DevFW-CICD/ingress-nginx-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'main' into fix/ipallowlist-validate

Browse source
This commit is contained in:
James Strong 2025-01-13 11:15:52 -05:00 committed by GitHub
commit f1360bc955
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
314 changed files with 3958 additions and 6899 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.github/ISSUE_TEMPLATE/bug_report.md vendored
View file

@ -37,7 +37,7 @@ This questions are the first thing we need to know to understand the context.
<!-- What do you think went wrong? -->
**NGINX Ingress controller version** (exec into the pod and run nginx-ingress-controller --version.):
**NGINX Ingress controller version** (exec into the pod and run `/nginx-ingress-controller --version`):
<!--
POD_NAMESPACE=ingress-nginx
POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/name=ingress-nginx --field-selector=status.phase=Running -o jsonpath='{.items[0].metadata.name}')

1
.github/ISSUE_TEMPLATE/cve_report.md vendored
View file

@ -5,7 +5,6 @@ title: ''
labels: kind/bug
assignees:
- Gacko
- rikatz
- strongjz
---

54
.github/dependabot.yml vendored
View file

@ -1,33 +1,7 @@
---
version: 2
updates:
- package-ecosystem: "gomod"
directory: "/"
schedule:
interval: "weekly"
labels:
- "area/dependency"
- "release-note-none"
- "ok-to-test"
groups:
all:
update-types:
- "patch"
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
labels:
- "area/dependency"
- "release-note-none"
- "ok-to-test"
groups:
all:
update-types:
- "minor"
- "patch"
- package-ecosystem: "docker"
directory: "/images"
schedule:
interval: "weekly"
labels:
@ -39,3 +13,31 @@ updates:
update-types:
- "minor"
- "patch"
- package-ecosystem: "docker"
directories:
- "**/rootfs"
schedule:
interval: "weekly"
labels:
- "area/dependency"
- "release-note-none"
- "ok-to-test"
groups:
docker:
update-types:
- "minor"
- "patch"
- package-ecosystem: "gomod"
directories:
- "/"
- "**/rootfs"
schedule:
interval: "weekly"
labels:
- "area/dependency"
- "release-note-none"
- "ok-to-test"
groups:
go:
update-types:
- "patch"

64
.github/workflows/chart.yaml vendored Normal file
View file

@ -0,0 +1,64 @@
name: Chart
on:
push:
branches:
- main
- release-*
paths:
- charts/ingress-nginx/Chart.yaml
workflow_dispatch:
permissions:
contents: read
jobs:
release:
name: Release
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Set up Python
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: 3.x
- name: Set up Helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
- name: Set up Helm Chart Testing
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
- name: Set up Artifact Hub
run: |
curl --fail --location https://github.com/artifacthub/hub/releases/download/v1.19.0/ah_1.19.0_linux_amd64.tar.gz --output /tmp/ah.tar.gz
echo "0e430493521ce387ca04d79b26646a86f92886dbcceb44985bb71082a9530ca5 /tmp/ah.tar.gz" | shasum --check
sudo tar --extract --file /tmp/ah.tar.gz --directory /usr/local/bin ah
- name: Set up Git
run: |
git config --global user.name "${GITHUB_ACTOR}"
git config --global user.email "${GITHUB_ACTOR}@users.noreply.github.com"
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Lint chart
run: |
ct lint --config .ct.yaml
ah lint --path charts/ingress-nginx
- name: Release chart
uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
env:
CR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CR_RELEASE_NAME_TEMPLATE: helm-chart-{{ .Version }}
CR_SKIP_EXISTING: true
with:
charts_dir: charts

152
.github/workflows/ci.yaml vendored
View file

@ -9,7 +9,7 @@ on:
- 'deploy/**'
- '**.md'
- 'images/**' # Images changes should be tested on their own workflow
- '!images/nginx-1.25/**'
- '!images/nginx/**'
push:
branches:
@ -47,7 +47,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: filter
@ -68,7 +68,7 @@ jobs:
- 'NGINX_BASE'
baseimage:
- 'NGINX_BASE'
- 'images/nginx-1.25/**'
- 'images/nginx/**'
docs:
- '**/*.md'
lua:
@ -81,7 +81,7 @@ jobs:
(needs.changes.outputs.lua == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Lint Lua
uses: lunarmodules/luacheck@v1
@ -95,14 +95,14 @@ jobs:
(needs.changes.outputs.go == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Get go version
run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
- name: Set up Go
id: go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version: ${{ env.GOLANG_VERSION }}
check-latest: true
@ -119,12 +119,12 @@ jobs:
(needs.changes.outputs.go == 'true') || (needs.changes.outputs.docs == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Get go version
run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
- name: Set up Go
id: go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version: ${{ env.GOLANG_VERSION }}
check-latest: true
@ -144,7 +144,7 @@ jobs:
PLATFORMS: linux/amd64
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Get go version
id: golangversion
@ -153,17 +153,17 @@ jobs:
- name: Set up Go
id: go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version: ${{ steps.golangversion.outputs.version }}
check-latest: true
- name: Set up QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
with:
version: latest
@ -180,8 +180,8 @@ jobs:
if: |
needs.changes.outputs.baseimage == 'true'
run: |
export TAG=$(cat images/nginx-1.25/TAG)
cd images/nginx-1.25/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --load -t registry.k8s.io/ingress-nginx/nginx-1.25:${TAG} .
export TAG=$(cat images/nginx/TAG)
cd images/nginx/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --load -t registry.k8s.io/ingress-nginx/nginx:${TAG} .
- name: Build images
env:
@ -190,8 +190,8 @@ jobs:
REGISTRY: ingress-controller
run: |
echo "building images..."
export TAGNGINX=$(cat images/nginx-1.25/TAG)
make BASE_IMAGE=registry.k8s.io/ingress-nginx/nginx-1.25:${TAGNGINX} clean-image build image image-chroot
export TAGNGINX=$(cat images/nginx/TAG)
make BASE_IMAGE=registry.k8s.io/ingress-nginx/nginx:${TAGNGINX} clean-image build image image-chroot
make -C test/e2e-image image
echo "creating images cache..."
@ -202,118 +202,94 @@ jobs:
| gzip > docker.tar.gz
- name: cache
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: docker.tar.gz
path: docker.tar.gz
retention-days: 5
helm-lint:
name: Helm chart lint
chart-lint:
name: Chart / Lint
runs-on: ubuntu-latest
needs:
- changes
if: |
(needs.changes.outputs.charts == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
if: fromJSON(needs.changes.outputs.charts) || fromJSON(needs.changes.outputs.baseimage) || fromJSON(github.event.workflow_dispatch.run_e2e)
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Set up Python
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
fetch-depth: 0
python-version: 3.x
- name: Set up Helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
- uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
with:
python-version: '3.x'
- name: Set up chart-testing
- name: Set up Helm Chart Testing
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
- name: Install Helm Unit Test Plugin
- name: Set up Artifact Hub
run: |
helm plugin install https://github.com/helm-unittest/helm-unittest
curl --fail --location https://github.com/artifacthub/hub/releases/download/v1.19.0/ah_1.19.0_linux_amd64.tar.gz --output /tmp/ah.tar.gz
echo "0e430493521ce387ca04d79b26646a86f92886dbcceb44985bb71082a9530ca5 /tmp/ah.tar.gz" | shasum --check
sudo tar --extract --file /tmp/ah.tar.gz --directory /usr/local/bin ah
- name: Run Helm Unit Tests
- name: Set up Helm Docs
uses: gabe565/setup-helm-docs-action@d5c35bdc9133cfbea3b671acadf50a29029e87c2 # v1.0.4
- name: Set up Helm Unit Test
run: helm plugin install https://github.com/helm-unittest/helm-unittest
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Lint chart
run: |
helm unittest charts/ingress-nginx -d
ct lint --config .ct.yaml
ah lint --path charts/ingress-nginx
- name: Run chart-testing (lint)
run: ct lint --config ./.ct.yaml
- name: Run helm-docs
- name: Check docs
run: |
GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.11.0
./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts
DIFF=$(git diff ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md)
if [ ! -z "$DIFF" ]; then
echo "Please use helm-docs in your clone, of your fork, of the project, and commit a updated README.md for the chart. https://github.com/kubernetes/ingress-nginx/blob/main/RELEASE.md#d-edit-the-valuesyaml-and-run-helm-docs"
fi
git diff --exit-code
rm -f ./helm-docs
helm-docs --chart-search-root charts
git diff --exit-code charts/ingress-nginx/README.md
- name: Run Artifact Hub lint
run: |
wget https://github.com/artifacthub/hub/releases/download/v1.5.0/ah_1.5.0_linux_amd64.tar.gz
echo 'ad0e44c6ea058ab6b85dbf582e88bad9fdbc64ded0d1dd4edbac65133e5c87da *ah_1.5.0_linux_amd64.tar.gz' | shasum -c
tar -xzvf ah_1.5.0_linux_amd64.tar.gz ah
./ah lint -p charts/ingress-nginx || exit 1
rm -f ./ah ./ah_1.5.0_linux_amd64.tar.gz
- name: Run tests
run: helm unittest charts/ingress-nginx --file "tests/**/*_test.yaml"
helm-test:
name: Helm chart testing
chart-test:
name: Chart / Test
runs-on: ubuntu-latest
needs:
- changes
- build
- helm-lint
if: |
(needs.changes.outputs.charts == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
- chart-lint
if: fromJSON(needs.changes.outputs.charts) || fromJSON(needs.changes.outputs.baseimage) || fromJSON(github.event.workflow_dispatch.run_e2e)
strategy:
matrix:
k8s: [v1.28.13, v1.29.8, v1.30.4, v1.31.0]
k8s: [v1.28.15, v1.29.12, v1.30.8, v1.31.4, v1.32.0]
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: ${{ needs.build.outputs.golangversion }}
check-latest: true
- name: cache
- name: Download cache
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: docker.tar.gz
- name: fix permissions
run: |
sudo mkdir -p $HOME/.kube
sudo chmod -R 777 $HOME/.kube
- name: Load cache
run: gzip --decompress --stdout docker.tar.gz | docker load
- name: Create Kubernetes ${{ matrix.k8s }} cluster
id: kind
run: |
kind create cluster --image=kindest/node:${{ matrix.k8s }}
- name: Load images from cache
run: |
echo "loading docker images..."
gzip -dc docker.tar.gz | docker load
- name: Test
- name: Run tests
env:
KIND_CLUSTER_NAME: kind
SKIP_CLUSTER_CREATION: true
K8S_VERSION: ${{ matrix.k8s }}
SKIP_IMAGE_CREATION: true
SKIP_INGRESS_IMAGE_CREATION: true
run: |
kind get kubeconfig > $HOME/.kube/kind-config-kind
sudo mkdir -pm 777 "${HOME}/.kube"
make kind-e2e-chart-tests
kubernetes:
@ -325,7 +301,7 @@ jobs:
(needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
strategy:
matrix:
k8s: [v1.28.13, v1.29.8, v1.30.4, v1.31.0]
k8s: [v1.28.15, v1.29.12, v1.30.8, v1.31.4, v1.32.0]
uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml
with:
k8s-version: ${{ matrix.k8s }}
@ -339,7 +315,7 @@ jobs:
(needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
strategy:
matrix:
k8s: [v1.28.13, v1.29.8, v1.30.4, v1.31.0]
k8s: [v1.28.15, v1.29.12, v1.30.8, v1.31.4, v1.32.0]
uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml
with:
k8s-version: ${{ matrix.k8s }}

4
.github/workflows/depreview.yaml vendored
View file

@ -9,6 +9,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: 'Dependency Review'
uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0

4
.github/workflows/docs.yaml vendored
View file

@ -23,7 +23,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: filter
@ -47,7 +47,7 @@ jobs:
steps:
- name: Checkout master
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Deploy
uses: ./.github/actions/mkdocs

9
.github/workflows/golangci-lint.yml vendored
View file

@ -15,19 +15,20 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Get go version
run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
- name: Set up Go
id: go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version: ${{ env.GOLANG_VERSION }}
check-latest: true
- name: golangci-lint
uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
with:
version: v1.56
version: v1.62
only-new-issues: true

88
.github/workflows/helm.yaml vendored
View file

@ -1,88 +0,0 @@
name: Helm
on:
push:
branches:
- main
- release-*
workflow_dispatch:
permissions:
contents: read
jobs:
changes:
runs-on: ubuntu-latest
permissions:
contents: read # for dorny/paths-filter to fetch a list of changed files
if: github.repository == 'kubernetes/ingress-nginx'
outputs:
docs: ${{ steps.filter.outputs.docs }}
charts: ${{ steps.filter.outputs.charts }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Run Artifact Hub lint
run: |
wget https://github.com/artifacthub/hub/releases/download/v1.5.0/ah_1.5.0_linux_amd64.tar.gz
echo 'ad0e44c6ea058ab6b85dbf582e88bad9fdbc64ded0d1dd4edbac65133e5c87da *ah_1.5.0_linux_amd64.tar.gz' | shasum -c
tar -xzvf ah_1.5.0_linux_amd64.tar.gz ah
./ah lint -p charts/ingress-nginx || exit 1
rm -f ./ah ./ah_1.5.0_linux_amd64.tar.gz
- name: Set up chart-testing
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
- name: Run chart-testing (lint)
run: ct lint --target-branch ${{ github.ref_name }} --config ./.ct.yaml
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: filter
with:
token: ${{ secrets.GITHUB_TOKEN }}
filters: |
charts:
- 'charts/ingress-nginx/Chart.yaml'
- 'charts/ingress-nginx/values.yaml'
chart:
name: Release Chart
runs-on: ubuntu-latest
permissions:
contents: write # needed to write releases
needs:
- changes
if: ${{ needs.changes.outputs.charts == 'true' }}
steps:
- name: Checkout master
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
# Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896
fetch-depth: 0
ref: ${{ github.ref_name }}
- name: Setup
shell: bash
run: |
git config --global user.name "$GITHUB_ACTOR"
git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Helm Chart Releaser
uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
env:
CR_SKIP_EXISTING: true
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}"
with:
charts_dir: charts

