Merge branch 'master' into add-sticky-path

2017-09-01 09:10:46 +08:00 · 2017-09-01 09:10:46 +08:00 · a5df624a47
commit a5df624a47
parent df4082256a cda42f93c7
37 changed files with 756 additions and 301 deletions
--- a/controllers/nginx/Changelog.md
+++ b/controllers/nginx/Changelog.md
@ -1,5 +1,165 @@
 Changelog

+Changelog
+
+### 0.9-beta.12
+
+**Image:**  `gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12`
+
+*Breaking changes:*
+
+- SSL passthrough is disabled by default. To enable the feature use `--enable-ssl-passthrough`
+
+*New Features:*
+
+- Support for arm64
+- New flags to customize listen ports
+- Per minute rate limiting
+- Rate limit whitelist
+- Configuration of nginx worker timeout (to avoid zombie nginx workers processes)
+- Redirects from non-www to www
+- Custom default backend (per Ingress)
+- Graceful shutdown for NGINX
+
+*Changes:*
+
+- [X] [#977](https://github.com/kubernetes/ingress/pull/977) Add sort-backends command line option
+- [X] [#981](https://github.com/kubernetes/ingress/pull/981) Add annotation to allow use of service ClusterIP for NGINX upstream.
+- [X] [#991](https://github.com/kubernetes/ingress/pull/991) Remove secret sync loop
+- [X] [#992](https://github.com/kubernetes/ingress/pull/992) Check errors generating pem files
+- [X] [#993](https://github.com/kubernetes/ingress/pull/993) Fix the sed command to work on macOS
+- [X] [#1013](https://github.com/kubernetes/ingress/pull/1013) The fields of vtsDate are unified in the form of plural
+- [X] [#1025](https://github.com/kubernetes/ingress/pull/1025) Fix file watch
+- [X] [#1027](https://github.com/kubernetes/ingress/pull/1027) Lint code
+- [X] [#1031](https://github.com/kubernetes/ingress/pull/1031) Change missing secret name log level to V(3)
+- [X] [#1032](https://github.com/kubernetes/ingress/pull/1032) Alternative syncSecret approach #1030
+- [X] [#1042](https://github.com/kubernetes/ingress/pull/1042) Add function to allow custom values in Ingress status
+- [X] [#1043](https://github.com/kubernetes/ingress/pull/1043) Return reference to object providing Endpoint
+- [X] [#1046](https://github.com/kubernetes/ingress/pull/1046) Add field FileSHA in BasicDigest struct
+- [X] [#1058](https://github.com/kubernetes/ingress/pull/1058) add per minute rate limiting
+- [X] [#1060](https://github.com/kubernetes/ingress/pull/1060) Update fsnotify dependency to fix arm64 issue
+- [X] [#1065](https://github.com/kubernetes/ingress/pull/1065) Add more descriptive steps in Dev Documentation
+- [X] [#1073](https://github.com/kubernetes/ingress/pull/1073) Release nginx-slim 0.22
+- [X] [#1074](https://github.com/kubernetes/ingress/pull/1074) Remove lua and use fastcgi to render errors
+- [X] [#1075](https://github.com/kubernetes/ingress/pull/1075) (feat/ #374) support proxy timeout
+- [X] [#1076](https://github.com/kubernetes/ingress/pull/1076) Add more ssl test cases
+- [X] [#1078](https://github.com/kubernetes/ingress/pull/1078) fix the same udp port and tcp port, update nginx.conf error
+- [X] [#1080](https://github.com/kubernetes/ingress/pull/1080) Disable platform s390x
+- [X] [#1081](https://github.com/kubernetes/ingress/pull/1081) Spit Static check and Coverage in diff Stages of Travis CI
+- [X] [#1082](https://github.com/kubernetes/ingress/pull/1082) Fix build tasks
+- [X] [#1087](https://github.com/kubernetes/ingress/pull/1087) Release nginx-slim 0.23
+- [X] [#1088](https://github.com/kubernetes/ingress/pull/1088) Configure nginx worker timeout
+- [X] [#1089](https://github.com/kubernetes/ingress/pull/1089) Update nginx to 1.13.4
+- [X] [#1098](https://github.com/kubernetes/ingress/pull/1098) Exposing the event recorder to allow other controllers to create events
+- [X] [#1102](https://github.com/kubernetes/ingress/pull/1102) Fix lose SSL Passthrough
+- [X] [#1104](https://github.com/kubernetes/ingress/pull/1104) Simplify verification of hostname in ssl certificates
+- [X] [#1109](https://github.com/kubernetes/ingress/pull/1109) Cleanup remote address in nginx template
+- [X] [#1110](https://github.com/kubernetes/ingress/pull/1110) Fix Endpoint comparison
+- [X] [#1118](https://github.com/kubernetes/ingress/pull/1118) feat(#733)Support nginx bandwidth control
+- [X] [#1124](https://github.com/kubernetes/ingress/pull/1124) check fields len in dns.go
+- [X] [#1130](https://github.com/kubernetes/ingress/pull/1130) Update nginx.go
+- [X] [#1134](https://github.com/kubernetes/ingress/pull/1134) replace deprecated interface with versioned ones
+- [X] [#1136](https://github.com/kubernetes/ingress/pull/1136) Fix status update - changed in #1074
+- [X] [#1138](https://github.com/kubernetes/ingress/pull/1138) update nginx.go: preformance improve
+- [X] [#1139](https://github.com/kubernetes/ingress/pull/1139) Fix Todo:convert sequence to table
+- [X] [#1162](https://github.com/kubernetes/ingress/pull/1162) Optimize CI build time
+- [X] [#1164](https://github.com/kubernetes/ingress/pull/1164) Use variable request_uri as redirect after auth
+- [X] [#1179](https://github.com/kubernetes/ingress/pull/1179) Fix sticky upstream not used when enable rewrite
+- [X] [#1184](https://github.com/kubernetes/ingress/pull/1184) Add support for temporal and permanent redirects
+- [X] [#1185](https://github.com/kubernetes/ingress/pull/1185) Add more info about Server-Alias usage
+- [X] [#1186](https://github.com/kubernetes/ingress/pull/1186) Add annotation for client-body-buffer-size per location
+- [X] [#1190](https://github.com/kubernetes/ingress/pull/1190) Add flag to disable SSL passthrough
+- [X] [#1193](https://github.com/kubernetes/ingress/pull/1193) fix broken link
+- [X] [#1198](https://github.com/kubernetes/ingress/pull/1198) Add option for specific scheme for base url
+- [X] [#1202](https://github.com/kubernetes/ingress/pull/1202) formatIP issue
+- [X] [#1203](https://github.com/kubernetes/ingress/pull/1203) NGINX not reloading correctly
+- [X] [#1204](https://github.com/kubernetes/ingress/pull/1204) Fix template error
+- [X] [#1205](https://github.com/kubernetes/ingress/pull/1205) Add initial sync of secrets
+- [X] [#1206](https://github.com/kubernetes/ingress/pull/1206) Update ssl-passthrough docs
+- [X] [#1207](https://github.com/kubernetes/ingress/pull/1207) delete broken link
+- [X] [#1208](https://github.com/kubernetes/ingress/pull/1208) fix some typo
+- [X] [#1210](https://github.com/kubernetes/ingress/pull/1210) add rate limit whitelist
+- [X] [#1215](https://github.com/kubernetes/ingress/pull/1215) Replace base64 encoding with random uuid
+- [X] [#1218](https://github.com/kubernetes/ingress/pull/1218) Trivial fixes in core/pkg/net
+- [X] [#1219](https://github.com/kubernetes/ingress/pull/1219) keep zones unique per ingress resource
+- [X] [#1221](https://github.com/kubernetes/ingress/pull/1221) Move certificate authentication from location to server
+- [X] [#1223](https://github.com/kubernetes/ingress/pull/1223) Add doc for non-www to www annotation
+- [X] [#1224](https://github.com/kubernetes/ingress/pull/1224) refactor rate limit whitelist
+- [X] [#1226](https://github.com/kubernetes/ingress/pull/1226) Remove useless variable in nginx.tmpl
+- [X] [#1227](https://github.com/kubernetes/ingress/pull/1227) Update annotations doc with base-url-scheme
+- [X] [#1233](https://github.com/kubernetes/ingress/pull/1233) Fix ClientBodyBufferSize annotation
+- [X] [#1234](https://github.com/kubernetes/ingress/pull/1234) Lint code
+- [X] [#1235](https://github.com/kubernetes/ingress/pull/1235) Fix Equal comparison
+- [X] [#1236](https://github.com/kubernetes/ingress/pull/1236) Add Validation for Client Body Buffer Size
+- [X] [#1238](https://github.com/kubernetes/ingress/pull/1238) Add support for 'client_body_timeout' and 'client_header_timeout'
+- [X] [#1239](https://github.com/kubernetes/ingress/pull/1239) Add flags to customize listen ports and detect port collisions
+- [X] [#1243](https://github.com/kubernetes/ingress/pull/1243) Add support for access-log-path and error-log-path
+- [X] [#1244](https://github.com/kubernetes/ingress/pull/1244) Add custom default backend annotation
+- [X] [#1246](https://github.com/kubernetes/ingress/pull/1246) Add additional headers when custom default backend is used
+- [X] [#1247](https://github.com/kubernetes/ingress/pull/1247) Make Ingress annotations available in template
+- [X] [#1248](https://github.com/kubernetes/ingress/pull/1248) Improve nginx controller performance
+- [X] [#1254](https://github.com/kubernetes/ingress/pull/1254) fix Type transform panic
+- [X] [#1257](https://github.com/kubernetes/ingress/pull/1257) Graceful shutdown for Nginx
+- [X] [#1261](https://github.com/kubernetes/ingress/pull/1261) Add support for 'worker-shutdown-timeout'
+
+
+*Documentation:*
+
+- [X] [#976](https://github.com/kubernetes/ingress/pull/976) Update annotations doc
+- [X] [#979](https://github.com/kubernetes/ingress/pull/979) Missing auth example
+- [X] [#980](https://github.com/kubernetes/ingress/pull/980) Add nginx basic auth example
+- [X] [#1001](https://github.com/kubernetes/ingress/pull/1001) examples/nginx/rbac: Give access to own namespace
+- [X] [#1005](https://github.com/kubernetes/ingress/pull/1005) Update configuration.md
+- [X] [#1018](https://github.com/kubernetes/ingress/pull/1018) add docs for `proxy-set-headers` and `add-headers`
+- [X] [#1038](https://github.com/kubernetes/ingress/pull/1038) typo / spelling in README.md
+- [X] [#1039](https://github.com/kubernetes/ingress/pull/1039) typo in examples/tcp/nginx/README.md
+- [X] [#1049](https://github.com/kubernetes/ingress/pull/1049) Fix config name in the example.
+- [X] [#1054](https://github.com/kubernetes/ingress/pull/1054) Fix link to UDP example
+- [X] [#1084](https://github.com/kubernetes/ingress/pull/1084) (issue #310)Fix some broken link
+- [X] [#1103](https://github.com/kubernetes/ingress/pull/1103) Add GoDoc Widget
+- [X] [#1105](https://github.com/kubernetes/ingress/pull/1105) Make Readme file more readable
+- [X] [#1106](https://github.com/kubernetes/ingress/pull/1106) Update annotations.md
+- [X] [#1107](https://github.com/kubernetes/ingress/pull/1107) Fix Broken Link
+- [X] [#1119](https://github.com/kubernetes/ingress/pull/1119) fix typos in controllers/nginx/README.md
+- [X] [#1122](https://github.com/kubernetes/ingress/pull/1122) Fix broken link
+- [X] [#1131](https://github.com/kubernetes/ingress/pull/1131) Add short help doc in configuration for nginx limit rate
+- [X] [#1143](https://github.com/kubernetes/ingress/pull/1143) Minor Typo Fix
+- [X] [#1144](https://github.com/kubernetes/ingress/pull/1144) Minor Typo fix
+- [X] [#1145](https://github.com/kubernetes/ingress/pull/1145) Minor Typo fix
+- [X] [#1146](https://github.com/kubernetes/ingress/pull/1146) Fix Minor Typo in Readme
+- [X] [#1147](https://github.com/kubernetes/ingress/pull/1147) Minor Typo Fix
+- [X] [#1148](https://github.com/kubernetes/ingress/pull/1148) Minor Typo Fix in Getting-Started.md
+- [X] [#1149](https://github.com/kubernetes/ingress/pull/1149) Fix Minor Typo in TLS authentication
+- [X] [#1150](https://github.com/kubernetes/ingress/pull/1150) Fix Minor Typo in Customize the HAProxy configuration
+- [X] [#1151](https://github.com/kubernetes/ingress/pull/1151) Fix Minor Typo in customization custom-template
+- [X] [#1152](https://github.com/kubernetes/ingress/pull/1152) Fix minor typo in HAProxy Multi TLS certificate termination
+- [X] [#1153](https://github.com/kubernetes/ingress/pull/1153) Fix minor typo in Multi TLS certificate termination
+- [X] [#1154](https://github.com/kubernetes/ingress/pull/1154) Fix minor typo in Role Based Access Control
+- [X] [#1155](https://github.com/kubernetes/ingress/pull/1155) Fix minor typo in TCP loadbalancing
+- [X] [#1156](https://github.com/kubernetes/ingress/pull/1156) Fix minor typo in UDP loadbalancing
+- [X] [#1157](https://github.com/kubernetes/ingress/pull/1157) Fix minor typos in Prerequisites
+- [X] [#1158](https://github.com/kubernetes/ingress/pull/1158) Fix minor typo in Ingress examples
+- [X] [#1159](https://github.com/kubernetes/ingress/pull/1159) Fix minor typos in Ingress admin guide
+- [X] [#1160](https://github.com/kubernetes/ingress/pull/1160) Fix a broken href and typo in Ingress FAQ
+- [X] [#1165](https://github.com/kubernetes/ingress/pull/1165) Update CONTRIBUTING.md
+- [X] [#1168](https://github.com/kubernetes/ingress/pull/1168) finx link to running-locally.md
+- [X] [#1170](https://github.com/kubernetes/ingress/pull/1170) Update dead link in nginx/HTTPS section
+- [X] [#1172](https://github.com/kubernetes/ingress/pull/1172) Update README.md
+- [X] [#1173](https://github.com/kubernetes/ingress/pull/1173) Update admin.md
+- [X] [#1174](https://github.com/kubernetes/ingress/pull/1174) fix several titles
+- [X] [#1177](https://github.com/kubernetes/ingress/pull/1177) fix typos
+- [X] [#1188](https://github.com/kubernetes/ingress/pull/1188) Fix minor typo
+- [X] [#1189](https://github.com/kubernetes/ingress/pull/1189) Fix sign in URL redirect parameter
+- [X] [#1192](https://github.com/kubernetes/ingress/pull/1192) Update README.md
+- [X] [#1195](https://github.com/kubernetes/ingress/pull/1195) Update troubleshooting.md
+- [X] [#1196](https://github.com/kubernetes/ingress/pull/1196) Update README.md
+- [X] [#1209](https://github.com/kubernetes/ingress/pull/1209) Update README.md
+- [X] [#1085](https://github.com/kubernetes/ingress/pull/1085) Fix ConfigMap's namespace in custom configuration example for nginx
+- [X] [#1142](https://github.com/kubernetes/ingress/pull/1142) Fix typo in multiple docs
+- [X] [#1228](https://github.com/kubernetes/ingress/pull/1228) Update release doc in getting-started.md
+- [X] [#1230](https://github.com/kubernetes/ingress/pull/1230) Update godep guide link
+
+
 ### 0.9-beta.11

