* added fsGroup to admission createSecret and patchWebhook job
* added fsGroup to admission createSecret and patchWebhook job
* modified helm/README.md to add value for fsGroup
* fixed patch job values ordering
* remove manually edited README for replacement with helm-docs generated version
* re-adding charts/README.md generated by helm-docs
When the ingress controller loads certificates (new ones or following a
secret update), it performs a series of check to ensure its validity.
In our systems, we detected a case where, when the secret object is
compromised, for example when the certificate does not match the secret
key, different pods of the ingress controller are serving a different
version of the certificate.
This behaviour is due to the cache mechanism of the ingress controller,
keeping the last known certificate in case of corruption. When this
happens, old ingress-controller pods will keep serving the old one,
while new pods, by failing to load the corrupted certificates, would
use the default certificate, causing invalid certificates for its
clients.
This generates a random error on the client side, depending on the
actual pod instance it reaches.
In order to allow detecting occurences of those situations, add a metric
to expose, for all ingress controlller pods, detailed informations of
the currently loaded certificate.
This will, for example, allow setting an alert when there is a
certificate discrepency across all ingress controller pods using a query
similar to `sum(nginx_ingress_controller_ssl_certificate_info{host="name.tld"})by(serial_number)`
This also allows to catch other exceptions loading certificates (failing
to load the certificate from the k8s API, ...
Co-authored-by: Daniel Ricart <danielricart@users.noreply.github.com>
Co-authored-by: Daniel Ricart <danielricart@users.noreply.github.com>
* fix inconsistent-label-cardinality
for prometheus metrics: nginx_ingress_controller_requests
* add host to collectorLabels only if metricsPerHost is true
The annotation for the controller class was inconsistent in the example. From my best understanding, I have tried to fix the inconsistency.
Also, removed an incomplete sentence. And made one sentence more clear by breaking it up.
* add explanation about ingressClassResource.default for helm users
Also cleaned up the entire "I have only one instance of the
Ingress-NGINX controller in my cluster" section
* docs: default ingressclass only when running one controller
* fix link to what is the flag watch ingress
* clarify usage of default ingress class annotation
* regenerate at 4.0.12
* bash for loop and static values files
* add .tool-versions
* fixup static manifests with kustomize instead of python
* remove spec.replicas where set
* generate manifests for all supported versions
* update docs
* remove all versions except default (1.20) for now
* update to 1.1.1/4.0.15
* clarify link
* Add section headers
* console blocks
* grpc example json was not valid
* multi-tls update text
The preceding point 1 related to 4f2cb51ef8/ingress/controllers/nginx/examples/ingress.yaml
and the deployments referenced in 4f2cb51ef8/ingress/controllers/nginx/examples/README.md
They are not relevant to the current instructions.
* add whitespace around parens
* grammar
setup would be a proper noun, but it is not the intended concept, which is a state
* grammar
* is-only
* via
* Use bullets for choices
* ingress-controller
nginx is a distinct brand.
generally this repo talks about ingress-controller, although it is quite inconsistent about how...
* drop stray paren
* OAuth is a brand and needs an article here
also GitHub is a brand
* Indent text under numbered lists
* use e.g.
* Document that customer header config maps changes do not trigger updates
This should be removed if
https://github.com/kubernetes/ingress-nginx/issues/5238
is fixed.
* article
* period
* infinitive verb + period
* clarify that the gRPC server is responsible for listening for TCP traffic and not some other part of the backend application
* avoid using ; and reword
* whitespace
* brand: gRPC
* only-does is the right form
`for` adds nothing here
* spelling: GitHub
* punctuation
`;` is generally not the right punctuation...
* drop stray `to`
* sentence
* backticks
* fix link
* Improve readability of compare/vs
* Renumber list
* punctuation
* Favor Ingress-NGINX and Ingress NGINX
* Simplify custom header restart text
* Undo typo damage
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
* remove opentelemetry from main nginx image
* add opentelemetry sidecar image
* handle extra modules in helm chart
* fix running helm chart
* mount the modules volume in the init container
* merge the mounted folder
* fix the otel image
* fix licence year
* fix cloudbuild image
* use the same nginx version as in the main image
* only retrieve /etc/nginx/modules for now