47
.github/workflows/images.yaml vendored
View file

@ -36,12 +36,10 @@ jobs:
kube-webhook-certgen: ${{ steps.filter.outputs.kube-webhook-certgen }}
ext-auth-example-authsvc: ${{ steps.filter.outputs.ext-auth-example-authsvc }}
nginx: ${{ steps.filter.outputs.nginx }}
nginx125: ${{ steps.filter.outputs.nginx125 }}
opentelemetry: ${{ steps.filter.outputs.opentelemetry }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: filter
with:
@ -65,10 +63,6 @@ jobs:
- 'images/ext-auth-example-authsvc/**'
nginx:
- 'images/nginx/**'
opentelemetry:
- 'images/opentelemetry/**'
nginx125:
- 'images/nginx-1.25/TAG'
#### TODO: Make the below jobs 'less dumb' and use the job name as parameter (the github.job context does not work here)
cfssl:
@ -141,17 +135,17 @@ jobs:
(needs.changes.outputs.kube-webhook-certgen == 'true')
strategy:
matrix:
k8s: [v1.28.13, v1.29.8, v1.30.4, v1.31.0]
k8s: [v1.28.15, v1.29.12, v1.30.8, v1.31.4, v1.32.0]
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Get go version
run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
- name: Set up Go
id: go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version: ${{ env.GOLANG_VERSION }}
check-latest: true
@ -166,41 +160,24 @@ jobs:
run: |
cd images/ && make NAME=kube-webhook-certgen test test-e2e
opentelemetry:
runs-on: ubuntu-latest
env:
PLATFORMS: linux/amd64,linux/arm,linux/arm64
needs: changes
if: |
(needs.changes.outputs.opentelemetry == 'true')
strategy:
matrix:
nginx: ['1.25.3', '1.21.6']
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: image build
run: |
cd images/opentelemetry && make NGINX_VERSION=${{ matrix.nginx }} build
nginx125:
nginx:
permissions:
contents: write
packages: write
runs-on: ubuntu-latest
needs: changes
if: |
(github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.changes.outputs.nginx125 == 'true')
(github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.changes.outputs.nginx == 'true')
env:
PLATFORMS: linux/amd64,linux/arm,linux/arm64,linux/s390x
PLATFORMS: linux/amd64,linux/arm,linux/arm64
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
with:
version: latest
platforms: ${{ env.PLATFORMS }}
@ -211,5 +188,5 @@ jobs:
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: build-image
run: |
export TAG=$(cat images/nginx-1.25/TAG)
cd images/nginx-1.25/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --push -t ingressnginx/nginx-1.25:${TAG} .
export TAG=$(cat images/nginx/TAG)
cd images/nginx/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --push -t ingressnginx/nginx:${TAG} .

2
.github/workflows/perftest.yaml vendored
View file

@ -19,7 +19,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install K6
run: |

14
.github/workflows/plugin.yaml vendored
View file

@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
@ -20,31 +20,31 @@ jobs:
run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
- name: Set up Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version: ${{ env.GOLANG_VERSION }}
check-latest: true
- name: Run GoReleaser Snapshot
if: ${{ ! startsWith(github.ref, 'refs/tags/') }}
uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
with:
version: latest
version: "~> v2"
args: release --snapshot --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Run GoReleaser
if: ${{ startsWith(github.ref, 'refs/tags/') }}
uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
with:
version: latest
version: "~> v2"
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Update new version in krew-index
if: ${{ startsWith(github.ref, 'refs/tags/') }}
uses: rajatjindal/krew-release-bot@df3eb197549e3568be8b4767eec31c5e8e8e6ad8 # v0.0.46
uses: rajatjindal/krew-release-bot@3d9faef30a82761d610544f62afddca00993eef9 # v0.0.47
with:
krew_template_file: cmd/plugin/krew.yaml

6
.github/workflows/scorecards.yml vendored
View file

@ -27,7 +27,7 @@ jobs:
steps:
- name: "Checkout code"
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
@ -51,7 +51,7 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: SARIF file
path: results.sarif
@ -59,6 +59,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
with:
sarif_file: results.sarif

8
.github/workflows/vulnerability-scans.yaml vendored
View file

@ -22,7 +22,7 @@ jobs:
versions: ${{ steps.version.outputs.TAGS }}
steps:
- name: Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
@ -52,7 +52,7 @@ jobs:
versions: ${{ fromJSON(needs.version.outputs.versions) }}
steps:
- name: Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- shell: bash
id: test
@ -60,7 +60,7 @@ jobs:
- name: Scan image with AquaSec/Trivy
id: scan
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
with:
image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }}
format: 'sarif'
@ -75,7 +75,7 @@ jobs:
# This step checks out a copy of your repository.
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
with:
token: ${{ github.token }}
# Path to SARIF file relative to the root of the repository

6
.github/workflows/zz-tmpl-images.yaml vendored
View file

@ -31,7 +31,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: filter
with:
@ -48,7 +48,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Build
run: |
@ -67,7 +67,7 @@ jobs:
PLATFORMS: ${{ inputs.platforms-publish }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Login to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0

4
.github/workflows/zz-tmpl-k8s-e2e.yaml vendored
View file

@ -20,7 +20,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: cache
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
@ -49,7 +49,7 @@ jobs:
make kind-e2e-test
- name: Upload e2e junit-reports ${{ inputs.variation }}
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
if: success() || failure()
with:
name: e2e-test-reports-${{ inputs.k8s-version }}${{ inputs.variation }}

1
.gitignore vendored
View file

@ -1,4 +1,3 @@
helm-docs
# OSX
._*
.DS_Store

1
.golangci.yml
View file

@ -22,7 +22,6 @@ linters:
- errcheck
- errchkjson
- errname
- execinquery
- ginkgolinter
- gocheckcompilerdirectives
- goconst

