diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 69d1ba161..deb434675 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,33 +1,7 @@ ---- version: 2 updates: - - package-ecosystem: "gomod" - directory: "/" - schedule: - interval: "weekly" - labels: - - "area/dependency" - - "release-note-none" - - "ok-to-test" - groups: - all: - update-types: - - "patch" - package-ecosystem: "github-actions" directory: "/" - schedule: - interval: "weekly" - labels: - - "area/dependency" - - "release-note-none" - - "ok-to-test" - groups: - all: - update-types: - - "minor" - - "patch" - - package-ecosystem: "docker" - directory: "/images" schedule: interval: "weekly" labels: @@ -39,3 +13,31 @@ updates: update-types: - "minor" - "patch" + - package-ecosystem: "docker" + directories: + - "**/rootfs" + schedule: + interval: "weekly" + labels: + - "area/dependency" + - "release-note-none" + - "ok-to-test" + groups: + docker: + update-types: + - "minor" + - "patch" + - package-ecosystem: "gomod" + directories: + - "/" + - "**/rootfs" + schedule: + interval: "weekly" + labels: + - "area/dependency" + - "release-note-none" + - "ok-to-test" + groups: + go: + update-types: + - "patch" diff --git a/.github/workflows/chart.yaml b/.github/workflows/chart.yaml new file mode 100644 index 000000000..a546801a0 --- /dev/null +++ b/.github/workflows/chart.yaml @@ -0,0 +1,64 @@ +name: Chart + +on: + push: + branches: + - main + - release-* + paths: + - charts/ingress-nginx/Chart.yaml + + workflow_dispatch: + +permissions: + contents: read + +jobs: + release: + name: Release + runs-on: ubuntu-latest + + permissions: + contents: write + + steps: + - name: Set up Python + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 + with: + python-version: 3.x + + - name: Set up Helm + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 + + - name: Set up Helm Chart Testing + uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 + + - name: Set up Artifact Hub + run: | + curl --fail --location https://github.com/artifacthub/hub/releases/download/v1.19.0/ah_1.19.0_linux_amd64.tar.gz --output /tmp/ah.tar.gz + echo "0e430493521ce387ca04d79b26646a86f92886dbcceb44985bb71082a9530ca5 /tmp/ah.tar.gz" | shasum --check + sudo tar --extract --file /tmp/ah.tar.gz --directory /usr/local/bin ah + + - name: Set up Git + run: | + git config --global user.name "${GITHUB_ACTOR}" + git config --global user.email "${GITHUB_ACTOR}@users.noreply.github.com" + + - name: Checkout code + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + with: + fetch-depth: 0 + + - name: Lint chart + run: | + ct lint --config .ct.yaml + ah lint --path charts/ingress-nginx + + - name: Release chart + uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0 + env: + CR_TOKEN: ${{ secrets.GITHUB_TOKEN }} + CR_RELEASE_NAME_TEMPLATE: helm-chart-{{ .Version }} + CR_SKIP_EXISTING: true + with: + charts_dir: charts diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 3bd8bbb3d..648cbd194 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -9,7 +9,7 @@ on: - 'deploy/**' - '**.md' - 'images/**' # Images changes should be tested on their own workflow - - '!images/nginx-1.25/**' + - '!images/nginx/**' push: branches: @@ -47,7 +47,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: filter @@ -68,7 +68,25 @@ jobs: - 'NGINX_BASE' baseimage: - 'NGINX_BASE' - - 'images/nginx-1.25/**' + - 'images/nginx/**' + docs: + - '**/*.md' + lua: + - '**/*.lua' + + lua-lint: + runs-on: ubuntu-latest + needs: changes + if: | + (needs.changes.outputs.lua == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }} + steps: + - name: Checkout + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + + - name: Lint Lua + uses: lunarmodules/luacheck@v1 + with: + args: --codes --globals lua_ingress --globals configuration --globals balancer --globals monitor --globals certificate --globals tcp_udp_configuration --globals tcp_udp_balancer --no-max-comment-line-length -q rootfs/etc/nginx/lua/ test-go: runs-on: ubuntu-latest @@ -77,7 +95,7 @@ jobs: (needs.changes.outputs.go == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }} steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Get go version run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV @@ -92,6 +110,27 @@ jobs: - name: Run test run: make test + + verify-docs: + name: Verify Doc generation + runs-on: ubuntu-latest + needs: changes + if: | + (needs.changes.outputs.go == 'true') || (needs.changes.outputs.docs == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }} + steps: + - name: Checkout + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - name: Get go version + run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV + - name: Set up Go + id: go + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version: ${{ env.GOLANG_VERSION }} + check-latest: true + - name: Verify Docs + run: make verify-docs + build: name: Build runs-on: ubuntu-latest @@ -105,7 +144,7 @@ jobs: PLATFORMS: linux/amd64 steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Get go version id: golangversion @@ -124,7 +163,7 @@ jobs: - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0 + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 with: version: latest @@ -141,8 +180,8 @@ jobs: if: | needs.changes.outputs.baseimage == 'true' run: | - export TAG=$(cat images/nginx-1.25/TAG) - cd images/nginx-1.25/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --load -t registry.k8s.io/ingress-nginx/nginx-1.25:${TAG} . + export TAG=$(cat images/nginx/TAG) + cd images/nginx/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --load -t registry.k8s.io/ingress-nginx/nginx:${TAG} . - name: Build images env: @@ -151,8 +190,8 @@ jobs: REGISTRY: ingress-controller run: | echo "building images..." - export TAGNGINX=$(cat images/nginx-1.25/TAG) - make BASE_IMAGE=registry.k8s.io/ingress-nginx/nginx-1.25:${TAGNGINX} clean-image build image image-chroot + export TAGNGINX=$(cat images/nginx/TAG) + make BASE_IMAGE=registry.k8s.io/ingress-nginx/nginx:${TAGNGINX} clean-image build image image-chroot make -C test/e2e-image image echo "creating images cache..." @@ -163,118 +202,94 @@ jobs: | gzip > docker.tar.gz - name: cache - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: docker.tar.gz path: docker.tar.gz retention-days: 5 - helm-lint: - name: Helm chart lint + chart-lint: + name: Chart / Lint runs-on: ubuntu-latest needs: - changes - if: | - (needs.changes.outputs.charts == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }} + + if: fromJSON(needs.changes.outputs.charts) || fromJSON(needs.changes.outputs.baseimage) || fromJSON(github.event.workflow_dispatch.run_e2e) steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Set up Python + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: - fetch-depth: 0 + python-version: 3.x - name: Set up Helm uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 - - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 - with: - python-version: '3.x' - - - name: Set up chart-testing + - name: Set up Helm Chart Testing uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - - name: Install Helm Unit Test Plugin + - name: Set up Artifact Hub run: | - helm plugin install https://github.com/helm-unittest/helm-unittest + curl --fail --location https://github.com/artifacthub/hub/releases/download/v1.19.0/ah_1.19.0_linux_amd64.tar.gz --output /tmp/ah.tar.gz + echo "0e430493521ce387ca04d79b26646a86f92886dbcceb44985bb71082a9530ca5 /tmp/ah.tar.gz" | shasum --check + sudo tar --extract --file /tmp/ah.tar.gz --directory /usr/local/bin ah - - name: Run Helm Unit Tests + - name: Set up Helm Docs + uses: gabe565/setup-helm-docs-action@d5c35bdc9133cfbea3b671acadf50a29029e87c2 # v1.0.4 + + - name: Set up Helm Unit Test + run: helm plugin install https://github.com/helm-unittest/helm-unittest + + - name: Checkout code + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + with: + fetch-depth: 0 + + - name: Lint chart run: | - helm unittest charts/ingress-nginx -d + ct lint --config .ct.yaml + ah lint --path charts/ingress-nginx - - name: Run chart-testing (lint) - run: ct lint --config ./.ct.yaml - - - name: Run helm-docs + - name: Check docs run: | - GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.11.0 - ./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts - DIFF=$(git diff ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md) - if [ ! -z "$DIFF" ]; then - echo "Please use helm-docs in your clone, of your fork, of the project, and commit a updated README.md for the chart. https://github.com/kubernetes/ingress-nginx/blob/main/RELEASE.md#d-edit-the-valuesyaml-and-run-helm-docs" - fi - git diff --exit-code - rm -f ./helm-docs + helm-docs --chart-search-root charts + git diff --exit-code charts/ingress-nginx/README.md - - name: Run Artifact Hub lint - run: | - wget https://github.com/artifacthub/hub/releases/download/v1.5.0/ah_1.5.0_linux_amd64.tar.gz - echo 'ad0e44c6ea058ab6b85dbf582e88bad9fdbc64ded0d1dd4edbac65133e5c87da *ah_1.5.0_linux_amd64.tar.gz' | shasum -c - tar -xzvf ah_1.5.0_linux_amd64.tar.gz ah - ./ah lint -p charts/ingress-nginx || exit 1 - rm -f ./ah ./ah_1.5.0_linux_amd64.tar.gz + - name: Run tests + run: helm unittest charts/ingress-nginx - helm-test: - name: Helm chart testing + chart-test: + name: Chart / Test runs-on: ubuntu-latest needs: - changes - build - - helm-lint - if: | - (needs.changes.outputs.charts == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }} + - chart-lint + + if: fromJSON(needs.changes.outputs.charts) || fromJSON(needs.changes.outputs.baseimage) || fromJSON(github.event.workflow_dispatch.run_e2e) strategy: matrix: - k8s: [v1.26.15, v1.27.13, v1.28.9, v1.29.4, v1.30.0] + k8s: [v1.28.13, v1.29.8, v1.30.4, v1.31.0] steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Checkout code + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - - name: Setup Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version: ${{ needs.build.outputs.golangversion }} - check-latest: true - - - name: cache + - name: Download cache uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: docker.tar.gz - - name: fix permissions - run: | - sudo mkdir -p $HOME/.kube - sudo chmod -R 777 $HOME/.kube + - name: Load cache + run: gzip --decompress --stdout docker.tar.gz | docker load - - name: Create Kubernetes ${{ matrix.k8s }} cluster - id: kind - run: | - kind create cluster --image=kindest/node:${{ matrix.k8s }} - - - name: Load images from cache - run: | - echo "loading docker images..." - gzip -dc docker.tar.gz | docker load - - - name: Test + - name: Run tests env: - KIND_CLUSTER_NAME: kind - SKIP_CLUSTER_CREATION: true + K8S_VERSION: ${{ matrix.k8s }} SKIP_IMAGE_CREATION: true - SKIP_INGRESS_IMAGE_CREATION: true run: | - kind get kubeconfig > $HOME/.kube/kind-config-kind + sudo mkdir -pm 777 "${HOME}/.kube" make kind-e2e-chart-tests kubernetes: @@ -286,26 +301,11 @@ jobs: (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }} strategy: matrix: - k8s: [v1.26.15, v1.27.13, v1.28.9, v1.29.4, v1.30.0] + k8s: [v1.28.13, v1.29.8, v1.30.4, v1.31.0] uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml with: k8s-version: ${{ matrix.k8s }} - kubernetes-validations: - name: Kubernetes with Validations - needs: - - changes - - build - if: | - (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }} - strategy: - matrix: - k8s: [v1.26.15, v1.27.13, v1.28.9, v1.29.4, v1.30.0] - uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml - with: - k8s-version: ${{ matrix.k8s }} - variation: "VALIDATIONS" - kubernetes-chroot: name: Kubernetes chroot needs: @@ -315,7 +315,7 @@ jobs: (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }} strategy: matrix: - k8s: [v1.26.15, v1.27.13, v1.28.9, v1.29.4, v1.30.0] + k8s: [v1.28.13, v1.29.8, v1.30.4, v1.31.0] uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml with: k8s-version: ${{ matrix.k8s }} diff --git a/.github/workflows/depreview.yaml b/.github/workflows/depreview.yaml index 913b995bd..857411f79 100644 --- a/.github/workflows/depreview.yaml +++ b/.github/workflows/depreview.yaml @@ -9,6 +9,6 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: 'Dependency Review' uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4 diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index c1434c7b7..479c139aa 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -23,7 +23,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: filter @@ -47,7 +47,7 @@ jobs: steps: - name: Checkout master - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Deploy uses: ./.github/actions/mkdocs diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index b40eca1bb..4ef7e9085 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Get go version run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV @@ -28,6 +28,6 @@ jobs: check-latest: true - name: golangci-lint - uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1 + uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1 with: version: v1.56 diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml deleted file mode 100644 index f7a68af1a..000000000 --- a/.github/workflows/helm.yaml +++ /dev/null @@ -1,88 +0,0 @@ -name: Helm - -on: - push: - branches: - - main - - release-* - - workflow_dispatch: - -permissions: - contents: read - -jobs: - - changes: - runs-on: ubuntu-latest - - permissions: - contents: read # for dorny/paths-filter to fetch a list of changed files - - if: github.repository == 'kubernetes/ingress-nginx' - - outputs: - docs: ${{ steps.filter.outputs.docs }} - charts: ${{ steps.filter.outputs.charts }} - - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: Run Artifact Hub lint - run: | - wget https://github.com/artifacthub/hub/releases/download/v1.5.0/ah_1.5.0_linux_amd64.tar.gz - echo 'ad0e44c6ea058ab6b85dbf582e88bad9fdbc64ded0d1dd4edbac65133e5c87da *ah_1.5.0_linux_amd64.tar.gz' | shasum -c - tar -xzvf ah_1.5.0_linux_amd64.tar.gz ah - ./ah lint -p charts/ingress-nginx || exit 1 - rm -f ./ah ./ah_1.5.0_linux_amd64.tar.gz - - - name: Set up chart-testing - uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - - - name: Run chart-testing (lint) - run: ct lint --target-branch ${{ github.ref_name }} --config ./.ct.yaml - - - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 - id: filter - with: - token: ${{ secrets.GITHUB_TOKEN }} - filters: | - charts: - - 'charts/ingress-nginx/Chart.yaml' - - 'charts/ingress-nginx/values.yaml' - - chart: - name: Release Chart - runs-on: ubuntu-latest - - permissions: - contents: write # needed to write releases - - needs: - - changes - - if: ${{ needs.changes.outputs.charts == 'true' }} - - steps: - - name: Checkout master - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - # Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896 - fetch-depth: 0 - ref: ${{ github.ref_name }} - - - name: Setup - shell: bash - run: | - git config --global user.name "$GITHUB_ACTOR" - git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com" - - - name: Helm Chart Releaser - uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0 - env: - CR_SKIP_EXISTING: true - CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}" - with: - charts_dir: charts diff --git a/.github/workflows/images.yaml b/.github/workflows/images.yaml index 92325c632..77358e8b3 100644 --- a/.github/workflows/images.yaml +++ b/.github/workflows/images.yaml @@ -36,12 +36,10 @@ jobs: kube-webhook-certgen: ${{ steps.filter.outputs.kube-webhook-certgen }} ext-auth-example-authsvc: ${{ steps.filter.outputs.ext-auth-example-authsvc }} nginx: ${{ steps.filter.outputs.nginx }} - nginx125: ${{ steps.filter.outputs.nginx125 }} - opentelemetry: ${{ steps.filter.outputs.opentelemetry }} steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: filter with: @@ -65,10 +63,6 @@ jobs: - 'images/ext-auth-example-authsvc/**' nginx: - 'images/nginx/**' - opentelemetry: - - 'images/opentelemetry/**' - nginx125: - - 'images/nginx-1.25/TAG' #### TODO: Make the below jobs 'less dumb' and use the job name as parameter (the github.job context does not work here) cfssl: @@ -141,10 +135,10 @@ jobs: (needs.changes.outputs.kube-webhook-certgen == 'true') strategy: matrix: - k8s: [v1.26.15, v1.27.13, v1.28.9, v1.29.4, v1.30.0] + k8s: [v1.28.13, v1.29.8, v1.30.4, v1.31.0] steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Get go version run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV @@ -166,41 +160,24 @@ jobs: run: | cd images/ && make NAME=kube-webhook-certgen test test-e2e - opentelemetry: - runs-on: ubuntu-latest - env: - PLATFORMS: linux/amd64,linux/arm,linux/arm64 - needs: changes - if: | - (needs.changes.outputs.opentelemetry == 'true') - strategy: - matrix: - nginx: ['1.25.3', '1.21.6'] - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: image build - run: | - cd images/opentelemetry && make NGINX_VERSION=${{ matrix.nginx }} build - - nginx125: + nginx: permissions: contents: write packages: write runs-on: ubuntu-latest needs: changes if: | - (github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.changes.outputs.nginx125 == 'true') + (github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.changes.outputs.nginx == 'true') env: PLATFORMS: linux/amd64,linux/arm,linux/arm64,linux/s390x steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Set up QEMU uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0 + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 with: version: latest platforms: ${{ env.PLATFORMS }} @@ -211,5 +188,5 @@ jobs: password: ${{ secrets.DOCKERHUB_TOKEN }} - name: build-image run: | - export TAG=$(cat images/nginx-1.25/TAG) - cd images/nginx-1.25/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --push -t ingressnginx/nginx-1.25:${TAG} . + export TAG=$(cat images/nginx/TAG) + cd images/nginx/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --push -t ingressnginx/nginx:${TAG} . diff --git a/.github/workflows/junit-reports.yaml b/.github/workflows/junit-reports.yaml index 947b90c25..e2a82910e 100644 --- a/.github/workflows/junit-reports.yaml +++ b/.github/workflows/junit-reports.yaml @@ -5,6 +5,10 @@ on: workflows: ['CI'] # runs after CI workflow types: - completed + +permissions: + checks: write + jobs: report: runs-on: ubuntu-latest diff --git a/.github/workflows/perftest.yaml b/.github/workflows/perftest.yaml index 2e1e01a3e..eb086538e 100644 --- a/.github/workflows/perftest.yaml +++ b/.github/workflows/perftest.yaml @@ -19,7 +19,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Install K6 run: | diff --git a/.github/workflows/plugin.yaml b/.github/workflows/plugin.yaml index 63b8c19bf..0ae13a2df 100644 --- a/.github/workflows/plugin.yaml +++ b/.github/workflows/plugin.yaml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: fetch-depth: 0 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 83837e312..9eaf091ee 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -27,7 +27,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: persist-credentials: false @@ -51,7 +51,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: SARIF file path: results.sarif @@ -59,6 +59,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 + uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11 with: sarif_file: results.sarif diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index 14d5dc406..0cd02552d 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -22,7 +22,7 @@ jobs: versions: ${{ steps.version.outputs.TAGS }} steps: - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: fetch-depth: 0 @@ -52,7 +52,7 @@ jobs: versions: ${{ fromJSON(needs.version.outputs.versions) }} steps: - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - shell: bash id: test @@ -75,7 +75,7 @@ jobs: # This step checks out a copy of your repository. - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 + uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11 with: token: ${{ github.token }} # Path to SARIF file relative to the root of the repository diff --git a/.github/workflows/zz-tmpl-images.yaml b/.github/workflows/zz-tmpl-images.yaml index 4594a1de4..2efc039d6 100644 --- a/.github/workflows/zz-tmpl-images.yaml +++ b/.github/workflows/zz-tmpl-images.yaml @@ -1,5 +1,5 @@ #### THIS IS A TEMPLATE #### -# This workflow is created to be a template for every time an e2e teest is required, +# This workflow is created to be a template for every time an e2e test is required, on: workflow_call: @@ -31,7 +31,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: filter with: @@ -48,7 +48,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Build run: | @@ -67,7 +67,7 @@ jobs: PLATFORMS: ${{ inputs.platforms-publish }} steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Login to GitHub Container Registry uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 diff --git a/.github/workflows/zz-tmpl-k8s-e2e.yaml b/.github/workflows/zz-tmpl-k8s-e2e.yaml index 114e1a45f..f1b6bb242 100644 --- a/.github/workflows/zz-tmpl-k8s-e2e.yaml +++ b/.github/workflows/zz-tmpl-k8s-e2e.yaml @@ -1,5 +1,5 @@ #### THIS IS A TEMPLATE #### -# This workflow is created to be a template for every time an e2e teest is required, +# This workflow is created to be a template for every time an e2e test is required, on: workflow_call: @@ -20,7 +20,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: cache uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 @@ -43,14 +43,13 @@ jobs: SKIP_CLUSTER_CREATION: true SKIP_INGRESS_IMAGE_CREATION: true SKIP_E2E_IMAGE_CREATION: true - ENABLE_VALIDATIONS: ${{ inputs.variation == 'VALIDATIONS' }} IS_CHROOT: ${{ inputs.variation == 'CHROOT' }} run: | kind get kubeconfig > $HOME/.kube/kind-config-kind make kind-e2e-test - name: Upload e2e junit-reports ${{ inputs.variation }} - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 if: success() || failure() with: name: e2e-test-reports-${{ inputs.k8s-version }}${{ inputs.variation }} diff --git a/.gitignore b/.gitignore index 73108f627..5eac1a800 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,3 @@ -helm-docs # OSX ._* .DS_Store diff --git a/.luacheckrc b/.luacheckrc index a24399e26..5a1c249fe 100644 --- a/.luacheckrc +++ b/.luacheckrc @@ -1,6 +1,6 @@ std = 'ngx_lua' max_line_length = 100 -exclude_files = {'./rootfs/etc/nginx/lua/test/**/*.lua', './rootfs/etc/nginx/lua/plugins/**/test/**/*.lua'} +exclude_files = {'./rootfs/etc/nginx/lua/test/**/*.lua'} files["rootfs/etc/nginx/lua/lua_ingress.lua"] = { ignore = { "122" }, -- TODO(elvinefendi) figure out why this does not work diff --git a/Changelog.md b/Changelog.md index 400c187f7..f049654ee 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,7 +2,7 @@ All New change are in [Changelog](./changelog) -### 1.5.1 +### 1.5.1 * Upgrade NGINX to 1.21.6 * Upgrade Golang 1.19.2 @@ -102,18 +102,18 @@ Images: ### Community Updates We will discuss the results of our Community Survey, progress on the stabilization project, and ideas going -forward with the project at -[Kubecon NA 2022 in Detroit](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/). Come join us +forward with the project at +[Kubecon NA 2022 in Detroit](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/). Come join us and let us hear what you'd like to see in the future for ingress-nginx. https://kccncna2022.sched.com/event/18lgl?iframe=no [**Kubernetes Registry change notice**](https://twitter.com/BenTheElder/status/1575898507235323904) -The [@kubernetesio](https://twitter.com/kubernetesio) container image host http://k8s.gcr.io is -*actually* getting redirected to the community controlled http://registry.k8s.io starting with a small portion of +The [@kubernetesio](https://twitter.com/kubernetesio) container image host http://k8s.gcr.io is +*actually* getting redirected to the community controlled http://registry.k8s.io starting with a small portion of traffic on October 3rd. -If you notice any issues, *please* ping [Ben Elder](https://twitter.com/BenTheElder), +If you notice any issues, *please* ping [Ben Elder](https://twitter.com/BenTheElder), [@thockin](https://twitter.com/thockin), [@ameukam](https://twitter.com/ameukam),or report issues in slack to [sig-k8s-infra slack channel](https://kubernetes.slack.com/archives/CCK68P2Q2). @@ -123,7 +123,7 @@ If you notice any issues, *please* ping [Ben Elder](https://twitter.com/BenTheEl [8890](https://github.com/kubernetes/ingress-nginx/pull/8890) * Update to Prometheus metric names, more information [available here]( https://github.com/kubernetes/ingress-nginx/pull/8728 ) -* Deprecated Kubernetes versions 1.20-1.21, Added support for, 1.25, currently supported versions v1.22, v1.23, v1.24, v1.25 +* Deprecated Kubernetes versions 1.20-1.21, Added support for, 1.25, currently supported versions v1.22, v1.23, v1.24, v1.25 ADDED * `_request_duration_seconds` Histogram @@ -203,11 +203,11 @@ Images: ### 1.3.1 -In v1.3.1 leader elections will be done entirely using the Lease API and no longer using configmaps. +In v1.3.1 leader elections will be done entirely using the Lease API and no longer using configmaps. v1.3.0 is a safe transition version, using v1.3.0 can automatically complete the merging of election locks, and then you can safely upgrade to v1.3.1. -Also, *important note*, with the Release of Kubernetes v1.25 we are dropping support for the legacy branches, -Also, *important note*, with the release of Kubernetes v1.25, we are dropping support for the legacy edition, +Also, *important note*, with the Release of Kubernetes v1.25 we are dropping support for the legacy branches, +Also, *important note*, with the release of Kubernetes v1.25, we are dropping support for the legacy edition, that means all version <1.0.0 of the ingress-nginx-controller. ## Image: @@ -277,11 +277,11 @@ All other Changes ### 1.3.0 -Image: +Image: - registry.k8s.io/ingress-nginx/controller:v1.3.0@sha256:d1707ca76d3b044ab8a28277a2466a02100ee9f58a86af1535a3edf9323ea1b5 - registry.k8s.io/ingress-nginx/controller-chroot:v1.3.0@sha256:0fcb91216a22aae43b374fc2e6a03b8afe9e8c78cbf07a09d75636dc4ea3c191 -_IMPORTANT CHANGES:_ +_IMPORTANT CHANGES:_ * This release removes support for Kubernetes v1.19.0 * This release adds support for Kubernetes v1.24.0 * Starting with this release, we will need permissions on the `coordination.k8s.io/leases` resource for leaderelection lock @@ -352,11 +352,11 @@ _Changes:_ ### 1.2.0 -Image: +Image: - k8s.gcr.io/ingress-nginx/controller:v1.2.0@sha256:d8196e3bc1e72547c5dec66d6556c0ff92a23f6d0919b206be170bc90d5f9185 - k8s.gcr.io/ingress-nginx/controller-chroot:v1.2.0@sha256:fb17f1700b77d4fcc52ca6f83ffc2821861ae887dbb87149cf5cbc52bea425e5 -This minor version release, introduces 2 breaking changes. For the first time, an option to jail/chroot the nginx process, inside the controller container, is being introduced.. This provides an additional layer of security, for sensitive information like K8S serviceaccounts. This release also brings a special new feature of deep inspection into objects. The inspection is a walk through of all the spec, checking for possible attempts to escape configs. Currently such an inspection only occurs for `networking.Ingress`. Additionally there are fixes for the recently announced CVEs on busybox & ssl_client. And there is a fix to a recently introduced redirection related bug, that was setting the protocol on URLs to "nil". +This minor version release, introduces 2 breaking changes. For the first time, an option to jail/chroot the nginx process, inside the controller container, is being introduced. This provides an additional layer of security, for sensitive information like K8S serviceaccounts. This release also brings a special new feature of deep inspection into objects. The inspection is a walk through of all the spec, checking for possible attempts to escape configs. Currently such an inspection only occurs for `networking.Ingress`. Additionally there are fixes for the recently announced CVEs on busybox & ssl_client. And there is a fix to a recently introduced redirection related bug, that was setting the protocol on URLs to "nil". _Changes:_ @@ -419,7 +419,7 @@ _Changes:_ **Image:** - k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2 -This release upgrades Alpine to 3.14.4 and nginx to 1.19.10 +This release upgrades Alpine to 3.14.4 and nginx to 1.19.10 Patches [OpenSSL CVE-2022-0778](https://github.com/kubernetes/ingress-nginx/issues/8339) @@ -460,7 +460,7 @@ _Changes:_ ### 1.1.2 -**Image:** +**Image:** - k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c This release bumps grpc version to 1.44.0 & runc to version 1.1.0. The release also re-introduces the ingress.class annotation, which was previously declared as deprecated. Besides that, several bug fixes and improvements are listed below. @@ -502,7 +502,7 @@ _Changes:_ ### 1.1.1 -**Image:** +**Image:** - k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de This release contains several fixes and improvements. This image is now built using Go v1.17.6 and gRPC v1.43.0. See detailed list below. @@ -571,9 +571,9 @@ _Changes:_ _Possible Breaking Change_ We now implement string sanitization in annotation values. This means that words like "location", "by_lua" and -others will drop the reconciliation of an Ingress object. +others will drop the reconciliation of an Ingress object. -Users from mod_security and other features should be aware that some blocked values may be used by those features +Users from mod_security and other features should be aware that some blocked values may be used by those features and must be manually unblocked by the Ingress Administrator. For more details please check [https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#annotation-value-word-blocklist] @@ -592,7 +592,7 @@ _Changes:_ - k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef _Possible Breaking Change_ -We have disabled the builtin ssl_session_cache due to possible memory fragmentation. This should not impact the majority of users, but please let us know +We have disabled the builtin ssl_session_cache due to possible memory fragmentation. This should not impact the majority of users, but please let us know if you face any problem _Changes:_ @@ -608,7 +608,7 @@ _Changes:_ - k8s.gcr.io/ingress-nginx/controller:v1.0.3@sha256:4ade87838eb8256b094fbb5272d7dda9b6c7fa8b759e6af5383c1300996a7452 **Known Issues** -* Ingress controller now (starting from v1.0.0) mandates cluster scoped access to IngressClass. This leads to problems when updating old Ingress controller to newest version, as described [here](https://github.com/kubernetes/ingress-nginx/issues/7510). We plan to fix it in v1.0.4, see [this](https://github.com/kubernetes/ingress-nginx/pull/7578). +* Ingress controller now (starting from v1.0.0) mandates cluster scoped access to IngressClass. This leads to problems when updating old Ingress controller to newest version, as described [here](https://github.com/kubernetes/ingress-nginx/issues/7510). We plan to fix it in v1.0.4, see [this](https://github.com/kubernetes/ingress-nginx/pull/7578). _New Features:_ @@ -624,7 +624,7 @@ _Changes:_ - k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049 **Known Issues** -* Ingress controller now (starting from v1.0.0) mandates cluster scoped access to IngressClass. This leads to problems when updating old Ingress controller to newest version, as described [here](https://github.com/kubernetes/ingress-nginx/issues/7510). We plan to fix it in v1.0.3, see [this](https://github.com/kubernetes/ingress-nginx/pull/7578). +* Ingress controller now (starting from v1.0.0) mandates cluster scoped access to IngressClass. This leads to problems when updating old Ingress controller to newest version, as described [here](https://github.com/kubernetes/ingress-nginx/issues/7510). We plan to fix it in v1.0.3, see [this](https://github.com/kubernetes/ingress-nginx/pull/7578). _New Features:_ @@ -640,7 +640,7 @@ _Changes:_ - k8s.gcr.io/ingress-nginx/controller:v1.0.1@sha256:26bbd57f32bac3b30f90373005ef669aae324a4de4c19588a13ddba399c6664e **Known Issues** -* Ingress controller now (starting from v1.0.0) mandates cluster scoped access to IngressClass. This leads to problems when updating old Ingress controller to newest version, as described [here](https://github.com/kubernetes/ingress-nginx/issues/7510). We plan to fix it in v1.0.2, see [this](https://github.com/kubernetes/ingress-nginx/pull/7578). +* Ingress controller now (starting from v1.0.0) mandates cluster scoped access to IngressClass. This leads to problems when updating old Ingress controller to newest version, as described [here](https://github.com/kubernetes/ingress-nginx/issues/7510). We plan to fix it in v1.0.2, see [this](https://github.com/kubernetes/ingress-nginx/pull/7578). _New Features:_ @@ -883,7 +883,7 @@ _Changes:_ test #7255 - [X] [#7216](https://github.com/kubernetes/ingress-nginx/pull/7216) Admission: Skip validation checks if an ingress is marked as deleted #7216 - + ### 1.0.0-beta.3 ** This is a breaking change** @@ -2057,7 +2057,7 @@ _Breaking Changes:_ ``` Due to upcoming data privacy regulations, we are making significant changes to how you access free GeoLite2 databases starting December 30, 2019. - Learn more on our blog https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/ + Learn more on our blog https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/ ``` Because of this change, it is not clear we can provide the databases directly from the docker image. @@ -2193,7 +2193,7 @@ _New Features:_ If the active connections end before that, the pod will terminate gracefully at that time. - To efectively take advantage of this feature, the Configmap feature [worker-shutdown-timeout](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#worker-shutdown-timeout) new value is `240s` instead of `10s`. + To effectively take advantage of this feature, the Configmap feature [worker-shutdown-timeout](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#worker-shutdown-timeout) new value is `240s` instead of `10s`. **IMPORTANT:** this value has a side effect during reloads, consuming more memory until the old NGINX workers are replaced. @@ -2603,7 +2603,7 @@ _New Features:_ _Breaking changes:_ - The NGINX server listening in port 18080 was removed. It was replaced by a server using an unix socket as port [#3684](https://github.com/kubernetes/ingress-nginx/pull/3684) - This server was internal to the ingress controller. In case this was being acceded from the outside, you can restore the old server using the `http-snipet` feature in the configuration configmap like: + This server was internal to the ingress controller. In case this was being acceded from the outside, you can restore the old server using the `http-snippet` feature in the configuration configmap like: ```yaml http-snippet: | diff --git a/GOLANG_VERSION b/GOLANG_VERSION index be02b337a..229a27c6f 100644 --- a/GOLANG_VERSION +++ b/GOLANG_VERSION @@ -1 +1 @@ -1.22.4 \ No newline at end of file +1.22.8 diff --git a/MANUAL_RELEASE.md b/MANUAL_RELEASE.md index d7144b85d..8a6b10bc1 100644 --- a/MANUAL_RELEASE.md +++ b/MANUAL_RELEASE.md @@ -177,21 +177,21 @@ Promoting the images basically means that images, that were pushed to staging co ``` - The -L 38 was used for 2 reasons. - Default number of results is 30 and there were more than 30 PRs merged while releasing v1.1.1. If you see the current/soon-to-be-old changelog, you can look at the most recent PR number that has been accounted for already, and start from after that last accounted for PR. - - The other reason to use -L 38 was to ommit the 39th, the 40th and the 41st line in the resulting list. These were non-relevant PRs. + - The other reason to use -L 38 was to omit the 39th, the 40th and the 41st line in the resulting list. These were non-relevant PRs. - If you save the output of above command to a file called prlist.txt. It looks somewhat like this ; ``` - % cat ~/Downloads/prlist.txt + % cat ~/Downloads/prlist.txt 8129 fix syntax in docs for multi-tls example 8120 Update go in runner and release v1.1.1 8119 Update to go v1.17.6 8118 Remove deprecated libraries, update other libs 8117 Fix codegen errors - 8115 chart/ghaction: set the correct permission to have access to push a release + 8115 chart/ghaction: set the correct permission to have access to push a release .... ``` You can delete the lines, that refer to PRs of the release process itself. We only need to list the feature/bugfix PRs. You can also delete the lines that are housekeeping or not really worth mentioning in the changelog. - - you use some easy automation in bash/python/other, to get the PR-List that can be used in the changelog. For example, its possible to use a bash scripty way, seen below, to convert those plaintext PR numbers into clickable links. + - you use some easy automation in bash/python/other, to get the PR-List that can be used in the changelog. For example, it's possible to use a bash scripty way, seen below, to convert those plaintext PR numbers into clickable links. ``` #!/usr/bin/bash @@ -205,7 +205,7 @@ Promoting the images basically means that images, that were pushed to staging co done <$file ``` - - There was a parsing issue and path issue on MacOS, so above scrpt had to be modified and MacOS monterey compatible script is below ; + - There was a parsing issue and path issue on MacOS, so above script had to be modified and MacOS monterey compatible script is below ; ``` #!/bin/bash @@ -226,19 +226,18 @@ Promoting the images basically means that images, that were pushed to staging co ``` ### d. Edit the values.yaml and run helm-docs + - [Fields to edit in values.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml) - tag - digest - - [helm-docs](https://github.com/norwoodj/helm-docs) is a tool that generates the README.md for a helm-chart automatically. In the CI pipeline workflow of github actions (/.github/workflows/ci.yaml), you can see how helm-docs is used. But the CI pipeline is not designed to make commits back into the project. So we need to run helm-docs manually, and check in the resulting autogenerated README.md at the path /charts/ingress-nginx/README.md + - [helm-docs](https://github.com/norwoodj/helm-docs) is a tool that generates the README.md for a Helm chart automatically. In the CI pipeline workflow of GitHub actions (.github/workflows/ci.yaml), you can see how helm-docs is used. The CI pipeline is not designed to make commits back into the project, so we need to run helm-docs manually and commit the resulting generated README.md. You can obtain a recent version of the helm-docs binary here: https://github.com/norwoodj/helm-docs/releases. ``` - GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.11.0 - ./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts - git diff --exit-code - rm -f ./helm-docs + helm-docs --chart-search-root charts + git diff charts/ingress-nginx/README.md ``` - Watchout for mistakes like leaving the helm-docs executable in your clone workspace or not checking the new README.md manually etc. + Take care of not leaving the helm-docs executable in your clone workspace or not committing the new README.md. ### e. Edit the static manifests @@ -274,7 +273,7 @@ Promoting the images basically means that images, that were pushed to staging co ### h. Update README.md -- Update the table in README.md in the root of the projet to reflect the support matrix. Add the new release version and details in there. +- Update the table in README.md in the root of the project to reflect the support matrix. Add the new release version and details in there. ## 5. RELEASE new version @@ -291,7 +290,7 @@ Promoting the images basically means that images, that were pushed to staging co - `helm repo update` - `helm search repo ingress-nginx` -## 6. Github release +## 6. GitHub release - Release to github diff --git a/Makefile b/Makefile index a99e1540c..033577e14 100644 --- a/Makefile +++ b/Makefile @@ -124,6 +124,9 @@ build: ## Build ingress controller, debug tool and pre-stop hook. clean: ## Remove .gocache directory. rm -rf bin/ .gocache/ .cache/ +.PHONY: verify-docs +verify-docs: ## Verify doc generation + hack/verify-annotation-docs.sh .PHONY: static-check static-check: ## Run verification script for boilerplate, codegen, gofmt, golint, lualint and chart-lint. @@ -237,8 +240,8 @@ ensure-buildx: show-version: echo -n $(TAG) -PLATFORMS ?= amd64 arm arm64 -BUILDX_PLATFORMS ?= linux/amd64,linux/arm,linux/arm64 +PLATFORMS ?= amd64 arm arm64 s390x +BUILDX_PLATFORMS ?= linux/amd64,linux/arm,linux/arm64,linux/s390x .PHONY: release # Build a multi-arch docker image release: ensure-buildx clean diff --git a/NEW_CONTRIBUTOR.md b/NEW_CONTRIBUTOR.md index e89c1ba88..20c4e3daa 100644 --- a/NEW_CONTRIBUTOR.md +++ b/NEW_CONTRIBUTOR.md @@ -20,14 +20,14 @@ It all starts with the OSI model... ### Approaching the problem -Not everybody knows everything. But the factors that help are a love/passion for this to begin. But to move forward, its the approach and not the knowledge that sustains prolonged joy, while working on issues. If the approach is simple and powered by good-wishes-for-community, then info & tools are forthcoming and easy. +Not everybody knows everything. But the factors that help are a love/passion for this to begin. But to move forward, it's the approach and not the knowledge that sustains prolonged joy, while working on issues. If the approach is simple and powered by good-wishes-for-community, then info & tools are forthcoming and easy. Here we take a bird's eye-view of the hops in the network plumbing, that a packet takes, from source to destination, when we run `curl`, from a laptop to a nginx webserver process, running in a container, inside a pod, inside a Kubernetes cluster, created using `kind` or `minikube` or any other cluster-management tool. ### [Kind](https://kind.sigs.k8s.io/) cluster example on a Linux Host #### TL;DR -The destination of the packet from the curl command, is looked up, in the `routing table`. Based on the route, the the packet first travels to the virtual bridge `172.18.0.1` interface, created by docker, when we created the kind cluster on a laptop. Next the packet is forwarded to `172.18.0.2`(See below on how we got this IP address), within the kind cluster. The `kube-proxy` container creates iptables rules that make sure the packet goes to the correct pod ip in this case `10.244.0.5` +The destination of the packet from the curl command, is looked up, in the `routing table`. Based on the route, the packet first travels to the virtual bridge `172.18.0.1` interface, created by docker, when we created the kind cluster on a laptop. Next the packet is forwarded to `172.18.0.2`(See below on how we got this IP address), within the kind cluster. The `kube-proxy` container creates iptables rules that make sure the packet goes to the correct pod ip in this case `10.244.0.5` Command: ``` @@ -435,7 +435,7 @@ virbr0: flags=4163 mtu 1500 ``` Output Relevance: From the above output you can see there are two Virtual Bridges created by minikube when we created the cluster on the network. Here, `virbr0` is the default NAT network bridge while `virbr2` is a isolated network bridge on which the pods run. -Minikube creates a Virtual Machine, to enter the virtual machine we can simple do: +Minikube creates a Virtual Machine, to enter the virtual machine we can simply do: ``` # minikube ssh ``` @@ -707,7 +707,7 @@ NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE httpd ClusterIP 10.104.111.0 80/TCP 13s ``` -Once we have this we can now create a n ingress using the following +Once we have this we can now create an ingress using the following ``` kubectl -n httpd create ingress httpd --class nginx --rule httpd.dev.leonnunes.com/"*"=httpd:80 ``` @@ -771,7 +771,7 @@ Hypertext Transfer Protocol [Response in frame: 6] ``` -The above output shows the information that the `httpd` pod recieves. The `curl` command sends the host header, `Host: httpd.dev.leonnunes.com`, to the nginx controller, that then matches the rule and sends the information to the right controller +The above output shows the information that the `httpd` pod receives. The `curl` command sends the host header, `Host: httpd.dev.leonnunes.com`, to the nginx controller, that then matches the rule and sends the information to the right controller The following output shows what is sent via the laptop. ``` diff --git a/NGINX_BASE b/NGINX_BASE index b179689bf..ea1e443b0 100644 --- a/NGINX_BASE +++ b/NGINX_BASE @@ -1 +1 @@ -registry.k8s.io/ingress-nginx/nginx-1.25:v0.0.10@sha256:1686f4cd2e16f09a1e7d27529d21eb74a8b551dc06ef86189ac837d3d6548725 +registry.k8s.io/ingress-nginx/nginx:v1.0.0@sha256:11ee0d0e3d063f1468f9a82958d57fa0718614fe10b676941f4dea0aef091faf diff --git a/README.md b/README.md index 00960a4b7..2ffacd861 100644 --- a/README.md +++ b/README.md @@ -17,6 +17,8 @@ balancer. See the [Getting Started](https://kubernetes.github.io/ingress-nginx/deploy/) document. +Do not use in multi-tenant Kubernetes production installations. This project assumes that users that can create Ingress objects are administrators of the cluster. See the [FAQ](https://kubernetes.github.io/ingress-nginx/faq/#faq) for more. + ## Troubleshooting If you encounter issues, review the [troubleshooting docs](docs/troubleshooting.md), @@ -37,8 +39,10 @@ the versions listed. Ingress-Nginx versions **may** work on older versions, but | Supported | Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version | Helm Chart Version | | :-------: | --------------------- | ----------------------------- | -------------- | ------------- | ------------------ | +| 🔄 | **v1.11.2** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.11.2 | | 🔄 | **v1.11.1** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.11.1 | | 🔄 | **v1.11.0** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.11.0 | +| 🔄 | **v1.10.4** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.10.4 | | 🔄 | **v1.10.3** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.10.3 | | 🔄 | **v1.10.2** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.10.2 | | 🔄 | **v1.10.1** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.19.1 | 1.25.3 | 4.10.1 | diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh index 822ff265a..095e09b91 100755 --- a/build/run-in-docker.sh +++ b/build/run-in-docker.sh @@ -44,7 +44,7 @@ function cleanup { } trap cleanup EXIT -E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20240729-04899b27@sha256:9f067e6c861343da47f5851bf255aecdeb33a61fc5991a6c659fb237a3f619f9} +E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20241004-114a6abb@sha256:1389ec0589abbf5c431c9290c4c307437c8396995c63dda5eac26abd70963dc8} if [[ "$RUNTIME" == podman ]]; then # Podman does not support both tag and digest @@ -82,7 +82,7 @@ if [[ "$DOCKER_IN_DOCKER_ENABLED" == "true" ]]; then echo "..reached DIND check TRUE block, inside run-in-docker.sh" echo "FLAGS=$FLAGS" #go env - go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.19.1 + go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.20.2 find / -type f -name ginkgo 2>/dev/null which ginkgo /bin/bash -c "${FLAGS}" diff --git a/build/run-ingress-controller.sh b/build/run-ingress-controller.sh index 29338241f..99f598b1f 100755 --- a/build/run-ingress-controller.sh +++ b/build/run-ingress-controller.sh @@ -49,7 +49,7 @@ fi SSL_VOLUME=$(mktemp -d) function cleanup { - echo -e "${BGREEN}Stoping kubectl proxy${NC}" + echo -e "${BGREEN}Stopping kubectl proxy${NC}" rm -rf "${SSL_VOLUME}" kill "$proxy_pid" } diff --git a/changelog/controller-1.10.4.md b/changelog/controller-1.10.4.md new file mode 100644 index 000000000..9a4e8025b --- /dev/null +++ b/changelog/controller-1.10.4.md @@ -0,0 +1,53 @@ +# Changelog + +### controller-v1.10.4 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.10.4@sha256:505b9048c02dde3d6c8667bf0b52aba7b36adf7b03da34c47d5fa312d2d4c6fc +* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.4@sha256:bf71acf6e71830a4470e2183e3bc93c4f006b954f8a05fb434242ef0f8a24858 + +### All changes: + +* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11811) +* Images: Trigger controller build. (#11808) +* Tests & Docs: Bump images. (#11804) +* Images: Trigger failed builds. (#11801) +* Images: Trigger other builds. (#11797) +* Controller: Fix panic in alternative backend merging. (#11793) +* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11791) +* Images: Trigger `test-runner` build. (#11786) +* Images: Bump `NGINX_BASE` to v0.0.12. (#11783) +* Images: Trigger NGINX build. (#11780) +* Cloud Build: Add missing config, remove unused ones. (#11776) +* Generate correct output on NumCPU() when using cgroups2 (#11775) +* Cloud Build: Tweak timeouts. (#11762) +* Cloud Build: Fix substitutions. (#11759) +* Cloud Build: Some chores. (#11756) +* Go: Bump to v1.22.6. (#11748) +* Images: Bump `NGINX_BASE` to v0.0.11. (#11744) +* Images: Trigger NGINX build. (#11736) +* docs: update OpenSSL Roadmap link (#11734) +* Go: Bump to v1.22.5. (#11731) +* Docs: Fix typo in AWS LB Controller reference (#11724) +* Perform some cleaning operations on line breaks. (#11722) +* Missing anchors in regular expression. (#11718) +* Docs: Fix `from-to-www` redirect description. (#11715) +* Chart: Remove `isControllerTagValid`. (#11714) +* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11704) +* Docs: Clarify `from-to-www` redirect direction. (#11692) +* added real-client-ip faq (#11665) +* Docs: Format NGINX configuration table. (#11660) + +### Dependency updates: + +* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11772) +* Bump the all group with 2 updates (#11770) +* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11768) +* Bump the all group with 3 updates (#11729) +* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11700) +* Bump the all group with 2 updates (#11697) +* Bump the all group with 4 updates (#11676) +* Bump the all group with 2 updates (#11674) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.3...controller-v1.10.4 diff --git a/changelog/controller-1.11.0.md b/changelog/controller-1.11.0.md index 34330c441..d462f9574 100644 --- a/changelog/controller-1.11.0.md +++ b/changelog/controller-1.11.0.md @@ -94,7 +94,7 @@ Images: * Chart: Improve IngressClass documentation. (#11104) * Chart: Deploy `PodDisruptionBudget` with KEDA. (#11032) * Undo #11062 since it breaks the nginx config (#11082) -* [mTLS] Fix acme verfication when mTLS and Client CN verification is enabled (#11062) +* [mTLS] Fix acme verification when mTLS and Client CN verification is enabled (#11062) * golangci-lint update, ci cleanup, group dependabot updates (#11071) * bump golang (#11070) * feature(leader_election): flag to disable leader election feature on controller (#11064) diff --git a/changelog/controller-1.11.2.md b/changelog/controller-1.11.2.md new file mode 100644 index 000000000..0979af15d --- /dev/null +++ b/changelog/controller-1.11.2.md @@ -0,0 +1,54 @@ +# Changelog + +### controller-v1.11.2 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce +* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.2@sha256:21b55a2f0213a18b91612a8c0850167e00a8e34391fd595139a708f9c047e7a8 + +### All changes: + +* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11812) +* Images: Trigger controller build. (#11807) +* Tests & Docs: Bump images. (#11805) +* Images: Trigger failed builds. (#11802) +* Images: Trigger other builds. (#11798) +* Controller: Fix panic in alternative backend merging. (#11794) +* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11792) +* Images: Trigger `test-runner` build. (#11787) +* Images: Bump `NGINX_BASE` to v0.0.12. (#11784) +* Images: Trigger NGINX build. (#11781) +* Cloud Build: Add missing config, remove unused ones. (#11777) +* Generate correct output on NumCPU() when using cgroups2 (#11778) +* Cloud Build: Tweak timeouts. (#11763) +* Cloud Build: Fix substitutions. (#11760) +* Cloud Build: Some chores. (#11757) +* Go: Bump to v1.22.6. (#11749) +* Images: Bump `NGINX_BASE` to v0.0.11. (#11743) +* Images: Trigger NGINX build. (#11737) +* docs: update OpenSSL Roadmap link (#11733) +* Go: Bump to v1.22.5. (#11732) +* Docs: Fix typo in AWS LB Controller reference (#11725) +* Perform some cleaning operations on line breaks. (#11721) +* Missing anchors in regular expression. (#11719) +* Docs: Fix `from-to-www` redirect description. (#11716) +* Chart: Remove `isControllerTagValid`. (#11713) +* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11705) +* Docs: Clarify `from-to-www` redirect direction. (#11693) +* added real-client-ip faq (#11664) +* Docs: Format NGINX configuration table. (#11662) +* Docs: Update version in `deploy/index.md`. (#11652) + +### Dependency updates: + +* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11773) +* Bump the all group with 2 updates (#11771) +* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11769) +* Bump the all group with 3 updates (#11728) +* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11701) +* Bump the all group with 2 updates (#11698) +* Bump the all group with 4 updates (#11677) +* Bump the all group with 2 updates (#11675) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.1...controller-v1.11.2 diff --git a/changelog/controller-1.6.4.md b/changelog/controller-1.6.4.md index 256e5ec09..15b3f671a 100644 --- a/changelog/controller-1.6.4.md +++ b/changelog/controller-1.6.4.md @@ -83,7 +83,7 @@ Images: * ModSecurity dependencies update to avoid Memory Leaks (#9330) * fix(hpa): deprecated api version, bump to v2 (#9348) * fix(typo): pluralize provider (#9346) -* removed deprecation messsage for ingressClass annotation (#9357) +* removed deprecation message for ingressClass annotation (#9357) * added ginkgo junit reports (#9350) * Fix typos found by codespell (#9353) * bumped ginkgo to v2.5.1 in testrunner (#9340) diff --git a/changelog/controller-1.7.1.md b/changelog/controller-1.7.1.md index 632ffe963..a7a5c4bbf 100644 --- a/changelog/controller-1.7.1.md +++ b/changelog/controller-1.7.1.md @@ -15,7 +15,7 @@ Images: * Add support for --container flag (#9703) * Fix typo in OpenTelemetry (#9903) * ensure make lua-test runs locally (#9902) -* update k8s.io dependecies to v0.26.4 (#9893) +* update k8s.io dependencies to v0.26.4 (#9893) * Adding resource type to default HPA configuration to resolve issues with Terraform helm chart usage (#9803) * I have not been able to fulfill my maintainer responsibilities for a while already, making it official now. (#9883) * Update k8s versions (#9879) diff --git a/changelog/controller-1.8.0.md b/changelog/controller-1.8.0.md index 48b4cdefa..f335777d6 100644 --- a/changelog/controller-1.8.0.md +++ b/changelog/controller-1.8.0.md @@ -39,7 +39,7 @@ on our new [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernet * Correct annotations in monitoring docs (#9976) * fix: avoid builds and tests for changes to markdown (#9962) * Validate path types (#9967) -* HPA: Use capabilites & align manifests. (#9521) +* HPA: Use capabilities & align manifests. (#9521) * Use dl.k8s.io instead of hardcoded GCS URIs (#9946) * add option for annotations in PodDisruptionBudget (#9843) * chore: update httpbin to httpbun (#9919) diff --git a/changelog/controller-1.9.0-beta.0.md b/changelog/controller-1.9.0-beta.0.md index 79ecf596e..5ca5cfeeb 100644 --- a/changelog/controller-1.9.0-beta.0.md +++ b/changelog/controller-1.9.0-beta.0.md @@ -26,7 +26,7 @@ Images: * Add golangci github action and replace the deprecated golint (#10187) * BUGFIX incorrect indentation (#10254) * Upgrade OpenTelemetry to v1.11.0 and gRPC to v1.57.0 (#10352) -* fix: path with sepecial characters warning #10281 #10308 (#10330) +* fix: path with special characters warning #10281 #10308 (#10330) * Fix golangci-lint errors (#10196) * chore(build): Fix Run make dev-env syntax error (#10294) * Add firewall configuration to quick start documentation (#10357) diff --git a/changelog/controller-1.9.0.md b/changelog/controller-1.9.0.md index 25442894f..d6b000acc 100644 --- a/changelog/controller-1.9.0.md +++ b/changelog/controller-1.9.0.md @@ -26,7 +26,7 @@ Images: * Add golangci github action and replace the deprecated golint (#10187) * BUGFIX incorrect indentation (#10254) * Upgrade OpenTelemetry to v1.11.0 and gRPC to v1.57.0 (#10352) -* fix: path with sepecial characters warning #10281 #10308 (#10330) +* fix: path with special characters warning #10281 #10308 (#10330) * Fix golangci-lint errors (#10196) * chore(build): Fix Run make dev-env syntax error (#10294) * Add firewall configuration to quick start documentation (#10357) diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index 62c880fc9..fd7b81030 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml @@ -1,9 +1,9 @@ annotations: artifacthub.io/changes: | - - Update Ingress-Nginx version controller-v1.11.1 + - Update Ingress-Nginx version controller-v1.11.2 artifacthub.io/prerelease: "false" apiVersion: v2 -appVersion: 1.11.1 +appVersion: 1.11.2 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer home: https://github.com/kubernetes/ingress-nginx @@ -22,4 +22,4 @@ maintainers: name: ingress-nginx sources: - https://github.com/kubernetes/ingress-nginx -version: 4.11.1 +version: 4.11.2 diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 64abf33cc..5475aaa79 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.11.1](https://img.shields.io/badge/Version-4.11.1-informational?style=flat-square) ![AppVersion: 1.11.1](https://img.shields.io/badge/AppVersion-1.11.1-informational?style=flat-square) +![Version: 4.11.2](https://img.shields.io/badge/Version-4.11.2-informational?style=flat-square) ![AppVersion: 1.11.2](https://img.shields.io/badge/AppVersion-1.11.2-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. @@ -244,7 +244,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.admissionWebhooks.createSecretJob.resources | object | `{}` | | | controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers | | controller.admissionWebhooks.enabled | bool | `true` | | -| controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one | | controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set | | controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use | | controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` | | @@ -253,11 +252,10 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.admissionWebhooks.namespaceSelector | object | `{}` | | | controller.admissionWebhooks.objectSelector | object | `{}` | | | controller.admissionWebhooks.patch.enabled | bool | `true` | | -| controller.admissionWebhooks.patch.image.digest | string | `"sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366"` | | +| controller.admissionWebhooks.patch.image.digest | string | `"sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f"` | | | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | | | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | | -| controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | | -| controller.admissionWebhooks.patch.image.tag | string | `"v1.4.1"` | | +| controller.admissionWebhooks.patch.image.tag | string | `"v1.4.4"` | | | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources | | controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | @@ -304,15 +302,14 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. | | controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' | | controller.electionTTL | string | `""` | Duration a leader election is valid before it's getting re-elected, e.g. `15s`, `10m` or `1h`. (Default: 30s) | -| controller.enableAnnotationValidations | bool | `false` | | +| controller.enableAnnotationValidations | bool | `true` | | | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # | | controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false | -| controller.existingPsp | string | `""` | Use an existing PSP instead of creating one | | controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use | | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. | | controller.extraEnvs | list | `[]` | Additional environment variables to set | | controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. | -| controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module | +| controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. | | controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. | | controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. | | controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. | @@ -325,17 +322,16 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.image.allowPrivilegeEscalation | bool | `false` | | | controller.image.chroot | bool | `false` | | -| controller.image.digest | string | `"sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a"` | | -| controller.image.digestChroot | string | `"sha256:7cabe4bd7558bfdf5b707976d7be56fd15ffece735d7c90fc238b6eda290fd8d"` | | +| controller.image.digest | string | `"sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce"` | | +| controller.image.digestChroot | string | `"sha256:21b55a2f0213a18b91612a8c0850167e00a8e34391fd595139a708f9c047e7a8"` | | | controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.readOnlyRootFilesystem | bool | `false` | | -| controller.image.registry | string | `"registry.k8s.io"` | | | controller.image.runAsGroup | int | `82` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) | | controller.image.runAsNonRoot | bool | `true` | | | controller.image.runAsUser | int | `101` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) | | controller.image.seccompProfile.type | string | `"RuntimeDefault"` | | -| controller.image.tag | string | `"v1.11.1"` | | +| controller.image.tag | string | `"v1.11.2"` | | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassResource | object | `{"aliases":[],"annotations":{},"controllerValue":"k8s.io/ingress-nginx","default":false,"enabled":true,"name":"nginx","parameters":{}}` | This section refers to the creation of the IngressClass resource. IngressClasses are immutable and cannot be changed after creation. We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required. | @@ -367,21 +363,23 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.livenessProbe.periodSeconds | int | `10` | | | controller.livenessProbe.successThreshold | int | `1` | | | controller.livenessProbe.timeoutSeconds | int | `1` | | -| controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. # https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases | +| controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. # https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/ | | controller.metrics.enabled | bool | `false` | | | controller.metrics.port | int | `10254` | | | controller.metrics.portName | string | `"metrics"` | | | controller.metrics.prometheusRule.additionalLabels | object | `{}` | | +| controller.metrics.prometheusRule.annotations | object | `{}` | Annotations to be added to the PrometheusRule. | | controller.metrics.prometheusRule.enabled | bool | `false` | | | controller.metrics.prometheusRule.rules | list | `[]` | | | controller.metrics.service.annotations | object | `{}` | | +| controller.metrics.service.enabled | bool | `true` | Enable the metrics service or not. | | controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # | | controller.metrics.service.labels | object | `{}` | Labels to be added to the metrics service resource | | controller.metrics.service.loadBalancerSourceRanges | list | `[]` | | | controller.metrics.service.servicePort | int | `10254` | | | controller.metrics.service.type | string | `"ClusterIP"` | | | controller.metrics.serviceMonitor.additionalLabels | object | `{}` | | -| controller.metrics.serviceMonitor.annotations | object | `{}` | | +| controller.metrics.serviceMonitor.annotations | object | `{}` | Annotations to be added to the ServiceMonitor. | | controller.metrics.serviceMonitor.enabled | bool | `false` | | | controller.metrics.serviceMonitor.metricRelabelings | list | `[]` | | | controller.metrics.serviceMonitor.namespace | string | `""` | | @@ -394,25 +392,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.name | string | `"controller"` | | | controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # | -| controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | -| controller.opentelemetry.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | | -| controller.opentelemetry.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | | -| controller.opentelemetry.containerSecurityContext.runAsGroup | int | `65532` | | -| controller.opentelemetry.containerSecurityContext.runAsNonRoot | bool | `true` | | -| controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. | -| controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | | -| controller.opentelemetry.enabled | bool | `false` | | -| controller.opentelemetry.image.digest | string | `"sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` | | -| controller.opentelemetry.image.distroless | bool | `true` | | -| controller.opentelemetry.image.image | string | `"ingress-nginx/opentelemetry"` | | -| controller.opentelemetry.image.registry | string | `"registry.k8s.io"` | | -| controller.opentelemetry.image.tag | string | `"v20230721-3e2062ee5"` | | -| controller.opentelemetry.name | string | `"opentelemetry"` | | -| controller.opentelemetry.resources | object | `{}` | | | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # | | controller.podLabels | object | `{}` | Labels to add to the pod container metadata | | controller.podSecurityContext | object | `{}` | Security context for controller pods | | controller.priorityClassName | string | `""` | | +| controller.progressDeadlineSeconds | int | `0` | Specifies the number of seconds you want to wait for the controller deployment to progress before the system reports back that it has failed. Ref.: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds | | controller.proxySetHeaders | object | `{}` | Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers | | controller.publishService | object | `{"enabled":true,"pathOverride":""}` | Allows customization of the source of the IP address or FQDN to report in the ingress status field. By default, it reads the information provided by the service. If disable, the status field reports the IP address of the node or nodes where an ingress controller pod is running. | | controller.publishService.enabled | bool | `true` | Enable 'publishService' or not | @@ -485,6 +469,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. # Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ # | | controller.udp.annotations | object | `{}` | Annotations to be added to the udp config configmap | | controller.udp.configMapNamespace | string | `""` | Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) | +| controller.unhealthyPodEvictionPolicy | string | `""` | Eviction policy for unhealthy pods guarded by PodDisruptionBudget. Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ | | controller.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # | | controller.watchIngressWithoutClass | bool | `false` | Process Ingress objects without ingressClass annotation/ingressClassName field Overrides value for --watch-ingress-without-class flag of the controller binary Defaults to false | | defaultBackend.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity | @@ -496,7 +481,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` | | | defaultBackend.containerSecurityContext | object | `{}` | Security context for default backend containers | | defaultBackend.enabled | bool | `false` | | -| defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one | | defaultBackend.extraArgs | object | `{}` | | | defaultBackend.extraConfigMaps | list | `[]` | | | defaultBackend.extraEnvs | list | `[]` | Additional environment variables to set for defaultBackend pods | @@ -506,7 +490,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.image.image | string | `"defaultbackend-amd64"` | | | defaultBackend.image.pullPolicy | string | `"IfNotPresent"` | | | defaultBackend.image.readOnlyRootFilesystem | bool | `true` | | -| defaultBackend.image.registry | string | `"registry.k8s.io"` | | | defaultBackend.image.runAsGroup | int | `65534` | | | defaultBackend.image.runAsNonRoot | bool | `true` | | | defaultBackend.image.runAsUser | int | `65534` | | @@ -518,7 +501,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.livenessProbe.periodSeconds | int | `10` | | | defaultBackend.livenessProbe.successThreshold | int | `1` | | | defaultBackend.livenessProbe.timeoutSeconds | int | `5` | | -| defaultBackend.minAvailable | int | `1` | | +| defaultBackend.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. | | defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | defaultBackend.name | string | `"defaultbackend"` | | | defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | @@ -545,11 +528,12 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.serviceAccount.name | string | `""` | | | defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # | | defaultBackend.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. Ref.: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ | +| defaultBackend.unhealthyPodEvictionPolicy | string | `""` | Eviction policy for unhealthy pods guarded by PodDisruptionBudget. Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ | | defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # | | dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param | +| global.image.registry | string | `"registry.k8s.io"` | Registry host to pull images from. | | imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | | namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace | -| podSecurityPolicy.enabled | bool | `false` | | | portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration | | rbac.create | bool | `true` | | | rbac.scope | bool | `false` | | diff --git a/charts/ingress-nginx/changelog/helm-chart-4.1.2.md b/charts/ingress-nginx/changelog/helm-chart-4.1.2.md index 0a1d80cf1..20618557f 100644 --- a/charts/ingress-nginx/changelog/helm-chart-4.1.2.md +++ b/charts/ingress-nginx/changelog/helm-chart-4.1.2.md @@ -5,7 +5,7 @@ This file documents all notable changes to [ingress-nginx](https://github.com/ku ### 4.1.2 * [8587](https://github.com/kubernetes/ingress-nginx/pull/8587) Add CAP_SYS_CHROOT to DS/PSP when needed -* [8458](https://github.com/kubernetes/ingress-nginx/pull/8458) Add portNamePreffix Helm chart parameter +* [8458](https://github.com/kubernetes/ingress-nginx/pull/8458) Add portNamePrefix Helm chart parameter * [8522](https://github.com/kubernetes/ingress-nginx/pull/8522) Add documentation for controller.service.loadBalancerIP in Helm chart **Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.1.0...helm-chart-4.1.2 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.10.4.md b/charts/ingress-nginx/changelog/helm-chart-4.10.4.md new file mode 100644 index 000000000..661d3c9bb --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.10.4.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.10.4 + +* Update Ingress-Nginx version controller-v1.10.4 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.3...helm-chart-4.10.4 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.11.2.md b/charts/ingress-nginx/changelog/helm-chart-4.11.2.md new file mode 100644 index 000000000..c7645a5b6 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.11.2.