Bump github.com/spf13/cobra from 1.8.1 to 1.9.1 (#12859 )

Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bump the go group across 3 directories with 11 updates (#12857 )
2025-02-17 04:30:24 -08:00 · 2025-02-17 03:32:22 -08:00 · 2025-02-17 03:16:23 -08:00 · 2025-02-17 02:18:22 -08:00 · 2025-02-15 01:10:20 -08:00 · 2025-02-14 14:48:21 -08:00
1088 changed files with 130649 additions and 80173 deletions
--- a/.codecov.yml
+++ b/.codecov.yml
@ -1,8 +0,0 @@
-coverage:
-  status:
-    project:
-      default:
-        target: 40%
-        threshold: null
-    patch: false
-    changes: false
--- a/rootfs/ingress-controller/clean-nginx-conf.sh
+++ b/rootfs/ingress-controller/clean-nginx-conf.sh
@ -1,6 +1,4 @@
-#!/bin/bash
-
-# Copyright 2017 The Kubernetes Authors.
+# Copyright 2024 The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -13,15 +11,16 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+---
+remote: origin
+target-branch: main

-# This script removes consecutive empty lines in nginx.conf
-# Using sed is more simple than using a go regex
+validate-maintainers: false
+check-version-increment: false

-# Sed commands:
-# 1. remove the return carrier character/s
-# 2. remove empty lines
-# 3. replace multiple empty lines
+chart-repos:
+  - ingress-nginx=https://kubernetes.github.io/ingress-nginx
+helm-extra-args: --timeout 800s

-SCRIPT_ROOT=$(dirname ${BASH_SOURCE})
-
-sed -e 's/\r//g' | sed -e 's/^  *$/\'$'\n/g' | sed -e '/^$/{N;/^\n$/D;}' | ${SCRIPT_ROOT}/indent.sh
+chart-dirs:
+  - charts
--- a/images/grpc-fortune-teller/go.mod
+++ b/images/grpc-fortune-teller/go.mod
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -10,7 +10,8 @@ assignees: ''
 <!--

 Welcome to ingress-nginx!  For a smooth issue process, try to answer the following questions.
-Don't worry if they're not all applicable; just try to include what you can :-)
+Don't worry if they're not all applicable; just try to include what you can :-).
+More info helps better understanding of the issue (needless to say).

 If you need to include code snippets or logs, please put them in fenced code
 blocks.  If they're super-long, please use the details tag like
@ -27,7 +28,22 @@ This questions are the first thing we need to know to understand the context.

 -->

-**NGINX Ingress controller version**:
+**What happened**:
+
+<!-- (please include exact error messages if you can) -->
+
+**What you expected to happen**:
+
+<!-- What do you think went wrong? -->
+
+
+**NGINX Ingress controller version** (exec into the pod and run `/nginx-ingress-controller --version`):
+<!--
+POD_NAMESPACE=ingress-nginx
+POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/name=ingress-nginx --field-selector=status.phase=Running -o jsonpath='{.items[0].metadata.name}')
+
+kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version  
+-->

 **Kubernetes version** (use `kubectl version`):

@ -37,17 +53,36 @@ This questions are the first thing we need to know to understand the context.
 - **OS** (e.g. from /etc/os-release):
 - **Kernel** (e.g. `uname -a`):
 - **Install tools**:
+  - `Please mention how/where was the cluster created like kubeadm/kops/minikube/kind etc. `
+- **Basic cluster related info**:
+  - `kubectl version`
+  - `kubectl get nodes -o wide`
+
+- **How was the ingress-nginx-controller installed**:
+  - If helm was used then please show output of `helm ls -A | grep -i ingress`
+  - If helm was used then please show output of `helm -n <ingresscontrollernamespace> get values <helmreleasename>`
+  - If helm was not used, then copy/paste the complete precise command used to install the controller, along with the flags and options used
+  - if you have more than one instance of the ingress-nginx-controller installed in the same cluster, please provide details for all the instances
+
+- **Current State of the controller**:
+  - `kubectl describe ingressclasses`
+  - `kubectl -n <ingresscontrollernamespace> get all -A -o wide`
+  - `kubectl -n <ingresscontrollernamespace> describe po <ingresscontrollerpodname>`
+  - `kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>`
+
+- **Current state of ingress object, if applicable**:
+  - `kubectl -n <appnamespace> get all,ing -o wide`
+  - `kubectl -n <appnamespace> describe ing <ingressname>`
+  - If applicable, then, your complete and exact curl/grpcurl command (redacted if required) and the reponse to the curl/grpcurl command with the -v flag
+
 - **Others**:
+  - Any other related information like ;
+    - copy/paste of the snippet (if applicable)
+    - `kubectl describe ...` of any custom configmap(s) created and in use
+    - Any other related information that may help