2
GOLANG_VERSION
View file

@ -1 +1 @@
1.22.6
1.23.4

11
MANUAL_RELEASE.md
View file

@ -226,19 +226,18 @@ Promoting the images basically means that images, that were pushed to staging co
```
### d. Edit the values.yaml and run helm-docs
- [Fields to edit in values.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml)
- tag
- digest
- [helm-docs](https://github.com/norwoodj/helm-docs) is a tool that generates the README.md for a helm-chart automatically. In the CI pipeline workflow of github actions (/.github/workflows/ci.yaml), you can see how helm-docs is used. But the CI pipeline is not designed to make commits back into the project. So we need to run helm-docs manually, and check in the resulting autogenerated README.md at the path /charts/ingress-nginx/README.md
- [helm-docs](https://github.com/norwoodj/helm-docs) is a tool that generates the README.md for a Helm chart automatically. In the CI pipeline workflow of GitHub actions (.github/workflows/ci.yaml), you can see how helm-docs is used. The CI pipeline is not designed to make commits back into the project, so we need to run helm-docs manually and commit the resulting generated README.md. You can obtain a recent version of the helm-docs binary here: https://github.com/norwoodj/helm-docs/releases.
```
GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.11.0
./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts
git diff --exit-code
rm -f ./helm-docs
helm-docs --chart-search-root charts
git diff charts/ingress-nginx/README.md
```
Watchout for mistakes like leaving the helm-docs executable in your clone workspace or not checking the new README.md manually etc.
Take care of not leaving the helm-docs executable in your clone workspace or not committing the new README.md.
### e. Edit the static manifests

2
Makefile
View file

@ -110,7 +110,7 @@ clean-chroot-image: ## Removes local image
.PHONY: build
build: ## Build ingress controller, debug tool and pre-stop hook.
E2E_IMAGE=golang:$(GO_VERSION)-alpine3.20 USE_SHELL=/bin/sh build/run-in-docker.sh \
E2E_IMAGE=golang:$(GO_VERSION)-alpine3.21 USE_SHELL=/bin/sh build/run-in-docker.sh \
MAC_OS=$(MAC_OS) \
PKG=$(PKG) \
ARCH=$(ARCH) \

2
NGINX_BASE
View file

@ -1 +1 @@
registry.k8s.io/ingress-nginx/nginx-1.25:v0.0.12@sha256:2d471b3a34dc43d10c3f3d7f2a6e8a2ecf7654a4197e56374261c1c708b16365
registry.k8s.io/ingress-nginx/nginx:v2.0.0@sha256:3e7bda4cf5111d283ed1e4ff5cc9a2b5cdc5ebe62d50ba67473d3e25b1389133

1
OWNERS
View file

@ -10,3 +10,4 @@ emeritus_approvers:
- aledbf # 2020-04-02
- bowei # 2022-10-12
- ElvinEfendi # 2023-04-23
- rikatz # 2024-12-15

23
OWNERS_ALIASES
View file

@ -1,40 +1,17 @@
# See the OWNERS docs: https://www.kubernetes.dev/docs/guide/owners
aliases:
sig-network-leads:
- caseydavenport
- dcbw
- thockin
ingress-nginx-admins:
- Gacko
- rikatz
- strongjz
ingress-nginx-maintainers:
- cpanato
- Gacko
- puerco
- rikatz
- strongjz
- tao12345666333
ingress-nginx-reviewers:
- cpanato
- Gacko
- puerco
- rikatz
- strongjz
- tao12345666333
ingress-nginx-helm-maintainers:
- ubergesundheit
ingress-nginx-helm-reviewers:
- ubergesundheit
ingress-nginx-docs-maintainers:
- longwuyuan
ingress-nginx-kube-webhook-certgen-reviewers:
- invidian

18
README.md
View file

@ -17,6 +17,8 @@ balancer.
See the [Getting Started](https://kubernetes.github.io/ingress-nginx/deploy/) document.
Do not use in multi-tenant Kubernetes production installations. This project assumes that users that can create Ingress objects are administrators of the cluster. See the [FAQ](https://kubernetes.github.io/ingress-nginx/faq/#faq) for more.
## Troubleshooting
If you encounter issues, review the [troubleshooting docs](docs/troubleshooting.md),
@ -37,14 +39,20 @@ the versions listed. Ingress-Nginx versions **may** work on older versions, but
| Supported | Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version | Helm Chart Version |
| :-------: | --------------------- | ----------------------------- | -------------- | ------------- | ------------------ |
| 🔄 | **v1.12.0** | 1.32, 1.31, 1.30, 1.29, 1.28 | 3.21.0 | 1.25.5 | 4.12.0 |
| 🔄 | **v1.12.0-beta.0** | 1.32, 1.31, 1.30, 1.29, 1.28 | 3.20.3 | 1.25.5 | 4.12.0-beta.0 |
| 🔄 | **v1.11.4** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.21.0 | 1.25.5 | 4.11.4 |
| 🔄 | **v1.11.3** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.3 | 1.25.5 | 4.11.3 |
| 🔄 | **v1.11.2** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.11.2 |
| 🔄 | **v1.11.1** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.11.1 |
| 🔄 | **v1.11.0** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.11.0 |
| 🔄 | **v1.10.4** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.10.4 |
| 🔄 | **v1.10.3** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.10.3 |
| 🔄 | **v1.10.2** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.10.2 |
| 🔄 | **v1.10.1** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.19.1 | 1.25.3 | 4.10.1 |
| 🔄 | **v1.10.0** | 1.29, 1.28, 1.27, 1.26 | 3.19.1 | 1.25.3 | 4.10.0 |
| | **v1.10.6** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.21.0 | 1.25.5 | 4.10.6 |
| | **v1.10.5** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.3 | 1.25.5 | 4.10.5 |
| | **v1.10.4** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.10.4 |
| | **v1.10.3** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.10.3 |
| | **v1.10.2** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.10.2 |
| | **v1.10.1** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.19.1 | 1.25.3 | 4.10.1 |
| | **v1.10.0** | 1.29, 1.28, 1.27, 1.26 | 3.19.1 | 1.25.3 | 4.10.0 |
| | v1.9.6 | 1.29, 1.28, 1.27, 1.26, 1.25 | 3.19.0 | 1.21.6 | 4.9.1 |
| | v1.9.5 | 1.28, 1.27, 1.26, 1.25 | 3.18.4 | 1.21.6 | 4.9.0 |
| | v1.9.4 | 1.28, 1.27, 1.26, 1.25 | 3.18.4 | 1.21.6 | 4.8.3 |

1
SECURITY_CONTACTS
View file

@ -10,5 +10,4 @@
# DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
# INSTRUCTIONS AT https://kubernetes.io/security/
Gacko
rikatz
strongjz

4
build/run-in-docker.sh
View file

@ -44,7 +44,7 @@ function cleanup {
}
trap cleanup EXIT
E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20240829-2c421762@sha256:5b7809bfe9cbd9cd6bcb8033ca27576ca704f05ce729fe4dcb574810f7a25785}
E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20250112-a188f4eb@sha256:043038b1e30e5a0b64f3f919f096c5c9488ac3f617ac094b07fb9db8215f9441}
if [[ "$RUNTIME" == podman ]]; then
# Podman does not support both tag and digest
@ -82,7 +82,7 @@ if [[ "$DOCKER_IN_DOCKER_ENABLED" == "true" ]]; then
echo "..reached DIND check TRUE block, inside run-in-docker.sh"
echo "FLAGS=$FLAGS"
#go env
go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.20.2
go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.22.2
find / -type f -name ginkgo 2>/dev/null
which ginkgo
/bin/bash -c "${FLAGS}"

90
changelog/controller-1.10.5.md Normal file
View file

@ -0,0 +1,90 @@
# Changelog
### controller-v1.10.5
Images:
* registry.k8s.io/ingress-nginx/controller:v1.10.5@sha256:c84d11b1f7bd14ebbf49918a7f0dc01b31c0c6e757e0129520ea93453096315c
* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.5@sha256:030a43bdd5f0212a7e135cc4da76b15a6706ef65a6824eb4cc401f87a81c2987
### All changes:
* Images: Trigger controller build. (#12133)
* Tests & Docs: Bump `e2e-test-echo` to v1.0.1. (#12146)
* Images: Trigger `e2e-test-echo` build. (#12142)
* Images: Drop `s390x`. (#12139)
* Images: Build `s390x` controller. (#12128)
* Chart: Bump Kube Webhook CertGen. (#12122)
* Tests & Docs: Bump images. (#12120)
* Cloud Build: Bump `gcb-docker-gcloud` to v20240718-5ef92b5c36. (#12116)
* Images: Trigger other builds. (#12111)
* Tests: Bump `e2e-test-runner` to v20241004-114a6abb. (#12104)
* Images: Trigger `test-runner` build. (#12101)
* Docs: Add a multi-tenant warning. (#12098)
* Go: Bump to v1.22.8. (#12093)
* Images: Bump `NGINX_BASE` to v0.1.0. (#12079)
* Images: Trigger NGINX build. (#12077)
* Images: Remove NGINX v1.21. (#12057)
* GitHub: Improve Dependabot. (#12037)
* Chart: Improve CI. (#12029)
* Chart: Extend image tests. (#12026)
* Docs: Add health check annotations for AWS. (#12021)
* Docs: Convert `opentelemetry.md` from CRLF to LF. (#12007)
* Chart: Test `controller.minAvailable` & `controller.maxUnavailable`. (#12001)
* Chart: Align default backend `PodDisruptionBudget`. (#11998)
* Metrics: Fix namespace in `nginx_ingress_controller_ssl_expire_time_seconds`. (#11985)
* Chart: Improve default backend service account. (#11973)
* Go: Bump to v1.22.7. (#11969)
* Images: Bump OpenTelemetry C++ Contrib. (#11950)
* Docs: Add note about `--watch-namespace`. (#11948)
* Images: Use latest Alpine 3.20 everywhere. (#11945)
* Fix minor typos (#11940)
* Chart: Implement `controller.admissionWebhooks.service.servicePort`. (#11933)
* Tests: Bump `e2e-test-runner` to v20240829-2c421762. (#11920)
* Images: Trigger `test-runner` build. (#11918)
* Chart: Add tests for `PrometheusRule` & `ServiceMonitor`. (#11888)
* Annotations: Allow commas in URLs. (#11886)
* CI: Grant checks write permissions to E2E Test Report. (#11884)
* Update maxmind post link about geolite2 license changes (#11880)
* Go: Sync `go.work.sum`. (#11876)
* Replace deprecated queue method (#11858)
* Auto-generate annotation docs (#11835)
### Dependency updates:
* Bump the actions group with 3 updates (#12150)
* Bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#12108)
* Bump the actions group with 3 updates (#12096)
* Bump sigs.k8s.io/mdtoc from 1.1.0 to 1.4.0 (#12088)
* Bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#12086)
* Bump google.golang.org/grpc from 1.67.0 to 1.67.1 in the go group across 1 directory (#12084)
* Bump k8s.io/cli-runtime from 0.30.0 to 0.31.1 (#12082)
* Bump github/codeql-action from 3.26.9 to 3.26.10 in the actions group (#12054)
* Bump the go group across 1 directory with 3 updates (#12052)
* Bump k8s.io/kube-aggregator from 0.29.3 to 0.31.1 in /images/kube-webhook-certgen/rootfs (#12048)
* Bump k8s.io/apimachinery from 0.23.1 to 0.31.1 in /images/ext-auth-example-authsvc/rootfs (#12044)
* Bump github.com/prometheus/client_golang from 1.11.1 to 1.20.4 in /images/custom-error-pages/rootfs (#12045)
* Bump the all group with 2 updates (#12035)
* Bump github/codeql-action from 3.26.7 to 3.26.8 in the all group (#12015)
* Bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#12013)
* Bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group (#12011)
* Bump the all group with 2 updates (#11979)
* Bump github/codeql-action from 3.26.6 to 3.26.7 in the all group (#11978)
* Bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#11960)
* Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (#11959)
* Bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group (#11956)
* Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#11929)
* Bump the all group with 2 updates (#11924)
* Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.20.2 in the all group (#11912)
* Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#11907)
* Bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#11906)
* Bump github/codeql-action from 3.26.5 to 3.26.6 in the all group (#11905)
* Bump the all group with 2 updates (#11870)
* Bump github/codeql-action from 3.26.2 to 3.26.5 in the all group (#11869)
* Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 (#11848)
* Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.0 (#11847)
* Bump dario.cat/mergo from 1.0.0 to 1.0.1 in the all group (#11846)
* Bump k8s.io/component-base from 0.30.3 to 0.31.0 (#11841)
* Bump github/codeql-action from 3.26.0 to 3.26.2 in the all group (#11833)
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.4...controller-v1.10.5

92
changelog/controller-1.10.6.md Normal file
View file

@ -0,0 +1,92 @@
# Changelog
### controller-v1.10.6
Images:
* registry.k8s.io/ingress-nginx/controller:v1.10.6@sha256:b6fbd102255edb3ba8e5421feebe14fd3e94cf53d199af9e40687f536152189c
* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.6@sha256:44ceedafc0e04a75521b5d472c1b6b5cc08afb8038b5bbfd79c21d066ccf300e
### All changes:
* Images: Trigger controller build. (#12611)
* Chart: Bump Kube Webhook CertGen. (#12608)
* Tests & Docs: Bump images. (#12605)
* Images: Trigger other builds (2/2). (#12598)
* Images: Trigger other builds (1/2). (#12597)
* Tests: Bump `e2e-test-runner` to v20241224-68ed4e7b. (#12592)
* Images: Trigger `test-runner` build. (#12586)
* Images: Bump `NGINX_BASE` to v0.2.0. (#12584)
* Images: Trigger NGINX build. (#12578)
* Go: Clean `go.work.sum`. (#12575)
* Repository: Update owners. (#12570)
* Images: Bump `gcb-docker-gcloud` to v20241217-ff46a068cd. (#12563)
* CI: Update KIND images. (#12559)
* Images: Bump Alpine to v3.21. (#12530)
* Docs: Add guide on how to set a Maintenance Page. (#12527)
* rikatz is stepping down (#12518)
* rikatz is stepping down (#12497)
* Go: Bump to v1.23.4. (#12485)
* Plugin: Bump `goreleaser` to v2. (#12442)
* GitHub: Fix `exec` in issue template. (#12389)
* CI: Update KIND images. (#12368)
* Images: Bump `gcb-docker-gcloud` to v20241110-72bb0b1665. (#12341)
* Go: Bump to v1.23.3. (#12339)
* Auth TLS: Add `_` to redirect RegEx. (#12328)
* Auth TLS: Improve redirect RegEx. (#12321)
* Tests: Bump `e2e-test-runner` to v20241104-02a3933e. (#12314)
* Images: Trigger `test-runner` build. (#12307)
* Config: Fix panic on invalid `lua-shared-dict`. (#12282)
* Docs: fix limit-rate-after references (#12280)
* Chart: Rework ServiceMonitor. (#12268)
* Chart: Add ServiceAccount tests. (#12266)
* CI: Fix chart testing. (#12260)
* [fix] fix nginx temp configs cleanup (#12224)
* Chart: Suggest `matchLabelKeys` in Topology Spread Constraints. (#12204)
* Docs: Add Pod Security Admission. (#12198)
* Docs: Clarify external & service port in TCP/UDP services explanation. (#12194)
### Dependency updates:
* Bump k8s.io/apiextensions-apiserver from 0.31.3 to 0.32.0 (#12565)
* Bump github.com/onsi/ginkgo/v2 from 2.22.0 to 2.22.1 (#12557)
* Bump k8s.io/code-generator from 0.31.3 to 0.32.0 (#12552)
* Bump k8s.io/cli-runtime from 0.31.3 to 0.32.0 (#12549)
* Bump k8s.io/apiserver from 0.31.3 to 0.32.0 (#12546)
* Bump the actions group with 2 updates (#12543)
* Bump google.golang.org/grpc from 1.68.1 to 1.69.2 (#12540)
* Bump k8s.io/client-go from 0.31.3 to 0.32.0 (#12514)
* Bump github.com/opencontainers/runc from 1.2.2 to 1.2.3 in the go group across 1 directory (#12511)
* Bump the actions group with 3 updates (#12508)
* Bump k8s.io/kube-aggregator from 0.31.3 to 0.32.0 in /images/kube-webhook-certgen/rootfs (#12504)
* Bump k8s.io/apimachinery from 0.31.3 to 0.32.0 in /images/ext-auth-example-authsvc/rootfs (#12501)
* Bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#12478)
* Bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /magefiles (#12473)
* Bump github.com/prometheus/common from 0.60.1 to 0.61.0 (#12466)
* Bump github/codeql-action from 3.27.5 to 3.27.6 in the actions group (#12463)
* Bump the go group across 1 directory with 2 updates (#12459)
* Bump github.com/onsi/ginkgo/v2 from 2.21.0 to 2.22.0 (#12425)
* Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#12416)
* Bump the go group across 3 directories with 10 updates (#12414)
* Bump the actions group with 3 updates (#12410)
* Bump github.com/opencontainers/runc from 1.2.1 to 1.2.2 in the go group across 1 directory (#12382)
* Bump github/codeql-action from 3.27.1 to 3.27.4 in the actions group (#12375)
* Bump golangci-lint on actions and disable deprecated linters (#12363)
* Bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#12356)
* Bump the actions group with 3 updates (#12353)
* Bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#12351)
* Bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 (#12297)
* Bump github.com/opencontainers/runc from 1.2.0 to 1.2.1 in the go group across 1 directory (#12294)
* Bump github.com/onsi/ginkgo/v2 from 2.20.2 to 2.21.0 (#12290)
* Bump actions/dependency-review-action from 4.3.5 to 4.4.0 in the actions group (#12275)
* Bump the go group across 3 directories with 11 updates (#12246)