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.11.2 + +* Update Ingress-Nginx version controller-v1.11.2 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.1...helm-chart-4.11.2 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.7.0.md b/charts/ingress-nginx/changelog/helm-chart-4.7.0.md index 7399da777..9d5407053 100644 --- a/charts/ingress-nginx/changelog/helm-chart-4.7.0.md +++ b/charts/ingress-nginx/changelog/helm-chart-4.7.0.md @@ -6,7 +6,7 @@ This file documents all notable changes to [ingress-nginx](https://github.com/ku * helm: Fix opentelemetry module installation for daemonset (#9792) * Update charts/* to keep project name display aligned (#9931) -* HPA: Use capabilites & align manifests. (#9521) +* HPA: Use capabilities & align manifests. (#9521) * PodDisruptionBudget spec logic update (#9904) * add option for annotations in PodDisruptionBudget (#9843) * Update Ingress-Nginx version controller-v1.8.0 diff --git a/charts/ingress-nginx/ci/deamonset-default-values.yaml b/charts/ingress-nginx/ci/admission-webhooks-cert-manager-values.yaml similarity index 79% rename from charts/ingress-nginx/ci/deamonset-default-values.yaml rename to charts/ingress-nginx/ci/admission-webhooks-cert-manager-values.yaml index 82fa23e85..7eafd0c5b 100644 --- a/charts/ingress-nginx/ci/deamonset-default-values.yaml +++ b/charts/ingress-nginx/ci/admission-webhooks-cert-manager-values.yaml @@ -1,10 +1,12 @@ controller: - kind: DaemonSet image: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - admissionWebhooks: - enabled: false + service: type: ClusterIP + + admissionWebhooks: + certManager: + enabled: true diff --git a/charts/ingress-nginx/ci/controller-admission-tls-cert-manager-values.yaml b/charts/ingress-nginx/ci/controller-admission-tls-cert-manager-values.yaml deleted file mode 100644 index a13241cd4..000000000 --- a/charts/ingress-nginx/ci/controller-admission-tls-cert-manager-values.yaml +++ /dev/null @@ -1,6 +0,0 @@ -controller: - admissionWebhooks: - certManager: - enabled: true - service: - type: ClusterIP diff --git a/charts/ingress-nginx/ci/deployment-default-values.yaml b/charts/ingress-nginx/ci/controller-configmap-addheaders-values.yaml similarity index 76% rename from charts/ingress-nginx/ci/deployment-default-values.yaml rename to charts/ingress-nginx/ci/controller-configmap-addheaders-values.yaml index 9f46b4e7e..460a610ba 100644 --- a/charts/ingress-nginx/ci/deployment-default-values.yaml +++ b/charts/ingress-nginx/ci/controller-configmap-addheaders-values.yaml @@ -1,8 +1,11 @@ -# Left blank to test default values controller: image: repository: ingress-controller/controller tag: 1.0.0-dev digest: null + service: type: ClusterIP + + addHeaders: + X-Frame-Options: deny diff --git a/charts/ingress-nginx/ci/controller-configmap-proxyheaders-values.yaml b/charts/ingress-nginx/ci/controller-configmap-proxyheaders-values.yaml new file mode 100644 index 000000000..e23a13c0c --- /dev/null +++ b/charts/ingress-nginx/ci/controller-configmap-proxyheaders-values.yaml @@ -0,0 +1,11 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + + service: + type: ClusterIP + + proxySetHeaders: + X-Forwarded-Proto: https diff --git a/charts/ingress-nginx/ci/controller-configmap-values.yaml b/charts/ingress-nginx/ci/controller-configmap-values.yaml new file mode 100644 index 000000000..a7029895c --- /dev/null +++ b/charts/ingress-nginx/ci/controller-configmap-values.yaml @@ -0,0 +1,11 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + + service: + type: ClusterIP + + config: + use-proxy-protocol: "true" diff --git a/charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml b/charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml deleted file mode 100644 index b28a2326e..000000000 --- a/charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml +++ /dev/null @@ -1,7 +0,0 @@ -controller: - watchIngressWithoutClass: true - ingressClassResource: - name: custom-nginx - enabled: true - default: true - controllerValue: "k8s.io/custom-nginx" diff --git a/charts/ingress-nginx/ci/deamonset-webhook-values.yaml b/charts/ingress-nginx/ci/controller-daemonset-metrics-values.yaml similarity index 89% rename from charts/ingress-nginx/ci/deamonset-webhook-values.yaml rename to charts/ingress-nginx/ci/controller-daemonset-metrics-values.yaml index 54d364df1..7a98580cd 100644 --- a/charts/ingress-nginx/ci/deamonset-webhook-values.yaml +++ b/charts/ingress-nginx/ci/controller-daemonset-metrics-values.yaml @@ -1,10 +1,13 @@ controller: - kind: DaemonSet image: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - admissionWebhooks: - enabled: true + service: type: ClusterIP + + kind: DaemonSet + + metrics: + enabled: true diff --git a/charts/ingress-nginx/ci/daemonset-podannotations-values.yaml b/charts/ingress-nginx/ci/controller-daemonset-podannotations-values.yaml similarity index 81% rename from charts/ingress-nginx/ci/daemonset-podannotations-values.yaml rename to charts/ingress-nginx/ci/controller-daemonset-podannotations-values.yaml index 0b55306a1..405992ef3 100644 --- a/charts/ingress-nginx/ci/daemonset-podannotations-values.yaml +++ b/charts/ingress-nginx/ci/controller-daemonset-podannotations-values.yaml @@ -1,17 +1,16 @@ controller: - kind: DaemonSet image: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - admissionWebhooks: - enabled: false - metrics: - enabled: true + service: type: ClusterIP + + kind: DaemonSet + podAnnotations: - prometheus.io/path: /metrics + prometheus.io/scrape: "true" prometheus.io/port: "10254" prometheus.io/scheme: http - prometheus.io/scrape: "true" + prometheus.io/path: /metrics diff --git a/charts/ingress-nginx/ci/deployment-psp-values.yaml b/charts/ingress-nginx/ci/controller-daemonset-values.yaml similarity index 79% rename from charts/ingress-nginx/ci/deployment-psp-values.yaml rename to charts/ingress-nginx/ci/controller-daemonset-values.yaml index 2f332a7b2..d34025c80 100644 --- a/charts/ingress-nginx/ci/deployment-psp-values.yaml +++ b/charts/ingress-nginx/ci/controller-daemonset-values.yaml @@ -3,8 +3,8 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null + service: type: ClusterIP -podSecurityPolicy: - enabled: true + kind: DaemonSet diff --git a/charts/ingress-nginx/ci/deployment-webhook-values.yaml b/charts/ingress-nginx/ci/controller-deployment-metrics-values.yaml similarity index 82% rename from charts/ingress-nginx/ci/deployment-webhook-values.yaml rename to charts/ingress-nginx/ci/controller-deployment-metrics-values.yaml index 76669a530..9c95d347c 100644 --- a/charts/ingress-nginx/ci/deployment-webhook-values.yaml +++ b/charts/ingress-nginx/ci/controller-deployment-metrics-values.yaml @@ -3,7 +3,11 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - admissionWebhooks: - enabled: true + service: type: ClusterIP + + kind: Deployment + + metrics: + enabled: true diff --git a/charts/ingress-nginx/ci/deployment-podannotations-values.yaml b/charts/ingress-nginx/ci/controller-deployment-podannotations-values.yaml similarity index 80% rename from charts/ingress-nginx/ci/deployment-podannotations-values.yaml rename to charts/ingress-nginx/ci/controller-deployment-podannotations-values.yaml index b48d93c46..cf1f2611e 100644 --- a/charts/ingress-nginx/ci/deployment-podannotations-values.yaml +++ b/charts/ingress-nginx/ci/controller-deployment-podannotations-values.yaml @@ -3,14 +3,14 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - admissionWebhooks: - enabled: false - metrics: - enabled: true + service: type: ClusterIP + + kind: Deployment + podAnnotations: - prometheus.io/path: /metrics + prometheus.io/scrape: "true" prometheus.io/port: "10254" prometheus.io/scheme: http - prometheus.io/scrape: "true" + prometheus.io/path: /metrics diff --git a/charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml b/charts/ingress-nginx/ci/controller-deployment-values.yaml similarity index 79% rename from charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml rename to charts/ingress-nginx/ci/controller-deployment-values.yaml index fb3ef4446..1b092dc0c 100644 --- a/charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml +++ b/charts/ingress-nginx/ci/controller-deployment-values.yaml @@ -3,7 +3,8 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null + service: type: ClusterIP - opentelemetry: - enabled: true + + kind: Deployment diff --git a/charts/ingress-nginx/ci/deployment-autoscaling-behavior-values.yaml b/charts/ingress-nginx/ci/controller-hpa-values.yaml similarity index 71% rename from charts/ingress-nginx/ci/deployment-autoscaling-behavior-values.yaml rename to charts/ingress-nginx/ci/controller-hpa-values.yaml index dca3f35f8..54a0d2f75 100644 --- a/charts/ingress-nginx/ci/deployment-autoscaling-behavior-values.yaml +++ b/charts/ingress-nginx/ci/controller-hpa-values.yaml @@ -1,4 +1,12 @@ controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + + service: + type: ClusterIP + autoscaling: enabled: true behavior: @@ -8,7 +16,3 @@ controller: - type: Pods value: 1 periodSeconds: 180 - admissionWebhooks: - enabled: false - service: - type: ClusterIP diff --git a/charts/ingress-nginx/ci/controller-ingressclass-values.yaml b/charts/ingress-nginx/ci/controller-ingressclass-values.yaml new file mode 100644 index 000000000..c06429f97 --- /dev/null +++ b/charts/ingress-nginx/ci/controller-ingressclass-values.yaml @@ -0,0 +1,15 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + + service: + type: ClusterIP + + ingressClassResource: + name: custom-nginx + default: true + controllerValue: k8s.io/custom-nginx + + watchIngressWithoutClass: true diff --git a/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml b/charts/ingress-nginx/ci/controller-service-internal-values.yaml similarity index 81% rename from charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml rename to charts/ingress-nginx/ci/controller-service-internal-values.yaml index 0a200a746..11108fbce 100644 --- a/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml +++ b/charts/ingress-nginx/ci/controller-service-internal-values.yaml @@ -1,13 +1,12 @@ controller: - kind: DaemonSet image: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - admissionWebhooks: - enabled: false + service: type: ClusterIP + internal: enabled: true annotations: diff --git a/charts/ingress-nginx/ci/deployment-customnodeport-values.yaml b/charts/ingress-nginx/ci/controller-service-values.yaml similarity index 69% rename from charts/ingress-nginx/ci/deployment-customnodeport-values.yaml rename to charts/ingress-nginx/ci/controller-service-values.yaml index a564eaf93..9039368c2 100644 --- a/charts/ingress-nginx/ci/deployment-customnodeport-values.yaml +++ b/charts/ingress-nginx/ci/controller-service-values.yaml @@ -3,18 +3,20 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - admissionWebhooks: - enabled: false + service: type: NodePort + nodePorts: tcp: 9000: 30090 udp: 9001: 30091 +portNamePrefix: port + tcp: - 9000: "default/test:8080" + 9000: default/test:8080 udp: - 9001: "default/test:8080" + 9001: default/test:8080 diff --git a/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml b/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml deleted file mode 100644 index 4393a5bc0..000000000 --- a/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml +++ /dev/null @@ -1,14 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - kind: DaemonSet - allowSnippetAnnotations: false - admissionWebhooks: - enabled: false - service: - type: ClusterIP - - config: - use-proxy-protocol: "true" diff --git a/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml b/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml deleted file mode 100644 index 1d94be219..000000000 --- a/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml +++ /dev/null @@ -1,22 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - - service: - type: NodePort - nodePorts: - tcp: - 9000: 30090 - udp: - 9001: 30091 - -tcp: - 9000: "default/test:8080" - -udp: - 9001: "default/test:8080" diff --git a/charts/ingress-nginx/ci/daemonset-extra-modules.yaml b/charts/ingress-nginx/ci/daemonset-extra-modules.yaml deleted file mode 100644 index 52a32fcbd..000000000 --- a/charts/ingress-nginx/ci/daemonset-extra-modules.yaml +++ /dev/null @@ -1,13 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - service: - type: ClusterIP - extraModules: - - name: opentelemetry - image: - registry: registry.k8s.io - image: busybox - tag: latest diff --git a/charts/ingress-nginx/ci/daemonset-headers-values.yaml b/charts/ingress-nginx/ci/daemonset-headers-values.yaml deleted file mode 100644 index ab7d47bd4..000000000 --- a/charts/ingress-nginx/ci/daemonset-headers-values.yaml +++ /dev/null @@ -1,14 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - addHeaders: - X-Frame-Options: deny - proxySetHeaders: - X-Forwarded-Proto: https - service: - type: ClusterIP diff --git a/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml b/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml deleted file mode 100644 index 3b7aa2fcd..000000000 --- a/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml +++ /dev/null @@ -1,10 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - service: - type: NodePort diff --git a/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml b/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml deleted file mode 100644 index acd86a77a..000000000 --- a/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml +++ /dev/null @@ -1,20 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - service: - type: ClusterIP - tcp: - configMapNamespace: default - udp: - configMapNamespace: default - -tcp: - 9000: "default/test:8080" - -udp: - 9001: "default/test:8080" diff --git a/charts/ingress-nginx/ci/daemonset-tcp-udp-portNamePrefix-values.yaml b/charts/ingress-nginx/ci/daemonset-tcp-udp-portNamePrefix-values.yaml deleted file mode 100644 index 90b0f57a5..000000000 --- a/charts/ingress-nginx/ci/daemonset-tcp-udp-portNamePrefix-values.yaml +++ /dev/null @@ -1,18 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - service: - type: ClusterIP - -tcp: - 9000: "default/test:8080" - -udp: - 9001: "default/test:8080" - -portNamePrefix: "port" diff --git a/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml b/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml deleted file mode 100644 index 25ee64d85..000000000 --- a/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml +++ /dev/null @@ -1,16 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - service: - type: ClusterIP - -tcp: - 9000: "default/test:8080" - -udp: - 9001: "default/test:8080" diff --git a/charts/ingress-nginx/ci/daemonset-tcp-values.yaml b/charts/ingress-nginx/ci/daemonset-tcp-values.yaml deleted file mode 100644 index 380c8b4b1..000000000 --- a/charts/ingress-nginx/ci/daemonset-tcp-values.yaml +++ /dev/null @@ -1,14 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - service: - type: ClusterIP - -tcp: - 9000: "default/test:8080" - 9001: "default/test:8080" diff --git a/charts/ingress-nginx/ci/deamonset-metrics-values.yaml b/charts/ingress-nginx/ci/deamonset-metrics-values.yaml deleted file mode 100644 index cb3cb54be..000000000 --- a/charts/ingress-nginx/ci/deamonset-metrics-values.yaml +++ /dev/null @@ -1,12 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - metrics: - enabled: true - service: - type: ClusterIP diff --git a/charts/ingress-nginx/ci/deamonset-psp-values.yaml b/charts/ingress-nginx/ci/deamonset-psp-values.yaml deleted file mode 100644 index 8026a6356..000000000 --- a/charts/ingress-nginx/ci/deamonset-psp-values.yaml +++ /dev/null @@ -1,13 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - service: - type: ClusterIP - -podSecurityPolicy: - enabled: true diff --git a/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml b/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml deleted file mode 100644 index fccdb134c..000000000 --- a/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml +++ /dev/null @@ -1,13 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: true - service: - type: ClusterIP - -podSecurityPolicy: - enabled: true diff --git a/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml b/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml deleted file mode 100644 index b8b3ac686..000000000 --- a/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml +++ /dev/null @@ -1,11 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - autoscaling: - enabled: true - admissionWebhooks: - enabled: false - service: - type: ClusterIP diff --git a/charts/ingress-nginx/ci/deployment-customconfig-values.yaml b/charts/ingress-nginx/ci/deployment-customconfig-values.yaml deleted file mode 100644 index 174941848..000000000 --- a/charts/ingress-nginx/ci/deployment-customconfig-values.yaml +++ /dev/null @@ -1,12 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - config: - use-proxy-protocol: "true" - allowSnippetAnnotations: false - admissionWebhooks: - enabled: false - service: - type: ClusterIP diff --git a/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml b/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml deleted file mode 100644 index 91b1b98a8..000000000 --- a/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml +++ /dev/null @@ -1,15 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - service: - type: ClusterIP - containerSecurityContext: - allowPrivilegeEscalation: false - extraModules: - - name: opentelemetry - image: - registry: registry.k8s.io - image: busybox - tag: latest diff --git a/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml b/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml deleted file mode 100644 index b6013c7d0..000000000 --- a/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml +++ /dev/null @@ -1,15 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - service: - type: ClusterIP - extraModules: - - name: opentelemetry - image: - registry: registry.k8s.io - image: busybox - tag: latest - containerSecurityContext: - allowPrivilegeEscalation: false diff --git a/charts/ingress-nginx/ci/deployment-extra-modules.yaml b/charts/ingress-nginx/ci/deployment-extra-modules.yaml deleted file mode 100644 index 2fbe1cc01..000000000 --- a/charts/ingress-nginx/ci/deployment-extra-modules.yaml +++ /dev/null @@ -1,13 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - service: - type: ClusterIP - extraModules: - - name: opentelemetry - image: - registry: registry.k8s.io - image: busybox - tag: latest diff --git a/charts/ingress-nginx/ci/deployment-headers-values.yaml b/charts/ingress-nginx/ci/deployment-headers-values.yaml deleted file mode 100644 index 17a11ac37..000000000 --- a/charts/ingress-nginx/ci/deployment-headers-values.yaml +++ /dev/null @@ -1,13 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - addHeaders: - X-Frame-Options: deny - proxySetHeaders: - X-Forwarded-Proto: https - service: - type: ClusterIP diff --git a/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml b/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml deleted file mode 100644 index 663ccb9d1..000000000 --- a/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml +++ /dev/null @@ -1,19 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - service: - type: ClusterIP - internal: - enabled: true - annotations: - service.beta.kubernetes.io/aws-load-balancer-internal: "true" - ports: - http: 443 - https: 80 - targetPorts: - http: 443 - https: 80 diff --git a/charts/ingress-nginx/ci/deployment-metrics-values.yaml b/charts/ingress-nginx/ci/deployment-metrics-values.yaml deleted file mode 100644 index 9209ad5a6..000000000 --- a/charts/ingress-nginx/ci/deployment-metrics-values.yaml +++ /dev/null @@ -1,11 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - metrics: - enabled: true - service: - type: ClusterIP diff --git a/charts/ingress-nginx/ci/deployment-nodeport-values.yaml b/charts/ingress-nginx/ci/deployment-nodeport-values.yaml deleted file mode 100644 index cd9b32352..000000000 --- a/charts/ingress-nginx/ci/deployment-nodeport-values.yaml +++ /dev/null @@ -1,9 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - service: - type: NodePort diff --git a/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml b/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml deleted file mode 100644 index c51a4e91f..000000000 --- a/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml +++ /dev/null @@ -1,19 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - service: - type: ClusterIP - tcp: - configMapNamespace: default - udp: - configMapNamespace: default - -tcp: - 9000: "default/test:8080" - -udp: - 9001: "default/test:8080" diff --git a/charts/ingress-nginx/ci/deployment-tcp-udp-portNamePrefix-values.yaml b/charts/ingress-nginx/ci/deployment-tcp-udp-portNamePrefix-values.yaml deleted file mode 100644 index 56323c5ee..000000000 --- a/charts/ingress-nginx/ci/deployment-tcp-udp-portNamePrefix-values.yaml +++ /dev/null @@ -1,17 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - service: - type: ClusterIP - -tcp: - 9000: "default/test:8080" - -udp: - 9001: "default/test:8080" - -portNamePrefix: "port" diff --git a/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml b/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml deleted file mode 100644 index 5b45b69dc..000000000 --- a/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml +++ /dev/null @@ -1,15 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - service: - type: ClusterIP - -tcp: - 9000: "default/test:8080" - -udp: - 9001: "default/test:8080" diff --git a/charts/ingress-nginx/ci/deployment-tcp-values.yaml b/charts/ingress-nginx/ci/deployment-tcp-values.yaml deleted file mode 100644 index ac0b6e60e..000000000 --- a/charts/ingress-nginx/ci/deployment-tcp-values.yaml +++ /dev/null @@ -1,11 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - service: - type: ClusterIP - -tcp: - 9000: "default/test:8080" - 9001: "default/test:8080" diff --git a/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml b/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml deleted file mode 100644 index 6195bb339..000000000 --- a/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml +++ /dev/null @@ -1,12 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: true - service: - type: ClusterIP - -podSecurityPolicy: - enabled: true diff --git a/charts/ingress-nginx/ci/deployment-webhook-extraEnvs-values.yaml b/charts/ingress-nginx/ci/deployment-webhook-extraEnvs-values.yaml deleted file mode 100644 index 95487b071..000000000 --- a/charts/ingress-nginx/ci/deployment-webhook-extraEnvs-values.yaml +++ /dev/null @@ -1,12 +0,0 @@ -controller: - service: - type: ClusterIP - admissionWebhooks: - enabled: true - extraEnvs: - - name: FOO - value: foo - - name: TEST - value: test - patch: - enabled: true diff --git a/charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml b/charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml deleted file mode 100644 index 49ebbb02c..000000000 --- a/charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml +++ /dev/null @@ -1,23 +0,0 @@ -controller: - service: - type: ClusterIP - admissionWebhooks: - enabled: true - createSecretJob: - resources: - limits: - cpu: 10m - memory: 20Mi - requests: - cpu: 10m - memory: 20Mi - patchWebhookJob: - resources: - limits: - cpu: 10m - memory: 20Mi - requests: - cpu: 10m - memory: 20Mi - patch: - enabled: true diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl index 271227cf0..6cbda2d4d 100644 --- a/charts/ingress-nginx/templates/_helpers.tpl +++ b/charts/ingress-nginx/templates/_helpers.tpl @@ -204,7 +204,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- end -}} {{/* -Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +Create the name of the default backend service account to use */}} {{- define "ingress-nginx.defaultBackend.serviceAccountName" -}} {{- if .Values.defaultBackend.serviceAccount.create -}} @@ -235,26 +235,6 @@ readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem } {{- end -}} {{- end -}} -{{/* -Return the appropriate apiGroup for PodSecurityPolicy. -*/}} -{{- define "podSecurityPolicy.apiGroup" -}} -{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "policy" -}} -{{- else -}} -{{- print "extensions" -}} -{{- end -}} -{{- end -}} - -{{/* -Check the ingress controller version tag is at most three versions behind the last release -*/}} -{{- define "isControllerTagValid" -}} -{{- if not (semverCompare ">=0.27.0-0" .Values.controller.image.tag) -}} -{{- fail "Controller container image tag should be 0.27.0 or higher" -}} -{{- end -}} -{{- end -}} - {{/* Extra modules. */}} diff --git a/charts/ingress-nginx/templates/_params.tpl b/charts/ingress-nginx/templates/_params.tpl index 48569a8b0..763e55570 100644 --- a/charts/ingress-nginx/templates/_params.tpl +++ b/charts/ingress-nginx/templates/_params.tpl @@ -1,7 +1,7 @@ {{- define "ingress-nginx.params" -}} - /nginx-ingress-controller -{{- if .Values.controller.enableAnnotationValidations }} -- --enable-annotation-validation=true +{{- if not .Values.controller.enableAnnotationValidations }} +- --enable-annotation-validation=false {{- end }} {{- if .Values.defaultBackend.enabled }} - --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml index a21848201..54af7abb6 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml @@ -20,14 +20,4 @@ rules: verbs: - get - update -{{- if .Values.podSecurityPolicy.enabled }} - - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] - resources: ['podsecuritypolicies'] - verbs: ['use'] - {{- with .Values.controller.admissionWebhooks.existingPsp }} - resourceNames: [{{ . }}] - {{- else }} - resourceNames: [{{ include "ingress-nginx.admissionWebhooks.fullname" . }}] - {{- end }} -{{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml index 176616467..af3ea12a3 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml @@ -42,7 +42,7 @@ spec: {{- end }} containers: - name: create - {{- with .Values.controller.admissionWebhooks.patch.image }} + {{- with (merge .Values.controller.admissionWebhooks.patch.image .Values.global.image) }} image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} {{- end }} imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml index f7d44a24d..87dd2c251 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml @@ -42,7 +42,7 @@ spec: {{- end }} containers: - name: patch - {{- with .Values.controller.admissionWebhooks.patch.image }} + {{- with (merge .Values.controller.admissionWebhooks.patch.image .Values.global.image) }} image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} {{- end }} imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml deleted file mode 100644 index 8e5dc72ac..000000000 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml +++ /dev/null @@ -1,52 +0,0 @@ -{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} -{{- if and .Values.podSecurityPolicy.enabled .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} - annotations: - "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded - seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*" - labels: - {{- include "ingress-nginx.labels" . | nindent 4 }} - app.kubernetes.io/component: admission-webhook - {{- with .Values.controller.admissionWebhooks.patch.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - privileged: false - hostPID: false - hostIPC: false - hostNetwork: false - volumes: - - configMap - - downwardAPI - - emptyDir - - secret - - projected - fsGroup: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - readOnlyRootFilesystem: true - runAsUser: - rule: MustRunAsNonRoot - runAsGroup: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - supplementalGroups: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - allowPrivilegeEscalation: false - requiredDropCapabilities: - - ALL - seLinux: - rule: RunAsAny -{{- end }} -{{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml index 4cd36a62e..0949cea75 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml @@ -40,6 +40,7 @@ webhooks: service: name: {{ include "ingress-nginx.controller.fullname" . }}-admission namespace: {{ include "ingress-nginx.namespace" . }} + port: {{ .Values.controller.admissionWebhooks.service.servicePort }} path: /networking/v1/ingresses {{- if .Values.controller.admissionWebhooks.timeoutSeconds }} timeoutSeconds: {{ .Values.controller.admissionWebhooks.timeoutSeconds }} diff --git a/charts/ingress-nginx/templates/controller-configmap.yaml b/charts/ingress-nginx/templates/controller-configmap.yaml index 22080d115..b73cdc2d0 100644 --- a/charts/ingress-nginx/templates/controller-configmap.yaml +++ b/charts/ingress-nginx/templates/controller-configmap.yaml @@ -13,7 +13,9 @@ metadata: name: {{ include "ingress-nginx.controller.fullname" . }} namespace: {{ include "ingress-nginx.namespace" . }} data: - allow-snippet-annotations: "{{ .Values.controller.allowSnippetAnnotations }}" +{{- if .Values.controller.allowSnippetAnnotations }} + allow-snippet-annotations: "true" +{{- end }} {{- if .Values.controller.addHeaders }} add-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers {{- end }} diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml index 509d7a4c4..fd1b13284 100644 --- a/charts/ingress-nginx/templates/controller-daemonset.yaml +++ b/charts/ingress-nginx/templates/controller-daemonset.yaml @@ -1,5 +1,4 @@ {{- if eq .Values.controller.kind "DaemonSet" -}} -{{- include "isControllerTagValid" . -}} apiVersion: apps/v1 kind: DaemonSet metadata: @@ -76,7 +75,7 @@ spec: {{- end }} containers: - name: {{ .Values.controller.containerName }} - {{- with .Values.controller.image }} + {{- with (merge .Values.controller.image .Values.global.image) }} image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }} {{- end }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }} @@ -145,9 +144,9 @@ spec: hostPort: {{ $key }} {{- end }} {{- end }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }} volumeMounts: - {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} + {{- if .Values.controller.extraModules }} - name: modules {{- if .Values.controller.image.chroot }} mountPath: /chroot/modules_mount @@ -175,7 +174,7 @@ spec: {{- if .Values.controller.extraContainers }} {{- toYaml .Values.controller.extraContainers | nindent 8 }} {{- end }} - {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} + {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }} initContainers: {{- if .Values.controller.extraInitContainers }} {{- toYaml .Values.controller.extraInitContainers | nindent 8 }} @@ -183,13 +182,7 @@ spec: {{- if .Values.controller.extraModules }} {{- range .Values.controller.extraModules }} {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} - {{- end }} - {{- end }} - {{- if .Values.controller.opentelemetry.enabled }} - {{- with .Values.controller.opentelemetry }} - {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} + {{- include "extraModules" (dict "name" .name "image" (merge .image $.Values.global.image) "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} {{- end }} {{- end }} {{- end }} @@ -210,9 +203,9 @@ spec: {{- end }} serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }} volumes: - {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}} + {{- if .Values.controller.extraModules }} - name: modules emptyDir: {} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml index 77ea0052f..cc41bfbc7 100644 --- a/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/charts/ingress-nginx/templates/controller-deployment.yaml @@ -1,5 +1,4 @@ {{- if eq .Values.controller.kind "Deployment" -}} -{{- include "isControllerTagValid" . -}} apiVersion: apps/v1 kind: Deployment metadata: @@ -23,6 +22,9 @@ spec: replicas: {{ .Values.controller.replicaCount }} {{- end }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + {{- if .Values.controller.progressDeadlineSeconds }} + progressDeadlineSeconds: {{ .Values.controller.progressDeadlineSeconds }} + {{- end }} {{- if .Values.controller.updateStrategy }} strategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }} {{- end }} @@ -79,7 +81,7 @@ spec: {{- end }} containers: - name: {{ .Values.controller.containerName }} - {{- with .Values.controller.image }} + {{- with (merge .Values.controller.image .Values.global.image) }} image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }} {{- end }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }} @@ -148,9 +150,9 @@ spec: hostPort: {{ $key }} {{- end }} {{- end }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }} volumeMounts: - {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} + {{- if .Values.controller.extraModules }} - name: modules {{- if .Values.controller.image.chroot }} mountPath: /chroot/modules_mount @@ -178,7 +180,7 @@ spec: {{- if .Values.controller.extraContainers }} {{- toYaml .Values.controller.extraContainers | nindent 8 }} {{- end }} - {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} + {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }} initContainers: {{- if .Values.controller.extraInitContainers }} {{- toYaml .Values.controller.extraInitContainers | nindent 8 }} @@ -186,13 +188,7 @@ spec: {{- if .Values.controller.extraModules }} {{- range .Values.controller.extraModules }} {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} - {{- end }} - {{- end }} - {{- if .Values.controller.opentelemetry.enabled }} - {{- with .Values.controller.opentelemetry }} - {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} + {{- include "extraModules" (dict "name" .name "image" (merge .image $.Values.global.image) "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} {{- end }} {{- end }} {{- end }} @@ -213,9 +209,9 @@ spec: {{- end }} serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }} volumes: - {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}} + {{- if .Values.controller.extraModules }} - name: modules emptyDir: {} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml index 8e0181f9f..a1f5fbba2 100644 --- a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml +++ b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml @@ -32,5 +32,8 @@ spec: {{- else if .Values.controller.maxUnavailable }} maxUnavailable: {{ .Values.controller.maxUnavailable }} {{- end }} + {{- if .Values.controller.unhealthyPodEvictionPolicy }} + unhealthyPodEvictionPolicy: {{ .Values.controller.unhealthyPodEvictionPolicy }} + {{- end }} {{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-prometheusrules.yaml b/charts/ingress-nginx/templates/controller-prometheusrule.yaml similarity index 84% rename from charts/ingress-nginx/templates/controller-prometheusrules.yaml rename to charts/ingress-nginx/templates/controller-prometheusrule.yaml index 41684c370..4a9357f71 100644 --- a/charts/ingress-nginx/templates/controller-prometheusrules.yaml +++ b/charts/ingress-nginx/templates/controller-prometheusrule.yaml @@ -14,6 +14,9 @@ metadata: {{- if .Values.controller.metrics.prometheusRule.additionalLabels }} {{- toYaml .Values.controller.metrics.prometheusRule.additionalLabels | nindent 4 }} {{- end }} + {{- if .Values.controller.metrics.prometheusRule.annotations }} + annotations: {{ toYaml .Values.controller.metrics.prometheusRule.annotations | nindent 4 }} + {{- end }} spec: {{- if .Values.controller.metrics.prometheusRule.rules }} groups: diff --git a/charts/ingress-nginx/templates/controller-psp.yaml b/charts/ingress-nginx/templates/controller-psp.yaml deleted file mode 100644 index aad1d2736..000000000 --- a/charts/ingress-nginx/templates/controller-psp.yaml +++ /dev/null @@ -1,100 +0,0 @@ -{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} -{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ include "ingress-nginx.fullname" . }} - annotations: - seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*" - labels: - {{- include "ingress-nginx.labels" . | nindent 4 }} - app.kubernetes.io/component: controller - {{- with .Values.controller.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - privileged: false - hostPID: false - hostIPC: false - hostNetwork: {{ .Values.controller.hostNetwork }} -{{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }} - hostPorts: - {{- if .Values.controller.hostNetwork }} - {{- range $key, $value := .Values.controller.containerPort }} - # controller.containerPort.{{ $key }} - - min: {{ $value }} - max: {{ $value }} - {{- end }} - {{- else if .Values.controller.hostPort.enabled }} - {{- range $key, $value := .Values.controller.hostPort.ports }} - # controller.hostPort.ports.{{ $key }} - - min: {{ $value }} - max: {{ $value }} - {{- end }} - {{- end }} - {{- if .Values.controller.metrics.enabled }} - # controller.metrics.port - - min: {{ .Values.controller.metrics.port }} - max: {{ .Values.controller.metrics.port }} - {{- end }} - {{- if .Values.controller.admissionWebhooks.enabled }} - # controller.admissionWebhooks.port - - min: {{ .Values.controller.admissionWebhooks.port }} - max: {{ .Values.controller.admissionWebhooks.port }} - {{- end }} - {{- range $key, $value := .Values.tcp }} - # tcp.{{ $key }} - - min: {{ $key }} - max: {{ $key }} - {{- end }} - {{- range $key, $value := .Values.udp }} - # udp.{{ $key }} - - min: {{ $key }} - max: {{ $key }} - {{- end }} -{{- end }} - volumes: - - configMap - - downwardAPI - - emptyDir - - secret - - projected - fsGroup: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - readOnlyRootFilesystem: false - runAsUser: - rule: MustRunAsNonRoot - runAsGroup: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - supplementalGroups: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }} - requiredDropCapabilities: - - ALL - allowedCapabilities: - - NET_BIND_SERVICE - {{- if .Values.controller.image.chroot }} - {{- if .Values.controller.image.seccompProfile }} - - SYS_ADMIN - {{- end }} - - SYS_CHROOT - {{- end }} - seLinux: - rule: RunAsAny -{{- if .Values.controller.sysctls }} - allowedUnsafeSysctls: - {{- range $sysctl, $value := .Values.controller.sysctls }} - - {{ $sysctl }} - {{- end }} -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/ingress-nginx/templates/controller-role.yaml b/charts/ingress-nginx/templates/controller-role.yaml index a94b39978..127b368c4 100644 --- a/charts/ingress-nginx/templates/controller-role.yaml +++ b/charts/ingress-nginx/templates/controller-role.yaml @@ -91,14 +91,4 @@ rules: - list - watch - get -{{- if .Values.podSecurityPolicy.enabled }} - - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] - resources: ['podsecuritypolicies'] - verbs: ['use'] - {{- with .Values.controller.existingPsp }} - resourceNames: [{{ . }}] - {{- else }} - resourceNames: [{{ include "ingress-nginx.fullname" . }}] - {{- end }} -{{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-service-metrics.yaml b/charts/ingress-nginx/templates/controller-service-metrics.yaml index 7c153295f..4b25a840e 100644 --- a/charts/ingress-nginx/templates/controller-service-metrics.yaml +++ b/charts/ingress-nginx/templates/controller-service-metrics.yaml @@ -1,4 +1,4 @@ -{{- if .Values.controller.metrics.enabled -}} +{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.service.enabled -}} apiVersion: v1 kind: Service metadata: diff --git a/charts/ingress-nginx/templates/controller-service-webhook.yaml b/charts/ingress-nginx/templates/controller-service-webhook.yaml index 6dcf1a10a..67aac0d9a 100644 --- a/charts/ingress-nginx/templates/controller-service-webhook.yaml +++ b/charts/ingress-nginx/templates/controller-service-webhook.yaml @@ -29,7 +29,7 @@ spec: {{- end }} ports: - name: https-webhook - port: 443 + port: {{ .Values.controller.admissionWebhooks.service.servicePort }} targetPort: webhook {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} appProtocol: https diff --git a/charts/ingress-nginx/templates/default-backend-deployment.yaml b/charts/ingress-nginx/templates/default-backend-deployment.yaml index c6ccdd5c9..f7d9de121 100644 --- a/charts/ingress-nginx/templates/default-backend-deployment.yaml +++ b/charts/ingress-nginx/templates/default-backend-deployment.yaml @@ -50,7 +50,7 @@ spec: {{- end }} containers: - name: {{ template "ingress-nginx.name" . }}-default-backend - {{- with .Values.defaultBackend.image }} + {{- with (merge .Values.defaultBackend.image .Values.global.image) }} image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} {{- end }} imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }} @@ -102,7 +102,7 @@ spec: {{- if .Values.defaultBackend.nodeSelector }} nodeSelector: {{ toYaml .Values.defaultBackend.nodeSelector | nindent 8 }} {{- end }} - serviceAccountName: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} + serviceAccountName: {{ include "ingress-nginx.defaultBackend.serviceAccountName" . }} {{- if .Values.defaultBackend.tolerations }} tolerations: {{ toYaml .Values.defaultBackend.tolerations | nindent 8 }} {{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml index f869e4530..e399ea8a4 100644 --- a/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml +++ b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml @@ -1,5 +1,9 @@ {{- if .Values.defaultBackend.enabled -}} -{{- if or (gt (.Values.defaultBackend.replicaCount | int) 1) (gt (.Values.defaultBackend.autoscaling.minReplicas | int) 1) }} +{{- $replicas := .Values.defaultBackend.replicaCount }} +{{- if .Values.defaultBackend.autoscaling.enabled }} +{{- $replicas = .Values.defaultBackend.autoscaling.minReplicas }} +{{- end }} +{{- if gt ($replicas | int) 1 }} apiVersion: {{ ternary "policy/v1" "policy/v1beta1" (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} kind: PodDisruptionBudget metadata: @@ -16,6 +20,13 @@ spec: matchLabels: {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} app.kubernetes.io/component: default-backend + {{- if and .Values.defaultBackend.minAvailable (not (hasKey .Values.defaultBackend "maxUnavailable")) }} minAvailable: {{ .Values.defaultBackend.minAvailable }} + {{- else if .Values.defaultBackend.maxUnavailable }} + maxUnavailable: {{ .Values.defaultBackend.maxUnavailable }} + {{- end }} + {{- if .Values.defaultBackend.unhealthyPodEvictionPolicy }} + unhealthyPodEvictionPolicy: {{ .Values.defaultBackend.unhealthyPodEvictionPolicy }} + {{- end }} {{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-psp.yaml b/charts/ingress-nginx/templates/default-backend-psp.yaml deleted file mode 100644 index 424109109..000000000 --- a/charts/ingress-nginx/templates/default-backend-psp.yaml +++ /dev/null @@ -1,50 +0,0 @@ -{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} -{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingPsp) -}} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ include "ingress-nginx.fullname" . }}-backend - annotations: - seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*" - labels: - {{- include "ingress-nginx.labels" . | nindent 4 }} - app.kubernetes.io/component: default-backend - {{- with .Values.defaultBackend.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - privileged: false - hostPID: false - hostIPC: false - hostNetwork: false - volumes: - - configMap - - downwardAPI - - emptyDir - - secret - - projected - fsGroup: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - readOnlyRootFilesystem: true - runAsUser: - rule: MustRunAsNonRoot - runAsGroup: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - supplementalGroups: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - allowPrivilegeEscalation: false - requiredDropCapabilities: - - ALL - seLinux: - rule: RunAsAny -{{- end }} -{{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-role.yaml b/charts/ingress-nginx/templates/default-backend-role.yaml deleted file mode 100644 index dd7868aa0..000000000 --- a/charts/ingress-nginx/templates/default-backend-role.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - {{- include "ingress-nginx.labels" . | nindent 4 }} - app.kubernetes.io/component: default-backend - {{- with .Values.defaultBackend.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - name: {{ include "ingress-nginx.fullname" . }}-backend - namespace: {{ include "ingress-nginx.namespace" . }} -rules: - - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] - resources: ['podsecuritypolicies'] - verbs: ['use'] - {{- with .Values.defaultBackend.existingPsp }} - resourceNames: [{{ . }}] - {{- else }} - resourceNames: [{{ include "ingress-nginx.fullname" . }}-backend] - {{- end }} -{{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-rolebinding.yaml b/charts/ingress-nginx/templates/default-backend-rolebinding.yaml deleted file mode 100644 index 3203b6f57..000000000 --- a/charts/ingress-nginx/templates/default-backend-rolebinding.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - {{- include "ingress-nginx.labels" . | nindent 4 }} - app.kubernetes.io/component: default-backend - {{- with .Values.defaultBackend.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - name: {{ include "ingress-nginx.fullname" . }}-backend - namespace: {{ include "ingress-nginx.namespace" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "ingress-nginx.fullname" . }}-backend -subjects: - - kind: ServiceAccount - name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} - namespace: {{ include "ingress-nginx.namespace" . }} -{{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml b/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml index 2afaf0c04..6fd2d6234 100644 --- a/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml +++ b/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.serviceAccount.create -}} +{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount metadata: @@ -8,7 +8,7 @@ metadata: {{- with .Values.defaultBackend.labels }} {{- toYaml . | nindent 4 }} {{- end }} - name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} + name: {{ include "ingress-nginx.defaultBackend.serviceAccountName" . }} namespace: {{ include "ingress-nginx.namespace" . }} automountServiceAccountToken: {{ .Values.defaultBackend.serviceAccount.automountServiceAccountToken }} {{- end }} diff --git a/charts/ingress-nginx/tests/admission-webhooks/validating-webhook_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/validating-webhook_test.yaml new file mode 100644 index 000000000..b9d6d780b --- /dev/null +++ b/charts/ingress-nginx/tests/admission-webhooks/validating-webhook_test.yaml @@ -0,0 +1,32 @@ +suite: Admission Webhooks > ValidatingWebhookConfiguration +templates: + - admission-webhooks/validating-webhook.yaml + +tests: + - it: should not create a ValidatingWebhookConfiguration if `controller.admissionWebhooks.enabled` is false + set: + controller.admissionWebhooks.enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a ValidatingWebhookConfiguration if `controller.admissionWebhooks.enabled` is true + set: + controller.admissionWebhooks.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ValidatingWebhookConfiguration + - equal: + path: metadata.name + value: RELEASE-NAME-admission + + - it: should create a ValidatingWebhookConfiguration with a custom port if `controller.admissionWebhooks.service.servicePort` is set + set: + controller.admissionWebhooks.enabled: true + controller.admissionWebhooks.service.servicePort: 9443 + asserts: + - equal: + path: webhooks[0].clientConfig.service.port + value: 9443 diff --git a/charts/ingress-nginx/tests/controller-configmap_test.yaml b/charts/ingress-nginx/tests/controller-configmap_test.yaml index 9cfea9800..168b657d6 100644 --- a/charts/ingress-nginx/tests/controller-configmap_test.yaml +++ b/charts/ingress-nginx/tests/controller-configmap_test.yaml @@ -16,16 +16,16 @@ tests: - it: should create a ConfigMap with templated values if `controller.config` contains templates set: controller.config: - global-rate-limit-memcached-host: "memcached.{{ .Release.Namespace }}.svc.kubernetes.local" - global-rate-limit-memcached-port: 11211 - use-gzip: true + template: "test.{{ .Release.Namespace }}.svc.kubernetes.local" + integer: 12345 + boolean: true asserts: - equal: - path: data.global-rate-limit-memcached-host - value: memcached.NAMESPACE.svc.kubernetes.local + path: data.template + value: test.NAMESPACE.svc.kubernetes.local - equal: - path: data.global-rate-limit-memcached-port - value: "11211" + path: data.integer + value: "12345" - equal: - path: data.use-gzip + path: data.boolean value: "true" diff --git a/charts/ingress-nginx/tests/controller-daemonset_test.yaml b/charts/ingress-nginx/tests/controller-daemonset_test.yaml index 982c9c974..c28c6ee0d 100644 --- a/charts/ingress-nginx/tests/controller-daemonset_test.yaml +++ b/charts/ingress-nginx/tests/controller-daemonset_test.yaml @@ -147,3 +147,46 @@ tests: - equal: path: spec.template.spec.containers[0].securityContext.runAsGroup value: 1000 + + - it: should create a DaemonSet with a custom registry if `global.image.registry` is set + set: + global.image.registry: custom.registry.io + controller.kind: DaemonSet + controller.image.tag: v1.0.0-dev + controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: custom.registry.io/ingress-nginx/controller:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + + - it: should create a DaemonSet with a custom registry if `controller.image.registry` is set + set: + controller.kind: DaemonSet + controller.image.registry: custom.registry.io + controller.image.tag: v1.0.0-dev + controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: custom.registry.io/ingress-nginx/controller:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + + - it: should create a DaemonSet with a custom image if `controller.image.image` is set + set: + controller.kind: DaemonSet + controller.image.image: custom-repo/custom-image + controller.image.tag: v1.0.0-dev + controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: registry.k8s.io/custom-repo/custom-image:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + + - it: should create a DaemonSet with a custom tag if `controller.image.tag` is set + set: + controller.kind: DaemonSet + controller.image.tag: custom-tag + controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: registry.k8s.io/ingress-nginx/controller:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd diff --git a/charts/ingress-nginx/tests/controller-deployment_test.yaml b/charts/ingress-nginx/tests/controller-deployment_test.yaml index a2c5a15ea..2c57636fb 100644 --- a/charts/ingress-nginx/tests/controller-deployment_test.yaml +++ b/charts/ingress-nginx/tests/controller-deployment_test.yaml @@ -168,3 +168,50 @@ tests: - equal: path: spec.template.spec.containers[0].securityContext.runAsGroup value: 1000 + + - it: should create a Deployment with a custom registry if `global.image.registry` is set + set: + global.image.registry: custom.registry.io + controller.image.tag: v1.0.0-dev + controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: custom.registry.io/ingress-nginx/controller:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + + - it: should create a Deployment with a custom registry if `controller.image.registry` is set + set: + controller.image.registry: custom.registry.io + controller.image.tag: v1.0.0-dev + controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: custom.registry.io/ingress-nginx/controller:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + + - it: should create a Deployment with a custom image if `controller.image.image` is set + set: + controller.image.image: custom-repo/custom-image + controller.image.tag: v1.0.0-dev + controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: registry.k8s.io/custom-repo/custom-image:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + + - it: should create a Deployment with a custom tag if `controller.image.tag` is set + set: + controller.image.tag: custom-tag + controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: registry.k8s.io/ingress-nginx/controller:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + + - it: should create a Deployment with `progressDeadlineSeconds` if `controller.progressDeadlineSeconds` is set + set: + controller.progressDeadlineSeconds: 111 + asserts: + - equal: + path: spec.progressDeadlineSeconds + value: 111 diff --git a/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml b/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml index 48b4fafcc..5ac986fc7 100644 --- a/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml +++ b/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml @@ -71,3 +71,32 @@ tests: asserts: - hasDocuments: count: 0 + + - it: should create a PodDisruptionBudget without `minAvailable` and with `maxUnavailable` if `controller.minAvailable` and `controller.maxUnavailable` are set + set: + controller.replicaCount: 2 + controller.minAvailable: 1 + controller.maxUnavailable: 1 + asserts: + - hasDocuments: + count: 1 + - isKind: + of: PodDisruptionBudget + - notExists: + path: spec.minAvailable + - equal: + path: spec.maxUnavailable + value: 1 + + - it: should create a PodDisruptionBudget with `unhealthyPodEvictionPolicy` if `controller.unhealthyPodEvictionPolicy` is set + set: + controller.replicaCount: 2 + controller.unhealthyPodEvictionPolicy: IfHealthyBudget + asserts: + - hasDocuments: + count: 1 + - isKind: + of: PodDisruptionBudget + - equal: + path: spec.unhealthyPodEvictionPolicy + value: IfHealthyBudget diff --git a/charts/ingress-nginx/tests/controller-prometheusrule_test.yaml b/charts/ingress-nginx/tests/controller-prometheusrule_test.yaml new file mode 100644 index 000000000..2d330919d --- /dev/null +++ b/charts/ingress-nginx/tests/controller-prometheusrule_test.yaml @@ -0,0 +1,29 @@ +suite: Controller > PrometheusRule +templates: + - controller-prometheusrule.yaml + +tests: + - it: should create a PrometheusRule if `controller.metrics.prometheusRule.enabled` is true + set: + controller.metrics.enabled: true + controller.metrics.prometheusRule.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: PrometheusRule + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller + + - it: should create a PrometheusRule with annotations if `controller.metrics.prometheusRule.annotations` is set + set: + controller.metrics.enabled: true + controller.metrics.prometheusRule.enabled: true + controller.metrics.prometheusRule.annotations: + my-little-annotation: test-value + asserts: + - equal: + path: metadata.annotations + value: + my-little-annotation: test-value diff --git a/charts/ingress-nginx/tests/controller-service-metrics_test.yaml b/charts/ingress-nginx/tests/controller-service-metrics_test.yaml index afdb94046..ddb412e5b 100644 --- a/charts/ingress-nginx/tests/controller-service-metrics_test.yaml +++ b/charts/ingress-nginx/tests/controller-service-metrics_test.yaml @@ -3,16 +3,34 @@ templates: - controller-service-metrics.yaml tests: - - it: should not create a metrics Service if `controller.metrics.enabled` is false + - it: should not create a metrics Service if `controller.metrics.enabled` is false and `controller.metrics.service.enabled` is false set: controller.metrics.enabled: false + controller.metrics.service.enabled: false asserts: - hasDocuments: count: 0 - - it: should create a metrics Service if `controller.metrics.enabled` is true + - it: should not create a metrics Service if `controller.metrics.enabled` is false and `controller.metrics.service.enabled` is true + set: + controller.metrics.enabled: false + controller.metrics.service.enabled: true + asserts: + - hasDocuments: + count: 0 + + - it: should not create a metrics Service if `controller.metrics.enabled` is true and `controller.metrics.service.enabled` is false set: controller.metrics.enabled: true + controller.metrics.service.enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a metrics Service if `controller.metrics.enabled` is true and `controller.metrics.service.enabled` is true + set: + controller.metrics.enabled: true + controller.metrics.service.enabled: true asserts: - hasDocuments: count: 1 diff --git a/charts/ingress-nginx/tests/controller-service-webhook_test.yaml b/charts/ingress-nginx/tests/controller-service-webhook_test.yaml new file mode 100644 index 000000000..1c759edbe --- /dev/null +++ b/charts/ingress-nginx/tests/controller-service-webhook_test.yaml @@ -0,0 +1,32 @@ +suite: Controller > Service > Webhook +templates: + - controller-service-webhook.yaml + +tests: + - it: should not create a webhook Service if `controller.admissionWebhooks.enabled` is false + set: + controller.admissionWebhooks.enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a webhook Service if `controller.admissionWebhooks.enabled` is true + set: + controller.admissionWebhooks.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Service + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller-admission + + - it: should create a webhook Service with a custom port if `controller.admissionWebhooks.service.servicePort` is set + set: + controller.admissionWebhooks.enabled: true + controller.admissionWebhooks.service.servicePort: 9443 + asserts: + - equal: + path: spec.ports[0].port + value: 9443 diff --git a/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml b/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml new file mode 100644 index 000000000..310097c1a --- /dev/null +++ b/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml @@ -0,0 +1,29 @@ +suite: Controller > ServiceMonitor +templates: + - controller-servicemonitor.yaml + +tests: + - it: should create a ServiceMonitor if `controller.metrics.serviceMonitor.enabled` is true + set: + controller.metrics.enabled: true + controller.metrics.serviceMonitor.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceMonitor + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller + + - it: should create a ServiceMonitor with annotations if `controller.metrics.serviceMonitor.annotations` is set + set: + controller.metrics.enabled: true + controller.metrics.serviceMonitor.enabled: true + controller.metrics.serviceMonitor.annotations: + my-little-annotation: test-value + asserts: + - equal: + path: metadata.annotations + value: + my-little-annotation: test-value diff --git a/charts/ingress-nginx/tests/default-backend-deployment_test.yaml b/charts/ingress-nginx/tests/default-backend-deployment_test.yaml index 4321075e9..c3fa33968 100644 --- a/charts/ingress-nginx/tests/default-backend-deployment_test.yaml +++ b/charts/ingress-nginx/tests/default-backend-deployment_test.yaml @@ -144,3 +144,46 @@ tests: - equal: path: spec.template.spec.containers[0].securityContext.runAsGroup value: 1000 + + - it: should create a Deployment with a custom registry if `global.image.registry` is set + set: + global.image.registry: custom.registry.io + defaultBackend.enabled: true + defaultBackend.image.tag: v1.0.0-dev + defaultBackend.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: custom.registry.io/defaultbackend-amd64:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + + - it: should create a Deployment with a custom registry if `defaultBackend.image.registry` is set + set: + defaultBackend.enabled: true + defaultBackend.image.registry: custom.registry.io + defaultBackend.image.tag: v1.0.0-dev + defaultBackend.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: custom.registry.io/defaultbackend-amd64:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + + - it: should create a Deployment with a custom image if `defaultBackend.image.image` is set + set: + defaultBackend.enabled: true + defaultBackend.image.image: custom-repo/custom-image + defaultBackend.image.tag: v1.0.0-dev + defaultBackend.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: registry.k8s.io/custom-repo/custom-image:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + + - it: should create a Deployment with a custom tag if `defaultBackend.image.tag` is set + set: + defaultBackend.enabled: true + defaultBackend.image.tag: custom-tag + defaultBackend.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: registry.k8s.io/defaultbackend-amd64:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd diff --git a/charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml b/charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml new file mode 100644 index 000000000..bfe98e883 --- /dev/null +++ b/charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml @@ -0,0 +1,79 @@ +suite: Default Backend > PodDisruptionBudget +templates: + - default-backend-poddisruptionbudget.yaml + +tests: + - it: should create a PodDisruptionBudget if `defaultBackend.replicaCount` is greater than 1 + set: + defaultBackend.enabled: true + defaultBackend.replicaCount: 2 + asserts: + - hasDocuments: + count: 1 + - isKind: + of: PodDisruptionBudget + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-defaultbackend + + - it: should not create a PodDisruptionBudget if `defaultBackend.replicaCount` is less than or equal 1 + set: + defaultBackend.enabled: true + defaultBackend.replicaCount: 1 + asserts: + - hasDocuments: + count: 0 + + - it: should create a PodDisruptionBudget if `defaultBackend.autoscaling.enabled` is true and `defaultBackend.autoscaling.minReplicas` is greater than 1 + set: + defaultBackend.enabled: true + defaultBackend.autoscaling.enabled: true + defaultBackend.autoscaling.minReplicas: 2 + asserts: + - hasDocuments: + count: 1 + - isKind: + of: PodDisruptionBudget + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-defaultbackend + + - it: should not create a PodDisruptionBudget if `defaultBackend.autoscaling.enabled` is true and `defaultBackend.autoscaling.minReplicas` is less than or equal 1 + set: + defaultBackend.enabled: true + defaultBackend.autoscaling.enabled: true + defaultBackend.autoscaling.minReplicas: 1 + asserts: + - hasDocuments: + count: 0 + + - it: should create a PodDisruptionBudget without `minAvailable` and with `maxUnavailable` if `defaultBackend.minAvailable` and `defaultBackend.maxUnavailable` are set + set: + defaultBackend.enabled: true + defaultBackend.replicaCount: 2 + defaultBackend.minAvailable: 1 + defaultBackend.maxUnavailable: 1 + asserts: + - hasDocuments: + count: 1 + - isKind: + of: PodDisruptionBudget + - notExists: + path: spec.minAvailable + - equal: + path: spec.maxUnavailable + value: 1 + + - it: should create a PodDisruptionBudget with `unhealthyPodEvictionPolicy` if `defaultBackend.unhealthyPodEvictionPolicy` is set + set: + defaultBackend.enabled: true + defaultBackend.replicaCount: 2 + defaultBackend.unhealthyPodEvictionPolicy: IfHealthyBudget + asserts: + - hasDocuments: + count: 1 + - isKind: + of: PodDisruptionBudget + - equal: + path: spec.unhealthyPodEvictionPolicy + value: IfHealthyBudget diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 9d309627d..2c76c8e85 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -2,6 +2,11 @@ ## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/index.md ## +global: + image: + # -- Registry host to pull images from. + registry: registry.k8s.io + ## Overrides for generated resource names # See templates/_helpers.tpl # nameOverride: @@ -17,18 +22,18 @@ commonLabels: {} controller: name: controller - enableAnnotationValidations: false + enableAnnotationValidations: true image: ## Keep false as default for now! chroot: false - registry: registry.k8s.io + # registry: registry.k8s.io image: ingress-nginx/controller ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: "v1.11.1" - digest: sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a - digestChroot: sha256:7cabe4bd7558bfdf5b707976d7be56fd15ffece735d7c90fc238b6eda290fd8d + tag: "v1.11.2" + digest: sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce + digestChroot: sha256:21b55a2f0213a18b91612a8c0850167e00a8e34391fd595139a708f9c047e7a8 pullPolicy: IfNotPresent runAsNonRoot: true # -- This value must not be changed using the official image. @@ -41,8 +46,6 @@ controller: seccompProfile: type: RuntimeDefault readOnlyRootFilesystem: false - # -- Use an existing PSP instead of creating one - existingPsp: "" # -- Configures the controller container name containerName: controller # -- Configures the ports that the nginx-controller listens on @@ -198,7 +201,7 @@ controller: # -- Annotations to be added to the udp config configmap annotations: {} # -- Maxmind license key to download GeoLite2 Databases. - ## https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases + ## https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/ maxmindLicenseKey: "" # -- Additional command line arguments to pass to Ingress-Nginx Controller # E.g. to specify the default SSL certificate you can use @@ -238,6 +241,10 @@ controller: # maxUnavailable: 1 # type: RollingUpdate + # -- Specifies the number of seconds you want to wait for the controller deployment to progress before the system reports back that it has failed. + # Ref.: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds + progressDeadlineSeconds: 0 + # -- `minReadySeconds` to avoid killing pods before we are ready ## minReadySeconds: 0 @@ -376,6 +383,9 @@ controller: minAvailable: 1 # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes ## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903 @@ -677,11 +687,11 @@ controller: # image: busybox # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] - # -- Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module + # -- Modules, which are mounted into the core nginx image. extraModules: [] # - name: mytestmodule # image: - # registry: registry.k8s.io + # # registry: registry.k8s.io # image: ingress-nginx/mytestmodule # ## for backwards compatibility consider setting the full image url via the repository value below # ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail @@ -706,31 +716,6 @@ controller: # will be executed as initContainers, to move its config files within the # mounted volume. - opentelemetry: - enabled: false - name: opentelemetry - image: - registry: registry.k8s.io - image: ingress-nginx/opentelemetry - ## for backwards compatibility consider setting the full image url via the repository value below - ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail - ## repository: - tag: "v20230721-3e2062ee5" - digest: sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472 - distroless: true - containerSecurityContext: - runAsNonRoot: true - # -- The image's default user, inherited from its base image `cgr.dev/chainguard/static`. - runAsUser: 65532 - runAsGroup: 65532 - allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - resources: {} admissionWebhooks: name: admission annotations: {} @@ -758,8 +743,6 @@ controller: objectSelector: {} # -- Labels to be added to admission webhooks labels: {} - # -- Use an existing PSP instead of creating one - existingPsp: "" service: annotations: {} # clusterIP: "" @@ -807,13 +790,13 @@ controller: patch: enabled: true image: - registry: registry.k8s.io + # registry: registry.k8s.io image: ingress-nginx/kube-webhook-certgen ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: v1.4.1 - digest: sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + tag: v1.4.4 + digest: sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f pullPolicy: IfNotPresent # -- Provide a priority class name to the webhook patching job ## @@ -861,6 +844,8 @@ controller: # if this port is changed, change healthz-port: in extraArgs: accordingly enabled: false service: + # -- Enable the metrics service or not. + enabled: true annotations: {} # prometheus.io/scrape: "true" # prometheus.io/port: "10254" @@ -881,6 +866,7 @@ controller: serviceMonitor: enabled: false additionalLabels: {} + # -- Annotations to be added to the ServiceMonitor. annotations: {} ## The label to use to retrieve the job name from. ## jobLabel: "app.kubernetes.io/name" @@ -898,6 +884,8 @@ controller: prometheusRule: enabled: false additionalLabels: {} + # -- Annotations to be added to the PrometheusRule. + annotations: {} # namespace: "" rules: [] # # These are just examples rules, please adapt them to your needs @@ -961,7 +949,7 @@ defaultBackend: enabled: false name: defaultbackend image: - registry: registry.k8s.io + # registry: registry.k8s.io image: defaultbackend-amd64 ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail @@ -976,8 +964,6 @@ defaultBackend: seccompProfile: type: RuntimeDefault readOnlyRootFilesystem: true - # -- Use an existing PSP instead of creating one - existingPsp: "" extraArgs: {} serviceAccount: create: true @@ -1099,7 +1085,15 @@ defaultBackend: ## podAnnotations: {} replicaCount: 1 + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" + resources: {} # limits: # cpu: 10m @@ -1163,10 +1157,6 @@ defaultBackend: rbac: create: true scope: false -## If true, create & use Pod Security Policy resources -## https://kubernetes.io/docs/concepts/policy/pod-security-policy/ -podSecurityPolicy: - enabled: false serviceAccount: create: true name: "" diff --git a/cloudbuild.yaml b/cloudbuild.yaml index d3f1eed62..0948b1f05 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -1,25 +1,14 @@ -# See https://cloud.google.com/cloud-build/docs/build-config - -timeout: 18000s options: + # Ignore Prow provided substitutions. substitution_option: ALLOW_LOOSE steps: - - name: 'gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90' - entrypoint: bash + - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20240718-5ef92b5c36 env: - - DOCKER_CLI_EXPERIMENTAL=enabled - REGISTRY=gcr.io/k8s-staging-ingress-nginx - REPO_INFO=https://github.com/kubernetes/ingress-nginx - - COMMIT_SHA=$_PULL_BASE_SHA - - BUILD_ID=$BUILD_ID - - HOME=/root - - USER=root + - COMMIT_SHA=${_PULL_BASE_SHA} + - BUILD_ID=${BUILD_ID} + entrypoint: bash args: - - -c - - | - gcloud auth configure-docker \ - && make release -substitutions: - _GIT_TAG: "12345" - _PULL_BASE_REF: "main" - _PULL_BASE_SHA: '12345' + - -c + - gcloud auth configure-docker && make release diff --git a/cmd/annotations/annotations.tmpl b/cmd/annotations/annotations.tmpl new file mode 100644 index 000000000..91dd21de8 --- /dev/null +++ b/cmd/annotations/annotations.tmpl @@ -0,0 +1,7 @@ +# Annotations Scope and Risk + +|Group |Annotation | Risk | Scope | +|--------|------------------|------|-------| +{{- range $doc := . }} +| {{ $doc.Group }} | {{ $doc.Annotation }} | {{ $doc.Risk }} | {{ $doc.Scope }} | +{{- end }} diff --git a/cmd/annotations/main.go b/cmd/annotations/main.go new file mode 100644 index 000000000..78f26099c --- /dev/null +++ b/cmd/annotations/main.go @@ -0,0 +1,91 @@ +/* +Copyright 2024 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package main + +import ( + "bytes" + "embed" + "flag" + "fmt" + "os" + "slices" + "strings" + "text/template" + + anns "k8s.io/ingress-nginx/internal/ingress/annotations" +) + +type Documentation struct { + Group string + Annotation string + Risk string + Scope string +} + +var output string + +//go:embed annotations.tmpl +var content embed.FS + +func main() { + flag.StringVar(&output, "output", "", "where to write documentation") + flag.Parse() + if output == "" { + panic(fmt.Errorf("output field is required")) + } + docEntries := make([]Documentation, 0) + annotationFactory := anns.NewAnnotationFactory(nil) + for group, val := range annotationFactory { + annotations := val.GetDocumentation() + intermediateDocs := make([]Documentation, len(annotations)) + i := 0 + for annotation, values := range annotations { + doc := Documentation{ + Group: group, + Annotation: annotation, + Scope: string(values.Scope), + Risk: values.Risk.ToString(), + } + intermediateDocs[i] = doc + i++ + } + slices.SortStableFunc(intermediateDocs, func(a, b Documentation) int { + return strings.Compare(a.Annotation, b.Annotation) + }) + docEntries = append(docEntries, intermediateDocs...) + } + slices.SortStableFunc(docEntries, func(a, b Documentation) int { + return strings.Compare(a.Group, b.Group) + }) + + tmpl, err := template.New("annotations.tmpl").ParseFS(content, "annotations.tmpl") + if err != nil { + panic(fmt.Errorf("error parsing template: %s", err)) + } + + tplBuffer := new(bytes.Buffer) + err = tmpl.Execute(tplBuffer, docEntries) + if err != nil { + panic(err) + } + tplBuffer.WriteString("\n") + + //nolint:gosec // no need to check file permission here + if err := os.WriteFile(output, tplBuffer.Bytes(), 0o755); err != nil { + panic(err) + } +} diff --git a/cmd/dataplane/main.go b/cmd/dataplane/main.go index 65f898df6..e7e4dc38f 100644 --- a/cmd/dataplane/main.go +++ b/cmd/dataplane/main.go @@ -66,7 +66,7 @@ func main() { mc := metric.NewDummyCollector() if conf.EnableMetrics { // TODO: Ingress class is not a part of dataplane anymore - mc, err = metric.NewCollector(conf.MetricsPerHost, conf.ReportStatusClasses, reg, conf.IngressClassConfiguration.Controller, *conf.MetricsBuckets, conf.ExcludeSocketMetrics) + mc, err = metric.NewCollector(conf.MetricsPerHost, conf.MetricsPerUndefinedHost, conf.ReportStatusClasses, reg, conf.IngressClassConfiguration.Controller, *conf.MetricsBuckets, conf.MetricsBucketFactor, conf.MetricsMaxBuckets, conf.ExcludeSocketMetrics) if err != nil { klog.Fatalf("Error creating prometheus collector: %v", err) } diff --git a/cmd/nginx/main.go b/cmd/nginx/main.go index 5ab54aa93..781f3a8eb 100644 --- a/cmd/nginx/main.go +++ b/cmd/nginx/main.go @@ -130,7 +130,7 @@ func main() { mc := metric.NewDummyCollector() if conf.EnableMetrics { - mc, err = metric.NewCollector(conf.MetricsPerHost, conf.ReportStatusClasses, reg, conf.IngressClassConfiguration.Controller, *conf.MetricsBuckets, conf.ExcludeSocketMetrics) + mc, err = metric.NewCollector(conf.MetricsPerHost, conf.MetricsPerUndefinedHost, conf.ReportStatusClasses, reg, conf.IngressClassConfiguration.Controller, *conf.MetricsBuckets, conf.MetricsBucketFactor, conf.MetricsMaxBuckets, conf.ExcludeSocketMetrics) if err != nil { klog.Fatalf("Error creating prometheus collector: %v", err) } diff --git a/cmd/plugin/request/request.go b/cmd/plugin/request/request.go index 55df85d5e..57b02827e 100644 --- a/cmd/plugin/request/request.go +++ b/cmd/plugin/request/request.go @@ -131,7 +131,7 @@ func GetIngressDefinitions(flags *genericclioptions.ConfigFlags, namespace strin return pods.Items, nil } -// GetNumEndpoints counts the number of endpointslices adresses for the service with the given name +// GetNumEndpoints counts the number of endpointslices addresses for the service with the given name func GetNumEndpoints(flags *genericclioptions.ConfigFlags, namespace, serviceName string) (*int, error) { epss, err := GetEndpointSlicesByName(flags, namespace, serviceName) if err != nil { diff --git a/deploy/grafana/dashboards/request-handling-performance.json b/deploy/grafana/dashboards/request-handling-performance.json index 61db983a6..cde796384 100644 --- a/deploy/grafana/dashboards/request-handling-performance.json +++ b/deploy/grafana/dashboards/request-handling-performance.json @@ -893,104 +893,6 @@ ], "title": "Average Response Size by Method and Path", "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 10, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "never", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "links": [], - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green" - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "s" - }, - "overrides": [] - }, - "gridPos": { - "h": 8, - "w": 12, - "x": 0, - "y": 32 - }, - "id": 96, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "pluginVersion": "10.4.3", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "expr": "sum (\n rate(\n nginx_ingress_controller_ingress_upstream_latency_seconds_sum {\n ingress =~ \"$ingress\",\n }[5m]\n)) / sum (\n rate(\n nginx_ingress_controller_ingress_upstream_latency_seconds_count {\n ingress =~ \"$ingress\",\n }[5m]\n )\n)\n", - "hide": false, - "instant": false, - "interval": "", - "intervalFactor": 1, - "legendFormat": "average", - "refId": "B" - } - ], - "title": "Upstream Service Latency", - "type": "timeseries" } ], "refresh": "30s", diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml index f74fa7fab..fb4a91472 100644 --- a/deploy/static/provider/aws/deploy.yaml +++ b/deploy/static/provider/aws/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -329,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -345,7 +345,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -401,7 +401,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -423,7 +423,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 spec: containers: - args: @@ -448,7 +448,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.11.1@sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a + image: registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -524,7 +524,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -535,7 +535,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-create spec: containers: @@ -549,7 +549,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3 imagePullPolicy: IfNotPresent name: create securityContext: @@ -575,7 +575,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -586,7 +586,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-patch spec: containers: @@ -602,7 +602,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3 imagePullPolicy: IfNotPresent name: patch securityContext: @@ -628,7 +628,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: nginx spec: controller: k8s.io/ingress-nginx @@ -641,7 +641,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml index 683e96446..4fff060c1 100644 --- a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml +++ b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -336,7 +336,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -354,7 +354,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -387,7 +387,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -410,7 +410,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -432,7 +432,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 spec: containers: - args: @@ -457,7 +457,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.11.1@sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a + image: registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -536,7 +536,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -547,7 +547,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-create spec: containers: @@ -561,7 +561,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3 imagePullPolicy: IfNotPresent name: create securityContext: @@ -587,7 +587,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -598,7 +598,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-patch spec: containers: @@ -614,7 +614,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3 imagePullPolicy: IfNotPresent name: patch securityContext: @@ -640,7 +640,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: nginx spec: controller: k8s.io/ingress-nginx @@ -653,7 +653,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml index 481ede02e..8cad92d4c 100644 --- a/deploy/static/provider/baremetal/deploy.yaml +++ b/deploy/static/provider/baremetal/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -329,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -341,7 +341,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -373,7 +373,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -396,7 +396,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -418,7 +418,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 spec: containers: - args: @@ -442,7 +442,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.11.1@sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a + image: registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -518,7 +518,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -529,7 +529,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-create spec: containers: @@ -543,7 +543,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3 imagePullPolicy: IfNotPresent name: create securityContext: @@ -569,7 +569,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -580,7 +580,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-patch spec: containers: @@ -596,7 +596,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3 imagePullPolicy: IfNotPresent name: patch securityContext: @@ -622,7 +622,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: nginx spec: controller: k8s.io/ingress-nginx @@ -635,7 +635,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml index 13e1163c1..f9ad071c6 100644 --- a/deploy/static/provider/cloud/deploy.yaml +++ b/deploy/static/provider/cloud/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -329,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -341,7 +341,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -374,7 +374,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -397,7 +397,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -419,7 +419,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 spec: containers: - args: @@ -444,7 +444,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.11.1@sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a + image: registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -520,7 +520,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -531,7 +531,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-create spec: containers: @@ -545,7 +545,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3 imagePullPolicy: IfNotPresent name: create securityContext: @@ -571,7 +571,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -582,7 +582,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-patch spec: containers: @@ -598,7 +598,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3 imagePullPolicy: IfNotPresent name: patch securityContext: @@ -624,7 +624,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: nginx spec: controller: k8s.io/ingress-nginx @@ -637,7 +637,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml index e0729e116..43affe0f7 100644 --- a/deploy/static/provider/do/deploy.yaml +++ b/deploy/static/provider/do/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -330,7 +330,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -344,7 +344,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -377,7 +377,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -400,7 +400,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -422,7 +422,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 spec: containers: - args: @@ -447,7 +447,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.11.1@sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a + image: registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -523,7 +523,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -534,7 +534,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-create spec: containers: @@ -548,7 +548,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3 imagePullPolicy: IfNotPresent name: create securityContext: @@ -574,7 +574,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -585,7 +585,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-patch spec: containers: @@ -601,7 +601,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3 imagePullPolicy: IfNotPresent name: patch securityContext: @@ -627,7 +627,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: nginx spec: controller: k8s.io/ingress-nginx @@ -640,7 +640,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml index 584ebe1d7..5639e287b 100644 --- a/deploy/static/provider/exoscale/deploy.yaml +++ b/deploy/static/provider/exoscale/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -329,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -350,7 +350,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -383,7 +383,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -406,7 +406,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -424,7 +424,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 spec: containers: - args: @@ -449,7 +449,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.11.1@sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a + image: registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -529,7 +529,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -540,7 +540,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-create spec: containers: @@ -554,7 +554,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3 imagePullPolicy: IfNotPresent name: create securityContext: @@ -580,7 +580,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -591,7 +591,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-patch spec: containers: @@ -607,7 +607,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3 imagePullPolicy: IfNotPresent name: patch securityContext: @@ -633,7 +633,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: nginx spec: controller: k8s.io/ingress-nginx @@ -646,7 +646,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml index a11e4b253..8da72399b 100644 --- a/deploy/static/provider/kind/deploy.yaml +++ b/deploy/static/provider/kind/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -329,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -341,7 +341,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -373,7 +373,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -396,7 +396,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -418,7 +418,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 spec: containers: - args: @@ -444,7 +444,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.11.1@sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a + image: registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -530,7 +530,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -541,7 +541,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-create spec: containers: @@ -555,7 +555,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3 imagePullPolicy: IfNotPresent name: create securityContext: @@ -581,7 +581,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -592,7 +592,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-patch spec: containers: @@ -608,7 +608,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3 imagePullPolicy: IfNotPresent name: patch securityContext: @@ -634,7 +634,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: nginx spec: controller: k8s.io/ingress-nginx @@ -647,7 +647,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/oracle/deploy.yaml b/deploy/static/provider/oracle/deploy.yaml index 86be29206..a85e0166f 100644 --- a/deploy/static/provider/oracle/deploy.yaml +++ b/deploy/static/provider/oracle/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -329,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -345,7 +345,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -401,7 +401,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -423,7 +423,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 spec: containers: - args: @@ -448,7 +448,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.11.1@sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a + image: registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -524,7 +524,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -535,7 +535,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-create spec: containers: @@ -549,7 +549,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3 imagePullPolicy: IfNotPresent name: create securityContext: @@ -575,7 +575,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -586,7 +586,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-patch spec: containers: @@ -602,7 +602,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3 imagePullPolicy: IfNotPresent name: patch securityContext: @@ -628,7 +628,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: nginx spec: controller: k8s.io/ingress-nginx @@ -641,7 +641,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml index f37ff01d2..92c8ce880 100644 --- a/deploy/static/provider/scw/deploy.yaml +++ b/deploy/static/provider/scw/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -330,7 +330,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -344,7 +344,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -377,7 +377,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -400,7 +400,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -422,7 +422,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 spec: containers: - args: @@ -447,7 +447,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.11.1@sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a + image: registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -523,7 +523,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -534,7 +534,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-create spec: containers: @@ -548,7 +548,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3 imagePullPolicy: IfNotPresent name: create securityContext: @@ -574,7 +574,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -585,7 +585,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-patch spec: containers: @@ -601,7 +601,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.1@sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3 imagePullPolicy: IfNotPresent name: patch securityContext: @@ -627,7 +627,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: nginx spec: controller: k8s.io/ingress-nginx @@ -640,7 +640,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.11.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/docs/deploy/hardening-guide.md b/docs/deploy/hardening-guide.md index cfbdb1466..2726b1a07 100644 --- a/docs/deploy/hardening-guide.md +++ b/docs/deploy/hardening-guide.md @@ -1,6 +1,8 @@ # Hardening Guide +Do not use in multi-tenant Kubernetes production installations. This project assumes that users that can create Ingress objects are administrators of the cluster. + ## Overview There are several ways to do hardening and securing of nginx. In this documentation two guides are used, the guides are overlapping in some points: diff --git a/docs/deploy/index.md b/docs/deploy/index.md index 9711f2b62..2ce632573 100644 --- a/docs/deploy/index.md +++ b/docs/deploy/index.md @@ -34,11 +34,11 @@ ingress controller for your particular environment or cloud provider. - ... [Bare-metal](#bare-metal-clusters) - [Miscellaneous](#miscellaneous) - ## Quick start @@ -67,14 +67,19 @@ helm show values ingress-nginx --repo https://kubernetes.github.io/ingress-nginx !!! attention "Helm install on AWS/GCP/Azure/Other providers" The *ingress-nginx-controller helm-chart is a generic install out of the box*. The default set of helm values is **not** configured for installation on any infra provider. The annotations that are applicable to the cloud provider must be customized by the users.
- See [AWS LB Constroller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/service/annotations/).
- Examples of some annotations needed for the service resource of `--type LoadBalancer` on AWS are below: + See [AWS LB Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/service/annotations/).