-**What happened**:

-<!-- (please include exact error messages if you can) -->
-
-**What you expected to happen**:
-
-<!-- What do you think went wrong? -->
-
-**How to reproduce it**:
+**How to reproduce this issue**:
 <!---

 As minimally and precisely as possible. Keep in mind we do not have access to your cluster or application.
@ -60,28 +95,34 @@ Help up us (if possible) reproducing the issue using minikube or kind.

 ## Install the ingress controller

-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/baremetal/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/baremetal/deploy.yaml

 ## Install an application that will act as default backend (is just an echo app)

-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/http-svc.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/http-svc.yaml

 ## Create an ingress (please add any additional annotation required)

 echo "
-  apiVersion: networking.k8s.io/v1beta1
+  apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    name: foo-bar
+    annotations:
+      kubernetes.io/ingress.class: nginx
  spec:
+    ingressClassName: nginx # omit this if you're on controller version below 1.0.0
    rules:
    - host: foo.bar
      http:
        paths:
-        - backend:
-            serviceName: http-svc
-            servicePort: 80
-          path: /
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: http-svc
+              port: 
+                number: 80
 " | kubectl apply -f -

 ## make a request
@ -93,6 +134,9 @@ kubectl exec -it -n ingress-nginx $POD_NAME -- curl -H 'Host: foo.bar' localhost

 **Anything else we need to know**:

-<!-- If this is actually about documentation, add `/kind documentation` below -->
+<!-- If this is actually about documentation, uncomment the following block -->

-/kind bug
+<!-- 
+/kind documentation
+/remove-kind bug
+-->
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@ -0,0 +1,4 @@
+contact_links:
+  - name: Support Request/Question 
+    url: https://kubernetes.slack.com/messages/ingress-nginx/
+    about: Support request or question relating to Ingress NGINX in Kubernetes Slack
--- a/.github/ISSUE_TEMPLATE/cve_report.md
+++ b/.github/ISSUE_TEMPLATE/cve_report.md
@ -0,0 +1,20 @@
+---
+name: CVE Finding Report
+about: CVE reporting for ingress-nginx
+title: ''
+labels: kind/bug
+assignees:
+    - Gacko
+    - strongjz
+---
+
+<!-- if you found something that impacts directly ingress-nginx and
+is not a public CVE yet, please reach out security@kubernetes.io" -->
+
+<!-- What scanner and version reported the CVE? -->
+
+<!-- What CVE was reported in the scanner findings? -->
+
+<!-- What versions of the controller did you test with?  -->
+
+<!-- Please provider other details that will help us determine the severity of the issue -->
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@ -7,24 +7,15 @@ assignees: ''

 ---

-<!--
-
-Welcome to ingress-nginx!  For a smooth feature request process, try to
-answer the following questions. Don't worry if they're not all applicable; just
-try to include what you can :-)
-
-If you need to include code snippets or logs, please put them in fenced code
-blocks.  If they're super-long, please use the details tag like
-<details><summary>super-long log</summary> lots of stuff </details>
-
-->
-
 <!-- What do you want to happen? -->

 <!-- Is there currently another issue associated with this? -->

 <!-- Does it require a particular kubernetes version? -->

-<!-- If this is actually about documentation, add `/kind documentation` below -->
+<!-- If this is actually about documentation, uncomment the following block -->