* Bump github.com/opencontainers/runc from 1.1.15 to 1.2.0 (#12241)
* Bump the actions group with 5 updates (#12243)
* Bump github.com/ncabatoff/process-exporter from 0.8.3 to 0.8.4 in the go group across 1 directory (#12219)
* Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 in the actions group (#12215)
* Bump github/codeql-action from 3.26.12 to 3.26.13 in the actions group (#12191)
* Bump the go group across 2 directories with 1 update (#12189)
* Bump the actions group with 2 updates (#12185)
* Bump github.com/opencontainers/runc from 1.1.14 to 1.1.15 in the go group across 1 directory (#12184)
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.5...controller-v1.10.6

91
changelog/controller-1.11.3.md Normal file
View file

@ -0,0 +1,91 @@
# Changelog
### controller-v1.11.3
Images:
* registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:d56f135b6462cfc476447cfe564b83a45e8bb7da2774963b00d12161112270b7
* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.3@sha256:22701f0fc0f2dd209ef782f4e281bfe2d8cccd50ededa00aec88e0cdbe7edd14
### All changes:
* Images: Trigger controller build. (#12134)
* Tests & Docs: Bump `e2e-test-echo` to v1.0.1. (#12145)
* Images: Trigger `e2e-test-echo` build. (#12141)
* Images: Drop `s390x`. (#12138)
* Images: Build `s390x` controller. (#12127)
* Chart: Bump Kube Webhook CertGen. (#12123)
* Tests & Docs: Bump images. (#12121)
* Cloud Build: Bump `gcb-docker-gcloud` to v20240718-5ef92b5c36. (#12117)
* Images: Trigger other builds. (#12112)
* Tests: Bump `e2e-test-runner` to v20241004-114a6abb. (#12105)
* Images: Trigger `test-runner` build. (#12102)
* Docs: Add a multi-tenant warning. (#12099)
* Go: Bump to v1.22.8. (#12094)
* Images: Bump `NGINX_BASE` to v0.1.0. (#12080)
* Images: Trigger NGINX build. (#12076)
* Images: Remove NGINX v1.21. (#12058)
* GitHub: Improve Dependabot. (#12038)
* Chart: Improve CI. (#12030)
* Chart: Extend image tests. (#12027)
* Docs: Add health check annotations for AWS. (#12020)
* Docs: Convert `opentelemetry.md` from CRLF to LF. (#12006)
* Chart: Test `controller.minAvailable` & `controller.maxUnavailable`. (#12002)
* Chart: Align default backend `PodDisruptionBudget`. (#11999)
* Metrics: Fix namespace in `nginx_ingress_controller_ssl_expire_time_seconds`. (#11986)
* Chart: Improve default backend service account. (#11974)
* Go: Bump to v1.22.7. (#11970)
* Images: Bump OpenTelemetry C++ Contrib. (#11951)
* Docs: Add note about `--watch-namespace`. (#11949)
* Images: Use latest Alpine 3.20 everywhere. (#11946)
* Fix minor typos (#11941)
* Chart: Implement `controller.admissionWebhooks.service.servicePort`. (#11934)
* Tests: Bump `e2e-test-runner` to v20240829-2c421762. (#11921)
* Images: Trigger `test-runner` build. (#11917)
* Chart: Add tests for `PrometheusRule` & `ServiceMonitor`. (#11889)
* Annotations: Allow commas in URLs. (#11887)
* CI: Grant checks write permissions to E2E Test Report. (#11885)
* Chart: Use generic values for `ConfigMap` test. (#11879)
* Update maxmind post link about geolite2 license changes (#11881)
* Go: Sync `go.work.sum`. (#11875)
* Replace deprecated queue method (#11859)
* Auto-generate annotation docs (#11831)
### Dependency updates:
* Bump the actions group with 3 updates (#12149)
* Bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#12109)
* Bump the actions group with 3 updates (#12097)
* Bump sigs.k8s.io/mdtoc from 1.1.0 to 1.4.0 (#12089)
* Bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#12087)
* Bump google.golang.org/grpc from 1.67.0 to 1.67.1 in the go group across 1 directory (#12085)
* Bump k8s.io/cli-runtime from 0.30.0 to 0.31.1 (#12083)
* Bump github/codeql-action from 3.26.9 to 3.26.10 in the actions group (#12055)
* Bump the go group across 1 directory with 3 updates (#12053)
* Bump k8s.io/kube-aggregator from 0.29.3 to 0.31.1 in /images/kube-webhook-certgen/rootfs (#12049)
* Bump k8s.io/apimachinery from 0.23.1 to 0.31.1 in /images/ext-auth-example-authsvc/rootfs (#12047)
* Bump github.com/prometheus/client_golang from 1.11.1 to 1.20.4 in /images/custom-error-pages/rootfs (#12046)
* Bump the all group with 2 updates (#12036)
* Bump github/codeql-action from 3.26.7 to 3.26.8 in the all group (#12016)
* Bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#12014)
* Bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group (#12012)
* Bump the all group with 2 updates (#11981)
* Bump github/codeql-action from 3.26.6 to 3.26.7 in the all group (#11980)
* Bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#11961)
* Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (#11958)
* Bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group (#11957)
* Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#11930)
* Bump the all group with 2 updates (#11925)
* Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.20.2 in the all group (#11913)
* Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#11910)
* Bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#11909)
* Bump github/codeql-action from 3.26.5 to 3.26.6 in the all group (#11908)
* Bump the all group with 2 updates (#11871)
* Bump github/codeql-action from 3.26.2 to 3.26.5 in the all group (#11868)
* Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 (#11840)
* Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.0 (#11839)
* Bump dario.cat/mergo from 1.0.0 to 1.0.1 in the all group (#11837)
* Bump k8s.io/component-base from 0.30.3 to 0.31.0 (#11836)
* Bump github/codeql-action from 3.26.0 to 3.26.2 in the all group (#11834)
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.2...controller-v1.11.3

94
changelog/controller-1.11.4.md Normal file
View file

@ -0,0 +1,94 @@
# Changelog
### controller-v1.11.4
Images:
* registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52
* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.4@sha256:f29d0f9e7a9ef4947eda59ed0c09ec13380b13639d1518cf1ab8ec09c3e22ef8
### All changes:
* Images: Trigger controller build. (#12610)
* Chart: Bump Kube Webhook CertGen. (#12607)
* Tests & Docs: Bump images. (#12604)
* Images: Trigger other builds (2/2). (#12600)
* Images: Trigger other builds (1/2). (#12596)
* Tests: Bump `e2e-test-runner` to v20241224-68ed4e7b. (#12591)
* Images: Trigger `test-runner` build. (#12588)
* Images: Bump `NGINX_BASE` to v0.2.0. (#12583)
* Images: Trigger NGINX build. (#12577)
* Go: Clean `go.work.sum`. (#12574)
* Repository: Update owners. (#12569)
* Images: Bump `gcb-docker-gcloud` to v20241217-ff46a068cd. (#12562)
* CI: Update KIND images. (#12558)
* Images: Bump Alpine to v3.21. (#12529)
* Docs: Add guide on how to set a Maintenance Page. (#12526)
* rikatz is stepping down (#12517)
* rikatz is stepping down (#12495)
* Go: Bump to v1.23.4. (#12484)
* Plugin: Bump `goreleaser` to v2. (#12441)
* GitHub: Fix `exec` in issue template. (#12388)
* CI: Update KIND images. (#12365)
* Images: Bump `gcb-docker-gcloud` to v20241110-72bb0b1665. (#12343)
* Go: Bump to v1.23.3. (#12338)
* Auth TLS: Add `_` to redirect RegEx. (#12327)
* Auth TLS: Improve redirect RegEx. (#12322)
* Update custom headers annotation documentation (#12319)
* Tests: Bump `e2e-test-runner` to v20241104-02a3933e. (#12313)
* Images: Trigger `test-runner` build. (#12306)
* Config: Fix panic on invalid `lua-shared-dict`. (#12284)
* Docs: fix limit-rate-after references (#12279)
* Chart: Rework ServiceMonitor. (#12270)
* Chart: Add ServiceAccount tests. (#12264)
* CI: Fix chart testing. (#12259)
* [fix] fix nginx temp configs cleanup (#12223)
* Chart: Suggest `matchLabelKeys` in Topology Spread Constraints. (#12203)
* Docs: Add Pod Security Admission. (#12197)
* Docs: Clarify external & service port in TCP/UDP services explanation. (#12193)
* Docs: Goodbye, v1.10. (#12159)
### Dependency updates:
* Bump k8s.io/apiextensions-apiserver from 0.31.3 to 0.32.0 (#12567)
* Bump github.com/onsi/ginkgo/v2 from 2.22.0 to 2.22.1 (#12556)
* Bump k8s.io/code-generator from 0.31.3 to 0.32.0 (#12551)
* Bump k8s.io/cli-runtime from 0.31.3 to 0.32.0 (#12548)
* Bump k8s.io/apiserver from 0.31.3 to 0.32.0 (#12545)
* Bump the actions group with 2 updates (#12542)
* Bump google.golang.org/grpc from 1.68.1 to 1.69.2 (#12539)
* Bump k8s.io/client-go from 0.31.3 to 0.32.0 (#12513)
* Bump github.com/opencontainers/runc from 1.2.2 to 1.2.3 in the go group across 1 directory (#12510)
* Bump the actions group with 3 updates (#12507)
* Bump k8s.io/kube-aggregator from 0.31.3 to 0.32.0 in /images/kube-webhook-certgen/rootfs (#12503)
* Bump k8s.io/apimachinery from 0.31.3 to 0.32.0 in /images/ext-auth-example-authsvc/rootfs (#12500)
* Bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#12477)
* Bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /magefiles (#12475)
* Bump github.com/prometheus/common from 0.60.1 to 0.61.0 (#12465)
* Bump github/codeql-action from 3.27.5 to 3.27.6 in the actions group (#12462)
* Bump the go group across 1 directory with 2 updates (#12458)
* Bump github.com/onsi/ginkgo/v2 from 2.21.0 to 2.22.0 (#12427)
* Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#12417)
* Bump the go group across 3 directories with 10 updates (#12415)
* Bump the actions group with 3 updates (#12411)
* Bump github.com/opencontainers/runc from 1.2.1 to 1.2.2 in the go group across 1 directory (#12381)
* Bump github/codeql-action from 3.27.1 to 3.27.4 in the actions group (#12374)
* Bump golangci-lint on actions and disable deprecated linters (#12362)
* Bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#12355)
* Bump the actions group with 3 updates (#12352)
* Bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#12350)
* Bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 (#12298)
* Bump github.com/opencontainers/runc from 1.2.0 to 1.2.1 in the go group across 1 directory (#12295)
* Bump github.com/onsi/ginkgo/v2 from 2.20.2 to 2.21.0 (#12289)
* Bump actions/dependency-review-action from 4.3.5 to 4.4.0 in the actions group (#12274)
* Bump the go group across 3 directories with 11 updates (#12245)
* Bump github.com/opencontainers/runc from 1.1.15 to 1.2.0 (#12239)
* Bump the actions group with 5 updates (#12240)
* Bump github.com/ncabatoff/process-exporter from 0.8.3 to 0.8.4 in the go group across 1 directory (#12220)
* Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 in the actions group (#12216)
* Bump github/codeql-action from 3.26.12 to 3.26.13 in the actions group (#12190)
* Bump the go group across 2 directories with 1 update (#12187)
* Bump the actions group with 2 updates (#12181)
* Bump github.com/opencontainers/runc from 1.1.14 to 1.1.15 in the go group across 1 directory (#12179)
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.3...controller-v1.11.4

216
changelog/controller-1.12.0-beta.0.md Normal file
View file

@ -0,0 +1,216 @@
# Changelog
### controller-v1.12.0-beta.0
Images:
* registry.k8s.io/ingress-nginx/controller:v1.12.0-beta.0@sha256:9724476b928967173d501040631b23ba07f47073999e80e34b120e8db5f234d5
* registry.k8s.io/ingress-nginx/controller-chroot:v1.12.0-beta.0@sha256:6e2f8f52e1f2571ff65bc4fc4826d5282d5def5835ec4ab433dcb8e659b2fbac
### All changes:
* Images: Trigger controller build. (#12154)
* ⚠️ Metrics: Disable by default. (#12153) ⚠️
This changes the default of the following CLI arguments:
* `--enable-metrics` gets disabled by default.
* Tests & Docs: Bump `e2e-test-echo` to v1.0.1. (#12147)
* Images: Trigger `e2e-test-echo` build. (#12140)
* ⚠️ Images: Drop `s390x`. (#12137) ⚠️
Support for the `s390x` architecture has already been removed from the controller image. This also removes it from the NGINX base image and CI relevant images.
* Images: Build `s390x` controller. (#12126)
* Chart: Bump Kube Webhook CertGen. (#12119)
* Tests & Docs: Bump images. (#12118)
* Cloud Build: Bump `gcb-docker-gcloud` to v20240718-5ef92b5c36. (#12113)
* Images: Trigger other builds. (#12110)
* Tests: Bump `e2e-test-runner` to v20241004-114a6abb. (#12103)
* Images: Trigger `test-runner` build. (#12100)
* Docs: Add a multi-tenant warning. (#12091)
* Go: Bump to v1.22.8. (#12069)
* Images: Bump `NGINX_BASE` to v1.0.0. (#12066)
* Images: Trigger NGINX build. (#12063)
* Images: Remove NGINX v1.21. (#12031)
* Chart: Add `controller.metrics.service.enabled`. (#12056)
* GitHub: Improve Dependabot. (#12033)
* Chart: Add `global.image.registry`. (#12028)
* ⚠️ Images: Remove OpenTelemetry. (#12024) ⚠️
OpenTelemetry is still supported, but since the module is built into the controller image since v1.10, we hereby remove the init container and image which were used to install it upon controller startup.
* Chart: Improve CI. (#12003)
* Chart: Extend image tests. (#12025)
* Chart: Add `controller.progressDeadlineSeconds`. (#12017)
* Docs: Add health check annotations for AWS. (#12018)
* Docs: Convert `opentelemetry.md` from CRLF to LF. (#12005)
* Chart: Implement `unhealthyPodEvictionPolicy`. (#11992)
* Chart: Add `defaultBackend.maxUnavailable`. (#11995)
* Chart: Test `controller.minAvailable` & `controller.maxUnavailable`. (#12000)
* Chart: Align default backend `PodDisruptionBudget`. (#11993)
* Metrics: Fix namespace in `nginx_ingress_controller_ssl_expire_time_seconds`. (#10274)
* ⚠️ Chart: Remove Pod Security Policy. (#11971) ⚠️
This removes Pod Security Policies and related resources from the chart.
* Chart: Improve default backend service account. (#11972)
* Go: Bump to v1.22.7. (#11943)
* NGINX: Remove inline Lua from template. (#11806)
* Images: Bump OpenTelemetry C++ Contrib. (#11629)
* Docs: Add note about `--watch-namespace`. (#11947)
* Images: Use latest Alpine 3.20 everywhere. (#11944)
* Fix minor typos (#11935)
* Chart: Implement `controller.admissionWebhooks.service.servicePort`. (#11931)
* Allow any protocol for cors origins (#11153)
* Tests: Bump `e2e-test-runner` to v20240829-2c421762. (#11919)
* Images: Trigger `test-runner` build. (#11916)
* Chart: Add `controller.metrics.prometheusRule.annotations`. (#11849)
* Chart: Add tests for `PrometheusRule` & `ServiceMonitor`. (#11883)
* Annotations: Allow commas in URLs. (#11882)
* CI: Grant checks write permissions to E2E Test Report. (#11862)
* Chart: Use generic values for `ConfigMap` test. (#11877)
* Security: Follow-up on recent changes. (#11874)
* Lua: Remove plugins from `.luacheckrc` & E2E docs. (#11872)
* Dashboard: Remove `ingress_upstream_latency_seconds`. (#11878)
* Metrics: Add `--metrics-per-undefined-host` argument. (#11818)
* Update maxmind post link about geolite2 license changes (#11861)
* ⚠️ Remove global-rate-limit feature (#11851) ⚠️
This removes the following configuration options:
* `global-rate-limit-memcached-host`
* `global-rate-limit-memcached-port`
* `global-rate-limit-memcached-connect-timeout`
* `global-rate-limit-memcached-max-idle-timeout`
* `global-rate-limit-memcached-pool-size`
* `global-rate-limit-status-code`
It also removes the following annotations:
* `global-rate-limit`
* `global-rate-limit-window`
* `global-rate-limit-key`
* `global-rate-limit-ignored-cidrs`
* Revert "docs: Add deployment for AWS NLB Proxy." (#11857)
* Add custom code handling for temporal redirect (#10651)
* Add native histogram support for histogram metrics (#9971)
* Replace deprecated queue method (#11853)
* ⚠️ Enable security features by default (#11819) ⚠️
This changes the default of the following CLI arguments:
* `--enable-annotation-validation` gets enabled by default.
It also changes the default of the following configuration options:
* `allow-cross-namespace-resources` gets disabled by default.
* `annotations-risk-level` gets lowered to "High" by default.
* `strict-validate-path-type` gets enabled by default.
* docs: Add deployment for AWS NLB Proxy. (#9565)
* ⚠️ Remove 3rd party lua plugin support (#11821) ⚠️
This removes the following configuration options:
* `plugins`
It also removes support for user provided Lua plugins in the `/etc/nginx/lua/plugins` directory.
* Auto-generate annotation docs (#11820)
* ⚠️ Metrics: Remove `ingress_upstream_latency_seconds`. (#11795) ⚠️