+ Examples of some annotations recommended (healthecheck ones are required for target-type IP) for the service resource of `--type LoadBalancer` on AWS are below: ```yaml annotations: + service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: deregistration_delay.timeout_seconds=270 + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip + service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /healthz + service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "10254" + service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: http + service.beta.kubernetes.io/aws-load-balancer-healthcheck-success-codes: 200-299 service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" - service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" service.beta.kubernetes.io/aws-load-balancer-type: nlb service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: "true" service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: "true" @@ -87,7 +92,7 @@ helm show values ingress-nginx --repo https://kubernetes.github.io/ingress-nginx **If you don't have Helm** or if you prefer to use a YAML manifest, you can run the following command instead: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.2/deploy/static/provider/cloud/deploy.yaml ``` !!! info @@ -266,11 +271,10 @@ In AWS, we use a Network load balancer (NLB) to expose the Ingress-Nginx Control [Network load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html) with [AWS Load Balancer Controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller). - ##### Network Load Balancer (NLB) ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.1/deploy/static/provider/aws/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.2/deploy/static/provider/aws/deploy.yaml ``` ##### TLS termination in AWS Load Balancer (NLB) @@ -278,10 +282,10 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS using an NLB. -1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template +1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.2/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template ```console - wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml + wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.2/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml ``` 2. Edit the file and change the VPC CIDR in use for the Kubernetes cluster: @@ -329,7 +333,7 @@ kubectl create clusterrolebinding cluster-admin-binding \ Then, the ingress controller can be installed like this: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.2/deploy/static/provider/cloud/deploy.yaml ``` !!! warning @@ -338,7 +342,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont `10254/tcp` to also allow access to port `8443/tcp`. More information can be found in the [Official GCP Documentation](https://cloud.google.com/load-balancing/docs/tcp/setting-up-tcp#config-hc-firewall). - See the [GKE documentation](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#add_firewall_rules) + See the [GKE documentation](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#add_firewall_rules) on adding rules and the [Kubernetes issue](https://github.com/kubernetes/kubernetes/issues/79739) for more detail. Proxy-protocol is supported in GCE check the [Official Documentations on how to enable.](https://cloud.google.com/load-balancing/docs/tcp/setting-up-tcp#proxy-protocol) @@ -346,7 +350,7 @@ Proxy-protocol is supported in GCE check the [Official Documentations on how to #### Azure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.2/deploy/static/provider/cloud/deploy.yaml ``` More information with regard to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller). @@ -354,7 +358,7 @@ More information with regard to Azure annotations for ingress controller can be #### Digital Ocean ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.1/deploy/static/provider/do/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.2/deploy/static/provider/do/deploy.yaml ``` - By default the service object of the ingress-nginx-controller for Digital-Ocean, only configures one annotation. Its this one `service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"`. While this makes the service functional, it was reported that the Digital-Ocean LoadBalancer graphs shows `no data`, unless a few other annotations are also configured. Some of these other annotations require values that can not be generic and hence not forced in a out-of-the-box installation. These annotations and a discussion on them is well documented in [this issue](https://github.com/kubernetes/ingress-nginx/issues/8965). Please refer to the issue to add annotations, with values specific to user, to get graphs of the DO-LB populated with data. @@ -362,10 +366,10 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont #### Scaleway ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.1/deploy/static/provider/scw/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.2/deploy/static/provider/scw/deploy.yaml ``` -Refer to the [dedicated tutorial](https://www.scaleway.com/en/docs/tutorials/proxy-protocol-v2-load-balancer/#configuring-proxy-protocol-for-ingress-nginx) in the Scaleway documentation for configuring the proxy protocol for ingress-nginx with the Scaleway load balancer. +Refer to the [dedicated tutorial](https://www.scaleway.com/en/docs/tutorials/proxy-protocol-v2-load-balancer/#configuring-proxy-protocol-for-ingress-nginx) in the Scaleway documentation for configuring the proxy protocol for ingress-nginx with the Scaleway load balancer. #### Exoscale @@ -379,7 +383,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale #### Oracle Cloud Infrastructure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.2/deploy/static/provider/cloud/deploy.yaml ``` A @@ -406,7 +410,7 @@ For quick testing, you can use a This should work on almost every cluster, but it will typically use a port in the range 30000-32767. ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.1/deploy/static/provider/baremetal/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.2/deploy/static/provider/baremetal/deploy.yaml ``` For more information about bare metal deployments (and how to use port 80 instead of a random port in the 30000-32767 range), @@ -428,7 +432,7 @@ kubectl exec $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version By default, the controller watches Ingress objects from all namespaces. If you want to change this behavior, use the flag `--watch-namespace` or check the Helm chart value `controller.scope` to limit the controller to a single -namespace. +namespace. Although the use of this flag is not popular, one important fact to note is that the secret containing the default-ssl-certificate needs to also be present in the watched namespace(s). See also [“How to easily install multiple instances of the Ingress NGINX controller in the same cluster”](https://kubernetes.github.io/ingress-nginx/#how-to-easily-install-multiple-instances-of-the-ingress-nginx-controller-in-the-same-cluster) diff --git a/docs/e2e-tests.md b/docs/e2e-tests.md index ca64b98c1..6dcf4e9f0 100644 --- a/docs/e2e-tests.md +++ b/docs/e2e-tests.md @@ -7,7 +7,6 @@ Do not try to edit it manually. ### [[Admission] admission controller](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L39) -- [reject ingress with global-rate-limit annotations when memcached is not configured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L47) - [should not allow overlaps of host and paths without canary annotations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L74) - [should allow overlaps of host and paths with canary annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L91) - [should block ingress with invalid path](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L112) @@ -173,8 +172,6 @@ Do not try to edit it manually. ### [from-to-www-redirect](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fromtowwwredirect.go#L31) - [should redirect from www HTTP to HTTP](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fromtowwwredirect.go#L38) - [should redirect from www HTTPS to HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fromtowwwredirect.go#L64) -### [annotation-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/globalratelimit.go#L30) -- [generates correct configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/globalratelimit.go#L38) ### [backend-protocol - GRPC](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L45) - [should use grpc_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L48) - [should return OK for service with backend protocol GRPC](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L71) @@ -268,6 +265,9 @@ Do not try to edit it manually. ### [x-forwarded-prefix](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/xforwardedprefix.go#L28) - [should set the X-Forwarded-Prefix to the annotation value](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/xforwardedprefix.go#L35) - [should not add X-Forwarded-Prefix if the annotation value is empty](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/xforwardedprefix.go#L57) +### [[CGroups] cgroups](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/cgroups/cgroups.go#L32) +- [detects cgroups version v1](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/cgroups/cgroups.go#L40) +- [detect cgroups version v2](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/cgroups/cgroups.go#L83) ### [Debug CLI](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/dbg/main.go#L29) - [should list the backend servers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/dbg/main.go#L37) - [should get information for a specific backend server](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/dbg/main.go#L56) @@ -291,7 +291,7 @@ Do not try to edit it manually. ### [[Shutdown] Grace period shutdown](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/gracefulshutdown/grace_period.go#L32) - [/healthz should return status code 500 during shutdown grace period](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/gracefulshutdown/grace_period.go#L35) ### [[Shutdown] ingress controller](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/gracefulshutdown/shutdown.go#L30) -- [should shutdown in less than 60 secons without pending connections](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/gracefulshutdown/shutdown.go#L40) +- [should shutdown in less than 60 seconds without pending connections](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/gracefulshutdown/shutdown.go#L40) ### [[Shutdown] Graceful shutdown with pending request](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/gracefulshutdown/slow_requests.go#L25) - [should let slow requests finish before shutting down](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/gracefulshutdown/slow_requests.go#L33) ### [[Ingress] DeepInspection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/deep_inspection.go#L27) @@ -417,8 +417,6 @@ Do not try to edit it manually. ### [global-options](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_options.go#L28) - [should have worker_rlimit_nofile option](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_options.go#L31) - [should have worker_rlimit_nofile option and be independent on amount of worker processes](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_options.go#L37) -### [settings-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/globalratelimit.go#L30) -- [generates correct NGINX configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/globalratelimit.go#L38) ### [GRPC](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/grpc.go#L39) - [should set the correct GRPC Buffer Size](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/grpc.go#L42) ### [gzip](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/gzip.go#L30) @@ -497,8 +495,6 @@ Do not try to edit it manually. - [should include opentelemetry_trust_incoming_spans on directive when enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L76) - [should not exists opentelemetry_operation_name directive when is empty](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L91) - [should exists opentelemetry_operation_name directive when is configured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L106) -### [plugins](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/plugins.go#L28) -- [should exist a x-hello-world header](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/plugins.go#L35) ### [proxy-connect-timeout](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_connect_timeout.go#L29) - [should set valid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_connect_timeout.go#L37) - [should not set invalid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_connect_timeout.go#L53) diff --git a/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml b/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml index 708a93831..fb07ac9fe 100644 --- a/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml +++ b/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml @@ -5,8 +5,8 @@ defaultBackend: enabled: true image: registry: registry.k8s.io - image: ingress-nginx/nginx-errors - tag: "v20230505@sha256:3600dcd1bbd0d05959bb01af4b272714e94d22d24a64e91838e7183c80e53f7f" + image: ingress-nginx/custom-error-pages + tag: v1.0.2@sha256:b2259cf6bfda813548a64bded551b1854cb600c4f095738b49b4c5cdf8ab9d21 extraVolumes: - name: custom-error-pages configMap: diff --git a/docs/examples/customization/custom-errors/custom-default-backend.yaml b/docs/examples/customization/custom-errors/custom-default-backend.yaml index e606c5b62..805cf90ab 100644 --- a/docs/examples/customization/custom-errors/custom-default-backend.yaml +++ b/docs/examples/customization/custom-errors/custom-default-backend.yaml @@ -36,7 +36,7 @@ spec: spec: containers: - name: nginx-error-server - image: registry.k8s.io/ingress-nginx/nginx-errors:v20230505@sha256:3600dcd1bbd0d05959bb01af4b272714e94d22d24a64e91838e7183c80e53f7f + image: registry.k8s.io/ingress-nginx/custom-error-pages:v1.0.2@sha256:b2259cf6bfda813548a64bded551b1854cb600c4f095738b49b4c5cdf8ab9d21 ports: - containerPort: 8080 # Setting the environment variable DEBUG we can see the headers sent diff --git a/docs/examples/customization/sysctl/patch.json b/docs/examples/customization/sysctl/patch.json index e87c9affa..fb4fc057f 100644 --- a/docs/examples/customization/sysctl/patch.json +++ b/docs/examples/customization/sysctl/patch.json @@ -4,7 +4,7 @@ "spec": { "initContainers": [{ "name": "sysctl", - "image": "alpine:3.18", + "image": "alpine:3.20", "securityContext": { "privileged": true }, diff --git a/docs/examples/index.md b/docs/examples/index.md index 59745e014..4efdae39f 100644 --- a/docs/examples/index.md +++ b/docs/examples/index.md @@ -23,7 +23,7 @@ Customization | [External authentication with response header propagation](custo Customization | [Sysctl tuning](customization/sysctl/README.md) | TODO | TODO Features | [Rewrite](rewrite/README.md) | TODO | TODO Features | [Session stickiness](affinity/cookie/README.md) | route requests consistently to the same endpoint | Advanced -Features | [Canary Deployments](canary/README.md) | weighted canary routing to a seperate deployment | Intermediate +Features | [Canary Deployments](canary/README.md) | weighted canary routing to a separate deployment | Intermediate Scaling | [Static IP](static-ip/README.md) | a single ingress gets a single static IP | Intermediate TLS | [Multi TLS certificate termination](multi-tls/README.md) | TODO | TODO TLS | [TLS termination](tls-termination/README.md) | TODO | TODO diff --git a/docs/examples/openpolicyagent/README.md b/docs/examples/openpolicyagent/README.md index 2d653a90c..8d6337a38 100644 --- a/docs/examples/openpolicyagent/README.md +++ b/docs/examples/openpolicyagent/README.md @@ -1,25 +1,25 @@ # OpenPolicyAgent and pathType enforcing -Ingress API allows users to specify different [pathType](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) -on Ingress object. +Ingress API allows users to specify different [pathType](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) +on Ingress object. While pathType `Exact` and `Prefix` should allow only a small set of characters, pathType `ImplementationSpecific` -allows any characters, as it may contain regexes, variables and other features that may be specific of the Ingress +allows any characters, as it may contain regexes, variables and other features that may be specific of the Ingress Controller being used. -This means that the Ingress Admins (the persona who deployed the Ingress Controller) should trust the users -allowed to use `pathType: ImplementationSpecific`, as this may allow arbitrary configuration, and this +This means that the Ingress Admins (the persona who deployed the Ingress Controller) should trust the users +allowed to use `pathType: ImplementationSpecific`, as this may allow arbitrary configuration, and this configuration may end on the proxy (aka Nginx) configuration. ## Example -The example in this repo uses [Gatekeeper](https://open-policy-agent.github.io/gatekeeper/website/) to block the usage of `pathType: ImplementationSpecific`, +The example in this repo uses [Gatekeeper](https://open-policy-agent.github.io/gatekeeper/website/) to block the usage of `pathType: ImplementationSpecific`, allowing just a specific list of namespaces to use it. It is recommended that the admin modifies this rules to enforce a specific set of characters when the usage of ImplementationSpecific is allowed, or in ways that best suits their needs. -First, the `ConstraintTemplate` from [template.yaml](template.yaml) will define a rule that validates if the Ingress object -is being created on an excempted namespace, and case not, will validate its pathType. +First, the `ConstraintTemplate` from [template.yaml](template.yaml) will define a rule that validates if the Ingress object +is being created on an exempted namespace, and case not, will validate its pathType. -Then, the rule `K8sBlockIngressPathType` contained in [rule.yaml](rule.yaml) will define the parameters: what kind of -object should be verified (Ingress), what are the excempted namespaces, and what kinds of pathType are blocked. +Then, the rule `K8sBlockIngressPathType` contained in [rule.yaml](rule.yaml) will define the parameters: what kind of +object should be verified (Ingress), what are the exempted namespaces, and what kinds of pathType are blocked. diff --git a/docs/examples/openpolicyagent/template.yaml b/docs/examples/openpolicyagent/template.yaml index ed2a6ba1c..4302415a2 100644 --- a/docs/examples/openpolicyagent/template.yaml +++ b/docs/examples/openpolicyagent/template.yaml @@ -17,11 +17,11 @@ spec: properties: blockedTypes: type: array - items: - type: string + items: + type: string namespacesExceptions: type: array - items: + items: type: string targets: - target: admission.k8s.gatekeeper.sh @@ -31,8 +31,8 @@ spec: violation[{"msg": msg}] { input.review.kind.kind == "Ingress" ns := input.review.object.metadata.namespace - excemptNS := [good | excempts = input.parameters.namespacesExceptions[_] ; good = excempts == ns] - not any(excemptNS) + exemptNS := [good | exempts = input.parameters.namespacesExceptions[_] ; good = exempts == ns] + not any(exemptNS) pathType := object.get(input.review.object.spec.rules[_].http.paths[_], "pathType", "") blockedPath := [blocked | blockedTypes = input.parameters.blockedTypes[_] ; blocked = blockedTypes == pathType] any(blockedPath) diff --git a/docs/examples/psp/README.md b/docs/examples/psp/README.md deleted file mode 100644 index f8426baf2..000000000 --- a/docs/examples/psp/README.md +++ /dev/null @@ -1,17 +0,0 @@ -# Pod Security Policy (PSP) - -In most clusters today, by default, all resources (e.g. `Deployments` and `ReplicatSets`) -have permissions to create pods. -Kubernetes however provides a more fine-grained authorization policy called -[Pod Security Policy (PSP)](https://kubernetes.io/docs/concepts/policy/pod-security-policy/). - -PSP allows the cluster owner to define the permission of each object, for example creating a pod. -If you have PSP enabled on the cluster, and you deploy ingress-nginx, -you will need to provide the `Deployment` with the permissions to create pods. - -Before applying any objects, first apply the PSP permissions by running: -```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/psp/psp.yaml -``` - -Note: PSP permissions must be granted before the creation of the `Deployment` and the `ReplicaSet`. diff --git a/docs/examples/psp/psp.yaml b/docs/examples/psp/psp.yaml deleted file mode 100644 index 0f859dece..000000000 --- a/docs/examples/psp/psp.yaml +++ /dev/null @@ -1,75 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: ingress-nginx - ---- - -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: ingress-nginx - namespace: ingress-nginx -spec: - allowedCapabilities: - - NET_BIND_SERVICE - privileged: false - allowPrivilegeEscalation: true - # Allow core volume types. - volumes: - - configMap - - secret - hostIPC: false - hostPID: false - runAsUser: - # Require the container to run without root privileges. - rule: MustRunAsNonRoot - supplementalGroups: - rule: MustRunAs - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 - fsGroup: - rule: MustRunAs - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 - readOnlyRootFilesystem: false - seLinux: - rule: RunAsAny - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: ingress-nginx-psp - namespace: ingress-nginx -rules: -- apiGroups: [policy] - resources: [podsecuritypolicies] - verbs: [use] - resourceNames: [ingress-nginx] - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: ingress-nginx-psp - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx-psp -subjects: -- kind: ServiceAccount - name: default -- kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx -- kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx diff --git a/docs/faq.md b/docs/faq.md index 020474d5c..97d3325ca 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -1,6 +1,16 @@ # FAQ +## Multi-tenant Kubernetes + +Do not use in multi-tenant Kubernetes production installations. This project assumes that users that can create Ingress objects are administrators of the cluster. + +For example, the Ingress NGINX control plane has global and per Ingress configuration options that make it insecure, if enabled, in a multi-tenant environment. + +For example, enabling snippets, a global configuration, allows any Ingress object to run arbitrary Lua code that could affect the security of all Ingress objects that a controller is running. + +We changed the default to allow snippets to `false` in https://github.com/kubernetes/ingress-nginx/pull/10393. + ## Multiple controller in one cluster Question - How can I easily install multiple instances of the ingress-nginx controller in the same cluster? diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index e1fd6956e..ffd8f839f 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md @@ -443,7 +443,7 @@ $ capsh --decode=0000000000000400 ``` ## Create a test pod as root -(Note, this may be restricted by PodSecurityPolicy, PodSecurityAdmission/Standards, OPA Gatekeeper, etc. in which case you will need to do the appropriate workaround for testing, e.g. deploy in a new namespace without the restrictions.) +(Note, this may be restricted by PodSecurityAdmission/Standards, OPA Gatekeeper, etc. in which case you will need to do the appropriate workaround for testing, e.g. deploy in a new namespace without the restrictions.) To test further you may want to install additional utilities, etc. Modify the pod yaml by: * changing runAsUser from 101 to 0 * removing the "drop..ALL" section from the capabilities. diff --git a/docs/user-guide/cli-arguments.md b/docs/user-guide/cli-arguments.md index f8fdc2ddb..1beb821c7 100644 --- a/docs/user-guide/cli-arguments.md +++ b/docs/user-guide/cli-arguments.md @@ -8,6 +8,7 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment |----------|-------------| | `--annotations-prefix` | Prefix of the Ingress annotations specific to the NGINX controller. (default "nginx.ingress.kubernetes.io") | | `--apiserver-host` | Address of the Kubernetes API server. Takes the form "protocol://address:port". If not specified, it is assumed the program runs inside a Kubernetes cluster and local discovery is attempted. | +| `--bucket-factor` | Bucket factor for native histograms. Value must be > 1 for enabling native histograms. (default 0) | | `--certificate-authority` | Path to a cert file for the certificate authority. This certificate is used only when the flag --apiserver-host is specified. | | `--configmap` | Name of the ConfigMap containing custom global configurations for the controller. | | `--controller-class` | Ingress Class Controller value this Ingress satisfies. The class of an Ingress object is set using the field IngressClassName in Kubernetes clusters version v1.19.0 or higher. The .spec.controller value of the IngressClass referenced in an Ingress Object should be the same value specified here to make this object be watched. | @@ -15,7 +16,7 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment | `--default-backend-service` | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form "namespace/name". The controller configures NGINX to forward requests to the first port of this Service. | | `--default-server-port` | Port to use for exposing the default server (catch-all). (default 8181) | | `--default-ssl-certificate` | Secret containing a SSL certificate to be used by the default HTTPS server (catch-all). Takes the form "namespace/name". | -| `--enable-annotation-validation` | If true, will enable the annotation validation feature. This value will be defaulted to true on a future release. | +| `--enable-annotation-validation` | If true, will enable the annotation validation feature. Defaults to true | | `--disable-catch-all` | Disable support for catch-all Ingresses. (default false) | | `--disable-full-test` | Disable full test of all merged ingresses at the admission stage and tests the template of the ingress being created or updated (full test of all ingresses is enabled by default). | | `--disable-svc-external-name` | Disable support for Services of type ExternalName. (default false) | @@ -40,12 +41,14 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment | `--internal-logger-address` | Address to be used when binding internal syslogger. (default 127.0.0.1:11514) | | `--kubeconfig` | Path to a kubeconfig file containing authorization and API server information. | | `--length-buckets` | Set of buckets which will be used for prometheus histogram metrics such as RequestLength, ResponseLength. (default `[10, 20, 30, 40, 50, 60, 70, 80, 90, 100]`) | +| `--max-buckets` | Maximum number of buckets for native histograms. (default 100) | | `--maxmind-edition-ids` | Maxmind edition ids to download GeoLite2 Databases. (default "GeoLite2-City,GeoLite2-ASN") | | `--maxmind-retries-timeout` | Maxmind downloading delay between 1st and 2nd attempt, 0s - do not retry to download if something went wrong. (default 0s) | | `--maxmind-retries-count` | Number of attempts to download the GeoIP DB. (default 1) | -| `--maxmind-license-key` | Maxmind license key to download GeoLite2 Databases. https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases . | +| `--maxmind-license-key` | Maxmind license key to download GeoLite2 Databases. https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/ . | | `--maxmind-mirror` | Maxmind mirror url (example: http://geoip.local/databases. | | `--metrics-per-host` | Export metrics per-host. (default true) | +| `--metrics-per-undefined-host` | Export metrics per-host even if the host is not defined in an ingress. Requires --metrics-per-host to be set to true. (default false) | | `--monitor-max-batch-size` | Max batch size of NGINX metrics. (default 10000)| | `--post-shutdown-grace-period` | Additional delay in seconds before controller container exits. (default 10) | | `--profiler-port` | Port to use for expose the ingress controller Go profiler when it is enabled. (default 10245) | diff --git a/docs/user-guide/monitoring.md b/docs/user-guide/monitoring.md index 28608e850..f08e1bc2f 100644 --- a/docs/user-guide/monitoring.md +++ b/docs/user-guide/monitoring.md @@ -166,7 +166,9 @@ According to the above example, this URL will be http://10.192.0.3:31086 #### Wildcard ingresses - - By default request metrics are labeled with the hostname. When you have a wildcard domain ingress, then there will be no metrics for that ingress (to prevent the metrics from exploding in cardinality). To get metrics in this case you need to run the ingress controller with `--metrics-per-host=false` (you will lose labeling by hostname, but still have labeling by ingress). + - By default request metrics are labeled with the hostname. When you have a wildcard domain ingress, then there will be no metrics for that ingress (to prevent the metrics from exploding in cardinality). To get metrics in this case you have two options: + - Run the ingress controller with `--metrics-per-host=false`. You will lose labeling by hostname, but still have labeling by ingress. + - Run the ingress controller with `--metrics-per-undefined-host=true --metrics-per-host=true`. You will get labeling by hostname even if the hostname is not explicitly defined on an ingress. Be warned that cardinality could explode due to many hostnames. ### Grafana dashboard using ingress resource - If you want to expose the dashboard for grafana using an ingress resource, then you can : @@ -386,10 +388,6 @@ Prometheus metrics are exposed on port 10254. The number of bytes sent to a client. **Deprecated**, use `nginx_ingress_controller_response_size`\ nginx var: `bytes_sent` -* `nginx_ingress_controller_ingress_upstream_latency_seconds` Summary\ - Upstream service latency per Ingress. **Deprecated**, use `nginx_ingress_controller_connect_duration_seconds`\ - nginx var: `upstream_connect_time` - ``` # HELP nginx_ingress_controller_bytes_sent The number of bytes sent to a client. DEPRECATED! Use nginx_ingress_controller_response_size # TYPE nginx_ingress_controller_bytes_sent histogram @@ -397,8 +395,6 @@ Prometheus metrics are exposed on port 10254. # TYPE nginx_ingress_controller_connect_duration_seconds nginx_ingress_controller_connect_duration_seconds * HELP nginx_ingress_controller_header_duration_seconds The time spent on receiving first header from the upstream server # TYPE nginx_ingress_controller_header_duration_seconds histogram -# HELP nginx_ingress_controller_ingress_upstream_latency_seconds Upstream service latency per Ingress DEPRECATED! Use nginx_ingress_controller_connect_duration_seconds -# TYPE nginx_ingress_controller_ingress_upstream_latency_seconds summary # HELP nginx_ingress_controller_request_duration_seconds The request processing time in milliseconds # TYPE nginx_ingress_controller_request_duration_seconds histogram # HELP nginx_ingress_controller_request_size The request length (including request line, header, and request body) diff --git a/docs/user-guide/nginx-configuration/annotations-risk.md b/docs/user-guide/nginx-configuration/annotations-risk.md new file mode 100755 index 000000000..3e3b93986 --- /dev/null +++ b/docs/user-guide/nginx-configuration/annotations-risk.md @@ -0,0 +1,139 @@ +# Annotations Scope and Risk + +|Group |Annotation | Risk | Scope | +|--------|------------------|------|-------| +| Aliases | server-alias | High | ingress | +| Allowlist | allowlist-source-range | Medium | location | +| BackendProtocol | backend-protocol | Low | location | +| BasicDigestAuth | auth-realm | Medium | location | +| BasicDigestAuth | auth-secret | Medium | location | +| BasicDigestAuth | auth-secret-type | Low | location | +| BasicDigestAuth | auth-type | Low | location | +| Canary | canary | Low | ingress | +| Canary | canary-by-cookie | Medium | ingress | +| Canary | canary-by-header | Medium | ingress | +| Canary | canary-by-header-pattern | Medium | ingress | +| Canary | canary-by-header-value | Medium | ingress | +| Canary | canary-weight | Low | ingress | +| Canary | canary-weight-total | Low | ingress | +| CertificateAuth | auth-tls-error-page | High | location | +| CertificateAuth | auth-tls-match-cn | High | location | +| CertificateAuth | auth-tls-pass-certificate-to-upstream | Low | location | +| CertificateAuth | auth-tls-secret | Medium | location | +| CertificateAuth | auth-tls-verify-client | Medium | location | +| CertificateAuth | auth-tls-verify-depth | Low | location | +| ClientBodyBufferSize | client-body-buffer-size | Low | location | +| ConfigurationSnippet | configuration-snippet | Critical | location | +| Connection | connection-proxy-header | Low | location | +| CorsConfig | cors-allow-credentials | Low | ingress | +| CorsConfig | cors-allow-headers | Medium | ingress | +| CorsConfig | cors-allow-methods | Medium | ingress | +| CorsConfig | cors-allow-origin | Medium | ingress | +| CorsConfig | cors-expose-headers | Medium | ingress | +| CorsConfig | cors-max-age | Low | ingress | +| CorsConfig | enable-cors | Low | ingress | +| CustomHTTPErrors | custom-http-errors | Low | location | +| CustomHeaders | custom-headers | Medium | location | +| DefaultBackend | default-backend | Low | location | +| Denylist | denylist-source-range | Medium | location | +| DisableProxyInterceptErrors | disable-proxy-intercept-errors | Low | location | +| EnableGlobalAuth | enable-global-auth | Low | location | +| ExternalAuth | auth-always-set-cookie | Low | location | +| ExternalAuth | auth-cache-duration | Medium | location | +| ExternalAuth | auth-cache-key | Medium | location | +| ExternalAuth | auth-keepalive | Low | location | +| ExternalAuth | auth-keepalive-requests | Low | location | +| ExternalAuth | auth-keepalive-share-vars | Low | location | +| ExternalAuth | auth-keepalive-timeout | Low | location | +| ExternalAuth | auth-method | Low | location | +| ExternalAuth | auth-proxy-set-headers | Medium | location | +| ExternalAuth | auth-request-redirect | Medium | location | +| ExternalAuth | auth-response-headers | Medium | location | +| ExternalAuth | auth-signin | High | location | +| ExternalAuth | auth-signin-redirect-param | Medium | location | +| ExternalAuth | auth-snippet | Critical | location | +| ExternalAuth | auth-url | High | location | +| FastCGI | fastcgi-index | Medium | location | +| FastCGI | fastcgi-params-configmap | Medium | location | +| HTTP2PushPreload | http2-push-preload | Low | location | +| LoadBalancing | load-balance | Low | location | +| Logs | enable-access-log | Low | location | +| Logs | enable-rewrite-log | Low | location | +| Mirror | mirror-host | High | ingress | +| Mirror | mirror-request-body | Low | ingress | +| Mirror | mirror-target | High | ingress | +| ModSecurity | enable-modsecurity | Low | ingress | +| ModSecurity | enable-owasp-core-rules | Low | ingress | +| ModSecurity | modsecurity-snippet | Critical | ingress | +| ModSecurity | modsecurity-transaction-id | High | ingress | +| Opentelemetry | enable-opentelemetry | Low | location | +| Opentelemetry | opentelemetry-operation-name | Medium | location | +| Opentelemetry | opentelemetry-trust-incoming-span | Low | location | +| Proxy | proxy-body-size | Medium | location | +| Proxy | proxy-buffer-size | Low | location | +| Proxy | proxy-buffering | Low | location | +| Proxy | proxy-buffers-number | Low | location | +| Proxy | proxy-connect-timeout | Low | location | +| Proxy | proxy-cookie-domain | Medium | location | +| Proxy | proxy-cookie-path | Medium | location | +| Proxy | proxy-http-version | Low | location | +| Proxy | proxy-max-temp-file-size | Low | location | +| Proxy | proxy-next-upstream | Medium | location | +| Proxy | proxy-next-upstream-timeout | Low | location | +| Proxy | proxy-next-upstream-tries | Low | location | +| Proxy | proxy-read-timeout | Low | location | +| Proxy | proxy-redirect-from | Medium | location | +| Proxy | proxy-redirect-to | Medium | location | +| Proxy | proxy-request-buffering | Low | location | +| Proxy | proxy-send-timeout | Low | location | +| ProxySSL | proxy-ssl-ciphers | Medium | ingress | +| ProxySSL | proxy-ssl-name | High | ingress | +| ProxySSL | proxy-ssl-protocols | Low | ingress | +| ProxySSL | proxy-ssl-secret | Medium | ingress | +| ProxySSL | proxy-ssl-server-name | Low | ingress | +| ProxySSL | proxy-ssl-verify | Low | ingress | +| ProxySSL | proxy-ssl-verify-depth | Low | ingress | +| RateLimit | limit-allowlist | Low | location | +| RateLimit | limit-burst-multiplier | Low | location | +| RateLimit | limit-connections | Low | location | +| RateLimit | limit-rate | Low | location | +| RateLimit | limit-rate-after | Low | location | +| RateLimit | limit-rpm | Low | location | +| RateLimit | limit-rps | Low | location | +| Redirect | from-to-www-redirect | Low | location | +| Redirect | permanent-redirect | Medium | location | +| Redirect | permanent-redirect-code | Low | location | +| Redirect | temporal-redirect | Medium | location | +| Redirect | temporal-redirect-code | Low | location | +| Rewrite | app-root | Medium | location | +| Rewrite | force-ssl-redirect | Medium | location | +| Rewrite | preserve-trailing-slash | Medium | location | +| Rewrite | rewrite-target | Medium | ingress | +| Rewrite | ssl-redirect | Low | location | +| Rewrite | use-regex | Low | location | +| SSLCipher | ssl-ciphers | Low | ingress | +| SSLCipher | ssl-prefer-server-ciphers | Low | ingress | +| SSLPassthrough | ssl-passthrough | Low | ingress | +| Satisfy | satisfy | Low | location | +| ServerSnippet | server-snippet | Critical | ingress | +| ServiceUpstream | service-upstream | Low | ingress | +| SessionAffinity | affinity | Low | ingress | +| SessionAffinity | affinity-canary-behavior | Low | ingress | +| SessionAffinity | affinity-mode | Medium | ingress | +| SessionAffinity | session-cookie-change-on-failure | Low | ingress | +| SessionAffinity | session-cookie-conditional-samesite-none | Low | ingress | +| SessionAffinity | session-cookie-domain | Medium | ingress | +| SessionAffinity | session-cookie-expires | Medium | ingress | +| SessionAffinity | session-cookie-max-age | Medium | ingress | +| SessionAffinity | session-cookie-name | Medium | ingress | +| SessionAffinity | session-cookie-path | Medium | ingress | +| SessionAffinity | session-cookie-samesite | Low | ingress | +| SessionAffinity | session-cookie-secure | Low | ingress | +| StreamSnippet | stream-snippet | Critical | ingress | +| UpstreamHashBy | upstream-hash-by | High | location | +| UpstreamHashBy | upstream-hash-by-subset | Low | location | +| UpstreamHashBy | upstream-hash-by-subset-size | Low | location | +| UpstreamVhost | upstream-vhost | Low | location | +| UsePortInRedirects | use-port-in-redirects | Low | location | +| XForwardedPrefix | x-forwarded-prefix | Medium | location | + diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md index f90e87868..29cd9cf14 100755 --- a/docs/user-guide/nginx-configuration/annotations.md +++ b/docs/user-guide/nginx-configuration/annotations.md @@ -64,13 +64,10 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz |[nginx.ingress.kubernetes.io/http2-push-preload](#http2-push-preload)|"true" or "false"| |[nginx.ingress.kubernetes.io/limit-connections](#rate-limiting)|number| |[nginx.ingress.kubernetes.io/limit-rps](#rate-limiting)|number| -|[nginx.ingress.kubernetes.io/global-rate-limit](#global-rate-limiting)|number| -|[nginx.ingress.kubernetes.io/global-rate-limit-window](#global-rate-limiting)|duration| -|[nginx.ingress.kubernetes.io/global-rate-limit-key](#global-rate-limiting)|string| -|[nginx.ingress.kubernetes.io/global-rate-limit-ignored-cidrs](#global-rate-limiting)|string| |[nginx.ingress.kubernetes.io/permanent-redirect](#permanent-redirect)|string| |[nginx.ingress.kubernetes.io/permanent-redirect-code](#permanent-redirect-code)|number| |[nginx.ingress.kubernetes.io/temporal-redirect](#temporal-redirect)|string| +|[nginx.ingress.kubernetes.io/temporal-redirect-code](#temporal-redirect-code)|number| |[nginx.ingress.kubernetes.io/preserve-trailing-slash](#server-side-https-enforcement-through-redirect)|"true" or "false"| |[nginx.ingress.kubernetes.io/proxy-body-size](#custom-max-body-size)|string| |[nginx.ingress.kubernetes.io/proxy-cookie-domain](#proxy-cookie-domain)|string| @@ -390,13 +387,13 @@ CORS can be controlled with the following annotations: * `nginx.ingress.kubernetes.io/cors-allow-origin`: Controls what's the accepted Origin for CORS. - This is a multi-valued field, separated by ','. It must follow this format: `http(s)://origin-site.com` or `http(s)://origin-site.com:port` + This is a multi-valued field, separated by ','. It must follow this format: `protocol://origin-site.com` or `protocol://origin-site.com:port` - Default: `*` - - Example: `nginx.ingress.kubernetes.io/cors-allow-origin: "https://origin-site.com:4443, http://origin-site.com, https://example.org:1199"` + - Example: `nginx.ingress.kubernetes.io/cors-allow-origin: "https://origin-site.com:4443, http://origin-site.com, myprotocol://example.org:1199"` - It also supports single level wildcard subdomains and follows this format: `http(s)://*.foo.bar`, `http(s)://*.bar.foo:8080` or `http(s)://*.abc.bar.foo:9000` - - Example: `nginx.ingress.kubernetes.io/cors-allow-origin: "https://*.origin-site.com:4443, http://*.origin-site.com, https://example.org:1199"` + It also supports single level wildcard subdomains and follows this format: `protocol://*.foo.bar`, `protocol://*.bar.foo:8080` or `protocol://*.abc.bar.foo:9000` + - Example: `nginx.ingress.kubernetes.io/cors-allow-origin: "https://*.origin-site.com:4443, http://*.origin-site.com, myprotocol://example.org:1199"` * `nginx.ingress.kubernetes.io/cors-allow-credentials`: Controls if credentials can be passed during CORS operations. @@ -559,46 +556,6 @@ To configure settings globally for all Ingress rules, the `limit-rate-after` and The client IP address will be set based on the use of [PROXY protocol](./configmap.md#use-proxy-protocol) or from the `X-Forwarded-For` header value when [use-forwarded-headers](./configmap.md#use-forwarded-headers) is enabled. -### Global Rate Limiting - -**Note:** Be careful when configuring both (Local) Rate Limiting and Global Rate Limiting at the same time. -They are two completely different rate limiting implementations. Whichever limit exceeds first will reject the -requests. It might be a good idea to configure both of them to ease load on Global Rate Limiting backend -in cases of spike in traffic. - -The stock NGINX rate limiting does not share its counters among different NGINX instances. -Given that most ingress-nginx deployments are elastic and number of replicas can change any day -it is impossible to configure a proper rate limit using stock NGINX functionalities. -Global Rate Limiting overcome this by using [lua-resty-global-throttle](https://github.com/ElvinEfendi/lua-resty-global-throttle). `lua-resty-global-throttle` shares its counters via a central store such as `memcached`. -The obvious shortcoming of this is users have to deploy and operate a `memcached` instance -in order to benefit from this functionality. Configure the `memcached` -using [these configmap settings](./configmap.md#global-rate-limit). - -**Here are a few remarks for ingress-nginx integration of `lua-resty-global-throttle`:** - -1. We minimize `memcached` access by caching exceeding limit decisions. The expiry of -cache entry is the desired delay `lua-resty-global-throttle` calculates for us. -The Lua Shared Dictionary used for that is `global_throttle_cache`. Currently its size defaults to 10M. -Customize it as per your needs using [lua-shared-dicts](./configmap.md#lua-shared-dicts). -When we fail to cache the exceeding limit decision then we log an NGINX error. You can monitor -for that error to decide if you need to bump the cache size. Without cache the cost of processing a -request is two memcached commands: `GET`, and `INCR`. With the cache it is only `INCR`. -1. Log NGINX variable `$global_rate_limit_exceeding`'s value to have some visibility into -what portion of requests are rejected (value `y`), whether they are rejected using cached decision (value `c`), -or if they are not rejected (default value `n`). You can use [log-format-upstream](./configmap.md#log-format-upstream) -to include that in access logs. -1. In case of an error it will log the error message and **fail open**. -1. The annotations below creates Global Rate Limiting instance per ingress. -That means if there are multiple paths configured under the same ingress, -the Global Rate Limiting will count requests to all the paths under the same counter. -Extract a path out into its own ingress if you need to isolate a certain path. - - -* `nginx.ingress.kubernetes.io/global-rate-limit`: Configures maximum allowed number of requests per window. Required. -* `nginx.ingress.kubernetes.io/global-rate-limit-window`: Configures a time window (i.e `1m`) that the limit is applied. Required. -* `nginx.ingress.kubernetes.io/global-rate-limit-key`: Configures a key for counting the samples. Defaults to `$remote_addr`. You can also combine multiple NGINX variables here, like `${remote_addr}-${http_x_api_client}` which would mean the limit will be applied to requests coming from the same API client (indicated by `X-API-Client` HTTP request header) with the same source IP address. -* `nginx.ingress.kubernetes.io/global-rate-limit-ignored-cidrs`: comma separated list of IPs and CIDRs to match client IP against. When there's a match request is not considered for rate limiting. - ### Permanent Redirect This annotation allows to return a permanent redirect (Return Code 301) instead of sending data to the upstream. For example `nginx.ingress.kubernetes.io/permanent-redirect: https://www.google.com` would redirect everything to Google. @@ -610,6 +567,10 @@ This annotation allows you to modify the status code used for permanent redirect ### Temporal Redirect This annotation allows you to return a temporal redirect (Return Code 302) instead of sending data to the upstream. For example `nginx.ingress.kubernetes.io/temporal-redirect: https://www.google.com` would redirect everything to Google with a Return Code of 302 (Moved Temporarily) +### Temporal Redirect Code + +This annotation allows you to modify the status code used for temporal redirects. For example `nginx.ingress.kubernetes.io/temporal-redirect-code: '307'` would return your temporal-redirect with a 307. + ### SSL Passthrough The annotation `nginx.ingress.kubernetes.io/ssl-passthrough` instructs the controller to send TLS connections directly @@ -657,7 +618,7 @@ To preserve the trailing slash in the URI with `ssl-redirect`, set `nginx.ingres In some scenarios, it is required to redirect from `www.domain.com` to `domain.com` or vice versa, which way the redirect is performed depends on the configured `host` value in the Ingress object. -For example, if `.spec.rules.host` is configured with a value like `www.example.com`, then this annotation will redirect to `example.com`. If `.spec.rules.host` is configured with a value like `example.com`, so without a `www`, then this annotation will redirect to `www.example.com` instead. +For example, if `.spec.rules.host` is configured with a value like `www.example.com`, then this annotation will redirect from `example.com` to `www.example.com`. If `.spec.rules.host` is configured with a value like `example.com`, so without a `www`, then this annotation will redirect from `www.example.com` to `example.com` instead. To enable this feature use the annotation `nginx.ingress.kubernetes.io/from-to-www-redirect: "true"` diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md index 0b8e03af1..c2e6935d5 100644 --- a/docs/user-guide/nginx-configuration/configmap.md +++ b/docs/user-guide/nginx-configuration/configmap.md @@ -29,9 +29,9 @@ The following table shows a configuration option's name, type, and the default v |:--------------------------------------------------------------------------------|:-------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------------------------------------------| | [add-headers](#add-headers) | string | "" | | | [allow-backend-server-header](#allow-backend-server-header) | bool | "false" | | -| [allow-cross-namespace-resources](#allow-cross-namespace-resources) | bool | "true" | | +| [allow-cross-namespace-resources](#allow-cross-namespace-resources) | bool | "false" | | | [allow-snippet-annotations](#allow-snippet-annotations) | bool | "false" | | -| [annotations-risk-level](#annotations-risk-level) | string | Critical | | +| [annotations-risk-level](#annotations-risk-level) | string | High | | | [annotation-value-word-blocklist](#annotation-value-word-blocklist) | string array | "" | | | [hide-headers](#hide-headers) | string array | empty | | | [access-log-params](#access-log-params) | string | "" | | @@ -82,7 +82,6 @@ The following table shows a configuration option's name, type, and the default v | [server-name-hash-bucket-size](#server-name-hash-bucket-size) | int | `` | | [proxy-headers-hash-max-size](#proxy-headers-hash-max-size) | int | 512 | | | [proxy-headers-hash-bucket-size](#proxy-headers-hash-bucket-size) | int | 64 | | -| [plugins](#plugins) | []string | | | | [reuse-port](#reuse-port) | bool | "true" | | | [server-tokens](#server-tokens) | bool | "false" | | | [ssl-ciphers](#ssl-ciphers) | string | "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" | | @@ -219,16 +218,10 @@ The following table shows a configuration option's name, type, and the default v | [block-referers](#block-referers) | []string | "" | | | [proxy-ssl-location-only](#proxy-ssl-location-only) | bool | "false" | | | [default-type](#default-type) | string | "text/html" | | -| [global-rate-limit-memcached-host](#global-rate-limit) | string | "" | | -| [global-rate-limit-memcached-port](#global-rate-limit) | int | 11211 | | -| [global-rate-limit-memcached-connect-timeout](#global-rate-limit) | int | 50 | | -| [global-rate-limit-memcached-max-idle-timeout](#global-rate-limit) | int | 10000 | | -| [global-rate-limit-memcached-pool-size](#global-rate-limit) | int | 50 | | -| [global-rate-limit-status-code](#global-rate-limit) | int | 429 | | | [service-upstream](#service-upstream) | bool | "false" | | | [ssl-reject-handshake](#ssl-reject-handshake) | bool | "false" | | | [debug-connections](#debug-connections) | []string | "127.0.0.1,1.1.1.1/24" | | -| [strict-validate-path-type](#strict-validate-path-type) | bool | "false" (v1.7.x) | | +| [strict-validate-path-type](#strict-validate-path-type) | bool | "true" | | | [grpc-buffer-size-kb](#grpc-buffer-size-kb) | int | 0 | | ## add-headers @@ -241,18 +234,16 @@ Enables the return of the header Server from the backend instead of the generic ## allow-cross-namespace-resources -Enables users to consume cross namespace resource on annotations, when was previously enabled . _**default:**_ true +Enables users to consume cross namespace resource on annotations, when was previously enabled . _**default:**_ false **Annotations that may be impacted with this change**: + * `auth-secret` * `auth-proxy-set-header` * `auth-tls-secret` * `fastcgi-params-configmap` * `proxy-ssl-secret` - -**This option will be defaulted to false in the next major release** - ## allow-snippet-annotations Enables Ingress to parse and add *-snippet annotations/directives created by the user. _**default:**_ `false` @@ -260,15 +251,13 @@ Enables Ingress to parse and add *-snippet annotations/directives created by the Warning: We recommend enabling this option only if you TRUST users with permission to create Ingress objects, as this may allow a user to add restricted configurations to the final nginx.conf file -**This option will be defaulted to false in the next major release** - ## annotations-risk-level Represents the risk accepted on an annotation. If the risk is, for instance `Medium`, annotations with risk High and Critical will not be accepted. Accepted values are `Critical`, `High`, `Medium` and `Low`. -Defaults to `Critical` but will be changed to `High` on the next minor release +_**default:**_ `High` ## annotation-value-word-blocklist @@ -612,10 +601,6 @@ _References:_ - [https://nginx.org/en/docs/hash.html](https://nginx.org/en/docs/hash.html) - [https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_headers_hash_bucket_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_headers_hash_bucket_size) -## plugins - -Activates plugins installed in `/etc/nginx/lua/plugins`. Refer to [ingress-nginx plugins README](https://github.com/kubernetes/ingress-nginx/blob/main/rootfs/etc/nginx/lua/plugins/README.md) for more information on how to write and install a plugin. - ## server-tokens Send NGINX Server header in responses and display NGINX version in error pages. _**default:**_ is disabled @@ -725,7 +710,7 @@ _**default:**_ true ## use-geoip2 Enables the [geoip2 module](https://github.com/leev/ngx_http_geoip2_module) for NGINX. -Since `0.27.0` and due to a [change in the MaxMind databases](https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases) a license is required to have access to the databases. +Since `0.27.0` and due to a [change in the MaxMind databases](https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/) a license is required to have access to the databases. For this reason, it is required to define a new flag `--maxmind-license-key` in the ingress controller deployment to download the databases needed during the initialization of the ingress controller. Alternatively, it is possible to use a volume to mount the files `/etc/ingress-controller/geoip/GeoLite2-City.mmdb` and `/etc/ingress-controller/geoip/GeoLite2-ASN.mmdb`, avoiding the overhead of the download. @@ -1354,22 +1339,6 @@ _**default:**_ text/html _References:_ [https://nginx.org/en/docs/http/ngx_http_core_module.html#default_type](https://nginx.org/en/docs/http/ngx_http_core_module.html#default_type) -## global-rate-limit - -* `global-rate-limit-status-code`: configure HTTP status code to return when rejecting requests. Defaults to 429. - -Configure `memcached` client for [Global Rate Limiting](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#global-rate-limiting). - -* `global-rate-limit-memcached-host`: IP/FQDN of memcached server to use. Required to enable Global Rate Limiting. -* `global-rate-limit-memcached-port`: port of memcached server to use. Defaults default memcached port of `11211`. -* `global-rate-limit-memcached-connect-timeout`: configure timeout for connect, send and receive operations. Unit is millisecond. Defaults to 50ms. -* `global-rate-limit-memcached-max-idle-timeout`: configure timeout for cleaning idle connections. Unit is millisecond. Defaults to 50ms. -* `global-rate-limit-memcached-pool-size`: configure number of max connections to keep alive. Make sure your `memcached` server can handle -`global-rate-limit-memcached-pool-size * worker-processes * ` simultaneous connections. - -These settings get used by [lua-resty-global-throttle](https://github.com/ElvinEfendi/lua-resty-global-throttle) -that ingress-nginx includes. Refer to the link to learn more about `lua-resty-global-throttle`. - ## service-upstream Set if the service's Cluster IP and port should be used instead of a list of all endpoints. This can be overwritten by an annotation on an Ingress rule. @@ -1391,6 +1360,7 @@ _References:_ [http://nginx.org/en/docs/ngx_core_module.html#debug_connection](http://nginx.org/en/docs/ngx_core_module.html#debug_connection) ## strict-validate-path-type + Ingress objects contains a field called pathType that defines the proxy behavior. It can be `Exact`, `Prefix` and `ImplementationSpecific`. When pathType is configured as `Exact` or `Prefix`, there should be a more strict validation, allowing only paths starting with "/" and @@ -1404,6 +1374,8 @@ This means that Ingress objects that rely on paths containing regex characters s The cluster admin should establish validation rules using mechanisms like [Open Policy Agent](https://www.openpolicyagent.org/) to validate that only authorized users can use `ImplementationSpecific` pathType and that only the authorized characters can be used. +_**default:**_ "true" + ## grpc-buffer-size-kb Sets the configuration for the GRPC Buffer Size parameter. If not set it will use the default from NGINX. diff --git a/docs/user-guide/third-party-addons/opentelemetry.md b/docs/user-guide/third-party-addons/opentelemetry.md index e681e1c69..255ba1ffa 100644 --- a/docs/user-guide/third-party-addons/opentelemetry.md +++ b/docs/user-guide/third-party-addons/opentelemetry.md @@ -1,314 +1,304 @@ -# OpenTelemetry - -Enables requests served by NGINX for distributed telemetry via The OpenTelemetry Project. - -Using the third party module [opentelemetry-cpp-contrib/nginx](https://github.com/open-telemetry/opentelemetry-cpp-contrib/tree/main/instrumentation/nginx) the Ingress-Nginx Controller can configure NGINX to enable [OpenTelemetry](http://opentelemetry.io) instrumentation. -By default this feature is disabled. - -Check out this demo showcasing OpenTelemetry in Ingress NGINX. The video provides an overview and -practical demonstration of how OpenTelemetry can be utilized in Ingress NGINX for observability -and monitoring purposes. - -

- - Video Thumbnail - -

- -

Demo: OpenTelemetry in Ingress NGINX.

- -## Usage - -To enable the instrumentation we must enable OpenTelemetry in the configuration ConfigMap: -```yaml -data: - enable-opentelemetry: "true" -``` - -To enable or disable instrumentation for a single Ingress, use -the `enable-opentelemetry` annotation: -```yaml -kind: Ingress -metadata: - annotations: - nginx.ingress.kubernetes.io/enable-opentelemetry: "true" -``` - -We must also set the host to use when uploading traces: - -```yaml -otlp-collector-host: "otel-coll-collector.otel.svc" -``` -NOTE: While the option is called `otlp-collector-host`, you will need to point this to any backend that receives otlp-grpc. - -Next you will need to deploy a distributed telemetry system which uses OpenTelemetry. -[opentelemetry-collector](https://github.com/open-telemetry/opentelemetry-collector), [Jaeger](https://www.jaegertracing.io/) -[Tempo](https://github.com/grafana/tempo), and [zipkin](https://zipkin.io/) -have been tested. - -Other optional configuration options: -```yaml -# specifies the name to use for the server span -opentelemetry-operation-name - -# sets whether or not to trust incoming telemetry spans -opentelemetry-trust-incoming-span - -# specifies the port to use when uploading traces, Default: 4317 -otlp-collector-port - -# specifies the service name to use for any traces created, Default: nginx -otel-service-name - -# The maximum queue size. After the size is reached data are dropped. -otel-max-queuesize - -# The delay interval in milliseconds between two consecutive exports. -otel-schedule-delay-millis - -# How long the export can run before it is cancelled. -otel-schedule-delay-millis - -# The maximum batch size of every export. It must be smaller or equal to maxQueueSize. -otel-max-export-batch-size - -# specifies sample rate for any traces created, Default: 0.01 -otel-sampler-ratio - -# specifies the sampler to be used when sampling traces. -# The available samplers are: AlwaysOn, AlwaysOff, TraceIdRatioBased, Default: AlwaysOff -otel-sampler - -# Uses sampler implementation which by default will take a sample if parent Activity is sampled, Default: false -otel-sampler-parent-based -``` - -Note that you can also set whether to trust incoming spans (global default is true) per-location using annotations like the following: -```yaml -kind: Ingress -metadata: - annotations: - nginx.ingress.kubernetes.io/opentelemetry-trust-incoming-span: "true" -``` - -## Examples - -The following examples show how to deploy and test different distributed telemetry systems. These example can be performed using Docker Desktop. - -In the [esigo/nginx-example](https://github.com/esigo/nginx-example) -GitHub repository is an example of a simple hello service: - -```mermaid -graph TB - subgraph Browser - start["http://esigo.dev/hello/nginx"] - end - - subgraph app - sa[service-a] - sb[service-b] - sa --> |name: nginx| sb - sb --> |hello nginx!| sa - end - - subgraph otel - otc["Otel Collector"] - end - - subgraph observability - tempo["Tempo"] - grafana["Grafana"] - backend["Jaeger"] - zipkin["Zipkin"] - end - - subgraph ingress-nginx - ngx[nginx] - end - - subgraph ngx[nginx] - ng[nginx] - om[OpenTelemetry module] - end - - subgraph Node - app - otel - observability - ingress-nginx - om --> |otlp-gRPC| otc --> |jaeger| backend - otc --> |zipkin| zipkin - otc --> |otlp-gRPC| tempo --> grafana - sa --> |otlp-gRPC| otc - sb --> |otlp-gRPC| otc - start --> ng --> sa - end -``` - -To install the example and collectors run: - -1. Enable Ingress addon with: - - ```yaml - opentelemetry: - enabled: true - image: registry.k8s.io/ingress-nginx/opentelemetry:v20230527@sha256:fd7ec835f31b7b37187238eb4fdad4438806e69f413a203796263131f4f02ed0 - containerSecurityContext: - allowPrivilegeEscalation: false - ``` - -2. Enable OpenTelemetry and set the otlp-collector-host: - - ```yaml - $ echo ' - apiVersion: v1 - kind: ConfigMap - data: - enable-opentelemetry: "true" - opentelemetry-config: "/etc/nginx/opentelemetry.toml" - opentelemetry-operation-name: "HTTP $request_method $service_name $uri" - opentelemetry-trust-incoming-span: "true" - otlp-collector-host: "otel-coll-collector.otel.svc" - otlp-collector-port: "4317" - otel-max-queuesize: "2048" - otel-schedule-delay-millis: "5000" - otel-max-export-batch-size: "512" - otel-service-name: "nginx-proxy" # Opentelemetry resource name - otel-sampler: "AlwaysOn" # Also: AlwaysOff, TraceIdRatioBased - otel-sampler-ratio: "1.0" - otel-sampler-parent-based: "false" - metadata: - name: ingress-nginx-controller - namespace: ingress-nginx - ' | kubectl replace -f - - ``` - -4. Deploy otel-collector, grafana and Jaeger backend: - - ```bash - # add helm charts needed for grafana and OpenTelemetry collector - helm repo add open-telemetry https://open-telemetry.github.io/opentelemetry-helm-charts - helm repo add grafana https://grafana.github.io/helm-charts - helm repo update - # deply cert-manager needed for OpenTelemetry collector operator - kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.yaml - # create observability namespace - kubectl apply -f https://raw.githubusercontent.com/esigo/nginx-example/main/observability/namespace.yaml - # install OpenTelemetry collector operator - helm upgrade --install otel-collector-operator -n otel --create-namespace open-telemetry/opentelemetry-operator - # deploy OpenTelemetry collector - kubectl apply -f https://raw.githubusercontent.com/esigo/nginx-example/main/observability/collector.yaml - # deploy Jaeger all-in-one - kubectl apply -f https://github.com/jaegertracing/jaeger-operator/releases/download/v1.37.0/jaeger-operator.yaml -n observability - kubectl apply -f https://raw.githubusercontent.com/esigo/nginx-example/main/observability/jaeger.yaml -n observability - # deploy zipkin - kubectl apply -f https://raw.githubusercontent.com/esigo/nginx-example/main/observability/zipkin.yaml -n observability - # deploy tempo and grafana - helm upgrade --install tempo grafana/tempo --create-namespace -n observability - helm upgrade -f https://raw.githubusercontent.com/esigo/nginx-example/main/observability/grafana/grafana-values.yaml --install grafana grafana/grafana --create-namespace -n observability - ``` - -3. Build and deploy demo app: - - ```bash - # build images - make images - - # deploy demo app: - make deploy-app - ``` - -5. Make a few requests to the Service: - - ```bash - kubectl port-forward --namespace=ingress-nginx service/ingress-nginx-controller 8090:80 - curl http://esigo.dev:8090/hello/nginx - - - StatusCode : 200 - StatusDescription : OK - Content : {"v":"hello nginx!"} - - RawContent : HTTP/1.1 200 OK - Connection: keep-alive - Content-Length: 21 - Content-Type: text/plain; charset=utf-8 - Date: Mon, 10 Oct 2022 17:43:33 GMT - - {"v":"hello nginx!"} - - Forms : {} - Headers : {[Connection, keep-alive], [Content-Length, 21], [Content-Type, text/plain; charset=utf-8], [Date, - Mon, 10 Oct 2022 17:43:33 GMT]} - Images : {} - InputFields : {} - Links : {} - ParsedHtml : System.__ComObject - RawContentLength : 21 - ``` - -6. View the Grafana UI: - - ```bash - kubectl port-forward --namespace=observability service/grafana 3000:80 - ``` - In the Grafana interface we can see the details: - ![grafana screenshot](../../images/otel-grafana-demo.png "grafana screenshot") - -7. View the Jaeger UI: - - ```bash - kubectl port-forward --namespace=observability service/jaeger-all-in-one-query 16686:16686 - ``` - In the Jaeger interface we can see the details: - ![Jaeger screenshot](../../images/otel-jaeger-demo.png "Jaeger screenshot") - -8. View the Zipkin UI: - - ```bash - kubectl port-forward --namespace=observability service/zipkin 9411:9411 - ``` - In the Zipkin interface we can see the details: - ![zipkin screenshot](../../images/otel-zipkin-demo.png "zipkin screenshot") - -## Migration from OpenTracing, Jaeger, Zipkin and Datadog - -If you are migrating from OpenTracing, Jaeger, Zipkin, or Datadog to OpenTelemetry, -you may need to update various annotations and configurations. Here are the mappings -for common annotations and configurations: - -### Annotations - -| Legacy | OpenTelemetry | -|---------------------------------------------------------------|-----------------------------------------------------------------| -| `nginx.ingress.kubernetes.io/enable-opentracing` | `nginx.ingress.kubernetes.io/enable-opentelemetry` | -| `nginx.ingress.kubernetes.io/opentracing-trust-incoming-span` | `nginx.ingress.kubernetes.io/opentelemetry-trust-incoming-span` | - -### Configs - -| Legacy | OpenTelemetry | -|---------------------------------------|----------------------------------------------| -| `opentracing-operation-name` | `opentelemetry-operation-name` | -| `opentracing-location-operation-name` | `opentelemetry-operation-name` | -| `opentracing-trust-incoming-span` | `opentelemetry-trust-incoming-span` | -| `zipkin-collector-port` | `otlp-collector-port` | -| `zipkin-service-name` | `otel-service-name` | -| `zipkin-sample-rate` | `otel-sampler-ratio` | -| `jaeger-collector-port` | `otlp-collector-port` | -| `jaeger-endpoint` | `otlp-collector-port`, `otlp-collector-host` | -| `jaeger-service-name` | `otel-service-name` | -| `jaeger-propagation-format` | `N/A` | -| `jaeger-sampler-type` | `otel-sampler` | -| `jaeger-sampler-param` | `otel-sampler` | -| `jaeger-sampler-host` | `N/A` | -| `jaeger-sampler-port` | `N/A` | -| `jaeger-trace-context-header-name` | `N/A` | -| `jaeger-debug-header` | `N/A` | -| `jaeger-baggage-header` | `N/A` | -| `jaeger-tracer-baggage-header-prefix` | `N/A` | -| `datadog-collector-port` | `otlp-collector-port` | -| `datadog-service-name` | `otel-service-name` | -| `datadog-environment` | `N/A` | -| `datadog-operation-name-override` | `N/A` | -| `datadog-priority-sampling` | `otel-sampler` | -| `datadog-sample-rate` | `otel-sampler-ratio` | +# OpenTelemetry + +Enables requests served by NGINX for distributed telemetry via The OpenTelemetry Project. + +Using the third party module [opentelemetry-cpp-contrib/nginx](https://github.com/open-telemetry/opentelemetry-cpp-contrib/tree/main/instrumentation/nginx) the Ingress-Nginx Controller can configure NGINX to enable [OpenTelemetry](http://opentelemetry.io) instrumentation. +By default this feature is disabled. + +Check out this demo showcasing OpenTelemetry in Ingress NGINX. The video provides an overview and +practical demonstration of how OpenTelemetry can be utilized in Ingress NGINX for observability +and monitoring purposes. + +

+ + Video Thumbnail + +

+ +

Demo: OpenTelemetry in Ingress NGINX.

+ +## Usage + +To enable the instrumentation we must enable OpenTelemetry in the configuration ConfigMap: +```yaml +data: + enable-opentelemetry: "true" +``` + +To enable or disable instrumentation for a single Ingress, use +the `enable-opentelemetry` annotation: +```yaml +kind: Ingress +metadata: + annotations: + nginx.ingress.kubernetes.io/enable-opentelemetry: "true" +``` + +We must also set the host to use when uploading traces: + +```yaml +otlp-collector-host: "otel-coll-collector.otel.svc" +``` +NOTE: While the option is called `otlp-collector-host`, you will need to point this to any backend that receives otlp-grpc. + +Next you will need to deploy a distributed telemetry system which uses OpenTelemetry. +[opentelemetry-collector](https://github.com/open-telemetry/opentelemetry-collector), [Jaeger](https://www.jaegertracing.io/) +[Tempo](https://github.com/grafana/tempo), and [zipkin](https://zipkin.io/) +have been tested. + +Other optional configuration options: +```yaml +# specifies the name to use for the server span +opentelemetry-operation-name + +# sets whether or not to trust incoming telemetry spans +opentelemetry-trust-incoming-span + +# specifies the port to use when uploading traces, Default: 4317 +otlp-collector-port + +# specifies the service name to use for any traces created, Default: nginx +otel-service-name + +# The maximum queue size. After the size is reached data are dropped. +otel-max-queuesize + +# The delay interval in milliseconds between two consecutive exports. +otel-schedule-delay-millis + +# How long the export can run before it is cancelled. +otel-schedule-delay-millis + +# The maximum batch size of every export. It must be smaller or equal to maxQueueSize. +otel-max-export-batch-size + +# specifies sample rate for any traces created, Default: 0.01 +otel-sampler-ratio + +# specifies the sampler to be used when sampling traces. +# The available samplers are: AlwaysOn, AlwaysOff, TraceIdRatioBased, Default: AlwaysOff +otel-sampler + +# Uses sampler implementation which by default will take a sample if parent Activity is sampled, Default: false +otel-sampler-parent-based +``` + +Note that you can also set whether to trust incoming spans (global default is true) per-location using annotations like the following: +```yaml +kind: Ingress +metadata: + annotations: + nginx.ingress.kubernetes.io/opentelemetry-trust-incoming-span: "true" +``` + +## Examples + +The following examples show how to deploy and test different distributed telemetry systems. These example can be performed using Docker Desktop. + +In the [esigo/nginx-example](https://github.com/esigo/nginx-example) +GitHub repository is an example of a simple hello service: + +```mermaid +graph TB + subgraph Browser + start["http://esigo.dev/hello/nginx"] + end + + subgraph app + sa[service-a] + sb[service-b] + sa --> |name: nginx| sb + sb --> |hello nginx!| sa + end + + subgraph otel + otc["Otel Collector"] + end + + subgraph observability + tempo["Tempo"] + grafana["Grafana"] + backend["Jaeger"] + zipkin["Zipkin"] + end + + subgraph ingress-nginx + ngx[nginx] + end + + subgraph ngx[nginx] + ng[nginx] + om[OpenTelemetry module] + end + + subgraph Node + app + otel + observability + ingress-nginx + om --> |otlp-gRPC| otc --> |jaeger| backend + otc --> |zipkin| zipkin + otc --> |otlp-gRPC| tempo --> grafana + sa --> |otlp-gRPC| otc + sb --> |otlp-gRPC| otc + start --> ng --> sa + end +``` + +To install the example and collectors run: + +1. Enable OpenTelemetry and set the otlp-collector-host: + + ```yaml + $ echo ' + apiVersion: v1 + kind: ConfigMap + data: + enable-opentelemetry: "true" + opentelemetry-config: "/etc/nginx/opentelemetry.toml" + opentelemetry-operation-name: "HTTP $request_method $service_name $uri" + opentelemetry-trust-incoming-span: "true" + otlp-collector-host: "otel-coll-collector.otel.svc" + otlp-collector-port: "4317" + otel-max-queuesize: "2048" + otel-schedule-delay-millis: "5000" + otel-max-export-batch-size: "512" + otel-service-name: "nginx-proxy" # Opentelemetry resource name + otel-sampler: "AlwaysOn" # Also: AlwaysOff, TraceIdRatioBased + otel-sampler-ratio: "1.0" + otel-sampler-parent-based: "false" + metadata: + name: ingress-nginx-controller + namespace: ingress-nginx + ' | kubectl replace -f - + ``` + +2. Deploy otel-collector, grafana and Jaeger backend: + + ```bash + # add helm charts needed for grafana and OpenTelemetry collector + helm repo add open-telemetry https://open-telemetry.github.io/opentelemetry-helm-charts + helm repo add grafana https://grafana.github.io/helm-charts + helm repo update + # deploy cert-manager needed for OpenTelemetry collector operator + kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.3/cert-manager.yaml + # create observability namespace + kubectl apply -f https://raw.githubusercontent.com/esigo/nginx-example/main/observability/namespace.yaml + # install OpenTelemetry collector operator + helm upgrade --install otel-collector-operator -n otel --create-namespace open-telemetry/opentelemetry-operator + # deploy OpenTelemetry collector + kubectl apply -f https://raw.githubusercontent.com/esigo/nginx-example/main/observability/collector.yaml + # deploy Jaeger all-in-one + kubectl apply -f https://github.com/jaegertracing/jaeger-operator/releases/download/v1.37.0/jaeger-operator.yaml -n observability + kubectl apply -f https://raw.githubusercontent.com/esigo/nginx-example/main/observability/jaeger.yaml -n observability + # deploy zipkin + kubectl apply -f https://raw.githubusercontent.com/esigo/nginx-example/main/observability/zipkin.yaml -n observability + # deploy tempo and grafana + helm upgrade --install tempo grafana/tempo --create-namespace -n observability + helm upgrade -f https://raw.githubusercontent.com/esigo/nginx-example/main/observability/grafana/grafana-values.yaml --install grafana grafana/grafana --create-namespace -n observability + ``` + +3. Build and deploy demo app: + + ```bash + # build images + make images + + # deploy demo app: + make deploy-app + ``` + +4. Make a few requests to the Service: + + ```bash + kubectl port-forward --namespace=ingress-nginx service/ingress-nginx-controller 8090:80 + curl http://esigo.dev:8090/hello/nginx + + + StatusCode : 200 + StatusDescription : OK + Content : {"v":"hello nginx!"} + + RawContent : HTTP/1.1 200 OK + Connection: keep-alive + Content-Length: 21 + Content-Type: text/plain; charset=utf-8 + Date: Mon, 10 Oct 2022 17:43:33 GMT + + {"v":"hello nginx!"} + + Forms : {} + Headers : {[Connection, keep-alive], [Content-Length, 21], [Content-Type, text/plain; charset=utf-8], [Date, + Mon, 10 Oct 2022 17:43:33 GMT]} + Images : {} + InputFields : {} + Links : {} + ParsedHtml : System.__ComObject + RawContentLength : 21 + ``` + +5. View the Grafana UI: + + ```bash + kubectl port-forward --namespace=observability service/grafana 3000:80 + ``` + In the Grafana interface we can see the details: + ![grafana screenshot](../../images/otel-grafana-demo.png "grafana screenshot") + +6. View the Jaeger UI: + + ```bash + kubectl port-forward --namespace=observability service/jaeger-all-in-one-query 16686:16686 + ``` + In the Jaeger interface we can see the details: + ![Jaeger screenshot](../../images/otel-jaeger-demo.png "Jaeger screenshot") + +7. View the Zipkin UI: + + ```bash + kubectl port-forward --namespace=observability service/zipkin 9411:9411 + ``` + In the Zipkin interface we can see the details: + ![zipkin screenshot](../../images/otel-zipkin-demo.png "zipkin screenshot") + +## Migration from OpenTracing, Jaeger, Zipkin and Datadog + +If you are migrating from OpenTracing, Jaeger, Zipkin, or Datadog to OpenTelemetry, +you may need to update various annotations and configurations. Here are the mappings +for common annotations and configurations: + +### Annotations + +| Legacy | OpenTelemetry | +|---------------------------------------------------------------|-----------------------------------------------------------------| +| `nginx.ingress.kubernetes.io/enable-opentracing` | `nginx.ingress.kubernetes.io/enable-opentelemetry` | +| `nginx.ingress.kubernetes.io/opentracing-trust-incoming-span` | `nginx.ingress.kubernetes.io/opentelemetry-trust-incoming-span` | + +### Configs + +| Legacy | OpenTelemetry | +|---------------------------------------|----------------------------------------------| +| `opentracing-operation-name` | `opentelemetry-operation-name` | +| `opentracing-location-operation-name` | `opentelemetry-operation-name` | +| `opentracing-trust-incoming-span` | `opentelemetry-trust-incoming-span` | +| `zipkin-collector-port` | `otlp-collector-port` | +| `zipkin-service-name` | `otel-service-name` | +| `zipkin-sample-rate` | `otel-sampler-ratio` | +| `jaeger-collector-port` | `otlp-collector-port` | +| `jaeger-endpoint` | `otlp-collector-port`, `otlp-collector-host` | +| `jaeger-service-name` | `otel-service-name` | +| `jaeger-propagation-format` | `N/A` | +| `jaeger-sampler-type` | `otel-sampler` | +| `jaeger-sampler-param` | `otel-sampler` | +| `jaeger-sampler-host` | `N/A` | +| `jaeger-sampler-port` | `N/A` | +| `jaeger-trace-context-header-name` | `N/A` | +| `jaeger-debug-header` | `N/A` | +| `jaeger-baggage-header` | `N/A` | +| `jaeger-tracer-baggage-header-prefix` | `N/A` | +| `datadog-collector-port` | `otlp-collector-port` | +| `datadog-service-name` | `otel-service-name` | +| `datadog-environment` | `N/A` | +| `datadog-operation-name-override` | `N/A` | +| `datadog-priority-sampling` | `otel-sampler` | +| `datadog-sample-rate` | `otel-sampler-ratio` | diff --git a/go.mod b/go.mod index 62241e201..3f0637f03 100644 --- a/go.mod +++ b/go.mod @@ -1,11 +1,9 @@ module k8s.io/ingress-nginx -go 1.22.0 - -toolchain go1.22.4 +go 1.22.8 require ( - dario.cat/mergo v1.0.0 + dario.cat/mergo v1.0.1 github.com/armon/go-proxyproto v0.1.0 github.com/eapache/channels v1.1.0 github.com/fsnotify/fsnotify v1.7.0 @@ -16,35 +14,44 @@ require ( github.com/mitchellh/mapstructure v1.5.0 github.com/moul/pb v0.0.0-20220425114252-bca18df4138c github.com/ncabatoff/process-exporter v0.8.3 - github.com/onsi/ginkgo/v2 v2.19.1 - github.com/opencontainers/runc v1.1.13 - github.com/pmezard/go-difflib v1.0.0 - github.com/prometheus/client_golang v1.19.1 + github.com/onsi/ginkgo/v2 v2.20.2 + github.com/opencontainers/runc v1.1.14 + github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 + github.com/prometheus/client_golang v1.20.4 github.com/prometheus/client_model v0.6.1 - github.com/prometheus/common v0.55.0 + github.com/prometheus/common v0.60.0 github.com/spf13/cobra v1.8.1 github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.9.0 github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20221221105603-fcedb00c5b30 - golang.org/x/crypto v0.25.0 - golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f - google.golang.org/grpc v1.65.0 + golang.org/x/crypto v0.28.0 + golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 + google.golang.org/grpc v1.67.1 google.golang.org/grpc/examples v0.0.0-20240223204917-5ccf176a08ab gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 - k8s.io/api v0.30.3 - k8s.io/apiextensions-apiserver v0.30.1 - k8s.io/apimachinery v0.30.3 - k8s.io/apiserver v0.30.1 - k8s.io/cli-runtime v0.30.0 - k8s.io/client-go v0.30.3 - k8s.io/code-generator v0.30.1 - k8s.io/component-base v0.30.3 + k8s.io/api v0.31.1 + k8s.io/apiextensions-apiserver v0.31.1 + k8s.io/apimachinery v0.31.1 + k8s.io/apiserver v0.31.1 + k8s.io/cli-runtime v0.31.1 + k8s.io/client-go v0.31.1 + k8s.io/code-generator v0.31.1 + k8s.io/component-base v0.31.1 k8s.io/klog/v2 v2.130.1 pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 - sigs.k8s.io/controller-runtime v0.18.4 - sigs.k8s.io/mdtoc v1.1.0 + sigs.k8s.io/controller-runtime v0.19.0 + sigs.k8s.io/mdtoc v1.4.0 +) + +require ( + github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect + github.com/fxamacker/cbor/v2 v2.7.0 // indirect + github.com/klauspost/compress v1.17.9 // indirect + github.com/x448/float16 v0.8.4 // indirect + gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect + sigs.k8s.io/release-utils v0.8.3 // indirect ) require ( @@ -56,10 +63,9 @@ require ( github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/coreos/go-systemd/v22 v22.5.0 // indirect github.com/cyphar/filepath-securejoin v0.2.4 // indirect - github.com/davecgh/go-spew v1.1.1 // indirect + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/eapache/queue v1.1.0 // indirect github.com/emicklei/go-restful/v3 v3.12.0 // indirect - github.com/evanphx/json-patch v5.9.0+incompatible // indirect github.com/evanphx/json-patch/v5 v5.9.0 // indirect github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa // indirect github.com/go-errors/errors v1.5.1 // indirect @@ -72,12 +78,12 @@ require ( github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.4 // indirect - github.com/gomarkdown/markdown v0.0.0-20231222211730-1d6d20845b47 // indirect + github.com/gomarkdown/markdown v0.0.0-20240328165702-4d01890c35c0 // indirect github.com/google/btree v1.1.2 // indirect github.com/google/gnostic-models v0.6.8 // indirect github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 // indirect + github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect github.com/google/uuid v1.6.0 // indirect github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect @@ -108,28 +114,27 @@ require ( github.com/yudai/pp v2.0.1+incompatible // indirect go.starlark.net v0.0.0-20240123142251-f86470692795 // indirect go.uber.org/zap v1.27.0 // indirect - golang.org/x/mod v0.17.0 // indirect - golang.org/x/net v0.26.0 // indirect - golang.org/x/oauth2 v0.21.0 // indirect - golang.org/x/sync v0.7.0 // indirect - golang.org/x/sys v0.22.0 // indirect - golang.org/x/term v0.22.0 // indirect - golang.org/x/text v0.16.0 // indirect + golang.org/x/mod v0.20.0 // indirect + golang.org/x/net v0.29.0 // indirect + golang.org/x/oauth2 v0.23.0 // indirect + golang.org/x/sync v0.8.0 // indirect + golang.org/x/sys v0.26.0 // indirect + golang.org/x/term v0.25.0 // indirect + golang.org/x/text v0.19.0 // indirect golang.org/x/time v0.5.0 // indirect - golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 // indirect + golang.org/x/tools v0.24.