resolve conflicts

.github/actions/mkdocs/Dockerfile

@@ -1,6 +1,4 @@
-FROM squidfunk/mkdocs-material:6.2.4
+FROM squidfunk/mkdocs-material:9.4.5 
-
-RUN pip install mkdocs-awesome-pages-plugin
 
 COPY action.sh /action.sh
 

.github/actions/mkdocs/action.sh

@@ -16,7 +16,7 @@
 
 set -e
 
-REQUIREMENTS="${GITHUB_WORKSPACE}/requirements.txt"
+REQUIREMENTS="${GITHUB_WORKSPACE}/docs/requirements.txt"
 
 if [ -f "${REQUIREMENTS}" ]; then
     pip install -r "${REQUIREMENTS}"

.github/workflows/ci.yaml

@@ -7,6 +7,7 @@ on:
     paths-ignore:
       - 'docs/**'
       - 'deploy/**'
+      - '**.md'
 
   push:
     branches:
@@ -14,6 +15,7 @@ on:
     paths-ignore:
       - 'docs/**'
       - 'deploy/**'
+      - '**.md'
 
   workflow_dispatch:
     inputs:
@@ -40,7 +42,7 @@ jobs:
     steps:
 
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
         id: filter
@@ -60,60 +62,6 @@ jobs:
               - 'charts/ingress-nginx/**/*'
               - 'NGINX_BASE'
 
-
-  security:
-    runs-on: ubuntu-latest
-    steps:
-
-      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
-
-      - name: Run Gosec Security Scanner
-        uses: securego/gosec@a459eb0ba387d9bd083d5c2e2354dbeef2465038 # v2.15.0
-        with:
-          # G601 for zz_generated.deepcopy.go
-          # G306 TODO: Expect WriteFile permissions to be 0600 or less
-          # G307 TODO: Deferring unsafe method "Close"
-          args: -exclude=G109,G601,G104,G204,G304,G306,G307 -tests=false -exclude-dir=test -exclude-dir=images/  -exclude-dir=docs/ ./...
-
-  lint:
-    runs-on: ubuntu-latest
-    needs: changes
-    if: |
-      (needs.changes.outputs.go == 'true')
-    steps:
-      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
-      
-      - name: Set up Go
-        id: go
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
-        with:
-          go-version: '1.20'
-          check-latest: true
-
-      - name: Run Lint
-        run: ./hack/verify-golint.sh
-
-  gofmt:
-    runs-on: ubuntu-latest
-    needs: changes
-    if: |
-      (needs.changes.outputs.go == 'true')
-    steps:
-      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
-      
-      - name: Set up Go
-        id: go
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
-        with:
-          go-version: '1.20'
-          check-latest: true
-
-      - name: Run go-fmt
-        run: ./hack/verify-gofmt.sh
-
   test-go:
     runs-on: ubuntu-latest
     needs: changes
@@ -121,13 +69,13 @@ jobs:
       (needs.changes.outputs.go == 'true')
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       
       - name: Set up Go
         id: go
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: '1.20'
+          go-version: '1.21.3'
           check-latest: true
 
       - name: Run test
@@ -142,21 +90,21 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Set up Go
         id: go
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: '1.20'
+          go-version: '1.21.3'
           check-latest: true
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
         with:
           version: latest
 
@@ -165,9 +113,7 @@ jobs:
 
       - name: Prepare Host
         run: |
-          sudo apt-get -qq update || true
+          curl -LO https://dl.k8s.io/release/v1.27.3/bin/linux/amd64/kubectl
-          sudo apt-get install -y pigz
-          curl -LO https://dl.k8s.io/release/v1.25.5/bin/linux/amd64/kubectl
           chmod +x ./kubectl
           sudo mv ./kubectl /usr/local/bin/kubectl
 
@@ -186,10 +132,10 @@ jobs:
             nginx-ingress-controller:e2e \
             ingress-controller/controller:1.0.0-dev \
             ingress-controller/controller-chroot:1.0.0-dev \
-            | pigz > docker.tar.gz
+            | gzip > docker.tar.gz
 
       - name: cache
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: docker.tar.gz
           path: docker.tar.gz
@@ -205,16 +151,16 @@ jobs:
 
     strategy:
       matrix:
-        k8s: [v1.24.12, v1.25.8, v1.26.3,v1.27.1]
+        k8s: [v1.25.11, v1.26.6, v1.27.3, v1.28.0]
 
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Setup Go
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: '1.20'
+          go-version: '1.21.3'
           check-latest: true
 
       - name: cache
@@ -258,7 +204,7 @@ jobs:
       - name: Load images from cache
         run: |
           echo "loading docker images..."
-          pigz -dc docker.tar.gz | docker load
+          gzip -dc docker.tar.gz | docker load
 
       - name: Test
         env:
@@ -280,11 +226,11 @@ jobs:
 
     strategy:
       matrix:
-        k8s: [v1.24.12, v1.25.8, v1.26.3,v1.27.1]
+        k8s: [v1.25.11, v1.26.6, v1.27.3, v1.28.0]
 
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: cache
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
@@ -299,7 +245,7 @@ jobs:
       - name: Load images from cache
         run: |
           echo "loading docker images..."
-          pigz -dc docker.tar.gz | docker load
+          gzip -dc docker.tar.gz | docker load
 
       - name: Run e2e tests
         env:
@@ -310,8 +256,57 @@ jobs:
           kind get kubeconfig > $HOME/.kube/kind-config-kind
           make kind-e2e-test
 
-      - name: Uplaod e2e junit-reports
+      - name: Upload e2e junit-reports
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        if: success() || failure()
+        with:
+          name: e2e-test-reports-${{ matrix.k8s }}
+          path: 'test/junitreports/report*.xml'
+
+  kubernetes-validations:
+    name: Kubernetes with Validations
+    runs-on: ubuntu-latest
+    needs:
+      - changes
+      - build
+    if: |
+      (needs.changes.outputs.go == 'true') || ${{ inputs.run_e2e }}
+
+    strategy:
+      matrix:
+        k8s: [v1.25.11, v1.26.6, v1.27.3, v1.28.0]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: cache
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: docker.tar.gz
+
+      - name: Create Kubernetes ${{ matrix.k8s }} cluster
+        id: kind
+        run: |
+          kind create cluster --image=kindest/node:${{ matrix.k8s }} --config test/e2e/kind.yaml
+
+      - name: Load images from cache
+        run: |
+          echo "loading docker images..."
+          gzip -dc docker.tar.gz | docker load
+
+      - name: Run e2e tests
+        env:
+          KIND_CLUSTER_NAME: kind
+          SKIP_CLUSTER_CREATION: true
+          SKIP_IMAGE_CREATION: true
+          ENABLE_VALIDATIONS: true
+        run: |
+          kind get kubeconfig > $HOME/.kube/kind-config-kind
+          make kind-e2e-test
+
+      - name: Upload e2e junit-reports
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         if: success() || failure()
         with:
           name: e2e-test-reports-${{ matrix.k8s }}
@@ -329,12 +324,12 @@ jobs:
 
     strategy:
       matrix:
-        k8s: [v1.24.12, v1.25.8, v1.26.3,v1.27.1]
+        k8s: [v1.25.11, v1.26.6, v1.27.3, v1.28.0]
 
     steps:
 
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: cache
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
@@ -349,7 +344,7 @@ jobs:
       - name: Load images from cache
         run: |
           echo "loading docker images..."
-          pigz -dc docker.tar.gz | docker load
+          gzip -dc docker.tar.gz | docker load
 
       - name: Run e2e tests
         env:
@@ -362,12 +357,48 @@ jobs:
           make kind-e2e-test
 
       - name: Upload e2e junit-reports
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         if: success() || failure()
         with:
           name: e2e-test-reports-chroot-${{ matrix.k8s }}
           path: 'test/junitreports/report*.xml'
 
+  test-nginx-image-build:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
+    runs-on: ubuntu-latest
+    env:
+      PLATFORMS: linux/amd64,linux/arm64
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
+        id: filter-images
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          filters: |
+            nginx-base:
+              - 'images/nginx/**'
+      - name: nginx-base-image
+        if: ${{ steps.filter-images.outputs.nginx-base == 'true' }}
+        run: |
+          cd images/nginx/rootfs && docker build -t docker.io/nginx-test-workflow/nginx:${{ github.sha }} .
+      - name: Run Trivy on NGINX Image
+        if: ${{ steps.filter-images.outputs.nginx-base == 'true' }}
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/nginx-test-workflow/nginx:${{ github.sha }}'
+          format: 'sarif'
+          ignore-unfixed: true
+          output: 'trivy-results.sarif'
+      - name: Upload Trivy scan results to GitHub Security tab
+        if: ${{ steps.filter-images.outputs.nginx-base == 'true' && always() }}
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+
 
   test-image-build:
     permissions:
@@ -378,7 +409,7 @@ jobs:
       PLATFORMS: linux/amd64,linux/arm64
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
         id: filter-images
@@ -401,7 +432,6 @@ jobs:
               - 'images/kube-webhook-certgen/**'
             ext-auth-example-authsvc:
               - 'images/ext-auth-example-authsvc/**'
-
       - name: custom-error-pages image build
         if: ${{ steps.filter-images.outputs.custom-error-pages == 'true' }}
         run: |
@@ -447,11 +477,11 @@ jobs:
 
     strategy:
       matrix:
-        k8s: [v1.24.12, v1.25.8, v1.26.3,v1.27.1]
+        k8s: [v1.25.11, v1.26.6, v1.27.3, v1.28.0]
 
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
         id: filter-images
@@ -470,12 +500,13 @@ jobs:
       - name: Set up Go
         id: go
         if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: '1.20'
+          go-version: '1.21.3'
           check-latest: true
 
       - name: kube-webhook-certgen image build
         if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
         run: |
           cd images/kube-webhook-certgen && make test test-e2e
+

.github/workflows/depreview.yaml

@@ -9,6 +9,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e # v3.0.4
+        uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034 # v3.1.0

.github/workflows/docs.yaml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
         id: filter
@@ -47,7 +47,7 @@ jobs:
 
     steps:
       - name: Checkout master
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Deploy
         uses: ./.github/actions/mkdocs

.github/workflows/golangci-lint.yml

@@ -0,0 +1,34 @@
+name: golangci-lint
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - 'docs/**'
+      - 'deploy/**'
+      - '**.md'
+
+permissions:
+  contents: read
+
+jobs:
+  golangci:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      
+      - name: Set up Go
+        id: go
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version: '1.21.3'
+          check-latest: true
+      
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
+        with:
+          version: v1.53

.github/workflows/helm.yaml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Run Artifact Hub lint
         run: |
@@ -61,7 +61,7 @@ jobs:
 
     steps:
       - name: Checkout master
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           # Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896
           fetch-depth: 0
@@ -75,7 +75,7 @@ jobs:
       - name: Helm Chart Releaser
         uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0
         env:
-          CR_SKIP_EXISTING: "false"
+          CR_SKIP_EXISTING: true
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}"
         with:

.github/workflows/junit-reports.yaml

@@ -9,7 +9,7 @@ jobs:
   report:
     runs-on: ubuntu-latest
     steps:
-      - uses: dorny/test-reporter@c9b3d0e2bd2a4e96aaf424dbaa31c46b42318226 # v1.6.0
+      - uses: dorny/test-reporter@afe6793191b75b608954023a46831a3fe10048d4 # v1.7.0
         with:
           artifact: /e2e-test-reports-(.*)/
           name: JEST Tests $1               # Name of the check run which will be created

.github/workflows/perftest.yaml

@@ -19,7 +19,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Install K6
         run: |

.github/workflows/plugin.yaml

@@ -4,10 +4,8 @@ on:
   push:
     branches:
       - "main"
-    paths:
-      - "cmd/plugin/**"
     tags:
-      - "v*"
+      - 'v*.*.*\+plugin'
 
 permissions:
   contents: write # for goreleaser/goreleaser-action
@@ -17,21 +15,21 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
 
       - name: Set up Go
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: 1.20
+          go-version: '1.21.3'
           check-latest: true
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
+        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
         with:
           version: latest
-          args: release --rm-dist
+          args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

.github/workflows/scorecards.yml

@@ -27,12 +27,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3
+        uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -51,7 +51,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: SARIF file
           path: results.sarif

.github/workflows/vulnerability-scans.yaml

@@ -22,7 +22,7 @@ jobs:
       versions: ${{ steps.version.outputs.TAGS }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
 
@@ -52,7 +52,7 @@ jobs:
         versions: ${{ fromJSON(needs.version.outputs.versions) }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - shell: bash
         id: test
@@ -60,7 +60,7 @@ jobs:
 
       - name: Scan image with AquaSec/Trivy
         id: scan
-        uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2 # v0.10.0
+        uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.12.0
         with:
           image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }}
           format: 'sarif'

.gitignore

@@ -60,3 +60,4 @@ cmd/plugin/release/ingress-nginx.yaml
 cmd/plugin/release/*.tar.gz
 cmd/plugin/release/LICENSE
 tmp/
+test/junitreports/

.golangci.yml

@@ -0,0 +1,241 @@
+run:
+  timeout: 10m
+  allow-parallel-runners: true
+
+  # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
+  max-issues-per-linter: 0
+
+  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
+  max-same-issues: 0
+linters:
+  disable-all: true
+  enable:
+    - asasalint
+    - asciicheck
+    - bidichk
+    - bodyclose
+    - contextcheck
+    - decorder
+    - dogsled
+    - dupl
+    - durationcheck
+    - errcheck
+    - errchkjson
+    - errname
+    - execinquery
+    - ginkgolinter
+    - gocheckcompilerdirectives
+    - goconst
+    - gocritic
+    - gocyclo
+    - godox
+    - gofmt
+    - gofumpt
+    - goheader
+    - goimports
+    - gomoddirectives
+    - gomodguard
+    - goprintffuncname
+    - gosec
+    - gosimple
+    - govet
+    - grouper
+    - importas
+    - ineffassign
+    - loggercheck
+    - makezero
+    - misspell
+    - musttag
+    - nakedret
+    - nolintlint
+    - nosprintfhostport
+    - prealloc
+    - predeclared
+    - promlinter
+    - reassign
+    - revive
+    - rowserrcheck
+    - sqlclosecheck
+    - staticcheck
+    - stylecheck
+    - tenv
+    - testableexamples
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
+    - usestdlibvars
+    - whitespace
+    # - containedctx
+    # - cyclop
+    # - dupword
+    # - errorlint
+    # - exhaustive
+    # - exhaustruct
+    # - exportloopref
+    # - forbidigo
+    # - forcetypeassert
+    # - funlen
+    # - gci
+    # - gochecknoglobals
+    # - gochecknoinits
+    # - gocognit
+    # - godot
+    # - goerr113
+    # - gomnd
+    # - interfacebloat
+    # - ireturn
+    # - lll
+    # - maintidx
+    # - nestif
+    # - nilerr
+    # - nilnil
+    # - nlreturn
+    # - noctx
+    # - nonamedreturns
+    # - paralleltest
+    # - tagliatelle
+    # - testpackage
+    # - thelper
+    # - tparallel
+    # - varnamelen
+    # - wastedassign
+    # - wrapcheck
+    # - wsl
+linters-settings:
+  gocyclo:
+    min-complexity: 40
+  godox:
+    keywords:
+      - BUG
+      - FIXME
+      - HACK
+  errcheck:
+    check-type-assertions: true
+    check-blank: true
+  gocritic:
+    enabled-checks:
+      # Diagnostic
+      - appendAssign
+      - argOrder
+      - badCall
+      - badCond
+      - badLock
+      - badRegexp
+      - badSorting
+      - builtinShadowDecl
+      - caseOrder
+      - codegenComment
+      - commentedOutCode
+      - deferInLoop
+      - deprecatedComment
+      - dupArg
+      - dupBranchBody
+      - dupCase
+      - dupSubExpr
+      - dynamicFmtString
+      - emptyDecl
+      - evalOrder
+      - exitAfterDefer
+      - externalErrorReassign
+      - filepathJoin
+      - flagDeref
+      - flagName
+      - mapKey
+      - nilValReturn
+      - offBy1
+      - regexpPattern
+      - returnAfterHttpError
+      - sloppyReassign
+      - sloppyTypeAssert
+      - sortSlice
+      - sprintfQuotedString
+      - sqlQuery
+      - syncMapLoadAndDelete
+      - truncateCmp
+      - unnecessaryDefer
+      - weakCond
+
+      # Performance
+      - appendCombine
+      - equalFold
+      - hugeParam
+      - indexAlloc
+      - preferDecodeRune
+      - preferFprint
+      - preferStringWriter
+      - preferWriteByte
+      - rangeExprCopy
+      - rangeValCopy
+      - sliceClear
+      - stringXbytes
+
+      # Style
+      - assignOp
+      - boolExprSimplify
+      - captLocal
+      - commentFormatting
+      - commentedOutImport
+      - defaultCaseOrder
+      - deferUnlambda
+      - docStub
+      - dupImport
+      - elseif
+      - emptyFallthrough
+      - emptyStringTest
+      - exposedSyncMutex
+      - hexLiteral
+      - httpNoBody
+      - ifElseChain
+      - methodExprCall
+      - newDeref
+      - octalLiteral
+      - preferFilepathJoin
+      - redundantSprint
+      - regexpMust
+      - regexpSimplify
+      - ruleguard
+      - singleCaseSwitch
+      - sloppyLen
+      - stringConcatSimplify
+      - stringsCompare
+      - switchTrue
+      - timeCmpSimplify
+      - timeExprSimplify
+      - todoCommentWithoutDetail
+      - tooManyResultsChecker
+      - typeAssertChain
+      - typeDefFirst
+      - typeSwitchVar
+      - underef
+      - unlabelStmt
+      - unlambda
+      - unslice
+      - valSwap
+      - whyNoLint
+      - wrapperFunc
+      - yodaStyleExpr
+
+      # Opinionated
+      - builtinShadow
+      - importShadow
+      - initClause
+      - nestingReduce
+      - paramTypeCombine
+      - ptrToRefParam
+      - typeUnparen
+      - unnamedResult
+      - unnecessaryBlock
+  nolintlint:
+    # Enable to ensure that nolint directives are all used. Default is true.
+    allow-unused: false
+    # Disable to ensure that nolint directives don't have a leading space. Default is true.
+    # TODO(lint): Enforce machine-readable `nolint` directives
+    allow-leading-space: true
+    # Exclude following linters from requiring an explanation.  Default is [].
+    allow-no-explanation: []
+    # Enable to require an explanation of nonzero length after each nolint directive. Default is false.
+    # TODO(lint): Enforce explanations for `nolint` directives
+    require-explanation: false
+    # Enable to require nolint directives to mention the specific linter being suppressed. Default is false.
+    require-specific: true