This metric has already been deprecated and is now getting removed.
* Release controller v1.11.2/v1.10.4 & chart v4.11.2/v4.10.4. (#11816)
* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11809)
* Tests & Docs: Bump images. (#11803)
* Images: Trigger failed builds. (#11800)
* Images: Trigger other builds. (#11796)
* Controller: Fix panic in alternative backend merging. (#11789)
* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11788)
* Images: Trigger `test-runner` build. (#11785)
* Images: Bump `NGINX_BASE` to v0.0.12. (#11782)
* Images: Trigger NGINX build. (#11779)
* Cloud Build: Add missing config, remove unused ones. (#11774)
* Cloud Build: Tweak timeouts. (#11761)
* Cloud Build: Fix substitutions. (#11758)
* Cloud Build: Some chores. (#11633)
* Go: Bump to v1.22.6. (#11747)
* Images: Bump `NGINX_BASE` to v0.0.11. (#11741)
* Images: Trigger NGINX build. (#11735)
* docs: update OpenSSL Roadmap link (#11730)
* Go: Bump to v1.22.5. (#11634)
* Docs: Fix typo in AWS LB Controller reference (#11723)
* Perform some cleaning operations on line breaks. (#11720)
* Missing anchors in regular expression. (#11717)
* Docs: Fix `from-to-www` redirect description. (#11712)
* Chart: Remove `isControllerTagValid`. (#11710)
* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11702)
* Chart: Explicitly set `runAsGroup`. (#11679)
* Docs: Clarify `from-to-www` redirect direction. (#11682)
* added real-client-ip faq (#11663)
* Docs: Format NGINX configuration table. (#11659)
* Release controller v1.11.1/v1.10.3 & chart v4.11.1/v4.10.3. (#11654)
* Tests: Bump `test-runner` to v20240717-1fe74b5f. (#11645)
* Images: Trigger `test-runner` build. (#11636)
* Images: Bump `NGINX_BASE` to v0.0.10. (#11635)
* remove modsecurity coreruleset test files from nginx image (#11617)
* unskip the ocsp tests and update images to fix cfssl bug (#11606)
* Fix indent in YAML for example pod (#11598)
* Images: Bump `test-runner`. (#11600)
* Images: Bump `NGINX_BASE` to v0.0.9. (#11599)
* revert module upgrade (#11594)
* README: Fix support matrix. (#11586)
* Repository: Add changelogs from `release-v1.10`. (#11587)
### Dependency updates:
* Bump the actions group with 3 updates (#12152)
* Bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#12107)
* Bump the actions group with 3 updates (#12092)
* Bump sigs.k8s.io/mdtoc from 1.1.0 to 1.4.0 (#12062)
* Bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#12060)
* Bump google.golang.org/grpc from 1.67.0 to 1.67.1 in the go group across 1 directory (#12059)
* Bump k8s.io/cli-runtime from 0.30.0 to 0.31.1 (#12061)
* Bump github/codeql-action from 3.26.9 to 3.26.10 in the actions group (#12051)
* Bump the go group across 1 directory with 3 updates (#12050)
* Bump k8s.io/kube-aggregator from 0.29.3 to 0.31.1 in /images/kube-webhook-certgen/rootfs (#12043)
* Bump k8s.io/apimachinery from 0.23.1 to 0.31.1 in /images/ext-auth-example-authsvc/rootfs (#12041)
* Bump github.com/prometheus/client_golang from 1.11.1 to 1.20.4 in /images/custom-error-pages/rootfs (#12040)
* Bump the all group with 2 updates (#12032)
* Bump github/codeql-action from 3.26.7 to 3.26.8 in the all group (#12010)
* Bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#12009)
* Bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group (#12008)
* Bump the all group with 2 updates (#11977)
* Bump github/codeql-action from 3.26.6 to 3.26.7 in the all group (#11976)
* Bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#11954)
* Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (#11955)
* Bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group (#11953)
* Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#11928)
* Bump the all group with 2 updates (#11922)
* Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.20.2 in the all group (#11901)
* Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#11902)
* Bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#11903)
* Bump github/codeql-action from 3.26.5 to 3.26.6 in the all group (#11904)
* Bump the all group with 2 updates (#11865)
* Bump github/codeql-action from 3.26.2 to 3.26.5 in the all group (#11867)
* Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 (#11832)
* Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.0 (#11823)
* Bump dario.cat/mergo from 1.0.0 to 1.0.1 in the all group (#11822)
* Bump k8s.io/component-base from 0.30.3 to 0.31.0 (#11825)
* Bump github/codeql-action from 3.26.0 to 3.26.2 in the all group (#11826)
* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11766)
* Bump the all group with 2 updates (#11767)
* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11765)
* Bump the all group with 3 updates (#11727)
* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11696)
* Bump the all group with 2 updates (#11695)
* Bump the all group with 4 updates (#11673)
* Bump the all group with 2 updates (#11672)
* Bump github.com/prometheus/common from 0.54.0 to 0.55.0 (#11522)
* Bump the all group with 5 updates (#11611)
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.0...controller-v1.12.0-beta.0

294
changelog/controller-1.12.0.md Normal file
View file

@ -0,0 +1,294 @@
# Changelog
### controller-v1.12.0
Images:
* registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
* registry.k8s.io/ingress-nginx/controller-chroot:v1.12.0@sha256:87c88e1c38a6c8d4483c8f70b69e2cca49853bb3ec3124b9b1be648edf139af3
### All changes:
* Images: Trigger controller build. (#12609)
* Chart: Bump Kube Webhook CertGen. (#12606)
* Tests & Docs: Bump images. (#12603)
* Images: Trigger other builds (2/2). (#12599)
* Images: Trigger other builds (1/2). (#12595)
* Tests: Bump `e2e-test-runner` to v20241224-68ed4e7b. (#12590)
* Images: Trigger `test-runner` build. (#12587)
* Images: Bump `NGINX_BASE` to v1.1.0. (#12582)
* Images: Trigger NGINX build. (#12579)
* Go: Clean `go.work.sum`. (#12573)
* Repository: Update owners. (#12568)
* Images: Bump `gcb-docker-gcloud` to v20241217-ff46a068cd. (#12561)
* CI: Update KIND images. (#12560)
* Images: Bump Alpine to v3.21. (#12528)
* Docs: Add guide on how to set a Maintenance Page. (#12525)
* rikatz is stepping down (#12516)
* rikatz is stepping down (#12494)
* Go: Bump to v1.23.4. (#12483)
* Plugin: Bump `goreleaser` to v2. (#12440)
* GitHub: Fix `exec` in issue template. (#12387)
* CI: Update KIND images. (#12367)
* Images: Bump `gcb-docker-gcloud` to v20241110-72bb0b1665. (#12342)
* Go: Bump to v1.23.3. (#12337)
* Auth TLS: Add `_` to redirect RegEx. (#12326)
* Auth TLS: Improve redirect RegEx. (#12323)
* Update custom headers annotation documentation (#12318)
* Tests: Bump `e2e-test-runner` to v20241104-02a3933e. (#12312)
* Docs: Add CPU usage note for `--metrics-per-undefined-host`. (#12310)
* Images: Trigger `test-runner` build. (#12308)
* Config: Fix panic on invalid `lua-shared-dict`. (#12283)
* Docs: fix limit-rate-after references (#12278)
* Chart: Rework ServiceMonitor. (#12269)
* Chart: Add ServiceAccount tests. (#12263)
* CI: Fix chart testing. (#12258)
* [fix] fix nginx temp configs cleanup (#12225)
* Chart: Suggest `matchLabelKeys` in Topology Spread Constraints. (#12202)
* Docs: Add Pod Security Admission. (#12195)
* Docs: Clarify external & service port in TCP/UDP services explanation. (#12192)
* Images: Trigger controller build. (#12154)
* ⚠️ Metrics: Disable by default. (#12153) ⚠️
This changes the default of the following CLI arguments:
* `--enable-metrics` gets disabled by default.
* Tests & Docs: Bump `e2e-test-echo` to v1.0.1. (#12147)
* Images: Trigger `e2e-test-echo` build. (#12140)
* ⚠️ Images: Drop `s390x`. (#12137) ⚠️
Support for the `s390x` architecture has already been removed from the controller image. This also removes it from the NGINX base image and CI relevant images.
* Images: Build `s390x` controller. (#12126)
* Chart: Bump Kube Webhook CertGen. (#12119)
* Tests & Docs: Bump images. (#12118)
* Cloud Build: Bump `gcb-docker-gcloud` to v20240718-5ef92b5c36. (#12113)
* Images: Trigger other builds. (#12110)
* Tests: Bump `e2e-test-runner` to v20241004-114a6abb. (#12103)
* Images: Trigger `test-runner` build. (#12100)
* Docs: Add a multi-tenant warning. (#12091)
* Go: Bump to v1.22.8. (#12069)
* Images: Bump `NGINX_BASE` to v1.0.0. (#12066)
* Images: Trigger NGINX build. (#12063)
* Images: Remove NGINX v1.21. (#12031)
* Chart: Add `controller.metrics.service.enabled`. (#12056)
* GitHub: Improve Dependabot. (#12033)
* Chart: Add `global.image.registry`. (#12028)
* ⚠️ Images: Remove OpenTelemetry. (#12024) ⚠️
OpenTelemetry is still supported, but since the module is built into the controller image since v1.10, we hereby remove the init container and image which were used to install it upon controller startup.
* Chart: Improve CI. (#12003)
* Chart: Extend image tests. (#12025)
* Chart: Add `controller.progressDeadlineSeconds`. (#12017)
* Docs: Add health check annotations for AWS. (#12018)
* Docs: Convert `opentelemetry.md` from CRLF to LF. (#12005)
* Chart: Implement `unhealthyPodEvictionPolicy`. (#11992)
* Chart: Add `defaultBackend.maxUnavailable`. (#11995)
* Chart: Test `controller.minAvailable` & `controller.maxUnavailable`. (#12000)
* Chart: Align default backend `PodDisruptionBudget`. (#11993)
* Metrics: Fix namespace in `nginx_ingress_controller_ssl_expire_time_seconds`. (#10274)
* ⚠️ Chart: Remove Pod Security Policy. (#11971) ⚠️
This removes Pod Security Policies and related resources from the chart.
* Chart: Improve default backend service account. (#11972)
* Go: Bump to v1.22.7. (#11943)
* NGINX: Remove inline Lua from template. (#11806)
* Images: Bump OpenTelemetry C++ Contrib. (#11629)
* Docs: Add note about `--watch-namespace`. (#11947)
* Images: Use latest Alpine 3.20 everywhere. (#11944)
* Fix minor typos (#11935)
* Chart: Implement `controller.admissionWebhooks.service.servicePort`. (#11931)
* Allow any protocol for cors origins (#11153)
* Tests: Bump `e2e-test-runner` to v20240829-2c421762. (#11919)
* Images: Trigger `test-runner` build. (#11916)
* Chart: Add `controller.metrics.prometheusRule.annotations`. (#11849)
* Chart: Add tests for `PrometheusRule` & `ServiceMonitor`. (#11883)
* Annotations: Allow commas in URLs. (#11882)
* CI: Grant checks write permissions to E2E Test Report. (#11862)
* Chart: Use generic values for `ConfigMap` test. (#11877)
* Security: Follow-up on recent changes. (#11874)
* Lua: Remove plugins from `.luacheckrc` & E2E docs. (#11872)
* Dashboard: Remove `ingress_upstream_latency_seconds`. (#11878)
* Metrics: Add `--metrics-per-undefined-host` argument. (#11818)
* Update maxmind post link about geolite2 license changes (#11861)
* ⚠️ Remove global-rate-limit feature (#11851) ⚠️
This removes the following configuration options:
* `global-rate-limit-memcached-host`
* `global-rate-limit-memcached-port`
* `global-rate-limit-memcached-connect-timeout`
* `global-rate-limit-memcached-max-idle-timeout`
* `global-rate-limit-memcached-pool-size`
* `global-rate-limit-status-code`
It also removes the following annotations:
* `global-rate-limit`
* `global-rate-limit-window`
* `global-rate-limit-key`
* `global-rate-limit-ignored-cidrs`
* Revert "docs: Add deployment for AWS NLB Proxy." (#11857)
* Add custom code handling for temporal redirect (#10651)
* Add native histogram support for histogram metrics (#9971)
* Replace deprecated queue method (#11853)
* ⚠️ Enable security features by default (#11819) ⚠️
This changes the default of the following CLI arguments:
* `--enable-annotation-validation` gets enabled by default.
It also changes the default of the following configuration options:
* `allow-cross-namespace-resources` gets disabled by default.
* `annotations-risk-level` gets lowered to "High" by default.
* `strict-validate-path-type` gets enabled by default.
* docs: Add deployment for AWS NLB Proxy. (#9565)
* ⚠️ Remove 3rd party lua plugin support (#11821) ⚠️
This removes the following configuration options:
* `plugins`
It also removes support for user provided Lua plugins in the `/etc/nginx/lua/plugins` directory.
* Auto-generate annotation docs (#11820)
* ⚠️ Metrics: Remove `ingress_upstream_latency_seconds`. (#11795) ⚠️
This metric has already been deprecated and is now getting removed.
* Release controller v1.11.2/v1.10.4 & chart v4.11.2/v4.10.4. (#11816)
* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11809)
* Tests & Docs: Bump images. (#11803)
* Images: Trigger failed builds. (#11800)
* Images: Trigger other builds. (#11796)
* Controller: Fix panic in alternative backend merging. (#11789)
* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11788)
* Images: Trigger `test-runner` build. (#11785)
* Images: Bump `NGINX_BASE` to v0.0.12. (#11782)
* Images: Trigger NGINX build. (#11779)
* Cloud Build: Add missing config, remove unused ones. (#11774)
* Cloud Build: Tweak timeouts. (#11761)
* Cloud Build: Fix substitutions. (#11758)
* Cloud Build: Some chores. (#11633)
* Go: Bump to v1.22.6. (#11747)
* Images: Bump `NGINX_BASE` to v0.0.11. (#11741)
* Images: Trigger NGINX build. (#11735)
* docs: update OpenSSL Roadmap link (#11730)
* Go: Bump to v1.22.5. (#11634)
* Docs: Fix typo in AWS LB Controller reference (#11723)
* Perform some cleaning operations on line breaks. (#11720)
* Missing anchors in regular expression. (#11717)
* Docs: Fix `from-to-www` redirect description. (#11712)
* Chart: Remove `isControllerTagValid`. (#11710)
* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11702)
* Chart: Explicitly set `runAsGroup`. (#11679)
* Docs: Clarify `from-to-www` redirect direction. (#11682)
* added real-client-ip faq (#11663)
* Docs: Format NGINX configuration table. (#11659)
* Release controller v1.11.1/v1.10.3 & chart v4.11.1/v4.10.3. (#11654)
* Tests: Bump `test-runner` to v20240717-1fe74b5f. (#11645)
* Images: Trigger `test-runner` build. (#11636)
* Images: Bump `NGINX_BASE` to v0.0.10. (#11635)
* remove modsecurity coreruleset test files from nginx image (#11617)
* unskip the ocsp tests and update images to fix cfssl bug (#11606)
* Fix indent in YAML for example pod (#11598)
* Images: Bump `test-runner`. (#11600)
* Images: Bump `NGINX_BASE` to v0.0.9. (#11599)
* revert module upgrade (#11594)
* README: Fix support matrix. (#11586)
* Repository: Add changelogs from `release-v1.10`. (#11587)
### Dependency updates:
* Bump k8s.io/apiextensions-apiserver from 0.31.3 to 0.32.0 (#12566)
* Bump github.com/onsi/ginkgo/v2 from 2.22.0 to 2.22.1 (#12555)
* Bump k8s.io/code-generator from 0.31.3 to 0.32.0 (#12550)
* Bump k8s.io/cli-runtime from 0.31.3 to 0.32.0 (#12547)
* Bump k8s.io/apiserver from 0.31.3 to 0.32.0 (#12544)
* Bump the actions group with 2 updates (#12541)
* Bump google.golang.org/grpc from 1.68.1 to 1.69.2 (#12538)
* Bump k8s.io/client-go from 0.31.3 to 0.32.0 (#12512)
* Bump github.com/opencontainers/runc from 1.2.2 to 1.2.3 in the go group across 1 directory (#12509)
* Bump the actions group with 3 updates (#12506)
* Bump k8s.io/kube-aggregator from 0.31.3 to 0.32.0 in /images/kube-webhook-certgen/rootfs (#12505)
* Bump k8s.io/apimachinery from 0.31.3 to 0.32.0 in /images/ext-auth-example-authsvc/rootfs (#12502)
* Bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#12476)
* Bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /magefiles (#12472)
* Bump github.com/prometheus/common from 0.60.1 to 0.61.0 (#12464)
* Bump github/codeql-action from 3.27.5 to 3.27.6 in the actions group (#12461)
* Bump the go group across 1 directory with 2 updates (#12460)
* Bump github.com/onsi/ginkgo/v2 from 2.21.0 to 2.22.0 (#12426)
* Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#12418)
* Bump the go group across 3 directories with 10 updates (#12413)
* Bump the actions group with 3 updates (#12412)
* Bump github.com/opencontainers/runc from 1.2.1 to 1.2.2 in the go group across 1 directory (#12380)
* Bump github/codeql-action from 3.27.1 to 3.27.4 in the actions group (#12373)
* Bump golangci-lint on actions and disable deprecated linters (#12361)
* Bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#12357)