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 // indirect google.golang.org/protobuf v1.34.2 // indirect - gopkg.in/evanphx/json-patch.v5 v5.9.0 // indirect gopkg.in/go-playground/assert.v1 v1.2.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/gengo/v2 v2.0.0-20240404160639-a0386bf69313 // indirect k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f // indirect - k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 // indirect + k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect - sigs.k8s.io/kustomize/api v0.16.0 // indirect - sigs.k8s.io/kustomize/kyaml v0.16.0 // indirect + sigs.k8s.io/kustomize/api v0.17.2 // indirect + sigs.k8s.io/kustomize/kyaml v0.17.1 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect sigs.k8s.io/yaml v1.4.0 // indirect ) diff --git a/go.sum b/go.sum index 68326360f..470599f77 100644 --- a/go.sum +++ b/go.sum @@ -1,10 +1,9 @@ -dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk= -dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= +dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s= +dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= github.com/Anddd7/pb v0.0.0-20240425032658-369b0f6a404c h1:uhBf0CHXi7nCFZXxHV7l1cBcYFEEVRK4FYxvm1l9lKg= github.com/Anddd7/pb v0.0.0-20240425032658-369b0f6a404c/go.mod h1:vYWKbnXd2KAZHUECLPzSE0Er3FgiEmOdPtxwSIRihck= github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= -github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8= github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/armon/go-proxyproto v0.1.0 h1:TWWcSsjco7o2itn6r25/5AqKBiWmsiuzsUDLT/MTl7k= @@ -15,6 +14,8 @@ github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL2kskAlV9ckgEsNQXscjIaLiOYiZ75d4e94E6dcQ= +github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w= github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= @@ -23,16 +24,15 @@ github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/eapache/channels v1.1.0 h1:F1taHcn7/F0i8DYqKXJnyhJcVpp2kgFcNePxXtnyu4k= github.com/eapache/channels v1.1.0/go.mod h1:jMm2qB5Ubtg9zLd+inMZd2/NUvXgzmWXsDaLyQIGfH0= github.com/eapache/queue v1.1.0 h1:YOEu7KNc61ntiQlcEeUIoDTJ2o8mQznoNvUhiigpIqc= github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk= github.com/emicklei/go-restful/v3 v3.12.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls= -github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= @@ -42,6 +42,8 @@ github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyT github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA= github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa h1:RDBNVkRviHZtvDvId8XSGPu3rmpmSe+wKRcEWNgsfWU= github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk= github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= @@ -73,9 +75,8 @@ github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvq github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= -github.com/gomarkdown/markdown v0.0.0-20210514010506-3b9f47219fe7/go.mod h1:aii0r/K0ZnHv7G0KF7xy1v0A7s2Ljrb5byB7MO5p6TU= -github.com/gomarkdown/markdown v0.0.0-20231222211730-1d6d20845b47 h1:k4Tw0nt6lwro3Uin8eqoET7MDA4JnT8YgbCjc/g5E3k= -github.com/gomarkdown/markdown v0.0.0-20231222211730-1d6d20845b47/go.mod h1:JDGcbDT52eL4fju3sZ4TeHGsQwhG9nbDV21aMyhwPoA= +github.com/gomarkdown/markdown v0.0.0-20240328165702-4d01890c35c0 h1:4gjrh/PN2MuWCCElk8/I4OCKRKWCCo2zEct3VKCbibU= +github.com/gomarkdown/markdown v0.0.0-20240328165702-4d01890c35c0/go.mod h1:JDGcbDT52eL4fju3sZ4TeHGsQwhG9nbDV21aMyhwPoA= github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= @@ -89,8 +90,8 @@ github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg= -github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= +github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 h1:5iH8iuqE5apketRbSFBy+X1V0o+l+8NF1avt4HWl7cA= +github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= @@ -108,6 +109,8 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= +github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= @@ -160,32 +163,33 @@ github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.19.1 h1:QXgq3Z8Crl5EL1WBAC98A5sEBHARrAJNzAmMxzLcRF0= -github.com/onsi/ginkgo/v2 v2.19.1/go.mod h1:O3DtEWQkPa/F7fBMgmZQKKsluAy8pd3rEQdrjkPb9zA= +github.com/onsi/ginkgo/v2 v2.20.2 h1:7NVCeyIWROIAheY21RLS+3j2bb52W0W82tkberYytp4= +github.com/onsi/ginkgo/v2 v2.20.2/go.mod h1:K9gyxPIlb+aIvnZ8bd9Ak+YP18w3APlR+5coaZoE2ag= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -github.com/onsi/gomega v1.34.0 h1:eSSPsPNp6ZpsG8X1OVmOTxig+CblTc4AxpPBykhe2Os= -github.com/onsi/gomega v1.34.0/go.mod h1:MIKI8c+f+QLWk+hxbePD4i0LMJSExPaZOVfkoex4cAo= -github.com/opencontainers/runc v1.1.13 h1:98S2srgG9vw0zWcDpFMn5TRrh8kLxa/5OFUstuUhmRs= -github.com/opencontainers/runc v1.1.13/go.mod h1:R016aXacfp/gwQBYw2FDGa9m+n6atbLWrYY8hNMT/sA= +github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k= +github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY= +github.com/opencontainers/runc v1.1.14 h1:rgSuzbmgz5DUJjeSnw337TxDbRuqjs6iqQck/2weR6w= +github.com/opencontainers/runc v1.1.14/go.mod h1:E4C2z+7BxR7GHXp0hAY53mek+x49X1LjPNeMTfRGvOA= github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk= github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= -github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_golang v1.20.4 h1:Tgh3Yr67PaOv/uTqloMsCEdeuFTatm5zIq5+qNN23vI= +github.com/prometheus/client_golang v1.20.4/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= -github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= -github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= +github.com/prometheus/common v0.60.0 h1:+V9PAREWNvJMAuJ1x1BaWl9dewMW4YrHZQbx0sJNllA= +github.com/prometheus/common v0.60.0/go.mod h1:h0LYf1R1deLSKtD4Vdg8gy4RuOvENW2J/h19V5NADQw= github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= -github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= -github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I= @@ -206,6 +210,8 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/urfave/cli v1.17.1-0.20160602030128-01a33823596e/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= github.com/yudai/gojsondiff v1.0.0 h1:27cbfqXLVEJ1o8I6v3y9lg8Ydm53EKqHXAOMxEGlCOA= @@ -226,34 +232,33 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= -golang.org/dl v0.0.0-20190829154251-82a15e2f2ead/go.mod h1:IUMfjQLJQd4UTqG1Z90tenwKoCX93Gn3MAQJMOSBsDQ= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= -golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= -golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f h1:99ci1mjWVBWwJiEKYY6jWa4d2nTQVIEhZIptnrVb1XY= -golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f/go.mod h1:/lliqkxwWAhPjf5oSOIJup2XcqJaw8RGS6k3TGEc7GI= +golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= +golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= -golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= +golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= -golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= -golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= -golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= +golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= +golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs= +golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= -golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -268,14 +273,14 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= -golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk= -golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4= +golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= +golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24= +golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= -golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= +golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= +golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -283,18 +288,18 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg= -golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= +golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= +golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 h1:Zy9XzmMEflZ/MAaA7vNcoebnRAld7FsPW1EeBB7V0m8= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0= -google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= -google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 h1:e7S5W7MGGLaSu8j3YjdezkZ+m1/Nm0uRVRMEMGk26Xs= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= +google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= google.golang.org/grpc/examples v0.0.0-20240223204917-5ccf176a08ab h1:tg8hvIl5RmFBuXlcJMuL0h4Psh1gx5Q5xEMwzBZIzWA= google.golang.org/grpc/examples v0.0.0-20240223204917-5ccf176a08ab/go.mod h1:liVNnGuZDITxuksuZ+BBvdy7FcJfeNk+efF9qgqNUmc= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= @@ -309,8 +314,8 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= -gopkg.in/evanphx/json-patch.v5 v5.9.0 h1:hx1VU2SGj4F8r9b8GUwJLdc8DNO8sy79ZGui0G05GLo= -gopkg.in/evanphx/json-patch.v5 v5.9.0/go.mod h1:/kvTRh1TVm5wuM6OkHxqXtE/1nUZZpihg29RtuIyfvk= +gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= +gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/go-playground/assert.v1 v1.2.1 h1:xoYuJVE7KT85PYWrN730RguIQO0ePzVRfFMXadIrXTM= gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8bDuhia5mkpMnE= @@ -331,42 +336,44 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ= -k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04= -k8s.io/apiextensions-apiserver v0.30.1 h1:4fAJZ9985BmpJG6PkoxVRpXv9vmPUOVzl614xarePws= -k8s.io/apiextensions-apiserver v0.30.1/go.mod h1:R4GuSrlhgq43oRY9sF2IToFh7PVlF1JjfWdoG3pixk4= -k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc= -k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= -k8s.io/apiserver v0.30.1 h1:BEWEe8bzS12nMtDKXzCF5Q5ovp6LjjYkSp8qOPk8LZ8= -k8s.io/apiserver v0.30.1/go.mod h1:i87ZnQ+/PGAmSbD/iEKM68bm1D5reX8fO4Ito4B01mo= -k8s.io/cli-runtime v0.30.0 h1:0vn6/XhOvn1RJ2KJOC6IRR2CGqrpT6QQF4+8pYpWQ48= -k8s.io/cli-runtime v0.30.0/go.mod h1:vATpDMATVTMA79sZ0YUCzlMelf6rUjoBzlp+RnoM+cg= -k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k= -k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U= -k8s.io/code-generator v0.30.1 h1:ZsG++q5Vt0ScmKCeLhynUuWgcwFGg1Hl1AGfatqPJBI= -k8s.io/code-generator v0.30.1/go.mod h1:hFgxRsvOUg79mbpbVKfjJvRhVz1qLoe40yZDJ/hwRH4= -k8s.io/component-base v0.30.3 h1:Ci0UqKWf4oiwy8hr1+E3dsnliKnkMLZMVbWzeorlk7s= -k8s.io/component-base v0.30.3/go.mod h1:C1SshT3rGPCuNtBs14RmVD2xW0EhRSeLvBh7AGk1quA= +k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= +k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= +k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40= +k8s.io/apiextensions-apiserver v0.31.1/go.mod h1:tWMPR3sgW+jsl2xm9v7lAyRF1rYEK71i9G5dRtkknoQ= +k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U= +k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/apiserver v0.31.1 h1:Sars5ejQDCRBY5f7R3QFHdqN3s61nhkpaX8/k1iEw1c= +k8s.io/apiserver v0.31.1/go.mod h1:lzDhpeToamVZJmmFlaLwdYZwd7zB+WYRYIboqA1kGxM= +k8s.io/cli-runtime v0.31.1 h1:/ZmKhmZ6hNqDM+yf9s3Y4KEYakNXUn5sod2LWGGwCuk= +k8s.io/cli-runtime v0.31.1/go.mod h1:pKv1cDIaq7ehWGuXQ+A//1OIF+7DI+xudXtExMCbe9U= +k8s.io/client-go v0.31.1 h1:f0ugtWSbWpxHR7sjVpQwuvw9a3ZKLXX0u0itkFXufb0= +k8s.io/client-go v0.31.1/go.mod h1:sKI8871MJN2OyeqRlmA4W4KM9KBdBUpDLu/43eGemCg= +k8s.io/code-generator v0.31.1 h1:GvkRZEP2g2UnB2QKT2Dgc/kYxIkDxCHENv2Q1itioVs= +k8s.io/code-generator v0.31.1/go.mod h1:oL2ky46L48osNqqZAeOcWWy0S5BXj50vVdwOtTefqIs= +k8s.io/component-base v0.31.1 h1:UpOepcrX3rQ3ab5NB6g5iP0tvsgJWzxTyAo20sgYSy8= +k8s.io/component-base v0.31.1/go.mod h1:WGeaw7t/kTsqpVTaCoVEtillbqAhF2/JgvO0LDOMa0w= k8s.io/gengo/v2 v2.0.0-20240404160639-a0386bf69313 h1:bKcdZJOPICVmIIuaM9+MXmapE94dn5AYv5ODs1jA43o= k8s.io/gengo/v2 v2.0.0-20240404160639-a0386bf69313/go.mod h1:VH3AT8AaQOqiGjMF9p0/IM1Dj+82ZwjfxUP1IxaHE+8= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f h1:0LQagt0gDpKqvIkAMPaRGcXawNMouPECM1+F9BVxEaM= k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f/go.mod h1:S9tOR0FxgyusSNR+MboCuiDpVWkAifZvaYI1Q2ubgro= -k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak= -k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 h1:SAElp8THCfmBdM+4lmWX5gebiSSkEr7PAYDVF91qpfg= pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732/go.mod h1:lpvCfhqEHNJSSpG5R5A2EgsVzG8RTt4RfPoQuRAcDmg= -sigs.k8s.io/controller-runtime v0.18.4 h1:87+guW1zhvuPLh1PHybKdYFLU0YJp4FhJRmiHvm5BZw= -sigs.k8s.io/controller-runtime v0.18.4/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg= +sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= +sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/kustomize/api v0.16.0 h1:/zAR4FOQDCkgSDmVzV2uiFbuy9bhu3jEzthrHCuvm1g= -sigs.k8s.io/kustomize/api v0.16.0/go.mod h1:MnFZ7IP2YqVyVwMWoRxPtgl/5hpA+eCCrQR/866cm5c= -sigs.k8s.io/kustomize/kyaml v0.16.0 h1:6J33uKSoATlKZH16unr2XOhDI+otoe2sR3M8PDzW3K0= -sigs.k8s.io/kustomize/kyaml v0.16.0/go.mod h1:xOK/7i+vmE14N2FdFyugIshB8eF6ALpy7jI87Q2nRh4= -sigs.k8s.io/mdtoc v1.1.0 h1:q3YtqYzmC2e0hgLXRIOm7/QLuPux1CX3ZHCwlbABxZo= -sigs.k8s.io/mdtoc v1.1.0/go.mod h1:QZLVEdHH2iNIR4uHAZyvFRtjloHgVItk8lo/mzCtq3w= +sigs.k8s.io/kustomize/api v0.17.2 h1:E7/Fjk7V5fboiuijoZHgs4aHuexi5Y2loXlVOAVAG5g= +sigs.k8s.io/kustomize/api v0.17.2/go.mod h1:UWTz9Ct+MvoeQsHcJ5e+vziRRkwimm3HytpZgIYqye0= +sigs.k8s.io/kustomize/kyaml v0.17.1 h1:TnxYQxFXzbmNG6gOINgGWQt09GghzgTP6mIurOgrLCQ= +sigs.k8s.io/kustomize/kyaml v0.17.1/go.mod h1:9V0mCjIEYjlXuCdYsSXvyoy2BTsLESH7TlGV81S282U= +sigs.k8s.io/mdtoc v1.4.0 h1:2pDEwJSjoVrGr5BPkG+LoLkYLKvgtGYurrBY8ul3SxQ= +sigs.k8s.io/mdtoc v1.4.0/go.mod h1:KVnRRtK1rX9aQ95qF0rt3x2ytTxf3r7W7N41H+0KF0k= +sigs.k8s.io/release-utils v0.8.3 h1:KtOtA4qDmzJyeQ2zkDsFVI25+NViwms/o5eL2NftFdA= +sigs.k8s.io/release-utils v0.8.3/go.mod h1:fp82Fma06OXBhEJ+GUJKqvcplDBomruK1R/1fWJnsrQ= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= diff --git a/go.work b/go.work index c963e3c0e..b98909b34 100644 --- a/go.work +++ b/go.work @@ -1,4 +1,4 @@ -go 1.22.0 +go 1.22.8 use ( . diff --git a/go.work.sum b/go.work.sum index 3a38ab8ec..8b186c739 100644 --- a/go.work.sum +++ b/go.work.sum @@ -1,3 +1,4 @@ +cel.dev/expr v0.15.0 h1:O1jzfJCQBfL5BFoYktaxwIhuttaQPsVWerH9/EEKx0w= cel.dev/expr v0.15.0/go.mod h1:TRSuuV7DlVCE/uwv5QbAiW/v8l5O8C4eEPHeu7gf7Sg= cloud.google.com/go v0.110.2 h1:sdFPBr6xG9/wkBbfhmUz/JmZC7X6LavQgcrVINrKiVA= cloud.google.com/go v0.110.4/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI= @@ -123,6 +124,7 @@ cloud.google.com/go/cloudtasks v1.12.6/go.mod h1:b7c7fe4+TJsFZfDyzO51F7cjq7HLUlR cloud.google.com/go/compute v1.21.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM= cloud.google.com/go/compute v1.23.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM= cloud.google.com/go/compute v1.23.1/go.mod h1:CqB3xpmPKKt3OJpW2ndFIXnA9A4xAy/F3Xp1ixncW78= +cloud.google.com/go/compute v1.23.3 h1:6sVlXXBmbd7jNX0Ipq0trII3e4n1/MsADLK6a+aiVlk= cloud.google.com/go/compute v1.23.3/go.mod h1:VCgBUoMnIVIR0CscqQiPJLAG25E3ZRZMzcFZeQ+h8CI= cloud.google.com/go/compute v1.24.0 h1:phWcR2eWzRJaL/kOiJwfFsPs4BaKq1j6vnpZrc1YlVg= cloud.google.com/go/compute v1.24.0/go.mod h1:kw1/T+h/+tK2LJK0wiPPx1intgdAM3j/g3hFDlscY40= @@ -569,6 +571,8 @@ github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY github.com/antihax/optional v1.0.0 h1:xK2lYat7ZLaVVcIuj82J8kIro4V6kDe0AUDFboUCwcg= github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df h1:7RFfzj4SSt6nnvCPbCqijJi1nWCd+TqAT3bYCStRC18= github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM= +github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI= +github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g= github.com/apache/arrow/go/v10 v10.0.1 h1:n9dERvixoC/1JjDmBcs9FPaEryoANa2sCgVFo6ez9cI= github.com/apache/arrow/go/v11 v11.0.0 h1:hqauxvFQxww+0mEU/2XHG6LT7eZternCZq+A5Yly2uM= github.com/apache/thrift v0.16.0 h1:qEy6UW60iVOlUy+b9ZR0d5WzUWYGOo4HfopoyBaNmoY= @@ -583,6 +587,8 @@ github.com/bytedance/sonic v1.9.1 h1:6iJ6NqdoxCDr6mbY8h18oSO+cShGSMRGCEo7F2h0x8s github.com/bytedance/sonic v1.9.1/go.mod h1:i736AoUSYt75HyZLoJW9ERYxcy6eaN6h4BZXU064P/U= github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM= github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= +github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g= github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= @@ -615,6 +621,7 @@ github.com/cncf/xds/go v0.0.0-20231109132714-523115ebc101/go.mod h1:eXthEFrGJvWH github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa h1:jQCWAUqqlij9Pgj2i/PB79y4KOPYVyFYdROxgaCwdTQ= github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa/go.mod h1:x/1Gn8zydmfq8dk6e9PdstVsDgu9RuyIIJqAaF//0IM= github.com/cncf/xds/go v0.0.0-20240318125728-8a4994d93e50/go.mod h1:5e1+Vvlzido69INQaVO6d87Qn543Xr6nooe9Kz7oBFM= +github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b h1:ga8SEFjZ60pxLcmhnThWgvH2wg8376yUJmPhEH4H3kw= github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= github.com/containerd/console v1.0.3 h1:lIr7SlA5PxZyMV30bDW0MGbiOPXwc63yRuCP0ARubLw= github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U= @@ -624,6 +631,7 @@ github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e h1:Wf6HqHfScWJN9/ZjdUKyjop4mf3Qdd+1TvvltAvM3m8= github.com/cpuguy83/go-md2man/v2 v2.0.3 h1:qMCsGGgs+MAzDFyp9LpAe1Lqy/fY/qCovCm0qnXZOBM= +github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4= github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw= github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815 h1:bWDMxwH3px2JBh6AyO7hdCn/PkvCZXii8TGj7sbtEbQ= @@ -636,12 +644,14 @@ github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRr github.com/envoyproxy/go-control-plane v0.11.1/go.mod h1:uhMcXKCQMEJHiAb0w+YGefQLaTEw+YhGluxZkrTmD0g= github.com/envoyproxy/go-control-plane v0.12.0 h1:4X+VP1GHd1Mhj6IB5mMeGbLCleqxjletLK6K0rbxyZI= github.com/envoyproxy/go-control-plane v0.12.0/go.mod h1:ZBTaoJ23lqITozF0M6G4/IragXCQKCnYbmlmtHvwRG0= +github.com/envoyproxy/go-control-plane v0.12.1-0.20240621013728-1eb8caab5155/go.mod h1:5Wkq+JduFtdAXihLmeTJf+tRYIT4KBc2vPXDhwVo1pA= github.com/envoyproxy/protoc-gen-validate v1.0.2/go.mod h1:GpiZQP3dDbg4JouG/NNS7QWXpgx6x8QiMKdmN72jogE= github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk= github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/fogleman/gg v1.3.0 h1:/7zJX8F6AaYQc57WQCyN9cAIz+4bCJGO9B+dyW29am8= github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA= @@ -678,6 +688,7 @@ github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaL github.com/go-openapi/jsonreference v0.20.1/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-openapi/swag v0.22.4/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-openapi/swag v0.22.5/go.mod h1:Gl91UqO+btAM0plGGxHqJcQZ1ZTy6jbmridBTsDy8A0= github.com/go-openapi/swag v0.22.6/go.mod h1:Gl91UqO+btAM0plGGxHqJcQZ1ZTy6jbmridBTsDy8A0= github.com/go-pdf/fpdf v0.6.0 h1:MlgtGIfsdMEEQJr2le6b/HNr1ZlQwxyWr77r2aj2U/8= @@ -703,6 +714,7 @@ github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 h1:DACJavvAHhabrF0 github.com/golang/glog v1.1.2/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ= github.com/golang/glog v1.2.0 h1:uCdmnmatrKCgMBlM4rMuJZWOkPDqdbZPnrMXDY4gI68= github.com/golang/glog v1.2.0/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w= +github.com/golang/glog v1.2.1 h1:OptwRhECazUx5ix5TTWC3EZhsZEHWcYWY4FQHTIubm4= github.com/golang/glog v1.2.1/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w= github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= @@ -711,6 +723,8 @@ github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9 github.com/google/cel-go v0.17.7/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY= github.com/google/cel-go v0.17.8 h1:j9m730pMZt1Fc4oKhCLUHfjj6527LuhYcYw0Rl8gqto= github.com/google/cel-go v0.17.8/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY= +github.com/google/cel-go v0.20.1 h1:nDx9r8S3L4pE61eDdt8igGj8rf5kjYR3ILxWIpWNi84= +github.com/google/cel-go v0.20.1/go.mod h1:kWcIzTsPX0zmQ+H3TirHstLLf9ep5QTsZBN9u4dOYLg= github.com/google/flatbuffers v2.0.8+incompatible h1:ivUb1cGomAB101ZM1T0nOiWz9pSrTMoa9+EiY7igmkM= github.com/google/go-pkcs11 v0.2.1-0.20230907215043-c6f79328ddf9/go.mod h1:6eQoGcuNJpa7jnd5pMGdkSaQpNDYvPlXWMcjXXThLlY= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= @@ -718,6 +732,8 @@ github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPg github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw= github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= +github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= github.com/google/renameio v0.1.0 h1:GOZbcHa3HfsPKPlmyPyN2KEohoMXOhdMbHrvbpl2QaA= github.com/google/s2a-go v0.1.4 h1:1kZ/sQM3srePvKs3tXAvQzo66XfcReoqFpIpIccE7Oc= github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= @@ -743,6 +759,8 @@ github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms= github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k= github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+dAcgU= github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI= github.com/iancoleman/strcase v0.2.0 h1:05I4QRnGpI0m37iZQRuskXh+w77mr6Z41lwQzuHLwW0= @@ -795,6 +813,8 @@ github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8 h1:AMFGa4R4MiIpsp github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3 h1:+n/aFZefKZp7spd8DFdX7uMikMLXX4oubIzJF4kv/wI= github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8= github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= +github.com/moby/spdystream v0.4.0 h1:Vy79D6mHeJJjiPdFEL2yku1kl0chZpJfZcPpb16BRl8= +github.com/moby/spdystream v0.4.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI= github.com/mrunalp/fileutils v0.5.1 h1:F+S7ZlNKnrwHfSwdlgNSkKo67ReVf8o9fel6C3dkm/Q= github.com/mrunalp/fileutils v0.5.1/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= @@ -825,6 +845,7 @@ github.com/pierrec/lz4/v4 v4.1.15 h1:MO0/ucJhngq7299dKLwIMtgTfbkoSPF6AoMYDd8Q4q0 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e h1:aoZm08cpOy4WuID//EZDgcC4zIxODThtZNPirFr42+A= github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pkg/sftp v1.13.1 h1:I2qBYMChEhIjOgazfJmV3/mZM256btk6wkCDRmW7JYs= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= github.com/pquerna/cachecontrol v0.1.0 h1:yJMy84ti9h/+OEWa752kBTKv4XC30OtVVHYv/8cTqKc= github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI= github.com/prometheus/exporter-toolkit v0.11.0 h1:yNTsuZ0aNCNFQ3aFTD2uhPOvr4iD7fdBvKPAEGkNf+g= @@ -871,8 +892,6 @@ github.com/vishvananda/netlink v1.1.0 h1:1iyaYNBLmP6L0220aDnYQpo1QEV4t4hJ+xEEhhJ github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df h1:OviZH7qLw/7ZovXvuNyL3XQl8UFofeikI1NW1Gypu7k= github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU= -github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= -github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/xhit/go-str2duration v1.2.0 h1:BcV5u025cITWxEQKGWr1URRzrcXtu7uk8+luz3Yuhwc= github.com/xhit/go-str2duration/v2 v2.1.0 h1:lxklc02Drh6ynqX+DdPyp5pCKLUQpRT8bp8Ydu2Bstc= github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU= @@ -883,50 +902,84 @@ github.com/zeebo/assert v1.3.0 h1:g7C04CbJuIDKNPFHmsk4hwZDO5O+kntRxzaUoNXj+IQ= github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0= go.etcd.io/bbolt v1.3.8 h1:xs88BrvEv273UsB79e0hcVrlUWmS0a8upikMFhSyAtA= go.etcd.io/bbolt v1.3.8/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw= +go.etcd.io/bbolt v1.3.9 h1:8x7aARPEXiXbHmtUwAIv7eV2fQFHrLLavdiJ3uzJXoI= +go.etcd.io/bbolt v1.3.9/go.mod h1:zaO32+Ti0PK1ivdPtgMESzuzL2VPoIG1PCQNvOdo/dE= go.etcd.io/etcd/api/v3 v3.5.10 h1:szRajuUUbLyppkhs9K6BRtjY37l66XQQmw7oZRANE4k= go.etcd.io/etcd/api/v3 v3.5.10/go.mod h1:TidfmT4Uycad3NM/o25fG3J07odo4GBB9hoxaodFCtI= +go.etcd.io/etcd/api/v3 v3.5.14 h1:vHObSCxyB9zlF60w7qzAdTcGaglbJOpSj1Xj9+WGxq0= +go.etcd.io/etcd/api/v3 v3.5.14/go.mod h1:BmtWcRlQvwa1h3G2jvKYwIQy4PkHlDej5t7uLMUdJUU= go.etcd.io/etcd/client/pkg/v3 v3.5.10 h1:kfYIdQftBnbAq8pUWFXfpuuxFSKzlmM5cSn76JByiT0= go.etcd.io/etcd/client/pkg/v3 v3.5.10/go.mod h1:DYivfIviIuQ8+/lCq4vcxuseg2P2XbHygkKwFo9fc8U= +go.etcd.io/etcd/client/pkg/v3 v3.5.14 h1:SaNH6Y+rVEdxfpA2Jr5wkEvN6Zykme5+YnbCkxvuWxQ= +go.etcd.io/etcd/client/pkg/v3 v3.5.14/go.mod h1:8uMgAokyG1czCtIdsq+AGyYQMvpIKnSvPjFMunkgeZI= go.etcd.io/etcd/client/v2 v2.305.10 h1:MrmRktzv/XF8CvtQt+P6wLUlURaNpSDJHFZhe//2QE4= go.etcd.io/etcd/client/v2 v2.305.10/go.mod h1:m3CKZi69HzilhVqtPDcjhSGp+kA1OmbNn0qamH80xjA= +go.etcd.io/etcd/client/v2 v2.305.13 h1:RWfV1SX5jTU0lbCvpVQe3iPQeAHETWdOTb6pxhd77C8= +go.etcd.io/etcd/client/v2 v2.305.13/go.mod h1:iQnL7fepbiomdXMb3om1rHq96htNNGv2sJkEcZGDRRg= go.etcd.io/etcd/client/v3 v3.5.10 h1:W9TXNZ+oB3MCd/8UjxHTWK5J9Nquw9fQBLJd5ne5/Ao= go.etcd.io/etcd/client/v3 v3.5.10/go.mod h1:RVeBnDz2PUEZqTpgqwAtUd8nAPf5kjyFyND7P1VkOKc= +go.etcd.io/etcd/client/v3 v3.5.14 h1:CWfRs4FDaDoSz81giL7zPpZH2Z35tbOrAJkkjMqOupg= +go.etcd.io/etcd/client/v3 v3.5.14/go.mod h1:k3XfdV/VIHy/97rqWjoUzrj9tk7GgJGH9J8L4dNXmAk= go.etcd.io/etcd/pkg/v3 v3.5.10 h1:WPR8K0e9kWl1gAhB5A7gEa5ZBTNkT9NdNWrR8Qpo1CM= go.etcd.io/etcd/pkg/v3 v3.5.10/go.mod h1:TKTuCKKcF1zxmfKWDkfz5qqYaE3JncKKZPFf8c1nFUs= +go.etcd.io/etcd/pkg/v3 v3.5.13 h1:st9bDWNsKkBNpP4PR1MvM/9NqUPfvYZx/YXegsYEH8M= +go.etcd.io/etcd/pkg/v3 v3.5.13/go.mod h1:N+4PLrp7agI/Viy+dUYpX7iRtSPvKq+w8Y14d1vX+m0= go.etcd.io/etcd/raft/v3 v3.5.10 h1:cgNAYe7xrsrn/5kXMSaH8kM/Ky8mAdMqGOxyYwpP0LA= go.etcd.io/etcd/raft/v3 v3.5.10/go.mod h1:odD6kr8XQXTy9oQnyMPBOr0TVe+gT0neQhElQ6jbGRc= +go.etcd.io/etcd/raft/v3 v3.5.13 h1:7r/NKAOups1YnKcfro2RvGGo2PTuizF/xh26Z2CTAzA= +go.etcd.io/etcd/raft/v3 v3.5.13/go.mod h1:uUFibGLn2Ksm2URMxN1fICGhk8Wu96EfDQyuLhAcAmw= go.etcd.io/etcd/server/v3 v3.5.10 h1:4NOGyOwD5sUZ22PiWYKmfxqoeh72z6EhYjNosKGLmZg= go.etcd.io/etcd/server/v3 v3.5.10/go.mod h1:gBplPHfs6YI0L+RpGkTQO7buDbHv5HJGG/Bst0/zIPo= +go.etcd.io/etcd/server/v3 v3.5.13 h1:V6KG+yMfMSqWt+lGnhFpP5z5dRUj1BDRJ5k1fQ9DFok= +go.etcd.io/etcd/server/v3 v3.5.13/go.mod h1:K/8nbsGupHqmr5MkgaZpLlH1QdX1pcNQLAkODy44XcQ= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0 h1:ZOLJc06r4CB42laIXg/7udr0pbZyuAihN10A/XuiQRY= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0/go.mod h1:5z+/ZWJQKXa9YT34fQNx5K8Hd1EoIhvtUygUQPqEOgQ= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1/go.mod h1:4UoMYEZOC0yN/sPGH76KPkkU7zgiEWYWL9vwmbnTJPE= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0/go.mod h1:r9vWsPS/3AQItv3OSlEJ/E4mbrhUbbw18meOjArPtKQ= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 h1:9G6E0TXzGFVfTnawRzrPl83iHOAV7L8NJiR8RSGYV1g= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0 h1:KfYpVmrjI7JuToy5k8XV3nkapjWx48k4E4JOtVstzQI= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0/go.mod h1:SeQhzAEccGVZVEy7aH87Nh0km+utSpo1pTv6eMMop48= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1/go.mod h1:sEGXWArGqc3tVa+ekntsN65DmVbVeW+7lTKTjZF3/Fo= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0/go.mod h1:SK2UL73Zy1quvRPonmOmRDiWk1KBV3LyIeeIxcEApWw= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= go.opentelemetry.io/otel v1.19.0 h1:MuS/TNf4/j4IXsZuJegVzI1cwut7Qc00344rgH7p8bs= go.opentelemetry.io/otel v1.19.0/go.mod h1:i0QyjOq3UPoTzff0PJB2N66fb4S0+rSbSB15/oyH9fY= go.opentelemetry.io/otel v1.21.0/go.mod h1:QZzNPQPm1zLX4gZK4cMi+71eaorMSGT3A4znnUvNNEo= go.opentelemetry.io/otel v1.22.0/go.mod h1:eoV4iAi3Ea8LkAEI9+GFT44O6T/D0GWAVFyZVCC6pMI= +go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo= +go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 h1:Mne5On7VWdx7omSrSSZvM4Kw7cS7NQkOOmLcgscI51U= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0/go.mod h1:IPtUMKL4O3tH5y+iXVyAXqpAwMuzC1IrxVS81rummfE= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0 h1:3d+S281UTjM+AbF31XSOYn1qXn3BgIdWl8HNEpx08Jk= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0/go.mod h1:0+KuTDyKL4gjKCF75pHOX4wuzYDUZYfAQdSu43o+Z2I= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 h1:qFffATk0X+HD+f1Z8lswGiOQYKHRlzfmdJm0wEaVrFA= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0/go.mod h1:MOiCmryaYtc+V0Ei+Tx9o5S1ZjA7kzLucuVuyzBZloQ= go.opentelemetry.io/otel/metric v1.19.0 h1:aTzpGtV0ar9wlV4Sna9sdJyII5jTVJEvKETPiOKwvpE= go.opentelemetry.io/otel/metric v1.19.0/go.mod h1:L5rUsV9kM1IxCj1MmSdS+JQAcVm319EUrDVLrt7jqt8= go.opentelemetry.io/otel/metric v1.21.0/go.mod h1:o1p3CA8nNHW8j5yuQLdc1eeqEaPfzug24uvsyIEJRWM= go.opentelemetry.io/otel/metric v1.22.0/go.mod h1:evJGjVpZv0mQ5QBRJoBF64yMuOf4xCWdXjK8pzFvliY= +go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q= +go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s= go.opentelemetry.io/otel/sdk v1.19.0 h1:6USY6zH+L8uMH8L3t1enZPR3WFEmSTADlqldyHtJi3o= go.opentelemetry.io/otel/sdk v1.19.0/go.mod h1:NedEbbS4w3C6zElbLdPJKOpJQOrGUJ+GfzpjUvI0v1A= go.opentelemetry.io/otel/sdk v1.21.0/go.mod h1:Nna6Yv7PWTdgJHVRD9hIYywQBRx7pbox6nwBnZIxl/E= +go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE= +go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg= go.opentelemetry.io/otel/trace v1.19.0 h1:DFVQmlVbfVeOuBRrwdtaehRrWiL1JoVs9CPIQ1Dzxpg= go.opentelemetry.io/otel/trace v1.19.0/go.mod h1:mfaSyvGyEJEI0nyV2I4qhNQnbBOUUmYZpYojqMnX2vo= go.opentelemetry.io/otel/trace v1.21.0/go.mod h1:LGbsEB0f9LGjN+OZaQQ26sohbOmiMR+BaslueVtS/qQ= go.opentelemetry.io/otel/trace v1.22.0/go.mod h1:RbbHXVqKES9QhzZq/fE5UnOSILqRt40a21sPw2He1xo= +go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g= +go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI= go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= +go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= +go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ= go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= go.uber.org/goleak v1.2.0/go.mod h1:XJYK+MuIchqpmGmUSAzotztawfKvYLUIgg7guXrwVUo= @@ -944,6 +997,7 @@ golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028 h1:4+4C/Iv2U4fMZBiMCc98MG golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= golang.org/x/net v0.16.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= @@ -951,6 +1005,8 @@ golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ= golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8= +golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= +golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE= golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI= golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk= golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0= @@ -958,18 +1014,25 @@ golang.org/x/oauth2 v0.14.0/go.mod h1:lAtNWgaWfL4cm7j2OV8TxGi9Qb7ECORx8DktCY74Ow golang.org/x/oauth2 v0.15.0/go.mod h1:q48ptWNTY5XWf+JNten23lcvHpLJ0ZSxF5ttTHKVCAM= golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA= golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= +golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/telemetry v0.0.0-20240208230135-b75ee8823808/go.mod h1:KG1lNk5ZFNssSZLrpVb4sMXKMpGwGXOxSG3rnu2gZQQ= golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2 h1:IRJeR9r1pYWsHKTRe/IInb7lYvbBVIqOgsX/u0mbOWY= golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE= +golang.org/x/telemetry v0.0.0-20240521205824-bda55230c457 h1:zf5N6UOrA487eEFacMePxjXAJctxKmyjKUsjA11Uzuk= +golang.org/x/telemetry v0.0.0-20240521205824-bda55230c457/go.mod h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0= golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ= golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM= @@ -977,6 +1040,8 @@ golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58 golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= golang.org/x/tools v0.18.0/go.mod h1:GL7B4CwcLLeo59yx/9UWWuNOW1n3VZ4f5axWfML7Lcg= golang.org/x/tools v0.20.0/go.mod h1:WvitBU7JJf6A4jOdg4S1tviW9bhUxkgeCui/0JHctQg= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= +golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90= @@ -1022,7 +1087,9 @@ google.golang.org/genproto/googleapis/api v0.0.0-20240213162025-012b6fc9bca9/go. google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de h1:jFNzHPIeuzhdRwVhbZdiym9q0ory/xY3sA+v2wPg8I0= google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:5iCWqnniDlqZHrd3neWVTOwvh/v6s3232omMecelax8= google.golang.org/genproto/googleapis/api v0.0.0-20240318140521-94a12d6c2237/go.mod h1:Z5Iiy3jtmioajWHDGFk7CeugTyHtPvMHA4UTmUkyalE= +google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 h1:7whR9kGa5LUwFtpLm2ArCEejtnxlGeLbAyjFY8sGNFw= google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157/go.mod h1:99sLkeliLXfdj2J75X3Ho+rrVCaJze0uwN7zDDkjPVU= +google.golang.org/genproto/googleapis/api v0.0.0-20240604185151-ef581f913117/go.mod h1:OimBR/bc1wPO9iV4NC2bpyjy3VnAwZh5EBPQdtaE5oo= google.golang.org/genproto/googleapis/bytestream v0.0.0-20230530153820-e85fd2cbaebc h1:g3hIDl0jRNd9PPTs2uBzYuaD5mQuwOkZY0vSc0LR32o= google.golang.org/genproto/googleapis/bytestream v0.0.0-20231030173426-d783a09b4405/go.mod h1:GRUCuLdzVqZte8+Dl/D4N25yLzcGqqWaYkeVOwulFqw= google.golang.org/genproto/googleapis/bytestream v0.0.0-20231212172506-995d672761c0/go.mod h1:guYXGPwC6jwxgWKW5Y405fKWOFNwlvUlUnzyp9i0uqo= @@ -1064,6 +1131,8 @@ k8s.io/kms v0.29.3/go.mod h1:TBGbJKpRUMk59neTMDMddjIDL+D4HuFUbpuiuzmOPg0= k8s.io/kms v0.30.0 h1:ZlnD/ei5lpvUlPw6eLfVvH7d8i9qZ6HwUQgydNVks8g= k8s.io/kms v0.30.0/go.mod h1:GrMurD0qk3G4yNgGcsCEmepqf9KyyIrTXYR2lyUOJC4= k8s.io/kms v0.30.1/go.mod h1:GrMurD0qk3G4yNgGcsCEmepqf9KyyIrTXYR2lyUOJC4= +k8s.io/kms v0.31.0 h1:KchILPfB1ZE+ka7223mpU5zeFNkmb45jl7RHnlImUaI= +k8s.io/kms v0.31.0/go.mod h1:OZKwl1fan3n3N5FFxnW5C4V3ygrah/3YXeJWS3O6+94= k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= @@ -1088,6 +1157,8 @@ rsc.io/sampler v1.3.0 h1:7uVkIFmeBqHfdjD+gZwtXXI+RODJ2Wc4O7MPEh/QiW4= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0/go.mod h1:VHVDI/KrK4fjnV61bE2g3sA7tiETLn8sooImelsCx3Y= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0 h1:/U5vjBbQn3RChhv7P11uhYvCSm5G2GaIi5AIGBS6r4c= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0/go.mod h1:z7+wmGM2dfIiLRfrC6jb5kV2Mq/sK1ZP303cxzkV5Y4= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= diff --git a/hack/update-annotation-doc.sh b/hack/update-annotation-doc.sh new file mode 100755 index 000000000..c4feb41ce --- /dev/null +++ b/hack/update-annotation-doc.sh @@ -0,0 +1,23 @@ +#!/bin/bash + +# Copyright 2024 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -o errexit +set -o nounset + +SCRIPT_ROOT=$(dirname "${BASH_SOURCE}")/.. +ANNOTATIONFILE="${SCRIPT_ROOT}/docs/user-guide/nginx-configuration/annotations-risk.md" + +go run "${SCRIPT_ROOT}"/cmd/annotations/main.go -output "${ANNOTATIONFILE}" \ No newline at end of file diff --git a/hack/verify-annotation-docs.sh b/hack/verify-annotation-docs.sh new file mode 100755 index 000000000..54034539b --- /dev/null +++ b/hack/verify-annotation-docs.sh @@ -0,0 +1,46 @@ +#!/bin/bash + +# Copyright 2024 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -o errexit +set -o nounset +set -o pipefail + +SCRIPT_ROOT=$(dirname "${BASH_SOURCE}")/.. + +ANNOTATIONFILE="${SCRIPT_ROOT}/docs/user-guide/nginx-configuration/annotations-risk.md" +TMP_DIFFROOT="${SCRIPT_ROOT}/_tmp" +TMP_FILE="${TMP_DIFFROOT}/annotations-risk.md" + +cleanup() { + rm -rf "${TMP_DIFFROOT}" +} +trap "cleanup" EXIT SIGINT + +cleanup + +mkdir -p "${TMP_DIFFROOT}" + +go run cmd/annotations/main.go -output "${TMP_FILE}" +echo "diffing ${ANNOTATIONFILE} against freshly generated annotation doc" +ret=0 +diff -Naupr --no-dereference "${ANNOTATIONFILE}" "${TMP_FILE}" || ret=1 + +if [[ $ret -eq 0 ]]; then + echo "${ANNOTATIONFILE} up to date." +else + echo "${ANNOTATIONFILE} is out of date. Please run hack/update-annotation-doc.sh" + exit 1 +fi diff --git a/hack/verify-lualint.sh b/hack/verify-lualint.sh index 1f6048de0..769d7a6cd 100755 --- a/hack/verify-lualint.sh +++ b/hack/verify-lualint.sh @@ -18,6 +18,13 @@ set -o errexit set -o nounset set -o pipefail -luacheck --codes -q rootfs/etc/nginx/lua/ +luacheck --codes --globals lua_ingress \ + --globals configuration \ + --globals balancer \ + --globals monitor \ + --globals certificate \ + --globals tcp_udp_configuration \ + --globals tcp_udp_balancer \ + --no-max-comment-line-length -q rootfs/etc/nginx/lua/ find rootfs/etc/nginx/lua/ -name "*.lua" -not -path "*/test/*" -exec lj-releng -L -s {} + && echo "lj-releng validation is success!" diff --git a/images/cfssl/TAG b/images/cfssl/TAG index 7df503e63..b18d46540 100644 --- a/images/cfssl/TAG +++ b/images/cfssl/TAG @@ -1 +1 @@ -v0.0.4 +v1.0.1 diff --git a/images/cfssl/cloudbuild.yaml b/images/cfssl/cloudbuild.yaml index 32d91ca83..a17f86196 100644 --- a/images/cfssl/cloudbuild.yaml +++ b/images/cfssl/cloudbuild.yaml @@ -1,17 +1,11 @@ -timeout: 600s options: + # Ignore Prow provided substitutions. substitution_option: ALLOW_LOOSE steps: - - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90 - entrypoint: bash + - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20240718-5ef92b5c36 env: - - DOCKER_CLI_EXPERIMENTAL=enabled - REGISTRY=gcr.io/k8s-staging-ingress-nginx - # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx - # set the home to /root explicitly to if using docker buildx - - HOME=/root + entrypoint: bash args: - - -c - - | - gcloud auth configure-docker \ - && cd images && make NAME=cfssl push + - -c + - gcloud auth configure-docker && cd images && make NAME=cfssl push diff --git a/images/cfssl/rootfs/Dockerfile b/images/cfssl/rootfs/Dockerfile index c23f66d49..7f7003f10 100644 --- a/images/cfssl/rootfs/Dockerfile +++ b/images/cfssl/rootfs/Dockerfile @@ -12,9 +12,9 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM alpine:3.20.0 +FROM alpine:3.20 -RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories +RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories RUN apk update \ && apk upgrade && \ apk add --no-cache \ diff --git a/images/custom-error-pages/README.md b/images/custom-error-pages/README.md deleted file mode 100644 index cd6df3e0a..000000000 --- a/images/custom-error-pages/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# custom-error-pages - -Example of Custom error pages for the Ingress-Nginx Controller diff --git a/images/custom-error-pages/TAG b/images/custom-error-pages/TAG index 8ce995b80..570c79651 100644 --- a/images/custom-error-pages/TAG +++ b/images/custom-error-pages/TAG @@ -1 +1 @@ -v0.0.3 \ No newline at end of file +v1.0.2 diff --git a/images/custom-error-pages/cloudbuild.yaml b/images/custom-error-pages/cloudbuild.yaml index bb74da6b8..99a8d78b6 100644 --- a/images/custom-error-pages/cloudbuild.yaml +++ b/images/custom-error-pages/cloudbuild.yaml @@ -1,17 +1,11 @@ -timeout: 1800s options: + # Ignore Prow provided substitutions. substitution_option: ALLOW_LOOSE steps: - - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90 - entrypoint: bash + - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20240718-5ef92b5c36 env: - - DOCKER_CLI_EXPERIMENTAL=enabled - REGISTRY=gcr.io/k8s-staging-ingress-nginx - # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx - # set the home to /root explicitly to if using docker buildx - - HOME=/root + entrypoint: bash args: - - -c - - | - gcloud auth configure-docker \ - && cd images/ && make NAME=custom-error-pages push + - -c + - gcloud auth configure-docker && cd images && make NAME=custom-error-pages push diff --git a/images/custom-error-pages/rootfs/go.mod b/images/custom-error-pages/rootfs/go.mod index eebc562a5..4cee1baf5 100644 --- a/images/custom-error-pages/rootfs/go.mod +++ b/images/custom-error-pages/rootfs/go.mod @@ -1,17 +1,17 @@ module k8s.io/ingress-nginx/custom-error-pages -go 1.21 +go 1.22.8 -require github.com/prometheus/client_golang v1.11.1 +require github.com/prometheus/client_golang v1.20.4 require ( github.com/beorn7/perks v1.0.1 // indirect - github.com/cespare/xxhash/v2 v2.1.1 // indirect - github.com/golang/protobuf v1.5.0 // indirect - github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect - github.com/prometheus/client_model v0.2.0 // indirect - github.com/prometheus/common v0.26.0 // indirect - github.com/prometheus/procfs v0.6.0 // indirect - golang.org/x/sys v0.1.0 // indirect - google.golang.org/protobuf v1.33.0 // indirect + github.com/cespare/xxhash/v2 v2.3.0 // indirect + github.com/klauspost/compress v1.17.9 // indirect + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect + github.com/prometheus/client_model v0.6.1 // indirect + github.com/prometheus/common v0.55.0 // indirect + github.com/prometheus/procfs v0.15.1 // indirect + golang.org/x/sys v0.22.0 // indirect + google.golang.org/protobuf v1.34.2 // indirect ) diff --git a/images/custom-error-pages/rootfs/go.sum b/images/custom-error-pages/rootfs/go.sum index 99c959a36..a228b18fb 100644 --- a/images/custom-error-pages/rootfs/go.sum +++ b/images/custom-error-pages/rootfs/go.sum @@ -1,141 +1,24 @@ -cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= -github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= -github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= -github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= -github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= -github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= -github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= -github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY= -github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= -github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= -github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= -github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= -github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= -github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= -github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= -github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= -github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= -github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= -github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= -github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= -github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= -github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/golang/protobuf v1.5.0 h1:LUVKkCeviFUMKqHa4tXIIij/lbhnMbP7Fn5wKdKkRh4= -github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU= -github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= -github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= -github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= -github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= -github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= -github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= -github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= -github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU= -github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= -github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= -github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= -github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= -github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= -github.com/prometheus/client_golang v1.11.1 h1:+4eQaD7vAZ6DsfsxB15hbE0odUjGI5ARs9yskGu1v4s= -github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= -github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= -github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M= -github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= -github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= -github.com/prometheus/common v0.26.0 h1:iMAkS2TDoNWnKM+Kopnx/8tnEStIfpYA0ur0xQzzhMQ= -github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= -github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= -github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= -github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= -github.com/prometheus/procfs v0.6.0 h1:mxy4L2jP6qMonqmq+aTtOx1ifVWUgG/TAmntgbh3xv4= -github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= -github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= -github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= -github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= -golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U= -golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= -google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= -google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= -google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= -google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= -google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= -google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= -google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= -gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= +github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/prometheus/client_golang v1.20.4 h1:Tgh3Yr67PaOv/uTqloMsCEdeuFTatm5zIq5+qNN23vI= +github.com/prometheus/client_golang v1.20.4/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= +github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= +github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= +github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= +github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= +github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= +github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= +golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= +golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= diff --git a/images/e2e-test-echo/TAG b/images/e2e-test-echo/TAG index 8ce995b80..0ec25f750 100644 --- a/images/e2e-test-echo/TAG +++ b/images/e2e-test-echo/TAG @@ -1 +1 @@ -v0.0.3 \ No newline at end of file +v1.0.0 diff --git a/images/e2e-test-echo/cloudbuild.yaml b/images/e2e-test-echo/cloudbuild.yaml new file mode 100644 index 000000000..1d525e413 --- /dev/null +++ b/images/e2e-test-echo/cloudbuild.yaml @@ -0,0 +1,11 @@ +options: + # Ignore Prow provided substitutions. + substitution_option: ALLOW_LOOSE +steps: + - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20240718-5ef92b5c36 + env: + - REGISTRY=gcr.io/k8s-staging-ingress-nginx + entrypoint: bash + args: + - -c + - gcloud auth configure-docker && cd images && make NAME=e2e-test-echo push diff --git a/images/ext-auth-example-authsvc/TAG b/images/ext-auth-example-authsvc/TAG index 8ce995b80..0ec25f750 100644 --- a/images/ext-auth-example-authsvc/TAG +++ b/images/ext-auth-example-authsvc/TAG @@ -1 +1 @@ -v0.0.3 \ No newline at end of file +v1.0.0 diff --git a/images/ext-auth-example-authsvc/cloudbuild.yaml b/images/ext-auth-example-authsvc/cloudbuild.yaml deleted file mode 100644 index 506e20111..000000000 --- a/images/ext-auth-example-authsvc/cloudbuild.yaml +++ /dev/null @@ -1,19 +0,0 @@ -timeout: 1200s -options: - substitution_option: ALLOW_LOOSE - # job builds a multi-arch docker image for amd64,arm,arm64 and s390x. - machineType: E2_HIGHCPU_8 -steps: - - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90 - entrypoint: bash - env: - - DOCKER_CLI_EXPERIMENTAL=enabled - - REGISTRY=gcr.io/k8s-staging-ingress-nginx - # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx - # set the home to /root explicitly to if using docker buildx - - HOME=/root - args: - - -c - - | - gcloud auth configure-docker \ - && cd images/ && make NAME=ext-auth-example-authsvc push \ No newline at end of file diff --git a/images/ext-auth-example-authsvc/rootfs/Dockerfile b/images/ext-auth-example-authsvc/rootfs/Dockerfile index ec611fa54..5942ac5b9 100644 --- a/images/ext-auth-example-authsvc/rootfs/Dockerfile +++ b/images/ext-auth-example-authsvc/rootfs/Dockerfile @@ -1,6 +1,6 @@ ARG GOLANG_VERSION -FROM golang:${GOLANG_VERSION}-alpine3.18 as builder +FROM golang:${GOLANG_VERSION}-alpine3.20 as builder RUN mkdir /authsvc WORKDIR /authsvc COPY . ./ @@ -9,4 +9,4 @@ RUN CGO_ENABLED=0 GOOS=linux go build -o authsvc authsvc.go FROM gcr.io/distroless/base-debian11 COPY --from=builder /authsvc/authsvc / EXPOSE 8080 -ENTRYPOINT ["/authsvc"] \ No newline at end of file +ENTRYPOINT ["/authsvc"] diff --git a/images/ext-auth-example-authsvc/rootfs/go.mod b/images/ext-auth-example-authsvc/rootfs/go.mod index 8c3abdcf2..7e488b484 100644 --- a/images/ext-auth-example-authsvc/rootfs/go.mod +++ b/images/ext-auth-example-authsvc/rootfs/go.mod @@ -1,7 +1,7 @@ module example.com/authsvc -go 1.21 +go 1.22.8 -require k8s.io/apimachinery v0.23.1 +require k8s.io/apimachinery v0.31.1 -require github.com/google/uuid v1.1.2 // indirect +require github.com/google/uuid v1.6.0 // indirect diff --git a/images/ext-auth-example-authsvc/rootfs/go.sum b/images/ext-auth-example-authsvc/rootfs/go.sum index 6e3fab295..a3b9e420d 100644 --- a/images/ext-auth-example-authsvc/rootfs/go.sum +++ b/images/ext-auth-example-authsvc/rootfs/go.sum @@ -1,215 +1,4 @@ -cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= -github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= -github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= -github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= -github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= -github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= -github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= -github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= -github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= -github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg= -github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= -github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= -github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= -github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= -github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= -github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= -github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= -github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= -github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= -github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= -github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y= -github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU= -github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA= -github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= -github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= -github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= -github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= -github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= -github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= -github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= -github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= -github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= -github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= -github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= -github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= -github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= -github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= -github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= -github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= -github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= -github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= -github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= -github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= -github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= -github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= -golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= -golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= -google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= -google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= -google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= -google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= -google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= -google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= -google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= -google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= -google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= -google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= -google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= -google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= -gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= -gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= -gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -k8s.io/apimachinery v0.23.1 h1:sfBjlDFwj2onG0Ijx5C+SrAoeUscPrmghm7wHP+uXlo= -k8s.io/apimachinery v0.23.1/go.mod h1:SADt2Kl8/sttJ62RRsi9MIV4o8f5S3coArm0Iu3fBno= -k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= -k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= -k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= -k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65/go.mod h1:sX9MT8g7NVZM5lVL/j8QyCCJe8YSMW30QvGZWaCIDIk= -k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs= -sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= -sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= -sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U= +k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= diff --git a/images/fastcgi-helloserver/TAG b/images/fastcgi-helloserver/TAG index 8ce995b80..570c79651 100644 --- a/images/fastcgi-helloserver/TAG +++ b/images/fastcgi-helloserver/TAG @@ -1 +1 @@ -v0.0.3 \ No newline at end of file +v1.0.2 diff --git a/images/fastcgi-helloserver/cloudbuild.yaml b/images/fastcgi-helloserver/cloudbuild.yaml index e3ab3b375..7eb047612 100644 --- a/images/fastcgi-helloserver/cloudbuild.yaml +++ b/images/fastcgi-helloserver/cloudbuild.yaml @@ -1,17 +1,11 @@ -timeout: 1800s options: + # Ignore Prow provided substitutions. substitution_option: ALLOW_LOOSE steps: - - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90 - entrypoint: bash + - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20240718-5ef92b5c36 env: - - DOCKER_CLI_EXPERIMENTAL=enabled - REGISTRY=gcr.io/k8s-staging-ingress-nginx - # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx - # set the home to /root explicitly to if using docker buildx - - HOME=/root + entrypoint: bash args: - - -c - - | - gcloud auth configure-docker \ - && cd images/ && make NAME=fastcgi-helloserver push \ No newline at end of file + - -c + - gcloud auth configure-docker && cd images && make NAME=fastcgi-helloserver push diff --git a/images/fastcgi-helloserver/rootfs/Dockerfile b/images/fastcgi-helloserver/rootfs/Dockerfile index eec93c844..2b91887c9 100755 --- a/images/fastcgi-helloserver/rootfs/Dockerfile +++ b/images/fastcgi-helloserver/rootfs/Dockerfile @@ -13,7 +13,7 @@ # limitations under the License. ARG GOLANG_VERSION -FROM golang:${GOLANG_VERSION}-alpine3.18 as builder +FROM golang:${GOLANG_VERSION}-alpine3.20 as builder WORKDIR /go/src/k8s.io/ingress-nginx/images/fastcgi @@ -30,4 +30,4 @@ FROM gcr.io/distroless/static:nonroot COPY --from=builder /go/src/k8s.io/ingress-nginx/images/fastcgi/fastcgi-helloserver / USER nonroot:nonroot -CMD ["/fastcgi-helloserver"] \ No newline at end of file +CMD ["/fastcgi-helloserver"] diff --git a/images/go-grpc-greeter-server/TAG b/images/go-grpc-greeter-server/TAG index 8ce995b80..0ec25f750 100644 --- a/images/go-grpc-greeter-server/TAG +++ b/images/go-grpc-greeter-server/TAG @@ -1 +1 @@ -v0.0.3 \ No newline at end of file +v1.0.0 diff --git a/images/go-grpc-greeter-server/cloudbuild.yaml b/images/go-grpc-greeter-server/cloudbuild.yaml deleted file mode 100644 index b690ffbec..000000000 --- a/images/go-grpc-greeter-server/cloudbuild.yaml +++ /dev/null @@ -1,19 +0,0 @@ -timeout: 1200s -options: - substitution_option: ALLOW_LOOSE - # job builds a multi-arch docker image for amd64,arm,arm64 and s390x. - machineType: E2_HIGHCPU_8 -steps: - - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90 - entrypoint: bash - env: - - DOCKER_CLI_EXPERIMENTAL=enabled - - REGISTRY=gcr.io/k8s-staging-ingress-nginx - # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx - # set the home to /root explicitly to if using docker buildx - - HOME=/root - args: - - -c - - | - gcloud auth configure-docker \ - && cd images/ && make NAME=go-grpc-greeter-server push \ No newline at end of file diff --git a/images/go-grpc-greeter-server/rootfs/Dockerfile b/images/go-grpc-greeter-server/rootfs/Dockerfile index 79693eaeb..f07b1d667 100644 --- a/images/go-grpc-greeter-server/rootfs/Dockerfile +++ b/images/go-grpc-greeter-server/rootfs/Dockerfile @@ -1,6 +1,6 @@ ARG GOLANG_VERSION -FROM golang:${GOLANG_VERSION}-alpine3.18 as build +FROM golang:${GOLANG_VERSION}-alpine3.20 as build WORKDIR /go/src/greeter-server @@ -15,4 +15,4 @@ COPY --from=build /greeter-server / EXPOSE 50051 -CMD ["/greeter-server"] \ No newline at end of file +CMD ["/greeter-server"] diff --git a/images/httpbun/TAG b/images/httpbun/TAG index 8ce995b80..570c79651 100644 --- a/images/httpbun/TAG +++ b/images/httpbun/TAG @@ -1 +1 @@ -v0.0.3 \ No newline at end of file +v1.0.2 diff --git a/images/httpbun/cloudbuild.yaml b/images/httpbun/cloudbuild.yaml index c532a3908..4df9d090c 100644 --- a/images/httpbun/cloudbuild.yaml +++ b/images/httpbun/cloudbuild.yaml @@ -1,19 +1,11 @@ -timeout: 1200s options: + # Ignore Prow provided substitutions. substitution_option: ALLOW_LOOSE - # job builds a multi-arch docker image for amd64,arm,arm64 and s390x. - machineType: E2_HIGHCPU_8 steps: - - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90 - entrypoint: bash + - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20240718-5ef92b5c36 env: - - DOCKER_CLI_EXPERIMENTAL=enabled - REGISTRY=gcr.io/k8s-staging-ingress-nginx - # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx - # set the home to /root explicitly to if using docker buildx - - HOME=/root + entrypoint: bash args: - - -c - - | - gcloud auth configure-docker \ - && cd images/ && make NAME=httpbun push \ No newline at end of file + - -c + - gcloud auth configure-docker && cd images && make NAME=httpbun push diff --git a/images/kube-webhook-certgen/TAG b/images/kube-webhook-certgen/TAG index c432e90f2..61919cdd8 100644 --- a/images/kube-webhook-certgen/TAG +++ b/images/kube-webhook-certgen/TAG @@ -1 +1 @@ -v1.4.2 +v1.4.4 diff --git a/images/kube-webhook-certgen/cloudbuild.yaml b/images/kube-webhook-certgen/cloudbuild.yaml index 690f13126..74f4a04a1 100644 --- a/images/kube-webhook-certgen/cloudbuild.yaml +++ b/images/kube-webhook-certgen/cloudbuild.yaml @@ -1,32 +1,11 @@ - -# Copyright 2021 The Kubernetes Authors. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -timeout: 10800s options: + # Ignore Prow provided substitutions. substitution_option: ALLOW_LOOSE steps: - - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90 - entrypoint: bash + - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20240718-5ef92b5c36 env: - - DOCKER_CLI_EXPERIMENTAL=enabled - REGISTRY=gcr.io/k8s-staging-ingress-nginx - # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx - # set the home to /root explicitly to if using docker buildx - - HOME=/root + entrypoint: bash args: - - -c - - | - gcloud auth configure-docker \ - && cd images/ && make NAME=kube-webhook-certgen push + - -c + - gcloud auth configure-docker && cd images && make NAME=kube-webhook-certgen push diff --git a/images/kube-webhook-certgen/rootfs/go.mod b/images/kube-webhook-certgen/rootfs/go.mod index b32fd22bd..5caee19a2 100644 --- a/images/kube-webhook-certgen/rootfs/go.mod +++ b/images/kube-webhook-certgen/rootfs/go.mod @@ -1,21 +1,21 @@ module github.com/jet/kube-webhook-certgen -go 1.21 +go 1.22.8 require ( github.com/onrik/logrus v0.11.0 github.com/sirupsen/logrus v1.9.3 - github.com/spf13/cobra v1.8.0 - k8s.io/api v0.29.3 - k8s.io/apimachinery v0.29.3 - k8s.io/client-go v0.29.3 - k8s.io/kube-aggregator v0.29.3 + github.com/spf13/cobra v1.8.1 + k8s.io/api v0.31.1 + k8s.io/apimachinery v0.31.1 + k8s.io/client-go v0.31.1 + k8s.io/kube-aggregator v0.31.1 ) require ( - github.com/davecgh/go-spew v1.1.1 // indirect + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/emicklei/go-restful/v3 v3.11.3 // indirect - github.com/evanphx/json-patch v5.9.0+incompatible // indirect + github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/go-logr/logr v1.4.2 // indirect github.com/go-openapi/jsonpointer v0.20.2 // indirect github.com/go-openapi/jsonreference v0.20.4 // indirect @@ -23,6 +23,7 @@ require ( github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/protobuf v1.5.4 // indirect github.com/google/gnostic-models v0.6.8 // indirect + github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/google/uuid v1.6.0 // indirect github.com/imdario/mergo v0.3.16 // indirect @@ -33,25 +34,25 @@ require ( github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect - github.com/onsi/ginkgo/v2 v2.19.1 // indirect - github.com/onsi/gomega v1.34.0 // indirect + github.com/onsi/ginkgo/v2 v2.20.2 // indirect + github.com/onsi/gomega v1.34.1 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/spf13/pflag v1.0.5 // indirect - github.com/stretchr/testify v1.9.0 // indirect - golang.org/x/net v0.25.0 // indirect - golang.org/x/oauth2 v0.18.0 // indirect - golang.org/x/sys v0.21.0 // indirect - golang.org/x/term v0.20.0 // indirect - golang.org/x/text v0.15.0 // indirect + github.com/x448/float16 v0.8.4 // indirect + golang.org/x/net v0.28.0 // indirect + golang.org/x/oauth2 v0.21.0 // indirect + golang.org/x/sys v0.24.0 // indirect + golang.org/x/term v0.23.0 // indirect + golang.org/x/text v0.17.0 // indirect golang.org/x/time v0.5.0 // indirect - google.golang.org/appengine v1.6.8 // indirect - google.golang.org/protobuf v1.34.1 // indirect + google.golang.org/protobuf v1.34.2 // indirect + gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/klog/v2 v2.120.1 // indirect - k8s.io/kube-openapi v0.0.0-20240224005224-582cce78233b // indirect - k8s.io/utils v0.0.0-20240102154912-e7106e64919e // indirect + k8s.io/klog/v2 v2.130.1 // indirect + k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect + k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect sigs.k8s.io/yaml v1.4.0 // indirect diff --git a/images/kube-webhook-certgen/rootfs/go.sum b/images/kube-webhook-certgen/rootfs/go.sum index 4229215bd..da633e6db 100644 --- a/images/kube-webhook-certgen/rootfs/go.sum +++ b/images/kube-webhook-certgen/rootfs/go.sum @@ -1,11 +1,12 @@ -github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/emicklei/go-restful/v3 v3.11.3 h1:yagOQz/38xJmcNeZJtrUcKjkHRltIaIFXKWeG1SkWGE= github.com/emicklei/go-restful/v3 v3.11.3/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls= -github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-openapi/jsonpointer v0.20.2 h1:mQc3nmndL8ZBzStEo3JYF8wzmeWffDH4VbXz58sAx6Q= @@ -14,26 +15,22 @@ github.com/go-openapi/jsonreference v0.20.4 h1:bKlDxQxQJgwpUSgOENiMPzCTBVuc7vTdX github.com/go-openapi/jsonreference v0.20.4/go.mod h1:5pZJyJP2MnYCpoeoMAql78cCHauHj0V9Lhc506VOpw4= github.com/go-openapi/swag v0.22.9 h1:XX2DssF+mQKM2DHsbgZK74y/zj4mo9I99+89xUmuZCE= github.com/go-openapi/swag v0.22.9/go.mod h1:3/OXnFfnMAwBD099SwYRk7GD3xOrr1iL7d/XNLXVVwE= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= -github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg= -github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= +github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 h1:5iH8iuqE5apketRbSFBy+X1V0o+l+8NF1avt4HWl7cA= +github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= @@ -61,21 +58,22 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/onrik/logrus v0.11.0 h1:pu+BCaWL36t0yQaj/2UHK2erf88dwssAKOT51mxPUVs= github.com/onrik/logrus v0.11.0/go.mod h1:fO2vlZwIdti6PidD3gV5YKt9Lq5ptpnP293RAe1ITwk= -github.com/onsi/ginkgo/v2 v2.19.1 h1:QXgq3Z8Crl5EL1WBAC98A5sEBHARrAJNzAmMxzLcRF0= -github.com/onsi/ginkgo/v2 v2.19.1/go.mod h1:O3DtEWQkPa/F7fBMgmZQKKsluAy8pd3rEQdrjkPb9zA= -github.com/onsi/gomega v1.34.0 h1:eSSPsPNp6ZpsG8X1OVmOTxig+CblTc4AxpPBykhe2Os= -github.com/onsi/gomega v1.34.0/go.mod h1:MIKI8c+f+QLWk+hxbePD4i0LMJSExPaZOVfkoex4cAo= +github.com/onsi/ginkgo/v2 v2.20.2 h1:7NVCeyIWROIAheY21RLS+3j2bb52W0W82tkberYytp4= +github.com/onsi/ginkgo/v2 v2.20.2/go.mod h1:K9gyxPIlb+aIvnZ8bd9Ak+YP18w3APlR+5coaZoE2ag= +github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k= +github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= -github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= -github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= +github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= +github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= @@ -89,72 +87,59 @@ github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs= github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac= -golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= -golang.org/x/oauth2 v0.18.0 h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI= -golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8= +golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= +golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= +golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= +golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= -golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw= -golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= +golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= +golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU= +golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= -golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= -golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= +golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw= -golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= +golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= +golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= -google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= -google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= -google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg= -google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= +gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= @@ -163,20 +148,20 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.29.3 h1:2ORfZ7+bGC3YJqGpV0KSDDEVf8hdGQ6A03/50vj8pmw= -k8s.io/api v0.29.3/go.mod h1:y2yg2NTyHUUkIoTC+phinTnEa3KFM6RZ3szxt014a80= -k8s.io/apimachinery v0.29.3 h1:2tbx+5L7RNvqJjn7RIuIKu9XTsIZ9Z5wX2G22XAa5EU= -k8s.io/apimachinery v0.29.3/go.mod h1:hx/S4V2PNW4OMg3WizRrHutyB5la0iCUbZym+W0EQIU= -k8s.io/client-go v0.29.3 h1:R/zaZbEAxqComZ9FHeQwOh3Y1ZUs7FaHKZdQtIc2WZg= -k8s.io/client-go v0.29.3/go.mod h1:tkDisCvgPfiRpxGnOORfkljmS+UrW+WtXAy2fTvXJB0= -k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= -k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kube-aggregator v0.29.3 h1:5KvTyFN8sQq2imq8tMAHWEKoE64Zg9WSMaGX78KV6ps= -k8s.io/kube-aggregator v0.29.3/go.mod h1:xGJqV/SJJ1fbwTGfQLAZfwgqX1EMoaqfotDTkDrqqSk= -k8s.io/kube-openapi v0.0.0-20240224005224-582cce78233b h1:1dzw/KqgSPod72SUp2tuTOmK33TlY2fHlrVU2M9VrOM= -k8s.io/kube-openapi v0.0.0-20240224005224-582cce78233b/go.mod h1:Pa1PvrP7ACSkuX6I7KYomY6cmMA0Tx86waBhDUgoKPw= -k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ= -k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= +k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= +k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U= +k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/client-go v0.31.1 h1:f0ugtWSbWpxHR7sjVpQwuvw9a3ZKLXX0u0itkFXufb0= +k8s.io/client-go v0.31.1/go.mod h1:sKI8871MJN2OyeqRlmA4W4KM9KBdBUpDLu/43eGemCg= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kube-aggregator v0.31.1 h1:vrYBTTs3xMrpiEsmBjsLETZE9uuX67oQ8B3i1BFfMPw= +k8s.io/kube-aggregator v0.31.1/go.mod h1:+aW4NX50uneozN+BtoCxI4g7ND922p8Wy3tWKFDiWVk= +k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag= +k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= diff --git a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go index f11bef981..b326697b6 100644 --- a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go +++ b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go @@ -186,7 +186,7 @@ func Test_Patching_objects(t *testing.T) { }) // This is to preserve old behavior and log format, it could be improved. - t.Run("diffent_non_empty_names_are_specified_for_validating_and_mutating_webhook", func(t *testing.T) { + t.Run("different_non_empty_names_are_specified_for_validating_and_mutating_webhook", func(t *testing.T) { t.Parallel() k := testK8sWithUnpatchedObjects() diff --git a/images/nginx-1.25/Makefile b/images/nginx-1.25/Makefile deleted file mode 100644 index cdd3e2a3c..000000000 --- a/images/nginx-1.25/Makefile +++ /dev/null @@ -1,59 +0,0 @@ -# Copyright 2024 The Kubernetes Authors. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -.DEFAULT_GOAL:=build - -# set default shell -SHELL=/bin/bash -o pipefail -o errexit - -DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) -INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh - -# 0.0.0 shouldn't clobber any released builds -SHORT_SHA ?=$(shell git rev-parse --short HEAD) -TAG ?=$(shell cat TAG) - -REGISTRY ?= gcr.io/k8s-staging-ingress-nginx - -IMAGE = $(REGISTRY)/nginx-1.25 - -# required to enable buildx -export DOCKER_CLI_EXPERIMENTAL=enabled - -# build with buildx -PLATFORMS?=linux/amd64,linux/arm,linux/arm64,linux/s390x -OUTPUT= -PROGRESS=plain -build: ensure-buildx - docker buildx build \ - --platform=${PLATFORMS} $(OUTPUT) \ - --progress=$(PROGRESS) \ - --pull \ - --tag $(IMAGE):$(TAG) rootfs - -# push the cross built image -push: OUTPUT=--push -push: build - -# enable buildx -ensure-buildx: -# this is required for cloudbuild -ifeq ("$(wildcard $(INIT_BUILDX))","") - @curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/init-buildx.sh | bash -else - @exec $(INIT_BUILDX) -endif - @echo "done" - -.PHONY: build push ensure-buildx \ No newline at end of file diff --git a/images/nginx-1.25/README.md b/images/nginx-1.25/README.md deleted file mode 100644 index b5c6d593f..000000000 --- a/images/nginx-1.25/README.md +++ /dev/null @@ -1,47 +0,0 @@ -NGINX 1.25 base image - -### HTTP/3 Support - -**HTTP/3 support is experimental and under development** - -[HTTP/3](https://datatracker.ietf.org/doc/html/rfc9114)\ -[QUIC](https://datatracker.ietf.org/doc/html/rfc9000) - -[According to the documentation, NGINX 1.25.0 or higher supports HTTP/3:](https://nginx.org/en/docs/quic.html) - -> Support for QUIC and HTTP/3 protocols is available since 1.25.0. - -But this requires adding a new flag during the build: - -> When configuring nginx, it is possible to enable QUIC and HTTP/3 using the --with-http_v3_module configuration parameter. - -[We have added this flag](https://github.com/kubernetes/ingress-nginx/pull/11470), but it is not enough to use HTTP/3 in ingress-nginx, this is the first step. - -The next steps will be: - -1. **Waiting for OpenSSL 3.4.**\ - The main problem is, that we still use OpenSSL (3.x) and it does not support the important mechanism of TLS 1.3 - [early_data](https://datatracker.ietf.org/doc/html/rfc8446#section-2.3): - - > Otherwise, the OpenSSL compatibility layer will be used that does not support early data. - - [And although another part of the documentation says that the directive is supported with OpenSSL:](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data) - - > The directive is supported when using OpenSSL 1.1.1 or higher. - - But this is incomplete support, because OpenSSL does not support this feature, and [it has only client side support:](https://github.com/openssl/openssl) - - > ... the QUIC (currently client side only) version 1 protocol - - [And also there are some issues even with client side](https://github.com/openssl/openssl/discussions/23339) - - Due to this, we currently have incomplete HTTP/3 support, without important security and performance features.\ - But the good news is that [OpenSSL plans to add server-side support in 3.4](https://www.openssl.org/roadmap.html): - - > Server-side QUIC support - - [Overview of SSL libraries(HAProxy Documentation)](https://github.com/haproxy/wiki/wiki/SSL-Libraries-Support-Status#tldr) - -2. **Adding [parameters](https://nginx.org/en/docs/http/ngx_http_v3_module.html) to the configmap to configure HTTP/3 and quic(enableHTTP3, enableHTTP/0.9, maxCurrentStream, and so on).** -3. **Adding options to the nginx config template(`listen 443 quic` to server blocks and `add_header Alt-Svc 'h3=":8443"; ma=86400';` to location blocks).** -4. **Opening the https port for UDP in the container(because QUIC uses UDP).** -5. **Adding tests.** diff --git a/images/nginx-1.25/TAG b/images/nginx-1.25/TAG deleted file mode 100644 index 51bbb66dc..000000000 --- a/images/nginx-1.25/TAG +++ /dev/null @@ -1 +0,0 @@ -v0.0.10 diff --git a/images/nginx-1.25/cloudbuild.yaml b/images/nginx-1.25/cloudbuild.yaml deleted file mode 100644 index c94539165..000000000 --- a/images/nginx-1.25/cloudbuild.yaml +++ /dev/null @@ -1,17 +0,0 @@ -timeout: 10800s -options: - substitution_option: ALLOW_LOOSE - # job builds a multi-arch docker image for amd64,arm,arm64 - machineType: E2_HIGHCPU_32 -steps: - - name: 'gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90' - entrypoint: bash - env: - - DOCKER_CLI_EXPERIMENTAL=enabled - - REGISTRY=gcr.io/k8s-staging-ingress-nginx - - HOME=/root - args: - - -c - - | - gcloud auth configure-docker \ - && cd images/nginx-1.25 && make push \ No newline at end of file diff --git a/images/nginx-1.25/rootfs/Dockerfile b/images/nginx-1.25/rootfs/Dockerfile deleted file mode 100644 index 13dcec33d..000000000 --- a/images/nginx-1.25/rootfs/Dockerfile +++ /dev/null @@ -1,74 +0,0 @@ -# Copyright 2024 The Kubernetes Authors. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -FROM alpine:3.20.0 as builder - -COPY . / - -RUN apk update \ - && apk upgrade \ - && apk add -U bash --no-cache \ - && /build.sh - -# Use a multi-stage build -FROM alpine:3.20.0 - -ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin - -ENV LUA_PATH="/usr/local/share/luajit-2.1.0-beta3/?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/lib/lua/?.lua;;" -ENV LUA_CPATH="/usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;;" - -COPY --from=builder /usr/local /usr/local -COPY --from=builder /usr/lib/libopentelemetry* /usr/local/lib -COPY --from=builder /opt /opt -COPY --from=builder /etc/nginx /etc/nginx - -RUN apk update \ - && apk upgrade \ - && apk add -U --no-cache \ - bash \ - openssl \ - pcre \ - zlib \ - ca-certificates \ - patch \ - yajl \ - lmdb \ - libxml2 \ - libmaxminddb \ - yaml-cpp \ - dumb-init \ - tzdata \ - grpc-cpp \ - libprotobuf \ - && ln -s /usr/local/nginx/sbin/nginx /sbin/nginx \ - && adduser -S -D -H -u 101 -h /usr/local/nginx \ - -s /sbin/nologin -G www-data -g www-data www-data \ - && bash -eu -c ' \ - writeDirs=( \ - /var/log/nginx \ - /var/lib/nginx/body \ - /var/lib/nginx/fastcgi \ - /var/lib/nginx/proxy \ - /var/lib/nginx/scgi \ - /var/lib/nginx/uwsgi \ - /var/log/audit \ - ); \ - for dir in "${writeDirs[@]}"; do \ - mkdir -p ${dir}; \ - chown -R www-data.www-data ${dir}; \ - done' - -EXPOSE 80 443 - -CMD ["nginx", "-g", "daemon off;"] diff --git a/images/nginx-1.25/rootfs/build.sh b/images/nginx-1.25/rootfs/build.sh deleted file mode 100755 index f60a260f9..000000000 --- a/images/nginx-1.25/rootfs/build.sh +++ /dev/null @@ -1,628 +0,0 @@ -#!