Makefile

@@ -128,6 +128,12 @@ static-check: ## Run verification script for boilerplate, codegen, gofmt, golint
 	    MAC_OS=$(MAC_OS) \
 		hack/verify-all.sh
 
+.PHONY: golint-check
+golint-check:
+	@build/run-in-docker.sh \
+	    MAC_OS=$(MAC_OS) \
+		hack/verify-golint.sh
+
 ###############################
 # Tests for ingress-nginx
 ###############################
@@ -262,3 +268,8 @@ release: ensure-buildx clean
 		--build-arg COMMIT_SHA="$(COMMIT_SHA)" \
 		--build-arg BUILD_ID="$(BUILD_ID)" \
 		-t $(REGISTRY)/controller-chroot:$(TAG) rootfs -f rootfs/Dockerfile-chroot
+
+.PHONY: build-docs
+build-docs:
+	pip install -r docs/requirements.txt
+	mkdocs build --config-file mkdocs.yml

NGINX_BASE

@@ -1 +1 @@
-registry.k8s.io/ingress-nginx/nginx:91057c439cf07ffb62887b8a8bda66ce3cbe39ca@sha256:3b650123c755392f8c0eb9a356b12716327106e624ab5f5b43bc25ab130978fb
+registry.k8s.io/ingress-nginx/nginx:v20231011-8b53cabe0@sha256:34881d62f71e8573fb765c40585dba28a1148206fbbe2c3871ad3f4e8c6e360f

README.md

@@ -9,7 +9,7 @@
 
 ## Overview
 
-ingress-nginx is an Ingress controller for Kubernetes using [NGINX](https://www.nginx.org/) as a reverse proxy and load 
+ingress-nginx is an Ingress controller for Kubernetes using [NGINX](https://www.nginx.org/) as a reverse proxy and load
 balancer.
 
 [Learn more about Ingress on the main Kubernetes documentation site](https://kubernetes.io/docs/concepts/services-networking/ingress/).
@@ -20,66 +20,63 @@ See the [Getting Started](https://kubernetes.github.io/ingress-nginx/deploy/) do
 
 ## Troubleshooting
 
-If you encounter issues, review the [troubleshooting docs](docs/troubleshooting.md), 
+If you encounter issues, review the [troubleshooting docs](docs/troubleshooting.md),
-[file an issue](https://github.com/kubernetes/ingress-nginx/issues), or talk to us on the 
+[file an issue](https://github.com/kubernetes/ingress-nginx/issues), or talk to us on the
 [#ingress-nginx channel](https://kubernetes.slack.com/messages/ingress-nginx) on the Kubernetes Slack server.
 
 ## Changelog
 
-See [the list of releases](https://github.com/kubernetes/ingress-nginx/releases) to find out about feature changes.
+See [the list of releases](https://github.com/kubernetes/ingress-nginx/releases) for all changes.
-For detailed changes for each release; please check the [Changelog.md](Changelog.md) file.
+For detailed changes for each release, please check the [changelog-$version.md](./changelog) file for the release version.
-For detailed changes on the `ingress-nginx` helm chart, please check the following 
+For detailed changes on the `ingress-nginx` helm chart, please check the changelog folder for a specific version
-[CHANGELOG.md](charts/ingress-nginx/CHANGELOG.md) file.
+[CHANGELOG-$current-version.md](./charts/ingress-nginx/changelog) file.
 
-### Supported Versions table 
+### Supported Versions table
 
 Supported versions for the ingress-nginx project mean that we have completed E2E tests, and they are passing for
-the versions listed. Ingress-Nginx versions may work on older versions but the project does not make that guarantee.
+the versions listed. Ingress-Nginx versions **may** work on older versions, but the project does not make that guarantee.
 
-|       | Ingress-NGINX version | k8s supported version        | Alpine Version | Nginx Version | Helm Chart Version |
+|  Supported  | Ingress-NGINX version | k8s supported version        | Alpine Version | Nginx Version | Helm Chart Version |
-|:-----:|------------------------|------------------------------|----------------|---------------|--------------------|
+|:--:|-----------------------|------------------------------|----------------|---------------|------------------------------|
-| 🔄 |  **v1.7.1**               | 1.27,1.26, 1.25, 1.24             | 3.17.2         | 1.21.6        | 4.6.*         |
+| 🔄 | **v1.9.4**            | 1.28, 1.27,1.26, 1.25        | 3.18.4         | 1.21.6        | 4.8.3*                        |
-| 🔄 |  **v1.7.0**   | 1.26, 1.25, 1.24             | 3.17.2         | 1.21.6        | 4.6.*              |
+| 🔄 | **v1.9.3**            | 1.28, 1.27,1.26, 1.25        | 3.18.4         | 1.21.6        | 4.8.*                        |
-| 🔄 | **v1.6.4**   | 1.26, 1.25, 1.24, 1.23       | 3.17.0         | 1.21.6        | 4.5.*              |
+| 🔄 | **v1.9.1**            | 1.28, 1.27,1.26, 1.25        | 3.18.4         | 1.21.6        | 4.8.*                        |
-| 🔄| **v1.5.1**   | 1.25, 1.24, 1.23             | 3.16.2         | 1.21.6        | 4.4.*              |
+| 🔄 | **v1.9.0**            | 1.28, 1.27,1.26, 1.25        | 3.18.2         | 1.21.6        | 4.8.*                        |
-|   | v1.4.0                | 1.25, 1.24, 1.23, 1.22       | 3.16.2         | 1.19.10†      | 4.3.0              |
+| 🔄 | **v1.8.4**            | 1.27,1.26, 1.25, 1.24        | 3.18.2         | 1.21.6        | 4.7.*                        |
-| | v1.3.1                | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.2         | 1.19.10†      | 4.2.5              |
+| 🔄 | **v1.8.2**            | 1.27,1.26, 1.25, 1.24        | 3.18.2         | 1.21.6        | 4.7.*                        |
-| | v1.3.0                | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.0         | 1.19.10†      | 4.2.3              |
+| 🔄 | **v1.8.1**            | 1.27,1.26, 1.25, 1.24        | 3.18.2         | 1.21.6        | 4.7.*              |
-| | v1.2.1                | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.6         | 1.19.10†      | 4.1.4              |
+| 🔄 | **v1.8.0**            | 1.27,1.26, 1.25, 1.24        | 3.18.0         | 1.21.6        | 4.7.*              |
-| | v1.1.3                | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.4         | 1.19.10†      | 4.0.19             |
+| 🔄 | **v1.7.1**            | 1.27,1.26, 1.25, 1.24        | 3.17.2         | 1.21.6        | 4.6.*              |
-| | v1.1.2                | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2         | 1.19.9†       | 4.0.18             |
+| 🔄 | **v1.7.0**            | 1.26, 1.25, 1.24             | 3.17.2         | 1.21.6        | 4.6.*              |
-| | v1.1.1                | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2         | 1.19.9†       | 4.0.17             |
+|    | **v1.6.4**            | 1.26, 1.25, 1.24, 1.23       | 3.17.0         | 1.21.6        | 4.5.*              |
-| | v1.1.0                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         | 1.19.9†       | 4.0.13             |
+|    | v1.5.1                | 1.25, 1.24, 1.23             | 3.16.2         | 1.21.6        | 4.4.*              |
-| | v1.0.5                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         | 1.19.9†       | 4.0.9              |
+|    | v1.4.0                | 1.25, 1.24, 1.23, 1.22       | 3.16.2         | 1.19.10†      | 4.3.0              |
-| | v1.0.4                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         | 1.19.9†       | 4.0.6              |
+|    | v1.3.1                | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.2         | 1.19.10†      | 4.2.5              |
-| | v1.0.3                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         | 1.19.9†       | 4.0.5              |
+|    | v1.3.0                | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.0         | 1.19.10†      | 4.2.3              |
-| | v1.0.2                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         | 1.19.9†       | 4.0.3              |
-| | v1.0.1                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         | 1.19.9†       | 4.0.2              |
-| | v1.0.0                | 1.22, 1.21, 1.20, 1.19       | 3.13.5         | 1.20.1        | 4.0.1              |
 
-
+See [this article](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) if you want upgrade to the stable
-† _This build is 
+Ingress API.
-[patched against CVE-2021-23017](https://github.com/openresty/openresty/commit/4b5ec7edd78616f544abc194308e0cf4b788725b#diff-42ef841dc27fe0b5aa2d06bd31308bb63a59cdcddcbcddd917248349d22020a3)._
-
-See [this article](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) if you want upgrade to the stable 
-Ingress API. 
 
 ## Get Involved
 
 Thanks for taking the time to join our community and start contributing!
 
-- This project adheres to the [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md). 
+- This project adheres to the [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md).
   By participating in this project, you agree to abide by its terms.
 
-- **Contributing**: Contributions of all kind are welcome!
+- **Contributing**: Contributions of all kinds are welcome!
-  
+
-  - Read [`CONTRIBUTING.md`](CONTRIBUTING.md) for information about setting up your environment, the workflow that we 
+  - Read [`CONTRIBUTING.md`](CONTRIBUTING.md) for information about setting up your environment, the workflow that we
     expect, and instructions on the developer certificate of origin that we require.
   - Join our Kubernetes Slack channel for developer discussion : [#ingress-nginx-dev](https://kubernetes.slack.com/archives/C021E147ZA4).
-  - Submit GitHub issues for any feature enhancements, bugs or documentation problems. Please make sure to read the [Issue Reporting Checklist](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md#issue-reporting-guidelines) before opening an issue. Issues not conforming to the guidelines **may be closed immediately**.
+  - Submit GitHub issues for any feature enhancements, bugs, or documentation problems.
-  - **Support**: Join the [#ingress-nginx-users](https://kubernetes.slack.com/messages/CANQGM8BA/) channel inside the [Kubernetes Slack](http://slack.kubernetes.io/) to ask questions or get support from the maintainers and other users.
+    - Please make sure to read the [Issue Reporting Checklist](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md#issue-reporting-guidelines) before opening an issue. Issues not conforming to the guidelines **may be closed immediately**.
+  - Join our [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernetes.io/g/ingress-nginx-dev/c/ebbBMo-zX-w)
+
+- **Support**:
+  - Join the [#ingress-nginx-users](https://kubernetes.slack.com/messages/CANQGM8BA/) channel inside the [Kubernetes Slack](http://slack.kubernetes.io/) to ask questions or get support from the maintainers and other users.
   - The [GitHub issues](https://github.com/kubernetes/ingress-nginx/issues) in the repository are **exclusively** for bug reports and feature requests.
-  - **Discuss**: Tweet using the `#IngressNginx` hashtag.
+  - **Discuss**: Tweet using the `#IngressNginx` hashtag or sharing with us [@IngressNginx](https://twitter.com/IngressNGINX).
 
 ## License
 

TAG

@@ -1,2 +1 @@
-v1.7.1
+v1.9.4
-

build/dev-env.sh

@@ -45,14 +45,16 @@ if ! command -v helm &> /dev/null; then
   exit 1
 fi
 
+function ver { printf "%d%03d%03d" $(echo "$1" | tr '.' ' '); }
+
 HELM_VERSION=$(helm version 2>&1 | cut -f1 -d"," | grep -oE '[0-9]+\.[0-9]+\.[0-9]+') || true
 echo $HELM_VERSION
-if [[ ${HELM_VERSION} -lt 3.10.0 ]]; then
+if [[ $(ver $HELM_VERSION) -lt $(ver "3.10.0") ]]; then
   echo "Please upgrade helm to v3.10.0 or higher"
   exit 1
 fi
 
-KUBE_CLIENT_VERSION=$(kubectl version --client --short 2>/dev/null | grep Client | awk '{print $3}' | cut -d. -f2) || true
+KUBE_CLIENT_VERSION=$(kubectl version --client -oyaml 2>/dev/null | grep "minor:" | awk '{print $2}' | tr -d '"') || true
 if [[ ${KUBE_CLIENT_VERSION} -lt 24 ]]; then
   echo "Please update kubectl to 1.24.2 or higher"
   exit 1

build/run-in-docker.sh

@@ -44,7 +44,7 @@ function cleanup {
 }
 trap cleanup EXIT
 
-E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20230314-helm-chart-4.5.2-32-g520384b11@sha256:754c62f9a5efd1ee515ee908ecc16c0c4d1dda96a8cc8019667182a55f3a9035}
+E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20231011-8b53cabe0@sha256:ed0dad805c635e66469b4ac376010eebdd0b3fe62d753f58db1632d6f12f451d}
 
 if [[ "$RUNTIME" == podman ]]; then
   # Podman does not support both tag and digest
@@ -87,7 +87,7 @@ if [[ "$DOCKER_IN_DOCKER_ENABLED" == "true" ]]; then
   echo "..reached DIND check TRUE block, inside run-in-docker.sh"
   echo "FLAGS=$FLAGS"
   #go env
-  go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.9.0
+  go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.13.0
   find / -type f -name ginkgo 2>/dev/null
   which ginkgo
   /bin/bash -c "${FLAGS}"

changelog/Changelog-1.8.0.md

@@ -0,0 +1,67 @@
+# Changelog
+
+### 1.8.0
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.8.0@sha256:a45e41cd2b7670adf829759878f512d4208d0aec1869dae593a0fecd09a5e49e
+
+### Important Changes:
+
+* Validate path types (#9967)
+* images: upgrade to Alpine 3.18 (#9997)
+* Update documentation to reflect project name; Ingress-Nginx Controller
+
+For improving security on our 1.8.0 release includes a 
+[new, **optional** validation ](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type) 
+that limits the characters accepted  on ".spec paths.path" when pathType=Exact or pathType=Prefix, 
+to alphanumeric characters only. More information can be found on our 
+[Google doc](https://docs.google.com/document/d/1HPvaEwHRuMSkXYkVIJ-w7IpijKdHfNynm_4N2Akt0CQ/edit?usp=sharing)
+, our new [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernetes.io/g/ingress-nginx-dev/c/ebbBMo-zX-w)
+or in our [docs](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type)
+
+### Community Updates
+
+We are now posting updates and release to our twitter handle, [@IngressNginx](https://twitter.com/IngressNGINX) and
+on our new [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernetes.io/g/ingress-nginx-dev/c/ebbBMo-zX-w)
+
+### All Changes:
+
+* Add legacy to OpenTelemetry migration doc (#10011)
+* changed tagsha to recent builds (#10001)
+* change to alpine318 baseimage (#10000)
+* images: upgrade to Alpine 3.18 (#9997)
+* openssl CVE fix (#9996)
+* PodDisruptionBudget spec logic update (#9904)
+* Admission warning (#9975)
+* Add OPA examples on pathType restrictions (#9992)
+* updated testrunner image tag+sha (#9987)
+* bumped ginkgo to v2.9.5 (#9985)
+* helm: Fix opentelemetry module installation for daemonset (#9792)
+* OpenTelemetry default config (#9978)
+* Correct annotations in monitoring docs (#9976)
+* fix: avoid builds and tests for changes to markdown (#9962)
+* Validate path types (#9967)
+* HPA: Use capabilites & align manifests. (#9521)
+* Use dl.k8s.io instead of hardcoded GCS URIs (#9946)
+* add option for annotations in PodDisruptionBudget (#9843)
+* chore: update httpbin to httpbun (#9919)
+* image_update (#9942)
+* Add geoname id value into $geoip2_*_geoname_id variables (#9527)
+* Update annotations.md (#9933)
+* Update charts/* to keep project name display aligned (#9931)
+* Keep project name display aligned (#9920)
+
+### Dependencies updates:
+* Bump github.com/imdario/mergo from 0.3.15 to 0.3.16 (#10008)
+* Bump github.com/prometheus/common from 0.43.0 to 0.44.0 (#10007)
+* Bump k8s.io/klog/v2 from 2.90.1 to 2.100.1 (#9913)
+* Bump github.com/onsi/ginkgo/v2 from 2.9.0 to 2.9.5 (#9980)
+* Bump golang.org/x/crypto from 0.8.0 to 0.9.0 (#9982)
+* Bump actions/setup-go from 4.0.0 to 4.0.1 (#9984)
+* Bump securego/gosec from 2.15.0 to 2.16.0 (#9983)
+* Bump github.com/prometheus/common from 0.42.0 to 0.43.0 (#9981)
+* Bump github.com/prometheus/client_model from 0.3.0 to 0.4.0 (#9937)
+* Bump google.golang.org/grpc from 1.54.0 to 1.55.0 (#9936)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.7.1...controller-controller-v1.8.0