* Bump the actions group with 3 updates (#12354)
* Bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#12349)
* Bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 (#12299)
* Bump github.com/opencontainers/runc from 1.2.0 to 1.2.1 in the go group across 1 directory (#12296)
* Bump github.com/onsi/ginkgo/v2 from 2.20.2 to 2.21.0 (#12288)
* Bump actions/dependency-review-action from 4.3.5 to 4.4.0 in the actions group (#12273)
* Bump the go group across 3 directories with 11 updates (#12244)
* Bump github.com/opencontainers/runc from 1.1.15 to 1.2.0 (#12242)
* Bump the actions group with 5 updates (#12236)
* Bump github.com/ncabatoff/process-exporter from 0.8.3 to 0.8.4 in the go group across 1 directory (#12218)
* Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 in the actions group (#12217)
* Bump github/codeql-action from 3.26.12 to 3.26.13 in the actions group (#12188)
* Bump the go group across 2 directories with 1 update (#12186)
* Bump the actions group with 2 updates (#12180)
* Bump github.com/opencontainers/runc from 1.1.14 to 1.1.15 in the go group across 1 directory (#12178)
* Bump the actions group with 3 updates (#12152)
* Bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#12107)
* Bump the actions group with 3 updates (#12092)
* Bump sigs.k8s.io/mdtoc from 1.1.0 to 1.4.0 (#12062)
* Bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#12060)
* Bump google.golang.org/grpc from 1.67.0 to 1.67.1 in the go group across 1 directory (#12059)
* Bump k8s.io/cli-runtime from 0.30.0 to 0.31.1 (#12061)
* Bump github/codeql-action from 3.26.9 to 3.26.10 in the actions group (#12051)
* Bump the go group across 1 directory with 3 updates (#12050)
* Bump k8s.io/kube-aggregator from 0.29.3 to 0.31.1 in /images/kube-webhook-certgen/rootfs (#12043)
* Bump k8s.io/apimachinery from 0.23.1 to 0.31.1 in /images/ext-auth-example-authsvc/rootfs (#12041)
* Bump github.com/prometheus/client_golang from 1.11.1 to 1.20.4 in /images/custom-error-pages/rootfs (#12040)
* Bump the all group with 2 updates (#12032)
* Bump github/codeql-action from 3.26.7 to 3.26.8 in the all group (#12010)
* Bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#12009)
* Bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group (#12008)
* Bump the all group with 2 updates (#11977)
* Bump github/codeql-action from 3.26.6 to 3.26.7 in the all group (#11976)
* Bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#11954)
* Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (#11955)
* Bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group (#11953)
* Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#11928)
* Bump the all group with 2 updates (#11922)
* Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.20.2 in the all group (#11901)
* Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#11902)
* Bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#11903)
* Bump github/codeql-action from 3.26.5 to 3.26.6 in the all group (#11904)
* Bump the all group with 2 updates (#11865)
* Bump github/codeql-action from 3.26.2 to 3.26.5 in the all group (#11867)
* Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 (#11832)
* Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.0 (#11823)
* Bump dario.cat/mergo from 1.0.0 to 1.0.1 in the all group (#11822)
* Bump k8s.io/component-base from 0.30.3 to 0.31.0 (#11825)
* Bump github/codeql-action from 3.26.0 to 3.26.2 in the all group (#11826)
* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11766)
* Bump the all group with 2 updates (#11767)
* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11765)
* Bump the all group with 3 updates (#11727)
* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11696)
* Bump the all group with 2 updates (#11695)
* Bump the all group with 4 updates (#11673)
* Bump the all group with 2 updates (#11672)
* Bump github.com/prometheus/common from 0.54.0 to 0.55.0 (#11522)
* Bump the all group with 5 updates (#11611)
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.0...controller-v1.12.0

9
charts/ingress-nginx/Chart.yaml
View file

@ -1,9 +1,10 @@
annotations:
artifacthub.io/changes: |
- Update Ingress-Nginx version controller-v1.11.2
- 'CI: Fix chart testing. (#12258)'
- Update Ingress-Nginx version controller-v1.12.0
artifacthub.io/prerelease: "false"
apiVersion: v2
appVersion: 1.11.2
appVersion: 1.12.0
description: Ingress controller for Kubernetes using NGINX as a reverse proxy and
load balancer
home: https://github.com/kubernetes/ingress-nginx
@ -15,11 +16,9 @@ kubeVersion: '>=1.21.0-0'
maintainers:
- name: cpanato
- name: Gacko
- name: puerco
- name: rikatz
- name: strongjz
- name: tao12345666333
name: ingress-nginx
sources:
- https://github.com/kubernetes/ingress-nginx
version: 4.11.2
version: 4.12.0

6
charts/ingress-nginx/OWNERS
View file

@ -1,10 +1,4 @@
# See the OWNERS docs: https://www.kubernetes.dev/docs/guide/owners
approvers:
- ingress-nginx-helm-maintainers
reviewers:
- ingress-nginx-helm-reviewers
labels:
- area/helm

71
charts/ingress-nginx/README.md
View file

@ -2,7 +2,7 @@
[ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
![Version: 4.11.2](https://img.shields.io/badge/Version-4.11.2-informational?style=flat-square) ![AppVersion: 1.11.2](https://img.shields.io/badge/AppVersion-1.11.2-informational?style=flat-square)
![Version: 4.12.0](https://img.shields.io/badge/Version-4.12.0-informational?style=flat-square) ![AppVersion: 1.12.0](https://img.shields.io/badge/AppVersion-1.12.0-informational?style=flat-square)
To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
@ -229,6 +229,24 @@ Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13
As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered.
### Pod Security Admission
You can use Pod Security Admission by applying labels to the `ingress-nginx` namespace as instructed by the [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels).
Example:
```yaml
apiVersion: v1
kind: Namespace
metadata:
name: ingress-nginx
labels:
kubernetes.io/metadata.name: ingress-nginx
name: ingress-nginx
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/enforce-version: v1.31
```
## Values
| Key | Type | Default | Description |
@ -244,7 +262,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.admissionWebhooks.createSecretJob.resources | object | `{}` | |
| controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers |
| controller.admissionWebhooks.enabled | bool | `true` | |
| controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one |
| controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set |
| controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use |
| controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` | |
@ -253,11 +270,10 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.admissionWebhooks.namespaceSelector | object | `{}` | |
| controller.admissionWebhooks.objectSelector | object | `{}` | |
| controller.admissionWebhooks.patch.enabled | bool | `true` | |
| controller.admissionWebhooks.patch.image.digest | string | `"sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3"` | |
| controller.admissionWebhooks.patch.image.digest | string | `"sha256:0de05718b59dc33b57ddfb4d8ad5f637cefd13eafdec0e1579d782b3483c27c3"` | |
| controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | |
| controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | |
| controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | |
| controller.admissionWebhooks.patch.image.tag | string | `"v1.4.3"` | |
| controller.admissionWebhooks.patch.image.tag | string | `"v1.5.1"` | |
| controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
| controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
| controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | |
@ -307,12 +323,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.enableAnnotationValidations | bool | `true` | |
| controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # |
| controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false |
| controller.existingPsp | string | `""` | Use an existing PSP instead of creating one |
| controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use |
| controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. |
| controller.extraEnvs | list | `[]` | Additional environment variables to set |
| controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. |
| controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module |
| controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. |
| controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. |
| controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. |
| controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. |
@ -325,17 +340,16 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.hostname | object | `{}` | Optionally customize the pod hostname. |
| controller.image.allowPrivilegeEscalation | bool | `false` | |
| controller.image.chroot | bool | `false` | |
| controller.image.digest | string | `"sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce"` | |
| controller.image.digestChroot | string | `"sha256:21b55a2f0213a18b91612a8c0850167e00a8e34391fd595139a708f9c047e7a8"` | |
| controller.image.digest | string | `"sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa"` | |
| controller.image.digestChroot | string | `"sha256:87c88e1c38a6c8d4483c8f70b69e2cca49853bb3ec3124b9b1be648edf139af3"` | |
| controller.image.image | string | `"ingress-nginx/controller"` | |
| controller.image.pullPolicy | string | `"IfNotPresent"` | |
| controller.image.readOnlyRootFilesystem | bool | `false` | |
| controller.image.registry | string | `"registry.k8s.io"` | |
| controller.image.runAsGroup | int | `82` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) |
| controller.image.runAsNonRoot | bool | `true` | |
| controller.image.runAsUser | int | `101` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) |
| controller.image.seccompProfile.type | string | `"RuntimeDefault"` | |
| controller.image.tag | string | `"v1.11.2"` | |
| controller.image.tag | string | `"v1.12.0"` | |
| controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
| controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
| controller.ingressClassResource | object | `{"aliases":[],"annotations":{},"controllerValue":"k8s.io/ingress-nginx","default":false,"enabled":true,"name":"nginx","parameters":{}}` | This section refers to the creation of the IngressClass resource. IngressClasses are immutable and cannot be changed after creation. We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required. |
@ -376,6 +390,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.metrics.prometheusRule.enabled | bool | `false` | |
| controller.metrics.prometheusRule.rules | list | `[]` | |
| controller.metrics.service.annotations | object | `{}` | |
| controller.metrics.service.enabled | bool | `true` | Enable the metrics service or not. |
| controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
| controller.metrics.service.labels | object | `{}` | Labels to be added to the metrics service resource |
| controller.metrics.service.loadBalancerSourceRanges | list | `[]` | |
@ -384,36 +399,27 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.metrics.serviceMonitor.additionalLabels | object | `{}` | |
| controller.metrics.serviceMonitor.annotations | object | `{}` | Annotations to be added to the ServiceMonitor. |
| controller.metrics.serviceMonitor.enabled | bool | `false` | |
| controller.metrics.serviceMonitor.labelLimit | int | `0` | Per-scrape limit on number of labels that will be accepted for a sample. |
| controller.metrics.serviceMonitor.labelNameLengthLimit | int | `0` | Per-scrape limit on length of labels name that will be accepted for a sample. |
| controller.metrics.serviceMonitor.labelValueLengthLimit | int | `0` | Per-scrape limit on length of labels value that will be accepted for a sample. |
| controller.metrics.serviceMonitor.metricRelabelings | list | `[]` | |
| controller.metrics.serviceMonitor.namespace | string | `""` | |
| controller.metrics.serviceMonitor.namespaceSelector | object | `{}` | |
| controller.metrics.serviceMonitor.relabelings | list | `[]` | |
| controller.metrics.serviceMonitor.sampleLimit | int | `0` | Defines a per-scrape limit on the number of scraped samples that will be accepted. |
| controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` | |
| controller.metrics.serviceMonitor.targetLabels | list | `[]` | |
| controller.metrics.serviceMonitor.targetLimit | int | `0` | Defines a limit on the number of scraped targets that will be accepted. |
| controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. |
| controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
| controller.name | string | `"controller"` | |
| controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
| controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | |
| controller.opentelemetry.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | |
| controller.opentelemetry.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | |
| controller.opentelemetry.containerSecurityContext.runAsGroup | int | `65532` | |
| controller.opentelemetry.containerSecurityContext.runAsNonRoot | bool | `true` | |
| controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. |
| controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| controller.opentelemetry.enabled | bool | `false` | |
| controller.opentelemetry.image.digest | string | `"sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922"` | |
| controller.opentelemetry.image.distroless | bool | `true` | |
| controller.opentelemetry.image.image | string | `"ingress-nginx/opentelemetry-1.25.3"` | |
| controller.opentelemetry.image.registry | string | `"registry.k8s.io"` | |
| controller.opentelemetry.image.tag | string | `"v20240813-b933310d"` | |
| controller.opentelemetry.name | string | `"opentelemetry"` | |
| controller.opentelemetry.resources | object | `{}` | |
| controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # |
| controller.podLabels | object | `{}` | Labels to add to the pod container metadata |
| controller.podSecurityContext | object | `{}` | Security context for controller pods |
| controller.priorityClassName | string | `""` | |
| controller.progressDeadlineSeconds | int | `0` | Specifies the number of seconds you want to wait for the controller deployment to progress before the system reports back that it has failed. Ref.: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds |
| controller.proxySetHeaders | object | `{}` | Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers |
| controller.publishService | object | `{"enabled":true,"pathOverride":""}` | Allows customization of the source of the IP address or FQDN to report in the ingress status field. By default, it reads the information provided by the service. If disable, the status field reports the IP address of the node or nodes where an ingress controller pod is running. |
| controller.publishService.enabled | bool | `true` | Enable 'publishService' or not |
@ -436,6 +442,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.service.annotations | object | `{}` | Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service. |
| controller.service.appProtocol | bool | `true` | Declare the app protocol of the external HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol |
| controller.service.clusterIP | string | `""` | Pre-defined cluster internal IP address of the external controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
| controller.service.clusterIPs | list | `[]` | Pre-defined cluster internal IP addresses of the external controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
| controller.service.enableHttp | bool | `true` | Enable the HTTP listener on both controller services or not. |
| controller.service.enableHttps | bool | `true` | Enable the HTTPS listener on both controller services or not. |
