DevFW-CICD/ingress-nginx-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'main' into main

Browse source
This commit is contained in:
Jurgen Goelen 2024-10-07 11:49:05 +02:00 committed by GitHub
commit c259b477b5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
388 changed files with 3839 additions and 8132 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

54
.github/dependabot.yml vendored
View file

@ -1,33 +1,7 @@
---
version: 2
updates:
- package-ecosystem: "gomod"
directory: "/"
schedule:
interval: "weekly"
labels:
- "area/dependency"
- "release-note-none"
- "ok-to-test"
groups:
all:
update-types:
- "patch"
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
labels:
- "area/dependency"
- "release-note-none"
- "ok-to-test"
groups:
all:
update-types:
- "minor"
- "patch"
- package-ecosystem: "docker"
directory: "/images"
schedule:
interval: "weekly"
labels:
@ -39,3 +13,31 @@ updates:
update-types:
- "minor"
- "patch"
- package-ecosystem: "docker"
directories:
- "**/rootfs"
schedule:
interval: "weekly"
labels:
- "area/dependency"
- "release-note-none"
- "ok-to-test"
groups:
docker:
update-types:
- "minor"
- "patch"
- package-ecosystem: "gomod"
directories:
- "/"
- "**/rootfs"
schedule:
interval: "weekly"
labels:
- "area/dependency"
- "release-note-none"
- "ok-to-test"
groups:
go:
update-types:
- "patch"

64
.github/workflows/chart.yaml vendored Normal file
View file

@ -0,0 +1,64 @@
name: Chart
on:
push:
branches:
- main
- release-*
paths:
- charts/ingress-nginx/Chart.yaml
workflow_dispatch:
permissions:
contents: read
jobs:
release:
name: Release
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Set up Python
uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
with:
python-version: 3.x
- name: Set up Helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
- name: Set up Helm Chart Testing
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
- name: Set up Artifact Hub
run: |
curl --fail --location https://github.com/artifacthub/hub/releases/download/v1.19.0/ah_1.19.0_linux_amd64.tar.gz --output /tmp/ah.tar.gz
echo "0e430493521ce387ca04d79b26646a86f92886dbcceb44985bb71082a9530ca5 /tmp/ah.tar.gz" | shasum --check
sudo tar --extract --file /tmp/ah.tar.gz --directory /usr/local/bin ah
- name: Set up Git
run: |
git config --global user.name "${GITHUB_ACTOR}"
git config --global user.email "${GITHUB_ACTOR}@users.noreply.github.com"
- name: Checkout code
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
fetch-depth: 0
- name: Lint chart
run: |
ct lint --config .ct.yaml
ah lint --path charts/ingress-nginx
- name: Release chart
uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
env:
CR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CR_RELEASE_NAME_TEMPLATE: helm-chart-{{ .Version }}
CR_SKIP_EXISTING: true
with:
charts_dir: charts

194
.github/workflows/ci.yaml vendored
View file

@ -9,7 +9,7 @@ on:
- 'deploy/**'
- '**.md'
- 'images/**' # Images changes should be tested on their own workflow
- '!images/nginx-1.25/**'
- '!images/nginx/**'
push:
branches:
@ -47,7 +47,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: filter
@ -68,7 +68,25 @@ jobs:
- 'NGINX_BASE'
baseimage:
- 'NGINX_BASE'
- 'images/nginx-1.25/**'
- 'images/nginx/**'
docs:
- '**/*.md'
lua:
- '**/*.lua'
lua-lint:
runs-on: ubuntu-latest
needs: changes
if: |
(needs.changes.outputs.lua == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
steps:
- name: Checkout
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Lint Lua
uses: lunarmodules/luacheck@v1
with:
args: --codes --globals lua_ingress --globals configuration --globals balancer --globals monitor --globals certificate --globals tcp_udp_configuration --globals tcp_udp_balancer --no-max-comment-line-length -q rootfs/etc/nginx/lua/
test-go:
runs-on: ubuntu-latest
@ -77,7 +95,7 @@ jobs:
(needs.changes.outputs.go == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Get go version
run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
@ -92,6 +110,27 @@ jobs:
- name: Run test
run: make test
verify-docs:
name: Verify Doc generation
runs-on: ubuntu-latest
needs: changes
if: |
(needs.changes.outputs.go == 'true') || (needs.changes.outputs.docs == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
steps:
- name: Checkout
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Get go version
run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
- name: Set up Go
id: go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: ${{ env.GOLANG_VERSION }}
check-latest: true
- name: Verify Docs
run: make verify-docs
build:
name: Build
runs-on: ubuntu-latest
@ -105,7 +144,7 @@ jobs:
PLATFORMS: linux/amd64
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Get go version
id: golangversion
@ -124,7 +163,7 @@ jobs:
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
with:
version: latest
@ -141,8 +180,8 @@ jobs:
if: |
needs.changes.outputs.baseimage == 'true'
run: |
export TAG=$(cat images/nginx-1.25/TAG)
cd images/nginx-1.25/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --load -t registry.k8s.io/ingress-nginx/nginx-1.25:${TAG} .
export TAG=$(cat images/nginx/TAG)
cd images/nginx/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --load -t registry.k8s.io/ingress-nginx/nginx:${TAG} .
- name: Build images
env:
@ -151,8 +190,8 @@ jobs:
REGISTRY: ingress-controller
run: |
echo "building images..."
export TAGNGINX=$(cat images/nginx-1.25/TAG)
make BASE_IMAGE=registry.k8s.io/ingress-nginx/nginx-1.25:${TAGNGINX} clean-image build image image-chroot
export TAGNGINX=$(cat images/nginx/TAG)
make BASE_IMAGE=registry.k8s.io/ingress-nginx/nginx:${TAGNGINX} clean-image build image image-chroot
make -C test/e2e-image image
echo "creating images cache..."
@ -163,118 +202,94 @@ jobs:
| gzip > docker.tar.gz
- name: cache
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: docker.tar.gz
path: docker.tar.gz
retention-days: 5
helm-lint:
name: Helm chart lint
chart-lint:
name: Chart / Lint
runs-on: ubuntu-latest
needs:
- changes
if: |
(needs.changes.outputs.charts == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
if: fromJSON(needs.changes.outputs.charts) || fromJSON(needs.changes.outputs.baseimage) || fromJSON(github.event.workflow_dispatch.run_e2e)
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Set up Python
uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
with:
fetch-depth: 0
python-version: 3.x
- name: Set up Helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
- uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
with:
python-version: '3.x'
- name: Set up chart-testing
- name: Set up Helm Chart Testing
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
- name: Install Helm Unit Test Plugin
- name: Set up Artifact Hub
run: |
helm plugin install https://github.com/helm-unittest/helm-unittest
curl --fail --location https://github.com/artifacthub/hub/releases/download/v1.19.0/ah_1.19.0_linux_amd64.tar.gz --output /tmp/ah.tar.gz
echo "0e430493521ce387ca04d79b26646a86f92886dbcceb44985bb71082a9530ca5 /tmp/ah.tar.gz" | shasum --check
sudo tar --extract --file /tmp/ah.tar.gz --directory /usr/local/bin ah
- name: Run Helm Unit Tests
- name: Set up Helm Docs
uses: gabe565/setup-helm-docs-action@d5c35bdc9133cfbea3b671acadf50a29029e87c2 # v1.0.4
- name: Set up Helm Unit Test
run: helm plugin install https://github.com/helm-unittest/helm-unittest
- name: Checkout code
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
fetch-depth: 0
- name: Lint chart
run: |
helm unittest charts/ingress-nginx -d
ct lint --config .ct.yaml
ah lint --path charts/ingress-nginx
- name: Run chart-testing (lint)
run: ct lint --config ./.ct.yaml
- name: Run helm-docs
- name: Check docs
run: |
GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.11.0
./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts
DIFF=$(git diff ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md)
if [ ! -z "$DIFF" ]; then
echo "Please use helm-docs in your clone, of your fork, of the project, and commit a updated README.md for the chart. https://github.com/kubernetes/ingress-nginx/blob/main/RELEASE.md#d-edit-the-valuesyaml-and-run-helm-docs"
fi
git diff --exit-code
rm -f ./helm-docs
helm-docs --chart-search-root charts
git diff --exit-code charts/ingress-nginx/README.md
- name: Run Artifact Hub lint
run: |
wget https://github.com/artifacthub/hub/releases/download/v1.5.0/ah_1.5.0_linux_amd64.tar.gz
echo 'ad0e44c6ea058ab6b85dbf582e88bad9fdbc64ded0d1dd4edbac65133e5c87da *ah_1.5.0_linux_amd64.tar.gz' | shasum -c
tar -xzvf ah_1.5.0_linux_amd64.tar.gz ah
./ah lint -p charts/ingress-nginx || exit 1
rm -f ./ah ./ah_1.5.0_linux_amd64.tar.gz
- name: Run tests
run: helm unittest charts/ingress-nginx
helm-test:
name: Helm chart testing
chart-test:
name: Chart / Test
runs-on: ubuntu-latest
needs:
- changes
- build
- helm-lint
if: |
(needs.changes.outputs.charts == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
- chart-lint
if: fromJSON(needs.changes.outputs.charts) || fromJSON(needs.changes.outputs.baseimage) || fromJSON(github.event.workflow_dispatch.run_e2e)
strategy:
matrix:
k8s: [v1.26.15, v1.27.13, v1.28.9, v1.29.4, v1.30.0]
k8s: [v1.28.13, v1.29.8, v1.30.4, v1.31.0]
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Checkout code
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Setup Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: ${{ needs.build.outputs.golangversion }}
check-latest: true
- name: cache
- name: Download cache
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: docker.tar.gz
- name: fix permissions
run: |
sudo mkdir -p $HOME/.kube
sudo chmod -R 777 $HOME/.kube
- name: Load cache
run: gzip --decompress --stdout docker.tar.gz | docker load
- name: Create Kubernetes ${{ matrix.k8s }} cluster
id: kind
run: |
kind create cluster --image=kindest/node:${{ matrix.k8s }}
- name: Load images from cache
run: |
echo "loading docker images..."
gzip -dc docker.tar.gz | docker load
- name: Test
- name: Run tests
env:
KIND_CLUSTER_NAME: kind
SKIP_CLUSTER_CREATION: true
K8S_VERSION: ${{ matrix.k8s }}
SKIP_IMAGE_CREATION: true
SKIP_INGRESS_IMAGE_CREATION: true
run: |
kind get kubeconfig > $HOME/.kube/kind-config-kind
sudo mkdir -pm 777 "${HOME}/.kube"
make kind-e2e-chart-tests
kubernetes:
@ -286,26 +301,11 @@ jobs:
(needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
strategy:
matrix:
k8s: [v1.26.15, v1.27.13, v1.28.9, v1.29.4, v1.30.0]
k8s: [v1.28.13, v1.29.8, v1.30.4, v1.31.0]
uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml
with:
k8s-version: ${{ matrix.k8s }}
kubernetes-validations:
name: Kubernetes with Validations
needs:
- changes
- build
if: |
(needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
strategy:
matrix:
k8s: [v1.26.15, v1.27.13, v1.28.9, v1.29.4, v1.30.0]
uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml
with:
k8s-version: ${{ matrix.k8s }}
variation: "VALIDATIONS"
kubernetes-chroot:
name: Kubernetes chroot
needs:
@ -315,7 +315,7 @@ jobs:
(needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
strategy:
matrix:
k8s: [v1.26.15, v1.27.13, v1.28.9, v1.29.4, v1.30.0]
k8s: [v1.28.13, v1.29.8, v1.30.4, v1.31.0]
uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml
with:
k8s-version: ${{ matrix.k8s }}