/bin/bash - -# Copyright 2023 The Kubernetes Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -o errexit -set -o nounset -set -o pipefail - -export NGINX_VERSION=1.25.5 - -# Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.3...master -export NDK_VERSION=v0.3.3 - -# Check for recent changes: https://github.com/openresty/set-misc-nginx-module/compare/v0.33...master -export SETMISC_VERSION=796f5a3e518748eb29a93bd450324e0ad45b704e - -# Check for recent changes: https://github.com/openresty/headers-more-nginx-module/compare/v0.37...master -export MORE_HEADERS_VERSION=v0.37 - -# Check for recent changes: https://github.com/atomx/nginx-http-auth-digest/compare/v1.0.0...atomx:master -export NGINX_DIGEST_AUTH=v1.0.0 - -# Check for recent changes: https://github.com/yaoweibin/ngx_http_substitutions_filter_module/compare/v0.6.4...master -export NGINX_SUBSTITUTIONS=e12e965ac1837ca709709f9a26f572a54d83430e - -# Check for recent changes: https://github.com/SpiderLabs/ModSecurity-nginx/compare/v1.0.3...master -export MODSECURITY_VERSION=v1.0.3 - -# Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.8...v3/master -export MODSECURITY_LIB_VERSION=v3.0.12 - -# Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v3.3.5...v4.0/main -export OWASP_MODSECURITY_CRS_VERSION=v4.4.0 - -# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.26``...master -export LUA_NGX_VERSION=v0.10.26 - -# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/bea8a0c0de94cede71554f53818ac0267d675d63...master -export LUA_STREAM_NGX_VERSION=bea8a0c0de94cede71554f53818ac0267d675d63 - -# Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/8aa93ead98ba2060d4efd594ae33a35d153589bf...master -export LUA_UPSTREAM_VERSION=542be0893543a4e42d89f6dd85372972f5ff2a36 - -# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.13...openresty:master -export LUA_CJSON_VERSION=2.1.0.13 - -# Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/a607a41a8115fecfc05b5c283c81532a3d605425...master -export GEOIP2_VERSION=a607a41a8115fecfc05b5c283c81532a3d605425 - -# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20240314...v2.1-agentzh -export LUAJIT_VERSION=v2.1-20240314 - -# Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/1cd4363c0a239afe4765ec607dcfbbb4e5900eea...master -export LUA_RESTY_BALANCER=1cd4363c0a239afe4765ec607dcfbbb4e5900eea - -# Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/99e7578465b40f36f596d099b82eab404f2b42ed...master -export LUA_RESTY_CACHE=99e7578465b40f36f596d099b82eab404f2b42ed - -# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.27...master -export LUA_RESTY_CORE=v0.1.28 - -# Check for recent changes: https://github.com/cloudflare/lua-resty-cookie/compare/f418d77082eaef48331302e84330488fdc810ef4...master -export LUA_RESTY_COOKIE_VERSION=f418d77082eaef48331302e84330488fdc810ef4 - -# Check for recent changes: https://github.com/openresty/lua-resty-dns/compare/8bb53516e2933e61c317db740a9b7c2048847c2f...master -export LUA_RESTY_DNS=8bb53516e2933e61c317db740a9b7c2048847c2f - -# Check for recent changes: https://github.com/ledgetech/lua-resty-http/compare/v0.17.1...master -export LUA_RESTY_HTTP=v0.17.1 - -# Check for recent changes: https://github.com/openresty/lua-resty-lock/compare/v0.09...master -export LUA_RESTY_LOCK=405d0bf4cbfa74d742c6ed3158d442221e6212a9 - -# Check for recent changes: https://github.com/openresty/lua-resty-upload/compare/v0.11...master -export LUA_RESTY_UPLOAD_VERSION=979372cce011f3176af3c9aff53fd0e992c4bfd3 - -# Check for recent changes: https://github.com/openresty/lua-resty-string/compare/v0.15...master -export LUA_RESTY_STRING_VERSION=6f1bc21d86daef804df3cc34d6427ef68da26844 - -# Check for recent changes: https://github.com/openresty/lua-resty-memcached/compare/v0.17...master -export LUA_RESTY_MEMCACHED_VERSION=2f02b68bf65fa2332cce070674a93a69a6c7239b - -# Check for recent changes: https://github.com/openresty/lua-resty-redis/compare/v0.30...master -export LUA_RESTY_REDIS_VERSION=8641b9f1b6f75cca50c90cf8ca5c502ad8950aa8 - -# Check for recent changes: https://github.com/api7/lua-resty-ipmatcher/compare/v0.6.1...master -export LUA_RESTY_IPMATCHER_VERSION=3e93c53eb8c9884efe939ef070486a0e507cc5be - -# Check for recent changes: https://github.com/ElvinEfendi/lua-resty-global-throttle/compare/v0.2.0...main -export LUA_RESTY_GLOBAL_THROTTLE_VERSION=v0.2.0 - -# Check for recent changes: https://github.com/microsoft/mimalloc/compare/v2.1.7...master -export MIMALOC_VERSION=v2.1.7 - -# Check on https://github.com/open-telemetry/opentelemetry-cpp -export OPENTELEMETRY_CPP_VERSION="v1.11.0" -# Check on https://github.com/open-telemetry/opentelemetry-proto -export OPENTELEMETRY_PROTO_VERSION="v1.1.0" - -export BUILD_PATH=/tmp/build - -ARCH=$(uname -m) - -get_src() -{ - hash="$1" - url="$2" - dest="${3-}" - ARGS="" - f=$(basename "$url") - - echo "Downloading $url" - - curl -sSL "$url" -o "$f" - # TODO: Reenable checksum verification but make it smarter - # echo "$hash $f" | sha256sum -c - || exit 10 - if [ ! -z "$dest" ]; then - mkdir ${BUILD_PATH}/${dest} - ARGS="-C ${BUILD_PATH}/${dest} --strip-components=1" - fi - tar xvzf "$f" $ARGS - rm -rf "$f" -} - -# install required packages to build -# Dependencies from "ninja" and below are OTEL dependencies -apk add \ - bash \ - gcc \ - clang \ - libc-dev \ - make \ - automake \ - openssl-dev \ - pcre-dev \ - zlib-dev \ - linux-headers \ - libxslt-dev \ - gd-dev \ - perl-dev \ - libedit-dev \ - mercurial \ - alpine-sdk \ - findutils \ - curl \ - ca-certificates \ - patch \ - libaio-dev \ - openssl \ - cmake \ - util-linux \ - lmdb-tools \ - wget \ - curl-dev \ - libprotobuf \ - git g++ pkgconf flex bison doxygen yajl-dev lmdb-dev libtool autoconf libxml2 libxml2-dev \ - python3 \ - libmaxminddb-dev \ - bc \ - unzip \ - dos2unix \ - yaml-cpp \ - coreutils \ - ninja \ - gtest-dev \ - git \ - build-base \ - pkgconfig \ - c-ares-dev \ - re2-dev \ - grpc-dev \ - protobuf-dev - -# apk add -X http://dl-cdn.alpinelinux.org/alpine/edge/testing opentelemetry-cpp-dev - -# There is some bug with some platforms and git, so force HTTP/1.1 -git config --global http.version HTTP/1.1 -git config --global http.postBuffer 157286400 - -mkdir -p /etc/nginx - -mkdir --verbose -p "$BUILD_PATH" -cd "$BUILD_PATH" - -# download, verify and extract the source files -get_src 66dc7081488811e9f925719e34d1b4504c2801c81dee2920e5452a86b11405ae \ - "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz" - -get_src aa961eafb8317e0eb8da37eb6e2c9ff42267edd18b56947384e719b85188f58b \ - "https://github.com/vision5/ngx_devel_kit/archive/$NDK_VERSION.tar.gz" "ngx_devel_kit" - -get_src abc123 \ - "https://github.com/open-telemetry/opentelemetry-cpp/archive/$OPENTELEMETRY_CPP_VERSION.tar.gz" "opentelemetry-cpp" - -get_src abc123 \ - "https://github.com/open-telemetry/opentelemetry-proto/archive/$OPENTELEMETRY_PROTO_VERSION.tar.gz" "opentelemetry-proto" - -get_src cd5e2cc834bcfa30149e7511f2b5a2183baf0b70dc091af717a89a64e44a2985 \ - "https://github.com/openresty/set-misc-nginx-module/archive/$SETMISC_VERSION.tar.gz" "set-misc-nginx-module" - -get_src 0c0d2ced2ce895b3f45eb2b230cd90508ab2a773299f153de14a43e44c1209b3 \ - "https://github.com/openresty/headers-more-nginx-module/archive/$MORE_HEADERS_VERSION.tar.gz" "headers-more-nginx-module" - -get_src f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b \ - "https://github.com/atomx/nginx-http-auth-digest/archive/$NGINX_DIGEST_AUTH.tar.gz" "nginx-http-auth-digest" - -get_src a98b48947359166326d58700ccdc27256d2648218072da138ab6b47de47fbd8f \ - "https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/$NGINX_SUBSTITUTIONS.tar.gz" "ngx_http_substitutions_filter_module" - -get_src 32a42256616cc674dca24c8654397390adff15b888b77eb74e0687f023c8751b \ - "https://github.com/SpiderLabs/ModSecurity-nginx/archive/$MODSECURITY_VERSION.tar.gz" "ModSecurity-nginx" - -get_src bc764db42830aeaf74755754b900253c233ad57498debe7a441cee2c6f4b07c2 \ - "https://github.com/openresty/lua-nginx-module/archive/$LUA_NGX_VERSION.tar.gz" "lua-nginx-module" - -get_src 01b715754a8248cc7228e0c8f97f7488ae429d90208de0481394e35d24cef32f \ - "https://github.com/openresty/stream-lua-nginx-module/archive/$LUA_STREAM_NGX_VERSION.tar.gz" "stream-lua-nginx-module" - -get_src a92c9ee6682567605ece55d4eed5d1d54446ba6fba748cff0a2482aea5713d5f \ - "https://github.com/openresty/lua-upstream-nginx-module/archive/$LUA_UPSTREAM_VERSION.tar.gz" "lua-upstream-nginx-module" - -get_src 77bbcbb24c3c78f51560017288f3118d995fe71240aa379f5818ff6b166712ff \ - "https://github.com/openresty/luajit2/archive/$LUAJIT_VERSION.tar.gz" "luajit2" - -get_src b6c9c09fd43eb34a71e706ad780b2ead26549a9a9f59280fe558f5b7b980b7c6 \ - "https://github.com/leev/ngx_http_geoip2_module/archive/$GEOIP2_VERSION.tar.gz" "ngx_http_geoip2_module" - -get_src deb4ab1ffb9f3d962c4b4a2c4bdff692b86a209e3835ae71ebdf3b97189e40a9 \ - "https://github.com/openresty/lua-resty-upload/archive/$LUA_RESTY_UPLOAD_VERSION.tar.gz" "lua-resty-upload" - -get_src bdbf271003d95aa91cab0a92f24dca129e99b33f79c13ebfcdbbcbb558129491 \ - "https://github.com/openresty/lua-resty-string/archive/$LUA_RESTY_STRING_VERSION.tar.gz" "lua-resty-string" - -get_src 16d72ed133f0c6df376a327386c3ef4e9406cf51003a700737c3805770ade7c5 \ - "https://github.com/openresty/lua-resty-balancer/archive/$LUA_RESTY_BALANCER.tar.gz" "lua-resty-balancer" - -get_src 39baab9e2b31cc48cecf896cea40ef6e80559054fd8a6e440cc804a858ea84d4 \ - "https://github.com/openresty/lua-resty-core/archive/$LUA_RESTY_CORE.tar.gz" "lua-resty-core" - -get_src a77b9de160d81712f2f442e1de8b78a5a7ef0d08f13430ff619f79235db974d4 \ - "https://github.com/openresty/lua-cjson/archive/$LUA_CJSON_VERSION.tar.gz" "lua-cjson" - -get_src 5ed48c36231e2622b001308622d46a0077525ac2f751e8cc0c9905914254baa4 \ - "https://github.com/cloudflare/lua-resty-cookie/archive/$LUA_RESTY_COOKIE_VERSION.tar.gz" "lua-resty-cookie" - -get_src 573184006b98ccee2594b0d134fa4d05e5d2afd5141cbad315051ccf7e9b6403 \ - "https://github.com/openresty/lua-resty-lrucache/archive/$LUA_RESTY_CACHE.tar.gz" "lua-resty-lrucache" - -get_src b4ddcd47db347e9adf5c1e1491a6279a6ae2a3aff3155ef77ea0a65c998a69c1 \ - "https://github.com/openresty/lua-resty-lock/archive/$LUA_RESTY_LOCK.tar.gz" "lua-resty-lock" - -get_src 70e9a01eb32ccade0d5116a25bcffde0445b94ad35035ce06b94ccd260ad1bf0 \ - "https://github.com/openresty/lua-resty-dns/archive/$LUA_RESTY_DNS.tar.gz" "lua-resty-dns" - -get_src 9fcb6db95bc37b6fce77d3b3dc740d593f9d90dce0369b405eb04844d56ac43f \ - "https://github.com/ledgetech/lua-resty-http/archive/$LUA_RESTY_HTTP.tar.gz" "lua-resty-http" - -get_src 02733575c4aed15f6cab662378e4b071c0a4a4d07940c4ef19a7319e9be943d4 \ - "https://github.com/openresty/lua-resty-memcached/archive/$LUA_RESTY_MEMCACHED_VERSION.tar.gz" "lua-resty-memcached" - -get_src c15aed1a01c88a3a6387d9af67a957dff670357f5fdb4ee182beb44635eef3f1 \ - "https://github.com/openresty/lua-resty-redis/archive/$LUA_RESTY_REDIS_VERSION.tar.gz" "lua-resty-redis" - -get_src efb767487ea3f6031577b9b224467ddbda2ad51a41c5867a47582d4ad85d609e \ - "https://github.com/api7/lua-resty-ipmatcher/archive/$LUA_RESTY_IPMATCHER_VERSION.tar.gz" "lua-resty-ipmatcher" - -get_src 0fb790e394510e73fdba1492e576aaec0b8ee9ef08e3e821ce253a07719cf7ea \ - "https://github.com/ElvinEfendi/lua-resty-global-throttle/archive/$LUA_RESTY_GLOBAL_THROTTLE_VERSION.tar.gz" "lua-resty-global-throttle" - -get_src d74f86ada2329016068bc5a243268f1f555edd620b6a7d6ce89295e7d6cf18da \ - "https://github.com/microsoft/mimalloc/archive/${MIMALOC_VERSION}.tar.gz" "mimalloc" - -# improve compilation times -CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1)) - -export MAKEFLAGS=-j${CORES} -export CTEST_BUILD_FLAGS=${MAKEFLAGS} - -# Install luajit from openresty fork -export LUAJIT_LIB=/usr/local/lib -export LUA_LIB_DIR="$LUAJIT_LIB/lua" -export LUAJIT_INC=/usr/local/include/luajit-2.1 - -cd "$BUILD_PATH/luajit2" -make CCDEBUG=-g -make install - -ln -s /usr/local/bin/luajit /usr/local/bin/lua -ln -s "$LUAJIT_INC" /usr/local/include/lua - -cd "$BUILD_PATH/opentelemetry-cpp" -export CXXFLAGS="-DBENCHMARK_HAS_NO_INLINE_ASSEMBLY" -cmake -B build -G Ninja -Wno-dev \ - -DOTELCPP_PROTO_PATH="${BUILD_PATH}/opentelemetry-proto/" \ - -DCMAKE_INSTALL_PREFIX=/usr \ - -DBUILD_SHARED_LIBS=ON \ - -DBUILD_TESTING="OFF" \ - -DBUILD_W3CTRACECONTEXT_TEST="OFF" \ - -DCMAKE_BUILD_TYPE=None \ - -DWITH_ABSEIL=ON \ - -DWITH_STL=ON \ - -DWITH_EXAMPLES=OFF \ - -DWITH_ZPAGES=OFF \ - -DWITH_OTLP_GRPC=ON \ - -DWITH_OTLP_HTTP=ON \ - -DWITH_ZIPKIN=ON \ - -DWITH_PROMETHEUS=OFF \ - -DWITH_ASYNC_EXPORT_PREVIEW=OFF \ - -DWITH_METRICS_EXEMPLAR_PREVIEW=OFF - cmake --build build - cmake --install build - -# Git tuning -git config --global --add core.compression -1 - -# Get Brotli source and deps -cd "$BUILD_PATH" -git clone --depth=100 https://github.com/google/ngx_brotli.git -cd ngx_brotli -# https://github.com/google/ngx_brotli/issues/156 -git reset --hard 63ca02abdcf79c9e788d2eedcc388d2335902e52 -git submodule init -git submodule update - -cd "$BUILD_PATH" -git clone --depth=1 https://github.com/ssdeep-project/ssdeep -cd ssdeep/ - -./bootstrap -./configure - -make -make install - -# build modsecurity library -cd "$BUILD_PATH" -git clone -n https://github.com/SpiderLabs/ModSecurity -cd ModSecurity/ -git checkout $MODSECURITY_LIB_VERSION -git submodule init -git submodule update - -sh build.sh - -# https://github.com/SpiderLabs/ModSecurity/issues/1909#issuecomment-465926762 -sed -i '115i LUA_CFLAGS="${LUA_CFLAGS} -DWITH_LUA_JIT_2_1"' build/lua.m4 -sed -i '117i AC_SUBST(LUA_CFLAGS)' build/lua.m4 - -./configure \ - --disable-doxygen-doc \ - --disable-doxygen-html \ - --disable-examples - -make -make install - -mkdir -p /etc/nginx/modsecurity -cp modsecurity.conf-recommended /etc/nginx/modsecurity/modsecurity.conf -cp unicode.mapping /etc/nginx/modsecurity/unicode.mapping - -# Replace serial logging with concurrent -sed -i 's|SecAuditLogType Serial|SecAuditLogType Concurrent|g' /etc/nginx/modsecurity/modsecurity.conf - -# Concurrent logging implies the log is stored in several files -echo "SecAuditLogStorageDir /var/log/audit/" >> /etc/nginx/modsecurity/modsecurity.conf - -# Download owasp modsecurity crs -cd /etc/nginx/ - -git clone -b $OWASP_MODSECURITY_CRS_VERSION https://github.com/coreruleset/coreruleset -mv coreruleset owasp-modsecurity-crs -cd owasp-modsecurity-crs - -mv crs-setup.conf.example crs-setup.conf -mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf -mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf -cd .. - -# OWASP CRS v4 rules -echo " -Include /etc/nginx/owasp-modsecurity-crs/crs-setup.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-922-MULTIPART-ATTACK.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-955-WEB-SHELLS.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf -" > /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf - -# build nginx -cd "$BUILD_PATH/nginx-$NGINX_VERSION" - -# apply nginx patches -for PATCH in `ls /patches`;do - echo "Patch: $PATCH" - if [[ "$PATCH" == *.txt ]]; then - patch -p0 < /patches/$PATCH - else - patch -p1 < /patches/$PATCH - fi -done - -WITH_FLAGS="--with-debug \ - --with-compat \ - --with-pcre-jit \ - --with-http_ssl_module \ - --with-http_stub_status_module \ - --with-http_realip_module \ - --with-http_auth_request_module \ - --with-http_addition_module \ - --with-http_gzip_static_module \ - --with-http_sub_module \ - --with-http_v2_module \ - --with-http_v3_module \ - --with-stream \ - --with-stream_ssl_module \ - --with-stream_realip_module \ - --with-stream_ssl_preread_module \ - --with-threads \ - --with-http_secure_link_module \ - --with-http_gunzip_module" - -# "Combining -flto with -g is currently experimental and expected to produce unexpected results." -# https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html -CC_OPT="-g -O2 -fPIE -fstack-protector-strong \ - -Wformat \ - -Werror=format-security \ - -Wno-deprecated-declarations \ - -fno-strict-aliasing \ - -D_FORTIFY_SOURCE=2 \ - --param=ssp-buffer-size=4 \ - -DTCP_FASTOPEN=23 \ - -fPIC \ - -Wno-cast-function-type" - -LD_OPT="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now" - -if [[ ${ARCH} != "aarch64" ]]; then - WITH_FLAGS+=" --with-file-aio" -fi - -if [[ ${ARCH} == "x86_64" ]]; then - CC_OPT+=' -m64 -mtune=generic' -fi - -WITH_MODULES=" \ - --add-module=$BUILD_PATH/ngx_devel_kit \ - --add-module=$BUILD_PATH/set-misc-nginx-module \ - --add-module=$BUILD_PATH/headers-more-nginx-module \ - --add-module=$BUILD_PATH/ngx_http_substitutions_filter_module \ - --add-module=$BUILD_PATH/lua-nginx-module \ - --add-module=$BUILD_PATH/stream-lua-nginx-module \ - --add-module=$BUILD_PATH/lua-upstream-nginx-module \ - --add-dynamic-module=$BUILD_PATH/nginx-http-auth-digest \ - --add-dynamic-module=$BUILD_PATH/ModSecurity-nginx \ - --add-dynamic-module=$BUILD_PATH/ngx_http_geoip2_module \ - --add-dynamic-module=$BUILD_PATH/ngx_brotli" - -./configure \ - --prefix=/usr/local/nginx \ - --conf-path=/etc/nginx/nginx.conf \ - --modules-path=/etc/nginx/modules \ - --http-log-path=/var/log/nginx/access.log \ - --error-log-path=/var/log/nginx/error.log \ - --lock-path=/var/lock/nginx.lock \ - --pid-path=/run/nginx.pid \ - --http-client-body-temp-path=/var/lib/nginx/body \ - --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \ - --http-proxy-temp-path=/var/lib/nginx/proxy \ - --http-scgi-temp-path=/var/lib/nginx/scgi \ - --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \ - ${WITH_FLAGS} \ - --without-mail_pop3_module \ - --without-mail_smtp_module \ - --without-mail_imap_module \ - --without-http_uwsgi_module \ - --without-http_scgi_module \ - --with-cc-opt="${CC_OPT}" \ - --with-ld-opt="${LD_OPT}" \ - --user=www-data \ - --group=www-data \ - ${WITH_MODULES} - -make -make modules -make install - -export OPENTELEMETRY_CONTRIB_COMMIT=aaa51e2297bcb34297f3c7aa44fa790497d2f7f3 -cd "$BUILD_PATH" - -git clone https://github.com/open-telemetry/opentelemetry-cpp-contrib.git opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT} - -cd ${BUILD_PATH}/opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT} -git reset --hard ${OPENTELEMETRY_CONTRIB_COMMIT} - -export OTEL_TEMP_INSTALL=/tmp/otel -mkdir -p ${OTEL_TEMP_INSTALL} - -cd ${BUILD_PATH}/opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT}/instrumentation/nginx -mkdir -p build -cd build -cmake -DCMAKE_BUILD_TYPE=Release \ - -G Ninja \ - -DCMAKE_CXX_STANDARD=17 \ - -DCMAKE_INSTALL_PREFIX=${OTEL_TEMP_INSTALL} \ - -DBUILD_SHARED_LIBS=ON \ - -DNGINX_VERSION=${NGINX_VERSION} \ - .. -cmake --build . -j ${CORES} --target install - -mkdir -p /etc/nginx/modules -cp ${OTEL_TEMP_INSTALL}/otel_ngx_module.so /etc/nginx/modules/otel_ngx_module.so - - -cd "$BUILD_PATH/lua-resty-core" -make install - -cd "$BUILD_PATH/lua-resty-balancer" -make all -make install - -export LUA_INCLUDE_DIR=/usr/local/include/luajit-2.1 -ln -s $LUA_INCLUDE_DIR /usr/include/lua5.1 - -cd "$BUILD_PATH/lua-cjson" -make all -make install - -cd "$BUILD_PATH/lua-resty-cookie" -make all -make install - -cd "$BUILD_PATH/lua-resty-lrucache" -make install - -cd "$BUILD_PATH/lua-resty-dns" -make install - -cd "$BUILD_PATH/lua-resty-lock" -make install - -# required for OCSP verification -cd "$BUILD_PATH/lua-resty-http" -make install - -cd "$BUILD_PATH/lua-resty-upload" -make install - -cd "$BUILD_PATH/lua-resty-string" -make install - -cd "$BUILD_PATH/lua-resty-memcached" -make install - -cd "$BUILD_PATH/lua-resty-redis" -make install - -cd "$BUILD_PATH/lua-resty-ipmatcher" -INST_LUADIR=/usr/local/lib/lua make install - -cd "$BUILD_PATH/lua-resty-global-throttle" -make install - -cd "$BUILD_PATH/mimalloc" -mkdir -p out/release -cd out/release - -cmake ../.. - -make -make install - -# update image permissions -writeDirs=( \ - /etc/nginx \ - /usr/local/nginx \ - /opt/modsecurity/var/log \ - /opt/modsecurity/var/upload \ - /opt/modsecurity/var/audit \ - /var/log/audit \ - /var/log/nginx \ -); - -adduser -S -D -H -u 101 -h /usr/local/nginx -s /sbin/nologin -G www-data -g www-data www-data - -for dir in "${writeDirs[@]}"; do - mkdir -p ${dir}; - chown -R www-data.www-data ${dir}; -done - -rm -rf /etc/nginx/owasp-modsecurity-crs/.git -rm -rf /etc/nginx/owasp-modsecurity-crs/tests - -# remove .a files -find /usr/local -name "*.a" -print | xargs /bin/rm diff --git a/images/nginx/Makefile b/images/nginx/Makefile index b54a7739b..103ba217f 100644 --- a/images/nginx/Makefile +++ b/images/nginx/Makefile @@ -1,4 +1,4 @@ -# Copyright 2017 The Kubernetes Authors. All rights reserved. +# Copyright 2024 The Kubernetes Authors. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,7 +22,7 @@ INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh # 0.0.0 shouldn't clobber any released builds SHORT_SHA ?=$(shell git rev-parse --short HEAD) -TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA) +TAG ?=$(shell cat TAG) REGISTRY ?= gcr.io/k8s-staging-ingress-nginx diff --git a/images/nginx/README.md b/images/nginx/README.md index da6994fb5..768077215 100644 --- a/images/nginx/README.md +++ b/images/nginx/README.md @@ -1,27 +1,47 @@ -NGINX base image using [alpine](https://www.alpinelinux.org/) +NGINX base image -This custom image contains: +### HTTP/3 Support -- [nginx-http-auth-digest](https://github.com/atomx/nginx-http-auth-digest) -- [ngx_http_substitutions_filter_module](https://github.com/yaoweibin/ngx_http_substitutions_filter_module) -- [OpenTelemetry-CPP](https://github.com/open-telemetry/opentelemetry-cpp) -- [OpenTelemetry-CPP-Nginx](https://github.com/open-telemetry/opentelemetry-cpp-contrib/tree/main/instrumentation/nginx) -- [nginx-opentracing](https://github.com/opentracing-contrib/nginx-opentracing) -- [opentracing-cpp](https://github.com/opentracing/opentracing-cpp) -- [zipkin-cpp-opentracing](https://github.com/rnburn/zipkin-cpp-opentracing) -- [dd-opentracing-cpp](https://github.com/DataDog/dd-opentracing-cpp) -- [ModSecurity-nginx](https://github.com/SpiderLabs/ModSecurity-nginx) (only supported in x86_64) -- [brotli](https://github.com/google/brotli) -- [geoip2](https://github.com/leev/ngx_http_geoip2_module) +**HTTP/3 support is experimental and under development** -**How to use this image:** -This image provides a default configuration file with no backend servers. +[HTTP/3](https://datatracker.ietf.org/doc/html/rfc9114)\ +[QUIC](https://datatracker.ietf.org/doc/html/rfc9000) -_Using docker_ +[According to the documentation, NGINX 1.25.0 or higher supports HTTP/3:](https://nginx.org/en/docs/quic.html) -NGINX base image we use is defined in NGINX_BASE file at the root of the project +> Support for QUIC and HTTP/3 protocols is available since 1.25.0. -```console -docker run -v /some/nginx.conf:/etc/nginx/nginx.conf:ro $(cat ../../NGINX_BASE) -``` +But this requires adding a new flag during the build: +> When configuring nginx, it is possible to enable QUIC and HTTP/3 using the --with-http_v3_module configuration parameter. + +[We have added this flag](https://github.com/kubernetes/ingress-nginx/pull/11470), but it is not enough to use HTTP/3 in ingress-nginx, this is the first step. + +The next steps will be: + +1. **Waiting for OpenSSL 3.4.**\ + The main problem is, that we still use OpenSSL (3.x) and it does not support the important mechanism of TLS 1.3 - [early_data](https://datatracker.ietf.org/doc/html/rfc8446#section-2.3): + + > Otherwise, the OpenSSL compatibility layer will be used that does not support early data. + + [And although another part of the documentation says that the directive is supported with OpenSSL:](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data) + + > The directive is supported when using OpenSSL 1.1.1 or higher. + + But this is incomplete support, because OpenSSL does not support this feature, and [it has only client side support:](https://github.com/openssl/openssl) + + > ... the QUIC (currently client side only) version 1 protocol + + [And also there are some issues even with client side](https://github.com/openssl/openssl/discussions/23339) + + Due to this, we currently have incomplete HTTP/3 support, without important security and performance features.\ + But the good news is that [OpenSSL plans to add server-side support in 3.4](https://github.com/openssl/web/blob/master/roadmap.md): + + > Server-side QUIC support + + [Overview of SSL libraries(HAProxy Documentation)](https://github.com/haproxy/wiki/wiki/SSL-Libraries-Support-Status#tldr) + +2. **Adding [parameters](https://nginx.org/en/docs/http/ngx_http_v3_module.html) to the configmap to configure HTTP/3 and quic(enableHTTP3, enableHTTP/0.9, maxCurrentStream, and so on).** +3. **Adding options to the nginx config template(`listen 443 quic` to server blocks and `add_header Alt-Svc 'h3=":8443"; ma=86400';` to location blocks).** +4. **Opening the https port for UDP in the container(because QUIC uses UDP).** +5. **Adding tests.** diff --git a/images/nginx/TAG b/images/nginx/TAG index bbdeab622..0ec25f750 100644 --- a/images/nginx/TAG +++ b/images/nginx/TAG @@ -1 +1 @@ -0.0.5 +v1.0.0 diff --git a/images/nginx/cloudbuild.yaml b/images/nginx/cloudbuild.yaml index 71051f26d..c53259ad1 100644 --- a/images/nginx/cloudbuild.yaml +++ b/images/nginx/cloudbuild.yaml @@ -1,17 +1,14 @@ -timeout: 10800s options: - substitution_option: ALLOW_LOOSE - # job builds a multi-arch docker image for amd64,arm,arm64 and s390x. + # Increase machine type for multi-arch builds. machineType: E2_HIGHCPU_32 + # Ignore Prow provided substitutions. + substitution_option: ALLOW_LOOSE steps: - - name: 'gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90' - entrypoint: bash + - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20240718-5ef92b5c36 env: - - DOCKER_CLI_EXPERIMENTAL=enabled - REGISTRY=gcr.io/k8s-staging-ingress-nginx - - HOME=/root + entrypoint: bash args: - - -c - - | - gcloud auth configure-docker \ - && cd images/nginx && make push + - -c + - gcloud auth configure-docker && cd images/nginx && make push +timeout: 7200s diff --git a/images/nginx/rc.yaml b/images/nginx/rc.yaml deleted file mode 100644 index bcf2b0274..000000000 --- a/images/nginx/rc.yaml +++ /dev/null @@ -1,44 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -spec: - type: NodePort - ports: - - port: 80 - protocol: TCP - name: http - - port: 443 - protocol: TCP - name: https - selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx ---- -apiVersion: v1 -kind: ReplicationController -metadata: - name: nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -spec: - replicas: 1 - selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - template: - metadata: - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - spec: - containers: - - name: nginx - image: registry.k8s.io/ingress-nginx/nginx:c5766dc011965f22fac2f4437e86d0fd9960a50c@sha256:94ff9b435a5f3f4570bbdaed4a3a523f63a54ce2ad6b132b5640bae2af5d9d90 - ports: - - containerPort: 80 - - containerPort: 443 diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile index f3d61017e..1d2b6b623 100644 --- a/images/nginx/rootfs/Dockerfile +++ b/images/nginx/rootfs/Dockerfile @@ -1,4 +1,4 @@ -# Copyright 2015 The Kubernetes Authors. All rights reserved. +# Copyright 2024 The Kubernetes Authors. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -11,7 +11,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -FROM alpine:3.20.0 as builder +FROM alpine:3.20 as builder COPY . / @@ -21,7 +21,7 @@ RUN apk update \ && /build.sh # Use a multi-stage build -FROM alpine:3.20.0 +FROM alpine:3.20 ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin @@ -29,11 +29,10 @@ ENV LUA_PATH="/usr/local/share/luajit-2.1.0-beta3/?.lua;/usr/local/share/lua/5.1 ENV LUA_CPATH="/usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;;" COPY --from=builder /usr/local /usr/local +COPY --from=builder /usr/lib/libopentelemetry* /usr/local/lib COPY --from=builder /opt /opt COPY --from=builder /etc/nginx /etc/nginx -LABEL org.opencontainers.image.source=https://github.com/kubernetes/ingress-nginx - RUN apk update \ && apk upgrade \ && apk add -U --no-cache \ @@ -50,6 +49,8 @@ RUN apk update \ yaml-cpp \ dumb-init \ tzdata \ + grpc-cpp \ + libprotobuf \ && ln -s /usr/local/nginx/sbin/nginx /sbin/nginx \ && adduser -S -D -H -u 101 -h /usr/local/nginx \ -s /sbin/nologin -G www-data -g www-data www-data \ diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh index 2f5f3c66f..3baf775fc 100755 --- a/images/nginx/rootfs/build.sh +++ b/images/nginx/rootfs/build.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright 2015 The Kubernetes Authors. +# Copyright 2023 The Kubernetes Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,139 +18,121 @@ set -o errexit set -o nounset set -o pipefail -export NGINX_VERSION=1.21.6 +export NGINX_VERSION=1.25.5 -# Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.2...master -export NDK_VERSION=0.3.2 +# Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.3...master +export NDK_VERSION=v0.3.3 # Check for recent changes: https://github.com/openresty/set-misc-nginx-module/compare/v0.33...master -export SETMISC_VERSION=0.33 +export SETMISC_VERSION=796f5a3e518748eb29a93bd450324e0ad45b704e # Check for recent changes: https://github.com/openresty/headers-more-nginx-module/compare/v0.37...master -export MORE_HEADERS_VERSION=0.37 +export MORE_HEADERS_VERSION=v0.37 # Check for recent changes: https://github.com/atomx/nginx-http-auth-digest/compare/v1.0.0...atomx:master -export NGINX_DIGEST_AUTH=1.0.0 +export NGINX_DIGEST_AUTH=v1.0.0 # Check for recent changes: https://github.com/yaoweibin/ngx_http_substitutions_filter_module/compare/v0.6.4...master -export NGINX_SUBSTITUTIONS=b8a71eacc7f986ba091282ab8b1bbbc6ae1807e0 - -# Check for recent changes: https://github.com/opentracing-contrib/nginx-opentracing/compare/v0.19.0...master -export NGINX_OPENTRACING_VERSION=0.19.0 - -#Check for recent changes: https://github.com/opentracing/opentracing-cpp/compare/v1.6.0...master -export OPENTRACING_CPP_VERSION=f86b33f3d9e7322b1298ba62d5ffa7a9519c4c41 - -# Check for recent changes: https://github.com/rnburn/zipkin-cpp-opentracing/compare/v0.5.2...master -export ZIPKIN_CPP_VERSION=f69593138ff84ca2f6bc115992e18ca3d35f344a - -# Check for recent changes: https://github.com/jbeder/yaml-cpp/compare/yaml-cpp-0.7.0...master -export YAML_CPP_VERSION=yaml-cpp-0.7.0 - -# Check for recent changes: https://github.com/jaegertracing/jaeger-client-cpp/compare/v0.7.0...master -export JAEGER_VERSION=0.7.0 - -# Check for recent changes: https://github.com/msgpack/msgpack-c/compare/cpp-3.3.0...master -export MSGPACK_VERSION=3.3.0 - -# Check for recent changes: https://github.com/DataDog/dd-opentracing-cpp/compare/v1.3.7...master -export DATADOG_CPP_VERSION=1.3.7 +export NGINX_SUBSTITUTIONS=e12e965ac1837ca709709f9a26f572a54d83430e # Check for recent changes: https://github.com/SpiderLabs/ModSecurity-nginx/compare/v1.0.3...master -export MODSECURITY_VERSION=1.0.3 +export MODSECURITY_VERSION=v1.0.3 -# Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.11...v3/master -export MODSECURITY_LIB_VERSION=bbde9381cbccb49ea73f6194b08b478adc53f3bc +# Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.8...v3/master +export MODSECURITY_LIB_VERSION=v3.0.12 -# Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v3.3.2...v3.3/master -export OWASP_MODSECURITY_CRS_VERSION=v3.3.5 +# Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v3.3.5...v4.0/main +export OWASP_MODSECURITY_CRS_VERSION=v4.4.0 -# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.25...master -export LUA_NGX_VERSION=0.10.25 +# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.26``...master +export LUA_NGX_VERSION=v0.10.26 -# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/v0.0.13...master -export LUA_STREAM_NGX_VERSION=0.0.13 +# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/bea8a0c0de94cede71554f53818ac0267d675d63...master +export LUA_STREAM_NGX_VERSION=bea8a0c0de94cede71554f53818ac0267d675d63 # Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/8aa93ead98ba2060d4efd594ae33a35d153589bf...master -export LUA_UPSTREAM_VERSION=8aa93ead98ba2060d4efd594ae33a35d153589bf +export LUA_UPSTREAM_VERSION=542be0893543a4e42d89f6dd85372972f5ff2a36 -# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.11...openresty:master -export LUA_CJSON_VERSION=2.1.0.11 +# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.13...openresty:master +export LUA_CJSON_VERSION=2.1.0.13 -# Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/3.4...master +# Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/a607a41a8115fecfc05b5c283c81532a3d605425...master export GEOIP2_VERSION=a607a41a8115fecfc05b5c283c81532a3d605425 -# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20230410...v2.1-agentzh -export LUAJIT_VERSION=2.1-20230410 +# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20240314...v2.1-agentzh +export LUAJIT_VERSION=v2.1-20240314 -# Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/v0.04...master -export LUA_RESTY_BALANCER=0.04 +# Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/1cd4363c0a239afe4765ec607dcfbbb4e5900eea...master +export LUA_RESTY_BALANCER=1cd4363c0a239afe4765ec607dcfbbb4e5900eea -# Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/v0.13...master -export LUA_RESTY_CACHE=0.13 +# Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/99e7578465b40f36f596d099b82eab404f2b42ed...master +export LUA_RESTY_CACHE=99e7578465b40f36f596d099b82eab404f2b42ed # Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.27...master -export LUA_RESTY_CORE=0.1.27 +export LUA_RESTY_CORE=v0.1.28 -# Check for recent changes: https://github.com/utix/lua-resty-cookie/compare/9533f47...master -export LUA_RESTY_COOKIE_VERSION=9533f479371663107b515590fc9daf00d61ebf11 +# Check for recent changes: https://github.com/cloudflare/lua-resty-cookie/compare/f418d77082eaef48331302e84330488fdc810ef4...master +export LUA_RESTY_COOKIE_VERSION=f418d77082eaef48331302e84330488fdc810ef4 -# Check for recent changes: https://github.com/openresty/lua-resty-dns/compare/v0.22...master -export LUA_RESTY_DNS=0.22 +# Check for recent changes: https://github.com/openresty/lua-resty-dns/compare/8bb53516e2933e61c317db740a9b7c2048847c2f...master +export LUA_RESTY_DNS=8bb53516e2933e61c317db740a9b7c2048847c2f -# Check for recent changes: https://github.com/ledgetech/lua-resty-http/compare/v0.16.1...master -export LUA_RESTY_HTTP=0ce55d6d15da140ecc5966fa848204c6fd9074e8 +# Check for recent changes: https://github.com/ledgetech/lua-resty-http/compare/v0.17.1...master +export LUA_RESTY_HTTP=v0.17.1 # Check for recent changes: https://github.com/openresty/lua-resty-lock/compare/v0.09...master -export LUA_RESTY_LOCK=0.09 +export LUA_RESTY_LOCK=405d0bf4cbfa74d742c6ed3158d442221e6212a9 # Check for recent changes: https://github.com/openresty/lua-resty-upload/compare/v0.11...master -export LUA_RESTY_UPLOAD_VERSION=0.11 +export LUA_RESTY_UPLOAD_VERSION=979372cce011f3176af3c9aff53fd0e992c4bfd3 # Check for recent changes: https://github.com/openresty/lua-resty-string/compare/v0.15...master -export LUA_RESTY_STRING_VERSION=0.15 +export LUA_RESTY_STRING_VERSION=6f1bc21d86daef804df3cc34d6427ef68da26844 # Check for recent changes: https://github.com/openresty/lua-resty-memcached/compare/v0.17...master -export LUA_RESTY_MEMCACHED_VERSION=0.17 +export LUA_RESTY_MEMCACHED_VERSION=2f02b68bf65fa2332cce070674a93a69a6c7239b # Check for recent changes: https://github.com/openresty/lua-resty-redis/compare/v0.30...master -export LUA_RESTY_REDIS_VERSION=0.30 +export LUA_RESTY_REDIS_VERSION=8641b9f1b6f75cca50c90cf8ca5c502ad8950aa8 # Check for recent changes: https://github.com/api7/lua-resty-ipmatcher/compare/v0.6.1...master -export LUA_RESTY_IPMATCHER_VERSION=0.6.1 +export LUA_RESTY_IPMATCHER_VERSION=3e93c53eb8c9884efe939ef070486a0e507cc5be -# Check for recent changes: https://github.com/ElvinEfendi/lua-resty-global-throttle/compare/v0.2.0...main -export LUA_RESTY_GLOBAL_THROTTLE_VERSION=0.2.0 +# Check for recent changes: https://github.com/microsoft/mimalloc/compare/v2.1.7...master +export MIMALOC_VERSION=v2.1.7 -# Check for recent changes: https://github.com/microsoft/mimalloc/compare/v1.7.6...master -export MIMALOC_VERSION=1.7.6 +# Check on https://github.com/open-telemetry/opentelemetry-cpp +export OPENTELEMETRY_CPP_VERSION="v1.11.0" +# Check on https://github.com/open-telemetry/opentelemetry-proto +export OPENTELEMETRY_PROTO_VERSION="v1.1.0" export BUILD_PATH=/tmp/build ARCH=$(uname -m) -if [[ ${ARCH} == "s390x" ]]; then - export LUAJIT_VERSION=9d5750d28478abfdcaefdfdc408f87752a21e431 - export LUA_RESTY_CORE=0.1.17 - export LUA_NGX_VERSION=0.10.15 - export LUA_STREAM_NGX_VERSION=0.0.7 -fi - get_src() { hash="$1" url="$2" + dest="${3-}" + ARGS="" f=$(basename "$url") echo "Downloading $url" curl -sSL "$url" -o "$f" - echo "$hash $f" | sha256sum -c - || exit 10 - tar xzf "$f" + # TODO: Reenable checksum verification but make it smarter + # echo "$hash $f" | sha256sum -c - || exit 10 + if [ ! -z "$dest" ]; then + mkdir ${BUILD_PATH}/${dest} + ARGS="-C ${BUILD_PATH}/${dest} --strip-components=1" + fi + tar xvzf "$f" $ARGS rm -rf "$f" } # install required packages to build +# Dependencies from "ninja" and below are OTEL dependencies apk add \ bash \ gcc \ @@ -187,7 +169,22 @@ apk add \ unzip \ dos2unix \ yaml-cpp \ - coreutils + coreutils \ + ninja \ + gtest-dev \ + git \ + build-base \ + pkgconfig \ + c-ares-dev \ + re2-dev \ + grpc-dev \ + protobuf-dev + +# apk add -X http://dl-cdn.alpinelinux.org/alpine/edge/testing opentelemetry-cpp-dev + +# There is some bug with some platforms and git, so force HTTP/1.1 +git config --global http.version HTTP/1.1 +git config --global http.postBuffer 157286400 mkdir -p /etc/nginx @@ -199,274 +196,135 @@ get_src 66dc7081488811e9f925719e34d1b4504c2801c81dee2920e5452a86b11405ae \ "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz" get_src aa961eafb8317e0eb8da37eb6e2c9ff42267edd18b56947384e719b85188f58b \ - "https://github.com/vision5/ngx_devel_kit/archive/v$NDK_VERSION.tar.gz" + "https://github.com/vision5/ngx_devel_kit/archive/$NDK_VERSION.tar.gz" "ngx_devel_kit" + +get_src abc123 \ + "https://github.com/open-telemetry/opentelemetry-cpp/archive/$OPENTELEMETRY_CPP_VERSION.tar.gz" "opentelemetry-cpp" + +get_src abc123 \ + "https://github.com/open-telemetry/opentelemetry-proto/archive/$OPENTELEMETRY_PROTO_VERSION.tar.gz" "opentelemetry-proto" get_src cd5e2cc834bcfa30149e7511f2b5a2183baf0b70dc091af717a89a64e44a2985 \ - "https://github.com/openresty/set-misc-nginx-module/archive/v$SETMISC_VERSION.tar.gz" + "https://github.com/openresty/set-misc-nginx-module/archive/$SETMISC_VERSION.tar.gz" "set-misc-nginx-module" -get_src cf6e169d6b350c06d0c730b0eaf4973394026ad40094cddd3b3a5b346577019d \ - "https://github.com/openresty/headers-more-nginx-module/archive/v$MORE_HEADERS_VERSION.tar.gz" +get_src 0c0d2ced2ce895b3f45eb2b230cd90508ab2a773299f153de14a43e44c1209b3 \ + "https://github.com/openresty/headers-more-nginx-module/archive/$MORE_HEADERS_VERSION.tar.gz" "headers-more-nginx-module" get_src f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b \ - "https://github.com/atomx/nginx-http-auth-digest/archive/v$NGINX_DIGEST_AUTH.tar.gz" + "https://github.com/atomx/nginx-http-auth-digest/archive/$NGINX_DIGEST_AUTH.tar.gz" "nginx-http-auth-digest" get_src a98b48947359166326d58700ccdc27256d2648218072da138ab6b47de47fbd8f \ - "https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/$NGINX_SUBSTITUTIONS.tar.gz" - -get_src 6f97776ebdf019b105a755c7736b70bdbd7e575c7f0d39db5fe127873c7abf17 \ - "https://github.com/opentracing-contrib/nginx-opentracing/archive/v$NGINX_OPENTRACING_VERSION.tar.gz" - -get_src cbe625cba85291712253db5bc3870d60c709acfad9a8af5a302673d3d201e3ea \ - "https://github.com/opentracing/opentracing-cpp/archive/$OPENTRACING_CPP_VERSION.tar.gz" - -get_src 71de3d0658935db7ccea20e006b35e58ddc7e4c18878b9523f2addc2371e9270 \ - "https://github.com/rnburn/zipkin-cpp-opentracing/archive/$ZIPKIN_CPP_VERSION.tar.gz" + "https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/$NGINX_SUBSTITUTIONS.tar.gz" "ngx_http_substitutions_filter_module" get_src 32a42256616cc674dca24c8654397390adff15b888b77eb74e0687f023c8751b \ - "https://github.com/SpiderLabs/ModSecurity-nginx/archive/v$MODSECURITY_VERSION.tar.gz" + "https://github.com/SpiderLabs/ModSecurity-nginx/archive/$MODSECURITY_VERSION.tar.gz" "ModSecurity-nginx" -get_src 43e6a9fcb146ad871515f0d0873947e5d497a1c9c60c58cb102a97b47208b7c3 \ - "https://github.com/jbeder/yaml-cpp/archive/$YAML_CPP_VERSION.tar.gz" - -get_src 3a3a03060bf5e3fef52c9a2de02e6035cb557f389453d8f3b0c1d3d570636994 \ - "https://github.com/jaegertracing/jaeger-client-cpp/archive/v$JAEGER_VERSION.tar.gz" - -get_src 754c3ace499a63e45b77ef4bcab4ee602c2c414f58403bce826b76ffc2f77d0b \ - "https://github.com/msgpack/msgpack-c/archive/cpp-$MSGPACK_VERSION.tar.gz" - -if [[ ${ARCH} == "s390x" ]]; then -get_src 7d5f3439c8df56046d0564b5857fd8a30296ab1bd6df0f048aed7afb56a0a4c2 \ - "https://github.com/openresty/lua-nginx-module/archive/v$LUA_NGX_VERSION.tar.gz" -get_src 99c47c75c159795c9faf76bbb9fa58e5a50b75286c86565ffcec8514b1c74bf9 \ - "https://github.com/openresty/stream-lua-nginx-module/archive/v$LUA_STREAM_NGX_VERSION.tar.gz" -else get_src bc764db42830aeaf74755754b900253c233ad57498debe7a441cee2c6f4b07c2 \ - "https://github.com/openresty/lua-nginx-module/archive/v$LUA_NGX_VERSION.tar.gz" + "https://github.com/openresty/lua-nginx-module/archive/$LUA_NGX_VERSION.tar.gz" "lua-nginx-module" get_src 01b715754a8248cc7228e0c8f97f7488ae429d90208de0481394e35d24cef32f \ - "https://github.com/openresty/stream-lua-nginx-module/archive/v$LUA_STREAM_NGX_VERSION.tar.gz" - -fi + "https://github.com/openresty/stream-lua-nginx-module/archive/$LUA_STREAM_NGX_VERSION.tar.gz" "stream-lua-nginx-module" get_src a92c9ee6682567605ece55d4eed5d1d54446ba6fba748cff0a2482aea5713d5f \ - "https://github.com/openresty/lua-upstream-nginx-module/archive/$LUA_UPSTREAM_VERSION.tar.gz" + "https://github.com/openresty/lua-upstream-nginx-module/archive/$LUA_UPSTREAM_VERSION.tar.gz" "lua-upstream-nginx-module" -if [[ ${ARCH} == "s390x" ]]; then -get_src 266ed1abb70a9806d97cb958537a44b67db6afb33d3b32292a2d68a2acedea75 \ - "https://github.com/openresty/luajit2/archive/$LUAJIT_VERSION.tar.gz" -else get_src 77bbcbb24c3c78f51560017288f3118d995fe71240aa379f5818ff6b166712ff \ - "https://github.com/openresty/luajit2/archive/v$LUAJIT_VERSION.tar.gz" -fi - -get_src 8d39c6b23f941a2d11571daaccc04e69539a3fcbcc50a631837560d5861a7b96 \ - "https://github.com/DataDog/dd-opentracing-cpp/archive/v$DATADOG_CPP_VERSION.tar.gz" + "https://github.com/openresty/luajit2/archive/$LUAJIT_VERSION.tar.gz" "luajit2" get_src b6c9c09fd43eb34a71e706ad780b2ead26549a9a9f59280fe558f5b7b980b7c6 \ - "https://github.com/leev/ngx_http_geoip2_module/archive/$GEOIP2_VERSION.tar.gz" + "https://github.com/leev/ngx_http_geoip2_module/archive/$GEOIP2_VERSION.tar.gz" "ngx_http_geoip2_module" get_src deb4ab1ffb9f3d962c4b4a2c4bdff692b86a209e3835ae71ebdf3b97189e40a9 \ - "https://github.com/openresty/lua-resty-upload/archive/v$LUA_RESTY_UPLOAD_VERSION.tar.gz" + "https://github.com/openresty/lua-resty-upload/archive/$LUA_RESTY_UPLOAD_VERSION.tar.gz" "lua-resty-upload" get_src bdbf271003d95aa91cab0a92f24dca129e99b33f79c13ebfcdbbcbb558129491 \ - "https://github.com/openresty/lua-resty-string/archive/v$LUA_RESTY_STRING_VERSION.tar.gz" + "https://github.com/openresty/lua-resty-string/archive/$LUA_RESTY_STRING_VERSION.tar.gz" "lua-resty-string" get_src 16d72ed133f0c6df376a327386c3ef4e9406cf51003a700737c3805770ade7c5 \ - "https://github.com/openresty/lua-resty-balancer/archive/v$LUA_RESTY_BALANCER.tar.gz" + "https://github.com/openresty/lua-resty-balancer/archive/$LUA_RESTY_BALANCER.tar.gz" "lua-resty-balancer" -if [[ ${ARCH} == "s390x" ]]; then -get_src 8f5f76d2689a3f6b0782f0a009c56a65e4c7a4382be86422c9b3549fe95b0dc4 \ - "https://github.com/openresty/lua-resty-core/archive/v$LUA_RESTY_CORE.tar.gz" -else get_src 39baab9e2b31cc48cecf896cea40ef6e80559054fd8a6e440cc804a858ea84d4 \ - "https://github.com/openresty/lua-resty-core/archive/v$LUA_RESTY_CORE.tar.gz" -fi + "https://github.com/openresty/lua-resty-core/archive/$LUA_RESTY_CORE.tar.gz" "lua-resty-core" get_src a77b9de160d81712f2f442e1de8b78a5a7ef0d08f13430ff619f79235db974d4 \ - "https://github.com/openresty/lua-cjson/archive/$LUA_CJSON_VERSION.tar.gz" + "https://github.com/openresty/lua-cjson/archive/$LUA_CJSON_VERSION.tar.gz" "lua-cjson" -get_src a404c790553617424d743b82a9f01feccd0d2930b306b370c665ca3b7c09ccb6 \ - "https://github.com/utix/lua-resty-cookie/archive/$LUA_RESTY_COOKIE_VERSION.tar.gz" +get_src 5ed48c36231e2622b001308622d46a0077525ac2f751e8cc0c9905914254baa4 \ + "https://github.com/cloudflare/lua-resty-cookie/archive/$LUA_RESTY_COOKIE_VERSION.tar.gz" "lua-resty-cookie" get_src 573184006b98ccee2594b0d134fa4d05e5d2afd5141cbad315051ccf7e9b6403 \ - "https://github.com/openresty/lua-resty-lrucache/archive/v$LUA_RESTY_CACHE.tar.gz" + "https://github.com/openresty/lua-resty-lrucache/archive/$LUA_RESTY_CACHE.tar.gz" "lua-resty-lrucache" get_src b4ddcd47db347e9adf5c1e1491a6279a6ae2a3aff3155ef77ea0a65c998a69c1 \ - "https://github.com/openresty/lua-resty-lock/archive/v$LUA_RESTY_LOCK.tar.gz" + "https://github.com/openresty/lua-resty-lock/archive/$LUA_RESTY_LOCK.tar.gz" "lua-resty-lock" get_src 70e9a01eb32ccade0d5116a25bcffde0445b94ad35035ce06b94ccd260ad1bf0 \ - "https://github.com/openresty/lua-resty-dns/archive/v$LUA_RESTY_DNS.tar.gz" + "https://github.com/openresty/lua-resty-dns/archive/$LUA_RESTY_DNS.tar.gz" "lua-resty-dns" get_src 9fcb6db95bc37b6fce77d3b3dc740d593f9d90dce0369b405eb04844d56ac43f \ - "https://github.com/ledgetech/lua-resty-http/archive/$LUA_RESTY_HTTP.tar.gz" + "https://github.com/ledgetech/lua-resty-http/archive/$LUA_RESTY_HTTP.tar.gz" "lua-resty-http" get_src 02733575c4aed15f6cab662378e4b071c0a4a4d07940c4ef19a7319e9be943d4 \ - "https://github.com/openresty/lua-resty-memcached/archive/v$LUA_RESTY_MEMCACHED_VERSION.tar.gz" + "https://github.com/openresty/lua-resty-memcached/archive/$LUA_RESTY_MEMCACHED_VERSION.tar.gz" "lua-resty-memcached" get_src c15aed1a01c88a3a6387d9af67a957dff670357f5fdb4ee182beb44635eef3f1 \ - "https://github.com/openresty/lua-resty-redis/archive/v$LUA_RESTY_REDIS_VERSION.tar.gz" + "https://github.com/openresty/lua-resty-redis/archive/$LUA_RESTY_REDIS_VERSION.tar.gz" "lua-resty-redis" get_src efb767487ea3f6031577b9b224467ddbda2ad51a41c5867a47582d4ad85d609e \ - "https://github.com/api7/lua-resty-ipmatcher/archive/v$LUA_RESTY_IPMATCHER_VERSION.tar.gz" - -get_src 0fb790e394510e73fdba1492e576aaec0b8ee9ef08e3e821ce253a07719cf7ea \ - "https://github.com/ElvinEfendi/lua-resty-global-throttle/archive/v$LUA_RESTY_GLOBAL_THROTTLE_VERSION.tar.gz" + "https://github.com/api7/lua-resty-ipmatcher/archive/$LUA_RESTY_IPMATCHER_VERSION.tar.gz" "lua-resty-ipmatcher" get_src d74f86ada2329016068bc5a243268f1f555edd620b6a7d6ce89295e7d6cf18da \ - "https://github.com/microsoft/mimalloc/archive/refs/tags/v${MIMALOC_VERSION}.tar.gz" + "https://github.com/microsoft/mimalloc/archive/${MIMALOC_VERSION}.tar.gz" "mimalloc" # improve compilation times CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1)) export MAKEFLAGS=-j${CORES} export CTEST_BUILD_FLAGS=${MAKEFLAGS} -export HUNTER_JOBS_NUMBER=${CORES} -export HUNTER_USE_CACHE_SERVERS=true # Install luajit from openresty fork export LUAJIT_LIB=/usr/local/lib export LUA_LIB_DIR="$LUAJIT_LIB/lua" export LUAJIT_INC=/usr/local/include/luajit-2.1 -cd "$BUILD_PATH/luajit2-$LUAJIT_VERSION" +cd "$BUILD_PATH/luajit2" make CCDEBUG=-g make install ln -s /usr/local/bin/luajit /usr/local/bin/lua ln -s "$LUAJIT_INC" /usr/local/include/lua -cd "$BUILD_PATH" +cd "$BUILD_PATH/opentelemetry-cpp" +export CXXFLAGS="-DBENCHMARK_HAS_NO_INLINE_ASSEMBLY" +cmake -B build -G Ninja -Wno-dev \ + -DOTELCPP_PROTO_PATH="${BUILD_PATH}/opentelemetry-proto/" \ + -DCMAKE_INSTALL_PREFIX=/usr \ + -DBUILD_SHARED_LIBS=ON \ + -DBUILD_TESTING="OFF" \ + -DBUILD_W3CTRACECONTEXT_TEST="OFF" \ + -DCMAKE_BUILD_TYPE=None \ + -DWITH_ABSEIL=ON \ + -DWITH_STL=ON \ + -DWITH_EXAMPLES=OFF \ + -DWITH_ZPAGES=OFF \ + -DWITH_OTLP_GRPC=ON \ + -DWITH_OTLP_HTTP=ON \ + -DWITH_ZIPKIN=ON \ + -DWITH_PROMETHEUS=OFF \ + -DWITH_ASYNC_EXPORT_PREVIEW=OFF \ + -DWITH_METRICS_EXEMPLAR_PREVIEW=OFF + cmake --build build + cmake --install build # Git tuning git config --global --add core.compression -1 -# build opentracing lib -cd "$BUILD_PATH/opentracing-cpp-$OPENTRACING_CPP_VERSION" -mkdir .build -cd .build - -cmake -DCMAKE_BUILD_TYPE=Release \ - -DBUILD_TESTING=OFF \ - -DBUILD_SHARED_LIBS=OFF \ - -DBUILD_MOCKTRACER=OFF \ - -DBUILD_STATIC_LIBS=ON \ - -DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true \ - .. - -make -make install - -# build yaml-cpp -# TODO @timmysilv: remove this and jaeger sed calls once it is fixed in jaeger-client-cpp -cd "$BUILD_PATH/yaml-cpp-$YAML_CPP_VERSION" -mkdir .build -cd .build - -cmake -DCMAKE_BUILD_TYPE=Release \ - -DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true \ - -DYAML_BUILD_SHARED_LIBS=ON \ - -DYAML_CPP_BUILD_TESTS=OFF \ - -DYAML_CPP_BUILD_TOOLS=OFF \ - .. - -make -make install - -# build jaeger lib -cd "$BUILD_PATH/jaeger-client-cpp-$JAEGER_VERSION" -sed -i 's/-Werror/-Wno-psabi/' CMakeLists.txt -# use the above built yaml-cpp instead until a new version of jaeger-client-cpp fixes the yaml-cpp issue -# tl;dr new hunter is needed for new yaml-cpp, but new hunter has a conflict with old Thrift and new Boost -sed -i 's/hunter_add_package(yaml-cpp)/#hunter_add_package(yaml-cpp)/' CMakeLists.txt -sed -i 's/yaml-cpp::yaml-cpp/yaml-cpp/' CMakeLists.txt - -cat < export.map -{ - global: - OpenTracingMakeTracerFactory; - local: *; -}; -EOF - -mkdir .build -cd .build - -cmake -DCMAKE_BUILD_TYPE=Release \ - -DBUILD_TESTING=OFF \ - -DJAEGERTRACING_BUILD_EXAMPLES=OFF \ - -DJAEGERTRACING_BUILD_CROSSDOCK=OFF \ - -DJAEGERTRACING_COVERAGE=OFF \ - -DJAEGERTRACING_PLUGIN=ON \ - -DHUNTER_CONFIGURATION_TYPES=Release \ - -DBUILD_SHARED_LIBS=OFF \ - -DJAEGERTRACING_WITH_YAML_CPP=ON \ - -DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true \ - .. - -make -make install - -export HUNTER_INSTALL_DIR=$(cat _3rdParty/Hunter/install-root-dir) \ - -mv libjaegertracing_plugin.so /usr/local/lib/libjaegertracing_plugin.so - - -# build zipkin lib -cd "$BUILD_PATH/zipkin-cpp-opentracing-$ZIPKIN_CPP_VERSION" - -cat < export.map -{ - global: - OpenTracingMakeTracerFactory; - local: *; -}; -EOF - -mkdir .build -cd .build - -cmake -DCMAKE_BUILD_TYPE=Release \ - -DBUILD_SHARED_LIBS=OFF \ - -DBUILD_PLUGIN=ON \ - -DBUILD_TESTING=OFF \ - -DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true \ - .. - -make -make install - -# build msgpack lib -cd "$BUILD_PATH/msgpack-c-cpp-$MSGPACK_VERSION" - -mkdir .build -cd .build -cmake -DCMAKE_BUILD_TYPE=Release \ - -DBUILD_SHARED_LIBS=OFF \ - -DMSGPACK_BUILD_EXAMPLES=OFF \ - -DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true \ - .. - -make -make install - -# build datadog lib -cd "$BUILD_PATH/dd-opentracing-cpp-$DATADOG_CPP_VERSION" - -mkdir .build -cd .build - -cmake -DCMAKE_BUILD_TYPE=Release \ - -DBUILD_TESTING=OFF \ - -DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true \ - .. - -make -make install - # Get Brotli source and deps cd "$BUILD_PATH" -git clone --depth=1 https://github.com/google/ngx_brotli.git +git clone --depth=100 https://github.com/google/ngx_brotli.git cd ngx_brotli +# https://github.com/google/ngx_brotli/issues/156 +git reset --hard 63ca02abdcf79c9e788d2eedcc388d2335902e52 git submodule init git submodule update @@ -524,17 +382,13 @@ mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-E mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf cd .. -# OWASP CRS v3 rules +# OWASP CRS v4 rules echo " Include /etc/nginx/owasp-modsecurity-crs/crs-setup.conf Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf @@ -543,7 +397,7 @@ Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LF Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf @@ -554,6 +408,7 @@ Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.co Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-955-WEB-SHELLS.conf Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf @@ -583,6 +438,7 @@ WITH_FLAGS="--with-debug \ --with-http_gzip_static_module \ --with-http_sub_module \ --with-http_v2_module \ + --with-http_v3_module \ --with-stream \ --with-stream_ssl_module \ --with-stream_realip_module \ @@ -602,10 +458,9 @@ CC_OPT="-g -O2 -fPIE -fstack-protector-strong \ --param=ssp-buffer-size=4 \ -DTCP_FASTOPEN=23 \ -fPIC \ - -I$HUNTER_INSTALL_DIR/include \ -Wno-cast-function-type" -LD_OPT="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now -L$HUNTER_INSTALL_DIR/lib" +LD_OPT="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now" if [[ ${ARCH} != "aarch64" ]]; then WITH_FLAGS+=" --with-file-aio" @@ -616,17 +471,16 @@ if [[ ${ARCH} == "x86_64" ]]; then fi WITH_MODULES=" \ - --add-module=$BUILD_PATH/ngx_devel_kit-$NDK_VERSION \ - --add-module=$BUILD_PATH/set-misc-nginx-module-$SETMISC_VERSION \ - --add-module=$BUILD_PATH/headers-more-nginx-module-$MORE_HEADERS_VERSION \ - --add-module=$BUILD_PATH/ngx_http_substitutions_filter_module-$NGINX_SUBSTITUTIONS \ - --add-module=$BUILD_PATH/lua-nginx-module-$LUA_NGX_VERSION \ - --add-module=$BUILD_PATH/stream-lua-nginx-module-$LUA_STREAM_NGX_VERSION \ - --add-module=$BUILD_PATH/lua-upstream-nginx-module-$LUA_UPSTREAM_VERSION \ - --add-dynamic-module=$BUILD_PATH/nginx-http-auth-digest-$NGINX_DIGEST_AUTH \ - --add-dynamic-module=$BUILD_PATH/nginx-opentracing-$NGINX_OPENTRACING_VERSION/opentracing \ - --add-dynamic-module=$BUILD_PATH/ModSecurity-nginx-$MODSECURITY_VERSION \ - --add-dynamic-module=$BUILD_PATH/ngx_http_geoip2_module-${GEOIP2_VERSION} \ + --add-module=$BUILD_PATH/ngx_devel_kit \ + --add-module=$BUILD_PATH/set-misc-nginx-module \ + --add-module=$BUILD_PATH/headers-more-nginx-module \ + --add-module=$BUILD_PATH/ngx_http_substitutions_filter_module \ + --add-module=$BUILD_PATH/lua-nginx-module \ + --add-module=$BUILD_PATH/stream-lua-nginx-module \ + --add-module=$BUILD_PATH/lua-upstream-nginx-module \ + --add-dynamic-module=$BUILD_PATH/nginx-http-auth-digest \ + --add-dynamic-module=$BUILD_PATH/ModSecurity-nginx \ + --add-dynamic-module=$BUILD_PATH/ngx_http_geoip2_module \ --add-dynamic-module=$BUILD_PATH/ngx_brotli" ./configure \ @@ -658,56 +512,80 @@ make make modules make install -cd "$BUILD_PATH/lua-resty-core-$LUA_RESTY_CORE" +export OPENTELEMETRY_CONTRIB_COMMIT=e11348bb400d5472bf1da5d6128bead66fa111ff +cd "$BUILD_PATH" + +git clone https://github.com/open-telemetry/opentelemetry-cpp-contrib.git opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT} + +cd ${BUILD_PATH}/opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT} +git reset --hard ${OPENTELEMETRY_CONTRIB_COMMIT} + +export OTEL_TEMP_INSTALL=/tmp/otel +mkdir -p ${OTEL_TEMP_INSTALL} + +cd ${BUILD_PATH}/opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT}/instrumentation/nginx +mkdir -p build +cd build +cmake -DCMAKE_BUILD_TYPE=Release \ + -G Ninja \ + -DCMAKE_CXX_STANDARD=17 \ + -DCMAKE_INSTALL_PREFIX=${OTEL_TEMP_INSTALL} \ + -DBUILD_SHARED_LIBS=ON \ + -DNGINX_VERSION=${NGINX_VERSION} \ + .. +cmake --build . -j ${CORES} --target install + +mkdir -p /etc/nginx/modules +cp ${OTEL_TEMP_INSTALL}/otel_ngx_module.so /etc/nginx/modules/otel_ngx_module.so + + +cd "$BUILD_PATH/lua-resty-core" make install -cd "$BUILD_PATH/lua-resty-balancer-$LUA_RESTY_BALANCER" +cd "$BUILD_PATH/lua-resty-balancer" make all make install export LUA_INCLUDE_DIR=/usr/local/include/luajit-2.1 ln -s $LUA_INCLUDE_DIR /usr/include/lua5.1 -cd "$BUILD_PATH/lua-cjson-$LUA_CJSON_VERSION" +cd "$BUILD_PATH/lua-cjson" make all make install -cd "$BUILD_PATH/lua-resty-cookie-$LUA_RESTY_COOKIE_VERSION" +cd "$BUILD_PATH/lua-resty-cookie" make all make install -cd "$BUILD_PATH/lua-resty-lrucache-$LUA_RESTY_CACHE" +cd "$BUILD_PATH/lua-resty-lrucache" make install -cd "$BUILD_PATH/lua-resty-dns-$LUA_RESTY_DNS" +cd "$BUILD_PATH/lua-resty-dns" make install -cd "$BUILD_PATH/lua-resty-lock-$LUA_RESTY_LOCK" +cd "$BUILD_PATH/lua-resty-lock" make install # required for OCSP verification -cd "$BUILD_PATH/lua-resty-http-$LUA_RESTY_HTTP" +cd "$BUILD_PATH/lua-resty-http" make install -cd "$BUILD_PATH/lua-resty-upload-$LUA_RESTY_UPLOAD_VERSION" +cd "$BUILD_PATH/lua-resty-upload" make install -cd "$BUILD_PATH/lua-resty-string-$LUA_RESTY_STRING_VERSION" +cd "$BUILD_PATH/lua-resty-string" make install -cd "$BUILD_PATH/lua-resty-memcached-$LUA_RESTY_MEMCACHED_VERSION" +cd "$BUILD_PATH/lua-resty-memcached" make install -cd "$BUILD_PATH/lua-resty-redis-$LUA_RESTY_REDIS_VERSION" +cd "$BUILD_PATH/lua-resty-redis" make install -cd "$BUILD_PATH/lua-resty-ipmatcher-$LUA_RESTY_IPMATCHER_VERSION" +cd "$BUILD_PATH/lua-resty-ipmatcher" INST_LUADIR=/usr/local/lib/lua make install -cd "$BUILD_PATH/lua-resty-global-throttle-$LUA_RESTY_GLOBAL_THROTTLE_VERSION" -make install - -cd "$BUILD_PATH/mimalloc-$MIMALOC_VERSION" +cd "$BUILD_PATH/mimalloc" mkdir -p out/release cd out/release diff --git a/images/nginx-1.25/rootfs/patches/00_drop-alias-root.patch b/images/nginx/rootfs/patches/00_drop-alias-root.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/00_drop-alias-root.patch rename to images/nginx/rootfs/patches/00_drop-alias-root.patch diff --git a/images/nginx-1.25/rootfs/patches/01_nginx-1.25.3-win32_max_err_str.patch b/images/nginx/rootfs/patches/01_nginx-1.25.3-win32_max_err_str.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/01_nginx-1.25.3-win32_max_err_str.patch rename to images/nginx/rootfs/patches/01_nginx-1.25.3-win32_max_err_str.patch diff --git a/images/nginx-1.25/rootfs/patches/02_nginx-1.25.3-stream_balancer_export.patch b/images/nginx/rootfs/patches/02_nginx-1.25.3-stream_balancer_export.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/02_nginx-1.25.3-stream_balancer_export.patch rename to images/nginx/rootfs/patches/02_nginx-1.25.3-stream_balancer_export.patch diff --git a/images/nginx-1.25/rootfs/patches/03_nginx-1.25.3-stream_proxy_get_next_upstream_tries.patch b/images/nginx/rootfs/patches/03_nginx-1.25.3-stream_proxy_get_next_upstream_tries.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/03_nginx-1.25.3-stream_proxy_get_next_upstream_tries.patch rename to images/nginx/rootfs/patches/03_nginx-1.25.3-stream_proxy_get_next_upstream_tries.patch diff --git a/images/nginx-1.25/rootfs/patches/04_nginx-1.25.3-stream_proxy_timeout_fields.patch b/images/nginx/rootfs/patches/04_nginx-1.25.3-stream_proxy_timeout_fields.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/04_nginx-1.25.3-stream_proxy_timeout_fields.patch rename to images/nginx/rootfs/patches/04_nginx-1.25.3-stream_proxy_timeout_fields.patch diff --git a/images/nginx-1.25/rootfs/patches/05_nginx-1.25.3-stream_ssl_preread_no_skip.patch b/images/nginx/rootfs/patches/05_nginx-1.25.3-stream_ssl_preread_no_skip.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/05_nginx-1.25.3-stream_ssl_preread_no_skip.patch rename to images/nginx/rootfs/patches/05_nginx-1.25.3-stream_ssl_preread_no_skip.patch diff --git a/images/nginx-1.25/rootfs/patches/06_nginx-1.25.3-resolver_conf_parsing.patch b/images/nginx/rootfs/patches/06_nginx-1.25.3-resolver_conf_parsing.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/06_nginx-1.25.3-resolver_conf_parsing.patch rename to images/nginx/rootfs/patches/06_nginx-1.25.3-resolver_conf_parsing.patch diff --git a/images/nginx-1.25/rootfs/patches/07_nginx-1.25.3-daemon_destroy_pool.patch b/images/nginx/rootfs/patches/07_nginx-1.25.3-daemon_destroy_pool.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/07_nginx-1.25.3-daemon_destroy_pool.patch rename to images/nginx/rootfs/patches/07_nginx-1.25.3-daemon_destroy_pool.patch diff --git a/images/nginx-1.25/rootfs/patches/08_nginx-1.25.3-init_cycle_pool_release.patch b/images/nginx/rootfs/patches/08_nginx-1.25.3-init_cycle_pool_release.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/08_nginx-1.25.3-init_cycle_pool_release.patch rename to images/nginx/rootfs/patches/08_nginx-1.25.3-init_cycle_pool_release.patch diff --git a/images/nginx-1.25/rootfs/patches/09_nginx-1.25.3-balancer_status_code.patch b/images/nginx/rootfs/patches/09_nginx-1.25.3-balancer_status_code.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/09_nginx-1.25.3-balancer_status_code.patch rename to images/nginx/rootfs/patches/09_nginx-1.25.3-balancer_status_code.patch diff --git a/images/nginx-1.25/rootfs/patches/10_nginx-1.25.3-delayed_posted_events.patch b/images/nginx/rootfs/patches/10_nginx-1.25.3-delayed_posted_events.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/10_nginx-1.25.3-delayed_posted_events.patch rename to images/nginx/rootfs/patches/10_nginx-1.25.3-delayed_posted_events.patch diff --git a/images/nginx-1.25/rootfs/patches/11_nginx-1.25.3-privileged_agent_process.patch b/images/nginx/rootfs/patches/11_nginx-1.25.3-privileged_agent_process.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/11_nginx-1.25.3-privileged_agent_process.patch rename to images/nginx/rootfs/patches/11_nginx-1.25.3-privileged_agent_process.patch diff --git a/images/nginx-1.25/rootfs/patches/12_nginx-1.25.3-privileged_agent_process_connections.patch b/images/nginx/rootfs/patches/12_nginx-1.25.3-privileged_agent_process_connections.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/12_nginx-1.25.3-privileged_agent_process_connections.patch rename to images/nginx/rootfs/patches/12_nginx-1.25.3-privileged_agent_process_connections.patch diff --git a/images/nginx-1.25/rootfs/patches/13_nginx-1.25.3-privileged_agent_process_thread_pool.patch b/images/nginx/rootfs/patches/13_nginx-1.25.3-privileged_agent_process_thread_pool.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/13_nginx-1.25.3-privileged_agent_process_thread_pool.patch rename to images/nginx/rootfs/patches/13_nginx-1.25.3-privileged_agent_process_thread_pool.patch diff --git a/images/nginx-1.25/rootfs/patches/14_nginx-1.25.3-single_process_graceful_exit.patch b/images/nginx/rootfs/patches/14_nginx-1.25.3-single_process_graceful_exit.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/14_nginx-1.25.3-single_process_graceful_exit.patch rename to images/nginx/rootfs/patches/14_nginx-1.25.3-single_process_graceful_exit.patch diff --git a/images/nginx-1.25/rootfs/patches/15_nginx-1.25.3-intercept_error_log.patch b/images/nginx/rootfs/patches/15_nginx-1.25.3-intercept_error_log.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/15_nginx-1.25.3-intercept_error_log.patch rename to images/nginx/rootfs/patches/15_nginx-1.25.3-intercept_error_log.patch diff --git a/images/nginx-1.25/rootfs/patches/16_nginx-1.25.3-upstream_pipelining.patch b/images/nginx/rootfs/patches/16_nginx-1.25.3-upstream_pipelining.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/16_nginx-1.25.3-upstream_pipelining.patch rename to images/nginx/rootfs/patches/16_nginx-1.25.3-upstream_pipelining.patch diff --git a/images/nginx-1.25/rootfs/patches/17_nginx-1.25.3-no_error_pages.patch b/images/nginx/rootfs/patches/17_nginx-1.25.3-no_error_pages.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/17_nginx-1.25.3-no_error_pages.patch rename to images/nginx/rootfs/patches/17_nginx-1.25.3-no_error_pages.patch diff --git a/images/nginx-1.25/rootfs/patches/18_nginx-1.25.3-no_Werror.patch b/images/nginx/rootfs/patches/18_nginx-1.25.3-no_Werror.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/18_nginx-1.25.3-no_Werror.patch rename to images/nginx/rootfs/patches/18_nginx-1.25.3-no_Werror.patch diff --git a/images/nginx-1.25/rootfs/patches/19_nginx-1.25.3-log_escape_non_ascii.patch b/images/nginx/rootfs/patches/19_nginx-1.25.3-log_escape_non_ascii.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/19_nginx-1.25.3-log_escape_non_ascii.patch rename to images/nginx/rootfs/patches/19_nginx-1.25.3-log_escape_non_ascii.patch diff --git a/images/nginx-1.25/rootfs/patches/20_nginx-1.25.3-proxy_host_port_vars.patch b/images/nginx/rootfs/patches/20_nginx-1.25.3-proxy_host_port_vars.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/20_nginx-1.25.3-proxy_host_port_vars.patch rename to images/nginx/rootfs/patches/20_nginx-1.25.3-proxy_host_port_vars.patch diff --git a/images/nginx-1.25/rootfs/patches/21_nginx-1.25.3-cache_manager_exit.patch b/images/nginx/rootfs/patches/21_nginx-1.25.3-cache_manager_exit.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/21_nginx-1.25.3-cache_manager_exit.patch rename to images/nginx/rootfs/patches/21_nginx-1.25.3-cache_manager_exit.patch diff --git a/images/nginx-1.25/rootfs/patches/22_nginx-1.25.3-larger_max_error_str.patch b/images/nginx/rootfs/patches/22_nginx-1.25.3-larger_max_error_str.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/22_nginx-1.25.3-larger_max_error_str.patch rename to images/nginx/rootfs/patches/22_nginx-1.25.3-larger_max_error_str.patch diff --git a/images/nginx-1.25/rootfs/patches/23_nginx-1.25.3-pcre_conf_opt.patch b/images/nginx/rootfs/patches/23_nginx-1.25.3-pcre_conf_opt.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/23_nginx-1.25.3-pcre_conf_opt.patch rename to images/nginx/rootfs/patches/23_nginx-1.25.3-pcre_conf_opt.patch diff --git a/images/nginx-1.25/rootfs/patches/24_nginx-1.25.3-always_enable_cc_feature_tests.patch b/images/nginx/rootfs/patches/24_nginx-1.25.3-always_enable_cc_feature_tests.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/24_nginx-1.25.3-always_enable_cc_feature_tests.patch rename to images/nginx/rootfs/patches/24_nginx-1.25.3-always_enable_cc_feature_tests.patch diff --git a/images/nginx-1.25/rootfs/patches/25_nginx-1.25.3-ssl_cert_cb_yield.patch b/images/nginx/rootfs/patches/25_nginx-1.25.3-ssl_cert_cb_yield.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/25_nginx-1.25.3-ssl_cert_cb_yield.patch rename to images/nginx/rootfs/patches/25_nginx-1.25.3-ssl_cert_cb_yield.patch diff --git a/images/nginx-1.25/rootfs/patches/26_nginx-1.25.3-ssl_sess_cb_yield.patch b/images/nginx/rootfs/patches/26_nginx-1.25.3-ssl_sess_cb_yield.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/26_nginx-1.25.3-ssl_sess_cb_yield.patch rename to images/nginx/rootfs/patches/26_nginx-1.25.3-ssl_sess_cb_yield.patch diff --git a/images/nginx-1.25/rootfs/patches/27_nginx-1.25.3-ssl_client_hello_cb_yield.patch b/images/nginx/rootfs/patches/27_nginx-1.25.3-ssl_client_hello_cb_yield.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/27_nginx-1.25.3-ssl_client_hello_cb_yield.patch rename to images/nginx/rootfs/patches/27_nginx-1.25.3-ssl_client_hello_cb_yield.patch diff --git a/images/nginx-1.25/rootfs/patches/28_nginx-1.25.3-upstream_timeout_fields.patch b/images/nginx/rootfs/patches/28_nginx-1.25.3-upstream_timeout_fields.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/28_nginx-1.25.3-upstream_timeout_fields.patch rename to images/nginx/rootfs/patches/28_nginx-1.25.3-upstream_timeout_fields.patch diff --git a/images/nginx-1.25/rootfs/patches/29_nginx-1.25.3-safe_resolver_ipv6_option.patch b/images/nginx/rootfs/patches/29_nginx-1.25.3-safe_resolver_ipv6_option.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/29_nginx-1.25.3-safe_resolver_ipv6_option.patch rename to images/nginx/rootfs/patches/29_nginx-1.25.3-safe_resolver_ipv6_option.patch diff --git a/images/nginx-1.25/rootfs/patches/30_nginx-1.25.3-socket_cloexec.patch b/images/nginx/rootfs/patches/30_nginx-1.25.3-socket_cloexec.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/30_nginx-1.25.3-socket_cloexec.patch rename to images/nginx/rootfs/patches/30_nginx-1.25.3-socket_cloexec.patch diff --git a/images/nginx-1.25/rootfs/patches/31_nginx-1.25.3-reuseport_close_unused_fds.patch b/images/nginx/rootfs/patches/31_nginx-1.25.3-reuseport_close_unused_fds.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/31_nginx-1.25.3-reuseport_close_unused_fds.patch rename to images/nginx/rootfs/patches/31_nginx-1.25.3-reuseport_close_unused_fds.patch diff --git a/images/nginx/rootfs/patches/drop-alias-root.patch b/images/nginx/rootfs/patches/drop-alias-root.patch deleted file mode 100644 index a92e08bd0..000000000 --- a/images/nginx/rootfs/patches/drop-alias-root.patch +++ /dev/null @@ -1,144 +0,0 @@ -:100644 100644 c7463dcd 00000000 M src/http/ngx_http_core_module.c -diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c -index c7463dcd..e2e45931 100644 ---- a/src/http/ngx_http_core_module.c -+++ b/src/http/ngx_http_core_module.c -@@ -55,7 +55,6 @@ static char *ngx_http_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, - void *conf); - static char *ngx_http_core_server_name(ngx_conf_t *cf, ngx_command_t *cmd, - void *conf); --static char *ngx_http_core_root(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); - static char *ngx_http_core_limit_except(ngx_conf_t *cf, ngx_command_t *cmd, - void *conf); - static char *ngx_http_core_set_aio(ngx_conf_t *cf, ngx_command_t *cmd, -@@ -323,21 +322,6 @@ static ngx_command_t ngx_http_core_commands[] = { - offsetof(ngx_http_core_loc_conf_t, default_type), - NULL }, - -- { ngx_string("root"), -- NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -- |NGX_CONF_TAKE1, -- ngx_http_core_root, -- NGX_HTTP_LOC_CONF_OFFSET, -- 0, -- NULL }, -- -- { ngx_string("alias"), -- NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, -- ngx_http_core_root, -- NGX_HTTP_LOC_CONF_OFFSET, -- 0, -- NULL }, -- - { ngx_string("limit_except"), - NGX_HTTP_LOC_CONF|NGX_CONF_BLOCK|NGX_CONF_1MORE, - ngx_http_core_limit_except, -@@ -4312,108 +4296,6 @@ ngx_http_core_server_name(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) - } - - --static char * --ngx_http_core_root(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) --{ -- ngx_http_core_loc_conf_t *clcf = conf; -- -- ngx_str_t *value; -- ngx_int_t alias; -- ngx_uint_t n; -- ngx_http_script_compile_t sc; -- -- alias = (cmd->name.len == sizeof("alias") - 1) ? 1 : 0; -- -- if (clcf->root.data) { -- -- if ((clcf->alias != 0) == alias) { -- return "is duplicate"; -- } -- -- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -- "\"%V\" directive is duplicate, " -- "\"%s\" directive was specified earlier", -- &cmd->name, clcf->alias ? "alias" : "root"); -- -- return NGX_CONF_ERROR; -- } -- -- if (clcf->named && alias) { -- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -- "the \"alias\" directive cannot be used " -- "inside the named location"); -- -- return NGX_CONF_ERROR; -- } -- -- value = cf->args->elts; -- -- if (ngx_strstr(value[1].data, "$document_root") -- || ngx_strstr(value[1].data, "${document_root}")) -- { -- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -- "the $document_root variable cannot be used " -- "in the \"%V\" directive", -- &cmd->name); -- -- return NGX_CONF_ERROR; -- } -- -- if (ngx_strstr(value[1].data, "$realpath_root") -- || ngx_strstr(value[1].data, "${realpath_root}")) -- { -- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -- "the $realpath_root variable cannot be used " -- "in the \"%V\" directive", -- &cmd->name); -- -- return NGX_CONF_ERROR; -- } -- -- clcf->alias = alias ? clcf->name.len : 0; -- clcf->root = value[1]; -- -- if (!alias && clcf->root.len > 0 -- && clcf->root.data[clcf->root.len - 1] == '/') -- { -- clcf->root.len--; -- } -- -- if (clcf->root.data[0] != '$') { -- if (ngx_conf_full_name(cf->cycle, &clcf->root, 0) != NGX_OK) { -- return NGX_CONF_ERROR; -- } -- } -- -- n = ngx_http_script_variables_count(&clcf->root); -- -- ngx_memzero(&sc, sizeof(ngx_http_script_compile_t)); -- sc.variables = n; -- --#if (NGX_PCRE) -- if (alias && clcf->regex) { -- clcf->alias = NGX_MAX_SIZE_T_VALUE; -- n = 1; -- } --#endif -- -- if (n) { -- sc.cf = cf; -- sc.source = &clcf->root; -- sc.lengths = &clcf->root_lengths; -- sc.values = &clcf->root_values; -- sc.complete_lengths = 1; -- sc.complete_values = 1; -- -- if (ngx_http_script_compile(&sc) != NGX_OK) { -- return NGX_CONF_ERROR; -- } -- } -- -- return NGX_CONF_OK; --} -- -- - static ngx_http_method_name_t ngx_methods_names[] = { - { (u_char *) "GET", (uint32_t) ~NGX_HTTP_GET }, - { (u_char *) "HEAD", (uint32_t) ~NGX_HTTP_HEAD }, diff --git a/images/nginx/rootfs/patches/nginx-1.21.4-balancer_status_code.patch b/images/nginx/rootfs/patches/nginx-1.21.4-balancer_status_code.patch deleted file mode 100644 index c4d87e2fb..000000000 --- a/images/nginx/rootfs/patches/nginx-1.21.4-balancer_status_code.patch +++ /dev/null @@ -1,72 +0,0 @@ -diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c -index f8d5707d..6efe0047 100644 ---- a/src/http/ngx_http_upstream.c -+++ b/src/http/ngx_http_upstream.c -@@ -1515,6 +1515,11 @@ ngx_http_upstream_connect(ngx_http_request_t *r, ngx_http_upstream_t *u) - return; - } - -+ if (rc >= NGX_HTTP_SPECIAL_RESPONSE) { -+ ngx_http_upstream_finalize_request(r, u, rc); -+ return; -+ } -+ - u->state->peer = u->peer.name; - - if (rc == NGX_BUSY) { -diff --git a/src/http/ngx_http_upstream.h b/src/http/ngx_http_upstream.h -index 3e714e5b..dfbb25e0 100644 ---- a/src/http/ngx_http_upstream.h -+++ b/src/http/ngx_http_upstream.h -@@ -427,4 +427,9 @@ extern ngx_conf_bitmask_t ngx_http_upstream_cache_method_mask[]; - extern ngx_conf_bitmask_t ngx_http_upstream_ignore_headers_masks[]; - - -+#ifndef HAVE_BALANCER_STATUS_CODE_PATCH -+#define HAVE_BALANCER_STATUS_CODE_PATCH -+#endif -+ -+ - #endif /* _NGX_HTTP_UPSTREAM_H_INCLUDED_ */ -diff --git a/src/stream/ngx_stream.h b/src/stream/ngx_stream.h -index 09d24593..d8b4b584 100644 ---- a/src/stream/ngx_stream.h -+++ b/src/stream/ngx_stream.h -@@ -27,6 +27,7 @@ typedef struct ngx_stream_session_s ngx_stream_session_t; - - - #define NGX_STREAM_OK 200 -+#define NGX_STREAM_SPECIAL_RESPONSE 300 - #define NGX_STREAM_BAD_REQUEST 400 - #define NGX_STREAM_FORBIDDEN 403 - #define NGX_STREAM_INTERNAL_SERVER_ERROR 500 -diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c -index 818d7329..329dcdc6 100644 ---- a/src/stream/ngx_stream_proxy_module.c -+++ b/src/stream/ngx_stream_proxy_module.c -@@ -691,6 +691,11 @@ ngx_stream_proxy_connect(ngx_stream_session_t *s) - return; - } - -+ if (rc >= NGX_STREAM_SPECIAL_RESPONSE) { -+ ngx_stream_proxy_finalize(s, rc); -+ return; -+ } -+ - u->state->peer = u->peer.name; - - if (rc == NGX_BUSY) { -diff --git a/src/stream/ngx_stream_upstream.h b/src/stream/ngx_stream_upstream.h -index 73947f46..21bc0ad7 100644 ---- a/src/stream/ngx_stream_upstream.h -+++ b/src/stream/ngx_stream_upstream.h -@@ -151,4 +151,9 @@ ngx_stream_upstream_srv_conf_t *ngx_stream_upstream_add(ngx_conf_t *cf, - extern ngx_module_t ngx_stream_upstream_module; - - -+#ifndef HAVE_BALANCER_STATUS_CODE_PATCH -+#define HAVE_BALANCER_STATUS_CODE_PATCH -+#endif -+ -+ - #endif /* _NGX_STREAM_UPSTREAM_H_INCLUDED_ */ diff --git a/images/nginx/rootfs/patches/nginx-1.21.4-cache_manager_exit.patch b/images/nginx/rootfs/patches/nginx-1.21.4-cache_manager_exit.patch deleted file mode 100644 index 91ee63a26..000000000 --- a/images/nginx/rootfs/patches/nginx-1.21.4-cache_manager_exit.patch +++ /dev/null @@ -1,19 +0,0 @@ -# HG changeset patch -# User Yichun Zhang -# Date 1383598130 28800 -# Node ID f64218e1ac963337d84092536f588b8e0d99bbaa -# Parent dea321e5c0216efccbb23e84bbce7cf3e28f130c -Cache: gracefully exit the cache manager process. - -diff -r dea321e5c021 -r f64218e1ac96 src/os/unix/ngx_process_cycle.c ---- a/src/os/unix/ngx_process_cycle.c Thu Oct 31 18:23:49 2013 +0400 -+++ b/src/os/unix/ngx_process_cycle.c Mon Nov 04 12:48:50 2013 -0800 -@@ -1134,7 +1134,7 @@ - - if (ngx_terminate || ngx_quit) { - ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting"); -- exit(0); -+ ngx_worker_process_exit(cycle); - } - - if (ngx_reopen) { diff --git a/images/nginx/rootfs/patches/nginx-1.21.4-delayed_posted_events.patch b/images/nginx/rootfs/patches/nginx-1.21.4-delayed_posted_events.patch deleted file mode 100644 index 687584324..000000000 --- a/images/nginx/rootfs/patches/nginx-1.21.4-delayed_posted_events.patch +++ /dev/null @@ -1,98 +0,0 @@ -diff --git a/src/event/ngx_event.c b/src/event/ngx_event.c -index 57af8132..4853945f 100644 ---- a/src/event/ngx_event.c -+++ b/src/event/ngx_event.c -@@ -196,6 +196,9 @@ ngx_process_events_and_timers(ngx_cycle_t *cycle) - ngx_uint_t flags; - ngx_msec_t timer, delta; - -+ ngx_queue_t *q; -+ ngx_event_t *ev; -+ - if (ngx_timer_resolution) { - timer = NGX_TIMER_INFINITE; - flags = 0; -@@ -215,6 +218,13 @@ ngx_process_events_and_timers(ngx_cycle_t *cycle) - #endif - } - -+ if (!ngx_queue_empty(&ngx_posted_delayed_events)) { -+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, cycle->log, 0, -+ "posted delayed event queue not empty" -+ " making poll timeout 0"); -+ timer = 0; -+ } -+ - if (ngx_use_accept_mutex) { - if (ngx_accept_disabled > 0) { - ngx_accept_disabled--; -@@ -257,6 +267,35 @@ ngx_process_events_and_timers(ngx_cycle_t *cycle) - } - - ngx_event_process_posted(cycle, &ngx_posted_events); -+ -+ while (!ngx_queue_empty(&ngx_posted_delayed_events)) { -+ q = ngx_queue_head(&ngx_posted_delayed_events); -+ -+ ev = ngx_queue_data(q, ngx_event_t, queue); -+ if (ev->delayed) { -+ /* start of newly inserted nodes */ -+ for (/* void */; -+ q != ngx_queue_sentinel(&ngx_posted_delayed_events); -+ q = ngx_queue_next(q)) -+ { -+ ev = ngx_queue_data(q, ngx_event_t, queue); -+ ev->delayed = 0; -+ -+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, cycle->log, 0, -+ "skipping delayed posted event %p," -+ " till next iteration", ev); -+ } -+ -+ break; -+ } -+ -+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, cycle->log, 0, -+ "delayed posted event %p", ev); -+ -+ ngx_delete_posted_event(ev); -+ -+ ev->handler(ev); -+ } - } - - -@@ -600,6 +639,7 @@ ngx_event_process_init(ngx_cycle_t *cycle) - - ngx_queue_init(&ngx_posted_accept_events); - ngx_queue_init(&ngx_posted_events); -+ ngx_queue_init(&ngx_posted_delayed_events); - - if (ngx_event_timer_init(cycle->log) == NGX_ERROR) { - return NGX_ERROR; -diff --git a/src/event/ngx_event_posted.c b/src/event/ngx_event_posted.c -index d851f3d1..b6cea009 100644 ---- a/src/event/ngx_event_posted.c -+++ b/src/event/ngx_event_posted.c -@@ -12,6 +12,7 @@ - - ngx_queue_t ngx_posted_accept_events; - ngx_queue_t ngx_posted_events; -+ngx_queue_t ngx_posted_delayed_events; - - - void -diff --git a/src/event/ngx_event_posted.h b/src/event/ngx_event_posted.h -index 145d30fe..6c388553 100644 ---- a/src/event/ngx_event_posted.h -+++ b/src/event/ngx_event_posted.h -@@ -43,6 +43,9 @@ void ngx_event_process_posted(ngx_cycle_t *cycle, ngx_queue_t *posted); - - extern ngx_queue_t ngx_posted_accept_events; - extern ngx_queue_t ngx_posted_events; -+extern ngx_queue_t ngx_posted_delayed_events; -+ -+#define HAVE_POSTED_DELAYED_EVENTS_PATCH - - - #endif /* _NGX_EVENT_POSTED_H_INCLUDED_ */ diff --git a/images/nginx/rootfs/patches/nginx-1.21.4-hash_overflow.patch b/images/nginx/rootfs/patches/nginx-1.21.4-hash_overflow.patch deleted file mode 100644 index 449d214ba..000000000 --- a/images/nginx/rootfs/patches/nginx-1.21.4-hash_overflow.patch +++ /dev/null @@ -1,20 +0,0 @@ -# HG changeset patch -# User Yichun Zhang -# Date 1412276417 25200 -# Thu Oct 02 12:00:17 2014 -0700 -# Node ID 4032b992f23b054c1a2cfb0be879330d2c6708e5 -# Parent 1ff0f68d9376e3d184d65814a6372856bf65cfcd -Hash: buffer overflow might happen when exceeding the pre-configured limits. - -diff -r 1ff0f68d9376 -r 4032b992f23b src/core/ngx_hash.c ---- a/src/core/ngx_hash.c Tue Sep 30 15:50:28 2014 -0700 -+++ b/src/core/ngx_hash.c Thu Oct 02 12:00:17 2014 -0700 -@@ -312,6 +312,8 @@ ngx_hash_init(ngx_hash_init_t *hinit, ng - continue; - } - -+ size--; -+ - ngx_log_error(NGX_LOG_WARN, hinit->pool->log, 0, - "could not build optimal %s, you should increase " - "either %s_max_size: %i or %s_bucket_size: %i; " diff --git a/images/nginx/rootfs/patches/nginx-1.21.4-http2.patch b/images/nginx/rootfs/patches/nginx-1.21.4-http2.patch deleted file mode 100644 index 3b9d57736..000000000 --- a/images/nginx/rootfs/patches/nginx-1.21.4-http2.patch +++ /dev/null @@ -1,57 +0,0 @@ -#commit 6ceef192e7af1c507826ac38a2d43f08bf265fb9 -#repository: https://github.com/nginx/nginx -#Author: Maxim Dounin -#Date: Tue Oct 10 15:13:39 2023 +0300 -diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c -index 7c05ff1e7..410a8be24 100644 ---- a/src/http/v2/ngx_http_v2.c -+++ b/src/http/v2/ngx_http_v2.c -@@ -347,6 +347,7 @@ ngx_http_v2_read_handler(ngx_event_t *rev) - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http2 read handler"); - - h2c->blocked = 1; -+ h2c->new_streams = 0; - - if (c->close) { - c->close = 0; -@@ -1284,6 +1285,14 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos, - goto rst_stream; - } - -+ if (h2c->new_streams++ >= 2 * h2scf->concurrent_streams) { -+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, -+ "client sent too many streams at once"); -+ -+ status = NGX_HTTP_V2_REFUSED_STREAM; -+ goto rst_stream; -+ } -+ - if (!h2c->settings_ack - && !