| controller.service.enabled | bool | `true` | Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service. |
@ -445,6 +452,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.service.internal.annotations | object | `{}` | Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer |
| controller.service.internal.appProtocol | bool | `true` | Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol |
| controller.service.internal.clusterIP | string | `""` | Pre-defined cluster internal IP address of the internal controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
| controller.service.internal.clusterIPs | list | `[]` | Pre-defined cluster internal IP addresses of the internal controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
| controller.service.internal.enabled | bool | `false` | Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this. |
| controller.service.internal.externalIPs | list | `[]` | List of node IP addresses at which the internal controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips |
| controller.service.internal.externalTrafficPolicy | string | `""` | External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
@ -460,6 +468,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.service.internal.ports | object | `{}` | |
| controller.service.internal.sessionAffinity | string | `""` | Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity |
| controller.service.internal.targetPorts | object | `{}` | |
| controller.service.internal.trafficDistribution | string | `""` | Traffic distribution policy of the internal controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution |
| controller.service.internal.type | string | `""` | Type of the internal controller service. Defaults to the value of `controller.service.type`. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
| controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
| controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
@ -476,6 +485,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.service.sessionAffinity | string | `""` | Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity |
| controller.service.targetPorts.http | string | `"http"` | Port of the ingress controller the external HTTP listener is mapped to. |
| controller.service.targetPorts.https | string | `"https"` | Port of the ingress controller the external HTTPS listener is mapped to. |
| controller.service.trafficDistribution | string | `""` | Traffic distribution policy of the external controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution |
| controller.service.type | string | `"LoadBalancer"` | Type of the external controller service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
| controller.shareProcessNamespace | bool | `false` | |
| controller.sysctls | object | `{}` | sysctls for controller pods # Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ |
@ -486,6 +496,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. # Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ # |
| controller.udp.annotations | object | `{}` | Annotations to be added to the udp config configmap |
| controller.udp.configMapNamespace | string | `""` | Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) |
| controller.unhealthyPodEvictionPolicy | string | `""` | Eviction policy for unhealthy pods guarded by PodDisruptionBudget. Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ |
| controller.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
| controller.watchIngressWithoutClass | bool | `false` | Process Ingress objects without ingressClass annotation/ingressClassName field Overrides value for --watch-ingress-without-class flag of the controller binary Defaults to false |
| defaultBackend.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity |
@ -497,7 +508,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` | |
| defaultBackend.containerSecurityContext | object | `{}` | Security context for default backend containers |
| defaultBackend.enabled | bool | `false` | |
| defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one |
| defaultBackend.extraArgs | object | `{}` | |
| defaultBackend.extraConfigMaps | list | `[]` | |
| defaultBackend.extraEnvs | list | `[]` | Additional environment variables to set for defaultBackend pods |
@ -507,7 +517,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.image.image | string | `"defaultbackend-amd64"` | |
| defaultBackend.image.pullPolicy | string | `"IfNotPresent"` | |
| defaultBackend.image.readOnlyRootFilesystem | bool | `true` | |
| defaultBackend.image.registry | string | `"registry.k8s.io"` | |
| defaultBackend.image.runAsGroup | int | `65534` | |
| defaultBackend.image.runAsNonRoot | bool | `true` | |
| defaultBackend.image.runAsUser | int | `65534` | |
@ -519,7 +528,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.livenessProbe.periodSeconds | int | `10` | |
| defaultBackend.livenessProbe.successThreshold | int | `1` | |
| defaultBackend.livenessProbe.timeoutSeconds | int | `5` | |
| defaultBackend.minAvailable | int | `1` | |
| defaultBackend.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. |
| defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
| defaultBackend.name | string | `"defaultbackend"` | |
| defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
@ -537,6 +546,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.replicaCount | int | `1` | |
| defaultBackend.resources | object | `{}` | |
| defaultBackend.service.annotations | object | `{}` | |
| defaultBackend.service.clusterIPs | list | `[]` | Pre-defined cluster internal IP addresses of the default backend service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
| defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
| defaultBackend.service.loadBalancerSourceRanges | list | `[]` | |
| defaultBackend.service.servicePort | int | `80` | |
@ -546,11 +556,12 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.serviceAccount.name | string | `""` | |
| defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # |
| defaultBackend.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. Ref.: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ |
| defaultBackend.unhealthyPodEvictionPolicy | string | `""` | Eviction policy for unhealthy pods guarded by PodDisruptionBudget. Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ |
| defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
| dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param |
| global.image.registry | string | `"registry.k8s.io"` | Registry host to pull images from. |
| imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
| namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace |
| podSecurityPolicy.enabled | bool | `false` | |
| portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration |
| rbac.create | bool | `true` | |
| rbac.scope | bool | `false` | |

18
charts/ingress-nginx/README.md.gotmpl
View file

@ -226,4 +226,22 @@ Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13
As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered.
### Pod Security Admission
You can use Pod Security Admission by applying labels to the `ingress-nginx` namespace as instructed by the [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels).
Example:
```yaml
apiVersion: v1
kind: Namespace
metadata:
name: ingress-nginx
labels:
kubernetes.io/metadata.name: ingress-nginx
name: ingress-nginx
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/enforce-version: v1.31
```
{{ template "chart.valuesSection" . }}

9
charts/ingress-nginx/changelog/helm-chart-4.10.5.md Normal file
View file

@ -0,0 +1,9 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.10.5
* Update Ingress-Nginx version controller-v1.10.5
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.4...helm-chart-4.10.5

10
charts/ingress-nginx/changelog/helm-chart-4.10.6.md Normal file
View file

@ -0,0 +1,10 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.10.6
* CI: Fix chart testing. (#12260)
* Update Ingress-Nginx version controller-v1.10.6
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.5...helm-chart-4.10.6

9
charts/ingress-nginx/changelog/helm-chart-4.11.3.md Normal file
View file

@ -0,0 +1,9 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.11.3
* Update Ingress-Nginx version controller-v1.11.3
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.2...helm-chart-4.11.3

10
charts/ingress-nginx/changelog/helm-chart-4.11.4.md Normal file
View file

@ -0,0 +1,10 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.11.4
* CI: Fix chart testing. (#12259)
* Update Ingress-Nginx version controller-v1.11.4
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.3...helm-chart-4.11.4

9
charts/ingress-nginx/changelog/helm-chart-4.12.0-beta.0.md Normal file
View file

@ -0,0 +1,9 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.12.0-beta.0
* Update Ingress-Nginx version controller-v1.12.0-beta.0
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.0...helm-chart-4.12.0-beta.0

10
charts/ingress-nginx/changelog/helm-chart-4.12.0.md Normal file
View file

@ -0,0 +1,10 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.12.0
* CI: Fix chart testing. (#12258)
* Update Ingress-Nginx version controller-v1.12.0
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.0...helm-chart-4.12.0

8
charts/ingress-nginx/ci/deamonset-default-values.yaml → charts/ingress-nginx/ci/admission-webhooks-cert-manager-values.yaml
View file

@ -1,10 +1,12 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
admissionWebhooks:
certManager:
enabled: true

6
charts/ingress-nginx/ci/controller-admission-tls-cert-manager-values.yaml
View file

@ -1,6 +0,0 @@
controller:
admissionWebhooks:
certManager:
enabled: true
service:
type: ClusterIP

5
charts/ingress-nginx/ci/deployment-default-values.yaml → charts/ingress-nginx/ci/controller-configmap-addheaders-values.yaml
View file

@ -1,8 +1,11 @@
# Left blank to test default values
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
addHeaders:
X-Frame-Options: deny

11
charts/ingress-nginx/ci/controller-configmap-proxyheaders-values.yaml Normal file
View file

@ -0,0 +1,11 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
proxySetHeaders:
X-Forwarded-Proto: https

11
charts/ingress-nginx/ci/controller-configmap-values.yaml Normal file
View file

@ -0,0 +1,11 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
config:
use-proxy-protocol: "true"

7
charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml
View file

@ -1,7 +0,0 @@
controller:
watchIngressWithoutClass: true
ingressClassResource:
name: custom-nginx
enabled: true
default: true
controllerValue: "k8s.io/custom-nginx"

9
charts/ingress-nginx/ci/deamonset-webhook-values.yaml → charts/ingress-nginx/ci/controller-daemonset-metrics-values.yaml
View file

@ -1,10 +1,13 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: true
service:
type: ClusterIP
kind: DaemonSet
metrics:
enabled: true

13
charts/ingress-nginx/ci/daemonset-podannotations-values.yaml → charts/ingress-nginx/ci/controller-daemonset-podannotations-values.yaml
View file

@ -1,17 +1,16 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
metrics:
enabled: true
service:
type: ClusterIP
kind: DaemonSet
podAnnotations:
prometheus.io/path: /metrics
prometheus.io/scrape: "true"
prometheus.io/port: "10254"
prometheus.io/scheme: http
prometheus.io/scrape: "true"
prometheus.io/path: /metrics

4
charts/ingress-nginx/ci/deployment-psp-values.yaml → charts/ingress-nginx/ci/controller-daemonset-values.yaml
View file

@ -3,8 +3,8 @@ controller:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
podSecurityPolicy:
enabled: true
kind: DaemonSet

8
charts/ingress-nginx/ci/deployment-webhook-values.yaml → charts/ingress-nginx/ci/controller-deployment-metrics-values.yaml
View file

@ -3,7 +3,11 @@ controller:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: true
service:
type: ClusterIP
kind: Deployment
metrics:
enabled: true

12
charts/ingress-nginx/ci/deployment-podannotations-values.yaml → charts/ingress-nginx/ci/controller-deployment-podannotations-values.yaml
View file

@ -3,14 +3,14 @@ controller:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
metrics:
enabled: true
service:
type: ClusterIP
kind: Deployment
podAnnotations:
prometheus.io/path: /metrics
prometheus.io/scrape: "true"
prometheus.io/port: "10254"
prometheus.io/scheme: http
prometheus.io/scrape: "true"
prometheus.io/path: /metrics

5
charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml → charts/ingress-nginx/ci/controller-deployment-values.yaml
View file

@ -3,7 +3,8 @@ controller:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
opentelemetry:
enabled: true
kind: Deployment

12
charts/ingress-nginx/ci/deployment-autoscaling-behavior-values.yaml → charts/ingress-nginx/ci/controller-hpa-values.yaml
View file

@ -1,4 +1,12 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
autoscaling:
enabled: true
behavior:
@ -8,7 +16,3 @@ controller:
- type: Pods
value: 1
periodSeconds: 180
admissionWebhooks:
enabled: false
service:
type: ClusterIP

15
charts/ingress-nginx/ci/controller-ingressclass-values.yaml Normal file
View file

@ -0,0 +1,15 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
ingressClassResource:
name: custom-nginx
default: true
controllerValue: k8s.io/custom-nginx
watchIngressWithoutClass: true

5
charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml → charts/ingress-nginx/ci/controller-service-internal-values.yaml
View file

@ -1,13 +1,12 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
internal:
enabled: true
annotations:

10
charts/ingress-nginx/ci/deployment-customnodeport-values.yaml → charts/ingress-nginx/ci/controller-service-values.yaml
View file

@ -3,18 +3,20 @@ controller:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: NodePort
nodePorts:
tcp:
9000: 30090
udp:
9001: 30091
portNamePrefix: port
tcp:
9000: "default/test:8080"
9000: default/test:8080
udp:
9001: "default/test:8080"
9001: default/test:8080

14
charts/ingress-nginx/ci/daemonset-customconfig-values.yaml
View file

@ -1,14 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
kind: DaemonSet
allowSnippetAnnotations: false
admissionWebhooks:
enabled: false
service:
type: ClusterIP
config:
use-proxy-protocol: "true"

22
charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml
View file

@ -1,22 +0,0 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: NodePort
nodePorts:
tcp:
9000: 30090
udp:
9001: 30091
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"

13
charts/ingress-nginx/ci/daemonset-extra-modules.yaml
View file

@ -1,13 +0,0 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
service:
type: ClusterIP
extraModules:
- name: opentelemetry
image:
registry: registry.k8s.io
image: busybox
tag: latest

14
charts/ingress-nginx/ci/daemonset-headers-values.yaml
View file

@ -1,14 +0,0 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
addHeaders:
X-Frame-Options: deny
proxySetHeaders:
X-Forwarded-Proto: https
service:
type: ClusterIP

10
charts/ingress-nginx/ci/daemonset-nodeport-values.yaml
View file

@ -1,10 +0,0 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: NodePort

20
charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml
View file

@ -1,20 +0,0 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
tcp:
configMapNamespace: default
udp:
configMapNamespace: default
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"

18
charts/ingress-nginx/ci/daemonset-tcp-udp-portNamePrefix-values.yaml
View file

@ -1,18 +0,0 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"
portNamePrefix: "port"

16
charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml
View file

@ -1,16 +0,0 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"

14
charts/ingress-nginx/ci/daemonset-tcp-values.yaml
View file

@ -1,14 +0,0 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
tcp:
9000: "default/test:8080"
9001: "default/test:8080"

12
