DevFW-CICD/ingress-nginx-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: remove unrequired comment

Browse source
This commit is contained in:
patst 2023-11-28 15:37:37 +01:00
commit 4824469180
538 changed files with 15409 additions and 9071 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

0
.gcloudignore Normal file
View file

10
.github/ISSUE_TEMPLATE/feature_request.md vendored
View file

@ -7,16 +7,6 @@ assignees: ''
--- ---
<!--
With the situation in place today, we think (and decided) that it's time to temporarily pause accepting new features and focus on fixing and stabilizing Ingress NGINX. We understand that some people may need to merge a trivial new feature. Still, we are asking the community to understand that maintaining the project at this pace is becoming hard for the project maintainers. We understand that you waited too long with your PR in the queue, and we are sorry! But it's hard for us as well to keep the project stable.
More details are available here https://youtu.be/UBt4N82ymOE and here https://kubernetes.slack.com/archives/CANQGM8BA/p1656020331133589.
The announcement in the dev mailing list is here https://groups.google.com/a/kubernetes.io/g/dev/c/rxtrKvT_Q8E
Thank you,
Ingress-Nginx maintainer
-->
<!-- What do you want to happen? --> <!-- What do you want to happen? -->
<!-- Is there currently another issue associated with this? --> <!-- Is there currently another issue associated with this? -->

34
.github/PULL_REQUEST_TEMPLATE.md vendored
View file

@ -1,5 +1,6 @@
<!--- Provide a general summary of your changes in the Title above ---> <!--- Provide a general summary of your changes in the Title above --->
<!--- Please don't @-mention people in PR or commit messages (do so in an additional comment). ---> <!--- Please don't @-mention people in PR or commit messages (do so in an additional comment). --->
<!--- Please make sure you title is descriptive, it is used in the Release notes to let others know what it does --->
## What this PR does / why we need it: ## What this PR does / why we need it:
<!--- Why is this change required? What problem does it solve? --> <!--- Why is this change required? What problem does it solve? -->
@ -33,36 +34,3 @@ fixes #
- [ ] I've read the [CONTRIBUTION](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md) guide - [ ] I've read the [CONTRIBUTION](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md) guide
- [ ] I have added unit and/or e2e tests to cover my changes. - [ ] I have added unit and/or e2e tests to cover my changes.
- [ ] All new and existing tests passed. - [ ] All new and existing tests passed.
- [ ] Added Release Notes.
## Does my pull request need a release note?
Any user-visible or operator-visible change qualifies for a release note. This could be a:
- CLI change
- API change
- UI change
- configuration schema change
- behavioral change
- change in non-functional attributes such as efficiency or availability, availability of a new platform
- a warning about a deprecation
- fix of a previous Known Issue
- fix of a vulnerability (CVE)
No release notes are required for changes to the following:
- Tests
- Build infrastructure
- Fixes for unreleased bugs
For more tips on writing good release notes, check out the [Release Notes Handbook](https://github.com/kubernetes/sig-release/tree/master/release-team/role-handbooks/release-notes)
<!--
If no, just write "NONE" in the release-note block below.
If yes, a release note is required:
Enter your extended release note in the block below. If the PR requires additional action from users switching to the new release, include the string "action required".
For more information on release notes see: https://git.k8s.io/community/contributors/guide/release-notes.md
-->
```release-note
PLACE RELEASE NOTES HERE
```

4
.github/actions/mkdocs/Dockerfile vendored
View file

@ -1,6 +1,4 @@
FROM squidfunk/mkdocs-material:6.2.4 FROM squidfunk/mkdocs-material:9.4.5
RUN pip install mkdocs-awesome-pages-plugin
COPY action.sh /action.sh COPY action.sh /action.sh

2
.github/actions/mkdocs/action.sh vendored
View file

@ -16,7 +16,7 @@
set -e set -e
REQUIREMENTS="${GITHUB_WORKSPACE}/requirements.txt" REQUIREMENTS="${GITHUB_WORKSPACE}/docs/requirements.txt"
if [ -f "${REQUIREMENTS}" ]; then if [ -f "${REQUIREMENTS}" ]; then
pip install -r "${REQUIREMENTS}" pip install -r "${REQUIREMENTS}"

207
.github/workflows/ci.yaml vendored
View file

@ -7,6 +7,7 @@ on:
paths-ignore: paths-ignore:
- 'docs/**' - 'docs/**'
- 'deploy/**' - 'deploy/**'
- '**.md'
push: push:
branches: branches:
@ -14,6 +15,7 @@ on:
paths-ignore: paths-ignore:
- 'docs/**' - 'docs/**'
- 'deploy/**' - 'deploy/**'
- '**.md'
workflow_dispatch: workflow_dispatch:
inputs: inputs:
@ -40,7 +42,7 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: filter id: filter
@ -60,60 +62,6 @@ jobs:
- 'charts/ingress-nginx/**/*' - 'charts/ingress-nginx/**/*'
- 'NGINX_BASE' - 'NGINX_BASE'
security:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- name: Run Gosec Security Scanner
uses: securego/gosec@a459eb0ba387d9bd083d5c2e2354dbeef2465038 # v2.15.0
with:
# G601 for zz_generated.deepcopy.go
# G306 TODO: Expect WriteFile permissions to be 0600 or less
# G307 TODO: Deferring unsafe method "Close"
args: -exclude=G109,G601,G104,G204,G304,G306,G307 -tests=false -exclude-dir=test -exclude-dir=images/ -exclude-dir=docs/ ./...
lint:
runs-on: ubuntu-latest
needs: changes
if: |
(needs.changes.outputs.go == 'true')
steps:
- name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- name: Set up Go
id: go
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
with:
go-version: '1.20'
check-latest: true
- name: Run Lint
run: ./hack/verify-golint.sh
gofmt:
runs-on: ubuntu-latest
needs: changes
if: |
(needs.changes.outputs.go == 'true')
steps:
- name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- name: Set up Go
id: go
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
with:
go-version: '1.20'
check-latest: true
- name: Run go-fmt
run: ./hack/verify-gofmt.sh
test-go: test-go:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: changes needs: changes
@ -121,13 +69,13 @@ jobs:
(needs.changes.outputs.go == 'true') (needs.changes.outputs.go == 'true')
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set up Go - name: Set up Go
id: go id: go
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with: with:
go-version: '1.20' go-version: '1.21.3'
check-latest: true check-latest: true
- name: Run test - name: Run test
@ -142,21 +90,21 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set up Go - name: Set up Go
id: go id: go
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with: with:
go-version: '1.20' go-version: '1.21.3'
check-latest: true check-latest: true
- name: Set up QEMU - name: Set up QEMU
uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0 uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
- name: Set up Docker Buildx - name: Set up Docker Buildx
id: buildx id: buildx
uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0 uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
with: with:
version: latest version: latest
@ -165,9 +113,7 @@ jobs:
- name: Prepare Host - name: Prepare Host
run: | run: |
sudo apt-get -qq update || true curl -LO https://dl.k8s.io/release/v1.27.3/bin/linux/amd64/kubectl
sudo apt-get install -y pigz
curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.25.5/bin/linux/amd64/kubectl
chmod +x ./kubectl chmod +x ./kubectl
sudo mv ./kubectl /usr/local/bin/kubectl sudo mv ./kubectl /usr/local/bin/kubectl
@ -186,10 +132,10 @@ jobs:
nginx-ingress-controller:e2e \ nginx-ingress-controller:e2e \
ingress-controller/controller:1.0.0-dev \ ingress-controller/controller:1.0.0-dev \
ingress-controller/controller-chroot:1.0.0-dev \ ingress-controller/controller-chroot:1.0.0-dev \
| pigz > docker.tar.gz | gzip > docker.tar.gz
- name: cache - name: cache
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with: with:
name: docker.tar.gz name: docker.tar.gz
path: docker.tar.gz path: docker.tar.gz
@ -205,16 +151,16 @@ jobs:
strategy: strategy:
matrix: matrix:
k8s: [v1.24.12, v1.25.8, v1.26.3,v1.27.1] k8s: [v1.25.11, v1.26.6, v1.27.3, v1.28.0]
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup Go - name: Setup Go
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with: with:
go-version: '1.20' go-version: '1.21.3'
check-latest: true check-latest: true
- name: cache - name: cache
@ -258,7 +204,7 @@ jobs:
- name: Load images from cache - name: Load images from cache
run: | run: |
echo "loading docker images..." echo "loading docker images..."
pigz -dc docker.tar.gz | docker load gzip -dc docker.tar.gz | docker load
- name: Test - name: Test
env: env:
@ -280,11 +226,11 @@ jobs:
strategy: strategy:
matrix: matrix:
k8s: [v1.24.12, v1.25.8, v1.26.3,v1.27.1] k8s: [v1.25.11, v1.26.6, v1.27.3, v1.28.0]
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: cache - name: cache
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
@ -299,7 +245,7 @@ jobs:
- name: Load images from cache - name: Load images from cache
run: | run: |
echo "loading docker images..." echo "loading docker images..."
pigz -dc docker.tar.gz | docker load gzip -dc docker.tar.gz | docker load
- name: Run e2e tests - name: Run e2e tests
env: env:
@ -310,8 +256,57 @@ jobs:
kind get kubeconfig > $HOME/.kube/kind-config-kind kind get kubeconfig > $HOME/.kube/kind-config-kind
make kind-e2e-test make kind-e2e-test
- name: Uplaod e2e junit-reports - name: Upload e2e junit-reports
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
if: success() || failure()
with:
name: e2e-test-reports-${{ matrix.k8s }}
path: 'test/junitreports/report*.xml'
kubernetes-validations:
name: Kubernetes with Validations
runs-on: ubuntu-latest
needs:
- changes
- build
if: |
(needs.changes.outputs.go == 'true') || ${{ inputs.run_e2e }}
strategy:
matrix:
k8s: [v1.25.11, v1.26.6, v1.27.3, v1.28.0]
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: cache
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: docker.tar.gz
- name: Create Kubernetes ${{ matrix.k8s }} cluster
id: kind
run: |
kind create cluster --image=kindest/node:${{ matrix.k8s }} --config test/e2e/kind.yaml
- name: Load images from cache
run: |
echo "loading docker images..."
gzip -dc docker.tar.gz | docker load
- name: Run e2e tests
env:
KIND_CLUSTER_NAME: kind
SKIP_CLUSTER_CREATION: true
SKIP_IMAGE_CREATION: true
ENABLE_VALIDATIONS: true
run: |
kind get kubeconfig > $HOME/.kube/kind-config-kind
make kind-e2e-test
- name: Upload e2e junit-reports
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
if: success() || failure() if: success() || failure()
with: with:
name: e2e-test-reports-${{ matrix.k8s }} name: e2e-test-reports-${{ matrix.k8s }}
@ -329,12 +324,12 @@ jobs:
strategy: strategy:
matrix: matrix:
k8s: [v1.24.12, v1.25.8, v1.26.3,v1.27.1] k8s: [v1.25.11, v1.26.6, v1.27.3, v1.28.0]
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: cache - name: cache
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
@ -349,7 +344,7 @@ jobs:
- name: Load images from cache - name: Load images from cache
run: | run: |
echo "loading docker images..." echo "loading docker images..."
pigz -dc docker.tar.gz | docker load gzip -dc docker.tar.gz | docker load
- name: Run e2e tests - name: Run e2e tests
env: env:
@ -362,12 +357,48 @@ jobs:
make kind-e2e-test make kind-e2e-test
- name: Upload e2e junit-reports - name: Upload e2e junit-reports
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
if: success() || failure() if: success() || failure()
with: with:
name: e2e-test-reports-chroot-${{ matrix.k8s }} name: e2e-test-reports-chroot-${{ matrix.k8s }}
path: 'test/junitreports/report*.xml' path: 'test/junitreports/report*.xml'
test-nginx-image-build:
permissions:
contents: read # for dorny/paths-filter to fetch a list of changed files
pull-requests: read # for dorny/paths-filter to read pull requests
runs-on: ubuntu-latest
env:
PLATFORMS: linux/amd64,linux/arm64
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: filter-images
with:
token: ${{ secrets.GITHUB_TOKEN }}
filters: |
nginx-base:
- 'images/nginx/**'
- name: nginx-base-image
if: ${{ steps.filter-images.outputs.nginx-base == 'true' }}
run: |
cd images/nginx/rootfs && docker build -t docker.io/nginx-test-workflow/nginx:${{ github.sha }} .
- name: Run Trivy on NGINX Image
if: ${{ steps.filter-images.outputs.nginx-base == 'true' }}
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/nginx-test-workflow/nginx:${{ github.sha }}'
format: 'sarif'
ignore-unfixed: true
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
if: ${{ steps.filter-images.outputs.nginx-base == 'true' && always() }}
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
test-image-build: test-image-build:
permissions: permissions:
@ -378,7 +409,7 @@ jobs:
PLATFORMS: linux/amd64,linux/arm64 PLATFORMS: linux/amd64,linux/arm64
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: filter-images id: filter-images
@ -401,7 +432,6 @@ jobs:
- 'images/kube-webhook-certgen/**' - 'images/kube-webhook-certgen/**'
ext-auth-example-authsvc: ext-auth-example-authsvc:
- 'images/ext-auth-example-authsvc/**' - 'images/ext-auth-example-authsvc/**'
- name: custom-error-pages image build - name: custom-error-pages image build
if: ${{ steps.filter-images.outputs.custom-error-pages == 'true' }} if: ${{ steps.filter-images.outputs.custom-error-pages == 'true' }}
run: | run: |
@ -447,11 +477,11 @@ jobs:
strategy: strategy:
matrix: matrix:
k8s: [v1.24.12, v1.25.8, v1.26.3,v1.27.1] k8s: [v1.25.11, v1.26.6, v1.27.3, v1.28.0]
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: filter-images id: filter-images
@ -470,12 +500,13 @@ jobs:
- name: Set up Go - name: Set up Go
id: go id: go
if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with: with:
go-version: '1.20' go-version: '1.21.3'
check-latest: true check-latest: true
- name: kube-webhook-certgen image build - name: kube-webhook-certgen image build
if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
run: | run: |
cd images/kube-webhook-certgen && make test test-e2e cd images/kube-webhook-certgen && make test test-e2e

4
.github/workflows/depreview.yaml vendored
View file

@ -9,6 +9,6 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: 'Checkout Repository' - name: 'Checkout Repository'
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: 'Dependency Review' - name: 'Dependency Review'
uses: actions/dependency-review-action@f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e # v3.0.4 uses: actions/dependency-review-action@7bbfa034e752445ea40215fff1c3bf9597993d3f # v3.1.3

4
.github/workflows/docs.yaml vendored
View file

@ -23,7 +23,7 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: filter id: filter
@ -47,7 +47,7 @@ jobs:
steps: steps:
- name: Checkout master - name: Checkout master
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Deploy - name: Deploy
uses: ./.github/actions/mkdocs uses: ./.github/actions/mkdocs

34
.github/workflows/golangci-lint.yml vendored Normal file
View file

@ -0,0 +1,34 @@
name: golangci-lint
on:
pull_request:
push:
branches:
- main
paths-ignore:
- 'docs/**'
- 'deploy/**'
- '**.md'
permissions:
contents: read
jobs:
golangci:
name: lint
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set up Go
id: go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: '1.21.3'
check-latest: true
- name: golangci-lint
uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
with:
version: v1.53

8
.github/workflows/helm.yaml vendored
View file

@ -23,7 +23,7 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run Artifact Hub lint - name: Run Artifact Hub lint
run: | run: |
@ -61,7 +61,7 @@ jobs:
steps: steps:
- name: Checkout master - name: Checkout master
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with: with:
# Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896 # Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896
fetch-depth: 0 fetch-depth: 0
@ -73,9 +73,9 @@ jobs:
git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com" git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Helm Chart Releaser - name: Helm Chart Releaser
uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0 uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
env: env:
CR_SKIP_EXISTING: "false" CR_SKIP_EXISTING: true
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}" CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}"
with: with:

2
.github/workflows/junit-reports.yaml vendored
View file

@ -9,7 +9,7 @@ jobs:
report: report:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: dorny/test-reporter@c9b3d0e2bd2a4e96aaf424dbaa31c46b42318226 # v1.6.0 - uses: dorny/test-reporter@afe6793191b75b608954023a46831a3fe10048d4 # v1.7.0
with: with:
artifact: /e2e-test-reports-(.*)/ artifact: /e2e-test-reports-(.*)/
name: JEST Tests $1 # Name of the check run which will be created name: JEST Tests $1 # Name of the check run which will be created

2
.github/workflows/perftest.yaml vendored
View file

@ -19,7 +19,7 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Install K6 - name: Install K6
run: | run: |

14
.github/workflows/plugin.yaml vendored
View file

@ -4,10 +4,8 @@ on:
push: push:
branches: branches:
- "main" - "main"
paths:
- "cmd/plugin/**"
tags: tags:
- "v*" - 'v*.*.*\+plugin'
permissions: permissions:
contents: write # for goreleaser/goreleaser-action contents: write # for goreleaser/goreleaser-action
@ -17,21 +15,21 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Set up Go - name: Set up Go
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with: with:
go-version: 1.20 go-version: '1.21.3'
check-latest: true check-latest: true
- name: Run GoReleaser - name: Run GoReleaser
uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0 uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
with: with:
version: latest version: latest
args: release --rm-dist args: release --clean
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

6
.github/workflows/scorecards.yml vendored
View file

@ -27,12 +27,12 @@ jobs:
steps: steps:
- name: "Checkout code" - name: "Checkout code"
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with: with:
persist-credentials: false persist-credentials: false
- name: "Run analysis" - name: "Run analysis"
uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3 uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
with: with:
results_file: results.sarif results_file: results.sarif
results_format: sarif results_format: sarif
@ -51,7 +51,7 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab. # format to the repository Actions tab.
- name: "Upload artifact" - name: "Upload artifact"
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with: with:
name: SARIF file name: SARIF file
path: results.sarif path: results.sarif

6
.github/workflows/vulnerability-scans.yaml vendored
View file

@ -22,7 +22,7 @@ jobs:
versions: ${{ steps.version.outputs.TAGS }} versions: ${{ steps.version.outputs.TAGS }}
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with: with:
fetch-depth: 0 fetch-depth: 0
@ -52,7 +52,7 @@ jobs:
versions: ${{ fromJSON(needs.version.outputs.versions) }} versions: ${{ fromJSON(needs.version.outputs.versions) }}
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- shell: bash - shell: bash
id: test id: test
@ -60,7 +60,7 @@ jobs:
- name: Scan image with AquaSec/Trivy - name: Scan image with AquaSec/Trivy
id: scan id: scan
uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2 # v0.10.0 uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 # v0.14.0
with: with:
image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }} image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }}
format: 'sarif' format: 'sarif'

1
.gitignore vendored
View file

@ -60,3 +60,4 @@ cmd/plugin/release/ingress-nginx.yaml
cmd/plugin/release/*.tar.gz cmd/plugin/release/*.tar.gz
cmd/plugin/release/LICENSE cmd/plugin/release/LICENSE
tmp/ tmp/
test/junitreports/

241
.golangci.yml Normal file
View file

@ -0,0 +1,241 @@
run:
timeout: 10m
allow-parallel-runners: true
# Maximum issues count per one linter. Set to 0 to disable. Default is 50.
max-issues-per-linter: 0
# Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
max-same-issues: 0
linters:
disable-all: true
enable:
- asasalint
- asciicheck
- bidichk
- bodyclose
- contextcheck
- decorder
- dogsled
- dupl
- durationcheck
- errcheck
- errchkjson
- errname
- execinquery
- ginkgolinter
- gocheckcompilerdirectives
- goconst
- gocritic
- gocyclo
- godox
- gofmt
- gofumpt
- goheader
- goimports
- gomoddirectives
- gomodguard
- goprintffuncname
- gosec
- gosimple
- govet
- grouper
- importas
- ineffassign
- loggercheck
- makezero
- misspell
- musttag
- nakedret
- nolintlint
- nosprintfhostport
- prealloc
- predeclared
- promlinter
- reassign
- revive
- rowserrcheck
- sqlclosecheck
- staticcheck
- stylecheck
- tenv
- testableexamples
- typecheck
- unconvert
- unparam
- unused
- usestdlibvars
- whitespace
# - containedctx
# - cyclop
# - dupword
# - errorlint
# - exhaustive
# - exhaustruct
# - exportloopref
# - forbidigo
# - forcetypeassert
# - funlen
# - gci
# - gochecknoglobals
# - gochecknoinits
# - gocognit
# - godot
# - goerr113
# - gomnd
# - interfacebloat
# - ireturn
# - lll
# - maintidx
# - nestif
# - nilerr
# - nilnil
# - nlreturn
# - noctx
# - nonamedreturns
# - paralleltest
# - tagliatelle
# - testpackage
# - thelper
# - tparallel
# - varnamelen
# - wastedassign
# - wrapcheck
# - wsl
linters-settings:
gocyclo:
min-complexity: 40
godox:
keywords:
- BUG
- FIXME
- HACK
errcheck:
check-type-assertions: true
check-blank: true
gocritic:
enabled-checks:
# Diagnostic
- appendAssign
- argOrder
- badCall
- badCond
- badLock
- badRegexp
- badSorting
- builtinShadowDecl
- caseOrder
- codegenComment
- commentedOutCode
- deferInLoop
- deprecatedComment
- dupArg
- dupBranchBody
- dupCase
- dupSubExpr
- dynamicFmtString
- emptyDecl
- evalOrder
- exitAfterDefer
- externalErrorReassign
- filepathJoin
- flagDeref
- flagName
- mapKey
- nilValReturn
- offBy1
- regexpPattern
- returnAfterHttpError
- sloppyReassign
- sloppyTypeAssert
- sortSlice
- sprintfQuotedString
- sqlQuery
- syncMapLoadAndDelete
- truncateCmp
- unnecessaryDefer
- weakCond
# Performance
- appendCombine
- equalFold
- hugeParam
- indexAlloc
- preferDecodeRune
- preferFprint
- preferStringWriter
- preferWriteByte
- rangeExprCopy
- rangeValCopy
- sliceClear
- stringXbytes
# Style
- assignOp
- boolExprSimplify
- captLocal
- commentFormatting
- commentedOutImport
- defaultCaseOrder
- deferUnlambda
- docStub
- dupImport
- elseif
- emptyFallthrough
- emptyStringTest
- exposedSyncMutex
- hexLiteral
- httpNoBody
- ifElseChain
- methodExprCall
- newDeref
- octalLiteral
- preferFilepathJoin
- redundantSprint
- regexpMust
- regexpSimplify
- ruleguard
- singleCaseSwitch
- sloppyLen
- stringConcatSimplify
- stringsCompare
- switchTrue
- timeCmpSimplify
- timeExprSimplify
- todoCommentWithoutDetail
- tooManyResultsChecker
- typeAssertChain
- typeDefFirst
- typeSwitchVar
- underef
- unlabelStmt
- unlambda
- unslice
- valSwap
- whyNoLint
- wrapperFunc
- yodaStyleExpr
# Opinionated
- builtinShadow
- importShadow
- initClause
- nestingReduce
- paramTypeCombine
- ptrToRefParam
- typeUnparen
- unnamedResult
- unnecessaryBlock
nolintlint:
# Enable to ensure that nolint directives are all used. Default is true.
allow-unused: false
# Disable to ensure that nolint directives don't have a leading space. Default is true.
# TODO(lint): Enforce machine-readable `nolint` directives
allow-leading-space: true
# Exclude following linters from requiring an explanation. Default is [].
allow-no-explanation: []
# Enable to require an explanation of nonzero length after each nolint directive. Default is false.
# TODO(lint): Enforce explanations for `nolint` directives
require-explanation: false
# Enable to require nolint directives to mention the specific linter being suppressed. Default is false.
require-specific: true