2
.github/workflows/depreview.yaml vendored
View file

@ -9,6 +9,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: 'Dependency Review'
uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4

4
.github/workflows/docs.yaml vendored
View file

@ -23,7 +23,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: filter
@ -47,7 +47,7 @@ jobs:
steps:
- name: Checkout master
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Deploy
uses: ./.github/actions/mkdocs

4
.github/workflows/golangci-lint.yml vendored
View file

@ -15,7 +15,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Get go version
run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
@ -28,6 +28,6 @@ jobs:
check-latest: true
- name: golangci-lint
uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
with:
version: v1.56

88
.github/workflows/helm.yaml vendored
View file

@ -1,88 +0,0 @@
name: Helm
on:
push:
branches:
- main
- release-*
workflow_dispatch:
permissions:
contents: read
jobs:
changes:
runs-on: ubuntu-latest
permissions:
contents: read # for dorny/paths-filter to fetch a list of changed files
if: github.repository == 'kubernetes/ingress-nginx'
outputs:
docs: ${{ steps.filter.outputs.docs }}
charts: ${{ steps.filter.outputs.charts }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Run Artifact Hub lint
run: |
wget https://github.com/artifacthub/hub/releases/download/v1.5.0/ah_1.5.0_linux_amd64.tar.gz
echo 'ad0e44c6ea058ab6b85dbf582e88bad9fdbc64ded0d1dd4edbac65133e5c87da *ah_1.5.0_linux_amd64.tar.gz' | shasum -c
tar -xzvf ah_1.5.0_linux_amd64.tar.gz ah
./ah lint -p charts/ingress-nginx || exit 1
rm -f ./ah ./ah_1.5.0_linux_amd64.tar.gz
- name: Set up chart-testing
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
- name: Run chart-testing (lint)
run: ct lint --target-branch ${{ github.ref_name }} --config ./.ct.yaml
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: filter
with:
token: ${{ secrets.GITHUB_TOKEN }}
filters: |
charts:
- 'charts/ingress-nginx/Chart.yaml'
- 'charts/ingress-nginx/values.yaml'
chart:
name: Release Chart
runs-on: ubuntu-latest
permissions:
contents: write # needed to write releases
needs:
- changes
if: ${{ needs.changes.outputs.charts == 'true' }}
steps:
- name: Checkout master
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
# Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896
fetch-depth: 0
ref: ${{ github.ref_name }}
- name: Setup
shell: bash
run: |
git config --global user.name "$GITHUB_ACTOR"
git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Helm Chart Releaser
uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
env:
CR_SKIP_EXISTING: true
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}"
with:
charts_dir: charts

41
.github/workflows/images.yaml vendored
View file

@ -36,12 +36,10 @@ jobs:
kube-webhook-certgen: ${{ steps.filter.outputs.kube-webhook-certgen }}
ext-auth-example-authsvc: ${{ steps.filter.outputs.ext-auth-example-authsvc }}
nginx: ${{ steps.filter.outputs.nginx }}
nginx125: ${{ steps.filter.outputs.nginx125 }}
opentelemetry: ${{ steps.filter.outputs.opentelemetry }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: filter
with:
@ -65,10 +63,6 @@ jobs:
- 'images/ext-auth-example-authsvc/**'
nginx:
- 'images/nginx/**'
opentelemetry:
- 'images/opentelemetry/**'
nginx125:
- 'images/nginx-1.25/TAG'
#### TODO: Make the below jobs 'less dumb' and use the job name as parameter (the github.job context does not work here)
cfssl:
@ -141,10 +135,10 @@ jobs:
(needs.changes.outputs.kube-webhook-certgen == 'true')
strategy:
matrix:
k8s: [v1.26.15, v1.27.13, v1.28.9, v1.29.4, v1.30.0]
k8s: [v1.28.13, v1.29.8, v1.30.4, v1.31.0]
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Get go version
run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
@ -166,41 +160,24 @@ jobs:
run: |
cd images/ && make NAME=kube-webhook-certgen test test-e2e
opentelemetry:
runs-on: ubuntu-latest
env:
PLATFORMS: linux/amd64,linux/arm,linux/arm64
needs: changes
if: |
(needs.changes.outputs.opentelemetry == 'true')
strategy:
matrix:
nginx: ['1.25.3', '1.21.6']
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: image build
run: |
cd images/opentelemetry && make NGINX_VERSION=${{ matrix.nginx }} build
nginx125:
nginx:
permissions:
contents: write
packages: write
runs-on: ubuntu-latest
needs: changes
if: |
(github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.changes.outputs.nginx125 == 'true')
(github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.changes.outputs.nginx == 'true')
env:
PLATFORMS: linux/amd64,linux/arm,linux/arm64,linux/s390x
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Set up QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
with:
version: latest
platforms: ${{ env.PLATFORMS }}
@ -211,5 +188,5 @@ jobs:
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: build-image
run: |
export TAG=$(cat images/nginx-1.25/TAG)
cd images/nginx-1.25/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --push -t ingressnginx/nginx-1.25:${TAG} .
export TAG=$(cat images/nginx/TAG)
cd images/nginx/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --push -t ingressnginx/nginx:${TAG} .

4
.github/workflows/junit-reports.yaml vendored
View file

@ -5,6 +5,10 @@ on:
workflows: ['CI'] # runs after CI workflow
types:
- completed
permissions:
checks: write
jobs:
report:
runs-on: ubuntu-latest

2
.github/workflows/perftest.yaml vendored
View file

@ -19,7 +19,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Install K6
run: |

2
.github/workflows/plugin.yaml vendored
View file

@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
fetch-depth: 0

6
.github/workflows/scorecards.yml vendored
View file

@ -27,7 +27,7 @@ jobs:
steps:
- name: "Checkout code"
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
persist-credentials: false
@ -51,7 +51,7 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: SARIF file
path: results.sarif
@ -59,6 +59,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
with:
sarif_file: results.sarif

6
.github/workflows/vulnerability-scans.yaml vendored
View file

@ -22,7 +22,7 @@ jobs:
versions: ${{ steps.version.outputs.TAGS }}
steps:
- name: Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
fetch-depth: 0
@ -52,7 +52,7 @@ jobs:
versions: ${{ fromJSON(needs.version.outputs.versions) }}
steps:
- name: Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- shell: bash
id: test
@ -75,7 +75,7 @@ jobs:
# This step checks out a copy of your repository.
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
with:
token: ${{ github.token }}
# Path to SARIF file relative to the root of the repository

8
.github/workflows/zz-tmpl-images.yaml vendored
View file

@ -1,5 +1,5 @@
#### THIS IS A TEMPLATE ####
# This workflow is created to be a template for every time an e2e teest is required,
# This workflow is created to be a template for every time an e2e test is required,
on:
workflow_call:
@ -31,7 +31,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: filter
with:
@ -48,7 +48,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Build
run: |
@ -67,7 +67,7 @@ jobs:
PLATFORMS: ${{ inputs.platforms-publish }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Login to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0

7
.github/workflows/zz-tmpl-k8s-e2e.yaml vendored
View file

@ -1,5 +1,5 @@
#### THIS IS A TEMPLATE ####
# This workflow is created to be a template for every time an e2e teest is required,
# This workflow is created to be a template for every time an e2e test is required,
on:
workflow_call:
@ -20,7 +20,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: cache
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
@ -43,14 +43,13 @@ jobs:
SKIP_CLUSTER_CREATION: true
SKIP_INGRESS_IMAGE_CREATION: true
SKIP_E2E_IMAGE_CREATION: true
ENABLE_VALIDATIONS: ${{ inputs.variation == 'VALIDATIONS' }}
IS_CHROOT: ${{ inputs.variation == 'CHROOT' }}
run: |
kind get kubeconfig > $HOME/.kube/kind-config-kind
make kind-e2e-test
- name: Upload e2e junit-reports ${{ inputs.variation }}
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
if: success() || failure()
with:
name: e2e-test-reports-${{ inputs.k8s-version }}${{ inputs.variation }}

1
.gitignore vendored
View file

@ -1,4 +1,3 @@
helm-docs
# OSX
._*
.DS_Store

2
.luacheckrc
View file

@ -1,6 +1,6 @@
std = 'ngx_lua'
max_line_length = 100
exclude_files = {'./rootfs/etc/nginx/lua/test/**/*.lua', './rootfs/etc/nginx/lua/plugins/**/test/**/*.lua'}
exclude_files = {'./rootfs/etc/nginx/lua/test/**/*.lua'}
files["rootfs/etc/nginx/lua/lua_ingress.lua"] = {
ignore = { "122" },
-- TODO(elvinefendi) figure out why this does not work

54
Changelog.md
View file

@ -2,7 +2,7 @@
All New change are in [Changelog](./changelog)
### 1.5.1
### 1.5.1
* Upgrade NGINX to 1.21.6
* Upgrade Golang 1.19.2
@ -102,18 +102,18 @@ Images:
### Community Updates
We will discuss the results of our Community Survey, progress on the stabilization project, and ideas going
forward with the project at
[Kubecon NA 2022 in Detroit](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/). Come join us
forward with the project at
[Kubecon NA 2022 in Detroit](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/). Come join us
and let us hear what you'd like to see in the future for ingress-nginx.
https://kccncna2022.sched.com/event/18lgl?iframe=no
[**Kubernetes Registry change notice**](https://twitter.com/BenTheElder/status/1575898507235323904)
The [@kubernetesio](https://twitter.com/kubernetesio) container image host http://k8s.gcr.io is
*actually* getting redirected to the community controlled http://registry.k8s.io starting with a small portion of
The [@kubernetesio](https://twitter.com/kubernetesio) container image host http://k8s.gcr.io is
*actually* getting redirected to the community controlled http://registry.k8s.io starting with a small portion of
traffic on October 3rd.
If you notice any issues, *please* ping [Ben Elder](https://twitter.com/BenTheElder),
If you notice any issues, *please* ping [Ben Elder](https://twitter.com/BenTheElder),
[@thockin](https://twitter.com/thockin), [@ameukam](https://twitter.com/ameukam),or report issues in slack to
[sig-k8s-infra slack channel](https://kubernetes.slack.com/archives/CCK68P2Q2).
@ -123,7 +123,7 @@ If you notice any issues, *please* ping [Ben Elder](https://twitter.com/BenTheEl
[8890](https://github.com/kubernetes/ingress-nginx/pull/8890)
* Update to Prometheus metric names, more information [available here]( https://github.com/kubernetes/ingress-nginx/pull/8728
)
* Deprecated Kubernetes versions 1.20-1.21, Added support for, 1.25, currently supported versions v1.22, v1.23, v1.24, v1.25
* Deprecated Kubernetes versions 1.20-1.21, Added support for, 1.25, currently supported versions v1.22, v1.23, v1.24, v1.25
ADDED
* `_request_duration_seconds` Histogram
@ -203,11 +203,11 @@ Images:
### 1.3.1
In v1.3.1 leader elections will be done entirely using the Lease API and no longer using configmaps.
In v1.3.1 leader elections will be done entirely using the Lease API and no longer using configmaps.
v1.3.0 is a safe transition version, using v1.3.0 can automatically complete the merging of election locks, and then you can safely upgrade to v1.3.1.
Also, *important note*, with the Release of Kubernetes v1.25 we are dropping support for the legacy branches,
Also, *important note*, with the release of Kubernetes v1.25, we are dropping support for the legacy edition,
Also, *important note*, with the Release of Kubernetes v1.25 we are dropping support for the legacy branches,
Also, *important note*, with the release of Kubernetes v1.25, we are dropping support for the legacy edition,
that means all version <1.0.0 of the ingress-nginx-controller.
## Image:
@ -277,11 +277,11 @@ All other Changes
### 1.3.0
Image:
Image:
- registry.k8s.io/ingress-nginx/controller:v1.3.0@sha256:d1707ca76d3b044ab8a28277a2466a02100ee9f58a86af1535a3edf9323ea1b5
- registry.k8s.io/ingress-nginx/controller-chroot:v1.3.0@sha256:0fcb91216a22aae43b374fc2e6a03b8afe9e8c78cbf07a09d75636dc4ea3c191
_IMPORTANT CHANGES:_
_IMPORTANT CHANGES:_
* This release removes support for Kubernetes v1.19.0
* This release adds support for Kubernetes v1.24.0
* Starting with this release, we will need permissions on the `coordination.k8s.io/leases` resource for leaderelection lock
@ -352,11 +352,11 @@ _Changes:_
### 1.2.0
Image:
Image:
- k8s.gcr.io/ingress-nginx/controller:v1.2.0@sha256:d8196e3bc1e72547c5dec66d6556c0ff92a23f6d0919b206be170bc90d5f9185
- k8s.gcr.io/ingress-nginx/controller-chroot:v1.2.0@sha256:fb17f1700b77d4fcc52ca6f83ffc2821861ae887dbb87149cf5cbc52bea425e5
This minor version release, introduces 2 breaking changes. For the first time, an option to jail/chroot the nginx process, inside the controller container, is being introduced.. This provides an additional layer of security, for sensitive information like K8S serviceaccounts. This release also brings a special new feature of deep inspection into objects. The inspection is a walk through of all the spec, checking for possible attempts to escape configs. Currently such an inspection only occurs for `networking.Ingress`. Additionally there are fixes for the recently announced CVEs on busybox & ssl_client. And there is a fix to a recently introduced redirection related bug, that was setting the protocol on URLs to "nil".
This minor version release, introduces 2 breaking changes. For the first time, an option to jail/chroot the nginx process, inside the controller container, is being introduced. This provides an additional layer of security, for sensitive information like K8S serviceaccounts. This release also brings a special new feature of deep inspection into objects. The inspection is a walk through of all the spec, checking for possible attempts to escape configs. Currently such an inspection only occurs for `networking.Ingress`. Additionally there are fixes for the recently announced CVEs on busybox & ssl_client. And there is a fix to a recently introduced redirection related bug, that was setting the protocol on URLs to "nil".
_Changes:_
@ -419,7 +419,7 @@ _Changes:_
**Image:**
- k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
This release upgrades Alpine to 3.14.4 and nginx to 1.19.10
This release upgrades Alpine to 3.14.4 and nginx to 1.19.10
Patches [OpenSSL CVE-2022-0778](https://github.com/kubernetes/ingress-nginx/issues/8339)
@ -460,7 +460,7 @@ _Changes:_
### 1.1.2
**Image:**
**Image:**
- k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
This release bumps grpc version to 1.44.0 & runc to version 1.1.0. The release also re-introduces the ingress.class annotation, which was previously declared as deprecated. Besides that, several bug fixes and improvements are listed below.
@ -502,7 +502,7 @@ _Changes:_
### 1.1.1
**Image:**
**Image:**
- k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
This release contains several fixes and improvements. This image is now built using Go v1.17.6 and gRPC v1.43.0. See detailed list below.
@ -571,9 +571,9 @@ _Changes:_
_Possible Breaking Change_
We now implement string sanitization in annotation values. This means that words like "location", "by_lua" and
others will drop the reconciliation of an Ingress object.
others will drop the reconciliation of an Ingress object.
Users from mod_security and other features should be aware that some blocked values may be used by those features
Users from mod_security and other features should be aware that some blocked values may be used by those features
and must be manually unblocked by the Ingress Administrator.
For more details please check [https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#annotation-value-word-blocklist]
@ -592,7 +592,7 @@ _Changes:_
- k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef
_Possible Breaking Change_
We have disabled the builtin ssl_session_cache due to possible memory fragmentation. This should not impact the majority of users, but please let us know
We have disabled the builtin ssl_session_cache due to possible memory fragmentation. This should not impact the majority of users, but please let us know
if you face any problem
_Changes:_
@ -608,7 +608,7 @@ _Changes:_
- k8s.gcr.io/ingress-nginx/controller:v1.0.3@sha256:4ade87838eb8256b094fbb5272d7dda9b6c7fa8b759e6af5383c1300996a7452
**Known Issues**
* Ingress controller now (starting from v1.0.0) mandates cluster scoped access to IngressClass. This leads to problems when updating old Ingress controller to newest version, as described [here](https://github.com/kubernetes/ingress-nginx/issues/7510). We plan to fix it in v1.0.4, see [this](https://github.com/kubernetes/ingress-nginx/pull/7578).
* Ingress controller now (starting from v1.0.0) mandates cluster scoped access to IngressClass. This leads to problems when updating old Ingress controller to newest version, as described [here](https://github.com/kubernetes/ingress-nginx/issues/7510). We plan to fix it in v1.0.4, see [this](https://github.com/kubernetes/ingress-nginx/pull/7578).
_New Features:_
@ -624,7 +624,7 @@ _Changes:_
- k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
**Known Issues**
* Ingress controller now (starting from v1.0.0) mandates cluster scoped access to IngressClass. This leads to problems when updating old Ingress controller to newest version, as described [here](https://github.com/kubernetes/ingress-nginx/issues/7510). We plan to fix it in v1.0.3, see [this](https://github.com/kubernetes/ingress-nginx/pull/7578).
* Ingress controller now (starting from v1.0.0) mandates cluster scoped access to IngressClass. This leads to problems when updating old Ingress controller to newest version, as described [here](https://github.com/kubernetes/ingress-nginx/issues/7510). We plan to fix it in v1.0.3, see [this](https://github.com/kubernetes/ingress-nginx/pull/7578).
_New Features:_
@ -640,7 +640,7 @@ _Changes:_
- k8s.gcr.io/ingress-nginx/controller:v1.0.1@sha256:26bbd57f32bac3b30f90373005ef669aae324a4de4c19588a13ddba399c6664e
**Known Issues**
* Ingress controller now (starting from v1.0.0) mandates cluster scoped access to IngressClass. This leads to problems when updating old Ingress controller to newest version, as described [here](https://github.com/kubernetes/ingress-nginx/issues/7510). We plan to fix it in v1.0.2, see [this](https://github.com/kubernetes/ingress-nginx/pull/7578).
* Ingress controller now (starting from v1.0.0) mandates cluster scoped access to IngressClass. This leads to problems when updating old Ingress controller to newest version, as described [here](https://github.com/kubernetes/ingress-nginx/issues/7510). We plan to fix it in v1.0.2, see [this](https://github.com/kubernetes/ingress-nginx/pull/7578).
_New Features:_
@ -883,7 +883,7 @@ _Changes:_
test #7255
- [X] [#7216](https://github.com/kubernetes/ingress-nginx/pull/7216) Admission: Skip validation checks if an ingress
is marked as deleted #7216
### 1.0.0-beta.3
** This is a breaking change**
@ -2057,7 +2057,7 @@ _Breaking Changes:_
```
Due to upcoming data privacy regulations, we are making significant changes to how you access free GeoLite2 databases starting December 30, 2019.
Learn more on our blog https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/
Learn more on our blog https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/
```
Because of this change, it is not clear we can provide the databases directly from the docker image.
@ -2193,7 +2193,7 @@ _New Features:_
If the active connections end before that, the pod will terminate gracefully at that time.
To efectively take advantage of this feature, the Configmap feature [worker-shutdown-timeout](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#worker-shutdown-timeout) new value is `240s` instead of `10s`.
To effectively take advantage of this feature, the Configmap feature [worker-shutdown-timeout](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#worker-shutdown-timeout) new value is `240s` instead of `10s`.
**IMPORTANT:** this value has a side effect during reloads, consuming more memory until the old NGINX workers are replaced.
@ -2603,7 +2603,7 @@ _New Features:_
_Breaking changes:_
- The NGINX server listening in port 18080 was removed. It was replaced by a server using an unix socket as port [#3684](https://github.com/kubernetes/ingress-nginx/pull/3684)
This server was internal to the ingress controller. In case this was being acceded from the outside, you can restore the old server using the `http-snipet` feature in the configuration configmap like:
This server was internal to the ingress controller. In case this was being acceded from the outside, you can restore the old server using the `http-snippet` feature in the configuration configmap like:
```yaml
http-snippet: |

2
GOLANG_VERSION
View file

@ -1 +1 @@
1.22.4
1.22.8

25
MANUAL_RELEASE.md
View file

@ -177,21 +177,21 @@ Promoting the images basically means that images, that were pushed to staging co
```
- The -L 38 was used for 2 reasons.
- Default number of results is 30 and there were more than 30 PRs merged while releasing v1.1.1. If you see the current/soon-to-be-old changelog, you can look at the most recent PR number that has been accounted for already, and start from after that last accounted for PR.
- The other reason to use -L 38 was to ommit the 39th, the 40th and the 41st line in the resulting list. These were non-relevant PRs.
- The other reason to use -L 38 was to omit the 39th, the 40th and the 41st line in the resulting list. These were non-relevant PRs.
- If you save the output of above command to a file called prlist.txt. It looks somewhat like this ;
```
% cat ~/Downloads/prlist.txt
% cat ~/Downloads/prlist.txt
8129 fix syntax in docs for multi-tls example
8120 Update go in runner and release v1.1.1
8119 Update to go v1.17.6
8118 Remove deprecated libraries, update other libs
8117 Fix codegen errors
8115 chart/ghaction: set the correct permission to have access to push a release
8115 chart/ghaction: set the correct permission to have access to push a release
....
```
You can delete the lines, that refer to PRs of the release process itself. We only need to list the feature/bugfix PRs. You can also delete the lines that are housekeeping or not really worth mentioning in the changelog.
- you use some easy automation in bash/python/other, to get the PR-List that can be used in the changelog. For example, its possible to use a bash scripty way, seen below, to convert those plaintext PR numbers into clickable links.
- you use some easy automation in bash/python/other, to get the PR-List that can be used in the changelog. For example, it's possible to use a bash scripty way, seen below, to convert those plaintext PR numbers into clickable links.
```
#!/usr/bin/bash
@ -205,7 +205,7 @@ Promoting the images basically means that images, that were pushed to staging co
done <$file
```
- There was a parsing issue and path issue on MacOS, so above scrpt had to be modified and MacOS monterey compatible script is below ;
- There was a parsing issue and path issue on MacOS, so above script had to be modified and MacOS monterey compatible script is below ;
```
#!/bin/bash
@ -226,19 +226,18 @@ Promoting the images basically means that images, that were pushed to staging co
```
### d. Edit the values.yaml and run helm-docs
- [Fields to edit in values.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml)
- tag
- digest
- [helm-docs](https://github.com/norwoodj/helm-docs) is a tool that generates the README.md for a helm-chart automatically. In the CI pipeline workflow of github actions (/.github/workflows/ci.yaml), you can see how helm-docs is used. But the CI pipeline is not designed to make commits back into the project. So we need to run helm-docs manually, and check in the resulting autogenerated README.md at the path /charts/ingress-nginx/README.md
- [helm-docs](https://github.com/norwoodj/helm-docs) is a tool that generates the README.md for a Helm chart automatically. In the CI pipeline workflow of GitHub actions (.github/workflows/ci.yaml), you can see how helm-docs is used. The CI pipeline is not designed to make commits back into the project, so we need to run helm-docs manually and commit the resulting generated README.md. You can obtain a recent version of the helm-docs binary here: https://github.com/norwoodj/helm-docs/releases.
```
GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.11.0
./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts
git diff --exit-code
rm -f ./helm-docs
helm-docs --chart-search-root charts
git diff charts/ingress-nginx/README.md
```
Watchout for mistakes like leaving the helm-docs executable in your clone workspace or not checking the new README.md manually etc.
Take care of not leaving the helm-docs executable in your clone workspace or not committing the new README.md.
### e. Edit the static manifests
@ -274,7 +273,7 @@ Promoting the images basically means that images, that were pushed to staging co
### h. Update README.md
- Update the table in README.md in the root of the projet to reflect the support matrix. Add the new release version and details in there.
- Update the table in README.md in the root of the project to reflect the support matrix. Add the new release version and details in there.
## 5. RELEASE new version
@ -291,7 +290,7 @@ Promoting the images basically means that images, that were pushed to staging co
- `helm repo update`
- `helm search repo ingress-nginx`
## 6. Github release
## 6. GitHub release
- Release to github

7
Makefile
View file

@ -124,6 +124,9 @@ build: ## Build ingress controller, debug tool and pre-stop hook.
clean: ## Remove .gocache directory.
rm -rf bin/ .gocache/ .cache/
.PHONY: verify-docs
verify-docs: ## Verify doc generation
hack/verify-annotation-docs.sh
.PHONY: static-check
static-check: ## Run verification script for boilerplate, codegen, gofmt, golint, lualint and chart-lint.
@ -237,8 +240,8 @@ ensure-buildx:
show-version:
echo -n $(TAG)
PLATFORMS ?= amd64 arm arm64
BUILDX_PLATFORMS ?= linux/amd64,linux/arm,linux/arm64
PLATFORMS ?= amd64 arm arm64 s390x
BUILDX_PLATFORMS ?= linux/amd64,linux/arm,linux/arm64,linux/s390x
.PHONY: release # Build a multi-arch docker image
release: ensure-buildx clean

10
NEW_CONTRIBUTOR.md
View file

@ -20,14 +20,14 @@ It all starts with the OSI model...
### Approaching the problem
Not everybody knows everything. But the factors that help are a love/passion for this to begin. But to move forward, its the approach and not the knowledge that sustains prolonged joy, while working on issues. If the approach is simple and powered by good-wishes-for-community, then info & tools are forthcoming and easy.
Not everybody knows everything. But the factors that help are a love/passion for this to begin. But to move forward, it's the approach and not the knowledge that sustains prolonged joy, while working on issues. If the approach is simple and powered by good-wishes-for-community, then info & tools are forthcoming and easy.
Here we take a bird's eye-view of the hops in the network plumbing, that a packet takes, from source to destination, when we run `curl`, from a laptop to a nginx webserver process, running in a container, inside a pod, inside a Kubernetes cluster, created using `kind` or `minikube` or any other cluster-management tool.
### [Kind](https://kind.sigs.k8s.io/) cluster example on a Linux Host
#### TL;DR
The destination of the packet from the curl command, is looked up, in the `routing table`. Based on the route, the the packet first travels to the virtual bridge `172.18.0.1` interface, created by docker, when we created the kind cluster on a laptop. Next the packet is forwarded to `172.18.0.2`(See below on how we got this IP address), within the kind cluster. The `kube-proxy` container creates iptables rules that make sure the packet goes to the correct pod ip in this case `10.244.0.5`
The destination of the packet from the curl command, is looked up, in the `routing table`. Based on the route, the packet first travels to the virtual bridge `172.18.0.1` interface, created by docker, when we created the kind cluster on a laptop. Next the packet is forwarded to `172.18.0.2`(See below on how we got this IP address), within the kind cluster. The `kube-proxy` container creates iptables rules that make sure the packet goes to the correct pod ip in this case `10.244.0.5`
Command:
```
@ -435,7 +435,7 @@ virbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
```
Output Relevance: From the above output you can see there are two Virtual Bridges created by minikube when we created the cluster on the network. Here, `virbr0` is the default NAT network bridge while `virbr2` is a isolated network bridge on which the pods run.
Minikube creates a Virtual Machine, to enter the virtual machine we can simple do:
Minikube creates a Virtual Machine, to enter the virtual machine we can simply do:
```
# minikube ssh
```
@ -707,7 +707,7 @@ NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
httpd ClusterIP 10.104.111.0 <none> 80/TCP 13s
```
Once we have this we can now create a n ingress using the following
Once we have this we can now create an ingress using the following
```
kubectl -n httpd create ingress httpd --class nginx --rule httpd.dev.leonnunes.com/"*"=httpd:80
```
@ -771,7 +771,7 @@ Hypertext Transfer Protocol
[Response in frame: 6]
```
The above output shows the information that the `httpd` pod recieves. The `curl` command sends the host header, `Host: httpd.dev.leonnunes.com`, to the nginx controller, that then matches the rule and sends the information to the right controller
The above output shows the information that the `httpd` pod receives. The `curl` command sends the host header, `Host: httpd.dev.leonnunes.com`, to the nginx controller, that then matches the rule and sends the information to the right controller
The following output shows what is sent via the laptop.
```

2
NGINX_BASE
View file

@ -1 +1 @@
registry.k8s.io/ingress-nginx/nginx-1.25:v0.0.10@sha256:1686f4cd2e16f09a1e7d27529d21eb74a8b551dc06ef86189ac837d3d6548725
registry.k8s.io/ingress-nginx/nginx:v1.0.0@sha256:11ee0d0e3d063f1468f9a82958d57fa0718614fe10b676941f4dea0aef091faf

4
README.md
View file

@ -17,6 +17,8 @@ balancer.
See the [Getting Started](https://kubernetes.github.io/ingress-nginx/deploy/) document.
Do not use in multi-tenant Kubernetes production installations. This project assumes that users that can create Ingress objects are administrators of the cluster. See the [FAQ](https://kubernetes.github.io/ingress-nginx/faq/#faq) for more.
## Troubleshooting
If you encounter issues, review the [troubleshooting docs](docs/troubleshooting.md),
@ -37,8 +39,10 @@ the versions listed. Ingress-Nginx versions **may** work on older versions, but
| Supported | Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version | Helm Chart Version |
| :-------: | --------------------- | ----------------------------- | -------------- | ------------- | ------------------ |
| 🔄 | **v1.11.2** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.11.2 |
| 🔄 | **v1.11.1** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.11.1 |
| 🔄 | **v1.11.0** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.11.0 |
| 🔄 | **v1.10.4** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.10.4 |
| 🔄 | **v1.10.3** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.10.3 |
| 🔄 | **v1.10.2** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.10.2 |
| 🔄 | **v1.10.1** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.19.1 | 1.25.3 | 4.10.1 |

4
build/run-in-docker.sh
View file

@ -44,7 +44,7 @@ function cleanup {
}
trap cleanup EXIT
E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20240729-04899b27@sha256:9f067e6c861343da47f5851bf255aecdeb33a61fc5991a6c659fb237a3f619f9}
E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20241004-114a6abb@sha256:1389ec0589abbf5c431c9290c4c307437c8396995c63dda5eac26abd70963dc8}
if [[ "$RUNTIME" == podman ]]; then
# Podman does not support both tag and digest
@ -82,7 +82,7 @@ if [[ "$DOCKER_IN_DOCKER_ENABLED" == "true" ]]; then
echo "..reached DIND check TRUE block, inside run-in-docker.sh"
echo "FLAGS=$FLAGS"
#go env
go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.19.1
go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.20.2
find / -type f -name ginkgo 2>/dev/null
which ginkgo
/bin/bash -c "${FLAGS}"

2
build/run-ingress-controller.sh
View file

@ -49,7 +49,7 @@ fi
SSL_VOLUME=$(mktemp -d)
function cleanup {
echo -e "${BGREEN}Stoping kubectl proxy${NC}"
echo -e "${BGREEN}Stopping kubectl proxy${NC}"
rm -rf "${SSL_VOLUME}"
kill "$proxy_pid"
}

53
changelog/controller-1.10.4.md Normal file
View file

@ -0,0 +1,53 @@
# Changelog
### controller-v1.10.4
Images:
* registry.k8s.io/ingress-nginx/controller:v1.10.4@sha256:505b9048c02dde3d6c8667bf0b52aba7b36adf7b03da34c47d5fa312d2d4c6fc
* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.4@sha256:bf71acf6e71830a4470e2183e3bc93c4f006b954f8a05fb434242ef0f8a24858
### All changes:
* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11811)
* Images: Trigger controller build. (#11808)
* Tests & Docs: Bump images. (#11804)
* Images: Trigger failed builds. (#11801)
* Images: Trigger other builds. (#11797)
* Controller: Fix panic in alternative backend merging. (#11793)
* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11791)
* Images: Trigger `test-runner` build. (#11786)
* Images: Bump `NGINX_BASE` to v0.0.12. (#11783)
* Images: Trigger NGINX build. (#11780)
* Cloud Build: Add missing config, remove unused ones. (#11776)
* Generate correct output on NumCPU() when using cgroups2 (#11775)
* Cloud Build: Tweak timeouts. (#11762)
* Cloud Build: Fix substitutions. (#11759)
* Cloud Build: Some chores. (#11756)
* Go: Bump to v1.22.6. (#11748)
* Images: Bump `NGINX_BASE` to v0.0.11. (#11744)
* Images: Trigger NGINX build. (#11736)
* docs: update OpenSSL Roadmap link (#11734)
* Go: Bump to v1.22.5. (#11731)
* Docs: Fix typo in AWS LB Controller reference (#11724)
* Perform some cleaning operations on line breaks. (#11722)
* Missing anchors in regular expression. (#11718)
* Docs: Fix `from-to-www` redirect description. (#11715)
* Chart: Remove `isControllerTagValid`. (#11714)
* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11704)
* Docs: Clarify `from-to-www` redirect direction. (#11692)
* added real-client-ip faq (#11665)
* Docs: Format NGINX configuration table. (#11660)
### Dependency updates:
* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11772)
* Bump the all group with 2 updates (#11770)
* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11768)
* Bump the all group with 3 updates (#11729)
* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11700)
* Bump the all group with 2 updates (#11697)
* Bump the all group with 4 updates (#11676)
* Bump the all group with 2 updates (#11674)
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.3...controller-v1.10.4

2
changelog/controller-1.11.0.md
View file

@ -94,7 +94,7 @@ Images:
* Chart: Improve IngressClass documentation. (#11104)
* Chart: Deploy `PodDisruptionBudget` with KEDA. (#11032)
* Undo #11062 since it breaks the nginx config (#11082)
* [mTLS] Fix acme verfication when mTLS and Client CN verification is enabled (#11062)
* [mTLS] Fix acme verification when mTLS and Client CN verification is enabled (#11062)
* golangci-lint update, ci cleanup, group dependabot updates (#11071)
* bump golang (#11070)
* feature(leader_election): flag to disable leader election feature on controller (#11064)

54
changelog/controller-1.11.2.md Normal file
View file

@ -0,0 +1,54 @@
# Changelog
### controller-v1.11.2
Images:
* registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce
* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.2@sha256:21b55a2f0213a18b91612a8c0850167e00a8e34391fd595139a708f9c047e7a8
### All changes:
* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11812)
* Images: Trigger controller build. (#11807)
* Tests & Docs: Bump images. (#11805)
* Images: Trigger failed builds. (#11802)
* Images: Trigger other builds. (#11798)
* Controller: Fix panic in alternative backend merging. (#11794)
* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11792)
* Images: Trigger `test-runner` build. (#11787)
* Images: Bump `NGINX_BASE` to v0.0.12. (#11784)
* Images: Trigger NGINX build. (#11781)
* Cloud Build: Add missing config, remove unused ones. (#11777)
* Generate correct output on NumCPU() when using cgroups2 (#11778)
* Cloud Build: Tweak timeouts. (#11763)
* Cloud Build: Fix substitutions. (#11760)
* Cloud Build: Some chores. (#11757)
* Go: Bump to v1.22.6. (#11749)
* Images: Bump `NGINX_BASE` to v0.0.11. (#11743)
* Images: Trigger NGINX build. (#11737)
* docs: update OpenSSL Roadmap link (#11733)
* Go: Bump to v1.22.5. (#11732)
* Docs: Fix typo in AWS LB Controller reference (#11725)
* Perform some cleaning operations on line breaks. (#11721)
* Missing anchors in regular expression. (#11719)
* Docs: Fix `from-to-www` redirect description. (#11716)
* Chart: Remove `isControllerTagValid`. (#11713)
* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11705)
* Docs: Clarify `from-to-www` redirect direction. (#11693)
* added real-client-ip faq (#11664)
* Docs: Format NGINX configuration table. (#11662)
* Docs: Update version in `deploy/index.md`. (#11652)
### Dependency updates:
* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11773)
* Bump the all group with 2 updates (#11771)
* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11769)
* Bump the all group with 3 updates (#11728)
* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11701)
* Bump the all group with 2 updates (#11698)
* Bump the all group with 4 updates (#11677)
* Bump the all group with 2 updates (#11675)
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.1...controller-v1.11.2

2
changelog/controller-1.6.4.md
View file

@ -83,7 +83,7 @@ Images:
* ModSecurity dependencies update to avoid Memory Leaks (#9330)
* fix(hpa): deprecated api version, bump to v2 (#9348)
* fix(typo): pluralize provider (#9346)
* removed deprecation messsage for ingressClass annotation (#9357)
* removed deprecation message for ingressClass annotation (#9357)
* added ginkgo junit reports (#9350)
* Fix typos found by codespell (#9353)
* bumped ginkgo to v2.5.1 in testrunner (#9340)

2
changelog/controller-1.7.1.md
View file

@ -15,7 +15,7 @@ Images:
* Add support for --container flag (#9703)
* Fix typo in OpenTelemetry (#9903)
* ensure make lua-test runs locally (#9902)
* update k8s.io dependecies to v0.26.4 (#9893)
* update k8s.io dependencies to v0.26.4 (#9893)
* Adding resource type to default HPA configuration to resolve issues with Terraform helm chart usage (#9803)
* I have not been able to fulfill my maintainer responsibilities for a while already, making it official now. (#9883)
* Update k8s versions (#9879)

2
changelog/controller-1.8.0.md
View file

@ -39,7 +39,7 @@ on our new [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernet
* Correct annotations in monitoring docs (#9976)
* fix: avoid builds and tests for changes to markdown (#9962)
* Validate path types (#9967)
* HPA: Use capabilites & align manifests. (#9521)
* HPA: Use capabilities & align manifests. (#9521)
* Use dl.k8s.io instead of hardcoded GCS URIs (#9946)
* add option for annotations in PodDisruptionBudget (#9843)
* chore: update httpbin to httpbun (#9919)

2
changelog/controller-1.9.0-beta.0.md
View file

@ -26,7 +26,7 @@ Images:
* Add golangci github action and replace the deprecated golint (#10187)
* BUGFIX incorrect indentation (#10254)
* Upgrade OpenTelemetry to v1.11.0 and gRPC to v1.57.0 (#10352)
* fix: path with sepecial characters warning #10281 #10308 (#10330)
* fix: path with special characters warning #10281 #10308 (#10330)
* Fix golangci-lint errors (#10196)
* chore(build): Fix Run make dev-env syntax error (#10294)
* Add firewall configuration to quick start documentation (#10357)

2
changelog/controller-1.9.0.md
View file

@ -26,7 +26,7 @@ Images:
* Add golangci github action and replace the deprecated golint (#10187)
* BUGFIX incorrect indentation (#10254)
* Upgrade OpenTelemetry to v1.11.0 and gRPC to v1.57.0 (#10352)
* fix: path with sepecial characters warning #10281 #10308 (#10330)
* fix: path with special characters warning #10281 #10308 (#10330)
* Fix golangci-lint errors (#10196)
* chore(build): Fix Run make dev-env syntax error (#10294)
* Add firewall configuration to quick start documentation (#10357)

6
charts/ingress-nginx/Chart.yaml
View file

@ -1,9 +1,9 @@
annotations:
artifacthub.io/changes: |
- Update Ingress-Nginx version controller-v1.11.1
- Update Ingress-Nginx version controller-v1.11.2
artifacthub.io/prerelease: "false"
apiVersion: v2
appVersion: 1.11.1
appVersion: 1.11.2
description: Ingress controller for Kubernetes using NGINX as a reverse proxy and
load balancer
home: https://github.com/kubernetes/ingress-nginx
@ -22,4 +22,4 @@ maintainers:
name: ingress-nginx
sources:
- https://github.com/kubernetes/ingress-nginx
version: 4.11.1
version: 4.11.2

50
charts/ingress-nginx/README.md
View file

@ -2,7 +2,7 @@
[ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
![Version: 4.11.1](https://img.shields.io/badge/Version-4.11.1-informational?style=flat-square) ![AppVersion: 1.11.1](https://img.shields.io/badge/AppVersion-1.11.1-informational?style=flat-square)
![Version: 4.11.2](https://img.shields.io/badge/Version-4.11.2-informational?style=flat-square) ![AppVersion: 1.11.2](https://img.shields.io/badge/AppVersion-1.11.2-informational?style=flat-square)
To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
@ -244,7 +244,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.admissionWebhooks.createSecretJob.resources | object | `{}` | |
| controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers |
| controller.admissionWebhooks.enabled | bool | `true` | |
| controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one |
| controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set |
| controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use |
| controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` | |
@ -253,11 +252,10 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.admissionWebhooks.namespaceSelector | object | `{}` | |
| controller.admissionWebhooks.objectSelector | object | `{}` | |
| controller.admissionWebhooks.patch.enabled | bool | `true` | |
| controller.admissionWebhooks.patch.image.digest | string | `"sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366"` | |
| controller.admissionWebhooks.patch.image.digest | string | `"sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f"` | |
| controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | |
| controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | |
| controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | |
| controller.admissionWebhooks.patch.image.tag | string | `"v1.4.1"` | |
| controller.admissionWebhooks.patch.image.tag | string | `"v1.4.4"` | |
| controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
| controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
| controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | |
@ -304,15 +302,14 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. |
| controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' |
| controller.electionTTL | string | `""` | Duration a leader election is valid before it's getting re-elected, e.g. `15s`, `10m` or `1h`. (Default: 30s) |
| controller.enableAnnotationValidations | bool | `false` | |
| controller.enableAnnotationValidations | bool | `true` | |
| controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # |
| controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false |
| controller.existingPsp | string | `""` | Use an existing PSP instead of creating one |
| controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use |
| controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. |
| controller.extraEnvs | list | `[]` | Additional environment variables to set |
| controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. |
| controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module |
| controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. |
| controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. |
| controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. |
| controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. |
@ -325,17 +322,16 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.hostname | object | `{}` | Optionally customize the pod hostname. |
| controller.image.allowPrivilegeEscalation | bool | `false` | |
| controller.image.chroot | bool | `false` | |
| controller.image.digest | string | `"sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a"` | |
| controller.image.digestChroot | string | `"sha256:7cabe4bd7558bfdf5b707976d7be56fd15ffece735d7c90fc238b6eda290fd8d"` | |
| controller.image.digest | string | `"sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce"` | |
| controller.image.digestChroot | string | `"sha256:21b55a2f0213a18b91612a8c0850167e00a8e34391fd595139a708f9c047e7a8"` | |
| controller.image.image | string | `"ingress-nginx/controller"` | |
| controller.image.pullPolicy | string | `"IfNotPresent"` | |
| controller.image.readOnlyRootFilesystem | bool | `false` | |
| controller.image.registry | string | `"registry.k8s.io"` | |
| controller.image.runAsGroup | int | `82` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) |
| controller.image.runAsNonRoot | bool | `true` | |
| controller.image.runAsUser | int | `101` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) |
| controller.image.seccompProfile.type | string | `"RuntimeDefault"` | |
| controller.image.tag | string | `"v1.11.1"` | |
| controller.image.tag | string | `"v1.11.2"` | |
| controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
| controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
| controller.ingressClassResource | object | `{"aliases":[],"annotations":{},"controllerValue":"k8s.io/ingress-nginx","default":false,"enabled":true,"name":"nginx","parameters":{}}` | This section refers to the creation of the IngressClass resource. IngressClasses are immutable and cannot be changed after creation. We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required. |
@ -367,21 +363,23 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.livenessProbe.periodSeconds | int | `10` | |
| controller.livenessProbe.successThreshold | int | `1` | |
| controller.livenessProbe.timeoutSeconds | int | `1` | |
| controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. # https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases |
| controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. # https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/ |
| controller.metrics.enabled | bool | `false` | |
| controller.metrics.port | int | `10254` | |
| controller.metrics.portName | string | `"metrics"` | |
| controller.metrics.prometheusRule.additionalLabels | object | `{}` | |
| controller.metrics.prometheusRule.annotations | object | `{}` | Annotations to be added to the PrometheusRule. |
| controller.metrics.prometheusRule.enabled | bool | `false` | |
| controller.metrics.prometheusRule.rules | list | `[]` | |
| controller.metrics.service.annotations | object | `{}` | |
| controller.metrics.service.enabled | bool | `true` | Enable the metrics service or not. |
| controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
| controller.metrics.service.labels | object | `{}` | Labels to be added to the metrics service resource |
| controller.metrics.service.loadBalancerSourceRanges | list | `[]` | |
| controller.metrics.service.servicePort | int | `10254` | |
| controller.metrics.service.type | string | `"ClusterIP"` | |
| controller.metrics.serviceMonitor.additionalLabels | object | `{}` | |
| controller.metrics.serviceMonitor.annotations | object | `{}` | |
| controller.metrics.serviceMonitor.annotations | object | `{}` | Annotations to be added to the ServiceMonitor. |
| controller.metrics.serviceMonitor.enabled | bool | `false` | |
| controller.metrics.serviceMonitor.metricRelabelings | list | `[]` | |
| controller.metrics.serviceMonitor.namespace | string | `""` | |
@ -394,25 +392,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.name | string | `"controller"` | |
| controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
| controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | |
| controller.opentelemetry.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | |
| controller.opentelemetry.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | |
| controller.opentelemetry.containerSecurityContext.runAsGroup | int | `65532` | |
| controller.opentelemetry.containerSecurityContext.runAsNonRoot | bool | `true` | |
| controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. |
| controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| controller.opentelemetry.enabled | bool | `false` | |
| controller.opentelemetry.image.digest | string | `"sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` | |
| controller.opentelemetry.image.distroless | bool | `true` | |
| controller.opentelemetry.image.image | string | `"ingress-nginx/opentelemetry"` | |
| controller.opentelemetry.image.registry | string | `"registry.k8s.io"` | |
| controller.opentelemetry.image.tag | string | `"v20230721-3e2062ee5"` | |
| controller.opentelemetry.name | string | `"opentelemetry"` | |
| controller.opentelemetry.resources | object | `{}` | |
| controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # |
| controller.podLabels | object | `{}` | Labels to add to the pod container metadata |
| controller.podSecurityContext | object | `{}` | Security context for controller pods |
| controller.priorityClassName | string | `""` | |
| controller.progressDeadlineSeconds | int | `0` | Specifies the number of seconds you want to wait for the controller deployment to progress before the system reports back that it has failed. Ref.: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds |
| controller.proxySetHeaders | object | `{}` | Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers |
| controller.publishService | object | `{"enabled":true,"pathOverride":""}` | Allows customization of the source of the IP address or FQDN to report in the ingress status field. By default, it reads the information provided by the service. If disable, the status field reports the IP address of the node or nodes where an ingress controller pod is running. |
| controller.publishService.enabled | bool | `true` | Enable 'publishService' or not |
@ -485,6 +469,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. # Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ # |
| controller.udp.annotations | object | `{}` | Annotations to be added to the udp config configmap |
| controller.udp.configMapNamespace | string | `""` | Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) |
| controller.unhealthyPodEvictionPolicy | string | `""` | Eviction policy for unhealthy pods guarded by PodDisruptionBudget. Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ |
| controller.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
| controller.watchIngressWithoutClass | bool | `false` | Process Ingress objects without ingressClass annotation/ingressClassName field Overrides value for --watch-ingress-without-class flag of the controller binary Defaults to false |
| defaultBackend.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity |
@ -496,7 +481,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` | |
| defaultBackend.containerSecurityContext | object | `{}` | Security context for default backend containers |
| defaultBackend.enabled | bool | `false` | |
| defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one |
| defaultBackend.extraArgs | object | `{}` | |
| defaultBackend.extraConfigMaps | list | `[]` | |
| defaultBackend.extraEnvs | list | `[]` | Additional environment variables to set for defaultBackend pods |
@ -506,7 +490,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.image.image | string | `"defaultbackend-amd64"` | |
| defaultBackend.image.pullPolicy | string | `"IfNotPresent"` | |
| defaultBackend.image.readOnlyRootFilesystem | bool | `true` | |
| defaultBackend.image.registry | string | `"registry.k8s.io"` | |
| defaultBackend.image.runAsGroup | int | `65534` | |
| defaultBackend.image.runAsNonRoot | bool | `true` | |
| defaultBackend.image.runAsUser | int | `65534` | |
@ -518,7 +501,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.livenessProbe.periodSeconds | int | `10` | |
| defaultBackend.livenessProbe.successThreshold | int | `1` | |
| defaultBackend.livenessProbe.timeoutSeconds | int | `5` | |
| defaultBackend.minAvailable | int | `1` | |
| defaultBackend.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. |
| defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
| defaultBackend.name | string | `"defaultbackend"` | |
| defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
@ -545,11 +528,12 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.serviceAccount.name | string | `""` | |
| defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # |
| defaultBackend.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. Ref.: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ |
| defaultBackend.unhealthyPodEvictionPolicy | string | `""` | Eviction policy for unhealthy pods guarded by PodDisruptionBudget. Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ |
| defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
| dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param |
| global.image.registry | string | `"registry.k8s.io"` | Registry host to pull images from. |
| imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
| namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace |
| podSecurityPolicy.enabled | bool | `false` | |
| portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration |
| rbac.create | bool | `true` | |
| rbac.scope | bool | `false` | |

2
charts/ingress-nginx/changelog/helm-chart-4.1.2.md
View file

@ -5,7 +5,7 @@ This file documents all notable changes to [ingress-nginx](https://github.com/ku
### 4.1.2
* [8587](https://github.com/kubernetes/ingress-nginx/pull/8587) Add CAP_SYS_CHROOT to DS/PSP when needed
* [8458](https://github.com/kubernetes/ingress-nginx/pull/8458) Add portNamePreffix Helm chart parameter
* [8458](https://github.com/kubernetes/ingress-nginx/pull/8458) Add portNamePrefix Helm chart parameter
* [8522](https://github.com/kubernetes/ingress-nginx/pull/8522) Add documentation for controller.service.loadBalancerIP in Helm chart
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.1.0...helm-chart-4.1.2

9
charts/ingress-nginx/changelog/helm-chart-4.10.4.md Normal file
View file

@ -0,0 +1,9 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.10.4
* Update Ingress-Nginx version controller-v1.10.4
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.3...helm-chart-4.10.4

9
charts/ingress-nginx/changelog/helm-chart-4.11.2.md Normal file
View file

@ -0,0 +1,9 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.11.2
* Update Ingress-Nginx version controller-v1.11.2
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.1...helm-chart-4.11.2

2
charts/ingress-nginx/changelog/helm-chart-4.7.0.md
View file

@ -6,7 +6,7 @@ This file documents all notable changes to [ingress-nginx](https://github.com/ku
* helm: Fix opentelemetry module installation for daemonset (#9792)
* Update charts/* to keep project name display aligned (#9931)
* HPA: Use capabilites & align manifests. (#9521)
* HPA: Use capabilities & align manifests. (#9521)
* PodDisruptionBudget spec logic update (#9904)
* add option for annotations in PodDisruptionBudget (#9843)
* Update Ingress-Nginx version controller-v1.8.0

8
charts/ingress-nginx/ci/deamonset-default-values.yaml → charts/ingress-nginx/ci/admission-webhooks-cert-manager-values.yaml
View file

@ -1,10 +1,12 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
admissionWebhooks:
certManager:
enabled: true

6
charts/ingress-nginx/ci/controller-admission-tls-cert-manager-values.yaml
View file

@ -1,6 +0,0 @@
controller:
admissionWebhooks:
certManager:
enabled: true
service:
type: ClusterIP

5
charts/ingress-nginx/ci/deployment-default-values.yaml → charts/ingress-nginx/ci/controller-configmap-addheaders-values.yaml
View file

@ -1,8 +1,11 @@
# Left blank to test default values
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
addHeaders:
X-Frame-Options: deny

11
charts/ingress-nginx/ci/controller-configmap-proxyheaders-values.yaml Normal file
View file

@ -0,0 +1,11 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
proxySetHeaders:
X-Forwarded-Proto: https

11
charts/ingress-nginx/ci/controller-configmap-values.yaml Normal file
View file

@ -0,0 +1,11 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
config:
use-proxy-protocol: "true"

7
charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml
View file

@ -1,7 +0,0 @@
controller:
watchIngressWithoutClass: true
ingressClassResource:
name: custom-nginx
enabled: true
default: true
controllerValue: "k8s.io/custom-nginx"

9
charts/ingress-nginx/ci/deamonset-webhook-values.yaml → charts/ingress-nginx/ci/controller-daemonset-metrics-values.yaml
View file

@ -1,10 +1,13 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: true
service:
type: ClusterIP
kind: DaemonSet
metrics:
enabled: true

13
charts/ingress-nginx/ci/daemonset-podannotations-values.yaml → charts/ingress-nginx/ci/controller-daemonset-podannotations-values.yaml
View file

@ -1,17 +1,16 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
metrics:
enabled: true
service:
type: ClusterIP
kind: DaemonSet
podAnnotations:
prometheus.io/path: /metrics
prometheus.io/scrape: "true"
prometheus.io/port: "10254"
prometheus.io/scheme: http
prometheus.io/scrape: "true"
prometheus.io/path: /metrics

4
charts/ingress-nginx/ci/deployment-psp-values.yaml → charts/ingress-nginx/ci/controller-daemonset-values.yaml
View file

@ -3,8 +3,8 @@ controller:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
podSecurityPolicy:
enabled: true
kind: DaemonSet

8
charts/ingress-nginx/ci/deployment-webhook-values.yaml → charts/ingress-nginx/ci/controller-deployment-metrics-values.yaml
View file

@ -3,7 +3,11 @@ controller:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: true
service:
type: ClusterIP
kind: Deployment
metrics:
enabled: true

12
charts/ingress-nginx/ci/deployment-podannotations-values.yaml → charts/ingress-nginx/ci/controller-deployment-podannotations-values.yaml
View file

@ -3,14 +3,14 @@ controller:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
metrics:
enabled: true
service:
type: ClusterIP
kind: Deployment
podAnnotations:
prometheus.io/path: /metrics
prometheus.io/scrape: "true"
prometheus.io/port: "10254"
prometheus.io/scheme: http
prometheus.io/scrape: "true"
prometheus.io/path: /metrics

5
charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml → charts/ingress-nginx/ci/controller-deployment-values.yaml
View file

@ -3,7 +3,8 @@ controller:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
opentelemetry:
enabled: true
kind: Deployment

12
charts/ingress-nginx/ci/deployment-autoscaling-behavior-values.yaml → charts/ingress-nginx/ci/controller-hpa-values.yaml
View file

@ -1,4 +1,12 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
autoscaling:
enabled: true
behavior:
@ -8,7 +16,3 @@ controller:
- type: Pods
value: 1
periodSeconds: 180
admissionWebhooks:
enabled: false
service:
type: ClusterIP

15
charts/ingress-nginx/ci/controller-ingressclass-values.yaml Normal file
View file

@ -0,0 +1,15 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
ingressClassResource:
name: custom-nginx
default: true
controllerValue: k8s.io/custom-nginx
watchIngressWithoutClass: true

5
charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml → charts/ingress-nginx/ci/controller-service-internal-values.yaml
View file

@ -1,13 +1,12 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
internal:
enabled: true
annotations:

10
charts/ingress-nginx/ci/deployment-customnodeport-values.yaml → charts/ingress-nginx/ci/controller-service-values.yaml
View file

@ -3,18 +3,20 @@ controller:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: NodePort
nodePorts:
tcp:
9000: 30090
udp:
9001: 30091
portNamePrefix: port
tcp:
9000: "default/test:8080"
9000: default/test:8080
udp:
9001: "default/test:8080"
9001: default/test:8080

14
charts/ingress-nginx/ci/daemonset-customconfig-values.yaml
View file

@ -1,14 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
kind: DaemonSet
allowSnippetAnnotations: false
admissionWebhooks:
enabled: false
service:
type: ClusterIP
config:
use-proxy-protocol: "true"

22
charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml
View file

@ -1,22 +0,0 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: NodePort
nodePorts:
tcp:
9000: 30090
udp:
9001: 30091
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"

13
charts/ingress-nginx/ci/daemonset-extra-modules.yaml
View file

@ -1,13 +0,0 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
service:
type: ClusterIP
extraModules:
- name: opentelemetry
image:
registry: registry.k8s.io
image: busybox
tag: latest

14
charts/ingress-nginx/ci/daemonset-headers-values.yaml
View file

@ -1,14 +0,0 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
addHeaders:
X-Frame-Options: deny
proxySetHeaders:
X-Forwarded-Proto: https
service:
type: ClusterIP

10
charts/ingress-nginx/ci/daemonset-nodeport-values.yaml
View file

@ -1,10 +0,0 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: NodePort

20
charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml
View file

@ -1,20 +0,0 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
tcp:
configMapNamespace: default
udp:
configMapNamespace: default
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"

18
charts/ingress-nginx/ci/daemonset-tcp-udp-portNamePrefix-values.yaml
View file

@ -1,18 +0,0 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"
portNamePrefix: "port"

16
charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml
View file

@ -1,16 +0,0 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"

14
charts/ingress-nginx/ci/daemonset-tcp-values.yaml
View file

@ -1,14 +0,0 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
tcp:
9000: "default/test:8080"
9001: "default/test:8080"

12
charts/ingress-nginx/ci/deamonset-metrics-values.yaml
View file

@ -1,12 +0,0 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
metrics:
enabled: true
service:
type: ClusterIP

13
charts/ingress-nginx/ci/deamonset-psp-values.yaml
View file

@ -1,13 +0,0 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
podSecurityPolicy:
enabled: true

13
charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml
View file

@ -1,13 +0,0 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: true
service:
type: ClusterIP
podSecurityPolicy:
enabled: true

11
charts/ingress-nginx/ci/deployment-autoscaling-values.yaml
View file

@ -1,11 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
autoscaling:
enabled: true
admissionWebhooks:
enabled: false
service:
type: ClusterIP

12
charts/ingress-nginx/ci/deployment-customconfig-values.yaml
View file

@ -1,12 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
config:
use-proxy-protocol: "true"
allowSnippetAnnotations: false
admissionWebhooks:
enabled: false
service:
type: ClusterIP

15
charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml
View file

@ -1,15 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
containerSecurityContext:
allowPrivilegeEscalation: false
extraModules:
- name: opentelemetry
image:
registry: registry.k8s.io
image: busybox
tag: latest

15
charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml
View file

@ -1,15 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
extraModules:
- name: opentelemetry
image:
registry: registry.k8s.io
image: busybox
tag: latest
containerSecurityContext:
allowPrivilegeEscalation: false

13
charts/ingress-nginx/ci/deployment-extra-modules.yaml
View file

@ -1,13 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
extraModules:
- name: opentelemetry
image:
registry: registry.k8s.io
image: busybox
tag: latest

13
charts/ingress-nginx/ci/deployment-headers-values.yaml
View file

@ -1,13 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
addHeaders:
X-Frame-Options: deny
proxySetHeaders:
X-Forwarded-Proto: https
service:
type: ClusterIP

19
charts/ingress-nginx/ci/deployment-internal-lb-values.yaml
View file

@ -1,19 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
internal:
enabled: true
annotations:
service.beta.kubernetes.io/aws-load-balancer-internal: "true"
ports:
http: 443
https: 80
targetPorts:
http: 443
https: 80

11
charts/ingress-nginx/ci/deployment-metrics-values.yaml
View file

@ -1,11 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
metrics:
enabled: true
service:
type: ClusterIP

9
charts/ingress-nginx/ci/deployment-nodeport-values.yaml
View file

@ -1,9 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: NodePort

19
charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml
View file

@ -1,19 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
tcp:
configMapNamespace: default
udp:
configMapNamespace: default
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"

17
charts/ingress-nginx/ci/deployment-tcp-udp-portNamePrefix-values.yaml
View file

@ -1,17 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"
portNamePrefix: "port"

15
charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml
View file

@ -1,15 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"

11
charts/ingress-nginx/ci/deployment-tcp-values.yaml
View file

@ -1,11 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
tcp:
9000: "default/test:8080"
9001: "default/test:8080"

12
charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml
View file

@ -1,12 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: true
service:
type: ClusterIP
podSecurityPolicy:
enabled: true

12
charts/ingress-nginx/ci/deployment-webhook-extraEnvs-values.yaml
View file

@ -1,12 +0,0 @@
controller:
service:
type: ClusterIP
admissionWebhooks:
enabled: true
extraEnvs:
- name: FOO
value: foo
- name: TEST
value: test
patch:
enabled: true

23
charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml
View file

@ -1,23 +0,0 @@
controller:
service:
type: ClusterIP
admissionWebhooks:
enabled: true
createSecretJob:
resources:
limits:
cpu: 10m
memory: 20Mi
requests:
cpu: 10m
memory: 20Mi
patchWebhookJob:
resources:
limits:
cpu: 10m
memory: 20Mi
requests:
cpu: 10m
memory: 20Mi
patch:
enabled: true

22
charts/ingress-nginx/templates/_helpers.tpl
View file

@ -204,7 +204,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- end -}}
{{/*
Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
Create the name of the default backend service account to use
*/}}
{{- define "ingress-nginx.defaultBackend.serviceAccountName" -}}
{{- if .Values.defaultBackend.serviceAccount.create -}}
@ -235,26 +235,6 @@ readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem }
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiGroup for PodSecurityPolicy.
*/}}
{{- define "podSecurityPolicy.apiGroup" -}}
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "policy" -}}
{{- else -}}
{{- print "extensions" -}}
{{- end -}}
{{- end -}}
{{/*
Check the ingress controller version tag is at most three versions behind the last release
*/}}
{{- define "isControllerTagValid" -}}
{{- if not (semverCompare ">=0.27.0-0" .Values.controller.image.tag) -}}
{{- fail "Controller container image tag should be 0.27.0 or higher" -}}
{{- end -}}
{{- end -}}
{{/*
Extra modules.
*/}}

4
charts/ingress-nginx/templates/_params.tpl
View file

@ -1,7 +1,7 @@
{{- define "ingress-nginx.params" -}}
- /nginx-ingress-controller
{{- if .Values.controller.enableAnnotationValidations }}
- --enable-annotation-validation=true
{{- if not .Values.controller.enableAnnotationValidations }}
- --enable-annotation-validation=false
{{- end }}
{{- if .Values.defaultBackend.enabled }}
- --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }}

10
charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
View file

@ -20,14 +20,4 @@ rules:
verbs:
- get
- update
{{- if .Values.podSecurityPolicy.enabled }}
- apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
resources: ['podsecuritypolicies']
verbs: ['use']
{{- with .Values.controller.admissionWebhooks.existingPsp }}
resourceNames: [{{ . }}]
{{- else }}
resourceNames: [{{ include "ingress-nginx.admissionWebhooks.fullname" . }}]
{{- end }}
{{- end }}
{{- end }}

2
charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
View file

@ -42,7 +42,7 @@ spec:
{{- end }}
containers:
- name: create
{{- with .Values.controller.admissionWebhooks.patch.image }}
{{- with (merge .Values.controller.admissionWebhooks.patch.image .Values.global.image) }}
image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
{{- end }}
imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}

2
charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
View file

@ -42,7 +42,7 @@ spec:
{{- end }}
containers:
- name: patch
{{- with .Values.controller.admissionWebhooks.patch.image }}
{{- with (merge .Values.controller.admissionWebhooks.patch.image .Values.global.image) }}
image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
{{- end }}
imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}

52
charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
View file

@ -1,52 +0,0 @@
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
{{- if and .Values.podSecurityPolicy.enabled .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
{{- with .Values.controller.admissionWebhooks.patch.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
privileged: false
hostPID: false
hostIPC: false
hostNetwork: false
volumes:
- configMap
- downwardAPI
- emptyDir
- secret
- projected
fsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: true
runAsUser:
rule: MustRunAsNonRoot
runAsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
seLinux:
rule: RunAsAny
{{- end }}
{{- end }}

1
charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
View file

@ -40,6 +40,7 @@ webhooks:
service:
name: {{ include "ingress-nginx.controller.fullname" . }}-admission
namespace: {{ include "ingress-nginx.namespace" . }}
port: {{ .Values.controller.admissionWebhooks.service.servicePort }}
path: /networking/v1/ingresses
{{- if .Values.controller.admissionWebhooks.timeoutSeconds }}
timeoutSeconds: {{ .Values.controller.admissionWebhooks.timeoutSeconds }}

4
charts/ingress-nginx/templates/controller-configmap.yaml
View file

@ -13,7 +13,9 @@ metadata:
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
data:
allow-snippet-annotations: "{{ .Values.controller.allowSnippetAnnotations }}"
{{- if .Values.controller.allowSnippetAnnotations }}
allow-snippet-annotations: "true"
{{- end }}
{{- if .Values.controller.addHeaders }}
add-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
{{- end }}

21
charts/ingress-nginx/templates/controller-daemonset.yaml
View file

@ -1,5 +1,4 @@
{{- if eq .Values.controller.kind "DaemonSet" -}}
{{- include "isControllerTagValid" . -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
@ -76,7 +75,7 @@ spec:
{{- end }}
containers:
- name: {{ .Values.controller.containerName }}
{{- with .Values.controller.image }}
{{- with (merge .Values.controller.image .Values.global.image) }}
image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}
{{- end }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
@ -145,9 +144,9 @@ spec:
hostPort: {{ $key }}
{{- end }}
{{- end }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }}
volumeMounts:
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
{{- if .Values.controller.extraModules }}
- name: modules
{{- if .Values.controller.image.chroot }}
mountPath: /chroot/modules_mount
@ -175,7 +174,7 @@ spec:
{{- if .Values.controller.extraContainers }}
{{- toYaml .Values.controller.extraContainers | nindent 8 }}
{{- end }}
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }}
initContainers:
{{- if .Values.controller.extraInitContainers }}
{{- toYaml .Values.controller.extraInitContainers | nindent 8 }}
@ -183,13 +182,7 @@ spec:
{{- if .Values.controller.extraModules }}
{{- range .Values.controller.extraModules }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.controller.opentelemetry.enabled }}
{{- with .Values.controller.opentelemetry }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- include "extraModules" (dict "name" .name "image" (merge .image $.Values.global.image) "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}
@ -210,9 +203,9 @@ spec:
{{- end }}
serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }}
volumes:
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}}
{{- if .Values.controller.extraModules }}
- name: modules
emptyDir: {}
{{- end }}

24
charts/ingress-nginx/templates/controller-deployment.yaml
View file

@ -1,5 +1,4 @@
{{- if eq .Values.controller.kind "Deployment" -}}
{{- include "isControllerTagValid" . -}}
apiVersion: apps/v1
kind: Deployment
metadata:
@ -23,6 +22,9 @@ spec:
replicas: {{ .Values.controller.replicaCount }}
{{- end }}
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
{{- if .Values.controller.progressDeadlineSeconds }}
progressDeadlineSeconds: {{ .Values.controller.progressDeadlineSeconds }}
{{- end }}
{{- if .Values.controller.updateStrategy }}
strategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }}
{{- end }}
@ -79,7 +81,7 @@ spec:
{{- end }}
containers:
- name: {{ .Values.controller.containerName }}
{{- with .Values.controller.image }}
{{- with (merge .Values.controller.image .Values.global.image) }}
image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}
{{- end }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
@ -148,9 +150,9 @@ spec:
hostPort: {{ $key }}
{{- end }}
{{- end }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }}
volumeMounts:
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
{{- if .Values.controller.extraModules }}
- name: modules
{{- if .Values.controller.image.chroot }}
mountPath: /chroot/modules_mount
@ -178,7 +180,7 @@ spec:
{{- if .Values.controller.extraContainers }}
{{- toYaml .Values.controller.extraContainers | nindent 8 }}
{{- end }}
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }}
initContainers:
{{- if .Values.controller.extraInitContainers }}
{{- toYaml .Values.controller.extraInitContainers | nindent 8 }}
@ -186,13 +188,7 @@ spec:
{{- if .Values.controller.extraModules }}
{{- range .Values.controller.extraModules }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.controller.opentelemetry.enabled }}
{{- with .Values.controller.opentelemetry }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- include "extraModules" (dict "name" .name "image" (merge .image $.Values.global.image) "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}
@ -213,9 +209,9 @@ spec:
{{- end }}
serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }}
volumes:
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}}
{{- if .Values.controller.extraModules }}
- name: modules
emptyDir: {}
{{- end }}

3
charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml
View file

@ -32,5 +32,8 @@ spec:
{{- else if .Values.controller.maxUnavailable }}
maxUnavailable: {{ .Values.controller.maxUnavailable }}
{{- end }}
{{- if .Values.controller.unhealthyPodEvictionPolicy }}
unhealthyPodEvictionPolicy: {{ .Values.controller.unhealthyPodEvictionPolicy }}
{{- end }}
{{- end }}
{{- end }}

3
charts/ingress-nginx/templates/controller-prometheusrules.yaml → charts/ingress-nginx/templates/controller-prometheusrule.yaml
View file

@ -14,6 +14,9 @@ metadata:
{{- if .Values.controller.metrics.prometheusRule.additionalLabels }}
{{- toYaml .Values.controller.metrics.prometheusRule.additionalLabels | nindent 4 }}
{{- end }}
{{- if .Values.controller.metrics.prometheusRule.annotations }}
annotations: {{ toYaml .Values.controller.metrics.prometheusRule.annotations | nindent 4 }}
{{- end }}
spec:
{{- if .Values.controller.metrics.prometheusRule.rules }}
groups:

100
charts/ingress-nginx/templates/controller-psp.yaml
View file

@ -1,100 +0,0 @@
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "ingress-nginx.fullname" . }}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- with .Values.controller.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
privileged: false
hostPID: false
hostIPC: false
hostNetwork: {{ .Values.controller.hostNetwork }}
{{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }}
hostPorts:
{{- if .Values.controller.hostNetwork }}
{{- range $key, $value := .Values.controller.containerPort }}
# controller.containerPort.{{ $key }}
- min: {{ $value }}
max: {{ $value }}
{{- end }}
{{- else if .Values.controller.hostPort.enabled }}
{{- range $key, $value := .Values.controller.hostPort.ports }}
# controller.hostPort.ports.{{ $key }}
- min: {{ $value }}
max: {{ $value }}
{{- end }}
{{- end }}
{{- if .Values.controller.metrics.enabled }}
# controller.metrics.port
- min: {{ .Values.controller.metrics.port }}
max: {{ .Values.controller.metrics.port }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
# controller.admissionWebhooks.port
- min: {{ .Values.controller.admissionWebhooks.port }}
max: {{ .Values.controller.admissionWebhooks.port }}
{{- end }}
{{- range $key, $value := .Values.tcp }}
# tcp.{{ $key }}
- min: {{ $key }}
max: {{ $key }}
{{- end }}
{{- range $key, $value := .Values.udp }}
# udp.{{ $key }}
- min: {{ $key }}
max: {{ $key }}
{{- end }}
{{- end }}
volumes:
- configMap
- downwardAPI
- emptyDir
- secret
- projected
fsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
runAsUser:
rule: MustRunAsNonRoot
runAsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }}
requiredDropCapabilities:
- ALL
allowedCapabilities:
- NET_BIND_SERVICE
{{- if .Values.controller.image.chroot }}
{{- if .Values.controller.image.seccompProfile }}
- SYS_ADMIN
{{- end }}
- SYS_CHROOT
{{- end }}
seLinux:
rule: RunAsAny
{{- if .Values.controller.sysctls }}
allowedUnsafeSysctls:
{{- range $sysctl, $value := .Values.controller.sysctls }}
- {{ $sysctl }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

10
charts/ingress-nginx/templates/controller-role.yaml
View file

@ -91,14 +91,4 @@ rules:
- list
- watch
- get
{{- if .Values.podSecurityPolicy.enabled }}
- apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
resources: ['podsecuritypolicies']
verbs: ['use']
{{- with .Values.controller.existingPsp }}
resourceNames: [{{ . }}]
{{- else }}
resourceNames: [{{ include "ingress-nginx.fullname" . }}]
{{- end }}
{{- end }}
{{- end }}

2
charts/ingress-nginx/templates/controller-service-metrics.yaml
View file

@ -1,4 +1,4 @@
{{- if .Values.controller.metrics.enabled -}}
{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.service.enabled -}}
apiVersion: v1
kind: Service
metadata:

2
charts/ingress-nginx/templates/controller-service-webhook.yaml
View file

@ -29,7 +29,7 @@ spec:
{{- end }}
ports:
- name: https-webhook
port: 443
port: {{ .Values.controller.admissionWebhooks.service.servicePort }}
targetPort: webhook
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
appProtocol: https

Some files were not shown because too many files have changed in this diff Show more