charts/ingress-nginx/ci/deamonset-metrics-values.yaml
View file

@ -1,12 +0,0 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
metrics:
enabled: true
service:
type: ClusterIP

13
charts/ingress-nginx/ci/deamonset-psp-values.yaml
View file

@ -1,13 +0,0 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
podSecurityPolicy:
enabled: true

13
charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml
View file

@ -1,13 +0,0 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: true
service:
type: ClusterIP
podSecurityPolicy:
enabled: true

11
charts/ingress-nginx/ci/deployment-autoscaling-values.yaml
View file

@ -1,11 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
autoscaling:
enabled: true
admissionWebhooks:
enabled: false
service:
type: ClusterIP

12
charts/ingress-nginx/ci/deployment-customconfig-values.yaml
View file

@ -1,12 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
config:
use-proxy-protocol: "true"
allowSnippetAnnotations: false
admissionWebhooks:
enabled: false
service:
type: ClusterIP

15
charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml
View file

@ -1,15 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
containerSecurityContext:
allowPrivilegeEscalation: false
extraModules:
- name: opentelemetry
image:
registry: registry.k8s.io
image: busybox
tag: latest

15
charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml
View file

@ -1,15 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
extraModules:
- name: opentelemetry
image:
registry: registry.k8s.io
image: busybox
tag: latest
containerSecurityContext:
allowPrivilegeEscalation: false

13
charts/ingress-nginx/ci/deployment-extra-modules.yaml
View file

@ -1,13 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
extraModules:
- name: opentelemetry
image:
registry: registry.k8s.io
image: busybox
tag: latest

13
charts/ingress-nginx/ci/deployment-headers-values.yaml
View file

@ -1,13 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
addHeaders:
X-Frame-Options: deny
proxySetHeaders:
X-Forwarded-Proto: https
service:
type: ClusterIP

19
charts/ingress-nginx/ci/deployment-internal-lb-values.yaml
View file

@ -1,19 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
internal:
enabled: true
annotations:
service.beta.kubernetes.io/aws-load-balancer-internal: "true"
ports:
http: 443
https: 80
targetPorts:
http: 443
https: 80

11
charts/ingress-nginx/ci/deployment-metrics-values.yaml
View file

@ -1,11 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
metrics:
enabled: true
service:
type: ClusterIP

9
charts/ingress-nginx/ci/deployment-nodeport-values.yaml
View file

@ -1,9 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: NodePort

19
charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml
View file

@ -1,19 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
tcp:
configMapNamespace: default
udp:
configMapNamespace: default
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"

17
charts/ingress-nginx/ci/deployment-tcp-udp-portNamePrefix-values.yaml
View file

@ -1,17 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"
portNamePrefix: "port"

15
charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml
View file

@ -1,15 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"

11
charts/ingress-nginx/ci/deployment-tcp-values.yaml
View file

@ -1,11 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
tcp:
9000: "default/test:8080"
9001: "default/test:8080"

12
charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml
View file

@ -1,12 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: true
service:
type: ClusterIP
podSecurityPolicy:
enabled: true

12
charts/ingress-nginx/ci/deployment-webhook-extraEnvs-values.yaml
View file

@ -1,12 +0,0 @@
controller:
service:
type: ClusterIP
admissionWebhooks:
enabled: true
extraEnvs:
- name: FOO
value: foo
- name: TEST
value: test
patch:
enabled: true

23
charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml
View file

@ -1,23 +0,0 @@
controller:
service:
type: ClusterIP
admissionWebhooks:
enabled: true
createSecretJob:
resources:
limits:
cpu: 10m
memory: 20Mi
requests:
cpu: 10m
memory: 20Mi
patchWebhookJob:
resources:
limits:
cpu: 10m
memory: 20Mi
requests:
cpu: 10m
memory: 20Mi
patch:
enabled: true

13
charts/ingress-nginx/templates/_helpers.tpl
View file

@ -204,7 +204,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- end -}}
{{/*
Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
Create the name of the default backend service account to use
*/}}
{{- define "ingress-nginx.defaultBackend.serviceAccountName" -}}
{{- if .Values.defaultBackend.serviceAccount.create -}}
@ -235,17 +235,6 @@ readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem }
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiGroup for PodSecurityPolicy.
*/}}
{{- define "podSecurityPolicy.apiGroup" -}}
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "policy" -}}
{{- else -}}
{{- print "extensions" -}}
{{- end -}}
{{- end -}}
{{/*
Extra modules.
*/}}

2
charts/ingress-nginx/templates/_params.tpl
View file

@ -54,7 +54,7 @@
{{- if .Values.controller.watchIngressWithoutClass }}
- --watch-ingress-without-class=true
{{- end }}
{{- if not .Values.controller.metrics.enabled }}
{{- if .Values.controller.metrics.enabled }}
- --enable-metrics={{ .Values.controller.metrics.enabled }}
{{- end }}
{{- if .Values.controller.enableTopologyAwareRouting }}

10
charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
View file

@ -20,14 +20,4 @@ rules:
verbs:
- get
- update
{{- if .Values.podSecurityPolicy.enabled }}
- apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
resources: ['podsecuritypolicies']
verbs: ['use']
{{- with .Values.controller.admissionWebhooks.existingPsp }}
resourceNames: [{{ . }}]
{{- else }}
resourceNames: [{{ include "ingress-nginx.admissionWebhooks.fullname" . }}]
{{- end }}
{{- end }}
{{- end }}

3
charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
View file

@ -42,7 +42,7 @@ spec:
{{- end }}
containers:
- name: create
{{- with .Values.controller.admissionWebhooks.patch.image }}
{{- with (merge .Values.controller.admissionWebhooks.patch.image .Values.global.image) }}
image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
{{- end }}
imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
@ -67,6 +67,7 @@ spec:
{{- end }}
restartPolicy: OnFailure
serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken }}
{{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
{{- end }}

3
charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
View file

@ -42,7 +42,7 @@ spec:
{{- end }}
containers:
- name: patch
{{- with .Values.controller.admissionWebhooks.patch.image }}
{{- with (merge .Values.controller.admissionWebhooks.patch.image .Values.global.image) }}
image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
{{- end }}
imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
@ -69,6 +69,7 @@ spec:
{{- end }}
restartPolicy: OnFailure
serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken }}
{{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
{{- end }}

52
charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
View file

@ -1,52 +0,0 @@
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
{{- if and .Values.podSecurityPolicy.enabled .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
{{- with .Values.controller.admissionWebhooks.patch.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
privileged: false
hostPID: false
hostIPC: false
hostNetwork: false
volumes:
- configMap
- downwardAPI
- emptyDir
- secret
- projected
fsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: true
runAsUser:
rule: MustRunAsNonRoot
runAsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
seLinux:
rule: RunAsAny
{{- end }}
{{- end }}

21
charts/ingress-nginx/templates/controller-daemonset.yaml
View file

@ -75,7 +75,7 @@ spec:
{{- end }}
containers:
- name: {{ .Values.controller.containerName }}
{{- with .Values.controller.image }}
{{- with (merge .Values.controller.image .Values.global.image) }}
image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}
{{- end }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
@ -144,9 +144,9 @@ spec:
hostPort: {{ $key }}
{{- end }}
{{- end }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }}
volumeMounts:
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
{{- if .Values.controller.extraModules }}
- name: modules
{{- if .Values.controller.image.chroot }}
mountPath: /chroot/modules_mount
@ -174,7 +174,7 @@ spec:
{{- if .Values.controller.extraContainers }}
{{- toYaml .Values.controller.extraContainers | nindent 8 }}
{{- end }}
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }}
initContainers:
{{- if .Values.controller.extraInitContainers }}
{{- toYaml .Values.controller.extraInitContainers | nindent 8 }}
@ -182,13 +182,7 @@ spec:
{{- if .Values.controller.extraModules }}
{{- range .Values.controller.extraModules }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.controller.opentelemetry.enabled }}
{{- with .Values.controller.opentelemetry }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- include "extraModules" (dict "name" .name "image" (merge .image $.Values.global.image) "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}
@ -208,10 +202,11 @@ spec:
topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }}
volumes:
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}}
{{- if .Values.controller.extraModules }}
- name: modules
emptyDir: {}
{{- end }}

24
charts/ingress-nginx/templates/controller-deployment.yaml
View file

@ -22,6 +22,9 @@ spec:
replicas: {{ .Values.controller.replicaCount }}
{{- end }}
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
{{- if .Values.controller.progressDeadlineSeconds }}
progressDeadlineSeconds: {{ .Values.controller.progressDeadlineSeconds }}
{{- end }}
{{- if .Values.controller.updateStrategy }}
strategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }}
{{- end }}
@ -78,7 +81,7 @@ spec:
{{- end }}
containers:
- name: {{ .Values.controller.containerName }}
{{- with .Values.controller.image }}
{{- with (merge .Values.controller.image .Values.global.image) }}
image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}
{{- end }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
@ -147,9 +150,9 @@ spec:
hostPort: {{ $key }}
{{- end }}
{{- end }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }}
volumeMounts:
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
{{- if .Values.controller.extraModules }}
- name: modules
{{- if .Values.controller.image.chroot }}
mountPath: /chroot/modules_mount
@ -177,7 +180,7 @@ spec:
{{- if .Values.controller.extraContainers }}
{{- toYaml .Values.controller.extraContainers | nindent 8 }}
{{- end }}
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }}
initContainers:
{{- if .Values.controller.extraInitContainers }}
{{- toYaml .Values.controller.extraInitContainers | nindent 8 }}
@ -185,13 +188,7 @@ spec:
{{- if .Values.controller.extraModules }}
{{- range .Values.controller.extraModules }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.controller.opentelemetry.enabled }}
{{- with .Values.controller.opentelemetry }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- include "extraModules" (dict "name" .name "image" (merge .image $.Values.global.image) "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}
@ -211,10 +208,11 @@ spec:
topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }}
volumes:
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}}
{{- if .Values.controller.extraModules }}
- name: modules
emptyDir: {}
{{- end }}

3
charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml
View file

@ -32,5 +32,8 @@ spec:
{{- else if .Values.controller.maxUnavailable }}
maxUnavailable: {{ .Values.controller.maxUnavailable }}
{{- end }}
{{- if .Values.controller.unhealthyPodEvictionPolicy }}
unhealthyPodEvictionPolicy: {{ .Values.controller.unhealthyPodEvictionPolicy }}
{{- end }}
{{- end }}
{{- end }}

100
charts/ingress-nginx/templates/controller-psp.yaml
View file

@ -1,100 +0,0 @@
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "ingress-nginx.fullname" . }}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- with .Values.controller.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
privileged: false
hostPID: false
hostIPC: false
hostNetwork: {{ .Values.controller.hostNetwork }}
{{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }}
hostPorts:
{{- if .Values.controller.hostNetwork }}
{{- range $key, $value := .Values.controller.containerPort }}
# controller.containerPort.{{ $key }}
- min: {{ $value }}
max: {{ $value }}
{{- end }}
{{- else if .Values.controller.hostPort.enabled }}
{{- range $key, $value := .Values.controller.hostPort.ports }}
# controller.hostPort.ports.{{ $key }}
- min: {{ $value }}
max: {{ $value }}
{{- end }}
{{- end }}
{{- if .Values.controller.metrics.enabled }}
# controller.metrics.port
- min: {{ .Values.controller.metrics.port }}
max: {{ .Values.controller.metrics.port }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
# controller.admissionWebhooks.port
- min: {{ .Values.controller.admissionWebhooks.port }}
max: {{ .Values.controller.admissionWebhooks.port }}
{{- end }}
{{- range $key, $value := .Values.tcp }}
# tcp.{{ $key }}
- min: {{ $key }}
max: {{ $key }}
{{- end }}
{{- range $key, $value := .Values.udp }}
# udp.{{ $key }}
- min: {{ $key }}
max: {{ $key }}
{{- end }}
{{- end }}
volumes:
- configMap
- downwardAPI
- emptyDir
- secret
- projected
fsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
runAsUser:
rule: MustRunAsNonRoot
runAsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }}
requiredDropCapabilities:
- ALL
allowedCapabilities:
- NET_BIND_SERVICE
{{- if .Values.controller.image.chroot }}
{{- if .Values.controller.image.seccompProfile }}
- SYS_ADMIN
{{- end }}
- SYS_CHROOT
{{- end }}
seLinux:
rule: RunAsAny
{{- if .Values.controller.sysctls }}
allowedUnsafeSysctls:
{{- range $sysctl, $value := .Values.controller.sysctls }}
- {{ $sysctl }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

10
charts/ingress-nginx/templates/controller-role.yaml
View file

@ -91,14 +91,4 @@ rules:
- list
- watch
- get
{{- if .Values.podSecurityPolicy.enabled }}
- apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
resources: ['podsecuritypolicies']
verbs: ['use']
{{- with .Values.controller.existingPsp }}
resourceNames: [{{ . }}]
{{- else }}
resourceNames: [{{ include "ingress-nginx.fullname" . }}]
{{- end }}
{{- end }}
{{- end }}

8
charts/ingress-nginx/templates/controller-service-internal.yaml
View file

@ -19,6 +19,9 @@ spec:
{{- if .Values.controller.service.internal.clusterIP }}
clusterIP: {{ .Values.controller.service.internal.clusterIP }}
{{- end }}
{{- if .Values.controller.service.internal.clusterIPs }}
clusterIPs: {{ toYaml .Values.controller.service.internal.clusterIPs | nindent 4 }}
{{- end }}
{{- if .Values.controller.service.internal.externalIPs }}
externalIPs: {{ toYaml .Values.controller.service.internal.externalIPs | nindent 4 }}
{{- end }}
@ -43,6 +46,11 @@ spec:
{{- if .Values.controller.service.internal.healthCheckNodePort }}
healthCheckNodePort: {{ .Values.controller.service.internal.healthCheckNodePort }}
{{- end }}
{{- if semverCompare ">=1.31.0-0" .Capabilities.KubeVersion.Version -}}
{{- if .Values.controller.service.internal.trafficDistribution }}
trafficDistribution: {{ .Values.controller.service.internal.trafficDistribution }}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version -}}
{{- if .Values.controller.service.internal.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.controller.service.internal.ipFamilyPolicy }}

2
charts/ingress-nginx/templates/controller-service-metrics.yaml
View file

@ -1,4 +1,4 @@
{{- if .Values.controller.metrics.enabled -}}
{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.service.enabled -}}
apiVersion: v1
kind: Service
metadata:

Some files were not shown because too many files have changed in this diff Show more