11
Makefile
View file

@ -128,6 +128,12 @@ static-check: ## Run verification script for boilerplate, codegen, gofmt, golint
MAC_OS=$(MAC_OS) \ MAC_OS=$(MAC_OS) \
hack/verify-all.sh hack/verify-all.sh
.PHONY: golint-check
golint-check:
@build/run-in-docker.sh \
MAC_OS=$(MAC_OS) \
hack/verify-golint.sh
############################### ###############################
# Tests for ingress-nginx # Tests for ingress-nginx
############################### ###############################
@ -262,3 +268,8 @@ release: ensure-buildx clean
--build-arg COMMIT_SHA="$(COMMIT_SHA)" \ --build-arg COMMIT_SHA="$(COMMIT_SHA)" \
--build-arg BUILD_ID="$(BUILD_ID)" \ --build-arg BUILD_ID="$(BUILD_ID)" \
-t $(REGISTRY)/controller-chroot:$(TAG) rootfs -f rootfs/Dockerfile-chroot -t $(REGISTRY)/controller-chroot:$(TAG) rootfs -f rootfs/Dockerfile-chroot
.PHONY: build-docs
build-docs:
pip install -r docs/requirements.txt
mkdocs build --config-file mkdocs.yml

2
NGINX_BASE
View file

@ -1 +1 @@
registry.k8s.io/ingress-nginx/nginx:91057c439cf07ffb62887b8a8bda66ce3cbe39ca@sha256:3b650123c755392f8c0eb9a356b12716327106e624ab5f5b43bc25ab130978fb registry.k8s.io/ingress-nginx/nginx:v20231011-8b53cabe0@sha256:34881d62f71e8573fb765c40585dba28a1148206fbbe2c3871ad3f4e8c6e360f

2
OWNERS_ALIASES
View file

@ -26,10 +26,12 @@ aliases:
ingress-nginx-helm-maintainers: ingress-nginx-helm-maintainers:
- cpanato - cpanato
- Gacko
- strongjz - strongjz
ingress-nginx-helm-reviewers: ingress-nginx-helm-reviewers:
- cpanato - cpanato
- Gacko
- strongjz - strongjz
ingress-nginx-docs-maintainers: ingress-nginx-docs-maintainers:

81
README.md
View file

@ -9,7 +9,7 @@
## Overview ## Overview
ingress-nginx is an Ingress controller for Kubernetes using [NGINX](https://www.nginx.org/) as a reverse proxy and load ingress-nginx is an Ingress controller for Kubernetes using [NGINX](https://www.nginx.org/) as a reverse proxy and load
balancer. balancer.
[Learn more about Ingress on the main Kubernetes documentation site](https://kubernetes.io/docs/concepts/services-networking/ingress/). [Learn more about Ingress on the main Kubernetes documentation site](https://kubernetes.io/docs/concepts/services-networking/ingress/).
@ -20,66 +20,63 @@ See the [Getting Started](https://kubernetes.github.io/ingress-nginx/deploy/) do
## Troubleshooting ## Troubleshooting
If you encounter issues, review the [troubleshooting docs](docs/troubleshooting.md), If you encounter issues, review the [troubleshooting docs](docs/troubleshooting.md),
[file an issue](https://github.com/kubernetes/ingress-nginx/issues), or talk to us on the [file an issue](https://github.com/kubernetes/ingress-nginx/issues), or talk to us on the
[#ingress-nginx channel](https://kubernetes.slack.com/messages/ingress-nginx) on the Kubernetes Slack server. [#ingress-nginx channel](https://kubernetes.slack.com/messages/ingress-nginx) on the Kubernetes Slack server.
## Changelog ## Changelog
See [the list of releases](https://github.com/kubernetes/ingress-nginx/releases) to find out about feature changes. See [the list of releases](https://github.com/kubernetes/ingress-nginx/releases) for all changes.
For detailed changes for each release; please check the [Changelog.md](Changelog.md) file. For detailed changes for each release, please check the [changelog-$version.md](./changelog) file for the release version.
For detailed changes on the `ingress-nginx` helm chart, please check the following For detailed changes on the `ingress-nginx` helm chart, please check the changelog folder for a specific version
[CHANGELOG.md](charts/ingress-nginx/CHANGELOG.md) file. [CHANGELOG-$current-version.md](./charts/ingress-nginx/changelog) file.
### Supported Versions table ### Supported Versions table
Supported versions for the ingress-nginx project mean that we have completed E2E tests, and they are passing for Supported versions for the ingress-nginx project mean that we have completed E2E tests, and they are passing for
the versions listed. Ingress-Nginx versions may work on older versions but the project does not make that guarantee. the versions listed. Ingress-Nginx versions **may** work on older versions, but the project does not make that guarantee.
| | Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version | Helm Chart Version | | Supported | Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version | Helm Chart Version |
|:-----:|------------------------|------------------------------|----------------|---------------|--------------------| |:--:|-----------------------|------------------------------|----------------|---------------|------------------------------|
| 🔄 | **v1.7.1** | 1.27,1.26, 1.25, 1.24 | 3.17.2 | 1.21.6 | 4.6.* | | 🔄 | **v1.9.4** | 1.28, 1.27,1.26, 1.25 | 3.18.4 | 1.21.6 | 4.8.3* |
| 🔄 | **v1.7.0** | 1.26, 1.25, 1.24 | 3.17.2 | 1.21.6 | 4.6.* | | 🔄 | **v1.9.3** | 1.28, 1.27,1.26, 1.25 | 3.18.4 | 1.21.6 | 4.8.* |
| 🔄 | **v1.6.4** | 1.26, 1.25, 1.24, 1.23 | 3.17.0 | 1.21.6 | 4.5.* | | 🔄 | **v1.9.1** | 1.28, 1.27,1.26, 1.25 | 3.18.4 | 1.21.6 | 4.8.* |
| 🔄| **v1.5.1** | 1.25, 1.24, 1.23 | 3.16.2 | 1.21.6 | 4.4.* | | 🔄 | **v1.9.0** | 1.28, 1.27,1.26, 1.25 | 3.18.2 | 1.21.6 | 4.8.* |
| | v1.4.0 | 1.25, 1.24, 1.23, 1.22 | 3.16.2 | 1.19.10† | 4.3.0 | | 🔄 | **v1.8.4** | 1.27,1.26, 1.25, 1.24 | 3.18.2 | 1.21.6 | 4.7.* |
| | v1.3.1 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.2 | 1.19.10† | 4.2.5 | | 🔄 | **v1.8.2** | 1.27,1.26, 1.25, 1.24 | 3.18.2 | 1.21.6 | 4.7.* |
| | v1.3.0 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.0 | 1.19.10† | 4.2.3 | | 🔄 | **v1.8.1** | 1.27,1.26, 1.25, 1.24 | 3.18.2 | 1.21.6 | 4.7.* |
| | v1.2.1 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.6 | 1.19.10† | 4.1.4 | | 🔄 | **v1.8.0** | 1.27,1.26, 1.25, 1.24 | 3.18.0 | 1.21.6 | 4.7.* |
| | v1.1.3 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.4 | 1.19.10† | 4.0.19 | | 🔄 | **v1.7.1** | 1.27,1.26, 1.25, 1.24 | 3.17.2 | 1.21.6 | 4.6.* |
| | v1.1.2 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.18 | | 🔄 | **v1.7.0** | 1.26, 1.25, 1.24 | 3.17.2 | 1.21.6 | 4.6.* |
| | v1.1.1 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.17 | | | v1.6.4 | 1.26, 1.25, 1.24, 1.23 | 3.17.0 | 1.21.6 | 4.5.* |
| | v1.1.0 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.13 | | | v1.5.1 | 1.25, 1.24, 1.23 | 3.16.2 | 1.21.6 | 4.4.* |
| | v1.0.5 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.9 | | | v1.4.0 | 1.25, 1.24, 1.23, 1.22 | 3.16.2 | 1.19.10† | 4.3.0 |
| | v1.0.4 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.6 | | | v1.3.1 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.2 | 1.19.10† | 4.2.5 |
| | v1.0.3 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.5 | | | v1.3.0 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.0 | 1.19.10† | 4.2.3 |
| | v1.0.2 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.3 |
| | v1.0.1 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | 4.0.2 |
| | v1.0.0 | 1.22, 1.21, 1.20, 1.19 | 3.13.5 | 1.20.1 | 4.0.1 |
See [this article](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) if you want upgrade to the stable
† _This build is Ingress API.
[patched against CVE-2021-23017](https://github.com/openresty/openresty/commit/4b5ec7edd78616f544abc194308e0cf4b788725b#diff-42ef841dc27fe0b5aa2d06bd31308bb63a59cdcddcbcddd917248349d22020a3)._
See [this article](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) if you want upgrade to the stable
Ingress API.
## Get Involved ## Get Involved
Thanks for taking the time to join our community and start contributing! Thanks for taking the time to join our community and start contributing!
- This project adheres to the [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md). - This project adheres to the [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md).
By participating in this project, you agree to abide by its terms. By participating in this project, you agree to abide by its terms.
- **Contributing**: Contributions of all kind are welcome! - **Contributing**: Contributions of all kinds are welcome!
- Read [`CONTRIBUTING.md`](CONTRIBUTING.md) for information about setting up your environment, the workflow that we - Read [`CONTRIBUTING.md`](CONTRIBUTING.md) for information about setting up your environment, the workflow that we
expect, and instructions on the developer certificate of origin that we require. expect, and instructions on the developer certificate of origin that we require.
- Join our Kubernetes Slack channel for developer discussion : [#ingress-nginx-dev](https://kubernetes.slack.com/archives/C021E147ZA4). - Join our Kubernetes Slack channel for developer discussion : [#ingress-nginx-dev](https://kubernetes.slack.com/archives/C021E147ZA4).
- Submit GitHub issues for any feature enhancements, bugs or documentation problems. Please make sure to read the [Issue Reporting Checklist](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md#issue-reporting-guidelines) before opening an issue. Issues not conforming to the guidelines **may be closed immediately**. - Submit GitHub issues for any feature enhancements, bugs, or documentation problems.
- **Support**: Join the [#ingress-nginx-users](https://kubernetes.slack.com/messages/CANQGM8BA/) channel inside the [Kubernetes Slack](http://slack.kubernetes.io/) to ask questions or get support from the maintainers and other users. - Please make sure to read the [Issue Reporting Checklist](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md#issue-reporting-guidelines) before opening an issue. Issues not conforming to the guidelines **may be closed immediately**.
- Join our [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernetes.io/g/ingress-nginx-dev/c/ebbBMo-zX-w)
- **Support**:
- Join the [#ingress-nginx-users](https://kubernetes.slack.com/messages/CANQGM8BA/) channel inside the [Kubernetes Slack](http://slack.kubernetes.io/) to ask questions or get support from the maintainers and other users.
- The [GitHub issues](https://github.com/kubernetes/ingress-nginx/issues) in the repository are **exclusively** for bug reports and feature requests. - The [GitHub issues](https://github.com/kubernetes/ingress-nginx/issues) in the repository are **exclusively** for bug reports and feature requests.
- **Discuss**: Tweet using the `#IngressNginx` hashtag. - **Discuss**: Tweet using the `#IngressNginx` hashtag or sharing with us [@IngressNginx](https://twitter.com/IngressNGINX).
## License ## License

3
TAG
View file

@ -1,2 +1 @@
v1.7.1 v1.9.4

6
build/dev-env.sh
View file

@ -45,14 +45,16 @@ if ! command -v helm &> /dev/null; then
exit 1 exit 1
fi fi
function ver { printf "%d%03d%03d" $(echo "$1" | tr '.' ' '); }
HELM_VERSION=$(helm version 2>&1 | cut -f1 -d"," | grep -oE '[0-9]+\.[0-9]+\.[0-9]+') || true HELM_VERSION=$(helm version 2>&1 | cut -f1 -d"," | grep -oE '[0-9]+\.[0-9]+\.[0-9]+') || true
echo $HELM_VERSION echo $HELM_VERSION
if [[ ${HELM_VERSION} -lt 3.10.0 ]]; then if [[ $(ver $HELM_VERSION) -lt $(ver "3.10.0") ]]; then
echo "Please upgrade helm to v3.10.0 or higher" echo "Please upgrade helm to v3.10.0 or higher"
exit 1 exit 1
fi fi
KUBE_CLIENT_VERSION=$(kubectl version --client --short 2>/dev/null | grep Client | awk '{print $3}' | cut -d. -f2) || true KUBE_CLIENT_VERSION=$(kubectl version --client -oyaml 2>/dev/null | grep "minor:" | awk '{print $2}' | tr -d '"') || true
if [[ ${KUBE_CLIENT_VERSION} -lt 24 ]]; then if [[ ${KUBE_CLIENT_VERSION} -lt 24 ]]; then
echo "Please update kubectl to 1.24.2 or higher" echo "Please update kubectl to 1.24.2 or higher"
exit 1 exit 1

4
build/run-in-docker.sh
View file

@ -44,7 +44,7 @@ function cleanup {
} }
trap cleanup EXIT trap cleanup EXIT
E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20230314-helm-chart-4.5.2-32-g520384b11@sha256:754c62f9a5efd1ee515ee908ecc16c0c4d1dda96a8cc8019667182a55f3a9035} E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20231011-8b53cabe0@sha256:ed0dad805c635e66469b4ac376010eebdd0b3fe62d753f58db1632d6f12f451d}
if [[ "$RUNTIME" == podman ]]; then if [[ "$RUNTIME" == podman ]]; then
# Podman does not support both tag and digest # Podman does not support both tag and digest
@ -87,7 +87,7 @@ if [[ "$DOCKER_IN_DOCKER_ENABLED" == "true" ]]; then
echo "..reached DIND check TRUE block, inside run-in-docker.sh" echo "..reached DIND check TRUE block, inside run-in-docker.sh"
echo "FLAGS=$FLAGS" echo "FLAGS=$FLAGS"
#go env #go env
go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.9.0 go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.13.0
find / -type f -name ginkgo 2>/dev/null find / -type f -name ginkgo 2>/dev/null
which ginkgo which ginkgo
/bin/bash -c "${FLAGS}" /bin/bash -c "${FLAGS}"

67
changelog/Changelog-1.8.0.md Normal file
View file

@ -0,0 +1,67 @@
# Changelog
### 1.8.0
Images:
* registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3
* registry.k8s.io/ingress-nginx/controller-chroot:v1.8.0@sha256:a45e41cd2b7670adf829759878f512d4208d0aec1869dae593a0fecd09a5e49e
### Important Changes:
* Validate path types (#9967)
* images: upgrade to Alpine 3.18 (#9997)
* Update documentation to reflect project name; Ingress-Nginx Controller
For improving security on our 1.8.0 release includes a
[new, **optional** validation ](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type)
that limits the characters accepted on ".spec paths.path" when pathType=Exact or pathType=Prefix,
to alphanumeric characters only. More information can be found on our
[Google doc](https://docs.google.com/document/d/1HPvaEwHRuMSkXYkVIJ-w7IpijKdHfNynm_4N2Akt0CQ/edit?usp=sharing)
, our new [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernetes.io/g/ingress-nginx-dev/c/ebbBMo-zX-w)
or in our [docs](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type)
### Community Updates
We are now posting updates and release to our twitter handle, [@IngressNginx](https://twitter.com/IngressNGINX) and
on our new [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernetes.io/g/ingress-nginx-dev/c/ebbBMo-zX-w)
### All Changes:
* Add legacy to OpenTelemetry migration doc (#10011)
* changed tagsha to recent builds (#10001)
* change to alpine318 baseimage (#10000)
* images: upgrade to Alpine 3.18 (#9997)
* openssl CVE fix (#9996)
* PodDisruptionBudget spec logic update (#9904)
* Admission warning (#9975)
* Add OPA examples on pathType restrictions (#9992)
* updated testrunner image tag+sha (#9987)
* bumped ginkgo to v2.9.5 (#9985)
* helm: Fix opentelemetry module installation for daemonset (#9792)
* OpenTelemetry default config (#9978)
* Correct annotations in monitoring docs (#9976)
* fix: avoid builds and tests for changes to markdown (#9962)
* Validate path types (#9967)
* HPA: Use capabilites & align manifests. (#9521)
* Use dl.k8s.io instead of hardcoded GCS URIs (#9946)
* add option for annotations in PodDisruptionBudget (#9843)
* chore: update httpbin to httpbun (#9919)
* image_update (#9942)
* Add geoname id value into $geoip2_*_geoname_id variables (#9527)
* Update annotations.md (#9933)
* Update charts/* to keep project name display aligned (#9931)
* Keep project name display aligned (#9920)
### Dependencies updates:
* Bump github.com/imdario/mergo from 0.3.15 to 0.3.16 (#10008)
* Bump github.com/prometheus/common from 0.43.0 to 0.44.0 (#10007)
* Bump k8s.io/klog/v2 from 2.90.1 to 2.100.1 (#9913)
* Bump github.com/onsi/ginkgo/v2 from 2.9.0 to 2.9.5 (#9980)
* Bump golang.org/x/crypto from 0.8.0 to 0.9.0 (#9982)
* Bump actions/setup-go from 4.0.0 to 4.0.1 (#9984)
* Bump securego/gosec from 2.15.0 to 2.16.0 (#9983)
* Bump github.com/prometheus/common from 0.42.0 to 0.43.0 (#9981)
* Bump github.com/prometheus/client_model from 0.3.0 to 0.4.0 (#9937)
* Bump google.golang.org/grpc from 1.54.0 to 1.55.0 (#9936)
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.7.1...controller-controller-v1.8.0

67
changelog/Changelog-1.8.1.md Normal file
View file

@ -0,0 +1,67 @@
# Changelog
### 1.8.1
Images:
* registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd
* registry.k8s.io/ingress-nginx/controller-chroot:v1.8.1@sha256:e0d4121e3c5e39de9122e55e331a32d5ebf8d4d257227cb93ab54a1b912a7627
### All Changes:
* netlify: Only trigger preview when there are changes in docs. (#10144)
* changed to updated baseimage and reverted tag (#10143)
* Fix loadBalancerClass value (#10139)
* Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406)
* Set grpc :authority header from request header (#8912)
* bump pinned golang to 1.20.5 (#10127)
* update test runner (#10125)
* chore: remove echo from snippet tests (#10110)
* Update typo in docs for lb scheme (#10117)
* golang 1.20.5 bump (#10120)
* feat(helm): Add loadBalancerClass (#9562)
* chore: remove echo friom canary tests (#10089)
* fix: obsolete warnings (#10029)
* docs: change Dockefile url ref main (#10087)
* Revert "Remove fastcgi feature" (#10081)
* docs: add netlify configuration (#10073)
* add distroless otel init (#10035)
* chore: move httpbun to be part of framework (#9955)
* Remove fastcgi feature (#9864)
* Fix mirror-target values without path separator and port (#9889)
* Adding feature to upgrade Oracle Cloud Infrastructure's Flexible Load Balancer and adjusting Health Check that were critical in the previous configuration (#9961)
* add support for keda fallback settings (#9993)
* unnecessary use of fmt.Sprint (S1039) (#10049)
* chore: pkg imported more than once (#10048)
* tracing: upgrade to dd-opentracing-cpp v1.3.7 (#10031)
* fix: add canary to sidebar in examples (#10068)
* docs: add lua testing documentation (#10060)
* docs: canary weighted deployments example (#10067)
* Update Internal Load Balancer docs (#10062)
* fix broken kubernetes.io/user-guide/ docs links (#10055)
* docs: Updated the content of deploy/rbac.md (#10054)
* ensured hpa mem spec before cpu spec (#10043)
* Fix typo in controller_test (#10034)
* chore(dep): upgrade github.com/emicklei/go-restful/v3 to 3.10 (#10028)
* Upgrade to Golang 1.20.4 (#10016)
* perf: avoid unnecessary byte/string conversion (#10012)
* added note on dns for localtesting (#10021)
* added helmshowvalues example (#10019)
* release controller 1.8.0 and chart 4.7.0 (#10017)
### Dependencies updates:
* Bump ossf/scorecard-action from 2.1.3 to 2.2.0 (#10133)
* Bump google.golang.org/grpc from 1.56.0 to 1.56.1 (#10134)
* Bump github.com/prometheus/client_golang from 1.15.1 to 1.16.0 (#10106)
* Bump golang.org/x/crypto from 0.9.0 to 0.10.0 (#10105)
* Bump google.golang.org/grpc from 1.55.0 to 1.56.0 (#10103)
* Bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 (#10101)
* Bump docker/setup-buildx-action from 2.6.0 to 2.7.0 (#10102)
* Bump actions/checkout from 3.5.2 to 3.5.3 (#10076)
* Bump docker/setup-qemu-action from 2.1.0 to 2.2.0 (#10075)
* Bump aquasecurity/trivy-action from 0.10.0 to 0.11.2 (#10078)
* Bump docker/setup-buildx-action from 2.5.0 to 2.6.0 (#10077)
* Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#10042)
* Bump github.com/stretchr/testify from 1.8.3 to 1.8.4 (#10041)
* Bump github.com/stretchr/testify from 1.8.2 to 1.8.3 (#10005)
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.8.0...controller-controller-v1.8.1

19
changelog/Changelog-1.8.2.md Normal file
View file

@ -0,0 +1,19 @@
# Changelog
### 1.8.2
Images:
* registry.k8s.io/ingress-nginx/controller:v1.8.2@sha256:74834d3d25b336b62cabeb8bf7f1d788706e2cf1cfd64022de4137ade8881ff2
* registry.k8s.io/ingress-nginx/controller-chroot:v1.8.2@sha256:1317a563219f755a6094d990057c78e5c4dcea5e31f4ce1db8641e732a7d6133
### All Changes:
* Release v1.8.2 and Update Go to v1.21.1 (#10379)
* Making auth access logs optional (#10380)
* [release-1.8] Disable Modsecurity from internal processing which affects large ingresses (#10375)
* promote distroless otel init image (#10270)
* [release-1.8] Update images tags after adding git data in gcloud (#10233)
* [release-1.8] Golang 1.20.6 for test runner (#10231)
### Dependencies updates:
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.8.1...controller-controller-v1.8.2

93
changelog/Changelog-1.9.0-beta.0.md Normal file
View file

@ -0,0 +1,93 @@
# Changelog
### 1.9.0-beta.0
Images:
* registry.k8s.io/ingress-nginx/controller:v1.9.0-beta.0@sha256:531377e4cc9dc62af40d742402222603259673f5a755a64d74122f256dfad8f9
* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.0-beta.0@sha256:60b4c95349ce2a81a3b2a76423ee483b847b89d3fa8cb148468434f606f3fa0c
### All Changes:
* Rework mage (#10418)
* Start release of v1.9.0 beta0 (#10407)
* Update k8s versions on CI (#10406)
* Add a flag to enable or disable aio_write (#10394)
* Update external-articles.md - advanced setup with GKE/Cloud Armor/IAP (#10372)
* Fix e2e test suite doc (#10396)
* Disable user snippets per default (#10393)
* Deployment/DaemonSet: Fix templating & value. (#10240)
* Fix deferInLoop error (#10387)
* Remove gofmt (#10385)
* Deployment/DaemonSet: Template `topologySpreadConstraints`. (#10259)
* release notes 1.8.2 (#10389)
* fix: remove curl on base container #9716 (#10306)
* Fix http default backend test (#10382)
* Add golangci github action and replace the deprecated golint (#10187)
* BUGFIX incorrect indentation (#10254)
* Upgrade OpenTelemetry to v1.11.0 and gRPC to v1.57.0 (#10352)
* fix: path with sepecial characters warning #10281 #10308 (#10330)
* Fix golangci-lint errors (#10196)
* chore(build): Fix Run make dev-env syntax error (#10294)
* Add firewall configuration to quick start documentation (#10357)
* Making auth access logs optional (#10335)
* Fix “dev-env” Makefile target to work with kubectl 1.28+ (#10350)
* fix: update action file to auto release plugin #10197 (#10321)
* Use gzip instead of pigz in CI (#10348)
* Disable Modsecurity from internal processing which affects large ingresses (#10316)
* fix: add /etc/mime.types #10309 (#10310)
* Remove curl dependencies in e2e tests #9716 (#10296)
* docs: swap explanation to match example (#10220)
* ci(helm): fix Helm Chart release action 422 error (#10237)
* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249)
* Updated index.md - Fix typos (#10256)
* Handle request_id variable correctly in auth requests (#9219)
* test kind updates (#10272)
* promote distroless otel init image (#10257)
* [helm] configure allow to configure hostAliases (#10180)
* Add rolling update strategy to each static deployment file (#10129)
* Implement annotation validation (#9673)
* Golang 1.20.6 for test runner (#10230)
* [helm] pass service annotations through helm tpl engine (#10084)
* Ignore deployment template's replicas if KEDA is enabled (#9534)
* chore: bump OpenResty to v1.21.4.2 (#10219)
* Scanning port 10247 lead to tcp connection 502 error (#9815)
* revise Datadog trace sampling configuration (#10151)
* Clarify TCP/UDP service docs (#10146)
* Exposed continent data as variable in the case of Maxmind city files (#10157)
* Cleanup errcheck code (#10166)
* Fix golang-ci linter errors (#10128)
* Deprecate and remove AJP support (#10158)
* release notes 1.8.1 (#10161)
### Dependencies updates:
* Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.12.0 (#10355)
* Bump golang.org/x/crypto from 0.12.0 to 0.13.0 (#10399)
* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10403)
* Bump goreleaser/goreleaser-action from 4.4.0 to 4.6.0 (#10402)
* Bump actions/upload-artifact from 3.1.2 to 3.1.3 (#10404)
* Bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#10400)
* Bump google.golang.org/grpc from 1.57.0 to 1.58.0 (#10398)
* Bump actions/dependency-review-action from 3.0.8 to 3.1.0 (#10401)
* Bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4 (#10373)
* Bump github.com/cyphar/filepath-securejoin in /magefiles (#10374)
* Bump Go version to 1.21.1 (#10377)
* Bump Go version to 1.21.1 on testrunner (#10378)
* Bump aquasecurity/trivy-action from 0.11.2 to 0.12.0 (#10365)
* Bump docker/setup-buildx-action from 2.9.1 to 2.10.0 (#10353)
* Bump actions/checkout from 3.5.3 to 3.6.0 (#10354)
* Bump actions/dependency-review-action from 3.0.6 to 3.0.8 (#10333)
* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10313)
* Bump securego/gosec from 2.16.0 to 2.17.0 (#10332)
* Bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 (#10314)
* Bump github.com/opencontainers/runc from 1.1.8 to 1.1.9 (#10298)
* Bump k8s.io/component-base from 0.26.4 to 0.27.4 (Replace Topology Aware Hints with Topology Aware Routing) (#10282)
* Bump google.golang.org/grpc from 1.56.2 to 1.57.0 (#10258)
* Bump golang.org/x/crypto from 0.11.0 to 0.12.0 (#10280)
* Bump github.com/opencontainers/runc from 1.1.7 to 1.1.8 (#10244)
* Bump google.golang.org/grpc from 1.56.1 to 1.56.2 (#10193)
* Bump docker/setup-buildx-action from 2.9.0 to 2.9.1 (#10207)
* Bump golang.org/x/crypto from 0.10.0 to 0.11.0 (#10192)
* Bump docker/setup-buildx-action from 2.8.0 to 2.9.0 (#10191)
* Bump docker/setup-buildx-action from 2.7.0 to 2.8.0 (#10165)
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-release-1.8...controller-controller-v1.9.0-beta.0

93
changelog/Changelog-1.9.0.md Normal file
View file

@ -0,0 +1,93 @@
# Changelog
### 1.9.0
Images:
* registry.k8s.io/ingress-nginx/controller:v1.9.0@sha256:c15d1a617858d90fb8f8a2dd60b0676f2bb85c54e3ed11511794b86ec30c8c60
* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.0@sha256:d9fa7a136de2104fb2ecfcf1666978bfab927f4a125b75c0fb471e6104366ab5
### All Changes:
* Rework mage (#10418)
* Start release of v1.9.0 beta0 (#10407)
* Update k8s versions on CI (#10406)
* Add a flag to enable or disable aio_write (#10394)
* Update external-articles.md - advanced setup with GKE/Cloud Armor/IAP (#10372)
* Fix e2e test suite doc (#10396)
* Disable user snippets per default (#10393)
* Deployment/DaemonSet: Fix templating & value. (#10240)
* Fix deferInLoop error (#10387)
* Remove gofmt (#10385)
* Deployment/DaemonSet: Template `topologySpreadConstraints`. (#10259)
* release notes 1.8.2 (#10389)
* fix: remove curl on base container #9716 (#10306)
* Fix http default backend test (#10382)
* Add golangci github action and replace the deprecated golint (#10187)
* BUGFIX incorrect indentation (#10254)
* Upgrade OpenTelemetry to v1.11.0 and gRPC to v1.57.0 (#10352)
* fix: path with sepecial characters warning #10281 #10308 (#10330)
* Fix golangci-lint errors (#10196)
* chore(build): Fix Run make dev-env syntax error (#10294)
* Add firewall configuration to quick start documentation (#10357)
* Making auth access logs optional (#10335)
* Fix “dev-env” Makefile target to work with kubectl 1.28+ (#10350)
* fix: update action file to auto release plugin #10197 (#10321)
* Use gzip instead of pigz in CI (#10348)
* Disable Modsecurity from internal processing which affects large ingresses (#10316)
* fix: add /etc/mime.types #10309 (#10310)
* Remove curl dependencies in e2e tests #9716 (#10296)
* docs: swap explanation to match example (#10220)
* ci(helm): fix Helm Chart release action 422 error (#10237)
* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249)
* Updated index.md - Fix typos (#10256)
* Handle request_id variable correctly in auth requests (#9219)
* test kind updates (#10272)
* promote distroless otel init image (#10257)
* [helm] configure allow to configure hostAliases (#10180)
* Add rolling update strategy to each static deployment file (#10129)
* Implement annotation validation (#9673)
* Golang 1.20.6 for test runner (#10230)
* [helm] pass service annotations through helm tpl engine (#10084)
* Ignore deployment template's replicas if KEDA is enabled (#9534)
* chore: bump OpenResty to v1.21.4.2 (#10219)
* Scanning port 10247 lead to tcp connection 502 error (#9815)
* revise Datadog trace sampling configuration (#10151)
* Clarify TCP/UDP service docs (#10146)
* Exposed continent data as variable in the case of Maxmind city files (#10157)
* Cleanup errcheck code (#10166)
* Fix golang-ci linter errors (#10128)
* Deprecate and remove AJP support (#10158)
* release notes 1.8.1 (#10161)
### Dependencies updates:
* Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.12.0 (#10355)
* Bump golang.org/x/crypto from 0.12.0 to 0.13.0 (#10399)
* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10403)
* Bump goreleaser/goreleaser-action from 4.4.0 to 4.6.0 (#10402)
* Bump actions/upload-artifact from 3.1.2 to 3.1.3 (#10404)
* Bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#10400)
* Bump google.golang.org/grpc from 1.57.0 to 1.58.0 (#10398)
* Bump actions/dependency-review-action from 3.0.8 to 3.1.0 (#10401)
* Bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4 (#10373)
* Bump github.com/cyphar/filepath-securejoin in /magefiles (#10374)
* Bump Go version to 1.21.1 (#10377)
* Bump Go version to 1.21.1 on testrunner (#10378)
* Bump aquasecurity/trivy-action from 0.11.2 to 0.12.0 (#10365)
* Bump docker/setup-buildx-action from 2.9.1 to 2.10.0 (#10353)
* Bump actions/checkout from 3.5.3 to 3.6.0 (#10354)
* Bump actions/dependency-review-action from 3.0.6 to 3.0.8 (#10333)
* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10313)
* Bump securego/gosec from 2.16.0 to 2.17.0 (#10332)
* Bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 (#10314)
* Bump github.com/opencontainers/runc from 1.1.8 to 1.1.9 (#10298)
* Bump k8s.io/component-base from 0.26.4 to 0.27.4 (Replace Topology Aware Hints with Topology Aware Routing) (#10282)
* Bump google.golang.org/grpc from 1.56.2 to 1.57.0 (#10258)
* Bump golang.org/x/crypto from 0.11.0 to 0.12.0 (#10280)
* Bump github.com/opencontainers/runc from 1.1.7 to 1.1.8 (#10244)
* Bump google.golang.org/grpc from 1.56.1 to 1.56.2 (#10193)
* Bump docker/setup-buildx-action from 2.9.0 to 2.9.1 (#10207)
* Bump golang.org/x/crypto from 0.10.0 to 0.11.0 (#10192)
* Bump docker/setup-buildx-action from 2.8.0 to 2.9.0 (#10191)
* Bump docker/setup-buildx-action from 2.7.0 to 2.8.0 (#10165)
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-release-1.8...controller-controller-v1.9.0

19
changelog/Changelog-1.9.1.md Normal file
View file

@ -0,0 +1,19 @@
# Changelog
### 1.9.1
Images:
* registry.k8s.io/ingress-nginx/controller:v1.9.1@sha256:605a737877de78969493a4b1213b21de4ee425d2926906857b98050f57a95b25
* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.1@sha256:2ac744ef08850ee86ad7162451a6879f47c1a41c6a757f6b6f913c52103b8836
### All Changes:
* upgrade owasp modsecurity core rule set to v3.3.5 (#10437)
* Start v1.9.1 release (#10463)
* Accept backend protocol on any case (#10461)
* Chart: Rework network policies. (#10438)
### Dependencies updates:
* Bump google.golang.org/grpc from 1.58.0 to 1.58.1 (#10436)
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.9.0...controller-controller-v1.9.1

27
changelog/Changelog-1.9.3.md Normal file
View file

@ -0,0 +1,27 @@
# Changelog
### 1.9.3
Images:
* registry.k8s.io/ingress-nginx/controller:v1.9.3@sha256:8fd21d59428507671ce0fb47f818b1d859c92d2ad07bb7c947268d433030ba98
* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.3@sha256:df4931fd6859fbf1a71e785f02a44b2f9a16f010ae852c442e9bb779cbefdc86
### All Changes:
* update nginx base, httpbun, e2e, helm webhook cert gen (#10506)
* added warning for configuration-snippets usage (#10492)
* Remove legacy GeoIP from controller (#10495)
* add upstream patch for CVE-2023-44487 (#10494)
* Revert "Remove curl from nginx base image (#10477)" (#10479)
* update error and otel to have all the arch we support (#10476)
* Remove curl from nginx base image (#10477)
### Dependencies updates:
* Bump x/net (#10514)
* Bump curl and Go version (#10503)
* Bump google.golang.org/grpc from 1.58.2 to 1.58.3 (#10496)
* Bump github.com/prometheus/client_model (#10486)
* Bump ossf/scorecard-action from 2.2.0 to 2.3.0 (#10487)
* Bump golang.org/x/crypto from 0.13.0 to 0.14.0 (#10485)
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.9.1...controller-controller-v1.9.3

13
changelog/Changelog-1.9.4.md Normal file
View file

@ -0,0 +1,13 @@
# Changelog
### 1.9.4
Images:
* registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.4@sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26
### All Changes:
* Cherry pick fcgi fix and release v1.9.4 (#10544)
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.9.3...controller-controller-v1.9.4

11
charts/ingress-nginx/Chart.yaml
View file

@ -1,14 +1,11 @@
annotations: annotations:
artifacthub.io/changes: | artifacthub.io/changes: |-
- "[helm] Support custom port configuration for internal service (#9846)" - "Update Ingress-Nginx version controller-v1.9.4"
- "Adding resource type to default HPA configuration to resolve issues with Terraform helm chart usage (#9803)"
- "Update Ingress-Nginx version controller-v1.7.1"
artifacthub.io/prerelease: "false" artifacthub.io/prerelease: "false"
apiVersion: v2 apiVersion: v2
appVersion: 1.7.1 appVersion: 1.9.4
description: Ingress controller for Kubernetes using NGINX as a reverse proxy and description: Ingress controller for Kubernetes using NGINX as a reverse proxy and
load balancer load balancer
engine: gotpl
home: https://github.com/kubernetes/ingress-nginx home: https://github.com/kubernetes/ingress-nginx
icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
keywords: keywords:
@ -22,4 +19,4 @@ maintainers:
name: ingress-nginx name: ingress-nginx
sources: sources:
- https://github.com/kubernetes/ingress-nginx - https://github.com/kubernetes/ingress-nginx
version: 4.6.1 version: 4.8.3

87
charts/ingress-nginx/README.md
View file

@ -2,7 +2,7 @@
[ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
![Version: 4.6.1](https://img.shields.io/badge/Version-4.6.1-informational?style=flat-square) ![AppVersion: 1.7.1](https://img.shields.io/badge/AppVersion-1.7.1-informational?style=flat-square) ![Version: 4.8.3](https://img.shields.io/badge/Version-4.8.3-informational?style=flat-square) ![AppVersion: 1.9.4](https://img.shields.io/badge/AppVersion-1.9.4-informational?style=flat-square)
To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
@ -143,8 +143,10 @@ controller:
internal: internal:
enabled: true enabled: true
annotations: annotations:
# Create internal ELB # Create internal NLB
service.beta.kubernetes.io/aws-load-balancer-internal: "true" service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
# Create internal ELB(Deprecated)
# service.beta.kubernetes.io/aws-load-balancer-internal: "true"
# Any other annotation can be declared here. # Any other annotation can be declared here.
``` ```
@ -187,6 +189,8 @@ controller:
# Any other annotation can be declared here. # Any other annotation can be declared here.
``` ```
The load balancer annotations of more cloud service providers can be found: [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer).
An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object. An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object.
Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`. Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`.
@ -236,33 +240,33 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.admissionWebhooks.certManager.enabled | bool | `false` | | | controller.admissionWebhooks.certManager.enabled | bool | `false` | |
| controller.admissionWebhooks.certManager.rootCert.duration | string | `""` | | | controller.admissionWebhooks.certManager.rootCert.duration | string | `""` | |
| controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` | | | controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` | |
| controller.admissionWebhooks.createSecretJob.name | string | `"create"` | |
| controller.admissionWebhooks.createSecretJob.resources | object | `{}` | | | controller.admissionWebhooks.createSecretJob.resources | object | `{}` | |
| controller.admissionWebhooks.createSecretJob.securityContext.allowPrivilegeEscalation | bool | `false` | | | controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers |
| controller.admissionWebhooks.enabled | bool | `true` | | | controller.admissionWebhooks.enabled | bool | `true` | |
| controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one | | controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one |
| controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set | | controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set |
| controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use | | controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use |
| controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` | | | controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` | |
| controller.admissionWebhooks.labels | object | `{}` | Labels to be added to admission webhooks | | controller.admissionWebhooks.labels | object | `{}` | Labels to be added to admission webhooks |
| controller.admissionWebhooks.name | string | `"admission"` | |
| controller.admissionWebhooks.namespaceSelector | object | `{}` | | | controller.admissionWebhooks.namespaceSelector | object | `{}` | |
| controller.admissionWebhooks.networkPolicyEnabled | bool | `false` | |
| controller.admissionWebhooks.objectSelector | object | `{}` | | | controller.admissionWebhooks.objectSelector | object | `{}` | |
| controller.admissionWebhooks.patch.enabled | bool | `true` | | | controller.admissionWebhooks.patch.enabled | bool | `true` | |
| controller.admissionWebhooks.patch.image.digest | string | `"sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f"` | | | controller.admissionWebhooks.patch.image.digest | string | `"sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80"` | |
| controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | | | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | |
| controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | | | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | |
| controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | | | controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | |
| controller.admissionWebhooks.patch.image.tag | string | `"v20230312-helm-chart-4.5.2-28-g66a760794"` | | | controller.admissionWebhooks.patch.image.tag | string | `"v20231011-8b53cabe0"` | |
| controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources | | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
| controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | |
| controller.admissionWebhooks.patch.podAnnotations | object | `{}` | | | controller.admissionWebhooks.patch.podAnnotations | object | `{}` | |
| controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # | | controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # |
| controller.admissionWebhooks.patch.securityContext.fsGroup | int | `2000` | | | controller.admissionWebhooks.patch.securityContext | object | `{}` | Security context for secret creation & webhook patch pods |
| controller.admissionWebhooks.patch.securityContext.runAsNonRoot | bool | `true` | |
| controller.admissionWebhooks.patch.securityContext.runAsUser | int | `2000` | |
| controller.admissionWebhooks.patch.tolerations | list | `[]` | | | controller.admissionWebhooks.patch.tolerations | list | `[]` | |
| controller.admissionWebhooks.patchWebhookJob.name | string | `"patch"` | |
| controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` | | | controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` | |
| controller.admissionWebhooks.patchWebhookJob.securityContext.allowPrivilegeEscalation | bool | `false` | | | controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers |
| controller.admissionWebhooks.port | int | `8443` | | | controller.admissionWebhooks.port | int | `8443` | |
| controller.admissionWebhooks.service.annotations | object | `{}` | | | controller.admissionWebhooks.service.annotations | object | `{}` | |
| controller.admissionWebhooks.service.externalIPs | list | `[]` | | | controller.admissionWebhooks.service.externalIPs | list | `[]` | |
@ -270,10 +274,9 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.admissionWebhooks.service.servicePort | int | `443` | | | controller.admissionWebhooks.service.servicePort | int | `443` | |
| controller.admissionWebhooks.service.type | string | `"ClusterIP"` | | | controller.admissionWebhooks.service.type | string | `"ClusterIP"` | |
| controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # | | controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # |
| controller.allowSnippetAnnotations | bool | `true` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected | | controller.allowSnippetAnnotations | bool | `false` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected |
| controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # | | controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # |
| controller.autoscaling.annotations | object | `{}` | | | controller.autoscaling.annotations | object | `{}` | |
| controller.autoscaling.apiVersion | string | `"autoscaling/v2"` | |
| controller.autoscaling.behavior | object | `{}` | | | controller.autoscaling.behavior | object | `{}` | |
| controller.autoscaling.enabled | bool | `false` | | | controller.autoscaling.enabled | bool | `false` | |
| controller.autoscaling.maxReplicas | int | `11` | | | controller.autoscaling.maxReplicas | int | `11` | |
@ -286,13 +289,15 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.configMapNamespace | string | `""` | Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) | | controller.configMapNamespace | string | `""` | Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) |
| controller.containerName | string | `"controller"` | Configures the controller container name | | controller.containerName | string | `"controller"` | Configures the controller container name |
| controller.containerPort | object | `{"http":80,"https":443}` | Configures the ports that the nginx-controller listens on | | controller.containerPort | object | `{"http":80,"https":443}` | Configures the ports that the nginx-controller listens on |
| controller.containerSecurityContext | object | `{}` | Security context for controller containers |
| controller.customTemplate.configMapKey | string | `""` | | | controller.customTemplate.configMapKey | string | `""` | |
| controller.customTemplate.configMapName | string | `""` | | | controller.customTemplate.configMapName | string | `""` | |
| controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. | | controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. |
| controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. | | controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. |
| controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' | | controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' |
| controller.enableAnnotationValidations | bool | `false` | |
| controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # | | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # |
| controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto" Defaults to false | | controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false |
| controller.existingPsp | string | `""` | Use an existing PSP instead of creating one | | controller.existingPsp | string | `""` | Use an existing PSP instead of creating one |
| controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use | | controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use |
| controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. | | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. |
@ -303,20 +308,24 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. | | controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. |
| controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. | | controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. |
| controller.healthCheckPath | string | `"/healthz"` | Path of the health check endpoint. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. | | controller.healthCheckPath | string | `"/healthz"` | Path of the health check endpoint. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. |
| controller.hostAliases | list | `[]` | Optionally customize the pod hostAliases. |
| controller.hostNetwork | bool | `false` | Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 is merged | | controller.hostNetwork | bool | `false` | Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 is merged |
| controller.hostPort.enabled | bool | `false` | Enable 'hostPort' or not | | controller.hostPort.enabled | bool | `false` | Enable 'hostPort' or not |
| controller.hostPort.ports.http | int | `80` | 'hostPort' http port | | controller.hostPort.ports.http | int | `80` | 'hostPort' http port |
| controller.hostPort.ports.https | int | `443` | 'hostPort' https port | | controller.hostPort.ports.https | int | `443` | 'hostPort' https port |
| controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.hostname | object | `{}` | Optionally customize the pod hostname. |
| controller.image.allowPrivilegeEscalation | bool | `true` | | | controller.image.allowPrivilegeEscalation | bool | `false` | |
| controller.image.chroot | bool | `false` | | | controller.image.chroot | bool | `false` | |
| controller.image.digest | string | `"sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407"` | | | controller.image.digest | string | `"sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3"` | |
| controller.image.digestChroot | string | `"sha256:e35d5ab487861b9d419c570e3530589229224a0762c7b4d2e2222434abb8d988"` | | | controller.image.digestChroot | string | `"sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26"` | |
| controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.image | string | `"ingress-nginx/controller"` | |
| controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | |
| controller.image.readOnlyRootFilesystem | bool | `false` | |
| controller.image.registry | string | `"registry.k8s.io"` | | | controller.image.registry | string | `"registry.k8s.io"` | |
| controller.image.runAsNonRoot | bool | `true` | |
| controller.image.runAsUser | int | `101` | | | controller.image.runAsUser | int | `101` | |
| controller.image.tag | string | `"v1.7.1"` | | | controller.image.seccompProfile.type | string | `"RuntimeDefault"` | |
| controller.image.tag | string | `"v1.9.4"` | |
| controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
| controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
| controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass | | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass |
@ -353,7 +362,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.metrics.prometheusRule.enabled | bool | `false` | | | controller.metrics.prometheusRule.enabled | bool | `false` | |
| controller.metrics.prometheusRule.rules | list | `[]` | | | controller.metrics.prometheusRule.rules | list | `[]` | |
| controller.metrics.service.annotations | object | `{}` | | | controller.metrics.service.annotations | object | `{}` | |
| controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # | | controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
| controller.metrics.service.labels | object | `{}` | Labels to be added to the metrics service resource | | controller.metrics.service.labels | object | `{}` | Labels to be added to the metrics service resource |
| controller.metrics.service.loadBalancerSourceRanges | list | `[]` | | | controller.metrics.service.loadBalancerSourceRanges | list | `[]` | |
| controller.metrics.service.servicePort | int | `10254` | | | controller.metrics.service.servicePort | int | `10254` | |
@ -366,19 +375,31 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.metrics.serviceMonitor.relabelings | list | `[]` | | | controller.metrics.serviceMonitor.relabelings | list | `[]` | |
| controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` | | | controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` | |
| controller.metrics.serviceMonitor.targetLabels | list | `[]` | | | controller.metrics.serviceMonitor.targetLabels | list | `[]` | |
| controller.minAvailable | int | `1` | Define either 'minAvailable' or 'maxUnavailable', never both. | | controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. |
| controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
| controller.name | string | `"controller"` | | | controller.name | string | `"controller"` | |
| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ # | | controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
| controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | | controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | |
| controller.opentelemetry.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | |
| controller.opentelemetry.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | |
| controller.opentelemetry.containerSecurityContext.runAsNonRoot | bool | `true` | |
| controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. |
| controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| controller.opentelemetry.distroless | bool | `true` | |
| controller.opentelemetry.enabled | bool | `false` | | | controller.opentelemetry.enabled | bool | `false` | |
| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` | |
| controller.opentelemetry.name | string | `"opentelemetry"` | |
| controller.opentelemetry.resources | object | `{}` | |
| controller.opentelemetry.image.digest | string | `"sha256:40f766ac4a9832f36f217bb0e98d44c8d38faeccbfe861fbc1a76af7e9ab257f"` | | | controller.opentelemetry.image.digest | string | `"sha256:40f766ac4a9832f36f217bb0e98d44c8d38faeccbfe861fbc1a76af7e9ab257f"` | |
| controller.opentelemetry.image.image | string | `"ingress-nginx/opentelemetry"` | | | controller.opentelemetry.image.image | string | `"ingress-nginx/opentelemetry"` | |
| controller.opentelemetry.image.registry | string | `"registry.k8s.io"` | | | controller.opentelemetry.image.registry | string | `"registry.k8s.io"` | |
| controller.opentelemetry.image.tag | string | `"v20230312-helm-chart-4.5.2-28-g66a760794"` | | | controller.opentelemetry.image.tag | string | `"v20230312-helm-chart-4.5.2-28-g66a760794"` | |
| controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # | | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # |
| controller.podLabels | object | `{}` | Labels to add to the pod container metadata | | controller.podLabels | object | `{}` | Labels to add to the pod container metadata |
| controller.podSecurityContext | object | `{}` | Security Context policies for controller pods | | controller.podSecurityContext | object | `{}` | Security context for controller pods |
| controller.priorityClassName | string | `""` | | | controller.priorityClassName | string | `""` | |
| controller.proxySetHeaders | object | `{}` | Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers | | controller.proxySetHeaders | object | `{}` | Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers |
| controller.publishService | object | `{"enabled":true,"pathOverride":""}` | Allows customization of the source of the IP address or FQDN to report in the ingress status field. By default, it reads the information provided by the service. If disable, the status field reports the IP address of the node or nodes where an ingress controller pod is running. | | controller.publishService | object | `{"enabled":true,"pathOverride":""}` | Allows customization of the source of the IP address or FQDN to report in the ingress status field. By default, it reads the information provided by the service. If disable, the status field reports the IP address of the node or nodes where an ingress controller pod is running. |
@ -399,21 +420,23 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.scope.enabled | bool | `false` | Enable 'scope' or not | | controller.scope.enabled | bool | `false` | Enable 'scope' or not |
| controller.scope.namespace | string | `""` | Namespace to limit the controller to; defaults to $(POD_NAMESPACE) | | controller.scope.namespace | string | `""` | Namespace to limit the controller to; defaults to $(POD_NAMESPACE) |
| controller.scope.namespaceSelector | string | `""` | When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. | | controller.scope.namespaceSelector | string | `""` | When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. |
| controller.service.annotations | object | `{}` | | | controller.service.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine. |
| controller.service.appProtocol | bool | `true` | If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http It allows choosing the protocol for each backend specified in the Kubernetes service. See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 Will be ignored for Kubernetes versions older than 1.20 # | | controller.service.appProtocol | bool | `true` | If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http It allows choosing the protocol for each backend specified in the Kubernetes service. See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 Will be ignored for Kubernetes versions older than 1.20 # |
| controller.service.enableHttp | bool | `true` | | | controller.service.enableHttp | bool | `true` | |
| controller.service.enableHttps | bool | `true` | | | controller.service.enableHttps | bool | `true` | |
| controller.service.enabled | bool | `true` | | | controller.service.enabled | bool | `true` | |
| controller.service.external.enabled | bool | `true` | | | controller.service.external.enabled | bool | `true` | |
| controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # | | controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
| controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. | | controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine. |
| controller.service.internal.enabled | bool | `false` | Enables an additional internal load balancer (besides the external one). | | controller.service.internal.enabled | bool | `false` | Enables an additional internal load balancer (besides the external one). |
| controller.service.internal.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS. |
| controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. | | controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. |
| controller.service.internal.ports | object | `{}` | Custom port mapping for internal service | | controller.service.internal.ports | object | `{}` | Custom port mapping for internal service |
| controller.service.internal.targetPorts | object | `{}` | Custom target port mapping for internal service | | controller.service.internal.targetPorts | object | `{}` | Custom target port mapping for internal service |
| controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ | | controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ |
| controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack-ness requested or required by this Service. Possible values are SingleStack, PreferDualStack or RequireDualStack. The ipFamilies and clusterIPs fields depend on the value of this field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ | | controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack-ness requested or required by this Service. Possible values are SingleStack, PreferDualStack or RequireDualStack. The ipFamilies and clusterIPs fields depend on the value of this field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ |
| controller.service.labels | object | `{}` | | | controller.service.labels | object | `{}` | |
| controller.service.loadBalancerClass | string | `""` | Used by cloud providers to select a load balancer implementation other than the cloud provider default. https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class |
| controller.service.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer | | controller.service.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer |
| controller.service.loadBalancerSourceRanges | list | `[]` | | | controller.service.loadBalancerSourceRanges | list | `[]` | |
| controller.service.nodePorts.http | string | `""` | | | controller.service.nodePorts.http | string | `""` | |
@ -426,7 +449,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.service.targetPorts.https | string | `"https"` | | | controller.service.targetPorts.https | string | `"https"` | |
| controller.service.type | string | `"LoadBalancer"` | | | controller.service.type | string | `"LoadBalancer"` | |
| controller.shareProcessNamespace | bool | `false` | | | controller.shareProcessNamespace | bool | `false` | |
| controller.sysctls | object | `{}` | See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls | | controller.sysctls | object | `{}` | sysctls for controller pods # Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ |
| controller.tcp.annotations | object | `{}` | Annotations to be added to the tcp config configmap | | controller.tcp.annotations | object | `{}` | Annotations to be added to the tcp config configmap |
| controller.tcp.configMapNamespace | string | `""` | Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) | | controller.tcp.configMapNamespace | string | `""` | Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) |
| controller.terminationGracePeriodSeconds | int | `300` | `terminationGracePeriodSeconds` to avoid killing pods before we are ready # wait up to five minutes for the drain of connections # | | controller.terminationGracePeriodSeconds | int | `300` | `terminationGracePeriodSeconds` to avoid killing pods before we are ready # wait up to five minutes for the drain of connections # |
@ -438,13 +461,12 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.watchIngressWithoutClass | bool | `false` | Process Ingress objects without ingressClass annotation/ingressClassName field Overrides value for --watch-ingress-without-class flag of the controller binary Defaults to false | | controller.watchIngressWithoutClass | bool | `false` | Process Ingress objects without ingressClass annotation/ingressClassName field Overrides value for --watch-ingress-without-class flag of the controller binary Defaults to false |
| defaultBackend.affinity | object | `{}` | | | defaultBackend.affinity | object | `{}` | |
| defaultBackend.autoscaling.annotations | object | `{}` | | | defaultBackend.autoscaling.annotations | object | `{}` | |
| defaultBackend.autoscaling.apiVersion | string | `"autoscaling/v2"` | |
| defaultBackend.autoscaling.enabled | bool | `false` | | | defaultBackend.autoscaling.enabled | bool | `false` | |
| defaultBackend.autoscaling.maxReplicas | int | `2` | | | defaultBackend.autoscaling.maxReplicas | int | `2` | |
| defaultBackend.autoscaling.minReplicas | int | `1` | | | defaultBackend.autoscaling.minReplicas | int | `1` | |
| defaultBackend.autoscaling.targetCPUUtilizationPercentage | int | `50` | | | defaultBackend.autoscaling.targetCPUUtilizationPercentage | int | `50` | |
| defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` | | | defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` | |
| defaultBackend.containerSecurityContext | object | `{}` | Security Context policies for controller main container. See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # | | defaultBackend.containerSecurityContext | object | `{}` | Security context for default backend containers |
| defaultBackend.enabled | bool | `false` | | | defaultBackend.enabled | bool | `false` | |
| defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one | | defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one |
| defaultBackend.extraArgs | object | `{}` | | | defaultBackend.extraArgs | object | `{}` | |
@ -458,6 +480,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.image.registry | string | `"registry.k8s.io"` | | | defaultBackend.image.registry | string | `"registry.k8s.io"` | |
| defaultBackend.image.runAsNonRoot | bool | `true` | | | defaultBackend.image.runAsNonRoot | bool | `true` | |
| defaultBackend.image.runAsUser | int | `65534` | | | defaultBackend.image.runAsUser | int | `65534` | |
| defaultBackend.image.seccompProfile.type | string | `"RuntimeDefault"` | |
| defaultBackend.image.tag | string | `"1.5"` | | | defaultBackend.image.tag | string | `"1.5"` | |
| defaultBackend.labels | object | `{}` | Labels to be added to the default backend resources | | defaultBackend.labels | object | `{}` | Labels to be added to the default backend resources |
| defaultBackend.livenessProbe.failureThreshold | int | `3` | | | defaultBackend.livenessProbe.failureThreshold | int | `3` | |
@ -468,10 +491,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.minAvailable | int | `1` | | | defaultBackend.minAvailable | int | `1` | |
| defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
| defaultBackend.name | string | `"defaultbackend"` | | | defaultBackend.name | string | `"defaultbackend"` | |
| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ # | | defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
| defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # | | defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # |
| defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata | | defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata |
| defaultBackend.podSecurityContext | object | `{}` | Security Context policies for controller pods See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # | | defaultBackend.podSecurityContext | object | `{}` | Security context for default backend pods |
| defaultBackend.port | int | `8080` | | | defaultBackend.port | int | `8080` | |
| defaultBackend.priorityClassName | string | `""` | | | defaultBackend.priorityClassName | string | `""` | |
| defaultBackend.readinessProbe.failureThreshold | int | `6` | | | defaultBackend.readinessProbe.failureThreshold | int | `6` | |
@ -482,7 +506,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.replicaCount | int | `1` | | | defaultBackend.replicaCount | int | `1` | |
| defaultBackend.resources | object | `{}` | | | defaultBackend.resources | object | `{}` | |
| defaultBackend.service.annotations | object | `{}` | | | defaultBackend.service.annotations | object | `{}` | |
| defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # | | defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
| defaultBackend.service.loadBalancerSourceRanges | list | `[]` | | | defaultBackend.service.loadBalancerSourceRanges | list | `[]` | |
| defaultBackend.service.servicePort | int | `80` | | | defaultBackend.service.servicePort | int | `80` | |
| defaultBackend.service.type | string | `"ClusterIP"` | | | defaultBackend.service.type | string | `"ClusterIP"` | |
@ -493,6 +517,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # | | defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
| dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param | | dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param |
| imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | | imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
| namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace |
| podSecurityPolicy.enabled | bool | `false` | | | podSecurityPolicy.enabled | bool | `false` | |
| portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration | | portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration |
| rbac.create | bool | `true` | | | rbac.create | bool | `true` | |

8
charts/ingress-nginx/README.md.gotmpl
View file

@ -140,8 +140,10 @@ controller:
internal: internal:
enabled: true enabled: true
annotations: annotations:
# Create internal ELB # Create internal NLB
service.beta.kubernetes.io/aws-load-balancer-internal: "true" service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
# Create internal ELB(Deprecated)
# service.beta.kubernetes.io/aws-load-balancer-internal: "true"
# Any other annotation can be declared here. # Any other annotation can be declared here.
``` ```
@ -184,6 +186,8 @@ controller:
# Any other annotation can be declared here. # Any other annotation can be declared here.
``` ```
The load balancer annotations of more cloud service providers can be found: [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer).
An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object. An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object.
Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`. Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`.

14
charts/ingress-nginx/changelog/Changelog-4.7.0.md Normal file
View file

@ -0,0 +1,14 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.7.0
* helm: Fix opentelemetry module installation for daemonset (#9792)
* Update charts/* to keep project name display aligned (#9931)
* HPA: Use capabilites & align manifests. (#9521)
* PodDisruptionBudget spec logic update (#9904)
* add option for annotations in PodDisruptionBudget (#9843)
* Update Ingress-Nginx version controller-v1.8.0
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.6.1...helm-chart-4.7.0

12
charts/ingress-nginx/changelog/Changelog-4.7.1.md Normal file
View file

@ -0,0 +1,12 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.7.1
* Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406)
* feat(helm): Add loadBalancerClass (#9562)
* added helmshowvalues example (#10019)
* Update Ingress-Nginx version controller-v1.8.1
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.0...helm-chart-4.7.1

9
charts/ingress-nginx/changelog/Changelog-4.7.2.md Normal file
View file

@ -0,0 +1,9 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.7.2
* Update Ingress-Nginx version controller-v1.8.2
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.1...helm-chart-4.7.2

13
charts/ingress-nginx/changelog/Changelog-4.8.0-beta.0.md Normal file
View file

@ -0,0 +1,13 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.8.0-beta.0
* ci(helm): fix Helm Chart release action 422 error (#10237)
* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249)
* [helm] configure allow to configure hostAliases (#10180)
* [helm] pass service annotations through helm tpl engine (#10084)
* Update Ingress-Nginx version controller-v1.9.0-beta.0
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.2...helm-chart-4.8.0-beta.0

13
charts/ingress-nginx/changelog/Changelog-4.8.0.md Normal file
View file

@ -0,0 +1,13 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.8.0
* ci(helm): fix Helm Chart release action 422 error (#10237)
* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249)
* [helm] configure allow to configure hostAliases (#10180)
* [helm] pass service annotations through helm tpl engine (#10084)
* Update Ingress-Nginx version controller-v1.9.0
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.2...helm-chart-4.8.0

9
charts/ingress-nginx/changelog/Changelog-4.8.1.md Normal file
View file

@ -0,0 +1,9 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.8.1
* Update Ingress-Nginx version controller-v1.9.1
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.0...helm-chart-4.8.1

10
charts/ingress-nginx/changelog/Changelog-4.8.2.md Normal file
View file

@ -0,0 +1,10 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.8.2
* - "update nginx base, httpbun, e2e, helm webhook cert gen (#10506)"
* - "Update Ingress-Nginx version controller-v1.9.3"
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.1...helm-chart-4.8.2

8
charts/ingress-nginx/changelog/Changelog-4.8.3.md Normal file
View file

@ -0,0 +1,8 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.8.3
* Update Ingress-Nginx version controller-v1.9.4
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.2...helm-chart-4.8.3

18
charts/ingress-nginx/templates/NOTES.txt
View file

@ -6,24 +6,24 @@ Get the application URL by running these commands:
{{- if (not (empty .Values.controller.service.nodePorts.http)) }} {{- if (not (empty .Values.controller.service.nodePorts.http)) }}
export HTTP_NODE_PORT={{ .Values.controller.service.nodePorts.http }} export HTTP_NODE_PORT={{ .Values.controller.service.nodePorts.http }}
{{- else }} {{- else }}
export HTTP_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[0].nodePort}" {{ include "ingress-nginx.controller.fullname" . }}) export HTTP_NODE_PORT=$(kubectl get service --namespace {{ include "ingress-nginx.namespace" . }} {{ include "ingress-nginx.controller.fullname" . }} --output jsonpath="{.spec.ports[0].nodePort}")
{{- end }} {{- end }}
{{- if (not (empty .Values.controller.service.nodePorts.https)) }} {{- if (not (empty .Values.controller.service.nodePorts.https)) }}
export HTTPS_NODE_PORT={{ .Values.controller.service.nodePorts.https }} export HTTPS_NODE_PORT={{ .Values.controller.service.nodePorts.https }}
{{- else }} {{- else }}
export HTTPS_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[1].nodePort}" {{ include "ingress-nginx.controller.fullname" . }}) export HTTPS_NODE_PORT=$(kubectl get service --namespace {{ include "ingress-nginx.namespace" . }} {{ include "ingress-nginx.controller.fullname" . }} --output jsonpath="{.spec.ports[1].nodePort}")
{{- end }} {{- end }}
export NODE_IP=$(kubectl --namespace {{ .Release.Namespace }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}") export NODE_IP="$(kubectl get nodes --output jsonpath="{.items[0].status.addresses[1].address}")"
echo "Visit http://$NODE_IP:$HTTP_NODE_PORT to access your application via HTTP." echo "Visit http://${NODE_IP}:${HTTP_NODE_PORT} to access your application via HTTP."
echo "Visit https://$NODE_IP:$HTTPS_NODE_PORT to access your application via HTTPS." echo "Visit https://${NODE_IP}:${HTTPS_NODE_PORT} to access your application via HTTPS."
{{- else if contains "LoadBalancer" .Values.controller.service.type }} {{- else if contains "LoadBalancer" .Values.controller.service.type }}
It may take a few minutes for the LoadBalancer IP to be available. It may take a few minutes for the load balancer IP to be available.
You can watch the status by running 'kubectl --namespace {{ .Release.Namespace }} get services -o wide -w {{ include "ingress-nginx.controller.fullname" . }}' You can watch the status by running 'kubectl get service --namespace {{ include "ingress-nginx.namespace" . }} {{ include "ingress-nginx.controller.fullname" . }} --output wide --watch'
{{- else if contains "ClusterIP" .Values.controller.service.type }} {{- else if contains "ClusterIP" .Values.controller.service.type }}
Get the application URL by running these commands: Get the application URL by running these commands:
export POD_NAME=$(kubectl --namespace {{ .Release.Namespace }} get pods -o jsonpath="{.items[0].metadata.name}" -l "app={{ template "ingress-nginx.name" . }},component={{ .Values.controller.name }},release={{ .Release.Name }}") export POD_NAME="$(kubectl get pods --namespace {{ include "ingress-nginx.namespace" . }} --selector app.kubernetes.io/name={{ include "ingress-nginx.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=controller --output jsonpath="{.items[0].metadata.name}")"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80 kubectl port-forward --namespace {{ include "ingress-nginx.namespace" . }} "${POD_NAME}" 8080:80
echo "Visit http://127.0.0.1:8080 to access your application." echo "Visit http://127.0.0.1:8080 to access your application."
{{- end }} {{- end }}

108
charts/ingress-nginx/templates/_helpers.tpl
View file

@ -30,25 +30,40 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{/*
Expand the namespace of the release.
Allows overriding it for multi-namespace deployments in combined charts.
*/}}
{{- define "ingress-nginx.namespace" -}}
{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/* {{/*
Container SecurityContext. Controller container security context.
*/}} */}}
{{- define "controller.containerSecurityContext" -}} {{- define "ingress-nginx.controller.containerSecurityContext" -}}
{{- if .Values.controller.containerSecurityContext -}} {{- if .Values.controller.containerSecurityContext -}}
{{- toYaml .Values.controller.containerSecurityContext -}} {{- toYaml .Values.controller.containerSecurityContext -}}
{{- else -}} {{- else -}}
runAsNonRoot: {{ .Values.controller.image.runAsNonRoot }}
runAsUser: {{ .Values.controller.image.runAsUser }}
allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }}
{{- if .Values.controller.image.seccompProfile }}
seccompProfile: {{ toYaml .Values.controller.image.seccompProfile | nindent 2 }}
{{- end }}
capabilities: capabilities:
drop: drop:
- ALL - ALL
add: add:
- NET_BIND_SERVICE - NET_BIND_SERVICE
{{- if .Values.controller.image.chroot }} {{- if .Values.controller.image.chroot }}
{{- if .Values.controller.image.seccompProfile }}
- SYS_ADMIN
{{- end }}
- SYS_CHROOT - SYS_CHROOT
{{- end }} {{- end }}
runAsUser: {{ .Values.controller.image.runAsUser }} readOnlyRootFilesystem: {{ .Values.controller.image.readOnlyRootFilesystem }}
allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }} {{- end -}}
{{- end }}
{{- end -}} {{- end -}}
{{/* {{/*
@ -102,7 +117,6 @@ By convention this will simply use the <namespace>/<controller-name> to match th
service generated. service generated.
Users can provide an override for an explicit service they want bound via `.Values.controller.publishService.pathOverride` Users can provide an override for an explicit service they want bound via `.Values.controller.publishService.pathOverride`
*/}} */}}
{{- define "ingress-nginx.controller.publishServicePath" -}} {{- define "ingress-nginx.controller.publishServicePath" -}}
{{- $defServiceName := printf "%s/%s" "$(POD_NAMESPACE)" (include "ingress-nginx.controller.fullname" .) -}} {{- $defServiceName := printf "%s/%s" "$(POD_NAMESPACE)" (include "ingress-nginx.controller.fullname" .) -}}
@ -110,14 +124,6 @@ Users can provide an override for an explicit service they want bound via `.Valu
{{- print $servicePath | trimSuffix "-" -}} {{- print $servicePath | trimSuffix "-" -}}
{{- end -}} {{- end -}}
{{/*
Create a default fully qualified default backend name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "ingress-nginx.defaultBackend.fullname" -}}
{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/* {{/*
Common labels Common labels
*/}} */}}
@ -153,6 +159,38 @@ Create the name of the controller service account to use
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{/*
Create a default fully qualified admission webhook name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "ingress-nginx.admissionWebhooks.fullname" -}}
{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.controller.admissionWebhooks.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified admission webhook secret creation job name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "ingress-nginx.admissionWebhooks.createSecretJob.fullname" -}}
{{- printf "%s-%s" (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.createSecretJob.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified admission webhook patch job name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "ingress-nginx.admissionWebhooks.patchWebhookJob.fullname" -}}
{{- printf "%s-%s" (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.patchWebhookJob.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified default backend name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "ingress-nginx.defaultBackend.fullname" -}}
{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/* {{/*
Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
*/}} */}}
@ -164,6 +202,26 @@ Create the name of the backend service account to use - only used when podsecuri
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{/*
Default backend container security context.
*/}}
{{- define "ingress-nginx.defaultBackend.containerSecurityContext" -}}
{{- if .Values.defaultBackend.containerSecurityContext -}}
{{- toYaml .Values.defaultBackend.containerSecurityContext -}}
{{- else -}}
runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
{{- if .Values.defaultBackend.image.seccompProfile }}
seccompProfile: {{ toYaml .Values.defaultBackend.image.seccompProfile | nindent 2 }}
{{- end }}
capabilities:
drop:
- ALL
readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem }}
{{- end -}}
{{- end -}}
{{/* {{/*
Return the appropriate apiGroup for PodSecurityPolicy. Return the appropriate apiGroup for PodSecurityPolicy.
*/}} */}}
@ -198,15 +256,23 @@ IngressClass parameters.
Extra modules. Extra modules.
*/}} */}}
{{- define "extraModules" -}} {{- define "extraModules" -}}
- name: {{ .name }} - name: {{ .name }}
image: {{ .image }} image: {{ .image }}
command: ['sh', '-c', '/usr/local/bin/init_module.sh'] command:
{{- if (.containerSecurityContext) }} {{- if .distroless }}
securityContext: {{ .containerSecurityContext | toYaml | nindent 4 }} - /init_module
{{- else }}
- sh
- -c
- /usr/local/bin/init_module.sh
{{- end }}
{{- if .containerSecurityContext }}
securityContext: {{ toYaml .containerSecurityContext | nindent 4 }}
{{- end }}
{{- if .resources }}
resources: {{ toYaml .resources | nindent 4 }}
{{- end }} {{- end }}
volumeMounts: volumeMounts:
- name: {{ toYaml "modules"}} - name: modules
mountPath: {{ toYaml "/modules_mount"}} mountPath: /modules_mount
{{- end -}} {{- end -}}

3
charts/ingress-nginx/templates/_params.tpl
View file

@ -1,5 +1,8 @@
{{- define "ingress-nginx.params" -}} {{- define "ingress-nginx.params" -}}
- /nginx-ingress-controller - /nginx-ingress-controller
{{- if .Values.controller.enableAnnotationValidations }}
- --enable-annotation-validation=true
{{- end }}
{{- if .Values.defaultBackend.enabled }} {{- if .Values.defaultBackend.enabled }}
- --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }} - --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }}
{{- end }} {{- end }}

16
charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml
View file

@ -6,7 +6,7 @@ apiVersion: cert-manager.io/v1
kind: Issuer kind: Issuer
metadata: metadata:
name: {{ include "ingress-nginx.fullname" . }}-self-signed-issuer name: {{ include "ingress-nginx.fullname" . }}-self-signed-issuer
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
spec: spec:
selfSigned: {} selfSigned: {}
--- ---
@ -15,7 +15,7 @@ apiVersion: cert-manager.io/v1
kind: Certificate kind: Certificate
metadata: metadata:
name: {{ include "ingress-nginx.fullname" . }}-root-cert name: {{ include "ingress-nginx.fullname" . }}-root-cert
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
spec: spec:
secretName: {{ include "ingress-nginx.fullname" . }}-root-cert secretName: {{ include "ingress-nginx.fullname" . }}-root-cert
duration: {{ .Values.controller.admissionWebhooks.certManager.rootCert.duration | default "43800h0m0s" | quote }} duration: {{ .Values.controller.admissionWebhooks.certManager.rootCert.duration | default "43800h0m0s" | quote }}
@ -32,7 +32,7 @@ apiVersion: cert-manager.io/v1
kind: Issuer kind: Issuer
metadata: metadata:
name: {{ include "ingress-nginx.fullname" . }}-root-issuer name: {{ include "ingress-nginx.fullname" . }}-root-issuer
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
spec: spec:
ca: ca:
secretName: {{ include "ingress-nginx.fullname" . }}-root-cert secretName: {{ include "ingress-nginx.fullname" . }}-root-cert
@ -42,10 +42,10 @@ spec:
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: Certificate kind: Certificate
metadata: metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
spec: spec:
secretName: {{ include "ingress-nginx.fullname" . }}-admission secretName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
duration: {{ .Values.controller.admissionWebhooks.certManager.admissionCert.duration | default "8760h0m0s" | quote }} duration: {{ .Values.controller.admissionWebhooks.certManager.admissionCert.duration | default "8760h0m0s" | quote }}
issuerRef: issuerRef:
{{- if .Values.controller.admissionWebhooks.certManager.issuerRef }} {{- if .Values.controller.admissionWebhooks.certManager.issuerRef }}
@ -55,8 +55,8 @@ spec:
{{- end }} {{- end }}
dnsNames: dnsNames:
- {{ include "ingress-nginx.controller.fullname" . }}-admission - {{ include "ingress-nginx.controller.fullname" . }}-admission
- {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }} - {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ include "ingress-nginx.namespace" . }}
- {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }}.svc - {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ include "ingress-nginx.namespace" . }}.svc
subject: subject:
organizations: organizations:
- ingress-nginx-admission - ingress-nginx-admission

13
charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
View file

@ -2,7 +2,7 @@
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
annotations: annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@ -21,14 +21,13 @@ rules:
- get - get
- update - update
{{- if .Values.podSecurityPolicy.enabled }} {{- if .Values.podSecurityPolicy.enabled }}
- apiGroups: ['extensions'] - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
resources: ['podsecuritypolicies'] resources: ['podsecuritypolicies']
verbs: ['use'] verbs: ['use']
resourceNames:
{{- with .Values.controller.admissionWebhooks.existingPsp }} {{- with .Values.controller.admissionWebhooks.existingPsp }}
- {{ . }} resourceNames: [{{ . }}]
{{- else }} {{- else }}
- {{ include "ingress-nginx.fullname" . }}-admission resourceNames: [{{ include "ingress-nginx.admissionWebhooks.fullname" . }}]
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}

8
charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
View file

@ -2,7 +2,7 @@
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
annotations: annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@ -15,9 +15,9 @@ metadata:
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: {{ include "ingress-nginx.fullname" . }}-admission name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ include "ingress-nginx.fullname" . }}-admission name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
namespace: {{ .Release.Namespace | quote }} namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }} {{- end }}

17
charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
View file

@ -2,8 +2,8 @@
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission-create name: {{ include "ingress-nginx.admissionWebhooks.createSecretJob.fullname" . }}
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
annotations: annotations:
"helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@ -23,7 +23,7 @@ spec:
{{- end }} {{- end }}
template: template:
metadata: metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission-create name: {{ include "ingress-nginx.admissionWebhooks.createSecretJob.fullname" . }}
{{- if .Values.controller.admissionWebhooks.patch.podAnnotations }} {{- if .Values.controller.admissionWebhooks.patch.podAnnotations }}
annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }} annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }}
{{- end }} {{- end }}
@ -50,7 +50,7 @@ spec:
- create - create
- --host={{ include "ingress-nginx.controller.fullname" . }}-admission,{{ include "ingress-nginx.controller.fullname" . }}-admission.$(POD_NAMESPACE).svc - --host={{ include "ingress-nginx.controller.fullname" . }}-admission,{{ include "ingress-nginx.controller.fullname" . }}-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE) - --namespace=$(POD_NAMESPACE)
- --secret-name={{ include "ingress-nginx.fullname" . }}-admission - --secret-name={{ include "ingress-nginx.admissionWebhooks.fullname" . }}
env: env:
- name: POD_NAMESPACE - name: POD_NAMESPACE
valueFrom: valueFrom:
@ -66,15 +66,14 @@ spec:
resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }} resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }}
{{- end }} {{- end }}
restartPolicy: OnFailure restartPolicy: OnFailure
serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
{{- if .Values.controller.admissionWebhooks.patch.nodeSelector }} {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }} nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.controller.admissionWebhooks.patch.tolerations }} {{- if .Values.controller.admissionWebhooks.patch.tolerations }}
tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }} tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.controller.admissionWebhooks.patch.securityContext }} {{- if .Values.controller.admissionWebhooks.patch.securityContext }}
securityContext: securityContext: {{ toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
{{- toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }} {{- end }}
{{- end }}
{{- end }} {{- end }}

19
charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
View file

@ -2,8 +2,8 @@
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission-patch name: {{ include "ingress-nginx.admissionWebhooks.patchWebhookJob.fullname" . }}
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
annotations: annotations:
"helm.sh/hook": post-install,post-upgrade "helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@ -23,7 +23,7 @@ spec:
{{- end }} {{- end }}
template: template:
metadata: metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission-patch name: {{ include "ingress-nginx.admissionWebhooks.patchWebhookJob.fullname" . }}
{{- if .Values.controller.admissionWebhooks.patch.podAnnotations }} {{- if .Values.controller.admissionWebhooks.patch.podAnnotations }}
annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }} annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }}
{{- end }} {{- end }}
@ -48,10 +48,10 @@ spec:
imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }} imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
args: args:
- patch - patch
- --webhook-name={{ include "ingress-nginx.fullname" . }}-admission - --webhook-name={{ include "ingress-nginx.admissionWebhooks.fullname" . }}
- --namespace=$(POD_NAMESPACE) - --namespace=$(POD_NAMESPACE)
- --patch-mutating=false - --patch-mutating=false
- --secret-name={{ include "ingress-nginx.fullname" . }}-admission - --secret-name={{ include "ingress-nginx.admissionWebhooks.fullname" . }}
- --patch-failure-policy={{ .Values.controller.admissionWebhooks.failurePolicy }} - --patch-failure-policy={{ .Values.controller.admissionWebhooks.failurePolicy }}
env: env:
- name: POD_NAMESPACE - name: POD_NAMESPACE
@ -68,15 +68,14 @@ spec:
resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }} resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }}
{{- end }} {{- end }}
restartPolicy: OnFailure restartPolicy: OnFailure
serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
{{- if .Values.controller.admissionWebhooks.patch.nodeSelector }} {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }} nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.controller.admissionWebhooks.patch.tolerations }} {{- if .Values.controller.admissionWebhooks.patch.tolerations }}
tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }} tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.controller.admissionWebhooks.patch.securityContext }} {{- if .Values.controller.admissionWebhooks.patch.securityContext }}
securityContext: securityContext: {{ toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
{{- toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }} {{- end }}
{{- end }}
{{- end }} {{- end }}

14
charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml
View file

@ -1,9 +1,9 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.networkPolicyEnabled }} {{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: NetworkPolicy kind: NetworkPolicy
metadata: metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
annotations: annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@ -16,11 +16,11 @@ metadata:
spec: spec:
podSelector: podSelector:
matchLabels: matchLabels:
{{- include "ingress-nginx.labels" . | nindent 6 }} {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: admission-webhook app.kubernetes.io/component: admission-webhook
policyTypes: policyTypes:
- Ingress - Ingress
- Egress - Egress
egress: egress:
- {} - {}
{{- end }} {{- end }}

49
charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
View file

@ -1,12 +1,13 @@
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} {{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}} {{- if and .Values.podSecurityPolicy.enabled .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
apiVersion: policy/v1beta1 apiVersion: policy/v1beta1
kind: PodSecurityPolicy kind: PodSecurityPolicy
metadata: metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
annotations: annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
labels: labels:
{{- include "ingress-nginx.labels" . | nindent 4 }} {{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook app.kubernetes.io/component: admission-webhook
@ -14,28 +15,38 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
spec: spec:
allowPrivilegeEscalation: false privileged: false
hostPID: false
hostIPC: false
hostNetwork: false
volumes:
- configMap
- downwardAPI
- emptyDir
- secret
- projected
fsGroup: fsGroup:
ranges:
- max: 65535
min: 1
rule: MustRunAs rule: MustRunAs
requiredDropCapabilities: ranges:
- ALL - min: 1
max: 65535
readOnlyRootFilesystem: true
runAsUser: runAsUser:
rule: MustRunAsNonRoot rule: MustRunAsNonRoot
runAsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
seLinux: seLinux:
rule: RunAsAny rule: RunAsAny
supplementalGroups:
ranges:
- max: 65535
min: 1
rule: MustRunAs
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
{{- end }} {{- end }}
{{- end }} {{- end }}

4
charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
View file

@ -2,8 +2,8 @@
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
annotations: annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

10
charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
View file

@ -2,8 +2,8 @@
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
annotations: annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@ -16,9 +16,9 @@ metadata:
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: Role
name: {{ include "ingress-nginx.fullname" . }}-admission name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ include "ingress-nginx.fullname" . }}-admission name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
namespace: {{ .Release.Namespace | quote }} namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }} {{- end }}

4
charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
View file

@ -2,8 +2,8 @@
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
annotations: annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

8
charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
View file

@ -6,8 +6,8 @@ kind: ValidatingWebhookConfiguration
metadata: metadata:
annotations: annotations:
{{- if .Values.controller.admissionWebhooks.certManager.enabled }} {{- if .Values.controller.admissionWebhooks.certManager.enabled }}
certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "ingress-nginx.fullname" .) | quote }} certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s" (include "ingress-nginx.namespace" .) (include "ingress-nginx.admissionWebhooks.fullname" .) | quote }}
cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "ingress-nginx.fullname" .) | quote }} cert-manager.io/inject-ca-from: {{ printf "%s/%s" (include "ingress-nginx.namespace" .) (include "ingress-nginx.admissionWebhooks.fullname" .) | quote }}
{{- end }} {{- end }}
{{- if .Values.controller.admissionWebhooks.annotations }} {{- if .Values.controller.admissionWebhooks.annotations }}
{{- toYaml .Values.controller.admissionWebhooks.annotations | nindent 4 }} {{- toYaml .Values.controller.admissionWebhooks.annotations | nindent 4 }}
@ -18,7 +18,7 @@ metadata:
{{- with .Values.controller.admissionWebhooks.labels }} {{- with .Values.controller.admissionWebhooks.labels }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
name: {{ include "ingress-nginx.fullname" . }}-admission name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
webhooks: webhooks:
- name: validate.nginx.ingress.kubernetes.io - name: validate.nginx.ingress.kubernetes.io
matchPolicy: Equivalent matchPolicy: Equivalent
@ -38,8 +38,8 @@ webhooks:
- v1 - v1
clientConfig: clientConfig:
service: service:
namespace: {{ .Release.Namespace | quote }}
name: {{ include "ingress-nginx.controller.fullname" . }}-admission name: {{ include "ingress-nginx.controller.fullname" . }}-admission
namespace: {{ include "ingress-nginx.namespace" . }}
path: /networking/v1/ingresses path: /networking/v1/ingresses
{{- if .Values.controller.admissionWebhooks.timeoutSeconds }} {{- if .Values.controller.admissionWebhooks.timeoutSeconds }}
timeoutSeconds: {{ .Values.controller.admissionWebhooks.timeoutSeconds }} timeoutSeconds: {{ .Values.controller.admissionWebhooks.timeoutSeconds }}

2
charts/ingress-nginx/templates/clusterrolebinding.yaml
View file

@ -15,5 +15,5 @@ roleRef:
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ template "ingress-nginx.serviceAccountName" . }} name: {{ template "ingress-nginx.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }} namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }} {{- end }}

2
charts/ingress-nginx/templates/controller-configmap-addheaders.yaml
View file

@ -9,6 +9,6 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
name: {{ include "ingress-nginx.fullname" . }}-custom-add-headers name: {{ include "ingress-nginx.fullname" . }}-custom-add-headers
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
data: {{ toYaml .Values.controller.addHeaders | nindent 2 }} data: {{ toYaml .Values.controller.addHeaders | nindent 2 }}
{{- end }} {{- end }}

2
charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml
View file

@ -9,6 +9,6 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
name: {{ include "ingress-nginx.fullname" . }}-custom-proxy-headers name: {{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
data: {{ toYaml .Values.controller.proxySetHeaders | nindent 2 }} data: {{ toYaml .Values.controller.proxySetHeaders | nindent 2 }}
{{- end }} {{- end }}

2
charts/ingress-nginx/templates/controller-configmap-tcp.yaml
View file

@ -12,6 +12,6 @@ metadata:
annotations: {{ toYaml .Values.controller.tcp.annotations | nindent 4 }} annotations: {{ toYaml .Values.controller.tcp.annotations | nindent 4 }}
{{- end }} {{- end }}
name: {{ include "ingress-nginx.fullname" . }}-tcp name: {{ include "ingress-nginx.fullname" . }}-tcp
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
data: {{ tpl (toYaml .Values.tcp) . | nindent 2 }} data: {{ tpl (toYaml .Values.tcp) . | nindent 2 }}
{{- end }} {{- end }}

2
charts/ingress-nginx/templates/controller-configmap-udp.yaml
View file

@ -12,6 +12,6 @@ metadata:
annotations: {{ toYaml .Values.controller.udp.annotations | nindent 4 }} annotations: {{ toYaml .Values.controller.udp.annotations | nindent 4 }}
{{- end }} {{- end }}
name: {{ include "ingress-nginx.fullname" . }}-udp name: {{ include "ingress-nginx.fullname" . }}-udp
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
data: {{ tpl (toYaml .Values.udp) . | nindent 2 }} data: {{ tpl (toYaml .Values.udp) . | nindent 2 }}
{{- end }} {{- end }}

8
charts/ingress-nginx/templates/controller-configmap.yaml
View file

@ -11,17 +11,17 @@ metadata:
annotations: {{ toYaml .Values.controller.configAnnotations | nindent 4 }} annotations: {{ toYaml .Values.controller.configAnnotations | nindent 4 }}
{{- end }} {{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }} name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
data: data:
allow-snippet-annotations: "{{ .Values.controller.allowSnippetAnnotations }}" allow-snippet-annotations: "{{ .Values.controller.allowSnippetAnnotations }}"
{{- if .Values.controller.addHeaders }} {{- if .Values.controller.addHeaders }}
add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers add-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
{{- end }} {{- end }}
{{- if .Values.controller.proxySetHeaders }} {{- if .Values.controller.proxySetHeaders }}
proxy-set-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers proxy-set-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
{{- end }} {{- end }}
{{- if .Values.dhParam }} {{- if .Values.dhParam }}
ssl-dh-param: {{ .Release.Namespace }}/{{ include "ingress-nginx.controller.fullname" . }} ssl-dh-param: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.controller.fullname" . }}
{{- end }} {{- end }}
{{- range $key, $value := .Values.controller.config }} {{- range $key, $value := .Values.controller.config }}
{{- $key | nindent 2 }}: {{ $value | quote }} {{- $key | nindent 2 }}: {{ $value | quote }}

69
charts/ingress-nginx/templates/controller-daemonset.yaml
View file

@ -1,4 +1,4 @@
{{- if or (eq .Values.controller.kind "DaemonSet") (eq .Values.controller.kind "Both") -}} {{- if eq .Values.controller.kind "DaemonSet" -}}
{{- include "isControllerTagValid" . -}} {{- include "isControllerTagValid" . -}}
apiVersion: apps/v1 apiVersion: apps/v1
kind: DaemonSet kind: DaemonSet
@ -10,7 +10,7 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }} name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
{{- if .Values.controller.annotations }} {{- if .Values.controller.annotations }}
annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
{{- end }} {{- end }}
@ -45,6 +45,9 @@ spec:
{{- if .Values.controller.dnsConfig }} {{- if .Values.controller.dnsConfig }}
dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }} dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.controller.hostAliases }}
hostAliases: {{ tpl (toYaml .Values.controller.hostAliases) $ | nindent 8 }}
{{- end }}
{{- if .Values.controller.hostname }} {{- if .Values.controller.hostname }}
hostname: {{ toYaml .Values.controller.hostname | nindent 8 }} hostname: {{ toYaml .Values.controller.hostname | nindent 8 }}
{{- end }} {{- end }}
@ -53,20 +56,20 @@ spec:
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.controller.priorityClassName }} {{- if .Values.controller.priorityClassName }}
priorityClassName: {{ .Values.controller.priorityClassName }} priorityClassName: {{ .Values.controller.priorityClassName | quote }}
{{- end }} {{- end }}
{{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }} {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }}
securityContext: securityContext:
{{- end }} {{- if .Values.controller.podSecurityContext }}
{{- if .Values.controller.podSecurityContext }}
{{- toYaml .Values.controller.podSecurityContext | nindent 8 }} {{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.controller.sysctls }} {{- if .Values.controller.sysctls }}
sysctls: sysctls:
{{- range $sysctl, $value := .Values.controller.sysctls }} {{- range $sysctl, $value := .Values.controller.sysctls }}
- name: {{ $sysctl | quote }} - name: {{ $sysctl | quote }}
value: {{ $value | quote }} value: {{ $value | quote }}
{{- end }} {{- end }}
{{- end }}
{{- end }} {{- end }}
{{- if .Values.controller.shareProcessNamespace }} {{- if .Values.controller.shareProcessNamespace }}
shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }} shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }}
@ -80,9 +83,8 @@ spec:
{{- if .Values.controller.lifecycle }} {{- if .Values.controller.lifecycle }}
lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }} lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
{{- end }} {{- end }}
args: args: {{ include "ingress-nginx.params" . | nindent 12 }}
{{- include "ingress-nginx.params" . | nindent 12 }} securityContext: {{ include "ingress-nginx.controller.containerSecurityContext" . | nindent 12 }}
securityContext: {{ include "controller.containerSecurityContext" . | nindent 12 }}
env: env:
- name: POD_NAME - name: POD_NAME
valueFrom: valueFrom:
@ -143,11 +145,15 @@ spec:
hostPort: {{ $key }} hostPort: {{ $key }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }} {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
volumeMounts: volumeMounts:
{{- if .Values.controller.extraModules }} {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
- name: modules - name: modules
{{- if .Values.controller.image.chroot }}
mountPath: /chroot/modules_mount
{{- else }}
mountPath: /modules_mount mountPath: /modules_mount
{{- end }}
{{- end }} {{- end }}
{{- if .Values.controller.customTemplate.configMapName }} {{- if .Values.controller.customTemplate.configMapName }}
- mountPath: /etc/nginx/template - mountPath: /etc/nginx/template
@ -167,26 +173,29 @@ spec:
resources: {{ toYaml .Values.controller.resources | nindent 12 }} resources: {{ toYaml .Values.controller.resources | nindent 12 }}
{{- end }} {{- end }}
{{- if .Values.controller.extraContainers }} {{- if .Values.controller.extraContainers }}
{{ toYaml .Values.controller.extraContainers | nindent 8 }} {{- toYaml .Values.controller.extraContainers | nindent 8 }}
{{- end }} {{- end }}
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }}
initContainers: initContainers:
{{- if .Values.controller.extraInitContainers }} {{- if .Values.controller.extraInitContainers }}
{{ toYaml .Values.controller.extraInitContainers | nindent 8 }} {{- toYaml .Values.controller.extraInitContainers | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.controller.extraModules }} {{- if .Values.controller.extraModules }}
{{- range .Values.controller.extraModules }} {{- range .Values.controller.extraModules }}
{{ $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{ include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | indent 8 }} {{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.controller.opentelemetry.enabled}} {{- if .Values.controller.opentelemetry.enabled }}
{{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }} {{- with .Values.controller.opentelemetry }}
{{ $fullImage := printf "%s/%s:%s@%s" .Values.controller.opentelemetry.image.registry .Values.controller.opentelemetry.image.image .Values.controller.opentelemetry.image.tag .Values.controller.opentelemetry.image.digest }} {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}} {{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end}} {{- end }}
<!!----- old ---->
{{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{ $fullImage := printf "%s/%s:%s@%s" .Values.controller.opentelemetry.image.registry .Values.controller.opentelemetry.image.image .Values.controller.opentelemetry.image.tag .Values.controller.opentelemetry.image.digest }}
{{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}}
{{- end }}
{{- end }} {{- end }}
{{- if .Values.controller.hostNetwork }} {{- if .Values.controller.hostNetwork }}
hostNetwork: {{ .Values.controller.hostNetwork }} hostNetwork: {{ .Values.controller.hostNetwork }}
@ -201,7 +210,7 @@ spec:
affinity: {{ toYaml .Values.controller.affinity | nindent 8 }} affinity: {{ toYaml .Values.controller.affinity | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.controller.topologySpreadConstraints }} {{- if .Values.controller.topologySpreadConstraints }}
topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }} topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }}
{{- end }} {{- end }}
serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }} serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
@ -222,7 +231,7 @@ spec:
{{- if .Values.controller.admissionWebhooks.enabled }} {{- if .Values.controller.admissionWebhooks.enabled }}
- name: webhook-cert - name: webhook-cert
secret: secret:
secretName: {{ include "ingress-nginx.fullname" . }}-admission secretName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
{{- if .Values.controller.admissionWebhooks.certManager.enabled }} {{- if .Values.controller.admissionWebhooks.certManager.enabled }}
items: items:
- key: tls.crt - key: tls.crt

66
charts/ingress-nginx/templates/controller-deployment.yaml
View file

@ -1,4 +1,4 @@
{{- if or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both") -}} {{- if eq .Values.controller.kind "Deployment" -}}
{{- include "isControllerTagValid" . -}} {{- include "isControllerTagValid" . -}}
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
@ -10,7 +10,7 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }} name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
{{- if .Values.controller.annotations }} {{- if .Values.controller.annotations }}
annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
{{- end }} {{- end }}
@ -19,13 +19,12 @@ spec:
matchLabels: matchLabels:
{{- include "ingress-nginx.selectorLabels" . | nindent 6 }} {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
{{- if not .Values.controller.autoscaling.enabled }} {{- if not (or .Values.controller.autoscaling.enabled .Values.controller.keda.enabled) }}
replicas: {{ .Values.controller.replicaCount }} replicas: {{ .Values.controller.replicaCount }}
{{- end }} {{- end }}
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
{{- if .Values.controller.updateStrategy }} {{- if .Values.controller.updateStrategy }}
strategy: strategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }}
{{ toYaml .Values.controller.updateStrategy | nindent 4 }}
{{- end }} {{- end }}
minReadySeconds: {{ .Values.controller.minReadySeconds }} minReadySeconds: {{ .Values.controller.minReadySeconds }}
template: template:
@ -49,6 +48,9 @@ spec:
{{- if .Values.controller.dnsConfig }} {{- if .Values.controller.dnsConfig }}
dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }} dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.controller.hostAliases }}
hostAliases: {{ tpl (toYaml .Values.controller.hostAliases) $ | nindent 8 }}
{{- end }}
{{- if .Values.controller.hostname }} {{- if .Values.controller.hostname }}
hostname: {{ toYaml .Values.controller.hostname | nindent 8 }} hostname: {{ toYaml .Values.controller.hostname | nindent 8 }}
{{- end }} {{- end }}
@ -61,16 +63,16 @@ spec:
{{- end }} {{- end }}
{{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }} {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }}
securityContext: securityContext:
{{- end }} {{- if .Values.controller.podSecurityContext }}
{{- if .Values.controller.podSecurityContext }}
{{- toYaml .Values.controller.podSecurityContext | nindent 8 }} {{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.controller.sysctls }} {{- if .Values.controller.sysctls }}
sysctls: sysctls:
{{- range $sysctl, $value := .Values.controller.sysctls }} {{- range $sysctl, $value := .Values.controller.sysctls }}
- name: {{ $sysctl | quote }} - name: {{ $sysctl | quote }}
value: {{ $value | quote }} value: {{ $value | quote }}
{{- end }} {{- end }}
{{- end }}
{{- end }} {{- end }}
{{- if .Values.controller.shareProcessNamespace }} {{- if .Values.controller.shareProcessNamespace }}
shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }} shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }}
@ -84,9 +86,8 @@ spec:
{{- if .Values.controller.lifecycle }} {{- if .Values.controller.lifecycle }}
lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }} lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
{{- end }} {{- end }}
args: args: {{ include "ingress-nginx.params" . | nindent 12 }}
{{- include "ingress-nginx.params" . | nindent 12 }} securityContext: {{ include "ingress-nginx.controller.containerSecurityContext" . | nindent 12 }}
securityContext: {{ include "controller.containerSecurityContext" . | nindent 12 }}
env: env:
- name: POD_NAME - name: POD_NAME
valueFrom: valueFrom:
@ -151,11 +152,11 @@ spec:
volumeMounts: volumeMounts:
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
- name: modules - name: modules
{{ if .Values.controller.image.chroot }} {{- if .Values.controller.image.chroot }}
mountPath: /chroot/modules_mount mountPath: /chroot/modules_mount
{{ else }} {{- else }}
mountPath: /modules_mount mountPath: /modules_mount
{{ end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.controller.customTemplate.configMapName }} {{- if .Values.controller.customTemplate.configMapName }}
- mountPath: /etc/nginx/template - mountPath: /etc/nginx/template
@ -175,24 +176,29 @@ spec:
resources: {{ toYaml .Values.controller.resources | nindent 12 }} resources: {{ toYaml .Values.controller.resources | nindent 12 }}
{{- end }} {{- end }}
{{- if .Values.controller.extraContainers }} {{- if .Values.controller.extraContainers }}
{{ toYaml .Values.controller.extraContainers | nindent 8 }} {{- toYaml .Values.controller.extraContainers | nindent 8 }}
{{- end }} {{- end }}
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
initContainers: initContainers:
{{- if .Values.controller.extraInitContainers }} {{- if .Values.controller.extraInitContainers }}
{{ toYaml .Values.controller.extraInitContainers | nindent 8 }} {{- toYaml .Values.controller.extraInitContainers | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.controller.extraModules }} {{- if .Values.controller.extraModules }}
{{- range .Values.controller.extraModules }} {{- range .Values.controller.extraModules }}
{{ $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{ include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | indent 8 }} {{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.controller.opentelemetry.enabled}} {{- if .Values.controller.opentelemetry.enabled }}
{{- $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }} {{- with .Values.controller.opentelemetry }}
{{- $fullImage := printf "%s/%s:%s@%s" .Values.controller.opentelemetry.image.registry .Values.controller.opentelemetry.image.image .Values.controller.opentelemetry.image.tag .Values.controller.opentelemetry.image.digest }} {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" "opentelemetry" "image" $fullImage "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}} {{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end}} {{- end }}
<!------ oldd -->
{{- $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- $fullImage := printf "%s/%s:%s@%s" .Values.controller.opentelemetry.image.registry .Values.controller.opentelemetry.image.image .Values.controller.opentelemetry.image.tag .Values.controller.opentelemetry.image.digest }}
{{- include "extraModules" (dict "name" "opentelemetry" "image" $fullImage "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}}
{{- end }}
{{- end }} {{- end }}
{{- if .Values.controller.hostNetwork }} {{- if .Values.controller.hostNetwork }}
hostNetwork: {{ .Values.controller.hostNetwork }} hostNetwork: {{ .Values.controller.hostNetwork }}
@ -207,7 +213,7 @@ spec:
affinity: {{ toYaml .Values.controller.affinity | nindent 8 }} affinity: {{ toYaml .Values.controller.affinity | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.controller.topologySpreadConstraints }} {{- if .Values.controller.topologySpreadConstraints }}
topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }} topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }}
{{- end }} {{- end }}
serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }} serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
@ -228,7 +234,7 @@ spec:
{{- if .Values.controller.admissionWebhooks.enabled }} {{- if .Values.controller.admissionWebhooks.enabled }}
- name: webhook-cert - name: webhook-cert
secret: secret:
secretName: {{ include "ingress-nginx.fullname" . }}-admission secretName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
{{- if .Values.controller.admissionWebhooks.certManager.enabled }} {{- if .Values.controller.admissionWebhooks.certManager.enabled }}
items: items:
- key: tls.crt - key: tls.crt

13
charts/ingress-nginx/templates/controller-hpa.yaml
View file

@ -1,12 +1,9 @@
{{- if and .Values.controller.autoscaling.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}} {{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled (not .Values.controller.keda.enabled) -}}
{{- if not .Values.controller.keda.enabled }} apiVersion: {{ ternary "autoscaling/v2" "autoscaling/v2beta2" (.Capabilities.APIVersions.Has "autoscaling/v2") }}
apiVersion: {{ .Values.controller.autoscaling.apiVersion }}
kind: HorizontalPodAutoscaler kind: HorizontalPodAutoscaler
metadata: metadata:
annotations:
{{- with .Values.controller.autoscaling.annotations }} {{- with .Values.controller.autoscaling.annotations }}
{{- toYaml . | trimSuffix "\n" | nindent 4 }} annotations: {{ toYaml . | nindent 4 }}
{{- end }} {{- end }}
labels: labels:
{{- include "ingress-nginx.labels" . | nindent 4 }} {{- include "ingress-nginx.labels" . | nindent 4 }}
@ -15,7 +12,7 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }} name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
spec: spec:
scaleTargetRef: scaleTargetRef:
apiVersion: apps/v1 apiVersion: apps/v1
@ -48,5 +45,3 @@ spec:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }}

10
charts/ingress-nginx/templates/controller-keda.yaml
View file

@ -1,6 +1,4 @@
{{- if and .Values.controller.keda.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}} {{- if and .Values.controller.keda.enabled (eq .Values.controller.kind "Deployment") -}}
# https://keda.sh/docs/
apiVersion: {{ .Values.controller.keda.apiVersion }} apiVersion: {{ .Values.controller.keda.apiVersion }}
kind: ScaledObject kind: ScaledObject
metadata: metadata:
@ -11,6 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }} name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- if .Values.controller.keda.scaledObject.annotations }} {{- if .Values.controller.keda.scaledObject.annotations }}
annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }}
{{- end }} {{- end }}
@ -25,6 +24,11 @@ spec:
cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }}
minReplicaCount: {{ .Values.controller.keda.minReplicas }} minReplicaCount: {{ .Values.controller.keda.minReplicas }}
maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} maxReplicaCount: {{ .Values.controller.keda.maxReplicas }}
{{- with .Values.controller.keda.fallback }}
fallback:
failureThreshold: {{ .failureThreshold | default 3 }}
replicas: {{ .replicas | default $.Values.controller.keda.maxReplicas }}
{{- end }}
triggers: triggers:
{{- with .Values.controller.keda.triggers }} {{- with .Values.controller.keda.triggers }}
{{ toYaml . | indent 2 }} {{ toYaml . | indent 2 }}

45
charts/ingress-nginx/templates/controller-networkpolicy.yaml Normal file
View file

@ -0,0 +1,45 @@
{{- if .Values.controller.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- with .Values.controller.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
podSelector:
matchLabels:
{{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: controller
policyTypes:
- Ingress
- Egress
ingress:
- ports:
{{- range $key, $value := .Values.controller.containerPort }}
- protocol: TCP
port: {{ $value }}
{{- end }}
{{- if .Values.controller.metrics.enabled }}
- protocol: TCP
port: {{ .Values.controller.metrics.port }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
- protocol: TCP
port: {{ .Values.controller.admissionWebhooks.port }}
{{- end }}
{{- range $key, $value := .Values.tcp }}
- protocol: TCP
port: {{ $key }}
{{- end }}
{{- range $key, $value := .Values.udp }}
- protocol: UDP
port: {{ $key }}
{{- end }}
egress:
- {}
{{- end }}

4
charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml
View file

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }} name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
{{- if .Values.controller.annotations }} {{- if .Values.controller.annotations }}
annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
{{- end }} {{- end }}
@ -18,7 +18,7 @@ spec:
matchLabels: matchLabels:
{{- include "ingress-nginx.selectorLabels" . | nindent 6 }} {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
{{- if .Values.controller.minAvailable }} {{- if and .Values.controller.minAvailable (not (hasKey .Values.controller "maxUnavailable")) }}
minAvailable: {{ .Values.controller.minAvailable }} minAvailable: {{ .Values.controller.minAvailable }}
{{- else if .Values.controller.maxUnavailable }} {{- else if .Values.controller.maxUnavailable }}
maxUnavailable: {{ .Values.controller.maxUnavailable }} maxUnavailable: {{ .Values.controller.maxUnavailable }}

4
charts/ingress-nginx/templates/controller-prometheusrules.yaml
View file

@ -4,7 +4,9 @@ kind: PrometheusRule
metadata: metadata:
name: {{ include "ingress-nginx.controller.fullname" . }} name: {{ include "ingress-nginx.controller.fullname" . }}
{{- if .Values.controller.metrics.prometheusRule.namespace }} {{- if .Values.controller.metrics.prometheusRule.namespace }}
namespace: {{ .Values.controller.metrics.prometheusRule.namespace | quote }} namespace: {{ .Values.controller.metrics.prometheusRule.namespace }}
{{- else }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }} {{- end }}
labels: labels:
{{- include "ingress-nginx.labels" . | nindent 4 }} {{- include "ingress-nginx.labels" . | nindent 4 }}

142
charts/ingress-nginx/templates/controller-psp.yaml
View file

@ -4,6 +4,8 @@ apiVersion: policy/v1beta1
kind: PodSecurityPolicy kind: PodSecurityPolicy
metadata: metadata:
name: {{ include "ingress-nginx.fullname" . }} name: {{ include "ingress-nginx.fullname" . }}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
labels: labels:
{{- include "ingress-nginx.labels" . | nindent 4 }} {{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
@ -11,84 +13,88 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
spec: spec:
allowedCapabilities:
- NET_BIND_SERVICE
{{- if .Values.controller.image.chroot }}
- SYS_CHROOT
{{- end }}
{{- if .Values.controller.sysctls }}
allowedUnsafeSysctls:
{{- range $sysctl, $value := .Values.controller.sysctls }}
- {{ $sysctl }}
{{- end }}
{{- end }}
privileged: false privileged: false
allowPrivilegeEscalation: true hostPID: false
# Allow core volume types. hostIPC: false
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
{{- if .Values.controller.hostNetwork }}
hostNetwork: {{ .Values.controller.hostNetwork }} hostNetwork: {{ .Values.controller.hostNetwork }}
{{- end }}
{{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }} {{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }}
hostPorts: hostPorts:
{{- if .Values.controller.hostNetwork }} {{- if .Values.controller.hostNetwork }}
{{- range $key, $value := .Values.controller.containerPort }} {{- range $key, $value := .Values.controller.containerPort }}
# {{ $key }} # controller.containerPort.{{ $key }}
- min: {{ $value }} - min: {{ $value }}
max: {{ $value }} max: {{ $value }}
{{- end }}
{{- else if .Values.controller.hostPort.enabled }}
{{- range $key, $value := .Values.controller.hostPort.ports }}
# controller.hostPort.ports.{{ $key }}
- min: {{ $value }}
max: {{ $value }}
{{- end }}
{{- end }}
{{- if .Values.controller.metrics.enabled }}
# controller.metrics.port
- min: {{ .Values.controller.metrics.port }}
max: {{ .Values.controller.metrics.port }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
# controller.admissionWebhooks.port
- min: {{ .Values.controller.admissionWebhooks.port }}
max: {{ .Values.controller.admissionWebhooks.port }}
{{- end }}
{{- range $key, $value := .Values.tcp }}
# tcp.{{ $key }}
- min: {{ $key }}
max: {{ $key }}
{{- end }}
{{- range $key, $value := .Values.udp }}
# udp.{{ $key }}
- min: {{ $key }}
max: {{ $key }}
{{- end }}
{{- end }} {{- end }}
{{- else if .Values.controller.hostPort.enabled }} volumes:
{{- range $key, $value := .Values.controller.hostPort.ports }} - configMap
# {{ $key }} - downwardAPI
- min: {{ $value }} - emptyDir
max: {{ $value }} - secret
{{- end }} - projected
{{- end }}
{{- if .Values.controller.metrics.enabled }}
# metrics
- min: {{ .Values.controller.metrics.port }}
max: {{ .Values.controller.metrics.port }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
# admission webhooks
- min: {{ .Values.controller.admissionWebhooks.port }}
max: {{ .Values.controller.admissionWebhooks.port }}
{{- end }}
{{- range $key, $value := .Values.tcp }}
# {{ $key }}-tcp
- min: {{ $key }}
max: {{ $key }}
{{- end }}
{{- range $key, $value := .Values.udp }}
# {{ $key }}-udp
- min: {{ $key }}
max: {{ $key }}
{{- end }}
{{- end }}
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: 'MustRunAsNonRoot'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup: fsGroup:
rule: 'MustRunAs' rule: MustRunAs
ranges: ranges:
# Forbid adding the root group.
- min: 1 - min: 1
max: 65535 max: 65535
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
runAsUser:
rule: MustRunAsNonRoot
runAsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }}
requiredDropCapabilities:
- ALL
allowedCapabilities:
- NET_BIND_SERVICE
{{- if .Values.controller.image.chroot }}
{{- if .Values.controller.image.seccompProfile }}
- SYS_ADMIN
{{- end }}
- SYS_CHROOT
{{- end }}
seLinux: seLinux:
rule: 'RunAsAny' rule: RunAsAny
{{- if .Values.controller.sysctls }}
allowedUnsafeSysctls:
{{- range $sysctl, $value := .Values.controller.sysctls }}
- {{ $sysctl }}
{{- end }}
{{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}

2
charts/ingress-nginx/templates/controller-role.yaml
View file

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
name: {{ include "ingress-nginx.fullname" . }} name: {{ include "ingress-nginx.fullname" . }}
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
rules: rules:
- apiGroups: - apiGroups:
- "" - ""

4
charts/ingress-nginx/templates/controller-rolebinding.yaml
View file

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
name: {{ include "ingress-nginx.fullname" . }} name: {{ include "ingress-nginx.fullname" . }}
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: Role
@ -17,5 +17,5 @@ roleRef:
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ template "ingress-nginx.serviceAccountName" . }} name: {{ template "ingress-nginx.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }} namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }} {{- end }}

2
charts/ingress-nginx/templates/controller-secret.yaml
View file

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }} name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
data: data:
dhparam.pem: {{ .Values.dhParam }} dhparam.pem: {{ .Values.dhParam }}
{{- end }} {{- end }}

7
charts/ingress-nginx/templates/controller-service-internal.yaml
View file

@ -4,7 +4,7 @@ kind: Service
metadata: metadata:
annotations: annotations:
{{- range $key, $value := .Values.controller.service.internal.annotations }} {{- range $key, $value := .Values.controller.service.internal.annotations }}
{{ $key }}: {{ $value | quote }} {{ $key }}: {{ tpl ($value | toString) $ | quote }}
{{- end }} {{- end }}
labels: labels:
{{- include "ingress-nginx.labels" . | nindent 4 }} {{- include "ingress-nginx.labels" . | nindent 4 }}
@ -13,9 +13,12 @@ metadata:
{{- toYaml .Values.controller.service.labels | nindent 4 }} {{- toYaml .Values.controller.service.labels | nindent 4 }}
{{- end }} {{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}-internal name: {{ include "ingress-nginx.controller.fullname" . }}-internal
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
spec: spec:
type: "{{ .Values.controller.service.type }}" type: "{{ .Values.controller.service.type }}"
{{- if hasKey .Values.controller.service.internal "allocateLoadBalancerNodePorts" }}
allocateLoadBalancerNodePorts: {{ .Values.controller.service.internal.allocateLoadBalancerNodePorts }}
{{- end }}
{{- if .Values.controller.service.internal.loadBalancerIP }} {{- if .Values.controller.service.internal.loadBalancerIP }}
loadBalancerIP: {{ .Values.controller.service.internal.loadBalancerIP }} loadBalancerIP: {{ .Values.controller.service.internal.loadBalancerIP }}
{{- end }} {{- end }}

2
charts/ingress-nginx/templates/controller-service-metrics.yaml
View file

@ -12,7 +12,7 @@ metadata:
{{- toYaml .Values.controller.metrics.service.labels | nindent 4 }} {{- toYaml .Values.controller.metrics.service.labels | nindent 4 }}
{{- end }} {{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}-metrics name: {{ include "ingress-nginx.controller.fullname" . }}-metrics
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
spec: spec:
type: {{ .Values.controller.metrics.service.type }} type: {{ .Values.controller.metrics.service.type }}
{{- if .Values.controller.metrics.service.clusterIP }} {{- if .Values.controller.metrics.service.clusterIP }}

2
charts/ingress-nginx/templates/controller-service-webhook.yaml
View file

@ -12,7 +12,7 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}-admission name: {{ include "ingress-nginx.controller.fullname" . }}-admission
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
spec: spec:
type: {{ .Values.controller.admissionWebhooks.service.type }} type: {{ .Values.controller.admissionWebhooks.service.type }}
{{- if .Values.controller.admissionWebhooks.service.clusterIP }} {{- if .Values.controller.admissionWebhooks.service.clusterIP }}

10
charts/ingress-nginx/templates/controller-service.yaml
View file

@ -4,7 +4,7 @@ kind: Service
metadata: metadata:
annotations: annotations:
{{- range $key, $value := .Values.controller.service.annotations }} {{- range $key, $value := .Values.controller.service.annotations }}
{{ $key }}: {{ $value | quote }} {{ $key }}: {{ tpl ($value | toString) $ | quote }}
{{- end }} {{- end }}
labels: labels:
{{- include "ingress-nginx.labels" . | nindent 4 }} {{- include "ingress-nginx.labels" . | nindent 4 }}
@ -13,9 +13,12 @@ metadata:
{{- toYaml .Values.controller.service.labels | nindent 4 }} {{- toYaml .Values.controller.service.labels | nindent 4 }}
{{- end }} {{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }} name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
spec: spec:
type: {{ .Values.controller.service.type }} type: {{ .Values.controller.service.type }}
{{- if hasKey .Values.controller.service "allocateLoadBalancerNodePorts" }}
allocateLoadBalancerNodePorts: {{ .Values.controller.service.allocateLoadBalancerNodePorts }}
{{- end }}
{{- if .Values.controller.service.clusterIP }} {{- if .Values.controller.service.clusterIP }}
clusterIP: {{ .Values.controller.service.clusterIP }} clusterIP: {{ .Values.controller.service.clusterIP }}
{{- end }} {{- end }}
@ -28,6 +31,9 @@ spec:
{{- if .Values.controller.service.loadBalancerSourceRanges }} {{- if .Values.controller.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges: {{ toYaml .Values.controller.service.loadBalancerSourceRanges | nindent 4 }} loadBalancerSourceRanges: {{ toYaml .Values.controller.service.loadBalancerSourceRanges | nindent 4 }}
{{- end }} {{- end }}
{{- if .Values.controller.service.loadBalancerClass }}
loadBalancerClass: {{ .Values.controller.service.loadBalancerClass }}
{{- end }}
{{- if .Values.controller.service.externalTrafficPolicy }} {{- if .Values.controller.service.externalTrafficPolicy }}
externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }}
{{- end }} {{- end }}

5
charts/ingress-nginx/templates/controller-serviceaccount.yaml
View file

@ -9,10 +9,9 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
name: {{ template "ingress-nginx.serviceAccountName" . }} name: {{ template "ingress-nginx.serviceAccountName" . }}
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
{{- if .Values.serviceAccount.annotations }} {{- if .Values.serviceAccount.annotations }}
annotations: annotations: {{ toYaml .Values.serviceAccount.annotations | nindent 4 }}
{{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
{{- end }} {{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }} {{- end }}

6
charts/ingress-nginx/templates/controller-servicemonitor.yaml
View file

@ -4,7 +4,9 @@ kind: ServiceMonitor
metadata: metadata:
name: {{ include "ingress-nginx.controller.fullname" . }} name: {{ include "ingress-nginx.controller.fullname" . }}
{{- if .Values.controller.metrics.serviceMonitor.namespace }} {{- if .Values.controller.metrics.serviceMonitor.namespace }}
namespace: {{ .Values.controller.metrics.serviceMonitor.namespace | quote }} namespace: {{ .Values.controller.metrics.serviceMonitor.namespace }}
{{- else }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }} {{- end }}
labels: labels:
{{- include "ingress-nginx.labels" . | nindent 4 }} {{- include "ingress-nginx.labels" . | nindent 4 }}
@ -33,7 +35,7 @@ spec:
{{- else }} {{- else }}
namespaceSelector: namespaceSelector:
matchNames: matchNames:
- {{ .Release.Namespace }} - {{ include "ingress-nginx.namespace" . }}
{{- end }} {{- end }}
{{- if .Values.controller.metrics.serviceMonitor.targetLabels }} {{- if .Values.controller.metrics.serviceMonitor.targetLabels }}
targetLabels: targetLabels:

19
charts/ingress-nginx/templates/controller-webhooks-networkpolicy.yaml
View file

@ -1,19 +0,0 @@
{{- if .Values.controller.admissionWebhooks.enabled }}
{{- if .Values.controller.admissionWebhooks.networkPolicyEnabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "ingress-nginx.fullname" . }}-webhooks-allow
namespace: {{ .Release.Namespace }}
spec:
ingress:
- {}
podSelector:
matchLabels:
app.kubernetes.io/name: {{ include "ingress-nginx.name" . }}
policyTypes:
- Ingress
{{- end }}
{{- end }}

11
charts/ingress-nginx/templates/default-backend-deployment.yaml
View file

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
name: {{ include "ingress-nginx.defaultBackend.fullname" . }} name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
spec: spec:
selector: selector:
matchLabels: matchLabels:
@ -65,14 +65,7 @@ spec:
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
securityContext: securityContext: {{ include "ingress-nginx.defaultBackend.containerSecurityContext" . | nindent 12 }}
capabilities:
drop:
- ALL
runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem}}
{{- if .Values.defaultBackend.extraEnvs }} {{- if .Values.defaultBackend.extraEnvs }}
env: {{ toYaml .Values.defaultBackend.extraEnvs | nindent 12 }} env: {{ toYaml .Values.defaultBackend.extraEnvs | nindent 12 }}
{{- end }} {{- end }}

43
charts/ingress-nginx/templates/default-backend-hpa.yaml
View file

@ -1,37 +1,40 @@
{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.autoscaling.enabled }} {{- if and .Values.defaultBackend.enabled .Values.defaultBackend.autoscaling.enabled }}
apiVersion: {{ .Values.defaultBackend.autoscaling.apiVersion }} apiVersion: {{ ternary "autoscaling/v2" "autoscaling/v2beta2" (.Capabilities.APIVersions.Has "autoscaling/v2") }}
kind: HorizontalPodAutoscaler kind: HorizontalPodAutoscaler
metadata: metadata:
{{- with .Values.defaultBackend.autoscaling.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
labels: labels:
{{- include "ingress-nginx.labels" . | nindent 4 }} {{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: default-backend app.kubernetes.io/component: default-backend
{{- with .Values.defaultBackend.labels }} {{- with .Values.defaultBackend.labels }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
name: {{ template "ingress-nginx.defaultBackend.fullname" . }} name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
spec: spec:
scaleTargetRef: scaleTargetRef:
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
name: {{ template "ingress-nginx.defaultBackend.fullname" . }} name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
minReplicas: {{ .Values.defaultBackend.autoscaling.minReplicas }} minReplicas: {{ .Values.defaultBackend.autoscaling.minReplicas }}
maxReplicas: {{ .Values.defaultBackend.autoscaling.maxReplicas }} maxReplicas: {{ .Values.defaultBackend.autoscaling.maxReplicas }}
metrics: metrics:
{{- with .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }} {{- with .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource - type: Resource
resource: resource:
name: cpu name: cpu
target: target:
type: Utilization type: Utilization
averageUtilization: {{ . }} averageUtilization: {{ . }}
{{- end }} {{- end }}
{{- with .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }} {{- with .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource - type: Resource
resource: resource:
name: memory name: memory
target: target:
type: Utilization type: Utilization
averageUtilization: {{ . }} averageUtilization: {{ . }}
{{- end }} {{- end }}
{{- end }} {{- end }}

25
charts/ingress-nginx/templates/default-backend-networkpolicy.yaml Normal file
View file

@ -0,0 +1,25 @@
{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: default-backend
{{- with .Values.defaultBackend.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
podSelector:
matchLabels:
{{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: default-backend
policyTypes:
- Ingress
- Egress
ingress:
- ports:
- protocol: TCP
port: {{ .Values.defaultBackend.port }}
{{- end }}

2
charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml
View file

@ -10,7 +10,7 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
name: {{ include "ingress-nginx.defaultBackend.fullname" . }} name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
spec: spec:
selector: selector:
matchLabels: matchLabels:

46
charts/ingress-nginx/templates/default-backend-psp.yaml
View file

@ -4,6 +4,8 @@ apiVersion: policy/v1beta1
kind: PodSecurityPolicy kind: PodSecurityPolicy
metadata: metadata:
name: {{ include "ingress-nginx.fullname" . }}-backend name: {{ include "ingress-nginx.fullname" . }}-backend
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
labels: labels:
{{- include "ingress-nginx.labels" . | nindent 4 }} {{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: default-backend app.kubernetes.io/component: default-backend
@ -11,28 +13,38 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
spec: spec:
allowPrivilegeEscalation: false privileged: false
hostPID: false
hostIPC: false
hostNetwork: false
volumes:
- configMap
- downwardAPI
- emptyDir
- secret
- projected
fsGroup: fsGroup:
ranges:
- max: 65535
min: 1
rule: MustRunAs rule: MustRunAs
requiredDropCapabilities: ranges:
- ALL - min: 1
max: 65535
readOnlyRootFilesystem: true
runAsUser: runAsUser:
rule: MustRunAsNonRoot rule: MustRunAsNonRoot
runAsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
seLinux: seLinux:
rule: RunAsAny rule: RunAsAny
supplementalGroups:
ranges:
- max: 65535
min: 1
rule: MustRunAs
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
{{- end }} {{- end }}
{{- end }} {{- end }}

2
charts/ingress-nginx/templates/default-backend-role.yaml
View file

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
name: {{ include "ingress-nginx.fullname" . }}-backend name: {{ include "ingress-nginx.fullname" . }}-backend
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
rules: rules:
- apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
resources: ['podsecuritypolicies'] resources: ['podsecuritypolicies']

4
charts/ingress-nginx/templates/default-backend-rolebinding.yaml
View file

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
name: {{ include "ingress-nginx.fullname" . }}-backend name: {{ include "ingress-nginx.fullname" . }}-backend
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: Role
@ -17,5 +17,5 @@ roleRef:
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }} namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }} {{- end }}

2
charts/ingress-nginx/templates/default-backend-service.yaml
View file

@ -12,7 +12,7 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
name: {{ include "ingress-nginx.defaultBackend.fullname" . }} name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
spec: spec:
type: {{ .Values.defaultBackend.service.type }} type: {{ .Values.defaultBackend.service.type }}
{{- if .Values.defaultBackend.service.clusterIP }} {{- if .Values.defaultBackend.service.clusterIP }}

2
charts/ingress-nginx/templates/default-backend-serviceaccount.yaml
View file

@ -9,6 +9,6 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
namespace: {{ .Release.Namespace }} namespace: {{ include "ingress-nginx.namespace" . }}
automountServiceAccountToken: {{ .Values.defaultBackend.serviceAccount.automountServiceAccountToken }} automountServiceAccountToken: {{ .Values.defaultBackend.serviceAccount.automountServiceAccountToken }}
{{- end }} {{- end }}

187
charts/ingress-nginx/values.yaml
View file

@ -7,6 +7,9 @@
# nameOverride: # nameOverride:
# fullnameOverride: # fullnameOverride:
# -- Override the deployment namespace; defaults to .Release.Namespace
namespaceOverride: ""
## Labels to apply to all resources ## Labels to apply to all resources
## ##
commonLabels: {} commonLabels: {}
@ -15,6 +18,7 @@ commonLabels: {}
controller: controller:
name: controller name: controller
enableAnnotationValidations: false
image: image:
## Keep false as default for now! ## Keep false as default for now!
chroot: false chroot: false
@ -23,13 +27,17 @@ controller:
## for backwards compatibility consider setting the full image url via the repository value below ## for backwards compatibility consider setting the full image url via the repository value below
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
## repository: ## repository:
tag: "v1.7.1" tag: "v1.9.4"
digest: sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 digest: sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
digestChroot: sha256:e35d5ab487861b9d419c570e3530589229224a0762c7b4d2e2222434abb8d988 digestChroot: sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
runAsNonRoot: true
# www-data -> uid 101 # www-data -> uid 101
runAsUser: 101 runAsUser: 101
allowPrivilegeEscalation: true allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: false
# -- Use an existing PSP instead of creating one # -- Use an existing PSP instead of creating one
existingPsp: "" existingPsp: ""
# -- Configures the controller container name # -- Configures the controller container name
@ -48,6 +56,16 @@ controller:
addHeaders: {} addHeaders: {}
# -- Optionally customize the pod dnsConfig. # -- Optionally customize the pod dnsConfig.
dnsConfig: {} dnsConfig: {}
# -- Optionally customize the pod hostAliases.
hostAliases: []
# - ip: 127.0.0.1
# hostnames:
# - foo.local
# - bar.local
# - ip: 10.1.2.3
# hostnames:
# - foo.remote
# - bar.remote
# -- Optionally customize the pod hostname. # -- Optionally customize the pod hostname.
hostname: {} hostname: {}
# -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. # -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'.
@ -63,14 +81,14 @@ controller:
watchIngressWithoutClass: false watchIngressWithoutClass: false
# -- Process IngressClass per name (additionally as per spec.controller). # -- Process IngressClass per name (additionally as per spec.controller).
ingressClassByName: false ingressClassByName: false
# -- This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto" # -- This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto"
# Defaults to false # Defaults to false
enableTopologyAwareRouting: false enableTopologyAwareRouting: false
# -- This configuration defines if Ingress Controller should allow users to set # -- This configuration defines if Ingress Controller should allow users to set
# their own *-snippet annotations, otherwise this is forbidden / dropped # their own *-snippet annotations, otherwise this is forbidden / dropped
# when users add those annotations. # when users add those annotations.
# Global snippets in ConfigMap are still respected # Global snippets in ConfigMap are still respected
allowSnippetAnnotations: true allowSnippetAnnotations: false
# -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), # -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
# since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920
# is merged # is merged
@ -85,6 +103,10 @@ controller:
http: 80 http: 80
# -- 'hostPort' https port # -- 'hostPort' https port
https: 443 https: 443
# NetworkPolicy for controller component.
networkPolicy:
# -- Enable 'networkPolicy' or not
enabled: false
# -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' # -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader'
electionID: "" electionID: ""
## This section refers to the creation of the IngressClass resource ## This section refers to the creation of the IngressClass resource
@ -109,12 +131,15 @@ controller:
podLabels: {} podLabels: {}
# key: value # key: value
# -- Security Context policies for controller pods # -- Security context for controller pods
podSecurityContext: {} podSecurityContext: {}
# -- See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # -- sysctls for controller pods
## Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
sysctls: {} sysctls: {}
# sysctls: # sysctls:
# "net.core.somaxconn": "8192" # "net.core.somaxconn": "8192"
# -- Security context for controller containers
containerSecurityContext: {}
# -- Allows customization of the source of the IP address or FQDN to report # -- Allows customization of the source of the IP address or FQDN to report
# in the ingress status field. By default, it reads the information provided # in the ingress status field. By default, it reads the information provided
@ -155,6 +180,9 @@ controller:
extraArgs: {} extraArgs: {}
## extraArgs: ## extraArgs:
## default-ssl-certificate: "<namespace>/<secret_name>" ## default-ssl-certificate: "<namespace>/<secret_name>"
## time-buckets: "0.005,0.01,0.025,0.05,0.1,0.25,0.5,1,2.5,5,10"
## length-buckets: "10,20,30,40,50,60,70,80,90,100"
## size-buckets: "10,100,1000,10000,100000,1e+06,1e+07"
# -- Additional environment variables to set # -- Additional environment variables to set
extraEnvs: [] extraEnvs: []
@ -245,19 +273,29 @@ controller:
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
## ##
topologySpreadConstraints: [] topologySpreadConstraints: []
# - maxSkew: 1 # - labelSelector:
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: DoNotSchedule
# labelSelector:
# matchLabels: # matchLabels:
# app.kubernetes.io/instance: ingress-nginx-internal # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
# app.kubernetes.io/instance: '{{ .Release.Name }}'
# app.kubernetes.io/component: controller
# topologyKey: topology.kubernetes.io/zone
# maxSkew: 1
# whenUnsatisfiable: ScheduleAnyway
# - labelSelector:
# matchLabels:
# app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
# app.kubernetes.io/instance: '{{ .Release.Name }}'
# app.kubernetes.io/component: controller
# topologyKey: kubernetes.io/hostname
# maxSkew: 1
# whenUnsatisfiable: ScheduleAnyway
# -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready # -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready
## wait up to five minutes for the drain of connections ## wait up to five minutes for the drain of connections
## ##
terminationGracePeriodSeconds: 300 terminationGracePeriodSeconds: 300
# -- Node labels for controller pod assignment # -- Node labels for controller pod assignment
## Ref: https://kubernetes.io/docs/user-guide/node-selection/ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
## ##
nodeSelector: nodeSelector:
kubernetes.io/os: linux kubernetes.io/os: linux
@ -308,9 +346,10 @@ controller:
## ##
podAnnotations: {} podAnnotations: {}
replicaCount: 1 replicaCount: 1
# -- Define either 'minAvailable' or 'maxUnavailable', never both. # -- Minimum available pods set in PodDisruptionBudget.
# Define either 'minAvailable' or 'maxUnavailable', never both.
minAvailable: 1 minAvailable: 1
# -- Define either 'minAvailable' or 'maxUnavailable', never both. # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
# maxUnavailable: 1 # maxUnavailable: 1
## Define requests resources to avoid probe issues due to CPU utilization in busy nodes ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes
@ -326,7 +365,6 @@ controller:
memory: 90Mi memory: 90Mi
# Mutually exclusive with keda autoscaling # Mutually exclusive with keda autoscaling
autoscaling: autoscaling:
apiVersion: autoscaling/v2
enabled: false enabled: false
annotations: {} annotations: {}
minReplicas: 1 minReplicas: 1
@ -368,6 +406,9 @@ controller:
maxReplicas: 11 maxReplicas: 11
pollingInterval: 30 pollingInterval: 30
cooldownPeriod: 300 cooldownPeriod: 300
# fallback:
# failureThreshold: 3
# replicas: 11
restoreToOriginalReplicaCount: false restoreToOriginalReplicaCount: false
scaledObject: scaledObject:
annotations: {} annotations: {}
@ -412,17 +453,23 @@ controller:
# Will be ignored for Kubernetes versions older than 1.20 # Will be ignored for Kubernetes versions older than 1.20
## ##
appProtocol: true appProtocol: true
# -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine.
annotations: {} annotations: {}
labels: {} labels: {}
# clusterIP: "" # clusterIP: ""
# -- List of IP addresses at which the controller services are available # -- List of IP addresses at which the controller services are available
## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
## ##
externalIPs: [] externalIPs: []
# -- Set to false to disable loadbalancer node port allocation
# See https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
# allocateLoadBalancerNodePorts: true
# -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer # -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
loadBalancerIP: "" loadBalancerIP: ""
loadBalancerSourceRanges: [] loadBalancerSourceRanges: []
# -- Used by cloud providers to select a load balancer implementation other than the cloud provider default. https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
loadBalancerClass: ""
enableHttp: true enableHttp: true
enableHttps: true enableHttps: true
## Set external traffic policy to: "Local" to preserve source IP on providers supporting it. ## Set external traffic policy to: "Local" to preserve source IP on providers supporting it.
@ -471,10 +518,13 @@ controller:
internal: internal:
# -- Enables an additional internal load balancer (besides the external one). # -- Enables an additional internal load balancer (besides the external one).
enabled: false enabled: false
# -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine.
annotations: {} annotations: {}
# loadBalancerIP: "" # -- Set to false to disable loadbalancer node port allocation
# See https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
# allocateLoadBalancerNodePorts: true
# -- Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS.
loadBalancerIP: ""
# -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. # -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0.
loadBalancerSourceRanges: [] loadBalancerSourceRanges: []
## Set external traffic policy to: "Local" to preserve source IP on ## Set external traffic policy to: "Local" to preserve source IP on
@ -538,8 +588,18 @@ controller:
extraModules: [] extraModules: []
# - name: mytestmodule # - name: mytestmodule
# image: registry.k8s.io/ingress-nginx/mytestmodule # image: registry.k8s.io/ingress-nginx/mytestmodule
# distroless: false
# containerSecurityContext: # containerSecurityContext:
# runAsNonRoot: true
# runAsUser: <user-id>
# allowPrivilegeEscalation: false # allowPrivilegeEscalation: false
# seccompProfile:
# type: RuntimeDefault
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# resources: {}
# #
# The image must contain a `/usr/local/bin/init_module.sh` executable, which # The image must contain a `/usr/local/bin/init_module.sh` executable, which
# will be executed as initContainers, to move its config files within the # will be executed as initContainers, to move its config files within the
@ -547,14 +607,32 @@ controller:
opentelemetry: opentelemetry:
enabled: false enabled: false
name: opentelemetry
image: registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472
image: image:
registry: registry.k8s.io registry: registry.k8s.io
image: ingress-nginx/opentelemetry image: ingress-nginx/opentelemetry
tag: "v20230312-helm-chart-4.5.2-28-g66a760794" tag: "v20230312-helm-chart-4.5.2-28-g66a760794"
digest: sha256:40f766ac4a9832f36f217bb0e98d44c8d38faeccbfe861fbc1a76af7e9ab257f digest: sha256:40f766ac4a9832f36f217bb0e98d44c8d38faeccbfe861fbc1a76af7e9ab257f
distroless: true
containerSecurityContext: containerSecurityContext:
runAsNonRoot: true
# -- The image's default user, inherited from its base image `cgr.dev/chainguard/static`.
runAsUser: 65532
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
resources: {}
admissionWebhooks: admissionWebhooks:
name: admission
annotations: {} annotations: {}
# ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem". # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem".
@ -582,7 +660,6 @@ controller:
labels: {} labels: {}
# -- Use an existing PSP instead of creating one # -- Use an existing PSP instead of creating one
existingPsp: "" existingPsp: ""
networkPolicyEnabled: false
service: service:
annotations: {} annotations: {}
# clusterIP: "" # clusterIP: ""
@ -592,8 +669,18 @@ controller:
servicePort: 443 servicePort: 443
type: ClusterIP type: ClusterIP
createSecretJob: createSecretJob:
name: create
# -- Security context for secret creation containers
securityContext: securityContext:
runAsNonRoot: true
runAsUser: 65532
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
resources: {} resources: {}
# limits: # limits:
# cpu: 10m # cpu: 10m
@ -602,8 +689,18 @@ controller:
# cpu: 10m # cpu: 10m
# memory: 20Mi # memory: 20Mi
patchWebhookJob: patchWebhookJob:
name: patch
# -- Security context for webhook patch containers
securityContext: securityContext:
runAsNonRoot: true
runAsUser: 65532
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
resources: {} resources: {}
patch: patch:
enabled: true enabled: true
@ -613,8 +710,8 @@ controller:
## for backwards compatibility consider setting the full image url via the repository value below ## for backwards compatibility consider setting the full image url via the repository value below
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
## repository: ## repository:
tag: v20230312-helm-chart-4.5.2-28-g66a760794 tag: v20231011-8b53cabe0
digest: sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f digest: sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# -- Provide a priority class name to the webhook patching job # -- Provide a priority class name to the webhook patching job
## ##
@ -625,10 +722,8 @@ controller:
tolerations: [] tolerations: []
# -- Labels to be added to patch job resources # -- Labels to be added to patch job resources
labels: {} labels: {}
securityContext: # -- Security context for secret creation & webhook patch pods
runAsNonRoot: true securityContext: {}
runAsUser: 2000
fsGroup: 2000
# Use certmanager to generate webhook certs # Use certmanager to generate webhook certs
certManager: certManager:
enabled: false enabled: false
@ -656,7 +751,7 @@ controller:
# clusterIP: "" # clusterIP: ""
# -- List of IP addresses at which the stats-exporter service is available # -- List of IP addresses at which the stats-exporter service is available
## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
## ##
externalIPs: [] externalIPs: []
# loadBalancerIP: "" # loadBalancerIP: ""
@ -672,7 +767,7 @@ controller:
## jobLabel: "app.kubernetes.io/name" ## jobLabel: "app.kubernetes.io/name"
namespace: "" namespace: ""
namespaceSelector: {} namespaceSelector: {}
## Default: scrape .Release.Namespace only ## Default: scrape .Release.Namespace or namespaceOverride only
## To scrape all, use the following: ## To scrape all, use the following:
## namespaceSelector: ## namespaceSelector:
## any: true ## any: true
@ -695,8 +790,13 @@ controller:
# annotations: # annotations:
# description: bad ingress config - nginx config test failed # description: bad ingress config - nginx config test failed
# summary: uninstall the latest ingress changes to allow config reloads to resume # summary: uninstall the latest ingress changes to allow config reloads to resume
# # By default a fake self-signed certificate is generated as default and
# # it is fine if it expires. If `--default-ssl-certificate` flag is used
# # and a valid certificate passed please do not filter for `host` label!
# # (i.e. delete `{host!="_"}` so also the default SSL certificate is
# # checked for expiration)
# - alert: NGINXCertificateExpiry # - alert: NGINXCertificateExpiry
# expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800 # expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds{host!="_"}) by (host) - time()) < 604800
# for: 1s # for: 1s
# labels: # labels:
# severity: critical # severity: critical
@ -749,11 +849,13 @@ defaultBackend:
## repository: ## repository:
tag: "1.5" tag: "1.5"
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
runAsNonRoot: true
# nobody user -> uid 65534 # nobody user -> uid 65534
runAsUser: 65534 runAsUser: 65534
runAsNonRoot: true
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: true
# -- Use an existing PSP instead of creating one # -- Use an existing PSP instead of creating one
existingPsp: "" existingPsp: ""
extraArgs: {} extraArgs: {}
@ -799,22 +901,16 @@ defaultBackend:
# effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
affinity: {} affinity: {}
# -- Security Context policies for controller pods # -- Security context for default backend pods
# See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
# notes on enabling and using sysctls
##
podSecurityContext: {} podSecurityContext: {}
# -- Security Context policies for controller main container. # -- Security context for default backend containers
# See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
# notes on enabling and using sysctls
##
containerSecurityContext: {} containerSecurityContext: {}
# -- Labels to add to the pod container metadata # -- Labels to add to the pod container metadata
podLabels: {} podLabels: {}
# key: value # key: value
# -- Node labels for default backend pod assignment # -- Node labels for default backend pod assignment
## Ref: https://kubernetes.io/docs/user-guide/node-selection/ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
## ##
nodeSelector: nodeSelector:
kubernetes.io/os: linux kubernetes.io/os: linux
@ -842,19 +938,22 @@ defaultBackend:
# emptyDir: {} # emptyDir: {}
autoscaling: autoscaling:
apiVersion: autoscaling/v2
annotations: {} annotations: {}
enabled: false enabled: false
minReplicas: 1 minReplicas: 1
maxReplicas: 2 maxReplicas: 2
targetCPUUtilizationPercentage: 50 targetCPUUtilizationPercentage: 50
targetMemoryUtilizationPercentage: 50 targetMemoryUtilizationPercentage: 50
# NetworkPolicy for default backend component.
networkPolicy:
# -- Enable 'networkPolicy' or not
enabled: false
service: service:
annotations: {} annotations: {}
# clusterIP: "" # clusterIP: ""
# -- List of IP addresses at which the default backend service is available # -- List of IP addresses at which the default backend service is available
## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
## ##
externalIPs: [] externalIPs: []
# loadBalancerIP: "" # loadBalancerIP: ""

4
cmd/dataplane/main.go
View file

@ -18,10 +18,8 @@ package main
import ( import (
"fmt" "fmt"
"math/rand" // #nosec
"net/http" "net/http"
"os" "os"
"time"
"github.com/prometheus/client_golang/prometheus" "github.com/prometheus/client_golang/prometheus"
"github.com/prometheus/client_golang/prometheus/collectors" "github.com/prometheus/client_golang/prometheus/collectors"
@ -41,8 +39,6 @@ import (
func main() { func main() {
klog.InitFlags(nil) klog.InitFlags(nil)
rand.Seed(time.Now().UnixNano())
fmt.Println(version.String()) fmt.Println(version.String())
var err error var err error
showVersion, conf, err := ingressflags.ParseFlags() showVersion, conf, err := ingressflags.ParseFlags()

40
cmd/dbg/main.go
View file

@ -114,7 +114,6 @@ func main() {
fmt.Println(err) fmt.Println(err)
os.Exit(1) os.Exit(1)
} }
} }
func backendsAll() { func backendsAll() {
@ -155,10 +154,16 @@ func backendsList() {
fmt.Println(unmarshalErr) fmt.Println(unmarshalErr)
return return
} }
backends := f.([]interface{}) backends, ok := f.([]interface{})
if !ok {
fmt.Printf("unexpected type: %T", f)
}
for _, backendi := range backends { for _, backendi := range backends {
backend := backendi.(map[string]interface{}) backend, ok := backendi.(map[string]interface{})
if !ok {
fmt.Printf("unexpected type: %T", backendi)
}
fmt.Println(backend["name"].(string)) fmt.Println(backend["name"].(string))
} }
} }
@ -180,12 +185,22 @@ func backendsGet(name string) {
fmt.Println(unmarshalErr) fmt.Println(unmarshalErr)
return return
} }
backends := f.([]interface{}) backends, ok := f.([]interface{})
if !ok {
fmt.Printf("unexpected type: %T", f)
}
for _, backendi := range backends { for _, backendi := range backends {
backend := backendi.(map[string]interface{}) backend, ok := backendi.(map[string]interface{})
if !ok {
fmt.Printf("unexpected type: %T", backendi)
}
if backend["name"].(string) == name { if backend["name"].(string) == name {
printed, _ := json.MarshalIndent(backend, "", " ") printed, err := json.MarshalIndent(backend, "", " ")
if err != nil {
fmt.Println(err)
return
}
fmt.Println(string(printed)) fmt.Println(string(printed))
return return
} }
@ -213,18 +228,7 @@ func certGet(host string) {
} }
func general() { func general() {
//TODO: refactor to obtain ingress-nginx pod count from the api server // TODO: refactor to obtain ingress-nginx pod count from the api server
/*
statusCode, body, requestErr := nginx.NewGetStatusRequest(generalPath)
if requestErr != nil {
fmt.Println(requestErr)
return
}
if statusCode != 200 {
fmt.Printf("Nginx returned code %v\n", statusCode)
return
}
*/
var prettyBuffer bytes.Buffer var prettyBuffer bytes.Buffer
indentErr := json.Indent(&prettyBuffer, []byte("{}"), "", " ") indentErr := json.Indent(&prettyBuffer, []byte("{}"), "", " ")

1
cmd/nginx/logger.go
View file

@ -47,5 +47,4 @@ func logger(address string) {
server.Wait() server.Wait()
klog.Infof("Stopping logger") klog.Infof("Stopping logger")
} }

8
cmd/nginx/main.go
View file

@ -19,7 +19,6 @@ package main
import ( import (
"context" "context"
"fmt" "fmt"
"math/rand" // #nosec
"net/http" "net/http"
"os" "os"
"path/filepath" "path/filepath"
@ -54,8 +53,6 @@ import (
func main() { func main() {
klog.InitFlags(nil) klog.InitFlags(nil)
rand.Seed(time.Now().UnixNano())
fmt.Println(version.String()) fmt.Println(version.String())
showVersion, conf, err := ingressflags.ParseFlags() showVersion, conf, err := ingressflags.ParseFlags()
@ -156,7 +153,6 @@ func main() {
if errExists == nil { if errExists == nil {
conf.IsChroot = true conf.IsChroot = true
go logger(conf.InternalLoggerAddress) go logger(conf.InternalLoggerAddress)
} }
go metrics.StartHTTPServer(conf.HealthCheckHost, conf.ListenPorts.Health, mux) go metrics.StartHTTPServer(conf.HealthCheckHost, conf.ListenPorts.Health, mux)
@ -285,10 +281,10 @@ func checkService(key string, kubeClient *kubernetes.Clientset) error {
} }
if errors.IsNotFound(err) { if errors.IsNotFound(err) {
return fmt.Errorf("No service with name %v found in namespace %v: %v", name, ns, err) return fmt.Errorf("no service with name %v found in namespace %v: %v", name, ns, err)
} }
return fmt.Errorf("Unexpected error searching service with name %v in namespace %v: %v", name, ns, err) return fmt.Errorf("unexpected error searching service with name %v in namespace %v: %v", name, ns, err)
} }
return nil return nil

10
cmd/nginx/main_test.go
View file

@ -47,7 +47,7 @@ func TestCreateApiserverClient(t *testing.T) {
func init() { func init() {
// the default value of nginx.TemplatePath assumes the template exists in // the default value of nginx.TemplatePath assumes the template exists in
// the root filesystem and not in the rootfs directory // the root filesystem and not in the rootfs directory
path, err := filepath.Abs(filepath.Join("../../rootfs/", nginx.TemplatePath)) path, err := filepath.Abs(filepath.Join("..", "..", "rootfs", nginx.TemplatePath))
if err == nil { if err == nil {
nginx.TemplatePath = path nginx.TemplatePath = path
} }
@ -87,14 +87,14 @@ func TestHandleSigterm(t *testing.T) {
ingressflags.ResetForTesting(func() { t.Fatal("bad parse") }) ingressflags.ResetForTesting(func() { t.Fatal("bad parse") })
os.Setenv("POD_NAME", podName) t.Setenv("POD_NAME", podName)
os.Setenv("POD_NAMESPACE", namespace) t.Setenv("POD_NAMESPACE", namespace)
oldArgs := os.Args oldArgs := os.Args
defer func() { defer func() {
os.Setenv("POD_NAME", "") t.Setenv("POD_NAME", "")
os.Setenv("POD_NAMESPACE", "") t.Setenv("POD_NAMESPACE", "")
os.Args = oldArgs os.Args = oldArgs
}() }()

9
cmd/plugin/commands/backends/backends.go
View file

@ -63,13 +63,14 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command {
return cmd return cmd
} }
func backends(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, container string, backend string, onlyList bool) error { func backends(flags *genericclioptions.ConfigFlags, podName, deployment, selector, container, backend string, onlyList bool) error {
var command []string var command []string
if onlyList { switch {
case onlyList:
command = []string{"/dbg", "backends", "list"} command = []string{"/dbg", "backends", "list"}
} else if backend != "" { case backend != "":
command = []string{"/dbg", "backends", "get", backend} command = []string{"/dbg", "backends", "get", backend}
} else { default:
command = []string{"/dbg", "backends", "all"} command = []string{"/dbg", "backends", "all"}
} }

8
cmd/plugin/commands/certs/certs.go
View file

@ -18,6 +18,7 @@ package certs
import ( import (
"fmt" "fmt"
"os"
"github.com/spf13/cobra" "github.com/spf13/cobra"
@ -46,7 +47,10 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command {
} }
cmd.Flags().String("host", "", "Get the cert for this hostname") cmd.Flags().String("host", "", "Get the cert for this hostname")
cobra.MarkFlagRequired(cmd.Flags(), "host") if err := cobra.MarkFlagRequired(cmd.Flags(), "host"); err != nil {
util.PrintError(err)
os.Exit(1)
}
pod = util.AddPodFlag(cmd) pod = util.AddPodFlag(cmd)
deployment = util.AddDeploymentFlag(cmd) deployment = util.AddDeploymentFlag(cmd)
selector = util.AddSelectorFlag(cmd) selector = util.AddSelectorFlag(cmd)
@ -55,7 +59,7 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command {
return cmd return cmd
} }
func certs(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, container string, host string) error { func certs(flags *genericclioptions.ConfigFlags, podName, deployment, selector, container, host string) error {
command := []string{"/dbg", "certs", "get", host} command := []string{"/dbg", "certs", "get", host}
pod, err := request.ChoosePod(flags, podName, deployment, selector) pod, err := request.ChoosePod(flags, podName, deployment, selector)

2
cmd/plugin/commands/conf/conf.go
View file

@ -55,7 +55,7 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command {
return cmd return cmd
} }
func conf(flags *genericclioptions.ConfigFlags, host string, podName string, deployment string, selector string, container string) error { func conf(flags *genericclioptions.ConfigFlags, host, podName, deployment, selector, container string) error {
pod, err := request.ChoosePod(flags, podName, deployment, selector) pod, err := request.ChoosePod(flags, podName, deployment, selector)
if err != nil { if err != nil {
return err return err

2
cmd/plugin/commands/exec/exec.go
View file

@ -55,7 +55,7 @@ type execFlags struct {
Stdin bool Stdin bool
} }
func exec(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, container string, cmd []string, opts execFlags) error { func exec(flags *genericclioptions.ConfigFlags, podName, deployment, selector, container string, cmd []string, opts execFlags) error {
pod, err := request.ChoosePod(flags, podName, deployment, selector) pod, err := request.ChoosePod(flags, podName, deployment, selector)
if err != nil { if err != nil {
return err return err

Some files were not shown because too many files have changed in this diff Show more