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG) - && h2scf->preread_size < NGX_HTTP_V2_DEFAULT_WINDOW) -@@ -1349,6 +1358,12 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos, - - rst_stream: - -+ if (h2c->refused_streams++ > ngx_max(h2scf->concurrent_streams, 100)) { -+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, -+ "client sent too many refused streams"); -+ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_NO_ERROR); -+ } -+ - if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid, status) != NGX_OK) { - return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR); - } -diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h -index cb9014ccf..6751b3026 100644 ---- a/src/http/v2/ngx_http_v2.h -+++ b/src/http/v2/ngx_http_v2.h -@@ -131,6 +131,8 @@ struct ngx_http_v2_connection_s { - ngx_uint_t processing; - ngx_uint_t frames; - ngx_uint_t idle; -+ ngx_uint_t new_streams; -+ ngx_uint_t refused_streams; - ngx_uint_t priority_limit; - - size_t send_window; \ No newline at end of file diff --git a/images/nginx/rootfs/patches/nginx-1.21.4-init_cycle_pool_release.patch b/images/nginx/rootfs/patches/nginx-1.21.4-init_cycle_pool_release.patch deleted file mode 100644 index 9cfa4f7cb..000000000 --- a/images/nginx/rootfs/patches/nginx-1.21.4-init_cycle_pool_release.patch +++ /dev/null @@ -1,59 +0,0 @@ -diff -rup nginx-1.21.4/src/core/nginx.c nginx-1.21.4-patched/src/core/nginx.c ---- nginx-1.21.4/src/core/nginx.c 2017-12-17 00:00:38.136470108 -0800 -+++ nginx-1.21.4-patched/src/core/nginx.c 2017-12-16 23:59:51.680958322 -0800 -@@ -186,6 +186,7 @@ static u_char *ngx_prefix; - static u_char *ngx_conf_file; - static u_char *ngx_conf_params; - static char *ngx_signal; -+ngx_pool_t *saved_init_cycle_pool = NULL; - - - static char **ngx_os_environ; -@@ -253,6 +254,8 @@ main(int argc, char *const *argv) - return 1; - } - -+ saved_init_cycle_pool = init_cycle.pool; -+ - if (ngx_save_argv(&init_cycle, argc, argv) != NGX_OK) { - return 1; - } -diff -rup nginx-1.21.4/src/core/ngx_core.h nginx-1.21.4-patched/src/core/ngx_core.h ---- nginx-1.21.4/src/core/ngx_core.h 2017-10-10 08:22:51.000000000 -0700 -+++ nginx-1.21.4-patched/src/core/ngx_core.h 2017-12-16 23:59:51.679958370 -0800 -@@ -108,4 +108,6 @@ void ngx_cpuinfo(void); - #define NGX_DISABLE_SYMLINKS_NOTOWNER 2 - #endif - -+extern ngx_pool_t *saved_init_cycle_pool; -+ - #endif /* _NGX_CORE_H_INCLUDED_ */ -diff -rup nginx-1.21.4/src/core/ngx_cycle.c nginx-1.21.4-patched/src/core/ngx_cycle.c ---- nginx-1.21.4/src/core/ngx_cycle.c 2017-10-10 08:22:51.000000000 -0700 -+++ nginx-1.21.4-patched/src/core/ngx_cycle.c 2017-12-16 23:59:51.678958419 -0800 -@@ -748,6 +748,10 @@ old_shm_zone_done: - - if (ngx_process == NGX_PROCESS_MASTER || ngx_is_init_cycle(old_cycle)) { - -+ if (ngx_is_init_cycle(old_cycle)) { -+ saved_init_cycle_pool = NULL; -+ } -+ - ngx_destroy_pool(old_cycle->pool); - cycle->old_cycle = NULL; - -diff -rup nginx-1.21.4/src/os/unix/ngx_process_cycle.c nginx-1.21.4-patched/src/os/unix/ngx_process_cycle.c ---- nginx-1.21.4/src/os/unix/ngx_process_cycle.c 2017-12-17 00:00:38.142469762 -0800 -+++ nginx-1.21.4-patched/src/os/unix/ngx_process_cycle.c 2017-12-16 23:59:51.691957791 -0800 -@@ -687,6 +692,11 @@ ngx_master_process_exit(ngx_cycle_t *cyc - ngx_exit_cycle.files_n = ngx_cycle->files_n; - ngx_cycle = &ngx_exit_cycle; - -+ if (saved_init_cycle_pool != NULL && saved_init_cycle_pool != cycle->pool) { -+ ngx_destroy_pool(saved_init_cycle_pool); -+ saved_init_cycle_pool = NULL; -+ } -+ - ngx_destroy_pool(cycle->pool); - - exit(0); diff --git a/images/nginx/rootfs/patches/nginx-1.21.4-larger_max_error_str.patch b/images/nginx/rootfs/patches/nginx-1.21.4-larger_max_error_str.patch deleted file mode 100644 index c89032c9f..000000000 --- a/images/nginx/rootfs/patches/nginx-1.21.4-larger_max_error_str.patch +++ /dev/null @@ -1,13 +0,0 @@ ---- nginx-1.21.4/src/core/ngx_log.h 2013-10-08 05:07:14.000000000 -0700 -+++ nginx-1.21.4-patched/src/core/ngx_log.h 2013-12-05 20:35:35.996236720 -0800 -@@ -64,7 +64,9 @@ struct ngx_log_s { - }; - - --#define NGX_MAX_ERROR_STR 2048 -+#ifndef NGX_MAX_ERROR_STR -+#define NGX_MAX_ERROR_STR 4096 -+#endif - - - /*********************************/ diff --git a/images/nginx/rootfs/patches/nginx-1.21.4-no_Werror.patch b/images/nginx/rootfs/patches/nginx-1.21.4-no_Werror.patch deleted file mode 100644 index f4d6fd0e5..000000000 --- a/images/nginx/rootfs/patches/nginx-1.21.4-no_Werror.patch +++ /dev/null @@ -1,36 +0,0 @@ -diff -urp nginx-1.21.4/auto/cc/clang nginx-1.21.4-patched/auto/cc/clang ---- nginx-1.21.4/auto/cc/clang 2014-03-04 03:39:24.000000000 -0800 -+++ nginx-1.21.4-patched/auto/cc/clang 2014-03-13 20:54:26.241413360 -0700 -@@ -89,7 +89,7 @@ CFLAGS="$CFLAGS -Wconditional-uninitiali - CFLAGS="$CFLAGS -Wno-unused-parameter" - - # stop on warning --CFLAGS="$CFLAGS -Werror" -+#CFLAGS="$CFLAGS -Werror" - - # debug - CFLAGS="$CFLAGS -g" -diff -urp nginx-1.21.4/auto/cc/gcc nginx-1.21.4-patched/auto/cc/gcc ---- nginx-1.21.4/auto/cc/gcc 2014-03-04 03:39:24.000000000 -0800 -+++ nginx-1.21.4-patched/auto/cc/gcc 2014-03-13 20:54:13.301355329 -0700 -@@ -168,7 +168,7 @@ esac - - - # stop on warning --CFLAGS="$CFLAGS -Werror" -+#CFLAGS="$CFLAGS -Werror" - - # debug - CFLAGS="$CFLAGS -g" -diff -urp nginx-1.21.4/auto/cc/icc nginx-1.21.4-patched/auto/cc/icc ---- nginx-1.21.4/auto/cc/icc 2014-03-04 03:39:24.000000000 -0800 -+++ nginx-1.21.4-patched/auto/cc/icc 2014-03-13 20:54:13.301355329 -0700 -@@ -115,7 +115,7 @@ case "$NGX_ICC_VER" in - esac - - # stop on warning --CFLAGS="$CFLAGS -Werror" -+#CFLAGS="$CFLAGS -Werror" - - # debug - CFLAGS="$CFLAGS -g" diff --git a/images/nginx/rootfs/patches/nginx-1.21.4-proxy_host_port_vars.patch b/images/nginx/rootfs/patches/nginx-1.21.4-proxy_host_port_vars.patch deleted file mode 100644 index 01cebd65a..000000000 --- a/images/nginx/rootfs/patches/nginx-1.21.4-proxy_host_port_vars.patch +++ /dev/null @@ -1,19 +0,0 @@ ---- nginx-1.21.4/src/http/modules/ngx_http_proxy_module.c 2017-07-16 14:02:51.000000000 +0800 -+++ nginx-1.21.4-patched/src/http/modules/ngx_http_proxy_module.c 2017-07-16 14:02:51.000000000 +0800 -@@ -793,13 +793,13 @@ static ngx_keyval_t ngx_http_proxy_cach - static ngx_http_variable_t ngx_http_proxy_vars[] = { - - { ngx_string("proxy_host"), NULL, ngx_http_proxy_host_variable, 0, -- NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 }, -+ NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE, 0 }, - - { ngx_string("proxy_port"), NULL, ngx_http_proxy_port_variable, 0, -- NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 }, -+ NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE, 0 }, - - { ngx_string("proxy_add_x_forwarded_for"), NULL, -- ngx_http_proxy_add_x_forwarded_for_variable, 0, NGX_HTTP_VAR_NOHASH, 0 }, -+ ngx_http_proxy_add_x_forwarded_for_variable, 0, 0, 0 }, - - #if 0 - { ngx_string("proxy_add_via"), NULL, NULL, 0, NGX_HTTP_VAR_NOHASH, 0 }, diff --git a/images/nginx/rootfs/patches/nginx-1.21.4-resolver_conf_parsing.patch b/images/nginx/rootfs/patches/nginx-1.21.4-resolver_conf_parsing.patch deleted file mode 100644 index 8638cdf2a..000000000 --- a/images/nginx/rootfs/patches/nginx-1.21.4-resolver_conf_parsing.patch +++ /dev/null @@ -1,263 +0,0 @@ -diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c -index cd55520c..dade1846 100644 ---- a/src/core/ngx_resolver.c -+++ b/src/core/ngx_resolver.c -@@ -9,12 +9,26 @@ - #include - #include - -+#if !(NGX_WIN32) -+#include -+#endif -+ - - #define NGX_RESOLVER_UDP_SIZE 4096 - - #define NGX_RESOLVER_TCP_RSIZE (2 + 65535) - #define NGX_RESOLVER_TCP_WSIZE 8192 - -+#if !(NGX_WIN32) -+/* -+ * note that 2KB should be more than enough for majority of the -+ * resolv.conf files out there. it also acts as a safety guard to prevent -+ * abuse. -+ */ -+#define NGX_RESOLVER_FILE_BUF_SIZE 2048 -+#define NGX_RESOLVER_FILE_NAME "/etc/resolv.conf" -+#endif -+ - - typedef struct { - u_char ident_hi; -@@ -131,6 +145,191 @@ static ngx_resolver_node_t *ngx_resolver_lookup_addr6(ngx_resolver_t *r, - #endif - - -+#if !(NGX_WIN32) -+static ngx_int_t -+ngx_resolver_read_resolv_conf(ngx_conf_t *cf, ngx_resolver_t *r, u_char *path, -+ size_t path_len) -+{ -+ ngx_url_t u; -+ ngx_resolver_connection_t *rec; -+ ngx_fd_t fd; -+ ngx_file_t file; -+ u_char buf[NGX_RESOLVER_FILE_BUF_SIZE]; -+ u_char ipv6_buf[NGX_INET6_ADDRSTRLEN]; -+ ngx_uint_t address = 0, j, total = 0; -+ ssize_t n, i; -+ enum { -+ sw_nameserver, -+ sw_spaces, -+ sw_address, -+ sw_skip -+ } state; -+ -+ file.name.data = path; -+ file.name.len = path_len; -+ -+ if (ngx_conf_full_name(cf->cycle, &file.name, 1) != NGX_OK) { -+ return NGX_ERROR; -+ } -+ -+ fd = ngx_open_file(file.name.data, NGX_FILE_RDONLY, -+ NGX_FILE_OPEN, 0); -+ -+ if (fd == NGX_INVALID_FILE) { -+ ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, -+ ngx_open_file_n " \"%s\" failed", file.name.data); -+ -+ return NGX_ERROR; -+ } -+ -+ ngx_memzero(&file, sizeof(ngx_file_t)); -+ -+ file.fd = fd; -+ file.log = cf->log; -+ -+ state = sw_nameserver; -+ -+ n = ngx_read_file(&file, buf, NGX_RESOLVER_FILE_BUF_SIZE, 0); -+ -+ if (n == NGX_ERROR) { -+ ngx_conf_log_error(NGX_LOG_ALERT, cf, ngx_errno, -+ ngx_read_file_n " \"%s\" failed", file.name.data); -+ } -+ -+ if (ngx_close_file(file.fd) == NGX_FILE_ERROR) { -+ ngx_conf_log_error(NGX_LOG_ALERT, cf, ngx_errno, -+ ngx_close_file_n " \"%s\" failed", file.name.data); -+ } -+ -+ if (n == NGX_ERROR) { -+ return NGX_ERROR; -+ } -+ -+ if (n == 0) { -+ return NGX_OK; -+ } -+ -+ for (i = 0; i < n && total < MAXNS; /* void */) { -+ if (buf[i] == '#' || buf[i] == ';') { -+ state = sw_skip; -+ } -+ -+ switch (state) { -+ -+ case sw_nameserver: -+ -+ if ((size_t) n - i >= sizeof("nameserver") - 1 -+ && ngx_memcmp(buf + i, "nameserver", -+ sizeof("nameserver") - 1) == 0) -+ { -+ state = sw_spaces; -+ i += sizeof("nameserver") - 1; -+ -+ continue; -+ } -+ -+ break; -+ -+ case sw_spaces: -+ if (buf[i] != '\t' && buf[i] != ' ') { -+ address = i; -+ state = sw_address; -+ } -+ -+ break; -+ -+ case sw_address: -+ -+ if (buf[i] == CR || buf[i] == LF || i == n - 1) { -+ ngx_memzero(&u, sizeof(ngx_url_t)); -+ -+ u.url.data = buf + address; -+ -+ if (i == n - 1 && buf[i] != CR && buf[i] != LF) { -+ u.url.len = n - address; -+ -+ } else { -+ u.url.len = i - address; -+ } -+ -+ u.default_port = 53; -+ -+ /* IPv6? */ -+ if (ngx_strlchr(u.url.data, u.url.data + u.url.len, -+ ':') != NULL) -+ { -+ if (u.url.len + 2 > sizeof(ipv6_buf)) { -+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -+ "IPv6 resolver address is too long:" -+ " \"%V\"", &u.url); -+ -+ return NGX_ERROR; -+ } -+ -+ ipv6_buf[0] = '['; -+ ngx_memcpy(ipv6_buf + 1, u.url.data, u.url.len); -+ ipv6_buf[u.url.len + 1] = ']'; -+ -+ u.url.data = ipv6_buf; -+ u.url.len = u.url.len + 2; -+ } -+ -+ if (ngx_parse_url(cf->pool, &u) != NGX_OK) { -+ if (u.err) { -+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -+ "%s in resolver \"%V\"", -+ u.err, &u.url); -+ } -+ -+ return NGX_ERROR; -+ } -+ -+ rec = ngx_array_push_n(&r->connections, u.naddrs); -+ if (rec == NULL) { -+ return NGX_ERROR; -+ } -+ -+ ngx_memzero(rec, u.naddrs * sizeof(ngx_resolver_connection_t)); -+ -+ for (j = 0; j < u.naddrs; j++) { -+ rec[j].sockaddr = u.addrs[j].sockaddr; -+ rec[j].socklen = u.addrs[j].socklen; -+ rec[j].server = u.addrs[j].name; -+ rec[j].resolver = r; -+ } -+ -+ total++; -+ -+#if (NGX_DEBUG) -+ /* -+ * logs with level below NGX_LOG_NOTICE will not be printed -+ * in this early phase -+ */ -+ ngx_conf_log_error(NGX_LOG_NOTICE, cf, 0, -+ "parsed a resolver: \"%V\"", &u.url); -+#endif -+ -+ state = sw_nameserver; -+ } -+ -+ break; -+ -+ case sw_skip: -+ if (buf[i] == CR || buf[i] == LF) { -+ state = sw_nameserver; -+ } -+ -+ break; -+ } -+ -+ i++; -+ } -+ -+ return NGX_OK; -+} -+#endif -+ -+ - ngx_resolver_t * - ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n) - { -@@ -246,6 +445,39 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n) - } - #endif - -+#if !(NGX_WIN32) -+ if (ngx_strncmp(names[i].data, "local=", 6) == 0) { -+ -+ if (ngx_strcmp(&names[i].data[6], "on") == 0) { -+ if (ngx_resolver_read_resolv_conf(cf, r, -+ (u_char *) -+ NGX_RESOLVER_FILE_NAME, -+ sizeof(NGX_RESOLVER_FILE_NAME) -+ - 1) -+ != NGX_OK) -+ { -+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -+ "unable to parse local resolver"); -+ return NULL; -+ } -+ -+ } else if (ngx_strcmp(&names[i].data[6], "off") != 0) { -+ if (ngx_resolver_read_resolv_conf(cf, r, -+ &names[i].data[6], -+ names[i].len - 6) -+ != NGX_OK) -+ { -+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -+ "unable to parse local resolver"); -+ return NULL; -+ } -+ -+ } -+ -+ continue; -+ } -+#endif -+ - ngx_memzero(&u, sizeof(ngx_url_t)); - - u.url = names[i]; diff --git a/images/nginx/rootfs/patches/nginx-1.21.4-reuseport_close_unused_fds.patch b/images/nginx/rootfs/patches/nginx-1.21.4-reuseport_close_unused_fds.patch deleted file mode 100644 index ff4a36fd2..000000000 --- a/images/nginx/rootfs/patches/nginx-1.21.4-reuseport_close_unused_fds.patch +++ /dev/null @@ -1,38 +0,0 @@ -diff --git a/src/core/ngx_connection.c b/src/core/ngx_connection.c ---- a/src/core/ngx_connection.c -+++ b/src/core/ngx_connection.c -@@ -1118,6 +1118,12 @@ ngx_close_listening_sockets(ngx_cycle_t *cycle) - ls = cycle->listening.elts; - for (i = 0; i < cycle->listening.nelts; i++) { - -+#if (NGX_HAVE_REUSEPORT) -+ if (ls[i].fd == (ngx_socket_t) -1) { -+ continue; -+ } -+#endif -+ - c = ls[i].connection; - - if (c) { -diff --git a/src/event/ngx_event.c b/src/event/ngx_event.c ---- a/src/event/ngx_event.c -+++ b/src/event/ngx_event.c -@@ -775,6 +775,18 @@ ngx_event_process_init(ngx_cycle_t *cycle) - - #if (NGX_HAVE_REUSEPORT) - if (ls[i].reuseport && ls[i].worker != ngx_worker) { -+ ngx_log_debug2(NGX_LOG_DEBUG_CORE, cycle->log, 0, -+ "closing unused fd:%d listening on %V", -+ ls[i].fd, &ls[i].addr_text); -+ -+ if (ngx_close_socket(ls[i].fd) == -1) { -+ ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_socket_errno, -+ ngx_close_socket_n " %V failed", -+ &ls[i].addr_text); -+ } -+ -+ ls[i].fd = (ngx_socket_t) -1; -+ - continue; - } - #endif diff --git a/images/nginx/rootfs/patches/nginx-1.21.4-single_process_graceful_exit.patch b/images/nginx/rootfs/patches/nginx-1.21.4-single_process_graceful_exit.patch deleted file mode 100644 index 2754fc2fe..000000000 --- a/images/nginx/rootfs/patches/nginx-1.21.4-single_process_graceful_exit.patch +++ /dev/null @@ -1,75 +0,0 @@ -diff --git a/src/os/unix/ngx_process.c b/src/os/unix/ngx_process.c -index 15680237..12a8c687 100644 ---- a/src/os/unix/ngx_process.c -+++ b/src/os/unix/ngx_process.c -@@ -362,8 +362,15 @@ ngx_signal_handler(int signo, siginfo_t *siginfo, void *ucontext) - break; - - case ngx_signal_value(NGX_RECONFIGURE_SIGNAL): -- ngx_reconfigure = 1; -- action = ", reconfiguring"; -+ if (ngx_process == NGX_PROCESS_SINGLE) { -+ ngx_terminate = 1; -+ action = ", exiting"; -+ -+ } else { -+ ngx_reconfigure = 1; -+ action = ", reconfiguring"; -+ } -+ - break; - - case ngx_signal_value(NGX_REOPEN_SIGNAL): -diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c -index 5817a2c2..f3d58e97 100644 ---- a/src/os/unix/ngx_process_cycle.c -+++ b/src/os/unix/ngx_process_cycle.c -@@ -305,11 +305,26 @@ ngx_single_process_cycle(ngx_cycle_t *cycle) - } - - for ( ;; ) { -+ if (ngx_exiting) { -+ if (ngx_event_no_timers_left() == NGX_OK) { -+ ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting"); -+ -+ for (i = 0; cycle->modules[i]; i++) { -+ if (cycle->modules[i]->exit_process) { -+ cycle->modules[i]->exit_process(cycle); -+ } -+ } -+ -+ ngx_master_process_exit(cycle); -+ } -+ } -+ - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, cycle->log, 0, "worker cycle"); - - ngx_process_events_and_timers(cycle); - -- if (ngx_terminate || ngx_quit) { -+ if (ngx_terminate) { -+ ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting"); - - for (i = 0; cycle->modules[i]; i++) { - if (cycle->modules[i]->exit_process) { -@@ -320,6 +335,20 @@ ngx_single_process_cycle(ngx_cycle_t *cycle) - ngx_master_process_exit(cycle); - } - -+ if (ngx_quit) { -+ ngx_quit = 0; -+ ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, -+ "gracefully shutting down"); -+ ngx_setproctitle("process is shutting down"); -+ -+ if (!ngx_exiting) { -+ ngx_exiting = 1; -+ ngx_set_shutdown_timer(cycle); -+ ngx_close_listening_sockets(cycle); -+ ngx_close_idle_connections(cycle); -+ } -+ } -+ - if (ngx_reconfigure) { - ngx_reconfigure = 0; - ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "reconfiguring"); diff --git a/images/nginx/rootfs/patches/nginx-1.21.4-socket_cloexec.patch b/images/nginx/rootfs/patches/nginx-1.21.4-socket_cloexec.patch deleted file mode 100644 index 8ffe4c167..000000000 --- a/images/nginx/rootfs/patches/nginx-1.21.4-socket_cloexec.patch +++ /dev/null @@ -1,185 +0,0 @@ -diff --git a/auto/unix b/auto/unix -index 10835f6c..b5b33bb3 100644 ---- a/auto/unix -+++ b/auto/unix -@@ -990,3 +990,27 @@ ngx_feature_test='struct addrinfo *res; - if (getaddrinfo("localhost", NULL, NULL, &res) != 0) return 1; - freeaddrinfo(res)' - . auto/feature -+ -+ngx_feature="SOCK_CLOEXEC support" -+ngx_feature_name="NGX_HAVE_SOCKET_CLOEXEC" -+ngx_feature_run=no -+ngx_feature_incs="#include -+ #include " -+ngx_feature_path= -+ngx_feature_libs= -+ngx_feature_test="int fd; -+ fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);" -+. auto/feature -+ -+ngx_feature="FD_CLOEXEC support" -+ngx_feature_name="NGX_HAVE_FD_CLOEXEC" -+ngx_feature_run=no -+ngx_feature_incs="#include -+ #include -+ #include " -+ngx_feature_path= -+ngx_feature_libs= -+ngx_feature_test="int fd; -+ fd = socket(AF_INET, SOCK_STREAM, 0); -+ fcntl(fd, F_SETFD, FD_CLOEXEC);" -+. auto/feature -diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c -index cd55520c..438e0806 100644 ---- a/src/core/ngx_resolver.c -+++ b/src/core/ngx_resolver.c -@@ -4466,8 +4466,14 @@ ngx_tcp_connect(ngx_resolver_connection_t *rec) - ngx_event_t *rev, *wev; - ngx_connection_t *c; - -+#if (NGX_HAVE_SOCKET_CLOEXEC) -+ s = ngx_socket(rec->sockaddr->sa_family, SOCK_STREAM | SOCK_CLOEXEC, 0); -+ -+#else - s = ngx_socket(rec->sockaddr->sa_family, SOCK_STREAM, 0); - -+#endif -+ - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, &rec->log, 0, "TCP socket %d", s); - - if (s == (ngx_socket_t) -1) { -@@ -4494,6 +4500,15 @@ ngx_tcp_connect(ngx_resolver_connection_t *rec) - goto failed; - } - -+#if (NGX_HAVE_FD_CLOEXEC) -+ if (ngx_cloexec(s) == -1) { -+ ngx_log_error(NGX_LOG_ALERT, &rec->log, ngx_socket_errno, -+ ngx_cloexec_n " failed"); -+ -+ goto failed; -+ } -+#endif -+ - rev = c->read; - wev = c->write; - -diff --git a/src/event/ngx_event.h b/src/event/ngx_event.h -index 19fec68..8c2f01a 100644 ---- a/src/event/ngx_event.h -+++ b/src/event/ngx_event.h -@@ -73,6 +73,9 @@ struct ngx_event_s { - /* to test on worker exit */ - unsigned channel:1; - unsigned resolver:1; -+#if (HAVE_SOCKET_CLOEXEC_PATCH) -+ unsigned skip_socket_leak_check:1; -+#endif - - unsigned cancelable:1; - -diff --git a/src/event/ngx_event_accept.c b/src/event/ngx_event_accept.c -index 77563709..5827b9d0 100644 ---- a/src/event/ngx_event_accept.c -+++ b/src/event/ngx_event_accept.c -@@ -62,7 +62,9 @@ ngx_event_accept(ngx_event_t *ev) - - #if (NGX_HAVE_ACCEPT4) - if (use_accept4) { -- s = accept4(lc->fd, &sa.sockaddr, &socklen, SOCK_NONBLOCK); -+ s = accept4(lc->fd, &sa.sockaddr, &socklen, -+ SOCK_NONBLOCK | SOCK_CLOEXEC); -+ - } else { - s = accept(lc->fd, &sa.sockaddr, &socklen); - } -@@ -202,6 +204,16 @@ ngx_event_accept(ngx_event_t *ev) - ngx_close_accepted_connection(c); - return; - } -+ -+#if (NGX_HAVE_FD_CLOEXEC) -+ if (ngx_cloexec(s) == -1) { -+ ngx_log_error(NGX_LOG_ALERT, ev->log, ngx_socket_errno, -+ ngx_cloexec_n " failed"); -+ ngx_close_accepted_connection(c); -+ return; -+ } -+#endif -+ - } - } - -diff --git a/src/event/ngx_event_connect.c b/src/event/ngx_event_connect.c -index c5bb8068..cf33b1d2 100644 ---- a/src/event/ngx_event_connect.c -+++ b/src/event/ngx_event_connect.c -@@ -38,8 +38,15 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc) - - type = (pc->type ? pc->type : SOCK_STREAM); - -+#if (NGX_HAVE_SOCKET_CLOEXEC) -+ s = ngx_socket(pc->sockaddr->sa_family, type | SOCK_CLOEXEC, 0); -+ -+#else - s = ngx_socket(pc->sockaddr->sa_family, type, 0); - -+#endif -+ -+ - ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pc->log, 0, "%s socket %d", - (type == SOCK_STREAM) ? "stream" : "dgram", s); - -@@ -80,6 +87,15 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc) - goto failed; - } - -+#if (NGX_HAVE_FD_CLOEXEC) -+ if (ngx_cloexec(s) == -1) { -+ ngx_log_error(NGX_LOG_ALERT, pc->log, ngx_socket_errno, -+ ngx_cloexec_n " failed"); -+ -+ goto failed; -+ } -+#endif -+ - if (pc->local) { - - #if (NGX_HAVE_TRANSPARENT_PROXY) -diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c -index c4376a5..48e8fa8 100644 ---- a/src/os/unix/ngx_process_cycle.c -+++ b/src/os/unix/ngx_process_cycle.c -@@ -960,6 +1029,9 @@ ngx_worker_process_exit(ngx_cycle_t *cycle) - for (i = 0; i < cycle->connection_n; i++) { - if (c[i].fd != -1 - && c[i].read -+#if (HAVE_SOCKET_CLOEXEC_PATCH) -+ && !c[i].read->skip_socket_leak_check -+#endif - && !c[i].read->accept - && !c[i].read->channel - && !c[i].read->resolver) -diff --git a/src/os/unix/ngx_socket.h b/src/os/unix/ngx_socket.h -index fcc51533..d1eebf47 100644 ---- a/src/os/unix/ngx_socket.h -+++ b/src/os/unix/ngx_socket.h -@@ -38,6 +38,17 @@ int ngx_blocking(ngx_socket_t s); - - #endif - -+#if (NGX_HAVE_FD_CLOEXEC) -+ -+#define ngx_cloexec(s) fcntl(s, F_SETFD, FD_CLOEXEC) -+#define ngx_cloexec_n "fcntl(FD_CLOEXEC)" -+ -+/* at least FD_CLOEXEC is required to ensure connection fd is closed -+ * after execve */ -+#define HAVE_SOCKET_CLOEXEC_PATCH 1 -+ -+#endif -+ - int ngx_tcp_nopush(ngx_socket_t s); - int ngx_tcp_push(ngx_socket_t s); - diff --git a/images/nginx/rootfs/patches/nginx-1.21.4-ssl_cert_cb_yield.patch b/images/nginx/rootfs/patches/nginx-1.21.4-ssl_cert_cb_yield.patch deleted file mode 100644 index 89773c05e..000000000 --- a/images/nginx/rootfs/patches/nginx-1.21.4-ssl_cert_cb_yield.patch +++ /dev/null @@ -1,64 +0,0 @@ -# HG changeset patch -# User Yichun Zhang -# Date 1451762084 28800 -# Sat Jan 02 11:14:44 2016 -0800 -# Node ID 449f0461859c16e95bdb18e8be6b94401545d3dd -# Parent 78b4e10b4367b31367aad3c83c9c3acdd42397c4 -SSL: handled SSL_CTX_set_cert_cb() callback yielding. - -OpenSSL 1.0.2+ introduces SSL_CTX_set_cert_cb() to allow custom -callbacks to serve the SSL certificiates and private keys dynamically -and lazily. The callbacks may yield for nonblocking I/O or sleeping. -Here we added support for such usage in NGINX 3rd-party modules -(like ngx_lua) in NGINX's event handlers for downstream SSL -connections. - -diff -r 78b4e10b4367 -r 449f0461859c src/event/ngx_event_openssl.c ---- a/src/event/ngx_event_openssl.c Thu Dec 17 16:39:15 2015 +0300 -+++ b/src/event/ngx_event_openssl.c Sat Jan 02 11:14:44 2016 -0800 -@@ -1445,6 +1445,23 @@ ngx_ssl_handshake(ngx_connection_t *c) - return NGX_AGAIN; - } - -+#if OPENSSL_VERSION_NUMBER >= 0x10002000L -+ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) { -+ c->read->handler = ngx_ssl_handshake_handler; -+ c->write->handler = ngx_ssl_handshake_handler; -+ -+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) { -+ return NGX_ERROR; -+ } -+ -+ if (ngx_handle_write_event(c->write, 0) != NGX_OK) { -+ return NGX_ERROR; -+ } -+ -+ return NGX_AGAIN; -+ } -+#endif -+ - err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; - - c->ssl->no_wait_shutdown = 1; -@@ -1558,6 +1575,21 @@ ngx_ssl_try_early_data(ngx_connection_t *c) - return NGX_AGAIN; - } - -+ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) { -+ c->read->handler = ngx_ssl_handshake_handler; -+ c->write->handler = ngx_ssl_handshake_handler; -+ -+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) { -+ return NGX_ERROR; -+ } -+ -+ if (ngx_handle_write_event(c->write, 0) != NGX_OK) { -+ return NGX_ERROR; -+ } -+ -+ return NGX_AGAIN; -+ } -+ - err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; - - c->ssl->no_wait_shutdown = 1; diff --git a/images/nginx/rootfs/patches/nginx-1.21.4-ssl_sess_cb_yield.patch b/images/nginx/rootfs/patches/nginx-1.21.4-ssl_sess_cb_yield.patch deleted file mode 100644 index ac5fe65eb..000000000 --- a/images/nginx/rootfs/patches/nginx-1.21.4-ssl_sess_cb_yield.patch +++ /dev/null @@ -1,41 +0,0 @@ -diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c ---- a/src/event/ngx_event_openssl.c -+++ b/src/event/ngx_event_openssl.c -@@ -1446,7 +1446,12 @@ ngx_ssl_handshake(ngx_connection_t *c) - } - - #if OPENSSL_VERSION_NUMBER >= 0x10002000L -- if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) { -+ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP -+# ifdef SSL_ERROR_PENDING_SESSION -+ || sslerr == SSL_ERROR_PENDING_SESSION -+# endif -+ ) -+ { - c->read->handler = ngx_ssl_handshake_handler; - c->write->handler = ngx_ssl_handshake_handler; - -@@ -1575,6 +1580,23 @@ ngx_ssl_try_early_data(ngx_connection_t *c) - return NGX_AGAIN; - } - -+#ifdef SSL_ERROR_PENDING_SESSION -+ if (sslerr == SSL_ERROR_PENDING_SESSION) { -+ c->read->handler = ngx_ssl_handshake_handler; -+ c->write->handler = ngx_ssl_handshake_handler; -+ -+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) { -+ return NGX_ERROR; -+ } -+ -+ if (ngx_handle_write_event(c->write, 0) != NGX_OK) { -+ return NGX_ERROR; -+ } -+ -+ return NGX_AGAIN; -+ } -+#endif -+ - err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; - - c->ssl->no_wait_shutdown = 1; diff --git a/images/nginx/rootfs/patches/nginx-1.21.4-stream_proxy_get_next_upstream_tries.patch b/images/nginx/rootfs/patches/nginx-1.21.4-stream_proxy_get_next_upstream_tries.patch deleted file mode 100644 index cb881f070..000000000 --- a/images/nginx/rootfs/patches/nginx-1.21.4-stream_proxy_get_next_upstream_tries.patch +++ /dev/null @@ -1,31 +0,0 @@ -diff --git a/src/stream/ngx_stream.h b/src/stream/ngx_stream.h -index 09d2459..de92724 100644 ---- a/src/stream/ngx_stream.h -+++ b/src/stream/ngx_stream.h -@@ -303,4 +303,7 @@ typedef ngx_int_t (*ngx_stream_filter_pt)(ngx_stream_session_t *s, - extern ngx_stream_filter_pt ngx_stream_top_filter; - - -+#define HAS_NGX_STREAM_PROXY_GET_NEXT_UPSTREAM_TRIES_PATCH 1 -+ -+ - #endif /* _NGX_STREAM_H_INCLUDED_ */ -diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c -index 0afde1c..3254ce1 100644 ---- a/src/stream/ngx_stream_proxy_module.c -+++ b/src/stream/ngx_stream_proxy_module.c -@@ -2156,3 +2156,14 @@ ngx_stream_proxy_bind(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) - - return NGX_CONF_OK; - } -+ -+ -+ngx_uint_t -+ngx_stream_proxy_get_next_upstream_tries(ngx_stream_session_t *s) -+{ -+ ngx_stream_proxy_srv_conf_t *pscf; -+ -+ pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module); -+ -+ return pscf->next_upstream_tries; -+} diff --git a/images/nginx/rootfs/patches/nginx-1.21.4-stream_ssl_preread_no_skip.patch b/images/nginx/rootfs/patches/nginx-1.21.4-stream_ssl_preread_no_skip.patch deleted file mode 100644 index e45e9f69a..000000000 --- a/images/nginx/rootfs/patches/nginx-1.21.4-stream_ssl_preread_no_skip.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/src/stream/ngx_stream_ssl_preread_module.c b/src/stream/ngx_stream_ssl_preread_module.c -index e3d11fd9..3717b5fe 100644 ---- a/src/stream/ngx_stream_ssl_preread_module.c -+++ b/src/stream/ngx_stream_ssl_preread_module.c -@@ -159,7 +159,7 @@ ngx_stream_ssl_preread_handler(ngx_stream_session_t *s) - - rc = ngx_stream_ssl_preread_parse_record(ctx, p, p + len); - if (rc != NGX_AGAIN) { -- return rc; -+ return rc == NGX_OK ? NGX_DECLINED : rc; - } - - p += len; diff --git a/images/nginx/rootfs/patches/nginx-1.21.4-upstream_pipelining.patch b/images/nginx/rootfs/patches/nginx-1.21.4-upstream_pipelining.patch deleted file mode 100644 index aed80365a..000000000 --- a/images/nginx/rootfs/patches/nginx-1.21.4-upstream_pipelining.patch +++ /dev/null @@ -1,23 +0,0 @@ -commit f9907b72a76a21ac5413187b83177a919475c75f -Author: Yichun Zhang (agentzh) -Date: Wed Feb 10 16:05:08 2016 -0800 - - bugfix: upstream: keep sending request data after the first write attempt. - - See - http://mailman.nginx.org/pipermail/nginx-devel/2012-March/002040.html - for more details on the issue. - -diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c -index 69019417..92b7c97f 100644 ---- a/src/http/ngx_http_upstream.c -+++ b/src/http/ngx_http_upstream.c -@@ -2239,7 +2239,7 @@ ngx_http_upstream_send_request_handler(ngx_http_request_t *r, - - #endif - -- if (u->header_sent && !u->conf->preserve_output) { -+ if (u->request_body_sent && !u->conf->preserve_output) { - u->write_event_handler = ngx_http_upstream_dummy_handler; - - (void) ngx_handle_write_event(c->write, 0); diff --git a/images/nginx/rootfs/patches/nginx-1.21.4-upstream_timeout_fields.patch b/images/nginx/rootfs/patches/nginx-1.21.4-upstream_timeout_fields.patch deleted file mode 100644 index 2314ddf80..000000000 --- a/images/nginx/rootfs/patches/nginx-1.21.4-upstream_timeout_fields.patch +++ /dev/null @@ -1,112 +0,0 @@ -diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c -index 69019417..2265d8f7 100644 ---- a/src/http/ngx_http_upstream.c -+++ b/src/http/ngx_http_upstream.c -@@ -509,12 +509,19 @@ void - ngx_http_upstream_init(ngx_http_request_t *r) - { - ngx_connection_t *c; -+ ngx_http_upstream_t *u; - - c = r->connection; - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http init upstream, client timer: %d", c->read->timer_set); - -+ u = r->upstream; -+ -+ u->connect_timeout = u->conf->connect_timeout; -+ u->send_timeout = u->conf->send_timeout; -+ u->read_timeout = u->conf->read_timeout; -+ - #if (NGX_HTTP_V2) - if (r->stream) { - ngx_http_upstream_init_request(r); -@@ -1626,7 +1633,7 @@ ngx_http_upstream_connect(ngx_http_request_t *r, ngx_http_upstream_t *u) - u->request_body_blocked = 0; - - if (rc == NGX_AGAIN) { -- ngx_add_timer(c->write, u->conf->connect_timeout); -+ ngx_add_timer(c->write, u->connect_timeout); - return; - } - -@@ -1704,7 +1711,7 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r, - if (rc == NGX_AGAIN) { - - if (!c->write->timer_set) { -- ngx_add_timer(c->write, u->conf->connect_timeout); -+ ngx_add_timer(c->write, u->connect_timeout); - } - - c->ssl->handler = ngx_http_upstream_ssl_handshake_handler; -@@ -2022,7 +2029,7 @@ ngx_http_upstream_send_request(ngx_http_request_t *r, ngx_http_upstream_t *u, - - if (rc == NGX_AGAIN) { - if (!c->write->ready || u->request_body_blocked) { -- ngx_add_timer(c->write, u->conf->send_timeout); -+ ngx_add_timer(c->write, u->send_timeout); - - } else if (c->write->timer_set) { - ngx_del_timer(c->write); -@@ -2084,7 +2091,7 @@ ngx_http_upstream_send_request(ngx_http_request_t *r, ngx_http_upstream_t *u, - return; - } - -- ngx_add_timer(c->read, u->conf->read_timeout); -+ ngx_add_timer(c->read, u->read_timeout); - - if (c->read->ready) { - ngx_http_upstream_process_header(r, u); -@@ -3213,7 +3220,7 @@ ngx_http_upstream_send_response(ngx_http_request_t *r, ngx_http_upstream_t *u) - p->cyclic_temp_file = 0; - } - -- p->read_timeout = u->conf->read_timeout; -+ p->read_timeout = u->read_timeout; - p->send_timeout = clcf->send_timeout; - p->send_lowat = clcf->send_lowat; - -@@ -3458,7 +3465,7 @@ ngx_http_upstream_process_upgraded(ngx_http_request_t *r, - } - - if (upstream->write->active && !upstream->write->ready) { -- ngx_add_timer(upstream->write, u->conf->send_timeout); -+ ngx_add_timer(upstream->write, u->send_timeout); - - } else if (upstream->write->timer_set) { - ngx_del_timer(upstream->write); -@@ -3470,7 +3477,7 @@ ngx_http_upstream_process_upgraded(ngx_http_request_t *r, - } - - if (upstream->read->active && !upstream->read->ready) { -- ngx_add_timer(upstream->read, u->conf->read_timeout); -+ ngx_add_timer(upstream->read, u->read_timeout); - - } else if (upstream->read->timer_set) { - ngx_del_timer(upstream->read); -@@ -3664,7 +3671,7 @@ ngx_http_upstream_process_non_buffered_request(ngx_http_request_t *r, - } - - if (upstream->read->active && !upstream->read->ready) { -- ngx_add_timer(upstream->read, u->conf->read_timeout); -+ ngx_add_timer(upstream->read, u->read_timeout); - - } else if (upstream->read->timer_set) { - ngx_del_timer(upstream->read); -diff --git a/src/http/ngx_http_upstream.h b/src/http/ngx_http_upstream.h -index c2f4dc0b..b9eef118 100644 ---- a/src/http/ngx_http_upstream.h -+++ b/src/http/ngx_http_upstream.h -@@ -333,6 +333,11 @@ struct ngx_http_upstream_s { - ngx_array_t *caches; - #endif - -+#define HAVE_NGX_UPSTREAM_TIMEOUT_FIELDS 1 -+ ngx_msec_t connect_timeout; -+ ngx_msec_t send_timeout; -+ ngx_msec_t read_timeout; -+ - ngx_http_upstream_headers_in_t headers_in; - - ngx_http_upstream_resolved_t *resolved; diff --git a/images/opentelemetry/Makefile b/images/opentelemetry/Makefile deleted file mode 100644 index eae435bef..000000000 --- a/images/opentelemetry/Makefile +++ /dev/null @@ -1,69 +0,0 @@ -# Copyright 2024 The Kubernetes Authors. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -.DEFAULT_GOAL:=build - -# set default shell -SHELL=/bin/bash -o pipefail -o errexit - -DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) -INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh - -# 0.0.0 shouldn't clobber any released builds -SHORT_SHA ?=$(shell git rev-parse --short HEAD) -TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA) - -REGISTRY ?= gcr.io/k8s-staging-ingress-nginx - -IMAGE = $(REGISTRY)/opentelemetry - -# required to enable buildx -export DOCKER_CLI_EXPERIMENTAL=enabled - -# build with buildx -PLATFORMS?=linux/amd64,linux/arm,linux/arm64 -OUTPUT= -PROGRESS=plain - -precheck: -ifndef NGINX_VERSION - $(error NGINX_VERSION variable is required) -endif - -build: precheck ensure-buildx - docker buildx build \ - --label=org.opencontainers.image.source=https://github.com/kubernetes/ingress-nginx \ - --label=org.opencontainers.image.licenses=Apache-2.0 \ - --label=org.opencontainers.image.description="Ingress NGINX Opentelemetry image" \ - --platform=${PLATFORMS} $(OUTPUT) \ - --progress=$(PROGRESS) \ - --build-arg=NGINX_VERSION=$(NGINX_VERSION) \ - --pull \ - --tag $(IMAGE)-$(NGINX_VERSION):$(TAG) rootfs - -# push the cross built image -push: OUTPUT=--push -push: build - -# enable buildx -ensure-buildx: -# this is required for cloudbuild -ifeq ("$(wildcard $(INIT_BUILDX))","") - @curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/init-buildx.sh | bash -else - @exec $(INIT_BUILDX) -endif - @echo "done" - -.PHONY: build precheck push ensure-buildx diff --git a/images/opentelemetry/README.md b/images/opentelemetry/README.md deleted file mode 100644 index f5c3d90de..000000000 --- a/images/opentelemetry/README.md +++ /dev/null @@ -1,5 +0,0 @@ -# OpenTelemetry library builder - -**How to use this image:** -This image only contains the necessary files in /usr/local and /etc/nginx/opentelemetry to -be copied to Ingress Controller deployment when OpenTelemetry is enabled diff --git a/images/opentelemetry/TAG b/images/opentelemetry/TAG deleted file mode 100644 index a3dce6cd3..000000000 --- a/images/opentelemetry/TAG +++ /dev/null @@ -1 +0,0 @@ -v0.0.2 diff --git a/images/opentelemetry/cloudbuild.yaml b/images/opentelemetry/cloudbuild.yaml deleted file mode 100644 index bc48a93f4..000000000 --- a/images/opentelemetry/cloudbuild.yaml +++ /dev/null @@ -1,20 +0,0 @@ -timeout: 10800s -options: - substitution_option: ALLOW_LOOSE - # job builds a multi-arch docker image for amd64,arm,arm64 and s390x. - machineType: E2_HIGHCPU_32 -steps: - - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90 - entrypoint: bash - env: - - DOCKER_CLI_EXPERIMENTAL=enabled - - REGISTRY=gcr.io/k8s-staging-ingress-nginx - # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx - # set the home to /root explicitly to if using docker buildx - - HOME=/root - args: - - -c - - | - gcloud auth configure-docker \ - && cd images/opentelemetry && make NGINX_VERSION=1.25.3 push \ - && make NGINX_VERSION=1.21.6 push diff --git a/images/opentelemetry/rootfs/CMakeLists.txt b/images/opentelemetry/rootfs/CMakeLists.txt deleted file mode 100644 index 1c68d6fc6..000000000 --- a/images/opentelemetry/rootfs/CMakeLists.txt +++ /dev/null @@ -1,74 +0,0 @@ -#!/bin/bash - -# Copyright 2021 The Kubernetes Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -cmake_minimum_required(VERSION 3.11 FATAL_ERROR) - -project( - dependencies - LANGUAGES CXX - VERSION 0.0.1) - -set(CMAKE_CXX_STANDARD 17) -set(CMAKE_CXX_EXTENSIONS OFF) -set(CMAKE_CXX_STANDARD_REQUIRED ON) -set(CMAKE_CXX_FLAGS "-O2 -fpic") -set(CMAKE_VERBOSE_MAKEFILE ON CACHE BOOL "ON" FORCE) - -set(CMAKE_BUILD_TYPE - Release - CACHE STRING "Build type" FORCE) - -include(GNUInstallDirs) - -set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY - ${PROJECT_BINARY_DIR}/${CMAKE_INSTALL_LIBDIR}) -set(CMAKE_LIBRARY_OUTPUT_DIRECTORY - ${PROJECT_BINARY_DIR}/${CMAKE_INSTALL_LIBDIR}) -set(CMAKE_RUNTIME_OUTPUT_DIRECTORY - ${PROJECT_BINARY_DIR}/${CMAKE_INSTALL_BINDIR}) - -set(INSTALL_LIBDIR - ${CMAKE_INSTALL_LIBDIR} - CACHE PATH "directory for libraries") -set(INSTALL_BINDIR - ${CMAKE_INSTALL_BINDIR} - CACHE PATH "directory for executables") -set(INSTALL_INCLUDEDIR - ${CMAKE_INSTALL_INCLUDEDIR} - CACHE PATH "directory for header files") - -set(DEF_INSTALL_CMAKEDIR share/cmake/${PROJECT_NAME}) -set(INSTALL_CMAKEDIR - ${DEF_INSTALL_CMAKEDIR} - CACHE PATH "directory for CMake files") - -set_property(DIRECTORY PROPERTY EP_BASE ${CMAKE_BINARY_DIR}/subs) - -set(STAGED_INSTALL_PREFIX ${CMAKE_BINARY_DIR}/stage) -message(STATUS "${PROJECT_NAME} staged install: ${STAGED_INSTALL_PREFIX}") - -find_package(OpenSSL REQUIRED) -message("OpenSSL include dir: ${OPENSSL_INCLUDE_DIR}") -message("OpenSSL libraries: ${OPENSSL_LIBRARIES}") - -find_package(Protobuf REQUIRED) -find_package(gRPC REQUIRED) -find_package(OpentelemetryCPP REQUIRED) - -install( - DIRECTORY ${STAGED_INSTALL_PREFIX}/ - DESTINATION . - USE_SOURCE_PERMISSIONS) diff --git a/images/opentelemetry/rootfs/Dockerfile b/images/opentelemetry/rootfs/Dockerfile deleted file mode 100644 index eb951e5c4..000000000 --- a/images/opentelemetry/rootfs/Dockerfile +++ /dev/null @@ -1,46 +0,0 @@ -# Copyright 2021 The Kubernetes Authors. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -FROM alpine:3.20.0 as base - -RUN mkdir -p /opt/third_party/install -COPY . /opt/third_party/ - -# install build tools -RUN apk update \ - && apk upgrade \ - && apk add -U bash \ - && bash /opt/third_party/build.sh -p - -ENV NINJA_STATUS "[%p/%f/%t] " - -# install otel_ngx_module.so -FROM base as nginx -ARG NGINX_VERSION=1.25.3 -RUN bash /opt/third_party/build.sh -n ${NGINX_VERSION} - -FROM golang:1.21.6-bullseye as build-init - -WORKDIR /go/src/app -COPY . . - -RUN go mod download -RUN CGO_ENABLED=0 go build -o /go/bin/init_module - -FROM gcr.io/distroless/static-debian11 as final -COPY --from=build-init /go/bin/init_module / -COPY --from=nginx /etc/nginx/modules /etc/nginx/modules - -CMD ["/init_module"] diff --git a/images/opentelemetry/rootfs/build.sh b/images/opentelemetry/rootfs/build.sh deleted file mode 100755 index d46ab9fe5..000000000 --- a/images/opentelemetry/rootfs/build.sh +++ /dev/null @@ -1,162 +0,0 @@ -#!/bin/bash - -# Copyright 2021 The Kubernetes Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -o errexit -set -o nounset -set -o pipefail -set -x -# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp/compare/v1.2.0...main -export OPENTELEMETRY_CPP_VERSION=${OPENTELEMETRY_CPP_VERSION:="v1.11.0"} -export INSTALL_DIR=/opt/third_party/install - -export NGINX_VERSION=${NGINX_VERSION:="1.25.3"} -# improve compilation times -CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1)) - -rm -rf \ - /var/cache/debconf/* \ - /var/lib/apt/lists/* \ - /var/log/* \ - /tmp/* \ - /var/tmp/* - -export BUILD_PATH=/tmp/build -mkdir --verbose -p "$BUILD_PATH" - -Help() -{ - # Display Help - echo "Add description of the script functions here." - echo - echo "Syntax: scriptTemplate [-h|o|n|p|]" - echo "options:" - echo "h Print Help." - echo "o OpenTelemetry git tag" - echo "n install nginx" - echo "p prepare" - echo -} - -prepare() -{ - echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories - apk add \ - linux-headers \ - cmake \ - ninja \ - openssl \ - curl-dev \ - openssl-dev \ - gtest-dev \ - c-ares-dev \ - pcre-dev \ - curl \ - git \ - build-base \ - coreutils \ - build-base \ - openssl-dev \ - pkgconfig \ - c-ares-dev \ - re2-dev \ - grpc-dev \ - protobuf-dev \ - opentelemetry-cpp-dev - - git config --global http.version HTTP/1.1 - git config --global http.postBuffer 157286400 -} - -install_otel() -{ - cd ${BUILD_PATH} - export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+LD_LIBRARY_PATH:}${INSTALL_DIR}/lib:/usr/local" - export PATH="${PATH}:${INSTALL_DIR}/bin" - git clone --recurse-submodules -j ${CORES} --depth=1 -b \ - ${OPENTELEMETRY_CPP_VERSION} https://github.com/open-telemetry/opentelemetry-cpp.git opentelemetry-cpp-${OPENTELEMETRY_CPP_VERSION} - cd "opentelemetry-cpp-${OPENTELEMETRY_CPP_VERSION}" - mkdir -p .build - cd .build - - cmake -DCMAKE_BUILD_TYPE=Release \ - -G Ninja \ - -DCMAKE_CXX_STANDARD=17 \ - -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE \ - -DWITH_ZIPKIN=OFF \ - -DCMAKE_INSTALL_PREFIX=${INSTALL_DIR} \ - -DBUILD_TESTING=OFF \ - -DWITH_BENCHMARK=OFF \ - -DWITH_FUNC_TESTS=OFF \ - -DBUILD_SHARED_LIBS=OFF \ - -DWITH_OTLP_GRPC=ON \ - -DWITH_OTLP_HTTP=OFF \ - -DWITH_ABSEIL=ON \ - -DWITH_EXAMPLES=OFF \ - -DWITH_NO_DEPRECATED_CODE=ON \ - .. - cmake --build . -j ${CORES} --target install -} - -install_nginx() -{ - - # Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp-contrib/compare/2656a4...main - export OPENTELEMETRY_CONTRIB_COMMIT=aaa51e2297bcb34297f3c7aa44fa790497d2f7f3 - - mkdir -p /etc/nginx - cd "$BUILD_PATH" - - # TODO fix curl - # get_src 0528e793a97f942868616449d49326160f9cb67b2253fb2c4864603ac6ab09a9 \ - # "https://github.com/open-telemetry/opentelemetry-cpp-contrib/archive/$OPENTELEMETRY_CONTRIB_COMMIT.tar.gz" - - git clone https://github.com/open-telemetry/opentelemetry-cpp-contrib.git \ - opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT} - cd ${BUILD_PATH}/opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT} - git reset --hard ${OPENTELEMETRY_CONTRIB_COMMIT} - cd ${BUILD_PATH}/opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT}/instrumentation/nginx - mkdir -p build - cd build - cmake -DCMAKE_BUILD_TYPE=Release \ - -G Ninja \ - -DCMAKE_CXX_STANDARD=17 \ - -DCMAKE_INSTALL_PREFIX=${INSTALL_DIR} \ - -DBUILD_SHARED_LIBS=ON \ - -DNGINX_VERSION=${NGINX_VERSION} \ - .. - cmake --build . -j ${CORES} --target install - - mkdir -p /etc/nginx/modules - cp ${INSTALL_DIR}/otel_ngx_module.so /etc/nginx/modules/otel_ngx_module.so -} - -while getopts ":phn:" option; do - case $option in - h) # display Help - Help - exit;; - p) # prepare - prepare - exit;; - n) # install nginx - NGINX_VERSION=${OPTARG} - install_nginx - exit;; - \?) - Help - exit;; - esac -done diff --git a/images/opentelemetry/rootfs/go.mod b/images/opentelemetry/rootfs/go.mod deleted file mode 100644 index 9c183ef06..000000000 --- a/images/opentelemetry/rootfs/go.mod +++ /dev/null @@ -1,3 +0,0 @@ -module init-otel - -go 1.21 diff --git a/images/opentelemetry/rootfs/init_module.go b/images/opentelemetry/rootfs/init_module.go deleted file mode 100644 index 5d285052d..000000000 --- a/images/opentelemetry/rootfs/init_module.go +++ /dev/null @@ -1,103 +0,0 @@ -/* -Copyright 2023 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package main - -import ( - "fmt" - "io" - "os" - "path/filepath" -) - -func main() { - // Enable error handling for all operations - err := run() - if err != nil { - fmt.Fprintf(os.Stderr, "Error: %v\n", err) - os.Exit(1) - } -} - -func run() error { - // Create the target directory if it doesn't exist - targetDir := "/modules_mount/etc/nginx/modules/otel" - err := os.MkdirAll(targetDir, os.ModePerm) - if err != nil { - return fmt.Errorf("failed to create target directory: %w", err) - } - - // Copy files from source directory to target directory - sourceDir := "/etc/nginx/modules/" - err = filepath.Walk(sourceDir, func(path string, info os.FileInfo, err error) error { - if err != nil { - return err - } - - // Skip directories - if info.IsDir() { - return nil - } - - // Calculate the destination path - relPath, err := filepath.Rel(sourceDir, path) - if err != nil { - return err - } - destPath := filepath.Join(targetDir, relPath) - - // Create the destination directory if it doesn't exist - destDir := filepath.Dir(destPath) - err = os.MkdirAll(destDir, os.ModePerm) - if err != nil { - return err - } - - // Copy the file - err = copyFile(path, destPath) - if err != nil { - return err - } - - return nil - }) - if err != nil { - return fmt.Errorf("failed to copy files: %w", err) - } - - return nil -} - -func copyFile(sourcePath, destPath string) error { - sourceFile, err := os.Open(sourcePath) - if err != nil { - return err - } - defer sourceFile.Close() - - destFile, err := os.Create(destPath) - if err != nil { - return err - } - defer destFile.Close() - - _, err = io.Copy(destFile, sourceFile) - if err != nil { - return err - } - - return nil -} diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile index 9045b8a53..74da2082f 100644 --- a/images/test-runner/Makefile +++ b/images/test-runner/Makefile @@ -59,7 +59,7 @@ image: --build-arg YAML_LINT_VERSION=1.33.0 \ --build-arg YAMALE_VERSION=4.0.4 \ --build-arg HELM_VERSION=3.14.4 \ - --build-arg GINKGO_VERSION=2.19.1 \ + --build-arg GINKGO_VERSION=2.20.2 \ --build-arg GOLINT_VERSION=latest \ -t ${IMAGE}:${TAG} rootfs @@ -80,7 +80,7 @@ build: ensure-buildx --build-arg YAML_LINT_VERSION=1.33.0 \ --build-arg YAMALE_VERSION=4.0.4 \ --build-arg HELM_VERSION=3.14.4 \ - --build-arg GINKGO_VERSION=2.19.1 \ + --build-arg GINKGO_VERSION=2.20.2 \ --build-arg GOLINT_VERSION=latest \ -t ${IMAGE}:${TAG} rootfs diff --git a/images/test-runner/TAG b/images/test-runner/TAG index 3ce186fb7..795460fce 100644 --- a/images/test-runner/TAG +++ b/images/test-runner/TAG @@ -1 +1 @@ -v0.0.8 +v1.1.0 diff --git a/images/test-runner/cloudbuild.yaml b/images/test-runner/cloudbuild.yaml index b17de9b31..b9df15a5e 100644 --- a/images/test-runner/cloudbuild.yaml +++ b/images/test-runner/cloudbuild.yaml @@ -1,17 +1,11 @@ -timeout: 3600s options: + # Ignore Prow provided substitutions. substitution_option: ALLOW_LOOSE steps: - - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90 - entrypoint: bash + - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20240718-5ef92b5c36 env: - - DOCKER_CLI_EXPERIMENTAL=enabled - REGISTRY=gcr.io/k8s-staging-ingress-nginx - # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx - # set the home to /root explicitly to if using docker buildx - - HOME=/root + entrypoint: bash args: - - -c - - | - gcloud auth configure-docker \ - && cd images/test-runner && make push + - -c + - gcloud auth configure-docker && cd images/test-runner && make push diff --git a/images/test-runner/rootfs/Dockerfile b/images/test-runner/rootfs/Dockerfile index ff031182d..7bcc2f25c 100644 --- a/images/test-runner/rootfs/Dockerfile +++ b/images/test-runner/rootfs/Dockerfile @@ -48,7 +48,7 @@ RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH" COPY --from=etcd /usr/local/bin/etcd /usr/local/bin/etcd -RUN echo "@testing https://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories +RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories RUN apk update && apk upgrade && apk add --no-cache \ bash \ @@ -66,8 +66,8 @@ RUN apk update && apk upgrade && apk add --no-cache \ openssl \ cfssl@testing \ tzdata \ - libc6-compat \ - sqlite-dev + libc6-compat \ + sqlite-dev RUN go install -v github.com/onsi/ginkgo/v2/ginkgo@v${GINKGO_VERSION} \ && go install golang.org/x/lint/golint@${GOLINT_VERSION} diff --git a/internal/admission/controller/server.go b/internal/admission/controller/server.go index 7fc61bcbb..74f55fd01 100644 --- a/internal/admission/controller/server.go +++ b/internal/admission/controller/server.go @@ -47,7 +47,7 @@ type AdmissionControllerServer struct { AdmissionController AdmissionController } -// NewAdmissionControllerServer instanciates an admission controller server with +// NewAdmissionControllerServer instantiates an admission controller server with // a default codec func NewAdmissionControllerServer(ac AdmissionController) *AdmissionControllerServer { return &AdmissionControllerServer{ diff --git a/internal/ingress/annotations/annotations.go b/internal/ingress/annotations/annotations.go index 0bb2ac7b8..e10cc9be1 100644 --- a/internal/ingress/annotations/annotations.go +++ b/internal/ingress/annotations/annotations.go @@ -19,19 +19,10 @@ package annotations import ( "dario.cat/mergo" - "k8s.io/ingress-nginx/internal/ingress/annotations/canary" - "k8s.io/ingress-nginx/internal/ingress/annotations/customheaders" - "k8s.io/ingress-nginx/internal/ingress/annotations/disableproxyintercepterrors" - "k8s.io/ingress-nginx/internal/ingress/annotations/modsecurity" - "k8s.io/ingress-nginx/internal/ingress/annotations/opentelemetry" - "k8s.io/ingress-nginx/internal/ingress/annotations/proxyssl" - "k8s.io/ingress-nginx/internal/ingress/annotations/sslcipher" - "k8s.io/ingress-nginx/internal/ingress/annotations/streamsnippet" - "k8s.io/klog/v2" - apiv1 "k8s.io/api/core/v1" networking "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/klog/v2" "k8s.io/ingress-nginx/internal/ingress/annotations/alias" "k8s.io/ingress-nginx/internal/ingress/annotations/auth" @@ -39,22 +30,27 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations/authreqglobal" "k8s.io/ingress-nginx/internal/ingress/annotations/authtls" "k8s.io/ingress-nginx/internal/ingress/annotations/backendprotocol" + "k8s.io/ingress-nginx/internal/ingress/annotations/canary" "k8s.io/ingress-nginx/internal/ingress/annotations/clientbodybuffersize" "k8s.io/ingress-nginx/internal/ingress/annotations/connection" "k8s.io/ingress-nginx/internal/ingress/annotations/cors" + "k8s.io/ingress-nginx/internal/ingress/annotations/customheaders" "k8s.io/ingress-nginx/internal/ingress/annotations/customhttperrors" "k8s.io/ingress-nginx/internal/ingress/annotations/defaultbackend" + "k8s.io/ingress-nginx/internal/ingress/annotations/disableproxyintercepterrors" "k8s.io/ingress-nginx/internal/ingress/annotations/fastcgi" - "k8s.io/ingress-nginx/internal/ingress/annotations/globalratelimit" "k8s.io/ingress-nginx/internal/ingress/annotations/http2pushpreload" "k8s.io/ingress-nginx/internal/ingress/annotations/ipallowlist" "k8s.io/ingress-nginx/internal/ingress/annotations/ipdenylist" "k8s.io/ingress-nginx/internal/ingress/annotations/loadbalancing" "k8s.io/ingress-nginx/internal/ingress/annotations/log" "k8s.io/ingress-nginx/internal/ingress/annotations/mirror" + "k8s.io/ingress-nginx/internal/ingress/annotations/modsecurity" + "k8s.io/ingress-nginx/internal/ingress/annotations/opentelemetry" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/internal/ingress/annotations/portinredirect" "k8s.io/ingress-nginx/internal/ingress/annotations/proxy" + "k8s.io/ingress-nginx/internal/ingress/annotations/proxyssl" "k8s.io/ingress-nginx/internal/ingress/annotations/ratelimit" "k8s.io/ingress-nginx/internal/ingress/annotations/redirect" "k8s.io/ingress-nginx/internal/ingress/annotations/rewrite" @@ -63,7 +59,9 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations/serviceupstream" "k8s.io/ingress-nginx/internal/ingress/annotations/sessionaffinity" "k8s.io/ingress-nginx/internal/ingress/annotations/snippet" + "k8s.io/ingress-nginx/internal/ingress/annotations/sslcipher" "k8s.io/ingress-nginx/internal/ingress/annotations/sslpassthrough" + "k8s.io/ingress-nginx/internal/ingress/annotations/streamsnippet" "k8s.io/ingress-nginx/internal/ingress/annotations/upstreamhashby" "k8s.io/ingress-nginx/internal/ingress/annotations/upstreamvhost" "k8s.io/ingress-nginx/internal/ingress/annotations/xforwardedprefix" @@ -99,7 +97,6 @@ type Ingress struct { Proxy proxy.Config ProxySSL proxyssl.Config RateLimit ratelimit.Config - GlobalRateLimit globalratelimit.Config Redirect redirect.Config Rewrite rewrite.Config Satisfy string @@ -126,52 +123,55 @@ type Extractor struct { annotations map[string]parser.IngressAnnotation } +func NewAnnotationFactory(cfg resolver.Resolver) map[string]parser.IngressAnnotation { + return map[string]parser.IngressAnnotation{ + "Aliases": alias.NewParser(cfg), + "BasicDigestAuth": auth.NewParser(auth.AuthDirectory, cfg), + "Canary": canary.NewParser(cfg), + "CertificateAuth": authtls.NewParser(cfg), + "ClientBodyBufferSize": clientbodybuffersize.NewParser(cfg), + "CustomHeaders": customheaders.NewParser(cfg), + "ConfigurationSnippet": snippet.NewParser(cfg), + "Connection": connection.NewParser(cfg), + "CorsConfig": cors.NewParser(cfg), + "CustomHTTPErrors": customhttperrors.NewParser(cfg), + "DisableProxyInterceptErrors": disableproxyintercepterrors.NewParser(cfg), + "DefaultBackend": defaultbackend.NewParser(cfg), + "FastCGI": fastcgi.NewParser(cfg), + "ExternalAuth": authreq.NewParser(cfg), + "EnableGlobalAuth": authreqglobal.NewParser(cfg), + "HTTP2PushPreload": http2pushpreload.NewParser(cfg), + "Opentelemetry": opentelemetry.NewParser(cfg), + "Proxy": proxy.NewParser(cfg), + "ProxySSL": proxyssl.NewParser(cfg), + "RateLimit": ratelimit.NewParser(cfg), + "Redirect": redirect.NewParser(cfg), + "Rewrite": rewrite.NewParser(cfg), + "Satisfy": satisfy.NewParser(cfg), + "ServerSnippet": serversnippet.NewParser(cfg), + "ServiceUpstream": serviceupstream.NewParser(cfg), + "SessionAffinity": sessionaffinity.NewParser(cfg), + "SSLPassthrough": sslpassthrough.NewParser(cfg), + "UsePortInRedirects": portinredirect.NewParser(cfg), + "UpstreamHashBy": upstreamhashby.NewParser(cfg), + "LoadBalancing": loadbalancing.NewParser(cfg), + "UpstreamVhost": upstreamvhost.NewParser(cfg), + "Allowlist": ipallowlist.NewParser(cfg), + "Denylist": ipdenylist.NewParser(cfg), + "XForwardedPrefix": xforwardedprefix.NewParser(cfg), + "SSLCipher": sslcipher.NewParser(cfg), + "Logs": log.NewParser(cfg), + "BackendProtocol": backendprotocol.NewParser(cfg), + "ModSecurity": modsecurity.NewParser(cfg), + "Mirror": mirror.NewParser(cfg), + "StreamSnippet": streamsnippet.NewParser(cfg), + } +} + // NewAnnotationExtractor creates a new annotations extractor func NewAnnotationExtractor(cfg resolver.Resolver) Extractor { return Extractor{ - map[string]parser.IngressAnnotation{ - "Aliases": alias.NewParser(cfg), - "BasicDigestAuth": auth.NewParser(auth.AuthDirectory, cfg), - "Canary": canary.NewParser(cfg), - "CertificateAuth": authtls.NewParser(cfg), - "ClientBodyBufferSize": clientbodybuffersize.NewParser(cfg), - "CustomHeaders": customheaders.NewParser(cfg), - "ConfigurationSnippet": snippet.NewParser(cfg), - "Connection": connection.NewParser(cfg), - "CorsConfig": cors.NewParser(cfg), - "CustomHTTPErrors": customhttperrors.NewParser(cfg), - "DisableProxyInterceptErrors": disableproxyintercepterrors.NewParser(cfg), - "DefaultBackend": defaultbackend.NewParser(cfg), - "FastCGI": fastcgi.NewParser(cfg), - "ExternalAuth": authreq.NewParser(cfg), - "EnableGlobalAuth": authreqglobal.NewParser(cfg), - "HTTP2PushPreload": http2pushpreload.NewParser(cfg), - "Opentelemetry": opentelemetry.NewParser(cfg), - "Proxy": proxy.NewParser(cfg), - "ProxySSL": proxyssl.NewParser(cfg), - "RateLimit": ratelimit.NewParser(cfg), - "GlobalRateLimit": globalratelimit.NewParser(cfg), - "Redirect": redirect.NewParser(cfg), - "Rewrite": rewrite.NewParser(cfg), - "Satisfy": satisfy.NewParser(cfg), - "ServerSnippet": serversnippet.NewParser(cfg), - "ServiceUpstream": serviceupstream.NewParser(cfg), - "SessionAffinity": sessionaffinity.NewParser(cfg), - "SSLPassthrough": sslpassthrough.NewParser(cfg), - "UsePortInRedirects": portinredirect.NewParser(cfg), - "UpstreamHashBy": upstreamhashby.NewParser(cfg), - "LoadBalancing": loadbalancing.NewParser(cfg), - "UpstreamVhost": upstreamvhost.NewParser(cfg), - "Allowlist": ipallowlist.NewParser(cfg), - "Denylist": ipdenylist.NewParser(cfg), - "XForwardedPrefix": xforwardedprefix.NewParser(cfg), - "SSLCipher": sslcipher.NewParser(cfg), - "Logs": log.NewParser(cfg), - "BackendProtocol": backendprotocol.NewParser(cfg), - "ModSecurity": modsecurity.NewParser(cfg), - "Mirror": mirror.NewParser(cfg), - "StreamSnippet": streamsnippet.NewParser(cfg), - }, + NewAnnotationFactory(cfg), } } diff --git a/internal/ingress/annotations/authtls/main.go b/internal/ingress/annotations/authtls/main.go index b331a215e..1c6bad485 100644 --- a/internal/ingress/annotations/authtls/main.go +++ b/internal/ingress/annotations/authtls/main.go @@ -41,7 +41,7 @@ const ( ) var ( - authVerifyClientRegex = regexp.MustCompile(`on|off|optional|optional_no_ca`) + authVerifyClientRegex = regexp.MustCompile(`^(on|off|optional|optional_no_ca)$`) redirectRegex = regexp.MustCompile(`^((https?://)?[A-Za-z0-9\-.]*(:\d+)?/[A-Za-z0-9\-.]*)?$`) ) diff --git a/internal/ingress/annotations/cors/main.go b/internal/ingress/annotations/cors/main.go index d6e92b34d..b81514820 100644 --- a/internal/ingress/annotations/cors/main.go +++ b/internal/ingress/annotations/cors/main.go @@ -43,9 +43,9 @@ var ( // * Sets a group that can be (https?://)?*?.something.com:port? // * Allows this to be repeated as much as possible, and separated by comma // Otherwise it should be '*' - corsOriginRegexValidator = regexp.MustCompile(`^((((https?://)?(\*\.)?[A-Za-z0-9\-.]*(:\d+)?,?)+)|\*)?$`) + corsOriginRegexValidator = regexp.MustCompile(`^(((([a-z]+://)?(\*\.)?[A-Za-z0-9\-.]*(:\d+)?,?)+)|\*)?$`) // corsOriginRegex defines the regex for validation inside Parse - corsOriginRegex = regexp.MustCompile(`^(https?://(\*\.)?[A-Za-z0-9\-.]*(:\d+)?|\*)?$`) + corsOriginRegex = regexp.MustCompile(`^([a-z]+://(\*\.)?[A-Za-z0-9\-.]*(:\d+)?|\*)?$`) // Method must contain valid methods list (PUT, GET, POST, BLA) // May contain or not spaces between each verb corsMethodsRegex = regexp.MustCompile(`^([A-Za-z]+,?\s?)+$`) @@ -78,8 +78,9 @@ var corsAnnotation = parser.Annotation{ Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation controls what's the accepted Origin for CORS. - This is a multi-valued field, separated by ','. It must follow this format: http(s)://origin-site.com or http(s)://origin-site.com:port - It also supports single level wildcard subdomains and follows this format: http(s)://*.foo.bar, http(s)://*.bar.foo:8080 or http(s)://*.abc.bar.foo:9000`, + This is a multi-valued field, separated by ','. It must follow this format: protocol://origin-site.com or protocol://origin-site.com:port + It also supports single level wildcard subdomains and follows this format: https://*.foo.bar, http://*.bar.foo:8080 or myprotocol://*.abc.bar.foo:9000 + Protocol can be any lowercase string, like http, https, or mycustomprotocol.`, }, corsAllowHeadersAnnotation: { Validator: parser.ValidateRegex(parser.HeadersVariable, true), diff --git a/internal/ingress/annotations/cors/main_test.go b/internal/ingress/annotations/cors/main_test.go index a69390a17..dee36fcae 100644 --- a/internal/ingress/annotations/cors/main_test.go +++ b/internal/ingress/annotations/cors/main_test.go @@ -27,6 +27,8 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const enableAnnotation = "true" + func buildIngress() *networking.Ingress { defaultBackend := networking.IngressBackend{ Service: &networking.IngressServiceBackend{ @@ -76,7 +78,7 @@ func TestIngressCorsConfigValid(t *testing.T) { data := map[string]string{} // Valid - data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)] = "true" + data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)] = enableAnnotation data[parser.GetAnnotationWithPrefix(corsAllowHeadersAnnotation)] = "DNT,X-CustomHeader, Keep-Alive,User-Agent" data[parser.GetAnnotationWithPrefix(corsAllowCredentialsAnnotation)] = "false" data[parser.GetAnnotationWithPrefix(corsAllowMethodsAnnotation)] = "GET, PATCH" @@ -178,7 +180,7 @@ func TestIngresCorsConfigAllowOriginWithTrailingComma(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)] = "true" + data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)] = enableAnnotation // Include a trailing comma and an empty value between the commas. data[parser.GetAnnotationWithPrefix(corsAllowOriginAnnotation)] = "https://origin123.test.com:4443, ,https://origin321.test.com:4443," @@ -203,3 +205,33 @@ func TestIngresCorsConfigAllowOriginWithTrailingComma(t *testing.T) { t.Errorf("expected %v but returned %v", expectedCorsAllowOrigins, nginxCors.CorsAllowOrigin) } } + +func TestIngressCorsConfigAllowOriginWithNonHttpProtocol(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)] = enableAnnotation + + // Include a trailing comma and an empty value between the commas. + data[parser.GetAnnotationWithPrefix(corsAllowOriginAnnotation)] = "test://localhost" + ing.SetAnnotations(data) + + corst, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("error parsing annotations: %v", err) + } + + nginxCors, ok := corst.(*Config) + if !ok { + t.Errorf("expected a Config type but returned %t", corst) + } + + if !nginxCors.CorsEnabled { + t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)], nginxCors.CorsEnabled) + } + + expectedCorsAllowOrigins := []string{"test://localhost"} + if !reflect.DeepEqual(nginxCors.CorsAllowOrigin, expectedCorsAllowOrigins) { + t.Errorf("expected %v but returned %v", expectedCorsAllowOrigins, nginxCors.CorsAllowOrigin) + } +} diff --git a/internal/ingress/annotations/globalratelimit/main.go b/internal/ingress/annotations/globalratelimit/main.go deleted file mode 100644 index 0aec29f66..000000000 --- a/internal/ingress/annotations/globalratelimit/main.go +++ /dev/null @@ -1,179 +0,0 @@ -/* -Copyright 2020 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package globalratelimit - -import ( - "fmt" - "strings" - "time" - - networking "k8s.io/api/networking/v1" - "k8s.io/klog/v2" - - "k8s.io/ingress-nginx/internal/ingress/annotations/parser" - ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" - "k8s.io/ingress-nginx/internal/ingress/resolver" - "k8s.io/ingress-nginx/internal/net" - "k8s.io/ingress-nginx/pkg/util/sets" -) - -const defaultKey = "$remote_addr" - -const ( - globalRateLimitAnnotation = "global-rate-limit" - globalRateLimitWindowAnnotation = "global-rate-limit-window" - globalRateLimitKeyAnnotation = "global-rate-limit-key" - globalRateLimitIgnoredCidrsAnnotation = "global-rate-limit-ignored-cidrs" -) - -var globalRateLimitAnnotationConfig = parser.Annotation{ - Group: "ratelimit", - Annotations: parser.AnnotationFields{ - globalRateLimitAnnotation: { - Validator: parser.ValidateInt, - Scope: parser.AnnotationScopeIngress, - Risk: parser.AnnotationRiskLow, - Documentation: `This annotation configures maximum allowed number of requests per window`, - }, - globalRateLimitWindowAnnotation: { - Validator: parser.ValidateDuration, - Scope: parser.AnnotationScopeIngress, - Risk: parser.AnnotationRiskLow, - Documentation: `Configures a time window (i.e 1m) that the limit is applied`, - }, - globalRateLimitKeyAnnotation: { - Validator: parser.ValidateRegex(parser.NGINXVariable, true), - Scope: parser.AnnotationScopeIngress, - Risk: parser.AnnotationRiskHigh, - Documentation: `This annotation Configures a key for counting the samples. Defaults to $remote_addr. - You can also combine multiple NGINX variables here, like ${remote_addr}-${http_x_api_client} which would mean the limit will be applied to - requests coming from the same API client (indicated by X-API-Client HTTP request header) with the same source IP address`, - }, - globalRateLimitIgnoredCidrsAnnotation: { - Validator: parser.ValidateCIDRs, - Scope: parser.AnnotationScopeIngress, - Risk: parser.AnnotationRiskMedium, - Documentation: `This annotation defines a comma separated list of IPs and CIDRs to match client IP against. - When there's a match request is not considered for rate limiting.`, - }, - }, -} - -// Config encapsulates all global rate limit attributes -type Config struct { - Namespace string `json:"namespace"` - Limit int `json:"limit"` - WindowSize int `json:"window-size"` - Key string `json:"key"` - IgnoredCIDRs []string `json:"ignored-cidrs"` -} - -// Equal tests for equality between two Config types -func (l *Config) Equal(r *Config) bool { - if l.Namespace != r.Namespace { - return false - } - if l.Limit != r.Limit { - return false - } - if l.WindowSize != r.WindowSize { - return false - } - if l.Key != r.Key { - return false - } - if len(l.IgnoredCIDRs) != len(r.IgnoredCIDRs) || !sets.StringElementsMatch(l.IgnoredCIDRs, r.IgnoredCIDRs) { - return false - } - - return true -} - -type globalratelimit struct { - r resolver.Resolver - annotationConfig parser.Annotation -} - -// NewParser creates a new globalratelimit annotation parser -func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return globalratelimit{ - r: r, - annotationConfig: globalRateLimitAnnotationConfig, - } -} - -// Parse extracts globalratelimit annotations from the given ingress -// and returns them structured as Config type -func (a globalratelimit) Parse(ing *networking.Ingress) (interface{}, error) { - config := &Config{} - - limit, err := parser.GetIntAnnotation(globalRateLimitAnnotation, ing, a.annotationConfig.Annotations) - if err != nil && ing_errors.IsInvalidContent(err) { - return nil, err - } - rawWindowSize, err := parser.GetStringAnnotation(globalRateLimitWindowAnnotation, ing, a.annotationConfig.Annotations) - if err != nil && ing_errors.IsValidationError(err) { - return config, ing_errors.LocationDeniedError{ - Reason: fmt.Errorf("failed to parse 'global-rate-limit-window' value: %w", err), - } - } - - if limit == 0 || rawWindowSize == "" { - return config, nil - } - - windowSize, err := time.ParseDuration(rawWindowSize) - if err != nil { - return config, ing_errors.LocationDeniedError{ - Reason: fmt.Errorf("failed to parse 'global-rate-limit-window' value: %w", err), - } - } - - key, err := parser.GetStringAnnotation(globalRateLimitKeyAnnotation, ing, a.annotationConfig.Annotations) - if err != nil { - klog.Warningf("invalid %s, defaulting to %s", globalRateLimitKeyAnnotation, defaultKey) - } - if key == "" { - key = defaultKey - } - - rawIgnoredCIDRs, err := parser.GetStringAnnotation(globalRateLimitIgnoredCidrsAnnotation, ing, a.annotationConfig.Annotations) - if err != nil && ing_errors.IsInvalidContent(err) { - return nil, err - } - ignoredCIDRs, err := net.ParseCIDRs(rawIgnoredCIDRs) - if err != nil { - return nil, err - } - - config.Namespace = strings.ReplaceAll(string(ing.UID), "-", "") - config.Limit = limit - config.WindowSize = int(windowSize.Seconds()) - config.Key = key - config.IgnoredCIDRs = ignoredCIDRs - - return config, nil -} - -func (a globalratelimit) GetDocumentation() parser.AnnotationFields { - return a.annotationConfig.Annotations -} - -func (a globalratelimit) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) - return parser.CheckAnnotationRisk(anns, maxrisk, globalRateLimitAnnotationConfig.Annotations) -} diff --git a/internal/ingress/annotations/globalratelimit/main_test.go b/internal/ingress/annotations/globalratelimit/main_test.go deleted file mode 100644 index b1a7ab71b..000000000 --- a/internal/ingress/annotations/globalratelimit/main_test.go +++ /dev/null @@ -1,211 +0,0 @@ -/* -Copyright 2020 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package globalratelimit - -import ( - "encoding/json" - "fmt" - "testing" - - api "k8s.io/api/core/v1" - networking "k8s.io/api/networking/v1" - meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - "k8s.io/ingress-nginx/internal/ingress/annotations/parser" - ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" - "k8s.io/ingress-nginx/internal/ingress/resolver" -) - -const ( - UID = "31285d47-b150-4dcf-bd6f-12c46d769f6e" - expectedUID = "31285d47b1504dcfbd6f12c46d769f6e" -) - -func buildIngress() *networking.Ingress { - defaultBackend := networking.IngressBackend{ - Service: &networking.IngressServiceBackend{ - Name: "default-backend", - Port: networking.ServiceBackendPort{ - Number: 80, - }, - }, - } - - return &networking.Ingress{ - ObjectMeta: meta_v1.ObjectMeta{ - Name: "foo", - Namespace: api.NamespaceDefault, - UID: UID, - }, - Spec: networking.IngressSpec{ - DefaultBackend: &networking.IngressBackend{ - Service: &networking.IngressServiceBackend{ - Name: "default-backend", - Port: networking.ServiceBackendPort{ - Number: 80, - }, - }, - }, - Rules: []networking.IngressRule{ - { - Host: "foo.bar.com", - IngressRuleValue: networking.IngressRuleValue{ - HTTP: &networking.HTTPIngressRuleValue{ - Paths: []networking.HTTPIngressPath{ - { - Path: "/foo", - Backend: defaultBackend, - }, - }, - }, - }, - }, - }, - }, - } -} - -type mockBackend struct { - resolver.Mock -} - -func TestGlobalRateLimiting(t *testing.T) { - ing := buildIngress() - - annRateLimit := parser.GetAnnotationWithPrefix("global-rate-limit") - annRateLimitWindow := parser.GetAnnotationWithPrefix("global-rate-limit-window") - annRateLimitKey := parser.GetAnnotationWithPrefix("global-rate-limit-key") - annRateLimitIgnoredCIDRs := parser.GetAnnotationWithPrefix("global-rate-limit-ignored-cidrs") - - testCases := []struct { - title string - annotations map[string]string - expectedConfig *Config - expectedErr error - }{ - { - "no annotation", - nil, - &Config{}, - nil, - }, - { - "minimum required annotations", - map[string]string{ - annRateLimit: "100", - annRateLimitWindow: "2m", - }, - &Config{ - Namespace: expectedUID, - Limit: 100, - WindowSize: 120, - Key: "$remote_addr", - IgnoredCIDRs: make([]string, 0), - }, - nil, - }, - { - "global-rate-limit-key annotation", - map[string]string{ - annRateLimit: "100", - annRateLimitWindow: "2m", - annRateLimitKey: "$http_x_api_user", - }, - &Config{ - Namespace: expectedUID, - Limit: 100, - WindowSize: 120, - Key: "$http_x_api_user", - IgnoredCIDRs: make([]string, 0), - }, - nil, - }, - { - "global-rate-limit-ignored-cidrs annotation", - map[string]string{ - annRateLimit: "100", - annRateLimitWindow: "2m", - annRateLimitKey: "$http_x_api_user", - annRateLimitIgnoredCIDRs: "127.0.0.1, 200.200.24.0/24", - }, - &Config{ - Namespace: expectedUID, - Limit: 100, - WindowSize: 120, - Key: "$http_x_api_user", - IgnoredCIDRs: []string{"127.0.0.1", "200.200.24.0/24"}, - }, - nil, - }, - { - "global-rate-limit-complex-key", - map[string]string{ - annRateLimit: "100", - annRateLimitWindow: "2m", - annRateLimitKey: "${http_x_api_user}${otherinfo}", - }, - &Config{ - Namespace: expectedUID, - Limit: 100, - WindowSize: 120, - Key: "${http_x_api_user}${otherinfo}", - IgnoredCIDRs: make([]string, 0), - }, - nil, - }, - { - "incorrect duration for window", - map[string]string{ - annRateLimit: "100", - annRateLimitWindow: "2mb", - annRateLimitKey: "$http_x_api_user", - }, - &Config{}, - ing_errors.ValidationError{ - Reason: fmt.Errorf("failed to parse 'global-rate-limit-window' value: annotation nginx.ingress.kubernetes.io/global-rate-limit-window contains invalid value"), - }, - }, - } - - for _, testCase := range testCases { - ing.SetAnnotations(testCase.annotations) - - i, actualErr := NewParser(mockBackend{}).Parse(ing) - if (testCase.expectedErr == nil || actualErr == nil) && testCase.expectedErr != actualErr { - t.Errorf("%s expected error '%v' but got '%v'", testCase.title, testCase.expectedErr, actualErr) - } else if testCase.expectedErr != nil && actualErr != nil && - testCase.expectedErr.Error() != actualErr.Error() { - t.Errorf("expected error '%v' but got '%v'", testCase.expectedErr, actualErr) - } - - actualConfig, ok := i.(*Config) - if !ok { - t.Errorf("expected Config type but got %T", i) - } - if !testCase.expectedConfig.Equal(actualConfig) { - expectedJSON, err := json.Marshal(testCase.expectedConfig) - if err != nil { - t.Errorf("failed to marshal expected config: %v", err) - } - actualJSON, err := json.Marshal(actualConfig) - if err != nil { - t.Errorf("failed to marshal actual config: %v", err) - } - t.Errorf("%v: expected config '%s' but got '%s'", testCase.title, expectedJSON, actualJSON) - } - } -} diff --git a/internal/ingress/annotations/loadbalancing/main.go b/internal/ingress/annotations/loadbalancing/main.go index ee89d2c1b..0e5ca8bd8 100644 --- a/internal/ingress/annotations/loadbalancing/main.go +++ b/internal/ingress/annotations/loadbalancing/main.go @@ -23,22 +23,22 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) -// LB Alghorithms are defined in https://github.com/kubernetes/ingress-nginx/blob/d3e75b056f77be54e01bdb18675f1bb46caece31/rootfs/etc/nginx/lua/balancer.lua#L28 +// LB Algorithms are defined in https://github.com/kubernetes/ingress-nginx/blob/d3e75b056f77be54e01bdb18675f1bb46caece31/rootfs/etc/nginx/lua/balancer.lua#L28 const ( - loadBalanceAlghoritmAnnotation = "load-balance" + loadBalanceAlgorithmAnnotation = "load-balance" ) -var loadBalanceAlghoritms = []string{"round_robin", "chash", "chashsubset", "sticky_balanced", "sticky_persistent", "ewma"} +var loadBalanceAlgorithms = []string{"round_robin", "chash", "chashsubset", "sticky_balanced", "sticky_persistent", "ewma"} var loadBalanceAnnotations = parser.Annotation{ Group: "backend", Annotations: parser.AnnotationFields{ - loadBalanceAlghoritmAnnotation: { - Validator: parser.ValidateOptions(loadBalanceAlghoritms, true, true), + loadBalanceAlgorithmAnnotation: { + Validator: parser.ValidateOptions(loadBalanceAlgorithms, true, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskLow, - Documentation: `This annotation allows setting the load balancing alghorithm that should be used. If none is specified, defaults to + Documentation: `This annotation allows setting the load balancing algorithm that should be used. If none is specified, defaults to the default configured by Ingress admin, otherwise to round_robin`, }, }, @@ -61,7 +61,7 @@ func NewParser(r resolver.Resolver) parser.IngressAnnotation { // used to indicate if the location/s contains a fragment of // configuration to be included inside the paths of the rules func (a loadbalancing) Parse(ing *networking.Ingress) (interface{}, error) { - return parser.GetStringAnnotation(loadBalanceAlghoritmAnnotation, ing, a.annotationConfig.Annotations) + return parser.GetStringAnnotation(loadBalanceAlgorithmAnnotation, ing, a.annotationConfig.Annotations) } func (a loadbalancing) GetDocumentation() parser.AnnotationFields { diff --git a/internal/ingress/annotations/mirror/main_test.go b/internal/ingress/annotations/mirror/main_test.go index 1f6b44d61..805f1ef6d 100644 --- a/internal/ingress/annotations/mirror/main_test.go +++ b/internal/ingress/annotations/mirror/main_test.go @@ -90,7 +90,7 @@ func TestParse(t *testing.T) { Target: "http://some.test.env.com:2121/$someparam=1&$someotherparam=2", Host: "some.test.env.com", }}, - {map[string]string{backendURL: "http://some.test.env.com", host: "someInvalidParm.%^&*()_=!@#'\""}, &Config{ + {map[string]string{backendURL: "http://some.test.env.com", host: "someInvalidParam.%^&*()_=!@#'\""}, &Config{ Source: ngxURI, RequestBody: "on", Target: "http://some.test.env.com", diff --git a/internal/ingress/annotations/parser/main.go b/internal/ingress/annotations/parser/main.go index 554ad9dde..3137afbfd 100644 --- a/internal/ingress/annotations/parser/main.go +++ b/internal/ingress/annotations/parser/main.go @@ -210,6 +210,21 @@ func StringRiskToRisk(risk string) AnnotationRisk { } } +func (a AnnotationRisk) ToString() string { + switch a { + case AnnotationRiskCritical: + return "Critical" + case AnnotationRiskHigh: + return "High" + case AnnotationRiskMedium: + return "Medium" + case AnnotationRiskLow: + return "Low" + default: + return "Unknown" + } +} + func normalizeString(input string) string { trimmedContent := []string{} for _, line := range strings.Split(input, "\n") { diff --git a/internal/ingress/annotations/parser/validators.go b/internal/ingress/annotations/parser/validators.go index ffb4d9ba9..31524508f 100644 --- a/internal/ingress/annotations/parser/validators.go +++ b/internal/ingress/annotations/parser/validators.go @@ -44,7 +44,7 @@ var ( alphaNumericChars = `\-\.\_\~a-zA-Z0-9\/:` extendedAlphaNumeric = alphaNumericChars + ", " regexEnabledChars = regexp.QuoteMeta(`^$[](){}*+?|&=\`) - urlEnabledChars = regexp.QuoteMeta(`:?&=`) + urlEnabledChars = regexp.QuoteMeta(`,:?&=`) ) // IsValidRegex checks if the tested string can be used as a regex, but without any weird character. diff --git a/internal/ingress/annotations/parser/validators_test.go b/internal/ingress/annotations/parser/validators_test.go index ed8449452..6c88342e4 100644 --- a/internal/ingress/annotations/parser/validators_test.go +++ b/internal/ingress/annotations/parser/validators_test.go @@ -55,6 +55,11 @@ func TestValidateArrayOfServerName(t *testing.T) { value: "*.so*mething.com,bla.com", wantErr: false, }, + { + name: "should allow comma separated query params", + value: "https://oauth.example/oauth2/auth?allowed_groups=gid1,gid2", + wantErr: false, + }, { name: "should deny names with weird characters", value: "something.com,lolo;xpto.com,nothing.com", diff --git a/internal/ingress/annotations/redirect/redirect.go b/internal/ingress/annotations/redirect/redirect.go index e774b2fe8..0716e1ce1 100644 --- a/internal/ingress/annotations/redirect/redirect.go +++ b/internal/ingress/annotations/redirect/redirect.go @@ -28,7 +28,10 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) -const defaultPermanentRedirectCode = http.StatusMovedPermanently +const ( + defaultPermanentRedirectCode = http.StatusMovedPermanently + defaultTemporalRedirectCode = http.StatusFound +) // Config returns the redirect configuration for an Ingress rule type Config struct { @@ -40,6 +43,7 @@ type Config struct { const ( fromToWWWRedirAnnotation = "from-to-www-redirect" temporalRedirectAnnotation = "temporal-redirect" + temporalRedirectAnnotationCode = "temporal-redirect-code" permanentRedirectAnnotation = "permanent-redirect" permanentRedirectAnnotationCode = "permanent-redirect-code" ) @@ -60,6 +64,12 @@ var redirectAnnotations = parser.Annotation{ Documentation: `This annotation allows you to return a temporal redirect (Return Code 302) instead of sending data to the upstream. For example setting this annotation to https://www.google.com would redirect everything to Google with a Return Code of 302 (Moved Temporarily).`, }, + temporalRedirectAnnotationCode: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `This annotation allows you to modify the status code used for temporal redirects.`, + }, permanentRedirectAnnotation: { Validator: parser.ValidateRegex(parser.URLIsValidRegex, false), Scope: parser.AnnotationScopeLocation, @@ -105,13 +115,22 @@ func (r redirect) Parse(ing *networking.Ingress) (interface{}, error) { } if tr != "" { + trc, err := parser.GetIntAnnotation(temporalRedirectAnnotationCode, ing, r.annotationConfig.Annotations) + if err != nil && !errors.IsMissingAnnotations(err) { + return nil, err + } + + if trc < http.StatusMultipleChoices || trc > http.StatusTemporaryRedirect { + trc = defaultTemporalRedirectCode + } + if err := isValidURL(tr); err != nil { return nil, err } return &Config{ URL: tr, - Code: http.StatusFound, + Code: trc, FromToWWW: r3w, }, nil } diff --git a/internal/ingress/annotations/redirect/redirect_test.go b/internal/ingress/annotations/redirect/redirect_test.go index bd2f98211..b5c34879e 100644 --- a/internal/ingress/annotations/redirect/redirect_test.go +++ b/internal/ingress/annotations/redirect/redirect_test.go @@ -103,7 +103,7 @@ func TestPermanentRedirectWithCustomCode(t *testing.T) { } } -func TestTemporalRedirect(t *testing.T) { +func TestTemporalRedirectWithDefaultCode(t *testing.T) { rp := NewParser(resolver.Mock{}) if rp == nil { t.Fatalf("Expected a parser.IngressAnnotation but returned nil") @@ -128,10 +128,49 @@ func TestTemporalRedirect(t *testing.T) { t.Errorf("Expected %v as redirect but returned %s", defRedirectURL, redirect.URL) } if redirect.Code != http.StatusFound { - t.Errorf("Expected %v as redirect to have a code %d but had %d", defRedirectURL, defaultPermanentRedirectCode, redirect.Code) + t.Errorf("Expected %v as redirect to have a code %d but had %d", defRedirectURL, http.StatusFound, redirect.Code) } - if redirect.FromToWWW != true { - t.Errorf("Expected %v as redirect to have from-to-www as %v but got %v", defRedirectURL, true, redirect.FromToWWW) +} + +func TestTemporalRedirectWithCustomCode(t *testing.T) { + rp := NewParser(resolver.Mock{}) + if rp == nil { + t.Fatalf("Expected a parser.IngressAnnotation but returned nil") + } + + testCases := map[string]struct { + input int + expectOutput int + }{ + "valid code": {http.StatusTemporaryRedirect, http.StatusTemporaryRedirect}, + "invalid code": {http.StatusTeapot, http.StatusFound}, + } + + for n, tc := range testCases { + t.Run(n, func(t *testing.T) { + ing := new(networking.Ingress) + + data := make(map[string]string, 2) + data[parser.GetAnnotationWithPrefix(fromToWWWRedirAnnotation)] = "true" + data[parser.GetAnnotationWithPrefix(temporalRedirectAnnotation)] = defRedirectURL + data[parser.GetAnnotationWithPrefix(temporalRedirectAnnotationCode)] = strconv.Itoa(tc.input) + ing.SetAnnotations(data) + + i, err := rp.Parse(ing) + if err != nil { + t.Errorf("Unexpected error with ingress: %v", err) + } + redirect, ok := i.(*Config) + if !ok { + t.Errorf("Expected a Redirect type") + } + if redirect.URL != defRedirectURL { + t.Errorf("Expected %v as redirect but returned %s", defRedirectURL, redirect.URL) + } + if redirect.Code != tc.expectOutput { + t.Errorf("Expected %v as redirect to have a code %d but had %d", defRedirectURL, tc.expectOutput, redirect.Code) + } + }) } } diff --git a/internal/ingress/annotations/serversnippet/main.go b/internal/ingress/annotations/serversnippet/main.go index aa15608d0..bce764e69 100644 --- a/internal/ingress/annotations/serversnippet/main.go +++ b/internal/ingress/annotations/serversnippet/main.go @@ -33,7 +33,7 @@ var serverSnippetAnnotations = parser.Annotation{ serverSnippetAnnotation: { Validator: parser.ValidateNull, Scope: parser.AnnotationScopeIngress, - Risk: parser.AnnotationRiskCritical, // Critical, this annotation is not validated at all and allows arbitrary configutations + Risk: parser.AnnotationRiskCritical, // Critical, this annotation is not validated at all and allows arbitrary configurations Documentation: `This annotation allows setting a custom NGINX configuration on a server block. This annotation does not contain any validation and it's usage is not recommended!