Merge branch 'master' of github.com:kubernetes/ingress-nginx into add-servicemonitor-joblabel

2021-04-08 08:37:32 +02:00 · 2021-04-08 08:37:32 +02:00 · ab58492ea4
commit ab58492ea4
parent fbaff07dc2 1b9a9e0fc4
10 changed files with 32 additions and 6 deletions
--- a/charts/ingress-nginx/CHANGELOG.md
+++ b/charts/ingress-nginx/CHANGELOG.md
@ -4,10 +4,14 @@ This file documents all notable changes to [ingress-nginx](https://github.com/ku

 ### Unreleased

-### 3.28.0
+### 3.29.0

 - [X] [#6945](https://github.com/kubernetes/ingress-nginx/pull/7020) Add option to specify job label for ServiceMonitor

+### 3.28.0
+
+- [ ] [#6900](https://github.com/kubernetes/ingress-nginx/pull/6900) Support existing PSPs
+
 ### 3.27.0

 - Update ingress-nginx v0.45.0
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 3.28.0
+version: 3.29.0
 appVersion: 0.45.0
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
@ -22,6 +22,10 @@ rules:
    resources: ['podsecuritypolicies']
    verbs:     ['use']
    resourceNames:
+    {{- with .Values.controller.admissionWebhooks.existingPsp }}
+    - {{ . }}
+    {{- else }}
    - {{ include "ingress-nginx.fullname" . }}-admission
+    {{- end }}
 {{- end }}
 {{- end }}
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
--- a/charts/ingress-nginx/templates/controller-psp.yaml
+++ b/charts/ingress-nginx/templates/controller-psp.yaml
@ -1,4 +1,4 @@
-{{- if .Values.podSecurityPolicy.enabled -}}
+{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
--- a/charts/ingress-nginx/templates/controller-role.yaml
+++ b/charts/ingress-nginx/templates/controller-role.yaml
@ -82,6 +82,10 @@ rules:
  - apiGroups:      [{{ template "podSecurityPolicy.apiGroup" . }}]
    resources:      ['podsecuritypolicies']
    verbs:          ['use']
+    {{- with .Values.controller.existingPsp }}
+    resourceNames:  [{{ . }}]
+    {{- else }}
    resourceNames:  [{{ include "ingress-nginx.fullname" . }}]
+    {{- end }}
 {{- end }}
 {{- end }}
--- a/charts/ingress-nginx/templates/default-backend-psp.yaml
+++ b/charts/ingress-nginx/templates/default-backend-psp.yaml
@ -1,4 +1,4 @@
-{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
+{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingPsp) -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
--- a/charts/ingress-nginx/templates/default-backend-role.yaml
+++ b/charts/ingress-nginx/templates/default-backend-role.yaml
@ -10,5 +10,9 @@ rules:
  - apiGroups:      [{{ template "podSecurityPolicy.apiGroup" . }}]
    resources:      ['podsecuritypolicies']
    verbs:          ['use']
+    {{- with .Values.defaultBackend.existingPsp }}
+    resourceNames:  [{{ . }}]
+    {{- else }}
    resourceNames:  [{{ include "ingress-nginx.fullname" . }}-backend]
+    {{- end }}
 {{- end }}
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@ -18,6 +18,9 @@ controller:
    runAsUser: 101
    allowPrivilegeEscalation: true

+  # Use an existing PSP instead of creating one
+  existingPsp: ""
+
  # Configures the ports the nginx-controller listens on
  containerPort:
    http: 80
@ -473,6 +476,9 @@ controller:
    namespaceSelector: {}
    objectSelector: {}

+    # Use an existing PSP instead of creating one
+    existingPsp: ""
+
    service:
      annotations: {}
      # clusterIP: ""
@ -611,6 +617,9 @@ defaultBackend:
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false

+  # Use an existing PSP instead of creating one
+  existingPsp: ""
+
  extraArgs: {}

  serviceAccount:
--- a/docs/examples/auth/basic/README.md
+++ b/docs/examples/auth/basic/README.md
@ -112,15 +112,16 @@ server_version=nginx: 1.9.11 - lua: 10001

 HEADERS RECEIVED:
 accept=*/*
-authorization=Basic Zm9vOmJhcg==
 connection=close
 host=foo.bar.com
 user-agent=curl/7.43.0
+x-request-id=e426c7829ef9f3b18d40730857c3eddb
 x-forwarded-for=10.2.29.1
 x-forwarded-host=foo.bar.com
 x-forwarded-port=80
 x-forwarded-proto=http
 x-real-ip=10.2.29.1
+x-scheme=http
 BODY:
 * Connection #0 to host 10.2.29.4 left intact
 -no body in request-