changelog/Changelog-1.8.1.md

@@ -0,0 +1,67 @@
+# Changelog
+
+### 1.8.1
+Images:
+
+ * registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd
+ * registry.k8s.io/ingress-nginx/controller-chroot:v1.8.1@sha256:e0d4121e3c5e39de9122e55e331a32d5ebf8d4d257227cb93ab54a1b912a7627
+ 
+### All Changes:
+
+* netlify: Only trigger preview when there are changes in docs. (#10144)
+* changed to updated baseimage and reverted tag (#10143)
+* Fix loadBalancerClass value (#10139)
+* Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406)
+* Set grpc :authority header from request header (#8912)
+* bump pinned golang to 1.20.5 (#10127)
+* update test runner (#10125)
+* chore: remove echo from snippet tests (#10110)
+* Update typo in docs for lb scheme (#10117)
+* golang 1.20.5 bump (#10120)
+* feat(helm): Add loadBalancerClass (#9562)
+* chore: remove echo friom canary tests (#10089)
+* fix: obsolete warnings (#10029)
+* docs: change Dockefile url ref main (#10087)
+* Revert "Remove fastcgi feature" (#10081)
+* docs: add netlify configuration (#10073)
+* add distroless otel init (#10035)
+* chore: move httpbun to be part of framework (#9955)
+* Remove fastcgi feature (#9864)
+* Fix mirror-target values without path separator and port (#9889)
+* Adding feature to upgrade Oracle Cloud Infrastructure's Flexible Load Balancer and adjusting Health Check that were critical in the previous configuration (#9961)
+* add support for keda fallback settings (#9993)
+* unnecessary use of fmt.Sprint (S1039) (#10049)
+* chore: pkg imported more than once (#10048)
+* tracing: upgrade to dd-opentracing-cpp v1.3.7 (#10031)
+* fix: add canary to sidebar in examples (#10068)
+* docs: add lua testing documentation (#10060)
+* docs: canary weighted deployments example (#10067)
+* Update Internal Load Balancer docs (#10062)
+* fix broken kubernetes.io/user-guide/ docs links (#10055)
+* docs: Updated the content of deploy/rbac.md (#10054)
+* ensured hpa mem spec before cpu spec (#10043)
+* Fix typo in controller_test (#10034)
+* chore(dep): upgrade github.com/emicklei/go-restful/v3 to 3.10 (#10028)
+* Upgrade to Golang 1.20.4 (#10016)
+* perf: avoid unnecessary byte/string conversion (#10012)
+* added note on dns for localtesting (#10021)
+* added helmshowvalues example (#10019)
+* release controller 1.8.0 and chart 4.7.0 (#10017)
+
+### Dependencies updates: 
+* Bump ossf/scorecard-action from 2.1.3 to 2.2.0 (#10133)
+* Bump google.golang.org/grpc from 1.56.0 to 1.56.1 (#10134)
+* Bump github.com/prometheus/client_golang from 1.15.1 to 1.16.0 (#10106)
+* Bump golang.org/x/crypto from 0.9.0 to 0.10.0 (#10105)
+* Bump google.golang.org/grpc from 1.55.0 to 1.56.0 (#10103)
+* Bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 (#10101)
+* Bump docker/setup-buildx-action from 2.6.0 to 2.7.0 (#10102)
+* Bump actions/checkout from 3.5.2 to 3.5.3 (#10076)
+* Bump docker/setup-qemu-action from 2.1.0 to 2.2.0 (#10075)
+* Bump aquasecurity/trivy-action from 0.10.0 to 0.11.2 (#10078)
+* Bump docker/setup-buildx-action from 2.5.0 to 2.6.0 (#10077)
+* Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#10042)
+* Bump github.com/stretchr/testify from 1.8.3 to 1.8.4 (#10041)
+* Bump github.com/stretchr/testify from 1.8.2 to 1.8.3 (#10005)
+ 
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.8.0...controller-controller-v1.8.1

changelog/Changelog-1.8.2.md

@@ -0,0 +1,19 @@
+# Changelog
+
+### 1.8.2
+Images:
+
+ * registry.k8s.io/ingress-nginx/controller:v1.8.2@sha256:74834d3d25b336b62cabeb8bf7f1d788706e2cf1cfd64022de4137ade8881ff2
+ * registry.k8s.io/ingress-nginx/controller-chroot:v1.8.2@sha256:1317a563219f755a6094d990057c78e5c4dcea5e31f4ce1db8641e732a7d6133
+ 
+### All Changes:
+
+* Release v1.8.2 and Update Go to v1.21.1 (#10379)
+* Making auth access logs optional (#10380)
+* [release-1.8] Disable Modsecurity from internal processing which affects large ingresses  (#10375)
+* promote distroless otel init image (#10270)
+* [release-1.8] Update images tags after adding git data in gcloud (#10233)
+* [release-1.8] Golang 1.20.6 for test runner (#10231)
+
+### Dependencies updates: 
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.8.1...controller-controller-v1.8.2

changelog/Changelog-1.9.0-beta.0.md

@@ -0,0 +1,93 @@
+# Changelog
+
+### 1.9.0-beta.0
+Images:
+
+ * registry.k8s.io/ingress-nginx/controller:v1.9.0-beta.0@sha256:531377e4cc9dc62af40d742402222603259673f5a755a64d74122f256dfad8f9
+ * registry.k8s.io/ingress-nginx/controller-chroot:v1.9.0-beta.0@sha256:60b4c95349ce2a81a3b2a76423ee483b847b89d3fa8cb148468434f606f3fa0c
+ 
+### All Changes:
+
+* Rework mage (#10418)
+* Start release of v1.9.0 beta0 (#10407)
+* Update k8s versions on CI (#10406)
+* Add a flag to enable or disable aio_write (#10394)
+* Update external-articles.md - advanced setup with GKE/Cloud Armor/IAP (#10372)
+* Fix e2e test suite doc (#10396)
+* Disable user snippets per default (#10393)
+* Deployment/DaemonSet: Fix templating & value. (#10240)
+* Fix deferInLoop error (#10387)
+* Remove gofmt (#10385)
+* Deployment/DaemonSet: Template `topologySpreadConstraints`. (#10259)
+* release notes 1.8.2 (#10389)
+* fix: remove curl on base container #9716 (#10306)
+* Fix http default backend test (#10382)
+* Add golangci github action and replace the deprecated golint (#10187)
+* BUGFIX incorrect indentation (#10254)
+* Upgrade OpenTelemetry to v1.11.0 and gRPC to v1.57.0 (#10352)
+* fix: path with sepecial characters warning #10281 #10308 (#10330)
+* Fix golangci-lint errors (#10196)
+* chore(build): Fix Run make dev-env syntax error (#10294)
+* Add firewall configuration to quick start documentation (#10357)
+* Making auth access logs optional (#10335)
+* Fix “dev-env” Makefile target to work with kubectl 1.28+ (#10350)
+* fix: update action file to auto release plugin #10197 (#10321)
+* Use gzip instead of pigz in CI (#10348)
+* Disable Modsecurity from internal processing which affects large ingresses  (#10316)
+* fix: add /etc/mime.types #10309 (#10310)
+* Remove curl dependencies in e2e tests #9716 (#10296)
+* docs: swap explanation to match example (#10220)
+* ci(helm): fix Helm Chart release action 422 error (#10237)
+* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249)
+* Updated index.md - Fix typos (#10256)
+* Handle request_id variable correctly in auth requests (#9219)
+* test kind updates (#10272)
+* promote distroless otel init image (#10257)
+* [helm] configure allow to configure hostAliases (#10180)
+* Add rolling update strategy to each static deployment file (#10129)
+* Implement annotation validation (#9673)
+* Golang 1.20.6 for test runner (#10230)
+* [helm] pass service annotations through helm tpl engine (#10084)
+* Ignore deployment template's replicas if KEDA is enabled (#9534)
+* chore: bump OpenResty to v1.21.4.2 (#10219)
+* Scanning port 10247 lead to tcp connection 502 error (#9815)
+* revise Datadog trace sampling configuration (#10151)
+* Clarify TCP/UDP service docs (#10146)
+* Exposed continent data as  variable in the case of Maxmind city files (#10157)
+* Cleanup errcheck code (#10166)
+* Fix golang-ci linter errors (#10128)
+* Deprecate and remove AJP support (#10158)
+* release notes 1.8.1 (#10161)
+
+### Dependencies updates: 
+* Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.12.0 (#10355)
+* Bump golang.org/x/crypto from 0.12.0 to 0.13.0 (#10399)
+* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10403)
+* Bump goreleaser/goreleaser-action from 4.4.0 to 4.6.0 (#10402)
+* Bump actions/upload-artifact from 3.1.2 to 3.1.3 (#10404)
+* Bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#10400)
+* Bump google.golang.org/grpc from 1.57.0 to 1.58.0 (#10398)
+* Bump actions/dependency-review-action from 3.0.8 to 3.1.0 (#10401)
+* Bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4 (#10373)
+* Bump github.com/cyphar/filepath-securejoin in /magefiles (#10374)
+* Bump Go version to 1.21.1 (#10377)
+* Bump Go version to 1.21.1 on testrunner (#10378)
+* Bump aquasecurity/trivy-action from 0.11.2 to 0.12.0 (#10365)
+* Bump docker/setup-buildx-action from 2.9.1 to 2.10.0 (#10353)
+* Bump actions/checkout from 3.5.3 to 3.6.0 (#10354)
+* Bump actions/dependency-review-action from 3.0.6 to 3.0.8 (#10333)
+* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10313)
+* Bump securego/gosec from 2.16.0 to 2.17.0 (#10332)
+* Bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 (#10314)
+* Bump github.com/opencontainers/runc from 1.1.8 to 1.1.9 (#10298)
+* Bump k8s.io/component-base from 0.26.4 to 0.27.4 (Replace Topology Aware Hints with Topology Aware Routing) (#10282)
+* Bump google.golang.org/grpc from 1.56.2 to 1.57.0 (#10258)
+* Bump golang.org/x/crypto from 0.11.0 to 0.12.0 (#10280)
+* Bump github.com/opencontainers/runc from 1.1.7 to 1.1.8 (#10244)
+* Bump google.golang.org/grpc from 1.56.1 to 1.56.2 (#10193)
+* Bump docker/setup-buildx-action from 2.9.0 to 2.9.1 (#10207)
+* Bump golang.org/x/crypto from 0.10.0 to 0.11.0 (#10192)
+* Bump docker/setup-buildx-action from 2.8.0 to 2.9.0 (#10191)
+* Bump docker/setup-buildx-action from 2.7.0 to 2.8.0 (#10165)
+ 
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-release-1.8...controller-controller-v1.9.0-beta.0

changelog/Changelog-1.9.0.md

@@ -0,0 +1,93 @@
+# Changelog
+
+### 1.9.0
+Images:
+
+ * registry.k8s.io/ingress-nginx/controller:v1.9.0@sha256:c15d1a617858d90fb8f8a2dd60b0676f2bb85c54e3ed11511794b86ec30c8c60
+ * registry.k8s.io/ingress-nginx/controller-chroot:v1.9.0@sha256:d9fa7a136de2104fb2ecfcf1666978bfab927f4a125b75c0fb471e6104366ab5
+ 
+### All Changes:
+
+* Rework mage (#10418)
+* Start release of v1.9.0 beta0 (#10407)
+* Update k8s versions on CI (#10406)
+* Add a flag to enable or disable aio_write (#10394)
+* Update external-articles.md - advanced setup with GKE/Cloud Armor/IAP (#10372)
+* Fix e2e test suite doc (#10396)
+* Disable user snippets per default (#10393)
+* Deployment/DaemonSet: Fix templating & value. (#10240)
+* Fix deferInLoop error (#10387)
+* Remove gofmt (#10385)
+* Deployment/DaemonSet: Template `topologySpreadConstraints`. (#10259)
+* release notes 1.8.2 (#10389)
+* fix: remove curl on base container #9716 (#10306)
+* Fix http default backend test (#10382)
+* Add golangci github action and replace the deprecated golint (#10187)
+* BUGFIX incorrect indentation (#10254)
+* Upgrade OpenTelemetry to v1.11.0 and gRPC to v1.57.0 (#10352)
+* fix: path with sepecial characters warning #10281 #10308 (#10330)
+* Fix golangci-lint errors (#10196)
+* chore(build): Fix Run make dev-env syntax error (#10294)
+* Add firewall configuration to quick start documentation (#10357)
+* Making auth access logs optional (#10335)
+* Fix “dev-env” Makefile target to work with kubectl 1.28+ (#10350)
+* fix: update action file to auto release plugin #10197 (#10321)
+* Use gzip instead of pigz in CI (#10348)
+* Disable Modsecurity from internal processing which affects large ingresses  (#10316)
+* fix: add /etc/mime.types #10309 (#10310)
+* Remove curl dependencies in e2e tests #9716 (#10296)
+* docs: swap explanation to match example (#10220)
+* ci(helm): fix Helm Chart release action 422 error (#10237)
+* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249)
+* Updated index.md - Fix typos (#10256)
+* Handle request_id variable correctly in auth requests (#9219)
+* test kind updates (#10272)
+* promote distroless otel init image (#10257)
+* [helm] configure allow to configure hostAliases (#10180)
+* Add rolling update strategy to each static deployment file (#10129)
+* Implement annotation validation (#9673)
+* Golang 1.20.6 for test runner (#10230)
+* [helm] pass service annotations through helm tpl engine (#10084)
+* Ignore deployment template's replicas if KEDA is enabled (#9534)
+* chore: bump OpenResty to v1.21.4.2 (#10219)
+* Scanning port 10247 lead to tcp connection 502 error (#9815)
+* revise Datadog trace sampling configuration (#10151)
+* Clarify TCP/UDP service docs (#10146)
+* Exposed continent data as  variable in the case of Maxmind city files (#10157)
+* Cleanup errcheck code (#10166)
+* Fix golang-ci linter errors (#10128)
+* Deprecate and remove AJP support (#10158)
+* release notes 1.8.1 (#10161)
+
+### Dependencies updates: 
+* Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.12.0 (#10355)
+* Bump golang.org/x/crypto from 0.12.0 to 0.13.0 (#10399)
+* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10403)
+* Bump goreleaser/goreleaser-action from 4.4.0 to 4.6.0 (#10402)
+* Bump actions/upload-artifact from 3.1.2 to 3.1.3 (#10404)
+* Bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#10400)
+* Bump google.golang.org/grpc from 1.57.0 to 1.58.0 (#10398)
+* Bump actions/dependency-review-action from 3.0.8 to 3.1.0 (#10401)
+* Bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4 (#10373)
+* Bump github.com/cyphar/filepath-securejoin in /magefiles (#10374)
+* Bump Go version to 1.21.1 (#10377)
+* Bump Go version to 1.21.1 on testrunner (#10378)
+* Bump aquasecurity/trivy-action from 0.11.2 to 0.12.0 (#10365)
+* Bump docker/setup-buildx-action from 2.9.1 to 2.10.0 (#10353)
+* Bump actions/checkout from 3.5.3 to 3.6.0 (#10354)
+* Bump actions/dependency-review-action from 3.0.6 to 3.0.8 (#10333)
+* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10313)
+* Bump securego/gosec from 2.16.0 to 2.17.0 (#10332)
+* Bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 (#10314)
+* Bump github.com/opencontainers/runc from 1.1.8 to 1.1.9 (#10298)
+* Bump k8s.io/component-base from 0.26.4 to 0.27.4 (Replace Topology Aware Hints with Topology Aware Routing) (#10282)
+* Bump google.golang.org/grpc from 1.56.2 to 1.57.0 (#10258)
+* Bump golang.org/x/crypto from 0.11.0 to 0.12.0 (#10280)
+* Bump github.com/opencontainers/runc from 1.1.7 to 1.1.8 (#10244)
+* Bump google.golang.org/grpc from 1.56.1 to 1.56.2 (#10193)
+* Bump docker/setup-buildx-action from 2.9.0 to 2.9.1 (#10207)
+* Bump golang.org/x/crypto from 0.10.0 to 0.11.0 (#10192)
+* Bump docker/setup-buildx-action from 2.8.0 to 2.9.0 (#10191)
+* Bump docker/setup-buildx-action from 2.7.0 to 2.8.0 (#10165)
+ 
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-release-1.8...controller-controller-v1.9.0

changelog/Changelog-1.9.1.md

@@ -0,0 +1,19 @@
+# Changelog
+
+### 1.9.1
+Images:
+
+ * registry.k8s.io/ingress-nginx/controller:v1.9.1@sha256:605a737877de78969493a4b1213b21de4ee425d2926906857b98050f57a95b25
+ * registry.k8s.io/ingress-nginx/controller-chroot:v1.9.1@sha256:2ac744ef08850ee86ad7162451a6879f47c1a41c6a757f6b6f913c52103b8836
+ 
+### All Changes:
+
+* upgrade owasp modsecurity core rule set to v3.3.5 (#10437)
+* Start v1.9.1 release (#10463)
+* Accept backend protocol on any case (#10461)
+* Chart: Rework network policies. (#10438)
+
+### Dependencies updates: 
+* Bump google.golang.org/grpc from 1.58.0 to 1.58.1 (#10436)
+ 
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.9.0...controller-controller-v1.9.1

changelog/Changelog-1.9.3.md

@@ -0,0 +1,27 @@
+# Changelog
+
+### 1.9.3
+Images:
+
+ * registry.k8s.io/ingress-nginx/controller:v1.9.3@sha256:8fd21d59428507671ce0fb47f818b1d859c92d2ad07bb7c947268d433030ba98
+ * registry.k8s.io/ingress-nginx/controller-chroot:v1.9.3@sha256:df4931fd6859fbf1a71e785f02a44b2f9a16f010ae852c442e9bb779cbefdc86
+ 
+### All Changes:
+
+* update nginx base, httpbun, e2e, helm webhook cert gen (#10506)
+* added warning for configuration-snippets usage (#10492)
+* Remove legacy GeoIP from controller (#10495)
+* add upstream patch for CVE-2023-44487 (#10494)
+* Revert "Remove curl from nginx base image (#10477)" (#10479)
+* update error and otel to have all the arch we support (#10476)
+* Remove curl from nginx base image (#10477)
+
+### Dependencies updates: 
+* Bump x/net (#10514)
+* Bump curl and Go version (#10503)
+* Bump google.golang.org/grpc from 1.58.2 to 1.58.3 (#10496)
+* Bump github.com/prometheus/client_model (#10486)
+* Bump ossf/scorecard-action from 2.2.0 to 2.3.0 (#10487)
+* Bump golang.org/x/crypto from 0.13.0 to 0.14.0 (#10485)
+ 
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.9.1...controller-controller-v1.9.3

changelog/Changelog-1.9.4.md

@@ -0,0 +1,13 @@
+# Changelog
+
+### 1.9.4
+Images:
+
+ * registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
+ * registry.k8s.io/ingress-nginx/controller-chroot:v1.9.4@sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26
+ 
+### All Changes:
+
+* Cherry pick fcgi fix and release v1.9.4 (#10544)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.9.3...controller-controller-v1.9.4

charts/ingress-nginx/Chart.yaml

@@ -1,14 +1,11 @@
 annotations:
-  artifacthub.io/changes: |
+  artifacthub.io/changes: |-
-     - "[helm] Support custom port configuration for internal service (#9846)"
+     - "Update Ingress-Nginx version controller-v1.9.4"
-     - "Adding resource type to default HPA configuration to resolve issues with Terraform helm chart usage (#9803)"
-     - "Update Ingress-Nginx version controller-v1.7.1"
   artifacthub.io/prerelease: "false"
 apiVersion: v2
-appVersion: 1.7.1
+appVersion: 1.9.4
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and
   load balancer
-engine: gotpl
 home: https://github.com/kubernetes/ingress-nginx
 icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
 keywords:
@@ -22,4 +19,4 @@ maintainers:
 name: ingress-nginx
 sources:
 - https://github.com/kubernetes/ingress-nginx
-version: 4.6.1
+version: 4.8.3

charts/ingress-nginx/README.md

@@ -2,7 +2,7 @@
 
 [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 
-![Version: 4.6.1](https://img.shields.io/badge/Version-4.6.1-informational?style=flat-square) ![AppVersion: 1.7.1](https://img.shields.io/badge/AppVersion-1.7.1-informational?style=flat-square)
+![Version: 4.8.3](https://img.shields.io/badge/Version-4.8.3-informational?style=flat-square) ![AppVersion: 1.9.4](https://img.shields.io/badge/AppVersion-1.9.4-informational?style=flat-square)
 
 To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
 
@@ -143,8 +143,10 @@ controller:
     internal:
       enabled: true
       annotations:
-        # Create internal ELB
+        # Create internal NLB
-        service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+        service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
+        # Create internal ELB(Deprecated)
+        # service.beta.kubernetes.io/aws-load-balancer-internal: "true"
         # Any other annotation can be declared here.
 ```
 
@@ -187,6 +189,8 @@ controller:
         # Any other annotation can be declared here.
 ```
 
+The load balancer annotations of more cloud service providers can be found: [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer).
+
 An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object.
 
 Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`.
@@ -245,14 +249,13 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` |  |
 | controller.admissionWebhooks.labels | object | `{}` | Labels to be added to admission webhooks |
 | controller.admissionWebhooks.namespaceSelector | object | `{}` |  |
-| controller.admissionWebhooks.networkPolicyEnabled | bool | `false` |  |
 | controller.admissionWebhooks.objectSelector | object | `{}` |  |
 | controller.admissionWebhooks.patch.enabled | bool | `true` |  |
-| controller.admissionWebhooks.patch.image.digest | string | `"sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f"` |  |
+| controller.admissionWebhooks.patch.image.digest | string | `"sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80"` |  |
 | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` |  |
 | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` |  |
 | controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` |  |
-| controller.admissionWebhooks.patch.image.tag | string | `"v20230312-helm-chart-4.5.2-28-g66a760794"` |  |
+| controller.admissionWebhooks.patch.image.tag | string | `"v20231011-8b53cabe0"` |  |
 | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
 | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
 | controller.admissionWebhooks.patch.podAnnotations | object | `{}` |  |
@@ -271,7 +274,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.admissionWebhooks.service.servicePort | int | `443` |  |
 | controller.admissionWebhooks.service.type | string | `"ClusterIP"` |  |
 | controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # |
-| controller.allowSnippetAnnotations | bool | `true` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected |
+| controller.allowSnippetAnnotations | bool | `false` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected |
 | controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # |
 | controller.autoscaling.annotations | object | `{}` |  |
 | controller.autoscaling.behavior | object | `{}` |  |
@@ -291,8 +294,9 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. |
 | controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. |
 | controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' |
+| controller.enableAnnotationValidations | bool | `false` |  |
 | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # |
-| controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto" Defaults to false |
+| controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false |
 | controller.existingPsp | string | `""` | Use an existing PSP instead of creating one |
 | controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use |
 | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. |
@@ -303,6 +307,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. |
 | controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. |
 | controller.healthCheckPath | string | `"/healthz"` | Path of the health check endpoint. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. |
+| controller.hostAliases | list | `[]` | Optionally customize the pod hostAliases. |
 | controller.hostNetwork | bool | `false` | Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 is merged |
 | controller.hostPort.enabled | bool | `false` | Enable 'hostPort' or not |
 | controller.hostPort.ports.http | int | `80` | 'hostPort' http port |
@@ -310,13 +315,13 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.hostname | object | `{}` | Optionally customize the pod hostname. |
 | controller.image.allowPrivilegeEscalation | bool | `true` |  |
 | controller.image.chroot | bool | `false` |  |
-| controller.image.digest | string | `"sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407"` |  |
+| controller.image.digest | string | `"sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3"` |  |
-| controller.image.digestChroot | string | `"sha256:e35d5ab487861b9d419c570e3530589229224a0762c7b4d2e2222434abb8d988"` |  |
+| controller.image.digestChroot | string | `"sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26"` |  |
 | controller.image.image | string | `"ingress-nginx/controller"` |  |
 | controller.image.pullPolicy | string | `"IfNotPresent"` |  |
 | controller.image.registry | string | `"registry.k8s.io"` |  |
 | controller.image.runAsUser | int | `101` |  |
-| controller.image.tag | string | `"v1.7.1"` |  |
+| controller.image.tag | string | `"v1.9.4"` |  |
 | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
 | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
 | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass |
@@ -353,7 +358,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.metrics.prometheusRule.enabled | bool | `false` |  |
 | controller.metrics.prometheusRule.rules | list | `[]` |  |
 | controller.metrics.service.annotations | object | `{}` |  |
-| controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # |
+| controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
 | controller.metrics.service.labels | object | `{}` | Labels to be added to the metrics service resource |
 | controller.metrics.service.loadBalancerSourceRanges | list | `[]` |  |
 | controller.metrics.service.nameSuffix | string | `"metrics"` | - Suffix to be used to name the metrics service |
@@ -367,13 +372,15 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.metrics.serviceMonitor.relabelings | list | `[]` |  |
 | controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` |  |
 | controller.metrics.serviceMonitor.targetLabels | list | `[]` |  |
-| controller.minAvailable | int | `1` | Define either 'minAvailable' or 'maxUnavailable', never both. |
+| controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. |
 | controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
 | controller.name | string | `"controller"` |  |
-| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ # |
+| controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
+| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
 | controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` |  |
 | controller.opentelemetry.enabled | bool | `false` |  |
-| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:40f766ac4a9832f36f217bb0e98d44c8d38faeccbfe861fbc1a76af7e9ab257f"` |  |
+| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` |  |
+| controller.opentelemetry.resources | object | `{}` |  |
 | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # |
 | controller.podLabels | object | `{}` | Labels to add to the pod container metadata |
 | controller.podSecurityContext | object | `{}` | Security Context policies for controller pods |
@@ -397,15 +404,16 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.scope.enabled | bool | `false` | Enable 'scope' or not |
 | controller.scope.namespace | string | `""` | Namespace to limit the controller to; defaults to $(POD_NAMESPACE) |
 | controller.scope.namespaceSelector | string | `""` | When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. |
-| controller.service.annotations | object | `{}` |  |
+| controller.service.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine. |
 | controller.service.appProtocol | bool | `true` | If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http It allows choosing the protocol for each backend specified in the Kubernetes service. See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 Will be ignored for Kubernetes versions older than 1.20 # |
 | controller.service.enableHttp | bool | `true` |  |
 | controller.service.enableHttps | bool | `true` |  |
 | controller.service.enabled | bool | `true` |  |
 | controller.service.external.enabled | bool | `true` |  |
-| controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # |
+| controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
-| controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. |
+| controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine. |
 | controller.service.internal.enabled | bool | `false` | Enables an additional internal load balancer (besides the external one). |
+| controller.service.internal.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS. |
 | controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. |
 | controller.service.internal.nameSuffix | string | `"internal"` | - Suffix to be used to name the internal service |
 | controller.service.internal.ports | object | `{}` | Custom port mapping for internal service |
@@ -413,6 +421,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ |
 | controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack-ness requested or required by this Service. Possible values are SingleStack, PreferDualStack or RequireDualStack. The ipFamilies and clusterIPs fields depend on the value of this field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ |
 | controller.service.labels | object | `{}` |  |
+| controller.service.loadBalancerClass | string | `""` | Used by cloud providers to select a load balancer implementation other than the cloud provider default. https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class |
 | controller.service.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer |
 | controller.service.loadBalancerSourceRanges | list | `[]` |  |
 | controller.service.nodePorts.http | string | `""` |  |
@@ -466,7 +475,8 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | defaultBackend.minAvailable | int | `1` |  |
 | defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
 | defaultBackend.name | string | `"defaultbackend"` |  |
-| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ # |
+| defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
+| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
 | defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # |
 | defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata |
 | defaultBackend.podSecurityContext | object | `{}` | Security Context policies for controller pods See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # |
@@ -480,7 +490,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | defaultBackend.replicaCount | int | `1` |  |
 | defaultBackend.resources | object | `{}` |  |
 | defaultBackend.service.annotations | object | `{}` |  |
-| defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # |
+| defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
 | defaultBackend.service.loadBalancerSourceRanges | list | `[]` |  |
 | defaultBackend.service.servicePort | int | `80` |  |
 | defaultBackend.service.type | string | `"ClusterIP"` |  |
@@ -491,6 +501,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
 | dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param |
 | imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
+| namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace |
 | podSecurityPolicy.enabled | bool | `false` |  |
 | portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration |
 | rbac.create | bool | `true` |  |

charts/ingress-nginx/README.md.gotmpl

@@ -140,8 +140,10 @@ controller:
     internal:
       enabled: true
       annotations:
-        # Create internal ELB
+        # Create internal NLB
-        service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+        service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
+        # Create internal ELB(Deprecated)
+        # service.beta.kubernetes.io/aws-load-balancer-internal: "true"
         # Any other annotation can be declared here.
 ```
 
@@ -184,6 +186,8 @@ controller:
         # Any other annotation can be declared here.
 ```
 
+The load balancer annotations of more cloud service providers can be found: [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer).
+
 An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object.
 
 Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`.

charts/ingress-nginx/changelog/Changelog-4.7.0.md

@@ -0,0 +1,14 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.7.0
+
+* helm: Fix opentelemetry module installation for daemonset (#9792)
+* Update charts/* to keep project name display aligned (#9931)
+* HPA: Use capabilites & align manifests. (#9521)
+* PodDisruptionBudget spec logic update (#9904)
+* add option for annotations in PodDisruptionBudget (#9843)
+* Update Ingress-Nginx version controller-v1.8.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.6.1...helm-chart-4.7.0

charts/ingress-nginx/changelog/Changelog-4.7.1.md

@@ -0,0 +1,12 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.7.1
+
+* Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406)
+* feat(helm): Add loadBalancerClass (#9562)
+* added helmshowvalues example (#10019)
+* Update Ingress-Nginx version controller-v1.8.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.0...helm-chart-4.7.1

charts/ingress-nginx/changelog/Changelog-4.7.2.md

@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.7.2
+
+* Update Ingress-Nginx version controller-v1.8.2
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.1...helm-chart-4.7.2

charts/ingress-nginx/changelog/Changelog-4.8.0-beta.0.md

@@ -0,0 +1,13 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.8.0-beta.0
+
+* ci(helm): fix Helm Chart release action 422 error (#10237)
+* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249)
+* [helm] configure allow to configure hostAliases (#10180)
+* [helm] pass service annotations through helm tpl engine (#10084)
+* Update Ingress-Nginx version controller-v1.9.0-beta.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.2...helm-chart-4.8.0-beta.0

charts/ingress-nginx/changelog/Changelog-4.8.0.md

@@ -0,0 +1,13 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.8.0
+
+* ci(helm): fix Helm Chart release action 422 error (#10237)
+* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249)
+* [helm] configure allow to configure hostAliases (#10180)
+* [helm] pass service annotations through helm tpl engine (#10084)
+* Update Ingress-Nginx version controller-v1.9.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.2...helm-chart-4.8.0

charts/ingress-nginx/changelog/Changelog-4.8.1.md

@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.8.1
+
+* Update Ingress-Nginx version controller-v1.9.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.0...helm-chart-4.8.1

charts/ingress-nginx/changelog/Changelog-4.8.2.md

@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.8.2
+
+* - "update nginx base, httpbun, e2e, helm webhook cert gen (#10506)"
+* - "Update Ingress-Nginx version controller-v1.9.3"
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.1...helm-chart-4.8.2

charts/ingress-nginx/changelog/Changelog-4.8.3.md

@@ -0,0 +1,8 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.8.3
+* Update Ingress-Nginx version controller-v1.9.4
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.2...helm-chart-4.8.3

charts/ingress-nginx/templates/NOTES.txt

@@ -6,24 +6,24 @@ Get the application URL by running these commands:
 {{- if (not (empty .Values.controller.service.nodePorts.http)) }}
   export HTTP_NODE_PORT={{ .Values.controller.service.nodePorts.http }}
 {{- else }}
-  export HTTP_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[0].nodePort}" {{ include "ingress-nginx.controller.fullname" . }})
+  export HTTP_NODE_PORT=$(kubectl --namespace {{ include "ingress-nginx.namespace" . }} get services -o jsonpath="{.spec.ports[0].nodePort}" {{ include "ingress-nginx.controller.fullname" . }})
 {{- end }}
 {{- if (not (empty .Values.controller.service.nodePorts.https)) }}
   export HTTPS_NODE_PORT={{ .Values.controller.service.nodePorts.https }}
 {{- else }}
-  export HTTPS_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[1].nodePort}" {{ include "ingress-nginx.controller.fullname" . }})
+  export HTTPS_NODE_PORT=$(kubectl --namespace {{ include "ingress-nginx.namespace" . }} get services -o jsonpath="{.spec.ports[1].nodePort}" {{ include "ingress-nginx.controller.fullname" . }})
 {{- end }}
-  export NODE_IP=$(kubectl --namespace {{ .Release.Namespace }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}")
+  export NODE_IP=$(kubectl --namespace {{ include "ingress-nginx.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}")
 
   echo "Visit http://$NODE_IP:$HTTP_NODE_PORT to access your application via HTTP."
   echo "Visit https://$NODE_IP:$HTTPS_NODE_PORT to access your application via HTTPS."
 {{- else if contains "LoadBalancer" .Values.controller.service.type }}
 It may take a few minutes for the LoadBalancer IP to be available.
-You can watch the status by running 'kubectl --namespace {{ .Release.Namespace }} get services -o wide -w {{ include "ingress-nginx.controller.fullname" . }}'
+You can watch the status by running 'kubectl --namespace {{ include "ingress-nginx.namespace" . }} get services -o wide -w {{ include "ingress-nginx.controller.fullname" . }}'
 {{- else if contains "ClusterIP"  .Values.controller.service.type }}
 Get the application URL by running these commands:
-  export POD_NAME=$(kubectl --namespace {{ .Release.Namespace }} get pods -o jsonpath="{.items[0].metadata.name}" -l "app={{ template "ingress-nginx.name" . }},component={{ .Values.controller.name }},release={{ .Release.Name }}")
+  export POD_NAME=$(kubectl --namespace {{ include "ingress-nginx.namespace" . }} get pods -o jsonpath="{.items[0].metadata.name}" -l "app={{ template "ingress-nginx.name" . }},component={{ .Values.controller.name }},release={{ .Release.Name }}")
-  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80
+  kubectl --namespace {{ include "ingress-nginx.namespace" . }} port-forward $POD_NAME 8080:80
   echo "Visit http://127.0.0.1:8080 to access your application."
 {{- end }}
 

charts/ingress-nginx/templates/_helpers.tpl

@@ -30,6 +30,17 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- end -}}
 {{- end -}}
 
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "ingress-nginx.namespace" -}}
+  {{- if .Values.namespaceOverride -}}
+    {{- .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
 
 {{/*
 Container SecurityContext.
@@ -241,15 +252,20 @@ IngressClass parameters.
 Extra modules.
 */}}
 {{- define "extraModules" -}}
-
 - name: {{ .name }}
   image: {{ .image }}
+  {{- if .distroless | default false }}
+  command: ['/init_module']
+  {{- else }}
   command: ['sh', '-c', '/usr/local/bin/init_module.sh']
-  {{- if (.containerSecurityContext) }}
+  {{- end }}
+  {{- if .containerSecurityContext }}
   securityContext: {{ .containerSecurityContext | toYaml | nindent 4 }}
   {{- end }}
+  {{- if .resources }}
+  resources: {{ .resources | toYaml | nindent 4 }}
+  {{- end }}
   volumeMounts:
     - name: {{ toYaml "modules"}}
       mountPath: {{ toYaml "/modules_mount"}}
-
 {{- end -}}

charts/ingress-nginx/templates/_params.tpl

@@ -1,5 +1,8 @@
 {{- define "ingress-nginx.params" -}}
 - /nginx-ingress-controller
+{{- if .Values.controller.enableAnnotationValidations }}
+- --enable-annotation-validation=true
+{{- end }}
 {{- if .Values.defaultBackend.enabled }}
 - --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }}
 {{- end }}

charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml

@@ -6,7 +6,7 @@ apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   name: {{ include "ingress-nginx.fullname" . }}-self-signed-issuer
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
   selfSigned: {}
 ---
@@ -15,7 +15,7 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: {{ include "ingress-nginx.fullname" . }}-root-cert
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
   secretName: {{ include "ingress-nginx.fullname" . }}-root-cert
   duration: {{ .Values.controller.admissionWebhooks.certManager.rootCert.duration | default "43800h0m0s" | quote }}
@@ -32,7 +32,7 @@ apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   name: {{ include "ingress-nginx.fullname" . }}-root-issuer
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
   ca:
     secretName: {{ include "ingress-nginx.fullname" . }}-root-cert

charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.networkPolicyEnabled }}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -16,11 +16,11 @@ metadata:
 spec:
   podSelector:
     matchLabels:
-      {{- include "ingress-nginx.labels" . | nindent 6 }}
+      {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
       app.kubernetes.io/component: admission-webhook
   policyTypes:
-  - Ingress
+    - Ingress
-  - Egress
+    - Egress
   egress:
-  - {}
+    - {}
 {{- end }}

charts/ingress-nginx/templates/clusterrolebinding.yaml

@@ -15,5 +15,5 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "ingress-nginx.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace | quote }}
+    namespace: {{ (include "ingress-nginx.namespace" .) | quote }}
 {{- end }}

charts/ingress-nginx/templates/controller-configmap-addheaders.yaml

@@ -9,6 +9,6 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}-custom-add-headers
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 data: {{ toYaml .Values.controller.addHeaders | nindent 2 }}
 {{- end }}

charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml

@@ -9,6 +9,6 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 data: {{ toYaml .Values.controller.proxySetHeaders | nindent 2 }}
 {{- end }}

charts/ingress-nginx/templates/controller-configmap-tcp.yaml

@@ -12,6 +12,6 @@ metadata:
   annotations: {{ toYaml .Values.controller.tcp.annotations | nindent 4 }}
 {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}-tcp
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 data: {{ tpl (toYaml .Values.tcp) . | nindent 2 }}
 {{- end }}

charts/ingress-nginx/templates/controller-configmap-udp.yaml

@@ -12,6 +12,6 @@ metadata:
   annotations: {{ toYaml .Values.controller.udp.annotations | nindent 4 }}
 {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}-udp
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 data: {{ tpl (toYaml .Values.udp) . | nindent 2 }}
 {{- end }}

charts/ingress-nginx/templates/controller-configmap.yaml

@@ -11,17 +11,17 @@ metadata:
   annotations: {{ toYaml .Values.controller.configAnnotations | nindent 4 }}
 {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 data:
   allow-snippet-annotations: "{{ .Values.controller.allowSnippetAnnotations }}"
 {{- if .Values.controller.addHeaders }}
-  add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
+  add-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
 {{- end }}
 {{- if .Values.controller.proxySetHeaders }}
-  proxy-set-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
+  proxy-set-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
 {{- end }}
 {{- if .Values.dhParam }}
-  ssl-dh-param: {{ .Release.Namespace }}/{{ include "ingress-nginx.controller.fullname" . }}
+  ssl-dh-param: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.controller.fullname" . }}
 {{- end }}
 {{- range $key, $value := .Values.controller.config }}
   {{- $key | nindent 2 }}: {{ $value | quote }}

charts/ingress-nginx/templates/controller-daemonset.yaml

@@ -1,4 +1,4 @@
-{{- if or (eq .Values.controller.kind "DaemonSet") (eq .Values.controller.kind "Both") -}}
+{{- if eq .Values.controller.kind "DaemonSet" -}}
 {{- include  "isControllerTagValid" . -}}
 apiVersion: apps/v1
 kind: DaemonSet
@@ -10,7 +10,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
   {{- if .Values.controller.annotations }}
   annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
   {{- end }}
@@ -45,6 +45,9 @@ spec:
     {{- if .Values.controller.dnsConfig }}
       dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }}
     {{- end }}
+    {{- if .Values.controller.hostAliases }}
+      hostAliases: {{ tpl (toYaml .Values.controller.hostAliases) $ | nindent 8 }}
+    {{- end }}
     {{- if .Values.controller.hostname }}
       hostname: {{ toYaml .Values.controller.hostname | nindent 8 }}
     {{- end }}
@@ -53,12 +56,12 @@ spec:
       imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
     {{- end }}
     {{- if .Values.controller.priorityClassName }}
-      priorityClassName: {{ .Values.controller.priorityClassName }}
+      priorityClassName: {{ .Values.controller.priorityClassName | quote }}
     {{- end }}
     {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }}
       securityContext:
     {{- end }}
-    {{- if .Values.controller.podSecurityContext  }}
+    {{- if .Values.controller.podSecurityContext }}
         {{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
     {{- end }}
     {{- if .Values.controller.sysctls }}
@@ -143,11 +146,15 @@ spec:
               hostPort: {{ $key }}
               {{- end }}
           {{- end }}
-        {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }}
+        {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
           volumeMounts:
-          {{- if .Values.controller.extraModules }}
+          {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
             - name: modules
+            {{ if .Values.controller.image.chroot }}
+              mountPath: /chroot/modules_mount
+            {{ else }}
               mountPath: /modules_mount
+            {{ end }}
           {{- end }}
           {{- if .Values.controller.customTemplate.configMapName }}
             - mountPath: /etc/nginx/template
@@ -169,22 +176,21 @@ spec:
       {{- if .Values.controller.extraContainers }}
         {{ toYaml .Values.controller.extraContainers | nindent 8 }}
       {{- end }}
-
+    {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
-
-    {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }}
       initContainers:
       {{- if .Values.controller.extraInitContainers }}
         {{ toYaml .Values.controller.extraInitContainers | nindent 8 }}
       {{- end }}
       {{- if .Values.controller.extraModules }}
         {{- range .Values.controller.extraModules }}
-          {{ $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
+          {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
-{{ include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | indent 8 }}
+          {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | nindent 8 }}
         {{- end }}
       {{- end }}
       {{- if .Values.controller.opentelemetry.enabled}}
-          {{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
+          {{- $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
-          {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}}
+          {{ $otelResources := $.Values.controller.opentelemetry.resources | default dict }}
+          {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" true "resources" $otelResources) | nindent 8}}
       {{- end}}
     {{- end }}
     {{- if .Values.controller.hostNetwork }}
@@ -200,7 +206,7 @@ spec:
       affinity: {{ toYaml .Values.controller.affinity | nindent 8 }}
     {{- end }}
     {{- if .Values.controller.topologySpreadConstraints }}
-      topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }}
+      topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }}
     {{- end }}
       serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
       terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}

charts/ingress-nginx/templates/controller-deployment.yaml

@@ -1,4 +1,4 @@
-{{- if or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both") -}}
+{{- if eq .Values.controller.kind "Deployment" -}}
 {{- include  "isControllerTagValid" . -}}
 apiVersion: apps/v1
 kind: Deployment
@@ -10,7 +10,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
   {{- if .Values.controller.annotations }}
   annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
   {{- end }}
@@ -19,13 +19,12 @@ spec:
     matchLabels:
       {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
       app.kubernetes.io/component: controller
-  {{- if not .Values.controller.autoscaling.enabled }}
+  {{- if not (or .Values.controller.autoscaling.enabled .Values.controller.keda.enabled) }}
   replicas: {{ .Values.controller.replicaCount }}
   {{- end }}
   revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
   {{- if .Values.controller.updateStrategy }}
-  strategy:
+  strategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }}
-    {{ toYaml .Values.controller.updateStrategy | nindent 4 }}
   {{- end }}
   minReadySeconds: {{ .Values.controller.minReadySeconds }}
   template:
@@ -49,6 +48,9 @@ spec:
     {{- if .Values.controller.dnsConfig }}
       dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }}
     {{- end }}
+    {{- if .Values.controller.hostAliases }}
+      hostAliases: {{ tpl (toYaml .Values.controller.hostAliases) $ | nindent 8 }}
+    {{- end }}
     {{- if .Values.controller.hostname }}
       hostname: {{ toYaml .Values.controller.hostname | nindent 8 }}
     {{- end }}
@@ -184,13 +186,14 @@ spec:
       {{- end }}
       {{- if .Values.controller.extraModules }}
         {{- range .Values.controller.extraModules }}
-          {{ $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
+          {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
-{{ include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | indent 8 }}
+          {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | nindent 8 }}
         {{- end }}
       {{- end }}
       {{- if .Values.controller.opentelemetry.enabled}}
-          {{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
+          {{- $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
-          {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}}
+          {{ $otelResources := $.Values.controller.opentelemetry.resources | default dict }}
+          {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" true "resources" $otelResources) | nindent 8}}
       {{- end}}
     {{- end }}
     {{- if .Values.controller.hostNetwork }}
@@ -206,7 +209,7 @@ spec:
       affinity: {{ toYaml .Values.controller.affinity | nindent 8 }}
     {{- end }}
     {{- if .Values.controller.topologySpreadConstraints }}
-      topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }}
+      topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }}
     {{- end }}
       serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
       terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}

charts/ingress-nginx/templates/controller-hpa.yaml

@@ -1,4 +1,4 @@
-{{- if and (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) .Values.controller.autoscaling.enabled (not .Values.controller.keda.enabled) -}}
+{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled (not .Values.controller.keda.enabled) -}}
 apiVersion: {{ ternary "autoscaling/v2" "autoscaling/v2beta2" (.Capabilities.APIVersions.Has "autoscaling/v2") }}
 kind: HorizontalPodAutoscaler
 metadata:
@@ -12,7 +12,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
   scaleTargetRef:
     apiVersion: apps/v1
@@ -21,14 +21,6 @@ spec:
   minReplicas: {{ .Values.controller.autoscaling.minReplicas }}
   maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }}
   metrics:
-  {{- with .Values.controller.autoscaling.targetCPUUtilizationPercentage }}
-  - type: Resource
-    resource:
-      name: cpu
-      target:
-        type: Utilization
-        averageUtilization: {{ . }}
-  {{- end }}
   {{- with .Values.controller.autoscaling.targetMemoryUtilizationPercentage }}
   - type: Resource
     resource:
@@ -37,6 +29,14 @@ spec:
         type: Utilization
         averageUtilization: {{ . }}
   {{- end }}
+  {{- with .Values.controller.autoscaling.targetCPUUtilizationPercentage }}
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: {{ . }}
+  {{- end }}
   {{- with .Values.controller.autoscalingTemplate }}
   {{- toYaml . | nindent 2 }}
   {{- end }}

charts/ingress-nginx/templates/controller-keda.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.controller.keda.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}}
+{{- if and .Values.controller.keda.enabled (eq .Values.controller.kind "Deployment") -}}
 # https://keda.sh/docs/
 
 apiVersion: {{ .Values.controller.keda.apiVersion }}
@@ -25,6 +25,11 @@ spec:
   cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }}
   minReplicaCount: {{ .Values.controller.keda.minReplicas }}
   maxReplicaCount: {{ .Values.controller.keda.maxReplicas }}
+{{- with .Values.controller.keda.fallback }}
+  fallback:
+    failureThreshold: {{ .failureThreshold | default 3 }}
+    replicas: {{ .replicas | default $.Values.controller.keda.maxReplicas }}
+{{- end }}
   triggers:
 {{- with .Values.controller.keda.triggers }}
 {{ toYaml . | indent 2 }}

charts/ingress-nginx/templates/controller-networkpolicy.yaml

@@ -0,0 +1,45 @@
+{{- if .Values.controller.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+    {{- with .Values.controller.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  name: {{ include "ingress-nginx.controller.fullname" . }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: controller
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - ports:
+      {{- range $key, $value := .Values.controller.containerPort }}
+        - protocol: TCP
+          port: {{ $value }}
+      {{- end }}
+      {{- if .Values.controller.metrics.enabled }}
+        - protocol: TCP
+          port: {{ .Values.controller.metrics.port }}
+      {{- end }}
+      {{- if .Values.controller.admissionWebhooks.enabled }}
+        - protocol: TCP
+          port: {{ .Values.controller.admissionWebhooks.port }}
+      {{- end }}
+      {{- range $key, $value := .Values.tcp }}
+        - protocol: TCP
+          port: {{ $key }}
+      {{- end }}
+      {{- range $key, $value := .Values.udp }}
+        - protocol: UDP
+          port: {{ $key }}
+      {{- end }}
+  egress:
+    - {}
+{{- end }}

charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
   {{- if .Values.controller.annotations }}
   annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
   {{- end }}
@@ -18,7 +18,7 @@ spec:
     matchLabels:
       {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
       app.kubernetes.io/component: controller
-  {{- if .Values.controller.minAvailable }}
+  {{- if and .Values.controller.minAvailable (not (hasKey .Values.controller "maxUnavailable")) }}
   minAvailable: {{ .Values.controller.minAvailable }}
   {{- else if .Values.controller.maxUnavailable }}
   maxUnavailable: {{ .Values.controller.maxUnavailable }}

charts/ingress-nginx/templates/controller-role.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 rules:
   - apiGroups:
       - ""

charts/ingress-nginx/templates/controller-rolebinding.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -17,5 +17,5 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "ingress-nginx.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace | quote }}
+    namespace: {{ (include "ingress-nginx.namespace" .) | quote }}
 {{- end }}

charts/ingress-nginx/templates/controller-secret.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 data:
   dhparam.pem: {{ .Values.dhParam }}
 {{- end }}

charts/ingress-nginx/templates/controller-service-internal.yaml

@@ -4,7 +4,7 @@ kind: Service
 metadata:
   annotations:
   {{- range $key, $value := .Values.controller.service.internal.annotations }}
-    {{ $key }}: {{ $value | quote }}
+    {{ $key }}: {{ tpl ($value | toString) $ | quote }}
   {{- end }}
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}

charts/ingress-nginx/templates/controller-service.yaml

@@ -4,7 +4,7 @@ kind: Service
 metadata:
   annotations:
   {{- range $key, $value := .Values.controller.service.annotations }}
-    {{ $key }}: {{ $value | quote }}
+    {{ $key }}: {{ tpl ($value | toString) $ | quote }}
   {{- end }}
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
@@ -13,7 +13,7 @@ metadata:
     {{- toYaml .Values.controller.service.labels | nindent 4 }}
   {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
   type: {{ .Values.controller.service.type }}
 {{- if .Values.controller.service.clusterIP }}
@@ -28,6 +28,9 @@ spec:
 {{- if .Values.controller.service.loadBalancerSourceRanges }}
   loadBalancerSourceRanges: {{ toYaml .Values.controller.service.loadBalancerSourceRanges | nindent 4 }}
 {{- end }}
+{{- if .Values.controller.service.loadBalancerClass }}
+  loadBalancerClass: {{ .Values.controller.service.loadBalancerClass }}
+{{- end }}
 {{- if .Values.controller.service.externalTrafficPolicy }}
   externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }}
 {{- end }}

charts/ingress-nginx/templates/controller-serviceaccount.yaml

@@ -9,10 +9,9 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ template "ingress-nginx.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
   {{- if .Values.serviceAccount.annotations }}
-  annotations:
+  annotations: {{ toYaml .Values.serviceAccount.annotations | nindent 4 }}
-  {{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
   {{- end }}
 automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 {{- end }}

charts/ingress-nginx/templates/controller-servicemonitor.yaml

@@ -5,6 +5,8 @@ metadata:
   name: {{ include "ingress-nginx.controller.fullname" . }}
 {{- if .Values.controller.metrics.serviceMonitor.namespace }}
   namespace: {{ .Values.controller.metrics.serviceMonitor.namespace | quote }}
+{{- else }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 {{- end }}
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
@@ -33,7 +35,7 @@ spec:
 {{- else }}
   namespaceSelector:
     matchNames:
-      - {{ .Release.Namespace }}
+      - {{ include "ingress-nginx.namespace" . }}
 {{- end }}
 {{- if .Values.controller.metrics.serviceMonitor.targetLabels }}
   targetLabels:

charts/ingress-nginx/templates/controller-webhooks-networkpolicy.yaml

@@ -1,19 +0,0 @@
-{{- if .Values.controller.admissionWebhooks.enabled }}
-{{- if .Values.controller.admissionWebhooks.networkPolicyEnabled }}
-
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: {{ include "ingress-nginx.fullname" . }}-webhooks-allow
-  namespace: {{ .Release.Namespace }}
-spec:
-  ingress:
-  - {}
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/name: {{ include "ingress-nginx.name" . }}
-  policyTypes:
-    - Ingress
-
-{{- end }}
-{{- end }}

charts/ingress-nginx/templates/default-backend-deployment.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
   selector:
     matchLabels:

charts/ingress-nginx/templates/default-backend-hpa.yaml

@@ -12,7 +12,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
   scaleTargetRef:
     apiVersion: apps/v1

charts/ingress-nginx/templates/default-backend-networkpolicy.yaml

@@ -0,0 +1,25 @@
+{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: default-backend
+    {{- with .Values.defaultBackend.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: default-backend
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: {{ .Values.defaultBackend.port }}
+{{- end }}

charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml

@@ -10,7 +10,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
   selector:
     matchLabels:

charts/ingress-nginx/templates/default-backend-role.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}-backend
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 rules:
   - apiGroups:      [{{ template "podSecurityPolicy.apiGroup" . }}]
     resources:      ['podsecuritypolicies']

charts/ingress-nginx/templates/default-backend-rolebinding.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}-backend
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -17,5 +17,5 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace | quote }}
+    namespace: {{ (include "ingress-nginx.namespace" .) | quote }}
 {{- end }}

charts/ingress-nginx/templates/default-backend-service.yaml

@@ -12,7 +12,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
   type: {{ .Values.defaultBackend.service.type }}
 {{- if .Values.defaultBackend.service.clusterIP }}

charts/ingress-nginx/templates/default-backend-serviceaccount.yaml

@@ -9,6 +9,6 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "ingress-nginx.namespace" . }}
 automountServiceAccountToken: {{ .Values.defaultBackend.serviceAccount.automountServiceAccountToken }}
 {{- end }}

charts/ingress-nginx/values.yaml

@@ -7,6 +7,9 @@
 # nameOverride:
 # fullnameOverride:
 
+# -- Override the deployment namespace; defaults to .Release.Namespace
+namespaceOverride: ""
+
 ## Labels to apply to all resources
 ##
 commonLabels: {}
@@ -15,6 +18,7 @@ commonLabels: {}
 
 controller:
   name: controller
+  enableAnnotationValidations: false
   image:
     ## Keep false as default for now!
     chroot: false
@@ -23,9 +27,9 @@ controller:
     ## for backwards compatibility consider setting the full image url via the repository value below
     ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
     ## repository:
-    tag: "v1.7.1"
+    tag: "v1.9.4"
-    digest: sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407
+    digest: sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
-    digestChroot: sha256:e35d5ab487861b9d419c570e3530589229224a0762c7b4d2e2222434abb8d988
+    digestChroot: sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26
     pullPolicy: IfNotPresent
     # www-data -> uid 101
     runAsUser: 101
@@ -48,6 +52,16 @@ controller:
   addHeaders: {}
   # -- Optionally customize the pod dnsConfig.
   dnsConfig: {}
+  # -- Optionally customize the pod hostAliases.
+  hostAliases: []
+  # - ip: 127.0.0.1
+  #   hostnames:
+  #   - foo.local
+  #   - bar.local
+  # - ip: 10.1.2.3
+  #   hostnames:
+  #   - foo.remote
+  #   - bar.remote
   # -- Optionally customize the pod hostname.
   hostname: {}
   # -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'.
@@ -63,14 +77,14 @@ controller:
   watchIngressWithoutClass: false
   # -- Process IngressClass per name (additionally as per spec.controller).
   ingressClassByName: false
-  # -- This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto"
+  # -- This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto"
   # Defaults to false
   enableTopologyAwareRouting: false
   # -- This configuration defines if Ingress Controller should allow users to set
   # their own *-snippet annotations, otherwise this is forbidden / dropped
   # when users add those annotations.
   # Global snippets in ConfigMap are still respected
-  allowSnippetAnnotations: true
+  allowSnippetAnnotations: false
   # -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
   # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920
   # is merged
@@ -85,6 +99,10 @@ controller:
       http: 80
       # -- 'hostPort' https port
       https: 443
+  # NetworkPolicy for controller component.
+  networkPolicy:
+    # -- Enable 'networkPolicy' or not
+    enabled: false
   # -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader'
   electionID: ""
   ## This section refers to the creation of the IngressClass resource
@@ -245,19 +263,29 @@ controller:
   ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
   ##
   topologySpreadConstraints: []
-  # - maxSkew: 1
+  # - labelSelector:
-  #   topologyKey: topology.kubernetes.io/zone
-  #   whenUnsatisfiable: DoNotSchedule
-  #   labelSelector:
   #     matchLabels:
-  #       app.kubernetes.io/instance: ingress-nginx-internal
+  #       app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+  #       app.kubernetes.io/instance: '{{ .Release.Name }}'
+  #       app.kubernetes.io/component: controller
+  #   topologyKey: topology.kubernetes.io/zone
+  #   maxSkew: 1
+  #   whenUnsatisfiable: ScheduleAnyway
+  # - labelSelector:
+  #     matchLabels:
+  #       app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+  #       app.kubernetes.io/instance: '{{ .Release.Name }}'
+  #       app.kubernetes.io/component: controller
+  #   topologyKey: kubernetes.io/hostname
+  #   maxSkew: 1
+  #   whenUnsatisfiable: ScheduleAnyway
 
   # -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready
   ## wait up to five minutes for the drain of connections
   ##
   terminationGracePeriodSeconds: 300
   # -- Node labels for controller pod assignment
-  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
   ##
   nodeSelector:
     kubernetes.io/os: linux
@@ -308,9 +336,10 @@ controller:
   ##
   podAnnotations: {}
   replicaCount: 1
-  # -- Define either 'minAvailable' or 'maxUnavailable', never both.
+  # -- Minimum available pods set in PodDisruptionBudget.
+  # Define either 'minAvailable' or 'maxUnavailable', never both.
   minAvailable: 1
-  # -- Define either 'minAvailable' or 'maxUnavailable', never both.
+  # -- Maximum unavalaile pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
   # maxUnavailable: 1
 
   ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes
@@ -367,6 +396,9 @@ controller:
     maxReplicas: 11
     pollingInterval: 30
     cooldownPeriod: 300
+    # fallback:
+    #   failureThreshold: 3
+    #   replicas: 11
     restoreToOriginalReplicaCount: false
     scaledObject:
       annotations: {}
@@ -411,17 +443,20 @@ controller:
     # Will be ignored for Kubernetes versions older than 1.20
     ##
     appProtocol: true
+    # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine.
     annotations: {}
     labels: {}
     # clusterIP: ""
 
     # -- List of IP addresses at which the controller services are available
-    ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
+    ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
     ##
     externalIPs: []
     # -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
     loadBalancerIP: ""
     loadBalancerSourceRanges: []
+    # -- Used by cloud providers to select a load balancer implementation other than the cloud provider default. https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
+    loadBalancerClass: ""
     enableHttp: true
     enableHttps: true
     ## Set external traffic policy to: "Local" to preserve source IP on providers supporting it.
@@ -470,10 +505,10 @@ controller:
     internal:
       # -- Enables an additional internal load balancer (besides the external one).
       enabled: false
-      # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service.
+      # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine.
       annotations: {}
-      # loadBalancerIP: ""
+      # -- Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS.
-
+      loadBalancerIP: ""
       # -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0.
       loadBalancerSourceRanges: []
       ## Set external traffic policy to: "Local" to preserve source IP on
@@ -550,9 +585,10 @@ controller:
 
   opentelemetry:
     enabled: false
-    image: registry.k8s.io/ingress-nginx/opentelemetry:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:40f766ac4a9832f36f217bb0e98d44c8d38faeccbfe861fbc1a76af7e9ab257f
+    image: registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472
     containerSecurityContext:
       allowPrivilegeEscalation: false
+    resources: {}
   admissionWebhooks:
     annotations: {}
     # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem".
@@ -581,7 +617,6 @@ controller:
     labels: {}
     # -- Use an existing PSP instead of creating one
     existingPsp: ""
-    networkPolicyEnabled: false
     service:
       annotations: {}
       # clusterIP: ""
@@ -614,8 +649,8 @@ controller:
         ## for backwards compatibility consider setting the full image url via the repository value below
         ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
         ## repository:
-        tag: v20230312-helm-chart-4.5.2-28-g66a760794
+        tag: v20231011-8b53cabe0
-        digest: sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f
+        digest: sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80
         pullPolicy: IfNotPresent
       # -- Provide a priority class name to the webhook patching job
       ##
@@ -657,7 +692,7 @@ controller:
       # clusterIP: ""
 
       # -- List of IP addresses at which the stats-exporter service is available
-      ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
+      ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
       ##
       externalIPs: []
       # loadBalancerIP: ""
@@ -675,7 +710,7 @@ controller:
       ## jobLabel: "app.kubernetes.io/name"
       namespace: ""
       namespaceSelector: {}
-      ## Default: scrape .Release.Namespace only
+      ## Default: scrape .Release.Namespace or namespaceOverride only
       ## To scrape all, use the following:
       ## namespaceSelector:
       ##   any: true
@@ -817,7 +852,7 @@ defaultBackend:
   #  key: value
 
   # -- Node labels for default backend pod assignment
-  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
   ##
   nodeSelector:
     kubernetes.io/os: linux
@@ -851,12 +886,16 @@ defaultBackend:
     maxReplicas: 2
     targetCPUUtilizationPercentage: 50
     targetMemoryUtilizationPercentage: 50
+  # NetworkPolicy for default backend component.
+  networkPolicy:
+    # -- Enable 'networkPolicy' or not
+    enabled: false
   service:
     annotations: {}
     # clusterIP: ""
 
     # -- List of IP addresses at which the default backend service is available
-    ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
+    ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
     ##
     externalIPs: []
     # loadBalancerIP: ""

cmd/dataplane/main.go

@@ -18,10 +18,8 @@ package main
 
 import (
 	"fmt"
-	"math/rand" // #nosec
 	"net/http"
 	"os"
-	"time"
 
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/collectors"
@@ -41,8 +39,6 @@ import (
 func main() {
 	klog.InitFlags(nil)
 
-	rand.Seed(time.Now().UnixNano())
-
 	fmt.Println(version.String())
 	var err error
 	showVersion, conf, err := ingressflags.ParseFlags()

cmd/dbg/main.go

@@ -114,7 +114,6 @@ func main() {
 		fmt.Println(err)
 		os.Exit(1)
 	}
-
 }
 
 func backendsAll() {
@@ -155,10 +154,16 @@ func backendsList() {
 		fmt.Println(unmarshalErr)
 		return
 	}
-	backends := f.([]interface{})
+	backends, ok := f.([]interface{})
+	if !ok {
+		fmt.Printf("unexpected type: %T", f)
+	}
 
 	for _, backendi := range backends {
-		backend := backendi.(map[string]interface{})
+		backend, ok := backendi.(map[string]interface{})
+		if !ok {
+			fmt.Printf("unexpected type: %T", backendi)
+		}
 		fmt.Println(backend["name"].(string))
 	}
 }
@@ -180,12 +185,22 @@ func backendsGet(name string) {
 		fmt.Println(unmarshalErr)
 		return
 	}
-	backends := f.([]interface{})
+	backends, ok := f.([]interface{})
+	if !ok {
+		fmt.Printf("unexpected type: %T", f)
+	}
 
 	for _, backendi := range backends {
-		backend := backendi.(map[string]interface{})
+		backend, ok := backendi.(map[string]interface{})
+		if !ok {
+			fmt.Printf("unexpected type: %T", backendi)
+		}
 		if backend["name"].(string) == name {
-			printed, _ := json.MarshalIndent(backend, "", "  ")
+			printed, err := json.MarshalIndent(backend, "", "  ")
+			if err != nil {
+				fmt.Println(err)
+				return
+			}
 			fmt.Println(string(printed))
 			return
 		}
@@ -213,18 +228,7 @@ func certGet(host string) {
 }
 
 func general() {
-	//TODO: refactor to obtain ingress-nginx pod count from the api server
+	// TODO: refactor to obtain ingress-nginx pod count from the api server
-	/*
-		statusCode, body, requestErr := nginx.NewGetStatusRequest(generalPath)
-		if requestErr != nil {
-			fmt.Println(requestErr)
-			return
-		}
-		if statusCode != 200 {
-			fmt.Printf("Nginx returned code %v\n", statusCode)
-			return
-		}
-	*/
 
 	var prettyBuffer bytes.Buffer
 	indentErr := json.Indent(&prettyBuffer, []byte("{}"), "", "  ")

cmd/nginx/logger.go

@@ -47,5 +47,4 @@ func logger(address string) {
 
 	server.Wait()
 	klog.Infof("Stopping logger")
-
 }

cmd/nginx/main.go

@@ -19,7 +19,6 @@ package main
 import (
 	"context"
 	"fmt"
-	"math/rand" // #nosec
 	"net/http"
 	"os"
 	"path/filepath"
@@ -54,8 +53,6 @@ import (
 func main() {
 	klog.InitFlags(nil)
 
-	rand.Seed(time.Now().UnixNano())
-
 	fmt.Println(version.String())
 
 	showVersion, conf, err := ingressflags.ParseFlags()
@@ -156,7 +153,6 @@ func main() {
 	if errExists == nil {
 		conf.IsChroot = true
 		go logger(conf.InternalLoggerAddress)
-
 	}
 
 	go metrics.StartHTTPServer(conf.HealthCheckHost, conf.ListenPorts.Health, mux)
@@ -285,10 +281,10 @@ func checkService(key string, kubeClient *kubernetes.Clientset) error {
 		}
 
 		if errors.IsNotFound(err) {
-			return fmt.Errorf("No service with name %v found in namespace %v: %v", name, ns, err)
+			return fmt.Errorf("no service with name %v found in namespace %v: %v", name, ns, err)
 		}
 
-		return fmt.Errorf("Unexpected error searching service with name %v in namespace %v: %v", name, ns, err)
+		return fmt.Errorf("unexpected error searching service with name %v in namespace %v: %v", name, ns, err)
 	}
 
 	return nil

cmd/nginx/main_test.go

@@ -47,7 +47,7 @@ func TestCreateApiserverClient(t *testing.T) {
 func init() {
 	// the default value of nginx.TemplatePath assumes the template exists in
 	// the root filesystem and not in the rootfs directory
-	path, err := filepath.Abs(filepath.Join("../../rootfs/", nginx.TemplatePath))
+	path, err := filepath.Abs(filepath.Join("..", "..", "rootfs", nginx.TemplatePath))
 	if err == nil {
 		nginx.TemplatePath = path
 	}
@@ -87,14 +87,14 @@ func TestHandleSigterm(t *testing.T) {
 
 	ingressflags.ResetForTesting(func() { t.Fatal("bad parse") })
 
-	os.Setenv("POD_NAME", podName)
+	t.Setenv("POD_NAME", podName)
-	os.Setenv("POD_NAMESPACE", namespace)
+	t.Setenv("POD_NAMESPACE", namespace)
 
 	oldArgs := os.Args
 
 	defer func() {
-		os.Setenv("POD_NAME", "")
+		t.Setenv("POD_NAME", "")
-		os.Setenv("POD_NAMESPACE", "")
+		t.Setenv("POD_NAMESPACE", "")
 		os.Args = oldArgs
 	}()
 

cmd/plugin/commands/backends/backends.go

@@ -63,13 +63,14 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command {
 	return cmd
 }
 
-func backends(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, container string, backend string, onlyList bool) error {
+func backends(flags *genericclioptions.ConfigFlags, podName, deployment, selector, container, backend string, onlyList bool) error {
 	var command []string
-	if onlyList {
+	switch {
+	case onlyList:
 		command = []string{"/dbg", "backends", "list"}
-	} else if backend != "" {
+	case backend != "":
 		command = []string{"/dbg", "backends", "get", backend}
-	} else {
+	default:
 		command = []string{"/dbg", "backends", "all"}
 	}
 

cmd/plugin/commands/certs/certs.go

@@ -18,6 +18,7 @@ package certs
 
 import (
 	"fmt"
+	"os"
 
 	"github.com/spf13/cobra"
 
@@ -46,7 +47,10 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command {
 	}
 
 	cmd.Flags().String("host", "", "Get the cert for this hostname")
-	cobra.MarkFlagRequired(cmd.Flags(), "host")
+	if err := cobra.MarkFlagRequired(cmd.Flags(), "host"); err != nil {
+		util.PrintError(err)
+		os.Exit(1)
+	}
 	pod = util.AddPodFlag(cmd)
 	deployment = util.AddDeploymentFlag(cmd)
 	selector = util.AddSelectorFlag(cmd)
@@ -55,7 +59,7 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command {
 	return cmd
 }
 
-func certs(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, container string, host string) error {
+func certs(flags *genericclioptions.ConfigFlags, podName, deployment, selector, container, host string) error {
 	command := []string{"/dbg", "certs", "get", host}
 
 	pod, err := request.ChoosePod(flags, podName, deployment, selector)

cmd/plugin/commands/conf/conf.go

@@ -55,7 +55,7 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command {
 	return cmd
 }
 
-func conf(flags *genericclioptions.ConfigFlags, host string, podName string, deployment string, selector string, container string) error {
+func conf(flags *genericclioptions.ConfigFlags, host, podName, deployment, selector, container string) error {
 	pod, err := request.ChoosePod(flags, podName, deployment, selector)
 	if err != nil {
 		return err

cmd/plugin/commands/exec/exec.go

@@ -55,7 +55,7 @@ type execFlags struct {
 	Stdin bool
 }
 
-func exec(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, container string, cmd []string, opts execFlags) error {
+func exec(flags *genericclioptions.ConfigFlags, podName, deployment, selector, container string, cmd []string, opts execFlags) error {
 	pod, err := request.ChoosePod(flags, podName, deployment, selector)
 	if err != nil {
 		return err

cmd/plugin/commands/general/general.go

@@ -47,7 +47,7 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command {
 	return cmd
 }
 
-func general(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, container string) error {
+func general(flags *genericclioptions.ConfigFlags, podName, deployment, selector, container string) error {
 	pod, err := request.ChoosePod(flags, podName, deployment, selector)
 	if err != nil {
 		return err

cmd/plugin/commands/ingresses/ingresses.go

@@ -74,9 +74,9 @@ func ingresses(flags *genericclioptions.ConfigFlags, host string, allNamespaces
 
 	if host != "" {
 		rowsWithHost := make([]ingressRow, 0)
-		for _, row := range rows {
+		for i := range rows {
-			if row.Host == host {
+			if rows[i].Host == host {
-				rowsWithHost = append(rowsWithHost, row)
+				rowsWithHost = append(rowsWithHost, rows[i])
 			}
 		}
 		rows = rowsWithHost
@@ -91,7 +91,8 @@ func ingresses(flags *genericclioptions.ConfigFlags, host string, allNamespaces
 		fmt.Fprintln(printer, "INGRESS NAME\tHOST+PATH\tADDRESSES\tTLS\tSERVICE\tSERVICE PORT\tENDPOINTS")
 	}
 
-	for _, row := range rows {
+	for i := range rows {
+		row := &rows[i]
 		var tlsMsg string
 		if row.TLS {
 			tlsMsg = "YES"
@@ -134,8 +135,8 @@ type ingressRow struct {
 func getIngressRows(ingresses *[]networking.Ingress) []ingressRow {
 	rows := make([]ingressRow, 0)
 
-	for _, ing := range *ingresses {
+	for i := range *ingresses {
-
+		ing := &(*ingresses)[i]
 		address := ""
 		for _, lbIng := range ing.Status.LoadBalancer.Ingress {
 			if len(lbIng.IP) > 0 {
@@ -182,7 +183,7 @@ func getIngressRows(ingresses *[]networking.Ingress) []ingressRow {
 		for _, rule := range ing.Spec.Rules {
 			_, hasTLS := tlsHosts[rule.Host]
 
-			//Handle ingress with no paths
+			// Handle ingress with no paths
 			if rule.HTTP == nil {
 				row := ingressRow{
 					Namespace:   ing.Namespace,

cmd/plugin/commands/ingresses/ingresses_test.go

@@ -24,7 +24,6 @@ import (
 )
 
 func TestGetIngressInformation(t *testing.T) {
-
 	testcases := map[string]struct {
 		ServiceBackend *networking.IngressServiceBackend
 		wantName       string

cmd/plugin/commands/lint/main.go

@@ -111,11 +111,13 @@ type lintOptions struct {
 }
 
 func (opts *lintOptions) Validate() error {
+	//nolint:dogsled // Ignore 3 blank identifiers
 	_, _, _, err := util.ParseVersionString(opts.versionFrom)
 	if err != nil {
 		return err
 	}
 
+	//nolint:dogsled // Ignore 3 blank identifiers
 	_, _, _, err = util.ParseVersionString(opts.versionTo)
 	if err != nil {
 		return err
@@ -131,9 +133,9 @@ type lint interface {
 	Version() string
 }
 
-func checkObjectArray(lints []lint, objects []kmeta.Object, opts lintOptions) {
+func checkObjectArray(allLints []lint, objects []kmeta.Object, opts lintOptions) {
 	usedLints := make([]lint, 0)
-	for _, lint := range lints {
+	for _, lint := range allLints {
 		lintVersion := lint.Version()
 		if lint.Version() == "" {
 			lintVersion = "0.0.0"
@@ -189,7 +191,7 @@ func ingresses(opts lintOptions) error {
 		return err
 	}
 
-	var iLints []lints.IngressLint = lints.GetIngressLints()
+	iLints := lints.GetIngressLints()
 	genericLints := make([]lint, len(iLints))
 	for i := range iLints {
 		genericLints[i] = iLints[i]
@@ -216,7 +218,7 @@ func deployments(opts lintOptions) error {
 		return err
 	}
 
-	var iLints []lints.DeploymentLint = lints.GetDeploymentLints()
+	iLints := lints.GetDeploymentLints()
 	genericLints := make([]lint, len(iLints))
 	for i := range iLints {
 		genericLints[i] = iLints[i]

cmd/plugin/commands/logs/logs.go

@@ -95,7 +95,7 @@ func (o *logsFlags) toStrings() []string {
 	return r
 }
 
-func logs(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, container string, opts logsFlags) error {
+func logs(flags *genericclioptions.ConfigFlags, podName, deployment, selector, container string, opts logsFlags) error {
 	pod, err := request.ChoosePod(flags, podName, deployment, selector)
 	if err != nil {
 		return err

cmd/plugin/commands/ssh/ssh.go

@@ -45,7 +45,7 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command {
 	return cmd
 }
 
-func ssh(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, container string) error {
+func ssh(flags *genericclioptions.ConfigFlags, podName, deployment, selector, container string) error {
 	pod, err := request.ChoosePod(flags, podName, deployment, selector)
 	if err != nil {
 		return err

cmd/plugin/kubectl/kubectl.go

@@ -38,11 +38,11 @@ func PodExecString(flags *genericclioptions.ConfigFlags, pod *apiv1.Pod, contain
 
 // ExecToString runs a kubectl subcommand and returns stdout as a string
 func ExecToString(flags *genericclioptions.ConfigFlags, args []string) (string, error) {
-	kArgs := getKubectlConfigFlags(flags)
+	kubectlArgs := getKubectlConfigFlags(flags)
-	kArgs = append(kArgs, args...)
+	kubectlArgs = append(kubectlArgs, args...)
 
 	buf := bytes.NewBuffer(make([]byte, 0))
-	err := execToWriter(append([]string{"kubectl"}, kArgs...), buf)
+	err := execToWriter(append([]string{"kubectl"}, kubectlArgs...), buf)
 	if err != nil {
 		return "", err
 	}
@@ -51,9 +51,9 @@ func ExecToString(flags *genericclioptions.ConfigFlags, args []string) (string,
 
 // Exec replaces the current process with a kubectl invocation
 func Exec(flags *genericclioptions.ConfigFlags, args []string) error {
-	kArgs := getKubectlConfigFlags(flags)
+	kubectlArgs := getKubectlConfigFlags(flags)
-	kArgs = append(kArgs, args...)
+	kubectlArgs = append(kubectlArgs, args...)
-	return execCommand(append([]string{"kubectl"}, kArgs...))
+	return execCommand(append([]string{"kubectl"}, kubectlArgs...))
 }
 
 // Replaces the currently running process with the given command
@@ -70,6 +70,7 @@ func execCommand(args []string) error {
 
 // Runs a command and returns stdout
 func execToWriter(args []string, writer io.Writer) error {
+	//nolint:gosec // Ignore G204 error
 	cmd := exec.Command(args[0], args[1:]...)
 
 	op, err := cmd.StdoutPipe()
@@ -77,7 +78,9 @@ func execToWriter(args []string, writer io.Writer) error {
 		return err
 	}
 
-	go io.Copy(writer, op)
+	go func() {
+		io.Copy(writer, op) //nolint:errcheck // Ignore the error
+	}()
 	err = cmd.Run()
 	if err != nil {
 		return err
@@ -104,7 +107,6 @@ func getKubectlConfigFlags(flags *genericclioptions.ConfigFlags) []string {
 	appendStringFlag(o, flags.Password, "password")
 	appendStringFlag(o, flags.ClusterName, "cluster")
 	appendStringFlag(o, flags.AuthInfoName, "user")
-	//appendStringFlag(o, flags.Namespace, "namespace")
 	appendStringFlag(o, flags.Context, "context")
 	appendStringFlag(o, flags.APIServer, "server")
 	appendBoolFlag(o, flags.Insecure, "insecure-skip-tls-verify")
@@ -126,7 +128,7 @@ func appendBoolFlag(out *[]string, in *bool, flag string) {
 	}
 }
 
-func appendStringArrayFlag(out *[]string, in *[]string, flag string) {
+func appendStringArrayFlag(out, in *[]string, flag string) {
 	if in != nil && len(*in) > 0 {
 		*out = append(*out, fmt.Sprintf("--%v=%v'", flag, strings.Join(*in, ",")))
 	}

cmd/plugin/lints/deployment.go

@@ -35,7 +35,10 @@ type DeploymentLint struct {
 
 // Check returns true if the lint detects an issue
 func (lint DeploymentLint) Check(obj kmeta.Object) bool {
-	cmp := obj.(*v1.Deployment)
+	cmp, ok := obj.(*v1.Deployment)
+	if !ok {
+		util.PrintError(fmt.Errorf("unexpected type: %T", obj))
+	}
 	return lint.f(*cmp)
 }
 
@@ -72,11 +75,11 @@ func removedFlag(flag string, issueNumber int, version string) DeploymentLint {
 		issue:   issueNumber,
 		version: version,
 		f: func(dep v1.Deployment) bool {
-			if !isIngressNginxDeployment(dep) {
+			if !isIngressNginxDeployment(&dep) {
 				return false
 			}
 
-			args := getNginxArgs(dep)
+			args := getNginxArgs(&dep)
 			for _, arg := range args {
 				if strings.HasPrefix(arg, fmt.Sprintf("--%v", flag)) {
 					return true
@@ -88,8 +91,9 @@ func removedFlag(flag string, issueNumber int, version string) DeploymentLint {
 	}
 }
 
-func getNginxArgs(dep v1.Deployment) []string {
+func getNginxArgs(dep *v1.Deployment) []string {
-	for _, container := range dep.Spec.Template.Spec.Containers {
+	for i := range dep.Spec.Template.Spec.Containers {
+		container := &dep.Spec.Template.Spec.Containers[i]
 		if len(container.Args) > 0 && container.Args[0] == "/nginx-ingress-controller" {
 			return container.Args
 		}
@@ -97,10 +101,10 @@ func getNginxArgs(dep v1.Deployment) []string {
 	return make([]string, 0)
 }
 
-func isIngressNginxDeployment(dep v1.Deployment) bool {
+func isIngressNginxDeployment(dep *v1.Deployment) bool {
 	containers := dep.Spec.Template.Spec.Containers
-	for _, container := range containers {
+	for i := range containers {
-		if len(container.Args) > 0 && container.Args[0] == "/nginx-ingress-controller" {
+		if len(containers[i].Args) > 0 && containers[i].Args[0] == "/nginx-ingress-controller" {
 			return true
 		}
 	}

cmd/plugin/lints/ingress.go

@@ -30,13 +30,16 @@ type IngressLint struct {
 	message string
 	issue   int
 	version string
-	f       func(ing networking.Ingress) bool
+	f       func(ing *networking.Ingress) bool
 }
 
 // Check returns true if the lint detects an issue
 func (lint IngressLint) Check(obj kmeta.Object) bool {
-	ing := obj.(*networking.Ingress)
+	ing, ok := obj.(*networking.Ingress)
-	return lint.f(*ing)
+	if !ok {
+		util.PrintError(fmt.Errorf("unexpected type: %T", obj))
+	}
+	return lint.f(ing)
 }
 
 // Message is a description of the lint
@@ -94,7 +97,7 @@ func GetIngressLints() []IngressLint {
 	}
 }
 
-func xForwardedPrefixIsBool(ing networking.Ingress) bool {
+func xForwardedPrefixIsBool(ing *networking.Ingress) bool {
 	for name, val := range ing.Annotations {
 		if strings.HasSuffix(name, "/x-forwarded-prefix") && (val == "true" || val == "false") {
 			return true
@@ -103,7 +106,7 @@ func xForwardedPrefixIsBool(ing networking.Ingress) bool {
 	return false
 }
 
-func annotationPrefixIsNginxCom(ing networking.Ingress) bool {
+func annotationPrefixIsNginxCom(ing *networking.Ingress) bool {
 	for name := range ing.Annotations {
 		if strings.HasPrefix(name, "nginx.com/") {
 			return true
@@ -112,7 +115,7 @@ func annotationPrefixIsNginxCom(ing networking.Ingress) bool {
 	return false
 }
 
-func annotationPrefixIsNginxOrg(ing networking.Ingress) bool {
+func annotationPrefixIsNginxOrg(ing *networking.Ingress) bool {
 	for name := range ing.Annotations {
 		if strings.HasPrefix(name, "nginx.org/") {
 			return true
@@ -121,7 +124,7 @@ func annotationPrefixIsNginxOrg(ing networking.Ingress) bool {
 	return false
 }
 
-func rewriteTargetWithoutCaptureGroup(ing networking.Ingress) bool {
+func rewriteTargetWithoutCaptureGroup(ing *networking.Ingress) bool {
 	for name, val := range ing.Annotations {
 		if strings.HasSuffix(name, "/rewrite-target") && !strings.Contains(val, "$1") {
 			return true
@@ -135,7 +138,7 @@ func removedAnnotation(annotationName string, issueNumber int, version string) I
 		message: fmt.Sprintf("Contains the removed %v annotation.", annotationName),
 		issue:   issueNumber,
 		version: version,
-		f: func(ing networking.Ingress) bool {
+		f: func(ing *networking.Ingress) bool {
 			for annotation := range ing.Annotations {
 				if strings.HasSuffix(annotation, "/"+annotationName) {
 					return true
@@ -146,7 +149,7 @@ func removedAnnotation(annotationName string, issueNumber int, version string) I
 	}
 }
 
-func satisfyDirective(ing networking.Ingress) bool {
+func satisfyDirective(ing *networking.Ingress) bool {
 	for name, val := range ing.Annotations {
 		if strings.HasSuffix(name, "/configuration-snippet") {
 			return strings.Contains(val, "satisfy")

cmd/plugin/main.go

@@ -24,7 +24,7 @@ import (
 
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 
-	//Just importing this is supposed to allow cloud authentication
+	// Just importing this is supposed to allow cloud authentication
 	// eg GCP, AWS, Azure ...
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 

cmd/plugin/request/request.go

@@ -35,7 +35,7 @@ import (
 )
 