`, }, }, diff --git a/internal/ingress/annotations/serviceupstream/main.go b/internal/ingress/annotations/serviceupstream/main.go index d1851bc7b..7819d87d8 100644 --- a/internal/ingress/annotations/serviceupstream/main.go +++ b/internal/ingress/annotations/serviceupstream/main.go @@ -34,7 +34,7 @@ var serviceUpstreamAnnotations = parser.Annotation{ serviceUpstreamAnnotation: { Validator: parser.ValidateBool, Scope: parser.AnnotationScopeIngress, - Risk: parser.AnnotationRiskLow, // Critical, this annotation is not validated at all and allows arbitrary configutations + Risk: parser.AnnotationRiskLow, // Critical, this annotation is not validated at all and allows arbitrary configurations Documentation: `This annotation makes NGINX use Service's Cluster IP and Port instead of Endpoints as the backend endpoints`, }, }, diff --git a/internal/ingress/annotations/snippet/main.go b/internal/ingress/annotations/snippet/main.go index 2406093c5..c2df84cdd 100644 --- a/internal/ingress/annotations/snippet/main.go +++ b/internal/ingress/annotations/snippet/main.go @@ -33,7 +33,7 @@ var configurationSnippetAnnotations = parser.Annotation{ configurationSnippetAnnotation: { Validator: parser.ValidateNull, Scope: parser.AnnotationScopeLocation, - Risk: parser.AnnotationRiskCritical, // Critical, this annotation is not validated at all and allows arbitrary configutations + Risk: parser.AnnotationRiskCritical, // Critical, this annotation is not validated at all and allows arbitrary configurations Documentation: `This annotation allows setting a custom NGINX configuration on a location block. This annotation does not contain any validation and it's usage is not recommended!`, }, }, diff --git a/internal/ingress/annotations/streamsnippet/main.go b/internal/ingress/annotations/streamsnippet/main.go index 71ff3b140..7743d3fee 100644 --- a/internal/ingress/annotations/streamsnippet/main.go +++ b/internal/ingress/annotations/streamsnippet/main.go @@ -33,7 +33,7 @@ var streamSnippetAnnotations = parser.Annotation{ streamSnippetAnnotation: { Validator: parser.ValidateNull, Scope: parser.AnnotationScopeIngress, - Risk: parser.AnnotationRiskCritical, // Critical, this annotation is not validated at all and allows arbitrary configutations + Risk: parser.AnnotationRiskCritical, // Critical, this annotation is not validated at all and allows arbitrary configurations Documentation: `This annotation allows setting a custom NGINX configuration on a stream block. This annotation does not contain any validation and it's usage is not recommended!`, }, }, diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go index 5e0ca2296..a0275697f 100644 --- a/internal/ingress/controller/config/config.go +++ b/internal/ingress/controller/config/config.go @@ -119,7 +119,7 @@ type Configuration struct { // By default this is disabled AllowBackendServerHeader bool `json:"allow-backend-server-header"` - // AccessLogParams sets additionals params for access_log + // AccessLogParams sets additional params for access_log // http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log // By default it's empty AccessLogParams string `json:"access-log-params,omitempty"` @@ -318,11 +318,6 @@ type Configuration struct { NginxStatusIpv4Whitelist []string `json:"nginx-status-ipv4-whitelist,omitempty"` NginxStatusIpv6Whitelist []string `json:"nginx-status-ipv6-whitelist,omitempty"` - // Plugins configures plugins to use placed in the directory /etc/nginx/lua/plugins. - // Every plugin has to have main.lua in the root. Every plugin has to bundle all of its dependencies. - // The execution order follows the definition. - Plugins []string `json:"plugins,omitempty"` - // If UseProxyProtocol is enabled ProxyRealIPCIDR defines the default the IP/network address // of your external load balancer ProxyRealIPCIDR []string `json:"proxy-real-ip-cidr,omitempty"` @@ -423,7 +418,7 @@ type Configuration struct { // Example '60s' ProxyProtocolHeaderTimeout time.Duration `json:"proxy-protocol-header-timeout,omitempty"` - // Enables or disables the directive aio_write that writes files files asynchronously + // Enables or disables the directive aio_write that writes files asynchronously // https://nginx.org/en/docs/http/ngx_http_core_module.html#aio_write EnableAioWrite bool `json:"enable-aio-write,omitempty"` @@ -617,7 +612,7 @@ type Configuration struct { // Default: 0.01 OtelSamplerRatio float32 `json:"otel-sampler-ratio"` - // OtelSamplerParentBased specifies the parent based sampler to be use for any traces created + // OtelSamplerParentBased specifies the parent based sampler to be used for any traces created // Default: true OtelSamplerParentBased bool `json:"otel-sampler-parent-based"` @@ -714,7 +709,7 @@ type Configuration struct { DefaultSSLCertificate *ingress.SSLCert `json:"-"` // ProxySSLLocationOnly controls whether the proxy-ssl parameters defined in the - // proxy-ssl-* annotations are applied on on location level only in the nginx.conf file + // proxy-ssl-* annotations are applied on location level only in the nginx.conf file // Default is that those are applied on server level, too ProxySSLLocationOnly bool `json:"proxy-ssl-location-only"` @@ -723,31 +718,6 @@ type Configuration struct { // Default: text/html DefaultType string `json:"default-type"` - // GlobalRateLimitMemcachedHost configures memcached host. - GlobalRateLimitMemcachedHost string `json:"global-rate-limit-memcached-host"` - - // GlobalRateLimitMemcachedPort configures memcached port. - GlobalRateLimitMemcachedPort int `json:"global-rate-limit-memcached-port"` - - // GlobalRateLimitMemcachedConnectTimeout configures timeout when connecting to memcached. - // The unit is millisecond. - GlobalRateLimitMemcachedConnectTimeout int `json:"global-rate-limit-memcached-connect-timeout"` - - // GlobalRateLimitMemcachedMaxIdleTimeout configured how long connections - // should be kept alive in idle state. The unit is millisecond. - GlobalRateLimitMemcachedMaxIdleTimeout int `json:"global-rate-limit-memcached-max-idle-timeout"` - - // GlobalRateLimitMemcachedPoolSize configures how many connections - // should be kept alive in the pool. - // Note that this is per NGINX worker. Make sure your memcached server can - // handle `MemcachedPoolSize * * ` - // simultaneous connections. - GlobalRateLimitMemcachedPoolSize int `json:"global-rate-limit-memcached-pool-size"` - - // GlobalRateLimitStatusCode determines the HTTP status code to return - // when limit is exceeding during global rate limiting. - GlobalRateLimitStatusCode int `json:"global-rate-limit-status-code"` - // DebugConnections Enables debugging log for selected client connections // http://nginx.org/en/docs/ngx_core_module.html#debug_connection // Default: "" @@ -781,10 +751,10 @@ func NewDefault() Configuration { cfg := Configuration{ AllowSnippetAnnotations: false, - AllowCrossNamespaceResources: true, + AllowCrossNamespaceResources: false, AllowBackendServerHeader: false, AnnotationValueWordBlocklist: "", - AnnotationsRiskLevel: "Critical", + AnnotationsRiskLevel: "High", AccessLogPath: "/var/log/nginx/access.log", AccessLogParams: "", EnableAccessLogForDefaultBackend: false, @@ -898,39 +868,34 @@ func NewDefault() Configuration { ServiceUpstream: false, AllowedResponseHeaders: []string{}, }, - UpstreamKeepaliveConnections: 320, - UpstreamKeepaliveTime: "1h", - UpstreamKeepaliveTimeout: 60, - UpstreamKeepaliveRequests: 10000, - LimitConnZoneVariable: defaultLimitConnZoneVariable, - BindAddressIpv4: defBindAddress, - BindAddressIpv6: defBindAddress, - OpentelemetryTrustIncomingSpan: true, - OpentelemetryConfig: "/etc/ingress-controller/telemetry/opentelemetry.toml", - OtlpCollectorPort: "4317", - OtelServiceName: "nginx", - OtelSampler: "AlwaysOn", - OtelSamplerRatio: 0.01, - OtelSamplerParentBased: true, - OtelScheduleDelayMillis: 5000, - OtelMaxExportBatchSize: 512, - OtelMaxQueueSize: 2048, - LimitReqStatusCode: 503, - LimitConnStatusCode: 503, - SyslogPort: 514, - NoTLSRedirectLocations: "/.well-known/acme-challenge", - NoAuthLocations: "/.well-known/acme-challenge", - GlobalExternalAuth: defGlobalExternalAuth, - ProxySSLLocationOnly: false, - DefaultType: "text/html", - GlobalRateLimitMemcachedPort: 11211, - GlobalRateLimitMemcachedConnectTimeout: 50, - GlobalRateLimitMemcachedMaxIdleTimeout: 10000, - GlobalRateLimitMemcachedPoolSize: 50, - GlobalRateLimitStatusCode: 429, - DebugConnections: []string{}, - StrictValidatePathType: false, // TODO: This will be true in future releases - GRPCBufferSizeKb: 0, + UpstreamKeepaliveConnections: 320, + UpstreamKeepaliveTime: "1h", + UpstreamKeepaliveTimeout: 60, + UpstreamKeepaliveRequests: 10000, + LimitConnZoneVariable: defaultLimitConnZoneVariable, + BindAddressIpv4: defBindAddress, + BindAddressIpv6: defBindAddress, + OpentelemetryTrustIncomingSpan: true, + OpentelemetryConfig: "/etc/ingress-controller/telemetry/opentelemetry.toml", + OtlpCollectorPort: "4317", + OtelServiceName: "nginx", + OtelSampler: "AlwaysOn", + OtelSamplerRatio: 0.01, + OtelSamplerParentBased: true, + OtelScheduleDelayMillis: 5000, + OtelMaxExportBatchSize: 512, + OtelMaxQueueSize: 2048, + LimitReqStatusCode: 503, + LimitConnStatusCode: 503, + SyslogPort: 514, + NoTLSRedirectLocations: "/.well-known/acme-challenge", + NoAuthLocations: "/.well-known/acme-challenge", + GlobalExternalAuth: defGlobalExternalAuth, + ProxySSLLocationOnly: false, + DefaultType: "text/html", + DebugConnections: []string{}, + StrictValidatePathType: true, + GRPCBufferSizeKb: 0, } if klog.V(5).Enabled() { diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index 2e782f485..aa8f4c4b9 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -105,11 +105,14 @@ type Configuration struct { EnableProfiling bool - EnableMetrics bool - MetricsPerHost bool - MetricsBuckets *collectors.HistogramBuckets - ReportStatusClasses bool - ExcludeSocketMetrics []string + EnableMetrics bool + MetricsPerHost bool + MetricsPerUndefinedHost bool + MetricsBuckets *collectors.HistogramBuckets + MetricsBucketFactor float64 + MetricsMaxBuckets uint32 + ReportStatusClasses bool + ExcludeSocketMetrics []string FakeCertificate *ingress.SSLCert @@ -377,10 +380,6 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error { if !cfg.AllowSnippetAnnotations && strings.HasSuffix(key, "-snippet") { return fmt.Errorf("%s annotation cannot be used. Snippet directives are disabled by the Ingress administrator", key) } - - if cfg.GlobalRateLimitMemcachedHost == "" && strings.HasPrefix(key, fmt.Sprintf("%s/%s", parser.AnnotationsPrefix, "global-rate-limit")) { - return fmt.Errorf("'global-rate-limit*' annotations require 'global-rate-limit-memcached-host' settings configured in the global configmap") - } } k8s.SetDefaultNGINXPathType(ing) @@ -1514,7 +1513,6 @@ func locationApplyAnnotations(loc *ingress.Location, anns *annotations.Ingress) loc.Proxy = anns.Proxy loc.ProxySSL = anns.ProxySSL loc.RateLimit = anns.RateLimit - loc.GlobalRateLimit = anns.GlobalRateLimit loc.Redirect = anns.Redirect loc.Rewrite = anns.Rewrite loc.UpstreamVhost = anns.UpstreamVhost @@ -1594,7 +1592,11 @@ func mergeAlternativeBackends(ing *ingress.Ingress, upstreams map[string]*ingres altEqualsPri := false for _, loc := range servers[defServerName].Locations { - priUps := upstreams[loc.Backend] + priUps, ok := upstreams[loc.Backend] + if !ok { + klog.Warningf("cannot find primary backend %s for location %s%s", loc.Backend, servers[defServerName].Hostname, loc.Path) + continue + } altEqualsPri = altUps.Name == priUps.Name if altEqualsPri { klog.Warningf("alternative upstream %s in Ingress %s/%s is primary upstream in Other Ingress for location %s%s!", @@ -1653,7 +1655,11 @@ func mergeAlternativeBackends(ing *ingress.Ingress, upstreams map[string]*ingres // find matching paths for _, loc := range server.Locations { - priUps := upstreams[loc.Backend] + priUps, ok := upstreams[loc.Backend] + if !ok { + klog.Warningf("cannot find primary backend %s for location %s%s", loc.Backend, server.Hostname, loc.Path) + continue + } altEqualsPri = altUps.Name == priUps.Name if altEqualsPri { klog.Warningf("alternative upstream %s in Ingress %s/%s is primary upstream in Other Ingress for location %s%s!", diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go index e257dd1f1..9d3fea470 100644 --- a/internal/ingress/controller/controller_test.go +++ b/internal/ingress/controller/controller_test.go @@ -1292,6 +1292,74 @@ func TestMergeAlternativeBackends(t *testing.T) { }, }, }, + "alternative backend does not merge for missing upstream": { + &ingress.Ingress{ + Ingress: networking.Ingress{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "example", + }, + Spec: networking.IngressSpec{ + Rules: []networking.IngressRule{ + { + Host: "example.com", + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + Path: "/", + PathType: &pathTypePrefix, + Backend: networking.IngressBackend{ + Service: &networking.IngressServiceBackend{ + Name: "http-svc-canary", + Port: networking.ServiceBackendPort{ + Number: 80, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + map[string]*ingress.Backend{ + "example-http-svc-canary-80": { + Name: "example-http-svc-canary-80", + NoServer: true, + TrafficShapingPolicy: ingress.TrafficShapingPolicy{ + Weight: 20, + }, + }, + }, + map[string]*ingress.Server{ + "example.com": { + Hostname: "example.com", + Locations: []*ingress.Location{ + { + Path: "/", + PathType: &pathTypePrefix, + Backend: "example-http-svc-80", + }, + }, + }, + }, + map[string]*ingress.Backend{}, + map[string]*ingress.Server{ + "example.com": { + Hostname: "example.com", + Locations: []*ingress.Location{ + { + Path: "/", + PathType: &pathTypePrefix, + Backend: "example-http-svc-80", + }, + }, + }, + }, + }, } for title, tc := range testCases { diff --git a/internal/ingress/controller/endpointslices.go b/internal/ingress/controller/endpointslices.go index 4f98e3ce7..ed46e2c85 100644 --- a/internal/ingress/controller/endpointslices.go +++ b/internal/ingress/controller/endpointslices.go @@ -115,7 +115,7 @@ func getEndpointsFromSlices(s *corev1.Service, port *corev1.ServicePort, proto c useTopologyHints = false if zoneForHints != emptyZone { useTopologyHints = true - // check if all endpointslices has zone hints + // check if all endpointslices have zone hints for _, ep := range eps.Endpoints { if ep.Hints == nil || len(ep.Hints.ForZones) == 0 { useTopologyHints = false diff --git a/internal/ingress/controller/nginx.go b/internal/ingress/controller/nginx.go index f74b3245e..7d6dcc3fa 100644 --- a/internal/ingress/controller/nginx.go +++ b/internal/ingress/controller/nginx.go @@ -690,6 +690,10 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error { return err } + err = n.createLuaConfig(&cfg) + if err != nil { + return err + } err = createOpentelemetryCfg(&cfg) if err != nil { return err @@ -1079,6 +1083,32 @@ func createOpentelemetryCfg(cfg *ngx_config.Configuration) error { return os.WriteFile(cfg.OpentelemetryConfig, tmplBuf.Bytes(), file.ReadWriteByUser) } +func (n *NGINXController) createLuaConfig(cfg *ngx_config.Configuration) error { + luaconfigs := &ngx_template.LuaConfig{ + EnableMetrics: n.cfg.EnableMetrics, + ListenPorts: ngx_template.LuaListenPorts{ + HTTPSPort: strconv.Itoa(n.cfg.ListenPorts.HTTPS), + StatusPort: strconv.Itoa(nginx.StatusPort), + SSLProxyPort: strconv.Itoa(n.cfg.ListenPorts.SSLProxy), + }, + UseProxyProtocol: cfg.UseProxyProtocol, + UseForwardedHeaders: cfg.UseForwardedHeaders, + IsSSLPassthroughEnabled: n.cfg.EnableSSLPassthrough, + HTTPRedirectCode: cfg.HTTPRedirectCode, + EnableOCSP: cfg.EnableOCSP, + MonitorBatchMaxSize: n.cfg.MonitorMaxBatchSize, + HSTS: cfg.HSTS, + HSTSMaxAge: cfg.HSTSMaxAge, + HSTSIncludeSubdomains: cfg.HSTSIncludeSubdomains, + HSTSPreload: cfg.HSTSPreload, + } + jsonCfg, err := json.Marshal(luaconfigs) + if err != nil { + return err + } + return os.WriteFile(luaCfgPath, jsonCfg, file.ReadWriteByUser) +} + func cleanTempNginxCfg() error { var files []string diff --git a/internal/ingress/controller/nginx_test.go b/internal/ingress/controller/nginx_test.go index 27180e066..7b00916c7 100644 --- a/internal/ingress/controller/nginx_test.go +++ b/internal/ingress/controller/nginx_test.go @@ -410,7 +410,7 @@ func TestCleanTempNginxCfg(t *testing.T) { } } -//nolint:unparam // Ingnore `network` always receives `"tcp"` error +//nolint:unparam // Ignore `network` always receives `"tcp"` error func tryListen(network, address string) (l net.Listener, err error) { condFunc := func() (bool, error) { l, err = net.Listen(network, address) diff --git a/internal/ingress/controller/store/endpointslice_test.go b/internal/ingress/controller/store/endpointslice_test.go index 5d423a3a6..0bdb3aa33 100644 --- a/internal/ingress/controller/store/endpointslice_test.go +++ b/internal/ingress/controller/store/endpointslice_test.go @@ -88,7 +88,7 @@ func TestEndpointSliceLister(t *testing.T) { } eps, err := el.MatchByKey(key) if err != nil { - t.Errorf("unexpeted error %v", err) + t.Errorf("unexpected error %v", err) } if err == nil && len(eps) != 1 { t.Errorf("expected one slice %v, error, got %d slices", endpointSlice, len(eps)) @@ -130,7 +130,7 @@ func TestEndpointSliceLister(t *testing.T) { } eps, err := el.MatchByKey(key) if err != nil { - t.Errorf("unexpeted error %v", err) + t.Errorf("unexpected error %v", err) } if len(eps) != 1 { t.Errorf("expected one slice %v, error, got %d slices", endpointSlice, len(eps)) diff --git a/internal/ingress/controller/store/store_test.go b/internal/ingress/controller/store/store_test.go index 317c0f36c..9c719af3b 100644 --- a/internal/ingress/controller/store/store_test.go +++ b/internal/ingress/controller/store/store_test.go @@ -1208,13 +1208,13 @@ func TestStore(t *testing.T) { } }(updateCh) - namesapceSelector, err := labels.Parse("foo=bar") + namespaceSelector, err := labels.Parse("foo=bar") if err != nil { t.Errorf("unexpected error: %v", err) } storer := New( ns, - namesapceSelector, + namespaceSelector, fmt.Sprintf("%v/config", ns), fmt.Sprintf("%v/tcp", ns), fmt.Sprintf("%v/udp", ns), @@ -1274,7 +1274,7 @@ func TestStore(t *testing.T) { t.Errorf("expected 0 events of type Delete but %v occurred", del) } }) - // test add ingress with secret it doesn't exists and then add secret + // test add ingress with secret it doesn't exist and then add secret // check secret is generated on fs // check ocsp // check invalid secret (missing crt) diff --git a/internal/ingress/controller/template/configmap.go b/internal/ingress/controller/template/configmap.go index 1a7f15f1c..481724793 100644 --- a/internal/ingress/controller/template/configmap.go +++ b/internal/ingress/controller/template/configmap.go @@ -67,7 +67,6 @@ const ( globalAuthCacheDuration = "global-auth-cache-duration" globalAuthAlwaysSetCookie = "global-auth-always-set-cookie" luaSharedDictsKey = "lua-shared-dicts" - plugins = "plugins" debugConnections = "debug-connections" workerSerialReloads = "enable-serial-reloads" ) @@ -83,7 +82,6 @@ var ( "balancer_ewma_locks": 1024, "certificate_servers": 5120, "ocsp_response_cache": 5120, // keep this same as certificate_servers - "global_throttle_cache": 10240, } defaultGlobalAuthRedirectParam = "rd" ) @@ -416,11 +414,6 @@ func ReadConfig(src map[string]string) config.Configuration { delete(conf, workerSerialReloads) } - if val, ok := conf[plugins]; ok { - to.Plugins = splitAndTrimSpace(val, ",") - delete(conf, plugins) - } - if val, ok := conf[debugConnections]; ok { delete(conf, debugConnections) for _, i := range splitAndTrimSpace(val, ",") { diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go index c70406cf0..d2c8a05a9 100644 --- a/internal/ingress/controller/template/template.go +++ b/internal/ingress/controller/template/template.go @@ -136,6 +136,13 @@ func cleanConf(in, out *bytes.Buffer) error { case ' ', '\t': needOutput = lineStarted case '\r': + rest := in.Bytes() + if len(rest) > 0 { + if rest[0] != '\n' { + c = ' ' + needOutput = lineStarted + } + } case '\n': needOutput = !(!lineStarted && emptyLineWritten) nextLineStarted = false @@ -150,6 +157,13 @@ func cleanConf(in, out *bytes.Buffer) error { case stateComment: switch c { case '\r': + rest := in.Bytes() + if len(rest) > 0 { + if rest[0] != '\n' { + c = ' ' + needOutput = lineStarted + } + } case '\n': needOutput = true nextLineStarted = false @@ -180,6 +194,41 @@ func cleanConf(in, out *bytes.Buffer) error { } } +/* LuaConfig defines the structure that will be written as a config for lua scripts +The json format should follow what's expected by lua: + use_forwarded_headers = %t, + use_proxy_protocol = %t, + is_ssl_passthrough_enabled = %t, + http_redirect_code = %v, + listen_ports = { ssl_proxy = "%v", https = "%v" }, + + hsts = %t, + hsts_max_age = %v, + hsts_include_subdomains = %t, + hsts_preload = %t, +*/ + +type LuaConfig struct { + EnableMetrics bool `json:"enable_metrics"` + ListenPorts LuaListenPorts `json:"listen_ports"` + UseForwardedHeaders bool `json:"use_forwarded_headers"` + UseProxyProtocol bool `json:"use_proxy_protocol"` + IsSSLPassthroughEnabled bool `json:"is_ssl_passthrough_enabled"` + HTTPRedirectCode int `json:"http_redirect_code"` + EnableOCSP bool `json:"enable_ocsp"` + MonitorBatchMaxSize int `json:"monitor_batch_max_size"` + HSTS bool `json:"hsts"` + HSTSMaxAge string `json:"hsts_max_age"` + HSTSIncludeSubdomains bool `json:"hsts_include_subdomains"` + HSTSPreload bool `json:"hsts_preload"` +} + +type LuaListenPorts struct { + HTTPSPort string `json:"https"` + StatusPort string `json:"status_port"` + SSLProxyPort string `json:"ssl_proxy"` +} + // Write populates a buffer using a template with NGINX configuration // and the servers and upstreams created by Ingress rules func (t *Template) Write(conf *config.TemplateConfig) ([]byte, error) { @@ -242,7 +291,6 @@ var funcMap = text_template.FuncMap{ "filterRateLimits": filterRateLimits, "buildRateLimitZones": buildRateLimitZones, "buildRateLimit": buildRateLimit, - "configForLua": configForLua, "locationConfigForLua": locationConfigForLua, "buildResolvers": buildResolvers, "buildUpstreamName": buildUpstreamName, @@ -369,54 +417,6 @@ func luaConfigurationRequestBodySize(c interface{}) string { return dictKbToStr(size) } -// configForLua returns some general configuration as Lua table represented as string -func configForLua(input interface{}) string { - all, ok := input.(config.TemplateConfig) - if !ok { - klog.Errorf("expected a 'config.TemplateConfig' type but %T was given", input) - return "{}" - } - - return fmt.Sprintf(`{ - use_forwarded_headers = %t, - use_proxy_protocol = %t, - is_ssl_passthrough_enabled = %t, - http_redirect_code = %v, - listen_ports = { ssl_proxy = "%v", https = "%v" }, - - hsts = %t, - hsts_max_age = %v, - hsts_include_subdomains = %t, - hsts_preload = %t, - - global_throttle = { - memcached = { - host = "%v", port = %d, connect_timeout = %d, max_idle_timeout = %d, pool_size = %d, - }, - status_code = %d, - } - }`, - all.Cfg.UseForwardedHeaders, - all.Cfg.UseProxyProtocol, - all.IsSSLPassthroughEnabled, - all.Cfg.HTTPRedirectCode, - all.ListenPorts.SSLProxy, - all.ListenPorts.HTTPS, - - all.Cfg.HSTS, - all.Cfg.HSTSMaxAge, - all.Cfg.HSTSIncludeSubdomains, - all.Cfg.HSTSPreload, - - all.Cfg.GlobalRateLimitMemcachedHost, - all.Cfg.GlobalRateLimitMemcachedPort, - all.Cfg.GlobalRateLimitMemcachedConnectTimeout, - all.Cfg.GlobalRateLimitMemcachedMaxIdleTimeout, - all.Cfg.GlobalRateLimitMemcachedPoolSize, - all.Cfg.GlobalRateLimitStatusCode, - ) -} - // locationConfigForLua formats some location specific configuration into Lua table represented as string func locationConfigForLua(l, a interface{}) string { location, ok := l.(*ingress.Location) @@ -431,30 +431,26 @@ func locationConfigForLua(l, a interface{}) string { return "{}" } - ignoredCIDRs, err := convertGoSliceIntoLuaTable(location.GlobalRateLimit.IgnoredCIDRs, false) - if err != nil { - klog.Errorf("failed to convert %v into Lua table: %q", location.GlobalRateLimit.IgnoredCIDRs, err) - ignoredCIDRs = "{}" - } + /* Lua expects the following vars + force_ssl_redirect = string_to_bool(ngx.var.force_ssl_redirect), + ssl_redirect = string_to_bool(ngx.var.ssl_redirect), + force_no_ssl_redirect = string_to_bool(ngx.var.force_no_ssl_redirect), + preserve_trailing_slash = string_to_bool(ngx.var.preserve_trailing_slash), + use_port_in_redirects = string_to_bool(ngx.var.use_port_in_redirects), + */ - return fmt.Sprintf(`{ - force_ssl_redirect = %t, - ssl_redirect = %t, - force_no_ssl_redirect = %t, - preserve_trailing_slash = %t, - use_port_in_redirects = %t, - global_throttle = { namespace = "%v", limit = %d, window_size = %d, key = %v, ignored_cidrs = %v }, - }`, + return fmt.Sprintf(` + set $force_ssl_redirect "%t"; + set $ssl_redirect "%t"; + set $force_no_ssl_redirect "%t"; + set $preserve_trailing_slash "%t"; + set $use_port_in_redirects "%t"; + `, location.Rewrite.ForceSSLRedirect, location.Rewrite.SSLRedirect, isLocationInLocationList(l, all.Cfg.NoTLSRedirectLocations), location.Rewrite.PreserveTrailingSlash, location.UsePortInRedirects, - location.GlobalRateLimit.Namespace, - location.GlobalRateLimit.Limit, - location.GlobalRateLimit.WindowSize, - parseComplexNginxVarIntoLuaTable(location.GlobalRateLimit.Key), - ignoredCIDRs, ) } @@ -1676,54 +1672,6 @@ func buildServerName(hostname string) string { return `~^(?[\w-]+)\.` + strings.Join(parts, "\\.") + `$` } -// parseComplexNginxVarIntoLuaTable parses things like "$my${complex}ngx\$var" into -// [["$var", "complex", "my", "ngx"]]. In other words, 2nd and 3rd elements -// in the result are actual NGINX variable names, whereas first and 4th elements -// are string literals. -func parseComplexNginxVarIntoLuaTable(ngxVar string) string { - r := regexp.MustCompile(`(\\\$[0-9a-zA-Z_]+)|\$\{([0-9a-zA-Z_]+)\}|\$([0-9a-zA-Z_]+)|(\$|[^$\\]+)`) - matches := r.FindAllStringSubmatch(ngxVar, -1) - components := make([][]string, len(matches)) - for i, match := range matches { - components[i] = match[1:] - } - - luaTable, err := convertGoSliceIntoLuaTable(components, true) - if err != nil { - klog.Errorf("unexpected error: %v", err) - luaTable = "{}" - } - return luaTable -} - -func convertGoSliceIntoLuaTable(goSliceInterface interface{}, emptyStringAsNil bool) (string, error) { - goSlice := reflect.ValueOf(goSliceInterface) - kind := goSlice.Kind() - - switch kind { - case reflect.String: - if emptyStringAsNil && goSlice.Interface().(string) == "" { - return "nil", nil - } - return fmt.Sprintf(`"%v"`, goSlice.Interface()), nil - case reflect.Int, reflect.Bool: - return fmt.Sprintf(`%v`, goSlice.Interface()), nil - case reflect.Slice, reflect.Array: - luaTable := "{ " - for i := 0; i < goSlice.Len(); i++ { - luaEl, err := convertGoSliceIntoLuaTable(goSlice.Index(i).Interface(), emptyStringAsNil) - if err != nil { - return "", err - } - luaTable = luaTable + luaEl + ", " - } - luaTable += "}" - return luaTable, nil - default: - return "", fmt.Errorf("could not process type: %s", kind) - } -} - func buildOriginRegex(origin string) string { origin = regexp.QuoteMeta(origin) origin = strings.Replace(origin, "\\*", `[A-Za-z0-9\-]+`, 1) diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go index 3089e3b32..59d2d6256 100644 --- a/internal/ingress/controller/template/template_test.go +++ b/internal/ingress/controller/template/template_test.go @@ -1926,89 +1926,6 @@ func TestBuildServerName(t *testing.T) { } } -func TestParseComplexNginxVarIntoLuaTable(t *testing.T) { - testCases := []struct { - ngxVar string - expectedLuaTable string - }{ - {"foo", `{ { nil, nil, nil, "foo", }, }`}, - {"$foo", `{ { nil, nil, "foo", nil, }, }`}, - {"${foo}", `{ { nil, "foo", nil, nil, }, }`}, - {"\\$foo", `{ { "\$foo", nil, nil, nil, }, }`}, - { - "foo\\$bar$baz${daz}xiyar$pomidor", - `{ { nil, nil, nil, "foo", }, { "\$bar", nil, nil, nil, }, { nil, nil, "baz", nil, }, ` + - `{ nil, "daz", nil, nil, }, { nil, nil, nil, "xiyar", }, { nil, nil, "pomidor", nil, }, }`, - }, - } - - for _, testCase := range testCases { - actualLuaTable := parseComplexNginxVarIntoLuaTable(testCase.ngxVar) - if actualLuaTable != testCase.expectedLuaTable { - t.Errorf("expected %v but returned %v", testCase.expectedLuaTable, actualLuaTable) - } - } -} - -func TestConvertGoSliceIntoLuaTablet(t *testing.T) { - testCases := []struct { - title string - goSlice interface{} - emptyStringAsNil bool - expectedLuaTable string - expectedErr error - }{ - { - "flat string slice", - []string{"one", "two", "three"}, - false, - `{ "one", "two", "three", }`, - nil, - }, - { - "nested string slice", - [][]string{{"one", "", "three"}, {"foo", "bar"}}, - false, - `{ { "one", "", "three", }, { "foo", "bar", }, }`, - nil, - }, - { - "converts empty string to nil when enabled", - [][]string{{"one", "", "three"}, {"foo", "bar"}}, - true, - `{ { "one", nil, "three", }, { "foo", "bar", }, }`, - nil, - }, - { - "boolean slice", - []bool{true, true, false}, - false, - `{ true, true, false, }`, - nil, - }, - { - "integer slice", - []int{4, 3, 6}, - false, - `{ 4, 3, 6, }`, - nil, - }, - } - - for _, testCase := range testCases { - actualLuaTable, err := convertGoSliceIntoLuaTable(testCase.goSlice, testCase.emptyStringAsNil) - if testCase.expectedErr != nil && err != nil && testCase.expectedErr.Error() != err.Error() { - t.Errorf("expected error '%v' but returned '%v'", testCase.expectedErr, err) - } - if testCase.expectedErr == nil && err != nil { - t.Errorf("expected error to be nil but returned '%v'", err) - } - if testCase.expectedLuaTable != actualLuaTable { - t.Errorf("%v: expected '%v' but returned '%v'", testCase.title, testCase.expectedLuaTable, actualLuaTable) - } - } -} - func TestCleanConf(t *testing.T) { testDataDir, err := getTestDataDir() if err != nil { diff --git a/internal/ingress/controller/util.go b/internal/ingress/controller/util.go index 8851f323f..975fb822a 100644 --- a/internal/ingress/controller/util.go +++ b/internal/ingress/controller/util.go @@ -98,8 +98,9 @@ func rlimitMaxNumFiles() int { } const ( - defBinary = "/usr/bin/nginx" - cfgPath = "/etc/nginx/nginx.conf" + defBinary = "/usr/bin/nginx" + cfgPath = "/etc/nginx/nginx.conf" + luaCfgPath = "/etc/nginx/lua/cfg.json" ) // NginxExecTester defines the interface to execute @@ -129,7 +130,7 @@ func NewNginxCommand() NginxCommand { return command } -// ExecCommand instanciates an exec.Cmd object to call nginx program +// ExecCommand instantiates an exec.Cmd object to call nginx program func (nc NginxCommand) ExecCommand(args ...string) *exec.Cmd { cmdArgs := []string{} diff --git a/internal/ingress/metric/collectors/controller.go b/internal/ingress/metric/collectors/controller.go index 4ee84bc56..0df04c1d0 100644 --- a/internal/ingress/metric/collectors/controller.go +++ b/internal/ingress/metric/collectors/controller.go @@ -225,7 +225,7 @@ func (cm *Controller) IncCheckErrorCount(namespace, name string) { cm.checkIngressOperationErrors.MustCurryWith(cm.constLabels).With(labels).Inc() } -// IncOrphanIngress sets the the orphaned ingress gauge to one +// IncOrphanIngress sets the orphaned ingress gauge to one func (cm *Controller) IncOrphanIngress(namespace, name, orphanityType string) { labels := prometheus.Labels{ "namespace": namespace, @@ -235,7 +235,7 @@ func (cm *Controller) IncOrphanIngress(namespace, name, orphanityType string) { cm.OrphanIngress.MustCurryWith(cm.constLabels).With(labels).Set(1.0) } -// DecOrphanIngress sets the the orphaned ingress gauge to zero (all services has their endpoints) +// DecOrphanIngress sets the orphaned ingress gauge to zero (all services has their endpoints) func (cm *Controller) DecOrphanIngress(namespace, name, orphanityType string) { labels := prometheus.Labels{ "namespace": namespace, @@ -305,13 +305,14 @@ func (cm *Controller) SetSSLExpireTime(servers []*ingress.Server) { } labels["host"] = s.Hostname labels["secret_name"] = s.SSLCert.Name + labels["namespace"] = s.SSLCert.Namespace labels["identifier"] = s.SSLCert.Identifier() cm.sslExpireTime.With(labels).Set(float64(s.SSLCert.ExpireTime.Unix())) } } -// SetSSLInfo creates a metric with all certificates informations +// SetSSLInfo creates a metric with all certificate information func (cm *Controller) SetSSLInfo(servers []*ingress.Server) { for _, s := range servers { if s.SSLCert == nil || s.SSLCert.Certificate == nil || s.SSLCert.Certificate.SerialNumber == nil { diff --git a/internal/ingress/metric/collectors/controller_test.go b/internal/ingress/metric/collectors/controller_test.go index 7c7ea8a67..a77293c20 100644 --- a/internal/ingress/metric/collectors/controller_test.go +++ b/internal/ingress/metric/collectors/controller_test.go @@ -88,6 +88,8 @@ func TestControllerCounters(t *testing.T) { Hostname: "demo", SSLCert: &ingress.SSLCert{ ExpireTime: t1, + Name: "secret-name", + Namespace: "secret-namespace", Certificate: &x509.Certificate{ PublicKeyAlgorithm: x509.ECDSA, Issuer: pkix.Name{ @@ -111,7 +113,7 @@ func TestControllerCounters(t *testing.T) { want: ` # HELP nginx_ingress_controller_ssl_expire_time_seconds Number of seconds since 1970 to the SSL Certificate expire.\n An example to check if this certificate will expire in 10 days is: "nginx_ingress_controller_ssl_expire_time_seconds < (time() + (10 * 24 * 3600))" # TYPE nginx_ingress_controller_ssl_expire_time_seconds gauge - nginx_ingress_controller_ssl_expire_time_seconds{class="nginx",host="demo",identifier="abcd1234-100",namespace="default",secret_name=""} 1.351807721e+09 + nginx_ingress_controller_ssl_expire_time_seconds{class="nginx",host="demo",identifier="abcd1234-100",namespace="secret-namespace",secret_name="secret-name"} 1.351807721e+09 `, metrics: []string{"nginx_ingress_controller_ssl_expire_time_seconds"}, }, diff --git a/internal/ingress/metric/collectors/socket.go b/internal/ingress/metric/collectors/socket.go index 248f23f63..0bdd816ae 100644 --- a/internal/ingress/metric/collectors/socket.go +++ b/internal/ingress/metric/collectors/socket.go @@ -64,11 +64,10 @@ type metricMapping map[string]prometheus.Collector type SocketCollector struct { prometheus.Collector - upstreamLatency *prometheus.SummaryVec // TODO: DEPRECATED, remove - connectTime *prometheus.HistogramVec - headerTime *prometheus.HistogramVec - requestTime *prometheus.HistogramVec - responseTime *prometheus.HistogramVec + connectTime *prometheus.HistogramVec + headerTime *prometheus.HistogramVec + requestTime *prometheus.HistogramVec + responseTime *prometheus.HistogramVec requestLength *prometheus.HistogramVec responseLength *prometheus.HistogramVec @@ -82,8 +81,9 @@ type SocketCollector struct { hosts sets.Set[string] - metricsPerHost bool - reportStatusClasses bool + metricsPerHost bool + metricsPerUndefinedHost bool + reportStatusClasses bool } var requestTags = []string{ @@ -98,13 +98,9 @@ var requestTags = []string{ "canary", } -// DefObjectives was removed in https://github.com/prometheus/client_golang/pull/262 -// updating the library to latest version changed the output of the metrics -var defObjectives = map[float64]float64{0.5: 0.05, 0.9: 0.01, 0.99: 0.001} - // NewSocketCollector creates a new SocketCollector instance using // the ingress watch namespace and class used by the controller -func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStatusClasses bool, buckets HistogramBuckets, excludeMetrics []string) (*SocketCollector, error) { +func NewSocketCollector(pod, namespace, class string, metricsPerHost, metricsPerUndefinedHost, reportStatusClasses bool, buckets HistogramBuckets, bucketFactor float64, maxBuckets uint32, excludeMetrics []string) (*SocketCollector, error) { socket := "/tmp/nginx/prometheus-nginx.socket" // unix sockets must be unlink()ed before being used //nolint:errcheck // Ignore unlink error @@ -144,16 +140,19 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat sc := &SocketCollector{ listener: listener, - metricsPerHost: metricsPerHost, - reportStatusClasses: reportStatusClasses, + metricsPerHost: metricsPerHost, + metricsPerUndefinedHost: metricsPerUndefinedHost, + reportStatusClasses: reportStatusClasses, connectTime: histogramMetric( &prometheus.HistogramOpts{ - Name: "connect_duration_seconds", - Help: "The time spent on establishing a connection with the upstream server", - Namespace: PrometheusNamespace, - ConstLabels: constLabels, - Buckets: buckets.TimeBuckets, + Name: "connect_duration_seconds", + Help: "The time spent on establishing a connection with the upstream server", + Namespace: PrometheusNamespace, + ConstLabels: constLabels, + Buckets: buckets.TimeBuckets, + NativeHistogramBucketFactor: bucketFactor, + NativeHistogramMaxBucketNumber: maxBuckets, }, requestTags, em, @@ -162,11 +161,13 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat headerTime: histogramMetric( &prometheus.HistogramOpts{ - Name: "header_duration_seconds", - Help: "The time spent on receiving first header from the upstream server", - Namespace: PrometheusNamespace, - ConstLabels: constLabels, - Buckets: buckets.TimeBuckets, + Name: "header_duration_seconds", + Help: "The time spent on receiving first header from the upstream server", + Namespace: PrometheusNamespace, + ConstLabels: constLabels, + Buckets: buckets.TimeBuckets, + NativeHistogramBucketFactor: bucketFactor, + NativeHistogramMaxBucketNumber: maxBuckets, }, requestTags, em, @@ -174,11 +175,13 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat ), responseTime: histogramMetric( &prometheus.HistogramOpts{ - Name: "response_duration_seconds", - Help: "The time spent on receiving the response from the upstream server", - Namespace: PrometheusNamespace, - ConstLabels: constLabels, - Buckets: buckets.TimeBuckets, + Name: "response_duration_seconds", + Help: "The time spent on receiving the response from the upstream server", + Namespace: PrometheusNamespace, + ConstLabels: constLabels, + Buckets: buckets.TimeBuckets, + NativeHistogramBucketFactor: bucketFactor, + NativeHistogramMaxBucketNumber: maxBuckets, }, requestTags, em, @@ -187,11 +190,13 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat requestTime: histogramMetric( &prometheus.HistogramOpts{ - Name: "request_duration_seconds", - Help: "The request processing time in milliseconds", - Namespace: PrometheusNamespace, - ConstLabels: constLabels, - Buckets: buckets.TimeBuckets, + Name: "request_duration_seconds", + Help: "The request processing time in milliseconds", + Namespace: PrometheusNamespace, + ConstLabels: constLabels, + Buckets: buckets.TimeBuckets, + NativeHistogramBucketFactor: bucketFactor, + NativeHistogramMaxBucketNumber: maxBuckets, }, requestTags, em, @@ -200,11 +205,13 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat responseLength: histogramMetric( &prometheus.HistogramOpts{ - Name: "response_size", - Help: "The response length (including request line, header, and request body)", - Namespace: PrometheusNamespace, - ConstLabels: constLabels, - Buckets: buckets.LengthBuckets, + Name: "response_size", + Help: "The response length (including request line, header, and request body)", + Namespace: PrometheusNamespace, + ConstLabels: constLabels, + Buckets: buckets.LengthBuckets, + NativeHistogramBucketFactor: bucketFactor, + NativeHistogramMaxBucketNumber: maxBuckets, }, requestTags, em, @@ -213,11 +220,13 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat requestLength: histogramMetric( &prometheus.HistogramOpts{ - Name: "request_size", - Help: "The request length (including request line, header, and request body)", - Namespace: PrometheusNamespace, - ConstLabels: constLabels, - Buckets: buckets.LengthBuckets, + Name: "request_size", + Help: "The request length (including request line, header, and request body)", + Namespace: PrometheusNamespace, + ConstLabels: constLabels, + Buckets: buckets.LengthBuckets, + NativeHistogramBucketFactor: bucketFactor, + NativeHistogramMaxBucketNumber: maxBuckets, }, requestTags, em, @@ -248,19 +257,6 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat em, mm, ), - - upstreamLatency: summaryMetric( - &prometheus.SummaryOpts{ - Name: "ingress_upstream_latency_seconds", - Help: "DEPRECATED Upstream service latency per Ingress", - Namespace: PrometheusNamespace, - ConstLabels: constLabels, - Objectives: defObjectives, - }, - []string{"ingress", "namespace", "service", "canary"}, - em, - mm, - ), } sc.metricMapping = mm @@ -275,18 +271,6 @@ func containsMetric(excludeMetrics map[string]struct{}, name string) bool { return false } -func summaryMetric(opts *prometheus.SummaryOpts, requestTags []string, excludeMetrics map[string]struct{}, metricMapping metricMapping) *prometheus.SummaryVec { - if containsMetric(excludeMetrics, opts.Name) { - return nil - } - m := prometheus.NewSummaryVec( - *opts, - requestTags, - ) - metricMapping[prometheus.BuildFQName(PrometheusNamespace, "", opts.Name)] = m - return m -} - func counterMetric(opts *prometheus.CounterOpts, requestTags []string, excludeMetrics map[string]struct{}, metricMapping metricMapping) *prometheus.CounterVec { if containsMetric(excludeMetrics, opts.Name) { return nil @@ -324,8 +308,8 @@ func (sc *SocketCollector) handleMessage(msg []byte) { for i := range statsBatch { stats := &statsBatch[i] - if sc.metricsPerHost && !sc.hosts.Has(stats.Host) { - klog.V(3).InfoS("Skipping metric for host not being served", "host", stats.Host) + if sc.metricsPerHost && !sc.hosts.Has(stats.Host) && !sc.metricsPerUndefinedHost { + klog.V(3).InfoS("Skipping metric for host not explicitly defined in an ingress", "host", stats.Host) continue } @@ -358,13 +342,6 @@ func (sc *SocketCollector) handleMessage(msg []byte) { collectorLabels["host"] = stats.Host } - latencyLabels := prometheus.Labels{ - "namespace": stats.Namespace, - "ingress": stats.Ingress, - "service": stats.Service, - "canary": stats.Canary, - } - if sc.requests != nil { requestsMetric, err := sc.requests.GetMetricWith(collectorLabels) if err != nil { @@ -383,15 +360,6 @@ func (sc *SocketCollector) handleMessage(msg []byte) { connectTimeMetric.Observe(stats.Latency) } } - - if sc.upstreamLatency != nil { - latencyMetric, err := sc.upstreamLatency.GetMetricWith(latencyLabels) - if err != nil { - klog.ErrorS(err, "Error fetching latency metric") - } else { - latencyMetric.Observe(stats.Latency) - } - } } if stats.HeaderTime != -1 && sc.headerTime != nil { diff --git a/internal/ingress/metric/collectors/socket_test.go b/internal/ingress/metric/collectors/socket_test.go index 2113b4725..3a1f29f35 100644 --- a/internal/ingress/metric/collectors/socket_test.go +++ b/internal/ingress/metric/collectors/socket_test.go @@ -83,15 +83,19 @@ func TestCollector(t *testing.T) { prometheus.ExponentialBuckets(10, 10, 7), } + bucketFactor := 1.1 + maxBuckets := uint32(100) + cases := []struct { - name string - data []string - metrics []string - useStatusClasses bool - excludeMetrics []string - wantBefore string - removeIngresses []string - wantAfter string + name string + data []string + metrics []string + metricsPerUndefinedHost bool + useStatusClasses bool + excludeMetrics []string + wantBefore string + removeIngresses []string + wantAfter string }{ { name: "invalid metric object should not increase prometheus metrics", @@ -588,13 +592,69 @@ func TestCollector(t *testing.T) { nginx_ingress_controller_response_duration_seconds_count{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx"} 1 `, }, + { + name: "metrics with a host should not be dropped when the host is not in the hosts slice but metricsPerUndefinedHost is true", + data: []string{`[{ + "host":"wildcard.testshop.com", + "status":"200", + "bytesSent":150.0, + "method":"GET", + "path":"/admin", + "requestLength":300.0, + "requestTime":60.0, + "upstreamLatency":1.0, + "upstreamHeaderTime":5.0, + "upstreamName":"test-upstream", + "upstreamIP":"1.1.1.1:8080", + "upstreamResponseTime":200, + "upstreamStatus":"220", + "namespace":"test-app-production", + "ingress":"web-yml", + "service":"test-app", + "canary":"" + }]`}, + excludeMetrics: []string{"response_duration_seconds2", "test.*", "nginx_ingress_.*", "response_duration_secon"}, + metrics: []string{"nginx_ingress_controller_requests"}, + metricsPerUndefinedHost: true, + useStatusClasses: true, + wantBefore: ` + # HELP nginx_ingress_controller_requests The total number of client requests + # TYPE nginx_ingress_controller_requests counter + nginx_ingress_controller_requests{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="wildcard.testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx"} 1 + `, + }, + { + name: "metrics with a host should be dropped when the host is not in the hosts slice", + data: []string{`[{ + "host":"wildcard.testshop.com", + "status":"200", + "bytesSent":150.0, + "method":"GET", + "path":"/admin", + "requestLength":300.0, + "requestTime":60.0, + "upstreamLatency":1.0, + "upstreamHeaderTime":5.0, + "upstreamName":"test-upstream", + "upstreamIP":"1.1.1.1:8080", + "upstreamResponseTime":200, + "upstreamStatus":"220", + "namespace":"test-app-production", + "ingress":"web-yml", + "service":"test-app", + "canary":"" + }]`}, + excludeMetrics: []string{"response_duration_seconds2", "test.*", "nginx_ingress_.*", "response_duration_secon"}, + metrics: []string{"nginx_ingress_controller_requests"}, + useStatusClasses: true, + }, } for _, c := range cases { t.Run(c.name, func(t *testing.T) { registry := prometheus.NewPedanticRegistry() - sc, err := NewSocketCollector("pod", "default", "ingress", true, c.useStatusClasses, buckets, c.excludeMetrics) + sc, err := NewSocketCollector("pod", "default", "ingress", true, c.metricsPerUndefinedHost, c.useStatusClasses, buckets, bucketFactor, maxBuckets, c.excludeMetrics) if err != nil { t.Errorf("%v: unexpected error creating new SocketCollector: %v", c.name, err) } diff --git a/internal/ingress/metric/main.go b/internal/ingress/metric/main.go index 93c31622c..9ed401d19 100644 --- a/internal/ingress/metric/main.go +++ b/internal/ingress/metric/main.go @@ -71,7 +71,7 @@ type collector struct { } // NewCollector creates a new metric collector the for ingress controller -func NewCollector(metricsPerHost, reportStatusClasses bool, registry *prometheus.Registry, ingressclass string, buckets collectors.HistogramBuckets, excludedSocketMetrics []string) (Collector, error) { +func NewCollector(metricsPerHost, metricsPerUndefinedHost, reportStatusClasses bool, registry *prometheus.Registry, ingressclass string, buckets collectors.HistogramBuckets, bucketFactor float64, maxBuckets uint32, excludedSocketMetrics []string) (Collector, error) { podNamespace := os.Getenv("POD_NAMESPACE") if podNamespace == "" { podNamespace = "default" @@ -89,7 +89,7 @@ func NewCollector(metricsPerHost, reportStatusClasses bool, registry *prometheus return nil, err } - s, err := collectors.NewSocketCollector(podName, podNamespace, ingressclass, metricsPerHost, reportStatusClasses, buckets, excludedSocketMetrics) + s, err := collectors.NewSocketCollector(podName, podNamespace, ingressclass, metricsPerHost, metricsPerUndefinedHost, reportStatusClasses, buckets, bucketFactor, maxBuckets, excludedSocketMetrics) if err != nil { return nil, err } diff --git a/internal/ingress/resolver/main.go b/internal/ingress/resolver/main.go index 7d17f4e16..259f44e49 100644 --- a/internal/ingress/resolver/main.go +++ b/internal/ingress/resolver/main.go @@ -29,10 +29,10 @@ type Resolver interface { // GetSecurityConfiguration returns the configuration options from Ingress GetSecurityConfiguration() defaults.SecurityConfiguration - // GetConfigMap searches for configmap containing the namespace and name usting the character / + // GetConfigMap searches for configmap containing the namespace and name using the character / GetConfigMap(string) (*apiv1.ConfigMap, error) - // GetSecret searches for secrets containing the namespace and name using a the character / + // GetSecret searches for secrets containing the namespace and name using the character / GetSecret(string) (*apiv1.Secret, error) // GetAuthCertificate resolves a given secret name into an SSL certificate and CRL. @@ -42,7 +42,7 @@ type Resolver interface { // ca.crl: contains the revocation list used for authentication GetAuthCertificate(string) (*AuthSSLCert, error) - // GetService searches for services containing the namespace and name using a the character / + // GetService searches for services containing the namespace and name using the character / GetService(string) (*apiv1.Service, error) } diff --git a/internal/ingress/resolver/mock.go b/internal/ingress/resolver/mock.go index 679c3b13c..3abfe7eda 100644 --- a/internal/ingress/resolver/mock.go +++ b/internal/ingress/resolver/mock.go @@ -39,7 +39,7 @@ func (m Mock) GetDefaultBackend() defaults.Backend { func (m Mock) GetSecurityConfiguration() defaults.SecurityConfiguration { defRisk := m.AnnotationsRiskLevel if defRisk == "" { - defRisk = "Critical" + defRisk = "High" } return defaults.SecurityConfiguration{ AnnotationsRiskLevel: defRisk, @@ -47,7 +47,7 @@ func (m Mock) GetSecurityConfiguration() defaults.SecurityConfiguration { } } -// GetSecret searches for secrets contenating the namespace and name using a the character / +// GetSecret searches for secrets containing the namespace and name using the character / func (m Mock) GetSecret(string) (*apiv1.Secret, error) { return nil, nil } @@ -60,12 +60,12 @@ func (m Mock) GetAuthCertificate(string) (*AuthSSLCert, error) { return nil, nil } -// GetService searches for services contenating the namespace and name using a the character / +// GetService searches for services containing the namespace and name using the character / func (m Mock) GetService(string) (*apiv1.Service, error) { return nil, nil } -// GetConfigMap searches for configMaps contenating the namespace and name using a the character / +// GetConfigMap searches for configMaps containing the namespace and name using the character / func (m Mock) GetConfigMap(name string) (*apiv1.ConfigMap, error) { if v, ok := m.ConfigMaps[name]; ok { return v, nil diff --git a/internal/net/ssl/ssl.go b/internal/net/ssl/ssl.go index f8bac2377..0592303bc 100644 --- a/internal/net/ssl/ssl.go +++ b/internal/net/ssl/ssl.go @@ -442,7 +442,7 @@ func getFakeHostSSLCert(host string) (cert, key []byte) { // fullChainCert checks if a certificate file contains issues in the intermediate CA chain // Returns a new certificate with the intermediate certificates. -// If the certificate does not contains issues with the chain it return an empty byte array +// If the certificate does not contain issues with the chain it returns an empty byte array func fullChainCert(in []byte) ([]byte, error) { cert, err := certUtil.DecodeCertificate(in) if err != nil { @@ -523,7 +523,7 @@ func (tl *TLSListener) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, e return tl.certificate, tl.err } -// TLSConfig instanciates a TLS configuration, always providing an up to date certificate +// TLSConfig instantiates a TLS configuration, always providing an up to date certificate func (tl *TLSListener) TLSConfig() *tls.Config { return &tls.Config{ GetCertificate: tl.GetCertificate, diff --git a/internal/task/queue.go b/internal/task/queue.go index f92f2a501..8753bed34 100644 --- a/internal/task/queue.go +++ b/internal/task/queue.go @@ -36,7 +36,7 @@ var keyFunc = cache.DeletionHandlingMetaNamespaceKeyFunc // which timestamp is older than the last successful get operation. type Queue struct { // queue is the work queue the worker polls - queue workqueue.RateLimitingInterface + queue workqueue.TypedRateLimitingInterface[any] // sync is called for each item in the queue sync func(interface{}) error // workerDone is closed when the worker exits @@ -172,7 +172,7 @@ func NewTaskQueue(syncFn func(interface{}) error) *Queue { // NewCustomTaskQueue creates a new custom task queue with the given sync function. func NewCustomTaskQueue(syncFn func(interface{}) error, fn func(interface{}) (interface{}, error)) *Queue { q := &Queue{ - queue: workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter()), + queue: workqueue.NewTypedRateLimitingQueue(workqueue.DefaultTypedControllerRateLimiter[any]()), sync: syncFn, workerDone: make(chan bool), fn: fn, diff --git a/magefiles/go.mod b/magefiles/go.mod index d41baf17e..8c58b526c 100644 --- a/magefiles/go.mod +++ b/magefiles/go.mod @@ -1,6 +1,6 @@ module k8s.io/ingress-nginx/magefiles -go 1.21 +go 1.22.8 require ( github.com/blang/semver/v4 v4.0.0 diff --git a/magefiles/steps/helm.go b/magefiles/steps/helm.go index 245f5e1c0..73c9b0b3b 100644 --- a/magefiles/steps/helm.go +++ b/magefiles/steps/helm.go @@ -170,7 +170,7 @@ func runHelmDocs() error { if err != nil { return err } - err = sh.RunV("helm-docs", "--chart-search-root=${PWD}/charts") + err = sh.RunV("helm-docs", "--chart-search-root", "${PWD}/charts") if err != nil { return err } @@ -181,7 +181,7 @@ func installHelmDocs() error { utils.Info("HELM Install HelmDocs") g0 := sh.RunCmd("go") - err := g0("install", "github.com/norwoodj/helm-docs/cmd/helm-docs@v1.11.0") + err := g0("install", "github.com/norwoodj/helm-docs/cmd/helm-docs@latest") if err != nil { return err } diff --git a/magefiles/utils/helm.go b/magefiles/utils/helm.go index dea68caab..cb8acae57 100644 --- a/magefiles/utils/helm.go +++ b/magefiles/utils/helm.go @@ -31,7 +31,6 @@ type IngressChartValue struct { RunAsUser int `yaml:"runAsUser"` AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` } `yaml:"image"` - ExistingPsp string `yaml:"existingPsp"` ContainerName string `yaml:"containerName"` ContainerPort struct { HTTP int `yaml:"http"` @@ -208,13 +207,6 @@ type IngressChartValue struct { ExtraVolumes []interface{} `yaml:"extraVolumes"` ExtraInitContainers []interface{} `yaml:"extraInitContainers"` ExtraModules []interface{} `yaml:"extraModules"` - Opentelemetry struct { - Enabled bool `yaml:"enabled"` - Image string `yaml:"image"` - ContainerSecurityContext struct { - AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` - } `yaml:"containerSecurityContext"` - } `yaml:"opentelemetry"` AdmissionWebhooks struct { Annotations struct{} `yaml:"annotations"` Enabled bool `yaml:"enabled"` @@ -226,7 +218,6 @@ type IngressChartValue struct { NamespaceSelector struct{} `yaml:"namespaceSelector"` ObjectSelector struct{} `yaml:"objectSelector"` Labels struct{} `yaml:"labels"` - ExistingPsp string `yaml:"existingPsp"` NetworkPolicyEnabled bool `yaml:"networkPolicyEnabled"` Service struct { Annotations struct{} `yaml:"annotations"` @@ -329,7 +320,6 @@ type IngressChartValue struct { ReadOnlyRootFilesystem bool `yaml:"readOnlyRootFilesystem"` AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` } `yaml:"image"` - ExistingPsp string `yaml:"existingPsp"` ExtraArgs struct{} `yaml:"extraArgs"` ServiceAccount struct { Create bool `yaml:"create"` @@ -388,9 +378,6 @@ type IngressChartValue struct { Create bool `yaml:"create"` Scope bool `yaml:"scope"` } `yaml:"rbac"` - PodSecurityPolicy struct { - Enabled bool `yaml:"enabled"` - } `yaml:"podSecurityPolicy"` ServiceAccount struct { Create bool `yaml:"create"` Name string `yaml:"name"` diff --git a/mkdocs.yml b/mkdocs.yml index cbc2988ce..b9cf7917a 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -83,6 +83,7 @@ nav: - Introduction: "user-guide/nginx-configuration/index.md" - Basic usage: "user-guide/basic-usage.md" - Annotations: "user-guide/nginx-configuration/annotations.md" + - Annotations Risks: "user-guide/nginx-configuration/annotations-risk.md" - ConfigMap: "user-guide/nginx-configuration/configmap.md" - Custom NGINX template: "user-guide/nginx-configuration/custom-template.md" - Log format: "user-guide/nginx-configuration/log-format.md" @@ -123,7 +124,6 @@ nav: - Rewrite: "examples/rewrite/README.md" - Static IPs: "examples/static-ip/README.md" - TLS termination: "examples/tls-termination/README.md" - - Pod Security Policy (PSP): "examples/psp/README.md" - Open Policy Agent rules: "examples/openpolicyagent/README.md" - Canary Deployments: "examples/canary/README.md" - Developer Guide: diff --git a/pkg/apis/ingress/types.go b/pkg/apis/ingress/types.go index 36067732e..ccdd49fe9 100644 --- a/pkg/apis/ingress/types.go +++ b/pkg/apis/ingress/types.go @@ -29,7 +29,6 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations/cors" "k8s.io/ingress-nginx/internal/ingress/annotations/customheaders" "k8s.io/ingress-nginx/internal/ingress/annotations/fastcgi" - "k8s.io/ingress-nginx/internal/ingress/annotations/globalratelimit" "k8s.io/ingress-nginx/internal/ingress/annotations/ipallowlist" "k8s.io/ingress-nginx/internal/ingress/annotations/ipdenylist" "k8s.io/ingress-nginx/internal/ingress/annotations/log" @@ -199,10 +198,10 @@ type Server struct { Aliases []string `json:"aliases,omitempty"` // RedirectFromToWWW returns if a redirect to/from prefix www is required RedirectFromToWWW bool `json:"redirectFromToWWW,omitempty"` - // CertificateAuth indicates the this server requires mutual authentication + // CertificateAuth indicates this server requires mutual authentication // +optional CertificateAuth authtls.Config `json:"certificateAuth"` - // ProxySSL indicates the this server uses client certificate to access backends + // ProxySSL indicates this server uses client certificate to access backends // +optional ProxySSL proxyssl.Config `json:"proxySSL"` // ServerSnippet returns the snippet of server @@ -220,7 +219,7 @@ type Server struct { // Location describes an URI inside a server. // Also contains additional information about annotations in the Ingress. // -// In some cases when more than one annotations is defined a particular order in the execution +// In some cases when more than one annotation is defined a particular order in the execution // is required. // The chain in the execution order of annotations should be: // - Denylist @@ -285,10 +284,6 @@ type Location struct { // The Redirect annotation precedes RateLimit // +optional RateLimit ratelimit.Config `json:"rateLimit,omitempty"` - // GlobalRateLimit similar to RateLimit - // but this is applied globally across multiple replicas. - // +optional - GlobalRateLimit globalratelimit.Config `json:"globalRateLimit,omitempty"` // Redirect describes a temporal o permanent redirection this location. // +optional Redirect redirect.Config `json:"redirect,omitempty"` @@ -347,7 +342,7 @@ type Location struct { // CustomHTTPErrors specifies the error codes that should be intercepted. // +optional CustomHTTPErrors []int `json:"custom-http-errors"` - // ProxyInterceptErrors disables error intecepting when using CustomHTTPErrors + // ProxyInterceptErrors disables error interception when using CustomHTTPErrors // e.g. custom 404 and 503 when service-a does not exist or is not available // but service-a can return 404 and 503 error codes without intercept // +optional diff --git a/pkg/apis/ingress/types_equals.go b/pkg/apis/ingress/types_equals.go index e8ef2af4d..6fba3bd45 100644 --- a/pkg/apis/ingress/types_equals.go +++ b/pkg/apis/ingress/types_equals.go @@ -390,9 +390,6 @@ func (l1 *Location) Equal(l2 *Location) bool { if !(&l1.RateLimit).Equal(&l2.RateLimit) { return false } - if !(&l1.GlobalRateLimit).Equal(&l2.GlobalRateLimit) { - return false - } if !(&l1.Redirect).Equal(&l2.Redirect) { return false } diff --git a/pkg/flags/flags.go b/pkg/flags/flags.go index 5891f636b..a64a37193 100644 --- a/pkg/flags/flags.go +++ b/pkg/flags/flags.go @@ -17,6 +17,7 @@ limitations under the License. package flags import ( + "errors" "flag" "fmt" "net" @@ -158,8 +159,8 @@ Requires the update-status parameter.`) annotationsPrefix = flags.String("annotations-prefix", parser.DefaultAnnotationsPrefix, `Prefix of the Ingress annotations specific to the NGINX controller.`) - enableAnnotationValidation = flags.Bool("enable-annotation-validation", false, - `If true, will enable the annotation validation feature. This value will be defaulted to true on a future release`) + enableAnnotationValidation = flags.Bool("enable-annotation-validation", true, + `If true, will enable the annotation validation feature. Defaults to true`) enableSSLChainCompletion = flags.Bool("enable-ssl-chain-completion", false, `Autocomplete SSL certificate chains with missing intermediate CA certificates. @@ -177,12 +178,16 @@ Requires the update-status parameter.`) `Enables the collection of NGINX metrics.`) metricsPerHost = flags.Bool("metrics-per-host", true, `Export metrics per-host.`) + metricsPerUndefinedHost = flags.Bool("metrics-per-undefined-host", false, + `Export metrics per-host even if the host is not defined in an ingress. Requires --metrics-per-host to be set to true.`) reportStatusClasses = flags.Bool("report-status-classes", false, `Use status classes (2xx, 3xx, 4xx and 5xx) instead of status codes in metrics.`) timeBuckets = flags.Float64Slice("time-buckets", prometheus.DefBuckets, "Set of buckets which will be used for prometheus histogram metrics such as RequestTime, ResponseTime.") lengthBuckets = flags.Float64Slice("length-buckets", prometheus.LinearBuckets(10, 10, 10), "Set of buckets which will be used for prometheus histogram metrics such as RequestLength, ResponseLength.") sizeBuckets = flags.Float64Slice("size-buckets", prometheus.ExponentialBuckets(10, 10, 7), "Set of buckets which will be used for prometheus histogram metrics such as BytesSent.") + bucketFactor = flags.Float64("bucket-factor", 0, "Bucket factor for native histograms. Value must be > 1 for enabling native histograms.") + maxBuckets = flags.Uint32("max-buckets", 100, "Maximum number of buckets for native histograms.") excludeSocketMetrics = flags.StringSlice("exclude-socket-metrics", []string{}, "et of socket request metrics to exclude which won't be exported nor being calculated. E.g. 'nginx_ingress_controller_success,nginx_ingress_controller_header_duration_seconds'.") monitorMaxBatchSize = flags.Int("monitor-max-batch-size", 10000, "Max batch size of NGINX metrics.") @@ -232,7 +237,7 @@ Takes the form ":port". If not provided, no admission controller is starte flags.StringVar(&nginx.MaxmindMirror, "maxmind-mirror", "", `Maxmind mirror url (example: http://geoip.local/databases.`) flags.StringVar(&nginx.MaxmindLicenseKey, "maxmind-license-key", "", `Maxmind license key to download GeoLite2 Databases. -https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases .`) +https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/ .`) flags.StringVar(&nginx.MaxmindEditionIDs, "maxmind-edition-ids", "GeoLite2-City,GeoLite2-ASN", `Maxmind edition ids to download GeoLite2 Databases.`) flags.IntVar(&nginx.MaxmindRetriesCount, "maxmind-retries-count", 1, "Number of attempts to download the GeoIP DB.") flags.DurationVar(&nginx.MaxmindRetriesTimeout, "maxmind-retries-timeout", time.Second*0, "Maxmind downloading delay between 1st and 2nd attempt, 0s - do not retry to download if something went wrong.") @@ -317,6 +322,10 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g } } + if *metricsPerUndefinedHost && !*metricsPerHost { + return false, nil, errors.New("--metrics-per-undefined-host=true must be passed with --metrics-per-host=true") + } + if *electionTTL <= 0 { *electionTTL = 30 * time.Second } @@ -338,7 +347,10 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g EnableProfiling: *profiling, EnableMetrics: *enableMetrics, MetricsPerHost: *metricsPerHost, + MetricsPerUndefinedHost: *metricsPerUndefinedHost, MetricsBuckets: histogramBuckets, + MetricsBucketFactor: *bucketFactor, + MetricsMaxBuckets: *maxBuckets, ReportStatusClasses: *reportStatusClasses, ExcludeSocketMetrics: *excludeSocketMetrics, MonitorMaxBatchSize: *monitorMaxBatchSize, diff --git a/pkg/flags/flags_test.go b/pkg/flags/flags_test.go index e51d5fa6c..fdf153021 100644 --- a/pkg/flags/flags_test.go +++ b/pkg/flags/flags_test.go @@ -212,3 +212,29 @@ func TestLeaderElectionTTLParseValueInHours(t *testing.T) { t.Fatalf("Expected --election-ttl and conf.ElectionTTL as 1h, but found: %v", conf.ElectionTTL) } } + +func TestMetricsPerUndefinedHost(t *testing.T) { + ResetForTesting(func() { t.Fatal("Parsing failed") }) + + oldArgs := os.Args + defer func() { os.Args = oldArgs }() + os.Args = []string{"cmd", "--metrics-per-undefined-host=true"} + + _, _, err := ParseFlags() + if err != nil { + t.Fatalf("Expected no error but got: %s", err) + } +} + +func TestMetricsPerUndefinedHostWithMetricsPerHostFalse(t *testing.T) { + ResetForTesting(func() { t.Fatal("Parsing failed") }) + + oldArgs := os.Args + defer func() { os.Args = oldArgs }() + os.Args = []string{"cmd", "--metrics-per-host=false", "--metrics-per-undefined-host=true"} + + _, _, err := ParseFlags() + if err == nil { + t.Fatalf("Expected an error parsing flags but none returned") + } +} diff --git a/pkg/util/runtime/cpu_linux.go b/pkg/util/runtime/cpu_linux.go index cfc49d924..7db609053 100644 --- a/pkg/util/runtime/cpu_linux.go +++ b/pkg/util/runtime/cpu_linux.go @@ -36,15 +36,42 @@ import ( // // https://www.kernel.org/doc/Documentation/scheduler/sched-bwc.txt func NumCPU() int { + return NumCPUWithCustomPath("") +} + +func NumCPUWithCustomPath(path string) int { cpus := runtime.NumCPU() - cgroupPath, err := libcontainercgroups.FindCgroupMountpoint("", "cpu") - if err != nil { - return cpus + cgroupVersionCheckPath := path + + if cgroupVersionCheckPath == "" { + cgroupVersionCheckPath = "/sys/fs/cgroup/" } - cpuQuota := readCgroupFileToInt64(cgroupPath, "cpu.cfs_quota_us") - cpuPeriod := readCgroupFileToInt64(cgroupPath, "cpu.cfs_period_us") + cgroupVersion := GetCgroupVersion(cgroupVersionCheckPath) + cpuQuota := int64(-1) + cpuPeriod := int64(-1) + + if cgroupVersion == 1 { + cgroupPath := "" + if path == "" { + cgroupPathRd, err := libcontainercgroups.FindCgroupMountpoint("", "cpu") + if err != nil { + return cpus + } + cgroupPath = cgroupPathRd + } else { + cgroupPath = path + } + cpuQuota = readCgroupFileToInt64(cgroupPath, "cpu.cfs_quota_us") + cpuPeriod = readCgroupFileToInt64(cgroupPath, "cpu.cfs_period_us") + } else if cgroupVersion == 2 { + cgroupPath := "/sys/fs/cgroup/" + if path != "" { + cgroupPath = path + } + cpuQuota, cpuPeriod = readCgroup2FileToInt64Tuple(cgroupPath, "cpu.max") + } if cpuQuota == -1 || cpuPeriod == -1 { return cpus @@ -53,16 +80,66 @@ func NumCPU() int { return int(math.Ceil(float64(cpuQuota) / float64(cpuPeriod))) } -func readCgroupFileToInt64(cgroupPath, cgroupFile string) int64 { - contents, err := os.ReadFile(filepath.Join(cgroupPath, cgroupFile)) - if err != nil { - return -1 +func GetCgroupVersion(cgroupPath string) int64 { + // /sys/fs/cgroup/cgroup.controllers will not exist with cgroupsv1 + if _, err := os.Stat(filepath.Join(cgroupPath, "cgroup.controllers")); err == nil { + return 2 } - strValue := strings.TrimSpace(string(contents)) + return 1 +} + +func readCgroup2StringToInt64Tuple(cgroupString string) (quota, period int64) { + // file contents looks like: $MAX $PERIOD + // $MAX can have value "max" indicating no limit + // it is possible for $PERIOD to be unset + + values := strings.Fields(cgroupString) + + if values[0] == "max" { + return -1, -1 + } + + cpuQuota, err := strconv.ParseInt(values[0], 10, 64) + if err != nil { + return -1, -1 + } + + if len(values) == 1 { + return cpuQuota, 100000 + } + + cpuPeriod, err := strconv.ParseInt(values[1], 10, 64) + if err != nil { + return -1, -1 + } + + return cpuQuota, cpuPeriod +} + +func readCgroup2FileToInt64Tuple(cgroupPath, cgroupFile string) (quota, period int64) { + contents, err := os.ReadFile(filepath.Join(cgroupPath, cgroupFile)) + if err != nil { + return -1, -1 + } + + return readCgroup2StringToInt64Tuple(string(contents)) +} + +func readCgroupStringToInt64(contents string) int64 { + strValue := strings.TrimSpace(contents) if value, err := strconv.ParseInt(strValue, 10, 64); err == nil { return value } return -1 } + +func readCgroupFileToInt64(cgroupPath, cgroupFile string) int64 { + contents, err := os.ReadFile(filepath.Join(cgroupPath, cgroupFile)) + if err != nil { + return -1 + } + + return readCgroupStringToInt64(string(contents)) +} diff --git a/rootfs/Dockerfile-chroot b/rootfs/Dockerfile-chroot index c06db2252..b719f2fc3 100644 --- a/rootfs/Dockerfile-chroot +++ b/rootfs/Dockerfile-chroot @@ -23,7 +23,7 @@ RUN apk update \ && apk upgrade \ && /chroot.sh -FROM alpine:3.20.0 +FROM alpine:3.20 ARG TARGETARCH ARG VERSION diff --git a/rootfs/etc/nginx/lua/global_throttle.lua b/rootfs/etc/nginx/lua/global_throttle.lua deleted file mode 100644 index bea8cfd17..000000000 --- a/rootfs/etc/nginx/lua/global_throttle.lua +++ /dev/null @@ -1,131 +0,0 @@ -local resty_global_throttle = require("resty.global_throttle") -local resty_ipmatcher = require("resty.ipmatcher") -local util = require("util") - -local ngx = ngx -local ngx_exit = ngx.exit -local ngx_log = ngx.log -local ngx_ERR = ngx.ERR -local ngx_INFO = ngx.INFO - -local _M = {} - -local DECISION_CACHE = ngx.shared.global_throttle_cache - --- it does not make sense to cache decision for too little time --- the benefit of caching likely is negated if we cache for too little time --- Lua Shared Dict's time resolution for expiry is 0.001. -local CACHE_THRESHOLD = 0.001 - -local DEFAULT_RAW_KEY = "remote_addr" - -local function should_ignore_request(ignored_cidrs) - if not ignored_cidrs or #ignored_cidrs == 0 then - return false - end - - local ignored_cidrs_matcher, err = resty_ipmatcher.new(ignored_cidrs) - if not ignored_cidrs_matcher then - ngx_log(ngx_ERR, "failed to initialize resty-ipmatcher: ", err) - return false - end - - local is_ignored - is_ignored, err = ignored_cidrs_matcher:match(ngx.var.remote_addr) - if err then - ngx_log(ngx_ERR, "failed to match ip: '", - ngx.var.remote_addr, "': ", err) - return false - end - - return is_ignored -end - -local function is_enabled(config, location_config) - if config.memcached.host == "" or config.memcached.port == 0 then - return false - end - if location_config.limit == 0 or - location_config.window_size == 0 then - return false - end - - if should_ignore_request(location_config.ignored_cidrs) then - return false - end - - return true -end - -local function get_namespaced_key_value(namespace, key_value) - return namespace .. key_value -end - -function _M.throttle(config, location_config) - if not is_enabled(config, location_config) then - return - end - - local key_value = util.generate_var_value(location_config.key) - if not key_value or key_value == "" then - key_value = ngx.var[DEFAULT_RAW_KEY] - end - - local namespaced_key_value = - get_namespaced_key_value(location_config.namespace, key_value) - - local is_limit_exceeding = DECISION_CACHE:get(namespaced_key_value) - if is_limit_exceeding then - ngx.var.global_rate_limit_exceeding = "c" - return ngx_exit(config.status_code) - end - - local my_throttle, err = resty_global_throttle.new( - location_config.namespace, - location_config.limit, - location_config.window_size, - { - provider = "memcached", - host = config.memcached.host, - port = config.memcached.port, - connect_timeout = config.memcached.connect_timeout, - max_idle_timeout = config.memcached.max_idle_timeout, - pool_size = config.memcached.pool_size, - } - ) - if err then - ngx.log(ngx.ERR, "faled to initialize resty_global_throttle: ", err) - -- fail open - return - end - - local desired_delay, estimated_final_count - estimated_final_count, desired_delay, err = my_throttle:process(key_value) - if err then - ngx.log(ngx.ERR, "error while processing key: ", err) - -- fail open - return - end - - if desired_delay then - if desired_delay > CACHE_THRESHOLD then - local ok - ok, err = - DECISION_CACHE:safe_add(namespaced_key_value, true, desired_delay) - if not ok then - if err ~= "exists" then - ngx_log(ngx_ERR, "failed to cache decision: ", err) - end - end - end - - ngx.var.global_rate_limit_exceeding = "y" - ngx_log(ngx_INFO, "limit is exceeding for ", - location_config.namespace, "/", key_value, - " with estimated_final_count: ", estimated_final_count) - - return ngx_exit(config.status_code) - end -end - -return _M diff --git a/rootfs/etc/nginx/lua/lua_ingress.lua b/rootfs/etc/nginx/lua/lua_ingress.lua index 49e0f5b05..a513928cf 100644 --- a/rootfs/etc/nginx/lua/lua_ingress.lua +++ b/rootfs/etc/nginx/lua/lua_ingress.lua @@ -1,8 +1,8 @@ local ngx_re_split = require("ngx.re").split +local string_to_bool = require("util").string_to_bool local certificate_configured_for_current_request = require("certificate").configured_for_current_request -local global_throttle = require("global_throttle") local ngx = ngx local io = io @@ -109,7 +109,16 @@ end -- rewrite gets called in every location context. -- This is where we do variable assignments to be used in subsequent -- phases or redirection -function _M.rewrite(location_config) +function _M.rewrite() + + local location_config = { + force_ssl_redirect = string_to_bool(ngx.var.force_ssl_redirect), + ssl_redirect = string_to_bool(ngx.var.ssl_redirect), + force_no_ssl_redirect = string_to_bool(ngx.var.force_no_ssl_redirect), + preserve_trailing_slash = string_to_bool(ngx.var.preserve_trailing_slash), + use_port_in_redirects = string_to_bool(ngx.var.use_port_in_redirects), + } + ngx.var.pass_access_scheme = ngx.var.scheme ngx.var.best_http_host = ngx.var.http_host or ngx.var.host @@ -164,7 +173,6 @@ function _M.rewrite(location_config) return ngx_redirect(uri, config.http_redirect_code) end - global_throttle.throttle(config.global_throttle, location_config.global_throttle) end function _M.header() diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_balancer.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_balancer.lua new file mode 100644 index 000000000..977d3e964 --- /dev/null +++ b/rootfs/etc/nginx/lua/nginx/ngx_conf_balancer.lua @@ -0,0 +1,2 @@ +local balancer = require("balancer") +balancer.balance() \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_balancer_tcp_udp.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_balancer_tcp_udp.lua new file mode 100644 index 000000000..0442df7d8 --- /dev/null +++ b/rootfs/etc/nginx/lua/nginx/ngx_conf_balancer_tcp_udp.lua @@ -0,0 +1,2 @@ +local tcp_udp_balancer = require("tcp_udp_balancer") +tcp_udp_balancer.balance() \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_certificate.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_certificate.lua new file mode 100644 index 000000000..d33d2171b --- /dev/null +++ b/rootfs/etc/nginx/lua/nginx/ngx_conf_certificate.lua @@ -0,0 +1,2 @@ +local certificate = require("certificate") +certificate.call() \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_configuration.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_configuration.lua new file mode 100644 index 000000000..7864f40ef --- /dev/null +++ b/rootfs/etc/nginx/lua/nginx/ngx_conf_configuration.lua @@ -0,0 +1,2 @@ +local configuration = require("configuration") +configuration.call() \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_content_tcp_udp.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_content_tcp_udp.lua new file mode 100644 index 000000000..ed81e7ff3 --- /dev/null +++ b/rootfs/etc/nginx/lua/nginx/ngx_conf_content_tcp_udp.lua @@ -0,0 +1,2 @@ +local tcp_udp_configuration = require("tcp_udp_configuration") +tcp_udp_configuration.call() \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_init_tcp_udp.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_init_tcp_udp.lua new file mode 100644 index 000000000..926ab7a03 --- /dev/null +++ b/rootfs/etc/nginx/lua/nginx/ngx_conf_init_tcp_udp.lua @@ -0,0 +1,2 @@ +local tcp_udp_balancer = require("tcp_udp_balancer") +tcp_udp_balancer.init_worker() \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_is_dynamic_lb_initialized.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_is_dynamic_lb_initialized.lua new file mode 100644 index 000000000..ade3114b1 --- /dev/null +++ b/rootfs/etc/nginx/lua/nginx/ngx_conf_is_dynamic_lb_initialized.lua @@ -0,0 +1,9 @@ +local configuration = require("configuration") +local backend_data = configuration.get_backends_data() +if not backend_data then + ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR) + return +end + +ngx.say("OK") +ngx.exit(ngx.HTTP_OK) \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_log.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_log.lua new file mode 100644 index 000000000..8f3d57be6 --- /dev/null +++ b/rootfs/etc/nginx/lua/nginx/ngx_conf_log.lua @@ -0,0 +1,2 @@ +local monitor = require("monitor") +monitor.call() \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_log_block.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_log_block.lua new file mode 100644 index 000000000..72f6a6430 --- /dev/null +++ b/rootfs/etc/nginx/lua/nginx/ngx_conf_log_block.lua @@ -0,0 +1,11 @@ +local balancer = require("balancer") +local monitor = require("monitor") + +local luaconfig = ngx.shared.luaconfig +local enablemetrics = luaconfig:get("enablemetrics") + +balancer.log() + +if enablemetrics then + monitor.call() +end \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_rewrite_auth.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_rewrite_auth.lua new file mode 100644 index 000000000..0d16faba0 --- /dev/null +++ b/rootfs/etc/nginx/lua/nginx/ngx_conf_rewrite_auth.lua @@ -0,0 +1 @@ +ngx.var.cache_key = ngx.encode_base64(ngx.sha1_bin(ngx.var.tmp_cache_key)) \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_srv_hdr_filter.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_srv_hdr_filter.lua new file mode 100644 index 000000000..311a9b433 --- /dev/null +++ b/rootfs/etc/nginx/lua/nginx/ngx_conf_srv_hdr_filter.lua @@ -0,0 +1,2 @@ +local lua_ingress = require("lua_ingress") +lua_ingress.header() \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_rewrite.lua b/rootfs/etc/nginx/lua/nginx/ngx_rewrite.lua new file mode 100644 index 000000000..66fdd6d55 --- /dev/null +++ b/rootfs/etc/nginx/lua/nginx/ngx_rewrite.lua @@ -0,0 +1,5 @@ +local lua_ingress = require("lua_ingress") +local balancer = require("balancer") + +lua_ingress.rewrite() +balancer.rewrite() \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_srv_redirect.lua b/rootfs/etc/nginx/lua/nginx/ngx_srv_redirect.lua new file mode 100644 index 000000000..4b9445d00 --- /dev/null +++ b/rootfs/etc/nginx/lua/nginx/ngx_srv_redirect.lua @@ -0,0 +1,24 @@ +local request_uri = ngx.var.request_uri +local redirect_to = ngx.arg[1] + +local luaconfig = ngx.shared.luaconfig +local use_forwarded_headers = luaconfig:get("use_forwarded_headers") + +if string.sub(request_uri, -1) == "/" then + request_uri = string.sub(request_uri, 1, -2) +end + +local redirectScheme = ngx.var.scheme +local redirectPort = ngx.var.server_port + +if use_forwarded_headers then + if ngx.var.http_x_forwarded_proto then + redirectScheme = ngx.var.http_x_forwarded_proto + end + if ngx.var.http_x_forwarded_port then + redirectPort = ngx.var.http_x_forwarded_port + end +end + +return string.format("%s://%s:%s%s", redirectScheme, + redirect_to, redirectPort, request_uri) \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/ngx_conf_init.lua b/rootfs/etc/nginx/lua/ngx_conf_init.lua new file mode 100644 index 000000000..9789386ac --- /dev/null +++ b/rootfs/etc/nginx/lua/ngx_conf_init.lua @@ -0,0 +1,53 @@ +local cjson = require("cjson.safe") + +collectgarbage("collect") +local f = io.open("/etc/nginx/lua/cfg.json", "r") +local content = f:read("*a") +f:close() +local configfile = cjson.decode(content) + +local luaconfig = ngx.shared.luaconfig +luaconfig:set("enablemetrics", configfile.enable_metrics) +luaconfig:set("use_forwarded_headers", configfile.use_forwarded_headers) +-- init modules +local ok, res +ok, res = pcall(require, "lua_ingress") +if not ok then + error("require failed: " .. tostring(res)) +else + lua_ingress = res + lua_ingress.set_config(configfile) +end +ok, res = pcall(require, "configuration") +if not ok then + error("require failed: " .. tostring(res)) +else + configuration = res + if not configfile.listen_ports.status_port then + error("required status port not found") + end + configuration.prohibited_localhost_port = configfile.listen_ports.status_port +end +ok, res = pcall(require, "balancer") +if not ok then + error("require failed: " .. tostring(res)) +else + balancer = res +end +if configfile.enable_metrics then + ok, res = pcall(require, "monitor") + if not ok then + error("require failed: " .. tostring(res)) + else + monitor = res + end +end +ok, res = pcall(require, "certificate") +if not ok then + error("require failed: " .. tostring(res)) +else + certificate = res + if configfile.enable_ocsp then + certificate.is_ocsp_stapling_enabled = configfile.enable_ocsp + end +end \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/ngx_conf_init_stream.lua b/rootfs/etc/nginx/lua/ngx_conf_init_stream.lua new file mode 100644 index 000000000..a78062d0a --- /dev/null +++ b/rootfs/etc/nginx/lua/ngx_conf_init_stream.lua @@ -0,0 +1,30 @@ +local cjson = require("cjson.safe") +collectgarbage("collect") +local f = io.open("/etc/nginx/lua/cfg.json", "r") +local content = f:read("*a") +f:close() +local configfile = cjson.decode(content) +-- init modules +local ok, res +ok, res = pcall(require, "configuration") +if not ok then + error("require failed: " .. tostring(res)) +else + configuration = res +end +ok, res = pcall(require, "tcp_udp_configuration") +if not ok then + error("require failed: " .. tostring(res)) +else + tcp_udp_configuration = res + if not configfile.listen_ports.status_port then + error("required status port not found") + end + tcp_udp_configuration.prohibited_localhost_port = configfile.listen_ports.status_port +end +ok, res = pcall(require, "tcp_udp_balancer") +if not ok then + error("require failed: " .. tostring(res)) +else + tcp_udp_balancer = res +end diff --git a/rootfs/etc/nginx/lua/ngx_conf_init_worker.lua b/rootfs/etc/nginx/lua/ngx_conf_init_worker.lua new file mode 100644 index 000000000..cba866136 --- /dev/null +++ b/rootfs/etc/nginx/lua/ngx_conf_init_worker.lua @@ -0,0 +1,15 @@ +local cjson = require("cjson.safe") + +local f = io.open("/etc/nginx/lua/cfg.json", "r") +local content = f:read("*a") +f:close() +local configfile = cjson.decode(content) + +local lua_ingress = require("lua_ingress") +local balancer = require("balancer") +local monitor = require("monitor") +lua_ingress.init_worker() +balancer.init_worker() +if configfile.enable_metrics and configfile.monitor_batch_max_size then + monitor.init_worker(configfile.monitor_batch_max_size) +end \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/plugins.lua b/rootfs/etc/nginx/lua/plugins.lua deleted file mode 100644 index 55e208a32..000000000 --- a/rootfs/etc/nginx/lua/plugins.lua +++ /dev/null @@ -1,61 +0,0 @@ -local require = require -local ngx = ngx -local ipairs = ipairs -local string_format = string.format -local ngx_log = ngx.log -local INFO = ngx.INFO -local ERR = ngx.ERR -local pcall = pcall - -local _M = {} -local MAX_NUMBER_OF_PLUGINS = 20 -local plugins = {} - -local function load_plugin(name) - local path = string_format("plugins.%s.main", name) - - local ok, plugin = pcall(require, path) - if not ok then - ngx_log(ERR, string_format("error loading plugin \"%s\": %s", path, plugin)) - return - end - local index = #plugins - if (plugin.name == nil or plugin.name == '') then - plugin.name = name - end - plugins[index + 1] = plugin -end - -function _M.init(names) - local count = 0 - for _, name in ipairs(names) do - if count >= MAX_NUMBER_OF_PLUGINS then - ngx_log(ERR, "the total number of plugins exceed the maximum number: ", MAX_NUMBER_OF_PLUGINS) - break - end - load_plugin(name) - count = count + 1 -- ignore loading failure, just count the total - end -end - -function _M.run() - local phase = ngx.get_phase() - - for _, plugin in ipairs(plugins) do - if plugin[phase] then - ngx_log(INFO, string_format("running plugin \"%s\" in phase \"%s\"", plugin.name, phase)) - - -- TODO: consider sandboxing this, should we? - -- probably yes, at least prohibit plugin from accessing env vars etc - -- but since the plugins are going to be installed by ingress-nginx - -- operator they can be assumed to be safe also - local ok, err = pcall(plugin[phase]) - if not ok then - ngx_log(ERR, string_format("error while running plugin \"%s\" in phase \"%s\": %s", - plugin.name, phase, err)) - end - end - end -end - -return _M diff --git a/rootfs/etc/nginx/lua/plugins/README.md b/rootfs/etc/nginx/lua/plugins/README.md deleted file mode 100644 index 64f4912f0..000000000 --- a/rootfs/etc/nginx/lua/plugins/README.md +++ /dev/null @@ -1,36 +0,0 @@ -# Custom Lua plugins - -ingress-nginx uses [https://github.com/openresty/lua-nginx-module](https://github.com/openresty/lua-nginx-module) to run custom Lua code -within Nginx workers. It is recommended to familiarize yourself with that ecosystem before deploying your custom Lua based ingress-nginx plugin. - -### Writing a plugin - -Every ingress-nginx Lua plugin is expected to have `main.lua` file and all of its dependencies. -`main.lua` is the entry point of the plugin. The plugin manager uses convention over configuration -strategy and automatically runs functions defined in `main.lua` in the corresponding Nginx phase based on their name. - -Nginx has different [request processing phases](https://nginx.org/en/docs/dev/development_guide.html#http_phases). -By defining functions with the following names, you can run your custom Lua code in the corresponding Nginx phase: - - - `init_worker`: useful for initializing some data per Nginx worker process - - `rewrite`: useful for modifying request, changing headers, redirection, dropping request, doing authentication etc - - `header_filter`: this is called when backend response header is received, it is useful for modifying response headers - - `body_filter`: this is called when response body is received, it is useful for logging response body - - `log`: this is called when request processing is completed and a response is delivered to the client - -Check this [`hello_world`](https://github.com/kubernetes/ingress-nginx/tree/main/rootfs/etc/nginx/lua/plugins/hello_world) plugin as a simple example or refer to [OpenID Connect integration](https://github.com/ElvinEfendi/ingress-nginx-openidc/tree/master/rootfs/etc/nginx/lua/plugins/openidc) for more advanced usage. - -Do not forget to write tests for your plugin. - -### Installing a plugin - -There are two options: - - - mount your plugin into `/etc/nginx/lua/plugins/` in the ingress-nginx pod - - build your own ingress-nginx image like it is done in the [example](https://github.com/ElvinEfendi/ingress-nginx-openidc/tree/master/rootfs/etc/nginx/lua/plugins/openidc) and install your plugin during image build - -Mounting is the quickest option. - -### Enabling plugins - -Once your plugin is ready you need to use [`plugins` configuration setting](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#plugins) to activate it. Let's say you want to activate `hello_world` and `open_idc` plugins, then you set `plugins` setting to `"hello_world, open_idc"`. _Note_ that the plugins will be executed in the given order. diff --git a/rootfs/etc/nginx/lua/plugins/hello_world/main.lua b/rootfs/etc/nginx/lua/plugins/hello_world/main.lua deleted file mode 100644 index 03316c3ee..000000000 --- a/rootfs/etc/nginx/lua/plugins/hello_world/main.lua +++ /dev/null @@ -1,13 +0,0 @@ -local ngx = ngx - -local _M = {} - -function _M.rewrite() - local ua = ngx.var.http_user_agent - - if ua == "hello" then - ngx.req.set_header("x-hello-world", "1") - end -end - -return _M diff --git a/rootfs/etc/nginx/lua/plugins/hello_world/test/main_test.lua b/rootfs/etc/nginx/lua/plugins/hello_world/test/main_test.lua deleted file mode 100644 index 5eda52259..000000000 --- a/rootfs/etc/nginx/lua/plugins/hello_world/test/main_test.lua +++ /dev/null @@ -1,24 +0,0 @@ - -local main = require("plugins.hello_world.main") - --- The unit tests are run within a timer phase in a headless Nginx process. --- Since `set_header` and `ngx.var.http_` API are disabled in this phase we have to stub it --- to avoid `API disabled in the current context` error. - -describe("main", function() - describe("rewrite", function() - it("sets x-hello-world header to 1 when user agent is hello", function() - ngx.var = { http_user_agent = "hello" } - stub(ngx.req, "set_header") - main.rewrite() - assert.stub(ngx.req.set_header).was_called_with("x-hello-world", "1") - end) - - it("does not set x-hello-world header to 1 when user agent is not hello", function() - ngx.var = { http_user_agent = "not-hello" } - stub(ngx.req, "set_header") - main.rewrite() - assert.stub(ngx.req.set_header).was_not_called_with("x-hello-world", "1") - end) - end) -end) diff --git a/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua b/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua index 80d0c0d0e..70723143b 100644 --- a/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua +++ b/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua @@ -357,7 +357,7 @@ describe("Sticky", function() for _ = 1, 100 do local new_upstream = sticky_balancer_instance:balance() if change_on_failure == false then - -- upstream should be the same inspite of error, if change_on_failure option is false + -- upstream should be the same in spite of error, if change_on_failure option is false assert.equal(new_upstream, old_upstream) else -- upstream should change after error, if change_on_failure option is true diff --git a/rootfs/etc/nginx/lua/test/global_throttle_test.lua b/rootfs/etc/nginx/lua/test/global_throttle_test.lua deleted file mode 100644 index b8db740ad..000000000 --- a/rootfs/etc/nginx/lua/test/global_throttle_test.lua +++ /dev/null @@ -1,258 +0,0 @@ -local util = require("util") - -local function assert_request_rejected(config, location_config, opts) - stub(ngx, "exit") - - local global_throttle = require_without_cache("global_throttle") - assert.has_no.errors(function() - global_throttle.throttle(config, location_config) - end) - - assert.stub(ngx.exit).was_called_with(config.status_code) - if opts.with_cache then - assert.are.same("c", ngx.var.global_rate_limit_exceeding) - else - assert.are.same("y", ngx.var.global_rate_limit_exceeding) - end -end - -local function assert_request_not_rejected(config, location_config) - stub(ngx, "exit") - local cache_safe_add_spy = spy.on(ngx.shared.global_throttle_cache, "safe_add") - - local global_throttle = require_without_cache("global_throttle") - assert.has_no.errors(function() - global_throttle.throttle(config, location_config) - end) - - assert.stub(ngx.exit).was_not_called() - assert.is_nil(ngx.var.global_rate_limit_exceeding) - assert.spy(cache_safe_add_spy).was_not_called() -end - -local function assert_short_circuits(f) - local cache_get_spy = spy.on(ngx.shared.global_throttle_cache, "get") - - local resty_global_throttle = require_without_cache("resty.global_throttle") - local resty_global_throttle_new_spy = spy.on(resty_global_throttle, "new") - - local global_throttle = require_without_cache("global_throttle") - - f(global_throttle) - - assert.spy(resty_global_throttle_new_spy).was_not_called() - assert.spy(cache_get_spy).was_not_called() -end - -local function assert_fails_open(config, location_config, ...) - stub(ngx, "exit") - stub(ngx, "log") - - local global_throttle = require_without_cache("global_throttle") - - assert.has_no.errors(function() - global_throttle.throttle(config, location_config) - end) - - assert.stub(ngx.exit).was_not_called() - assert.stub(ngx.log).was_called_with(ngx.ERR, ...) - assert.is_nil(ngx.var.global_rate_limit_exceeding) -end - -local function stub_resty_global_throttle_process(ret1, ret2, ret3, f) - local resty_global_throttle = require_without_cache("resty.global_throttle") - local resty_global_throttle_mock = { - process = function(self, key) return ret1, ret2, ret3 end - } - stub(resty_global_throttle, "new", resty_global_throttle_mock) - - f() - - assert.stub(resty_global_throttle.new).was_called() -end - -local function cache_rejection_decision(namespace, key_value, desired_delay) - local namespaced_key_value = namespace .. key_value - local ok, err = ngx.shared.global_throttle_cache:safe_add(namespaced_key_value, true, desired_delay) - assert.is_nil(err) - assert.is_true(ok) - assert.is_true(ngx.shared.global_throttle_cache:get(namespaced_key_value)) -end - -describe("global_throttle", function() - local snapshot - - local NAMESPACE = "31285d47b1504dcfbd6f12c46d769f6e" - local LOCATION_CONFIG = { - namespace = NAMESPACE, - limit = 10, - window_size = 60, - key = {}, - ignored_cidrs = {}, - } - local CONFIG = { - memcached = { - host = "memc.default.svc.cluster.local", port = 11211, - connect_timeout = 50, max_idle_timeout = 10000, pool_size = 50, - }, - status_code = 429, - } - - before_each(function() - snapshot = assert:snapshot() - - ngx.var = { remote_addr = "127.0.0.1", global_rate_limit_exceeding = nil } - end) - - after_each(function() - snapshot:revert() - - ngx.shared.global_throttle_cache:flush_all() - reset_ngx() - end) - - it("short circuits when memcached is not configured", function() - assert_short_circuits(function(global_throttle) - assert.has_no.errors(function() - global_throttle.throttle({ memcached = { host = "", port = 0 } }, LOCATION_CONFIG) - end) - end) - end) - - it("short circuits when limit or window_size is not configured", function() - assert_short_circuits(function(global_throttle) - local location_config_copy = util.deepcopy(LOCATION_CONFIG) - location_config_copy.limit = 0 - assert.has_no.errors(function() - global_throttle.throttle(CONFIG, location_config_copy) - end) - end) - - assert_short_circuits(function(global_throttle) - local location_config_copy = util.deepcopy(LOCATION_CONFIG) - location_config_copy.window_size = 0 - assert.has_no.errors(function() - global_throttle.throttle(CONFIG, location_config_copy) - end) - end) - end) - - it("short circuits when remote_addr is in ignored_cidrs", function() - local global_throttle = require_without_cache("global_throttle") - local location_config = util.deepcopy(LOCATION_CONFIG) - location_config.ignored_cidrs = { ngx.var.remote_addr } - assert_short_circuits(function(global_throttle) - assert.has_no.errors(function() - global_throttle.throttle(CONFIG, location_config) - end) - end) - end) - - it("rejects when exceeding limit has already been cached", function() - local key_value = "foo" - local location_config = util.deepcopy(LOCATION_CONFIG) - location_config.key = { { nil, nil, nil, key_value } } - cache_rejection_decision(NAMESPACE, key_value, 0.5) - - assert_request_rejected(CONFIG, location_config, { with_cache = true }) - end) - - describe("when resty_global_throttle fails", function() - it("fails open in case of initialization error", function() - local too_long_namespace = "" - for i=1,36,1 do - too_long_namespace = too_long_namespace .. "a" - end - - local location_config = util.deepcopy(LOCATION_CONFIG) - location_config.namespace = too_long_namespace - - assert_fails_open(CONFIG, location_config, "faled to initialize resty_global_throttle: ", "'namespace' can be at most 35 characters") - end) - - it("fails open in case of key processing error", function() - stub_resty_global_throttle_process(nil, nil, "failed to process", function() - assert_fails_open(CONFIG, LOCATION_CONFIG, "error while processing key: ", "failed to process") - end) - end) - end) - - it("initializes resty_global_throttle with the right parameters", function() - local resty_global_throttle = require_without_cache("resty.global_throttle") - local resty_global_throttle_original_new = resty_global_throttle.new - resty_global_throttle.new = function(namespace, limit, window_size, store_opts) - local o, err = resty_global_throttle_original_new(namespace, limit, window_size, store_opts) - if not o then - return nil, err - end - o.process = function(self, key) return 1, nil, nil end - - local expected = LOCATION_CONFIG - assert.are.same(expected.namespace, namespace) - assert.are.same(expected.limit, limit) - assert.are.same(expected.window_size, window_size) - - assert.are.same("memcached", store_opts.provider) - assert.are.same(CONFIG.memcached.host, store_opts.host) - assert.are.same(CONFIG.memcached.port, store_opts.port) - assert.are.same(CONFIG.memcached.connect_timeout, store_opts.connect_timeout) - assert.are.same(CONFIG.memcached.max_idle_timeout, store_opts.max_idle_timeout) - assert.are.same(CONFIG.memcached.pool_size, store_opts.pool_size) - - return o, nil - end - local resty_global_throttle_new_spy = spy.on(resty_global_throttle, "new") - - local global_throttle = require_without_cache("global_throttle") - - assert.has_no.errors(function() - global_throttle.throttle(CONFIG, LOCATION_CONFIG) - end) - - assert.spy(resty_global_throttle_new_spy).was_called() - end) - - it("rejects request and caches decision when limit is exceeding after processing a key", function() - local desired_delay = 0.015 - - stub_resty_global_throttle_process(LOCATION_CONFIG.limit + 1, desired_delay, nil, function() - assert_request_rejected(CONFIG, LOCATION_CONFIG, { with_cache = false }) - - local cache_key = LOCATION_CONFIG.namespace .. ngx.var.remote_addr - assert.is_true(ngx.shared.global_throttle_cache:get(cache_key)) - - -- we assume it won't take more than this after caching - -- until we execute the assertion below - local delta = 0.001 - local ttl = ngx.shared.global_throttle_cache:ttl(cache_key) - assert.is_true(ttl > desired_delay - delta) - assert.is_true(ttl <= desired_delay) - end) - end) - - it("rejects request and skip caching of decision when limit is exceeding after processing a key but desired delay is lower than the threshold", function() - local desired_delay = 0.0009 - - stub_resty_global_throttle_process(LOCATION_CONFIG.limit, desired_delay, nil, function() - assert_request_rejected(CONFIG, LOCATION_CONFIG, { with_cache = false }) - - local cache_key = LOCATION_CONFIG.namespace .. ngx.var.remote_addr - assert.is_nil(ngx.shared.global_throttle_cache:get(cache_key)) - end) - end) - - it("allows the request when limit is not exceeding after processing a key", function() - stub_resty_global_throttle_process(LOCATION_CONFIG.limit - 3, nil, nil, - function() - assert_request_not_rejected(CONFIG, LOCATION_CONFIG) - end - ) - end) - - it("rejects with custom status code", function() - cache_rejection_decision(NAMESPACE, ngx.var.remote_addr, 0.3) - local config = util.deepcopy(CONFIG) - config.status_code = 503 - assert_request_rejected(config, LOCATION_CONFIG, { with_cache = true }) - end) -end) diff --git a/rootfs/etc/nginx/lua/test/plugins_test.lua b/rootfs/etc/nginx/lua/test/plugins_test.lua deleted file mode 100644 index d7f789d0f..000000000 --- a/rootfs/etc/nginx/lua/test/plugins_test.lua +++ /dev/null @@ -1,23 +0,0 @@ -describe("plugins", function() - describe("#run", function() - it("runs the plugins in the given order", function() - ngx.get_phase = function() return "rewrite" end - local plugins = require("plugins") - local called_plugins = {} - local plugins_to_mock = {"plugins.pluginfirst.main", "plugins.pluginsecond.main", "plugins.pluginthird.main"} - for i=1, 3, 1 - do - package.loaded[plugins_to_mock[i]] = { - rewrite = function() - called_plugins[#called_plugins + 1] = plugins_to_mock[i] - end - } - end - assert.has_no.errors(function() - plugins.init({"pluginfirst", "pluginsecond", "pluginthird"}) - end) - assert.has_no.errors(plugins.run) - assert.are.same(plugins_to_mock, called_plugins) - end) - end) -end) \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/util.lua b/rootfs/etc/nginx/lua/util.lua index 7389f3226..1e4cd7c01 100644 --- a/rootfs/etc/nginx/lua/util.lua +++ b/rootfs/etc/nginx/lua/util.lua @@ -146,6 +146,10 @@ function _M.is_blank(str) return str == nil or string_len(str) == 0 end +function _M.string_to_bool(str) + return str == "true" +end + -- this implementation is taken from: -- https://github.com/luafun/luafun/blob/master/fun.lua#L33 -- SHA: 04c99f9c393e54a604adde4b25b794f48104e0d0 diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index 93a04e3e6..f32860dc2 100644 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -68,71 +68,11 @@ http { {{ buildLuaSharedDictionaries $cfg $servers }} - init_by_lua_block { - collectgarbage("collect") + lua_shared_dict luaconfig 5m; - -- init modules - local ok, res + init_by_lua_file /etc/nginx/lua/ngx_conf_init.lua; - ok, res = pcall(require, "lua_ingress") - if not ok then - error("require failed: " .. tostring(res)) - else - lua_ingress = res - lua_ingress.set_config({{ configForLua $all }}) - end - - ok, res = pcall(require, "configuration") - if not ok then - error("require failed: " .. tostring(res)) - else - configuration = res - configuration.prohibited_localhost_port = '{{ .StatusPort }}' - end - - ok, res = pcall(require, "balancer") - if not ok then - error("require failed: " .. tostring(res)) - else - balancer = res - end - - {{ if $all.EnableMetrics }} - ok, res = pcall(require, "monitor") - if not ok then - error("require failed: " .. tostring(res)) - else - monitor = res - end - {{ end }} - - ok, res = pcall(require, "certificate") - if not ok then - error("require failed: " .. tostring(res)) - else - certificate = res - certificate.is_ocsp_stapling_enabled = {{ $cfg.EnableOCSP }} - end - - ok, res = pcall(require, "plugins") - if not ok then - error("require failed: " .. tostring(res)) - else - plugins = res - end - -- load all plugins that'll be used here - plugins.init({ {{ range $idx, $plugin := $cfg.Plugins }}{{ if $idx }},{{ end }}{{ $plugin | quote }}{{ end }} }) - } - - init_worker_by_lua_block { - lua_ingress.init_worker() - balancer.init_worker() - {{ if $all.EnableMetrics }} - monitor.init_worker({{ $all.MonitorMaxBatchSize }}) - {{ end }} - - plugins.run() - } + init_worker_by_lua_file /etc/nginx/lua/ngx_conf_init_worker.lua; {{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}} {{/* we use the value of the real IP for the geo_ip module */}} @@ -550,9 +490,7 @@ http { server 0.0.0.1; # placeholder - balancer_by_lua_block { - balancer.balance() - } + balancer_by_lua_file /etc/nginx/lua/nginx/ngx_conf_balancer.lua; {{ if (gt $cfg.UpstreamKeepaliveConnections 0) }} keepalive {{ $cfg.UpstreamKeepaliveConnections }}; @@ -617,9 +555,7 @@ http { {{ buildHTTPListener $all $redirect.From }} {{ buildHTTPSListener $all $redirect.From }} - ssl_certificate_by_lua_block { - certificate.call() - } + ssl_certificate_by_lua_file /etc/nginx/lua/nginx/ngx_conf_certificate.lua; {{ if gt (len $cfg.BlockUserAgents) 0 }} if ($block_ua) { @@ -632,30 +568,7 @@ http { } {{ end }} - set_by_lua_block $redirect_to { - local request_uri = ngx.var.request_uri - if string.sub(request_uri, -1) == "/" then - request_uri = string.sub(request_uri, 1, -2) - end - - {{ if $cfg.UseForwardedHeaders }} - local redirectScheme - if not ngx.var.http_x_forwarded_proto then - redirectScheme = ngx.var.scheme - else - redirectScheme = ngx.var.http_x_forwarded_proto - end - {{ else }} - local redirectScheme = ngx.var.scheme - {{ end }} - - {{ if ne $all.ListenPorts.HTTPS 443 }} - {{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }} - return string.format("%s://%s%s%s", redirectScheme, "{{ $redirect.To }}", "{{ $redirect_port }}", request_uri) - {{ else }} - return string.format("%s://%s%s", redirectScheme, "{{ $redirect.To }}", request_uri) - {{ end }} - } + set_by_lua_file $redirect_to /etc/nginx/lua/nginx/ngx_srv_redirect.lua {{ $redirect.To }}; return {{ $all.Cfg.HTTPRedirectCode }} $redirect_to; } @@ -750,17 +663,7 @@ http { } location /is-dynamic-lb-initialized { - content_by_lua_block { - local configuration = require("configuration") - local backend_data = configuration.get_backends_data() - if not backend_data then - ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR) - return - end - - ngx.say("OK") - ngx.exit(ngx.HTTP_OK) - } + content_by_lua_file /etc/nginx/lua/nginx/ngx_conf_is_dynamic_lb_initialized.lua; } location {{ .StatusPath }} { @@ -772,15 +675,11 @@ http { client_body_buffer_size {{ luaConfigurationRequestBodySize $cfg }}; proxy_buffering off; - content_by_lua_block { - configuration.call() - } + content_by_lua_file /etc/nginx/lua/nginx/ngx_conf_configuration.lua; } location / { - content_by_lua_block { - ngx.exit(ngx.HTTP_NOT_FOUND) - } + return 404; } } } @@ -792,39 +691,9 @@ stream { {{ buildResolvers $cfg.Resolver $cfg.DisableIpv6DNS }} - init_by_lua_block { - collectgarbage("collect") + init_by_lua_file /etc/nginx/lua/ngx_conf_init_stream.lua; - -- init modules - local ok, res - - ok, res = pcall(require, "configuration") - if not ok then - error("require failed: " .. tostring(res)) - else - configuration = res - end - - ok, res = pcall(require, "tcp_udp_configuration") - if not ok then - error("require failed: " .. tostring(res)) - else - tcp_udp_configuration = res - tcp_udp_configuration.prohibited_localhost_port = '{{ .StatusPort }}' - - end - - ok, res = pcall(require, "tcp_udp_balancer") - if not ok then - error("require failed: " .. tostring(res)) - else - tcp_udp_balancer = res - end - } - - init_worker_by_lua_block { - tcp_udp_balancer.init_worker() - } + init_worker_by_lua_file /etc/nginx/lua/nginx/ngx_conf_init_tcp_udp.lua; lua_add_variable $proxy_upstream_name; @@ -846,10 +715,7 @@ stream { upstream upstream_balancer { server 0.0.0.1:1234; # placeholder - - balancer_by_lua_block { - tcp_udp_balancer.balance() - } + balancer_by_lua_file /etc/nginx/lua/nginx/ngx_conf_balancer_tcp_udp.lua; } server { @@ -857,9 +723,7 @@ stream { access_log off; - content_by_lua_block { - tcp_udp_configuration.call() - } + content_by_lua_file /etc/nginx/lua/nginx/ngx_conf_content_tcp_udp.lua; } # TCP services @@ -959,11 +823,9 @@ stream { rewrite (.*) / break; proxy_pass http://upstream_balancer; - log_by_lua_block { - {{ if $enableMetrics }} - monitor.call() - {{ end }} - } + {{ if $enableMetrics }} + log_by_lua_file /etc/nginx/lua/nginx/ngx_conf_log.lua; + {{ end }} } {{ end }} {{ end }} @@ -1023,9 +885,7 @@ stream { ssl_reject_handshake {{ if $all.Cfg.SSLRejectHandshake }}on{{ else }}off{{ end }}; {{ end }} - ssl_certificate_by_lua_block { - certificate.call() - } + ssl_certificate_by_lua_file /etc/nginx/lua/nginx/ngx_conf_certificate.lua; {{ if not (empty $server.AuthTLSError) }} # {{ $server.AuthTLSError }} @@ -1126,9 +986,7 @@ stream { set $tmp_cache_key '{{ $server.Hostname }}{{ $authPath }}{{ $externalAuth.AuthCacheKey }}'; set $cache_key ''; - rewrite_by_lua_block { - ngx.var.cache_key = ngx.encode_base64(ngx.sha1_bin(ngx.var.tmp_cache_key)) - } + rewrite_by_lua_file /etc/nginx/lua/nginx/ngx_conf_rewrite_auth.lua; proxy_cache auth_cache; @@ -1253,7 +1111,6 @@ stream { set $service_name {{ $ing.Service | quote }}; set $service_port {{ $ing.ServicePort | quote }}; set $location_path {{ $ing.Path | escapeLiteralDollar | quote }}; - set $global_rate_limit_exceeding n; {{ buildOpentelemetryForLocation $all.Cfg.EnableOpentelemetry $all.Cfg.OpentelemetryTrustIncomingSpan $location }} @@ -1262,35 +1119,13 @@ stream { mirror_request_body {{ $location.Mirror.RequestBody }}; {{ end }} - rewrite_by_lua_block { - lua_ingress.rewrite({{ locationConfigForLua $location $all }}) - balancer.rewrite() - plugins.run() - } + {{ locationConfigForLua $location $all }} - # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any - # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)` - # other authentication method such as basic auth or external auth useless - all requests will be allowed. - #access_by_lua_block { - #} + rewrite_by_lua_file /etc/nginx/lua/nginx/ngx_rewrite.lua; - header_filter_by_lua_block { - lua_ingress.header() - plugins.run() - } + header_filter_by_lua_file /etc/nginx/lua/nginx/ngx_conf_srv_hdr_filter.lua; - body_filter_by_lua_block { - plugins.run() - } - - log_by_lua_block { - balancer.log() - {{ if $all.EnableMetrics }} - monitor.call() - {{ end }} - - plugins.run() - } + log_by_lua_file /etc/nginx/lua/nginx/ngx_conf_log_block.lua; {{ if not $location.Logs.Access }} access_log off; diff --git a/test/data/cleanConf.expected.conf b/test/data/cleanConf.expected.conf index 7c4a16824..9c0513b37 100644 --- a/test/data/cleanConf.expected.conf +++ b/test/data/cleanConf.expected.conf @@ -67,8 +67,6 @@ http { balancer.init_worker() monitor.init_worker(10000) - - plugins.run() } map $request_uri $loggable { @@ -120,7 +118,6 @@ http { use_port_in_redirects = false, }) balancer.rewrite() - plugins.run() } # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any @@ -130,7 +127,6 @@ http { header_filter_by_lua_block { lua_ingress.header() - plugins.run() } } diff --git a/test/data/cleanConf.src.conf b/test/data/cleanConf.src.conf index 89954cf0d..6da578106 100644 --- a/test/data/cleanConf.src.conf +++ b/test/data/cleanConf.src.conf @@ -86,11 +86,8 @@ lua_shared_dict ocsp_response_cache 5M; init_worker_by_lua_block { lua_ingress.init_worker() balancer.init_worker() - - monitor.init_worker(10000) - - plugins.run() + monitor.init_worker(10000) } @@ -164,7 +161,6 @@ lua_shared_dict ocsp_response_cache 5M; use_port_in_redirects = false, }) balancer.rewrite() - plugins.run() } # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any @@ -174,7 +170,6 @@ lua_shared_dict ocsp_response_cache 5M; header_filter_by_lua_block { lua_ingress.header() - plugins.run() } diff --git a/test/e2e-image/Dockerfile b/test/e2e-image/Dockerfile index 7bd7c9c1c..5e7417477 100644 --- a/test/e2e-image/Dockerfile +++ b/test/e2e-image/Dockerfile @@ -1,7 +1,7 @@ ARG E2E_BASE_IMAGE FROM ${E2E_BASE_IMAGE} AS BASE -FROM alpine:3.20.0 +FROM alpine:3.20 RUN apk update \ && apk upgrade && apk add -U --no-cache \ diff --git a/test/e2e-image/Makefile b/test/e2e-image/Makefile index 9ade9961f..e3b0d609f 100644 --- a/test/e2e-image/Makefile +++ b/test/e2e-image/Makefile @@ -1,6 +1,6 @@ DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST)))) -E2E_BASE_IMAGE ?= "registry.k8s.io/ingress-nginx/e2e-test-runner:v20240729-04899b27@sha256:9f067e6c861343da47f5851bf255aecdeb33a61fc5991a6c659fb237a3f619f9" +E2E_BASE_IMAGE ?= "registry.k8s.io/ingress-nginx/e2e-test-runner:v20241004-114a6abb@sha256:1389ec0589abbf5c431c9290c4c307437c8396995c63dda5eac26abd70963dc8" image: echo "..entered Makefile in /test/e2e-image" diff --git a/test/e2e/HTTPBUN_IMAGE b/test/e2e/HTTPBUN_IMAGE index 7e83b49fe..7ea3fdc70 100644 --- a/test/e2e/HTTPBUN_IMAGE +++ b/test/e2e/HTTPBUN_IMAGE @@ -1 +1 @@ -registry.k8s.io/ingress-nginx/e2e-test-httpbun:v20231011-8b53cabe0 +registry.k8s.io/ingress-nginx/httpbun:v1.0.2@sha256:d4079f3027dba27e2a1d7fcfb3144d6dd9e15307fb7fa80ca649232d08e90d16 diff --git a/test/e2e/admission/admission.go b/test/e2e/admission/admission.go index c41105e2d..873e6719d 100644 --- a/test/e2e/admission/admission.go +++ b/test/e2e/admission/admission.go @@ -44,33 +44,6 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", f.NewSlowEchoDeployment() }) - ginkgo.It("reject ingress with global-rate-limit annotations when memcached is not configured", func() { - host := admissionTestHost - - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/global-rate-limit": "100", - "nginx.ingress.kubernetes.io/global-rate-limit-window": "1m", - } - ing := framework.NewSingleIngress("first-ingress", "/", host, f.Namespace, framework.EchoService, 80, annotations) - - ginkgo.By("rejects ingress when memcached is not configured") - - _, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), ing, metav1.CreateOptions{}) - assert.NotNil(ginkgo.GinkgoT(), err, "creating ingress with global throttle annotations when memcached is not configured") - - ginkgo.By("accepts ingress when memcached is not configured") - - f.UpdateNginxConfigMapData("global-rate-limit-memcached-host", "memc.default.svc.cluster.local") - - _, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), ing, metav1.CreateOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "creating ingress with global throttle annotations when memcached is configured") - - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %v", host)) - }) - }) - ginkgo.It("should not allow overlaps of host and paths without canary annotations", func() { host := admissionTestHost @@ -127,14 +100,8 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", }) ginkgo.It("should return an error if there is an error validating the ingress definition", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := admissionTestHost @@ -241,14 +208,8 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", }) ginkgo.It("should return an error if the Ingress V1 definition contains invalid annotations", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() out, err := createIngress(f.Namespace, invalidV1Ingress) assert.Empty(ginkgo.GinkgoT(), out) @@ -261,14 +222,8 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", }) ginkgo.It("should not return an error for an invalid Ingress when it has unknown class", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() out, err := createIngress(f.Namespace, invalidV1IngressWithOtherClass) assert.Equal(ginkgo.GinkgoT(), "ingress.networking.k8s.io/extensions-invalid-other created\n", out) assert.Nil(ginkgo.GinkgoT(), err, "creating an invalid ingress with unknown class using kubectl") diff --git a/test/e2e/annotations/auth.go b/test/e2e/annotations/auth.go index ea33fdf32..01c14be39 100644 --- a/test/e2e/annotations/auth.go +++ b/test/e2e/annotations/auth.go @@ -277,14 +277,8 @@ var _ = framework.DescribeAnnotation("auth-*", func() { "nginx.ingress.kubernetes.io/auth-snippet": ` proxy_set_header My-Custom-Header 42;`, } - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -297,15 +291,8 @@ var _ = framework.DescribeAnnotation("auth-*", func() { ginkgo.It(`should not set snippet "proxy_set_header My-Custom-Header 42;" when external auth is not configured`, func() { host := authHost - - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() annotations := map[string]string{ "nginx.ingress.kubernetes.io/auth-snippet": ` diff --git a/test/e2e/annotations/cors.go b/test/e2e/annotations/cors.go index a14a5761f..58f4445f7 100644 --- a/test/e2e/annotations/cors.go +++ b/test/e2e/annotations/cors.go @@ -669,4 +669,33 @@ var _ = framework.DescribeAnnotation("cors-*", func() { Headers(). NotContainsKey("Access-Control-Allow-Origin") }) + + ginkgo.It("should allow - origins with non-http[s] protocols", func() { + host := corsHost + origin := "test://localhost" + origin2 := "tauri://localhost:3000" + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/enable-cors": "true", + "nginx.ingress.kubernetes.io/cors-allow-origin": "test://localhost, tauri://localhost:3000", + } + + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + f.EnsureIngress(ing) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + WithHeader("Origin", origin). + Expect(). + Status(http.StatusOK).Headers(). + ValueEqual("Access-Control-Allow-Origin", []string{"test://localhost"}) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + WithHeader("Origin", origin2). + Expect(). + Status(http.StatusOK).Headers(). + ValueEqual("Access-Control-Allow-Origin", []string{"tauri://localhost:3000"}) + }) }) diff --git a/test/e2e/annotations/fromtowwwredirect.go b/test/e2e/annotations/fromtowwwredirect.go index b69cce93e..a3fb3b9b5 100644 --- a/test/e2e/annotations/fromtowwwredirect.go +++ b/test/e2e/annotations/fromtowwwredirect.go @@ -58,18 +58,12 @@ var _ = framework.DescribeAnnotation("from-to-www-redirect", func() { WithHeader("Host", fmt.Sprintf("%s.%s", "www", host)). Expect(). Status(http.StatusPermanentRedirect). - Header("Location").Equal("http://fromtowwwredirect.bar.com/foo") + Header("Location").Equal("http://fromtowwwredirect.bar.com:80/foo") }) ginkgo.It("should redirect from www HTTPS to HTTPS", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() ginkgo.By("setting up server for redirect from www") @@ -107,7 +101,7 @@ var _ = framework.DescribeAnnotation("from-to-www-redirect", func() { WithHeader("Host", toHost). Expect(). Status(http.StatusPermanentRedirect). - Header("Location").Equal(fmt.Sprintf("https://%v", fromHost)) + Header("Location").Equal(fmt.Sprintf("https://%v:443", fromHost)) ginkgo.By("sending request to domain should not redirect to www") f.HTTPTestClientWithTLSConfig(&tls.Config{ diff --git a/test/e2e/annotations/globalratelimit.go b/test/e2e/annotations/globalratelimit.go deleted file mode 100644 index 96be467fe..000000000 --- a/test/e2e/annotations/globalratelimit.go +++ /dev/null @@ -1,88 +0,0 @@ -/* -Copyright 2020 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package annotations - -import ( - "fmt" - "net/http" - "strings" - - "github.com/onsi/ginkgo/v2" - "github.com/stretchr/testify/assert" - - "k8s.io/ingress-nginx/test/e2e/framework" -) - -var _ = framework.DescribeAnnotation("annotation-global-rate-limit", func() { - f := framework.NewDefaultFramework("global-rate-limit") - host := "global-rate-limit-annotation" - - ginkgo.BeforeEach(func() { - f.NewEchoDeployment() - }) - - ginkgo.It("generates correct configuration", func() { - annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/global-rate-limit"] = "5" - annotations["nginx.ingress.kubernetes.io/global-rate-limit-window"] = "2m" - - // We need to allow { and } characters for this annotation to work - f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "load_module, lua_package, _by_lua, location, root") - // Sleep a while just to guarantee that the configmap is applied - framework.Sleep() - - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - ing = f.EnsureIngress(ing) - namespace := strings.ReplaceAll(string(ing.UID), "-", "") - - serverConfig := "" - f.WaitForNginxServer(host, func(server string) bool { - serverConfig = server - return true - }) - assert.Contains(ginkgo.GinkgoT(), serverConfig, - fmt.Sprintf(`global_throttle = { namespace = "%v", `+ - `limit = 5, window_size = 120, key = { { nil, nil, "remote_addr", nil, }, }, `+ - `ignored_cidrs = { } }`, - namespace)) - - f.HTTPTestClient().GET("/").WithHeader("Host", host).Expect().Status(http.StatusOK) - - ginkgo.By("regenerating the correct configuration after update") - annotations["nginx.ingress.kubernetes.io/global-rate-limit-key"] = "${remote_addr}${http_x_api_client}" - annotations["nginx.ingress.kubernetes.io/global-rate-limit-ignored-cidrs"] = "192.168.1.1, 234.234.234.0/24" - ing.SetAnnotations(annotations) - - f.WaitForReload(func() { - ing = f.UpdateIngress(ing) - }) - - serverConfig = "" - f.WaitForNginxServer(host, func(server string) bool { - serverConfig = server - return true - }) - assert.Contains(ginkgo.GinkgoT(), serverConfig, - fmt.Sprintf(`global_throttle = { namespace = "%v", `+ - `limit = 5, window_size = 120, `+ - `key = { { nil, "remote_addr", nil, nil, }, { nil, "http_x_api_client", nil, nil, }, }, `+ - `ignored_cidrs = { "192.168.1.1", "234.234.234.0/24", } }`, - namespace)) - - f.HTTPTestClient().GET("/").WithHeader("Host", host).Expect().Status(http.StatusOK) - }) -}) diff --git a/test/e2e/annotations/grpc.go b/test/e2e/annotations/grpc.go index 530d16729..2a9c5a983 100644 --- a/test/e2e/annotations/grpc.go +++ b/test/e2e/annotations/grpc.go @@ -193,14 +193,8 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { ginkgo.It("should return OK for service with backend protocol GRPCS", func() { f.NewGRPCBinDeployment() - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := echoHost diff --git a/test/e2e/annotations/modsecurity/modsecurity.go b/test/e2e/annotations/modsecurity/modsecurity.go index a3e7d80ba..730fc76e7 100644 --- a/test/e2e/annotations/modsecurity/modsecurity.go +++ b/test/e2e/annotations/modsecurity/modsecurity.go @@ -100,14 +100,8 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity with snippet", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := modSecurityFooHost nameSpace := f.Namespace @@ -173,14 +167,8 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity with snippet and block requests", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := modSecurityFooHost nameSpace := f.Namespace @@ -212,14 +200,8 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity globally and with modsecurity-snippet block requests", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := modSecurityFooHost nameSpace := f.Namespace @@ -251,16 +233,11 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity when enable-owasp-modsecurity-crs is set to true", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - "enable-modsecurity": "true", - "enable-owasp-modsecurity-crs": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() + + f.UpdateNginxConfigMapData("enable-modsecurity", "true") + f.UpdateNginxConfigMapData("enable-owasp-modsecurity-crs", "true") host := modSecurityFooHost nameSpace := f.Namespace @@ -290,6 +267,8 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity through the config map", func() { + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := modSecurityFooHost nameSpace := f.Namespace @@ -310,17 +289,9 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { f.EnsureIngress(ing) expectedComment := "SecRuleEngine On" - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - "enable-modsecurity": "true", - "enable-owasp-modsecurity-crs": "true", - "modsecurity-snippet": expectedComment, - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + f.UpdateNginxConfigMapData("enable-modsecurity", "true") + f.UpdateNginxConfigMapData("enable-owasp-modsecurity-crs", "true") + f.UpdateNginxConfigMapData("modsecurity-snippet", expectedComment) f.WaitForNginxServer(host, func(server string) bool { @@ -339,6 +310,9 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { host := modSecurityFooHost nameSpace := f.Namespace + f.UpdateNginxConfigMapData("annotations-risk-level", "Critical") // To enable snippet configurations + defer f.UpdateNginxConfigMapData("annotations-risk-level", "High") + snippet := `SecRequestBodyAccess On SecAuditEngine RelevantOnly SecAuditLogParts ABIJDEFHZ @@ -378,14 +352,9 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should disable default modsecurity conf setting when modsecurity-snippet is specified", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() + host := modSecurityFooHost nameSpace := f.Namespace diff --git a/test/e2e/annotations/serversnippet.go b/test/e2e/annotations/serversnippet.go index 1195b728a..c94960a3d 100644 --- a/test/e2e/annotations/serversnippet.go +++ b/test/e2e/annotations/serversnippet.go @@ -33,14 +33,8 @@ var _ = framework.DescribeAnnotation("server-snippet", func() { }) ginkgo.It(`add valid directives to server via server snippet`, func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := "serversnippet.foo.com" annotations := map[string]string{ @@ -68,14 +62,8 @@ var _ = framework.DescribeAnnotation("server-snippet", func() { }) ginkgo.It(`drops server snippet if disabled by the administrator`, func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + f.UpdateNginxConfigMapData("annotations-risk-level", "Critical") // To enable snippet configurations + defer f.UpdateNginxConfigMapData("annotations-risk-level", "High") host := "noserversnippet.foo.com" annotations := map[string]string{ @@ -85,11 +73,6 @@ var _ = framework.DescribeAnnotation("server-snippet", func() { } ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.UpdateNginxConfigMapData("allow-snippet-annotations", "false") - defer func() { - // Return to the original value - f.UpdateNginxConfigMapData("allow-snippet-annotations", "true") - }() // Sleep a while just to guarantee that the configmap is applied framework.Sleep() f.EnsureIngress(ing) diff --git a/test/e2e/annotations/snippet.go b/test/e2e/annotations/snippet.go index 0c6148a4f..9e3160dcc 100644 --- a/test/e2e/annotations/snippet.go +++ b/test/e2e/annotations/snippet.go @@ -33,15 +33,8 @@ var _ = framework.DescribeAnnotation("configuration-snippet", func() { ginkgo.It("set snippet more_set_headers in all locations", func() { host := "configurationsnippet.foo.com" - - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() annotations := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_headers "Foo1: Bar1";`, @@ -71,6 +64,8 @@ var _ = framework.DescribeAnnotation("configuration-snippet", func() { }) ginkgo.It("drops snippet more_set_header in all locations if disabled by admin", func() { + f.UpdateNginxConfigMapData("annotations-risk-level", "Critical") // To enable snippet configurations + defer f.UpdateNginxConfigMapData("annotations-risk-level", "High") host := "noconfigurationsnippet.foo.com" annotations := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_headers "Foo1: Bar1";`, diff --git a/test/e2e/annotations/streamsnippet.go b/test/e2e/annotations/streamsnippet.go index 432537b4a..f91cdc34e 100644 --- a/test/e2e/annotations/streamsnippet.go +++ b/test/e2e/annotations/streamsnippet.go @@ -39,14 +39,8 @@ var _ = framework.DescribeSetting("stream-snippet", func() { }) ginkgo.It("should add value of stream-snippet to nginx config", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := "foo.com" diff --git a/test/e2e/cgroups/cgroups.go b/test/e2e/cgroups/cgroups.go new file mode 100644 index 000000000..eab194324 --- /dev/null +++ b/test/e2e/cgroups/cgroups.go @@ -0,0 +1,115 @@ +/* +Copyright 2020 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package cgroups + +import ( + "log" + "os" + "path/filepath" + + "github.com/onsi/ginkgo/v2" + "github.com/stretchr/testify/assert" + + "k8s.io/ingress-nginx/test/e2e/framework" + + "k8s.io/ingress-nginx/pkg/util/runtime" +) + +var _ = framework.IngressNginxDescribeSerial("[CGroups] cgroups", func() { + f := framework.NewDefaultFramework("cgroups") + + ginkgo.BeforeEach(func() { + f.NewEchoDeployment() + f.NewSlowEchoDeployment() + }) + + ginkgo.It("detects cgroups version v1", func() { + cgroupPath := "/testing/sys/fs/cgroup/" + if err := os.MkdirAll(cgroupPath, os.ModePerm); err != nil { + log.Fatal(err) + } + + quotaFile, err := os.Create(filepath.Join(cgroupPath, "cpu.cfs_quota_us")) + if err != nil { + log.Fatal(err) + } + + periodFile, err := os.Create(filepath.Join(cgroupPath, "cpu.cfs_period_us")) + if err != nil { + log.Fatal(err) + } + + _, err = quotaFile.WriteString("4") + if err != nil { + log.Fatal(err) + } + + err = quotaFile.Sync() + if err != nil { + log.Fatal(err) + } + + _, err = periodFile.WriteString("2") + if err != nil { + log.Fatal(err) + } + + err = periodFile.Sync() + if err != nil { + log.Fatal(err) + } + + assert.Equal(ginkgo.GinkgoT(), runtime.GetCgroupVersion(cgroupPath), int64(1)) + assert.Equal(ginkgo.GinkgoT(), runtime.NumCPUWithCustomPath(cgroupPath), 2) + + os.Remove(filepath.Join(cgroupPath, "cpu.cfs_quota_us")) + os.Remove(filepath.Join(cgroupPath, "cpu.cfs_period_us")) + }) + + ginkgo.It("detect cgroups version v2", func() { + cgroupPath := "/testing/sys/fs/cgroup/" + if err := os.MkdirAll(cgroupPath, os.ModePerm); err != nil { + log.Fatal(err) + } + + _, err := os.Create(filepath.Join(cgroupPath, "cgroup.controllers")) + if err != nil { + log.Fatal(err) + } + + file, err := os.Create(filepath.Join(cgroupPath, "cpu.max")) + if err != nil { + log.Fatal(err) + } + + _, err = file.WriteString("4 2") + if err != nil { + log.Fatal(err) + } + + err = file.Sync() + if err != nil { + log.Fatal(err) + } + + assert.Equal(ginkgo.GinkgoT(), runtime.GetCgroupVersion(cgroupPath), int64(2)) + assert.Equal(ginkgo.GinkgoT(), runtime.NumCPUWithCustomPath(cgroupPath), 2) + + os.Remove(filepath.Join(cgroupPath, "cpu.max")) + os.Remove(filepath.Join(cgroupPath, "cgroup.controllers")) + }) +}) diff --git a/test/e2e/e2e.go b/test/e2e/e2e.go index 9abfe7c2c..9bf005164 100644 --- a/test/e2e/e2e.go +++ b/test/e2e/e2e.go @@ -32,6 +32,7 @@ import ( _ "k8s.io/ingress-nginx/test/e2e/admission" _ "k8s.io/ingress-nginx/test/e2e/annotations" _ "k8s.io/ingress-nginx/test/e2e/annotations/modsecurity" + _ "k8s.io/ingress-nginx/test/e2e/cgroups" _ "k8s.io/ingress-nginx/test/e2e/dbg" _ "k8s.io/ingress-nginx/test/e2e/defaultbackend" _ "k8s.io/ingress-nginx/test/e2e/disableleaderelection" diff --git a/test/e2e/endpointslices/topology.go b/test/e2e/endpointslices/topology.go index 38c5f8b76..70f7ff86b 100644 --- a/test/e2e/endpointslices/topology.go +++ b/test/e2e/endpointslices/topology.go @@ -84,7 +84,7 @@ var _ = framework.IngressNginxDescribeSerial("[TopologyHints] topology aware rou } if gotHints { - // we have 2 replics, if there is just one backend it means that we are routing according slices hints to same zone as controller is + // we have 2 replicas, if there is just one backend it means that we are routing according slices hints to same zone as controller is assert.Equal(ginkgo.GinkgoT(), 1, gotBackends) } else { // two replicas should have two endpoints without topology hints diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go index 08a5353b2..9eaf42565 100644 --- a/test/e2e/framework/deployment.go +++ b/test/e2e/framework/deployment.go @@ -43,7 +43,7 @@ const HTTPBunService = "httpbun" // NipService name of external service using nip.io const NIPService = "external-nip" -// HTTPBunImage is the default image that is used to deploy HTTPBun with the framwork +// HTTPBunImage is the default image that is used to deploy HTTPBun with the framework var HTTPBunImage = os.Getenv("HTTPBUN_IMAGE") // EchoImage is the default image to be used by the echo service diff --git a/test/e2e/framework/exec.go b/test/e2e/framework/exec.go index 580a8f58e..8d528c37a 100644 --- a/test/e2e/framework/exec.go +++ b/test/e2e/framework/exec.go @@ -117,11 +117,7 @@ func (f *Framework) newIngressController(namespace, namespaceOverlay string) err isChroot = "false" } - enableAnnotationValidations, ok := os.LookupEnv("ENABLE_VALIDATIONS") - if !ok { - enableAnnotationValidations = "false" - } - cmd := exec.Command("./wait-for-nginx.sh", namespace, namespaceOverlay, isChroot, enableAnnotationValidations) + cmd := exec.Command("./wait-for-nginx.sh", namespace, namespaceOverlay, isChroot) out, err := cmd.CombinedOutput() if err != nil { return fmt.Errorf("unexpected error waiting for ingress controller deployment: %v.\nLogs:\n%v", err, string(out)) diff --git a/test/e2e/framework/fastcgi_helloserver.go b/test/e2e/framework/fastcgi_helloserver.go index 73f9ef340..804bb7898 100644 --- a/test/e2e/framework/fastcgi_helloserver.go +++ b/test/e2e/framework/fastcgi_helloserver.go @@ -59,7 +59,7 @@ func (f *Framework) NewNewFastCGIHelloServerDeploymentWithReplicas(replicas int3 Containers: []corev1.Container{ { Name: "fastcgi-helloserver", - Image: "registry.k8s.io/ingress-nginx/e2e-test-fastcgi-helloserver@sha256:0e08c836cc58f1ea862578de99b13bc4264fe071e816f96dc1d79857bfba7473", + Image: "registry.k8s.io/ingress-nginx/fastcgi-helloserver:v1.0.2@sha256:dc400fc69d7e0b27dcfe86be29946e19c2a853391305e2790f387267c2e6473e", Env: []corev1.EnvVar{}, Ports: []corev1.ContainerPort{ { diff --git a/test/e2e/framework/framework.go b/test/e2e/framework/framework.go index b71d84baa..204da7df0 100644 --- a/test/e2e/framework/framework.go +++ b/test/e2e/framework/framework.go @@ -16,6 +16,7 @@ package framework import ( "context" "crypto/tls" + "encoding/json" "fmt" "net" "net/http" @@ -100,7 +101,7 @@ func NewDefaultFramework(baseName string, opts ...func(*Framework)) *Framework { } // NewSimpleFramework makes a new framework that allows the usage of a namespace -// for arbitraty tests. +// for arbitrary tests. func NewSimpleFramework(baseName string, opts ...func(*Framework)) *Framework { defer ginkgo.GinkgoRecover() @@ -283,6 +284,15 @@ func (f *Framework) WaitForNginxConfiguration(matcher func(cfg string) bool) { Sleep(1 * time.Second) } +// WaitForLuaConfiguration waits until the nginx configuration contains a particular configuration +// `cfg` passed to matcher is normalized by replacing all tabs and spaces with single space. +func (f *Framework) WaitForLuaConfiguration(matcher func(jsonCfg map[string]interface{}) bool) { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated + err := wait.Poll(Poll, DefaultTimeout, f.matchLuaConditions(matcher)) + assert.Nil(ginkgo.GinkgoT(), err, "waiting for nginx lua configuration condition/s") + Sleep(1 * time.Second) +} + // WaitForNginxCustomConfiguration waits until the nginx configuration given part (from, to) contains a particular configuration func (f *Framework) WaitForNginxCustomConfiguration(from, to string, matcher func(cfg string) bool) { //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated @@ -326,6 +336,29 @@ func (f *Framework) matchNginxConditions(name string, matcher func(cfg string) b } } +func (f *Framework) matchLuaConditions(matcher func(jsonCfg map[string]interface{}) bool) wait.ConditionFunc { + return func() (bool, error) { + cmd := "cat /etc/nginx/lua/cfg.json" + + o, err := f.ExecCommand(f.pod, cmd) + if err != nil { + return false, nil + } + + if klog.V(10).Enabled() && o != "" { + klog.InfoS("Lua", "configuration", o) + } + + luaConfig := make(map[string]interface{}) // Use unstructured so we can walk through JSON + if err := json.Unmarshal([]byte(o), &luaConfig); err != nil { + return false, err + } + + // passes the lua interface to the function + return matcher(luaConfig), nil + } +} + func (f *Framework) matchNginxCustomConditions(from, to string, matcher func(cfg string) bool) wait.ConditionFunc { return func() (bool, error) { cmd := fmt.Sprintf("cat /etc/nginx/nginx.conf| awk '/%v/,/%v/'", from, to) @@ -383,6 +416,20 @@ func (f *Framework) SetNginxConfigMapData(cmData map[string]string) { f.WaitForReload(fn) } +// SetNginxConfigMapData sets ingress-nginx's nginx-ingress-controller configMap data +func (f *Framework) AllowSnippetConfiguration() func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + "annotations-risk-level": "Critical", // To enable snippet configurations + }) + return func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + "annotations-risk-level": "High", + }) + } +} + // CreateConfigMap creates a new configmap in the current namespace func (f *Framework) CreateConfigMap(name string, data map[string]string) { _, err := f.KubeClientSet.CoreV1().ConfigMaps(f.Namespace).Create(context.TODO(), &v1.ConfigMap{ diff --git a/test/e2e/gracefulshutdown/shutdown.go b/test/e2e/gracefulshutdown/shutdown.go index 604143da8..e9883338f 100644 --- a/test/e2e/gracefulshutdown/shutdown.go +++ b/test/e2e/gracefulshutdown/shutdown.go @@ -37,7 +37,7 @@ var _ = framework.IngressNginxDescribe("[Shutdown] ingress controller", func() { f.NewSlowEchoDeployment() }) - ginkgo.It("should shutdown in less than 60 secons without pending connections", func() { + ginkgo.It("should shutdown in less than 60 seconds without pending connections", func() { f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.SlowEchoService, 80, nil)) f.WaitForNginxServer(host, diff --git a/test/e2e/ingress/multiple_rules.go b/test/e2e/ingress/multiple_rules.go index f44b2f8dd..9247dc1d3 100644 --- a/test/e2e/ingress/multiple_rules.go +++ b/test/e2e/ingress/multiple_rules.go @@ -36,14 +36,8 @@ var _ = framework.IngressNginxDescribe("single ingress - multiple hosts", func() }) ginkgo.It("should set the correct $service_name NGINX variable", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() annotations := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "service-name: $service_name";`, diff --git a/test/e2e/ingress/pathtype_exact.go b/test/e2e/ingress/pathtype_exact.go index d0564cbf6..2660e32a4 100644 --- a/test/e2e/ingress/pathtype_exact.go +++ b/test/e2e/ingress/pathtype_exact.go @@ -35,14 +35,8 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] exact", func() { }) ginkgo.It("should choose exact location for /exact", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := "exact.path" diff --git a/test/e2e/ingress/pathtype_mixed.go b/test/e2e/ingress/pathtype_mixed.go index e7bf2532e..3212089c9 100644 --- a/test/e2e/ingress/pathtype_mixed.go +++ b/test/e2e/ingress/pathtype_mixed.go @@ -37,14 +37,8 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] mix Exact and Prefi exactPathType := networking.PathTypeExact ginkgo.It("should choose the correct location", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := "mixed.path" diff --git a/test/e2e/lua/dynamic_configuration.go b/test/e2e/lua/dynamic_configuration.go index 8ec1ef839..a5e2196ce 100644 --- a/test/e2e/lua/dynamic_configuration.go +++ b/test/e2e/lua/dynamic_configuration.go @@ -48,12 +48,7 @@ var _ = framework.IngressNginxDescribe("[Lua] dynamic configuration", func() { ginkgo.It("configures balancer Lua middleware correctly", func() { f.WaitForNginxConfiguration(func(cfg string) bool { - return strings.Contains(cfg, "balancer.init_worker()") && strings.Contains(cfg, "balancer.balance()") - }) - - host := "foo.com" - f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "balancer.rewrite()") && strings.Contains(server, "balancer.log()") + return strings.Contains(cfg, "balancer_by_lua_file /etc/nginx/lua/nginx/ngx_conf_balancer.lua") }) }) diff --git a/test/e2e/metrics/metrics.go b/test/e2e/metrics/metrics.go index 907b53732..bec09bb37 100644 --- a/test/e2e/metrics/metrics.go +++ b/test/e2e/metrics/metrics.go @@ -36,6 +36,7 @@ const waitForMetrics = 2 * time.Second var _ = framework.IngressNginxDescribe("[metrics] exported prometheus metrics", func() { f := framework.NewDefaultFramework("metrics") host := "foo.com" + wildcardHost := "wildcard." + host ginkgo.BeforeEach(func() { f.NewEchoDeployment() @@ -91,4 +92,50 @@ var _ = framework.IngressNginxDescribe("[metrics] exported prometheus metrics", assert.Nil(ginkgo.GinkgoT(), err) assert.NotNil(ginkgo.GinkgoT(), mf) }) + ginkgo.It("request metrics per undefined host are present when flag is set", func() { + err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error { + args := deployment.Spec.Template.Spec.Containers[0].Args + args = append(args, "--metrics-per-undefined-host=true") + deployment.Spec.Template.Spec.Containers[0].Args = args + _, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{}) + return err + }) + assert.Nil(ginkgo.GinkgoT(), err, "updating deployment") + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", wildcardHost). + Expect(). + Status(http.StatusNotFound) + time.Sleep(waitForMetrics) + + ip := f.GetNginxPodIP() + reqMetrics, err := f.GetMetric("nginx_ingress_controller_requests", ip) + assert.Nil(ginkgo.GinkgoT(), err) + assert.NotNil(ginkgo.GinkgoT(), reqMetrics.Metric) + assert.Len(ginkgo.GinkgoT(), reqMetrics.Metric, 1) + + containedLabel := false + for _, label := range reqMetrics.Metric[0].Label { + if *label.Name == "host" && *label.Value == wildcardHost { + containedLabel = true + break + } + } + + assert.Truef(ginkgo.GinkgoT(), containedLabel, "expected reqMetrics to contain label with \"name\"=\"host\" \"value\"=%q, but it did not: %s", wildcardHost, reqMetrics.String()) + }) + ginkgo.It("request metrics per undefined host are not present when flag is not set", func() { + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", wildcardHost). + Expect(). + Status(http.StatusNotFound) + time.Sleep(waitForMetrics) + + ip := f.GetNginxPodIP() + reqMetrics, err := f.GetMetric("nginx_ingress_controller_requests", ip) + assert.EqualError(ginkgo.GinkgoT(), err, "there is no metric with name nginx_ingress_controller_requests") + assert.Nil(ginkgo.GinkgoT(), reqMetrics) + }) }) diff --git a/test/e2e/run-chart-test.sh b/test/e2e/run-chart-test.sh index 106029c77..587dbe98b 100755 --- a/test/e2e/run-chart-test.sh +++ b/test/e2e/run-chart-test.sh @@ -78,7 +78,7 @@ fi if [ "${SKIP_IMAGE_CREATION:-false}" = "false" ]; then if ! command -v ginkgo &> /dev/null; then - go install github.com/onsi/ginkgo/v2/ginkgo@v2.19.1 + go install github.com/onsi/ginkgo/v2/ginkgo@v2.20.2 fi echo "[dev-env] building image" make -C ${DIR}/../../ clean-image build image @@ -91,25 +91,28 @@ echo "[dev-env] copying docker images to cluster..." kind load docker-image --name="${KIND_CLUSTER_NAME}" --nodes=${KIND_WORKERS} ${REGISTRY}/controller:${TAG} if [ "${SKIP_CERT_MANAGER_CREATION:-false}" = "false" ]; then - curl -fsSL -o cmctl.tar.gz https://github.com/cert-manager/cert-manager/releases/download/v1.11.1/cmctl-linux-amd64.tar.gz - tar xzf cmctl.tar.gz - chmod +x cmctl - ./cmctl help - echo "[dev-env] apply cert-manager ..." - kubectl apply --wait -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml - kubectl wait --timeout=30s --for=condition=available deployment/cert-manager -n cert-manager - kubectl get validatingwebhookconfigurations cert-manager-webhook -ojson | jq '.webhooks[].clientConfig' - kubectl get endpoints -n cert-manager cert-manager-webhook - ./cmctl check api --wait=2m + echo "[dev-env] deploying cert-manager..." + + # Get OS & platform for downloading cmctl. + os="$(uname -o | tr "[:upper:]" "[:lower:]" | sed "s/gnu\///")" + platform="$(uname -m | sed "s/aarch64/arm64/;s/x86_64/amd64/")" + + # Download cmctl. Cannot validate checksum as OS & platform may vary. + curl --fail --location "https://github.com/cert-manager/cmctl/releases/download/v2.1.1/cmctl_${os}_${platform}.tar.gz" | tar --extract --gzip cmctl + + # Install cert-manager. + ./cmctl x install + ./cmctl check api --wait 1m fi echo "[dev-env] running helm chart e2e tests..." -docker run --rm --interactive --network host \ - --name ct \ - --volume $KUBECONFIG:/root/.kube/config \ - --volume "${DIR}/../../":/workdir \ - --workdir /workdir \ - registry.k8s.io/ingress-nginx/e2e-test-runner:v20240729-04899b27@sha256:9f067e6c861343da47f5851bf255aecdeb33a61fc5991a6c659fb237a3f619f9 \ - ct install \ - --charts charts/ingress-nginx \ - --helm-extra-args "--timeout 60s" +docker run \ + --name ct \ + --volume "${KUBECONFIG}:/root/.kube/config:ro" \ + --volume "${DIR}/../../:/workdir" \ + --network host \ + --workdir /workdir \ + --entrypoint ct \ + --rm \ + registry.k8s.io/ingress-nginx/e2e-test-runner:v20241004-114a6abb@sha256:1389ec0589abbf5c431c9290c4c307437c8396995c63dda5eac26abd70963dc8 \ + install --charts charts/ingress-nginx diff --git a/test/e2e/run-e2e-suite.sh b/test/e2e/run-e2e-suite.sh index 9333ee61f..909368e96 100755 --- a/test/e2e/run-e2e-suite.sh +++ b/test/e2e/run-e2e-suite.sh @@ -78,7 +78,6 @@ kubectl run --rm \ --env="E2E_NODES=${E2E_NODES}" \ --env="FOCUS=${FOCUS}" \ --env="IS_CHROOT=${IS_CHROOT:-false}"\ - --env="ENABLE_VALIDATIONS=${ENABLE_VALIDATIONS:-false}"\ --env="SKIP_OPENTELEMETRY_TESTS=${SKIP_OPENTELEMETRY_TESTS:-false}"\ --env="E2E_CHECK_LEAKS=${E2E_CHECK_LEAKS}" \ --env="NGINX_BASE_IMAGE=${NGINX_BASE_IMAGE}" \ diff --git a/test/e2e/run-kind-e2e.sh b/test/e2e/run-kind-e2e.sh index 9ef6f5acd..c2242e6f1 100755 --- a/test/e2e/run-kind-e2e.sh +++ b/test/e2e/run-kind-e2e.sh @@ -39,7 +39,6 @@ fi KIND_LOG_LEVEL="1" IS_CHROOT="${IS_CHROOT:-false}" -ENABLE_VALIDATIONS="${ENABLE_VALIDATIONS:-false}" export KIND_CLUSTER_NAME=${KIND_CLUSTER_NAME:-ingress-nginx-dev} DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" # Use 1.0.0-dev to make sure we use the latest configuration in the helm template @@ -96,7 +95,7 @@ fi if [ "${SKIP_E2E_IMAGE_CREATION}" = "false" ]; then if ! command -v ginkgo &> /dev/null; then - go install github.com/onsi/ginkgo/v2/ginkgo@v2.19.1 + go install github.com/onsi/ginkgo/v2/ginkgo@v2.20.2 fi echo "[dev-env] .. done building controller images" diff --git a/test/e2e/settings/badannotationvalues.go b/test/e2e/settings/badannotationvalues.go index f61b5bada..aa9906909 100644 --- a/test/e2e/settings/badannotationvalues.go +++ b/test/e2e/settings/badannotationvalues.go @@ -34,14 +34,8 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { }) ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := "invalid-value-test" annotations := map[string]string{ @@ -50,7 +44,6 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { } ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.UpdateNginxConfigMapData("allow-snippet-annotations", "true") f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "something_forbidden,otherthing_forbidden,{") f.EnsureIngress(ing) @@ -73,14 +66,8 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { }) ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := "forbidden-value-test" @@ -93,7 +80,6 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { } ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.UpdateNginxConfigMapData("allow-snippet-annotations", "true") f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "something_forbidden,otherthing_forbidden,content_by_lua_block") // Sleep a while just to guarantee that the configmap is applied framework.Sleep() @@ -117,14 +103,9 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { }) ginkgo.It("[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() + hostValid := "custom-allowed-value-test" annotationsValid := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": ` @@ -155,14 +136,8 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { }) ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := "custom-forbidden-value-test" annotations := map[string]string{ diff --git a/test/e2e/settings/geoip2.go b/test/e2e/settings/geoip2.go index 064863734..9c6d59dc5 100644 --- a/test/e2e/settings/geoip2.go +++ b/test/e2e/settings/geoip2.go @@ -69,15 +69,9 @@ var _ = framework.DescribeSetting("Geoip2", func() { ginkgo.It("should only allow requests from specific countries", func() { ginkgo.Skip("GeoIP test are temporarily disabled") - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - "use-geoip2": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() + f.UpdateNginxConfigMapData("use-geoip2", "true") httpSnippetAllowingOnlyAustralia := `map $geoip2_city_country_code $blocked_country { default 1; diff --git a/test/e2e/settings/global_external_auth.go b/test/e2e/settings/global_external_auth.go index 741e6f955..f589a63e9 100644 --- a/test/e2e/settings/global_external_auth.go +++ b/test/e2e/settings/global_external_auth.go @@ -32,8 +32,8 @@ import ( ) const ( - disable = "false" - noAuthLocaltionSetting = "no-auth-locations" + disable = "false" + noAuthLocationSetting = "no-auth-locations" ) var _ = framework.DescribeSetting("[Security] global-auth-url", func() { @@ -51,7 +51,7 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { fooPath := "/foo" barPath := "/bar" - noAuthSetting := noAuthLocaltionSetting + noAuthSetting := noAuthLocationSetting noAuthLocations := barPath enableGlobalExternalAuthAnnotation := "nginx.ingress.kubernetes.io/enable-global-auth" diff --git a/test/e2e/settings/globalratelimit.go b/test/e2e/settings/globalratelimit.go deleted file mode 100644 index e266350ad..000000000 --- a/test/e2e/settings/globalratelimit.go +++ /dev/null @@ -1,96 +0,0 @@ -/* -Copyright 2020 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package settings - -import ( - "fmt" - "net/http" - "strconv" - "strings" - - "github.com/onsi/ginkgo/v2" - "github.com/stretchr/testify/assert" - "k8s.io/ingress-nginx/test/e2e/framework" -) - -var _ = framework.DescribeSetting("settings-global-rate-limit", func() { - f := framework.NewDefaultFramework("global-rate-limit") - host := "global-rate-limit" - - ginkgo.BeforeEach(func() { - f.NewEchoDeployment() - }) - - ginkgo.It("generates correct NGINX configuration", func() { - annotations := make(map[string]string) - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) - - ginkgo.By("generating correct defaults") - - ngxCfg := "" - f.WaitForNginxConfiguration(func(cfg string) bool { - if strings.Contains(cfg, "global_throttle") { - ngxCfg = cfg - return true - } - return false - }) - - assert.Contains(ginkgo.GinkgoT(), ngxCfg, fmt.Sprintf(`global_throttle = { `+ - `memcached = { host = "%v", port = %d, connect_timeout = %d, max_idle_timeout = %d, `+ - `pool_size = %d, }, status_code = %d, }`, - "", 11211, 50, 10000, 50, 429)) - - f.HTTPTestClient().GET("/").WithHeader("Host", host).Expect().Status(http.StatusOK) - - ginkgo.By("applying customizations") - - memcachedHost := "memc.default.svc.cluster.local" - memcachedPort := 11211 - memcachedConnectTimeout := 100 - memcachedMaxIdleTimeout := 5000 - memcachedPoolSize := 100 - statusCode := 503 - - f.SetNginxConfigMapData(map[string]string{ - "global-rate-limit-memcached-host": memcachedHost, - "global-rate-limit-memcached-port": strconv.Itoa(memcachedPort), - "global-rate-limit-memcached-connect-timeout": strconv.Itoa(memcachedConnectTimeout), - "global-rate-limit-memcached-max-idle-timeout": strconv.Itoa(memcachedMaxIdleTimeout), - "global-rate-limit-memcached-pool-size": strconv.Itoa(memcachedPoolSize), - "global-rate-limit-status-code": strconv.Itoa(statusCode), - }) - - ngxCfg = "" - f.WaitForNginxConfiguration(func(cfg string) bool { - if strings.Contains(cfg, "global_throttle") { - ngxCfg = cfg - return true - } - return false - }) - - assert.Contains(ginkgo.GinkgoT(), ngxCfg, fmt.Sprintf(`global_throttle = { `+ - `memcached = { host = "%v", port = %d, connect_timeout = %d, max_idle_timeout = %d, `+ - `pool_size = %d, }, status_code = %d, }`, - memcachedHost, memcachedPort, memcachedConnectTimeout, memcachedMaxIdleTimeout, - memcachedPoolSize, statusCode)) - - f.HTTPTestClient().GET("/").WithHeader("Host", host).Expect().Status(http.StatusOK) - }) -}) diff --git a/test/e2e/settings/no_tls_redirect_locations.go b/test/e2e/settings/no_tls_redirect_locations.go index 8339eb23e..18fd09e26 100644 --- a/test/e2e/settings/no_tls_redirect_locations.go +++ b/test/e2e/settings/no_tls_redirect_locations.go @@ -33,7 +33,7 @@ var _ = framework.DescribeSetting("Add no tls redirect locations", func() { f.EnsureIngress(ing) f.WaitForNginxConfiguration(func(server string) bool { - return !strings.Contains(server, "force_no_ssl_redirect = true,") + return strings.Contains(server, "set $force_no_ssl_redirect \"false\"") }) wlKey := "no-tls-redirect-locations" @@ -42,7 +42,7 @@ var _ = framework.DescribeSetting("Add no tls redirect locations", func() { f.UpdateNginxConfigMapData(wlKey, wlValue) f.WaitForNginxConfiguration(func(server string) bool { - return strings.Contains(server, "force_no_ssl_redirect = true,") + return strings.Contains(server, "set $force_no_ssl_redirect \"true\"") }) }) }) diff --git a/test/e2e/settings/ocsp/ocsp.go b/test/e2e/settings/ocsp/ocsp.go index 21cda3008..a53b90b80 100644 --- a/test/e2e/settings/ocsp/ocsp.go +++ b/test/e2e/settings/ocsp/ocsp.go @@ -34,6 +34,7 @@ import ( appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/ingress-nginx/test/e2e/framework" @@ -107,8 +108,9 @@ var _ = framework.DescribeSetting("OCSP", func() { err = framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, "ocspserve", f.Namespace, 1) assert.Nil(ginkgo.GinkgoT(), err, "waiting for endpoints to become ready") - f.WaitForNginxConfiguration(func(cfg string) bool { - return strings.Contains(cfg, "certificate.is_ocsp_stapling_enabled = true") + f.WaitForLuaConfiguration(func(jsonCfg map[string]interface{}) bool { + val, ok, err := unstructured.NestedBool(jsonCfg, "enable_ocsp") + return err == nil && ok && val }) f.WaitForNginxServer(host, @@ -295,7 +297,7 @@ func ocspserveDeployment(namespace string) (*appsv1.Deployment, *corev1.Service) Containers: []corev1.Container{ { Name: name, - Image: "registry.k8s.io/ingress-nginx/e2e-test-cfssl@sha256:48869cf72b0ceb1d8c82029f85961e423daf3ff8a04f4a455150000f90a90606", + Image: "registry.k8s.io/ingress-nginx/cfssl:v1.0.1@sha256:12425bab3f5e41ed20b850fd1e3737a48474f9ad48363efb116243a853db754a", Command: []string{ "/bin/bash", "-c", diff --git a/test/e2e/settings/plugins.go b/test/e2e/settings/plugins.go deleted file mode 100644 index 659acd42c..000000000 --- a/test/e2e/settings/plugins.go +++ /dev/null @@ -1,55 +0,0 @@ -/* -Copyright 2020 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package settings - -import ( - "fmt" - "net/http" - "strings" - - "github.com/onsi/ginkgo/v2" - "k8s.io/ingress-nginx/test/e2e/framework" -) - -var _ = framework.IngressNginxDescribe("plugins", func() { - f := framework.NewDefaultFramework("plugins") - - ginkgo.BeforeEach(func() { - f.NewEchoDeployment() - }) - - ginkgo.It("should exist a x-hello-world header", func() { - f.UpdateNginxConfigMapData("plugins", "hello_world, invalid") - - host := "example.com" - f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)) - - f.WaitForNginxConfiguration( - func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %v", host)) && - strings.Contains(server, `plugins.init({ "hello_world","invalid" })`) - }) - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("User-Agent", "hello"). - Expect(). - Status(http.StatusOK). - Body().Contains("x-hello-world=1") - }) -}) diff --git a/test/e2e/settings/proxy_host.go b/test/e2e/settings/proxy_host.go index 35aafc53d..bb5dc9c01 100644 --- a/test/e2e/settings/proxy_host.go +++ b/test/e2e/settings/proxy_host.go @@ -34,14 +34,9 @@ var _ = framework.IngressNginxDescribe("Dynamic $proxy_host", func() { }) ginkgo.It("should exist a proxy_host", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() + upstreamName := fmt.Sprintf("%v-%v-80", f.Namespace, framework.EchoService) annotations := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_headers "Custom-Header: $proxy_host"`, @@ -63,14 +58,8 @@ var _ = framework.IngressNginxDescribe("Dynamic $proxy_host", func() { }) ginkgo.It("should exist a proxy_host using the upstream-vhost annotation value", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() upstreamName := fmt.Sprintf("%v-%v-80", f.Namespace, framework.EchoService) upstreamVHost := "different.host" diff --git a/test/e2e/settings/server_snippet.go b/test/e2e/settings/server_snippet.go index 8ddf10fd9..1e2084bd8 100644 --- a/test/e2e/settings/server_snippet.go +++ b/test/e2e/settings/server_snippet.go @@ -38,6 +38,7 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() { f.SetNginxConfigMapData(map[string]string{ "allow-snippet-annotations": "true", + "annotations-risk-level": "Critical", "server-snippet": ` more_set_headers "Globalfoo: Foooo";`, }) @@ -45,6 +46,7 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() { defer func() { f.SetNginxConfigMapData(map[string]string{ "allow-snippet-annotations": "false", + "annotations-risk-level": "High", }) }() annotations := map[string]string{ @@ -101,6 +103,7 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() { f.SetNginxConfigMapData(map[string]string{ "allow-snippet-annotations": "false", + "annotations-risk-level": "Critical", // To allow Configuration Snippet "server-snippet": ` more_set_headers "Globalfoo: Foooo";`, }) @@ -108,6 +111,7 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() { defer func() { f.SetNginxConfigMapData(map[string]string{ "allow-snippet-annotations": "false", + "annotations-risk-level": "High", }) }() annotations := map[string]string{ diff --git a/test/e2e/settings/tls.go b/test/e2e/settings/tls.go index 51f760df8..1ebf358c1 100644 --- a/test/e2e/settings/tls.go +++ b/test/e2e/settings/tls.go @@ -25,10 +25,11 @@ import ( "github.com/onsi/ginkgo/v2" "github.com/stretchr/testify/assert" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/ingress-nginx/test/e2e/framework" ) -var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", func() { +var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers", func() { f := framework.NewDefaultFramework("settings-tls") host := "settings-tls" @@ -109,8 +110,9 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f ginkgo.It("setting max-age parameter", func() { f.UpdateNginxConfigMapData(hstsMaxAge, "86400") - f.WaitForNginxConfiguration(func(server string) bool { - return strings.Contains(server, `hsts_max_age = 86400,`) + f.WaitForLuaConfiguration(func(jsonCfg map[string]interface{}) bool { + val, ok, err := unstructured.NestedString(jsonCfg, "hsts_max_age") + return err == nil && ok && val == "86400" }) f.HTTPTestClientWithTLSConfig(tlsConfig). @@ -128,8 +130,9 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f hstsIncludeSubdomains: "false", }) - f.WaitForNginxConfiguration(func(server string) bool { - return strings.Contains(server, `hsts_include_subdomains = false,`) + f.WaitForLuaConfiguration(func(jsonCfg map[string]interface{}) bool { + val, ok, err := unstructured.NestedBool(jsonCfg, "hsts_include_subdomains") + return err == nil && ok && !val }) f.HTTPTestClientWithTLSConfig(tlsConfig). @@ -148,8 +151,9 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f hstsIncludeSubdomains: "false", }) - f.WaitForNginxConfiguration(func(server string) bool { - return strings.Contains(server, `hsts_preload = true,`) + f.WaitForLuaConfiguration(func(jsonCfg map[string]interface{}) bool { + val, ok, err := unstructured.NestedBool(jsonCfg, "hsts_preload") + return err == nil && ok && val }) f.HTTPTestClientWithTLSConfig(tlsConfig). diff --git a/test/e2e/settings/validations/validations.go b/test/e2e/settings/validations/validations.go index ac95a453a..881de39b4 100644 --- a/test/e2e/settings/validations/validations.go +++ b/test/e2e/settings/validations/validations.go @@ -48,8 +48,8 @@ var _ = framework.IngressNginxDescribeSerial("annotation validations", func() { framework.Sleep() annotations := map[string]string{ - "nginx.ingress.kubernetes.io/default-backend": "default/bla", // low risk - "nginx.ingress.kubernetes.io/denylist-source-range": "1.1.1.1/32", // medium risk + "nginx.ingress.kubernetes.io/default-backend": "bla", // low risk + "nginx.ingress.kubernetes.io/denylist-source-range": "1.1.1.1/32", // medium risk } ginkgo.By("allow ingress with low/medium risk annotations") @@ -82,8 +82,8 @@ var _ = framework.IngressNginxDescribeSerial("annotation validations", func() { framework.Sleep() annotations := map[string]string{ - "nginx.ingress.kubernetes.io/default-backend": "default/bla", // low risk - "nginx.ingress.kubernetes.io/denylist-source-range": "1.1.1.1/32", // medium risk + "nginx.ingress.kubernetes.io/default-backend": "bla", // low risk + "nginx.ingress.kubernetes.io/denylist-source-range": "1.1.1.1/32", // medium risk } ginkgo.By("allow ingress with low/medium risk annotations") diff --git a/test/e2e/wait-for-nginx.sh b/test/e2e/wait-for-nginx.sh index ac0584962..73023aba1 100755 --- a/test/e2e/wait-for-nginx.sh +++ b/test/e2e/wait-for-nginx.sh @@ -24,7 +24,6 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" export NAMESPACE=$1 export NAMESPACE_OVERLAY=$2 export IS_CHROOT=$3 -export ENABLE_VALIDATIONS=$4 echo "deploying NGINX Ingress controller in namespace $NAMESPACE" @@ -59,7 +58,6 @@ else # TODO: remove the need to use fullnameOverride fullnameOverride: nginx-ingress controller: - enableAnnotationValidations: ${ENABLE_VALIDATIONS} image: repository: ingress-controller/controller chroot: ${IS_CHROOT} diff --git a/test/k6/loadtest.js b/test/k6/loadtest.js index 2396948fc..51801765e 100644 --- a/test/k6/loadtest.js +++ b/test/k6/loadtest.js @@ -1,6 +1,6 @@ // This is a loadtest under development // Test here is spec'd to have 100virtual-users -// Other specs currently similar to smoktest +// Other specs currently similar to smoketest // But loadtest needs testplan that likely uses auth & data-transfer import http from 'k6/http'; @@ -35,7 +35,7 @@ export default function () { const req3 = { params: { headers: { - 'Content-Type': 'application/x-www-form-urlencoded' + 'Content-Type': 'application/x-www-form-urlencoded' }, }, method: 'POST', diff --git a/test/k6/smoketest.js b/test/k6/smoketest.js index 8fe9e950a..12691b63a 100644 --- a/test/k6/smoketest.js +++ b/test/k6/smoketest.js @@ -1,4 +1,4 @@ -// smotest.js edited after copy/pasting from https://k6.io docs +// smoketest.js edited after copy/pasting from https://k6.io docs // Using this like loadtest because of limited cpu/memory/other import http from 'k6/http'; @@ -22,7 +22,7 @@ export const options = { }; export default function () { - // docs of k6 say this is how to adds host header + // docs of k6 say this is how to add host header // needed as ingress is created with this host value const params = { headers: {'host': 'test.ingress-nginx-controller.ga'}, @@ -39,7 +39,7 @@ export default function () { const req3 = { params: { headers: { - 'Content-Type': 'application/json' + 'Content-Type': 'application/json' }, }, method: 'POST', diff --git a/test/test-lua.sh b/test/test-lua.sh index fc60023f8..e7ee5843e 100755 --- a/test/test-lua.sh +++ b/test/test-lua.sh @@ -36,12 +36,11 @@ SHDICT_ARGS=( "--shdict" "high_throughput_tracker 1M" "--shdict" "balancer_ewma_last_touched_at 1M" "--shdict" "balancer_ewma_locks 512k" - "--shdict" "global_throttle_cache 5M" "./rootfs/etc/nginx/lua/test/run.lua" ) if [ $# -eq 0 ]; then - resty "${SHDICT_ARGS[@]}" ./rootfs/etc/nginx/lua/test/ ./rootfs/etc/nginx/lua/plugins/**/test ${BUSTED_ARGS} + resty "${SHDICT_ARGS[@]}" ./rootfs/etc/nginx/lua/test/ ${BUSTED_ARGS} else resty "${SHDICT_ARGS[@]}" $@ ${BUSTED_ARGS} fi