 **Image:**  `gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11`
@ -111,7 +271,7 @@ Fix release 0.9-beta.9
 - [X] [#829](https://github.com/kubernetes/ingress/pull/829) feat(template): wrap IPv6 addresses in []
 - [X] [#786](https://github.com/kubernetes/ingress/pull/786) Update echoserver image version in examples
 - [X] [#825](https://github.com/kubernetes/ingress/pull/825) Create or delete ingress based on class annotation
- [X] [#790](https://github.com/kubernetes/ingress/pull/790) #789 removing duplicate X-Real-IP header 
+- [X] [#790](https://github.com/kubernetes/ingress/pull/790) #789 removing duplicate X-Real-IP header
 - [X] [#792](https://github.com/kubernetes/ingress/pull/792) Avoid checking if the controllers are synced
 - [X] [#798](https://github.com/kubernetes/ingress/pull/798) nginx: RBAC for leader election
 - [X] [#799](https://github.com/kubernetes/ingress/pull/799) could not build variables_hash
@ -134,7 +294,7 @@ Fix release 0.9-beta.9

 *Changes:*

- [X] [#777](https://github.com/kubernetes/ingress/pull/777) Update sniff parser to fix index out of bound error 
+- [X] [#777](https://github.com/kubernetes/ingress/pull/777) Update sniff parser to fix index out of bound error

 ### 0.9-beta.6

@ -191,8 +351,8 @@ Fix release 0.9-beta.9

 - [X] [#663](https://github.com/kubernetes/ingress/pull/663) Remove helper required in go < 1.8
 - [X] [#662](https://github.com/kubernetes/ingress/pull/662) Add debug information about ingress class
- [X] [#661](https://github.com/kubernetes/ingress/pull/661) Avoid running nginx if the configuration file is empty  
- [X] [#660](https://github.com/kubernetes/ingress/pull/660) Rollback queue refactoring  
+- [X] [#661](https://github.com/kubernetes/ingress/pull/661) Avoid running nginx if the configuration file is empty
+- [X] [#660](https://github.com/kubernetes/ingress/pull/660) Rollback queue refactoring
 - [X] [#654](https://github.com/kubernetes/ingress/pull/654) Update go version to 1.8


@ -222,13 +382,13 @@ Fix release 0.9-beta.9
 - [X] [#595](https://github.com/kubernetes/ingress/pull/595) Remove Host header from auth_request proxy configuration
 - [X] [#588](https://github.com/kubernetes/ingress/pull/588) Read resolv.conf file just once
 - [X] [#586](https://github.com/kubernetes/ingress/pull/586) Updated instructions to create an ingress controller build
- [X] [#583](https://github.com/kubernetes/ingress/pull/583) fixed lua_package_path in nginx.tmpl 
+- [X] [#583](https://github.com/kubernetes/ingress/pull/583) fixed lua_package_path in nginx.tmpl
 - [X] [#580](https://github.com/kubernetes/ingress/pull/580) Updated faq for running multiple ingress controller
 - [X] [#579](https://github.com/kubernetes/ingress/pull/579) Detect if the ingress controller is running with multiple replicas
 - [X] [#578](https://github.com/kubernetes/ingress/pull/578) Set different listeners per protocol version
 - [X] [#577](https://github.com/kubernetes/ingress/pull/577) Avoid zombie child processes
 - [X] [#576](https://github.com/kubernetes/ingress/pull/576) Replace secret workqueue
- [X] [#568](https://github.com/kubernetes/ingress/pull/568) Revert merge annotations to the implicit root context 
+- [X] [#568](https://github.com/kubernetes/ingress/pull/568) Revert merge annotations to the implicit root context
 - [X] [#563](https://github.com/kubernetes/ingress/pull/563) Add option to disable hsts preload
 - [X] [#560](https://github.com/kubernetes/ingress/pull/560) Fix intermittent misconfiguration of backend.secure and SessionAffinity
 - [X] [#556](https://github.com/kubernetes/ingress/pull/556) Update nginx version and remove dumb-init
@ -252,7 +412,7 @@ Fix release 0.9-beta.9
 - [X] [#512](https://github.com/kubernetes/ingress/pull/512) Fix typos regarding the ssl-passthrough annotation documentation
 - [X] [#505](https://github.com/kubernetes/ingress/pull/505) add unit test cases for core/pkg/ingress/controller/annotations
 - [X] [#503](https://github.com/kubernetes/ingress/pull/503) Add example for nginx in aws
- [X] [#502](https://github.com/kubernetes/ingress/pull/502) Add information about SSL Passthrough annotation 
+- [X] [#502](https://github.com/kubernetes/ingress/pull/502) Add information about SSL Passthrough annotation
 - [X] [#500](https://github.com/kubernetes/ingress/pull/500) Improve TLS secret configuration
 - [X] [#498](https://github.com/kubernetes/ingress/pull/498) Proper enqueue a secret on the secret queue
 - [X] [#493](https://github.com/kubernetes/ingress/pull/493) Update nginx and vts module
@ -261,7 +421,7 @@ Fix release 0.9-beta.9
 - [X] [#485](https://github.com/kubernetes/ingress/pull/485) Fix typo nginx configMap vts metrics customization
 - [X] [#481](https://github.com/kubernetes/ingress/pull/481) Remove unnecessary quote in nginx log format
 - [X] [#471](https://github.com/kubernetes/ingress/pull/471) prometheus scrape annotations
- [X] [#460](https://github.com/kubernetes/ingress/pull/460) add example of 'run multiple haproxy ingress controllers as a deployment' 
+- [X] [#460](https://github.com/kubernetes/ingress/pull/460) add example of 'run multiple haproxy ingress controllers as a deployment'
 - [X] [#459](https://github.com/kubernetes/ingress/pull/459) Add information about SSL certificates in the default log level
 - [X] [#456](https://github.com/kubernetes/ingress/pull/456) Avoid upstreams with multiple servers with the same port
 - [X] [#454](https://github.com/kubernetes/ingress/pull/454) Pass request port to real server
@ -293,55 +453,55 @@ Fix release 0.9-beta.9

 *Changes:*

- [X] [#433](https://github.com/kubernetes/ingress/pull/433) close over the ingress variable or the last assignment will be used 
- [X] [#424](https://github.com/kubernetes/ingress/pull/424) Manually sync secrets from certificate authentication annotations 
- [X] [#423](https://github.com/kubernetes/ingress/pull/423) Scrap json metrics from nginx vts module when enabled 
- [X] [#418](https://github.com/kubernetes/ingress/pull/418) Only update Ingress status for the configured class     
- [X] [#415](https://github.com/kubernetes/ingress/pull/415) Improve external authentication docs 
- [X] [#410](https://github.com/kubernetes/ingress/pull/410) Add support for "signin url" 
- [X] [#409](https://github.com/kubernetes/ingress/pull/409) Allow custom http2 header sizes 
- [X] [#408](https://github.com/kubernetes/ingress/pull/408) Review docs 
- [X] [#406](https://github.com/kubernetes/ingress/pull/406) Add debug info and fix spelling 
- [X] [#402](https://github.com/kubernetes/ingress/pull/402) allow specifying custom dh param 
+- [X] [#433](https://github.com/kubernetes/ingress/pull/433) close over the ingress variable or the last assignment will be used
+- [X] [#424](https://github.com/kubernetes/ingress/pull/424) Manually sync secrets from certificate authentication annotations
+- [X] [#423](https://github.com/kubernetes/ingress/pull/423) Scrap json metrics from nginx vts module when enabled
+- [X] [#418](https://github.com/kubernetes/ingress/pull/418) Only update Ingress status for the configured class
+- [X] [#415](https://github.com/kubernetes/ingress/pull/415) Improve external authentication docs
+- [X] [#410](https://github.com/kubernetes/ingress/pull/410) Add support for "signin url"
+- [X] [#409](https://github.com/kubernetes/ingress/pull/409) Allow custom http2 header sizes
+- [X] [#408](https://github.com/kubernetes/ingress/pull/408) Review docs
+- [X] [#406](https://github.com/kubernetes/ingress/pull/406) Add debug info and fix spelling
+- [X] [#402](https://github.com/kubernetes/ingress/pull/402) allow specifying custom dh param
 - [X] [#397](https://github.com/kubernetes/ingress/pull/397) Fix external auth
- [X] [#394](https://github.com/kubernetes/ingress/pull/394) Update README.md 
+- [X] [#394](https://github.com/kubernetes/ingress/pull/394) Update README.md
 - [X] [#392](https://github.com/kubernetes/ingress/pull/392) Fix http2 header size
- [X] [#391](https://github.com/kubernetes/ingress/pull/391) remove tmp nginx-diff files 
- [X] [#390](https://github.com/kubernetes/ingress/pull/390) Fix RateLimit comment 
- [X] [#385](https://github.com/kubernetes/ingress/pull/385) add Copyright 
- [X] [#382](https://github.com/kubernetes/ingress/pull/382) Ingress Fake Certificate generation 
- [X] [#380](https://github.com/kubernetes/ingress/pull/380) Fix custom log format 
- [X] [#373](https://github.com/kubernetes/ingress/pull/373) Cleanup 
- [X] [#371](https://github.com/kubernetes/ingress/pull/371) add configuration to disable listening on ipv6 
- [X] [#370](https://github.com/kubernetes/ingress/pull/270) Add documentation for ingress.kubernetes.io/force-ssl-redirect 
- [X] [#369](https://github.com/kubernetes/ingress/pull/369) Minor text fix for "ApiServer" 
+- [X] [#391](https://github.com/kubernetes/ingress/pull/391) remove tmp nginx-diff files
+- [X] [#390](https://github.com/kubernetes/ingress/pull/390) Fix RateLimit comment
+- [X] [#385](https://github.com/kubernetes/ingress/pull/385) add Copyright
+- [X] [#382](https://github.com/kubernetes/ingress/pull/382) Ingress Fake Certificate generation
+- [X] [#380](https://github.com/kubernetes/ingress/pull/380) Fix custom log format
+- [X] [#373](https://github.com/kubernetes/ingress/pull/373) Cleanup
+- [X] [#371](https://github.com/kubernetes/ingress/pull/371) add configuration to disable listening on ipv6
+- [X] [#370](https://github.com/kubernetes/ingress/pull/270) Add documentation for ingress.kubernetes.io/force-ssl-redirect
+- [X] [#369](https://github.com/kubernetes/ingress/pull/369) Minor text fix for "ApiServer"
 - [X] [#367](https://github.com/kubernetes/ingress/pull/367) BuildLogFormatUpstream was always using the default log-format
- [X] [#366](https://github.com/kubernetes/ingress/pull/366) add_judgment 
- [X] [#365](https://github.com/kubernetes/ingress/pull/365) add ForceSSLRedirect ingress annotation 
- [X] [#364](https://github.com/kubernetes/ingress/pull/364) Fix error caused by increasing proxy_buffer_size (#363) 
- [X] [#362](https://github.com/kubernetes/ingress/pull/362) Fix ingress class 
- [X] [#360](https://github.com/kubernetes/ingress/pull/360) add example of 'run multiple nginx ingress controllers as a deployment' 
- [X] [#358](https://github.com/kubernetes/ingress/pull/358) Checks if the TLS secret contains a valid keypair structure 
- [X] [#356](https://github.com/kubernetes/ingress/pull/356) Disable listen only on ipv6 and fix proxy_protocol 
- [X] [#354](https://github.com/kubernetes/ingress/pull/354) add judgment 
- [X] [#352](https://github.com/kubernetes/ingress/pull/352) Add ability to customize upstream and stream log format 
- [X] [#351](https://github.com/kubernetes/ingress/pull/351) Enable custom election id for status sync. 
- [X] [#347](https://github.com/kubernetes/ingress/pull/347) Fix client source IP address 
+- [X] [#366](https://github.com/kubernetes/ingress/pull/366) add_judgment
+- [X] [#365](https://github.com/kubernetes/ingress/pull/365) add ForceSSLRedirect ingress annotation
+- [X] [#364](https://github.com/kubernetes/ingress/pull/364) Fix error caused by increasing proxy_buffer_size (#363)
+- [X] [#362](https://github.com/kubernetes/ingress/pull/362) Fix ingress class
+- [X] [#360](https://github.com/kubernetes/ingress/pull/360) add example of 'run multiple nginx ingress controllers as a deployment'
+- [X] [#358](https://github.com/kubernetes/ingress/pull/358) Checks if the TLS secret contains a valid keypair structure
+- [X] [#356](https://github.com/kubernetes/ingress/pull/356) Disable listen only on ipv6 and fix proxy_protocol
+- [X] [#354](https://github.com/kubernetes/ingress/pull/354) add judgment
+- [X] [#352](https://github.com/kubernetes/ingress/pull/352) Add ability to customize upstream and stream log format
+- [X] [#351](https://github.com/kubernetes/ingress/pull/351) Enable custom election id for status sync.
+- [X] [#347](https://github.com/kubernetes/ingress/pull/347) Fix client source IP address
 - [X] [#345](https://github.com/kubernetes/ingress/pull/345) Fix lint error
- [X] [#344](https://github.com/kubernetes/ingress/pull/344) Refactoring of TCP and UDP services 
- [X] [#343](https://github.com/kubernetes/ingress/pull/343) Fix node lister when --watch-namespace is used 
- [X] [#341](https://github.com/kubernetes/ingress/pull/341) Do not run coverage check in the default target. 
- [X] [#340](https://github.com/kubernetes/ingress/pull/340) Add support for specify proxy cookie path/domain 
- [X] [#337](https://github.com/kubernetes/ingress/pull/337) Fix for formatting error introduced in #304 
- [X] [#335](https://github.com/kubernetes/ingress/pull/335) Fix for vet complaints: 
- [X] [#332](https://github.com/kubernetes/ingress/pull/332) Add annotation to customize nginx configuration 
- [X] [#331](https://github.com/kubernetes/ingress/pull/331) Correct spelling mistake 
- [X] [#328](https://github.com/kubernetes/ingress/pull/328) fix misspell "affinity" in main.go 
- [X] [#326](https://github.com/kubernetes/ingress/pull/326) add nginx daemonset example 
- [X] [#311](https://github.com/kubernetes/ingress/pull/311) Sort stream service ports to avoid extra reloads 
+- [X] [#344](https://github.com/kubernetes/ingress/pull/344) Refactoring of TCP and UDP services
+- [X] [#343](https://github.com/kubernetes/ingress/pull/343) Fix node lister when --watch-namespace is used
+- [X] [#341](https://github.com/kubernetes/ingress/pull/341) Do not run coverage check in the default target.
+- [X] [#340](https://github.com/kubernetes/ingress/pull/340) Add support for specify proxy cookie path/domain
+- [X] [#337](https://github.com/kubernetes/ingress/pull/337) Fix for formatting error introduced in #304
+- [X] [#335](https://github.com/kubernetes/ingress/pull/335) Fix for vet complaints:
+- [X] [#332](https://github.com/kubernetes/ingress/pull/332) Add annotation to customize nginx configuration
+- [X] [#331](https://github.com/kubernetes/ingress/pull/331) Correct spelling mistake
+- [X] [#328](https://github.com/kubernetes/ingress/pull/328) fix misspell "affinity" in main.go
+- [X] [#326](https://github.com/kubernetes/ingress/pull/326) add nginx daemonset example
+- [X] [#311](https://github.com/kubernetes/ingress/pull/311) Sort stream service ports to avoid extra reloads
 - [X] [#307](https://github.com/kubernetes/ingress/pull/307) Add docs for body-size annotation
- [X] [#306](https://github.com/kubernetes/ingress/pull/306) modify nginx readme 
- [X] [#304](https://github.com/kubernetes/ingress/pull/304) change 'buildSSPassthrouthUpstreams' to 'buildSSLPassthroughUpstreams' 
+- [X] [#306](https://github.com/kubernetes/ingress/pull/306) modify nginx readme
+- [X] [#304](https://github.com/kubernetes/ingress/pull/304) change 'buildSSPassthrouthUpstreams' to 'buildSSLPassthroughUpstreams'


 ### 0.9-beta.2
@ -382,9 +542,9 @@ Fix release 0.9-beta.9
 - [X] [#227](https://github.com/kubernetes/ingress/pull/227) proxy_protocol on ssl_passthrough listener
 - [X] [#223](https://github.com/kubernetes/ingress/pull/223) Fix panic if a tempfile cannot be created
 - [X] [#220](https://github.com/kubernetes/ingress/pull/220) Fixes for minikube usage instructions.
- [X] [#219](https://github.com/kubernetes/ingress/pull/219) Fix typo, add a couple of links. 
+- [X] [#219](https://github.com/kubernetes/ingress/pull/219) Fix typo, add a couple of links.
 - [X] [#218](https://github.com/kubernetes/ingress/pull/218) Improve links from CONTRIBUTING.
- [X] [#217](https://github.com/kubernetes/ingress/pull/217) Fix an e2e link. 
+- [X] [#217](https://github.com/kubernetes/ingress/pull/217) Fix an e2e link.
 - [X] [#212](https://github.com/kubernetes/ingress/pull/212) Simplify code to obtain TCP or UDP services
 - [X] [#208](https://github.com/kubernetes/ingress/pull/208) Fix nil HTTP field
 - [X] [#198](https://github.com/kubernetes/ingress/pull/198) Add an example for static-ip and deployment
--- a/controllers/nginx/Makefile
+++ b/controllers/nginx/Makefile
@ -3,7 +3,7 @@ all: push
 BUILDTAGS=

 # Use the 0.0 tag for testing, it shouldn't clobber any release builds
-TAG?=0.9.0-beta.11
+TAG?=0.9.0-beta.12
 REGISTRY?=gcr.io/google_containers
 GOOS?=linux
 DOCKER?=gcloud docker --
--- a/controllers/nginx/README.md
+++ b/controllers/nginx/README.md
@ -95,14 +95,14 @@ $ ./rootfs/nginx-ingress-controller --running-in-cluster=false --default-backend

 First create a default backend:
 ```
-$ kubectl create -f examples/deployment/nginx/default-backend.yaml
+$ kubectl create -f examples/default-backend.yaml
 $ kubectl expose rc default-http-backend --port=80 --target-port=8080 --name=default-http-backend
 ```

 Loadbalancers are created via a ReplicationController or Daemonset:

 ```
-$ kubectl create -f examples/default/rc-default.yaml
+$ kubectl create -f examples/rc-default.yaml
 ```

 ## HTTP
--- a/controllers/nginx/examples/default-backend.yaml
+++ b/controllers/nginx/examples/default-backend.yaml
@ -0,0 +1,51 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: default-http-backend
+  labels:
+    k8s-app: default-http-backend
+  namespace: kube-system
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        k8s-app: default-http-backend
+    spec:
+      terminationGracePeriodSeconds: 60
+      containers:
+      - name: default-http-backend
+        # Any image is permissable as long as:
+        # 1. It serves a 404 page at /
+        # 2. It serves 200 on a /healthz endpoint
+        image: gcr.io/google_containers/defaultbackend:1.0
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 30
+          timeoutSeconds: 5
+        ports:
+        - containerPort: 8080
+        resources:
+          limits:
+            cpu: 10m
+            memory: 20Mi
+          requests:
+            cpu: 10m
+            memory: 20Mi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: default-http-backend
+  namespace: kube-system
+  labels:
+    k8s-app: default-http-backend
+spec:
+  ports:
+  - port: 80
+    targetPort: 8080
+  selector:
+    k8s-app: default-http-backend
--- a/controllers/nginx/examples/ingress.yaml
+++ b/controllers/nginx/examples/ingress.yaml
@ -0,0 +1,26 @@
+# This is the Ingress resource that creates a HTTP Loadbalancer configured
+# according to the Ingress rules.
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: echomap
+spec:
+  rules:
+  - host: foo.bar.com
+    http:
+      paths:
+      - path: /foo
+        backend:
+          serviceName: echoheaders-x
+          servicePort: 80
+  - host: bar.baz.com
+    http:
+      paths:
+      - path: /bar
+        backend:
+          serviceName: echoheaders-y
+          servicePort: 80
+      - path: /foo
+        backend:
+          serviceName: echoheaders-x
+          servicePort: 80
--- a/controllers/nginx/pkg/cmd/controller/metrics.go
+++ b/controllers/nginx/pkg/cmd/controller/metrics.go
@ -24,7 +24,7 @@ import (
 )

 const (
-	ngxStatusPath = "/internal_nginx_status"
+	ngxStatusPath = "/nginx_status"
 	ngxVtsPath    = "/nginx_status/format/json"
 )

@ -46,7 +46,7 @@ type statsCollector struct {
 	namespace  string
 	watchClass string

-	healthPort int
+	port int
 }

 func (s *statsCollector) stop(sm statusModule) {
@ -63,18 +63,19 @@ func (s *statsCollector) stop(sm statusModule) {
 func (s *statsCollector) start(sm statusModule) {
 	switch sm {
 	case defaultStatusModule:
-		s.basic = collector.NewNginxStatus(s.namespace, s.watchClass, s.healthPort, ngxStatusPath)
+		s.basic = collector.NewNginxStatus(s.namespace, s.watchClass, s.port, ngxStatusPath)
 		prometheus.Register(s.basic)
 		break
 	case vtsStatusModule:
-		s.vts = collector.NewNGINXVTSCollector(s.namespace, s.watchClass, s.healthPort, ngxVtsPath)
+		s.vts = collector.NewNGINXVTSCollector(s.namespace, s.watchClass, s.port, ngxVtsPath)
 		prometheus.Register(s.vts)
 		break
 	}
 }

-func newStatsCollector(ns, class, binary string, hz int) *statsCollector {
+func newStatsCollector(ns, class, binary string, port int) *statsCollector {
 	glog.Infof("starting new nginx stats collector for Ingress controller running in namespace %v (class %v)", ns, class)
+	glog.Infof("collector extracting information from port %v", port)
 	pc, err := collector.NewNamedProcess(true, collector.BinaryNameMatcher{
 		Name:   "nginx",
 		Binary: binary,
@ -91,6 +92,6 @@ func newStatsCollector(ns, class, binary string, hz int) *statsCollector {
 		namespace:  ns,
 		watchClass: class,
 		process:    pc,
-		healthPort: hz,
+		port:       port,
 	}
 }
--- a/controllers/nginx/pkg/cmd/controller/nginx.go
+++ b/controllers/nginx/pkg/cmd/controller/nginx.go
@ -372,7 +372,11 @@ func (n *NGINXController) OverrideFlags(flags *pflag.FlagSet) {
 	}

 	flags.Set("ingress-class", ic)
-	n.stats = newStatsCollector(wc, ic, n.binary, n.ports.Health)
+
+	h, _ := flags.GetInt("healthz-port")
+	n.ports.Health = h
+
+	n.stats = newStatsCollector(wc, ic, n.binary, n.ports.Status)

 	if n.isSSLPassthroughEnabled {
 		if !isPortAvailable(n.ports.SSLProxy) {
--- a/controllers/nginx/pkg/metric/collector/status.go
+++ b/controllers/nginx/pkg/metric/collector/status.go
@ -143,8 +143,8 @@ func (bit BoolToFloat64) UnmarshalJSON(data []byte) error {
 	return nil
 }

-func getNginxStatus(ngxHealthPort int, ngxStatusPath string) (*basicStatus, error) {
-	url := fmt.Sprintf("http://localhost:%v%v", ngxHealthPort, ngxStatusPath)
+func getNginxStatus(port int, path string) (*basicStatus, error) {
+	url := fmt.Sprintf("http://localhost:%v%v", port, path)
 	glog.V(3).Infof("start scrapping url: %v", url)

 	data, err := httpBody(url)
@ -174,8 +174,8 @@ func httpBody(url string) ([]byte, error) {
 	return data, nil
 }

-func getNginxVtsMetrics(ngxHealthPort int, ngxVtsPath string) (*vts, error) {
-	url := fmt.Sprintf("http://localhost:%v%v", ngxHealthPort, ngxVtsPath)
+func getNginxVtsMetrics(port int, path string) (*vts, error) {
+	url := fmt.Sprintf("http://localhost:%v%v", port, path)
 	glog.V(3).Infof("start scrapping url: %v", url)

 	data, err := httpBody(url)
--- a/controllers/nginx/pkg/metric/collector/vts.go
+++ b/controllers/nginx/pkg/metric/collector/vts.go
@ -28,8 +28,8 @@ const ns = "nginx"
 type (
 	vtsCollector struct {
 		scrapeChan     chan scrapeRequest
-		ngxHealthPort  int
-		ngxVtsPath     string
+		port           int
+		path           string
 		data           *vtsData
 		watchNamespace string
 		ingressClass   string
@ -57,12 +57,12 @@ type (
 )

 // NewNGINXVTSCollector returns a new prometheus collector for the VTS module
-func NewNGINXVTSCollector(watchNamespace, ingressClass string, ngxHealthPort int, ngxVtsPath string) Stopable {
+func NewNGINXVTSCollector(watchNamespace, ingressClass string, port int, path string) Stopable {

 	p := vtsCollector{
 		scrapeChan:     make(chan scrapeRequest),
-		ngxHealthPort:  ngxHealthPort,
-		ngxVtsPath:     ngxVtsPath,
+		port:           port,
+		path:           path,
 		watchNamespace: watchNamespace,
 		ingressClass:   ingressClass,
 	}
@ -201,7 +201,7 @@ func (p vtsCollector) Stop() {

 // scrapeVts scrape nginx vts metrics
 func (p vtsCollector) scrapeVts(ch chan<- prometheus.Metric) {
-	nginxMetrics, err := getNginxVtsMetrics(p.ngxHealthPort, p.ngxVtsPath)
+	nginxMetrics, err := getNginxVtsMetrics(p.port, p.path)
 	if err != nil {
 		glog.Warningf("unexpected error obtaining nginx status info: %v", err)
 		return
--- a/controllers/nginx/pkg/template/template.go
+++ b/controllers/nginx/pkg/template/template.go
@ -301,7 +301,7 @@ func buildProxyPass(host string, b interface{}, loc interface{}) string {
 		return defProxyPass
 	}

-	if path != slash && !strings.HasSuffix(path, slash) {
+	if !strings.HasSuffix(path, slash) {
 		path = fmt.Sprintf("%s/", path)
 	}

@ -312,12 +312,12 @@ func buildProxyPass(host string, b interface{}, loc interface{}) string {
 			bPath := fmt.Sprintf("%s%s", path, "$baseuri")
 			if len(location.Rewrite.BaseURLScheme) > 0 {
 				abu = fmt.Sprintf(`subs_filter '<head(.*)>' '<head$1><base href="%v://$http_host%v">' r;
-	subs_filter '<HEAD(.*)>' '<HEAD$1><base href="%v://$http_host%v">' r;
-	`, location.Rewrite.BaseURLScheme, bPath, location.Rewrite.BaseURLScheme, bPath)
+	    subs_filter '<HEAD(.*)>' '<HEAD$1><base href="%v://$http_host%v">' r;
+	    `, location.Rewrite.BaseURLScheme, bPath, location.Rewrite.BaseURLScheme, bPath)
 			} else {
 				abu = fmt.Sprintf(`subs_filter '<head(.*)>' '<head$1><base href="$scheme://$http_host%v">' r;
-	subs_filter '<HEAD(.*)>' '<HEAD$1><base href="$scheme://$http_host%v">' r;
-	`, bPath, bPath)
+	    subs_filter '<HEAD(.*)>' '<HEAD$1><base href="$scheme://$http_host%v">' r;
+	    `, bPath, bPath)
 			}
 		}

@ -325,16 +325,16 @@ func buildProxyPass(host string, b interface{}, loc interface{}) string {
 			// special case redirect to /
 			// ie /something to /
 			return fmt.Sprintf(`
-	rewrite %s(.*) /$1 break;
-	rewrite %s / break;
-	proxy_pass %s://%s;
-	%v`, path, location.Path, proto, upstreamName, abu)
+	    rewrite %s(.*) /$1 break;
+	    rewrite %s / break;
+	    proxy_pass %s://%s;
+	    %v`, path, location.Path, proto, upstreamName, abu)
 		}

 		return fmt.Sprintf(`
-	rewrite %s(.*) %s/$1 break;
-	proxy_pass %s://%s;
-	%v`, path, location.Rewrite.Target, proto, upstreamName, abu)
+	    rewrite %s(.*) %s/$1 break;
+	    proxy_pass %s://%s;
+	    %v`, path, location.Rewrite.Target, proto, upstreamName, abu)
 	}

 	// default proxy_pass
--- a/controllers/nginx/pkg/template/template_test.go
+++ b/controllers/nginx/pkg/template/template_test.go
@ -44,54 +44,54 @@ var (
 		"invalid redirect / to /": {"/", "/", "/", "proxy_pass http://upstream-name;", false, ""},
 		"redirect / to /jenkins": {"/", "/jenkins", "~* /",
 			`
-	rewrite /(.*) /jenkins/$1 break;
-	proxy_pass http://upstream-name;
-	`, false, ""},
+	    rewrite /(.*) /jenkins/$1 break;
+	    proxy_pass http://upstream-name;
+	    `, false, ""},
 		"redirect /something to /": {"/something", "/", `~* ^/something\/?(?<baseuri>.*)`, `
-	rewrite /something/(.*) /$1 break;
-	rewrite /something / break;
-	proxy_pass http://upstream-name;
-	`, false, ""},
+	    rewrite /something/(.*) /$1 break;
+	    rewrite /something / break;
+	    proxy_pass http://upstream-name;
+	    `, false, ""},
 		"redirect /end-with-slash/ to /not-root": {"/end-with-slash/", "/not-root", "~* ^/end-with-slash/(?<baseuri>.*)", `
-	rewrite /end-with-slash/(.*) /not-root/$1 break;
-	proxy_pass http://upstream-name;
-	`, false, ""},
+	    rewrite /end-with-slash/(.*) /not-root/$1 break;
+	    proxy_pass http://upstream-name;
+	    `, false, ""},
 		"redirect /something-complex to /not-root": {"/something-complex", "/not-root", `~* ^/something-complex\/?(?<baseuri>.*)`, `
-	rewrite /something-complex/(.*) /not-root/$1 break;
-	proxy_pass http://upstream-name;
-	`, false, ""},
+	    rewrite /something-complex/(.*) /not-root/$1 break;
+	    proxy_pass http://upstream-name;
+	    `, false, ""},
 		"redirect / to /jenkins and rewrite": {"/", "/jenkins", "~* /", `
-	rewrite /(.*) /jenkins/$1 break;
-	proxy_pass http://upstream-name;
-	subs_filter '<head(.*)>' '<head$1><base href="$scheme://$http_host/$baseuri">' r;
-	subs_filter '<HEAD(.*)>' '<HEAD$1><base href="$scheme://$http_host/$baseuri">' r;
-	`, true, ""},
+	    rewrite /(.*) /jenkins/$1 break;
+	    proxy_pass http://upstream-name;
+	    subs_filter '<head(.*)>' '<head$1><base href="$scheme://$http_host/$baseuri">' r;
+	    subs_filter '<HEAD(.*)>' '<HEAD$1><base href="$scheme://$http_host/$baseuri">' r;
+	    `, true, ""},
 		"redirect /something to / and rewrite": {"/something", "/", `~* ^/something\/?(?<baseuri>.*)`, `
-	rewrite /something/(.*) /$1 break;
-	rewrite /something / break;
-	proxy_pass http://upstream-name;
-	subs_filter '<head(.*)>' '<head$1><base href="$scheme://$http_host/something/$baseuri">' r;
-	subs_filter '<HEAD(.*)>' '<HEAD$1><base href="$scheme://$http_host/something/$baseuri">' r;
-	`, true, ""},
+	    rewrite /something/(.*) /$1 break;
+	    rewrite /something / break;
+	    proxy_pass http://upstream-name;
+	    subs_filter '<head(.*)>' '<head$1><base href="$scheme://$http_host/something/$baseuri">' r;
+	    subs_filter '<HEAD(.*)>' '<HEAD$1><base href="$scheme://$http_host/something/$baseuri">' r;
+	    `, true, ""},
 		"redirect /end-with-slash/ to /not-root and rewrite": {"/end-with-slash/", "/not-root", `~* ^/end-with-slash/(?<baseuri>.*)`, `
-	rewrite /end-with-slash/(.*) /not-root/$1 break;
-	proxy_pass http://upstream-name;
-	subs_filter '<head(.*)>' '<head$1><base href="$scheme://$http_host/end-with-slash/$baseuri">' r;
-	subs_filter '<HEAD(.*)>' '<HEAD$1><base href="$scheme://$http_host/end-with-slash/$baseuri">' r;
-	`, true, ""},
+	    rewrite /end-with-slash/(.*) /not-root/$1 break;
+	    proxy_pass http://upstream-name;
+	    subs_filter '<head(.*)>' '<head$1><base href="$scheme://$http_host/end-with-slash/$baseuri">' r;
+	    subs_filter '<HEAD(.*)>' '<HEAD$1><base href="$scheme://$http_host/end-with-slash/$baseuri">' r;
+	    `, true, ""},
 		"redirect /something-complex to /not-root and rewrite": {"/something-complex", "/not-root", `~* ^/something-complex\/?(?<baseuri>.*)`, `
-	rewrite /something-complex/(.*) /not-root/$1 break;
-	proxy_pass http://upstream-name;
-	subs_filter '<head(.*)>' '<head$1><base href="$scheme://$http_host/something-complex/$baseuri">' r;
-	subs_filter '<HEAD(.*)>' '<HEAD$1><base href="$scheme://$http_host/something-complex/$baseuri">' r;
-	`, true, ""},
+	    rewrite /something-complex/(.*) /not-root/$1 break;
+	    proxy_pass http://upstream-name;
+	    subs_filter '<head(.*)>' '<head$1><base href="$scheme://$http_host/something-complex/$baseuri">' r;
+	    subs_filter '<HEAD(.*)>' '<HEAD$1><base href="$scheme://$http_host/something-complex/$baseuri">' r;
+	    `, true, ""},
 		"redirect /something to / and rewrite with specific scheme": {"/something", "/", `~* ^/something\/?(?<baseuri>.*)`, `
-	rewrite /something/(.*) /$1 break;
-	rewrite /something / break;
-	proxy_pass http://upstream-name;
-	subs_filter '<head(.*)>' '<head$1><base href="http://$http_host/something/$baseuri">' r;
-	subs_filter '<HEAD(.*)>' '<HEAD$1><base href="http://$http_host/something/$baseuri">' r;
-	`, true, "http"},
+	    rewrite /something/(.*) /$1 break;
+	    rewrite /something / break;
+	    proxy_pass http://upstream-name;
+	    subs_filter '<head(.*)>' '<head$1><base href="http://$http_host/something/$baseuri">' r;
+	    subs_filter '<HEAD(.*)>' '<HEAD$1><base href="http://$http_host/something/$baseuri">' r;
+	    `, true, "http"},
 	}
 )

--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@ -387,7 +387,7 @@ http {
        # Changing this value requires a change in:
        # https://github.com/kubernetes/ingress/blob/master/controllers/nginx/pkg/cmd/controller/nginx.go
        listen 127.0.0.1:{{ $all.ListenPorts.Status }} default_server reuseport backlog={{ $all.BacklogSize }};
-        {{ if $IsIPV6Enabled }}listen [::1]:{{ $all.ListenPorts.Status }} default_server reuseport backlog={{ $all.BacklogSize }};{{ end }}
+        {{ if $IsIPV6Enabled }}listen [::]:{{ $all.ListenPorts.Status }} default_server reuseport backlog={{ $all.BacklogSize }};{{ end }}
        set $proxy_upstream_name "-";

        location {{ $healthzURI }} {
@ -407,21 +407,6 @@ http {
            {{ end }}
        }

-        # this location is used to extract nginx metrics
-        # using prometheus.
-        # TODO: enable extraction for vts module.
-        location /internal_nginx_status {
-            set $proxy_upstream_name "internal";
-
-            allow 127.0.0.1;
-            {{ if not $cfg.DisableIpv6 }}allow ::1;{{ end }}
-            deny all;
-
-            access_log off;
-            stub_status on;
-        }
-
-
        fastcgi_param       HTTP_X_Code             404;
        fastcgi_param       HTTP_X_Format           $http_accept;
        fastcgi_param       HTTP_X_Original_URI     $request_uri;
@ -631,196 +616,196 @@ stream {

        {{ if not (empty $location.Rewrite.AppRoot)}}
        if ($uri = /) {
-        return 302 {{ $location.Rewrite.AppRoot }};
+            return 302 {{ $location.Rewrite.AppRoot }};
        }
        {{ end }}

        {{ if not (empty $authPath) }}
        location = {{ $authPath }} {
-        internal;
-        set $proxy_upstream_name "internal";
+            internal;
+            set $proxy_upstream_name "internal";

-        {{ if not $location.ExternalAuth.SendBody }}
-        proxy_pass_request_body     off;
-        proxy_set_header            Content-Length "";
-        {{ end }}
-        {{ if not (empty $location.ExternalAuth.Method) }}
-        proxy_method                {{ $location.ExternalAuth.Method }};
-        proxy_set_header            X-Original-URI $request_uri;
-        proxy_set_header            X-Scheme       $pass_access_scheme;
-        {{ end }}
-        proxy_pass_request_headers  on;
-        proxy_set_header            Host {{ $location.ExternalAuth.Host }};
-        proxy_ssl_server_name       on;
+            {{ if not $location.ExternalAuth.SendBody }}
+            proxy_pass_request_body     off;
+            proxy_set_header            Content-Length "";
+            {{ end }}
+            {{ if not (empty $location.ExternalAuth.Method) }}
+            proxy_method                {{ $location.ExternalAuth.Method }};
+            proxy_set_header            X-Original-URI $request_uri;
+            proxy_set_header            X-Scheme       $pass_access_scheme;
+            {{ end }}
+            proxy_pass_request_headers  on;
+            proxy_set_header            Host {{ $location.ExternalAuth.Host }};
+            proxy_ssl_server_name       on;

-        client_max_body_size        "{{ $location.Proxy.BodySize }}";
-        {{ if isValidClientBodyBufferSize $location.ClientBodyBufferSize }}
-        client_body_buffer_size     {{ $location.ClientBodyBufferSize }};
-        {{ end }}
+            client_max_body_size        "{{ $location.Proxy.BodySize }}";
+            {{ if isValidClientBodyBufferSize $location.ClientBodyBufferSize }}
+            client_body_buffer_size     {{ $location.ClientBodyBufferSize }};
+            {{ end }}

-        set $target {{ $location.ExternalAuth.URL }};
-        proxy_pass $target;
+            set $target {{ $location.ExternalAuth.URL }};
+            proxy_pass $target;
        }

        {{ end }}

        location {{ $path }} {
-        set $proxy_upstream_name "{{ buildUpstreamName $server.Hostname $all.Backends $location }}";
+            set $proxy_upstream_name "{{ buildUpstreamName $server.Hostname $all.Backends $location }}";

-        {{ $ing := (getIngressInformation $location.Ingress $path) }}
-        {{/* $ing.Metadata contains the Ingress metadata */}}
-        set $namespace      "{{ $ing.Namespace }}";
-        set $ingress_name   "{{ $ing.Rule }}";
-        set $service_name   "{{ $ing.Service }}";
-        set $base_path      "{{ $location.Path }}";
+            {{ $ing := (getIngressInformation $location.Ingress $path) }}
+            {{/* $ing.Metadata contains the Ingress metadata */}}
+            set $namespace      "{{ $ing.Namespace }}";
+            set $ingress_name   "{{ $ing.Rule }}";
+            set $service_name   "{{ $ing.Service }}";
+            set $base_path      "{{ $location.Path }}";

-        {{ if (or $location.Rewrite.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Rewrite.SSLRedirect)) }}
-        # enforce ssl on server side
-        if ($pass_access_scheme = http) {
-        return 301 https://$best_http_host$request_uri;
-        }
-        {{ end }}
+            {{ if (or $location.Rewrite.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Rewrite.SSLRedirect)) }}
+            # enforce ssl on server side
+            if ($pass_access_scheme = http) {
+                return 301 https://$best_http_host$request_uri;
+            }
+            {{ end }}

-        {{ if isLocationAllowed $location }}
-        {{ if gt (len $location.Whitelist.CIDR) 0 }}
-        if ({{ buildDenyVariable (print $server.Hostname "_"  $path) }}) {
-        return 403;
-        }
-        {{ end }}
+            {{ if isLocationAllowed $location }}
+            {{ if gt (len $location.Whitelist.CIDR) 0 }}
+            if ({{ buildDenyVariable (print $server.Hostname "_"  $path) }}) {
+                return 403;
+            }
+            {{ end }}

-        port_in_redirect {{ if $location.UsePortInRedirects }}on{{ else }}off{{ end }};
+            port_in_redirect {{ if $location.UsePortInRedirects }}on{{ else }}off{{ end }};

-        {{ if not (empty $authPath) }}
-        # this location requires authentication
-        auth_request {{ $authPath }};
-        auth_request_set $auth_cookie $upstream_http_set_cookie;
-        add_header Set-Cookie $auth_cookie;
-        {{- range $idx, $line := buildAuthResponseHeaders $location }}
-        {{ $line }}
-        {{- end }}
-        {{ end }}
+            {{ if not (empty $authPath) }}
+            # this location requires authentication
+            auth_request {{ $authPath }};
+            auth_request_set $auth_cookie $upstream_http_set_cookie;
+            add_header Set-Cookie $auth_cookie;
+            {{- range $idx, $line := buildAuthResponseHeaders $location }}
+            {{ $line }}
+            {{- end }}
+            {{ end }}

-        {{ if not (empty $location.ExternalAuth.SigninURL) }}
-        error_page 401 = {{ buildAuthSignURL $location.ExternalAuth.SigninURL }};
-        {{ end }}
+            {{ if not (empty $location.ExternalAuth.SigninURL) }}
+            error_page 401 = {{ buildAuthSignURL $location.ExternalAuth.SigninURL }};
+            {{ end }}

-        {{/* if the location contains a rate limit annotation, create one */}}
-        {{ $limits := buildRateLimit $location }}
-        {{ range $limit := $limits }}
-        {{ $limit }}{{ end }}
+            {{/* if the location contains a rate limit annotation, create one */}}
+            {{ $limits := buildRateLimit $location }}
+            {{ range $limit := $limits }}
+            {{ $limit }}{{ end }}

-        {{ if $location.BasicDigestAuth.Secured }}
-        {{ if eq $location.BasicDigestAuth.Type "basic" }}
-        auth_basic "{{ $location.BasicDigestAuth.Realm }}";
-        auth_basic_user_file {{ $location.BasicDigestAuth.File }};
-        {{ else }}
-        auth_digest "{{ $location.BasicDigestAuth.Realm }}";
-        auth_digest_user_file {{ $location.BasicDigestAuth.File }};
-        {{ end }}
-        proxy_set_header Authorization "";
-        {{ end }}
+            {{ if $location.BasicDigestAuth.Secured }}
+            {{ if eq $location.BasicDigestAuth.Type "basic" }}
+            auth_basic "{{ $location.BasicDigestAuth.Realm }}";
+            auth_basic_user_file {{ $location.BasicDigestAuth.File }};
+            {{ else }}
+            auth_digest "{{ $location.BasicDigestAuth.Realm }}";
+            auth_digest_user_file {{ $location.BasicDigestAuth.File }};
+            {{ end }}
+            proxy_set_header Authorization "";
+            {{ end }}

-        {{ if $location.EnableCORS }}
-        {{ template "CORS" }}
-        {{ end }}
+            {{ if $location.EnableCORS }}
+            {{ template "CORS" }}
+            {{ end }}

-        {{ if not (empty $location.Redirect.URL) }}
-        if ($uri ~* {{ $path }}) {
-            return {{ $location.Redirect.Code }} {{ $location.Redirect.URL }};
-        }
-        {{ end }}
+            {{ if not (empty $location.Redirect.URL) }}
+            if ($uri ~* {{ $path }}) {
+                return {{ $location.Redirect.Code }} {{ $location.Redirect.URL }};
+            }
+            {{ end }}

-        client_max_body_size                    "{{ $location.Proxy.BodySize }}";
-        {{ if isValidClientBodyBufferSize $location.ClientBodyBufferSize }}
-        client_body_buffer_size                 {{ $location.ClientBodyBufferSize }};
-        {{ end }}
+            client_max_body_size                    "{{ $location.Proxy.BodySize }}";
+            {{ if isValidClientBodyBufferSize $location.ClientBodyBufferSize }}
+            client_body_buffer_size                 {{ $location.ClientBodyBufferSize }};
+            {{ end }}

-        proxy_set_header Host                   $best_http_host;
+            proxy_set_header Host                   $best_http_host;

-        # Pass the extracted client certificate to the backend
-        {{ if not (empty $server.CertificateAuth.CAFileName) }}
-        proxy_set_header ssl-client-cert        $ssl_client_cert;
-        {{ end }}
+            # Pass the extracted client certificate to the backend
+            {{ if not (empty $server.CertificateAuth.CAFileName) }}
+            proxy_set_header ssl-client-cert        $ssl_client_cert;
+            {{ end }}

-        # Allow websocket connections
-        proxy_set_header                        Upgrade           $http_upgrade;
-        proxy_set_header                        Connection        $connection_upgrade;
+            # Allow websocket connections
+            proxy_set_header                        Upgrade           $http_upgrade;
+            proxy_set_header                        Connection        $connection_upgrade;

-        proxy_set_header X-Real-IP              $the_real_ip;
-        proxy_set_header X-Forwarded-For        $the_real_ip;
-        proxy_set_header X-Forwarded-Host       $best_http_host;
-        proxy_set_header X-Forwarded-Port       $pass_port;
-        proxy_set_header X-Forwarded-Proto      $pass_access_scheme;
-        proxy_set_header X-Original-URI         $request_uri;
-        proxy_set_header X-Scheme               $pass_access_scheme;
+            proxy_set_header X-Real-IP              $the_real_ip;
+            proxy_set_header X-Forwarded-For        $the_real_ip;
+            proxy_set_header X-Forwarded-Host       $best_http_host;
+            proxy_set_header X-Forwarded-Port       $pass_port;
+            proxy_set_header X-Forwarded-Proto      $pass_access_scheme;
+            proxy_set_header X-Original-URI         $request_uri;
+            proxy_set_header X-Scheme               $pass_access_scheme;

-        # mitigate HTTPoxy Vulnerability
-        # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
-        proxy_set_header Proxy                  "";
+            # mitigate HTTPoxy Vulnerability
+            # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
+            proxy_set_header Proxy                  "";

-        # Custom headers to proxied server
-        {{ range $k, $v := $all.ProxySetHeaders }}
-        proxy_set_header {{ $k }}                    "{{ $v }}";
-        {{ end }}
+            # Custom headers to proxied server
+            {{ range $k, $v := $all.ProxySetHeaders }}
+            proxy_set_header {{ $k }}                    "{{ $v }}";
+            {{ end }}

-        proxy_connect_timeout                   {{ $location.Proxy.ConnectTimeout }}s;
-        proxy_send_timeout                      {{ $location.Proxy.SendTimeout }}s;
-        proxy_read_timeout                      {{ $location.Proxy.ReadTimeout }}s;
+            proxy_connect_timeout                   {{ $location.Proxy.ConnectTimeout }}s;
+            proxy_send_timeout                      {{ $location.Proxy.SendTimeout }}s;
+            proxy_read_timeout                      {{ $location.Proxy.ReadTimeout }}s;

-        proxy_redirect                          off;
-        proxy_buffering                         off;
-        proxy_buffer_size                       "{{ $location.Proxy.BufferSize }}";
-        proxy_buffers                           4 "{{ $location.Proxy.BufferSize }}";
+            proxy_redirect                          off;
+            proxy_buffering                         off;
+            proxy_buffer_size                       "{{ $location.Proxy.BufferSize }}";
+            proxy_buffers                           4 "{{ $location.Proxy.BufferSize }}";

-        proxy_http_version                      1.1;
+            proxy_http_version                      1.1;

-        proxy_cookie_domain                     {{ $location.Proxy.CookieDomain }};
-        proxy_cookie_path                       {{ $location.Proxy.CookiePath }};
+            proxy_cookie_domain                     {{ $location.Proxy.CookieDomain }};
+            proxy_cookie_path                       {{ $location.Proxy.CookiePath }};

-        # In case of errors try the next upstream server before returning an error
-        proxy_next_upstream                     {{ buildNextUpstream $location.Proxy.NextUpstream }}{{ if $all.Cfg.RetryNonIdempotent }} non_idempotent{{ end }};
+            # In case of errors try the next upstream server before returning an error
+            proxy_next_upstream                     {{ buildNextUpstream $location.Proxy.NextUpstream }}{{ if $all.Cfg.RetryNonIdempotent }} non_idempotent{{ end }};

-        {{/* rewrite only works if the content is not compressed */}}
-        {{ if $location.Rewrite.AddBaseURL }}
-        proxy_set_header                        Accept-Encoding     "";
-        {{ end }}
+            {{/* rewrite only works if the content is not compressed */}}
+            {{ if $location.Rewrite.AddBaseURL }}
+            proxy_set_header                        Accept-Encoding     "";
+            {{ end }}

-        {{/* Add any additional configuration defined */}}
-        {{ $location.ConfigurationSnippet }}
+            {{/* Add any additional configuration defined */}}
+            {{ $location.ConfigurationSnippet }}

-        {{/* if we are sending the request to a custom default backend, we add the required headers */}}
-        {{ if (hasPrefix $location.Backend "custom-default-backend-") }}
-        proxy_set_header       X-Code             503;
-        proxy_set_header       X-Format           $http_accept;
-        proxy_set_header       X-Namespace        $namespace;
-        proxy_set_header       X-Ingress-Name     $ingress_name;
-        proxy_set_header       X-Service-Name     $service_name;
-        {{ end }}
+            {{/* if we are sending the request to a custom default backend, we add the required headers */}}
+            {{ if (hasPrefix $location.Backend "custom-default-backend-") }}
+            proxy_set_header       X-Code             503;
+            proxy_set_header       X-Format           $http_accept;
+            proxy_set_header       X-Namespace        $namespace;
+            proxy_set_header       X-Ingress-Name     $ingress_name;
+            proxy_set_header       X-Service-Name     $service_name;
+            {{ end }}

-        {{ buildProxyPass $server.Hostname $all.Backends $location }}
-        {{ else }}
-        # Location denied. Reason: {{ $location.Denied }}
-        return 503;
-        {{ end }}
+            {{ buildProxyPass $server.Hostname $all.Backends $location }}
+            {{ else }}
+            # Location denied. Reason: {{ $location.Denied }}
+            return 503;
+            {{ end }}
        }
        {{ end }}

        {{ if eq $server.Hostname "_" }}
        # health checks in cloud providers require the use of port {{ $all.ListenPorts.HTTP }}
        location {{ $all.HealthzURI }} {
-        access_log off;
-        return 200;
+            access_log off;
+            return 200;
        }

        # this is required to avoid error if nginx is being monitored
        # with an external software (like sysdig)
        location /nginx_status {
-        allow 127.0.0.1;
-        {{ if $all.IsIPV6Enabled }}allow ::1;{{ end }}
-        deny all;
+            allow 127.0.0.1;
+            {{ if $all.IsIPV6Enabled }}allow ::1;{{ end }}
+            deny all;

-        access_log off;
-        stub_status on;
+            access_log off;
+            stub_status on;
        }

        {{ end }}
--- a/docs/troubleshooting.md
+++ b/docs/troubleshooting.md
@ -259,7 +259,7 @@ spec:
    spec:
      terminationGracePeriodSeconds: 60
      containers:
-      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
+      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
        name: ingress-nginx
        imagePullPolicy: Always
        ports:
--- a/examples/aws/nginx/nginx-ingress-controller.yaml
+++ b/examples/aws/nginx/nginx-ingress-controller.yaml
@ -101,7 +101,7 @@ spec:
    spec:
      terminationGracePeriodSeconds: 60
      containers:
-      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
+      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
        name: ingress-nginx
        imagePullPolicy: Always
        ports:
--- a/examples/customization/configuration-snippets/nginx/nginx-ingress-controller.yaml
+++ b/examples/customization/configuration-snippets/nginx/nginx-ingress-controller.yaml
@ -19,7 +19,7 @@ spec:
      # hostNetwork: true
      terminationGracePeriodSeconds: 60
      containers:
-      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
+      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
        name: nginx-ingress-controller
        readinessProbe:
          httpGet:
--- a/examples/customization/custom-configuration/nginx/nginx-custom-configuration.yaml
+++ b/examples/customization/custom-configuration/nginx/nginx-custom-configuration.yaml
@ -22,7 +22,7 @@ spec:
      # hostNetwork: true
      terminationGracePeriodSeconds: 60
      containers:
-      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
+      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
        name: nginx-ingress-controller
        readinessProbe:
          httpGet:
--- a/examples/customization/custom-errors/nginx/rc-custom-errors.yaml
+++ b/examples/customization/custom-errors/nginx/rc-custom-errors.yaml
@ -16,7 +16,7 @@ spec:
    spec:
      terminationGracePeriodSeconds: 60
      containers:
-      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
+      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
        name: nginx-ingress-lb
        imagePullPolicy: Always
        readinessProbe:
--- a/examples/customization/custom-headers/nginx/nginx-ingress-controller.yaml
+++ b/examples/customization/custom-headers/nginx/nginx-ingress-controller.yaml
@ -19,7 +19,7 @@ spec:
      # hostNetwork: true
      terminationGracePeriodSeconds: 60
      containers:
-      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
+      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
        name: nginx-ingress-controller
        readinessProbe:
          httpGet:
--- a/examples/customization/custom-template/custom-template.yaml
+++ b/examples/customization/custom-template/custom-template.yaml
@ -16,7 +16,7 @@ spec:
    spec:
      terminationGracePeriodSeconds: 60
      containers:
-      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
+      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
        name: nginx-ingress-lb
        imagePullPolicy: Always
        readinessProbe:
--- a/examples/customization/custom-vts-metrics/nginx/nginx-ingress-controller.yaml
+++ b/examples/customization/custom-vts-metrics/nginx/nginx-ingress-controller.yaml
@ -22,7 +22,7 @@ spec:
      # hostNetwork: true
      terminationGracePeriodSeconds: 60
      containers:
-      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
+      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
        name: nginx-ingress-controller
        readinessProbe:
          httpGet:
--- a/examples/customization/ssl-dh-param/nginx/nginx-ingress-controller.yaml
+++ b/examples/customization/ssl-dh-param/nginx/nginx-ingress-controller.yaml
@ -19,7 +19,7 @@ spec:
      # hostNetwork: true
      terminationGracePeriodSeconds: 60
      containers:
-      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
+      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
        name: nginx-ingress-controller
        readinessProbe:
          httpGet:
--- a/examples/daemonset/haproxy/README.md
+++ b/examples/daemonset/haproxy/README.md
@ -41,6 +41,11 @@ NAME                                    READY     STATUS    RESTARTS   AGE
 default-http-backend-q5sb6              1/1       Running   0          30m
 ```

+## RBAC Authorization
+
+Check the [RBAC sample](/examples/rbac/haproxy) if deploying on a cluster with
+[RBAC authorization](https://kubernetes.io/docs/admin/authorization/rbac/).
+
 ## Ingress DaemonSet

 Deploy the daemonset as follows:
--- a/examples/daemonset/nginx/nginx-ingress-daemonset.yaml
+++ b/examples/daemonset/nginx/nginx-ingress-daemonset.yaml
@ -16,7 +16,7 @@ spec:
    spec:
      terminationGracePeriodSeconds: 60
      containers:
-      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
+      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
        name: nginx-ingress-lb
        readinessProbe:
          httpGet:
--- a/examples/deployment/haproxy/README.md
+++ b/examples/deployment/haproxy/README.md
@ -70,6 +70,11 @@ configmap can be edited or replaced later in order to apply new
 configuration on a running ingress controller. All supported options
 are [here](https://github.com/jcmoraisjr/haproxy-ingress#configmap).

+## RBAC Authorization
+
+Check the [RBAC sample](/examples/rbac/haproxy) if deploying on a cluster with
+[RBAC authorization](https://kubernetes.io/docs/admin/authorization/rbac/).
+
 ## Controller

 Deploy HAProxy Ingress:
--- a/examples/deployment/nginx/kubeadm/nginx-ingress-controller.yaml
+++ b/examples/deployment/nginx/kubeadm/nginx-ingress-controller.yaml
@ -71,7 +71,7 @@ spec:
      hostNetwork: true
      terminationGracePeriodSeconds: 60
      containers:
-      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
+      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
        name: nginx-ingress-controller
        readinessProbe:
          httpGet:
--- a/examples/deployment/nginx/nginx-ingress-controller.yaml
+++ b/examples/deployment/nginx/nginx-ingress-controller.yaml
@ -22,7 +22,7 @@ spec:
      # hostNetwork: true
      terminationGracePeriodSeconds: 60
      containers:
-      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
+      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
        name: nginx-ingress-controller
        readinessProbe:
          httpGet:
--- a/examples/rbac/haproxy/README.md
+++ b/examples/rbac/haproxy/README.md
@ -0,0 +1,80 @@
+# Role Based Access Control
+
+This example demonstrates how to authorize an ingress controller on a cluster
+with role based access control.
+
+## Overview
+
+This example applies to ingress controllers being deployed in an environment with
+[RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) enabled.
+
+## Service Account created in this example
+
+One ServiceAccount is created in this example, `ingress-controller`. See
+[Using cert based authentication](#using-cert-based-authentication)
+below if using client cert authentication.
+
+## Permissions Granted in this example
+
+There are two sets of permissions defined in this example.  Cluster-wide
+permissions defined by a `ClusterRole` and namespace specific permissions
+defined by a `Role`, both named `ingress-controller`.
+
+### Cluster Permissions
+
+These permissions are granted in order for the ingress-controller to be
+able to function as an ingress across the cluster. These permissions are
+granted to the ClusterRole:
+
+* `configmaps`, `endpoints`, `nodes`, `pods`, `secrets`: list, watch
+* `nodes`: get
+* `services`, `ingresses`: get, list, watch
+* `events`: create, patch
+* `ingresses/status`: update
+
+### Namespace Permissions
+
+These permissions are granted specific to the `ingress-controller` namespace.
+The Role permissions are:
+
+* `configmaps`, `pods`, `secrets`: get
+* `endpoints`: create, get, update
+
+Furthermore to support leader-election, the ingress controller needs to
+have access to a `configmap` in the `ingress-controller` namespace:
+
+* `configmaps`: get, update, create
+
+## Namespace created in this example
+
+The `Namespace` named `ingress-controller` is defined in this example. The
+namespace name can be changed arbitrarily as long as all of the references
+change as well.
+
+## Usage
+
+1. Create the `Namespace`, `Service Account`, `ClusterRole`, `Role`,
+`ClusterRoleBinding`, and `RoleBinding`:
+
+```console
+$ kubectl create -f ingress-controller-rbac.yml
+```
+
+2. Deploy the ingress controller. The deployment should be configured to use
+the `ingress-controller` service account name if not using kubeconfig and
+client cert based authentication. Add the `serviceAccountName` to the pod
+template spec:
+
+```yaml
+spec:
+  template:
+    spec:
+      serviceAccountName: ingress-controller
+```
+
+## Using cert based authentication
+
+A client certificate based authentication can also be used with the following changes:
+
+1. No need to add the `serviceAccountName` to the pod template spec.
+2. Sign a client certificate using `ingress-controller` as it's common name.
--- a/examples/rbac/haproxy/ingress-controller-rbac.yml
+++ b/examples/rbac/haproxy/ingress-controller-rbac.yml
@ -0,0 +1,133 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ingress-controller
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ingress-controller
+  namespace: ingress-controller
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: ingress-controller
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - endpoints
+      - nodes
+      - pods
+      - secrets
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - "extensions"
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - "extensions"
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: ingress-controller
+  namespace: ingress-controller
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - pods
+      - secrets
+      - namespaces
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+    verbs:
+      - get
+      - create
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: ingress-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-controller
+subjects:
+  - kind: ServiceAccount
+    name: ingress-controller
+    namespace: ingress-controller
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: ingress-controller
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: ingress-controller
+  namespace: ingress-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-controller
+subjects:
+  - kind: ServiceAccount
+    name: ingress-controller
+    namespace: ingress-controller
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: ingress-controller
--- a/examples/rbac/nginx/nginx-ingress-controller.yml
+++ b/examples/rbac/nginx/nginx-ingress-controller.yml
@ -16,7 +16,7 @@ spec:
      serviceAccountName: nginx-ingress-serviceaccount
      containers:
        - name: nginx-ingress-controller
-          image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
+          image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
          args:
             - /nginx-ingress-controller
             - --default-backend-service=default/default-http-backend
--- a/examples/scaling-deployment/haproxy/README.md
+++ b/examples/scaling-deployment/haproxy/README.md
@ -41,6 +41,11 @@ NAME                                    READY     STATUS    RESTARTS   AGE
 default-http-backend-q5sb6              1/1       Running   0          30m
 ```

+## RBAC Authorization
+
+Check the [RBAC sample](/examples/rbac/haproxy) if deploying on a cluster with
+[RBAC authorization](https://kubernetes.io/docs/admin/authorization/rbac/).
+
 ## Ingress Deployment

 Deploy the Deployment of multi controllers as follows:
--- a/examples/scaling-deployment/nginx/nginx-ingress-deployment.yaml
+++ b/examples/scaling-deployment/nginx/nginx-ingress-deployment.yaml
@ -14,7 +14,7 @@ spec:
    spec:
      terminationGracePeriodSeconds: 60
      containers:
-      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
+      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
        name: nginx-ingress-controller
        readinessProbe:
          httpGet:
--- a/examples/static-ip/nginx/nginx-ingress-controller.yaml
+++ b/examples/static-ip/nginx/nginx-ingress-controller.yaml
@ -18,7 +18,7 @@ spec:
      # hostNetwork: true
      terminationGracePeriodSeconds: 60
      containers:
-      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
+      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
        name: nginx-ingress-controller
        readinessProbe:
          httpGet:
--- a/examples/tcp/nginx/README.md
+++ b/examples/tcp/nginx/README.md
@ -47,7 +47,7 @@ nginx-ingress-controller   1         1         1         3m
 $ kubectl -n kube-system describe rc nginx-ingress-controller
 Name:           nginx-ingress-controller
 Namespace:      kube-system
-Image(s):       gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
+Image(s):       gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
 Selector:       k8s-app=nginx-tcp-ingress-lb
 Labels:         k8s-app=nginx-ingress-lb
 Annotations:    <none>
--- a/examples/tcp/nginx/nginx-tcp-ingress-controller.yaml
+++ b/examples/tcp/nginx/nginx-tcp-ingress-controller.yaml
@ -17,7 +17,7 @@ spec:
    spec:
      terminationGracePeriodSeconds: 60
      containers:
-      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
+      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
        name: nginx-tcp-ingress-lb
        readinessProbe:
          httpGet:
--- a/examples/tls-termination/elb-nginx/nginx-ingress-controller.yaml
+++ b/examples/tls-termination/elb-nginx/nginx-ingress-controller.yaml
@ -105,7 +105,7 @@ spec:
    spec:
      terminationGracePeriodSeconds: 60
      containers:
-      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
+      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
        name: ingress-nginx
        imagePullPolicy: Always
        ports:
--- a/examples/udp/nginx/README.md
+++ b/examples/udp/nginx/README.md
@ -53,7 +53,7 @@ nginx-udp-ingress-controller   1         1         1         13m
 $ kubectl -n kube-system describe rc nginx-udp-ingress-controller
 Name:           nginx-udp-ingress-controller
 Namespace:      kube-system
-Image(s):       gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
+Image(s):       gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
 Selector:       k8s-app=nginx-udp-ingress-lb
 Labels:         k8s-app=nginx-udp-ingress-lb
 Annotations:    <none>
--- a/examples/udp/nginx/nginx-udp-ingress-controller.yaml
+++ b/examples/udp/nginx/nginx-udp-ingress-controller.yaml
@ -17,7 +17,7 @@ spec:
    spec:
      terminationGracePeriodSeconds: 60
      containers:
-      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
+      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
        name: nginx-udp-ingress-lb
        readinessProbe:
          httpGet: