Merge branch 'main' into fix_namepaced_ingress_issue

.github/ISSUE_TEMPLATE/cve_report.md

@@ -4,8 +4,9 @@ about: CVE reporting for ingress-nginx
 title: ''
 labels: kind/bug
 assignees:
-    - strongjz
+    - Gacko
     - rikatz
+    - strongjz
 ---
 
 <!-- if you found something that impacts directly ingress-nginx and

.github/dependabot.yml

@@ -1,33 +1,7 @@
----
 version: 2
 updates:
-  - package-ecosystem: "gomod"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    labels:
-      - "area/dependency"
-      - "release-note-none"
-      - "ok-to-test"
-    groups:
-      all:
-        update-types:
-          - "patch"
   - package-ecosystem: "github-actions"
     directory: "/"
-    schedule:
-      interval: "weekly"
-    labels:
-      - "area/dependency"
-      - "release-note-none"
-      - "ok-to-test"
-    groups:
-      all:
-        update-types:
-          - "minor"
-          - "patch"
-  - package-ecosystem: "docker"
-    directory: "/images"
     schedule:
       interval: "weekly"
     labels:
@@ -39,3 +13,31 @@ updates:
         update-types:
           - "minor"
           - "patch"
+  - package-ecosystem: "docker"
+    directories:
+      - "**/rootfs"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "area/dependency"
+      - "release-note-none"
+      - "ok-to-test"
+    groups:
+      docker:
+        update-types:
+          - "minor"
+          - "patch"
+  - package-ecosystem: "gomod"
+    directories:
+      - "/"
+      - "**/rootfs"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "area/dependency"
+      - "release-note-none"
+      - "ok-to-test"
+    groups:
+      go:
+        update-types:
+          - "patch"

.github/workflows/chart.yaml

@@ -0,0 +1,64 @@
+name: Chart
+
+on:
+  push:
+    branches:
+      - main
+      - release-*
+    paths:
+      - charts/ingress-nginx/Chart.yaml
+  
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+
+    steps:
+      - name: Set up Python
+        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+        with:
+          python-version: 3.x
+
+      - name: Set up Helm
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+
+      - name: Set up Helm Chart Testing
+        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
+
+      - name: Set up Artifact Hub
+        run: |
+          curl --fail --location https://github.com/artifacthub/hub/releases/download/v1.19.0/ah_1.19.0_linux_amd64.tar.gz --output /tmp/ah.tar.gz
+          echo "0e430493521ce387ca04d79b26646a86f92886dbcceb44985bb71082a9530ca5  /tmp/ah.tar.gz" | shasum --check
+          sudo tar --extract --file /tmp/ah.tar.gz --directory /usr/local/bin ah
+
+      - name: Set up Git
+        run: |
+          git config --global user.name "${GITHUB_ACTOR}"
+          git config --global user.email "${GITHUB_ACTOR}@users.noreply.github.com"
+
+      - name: Checkout code
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          fetch-depth: 0
+
+      - name: Lint chart
+        run: |
+          ct lint --config .ct.yaml
+          ah lint --path charts/ingress-nginx
+
+      - name: Release chart
+        uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
+        env:
+          CR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CR_RELEASE_NAME_TEMPLATE: helm-chart-{{ .Version }}
+          CR_SKIP_EXISTING: true
+        with:
+          charts_dir: charts

.github/workflows/ci.yaml

@@ -9,7 +9,7 @@ on:
       - 'deploy/**'
       - '**.md'
       - 'images/**' # Images changes should be tested on their own workflow
-      - '!images/nginx-1.25/**'
+      - '!images/nginx/**'
 
   push:
     branches:
@@ -47,7 +47,7 @@ jobs:
     steps:
 
       - name: Checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
         id: filter
@@ -68,23 +68,41 @@ jobs:
               - 'NGINX_BASE'
             baseimage:
               - 'NGINX_BASE'
-              - 'images/nginx-1.25/**'
+              - 'images/nginx/**'
+            docs:
+              - '**/*.md'
+            lua:
+              - '**/*.lua'
+
+  lua-lint:
+    runs-on: ubuntu-latest
+    needs: changes
+    if: |
+      (needs.changes.outputs.lua == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      
+      - name: Lint Lua
+        uses: lunarmodules/luacheck@v1
+        with:
+          args: --codes --globals lua_ingress --globals configuration --globals balancer --globals monitor --globals certificate --globals tcp_udp_configuration --globals tcp_udp_balancer --no-max-comment-line-length -q rootfs/etc/nginx/lua/
 
   test-go:
     runs-on: ubuntu-latest
     needs: changes
     if: |
-      (needs.changes.outputs.go == 'true')
+      (needs.changes.outputs.go == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
     steps:
       - name: Checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - name: Get go version
         run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
 
       - name: Set up Go
         id: go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ${{ env.GOLANG_VERSION }}
           check-latest: true
@@ -92,6 +110,27 @@ jobs:
       - name: Run test
         run: make test
 
+        
+  verify-docs:
+    name: Verify Doc generation
+    runs-on: ubuntu-latest
+    needs: changes
+    if: |
+      (needs.changes.outputs.go == 'true') || (needs.changes.outputs.docs == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - name: Get go version
+        run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
+      - name: Set up Go
+        id: go
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        with:
+          go-version: ${{ env.GOLANG_VERSION }}
+          check-latest: true
+      - name: Verify Docs
+        run: make verify-docs
+
   build:
     name: Build
     runs-on: ubuntu-latest
@@ -99,13 +138,13 @@ jobs:
     outputs:
       golangversion: ${{ steps.golangversion.outputs.version }}
     if: |
-      (needs.changes.outputs.go == 'true') || (needs.changes.outputs.charts == 'true') || (needs.changes.outputs.baseimage == 'true')
+      (needs.changes.outputs.go == 'true') || (needs.changes.outputs.charts == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
 
     env:
         PLATFORMS: linux/amd64
     steps:
       - name: Checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - name: Get go version
         id: golangversion
@@ -114,17 +153,17 @@ jobs:
 
       - name: Set up Go
         id: go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ${{ steps.golangversion.outputs.version }}
           check-latest: true
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v3.2.0
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
         with:
           version: latest
 
@@ -141,8 +180,8 @@ jobs:
         if: |
           needs.changes.outputs.baseimage == 'true'
         run: |
-            export TAG=$(cat images/nginx-1.25/TAG)
+            export TAG=$(cat images/nginx/TAG)
-            cd images/nginx-1.25/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --load -t registry.k8s.io/ingress-nginx/nginx-1.25:${TAG} .
+            cd images/nginx/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --load -t registry.k8s.io/ingress-nginx/nginx:${TAG} .
 
       - name: Build images
         env:
@@ -151,8 +190,8 @@ jobs:
           REGISTRY: ingress-controller
         run: |
           echo "building images..."
-          export TAGNGINX=$(cat images/nginx-1.25/TAG)
+          export TAGNGINX=$(cat images/nginx/TAG)
-          make BASE_IMAGE=registry.k8s.io/ingress-nginx/nginx-1.25:${TAGNGINX} clean-image build image image-chroot
+          make BASE_IMAGE=registry.k8s.io/ingress-nginx/nginx:${TAGNGINX} clean-image build image image-chroot
           make -C test/e2e-image image
 
           echo "creating images cache..."
@@ -163,118 +202,94 @@ jobs:
             | gzip > docker.tar.gz
 
       - name: cache
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
         with:
           name: docker.tar.gz
           path: docker.tar.gz
           retention-days: 5
 
-  helm-lint:
+  chart-lint:
-    name: Helm chart lint
+    name: Chart / Lint
     runs-on: ubuntu-latest
     needs:
       - changes
-    if: |
+
-      (needs.changes.outputs.charts == 'true') || (needs.changes.outputs.baseimage == 'true')
+    if: fromJSON(needs.changes.outputs.charts) || fromJSON(needs.changes.outputs.baseimage) || fromJSON(github.event.workflow_dispatch.run_e2e)
 
     steps:
-      - name: Checkout
+      - name: Set up Python
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+        with:
+          python-version: 3.x
+
+      - name: Set up Helm
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+
+      - name: Set up Helm Chart Testing
+        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
+
+      - name: Set up Artifact Hub
+        run: |
+          curl --fail --location https://github.com/artifacthub/hub/releases/download/v1.19.0/ah_1.19.0_linux_amd64.tar.gz --output /tmp/ah.tar.gz
+          echo "0e430493521ce387ca04d79b26646a86f92886dbcceb44985bb71082a9530ca5  /tmp/ah.tar.gz" | shasum --check
+          sudo tar --extract --file /tmp/ah.tar.gz --directory /usr/local/bin ah
+
+      - name: Set up Helm Docs
+        uses: gabe565/setup-helm-docs-action@d5c35bdc9133cfbea3b671acadf50a29029e87c2 # v1.0.4
+
+      - name: Set up Helm Unit Test
+        run: helm plugin install https://github.com/helm-unittest/helm-unittest
+
+      - name: Checkout code
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
 
-      - name: Set up Helm
+      - name: Lint chart
-        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
-
-      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
-        with:
-          python-version: '3.x'
-
-      - name: Set up chart-testing
-        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
-
-      - name: Install Helm Unit Test Plugin
         run: |
-          helm plugin install https://github.com/helm-unittest/helm-unittest
+          ct lint --config .ct.yaml
+          ah lint --path charts/ingress-nginx
 
-      - name: Run Helm Unit Tests
+      - name: Check docs
         run: |
-          helm unittest charts/ingress-nginx -d
+          helm-docs --chart-search-root charts
+          git diff --exit-code charts/ingress-nginx/README.md
 
-      - name: Run chart-testing (lint)
+      - name: Run tests
-        run: ct lint --config ./.ct.yaml
+        run: helm unittest charts/ingress-nginx
 
-      - name: Run helm-docs
+  chart-test:
-        run: |
+    name: Chart / Test
-          GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.11.0
-          ./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts
-          DIFF=$(git diff ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md)
-          if [ ! -z "$DIFF" ]; then
-            echo "Please use helm-docs in your clone, of your fork, of the project, and commit a updated README.md for the chart. https://github.com/kubernetes/ingress-nginx/blob/main/RELEASE.md#d-edit-the-valuesyaml-and-run-helm-docs"
-          fi
-          git diff --exit-code
-          rm -f ./helm-docs
-
-      - name: Run Artifact Hub lint
-        run: |
-          wget https://github.com/artifacthub/hub/releases/download/v1.5.0/ah_1.5.0_linux_amd64.tar.gz
-          echo 'ad0e44c6ea058ab6b85dbf582e88bad9fdbc64ded0d1dd4edbac65133e5c87da *ah_1.5.0_linux_amd64.tar.gz' | shasum -c
-          tar -xzvf ah_1.5.0_linux_amd64.tar.gz ah
-          ./ah lint -p charts/ingress-nginx || exit 1
-          rm -f ./ah ./ah_1.5.0_linux_amd64.tar.gz
-
-  helm-test:
-    name: Helm chart testing
     runs-on: ubuntu-latest
     needs:
       - changes
       - build
-      - helm-lint
+      - chart-lint
-    if: |
+
-      (needs.changes.outputs.charts == 'true') || (needs.changes.outputs.baseimage == 'true')
+    if: fromJSON(needs.changes.outputs.charts) || fromJSON(needs.changes.outputs.baseimage) || fromJSON(github.event.workflow_dispatch.run_e2e)
 
     strategy:
       matrix:
-        k8s: [v1.26.6, v1.27.3, v1.28.0, v1.29.0]
+        k8s: [v1.28.13, v1.29.8, v1.30.4, v1.31.0]
 
     steps:
-      - name: Checkout
+      - name: Checkout code
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
-      - name: Setup Go
+      - name: Download cache
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-        with:
-          go-version: ${{ needs.build.outputs.golangversion }}
-          check-latest: true
-
-      - name: cache
-        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
         with:
           name: docker.tar.gz
 
-      - name: fix permissions
+      - name: Load cache
-        run: |
+        run: gzip --decompress --stdout docker.tar.gz | docker load
-          sudo mkdir -p $HOME/.kube
-          sudo chmod -R 777 $HOME/.kube
 
-      - name: Create Kubernetes ${{ matrix.k8s }} cluster
+      - name: Run tests
-        id: kind
-        run: |
-          kind create cluster --image=kindest/node:${{ matrix.k8s }}
-
-      - name: Load images from cache
-        run: |
-          echo "loading docker images..."
-          gzip -dc docker.tar.gz | docker load
-
-      - name: Test
         env:
-          KIND_CLUSTER_NAME: kind
+          K8S_VERSION: ${{ matrix.k8s }}
-          SKIP_CLUSTER_CREATION: true
           SKIP_IMAGE_CREATION: true
-          SKIP_INGRESS_IMAGE_CREATION: true
         run: |
-          kind get kubeconfig > $HOME/.kube/kind-config-kind
+          sudo mkdir -pm 777 "${HOME}/.kube"
           make kind-e2e-chart-tests
 
   kubernetes:
@@ -283,39 +298,24 @@ jobs:
       - changes
       - build
     if: |
-      (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true')
+      (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
     strategy:
       matrix:
-        k8s: [v1.26.6, v1.27.3, v1.28.0, v1.29.0]
+        k8s: [v1.28.13, v1.29.8, v1.30.4, v1.31.0]
     uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml
     with:
       k8s-version: ${{ matrix.k8s }}
 
-  kubernetes-validations:
-    name: Kubernetes with Validations
-    needs:
-      - changes
-      - build
-    if: |
-      (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true')
-    strategy:
-      matrix:
-        k8s: [v1.26.6, v1.27.3, v1.28.0, v1.29.0]
-    uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml
-    with:
-      k8s-version: ${{ matrix.k8s }}
-      variation: "VALIDATIONS"
-
   kubernetes-chroot:
     name: Kubernetes chroot
     needs:
       - changes
       - build
     if: |
-      (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true')
+      (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
     strategy:
       matrix:
-        k8s: [v1.26.6, v1.27.3, v1.28.0, v1.29.0]
+        k8s: [v1.28.13, v1.29.8, v1.30.4, v1.31.0]
     uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml
     with:
       k8s-version: ${{ matrix.k8s }}

.github/workflows/depreview.yaml

@@ -9,6 +9,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@5bbc3ba658137598168acb2ab73b21c432dd411b # v4.2.5
+        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4

.github/workflows/docs.yaml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
         id: filter
@@ -47,7 +47,7 @@ jobs:
 
     steps:
       - name: Checkout master
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - name: Deploy
         uses: ./.github/actions/mkdocs

.github/workflows/golangci-lint.yml

@@ -15,19 +15,19 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - name: Get go version
         run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
 
       - name: Set up Go
         id: go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ${{ env.GOLANG_VERSION }}
           check-latest: true
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0
+        uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
         with:
           version: v1.56

.github/workflows/helm.yaml

@@ -1,84 +0,0 @@
-name: Helm
-
-on:
-  push:
-    branches:
-      - main
-
-permissions:
-  contents: read
-
-jobs:
-
-  changes:
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: read  # for dorny/paths-filter to fetch a list of changed files
-
-    if: github.repository == 'kubernetes/ingress-nginx'
-
-    outputs:
-      docs: ${{ steps.filter.outputs.docs }}
-      charts: ${{ steps.filter.outputs.charts }}
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-
-      - name: Run Artifact Hub lint
-        run: |
-          wget https://github.com/artifacthub/hub/releases/download/v1.5.0/ah_1.5.0_linux_amd64.tar.gz
-          echo 'ad0e44c6ea058ab6b85dbf582e88bad9fdbc64ded0d1dd4edbac65133e5c87da *ah_1.5.0_linux_amd64.tar.gz' | shasum -c
-          tar -xzvf ah_1.5.0_linux_amd64.tar.gz ah
-          ./ah lint -p charts/ingress-nginx || exit 1
-          rm -f ./ah ./ah_1.5.0_linux_amd64.tar.gz
-
-      - name: Set up chart-testing
-        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
-
-      - name: Run chart-testing (lint)
-        run: ct lint --config ./.ct.yaml
-
-      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
-        id: filter
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          filters: |
-            charts:
-              - 'charts/ingress-nginx/Chart.yaml'
-              - 'charts/ingress-nginx/values.yaml'
-
-  chart:
-    name: Release Chart
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: write # needed to write releases
-
-    needs:
-      - changes
-
-    if: ${{ needs.changes.outputs.charts == 'true' }}
-
-    steps:
-      - name: Checkout master
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-        with:
-          # Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896
-          fetch-depth: 0
-
-      - name: Setup
-        shell: bash
-        run: |
-          git config --global user.name "$GITHUB_ACTOR"
-          git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"
-
-      - name: Helm Chart Releaser
-        uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
-        env:
-          CR_SKIP_EXISTING: true
-          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-          CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}"
-        with:
-          charts_dir: charts

.github/workflows/images.yaml

@@ -36,12 +36,10 @@ jobs:
       kube-webhook-certgen: ${{ steps.filter.outputs.kube-webhook-certgen }}
       ext-auth-example-authsvc: ${{ steps.filter.outputs.ext-auth-example-authsvc }}
       nginx: ${{ steps.filter.outputs.nginx }}
-      nginx125: ${{ steps.filter.outputs.nginx125 }}
-      opentelemetry: ${{ steps.filter.outputs.opentelemetry }}
 
     steps:
       - name: Checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
         id: filter
         with:
@@ -65,10 +63,6 @@ jobs:
               - 'images/ext-auth-example-authsvc/**'
             nginx:
               - 'images/nginx/**'
-            opentelemetry:
-              - 'images/opentelemetry/**'
-            nginx125:
-              - 'images/nginx-1.25/TAG'
 
   #### TODO: Make the below jobs 'less dumb' and use the job name as parameter (the github.job context does not work here)
   cfssl:
@@ -141,17 +135,17 @@ jobs:
       (needs.changes.outputs.kube-webhook-certgen == 'true')
     strategy:
       matrix:
-        k8s: [v1.25.11, v1.26.6, v1.27.3, v1.28.0, v1.29.0]
+        k8s: [v1.28.13, v1.29.8, v1.30.4, v1.31.0]
     steps:
     - name: Checkout
-      uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
     - name: Get go version
       run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
 
     - name: Set up Go
       id: go
-      uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
         go-version: ${{ env.GOLANG_VERSION }}
         check-latest: true
@@ -166,50 +160,33 @@ jobs:
       run: |
         cd images/ && make NAME=kube-webhook-certgen test test-e2e
 
-  opentelemetry:
+  nginx:
-    runs-on: ubuntu-latest
-    env:
-      PLATFORMS: linux/amd64,linux/arm,linux/arm64
-    needs: changes
-    if: |
-      (needs.changes.outputs.opentelemetry == 'true')
-    strategy:
-      matrix:
-        nginx: ['1.25.3', '1.21.6']
-    steps:
-    - name: Checkout
-      uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-    - name: image build
-      run: |
-        cd images/opentelemetry && make NGINX_VERSION=${{ matrix.nginx }} build
-
-  nginx125:
     permissions:
       contents: write
       packages: write
     runs-on: ubuntu-latest
     needs: changes
     if: |
-      (github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.changes.outputs.nginx125 == 'true')
+      (github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.changes.outputs.nginx == 'true')
     env:
-      PLATFORMS: linux/amd64,linux/arm,linux/arm64,linux/s390x
+      PLATFORMS: linux/amd64,linux/arm,linux/arm64
     steps:
       - name: Checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v3.2.0
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
         with:
           version: latest
           platforms: ${{ env.PLATFORMS }}
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: build-image
         run: |
-          export TAG=$(cat images/nginx-1.25/TAG)
+          export TAG=$(cat images/nginx/TAG)
-          cd images/nginx-1.25/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --push -t ingressnginx/nginx-1.25:${TAG} .
+          cd images/nginx/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --push -t ingressnginx/nginx:${TAG} .

.github/workflows/junit-reports.yaml

@@ -5,11 +5,15 @@ on:
     workflows: ['CI']                     # runs after CI workflow
     types:
       - completed
+
+permissions:
+  checks: write
+
 jobs:
   report:
     runs-on: ubuntu-latest
     steps:
-      - uses: dorny/test-reporter@eaa763f6ffc21c7a37837f56cd5f9737f27fc6c8 # v1.8.0
+      - uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 # v1.9.1
         with:
           artifact: /e2e-test-reports-(.*)/
           name: JEST Tests $1               # Name of the check run which will be created

.github/workflows/perftest.yaml

@@ -19,7 +19,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - name: Install K6
         run: |

.github/workflows/plugin.yaml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
 
@@ -20,14 +20,14 @@ jobs:
         run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
 
       - name: Set up Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ${{ env.GOLANG_VERSION }}
           check-latest: true
 
       - name: Run GoReleaser Snapshot
         if: ${{ ! startsWith(github.ref, 'refs/tags/') }}
-        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+        uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
         with:
           version: latest
           args: release --snapshot --clean
@@ -36,7 +36,7 @@ jobs:
 
       - name: Run GoReleaser
         if: ${{ startsWith(github.ref, 'refs/tags/') }}
-        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+        uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
         with:
           version: latest
           args: release --clean

.github/workflows/project.yml

@@ -13,7 +13,7 @@ jobs:
       repository-projects: write
       issues: write
     steps:
-      - uses: actions/add-to-project@2e5cc851ca7162e9eb510e6da6a5c64022e606a7 # v1.0.0
+      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
         with:
           project-url: https://github.com/orgs/kubernetes/projects/104
           github-token: ${{ secrets.PROJECT_WRITER }}

.github/workflows/scorecards.yml

@@ -27,12 +27,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -51,7 +51,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
         with:
           name: SARIF file
           path: results.sarif
@@ -59,6 +59,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
         with:
           sarif_file: results.sarif

.github/workflows/vulnerability-scans.yaml

@@ -22,7 +22,7 @@ jobs:
       versions: ${{ steps.version.outputs.TAGS }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
 
@@ -52,7 +52,7 @@ jobs:
         versions: ${{ fromJSON(needs.version.outputs.versions) }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - shell: bash
         id: test
@@ -60,7 +60,7 @@ jobs:
 
       - name: Scan image with AquaSec/Trivy
         id: scan
-        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
+        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
         with:
           image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }}
           format: 'sarif'
@@ -75,7 +75,7 @@ jobs:
 
       # This step checks out a copy of your repository.
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
         with:
           token: ${{ github.token }}
           # Path to SARIF file relative to the root of the repository

.github/workflows/zz-tmpl-images.yaml

@@ -1,5 +1,5 @@
 #### THIS IS A TEMPLATE ####
-# This workflow is created to be a template for every time an e2e teest is required,
+# This workflow is created to be a template for every time an e2e test is required,
 
 on:
   workflow_call:
@@ -31,7 +31,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
         id: filter
         with:
@@ -48,7 +48,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - name: Build
         run: |
@@ -67,10 +67,10 @@ jobs:
       PLATFORMS: ${{ inputs.platforms-publish }}
     steps:
     - name: Checkout
-      uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
     - name: Login to GitHub Container Registry
-      uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
       with:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_TOKEN }}

.github/workflows/zz-tmpl-k8s-e2e.yaml

@@ -1,5 +1,5 @@
 #### THIS IS A TEMPLATE ####
-# This workflow is created to be a template for every time an e2e teest is required,
+# This workflow is created to be a template for every time an e2e test is required,
 
 on:
   workflow_call:
@@ -20,10 +20,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - name: cache
-        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: docker.tar.gz
 
@@ -43,14 +43,13 @@ jobs:
           SKIP_CLUSTER_CREATION: true
           SKIP_INGRESS_IMAGE_CREATION: true
           SKIP_E2E_IMAGE_CREATION: true
-          ENABLE_VALIDATIONS: ${{ inputs.variation == 'VALIDATIONS' }}
           IS_CHROOT: ${{ inputs.variation == 'CHROOT' }}
         run: |
           kind get kubeconfig > $HOME/.kube/kind-config-kind
           make kind-e2e-test
 
       - name: Upload e2e junit-reports ${{ inputs.variation }}
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
         if: success() || failure()
         with:
           name: e2e-test-reports-${{ inputs.k8s-version }}${{ inputs.variation }}

.gitignore

@@ -1,4 +1,3 @@
-helm-docs
 # OSX
 ._*
 .DS_Store

.luacheckrc

@@ -1,6 +1,6 @@
 std = 'ngx_lua'
 max_line_length = 100
-exclude_files = {'./rootfs/etc/nginx/lua/test/**/*.lua', './rootfs/etc/nginx/lua/plugins/**/test/**/*.lua'}
+exclude_files = {'./rootfs/etc/nginx/lua/test/**/*.lua'}
 files["rootfs/etc/nginx/lua/lua_ingress.lua"] = {
   ignore = { "122" },
   -- TODO(elvinefendi) figure out why this does not work

Changelog.md

@@ -356,7 +356,7 @@ Image:
 - k8s.gcr.io/ingress-nginx/controller:v1.2.0@sha256:d8196e3bc1e72547c5dec66d6556c0ff92a23f6d0919b206be170bc90d5f9185
 - k8s.gcr.io/ingress-nginx/controller-chroot:v1.2.0@sha256:fb17f1700b77d4fcc52ca6f83ffc2821861ae887dbb87149cf5cbc52bea425e5
 
-This minor version release, introduces 2 breaking changes. For the first time, an option to jail/chroot the nginx process, inside the controller container, is being introduced.. This provides an additional layer of security, for sensitive information like K8S serviceaccounts. This release also brings a special new feature of deep inspection into objects. The inspection is a walk through of all the spec, checking for possible attempts to escape configs. Currently such an inspection only occurs for `networking.Ingress`.  Additionally there are fixes for the recently announced CVEs on busybox & ssl_client. And there is a fix to a recently introduced redirection related bug, that was setting the protocol on URLs to "nil".
+This minor version release, introduces 2 breaking changes. For the first time, an option to jail/chroot the nginx process, inside the controller container, is being introduced. This provides an additional layer of security, for sensitive information like K8S serviceaccounts. This release also brings a special new feature of deep inspection into objects. The inspection is a walk through of all the spec, checking for possible attempts to escape configs. Currently such an inspection only occurs for `networking.Ingress`.  Additionally there are fixes for the recently announced CVEs on busybox & ssl_client. And there is a fix to a recently introduced redirection related bug, that was setting the protocol on URLs to "nil".
 
 _Changes:_
 
@@ -2057,7 +2057,7 @@ _Breaking Changes:_
 
   ```
   Due to upcoming data privacy regulations, we are making significant changes to how you access free GeoLite2 databases starting December 30, 2019.
-  Learn more on our blog https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/
+  Learn more on our blog https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/
   ```
 
   Because of this change, it is not clear we can provide the databases directly from the docker image.
@@ -2193,7 +2193,7 @@ _New Features:_
 
   If the active connections end before that, the pod will terminate gracefully at that time.
 
-  To efectively take advantage of this feature, the Configmap feature [worker-shutdown-timeout](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#worker-shutdown-timeout) new value is `240s` instead of `10s`.
+  To effectively take advantage of this feature, the Configmap feature [worker-shutdown-timeout](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#worker-shutdown-timeout) new value is `240s` instead of `10s`.
 
   **IMPORTANT:** this value has a side effect during reloads, consuming more memory until the old NGINX workers are replaced.
 
@@ -2603,7 +2603,7 @@ _New Features:_
 _Breaking changes:_
 
 - The NGINX server listening in port 18080 was removed. It was replaced by a server using an unix socket as port [#3684](https://github.com/kubernetes/ingress-nginx/pull/3684)
-  This server was internal to the ingress controller. In case this was being acceded from the outside, you can restore the old server using the `http-snipet` feature in the configuration configmap like:
+  This server was internal to the ingress controller. In case this was being acceded from the outside, you can restore the old server using the `http-snippet` feature in the configuration configmap like:
 
   ```yaml
   http-snippet: |

GOLANG_VERSION

@@ -1 +1 @@
-1.22.2
+1.22.8

MANUAL_RELEASE.md

@@ -177,7 +177,7 @@ Promoting the images basically means that images, that were pushed to staging co
             ```
             - The -L 38 was used for 2 reasons.
               - Default number of results is 30 and there were more than 30 PRs merged while releasing v1.1.1. If you see the current/soon-to-be-old changelog, you can look at the most recent PR number that has been accounted for already, and start from after that last accounted for PR.
-              -  The other reason to use -L 38 was to ommit the 39th, the 40th and the 41st line in the resulting list. These were non-relevant PRs.
+              -  The other reason to use -L 38 was to omit the 39th, the 40th and the 41st line in the resulting list. These were non-relevant PRs.
             - If you save the output of above command to a file called prlist.txt. It looks somewhat like this ;
 
               ```
@@ -191,7 +191,7 @@ Promoting the images basically means that images, that were pushed to staging co
               ....
               ```
               You can delete the lines, that refer to PRs of the release process itself. We only need to list the feature/bugfix PRs. You can also delete the lines that are housekeeping or not really worth mentioning in the changelog.
-          -  you use some easy automation in bash/python/other, to get the PR-List that can be used in the changelog. For example, its possible to use a bash scripty way, seen below, to convert those plaintext PR numbers into clickable links. 
+          -  you use some easy automation in bash/python/other, to get the PR-List that can be used in the changelog. For example, it's possible to use a bash scripty way, seen below, to convert those plaintext PR numbers into clickable links.
 
             ```
             #!/usr/bin/bash
@@ -205,7 +205,7 @@ Promoting the images basically means that images, that were pushed to staging co
             done <$file
 
             ```
-          - There was a parsing issue and path issue on MacOS, so above scrpt had to be modified and MacOS monterey compatible script is below ;
+          - There was a parsing issue and path issue on MacOS, so above script had to be modified and MacOS monterey compatible script is below ;
 
             ```
             #!/bin/bash
@@ -226,19 +226,18 @@ Promoting the images basically means that images, that were pushed to staging co
           ```
 
 ### d. Edit the values.yaml and run helm-docs
+
   - [Fields to edit in values.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml)
 
     - tag
     - digest
 
-  - [helm-docs](https://github.com/norwoodj/helm-docs) is a tool that generates the README.md for a helm-chart automatically. In the CI pipeline workflow of github actions (/.github/workflows/ci.yaml), you can see how helm-docs is used. But the CI pipeline is not designed to make commits back into the project. So we need to run helm-docs manually, and check in the resulting autogenerated README.md at the path /charts/ingress-nginx/README.md 
+  - [helm-docs](https://github.com/norwoodj/helm-docs) is a tool that generates the README.md for a Helm chart automatically. In the CI pipeline workflow of GitHub actions (.github/workflows/ci.yaml), you can see how helm-docs is used. The CI pipeline is not designed to make commits back into the project, so we need to run helm-docs manually and commit the resulting generated README.md. You can obtain a recent version of the helm-docs binary here: https://github.com/norwoodj/helm-docs/releases.
     ```
-          GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.11.0
+    helm-docs --chart-search-root charts
-          ./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts
+    git diff charts/ingress-nginx/README.md
-          git diff --exit-code
-          rm -f ./helm-docs
     ```
-    Watchout for mistakes like leaving the helm-docs executable in your clone workspace or not checking the new README.md manually etc.
+    Take care of not leaving the helm-docs executable in your clone workspace or not committing the new README.md.
 
 ### e. Edit the static manifests
 
@@ -274,7 +273,7 @@ Promoting the images basically means that images, that were pushed to staging co
 
 ### h. Update README.md
 
-- Update the table in README.md in the root of the projet to reflect the support matrix. Add the new release version and details in there.
+- Update the table in README.md in the root of the project to reflect the support matrix. Add the new release version and details in there.
 
 ## 5. RELEASE new version
 
@@ -291,7 +290,7 @@ Promoting the images basically means that images, that were pushed to staging co
  - `helm repo update`
  - `helm search repo ingress-nginx`
 
-## 6. Github release
+## 6. GitHub release
 
 - Release to github
 

Makefile

@@ -110,7 +110,7 @@ clean-chroot-image: ## Removes local image
 
 .PHONY: build
 build:  ## Build ingress controller, debug tool and pre-stop hook.
-	E2E_IMAGE=golang:$(GO_VERSION)-alpine3.19 USE_SHELL=/bin/sh build/run-in-docker.sh \
+	E2E_IMAGE=golang:$(GO_VERSION)-alpine3.20 USE_SHELL=/bin/sh build/run-in-docker.sh \
 		MAC_OS=$(MAC_OS) \
 		PKG=$(PKG) \
 		ARCH=$(ARCH) \
@@ -124,6 +124,9 @@ build:  ## Build ingress controller, debug tool and pre-stop hook.
 clean: ## Remove .gocache directory.
 	rm -rf bin/ .gocache/ .cache/
 
+.PHONY: verify-docs
+verify-docs: ## Verify doc generation
+	hack/verify-annotation-docs.sh
 
 .PHONY: static-check
 static-check: ## Run verification script for boilerplate, codegen, gofmt, golint, lualint and chart-lint.

NEW_CONTRIBUTOR.md

@@ -20,14 +20,14 @@ It all starts with the OSI model...
 ### Approaching the problem
 
 
-Not everybody knows everything. But the factors that help are a love/passion for this to begin. But to move forward, its the approach and not the knowledge that sustains prolonged joy, while working on issues. If the approach is simple and powered by good-wishes-for-community, then info & tools are forthcoming and easy.
+Not everybody knows everything. But the factors that help are a love/passion for this to begin. But to move forward, it's the approach and not the knowledge that sustains prolonged joy, while working on issues. If the approach is simple and powered by good-wishes-for-community, then info & tools are forthcoming and easy.
 
 Here we take a bird's eye-view of the hops in the network plumbing, that a packet takes, from source to destination, when we run `curl`, from a laptop to a nginx webserver process, running in a container, inside a pod, inside a Kubernetes cluster, created using `kind` or `minikube` or any other cluster-management tool.
 
 ### [Kind](https://kind.sigs.k8s.io/) cluster example on a Linux Host
 
 #### TL;DR
-The destination of the packet from the curl command, is looked up, in the `routing table`. Based on the route, the the packet first travels to the virtual bridge `172.18.0.1` interface, created by docker, when we created the kind cluster on a laptop. Next the packet is forwarded to `172.18.0.2`(See below on how we got this IP address), within the kind cluster. The `kube-proxy` container creates iptables rules that make sure the packet goes to the correct pod ip in this case `10.244.0.5`
+The destination of the packet from the curl command, is looked up, in the `routing table`. Based on the route, the packet first travels to the virtual bridge `172.18.0.1` interface, created by docker, when we created the kind cluster on a laptop. Next the packet is forwarded to `172.18.0.2`(See below on how we got this IP address), within the kind cluster. The `kube-proxy` container creates iptables rules that make sure the packet goes to the correct pod ip in this case `10.244.0.5`
 
 Command:
 ```
@@ -435,7 +435,7 @@ virbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
 ```
 Output Relevance: From the above output you can see there are two Virtual Bridges created by minikube when we created the cluster on the network. Here, `virbr0` is the default NAT network bridge while `virbr2` is a isolated network bridge on which the pods run.
 
-Minikube creates a Virtual Machine, to enter the virtual machine we can simple do:
+Minikube creates a Virtual Machine, to enter the virtual machine we can simply do:
 ```
 # minikube ssh
 ```
@@ -707,7 +707,7 @@ NAME    TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
 httpd   ClusterIP   10.104.111.0   <none>        80/TCP    13s
 ```
 
-Once we have this we can now create a n ingress using the following
+Once we have this we can now create an ingress using the following
 ```
 kubectl -n httpd create ingress httpd --class nginx --rule httpd.dev.leonnunes.com/"*"=httpd:80
 ```
@@ -771,7 +771,7 @@ Hypertext Transfer Protocol
     [Response in frame: 6]
 
 ```
-The above output shows the information that the `httpd` pod recieves. The `curl` command sends the host header, `Host: httpd.dev.leonnunes.com`, to the nginx controller, that then matches the rule and sends the information to the right controller
+The above output shows the information that the `httpd` pod receives. The `curl` command sends the host header, `Host: httpd.dev.leonnunes.com`, to the nginx controller, that then matches the rule and sends the information to the right controller
 
 The following output shows what is sent via the laptop.
 ```

NGINX_BASE

@@ -1 +1 @@
-registry.k8s.io/ingress-nginx/nginx-1.25:v0.0.6@sha256:b3e027ab191eb9461a9bcf25092eabb1d547cba164992dbd722c1aa2b4a936ee
+registry.k8s.io/ingress-nginx/nginx:v1.0.0@sha256:11ee0d0e3d063f1468f9a82958d57fa0718614fe10b676941f4dea0aef091faf

OWNERS_ALIASES

@@ -7,6 +7,7 @@ aliases:
   - thockin
 
   ingress-nginx-admins:
+  - Gacko
   - rikatz
   - strongjz
 

README.md

@@ -6,7 +6,6 @@
 [![GitHub stars](https://img.shields.io/github/stars/kubernetes/ingress-nginx.svg)](https://github.com/kubernetes/ingress-nginx/stargazers)
 [![GitHub stars](https://img.shields.io/badge/contributions-welcome-orange.svg)](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md)
 
-
 ## Overview
 
 ingress-nginx is an Ingress controller for Kubernetes using [NGINX](https://www.nginx.org/) as a reverse proxy and load
@@ -18,6 +17,8 @@ balancer.
 
 See the [Getting Started](https://kubernetes.github.io/ingress-nginx/deploy/) document.
 
+Do not use in multi-tenant Kubernetes production installations. This project assumes that users that can create Ingress objects are administrators of the cluster. See the [FAQ](https://kubernetes.github.io/ingress-nginx/faq/#faq) for more.
+
 ## Troubleshooting
 
 If you encounter issues, review the [troubleshooting docs](docs/troubleshooting.md),
@@ -36,21 +37,28 @@ For detailed changes on the `ingress-nginx` helm chart, please check the changel
 Supported versions for the ingress-nginx project mean that we have completed E2E tests, and they are passing for
 the versions listed. Ingress-Nginx versions **may** work on older versions, but the project does not make that guarantee.
 
-|  Supported  | Ingress-NGINX version | k8s supported version        | Alpine Version | Nginx Version | Helm Chart Version |
+| Supported | Ingress-NGINX version | k8s supported version         | Alpine Version | Nginx Version | Helm Chart Version |
-|:--:|-----------------------|------------------------------|----------------|---------------|------------------------------|
+| :-------: | --------------------- | ----------------------------- | -------------- | ------------- | ------------------ |
-| 🔄 | **v1.10.0**            | 1.29, 1.28, 1.27, 1.26        | 3.19.1         | 1.25.3        | 4.10.0*                 |
+|    🔄     | **v1.11.2**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.11.2             |
-| 🔄 | **v1.9.6**            | 1.29, 1.28, 1.27, 1.26, 1.25        | 3.19.0         | 1.21.6        | 4.9.1*                 |
+|    🔄     | **v1.11.1**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.11.1             |
-| 🔄 | **v1.9.5**            | 1.28, 1.27, 1.26, 1.25        | 3.18.4         | 1.21.6        | 4.9.0*                       |
+|    🔄     | **v1.11.0**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.11.0             |
-| 🔄 | **v1.9.4**            | 1.28, 1.27, 1.26, 1.25        | 3.18.4         | 1.21.6        | 4.8.3                        |
+|    🔄     | **v1.10.4**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.10.4             |
-| 🔄 | **v1.9.3**            | 1.28, 1.27, 1.26, 1.25        | 3.18.4         | 1.21.6        | 4.8.*                        |
+|    🔄     | **v1.10.3**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.10.3             |
-| 🔄 | **v1.9.1**            | 1.28, 1.27, 1.26, 1.25        | 3.18.4         | 1.21.6        | 4.8.*                        |
+|    🔄     | **v1.10.2**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.10.2             |
-| 🔄 | **v1.9.0**            | 1.28, 1.27, 1.26, 1.25        | 3.18.2         | 1.21.6        | 4.8.*                        |
+|    🔄     | **v1.10.1**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.19.1         | 1.25.3        | 4.10.1             |
-|  | v1.8.4            | 1.27, 1.26, 1.25, 1.24        | 3.18.2         | 1.21.6        | 4.7.*                        |
+|    🔄     | **v1.10.0**           | 1.29, 1.28, 1.27, 1.26        | 3.19.1         | 1.25.3        | 4.10.0             |
-|  | v1.7.1            | 1.27, 1.26, 1.25, 1.24        | 3.17.2         | 1.21.6        | 4.6.*              |
+|           | v1.9.6                | 1.29, 1.28, 1.27, 1.26, 1.25  | 3.19.0         | 1.21.6        | 4.9.1              |
-|    | v1.6.4                | 1.26, 1.25, 1.24, 1.23       | 3.17.0         | 1.21.6        | 4.5.*              |
+|           | v1.9.5                | 1.28, 1.27, 1.26, 1.25        | 3.18.4         | 1.21.6        | 4.9.0              |
-|    | v1.5.1                | 1.25, 1.24, 1.23             | 3.16.2         | 1.21.6        | 4.4.*              |
+|           | v1.9.4                | 1.28, 1.27, 1.26, 1.25        | 3.18.4         | 1.21.6        | 4.8.3              |
-|    | v1.4.0                | 1.25, 1.24, 1.23, 1.22       | 3.16.2         | 1.19.10†      | 4.3.0              |
+|           | v1.9.3                | 1.28, 1.27, 1.26, 1.25        | 3.18.4         | 1.21.6        | 4.8.*              |
-|    | v1.3.1                | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.2         | 1.19.10†      | 4.2.5              |
+|           | v1.9.1                | 1.28, 1.27, 1.26, 1.25        | 3.18.4         | 1.21.6        | 4.8.*              |
+|           | v1.9.0                | 1.28, 1.27, 1.26, 1.25        | 3.18.2         | 1.21.6        | 4.8.*              |
+|           | v1.8.4                | 1.27, 1.26, 1.25, 1.24        | 3.18.2         | 1.21.6        | 4.7.*              |
+|           | v1.7.1                | 1.27, 1.26, 1.25, 1.24        | 3.17.2         | 1.21.6        | 4.6.*              |
+|           | v1.6.4                | 1.26, 1.25, 1.24, 1.23        | 3.17.0         | 1.21.6        | 4.5.*              |
+|           | v1.5.1                | 1.25, 1.24, 1.23              | 3.16.2         | 1.21.6        | 4.4.*              |
+|           | v1.4.0                | 1.25, 1.24, 1.23, 1.22        | 3.16.2         | 1.19.10†      | 4.3.0              |
+|           | v1.3.1                | 1.24, 1.23, 1.22, 1.21, 1.20  | 3.16.2         | 1.19.10†      | 4.2.5              |
 
 See [this article](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) if you want upgrade to the stable
 Ingress API.
@@ -61,7 +69,6 @@ Thanks for taking the time to join our community and start contributing!
 
 - This project adheres to the [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md).
   By participating in this project, you agree to abide by its terms.
-
 - **Contributing**: Contributions of all kinds are welcome!
 
   - Read [`CONTRIBUTING.md`](CONTRIBUTING.md) for information about setting up your environment, the workflow that we
@@ -70,8 +77,8 @@ Thanks for taking the time to join our community and start contributing!
   - Submit GitHub issues for any feature enhancements, bugs, or documentation problems.
     - Please make sure to read the [Issue Reporting Checklist](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md#issue-reporting-guidelines) before opening an issue. Issues not conforming to the guidelines **may be closed immediately**.
   - Join our [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernetes.io/g/ingress-nginx-dev/c/ebbBMo-zX-w)
-
 - **Support**:
+
   - Join the [#ingress-nginx-users](https://kubernetes.slack.com/messages/CANQGM8BA/) channel inside the [Kubernetes Slack](http://slack.kubernetes.io/) to ask questions or get support from the maintainers and other users.
   - The [GitHub issues](https://github.com/kubernetes/ingress-nginx/issues) in the repository are **exclusively** for bug reports and feature requests.
   - **Discuss**: Tweet using the `#IngressNginx` hashtag or sharing with us [@IngressNginx](https://twitter.com/IngressNGINX).

SECURITY_CONTACTS

@@ -9,6 +9,6 @@
 #
 # DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
 # INSTRUCTIONS AT https://kubernetes.io/security/
-bowei
+Gacko
 rikatz
 strongjz

build/dev-env.sh

@@ -64,7 +64,7 @@ echo "[dev-env] building image"
 make build image
 docker tag "${REGISTRY}/controller:${TAG}" "${DEV_IMAGE}"
 
-export K8S_VERSION=${K8S_VERSION:-v1.26.3@sha256:61b92f38dff6ccc29969e7aa154d34e38b89443af1a2c14e6cfbd2df6419c66f}
+export K8S_VERSION=${K8S_VERSION:-v1.29.2@sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245}
 
 KIND_CLUSTER_NAME="ingress-nginx-dev"
 

build/run-in-docker.sh

@@ -44,7 +44,7 @@ function cleanup {
 }
 trap cleanup EXIT
 
-E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20240404-436df3e4@sha256:6bcba53b14d396177414e01f20e9111f1c009ac3b476a9b7668bb98d12bd5e85}
+E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20241004-114a6abb@sha256:1389ec0589abbf5c431c9290c4c307437c8396995c63dda5eac26abd70963dc8}
 
 if [[ "$RUNTIME" == podman ]]; then
   # Podman does not support both tag and digest
@@ -82,7 +82,7 @@ if [[ "$DOCKER_IN_DOCKER_ENABLED" == "true" ]]; then
   echo "..reached DIND check TRUE block, inside run-in-docker.sh"
   echo "FLAGS=$FLAGS"
   #go env
-  go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.17.1
+  go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.20.2
   find / -type f -name ginkgo 2>/dev/null
   which ginkgo
   /bin/bash -c "${FLAGS}"

build/run-ingress-controller.sh

@@ -49,7 +49,7 @@ fi
 SSL_VOLUME=$(mktemp -d)
 
 function cleanup {
-    echo -e "${BGREEN}Stoping kubectl proxy${NC}"
+    echo -e "${BGREEN}Stopping kubectl proxy${NC}"
     rm -rf "${SSL_VOLUME}"
     kill "$proxy_pid"
 }

changelog/controller-1.10.1.md

@@ -0,0 +1,57 @@
+# Changelog
+
+### controller-v1.10.1
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.1@sha256:e24f39d3eed6bcc239a56f20098878845f62baa34b9f2be2fd2c38ce9fb0f29e
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.1@sha256:c155954116b397163c88afcb3252462771bd7867017e8a17623e83601bab7ac7
+
+### All changes:
+
+* start 1.10.1 build (#11246)
+* force nginx rebuild (#11245)
+* update k8s version to latest kind release (#11241)
+* remove _ssl_expire_time_seconds metric by identifier (#11239)
+* update post submit helm ci and clean up (#11221)
+* Chart: Add unit tests for default backend & topology spread constraints. (#11219)
+* sort default backend hpa metrics (#11217)
+* updated certgen image shatag (#11216)
+* changed testrunner image sha (#11211)
+* bumped certgeimage tag (#11213)
+* updated baseimage & deleted a useless file (#11209)
+* bump ginkgo to 2-17-1 in testrunner (#11204)
+* chunking related faq update (#11205)
+* Fix-semver (#11199)
+* refactor helm ci tests part I (#11188)
+* Proposal: e2e tests for regex patterns (#11185)
+* bump ginkgo to v2.17.1 (#11186)
+* fixes brotli build issue (#11187)
+* fix geoip2 configuration docs (#11151)
+* Fix typos in OTel doc (#11081) (#11129)
+* Chart: Render `controller.ingressClassResource.parameters` natively. (#11126)
+* Fix admission controller logging of `admissionTime` and `testedConfigurationSize` (#11114)
+* Chart: Align HPA & KEDA conditions. (#11113)
+* Chart: Improve IngressClass documentation. (#11111)
+* Chart: Add Gacko to maintainers. Again. (#11112)
+* Chart: Deploy `PodDisruptionBudget` with KEDA. (#11105)
+* Chores: Pick patches from main. (#11103)
+
+### Dependency updates:
+
+* Bump google.golang.org/grpc from 1.63.0 to 1.63.2 (#11238)
+* Bump google.golang.org/grpc from 1.62.1 to 1.63.0 (#11234)
+* Bump github.com/prometheus/common from 0.51.1 to 0.52.2 (#11233)
+* Bump golang.org/x/crypto from 0.21.0 to 0.22.0 (#11232)
+* Bump github.com/prometheus/client_model in the all group (#11231)
+* Bump the all group with 3 updates (#11230)
+* Bump the all group with 2 updates (#11190)
+* Bump actions/add-to-project from 0.6.1 to 1.0.0 (#11189)
+* Bump the all group with 3 updates (#11166)
+* Bump github.com/prometheus/common from 0.50.0 to 0.51.1 (#11160)
+* Bump the all group with 4 updates (#11140)
+* Bump the all group with 1 update (#11136)
+* Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 in /magefiles (#11127)
+* Bump google.golang.org/protobuf in /images/custom-error-pages/rootfs (#11128)
+* Bump google.golang.org/protobuf in /images/kube-webhook-certgen/rootfs (#11122)
+

changelog/controller-1.10.2.md

@@ -0,0 +1,130 @@
+# Changelog
+
+### controller-v1.10.2
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.2@sha256:e3311b3d9671bc52d90572bcbfb7ee5b71c985d6d6cffd445c241f1e2703363c
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.2@sha256:c4395cba98f9721e3381d3c06e7994371bae20f5ab30e457cd7debe44a8c8c54
+
+### All changes:
+
+* update test runner to latest build (#11557)
+* add k8s 1.30 to ci build (#11553)
+* update test runner go base to 3.20 (#11550)
+* tag new test runner image with new nginx base 0.0.8 (#11549)
+* bump NGINX_BASE to v0.0.8 (#11543)
+* trigger build for NGINX-1.25 v0.0.8 (#11542)
+* Upgrade OWASP_MODSECURITY_CRS_VERSION 3.3.5 to 4.4.0 and update docs (#11548)
+* [feature] bump nginx to 1.25.5 and add http3 module (#11541)
+* add ssl patches to nginx-1.25 image for coroutines to work in lua client hello and cert ssl blocks (#11534)
+* bump alpine version to 3.20 to custom-error-pages (#11537)
+* fix: Ensure changes in MatchCN annotation are detected (#11528)
+* Docs: Add information about HTTP/3 support. (#11525)
+* Docs: Specify `ingressClass` for multi-controller setup. (#11520)
+* Docs: Improve default certificate usage. (#11519)
+* docs: Update Ingress-NGINX v1.10.1 compatibility with Kubernetes v1.30 (#11500)
+* Update getting-started.md with new prerequisites (#11487)
+* Fix boolean configuration (#11484)
+* Chores: Align security contacts & chart maintainers to actual owners. (#11480)
+* CI: Bump forgotten Ginkgo versions. (#11469)
+* Tests: Replace deprecated `grpc.Dial` by `grpc.NewClient`. (#11468)
+* Owners: Promote Gacko to admin. (#11464)
+* fixed fastcgi userguide (#11455)
+* Remove unnecessary space character (#11451)
+* fix for docs issue 11432 (#11446)
+* Update index.md (#11445)
+* upgrade to alpine 3.20 (#11438)
+* update golang to 1.22.4 (#11431)
+* Adapt dashboards for Grafana 11 compatibility (#11414)
+* Rename variable to fix typo (#11413)
+* Fix helm install on cloud provider admonition block (#11412)
+* edited helm-install tips (#11411)
+* added info for aws helm install (#11410)
+* added multiplecontrollers-howto to faq (#11409)
+* removed tlsv1 & tlsv1.1 (#11408)
+* Docs: Remove opentracing and zipkin from docs (#11405)
+* Go: Sync modules from `main`. (#11398)
+* add workflow to helm release and update ct for branch (#11317)
+* Merge pull request #11277 from strongjz/chart-1.10.1 (#11314)
+* Release Helm Chart on branch update (#11306)
+* Release controller 1.10.1 (#11298)
+* fix path in file changed detected message (#11286)
+* chore: fix function names in comment (#11281)
+* fix: update kube version requirement to 1.21 (#11279)
+* release helm chart from release branch (#11278)
+* start 1.10.1 build (#11246)
+* force nginx rebuild (#11245)
+* update k8s version to latest kind release (#11241)
+* remove _ssl_expire_time_seconds metric by identifier (#11239)
+* update post submit helm ci and clean up (#11221)
+* Chart: Add unit tests for default backend & topology spread constraints. (#11219)
+* sort default backend hpa metrics (#11217)
+* updated certgen image shatag (#11216)
+* changed testrunner image sha (#11211)
+* bumped certgeimage tag (#11213)
+* updated baseimage & deleted a useless file (#11209)
+* bump ginkgo to 2-17-1 in testrunner (#11204)
+* chunking related faq update (#11205)
+* Fix-semver (#11199)
+* refactor helm ci tests part I (#11188)
+* Proposal: e2e tests for regex patterns (#11185)
+* bump ginkgo to v2.17.1 (#11186)
+* fixes brotli build issue (#11187)
+* fix geoip2 configuration docs (#11151)
+* Fix typos in OTel doc (#11081) (#11129)
+* Chart: Render `controller.ingressClassResource.parameters` natively. (#11126)
+* Fix admission controller logging of `admissionTime` and `testedConfigurationSize` (#11114)
+* Chart: Align HPA & KEDA conditions. (#11113)
+* Chart: Improve IngressClass documentation. (#11111)
+* Chart: Add Gacko to maintainers. Again. (#11112)
+* Chart: Deploy `PodDisruptionBudget` with KEDA. (#11105)
+* Chores: Pick patches from main. (#11103)
+* Start the release of v1.10.0 (#11038)
+
+### Dependency updates:
+
+* Bump the all group with 2 updates (#11524)
+* Bump k8s.io/klog/v2 from 2.130.0 to 2.130.1 in the all group (#11521)
+* Bump aquasecurity/trivy-action from 0.22.0 to 0.23.0 in the all group (#11501)
+* Bump k8s.io/klog/v2 from 2.120.1 to 2.130.0 (#11479)
+* Bump the all group with 3 updates (#11478)
+* Bump the all group with 2 updates (#11477)
+* Bump golang.org/x/crypto from 0.23.0 to 0.24.0 (#11471)
+* Bump sigs.k8s.io/controller-runtime in the all group (#11449)
+* Bump github.com/prometheus/common from 0.53.0 to 0.54.0 (#11447)
+* Bump the all group with 3 updates (#11450)
+* Bump goreleaser/goreleaser-action from 5.1.0 to 6.0.0 (#11448)
+* Bump github.com/onsi/ginkgo/v2 from 2.17.2 to 2.19.0 (#11422)
+* Bump the all group with 2 updates (#11421)
+* Bump google.golang.org/grpc from 1.63.2 to 1.64.0 (#11423)
+* Bump the all group across 1 directory with 6 updates (#11407)
+* Bump golangci/golangci-lint-action from 5.3.0 to 6.0.1 (#11406)
+* Bump the all group with 3 updates (#11404)
+* Bump Kubernetes version on images (#11403)
+* Bump golangci/golangci-lint-action from 4.0.0 to 5.0.0 (#11402)
+* Bump the all group with 4 updates (#11380)
+* Bump k8s.io/component-base from 0.29.3 to 0.30.0 (#11301)
+* Bump github.com/prometheus/common from 0.52.3 to 0.53.0 (#11300)
+* Bump golang.org/x/net from 0.22.0 to 0.23.0 (#11285)
+* Bump golang.org/x/net in /images/kube-webhook-certgen/rootfs (#11284)
+* Bump the all group with 2 updates (#11266)
+* Bump azure/setup-helm from 3.5 to 4 (#11265)
+* Bump actions/add-to-project from 1.0.0 to 1.0.1 in the all group (#11264)
+* Bump google.golang.org/grpc from 1.63.0 to 1.63.2 (#11238)
+* Bump google.golang.org/grpc from 1.62.1 to 1.63.0 (#11234)
+* Bump github.com/prometheus/common from 0.51.1 to 0.52.2 (#11233)
+* Bump golang.org/x/crypto from 0.21.0 to 0.22.0 (#11232)
+* Bump github.com/prometheus/client_model in the all group (#11231)
+* Bump the all group with 3 updates (#11230)
+* Bump the all group with 2 updates (#11190)
+* Bump actions/add-to-project from 0.6.1 to 1.0.0 (#11189)
+* Bump the all group with 3 updates (#11166)
+* Bump github.com/prometheus/common from 0.50.0 to 0.51.1 (#11160)
+* Bump the all group with 4 updates (#11140)
+* Bump the all group with 1 update (#11136)
+* Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 in /magefiles (#11127)
+* Bump google.golang.org/protobuf in /images/custom-error-pages/rootfs (#11128)
+* Bump google.golang.org/protobuf in /images/kube-webhook-certgen/rootfs (#11122)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.1...controller-v1.10.2

changelog/controller-1.10.3.md

@@ -0,0 +1,37 @@
+# Changelog
+
+### controller-v1.10.3
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.3@sha256:b5a5082f8e508cc1aac1c0ef101dc2f87b63d51598a5747d81d6cf6e7ba058fd
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.3@sha256:9033e04bd3cd01f92414f8d5999c5095734d4caceb4923942298152a38373d4b
+
+### All changes:
+
+* Images: Trigger `controller` v1.10.3 build. (#11648)
+* Tests: Bump `test-runner` to v20240717-1fe74b5f. (#11646)
+* Images: Re-run `test-runner` build. (#11643)
+* Images: Trigger `test-runner` build. (#11639)
+* Images: Bump `NGINX_BASE` to v0.0.10. (#11637)
+* Images: Trigger NGINX build. (#11631)
+* bump testing runner (#11626)
+* remove modsecurity coreruleset test files from nginx image (#11619)
+* unskip the ocsp tests and update images to fix cfssl bug (#11615)
+* Fix indent in YAML for example pod (#11609)
+* Images: Bump `test-runner`. (#11604)
+* Images: Bump `NGINX_BASE` to v0.0.9. (#11601)
+* revert module upgrade (#11595)
+* README: Fix support matrix. (#11593)
+* Mage: Stop mutating release notes. (#11582)
+* Images: Bump `kube-webhook-certgen`. (#11583)
+
+### Dependency updates:
+
+* Bump github.com/prometheus/common from 0.54.0 to 0.55.0 (#11622)
+* Bump the all group with 5 updates (#11613)
+* Bump golang.org/x/crypto from 0.24.0 to 0.25.0 (#11579)
+* Bump google.golang.org/grpc from 1.64.0 to 1.65.0 (#11577)
+* Bump the all group with 4 updates (#11574)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.2...controller-v1.10.3

changelog/controller-1.10.4.md

@@ -0,0 +1,53 @@
+# Changelog
+
+### controller-v1.10.4
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.4@sha256:505b9048c02dde3d6c8667bf0b52aba7b36adf7b03da34c47d5fa312d2d4c6fc
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.4@sha256:bf71acf6e71830a4470e2183e3bc93c4f006b954f8a05fb434242ef0f8a24858
+
+### All changes:
+
+* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11811)
+* Images: Trigger controller build. (#11808)
+* Tests & Docs: Bump images. (#11804)
+* Images: Trigger failed builds. (#11801)
+* Images: Trigger other builds. (#11797)
+* Controller: Fix panic in alternative backend merging. (#11793)
+* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11791)
+* Images: Trigger `test-runner` build. (#11786)
+* Images: Bump `NGINX_BASE` to v0.0.12. (#11783)
+* Images: Trigger NGINX build. (#11780)
+* Cloud Build: Add missing config, remove unused ones. (#11776)
+* Generate correct output on NumCPU() when using cgroups2 (#11775)
+* Cloud Build: Tweak timeouts. (#11762)
+* Cloud Build: Fix substitutions. (#11759)
+* Cloud Build: Some chores. (#11756)
+* Go: Bump to v1.22.6. (#11748)
+* Images: Bump `NGINX_BASE` to v0.0.11. (#11744)
+* Images: Trigger NGINX build. (#11736)
+* docs: update OpenSSL Roadmap link (#11734)
+* Go: Bump to v1.22.5. (#11731)
+* Docs: Fix typo in AWS LB Controller reference (#11724)
+* Perform some cleaning operations on line breaks. (#11722)
+* Missing anchors in regular expression. (#11718)
+* Docs: Fix `from-to-www` redirect description. (#11715)
+* Chart: Remove `isControllerTagValid`. (#11714)
+* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11704)
+* Docs: Clarify `from-to-www` redirect direction. (#11692)
+* added real-client-ip faq (#11665)
+* Docs: Format NGINX configuration table. (#11660)
+
+### Dependency updates:
+
+* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11772)
+* Bump the all group with 2 updates (#11770)
+* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11768)
+* Bump the all group with 3 updates (#11729)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11700)
+* Bump the all group with 2 updates (#11697)
+* Bump the all group with 4 updates (#11676)
+* Bump the all group with 2 updates (#11674)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.3...controller-v1.10.4

changelog/controller-1.11.0.md

@@ -0,0 +1,164 @@
+# Changelog
+
+### controller-v1.11.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.11.0@sha256:a886e56d532d1388c77c8340261149d974370edca1093af4c97a96fb1467cb39
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.0@sha256:f16dfed1c94d216b65e5dcb7508ab46148641a99649c5a700749db6f01a7039e
+
+### All changes:
+
+* update test runner to latest build (#11558)
+* add k8s 1.30 to ci build (#11554)
+* update test runner go base to 3.20 (#11552)
+* tag new test runner image with new nginx base 0.0.8 (#11551)
+* bump NGINX_BASE to v0.0.8 (#11544)
+* add ssl patches to nginx-1.25 image for coroutines to work in lua client hello and cert ssl blocks (#11535)
+* trigger build for NGINX-1.25 v0.0.8 (#11539)
+* bump alpine version to 3.20 to custom-error-pages (#11538)
+* fix: Ensure changes in MatchCN annotation are detected (#11529)
+* Docs: Add information about HTTP/3 support. (#11513)
+* Docs: Specify `ingressClass` for multi-controller setup. (#11493)
+* Docs: Improve default certificate usage. (#11504)
+* Upgrade OWASP_MODSECURITY_CRS_VERSION 3.3.5 to 4.4.0 and update docs (#11511)
+* docs: Update Ingress-NGINX v1.10.1 compatibility with Kubernetes v1.30 (#11495)
+* Update getting-started.md with new prerequisites (#11486)
+* [feature] bump nginx to 1.25.5 and add http3 module (#11470)
+* Fix boolean configuration (#11483)
+* Chores: Align security contacts & chart maintainers to actual owners. (#11465)
+* CI: Bump forgotten Ginkgo versions. (#11467)
+* Tests: Replace deprecated `grpc.Dial` by `grpc.NewClient`. (#11462)
+* Owners: Promote Gacko to admin. (#11463)
+* Chart: Make pod affinity templatable. (#11453)
+* fixed fastcgi userguide (#11454)
+* Remove unnecessary space character (#11434)
+* upgrade to alpine 3.20 (#11428)
+* fix for docs issue 11432 (#11433)
+* Update index.md (#11437)
+* update golang to 1.22.4 (#11427)
+* Chart: Fix `IngressClass` annotations. (#11416)
+* Chart: Make admission webhook patch job RBAC configurable. (#11376)
+* Merge pull request #11277 from strongjz/chart-1.10.1 (#11415)
+* Chart: Remove `controller.enableWorkerSerialReloads`. (#11400)
+* Adapt dashboards for Grafana 11 compatibility (#11399)
+* Rename variable to fix typo (#11395)
+* Fix helm install on cloud provider admonition block (#11394)
+* edited helm-install tips (#11393)
+* added info for aws helm install (#11390)
+* added multiplecontrollers-howto to faq (#11389)
+* removed tlsv1 & tlsv1.1 (#11343)
+* feat: Add grpc timeouts annotations (#11258)
+* sfix position of options (#11379)
+* add workflow to helm release and update ct for branch (#11378)
+* Accept user defined annotations in IngressClass (#11362)
+* Docs: Remove opentracing and zipkin from docs (#11361)
+* Allow configuring nginx worker reload behaviour, to prevent multiple concurrent worker reloads which can lead to high resource usage and OOMKill (#10884)
+* chore(deps): group update k8s.io packages to v0.30.0 (#11344)
+* Fix function name in comment (#11296)
+* fix path in file changed detected message (#11271)
+* chore: fix function names in comment (#11280)
+* fix: update kube version requirement to 1.21 (#11275)
+* release helm chart from release branch (#11276)
+* update k8s version to latest kind release (#11240)
+* feat: add annotation to allow to add custom response headers (#9742)
+* remove _ssl_expire_time_seconds metric by identifier (#9706)
+* update post submit helm ci and clean up (#11220)
+* Chart: Add unit tests for default backend & topology spread constraints. (#11218)
+* sort default backend hpa metrics (#11215)
+* updated certgen image shatag (#11214)
+* feature(default_backend): topologySpreadConstraints on default backend (#11197)
+* bumped certgeimage tag (#11212)
+* changed testrunner image sha (#11207)
+* updated baseimage & deleted a useless file (#11208)
+* Chart: Make `controller.config` templatable. (#11181)
+* chunking related faq update (#11196)
+* bump ginkgo to 2-17-1 in testrunner (#11202)
+* Owners: Promote Gacko to `ingress-nginx-maintainers` & `ingress-nginx-reviewers`. (#11165)
+* Fix-semver (#11193)
+* refactor helm ci tests part I (#11178)
+* fixes brotli build issue (#10484)
+* bump ginkgo to v2.17.1 (#11177)
+* Proposal: e2e tests for regex patterns (#11174)
+* Controller: Make Leader Election TTL configurable. (#11142)
+* Chores: Remove recently added whitespaces. (#11156)
+* Add GRPC Buffer Size to the Configmap (#11155)
+* fix geoip2 configuration docs (#11150)
+* feature(geoip2_autoreload): Enable GeoIP2 auto_reload config  (#11079)
+* Chart: Add IngressClass aliases. (#11109)
+* Fix typos in OTel doc (#11081)
+* Chart: Render `controller.ingressClassResource.parameters` natively. (#11108)
+* Fix admission controller logging of `admissionTime` and `testedConfigurationSize` (#11089)
+* Chart: Align HPA & KEDA conditions. (#11110)
+* Chart: Add Gacko to maintainers. Again. (#11107)
+* Chart: Improve IngressClass documentation. (#11104)
+* Chart: Deploy `PodDisruptionBudget` with KEDA. (#11032)
+* Undo #11062 since it breaks the nginx config (#11082)
+* [mTLS] Fix acme verification when mTLS and Client CN verification is enabled (#11062)
+* golangci-lint update, ci cleanup, group dependabot updates (#11071)
+* bump golang (#11070)
+* feature(leader_election): flag to disable leader election feature on controller (#11064)
+* docs: update the 404 link to FAQ (#11069)
+* Update README.md (#11065)
+* quotes around numbers fort ports definitions (#11052)
+
+### Dependency updates:
+
+* Bump the all group with 2 updates (#11523)
+* Bump k8s.io/klog/v2 from 2.130.0 to 2.130.1 in the all group (#11499)
+* Bump aquasecurity/trivy-action from 0.22.0 to 0.23.0 in the all group (#11497)
+* Bump k8s.io/klog/v2 from 2.120.1 to 2.130.0 (#11475)
+* Bump the all group with 3 updates (#11474)
+* Bump the all group with 2 updates (#11476)
+* Bump golang.org/x/crypto from 0.23.0 to 0.24.0 (#11442)
+* Bump the all group with 3 updates (#11443)
+* Bump sigs.k8s.io/controller-runtime in the all group (#11440)
+* Bump goreleaser/goreleaser-action from 5.1.0 to 6.0.0 (#11444)
+* Bump github.com/prometheus/common from 0.53.0 to 0.54.0 (#11441)
+* Bump the all group with 2 updates (#11419)
+* Bump github.com/onsi/ginkgo/v2 from 2.17.2 to 2.19.0 (#11418)
+* Bump google.golang.org/grpc from 1.63.2 to 1.64.0 (#11417)
+* Bump the all group across 1 directory with 3 updates (#11384)
+* Bump the all group across 1 directory with 6 updates (#11383)
+* Bump golang.org/x/crypto from 0.22.0 to 0.23.0 (#11357)
+* Bump golangci/golangci-lint-action from 5.3.0 to 6.0.1 (#11355)
+* Bump the all group with 3 updates (#11348)
+* Bump Kubernetes version on images (#11346)
+* Bump sigs.k8s.io/controller-runtime from 0.17.3 to 0.18.1 (#11345)
+* Bump golangci/golangci-lint-action from 4.0.0 to 5.0.0 (#11328)
+* Bump the all group with 4 updates (#11327)
+* Bump k8s.io/component-base from 0.29.3 to 0.30.0 (#11291)
+* Bump github.com/prometheus/common from 0.52.3 to 0.53.0 (#11290)
+* Bump golang.org/x/net from 0.22.0 to 0.23.0 (#11282)
+* Bump golang.org/x/net in /images/kube-webhook-certgen/rootfs (#11283)
+* Bump the all group with 2 updates (#11261)
+* Bump azure/setup-helm from 3.5 to 4 (#11263)
+* Bump actions/add-to-project from 1.0.0 to 1.0.1 in the all group (#11262)
+* Bump google.golang.org/grpc from 1.63.0 to 1.63.2 (#11237)
+* Bump google.golang.org/grpc from 1.62.1 to 1.63.0 (#11228)
+* Bump github.com/prometheus/common from 0.51.1 to 0.52.2 (#11227)
+* Bump golang.org/x/crypto from 0.21.0 to 0.22.0 (#11229)
+* Bump github.com/prometheus/client_model in the all group (#11226)
+* Bump the all group with 3 updates (#11225)
+* Bump the all group with 2 updates (#11183)
+* Bump actions/add-to-project from 0.6.1 to 1.0.0 (#11184)
+* Bump the all group with 3 updates (#11157)
+* Bump github.com/prometheus/common from 0.50.0 to 0.51.1 (#11159)
+* Bump the all group with 4 updates (#11133)
+* Bump the all group with 1 update (#11134)
+* Bump google.golang.org/protobuf in /images/custom-error-pages/rootfs (#11119)
+* Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 in /magefiles (#11121)
+* Bump google.golang.org/protobuf in /images/kube-webhook-certgen/rootfs (#11120)
+* Bump github.com/onsi/ginkgo/v2 from 2.15.0 to 2.16.0 (#11076)
+* Bump the all group with 1 update (#11073)
+* Bump the all group with 1 update (#11072)
+* Bump github.com/prometheus/common from 0.49.0 to 0.50.0 (#11075)
+* Bump actions/download-artifact from 4.1.2 to 4.1.4 (#11059)
+* Bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (#11055)
+* Bump docker/setup-buildx-action from 3.0.0 to 3.1.0 (#11057)
+* Bump github.com/prometheus/common from 0.48.0 to 0.49.0 (#11056)
+* Bump github/codeql-action from 3.24.5 to 3.24.6 (#11060)
+* Bump aquasecurity/trivy-action from 0.17.0 to 0.18.0 (#11058)
+* Bump dorny/paths-filter from 3.0.1 to 3.0.2 (#11061)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.2...controller-v1.11.0

changelog/controller-1.11.1.md

@@ -0,0 +1,45 @@
+# Changelog
+
+### controller-v1.11.1
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.11.1@sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.1@sha256:7cabe4bd7558bfdf5b707976d7be56fd15ffece735d7c90fc238b6eda290fd8d
+
+### All changes:
+
+* Tests: Bump `test-runner` to v20240717-1fe74b5f. (#11647)
+* Images: Re-run `test-runner` build. (#11644)
+* Images: Trigger `test-runner` build. (#11640)
+* Images: Bump `NGINX_BASE` to v0.0.10. (#11638)
+* Images: Trigger NGINX build. (#11632)
+* bump testing runner (#11627)
+* remove modsecurity coreruleset test files from nginx image (#11620)
+* unskip the ocsp tests and update images to fix cfssl bug (#11616)
+* Fix indent in YAML for example pod (#11610)
+* Images: Bump `test-runner`. (#11605)
+* Images: Bump `NGINX_BASE` to v0.0.9. (#11602)
+* revert module upgrade (#11597)
+* Release: Apply changes from `main`. (#11589)
+* Mage: Stop mutating release notes. (#11581)
+* Images: Bump `kube-webhook-certgen`. (#11584)
+* update test runner to latest build (#11558)
+* add k8s 1.30 to ci build (#11554)
+* update test runner go base to 3.20 (#11552)
+* tag new test runner image with new nginx base 0.0.8 (#11551)
+* bump NGINX_BASE to v0.0.8 (#11544)
+* add ssl patches to nginx-1.25 image for coroutines to work in lua client hello and cert ssl blocks (#11535)
+* trigger build for NGINX-1.25 v0.0.8 (#11539)
+* bump alpine version to 3.20 to custom-error-pages (#11538)
+* fix: Ensure changes in MatchCN annotation are detected (#11529)
+
+### Dependency updates:
+
+* Bump github.com/prometheus/common from 0.54.0 to 0.55.0 (#11621)
+* Bump the all group with 5 updates (#11614)
+* Bump golang.org/x/crypto from 0.24.0 to 0.25.0 (#11580)
+* Bump google.golang.org/grpc from 1.64.0 to 1.65.0 (#11576)
+* Bump the all group with 4 updates (#11575)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.0...controller-v1.11.1

changelog/controller-1.11.2.md

@@ -0,0 +1,54 @@
+# Changelog
+
+### controller-v1.11.2
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.2@sha256:21b55a2f0213a18b91612a8c0850167e00a8e34391fd595139a708f9c047e7a8
+
+### All changes:
+
+* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11812)
+* Images: Trigger controller build. (#11807)
+* Tests & Docs: Bump images. (#11805)
+* Images: Trigger failed builds. (#11802)
+* Images: Trigger other builds. (#11798)
+* Controller: Fix panic in alternative backend merging. (#11794)
+* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11792)
+* Images: Trigger `test-runner` build. (#11787)
+* Images: Bump `NGINX_BASE` to v0.0.12. (#11784)
+* Images: Trigger NGINX build. (#11781)
+* Cloud Build: Add missing config, remove unused ones. (#11777)
+* Generate correct output on NumCPU() when using cgroups2 (#11778)
+* Cloud Build: Tweak timeouts. (#11763)
+* Cloud Build: Fix substitutions. (#11760)
+* Cloud Build: Some chores. (#11757)
+* Go: Bump to v1.22.6. (#11749)
+* Images: Bump `NGINX_BASE` to v0.0.11. (#11743)
+* Images: Trigger NGINX build. (#11737)
+* docs: update OpenSSL Roadmap link (#11733)
+* Go: Bump to v1.22.5. (#11732)
+* Docs: Fix typo in AWS LB Controller reference (#11725)
+* Perform some cleaning operations on line breaks. (#11721)
+* Missing anchors in regular expression. (#11719)
+* Docs: Fix `from-to-www` redirect description. (#11716)
+* Chart: Remove `isControllerTagValid`. (#11713)
+* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11705)
+* Docs: Clarify `from-to-www` redirect direction. (#11693)
+* added real-client-ip faq (#11664)
+* Docs: Format NGINX configuration table. (#11662)
+* Docs: Update version in `deploy/index.md`. (#11652)
+
+### Dependency updates:
+
+* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11773)
+* Bump the all group with 2 updates (#11771)
+* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11769)
+* Bump the all group with 3 updates (#11728)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11701)
+* Bump the all group with 2 updates (#11698)
+* Bump the all group with 4 updates (#11677)
+* Bump the all group with 2 updates (#11675)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.1...controller-v1.11.2

changelog/controller-1.6.4.md

@@ -83,7 +83,7 @@ Images:
 * ModSecurity dependencies update to avoid Memory Leaks (#9330)
 * fix(hpa): deprecated api version, bump to v2 (#9348)
 * fix(typo): pluralize provider (#9346)
-* removed deprecation messsage for ingressClass annotation (#9357)
+* removed deprecation message for ingressClass annotation (#9357)
 * added ginkgo junit reports (#9350)
 * Fix typos found by codespell (#9353)
 * bumped ginkgo to v2.5.1 in testrunner (#9340)

changelog/controller-1.7.1.md

@@ -15,7 +15,7 @@ Images:
 * Add support for --container flag (#9703)
 * Fix typo in OpenTelemetry (#9903)
 * ensure make lua-test runs locally (#9902)
-* update k8s.io dependecies to v0.26.4 (#9893)
+* update k8s.io dependencies to v0.26.4 (#9893)
 * Adding resource type to default HPA configuration to resolve issues with Terraform helm chart usage (#9803)
 * I have not been able to fulfill my maintainer responsibilities for a while already, making it official now. (#9883)
 * Update k8s versions (#9879)

changelog/controller-1.8.0.md

@@ -39,7 +39,7 @@ on our new [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernet
 * Correct annotations in monitoring docs (#9976)
 * fix: avoid builds and tests for changes to markdown (#9962)
 * Validate path types (#9967)
-* HPA: Use capabilites & align manifests. (#9521)
+* HPA: Use capabilities & align manifests. (#9521)
 * Use dl.k8s.io instead of hardcoded GCS URIs (#9946)
 * add option for annotations in PodDisruptionBudget (#9843)
 * chore: update httpbin to httpbun (#9919)

changelog/controller-1.9.0-beta.0.md

@@ -26,7 +26,7 @@ Images:
 * Add golangci github action and replace the deprecated golint (#10187)
 * BUGFIX incorrect indentation (#10254)
 * Upgrade OpenTelemetry to v1.11.0 and gRPC to v1.57.0 (#10352)
-* fix: path with sepecial characters warning #10281 #10308 (#10330)
+* fix: path with special characters warning #10281 #10308 (#10330)
 * Fix golangci-lint errors (#10196)
 * chore(build): Fix Run make dev-env syntax error (#10294)
 * Add firewall configuration to quick start documentation (#10357)

changelog/controller-1.9.0.md

@@ -26,7 +26,7 @@ Images:
 * Add golangci github action and replace the deprecated golint (#10187)
 * BUGFIX incorrect indentation (#10254)
 * Upgrade OpenTelemetry to v1.11.0 and gRPC to v1.57.0 (#10352)
-* fix: path with sepecial characters warning #10281 #10308 (#10330)
+* fix: path with special characters warning #10281 #10308 (#10330)
 * Fix golangci-lint errors (#10196)
 * chore(build): Fix Run make dev-env syntax error (#10294)
 * Add firewall configuration to quick start documentation (#10357)

charts/ingress-nginx/Chart.yaml

@@ -1,23 +1,25 @@
 annotations:
-  artifacthub.io/changes: |-
+  artifacthub.io/changes: |
-    - "Update Ingress-Nginx version controller-v1.10.0"
+    - Update Ingress-Nginx version controller-v1.11.2
   artifacthub.io/prerelease: "false"
 apiVersion: v2
-appVersion: 1.10.0
+appVersion: 1.11.2
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and
   load balancer
 home: https://github.com/kubernetes/ingress-nginx
 icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
 keywords:
-  - ingress
+- ingress
-  - nginx
+- nginx
-kubeVersion: '>=1.20.0-0'
+kubeVersion: '>=1.21.0-0'
 maintainers:
-  - name: Gacko
+- name: cpanato
-  - name: rikatz
+- name: Gacko
-  - name: strongjz
+- name: puerco
-  - name: tao12345666333
+- name: rikatz
+- name: strongjz
+- name: tao12345666333
 name: ingress-nginx
 sources:
-  - https://github.com/kubernetes/ingress-nginx
+- https://github.com/kubernetes/ingress-nginx
-version: 4.10.0
+version: 4.11.2

charts/ingress-nginx/README.md

@@ -2,7 +2,7 @@
 
 [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 
-![Version: 4.10.0](https://img.shields.io/badge/Version-4.10.0-informational?style=flat-square) ![AppVersion: 1.10.0](https://img.shields.io/badge/AppVersion-1.10.0-informational?style=flat-square)
+![Version: 4.11.2](https://img.shields.io/badge/Version-4.11.2-informational?style=flat-square) ![AppVersion: 1.11.2](https://img.shields.io/badge/AppVersion-1.11.2-informational?style=flat-square)
 
 To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
 
@@ -10,7 +10,7 @@ This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kuber
 
 ## Requirements
 
-Kubernetes: `>=1.20.0-0`
+Kubernetes: `>=1.21.0-0`
 
 ## Get Repo Info
 
@@ -242,9 +242,8 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` |  |
 | controller.admissionWebhooks.createSecretJob.name | string | `"create"` |  |
 | controller.admissionWebhooks.createSecretJob.resources | object | `{}` |  |
-| controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers |
+| controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers |
 | controller.admissionWebhooks.enabled | bool | `true` |  |
-| controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one |
 | controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set |
 | controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use |
 | controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` |  |
@@ -253,21 +252,26 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.admissionWebhooks.namespaceSelector | object | `{}` |  |
 | controller.admissionWebhooks.objectSelector | object | `{}` |  |
 | controller.admissionWebhooks.patch.enabled | bool | `true` |  |
-| controller.admissionWebhooks.patch.image.digest | string | `"sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366"` |  |
+| controller.admissionWebhooks.patch.image.digest | string | `"sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f"` |  |
 | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` |  |
 | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` |  |
-| controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` |  |
+| controller.admissionWebhooks.patch.image.tag | string | `"v1.4.4"` |  |
-| controller.admissionWebhooks.patch.image.tag | string | `"v1.4.1"` |  |
 | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
 | controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
 | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
 | controller.admissionWebhooks.patch.podAnnotations | object | `{}` |  |
 | controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # |
+| controller.admissionWebhooks.patch.rbac | object | `{"create":true}` | Admission webhook patch job RBAC |
+| controller.admissionWebhooks.patch.rbac.create | bool | `true` | Create RBAC or not |
 | controller.admissionWebhooks.patch.securityContext | object | `{}` | Security context for secret creation & webhook patch pods |
+| controller.admissionWebhooks.patch.serviceAccount | object | `{"automountServiceAccountToken":true,"create":true,"name":""}` | Admission webhook patch job service account |
+| controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken | bool | `true` | Auto-mount service account token or not |
+| controller.admissionWebhooks.patch.serviceAccount.create | bool | `true` | Create a service account or not |
+| controller.admissionWebhooks.patch.serviceAccount.name | string | `""` | Custom service account name |
 | controller.admissionWebhooks.patch.tolerations | list | `[]` |  |
 | controller.admissionWebhooks.patchWebhookJob.name | string | `"patch"` |  |
 | controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` |  |
-| controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers |
+| controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers |
 | controller.admissionWebhooks.port | int | `8443` |  |
 | controller.admissionWebhooks.service.annotations | object | `{}` |  |
 | controller.admissionWebhooks.service.externalIPs | list | `[]` |  |
@@ -298,15 +302,14 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. |
 | controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' |
 | controller.electionTTL | string | `""` | Duration a leader election is valid before it's getting re-elected, e.g. `15s`, `10m` or `1h`. (Default: 30s) |
-| controller.enableAnnotationValidations | bool | `false` |  |
+| controller.enableAnnotationValidations | bool | `true` |  |
 | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # |
 | controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false |
-| controller.existingPsp | string | `""` | Use an existing PSP instead of creating one |
 | controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use |
 | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. |
 | controller.extraEnvs | list | `[]` | Additional environment variables to set |
 | controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. |
-| controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module |
+| controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. |
 | controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. |
 | controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. |
 | controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. |
@@ -319,20 +322,21 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.hostname | object | `{}` | Optionally customize the pod hostname. |
 | controller.image.allowPrivilegeEscalation | bool | `false` |  |
 | controller.image.chroot | bool | `false` |  |
-| controller.image.digest | string | `"sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379c"` |  |
+| controller.image.digest | string | `"sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce"` |  |
-| controller.image.digestChroot | string | `"sha256:7eb46ff733429e0e46892903c7394aff149ac6d284d92b3946f3baf7ff26a096"` |  |
+| controller.image.digestChroot | string | `"sha256:21b55a2f0213a18b91612a8c0850167e00a8e34391fd595139a708f9c047e7a8"` |  |
 | controller.image.image | string | `"ingress-nginx/controller"` |  |
 | controller.image.pullPolicy | string | `"IfNotPresent"` |  |
 | controller.image.readOnlyRootFilesystem | bool | `false` |  |
-| controller.image.registry | string | `"registry.k8s.io"` |  |
+| controller.image.runAsGroup | int | `82` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) |
 | controller.image.runAsNonRoot | bool | `true` |  |
-| controller.image.runAsUser | int | `101` |  |
+| controller.image.runAsUser | int | `101` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) |
 | controller.image.seccompProfile.type | string | `"RuntimeDefault"` |  |
-| controller.image.tag | string | `"v1.10.0"` |  |
+| controller.image.tag | string | `"v1.11.2"` |  |
 | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
 | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
-| controller.ingressClassResource | object | `{"aliases":[],"controllerValue":"k8s.io/ingress-nginx","default":false,"enabled":true,"name":"nginx","parameters":{}}` | This section refers to the creation of the IngressClass resource. IngressClasses are immutable and cannot be changed after creation. We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required. |
+| controller.ingressClassResource | object | `{"aliases":[],"annotations":{},"controllerValue":"k8s.io/ingress-nginx","default":false,"enabled":true,"name":"nginx","parameters":{}}` | This section refers to the creation of the IngressClass resource. IngressClasses are immutable and cannot be changed after creation. We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required. |
 | controller.ingressClassResource.aliases | list | `[]` | Aliases of this IngressClass. Creates copies with identical settings but the respective alias as name. Useful for development environments with only one Ingress Controller but production-like Ingress resources. `default` gets enabled on the original IngressClass only. |
+| controller.ingressClassResource.annotations | object | `{}` | Annotations to be added to the IngressClass resource. |
 | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller of the IngressClass. An Ingress Controller looks for IngressClasses it should reconcile by this value. This value is also being set as the `--controller-class` argument of this Ingress Controller. Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class |
 | controller.ingressClassResource.default | bool | `false` | If true, Ingresses without `ingressClassName` get assigned to this IngressClass on creation. Ingress creation gets rejected if there are multiple default IngressClasses. Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class |
 | controller.ingressClassResource.enabled | bool | `true` | Create the IngressClass or not |
@@ -359,21 +363,23 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.livenessProbe.periodSeconds | int | `10` |  |
 | controller.livenessProbe.successThreshold | int | `1` |  |
 | controller.livenessProbe.timeoutSeconds | int | `1` |  |
-| controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. # https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases |
+| controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. # https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/ |
 | controller.metrics.enabled | bool | `false` |  |
 | controller.metrics.port | int | `10254` |  |
 | controller.metrics.portName | string | `"metrics"` |  |
 | controller.metrics.prometheusRule.additionalLabels | object | `{}` |  |
+| controller.metrics.prometheusRule.annotations | object | `{}` | Annotations to be added to the PrometheusRule. |
 | controller.metrics.prometheusRule.enabled | bool | `false` |  |
 | controller.metrics.prometheusRule.rules | list | `[]` |  |
 | controller.metrics.service.annotations | object | `{}` |  |
+| controller.metrics.service.enabled | bool | `true` | Enable the metrics service or not. |
 | controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
 | controller.metrics.service.labels | object | `{}` | Labels to be added to the metrics service resource |
 | controller.metrics.service.loadBalancerSourceRanges | list | `[]` |  |
 | controller.metrics.service.servicePort | int | `10254` |  |
 | controller.metrics.service.type | string | `"ClusterIP"` |  |
 | controller.metrics.serviceMonitor.additionalLabels | object | `{}` |  |
-| controller.metrics.serviceMonitor.annotations | object | `{}` |  |
+| controller.metrics.serviceMonitor.annotations | object | `{}` | Annotations to be added to the ServiceMonitor. |
 | controller.metrics.serviceMonitor.enabled | bool | `false` |  |
 | controller.metrics.serviceMonitor.metricRelabelings | list | `[]` |  |
 | controller.metrics.serviceMonitor.namespace | string | `""` |  |
@@ -386,24 +392,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.name | string | `"controller"` |  |
 | controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
 | controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
-| controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` |  |
-| controller.opentelemetry.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` |  |
-| controller.opentelemetry.containerSecurityContext.readOnlyRootFilesystem | bool | `true` |  |
-| controller.opentelemetry.containerSecurityContext.runAsNonRoot | bool | `true` |  |
-| controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. |
-| controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
-| controller.opentelemetry.enabled | bool | `false` |  |
-| controller.opentelemetry.image.digest | string | `"sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` |  |
-| controller.opentelemetry.image.distroless | bool | `true` |  |
-| controller.opentelemetry.image.image | string | `"ingress-nginx/opentelemetry"` |  |
-| controller.opentelemetry.image.registry | string | `"registry.k8s.io"` |  |
-| controller.opentelemetry.image.tag | string | `"v20230721-3e2062ee5"` |  |
-| controller.opentelemetry.name | string | `"opentelemetry"` |  |
-| controller.opentelemetry.resources | object | `{}` |  |
 | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # |
 | controller.podLabels | object | `{}` | Labels to add to the pod container metadata |
 | controller.podSecurityContext | object | `{}` | Security context for controller pods |
 | controller.priorityClassName | string | `""` |  |
+| controller.progressDeadlineSeconds | int | `0` | Specifies the number of seconds you want to wait for the controller deployment to progress before the system reports back that it has failed. Ref.: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds |
 | controller.proxySetHeaders | object | `{}` | Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers |
 | controller.publishService | object | `{"enabled":true,"pathOverride":""}` | Allows customization of the source of the IP address or FQDN to report in the ingress status field. By default, it reads the information provided by the service. If disable, the status field reports the IP address of the node or nodes where an ingress controller pod is running. |
 | controller.publishService.enabled | bool | `true` | Enable 'publishService' or not |
@@ -476,9 +469,10 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. # Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ # |
 | controller.udp.annotations | object | `{}` | Annotations to be added to the udp config configmap |
 | controller.udp.configMapNamespace | string | `""` | Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) |
+| controller.unhealthyPodEvictionPolicy | string | `""` | Eviction policy for unhealthy pods guarded by PodDisruptionBudget. Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ |
 | controller.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
 | controller.watchIngressWithoutClass | bool | `false` | Process Ingress objects without ingressClass annotation/ingressClassName field Overrides value for --watch-ingress-without-class flag of the controller binary Defaults to false |
-| defaultBackend.affinity | object | `{}` |  |
+| defaultBackend.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity |
 | defaultBackend.autoscaling.annotations | object | `{}` |  |
 | defaultBackend.autoscaling.enabled | bool | `false` |  |
 | defaultBackend.autoscaling.maxReplicas | int | `2` |  |
@@ -487,7 +481,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` |  |
 | defaultBackend.containerSecurityContext | object | `{}` | Security context for default backend containers |
 | defaultBackend.enabled | bool | `false` |  |
-| defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one |
 | defaultBackend.extraArgs | object | `{}` |  |
 | defaultBackend.extraConfigMaps | list | `[]` |  |
 | defaultBackend.extraEnvs | list | `[]` | Additional environment variables to set for defaultBackend pods |
@@ -497,7 +490,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | defaultBackend.image.image | string | `"defaultbackend-amd64"` |  |
 | defaultBackend.image.pullPolicy | string | `"IfNotPresent"` |  |
 | defaultBackend.image.readOnlyRootFilesystem | bool | `true` |  |
-| defaultBackend.image.registry | string | `"registry.k8s.io"` |  |
+| defaultBackend.image.runAsGroup | int | `65534` |  |
 | defaultBackend.image.runAsNonRoot | bool | `true` |  |
 | defaultBackend.image.runAsUser | int | `65534` |  |
 | defaultBackend.image.seccompProfile.type | string | `"RuntimeDefault"` |  |
@@ -508,7 +501,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | defaultBackend.livenessProbe.periodSeconds | int | `10` |  |
 | defaultBackend.livenessProbe.successThreshold | int | `1` |  |
 | defaultBackend.livenessProbe.timeoutSeconds | int | `5` |  |
-| defaultBackend.minAvailable | int | `1` |  |
+| defaultBackend.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. |
 | defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
 | defaultBackend.name | string | `"defaultbackend"` |  |
 | defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
@@ -535,11 +528,12 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | defaultBackend.serviceAccount.name | string | `""` |  |
 | defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # |
 | defaultBackend.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. Ref.: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ |
+| defaultBackend.unhealthyPodEvictionPolicy | string | `""` | Eviction policy for unhealthy pods guarded by PodDisruptionBudget. Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ |
 | defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
 | dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param |
+| global.image.registry | string | `"registry.k8s.io"` | Registry host to pull images from. |
 | imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
 | namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace |
-| podSecurityPolicy.enabled | bool | `false` |  |
 | portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration |
 | rbac.create | bool | `true` |  |
 | rbac.scope | bool | `false` |  |

charts/ingress-nginx/changelog/helm-chart-4.1.2.md

@@ -5,7 +5,7 @@ This file documents all notable changes to [ingress-nginx](https://github.com/ku
 ### 4.1.2
 
 * [8587](https://github.com/kubernetes/ingress-nginx/pull/8587) Add CAP_SYS_CHROOT to DS/PSP when needed
-* [8458](https://github.com/kubernetes/ingress-nginx/pull/8458) Add portNamePreffix Helm chart parameter
+* [8458](https://github.com/kubernetes/ingress-nginx/pull/8458) Add portNamePrefix Helm chart parameter
 * [8522](https://github.com/kubernetes/ingress-nginx/pull/8522) Add documentation for controller.service.loadBalancerIP in Helm chart
 
 **Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.1.0...helm-chart-4.1.2

charts/ingress-nginx/changelog/helm-chart-4.10.1.md

@@ -0,0 +1,11 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.10.1
+
+* - "update post submit helm ci and clean up (#11221)"
+* - "refactor helm ci tests part I (#11188)"
+* - "Update Ingress-Nginx version controller-v1.10.1"
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.0...helm-chart-4.10.1

charts/ingress-nginx/changelog/helm-chart-4.10.2.md

@@ -0,0 +1,18 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.10.2
+
+* Chores: Align security contacts & chart maintainers to actual owners. (#11480)
+* Fix helm install on cloud provider admonition block (#11412)
+* edited helm-install tips (#11411)
+* added info for aws helm install (#11410)
+* add workflow to helm release and update ct for branch (#11317)
+* Merge pull request #11277 from strongjz/chart-1.10.1 (#11314)
+* release helm chart from release branch (#11278)
+* update post submit helm ci and clean up (#11221)
+* refactor helm ci tests part I (#11188)
+* Update Ingress-Nginx version controller-v1.10.2
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.1...helm-chart-4.10.2

charts/ingress-nginx/changelog/helm-chart-4.10.3.md

@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.10.3
+
+* Update Ingress-Nginx version controller-v1.10.3
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.2...helm-chart-4.10.3

charts/ingress-nginx/changelog/helm-chart-4.10.4.md

@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.10.4
+
+* Update Ingress-Nginx version controller-v1.10.4
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.3...helm-chart-4.10.4

charts/ingress-nginx/changelog/helm-chart-4.11.0.md

@@ -0,0 +1,18 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.11.0
+
+* Chores: Align security contacts & chart maintainers to actual owners. (#11465)
+* Merge pull request #11277 from strongjz/chart-1.10.1 (#11415)
+* Fix helm install on cloud provider admonition block (#11394)
+* edited helm-install tips (#11393)
+* added info for aws helm install (#11390)
+* add workflow to helm release and update ct for branch (#11378)
+* release helm chart from release branch (#11276)
+* update post submit helm ci and clean up (#11220)
+* refactor helm ci tests part I (#11178)
+* Update Ingress-Nginx version controller-v1.11.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.2...helm-chart-4.11.0

charts/ingress-nginx/changelog/helm-chart-4.11.1.md

@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.11.1
+
+* Update Ingress-Nginx version controller-v1.11.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.0...helm-chart-4.11.1

charts/ingress-nginx/changelog/helm-chart-4.11.2.md

@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.11.2
+
+* Update Ingress-Nginx version controller-v1.11.2
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.1...helm-chart-4.11.2

charts/ingress-nginx/changelog/helm-chart-4.7.0.md

@@ -6,7 +6,7 @@ This file documents all notable changes to [ingress-nginx](https://github.com/ku
 
 * helm: Fix opentelemetry module installation for daemonset (#9792)
 * Update charts/* to keep project name display aligned (#9931)
-* HPA: Use capabilites & align manifests. (#9521)
+* HPA: Use capabilities & align manifests. (#9521)
 * PodDisruptionBudget spec logic update (#9904)
 * add option for annotations in PodDisruptionBudget (#9843)
 * Update Ingress-Nginx version controller-v1.8.0

charts/ingress-nginx/ci/admission-webhooks-cert-manager-values.yaml

@@ -1,10 +1,12 @@
 controller:
-  kind: DaemonSet
   image:
     repository: ingress-controller/controller
     tag: 1.0.0-dev
     digest: null
-  admissionWebhooks:
+
-    enabled: false
   service:
     type: ClusterIP
+
+  admissionWebhooks:
+    certManager:
+      enabled: true

charts/ingress-nginx/ci/controller-admission-tls-cert-manager-values.yaml

@@ -1,6 +0,0 @@
-controller:
-  admissionWebhooks:
-    certManager:
-      enabled: true
-  service:
-    type: ClusterIP

charts/ingress-nginx/ci/controller-configmap-addheaders-values.yaml

@@ -1,8 +1,11 @@
-# Left blank to test default values
 controller:
   image:
     repository: ingress-controller/controller
     tag: 1.0.0-dev
     digest: null
+
   service:
     type: ClusterIP
+
+  addHeaders:
+    X-Frame-Options: deny

charts/ingress-nginx/ci/controller-configmap-proxyheaders-values.yaml

@@ -0,0 +1,11 @@
+controller:
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
+
+  service:
+    type: ClusterIP
+
+  proxySetHeaders:
+    X-Forwarded-Proto: https

charts/ingress-nginx/ci/controller-configmap-values.yaml

@@ -0,0 +1,11 @@
+controller:
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
+
+  service:
+    type: ClusterIP
+
+  config:
+    use-proxy-protocol: "true"

charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml

@@ -1,7 +0,0 @@
-controller:
-  watchIngressWithoutClass: true
-  ingressClassResource:
-    name: custom-nginx
-    enabled: true
-    default: true
-    controllerValue: "k8s.io/custom-nginx"

charts/ingress-nginx/ci/controller-daemonset-metrics-values.yaml

@@ -1,10 +1,13 @@
 controller:
-  kind: DaemonSet
   image:
     repository: ingress-controller/controller
     tag: 1.0.0-dev
     digest: null
-  admissionWebhooks:
+
-    enabled: true
   service:
     type: ClusterIP
+
+  kind: DaemonSet
+
+  metrics:
+    enabled: true

charts/ingress-nginx/ci/controller-daemonset-podannotations-values.yaml

@@ -1,17 +1,16 @@
 controller:
-  kind: DaemonSet
   image:
     repository: ingress-controller/controller
     tag: 1.0.0-dev
     digest: null
-  admissionWebhooks:
+
-    enabled: false
-  metrics:
-    enabled: true
   service:
     type: ClusterIP
+
+  kind: DaemonSet
+
   podAnnotations:
-    prometheus.io/path: /metrics
+    prometheus.io/scrape: "true"
     prometheus.io/port: "10254"
     prometheus.io/scheme: http
-    prometheus.io/scrape: "true"
+    prometheus.io/path: /metrics

charts/ingress-nginx/ci/controller-daemonset-values.yaml

@@ -3,8 +3,8 @@ controller:
     repository: ingress-controller/controller
     tag: 1.0.0-dev
     digest: null
+
   service:
     type: ClusterIP
 
-podSecurityPolicy:
+  kind: DaemonSet
-  enabled: true

charts/ingress-nginx/ci/controller-deployment-metrics-values.yaml

@@ -3,7 +3,11 @@ controller:
     repository: ingress-controller/controller
     tag: 1.0.0-dev
     digest: null
-  admissionWebhooks:
+
-    enabled: true
   service:
     type: ClusterIP
+
+  kind: Deployment
+
+  metrics:
+    enabled: true

charts/ingress-nginx/ci/controller-deployment-podannotations-values.yaml

@@ -3,14 +3,14 @@ controller:
     repository: ingress-controller/controller
     tag: 1.0.0-dev
     digest: null
-  admissionWebhooks:
+
-    enabled: false
-  metrics:
-    enabled: true
   service:
     type: ClusterIP
+
+  kind: Deployment
+
   podAnnotations:
-    prometheus.io/path: /metrics
+    prometheus.io/scrape: "true"
     prometheus.io/port: "10254"
     prometheus.io/scheme: http
-    prometheus.io/scrape: "true"
+    prometheus.io/path: /metrics

charts/ingress-nginx/ci/controller-deployment-values.yaml

@@ -3,7 +3,8 @@ controller:
     repository: ingress-controller/controller
     tag: 1.0.0-dev
     digest: null
+
   service:
     type: ClusterIP
-  opentelemetry:
+
-    enabled: true
+  kind: Deployment

charts/ingress-nginx/ci/controller-hpa-values.yaml

@@ -1,4 +1,12 @@
 controller:
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
+
+  service:
+    type: ClusterIP
+
   autoscaling:
     enabled: true
     behavior:
@@ -8,7 +16,3 @@ controller:
         - type: Pods
           value: 1
           periodSeconds: 180
-  admissionWebhooks:
-    enabled: false
-  service:
-    type: ClusterIP

charts/ingress-nginx/ci/controller-ingressclass-values.yaml

@@ -0,0 +1,15 @@
+controller:
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
+
+  service:
+    type: ClusterIP
+
+  ingressClassResource:
+    name: custom-nginx
+    default: true
+    controllerValue: k8s.io/custom-nginx
+
+  watchIngressWithoutClass: true

charts/ingress-nginx/ci/controller-service-internal-values.yaml

@@ -1,13 +1,12 @@
 controller:
-  kind: DaemonSet
   image:
     repository: ingress-controller/controller
     tag: 1.0.0-dev
     digest: null
-  admissionWebhooks:
+
-    enabled: false
   service:
     type: ClusterIP
+
     internal:
       enabled: true
       annotations:

charts/ingress-nginx/ci/controller-service-values.yaml

@@ -3,18 +3,20 @@ controller:
     repository: ingress-controller/controller
     tag: 1.0.0-dev
     digest: null
-  admissionWebhooks:
+
-    enabled: false
   service:
     type: NodePort
+
     nodePorts:
       tcp:
         9000: 30090
       udp:
         9001: 30091
 
+portNamePrefix: port
+
 tcp:
-  9000: "default/test:8080"
+  9000: default/test:8080
 
 udp:
-  9001: "default/test:8080"
+  9001: default/test:8080

charts/ingress-nginx/ci/daemonset-customconfig-values.yaml

@@ -1,14 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  kind: DaemonSet
-  allowSnippetAnnotations: false
-  admissionWebhooks:
-    enabled: false
-  service:
-    type: ClusterIP
-
-  config:
-    use-proxy-protocol: "true"

charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml

@@ -1,22 +0,0 @@
-controller:
-  kind: DaemonSet
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: false
-
-  service:
-    type: NodePort
-    nodePorts:
-      tcp:
-        9000: 30090
-      udp:
-        9001: 30091
-
-tcp:
-  9000: "default/test:8080"
-
-udp:
-  9001: "default/test:8080"

charts/ingress-nginx/ci/daemonset-extra-modules.yaml

@@ -1,13 +0,0 @@
-controller:
-  kind: DaemonSet
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-  service:
-    type: ClusterIP
-  extraModules:
-    - name: opentelemetry
-      image:
-        registry: registry.k8s.io
-        image: busybox
-        tag: latest

charts/ingress-nginx/ci/daemonset-headers-values.yaml

@@ -1,14 +0,0 @@
-controller:
-  kind: DaemonSet
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: false
-  addHeaders:
-    X-Frame-Options: deny
-  proxySetHeaders:
-    X-Forwarded-Proto: https
-  service:
-    type: ClusterIP

charts/ingress-nginx/ci/daemonset-nodeport-values.yaml

@@ -1,10 +0,0 @@
-controller:
-  kind: DaemonSet
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: false
-  service:
-    type: NodePort

charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml

@@ -1,20 +0,0 @@
-controller:
-  kind: DaemonSet
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: false
-  service:
-    type: ClusterIP
-  tcp:
-    configMapNamespace: default
-  udp:
-    configMapNamespace: default
-
-tcp:
-  9000: "default/test:8080"
-
-udp:
-  9001: "default/test:8080"

charts/ingress-nginx/ci/daemonset-tcp-udp-portNamePrefix-values.yaml

@@ -1,18 +0,0 @@
-controller:
-  kind: DaemonSet
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: false
-  service:
-    type: ClusterIP
-
-tcp:
-  9000: "default/test:8080"
-
-udp:
-  9001: "default/test:8080"
-
-portNamePrefix: "port"

charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml

@@ -1,16 +0,0 @@
-controller:
-  kind: DaemonSet
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: false
-  service:
-    type: ClusterIP
-
-tcp:
-  9000: "default/test:8080"
-
-udp:
-  9001: "default/test:8080"

charts/ingress-nginx/ci/daemonset-tcp-values.yaml

@@ -1,14 +0,0 @@
-controller:
-  kind: DaemonSet
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: false
-  service:
-    type: ClusterIP
-
-tcp:
-  9000: "default/test:8080"
-  9001: "default/test:8080"

charts/ingress-nginx/ci/deamonset-metrics-values.yaml

@@ -1,12 +0,0 @@
-controller:
-  kind: DaemonSet
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: false
-  metrics:
-    enabled: true
-  service:
-    type: ClusterIP

charts/ingress-nginx/ci/deamonset-psp-values.yaml

@@ -1,13 +0,0 @@
-controller:
-  kind: DaemonSet
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: false
-  service:
-    type: ClusterIP
-
-podSecurityPolicy:
-  enabled: true

charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml

@@ -1,13 +0,0 @@
-controller:
-  kind: DaemonSet
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: true
-  service:
-    type: ClusterIP
-
-podSecurityPolicy:
-  enabled: true

charts/ingress-nginx/ci/deployment-autoscaling-values.yaml

@@ -1,11 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  autoscaling:
-    enabled: true
-  admissionWebhooks:
-    enabled: false
-  service:
-    type: ClusterIP

charts/ingress-nginx/ci/deployment-customconfig-values.yaml

@@ -1,12 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  config:
-    use-proxy-protocol: "true"
-  allowSnippetAnnotations: false
-  admissionWebhooks:
-    enabled: false
-  service:
-    type: ClusterIP

charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml

@@ -1,15 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  service:
-    type: ClusterIP
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-  extraModules:
-    - name: opentelemetry
-      image:
-        registry: registry.k8s.io
-        image: busybox
-        tag: latest

charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml

@@ -1,15 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  service:
-    type: ClusterIP
-  extraModules:
-    - name: opentelemetry
-      image:
-        registry: registry.k8s.io
-        image: busybox
-        tag: latest
-      containerSecurityContext:
-        allowPrivilegeEscalation: false

charts/ingress-nginx/ci/deployment-extra-modules.yaml

@@ -1,13 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  service:
-    type: ClusterIP
-  extraModules:
-    - name: opentelemetry
-      image:
-        registry: registry.k8s.io
-        image: busybox
-        tag: latest

charts/ingress-nginx/ci/deployment-headers-values.yaml

@@ -1,13 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: false
-  addHeaders:
-    X-Frame-Options: deny
-  proxySetHeaders:
-    X-Forwarded-Proto: https
-  service:
-    type: ClusterIP

charts/ingress-nginx/ci/deployment-internal-lb-values.yaml

@@ -1,19 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: false
-  service:
-    type: ClusterIP
-    internal:
-      enabled: true
-      annotations:
-        service.beta.kubernetes.io/aws-load-balancer-internal: "true"
-      ports:
-        http: 443
-        https: 80
-      targetPorts:
-        http: 443
-        https: 80

charts/ingress-nginx/ci/deployment-metrics-values.yaml

@@ -1,11 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: false
-  metrics:
-    enabled: true
-  service:
-    type: ClusterIP

charts/ingress-nginx/ci/deployment-nodeport-values.yaml

@@ -1,9 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: false
-  service:
-    type: NodePort

charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml

@@ -1,19 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: false
-  service:
-    type: ClusterIP
-  tcp:
-    configMapNamespace: default
-  udp:
-    configMapNamespace: default
-
-tcp:
-  9000: "default/test:8080"
-
-udp:
-  9001: "default/test:8080"

charts/ingress-nginx/ci/deployment-tcp-udp-portNamePrefix-values.yaml

@@ -1,17 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: false
-  service:
-    type: ClusterIP
-
-tcp:
-  9000: "default/test:8080"
-
-udp:
-  9001: "default/test:8080"
-
-portNamePrefix: "port"

charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml

@@ -1,15 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: false
-  service:
-    type: ClusterIP
-
-tcp:
-  9000: "default/test:8080"
-
-udp:
-  9001: "default/test:8080"

charts/ingress-nginx/ci/deployment-tcp-values.yaml

@@ -1,11 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  service:
-    type: ClusterIP
-
-tcp:
-  9000: "default/test:8080"
-  9001: "default/test:8080"

charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml

@@ -1,12 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: true
-  service:
-    type: ClusterIP
-
-podSecurityPolicy:
-  enabled: true

charts/ingress-nginx/ci/deployment-webhook-extraEnvs-values.yaml

@@ -1,12 +0,0 @@
-controller:
-  service:
-    type: ClusterIP
-  admissionWebhooks:
-    enabled: true
-    extraEnvs:
-      - name: FOO
-        value: foo
-      - name: TEST
-        value: test
-    patch:
-      enabled: true

charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml

@@ -1,23 +0,0 @@
-controller:
-  service:
-    type: ClusterIP
-  admissionWebhooks:
-    enabled: true
-    createSecretJob:
-      resources:
-        limits:
-          cpu: 10m
-          memory: 20Mi
-        requests:
-          cpu: 10m
-          memory: 20Mi
-    patchWebhookJob:
-      resources:
-        limits:
-          cpu: 10m
-          memory: 20Mi
-        requests:
-          cpu: 10m
-          memory: 20Mi
-    patch:
-      enabled: true

charts/ingress-nginx/templates/_helpers.tpl

@@ -47,6 +47,7 @@ Controller container security context.
 {{- else -}}
 runAsNonRoot: {{ .Values.controller.image.runAsNonRoot }}
 runAsUser: {{ .Values.controller.image.runAsUser }}
+runAsGroup: {{ .Values.controller.image.runAsGroup }}
 allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }}
 {{- if .Values.controller.image.seccompProfile }}
 seccompProfile: {{ toYaml .Values.controller.image.seccompProfile | nindent 2 }}
@@ -167,6 +168,17 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.controller.admissionWebhooks.name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Create the name of the admission webhook patch job service account to use
+*/}}
+{{- define "ingress-nginx.admissionWebhooks.patch.serviceAccountName" -}}
+{{- if .Values.controller.admissionWebhooks.patch.serviceAccount.create -}}
+    {{ default (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.patch.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.controller.admissionWebhooks.patch.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Create a default fully qualified admission webhook secret creation job name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
@@ -192,7 +204,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- end -}}
 
 {{/*
-Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
+Create the name of the default backend service account to use
 */}}
 {{- define "ingress-nginx.defaultBackend.serviceAccountName" -}}
 {{- if .Values.defaultBackend.serviceAccount.create -}}
@@ -211,6 +223,7 @@ Default backend container security context.
 {{- else -}}
 runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
 runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
+runAsGroup: {{ .Values.defaultBackend.image.runAsGroup }}
 allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
 {{- if .Values.defaultBackend.image.seccompProfile }}
 seccompProfile: {{ toYaml .Values.defaultBackend.image.seccompProfile | nindent 2 }}
@@ -222,26 +235,6 @@ readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem }
 {{- end -}}
 {{- end -}}
 
-{{/*
-Return the appropriate apiGroup for PodSecurityPolicy.
-*/}}
-{{- define "podSecurityPolicy.apiGroup" -}}
-{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
-{{- print "policy" -}}
-{{- else -}}
-{{- print "extensions" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Check the ingress controller version tag is at most three versions behind the last release
-*/}}
-{{- define "isControllerTagValid" -}}
-{{- if not (semverCompare ">=0.27.0-0" .Values.controller.image.tag) -}}
-{{- fail "Controller container image tag should be 0.27.0 or higher" -}}
-{{- end -}}
-{{- end -}}
-
 {{/*
 Extra modules.
 */}}

charts/ingress-nginx/templates/_params.tpl

@@ -1,7 +1,7 @@
 {{- define "ingress-nginx.params" -}}
 - /nginx-ingress-controller
-{{- if .Values.controller.enableAnnotationValidations }}
+{{- if not .Values.controller.enableAnnotationValidations }}
-- --enable-annotation-validation=true
+- --enable-annotation-validation=false
 {{- end }}
 {{- if .Values.defaultBackend.enabled }}
 - --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }}
@@ -54,7 +54,7 @@
 {{- if .Values.controller.watchIngressWithoutClass }}
 - --watch-ingress-without-class=true
 {{- end }}
-{{- if not .Values.controller.metrics.enabled }}
+{{- if .Values.controller.metrics.enabled }}
 - --enable-metrics={{ .Values.controller.metrics.enabled }}
 {{- end }}
 {{- if .Values.controller.enableTopologyAwareRouting }}