 // ChoosePod finds a pod either by deployment or by name
-func ChoosePod(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string) (apiv1.Pod, error) {
+func ChoosePod(flags *genericclioptions.ConfigFlags, podName, deployment, selector string) (apiv1.Pod, error) {
 	if podName != "" {
 		return GetNamedPod(flags, podName)
 	}
@@ -54,9 +54,9 @@ func GetNamedPod(flags *genericclioptions.ConfigFlags, name string) (apiv1.Pod,
 		return apiv1.Pod{}, err
 	}
 
-	for _, pod := range allPods {
+	for i := range allPods {
-		if pod.Name == name {
+		if allPods[i].Name == name {
-			return pod, nil
+			return allPods[i], nil
 		}
 	}
 
@@ -132,7 +132,7 @@ func GetIngressDefinitions(flags *genericclioptions.ConfigFlags, namespace strin
 }
 
 // GetNumEndpoints counts the number of endpointslices adresses for the service with the given name
-func GetNumEndpoints(flags *genericclioptions.ConfigFlags, namespace string, serviceName string) (*int, error) {
+func GetNumEndpoints(flags *genericclioptions.ConfigFlags, namespace, serviceName string) (*int, error) {
 	epss, err := GetEndpointSlicesByName(flags, namespace, serviceName)
 	if err != nil {
 		return nil, err
@@ -143,25 +143,26 @@ func GetNumEndpoints(flags *genericclioptions.ConfigFlags, namespace string, ser
 	}
 
 	ret := 0
-	for _, eps := range epss {
+	for i := range epss {
-		for _, ep := range eps.Endpoints {
+		eps := &epss[i]
-			ret += len(ep.Addresses)
+		for j := range eps.Endpoints {
+			ret += len(eps.Endpoints[j].Addresses)
 		}
 	}
 	return &ret, nil
 }
 
 // GetEndpointSlicesByName returns the endpointSlices for the service with the given name
-func GetEndpointSlicesByName(flags *genericclioptions.ConfigFlags, namespace string, name string) ([]discoveryv1.EndpointSlice, error) {
+func GetEndpointSlicesByName(flags *genericclioptions.ConfigFlags, namespace, name string) ([]discoveryv1.EndpointSlice, error) {
 	allEndpointsSlices, err := getEndpointSlices(flags, namespace)
 	if err != nil {
 		return nil, err
 	}
 	var eps []discoveryv1.EndpointSlice
-	for _, slice := range allEndpointsSlices {
+	for i := range allEndpointsSlices {
-		if svcName, ok := slice.ObjectMeta.GetLabels()[discoveryv1.LabelServiceName]; ok {
+		if svcName, ok := allEndpointsSlices[i].ObjectMeta.GetLabels()[discoveryv1.LabelServiceName]; ok {
 			if svcName == name {
-				eps = append(eps, slice)
+				eps = append(eps, allEndpointsSlices[i])
 			}
 		}
 	}
@@ -182,7 +183,7 @@ func getEndpointSlices(flags *genericclioptions.ConfigFlags, namespace string) (
 		tryAllNamespacesEndpointSlicesCache(flags)
 	}
 
-	cachedEndpointSlices = tryFilteringEndpointSlicesFromAllNamespacesCache(flags, namespace)
+	cachedEndpointSlices = tryFilteringEndpointSlicesFromAllNamespacesCache(namespace)
 
 	if cachedEndpointSlices != nil {
 		return *cachedEndpointSlices, nil
@@ -217,13 +218,13 @@ func tryAllNamespacesEndpointSlicesCache(flags *genericclioptions.ConfigFlags) {
 	}
 }
 
-func tryFilteringEndpointSlicesFromAllNamespacesCache(flags *genericclioptions.ConfigFlags, namespace string) *[]discoveryv1.EndpointSlice {
+func tryFilteringEndpointSlicesFromAllNamespacesCache(namespace string) *[]discoveryv1.EndpointSlice {
 	allEndpointSlices := endpointSlicesCache[""]
 	if allEndpointSlices != nil {
 		endpointSlices := make([]discoveryv1.EndpointSlice, 0)
-		for _, slice := range *allEndpointSlices {
+		for i := range *allEndpointSlices {
-			if slice.Namespace == namespace {
+			if (*allEndpointSlices)[i].Namespace == namespace {
-				endpointSlices = append(endpointSlices, slice)
+				endpointSlices = append(endpointSlices, (*allEndpointSlices)[i])
 			}
 		}
 		endpointSlicesCache[namespace] = &endpointSlices
@@ -242,9 +243,9 @@ func GetServiceByName(flags *genericclioptions.ConfigFlags, name string, service
 		services = &servicesArray
 	}
 
-	for _, svc := range *services {
+	for i := range *services {
-		if svc.Name == name {
+		if (*services)[i].Name == name {
-			return svc, nil
+			return (*services)[i], nil
 		}
 	}
 
@@ -288,7 +289,6 @@ func getLabeledPods(flags *genericclioptions.ConfigFlags, label string) ([]apiv1
 	pods, err := api.Pods(namespace).List(context.TODO(), metav1.ListOptions{
 		LabelSelector: label,
 	})
-
 	if err != nil {
 		return make([]apiv1.Pod, 0), err
 	}
@@ -303,9 +303,9 @@ func getDeploymentPods(flags *genericclioptions.ConfigFlags, deployment string)
 	}
 
 	ingressPods := make([]apiv1.Pod, 0)
-	for _, pod := range pods {
+	for i := range pods {
-		if util.PodInDeployment(pod, deployment) {
+		if util.PodInDeployment(&pods[i], deployment) {
-			ingressPods = append(ingressPods, pod)
+			ingressPods = append(ingressPods, pods[i])
 		}
 	}
 
@@ -331,5 +331,4 @@ func getServices(flags *genericclioptions.ConfigFlags) ([]apiv1.Service, error)
 	}
 
 	return services.Items, nil
-
 }

cmd/plugin/util/util.go

@@ -29,8 +29,8 @@ import (
 
 // The default deployment and service names for ingress-nginx
 const (
-	DefaultIngressDeploymentName = "ingress-nginx-controller"
+	DefaultIngressDeploymentName = "ingress-nginx-controller" //#nosec G101
-	DefaultIngressServiceName    = "ingress-nginx-controller"
+	DefaultIngressServiceName    = "ingress-nginx-controller" //#nosec G101
 	DefaultIngressContainerName  = "controller"
 )
 
@@ -47,17 +47,25 @@ func PrintError(e error) {
 }
 
 // ParseVersionString returns the major, minor, and patch numbers of a version string
-func ParseVersionString(v string) (int, int, int, error) {
+func ParseVersionString(v string) (major, minor, patch int, err error) {
 	parts := versionRegex.FindStringSubmatch(v)
 
 	if len(parts) != 4 {
 		return 0, 0, 0, fmt.Errorf("could not parse %v as a version string (like 0.20.3)", v)
 	}
 
-	major, _ := strconv.Atoi(parts[1])
+	major, err = strconv.Atoi(parts[1])
-	minor, _ := strconv.Atoi(parts[2])
+	if err != nil {
-	patch, _ := strconv.Atoi(parts[3])
+		return 0, 0, 0, err
-
+	}
+	minor, err = strconv.Atoi(parts[2])
+	if err != nil {
+		return 0, 0, 0, err
+	}
+	patch, err = strconv.Atoi(parts[3])
+	if err != nil {
+		return 0, 0, 0, err
+	}
 	return major, minor, patch, nil
 }
 
@@ -90,7 +98,7 @@ func isVersionLessThan(a, b string) bool {
 
 // PodInDeployment returns whether a pod is part of a deployment with the given name
 // a pod is considered to be in {deployment} if it is owned by a replicaset with a name of format {deployment}-otherchars
-func PodInDeployment(pod apiv1.Pod, deployment string) bool {
+func PodInDeployment(pod *apiv1.Pod, deployment string) bool {
 	for _, owner := range pod.OwnerReferences {
 		if owner.Controller == nil || !*owner.Controller || owner.Kind != "ReplicaSet" {
 			continue
@@ -138,7 +146,7 @@ func AddContainerFlag(cmd *cobra.Command) *string {
 // GetNamespace takes a set of kubectl flag values and returns the namespace we should be operating in
 func GetNamespace(flags *genericclioptions.ConfigFlags) string {
 	namespace, _, err := flags.ToRawKubeConfigLoader().Namespace()
-	if err != nil || len(namespace) == 0 {
+	if err != nil || namespace == "" {
 		namespace = apiv1.NamespaceDefault
 	}
 	return namespace

deploy/static/provider/aws/deploy.yaml

@@ -15,7 +15,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -27,7 +27,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -39,7 +39,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -129,7 +129,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -148,7 +148,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -230,7 +230,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -249,7 +249,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -269,7 +269,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -288,7 +288,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -307,7 +307,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -320,7 +320,7 @@ subjects:
 ---
 apiVersion: v1
 data:
-  allow-snippet-annotations: "true"
+  allow-snippet-annotations: "false"
 kind: ConfigMap
 metadata:
   labels:
@@ -328,7 +328,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -344,7 +344,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -377,7 +377,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -400,7 +400,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -411,6 +411,10 @@ spec:
       app.kubernetes.io/component: controller
       app.kubernetes.io/instance: ingress-nginx
       app.kubernetes.io/name: ingress-nginx
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
   template:
     metadata:
       labels:
@@ -418,7 +422,7 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.7.1
+        app.kubernetes.io/version: 1.9.4
     spec:
       containers:
       - args:
@@ -442,7 +446,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407
+        image: registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -514,7 +518,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -525,7 +529,7 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.7.1
+        app.kubernetes.io/version: 1.9.4
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -539,7 +543,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f
+        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0@sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80
         imagePullPolicy: IfNotPresent
         name: create
         securityContext:
@@ -561,7 +565,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -572,7 +576,7 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.7.1
+        app.kubernetes.io/version: 1.9.4
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -588,7 +592,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f
+        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0@sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80
         imagePullPolicy: IfNotPresent
         name: patch
         securityContext:
@@ -610,11 +614,34 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.9.4
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+spec:
+  egress:
+  - {}
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: admission-webhook
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  policyTypes:
+  - Ingress
+  - Egress
+---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
@@ -623,7 +650,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:

deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml

@@ -15,7 +15,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -27,7 +27,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -39,7 +39,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -129,7 +129,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -148,7 +148,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -230,7 +230,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -249,7 +249,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -269,7 +269,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -288,7 +288,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -307,7 +307,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -320,7 +320,7 @@ subjects:
 ---
 apiVersion: v1
 data:
-  allow-snippet-annotations: "true"
+  allow-snippet-annotations: "false"
   http-snippet: |
     server {
       listen 2443;
@@ -335,7 +335,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -353,7 +353,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -386,7 +386,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -409,7 +409,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -420,6 +420,10 @@ spec:
       app.kubernetes.io/component: controller
       app.kubernetes.io/instance: ingress-nginx
       app.kubernetes.io/name: ingress-nginx
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
   template:
     metadata:
       labels:
@@ -427,7 +431,7 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.7.1
+        app.kubernetes.io/version: 1.9.4
     spec:
       containers:
       - args:
@@ -451,7 +455,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407
+        image: registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -526,7 +530,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -537,7 +541,7 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.7.1
+        app.kubernetes.io/version: 1.9.4
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -551,7 +555,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f
+        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0@sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80
         imagePullPolicy: IfNotPresent
         name: create
         securityContext:
@@ -573,7 +577,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -584,7 +588,7 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.7.1
+        app.kubernetes.io/version: 1.9.4
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -600,7 +604,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f
+        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0@sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80
         imagePullPolicy: IfNotPresent
         name: patch
         securityContext:
@@ -622,11 +626,34 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.9.4
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+spec:
+  egress:
+  - {}
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: admission-webhook
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  policyTypes:
+  - Ingress
+  - Egress
+---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
@@ -635,7 +662,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:

deploy/static/provider/baremetal/deploy.yaml

@@ -15,7 +15,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -27,7 +27,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -39,7 +39,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -129,7 +129,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -148,7 +148,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -230,7 +230,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -249,7 +249,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -269,7 +269,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -288,7 +288,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -307,7 +307,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -320,7 +320,7 @@ subjects:
 ---
 apiVersion: v1
 data:
-  allow-snippet-annotations: "true"
+  allow-snippet-annotations: "false"
 kind: ConfigMap
 metadata:
   labels:
@@ -328,7 +328,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -340,7 +340,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -372,7 +372,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -395,7 +395,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -406,6 +406,10 @@ spec:
       app.kubernetes.io/component: controller
       app.kubernetes.io/instance: ingress-nginx
       app.kubernetes.io/name: ingress-nginx
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
   template:
     metadata:
       labels:
@@ -413,7 +417,7 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.7.1
+        app.kubernetes.io/version: 1.9.4
     spec:
       containers:
       - args:
@@ -436,7 +440,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407
+        image: registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -508,7 +512,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -519,7 +523,7 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.7.1
+        app.kubernetes.io/version: 1.9.4
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -533,7 +537,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f
+        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0@sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80
         imagePullPolicy: IfNotPresent
         name: create
         securityContext:
@@ -555,7 +559,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -566,7 +570,7 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.7.1
+        app.kubernetes.io/version: 1.9.4
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -582,7 +586,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f
+        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0@sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80
         imagePullPolicy: IfNotPresent
         name: patch
         securityContext:
@@ -604,11 +608,34 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.9.4
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+spec:
+  egress:
+  - {}
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: admission-webhook
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  policyTypes:
+  - Ingress
+  - Egress
+---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
@@ -617,7 +644,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:

deploy/static/provider/cloud/deploy.yaml

@@ -15,7 +15,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -27,7 +27,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -39,7 +39,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -129,7 +129,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -148,7 +148,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -230,7 +230,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -249,7 +249,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -269,7 +269,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -288,7 +288,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -307,7 +307,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -320,7 +320,7 @@ subjects:
 ---
 apiVersion: v1
 data:
-  allow-snippet-annotations: "true"
+  allow-snippet-annotations: "false"
 kind: ConfigMap
 metadata:
   labels:
@@ -328,7 +328,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -340,7 +340,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -373,7 +373,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -396,7 +396,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -407,6 +407,10 @@ spec:
       app.kubernetes.io/component: controller
       app.kubernetes.io/instance: ingress-nginx
       app.kubernetes.io/name: ingress-nginx
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
   template:
     metadata:
       labels:
@@ -414,7 +418,7 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.7.1
+        app.kubernetes.io/version: 1.9.4
     spec:
       containers:
       - args:
@@ -438,7 +442,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407
+        image: registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -510,7 +514,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -521,7 +525,7 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.7.1
+        app.kubernetes.io/version: 1.9.4
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -535,7 +539,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f
+        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0@sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80
         imagePullPolicy: IfNotPresent
         name: create
         securityContext:
@@ -557,7 +561,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -568,7 +572,7 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.7.1
+        app.kubernetes.io/version: 1.9.4
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -584,7 +588,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f
+        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0@sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80
         imagePullPolicy: IfNotPresent
         name: patch
         securityContext:
@@ -606,11 +610,34 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.9.4
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+spec:
+  egress:
+  - {}
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: admission-webhook
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  policyTypes:
+  - Ingress
+  - Egress
+---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
@@ -619,7 +646,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:

deploy/static/provider/do/deploy.yaml

@@ -15,7 +15,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -27,7 +27,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -39,7 +39,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -129,7 +129,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -148,7 +148,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -230,7 +230,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -249,7 +249,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -269,7 +269,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -288,7 +288,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -307,7 +307,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -320,7 +320,7 @@ subjects:
 ---
 apiVersion: v1
 data:
-  allow-snippet-annotations: "true"
+  allow-snippet-annotations: "false"
   use-proxy-protocol: "true"
 kind: ConfigMap
 metadata:
@@ -329,7 +329,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -343,7 +343,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -376,7 +376,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -399,7 +399,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -410,6 +410,10 @@ spec:
       app.kubernetes.io/component: controller
       app.kubernetes.io/instance: ingress-nginx
       app.kubernetes.io/name: ingress-nginx
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
   template:
     metadata:
       labels:
@@ -417,7 +421,7 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.7.1
+        app.kubernetes.io/version: 1.9.4
     spec:
       containers:
       - args:
@@ -441,7 +445,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407
+        image: registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -513,7 +517,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -524,7 +528,7 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.7.1
+        app.kubernetes.io/version: 1.9.4
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -538,7 +542,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f
+        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0@sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80
         imagePullPolicy: IfNotPresent
         name: create
         securityContext:
@@ -560,7 +564,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -571,7 +575,7 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.7.1
+        app.kubernetes.io/version: 1.9.4
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -587,7 +591,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f
+        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0@sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80
         imagePullPolicy: IfNotPresent
         name: patch
         securityContext:
@@ -609,11 +613,34 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.9.4
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+spec:
+  egress:
+  - {}
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: admission-webhook
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  policyTypes:
+  - Ingress
+  - Egress
+---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
@@ -622,7 +649,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.7.1
+    app.kubernetes.io/version: 1.9.4
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions: