependencies: - dependency-name: github.com/prometheus/client_model dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 0a03e522b..58b647b40 100644 --- a/go.mod +++ b/go.mod @@ -18,7 +18,7 @@ require ( github.com/opencontainers/runc v1.1.7 github.com/pmezard/go-difflib v1.0.0 github.com/prometheus/client_golang v1.15.0 - github.com/prometheus/client_model v0.3.0 + github.com/prometheus/client_model v0.4.0 github.com/prometheus/common v0.42.0 github.com/spf13/cobra v1.7.0 github.com/spf13/pflag v1.0.5 diff --git a/go.sum b/go.sum index e602f477b..908b21594 100644 --- a/go.sum +++ b/go.sum @@ -311,8 +311,8 @@ github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1: github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4= -github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w= +github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY= +github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= From c540b584745ac47b45f859c5db52e6b7a612a9c6 Mon Sep 17 00:00:00 2001 From: Ricardo Katz Date: Sat, 20 May 2023 08:58:18 -0300 Subject: [PATCH 299/405] Validate path types (#9967) * Validate path types * Fix the year of header * Update internal/ingress/controller/config/config.go Co-authored-by: Jintao Zhang --------- Co-authored-by: Jintao Zhang --- .../nginx-configuration/configmap.md | 15 ++ internal/ingress/controller/config/config.go | 7 + internal/ingress/controller/controller.go | 9 + internal/ingress/inspector/inspector.go | 29 +++ internal/ingress/inspector/inspector_test.go | 191 ++++++++++++++++++ internal/ingress/inspector/rules.go | 8 + test/e2e/admission/admission.go | 37 ++++ 7 files changed, 296 insertions(+) create mode 100644 internal/ingress/inspector/inspector_test.go diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md index ccb115a0f..782b9bc92 100644 --- a/docs/user-guide/nginx-configuration/configmap.md +++ b/docs/user-guide/nginx-configuration/configmap.md @@ -229,6 +229,7 @@ The following table shows a configuration option's name, type, and the default v |[service-upstream](#service-upstream)|bool|"false"| |[ssl-reject-handshake](#ssl-reject-handshake)|bool|"false"| |[debug-connections](#debug-connections)|[]string|"127.0.0.1,1.1.1.1/24"| +|[strict-validate-path-type](#strict-validate-path-type)|bool|"false" (v1.7.x)| ## add-headers @@ -1379,3 +1380,17 @@ _**default:**_ "" _References:_ [http://nginx.org/en/docs/ngx_core_module.html#debug_connection](http://nginx.org/en/docs/ngx_core_module.html#debug_connection) + +## strict-validate-path-type +Ingress objects contains a field called pathType that defines the proxy behavior. It can be `Exact`, `Prefix` and `ImplementationSpecific`. + +When pathType is configured as `Exact` or `Prefix`, there should be a more strict validation, allowing only paths starting with "/" and +containing only alphanumeric characters and "-", "_" and additional "/". + +When this option is enabled, the validation will happen on the Admission Webhook, making any Ingress not using pathType `ImplementationSpecific` +and containing invalid characters to be denied. + +This means that Ingress objects that rely on paths containing regex characters should use `ImplementationSpecific` pathType. + +The cluster admin should establish validation rules using mechanisms like [Open Policy Agent](https://www.openpolicyagent.org/) to +validate that only authorized users can use `ImplementationSpecific` pathType and that only the authorized characters can be used. diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go index da37ea3c9..fafb76ce5 100644 --- a/internal/ingress/controller/config/config.go +++ b/internal/ingress/controller/config/config.go @@ -830,6 +830,12 @@ type Configuration struct { // http://nginx.org/en/docs/ngx_core_module.html#debug_connection // Default: "" DebugConnections []string `json:"debug-connections"` + + // StrictValidatePathType enable the strict validation of Ingress Paths + // It enforces that pathType of type Exact or Prefix should start with / and contain only + // alphanumeric chars, "-", "_", "/".In case of additional characters, + // like used on Rewrite configurations the user should use pathType as ImplementationSpecific + StrictValidatePathType bool `json:"strict-validate-path-type"` } // NewDefault returns the default nginx configuration @@ -1002,6 +1008,7 @@ func NewDefault() Configuration { GlobalRateLimitMemcachedPoolSize: 50, GlobalRateLimitStatucCode: 429, DebugConnections: []string{}, + StrictValidatePathType: false, // TODO: This will be true in future releases } if klog.V(5).Enabled() { diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index 80b5b587b..49e8aa0bb 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -270,11 +270,13 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error { if !ing.DeletionTimestamp.IsZero() { return nil } + if n.cfg.DeepInspector { if err := inspector.DeepInspect(ing); err != nil { return fmt.Errorf("invalid object: %w", err) } } + // Do not attempt to validate an ingress that's not meant to be controlled by the current instance of the controller. if ingressClass, err := n.store.GetIngressClass(ing, n.cfg.IngressClassConfiguration); ingressClass == "" { klog.Warningf("ignoring ingress %v in %v based on annotation %v: %v", ing.Name, ing.ObjectMeta.Namespace, ingressClass, err) @@ -293,6 +295,13 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error { cfg := n.store.GetBackendConfiguration() cfg.Resolver = n.resolver + // Adds the pathType Validation + if cfg.StrictValidatePathType { + if err := inspector.ValidatePathType(ing); err != nil { + return fmt.Errorf("ingress contains invalid paths: %w", err) + } + } + var arrayBadWords []string if cfg.AnnotationValueWordBlocklist != "" { diff --git a/internal/ingress/inspector/inspector.go b/internal/ingress/inspector/inspector.go index e7b6c2f10..23b57e538 100644 --- a/internal/ingress/inspector/inspector.go +++ b/internal/ingress/inspector/inspector.go @@ -17,6 +17,9 @@ limitations under the License. package inspector import ( + "errors" + "fmt" + corev1 "k8s.io/api/core/v1" networking "k8s.io/api/networking/v1" "k8s.io/klog/v2" @@ -36,3 +39,29 @@ func DeepInspect(obj interface{}) error { return nil } } + +var ( + implSpecific = networking.PathTypeImplementationSpecific +) + +func ValidatePathType(ing *networking.Ingress) error { + if ing == nil { + return fmt.Errorf("received null ingress") + } + var err error + for _, rule := range ing.Spec.Rules { + if rule.HTTP != nil { + for _, path := range rule.HTTP.Paths { + if path.Path == "" { + continue + } + if path.PathType == nil || *path.PathType != implSpecific { + if isValid := validPathType.MatchString(path.Path); !isValid { + err = errors.Join(err, fmt.Errorf("path %s cannot be used with pathType %s", path.Path, string(*path.PathType))) + } + } + } + } + } + return err +} diff --git a/internal/ingress/inspector/inspector_test.go b/internal/ingress/inspector/inspector_test.go new file mode 100644 index 000000000..36b029cff --- /dev/null +++ b/internal/ingress/inspector/inspector_test.go @@ -0,0 +1,191 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package inspector + +import ( + "errors" + "fmt" + "testing" + + networking "k8s.io/api/networking/v1" +) + +var ( + exact = networking.PathTypeExact + prefix = networking.PathTypePrefix +) + +var ( + validIngress = &networking.Ingress{ + Spec: networking.IngressSpec{ + Rules: []networking.IngressRule{ + { + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + Path: "/test", + }, + { + PathType: &prefix, + Path: "/xpto/ab0/x_ss-9", + }, + { + PathType: &exact, + Path: "/bla/", + }, + }, + }, + }, + }, + }, + }, + } + + emptyIngress = &networking.Ingress{ + Spec: networking.IngressSpec{ + Rules: []networking.IngressRule{ + { + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + PathType: &exact, + }, + }, + }, + }, + }, + }, + }, + } + + invalidIngress = &networking.Ingress{ + Spec: networking.IngressSpec{ + Rules: []networking.IngressRule{ + { + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + PathType: &exact, + Path: "/foo.+", + }, + { + PathType: &exact, + Path: "xpto/lala", + }, + { + PathType: &exact, + Path: "/xpto/lala", + }, + { + PathType: &prefix, + Path: "/foo/bar/[a-z]{3}", + }, + { + PathType: &prefix, + Path: "/lala/xp\ntest", + }, + }, + }, + }, + }, + }, + }, + } + + validImplSpecific = &networking.Ingress{ + Spec: networking.IngressSpec{ + Rules: []networking.IngressRule{ + { + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + PathType: &implSpecific, + Path: "/foo.+", + }, + { + PathType: &implSpecific, + Path: "xpto/lala", + }, + }, + }, + }, + }, + }, + }, + } +) + +var aErr = func(s, pathType string) error { + return fmt.Errorf("path %s cannot be used with pathType %s", s, pathType) +} + +func TestValidatePathType(t *testing.T) { + tests := []struct { + name string + ing *networking.Ingress + wantErr bool + err error + }{ + { + name: "nil should return an error", + ing: nil, + wantErr: true, + err: fmt.Errorf("received null ingress"), + }, + { + name: "valid should not return an error", + ing: validIngress, + wantErr: false, + }, + { + name: "empty should not return an error", + ing: emptyIngress, + wantErr: false, + }, + { + name: "empty should not return an error", + ing: validImplSpecific, + wantErr: false, + }, + { + name: "invalid should return multiple errors", + ing: invalidIngress, + wantErr: true, + err: errors.Join( + aErr("/foo.+", "Exact"), + aErr("xpto/lala", "Exact"), + aErr("/foo/bar/[a-z]{3}", "Prefix"), + aErr("/lala/xp\ntest", "Prefix"), + ), + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + err := ValidatePathType(tt.ing) + if (err != nil) != tt.wantErr { + t.Errorf("ValidatePathType() error = %v, wantErr %v", err, tt.wantErr) + } + if (err != nil && tt.err != nil) && tt.err.Error() != err.Error() { + t.Errorf("received invalid error: want = %v, expected %v", tt.err, err) + } + }) + } +} diff --git a/internal/ingress/inspector/rules.go b/internal/ingress/inspector/rules.go index ab573b7fe..c9714e680 100644 --- a/internal/ingress/inspector/rules.go +++ b/internal/ingress/inspector/rules.go @@ -28,6 +28,14 @@ var ( invalidSecretsDir = regexp.MustCompile(`/var/run/secrets`) invalidByLuaDirective = regexp.MustCompile(`.*_by_lua.*`) + // validPathType enforces alphanumeric, -, _ and / characters. + // The field (?i) turns this regex case insensitive + // The remaining regex says that the string must start with a "/" (^/) + // the group [[:alnum:]\_\-\/]* says that any amount of characters (A-Za-z0-9), _, - and / + // are accepted until the end of the line + // Nothing else is accepted. + validPathType = regexp.MustCompile(`(?i)^/[[:alnum:]\_\-\/]*$`) + invalidRegex = []regexp.Regexp{} ) diff --git a/test/e2e/admission/admission.go b/test/e2e/admission/admission.go index 4a4e31980..0ee8248b0 100644 --- a/test/e2e/admission/admission.go +++ b/test/e2e/admission/admission.go @@ -30,6 +30,8 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/ingress-nginx/test/e2e/framework" + + networking "k8s.io/api/networking/v1" ) var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", func() { @@ -161,6 +163,41 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid annotation value should return an error") }) + ginkgo.It("should return an error if there is an invalid path and wrong pathType is set", func() { + host := "path-validation" + var ( + exactPathType = networking.PathTypeExact + prefixPathType = networking.PathTypePrefix + implSpecific = networking.PathTypeImplementationSpecific + ) + + f.UpdateNginxConfigMapData("strict-validate-path-type", "true") + + invalidPath := framework.NewSingleIngress("first-ingress", "/foo/bar/[a-z]{3}", host, f.Namespace, framework.EchoService, 80, nil) + invalidPath.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &exactPathType + + _, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), invalidPath, metav1.CreateOptions{}) + assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid path value should return an error") + + invalidPath.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &prefixPathType + _, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), invalidPath, metav1.CreateOptions{}) + assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid path value should return an error") + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/use-regex": "true", + "nginx.ingress.kubernetes.io/rewrite-target": "/new/backend", + } + pathSpecific := framework.NewSingleIngress("pathspec-ingress", "/foo/bar/[a-z]{3}", host, f.Namespace, framework.EchoService, 80, annotations) + pathSpecific.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &implSpecific + _, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), pathSpecific, metav1.CreateOptions{}) + assert.Nil(ginkgo.GinkgoT(), err, "creating an ingress with arbitrary path and implSpecific value should not return an error") + + validPath := framework.NewSingleIngress("second-ingress", "/bloblo", host, f.Namespace, framework.EchoService, 80, nil) + _, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), validPath, metav1.CreateOptions{}) + assert.Nil(ginkgo.GinkgoT(), err, "creating an ingress with valid path should not return an error") + + }) + ginkgo.It("should not return an error if the Ingress V1 definition is valid with Ingress Class", func() { out, err := createIngress(f.Namespace, validV1Ingress) assert.Equal(ginkgo.GinkgoT(), "ingress.networking.k8s.io/extensions created\n", out) From 0cb3dcfd5c313305bf36924c300572dbd7f07fc1 Mon Sep 17 00:00:00 2001 From: hongzhouzi <36416216+hongzhouzi@users.noreply.github.com> Date: Sun, 21 May 2023 06:26:18 +0800 Subject: [PATCH 300/405] fix: avoid builds and tests for changes to markdown (#9962) --- .github/workflows/ci.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 19d39ab70..862a0604a 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -7,6 +7,7 @@ on: paths-ignore: - 'docs/**' - 'deploy/**' + - '**.md' push: branches: @@ -14,6 +15,7 @@ on: paths-ignore: - 'docs/**' - 'deploy/**' + - '**.md' workflow_dispatch: inputs: From 4d57ddb5faf9c0899a0b11ca7a15777c2cc5dba8 Mon Sep 17 00:00:00 2001 From: fergusean Date: Sun, 21 May 2023 07:08:20 -0400 Subject: [PATCH 301/405] Correct annotations in monitoring docs (#9976) --- docs/user-guide/monitoring.md | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/docs/user-guide/monitoring.md b/docs/user-guide/monitoring.md index 1e30e556f..28608e850 100644 --- a/docs/user-guide/monitoring.md +++ b/docs/user-guide/monitoring.md @@ -39,10 +39,9 @@ This tutorial will show you how to install [Prometheus](https://prometheus.io/) controller: metrics: enabled: true - service: - annotations: - prometheus.io/port: "10254" - prometheus.io/scrape: "true" + podAnnotations: + prometheus.io/port: "10254" + prometheus.io/scrape: "true" .. ``` - If you are **not using helm**, you will have to edit your manifests like this: @@ -50,10 +49,6 @@ This tutorial will show you how to install [Prometheus](https://prometheus.io/) ``` apiVersion: v1 kind: Service - metadata: - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "10254" .. spec: ports: @@ -67,16 +62,20 @@ This tutorial will show you how to install [Prometheus](https://prometheus.io/) ``` apiVersion: v1 kind: Deployment - metadata: - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "10254" .. spec: - ports: - - name: prometheus - containerPort: 10254 - .. + template: + metadata: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "10254" + spec: + containers: + - name: controller + ports: + - name: prometheus + containerPort: 10254 + .. ``` From ac9a50751e98f3ef5f42102a61721b8c44b6426f Mon Sep 17 00:00:00 2001 From: Ehsan Saei <71217171+esigo@users.noreply.github.com> Date: Sun, 21 May 2023 19:04:19 +0200 Subject: [PATCH 302/405] OpenTelemetry default config (#9978) --- internal/ingress/controller/config/config.go | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go index fafb76ce5..ad4bebde0 100644 --- a/internal/ingress/controller/config/config.go +++ b/internal/ingress/controller/config/config.go @@ -596,7 +596,7 @@ type Configuration struct { OtelServiceName string `json:"otel-service-name"` // OtelSampler specifies the sampler to use for any traces created - // Default: AlwaysOff + // Default: AlwaysOn OtelSampler string `json:"otel-sampler"` // OtelSamplerRatio specifies the sampler ratio to use for any traces created @@ -604,16 +604,19 @@ type Configuration struct { OtelSamplerRatio float32 `json:"otel-sampler-ratio"` //OtelSamplerParentBased specifies the parent based sampler to be use for any traces created - // Default: false + // Default: true OtelSamplerParentBased bool `json:"otel-sampler-parent-based"` // MaxQueueSize specifies the max queue size for uploading traces + // Default: 2048 OtelMaxQueueSize int32 `json:"otel-max-queuesize"` // ScheduleDelayMillis specifies the max delay between uploading traces + // Default: 5000 OtelScheduleDelayMillis int32 `json:"otel-schedule-delay-millis"` // MaxExportBatchSize specifies the max export batch size to used when uploading traces + // Default: 512 OtelMaxExportBatchSize int32 `json:"otel-max-export-batch-size"` // ZipkinCollectorHost specifies the host to use when uploading traces @@ -975,9 +978,12 @@ func NewDefault() Configuration { OpentelemetryConfig: "/etc/nginx/opentelemetry.toml", OtlpCollectorPort: "4317", OtelServiceName: "nginx", - OtelSampler: "AlwaysOff", + OtelSampler: "AlwaysOn", OtelSamplerRatio: 0.01, - OtelSamplerParentBased: false, + OtelSamplerParentBased: true, + OtelScheduleDelayMillis: 5000, + OtelMaxExportBatchSize: 512, + OtelMaxQueueSize: 2048, ZipkinCollectorPort: 9411, ZipkinServiceName: "nginx", ZipkinSampleRate: 1.0, From e3fb63fc141900f162c1fcea13da9001b2f5fbf8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 May 2023 05:02:31 -0700 Subject: [PATCH 303/405] Bump github.com/prometheus/common from 0.42.0 to 0.43.0 (#9981) Bumps [github.com/prometheus/common](https://github.com/prometheus/common) from 0.42.0 to 0.43.0. - [Release notes](https://github.com/prometheus/common/releases) - [Commits](https://github.com/prometheus/common/compare/v0.42.0...v0.43.0) --- updated-dependencies: - dependency-name: github.com/prometheus/common dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 6 +++--- go.sum | 14 +++++++------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/go.mod b/go.mod index 58b647b40..97ad2c9e2 100644 --- a/go.mod +++ b/go.mod @@ -17,9 +17,9 @@ require ( github.com/onsi/ginkgo/v2 v2.9.0 github.com/opencontainers/runc v1.1.7 github.com/pmezard/go-difflib v1.0.0 - github.com/prometheus/client_golang v1.15.0 + github.com/prometheus/client_golang v1.15.1 github.com/prometheus/client_model v0.4.0 - github.com/prometheus/common v0.42.0 + github.com/prometheus/common v0.43.0 github.com/spf13/cobra v1.7.0 github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.8.2 @@ -102,7 +102,7 @@ require ( go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect golang.org/x/mod v0.8.0 // indirect golang.org/x/net v0.9.0 // indirect - golang.org/x/oauth2 v0.6.0 // indirect + golang.org/x/oauth2 v0.7.0 // indirect golang.org/x/sys v0.7.0 // indirect golang.org/x/term v0.7.0 // indirect golang.org/x/text v0.9.0 // indirect diff --git a/go.sum b/go.sum index 908b21594..cc9b44d6b 100644 --- a/go.sum +++ b/go.sum @@ -305,8 +305,8 @@ github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= -github.com/prometheus/client_golang v1.15.0 h1:5fCgGYogn0hFdhyhLbw7hEsWxufKtY9klyvdNfFlFhM= -github.com/prometheus/client_golang v1.15.0/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk= +github.com/prometheus/client_golang v1.15.1 h1:8tXpTmJbyH5lydzFPoxSIJ0J46jdh3tylbvM1xCv0LI= +github.com/prometheus/client_golang v1.15.1/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= @@ -317,8 +317,8 @@ github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y8 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= github.com/prometheus/common v0.29.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= -github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM= -github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc= +github.com/prometheus/common v0.43.0 h1:iq+BVjvYLei5f27wiuNiB1DN6DYQkp1c8Bx0Vykh5us= +github.com/prometheus/common v0.43.0/go.mod h1:NCvr5cQIh3Y/gy73/RdVtC9r8xxrxwJnB+2lB3BxrFc= github.com/prometheus/exporter-toolkit v0.7.0/go.mod h1:ZUBIj498ePooX9t/2xtDjeQYwvRpiPP2lh5u4iblj2g= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= @@ -329,8 +329,8 @@ github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJf github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= -github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8= github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE= +github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= @@ -468,8 +468,8 @@ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4Iltr golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.6.0 h1:Lh8GPgSKBfWSwFvtuWOfeI3aAAnbXTSutYxJiOJFgIw= -golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw= +golang.org/x/oauth2 v0.7.0 h1:qe6s0zUXlPX80/dITx3440hWZ7GwMwgDDyrSGTPJG/g= +golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= From 3fc10b8374788ace736891f32a47c22b6d29b549 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 May 2023 05:04:31 -0700 Subject: [PATCH 304/405] Bump securego/gosec from 2.15.0 to 2.16.0 (#9983) Bumps [securego/gosec](https://github.com/securego/gosec) from 2.15.0 to 2.16.0. - [Release notes](https://github.com/securego/gosec/releases) - [Changelog](https://github.com/securego/gosec/blob/master/.goreleaser.yml) - [Commits](https://github.com/securego/gosec/compare/a459eb0ba387d9bd083d5c2e2354dbeef2465038...c5ea1b7bdd9efc3792e513258853552b0ae31e06) --- updated-dependencies: - dependency-name: securego/gosec dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 862a0604a..9049a8579 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -71,7 +71,7 @@ jobs: uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Run Gosec Security Scanner - uses: securego/gosec@a459eb0ba387d9bd083d5c2e2354dbeef2465038 # v2.15.0 + uses: securego/gosec@c5ea1b7bdd9efc3792e513258853552b0ae31e06 # v2.16.0 with: # G601 for zz_generated.deepcopy.go # G306 TODO: Expect WriteFile permissions to be 0600 or less From 270571b8ccbdf3fcfe148d2935690cafc86fec6f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 May 2023 05:28:30 -0700 Subject: [PATCH 305/405] Bump actions/setup-go from 4.0.0 to 4.0.1 (#9984) Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.0 to 4.0.1. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/4d34df0c2316fe8122ab82dc22947d607c0c91f9...fac708d6674e30b6ba41289acaab6d4b75aa0753) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yaml | 12 ++++++------ .github/workflows/plugin.yaml | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 9049a8579..18be42906 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -89,7 +89,7 @@ jobs: - name: Set up Go id: go - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 + uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version: '1.20' check-latest: true @@ -108,7 +108,7 @@ jobs: - name: Set up Go id: go - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 + uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version: '1.20' check-latest: true @@ -127,7 +127,7 @@ jobs: - name: Set up Go id: go - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 + uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version: '1.20' check-latest: true @@ -148,7 +148,7 @@ jobs: - name: Set up Go id: go - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 + uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version: '1.20' check-latest: true @@ -214,7 +214,7 @@ jobs: uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Setup Go - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 + uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version: '1.20' check-latest: true @@ -472,7 +472,7 @@ jobs: - name: Set up Go id: go if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 + uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version: '1.20' check-latest: true diff --git a/.github/workflows/plugin.yaml b/.github/workflows/plugin.yaml index f77c59937..c5c6fc2b1 100644 --- a/.github/workflows/plugin.yaml +++ b/.github/workflows/plugin.yaml @@ -22,7 +22,7 @@ jobs: fetch-depth: 0 - name: Set up Go - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 + uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version: 1.20 check-latest: true From 214ab50820d80201cd233661ed0657b3343dffb7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 May 2023 06:12:31 -0700 Subject: [PATCH 306/405] Bump golang.org/x/crypto from 0.8.0 to 0.9.0 (#9982) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.8.0 to 0.9.0. - [Commits](https://github.com/golang/crypto/compare/v0.8.0...v0.9.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 8 ++++---- go.sum | 16 ++++++++-------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/go.mod b/go.mod index 97ad2c9e2..fa303b4f3 100644 --- a/go.mod +++ b/go.mod @@ -25,7 +25,7 @@ require ( github.com/stretchr/testify v1.8.2 github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a - golang.org/x/crypto v0.8.0 + golang.org/x/crypto v0.9.0 google.golang.org/grpc v1.55.0 google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 @@ -101,10 +101,10 @@ require ( github.com/yudai/pp v2.0.1+incompatible // indirect go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect golang.org/x/mod v0.8.0 // indirect - golang.org/x/net v0.9.0 // indirect + golang.org/x/net v0.10.0 // indirect golang.org/x/oauth2 v0.7.0 // indirect - golang.org/x/sys v0.7.0 // indirect - golang.org/x/term v0.7.0 // indirect + golang.org/x/sys v0.8.0 // indirect + golang.org/x/term v0.8.0 // indirect golang.org/x/text v0.9.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.6.0 // indirect diff --git a/go.sum b/go.sum index cc9b44d6b..d41cfa734 100644 --- a/go.sum +++ b/go.sum @@ -393,8 +393,8 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.8.0 h1:pd9TJtTueMTVQXzk8E2XESSMQDj/U7OUu0PqJqPXQjQ= -golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE= +golang.org/x/crypto v0.9.0 h1:LF6fAI+IutBocDJ2OT0Q1g8plpYljMZ4+lty+dsqw3g= +golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -460,8 +460,8 @@ golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81R golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM= -golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= +golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -527,11 +527,11 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU= -golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.7.0 h1:BEvjmm5fURWqcfbSKTdpkDXYBrUS1c0m8agp14W48vQ= -golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= +golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols= +golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= From 8c7981bfa21c6dab551ed1f4c48db217b5d852ca Mon Sep 17 00:00:00 2001 From: Federico Cuello Date: Mon, 22 May 2023 16:42:34 +0200 Subject: [PATCH 307/405] helm: Fix opentelemetry module installation for daemonset (#9792) * fix: opentelemetry module for controller-daemonset * fix: Align controller-daemonset with controller-deployment * Fix typo in github/workflows/ci --- .github/workflows/ci.yaml | 2 +- .../templates/controller-daemonset.yaml | 16 +++++++++------- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 18be42906..4d443f8d5 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -312,7 +312,7 @@ jobs: kind get kubeconfig > $HOME/.kube/kind-config-kind make kind-e2e-test - - name: Uplaod e2e junit-reports + - name: Upload e2e junit-reports uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 if: success() || failure() with: diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml index bce21a7d6..82abe7564 100644 --- a/charts/ingress-nginx/templates/controller-daemonset.yaml +++ b/charts/ingress-nginx/templates/controller-daemonset.yaml @@ -53,12 +53,12 @@ spec: imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} {{- end }} {{- if .Values.controller.priorityClassName }} - priorityClassName: {{ .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName | quote }} {{- end }} {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }} securityContext: {{- end }} - {{- if .Values.controller.podSecurityContext }} + {{- if .Values.controller.podSecurityContext }} {{- toYaml .Values.controller.podSecurityContext | nindent 8 }} {{- end }} {{- if .Values.controller.sysctls }} @@ -143,11 +143,15 @@ spec: hostPort: {{ $key }} {{- end }} {{- end }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} volumeMounts: - {{- if .Values.controller.extraModules }} + {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} - name: modules + {{ if .Values.controller.image.chroot }} + mountPath: /chroot/modules_mount + {{ else }} mountPath: /modules_mount + {{ end }} {{- end }} {{- if .Values.controller.customTemplate.configMapName }} - mountPath: /etc/nginx/template @@ -169,9 +173,7 @@ spec: {{- if .Values.controller.extraContainers }} {{ toYaml .Values.controller.extraContainers | nindent 8 }} {{- end }} - - - {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }} + {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} initContainers: {{- if .Values.controller.extraInitContainers }} {{ toYaml .Values.controller.extraInitContainers | nindent 8 }} From 24cd56d27c60b550ee103bff1ccbef980f614c7e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 May 2023 07:50:35 -0700 Subject: [PATCH 308/405] Bump github.com/onsi/ginkgo/v2 from 2.9.0 to 2.9.5 (#9980) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.0 to 2.9.5. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.0...v2.9.5) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 10 +++++----- go.sum | 21 +++++++++++---------- 2 files changed, 16 insertions(+), 15 deletions(-) diff --git a/go.mod b/go.mod index fa303b4f3..cebf8df5d 100644 --- a/go.mod +++ b/go.mod @@ -14,7 +14,7 @@ require ( github.com/mitchellh/mapstructure v1.5.0 github.com/moul/pb v0.0.0-20220425114252-bca18df4138c github.com/ncabatoff/process-exporter v0.7.10 - github.com/onsi/ginkgo/v2 v2.9.0 + github.com/onsi/ginkgo/v2 v2.9.5 github.com/opencontainers/runc v1.1.7 github.com/pmezard/go-difflib v1.0.0 github.com/prometheus/client_golang v1.15.1 @@ -58,11 +58,11 @@ require ( github.com/evanphx/json-patch/v5 v5.6.0 // indirect github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b // indirect github.com/go-errors/errors v1.0.1 // indirect - github.com/go-logr/logr v1.2.3 // indirect + github.com/go-logr/logr v1.2.4 // indirect github.com/go-openapi/jsonpointer v0.19.5 // indirect github.com/go-openapi/jsonreference v0.20.0 // indirect github.com/go-openapi/swag v0.19.14 // indirect - github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect + github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect github.com/godbus/dbus/v5 v5.0.6 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect @@ -100,14 +100,14 @@ require ( github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect github.com/yudai/pp v2.0.1+incompatible // indirect go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect - golang.org/x/mod v0.8.0 // indirect + golang.org/x/mod v0.10.0 // indirect golang.org/x/net v0.10.0 // indirect golang.org/x/oauth2 v0.7.0 // indirect golang.org/x/sys v0.8.0 // indirect golang.org/x/term v0.8.0 // indirect golang.org/x/text v0.9.0 // indirect golang.org/x/time v0.3.0 // indirect - golang.org/x/tools v0.6.0 // indirect + golang.org/x/tools v0.9.1 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 // indirect google.golang.org/protobuf v1.30.0 // indirect diff --git a/go.sum b/go.sum index d41cfa734..91749fc4b 100644 --- a/go.sum +++ b/go.sum @@ -100,8 +100,8 @@ github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0= -github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= +github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A= github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY= @@ -112,8 +112,9 @@ github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng= github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= -github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.0.6 h1:mkgN1ofwASrYnJ5W6U/BxG15eXXXjirgZc7CLqkcaro= github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= @@ -283,11 +284,11 @@ github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.9.0 h1:Tugw2BKlNHTMfG+CheOITkYvk4LAh6MFOvikhGVnhE8= -github.com/onsi/ginkgo/v2 v2.9.0/go.mod h1:4xkjoL/tZv4SMWeww56BU5kAt19mVB47gTWxmrTcxyk= +github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q= +github.com/onsi/ginkgo/v2 v2.9.5/go.mod h1:tvAoo1QUJwNEU2ITftXTpR7R1RbCzoZUOs3RonqW57k= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -github.com/onsi/gomega v1.27.1 h1:rfztXRbg6nv/5f+Raen9RcGoSecHIFgBBLQK3Wdj754= +github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE= github.com/opencontainers/runc v1.1.7 h1:y2EZDS8sNng4Ksf0GUYNhKbTShZJPJg1FiXJNH/uoCk= github.com/opencontainers/runc v1.1.7/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc= @@ -425,8 +426,8 @@ golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzB golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8= -golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= +golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -589,8 +590,8 @@ golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM= -golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo= +golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= From 5bc7dc8a6a516f4cedb8f44d37119f60c86c7175 Mon Sep 17 00:00:00 2001 From: Long Wu Yuan Date: Mon, 22 May 2023 23:22:58 +0530 Subject: [PATCH 309/405] bumped ginkgo to v2.9.5 (#9985) --- build/run-in-docker.sh | 2 +- images/test-runner/Makefile | 4 ++-- test/e2e/run-chart-test.sh | 2 +- test/e2e/run-kind-e2e.sh | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh index 3a6aeb43d..90cd7217e 100755 --- a/build/run-in-docker.sh +++ b/build/run-in-docker.sh @@ -87,7 +87,7 @@ if [[ "$DOCKER_IN_DOCKER_ENABLED" == "true" ]]; then echo "..reached DIND check TRUE block, inside run-in-docker.sh" echo "FLAGS=$FLAGS" #go env - go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.9.0 + go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.9.5 find / -type f -name ginkgo 2>/dev/null which ginkgo /bin/bash -c "${FLAGS}" diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile index 562625cff..a004ad932 100644 --- a/images/test-runner/Makefile +++ b/images/test-runner/Makefile @@ -54,7 +54,7 @@ image: --build-arg YAML_LINT_VERSION=1.27.1 \ --build-arg YAMALE_VERSION=4.0.4 \ --build-arg HELM_VERSION=3.11.2 \ - --build-arg GINKGO_VERSION=2.9.0 \ + --build-arg GINKGO_VERSION=2.9.5 \ --build-arg GOLINT_VERSION=latest \ -t ${IMAGE}:${TAG} rootfs @@ -75,7 +75,7 @@ build: ensure-buildx --build-arg YAML_LINT_VERSION=1.27.1 \ --build-arg YAMALE_VERSION=4.0.4 \ --build-arg HELM_VERSION=3.11.2 \ - --build-arg GINKGO_VERSION=2.9.0 \ + --build-arg GINKGO_VERSION=2.9.5 \ --build-arg GOLINT_VERSION=latest \ -t ${IMAGE}:${TAG} rootfs diff --git a/test/e2e/run-chart-test.sh b/test/e2e/run-chart-test.sh index 6efa63eb2..6df4fb1e7 100755 --- a/test/e2e/run-chart-test.sh +++ b/test/e2e/run-chart-test.sh @@ -78,7 +78,7 @@ fi if [ "${SKIP_IMAGE_CREATION:-false}" = "false" ]; then if ! command -v ginkgo &> /dev/null; then - go install github.com/onsi/ginkgo/v2/ginkgo@v2.9.0 + go install github.com/onsi/ginkgo/v2/ginkgo@v2.9.5 fi echo "[dev-env] building image" make -C ${DIR}/../../ clean-image build image diff --git a/test/e2e/run-kind-e2e.sh b/test/e2e/run-kind-e2e.sh index fe7550360..e6e4e086b 100755 --- a/test/e2e/run-kind-e2e.sh +++ b/test/e2e/run-kind-e2e.sh @@ -95,7 +95,7 @@ fi if [ "${SKIP_E2E_IMAGE_CREATION}" = "false" ]; then if ! command -v ginkgo &> /dev/null; then - go install github.com/onsi/ginkgo/v2/ginkgo@v2.9.0 + go install github.com/onsi/ginkgo/v2/ginkgo@v2.9.5 fi echo "[dev-env] .. done building controller images" From 8d9210fd3874343c82e397de220679bfd282ba18 Mon Sep 17 00:00:00 2001 From: Long Wu Yuan Date: Tue, 23 May 2023 16:14:27 +0530 Subject: [PATCH 310/405] updated testrunner image tag+sha (#9987) --- build/run-in-docker.sh | 2 +- test/e2e-image/Makefile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh index 90cd7217e..fe9906e0d 100755 --- a/build/run-in-docker.sh +++ b/build/run-in-docker.sh @@ -44,7 +44,7 @@ function cleanup { } trap cleanup EXIT -E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20230314-helm-chart-4.5.2-32-g520384b11@sha256:754c62f9a5efd1ee515ee908ecc16c0c4d1dda96a8cc8019667182a55f3a9035} +E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20230522@sha256:a3deb0444d53b3f3b2d73acec8be2c3330d28d2df1ef09d0b9d7dbecdee706fb} if [[ "$RUNTIME" == podman ]]; then # Podman does not support both tag and digest diff --git a/test/e2e-image/Makefile b/test/e2e-image/Makefile index 011396531..4106290e6 100644 --- a/test/e2e-image/Makefile +++ b/test/e2e-image/Makefile @@ -1,6 +1,6 @@ DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST)))) -E2E_BASE_IMAGE ?= "registry.k8s.io/ingress-nginx/e2e-test-runner:v20230314-helm-chart-4.5.2-32-g520384b11@sha256:754c62f9a5efd1ee515ee908ecc16c0c4d1dda96a8cc8019667182a55f3a9035" +E2E_BASE_IMAGE ?= "registry.k8s.io/ingress-nginx/e2e-test-runner:v20230522@sha256:a3deb0444d53b3f3b2d73acec8be2c3330d28d2df1ef09d0b9d7dbecdee706fb" image: echo "..entered Makefile in /test/e2e-image" From 897783557a178dc09b6cd7ec25d9719c556ee3b9 Mon Sep 17 00:00:00 2001 From: Ricardo Katz Date: Thu, 25 May 2023 11:18:52 -0300 Subject: [PATCH 311/405] Add OPA examples on pathType restrictions (#9992) --- docs/examples/openpolicyagent/README.md | 25 ++++++++++++ docs/examples/openpolicyagent/rule.yaml | 14 +++++++ docs/examples/openpolicyagent/template.yaml | 40 +++++++++++++++++++ .../tests/should-allow-ns-except.yaml | 18 +++++++++ .../openpolicyagent/tests/should-allow.yaml | 17 ++++++++ .../openpolicyagent/tests/should-deny.yaml | 17 ++++++++ mkdocs.yml | 1 + 7 files changed, 132 insertions(+) create mode 100644 docs/examples/openpolicyagent/README.md create mode 100644 docs/examples/openpolicyagent/rule.yaml create mode 100644 docs/examples/openpolicyagent/template.yaml create mode 100644 docs/examples/openpolicyagent/tests/should-allow-ns-except.yaml create mode 100644 docs/examples/openpolicyagent/tests/should-allow.yaml create mode 100644 docs/examples/openpolicyagent/tests/should-deny.yaml diff --git a/docs/examples/openpolicyagent/README.md b/docs/examples/openpolicyagent/README.md new file mode 100644 index 000000000..2d653a90c --- /dev/null +++ b/docs/examples/openpolicyagent/README.md @@ -0,0 +1,25 @@ +# OpenPolicyAgent and pathType enforcing + +Ingress API allows users to specify different [pathType](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) +on Ingress object. + +While pathType `Exact` and `Prefix` should allow only a small set of characters, pathType `ImplementationSpecific` +allows any characters, as it may contain regexes, variables and other features that may be specific of the Ingress +Controller being used. + +This means that the Ingress Admins (the persona who deployed the Ingress Controller) should trust the users +allowed to use `pathType: ImplementationSpecific`, as this may allow arbitrary configuration, and this +configuration may end on the proxy (aka Nginx) configuration. + +## Example +The example in this repo uses [Gatekeeper](https://open-policy-agent.github.io/gatekeeper/website/) to block the usage of `pathType: ImplementationSpecific`, +allowing just a specific list of namespaces to use it. + +It is recommended that the admin modifies this rules to enforce a specific set of characters when the usage of ImplementationSpecific +is allowed, or in ways that best suits their needs. + +First, the `ConstraintTemplate` from [template.yaml](template.yaml) will define a rule that validates if the Ingress object +is being created on an excempted namespace, and case not, will validate its pathType. + +Then, the rule `K8sBlockIngressPathType` contained in [rule.yaml](rule.yaml) will define the parameters: what kind of +object should be verified (Ingress), what are the excempted namespaces, and what kinds of pathType are blocked. diff --git a/docs/examples/openpolicyagent/rule.yaml b/docs/examples/openpolicyagent/rule.yaml new file mode 100644 index 000000000..fce305241 --- /dev/null +++ b/docs/examples/openpolicyagent/rule.yaml @@ -0,0 +1,14 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sBlockIngressPathType +metadata: + name: implspecificisblocked +spec: + match: + kinds: + - apiGroups: ["networking.k8s.io"] + kinds: ["Ingress"] + parameters: + namespacesExceptions: + - "privileged" + blockedTypes: + - "ImplementationSpecific" diff --git a/docs/examples/openpolicyagent/template.yaml b/docs/examples/openpolicyagent/template.yaml new file mode 100644 index 000000000..ed2a6ba1c --- /dev/null +++ b/docs/examples/openpolicyagent/template.yaml @@ -0,0 +1,40 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8sblockingresspathtype + annotations: + metadata.gatekeeper.sh/title: "Block a pathType usage" + description: >- + Users should not be able to use specific pathTypes +spec: + crd: + spec: + names: + kind: K8sBlockIngressPathType + validation: + openAPIV3Schema: + type: object + properties: + blockedTypes: + type: array + items: + type: string + namespacesExceptions: + type: array + items: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package K8sBlockIngressPathType + + violation[{"msg": msg}] { + input.review.kind.kind == "Ingress" + ns := input.review.object.metadata.namespace + excemptNS := [good | excempts = input.parameters.namespacesExceptions[_] ; good = excempts == ns] + not any(excemptNS) + pathType := object.get(input.review.object.spec.rules[_].http.paths[_], "pathType", "") + blockedPath := [blocked | blockedTypes = input.parameters.blockedTypes[_] ; blocked = blockedTypes == pathType] + any(blockedPath) + msg := sprintf("pathType '%v' is not allowed in this namespace", [pathType]) + } diff --git a/docs/examples/openpolicyagent/tests/should-allow-ns-except.yaml b/docs/examples/openpolicyagent/tests/should-allow-ns-except.yaml new file mode 100644 index 000000000..974e83555 --- /dev/null +++ b/docs/examples/openpolicyagent/tests/should-allow-ns-except.yaml @@ -0,0 +1,18 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + creationTimestamp: null + name: simple + namespace: privileged +spec: + rules: + - host: foo1.com + http: + paths: + - backend: + service: + name: svc1 + port: + number: 8080 + path: /bar + pathType: ImplementationSpecific diff --git a/docs/examples/openpolicyagent/tests/should-allow.yaml b/docs/examples/openpolicyagent/tests/should-allow.yaml new file mode 100644 index 000000000..854aff14c --- /dev/null +++ b/docs/examples/openpolicyagent/tests/should-allow.yaml @@ -0,0 +1,17 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + creationTimestamp: null + name: simple +spec: + rules: + - host: foo.com + http: + paths: + - backend: + service: + name: svc1 + port: + number: 8080 + path: /bar + pathType: Exact diff --git a/docs/examples/openpolicyagent/tests/should-deny.yaml b/docs/examples/openpolicyagent/tests/should-deny.yaml new file mode 100644 index 000000000..b732fdc89 --- /dev/null +++ b/docs/examples/openpolicyagent/tests/should-deny.yaml @@ -0,0 +1,17 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + creationTimestamp: null + name: simple +spec: + rules: + - host: foo2.com + http: + paths: + - backend: + service: + name: svc1 + port: + number: 8080 + path: /bar + pathType: ImplementationSpecific diff --git a/mkdocs.yml b/mkdocs.yml index 39eab9ef0..380b1b67a 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -126,6 +126,7 @@ nav: - Static IPs: "examples/static-ip/README.md" - TLS termination: "examples/tls-termination/README.md" - Pod Security Policy (PSP): "examples/psp/README.md" + - Open Policy Agent rules: "examples/openpolicyagent/README.md" - Developer Guide: - Getting Started: "developer-guide/getting-started.md" - Code Overview: "developer-guide/code-overview.md" From 1282345be2952f497c7f1387ef5fc9658fe95a1d Mon Sep 17 00:00:00 2001 From: Ricardo Katz Date: Thu, 25 May 2023 11:56:52 -0300 Subject: [PATCH 312/405] Admission warning (#9975) * Add warning feature in admission code * Apply suggestions from code review Co-authored-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * Add deprecation and validation path notice --------- Co-authored-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- internal/admission/controller/main.go | 10 ++ internal/admission/controller/main_test.go | 12 ++ internal/ingress/controller/controller.go | 48 ++++++++ .../ingress/controller/controller_test.go | 107 ++++++++++++++++++ 4 files changed, 177 insertions(+) diff --git a/internal/admission/controller/main.go b/internal/admission/controller/main.go index 645f298b4..f59bf2091 100644 --- a/internal/admission/controller/main.go +++ b/internal/admission/controller/main.go @@ -33,6 +33,7 @@ import ( // contains invalid instructions type Checker interface { CheckIngress(ing *networking.Ingress) error + CheckWarning(ing *networking.Ingress) ([]string, error) } // IngressAdmission implements the AdmissionController interface @@ -85,6 +86,15 @@ func (ia *IngressAdmission) HandleAdmission(obj runtime.Object) (runtime.Object, return review, nil } + // Adds the warnings regardless of operation being allowed or not + warning, err := ia.Checker.CheckWarning(&ingress) + if err != nil { + klog.ErrorS(err, "failed to get ingress warnings") + } + if len(warning) > 0 { + status.Warnings = warning + } + if err := ia.Checker.CheckIngress(&ingress); err != nil { klog.ErrorS(err, "invalid ingress configuration", "ingress", fmt.Sprintf("%v/%v", review.Request.Namespace, review.Request.Name)) status.Allowed = false diff --git a/internal/admission/controller/main_test.go b/internal/admission/controller/main_test.go index 7cc3cd7b4..0a547d4be 100644 --- a/internal/admission/controller/main_test.go +++ b/internal/admission/controller/main_test.go @@ -38,6 +38,11 @@ func (ftc failTestChecker) CheckIngress(ing *networking.Ingress) error { return nil } +func (ftc failTestChecker) CheckWarning(ing *networking.Ingress) ([]string, error) { + ftc.t.Error("checker should not be called") + return nil, nil +} + type testChecker struct { t *testing.T err error @@ -50,6 +55,13 @@ func (tc testChecker) CheckIngress(ing *networking.Ingress) error { return tc.err } +func (tc testChecker) CheckWarning(ing *networking.Ingress) ([]string, error) { + if ing.ObjectMeta.Name != testIngressName { + tc.t.Errorf("CheckWarning should be called with %v ingress, but got %v", testIngressName, ing.ObjectMeta.Name) + } + return nil, tc.err +} + func TestHandleAdmission(t *testing.T) { adm := &IngressAdmission{ Checker: failTestChecker{t: t}, diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index 49e8aa0bb..20de63fd1 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -256,6 +256,54 @@ func (n *NGINXController) syncIngress(interface{}) error { return nil } +// GetWarnings returns a list of warnings an Ingress gets when being created. +// The warnings are going to be used in an admission webhook, and they represent +// a list of messages that users need to be aware (like deprecation notices) +// when creating a new ingress object +func (n *NGINXController) CheckWarning(ing *networking.Ingress) ([]string, error) { + warnings := make([]string, 0) + + var deprecatedAnnotations = sets.NewString() + deprecatedAnnotations.Insert( + "enable-influxdb", + "influxdb-measurement", + "influxdb-port", + "influxdb-host", + "influxdb-server-name", + "secure-verify-ca-secret", + "fastcgi-params-configmap", + "fastcgi-index", + ) + + // Skip checks if the ingress is marked as deleted + if !ing.DeletionTimestamp.IsZero() { + return warnings, nil + } + + anns := ing.GetAnnotations() + for k := range anns { + trimmedkey := strings.TrimPrefix(k, parser.AnnotationsPrefix+"/") + if deprecatedAnnotations.Has(trimmedkey) { + warnings = append(warnings, fmt.Sprintf("annotation %s is deprecated", k)) + } + } + + // Add each validation as a single warning + // rikatz: I know this is somehow a duplicated code from CheckIngress, but my goal was to deliver fast warning on this behavior. We + // can and should, tho, simplify this in the near future + if err := inspector.ValidatePathType(ing); err != nil { + if errs, is := err.(interface{ Unwrap() []error }); is { + for _, errW := range errs.Unwrap() { + warnings = append(warnings, errW.Error()) + } + } else { + warnings = append(warnings, err.Error()) + } + } + + return warnings, nil +} + // CheckIngress returns an error in case the provided ingress, when added // to the current configuration, generates an invalid configuration func (n *NGINXController) CheckIngress(ing *networking.Ingress) error { diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go index 8cca10385..06e1e8db0 100644 --- a/internal/ingress/controller/controller_test.go +++ b/internal/ingress/controller/controller_test.go @@ -352,6 +352,113 @@ func TestCheckIngress(t *testing.T) { }) } +func TestCheckWarning(t *testing.T) { + + // Ensure no panic with wrong arguments + var nginx = &NGINXController{} + + nginx.t = fakeTemplate{} + nginx.store = fakeIngressStore{ + ingresses: []*ingress.Ingress{}, + } + + ing := &networking.Ingress{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-ingress-warning", + Namespace: "user-namespace", + Annotations: map[string]string{}, + }, + Spec: networking.IngressSpec{ + Rules: []networking.IngressRule{ + { + Host: "example.com", + }, + }, + }, + } + t.Run("when a deprecated annotation is used a warning should be returned", func(t *testing.T) { + ing.ObjectMeta.Annotations[parser.GetAnnotationWithPrefix("enable-influxdb")] = "true" + defer func() { + ing.ObjectMeta.Annotations = map[string]string{} + }() + + warnings, err := nginx.CheckWarning(ing) + if err != nil { + t.Errorf("no error should be returned, but %s was returned", err) + } + if len(warnings) != 1 { + t.Errorf("expected 1 warning to occur but %d occured", len(warnings)) + } else { + t.Logf("got warning %s correctly", warnings[0]) + } + }) + + t.Run("When an invalid pathType is used, a warning should be returned", func(t *testing.T) { + + rules := ing.Spec.DeepCopy().Rules + ing.Spec.Rules = []networking.IngressRule{ + { + Host: "example.com", + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + Path: "/xpto{$2}", + PathType: &pathTypePrefix, + }, + { + Path: "/ok", + PathType: &pathTypeExact, + }, + }, + }, + }, + }, + } + defer func() { + ing.Spec.Rules = rules + }() + + warnings, err := nginx.CheckWarning(ing) + if err != nil { + t.Errorf("no error should be returned, but %s was returned", err) + } + if len(warnings) != 1 { + t.Errorf("expected 1 warning to occur but %d occured", len(warnings)) + } else { + t.Logf("got warnings %v correctly", warnings) + } + + t.Run("adding invalid annotations increases the warning count", func(t *testing.T) { + ing.ObjectMeta.Annotations[parser.GetAnnotationWithPrefix("enable-influxdb")] = "true" + ing.ObjectMeta.Annotations[parser.GetAnnotationWithPrefix("secure-verify-ca-secret")] = "true" + ing.ObjectMeta.Annotations[parser.GetAnnotationWithPrefix("fastcgi-index")] = "blabla" + defer func() { + ing.ObjectMeta.Annotations = map[string]string{} + }() + warnings, err := nginx.CheckWarning(ing) + if err != nil { + t.Errorf("no error should be returned, but %s was returned", err) + } + if len(warnings) != 4 { + t.Errorf("expected 4 warning to occur but %d occured", len(warnings)) + } else { + t.Logf("got warnings %v correctly", warnings) + } + }) + }) + + t.Run("When the ingress is marked as deleted", func(t *testing.T) { + ing.DeletionTimestamp = &metav1.Time{ + Time: time.Now(), + } + + if warnings, err := nginx.CheckWarning(ing); err != nil || len(warnings) != 0 { + t.Errorf("when the ingress is marked as deleted, no warning should be returned") + } + }) +} + func TestMergeAlternativeBackends(t *testing.T) { testCases := map[string]struct { ingress *ingress.Ingress From 61ae861e81618be3acc1aeed2a8193618434a124 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 May 2023 09:08:51 -0700 Subject: [PATCH 313/405] Bump k8s.io/klog/v2 from 2.90.1 to 2.100.1 (#9913) Bumps [k8s.io/klog/v2](https://github.com/kubernetes/klog) from 2.90.1 to 2.100.1. - [Release notes](https://github.com/kubernetes/klog/releases) - [Changelog](https://github.com/kubernetes/klog/blob/main/RELEASE.md) - [Commits](https://github.com/kubernetes/klog/compare/v2.90.1...v2.100.1) --- updated-dependencies: - dependency-name: k8s.io/klog/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index cebf8df5d..c44d2f207 100644 --- a/go.mod +++ b/go.mod @@ -38,7 +38,7 @@ require ( k8s.io/client-go v0.26.4 k8s.io/code-generator v0.26.4 k8s.io/component-base v0.26.4 - k8s.io/klog/v2 v2.90.1 + k8s.io/klog/v2 v2.100.1 pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 sigs.k8s.io/controller-runtime v0.14.6 sigs.k8s.io/mdtoc v1.1.0 diff --git a/go.sum b/go.sum index 91749fc4b..c2e02777b 100644 --- a/go.sum +++ b/go.sum @@ -740,8 +740,8 @@ k8s.io/component-base v0.26.4/go.mod h1:lTuWL1Xz/a4e80gmIC3YZG2JCO4xNwtKWHJWeJms k8s.io/gengo v0.0.0-20220902162205-c0856e24416d h1:U9tB195lKdzwqicbJvyJeOXV7Klv+wNAWENRnXEGi08= k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= -k8s.io/klog/v2 v2.90.1 h1:m4bYOKall2MmOiRaR1J+We67Do7vm9KiQVlT96lnHUw= -k8s.io/klog/v2 v2.90.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= +k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E= k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 h1:KTgPnR10d5zhztWptI952TNtt/4u5h3IzDXkdIMuo2Y= From df0be089d233b4294dee40be53f9d0f6ace2752a Mon Sep 17 00:00:00 2001 From: Peter Jakubis Date: Thu, 25 May 2023 19:26:53 +0200 Subject: [PATCH 314/405] PodDisruptionBudget spec logic update (#9904) Signed-off-by: Peter Jakubis --- charts/ingress-nginx/README.md | 2 +- .../templates/controller-poddisruptionbudget.yaml | 2 +- charts/ingress-nginx/values.yaml | 5 +++-- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index d79ad38cd..4d4d6ba6f 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -365,7 +365,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.metrics.serviceMonitor.relabelings | list | `[]` | | | controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` | | | controller.metrics.serviceMonitor.targetLabels | list | `[]` | | -| controller.minAvailable | int | `1` | Define either 'minAvailable' or 'maxUnavailable', never both. | +| controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. | | controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | controller.name | string | `"controller"` | | | controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ # | diff --git a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml index 230307cd7..91be5801f 100644 --- a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml +++ b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml @@ -18,7 +18,7 @@ spec: matchLabels: {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} app.kubernetes.io/component: controller - {{- if .Values.controller.minAvailable }} + {{- if and .Values.controller.minAvailable (not (hasKey .Values.controller "maxUnavailable")) }} minAvailable: {{ .Values.controller.minAvailable }} {{- else if .Values.controller.maxUnavailable }} maxUnavailable: {{ .Values.controller.maxUnavailable }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index a398b0503..e0b38c5a7 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -308,9 +308,10 @@ controller: ## podAnnotations: {} replicaCount: 1 - # -- Define either 'minAvailable' or 'maxUnavailable', never both. + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. minAvailable: 1 - # -- Define either 'minAvailable' or 'maxUnavailable', never both. + # -- Maximum unavalaile pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. # maxUnavailable: 1 ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes From 4cf439118ffc1e9455d8ceae1e3c3439fc979dd9 Mon Sep 17 00:00:00 2001 From: Long Wu Yuan Date: Sat, 27 May 2023 01:26:56 +0530 Subject: [PATCH 315/405] openssl CVE fix (#9996) --- NGINX_BASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NGINX_BASE b/NGINX_BASE index 5f1751bbf..ebe355582 100644 --- a/NGINX_BASE +++ b/NGINX_BASE @@ -1 +1 @@ -registry.k8s.io/ingress-nginx/nginx:91057c439cf07ffb62887b8a8bda66ce3cbe39ca@sha256:3b650123c755392f8c0eb9a356b12716327106e624ab5f5b43bc25ab130978fb \ No newline at end of file +registry.k8s.io/ingress-nginx/nginx:v20230526@sha256:b05566e432d85a7681feb7ef93fda8385d53712478737b39e617c993c86c5e65 From c2e1f34cbefe95014540b3fb833fbe9580339cc7 Mon Sep 17 00:00:00 2001 From: Jintao Zhang Date: Sat, 27 May 2023 08:54:49 +0800 Subject: [PATCH 316/405] images: upgrade to Alpine 3.18 (#9997) Alpine Linux 3.18 was released https://alpinelinux.org/posts/Alpine-3.18.0-released.html Signed-off-by: Jintao Zhang --- docs/examples/customization/sysctl/patch.json | 2 +- images/cfssl/rootfs/Dockerfile | 2 +- images/nginx/rootfs/Dockerfile | 4 ++-- images/opentelemetry/rootfs/Dockerfile | 4 ++-- rootfs/Dockerfile-chroot | 2 +- test/e2e-image/Dockerfile | 2 +- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/examples/customization/sysctl/patch.json b/docs/examples/customization/sysctl/patch.json index 3f736197b..e87c9affa 100644 --- a/docs/examples/customization/sysctl/patch.json +++ b/docs/examples/customization/sysctl/patch.json @@ -4,7 +4,7 @@ "spec": { "initContainers": [{ "name": "sysctl", - "image": "alpine:3.17.0", + "image": "alpine:3.18", "securityContext": { "privileged": true }, diff --git a/images/cfssl/rootfs/Dockerfile b/images/cfssl/rootfs/Dockerfile index a50c715ea..e8d6c617a 100644 --- a/images/cfssl/rootfs/Dockerfile +++ b/images/cfssl/rootfs/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM alpine:3.17.2 +FROM alpine:3.18.0 RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile index a968eb1b3..9b4abf244 100644 --- a/images/nginx/rootfs/Dockerfile +++ b/images/nginx/rootfs/Dockerfile @@ -11,7 +11,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -FROM alpine:3.17.2 as builder +FROM alpine:3.18.0 as builder COPY . / @@ -21,7 +21,7 @@ RUN apk update \ && /build.sh # Use a multi-stage build -FROM alpine:3.17.2 +FROM alpine:3.18.0 ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin diff --git a/images/opentelemetry/rootfs/Dockerfile b/images/opentelemetry/rootfs/Dockerfile index 33f5bcb36..69d82cda2 100644 --- a/images/opentelemetry/rootfs/Dockerfile +++ b/images/opentelemetry/rootfs/Dockerfile @@ -13,7 +13,7 @@ # limitations under the License. -FROM alpine:3.17.2 as base +FROM alpine:3.18.0 as base RUN mkdir -p /opt/third_party/install COPY . /opt/third_party/ @@ -39,7 +39,7 @@ COPY --from=grpc /opt/third_party/install/ /usr COPY --from=otel-cpp /opt/third_party/install/ /usr RUN bash /opt/third_party/build.sh -n -FROM alpine:3.17.2 as final +FROM alpine:3.18.0 as final COPY --from=base /opt/third_party/init_module.sh /usr/local/bin/init_module.sh COPY --from=nginx /etc/nginx/modules /etc/nginx/modules COPY --from=nginx /opt/third_party/install/lib /etc/nginx/modules diff --git a/rootfs/Dockerfile-chroot b/rootfs/Dockerfile-chroot index 7ab8584a7..a4123fe87 100644 --- a/rootfs/Dockerfile-chroot +++ b/rootfs/Dockerfile-chroot @@ -23,7 +23,7 @@ RUN apk update \ && apk upgrade \ && /chroot.sh -FROM alpine:3.17.2 +FROM alpine:3.18.0 ARG TARGETARCH ARG VERSION diff --git a/test/e2e-image/Dockerfile b/test/e2e-image/Dockerfile index 11abc26b4..97986ec95 100644 --- a/test/e2e-image/Dockerfile +++ b/test/e2e-image/Dockerfile @@ -1,7 +1,7 @@ ARG E2E_BASE_IMAGE FROM ${E2E_BASE_IMAGE} AS BASE -FROM alpine:3.17.2 +FROM alpine:3.18.0 RUN apk update \ && apk upgrade && apk add -U --no-cache \ From 9398c7e747bc74d2ec78be2b4d92ed7dddbb63df Mon Sep 17 00:00:00 2001 From: Long Wu Yuan Date: Sat, 27 May 2023 12:44:52 +0530 Subject: [PATCH 317/405] change to alpine318 baseimage (#10000) --- NGINX_BASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NGINX_BASE b/NGINX_BASE index ebe355582..02a35039a 100644 --- a/NGINX_BASE +++ b/NGINX_BASE @@ -1 +1 @@ -registry.k8s.io/ingress-nginx/nginx:v20230526@sha256:b05566e432d85a7681feb7ef93fda8385d53712478737b39e617c993c86c5e65 +registry.k8s.io/ingress-nginx/nginx:v20230527@sha256:cf77c71aa6e4284925ca2233ddf871b5823eaa3ee000347ae25096b07fb52c57 From f7ea0b152b9139e895f2da7629953e0cb5f59d84 Mon Sep 17 00:00:00 2001 From: Long Wu Yuan Date: Sat, 27 May 2023 20:16:51 +0530 Subject: [PATCH 318/405] changed tagsha to recent builds (#10001) --- build/run-in-docker.sh | 2 +- charts/ingress-nginx/README.md | 6 +++--- charts/ingress-nginx/values.yaml | 6 +++--- .../custom-errors/custom-default-backend.helm.values.yaml | 2 +- .../customization/custom-errors/custom-default-backend.yaml | 2 +- .../customization/external-auth-headers/echo-service.yaml | 2 +- docs/user-guide/third-party-addons/opentelemetry.md | 2 +- test/e2e-image/Makefile | 2 +- test/e2e/framework/deployment.go | 2 +- test/e2e/settings/ocsp/ocsp.go | 2 +- 10 files changed, 14 insertions(+), 14 deletions(-) diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh index fe9906e0d..d2d6fcdd9 100755 --- a/build/run-in-docker.sh +++ b/build/run-in-docker.sh @@ -44,7 +44,7 @@ function cleanup { } trap cleanup EXIT -E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20230522@sha256:a3deb0444d53b3f3b2d73acec8be2c3330d28d2df1ef09d0b9d7dbecdee706fb} +E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20230527@sha256:a98ce8ab90f16bdd8539b168a4d000f366afa4eec23a220b3ce39698c5769bfd} if [[ "$RUNTIME" == podman ]]; then # Podman does not support both tag and digest diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 4d4d6ba6f..391eb4159 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -248,11 +248,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.admissionWebhooks.networkPolicyEnabled | bool | `false` | | | controller.admissionWebhooks.objectSelector | object | `{}` | | | controller.admissionWebhooks.patch.enabled | bool | `true` | | -| controller.admissionWebhooks.patch.image.digest | string | `"sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f"` | | +| controller.admissionWebhooks.patch.image.digest | string | `"sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b"` | | | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | | | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | | | controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | | -| controller.admissionWebhooks.patch.image.tag | string | `"v20230312-helm-chart-4.5.2-28-g66a760794"` | | +| controller.admissionWebhooks.patch.image.tag | string | `"v20230407"` | | | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources | | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | controller.admissionWebhooks.patch.podAnnotations | object | `{}` | | @@ -371,7 +371,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ # | | controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | | controller.opentelemetry.enabled | bool | `false` | | -| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:40f766ac4a9832f36f217bb0e98d44c8d38faeccbfe861fbc1a76af7e9ab257f"` | | +| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230527@sha256:fd7ec835f31b7b37187238eb4fdad4438806e69f413a203796263131f4f02ed0"` | | | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # | | controller.podLabels | object | `{}` | Labels to add to the pod container metadata | | controller.podSecurityContext | object | `{}` | Security Context policies for controller pods | diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index e0b38c5a7..962567e07 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -547,7 +547,7 @@ controller: opentelemetry: enabled: false - image: registry.k8s.io/ingress-nginx/opentelemetry:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:40f766ac4a9832f36f217bb0e98d44c8d38faeccbfe861fbc1a76af7e9ab257f + image: registry.k8s.io/ingress-nginx/opentelemetry:v20230527@sha256:fd7ec835f31b7b37187238eb4fdad4438806e69f413a203796263131f4f02ed0 containerSecurityContext: allowPrivilegeEscalation: false admissionWebhooks: @@ -609,8 +609,8 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: v20230312-helm-chart-4.5.2-28-g66a760794 - digest: sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f + tag: v20230407 + digest: sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b pullPolicy: IfNotPresent # -- Provide a priority class name to the webhook patching job ## diff --git a/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml b/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml index 807da71a4..708a93831 100644 --- a/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml +++ b/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml @@ -6,7 +6,7 @@ defaultBackend: image: registry: registry.k8s.io image: ingress-nginx/nginx-errors - tag: "v20230312-helm-chart-4.5.2-28-g66a760794@sha256:332be6ff8c4e93e8845963932f98839dfd52ae49829c29e06475368a3e4fbd9e" + tag: "v20230505@sha256:3600dcd1bbd0d05959bb01af4b272714e94d22d24a64e91838e7183c80e53f7f" extraVolumes: - name: custom-error-pages configMap: diff --git a/docs/examples/customization/custom-errors/custom-default-backend.yaml b/docs/examples/customization/custom-errors/custom-default-backend.yaml index 2af64896f..e606c5b62 100644 --- a/docs/examples/customization/custom-errors/custom-default-backend.yaml +++ b/docs/examples/customization/custom-errors/custom-default-backend.yaml @@ -36,7 +36,7 @@ spec: spec: containers: - name: nginx-error-server - image: registry.k8s.io/ingress-nginx/nginx-errors:v20230404-helm-chart-4.6.0-11-gc76179c04@sha256:aabd7a001f6a0a07ed6ea8f6da87e928bfa8f971eba2bef708f3e8504fc5cc9b + image: registry.k8s.io/ingress-nginx/nginx-errors:v20230505@sha256:3600dcd1bbd0d05959bb01af4b272714e94d22d24a64e91838e7183c80e53f7f ports: - containerPort: 8080 # Setting the environment variable DEBUG we can see the headers sent diff --git a/docs/examples/customization/external-auth-headers/echo-service.yaml b/docs/examples/customization/external-auth-headers/echo-service.yaml index 57df4d628..fc4461cd8 100644 --- a/docs/examples/customization/external-auth-headers/echo-service.yaml +++ b/docs/examples/customization/external-auth-headers/echo-service.yaml @@ -18,7 +18,7 @@ spec: terminationGracePeriodSeconds: 60 containers: - name: echo-service - image: registry.k8s.io/ingress-nginx/e2e-test-echo:v20230318-helm-chart-4.5.2-44-gfec1dbe3a@sha256:4938d1d91a2b7d19454460a8c1b010b89f6ff92d2987fd889ac3e8fc3b70d91a + image: registry.k8s.io/ingress-nginx/e2e-test-echo:v20230527@sha256:6fc5aa2994c86575975bb20a5203651207029a0d28e3f491d8a127d08baadab4 ports: - containerPort: 8080 resources: diff --git a/docs/user-guide/third-party-addons/opentelemetry.md b/docs/user-guide/third-party-addons/opentelemetry.md index 1b9b6536e..1e276939e 100644 --- a/docs/user-guide/third-party-addons/opentelemetry.md +++ b/docs/user-guide/third-party-addons/opentelemetry.md @@ -140,7 +140,7 @@ To install the example and collectors run: ```yaml opentelemetry: enabled: true - image: registry.k8s.io/ingress-nginx/opentelemetry:v20230107-helm-chart-4.4.2-2-g96b3d2165@sha256:331b9bebd6acfcd2d3048abbdd86555f5be76b7e3d0b5af4300b04235c6056c9 + image: registry.k8s.io/ingress-nginx/opentelemetry:v20230527@sha256:fd7ec835f31b7b37187238eb4fdad4438806e69f413a203796263131f4f02ed0 containerSecurityContext: allowPrivilegeEscalation: false ``` diff --git a/test/e2e-image/Makefile b/test/e2e-image/Makefile index 4106290e6..f74ea8c74 100644 --- a/test/e2e-image/Makefile +++ b/test/e2e-image/Makefile @@ -1,6 +1,6 @@ DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST)))) -E2E_BASE_IMAGE ?= "registry.k8s.io/ingress-nginx/e2e-test-runner:v20230522@sha256:a3deb0444d53b3f3b2d73acec8be2c3330d28d2df1ef09d0b9d7dbecdee706fb" +E2E_BASE_IMAGE ?= "registry.k8s.io/ingress-nginx/e2e-test-runner:v20230527@sha256:a98ce8ab90f16bdd8539b168a4d000f366afa4eec23a220b3ce39698c5769bfd" image: echo "..entered Makefile in /test/e2e-image" diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go index 06dfa0c5e..565b8f4ac 100644 --- a/test/e2e/framework/deployment.go +++ b/test/e2e/framework/deployment.go @@ -100,7 +100,7 @@ func (f *Framework) NewEchoDeployment(opts ...func(*deploymentOptions)) { namespace: f.Namespace, name: EchoService, replicas: 1, - image: "registry.k8s.io/ingress-nginx/e2e-test-echo@sha256:4938d1d91a2b7d19454460a8c1b010b89f6ff92d2987fd889ac3e8fc3b70d91a", + image: "registry.k8s.io/ingress-nginx/e2e-test-echo@sha256:6fc5aa2994c86575975bb20a5203651207029a0d28e3f491d8a127d08baadab4", } for _, o := range opts { o(options) diff --git a/test/e2e/settings/ocsp/ocsp.go b/test/e2e/settings/ocsp/ocsp.go index 483013f59..ea444444b 100644 --- a/test/e2e/settings/ocsp/ocsp.go +++ b/test/e2e/settings/ocsp/ocsp.go @@ -290,7 +290,7 @@ func ocspserveDeployment(namespace string) (*appsv1.Deployment, *corev1.Service) Containers: []corev1.Container{ { Name: name, - Image: "registry.k8s.io/ingress-nginx/e2e-test-cfssl@sha256:d02c1e18f573449966999fc850f1fed3d37621bf77797562cbe77ebdb06a66ea", + Image: "registry.k8s.io/ingress-nginx/e2e-test-cfssl@sha256:adaa118c179c41cb33fb567004a1f0c71b8fce6bc13263efa63d42dddd5b4346", Command: []string{ "/bin/bash", "-c", From 40957d43ccaf13b380887d8dee8abe709e01a303 Mon Sep 17 00:00:00 2001 From: longwuyuan Date: Fri, 26 May 2023 23:58:19 +0530 Subject: [PATCH 319/405] add faq section in docs --- docs/faq.md | 33 ++++++++++++++ docs/index.md | 7 +-- docs/user-guide/retaining-client-ipaddress.md | 44 +++++++++++++++++++ mkdocs.yml | 1 + 4 files changed, 79 insertions(+), 6 deletions(-) create mode 100644 docs/faq.md create mode 100644 docs/user-guide/retaining-client-ipaddress.md diff --git a/docs/faq.md b/docs/faq.md new file mode 100644 index 000000000..253378c65 --- /dev/null +++ b/docs/faq.md @@ -0,0 +1,33 @@ + +# FAQ + +## Retaining Client IPAddress + +Please read [Retain Client IPAddress Guide here](./user-guide/retaining-client-ipaddress.md). + +## Kubernetes v1.22 Migration + +If you are using Ingress objects in your cluster (running Kubernetes older than v1.22), and you plan to upgrade your Kubernetes version to K8S 1.22 or above, then please read [the migration guide here](./user-guide/k8s-122-migration.md). + +## Validation Of __`path`__ + +- For improving security and also following desired standards on Kubernetes API spec, the next release, scheduled for v1.8.0, will include a new & optional feature of validating the value for the key `ingress.spec.rules.http.paths.path` . + +- This behavior will be disabled by default on the 1.8.0 release and enabled by default on the next breaking change release, set for 2.0.0. + +- When "`ingress.spec.rules.http.pathType=Exact`" or "`pathType=Prefix`", this validation will limit the characters accepted on the field "`ingress.spec.rules.http.paths.path`", to "`alphanumeric characters`", and `"/," "_," "-."` Also, in this case, the path should start with `"/."` + +- When the ingress resource path contains other characters (like on rewrite configurations), the pathType value should be "`ImplementationSpecific`". + +- API Spec on pathType is documented [here](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) + +- When this option is enabled, the validation will happen on the Admission Webhook. So if any new ingress object contains characters other than "`alphanumeric characters`", and `"/," "_," "-."` , in the `path` field, but is not using `pathType` value as `ImplementationSpecific`, then the ingress object will be denied admission. + +- The cluster admin should establish validation rules using mechanisms like "`Open Policy Agent`", to validate that only authorized users can use ImplementationSpecific pathType and that only the authorized characters can be used. [The configmap value is here](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type) + +- A complete example of an Openpolicyagent gatekeeper rule is available [here](https://kubernetes.github.io/ingress-nginx/examples/openpolicyagent/) + +- If you have any issues or concerns, please do one of the following: + - Open a GitHub issue + - Comment in our Dev Slack Channel + - Open a thread in our Google Group ingress-nginx-dev@kubernetes.io diff --git a/docs/index.md b/docs/index.md index bcf4a4018..0a0f488cf 100644 --- a/docs/index.md +++ b/docs/index.md @@ -6,12 +6,7 @@ It is built around the [Kubernetes Ingress resource](https://kubernetes.io/docs/ You can learn more about using [Ingress](http://kubernetes.io/docs/user-guide/ingress/) in the official [Kubernetes documentation](https://docs.k8s.io). -## Getting Started +# Getting Started See [Deployment](./deploy/) for a whirlwind tour that will get you started. - -# FAQ - Kubernetes 1.22 Migration - -If you are using Ingress objects in your cluster (running Kubernetes older than v1.22), -and you plan to upgrade to Kubernetes v1.22, please read [the migration guide here](./user-guide/k8s-122-migration.md). diff --git a/docs/user-guide/retaining-client-ipaddress.md b/docs/user-guide/retaining-client-ipaddress.md new file mode 100644 index 000000000..237bd3004 --- /dev/null +++ b/docs/user-guide/retaining-client-ipaddress.md @@ -0,0 +1,44 @@ + +## Retaining Client IPAddress + +Please read this https://kubernetes.github.io/ingress-nginx/user-guide/miscellaneous/#source-ip-address , to get details of retaining the client IPAddress. + +### Using proxy-protocol + +Please read this https://kubernetes.github.io/ingress-nginx/user-guide/miscellaneous/#proxy-protocol , to use proxy-protocol for retaining client IPAddress + + +### Using the K8S spec service.spec.externalTrafficPolicy + +``` +% kubectl explain service.spec.externalTrafficPolicy +KIND: Service +VERSION: v1 + +FIELD: externalTrafficPolicy + +DESCRIPTION: + externalTrafficPolicy describes how nodes distribute service traffic they + receive on one of the Service's "externally-facing" addresses (NodePorts, + ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will + configure the service in a way that assumes that external load balancers + will take care of balancing the service traffic between nodes, and so each + node will deliver traffic only to the node-local endpoints of the service, + without masquerading the client source IP. (Traffic mistakenly sent to a + node with no endpoints will be dropped.) The default value, "Cluster", uses + the standard behavior of routing to all endpoints evenly (possibly modified + by topology and other features). Note that traffic sent to an External IP or + LoadBalancer IP from within the cluster will always get "Cluster" semantics, + but clients sending to a NodePort from within the cluster may need to take + traffic policy into account when picking a node. + + Possible enum values: + - `"Cluster"` routes traffic to all endpoints. + - `"Local"` preserves the source IP of the traffic by routing only to + endpoints on the same node as the traffic was received on (dropping the + traffic if there are no local endpoints). + +``` + + +- Setting the field `externalTrafficPolicy`, in the ingress-controller service, to a value of `Local` retains the client's ipaddress, within the scope explained above diff --git a/mkdocs.yml b/mkdocs.yml index 380b1b67a..992c04d45 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -130,3 +130,4 @@ nav: - Developer Guide: - Getting Started: "developer-guide/getting-started.md" - Code Overview: "developer-guide/code-overview.md" + - FAQ: "faq.md" From 0e94cc1b234c62fbc3a37ba1b991c2accb5e6959 Mon Sep 17 00:00:00 2001 From: Jintao Zhang Date: Mon, 29 May 2023 19:35:25 +0800 Subject: [PATCH 320/405] chore: start v1.8.0 release process Signed-off-by: Jintao Zhang --- TAG | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TAG b/TAG index 668c7899c..ba103d909 100644 --- a/TAG +++ b/TAG @@ -1,2 +1,2 @@ -v1.7.1 +v1.8.0 From 53254647bc4e908dd3e046a56d3274565e1b011a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 May 2023 07:03:43 -0700 Subject: [PATCH 321/405] Bump github.com/prometheus/common from 0.43.0 to 0.44.0 (#10007) Bumps [github.com/prometheus/common](https://github.com/prometheus/common) from 0.43.0 to 0.44.0. - [Release notes](https://github.com/prometheus/common/releases) - [Commits](https://github.com/prometheus/common/compare/v0.43.0...v0.44.0) --- updated-dependencies: - dependency-name: github.com/prometheus/common dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index c44d2f207..721a3c16b 100644 --- a/go.mod +++ b/go.mod @@ -19,7 +19,7 @@ require ( github.com/pmezard/go-difflib v1.0.0 github.com/prometheus/client_golang v1.15.1 github.com/prometheus/client_model v0.4.0 - github.com/prometheus/common v0.43.0 + github.com/prometheus/common v0.44.0 github.com/spf13/cobra v1.7.0 github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.8.2 @@ -102,7 +102,7 @@ require ( go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect golang.org/x/mod v0.10.0 // indirect golang.org/x/net v0.10.0 // indirect - golang.org/x/oauth2 v0.7.0 // indirect + golang.org/x/oauth2 v0.8.0 // indirect golang.org/x/sys v0.8.0 // indirect golang.org/x/term v0.8.0 // indirect golang.org/x/text v0.9.0 // indirect diff --git a/go.sum b/go.sum index c2e02777b..003ad5fb8 100644 --- a/go.sum +++ b/go.sum @@ -318,8 +318,8 @@ github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y8 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= github.com/prometheus/common v0.29.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= -github.com/prometheus/common v0.43.0 h1:iq+BVjvYLei5f27wiuNiB1DN6DYQkp1c8Bx0Vykh5us= -github.com/prometheus/common v0.43.0/go.mod h1:NCvr5cQIh3Y/gy73/RdVtC9r8xxrxwJnB+2lB3BxrFc= +github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY= +github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY= github.com/prometheus/exporter-toolkit v0.7.0/go.mod h1:ZUBIj498ePooX9t/2xtDjeQYwvRpiPP2lh5u4iblj2g= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= @@ -469,8 +469,8 @@ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4Iltr golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.7.0 h1:qe6s0zUXlPX80/dITx3440hWZ7GwMwgDDyrSGTPJG/g= -golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4= +golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= +golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= From 1240361855d3b4679379f66eb0c437014cd5e5fb Mon Sep 17 00:00:00 2001 From: Ehsan Saei <71217171+esigo@users.noreply.github.com> Date: Mon, 29 May 2023 19:33:44 +0200 Subject: [PATCH 322/405] Add legacy to OpenTelemetry migration doc (#10011) --- .../third-party-addons/opentelemetry.md | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/docs/user-guide/third-party-addons/opentelemetry.md b/docs/user-guide/third-party-addons/opentelemetry.md index 1e276939e..d735fca4f 100644 --- a/docs/user-guide/third-party-addons/opentelemetry.md +++ b/docs/user-guide/third-party-addons/opentelemetry.md @@ -5,6 +5,18 @@ Enables requests served by NGINX for distributed telemetry via The OpenTelemetry Using the third party module [opentelemetry-cpp-contrib/nginx](https://github.com/open-telemetry/opentelemetry-cpp-contrib/tree/main/instrumentation/nginx) the Ingress-Nginx Controller can configure NGINX to enable [OpenTelemetry](http://opentelemetry.io) instrumentation. By default this feature is disabled. +Check out this demo showcasing OpenTelemetry in Ingress NGINX. The video provides an overview and +practical demonstration of how OpenTelemetry can be utilized in Ingress NGINX for observability +and monitoring purposes. + +