-/kind feature
+<!-- 
+/kind documentation
+/remove-kind feature
+-->
--- a/.github/ISSUE_TEMPLATE/support-question.md
+++ b/.github/ISSUE_TEMPLATE/support-question.md
@ -1,37 +0,0 @@
---
-name: Question
-about: Any questions you might have.
-title: ''
-labels: triage/support
-assignees: ''
-
---
-
-<!--
-
-Welcome to ingress-nginx!
-
-You probably didn't want to be one this page.  It shouldn't really be here anyway.
-
-* If you want a quick response to a question, ask on the Kubernetes Slack instance in #ingress-nginx.
-
-* If this is actually a bug or a feature request, file one of those.  If you're
-  not sure which, just take a guess and we can always re-label.
-
-* If you think this might turn into a bug or feature request, but you're not
-  sure, try asking in Slack first.
-
-->
-
-<!--
-
-Still here?  Double-check that this hasn't been asked before, then put your question below
-with as many details as possible.
-
-If you need to include code snippets or logs, please put them in fenced code
-blocks.  If they're super-long, please use the details tag like
-<details><summary>super-long log</summary> lots of stuff </details>
-
-->
-
-/triage support
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@ -1,5 +1,6 @@
 <!--- Provide a general summary of your changes in the Title above --->
 <!--- Please don't @-mention people in PR or commit messages (do so in an additional comment). --->
+<!--- Please make sure you title is descriptive, it is used in the Release notes to let others know what it does ---> 

 ## What this PR does / why we need it:
 <!--- Why is this change required? What problem does it solve? -->
@ -9,7 +10,9 @@
 <!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: -->
 - [ ] Bug fix (non-breaking change which fixes an issue)
 - [ ] New feature (non-breaking change which adds functionality)
+- [ ] CVE Report (Scanner found CVE and adding report)
 - [ ] Breaking change (fix or feature that would cause existing functionality to change)
+- [ ] Documentation only

 ## Which issue/s this PR fixes
 <!--
@ -28,6 +31,6 @@ fixes #
 <!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
 - [ ] My change requires a change to the documentation.
 - [ ] I have updated the documentation accordingly.
- [ ] I've read the [CONTRIBUTION](https://github.com/kubernetes/ingress-nginx/blob/master/CONTRIBUTING.md) guide
- [ ] I have added tests to cover my changes.
+- [ ] I've read the [CONTRIBUTION](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md) guide
+- [ ] I have added unit and/or e2e tests to cover my changes.
 - [ ] All new and existing tests passed.
--- a/.github/actions/mkdocs/Dockerfile
+++ b/.github/actions/mkdocs/Dockerfile
@ -1,4 +1,4 @@
-FROM squidfunk/mkdocs-material:5.2.3
+FROM squidfunk/mkdocs-material:9.4.5

 COPY action.sh /action.sh

--- a/.github/actions/mkdocs/action.sh
+++ b/.github/actions/mkdocs/action.sh
@ -16,7 +16,7 @@

 set -e

-REQUIREMENTS="${GITHUB_WORKSPACE}/requirements.txt"
+REQUIREMENTS="${GITHUB_WORKSPACE}/docs/requirements.txt"

 if [ -f "${REQUIREMENTS}" ]; then
    pip install -r "${REQUIREMENTS}"
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,43 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "area/dependency"
+      - "release-note-none"
+      - "ok-to-test"
+    groups:
+      actions:
+        update-types:
+          - "minor"
+          - "patch"
+  - package-ecosystem: "docker"
+    directories:
+      - "**/rootfs"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "area/dependency"
+      - "release-note-none"
+      - "ok-to-test"
+    groups:
+      docker:
+        update-types:
+          - "minor"
+          - "patch"
+  - package-ecosystem: "gomod"
+    directories:
+      - "/"
+      - "**/rootfs"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "area/dependency"
+      - "release-note-none"
+      - "ok-to-test"
+    groups:
+      go:
+        update-types:
+          - "patch"
--- a/.github/workflows/chart.yaml
+++ b/.github/workflows/chart.yaml
@ -0,0 +1,64 @@
+name: Chart
+
+on:
+  push:
+    branches:
+      - main
+      - release-*
+    paths:
+      - charts/ingress-nginx/Chart.yaml
+  
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+
+    steps:
+      - name: Set up Python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        with:
+          python-version: 3.x
+
+      - name: Set up Helm
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+
+      - name: Set up Helm Chart Testing
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
+
+      - name: Set up Artifact Hub
+        run: |
+          curl --fail --location https://github.com/artifacthub/hub/releases/download/v1.20.0/ah_1.20.0_linux_amd64.tar.gz --output /tmp/ah.tar.gz
+          echo "9027626f19ff9f3ac668f222917130ac885e289e922e1428bfd2e7f066324e31  /tmp/ah.tar.gz" | shasum --check
+          sudo tar --extract --file /tmp/ah.tar.gz --directory /usr/local/bin ah
+
+      - name: Set up Git
+        run: |
+          git config --global user.name "${GITHUB_ACTOR}"
+          git config --global user.email "${GITHUB_ACTOR}@users.noreply.github.com"
+
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Lint chart
+        run: |
+          ct lint --config .ct.yaml
+          ah lint --path charts/ingress-nginx
+
+      - name: Release chart
+        uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0
+        env:
+          CR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CR_RELEASE_NAME_TEMPLATE: helm-chart-{{ .Version }}
+          CR_SKIP_EXISTING: true
+        with:
+          charts_dir: charts
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@ -4,25 +4,52 @@ on:
  pull_request:
    branches:
      - "*"
+    paths-ignore:
+      - 'docs/**'
+      - 'deploy/**'
+      - '**.md'
+      - 'images/**' # Images changes should be tested on their own workflow
+      - '!images/nginx/**'

  push:
    branches:
-      - master
+      - main
+      - release-*
+    paths-ignore:
+      - 'docs/**'
+      - 'deploy/**'
+      - '**.md'
+      - 'images/**' # Images changes should be tested on their own workflow
+
+  workflow_dispatch:
+    inputs:
+      run_e2e:
+        description: 'Force e2e to run'
+        required: false
+        type: boolean
+
+
+permissions:
+  contents: read

 jobs:

  changes:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
    runs-on: ubuntu-latest
    outputs:
      go: ${{ steps.filter.outputs.go }}
      charts: ${{ steps.filter.outputs.charts }}
+      baseimage: ${{ steps.filter.outputs.baseimage }}

    steps:

      - name: Checkout
-        uses: actions/checkout@v1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

-      - uses: dorny/paths-filter@v2.2.0
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        id: filter
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
@ -34,45 +61,128 @@ jobs:
              - 'rootfs/**/*'
              - 'TAG'
              - 'test/e2e/**/*'
+              - 'NGINX_BASE'
            charts:
              - 'charts/ingress-nginx/Chart.yaml'
-              - 'charts/ingress-nginx/*'
+              - 'charts/ingress-nginx/**/*'
+              - 'NGINX_BASE'
+            baseimage:
+              - 'NGINX_BASE'
+              - 'images/nginx/**'
+            docs:
+              - '**/*.md'
+            lua:
+              - '**/*.lua'
+
+  lua-lint:
+    runs-on: ubuntu-latest
+    needs: changes
+    if: |
+      (needs.changes.outputs.lua == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      
+      - name: Lint Lua
+        uses: lunarmodules/luacheck@v1
+        with:
+          args: --codes --globals lua_ingress --globals configuration --globals balancer --globals monitor --globals certificate --globals tcp_udp_configuration --globals tcp_udp_balancer --no-max-comment-line-length -q rootfs/etc/nginx/lua/
+
+  test-go:
+    runs-on: ubuntu-latest
+    needs: changes
+    if: |
+      (needs.changes.outputs.go == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Get go version
+        run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
+
+      - name: Set up Go
+        id: go
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version: ${{ env.GOLANG_VERSION }}
+          check-latest: true
+
+      - name: Run test
+        run: make test
+
+        
+  verify-docs:
+    name: Verify Doc generation
+    runs-on: ubuntu-latest
+    needs: changes
+    if: |
+      (needs.changes.outputs.go == 'true') || (needs.changes.outputs.docs == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Get go version
+        run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
+      - name: Set up Go
+        id: go
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version: ${{ env.GOLANG_VERSION }}
+          check-latest: true
+      - name: Verify Docs
+        run: make verify-docs

  build:
    name: Build
    runs-on: ubuntu-latest
    needs: changes
-    if: ${{ needs.changes.outputs.go == 'true' }}
+    outputs:
+      golangversion: ${{ steps.golangversion.outputs.version }}
+    if: |
+      (needs.changes.outputs.go == 'true') || (needs.changes.outputs.charts == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}

+    env:
+        PLATFORMS: linux/amd64
    steps:
-
      - name: Checkout
-        uses: actions/checkout@v1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

-      - name: Set up Go 1.15
+      - name: Get go version
+        id: golangversion
+        run: |
+          echo "version=$(cat GOLANG_VERSION)" >> "$GITHUB_OUTPUT"
+
+      - name: Set up Go
        id: go
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
-          go-version: 1.15
+          go-version: ${{ steps.golangversion.outputs.version }}
+          check-latest: true
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0

      - name: Set up Docker Buildx
        id: buildx
-        uses: crazy-max/ghaction-docker-buildx@v1
+        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
        with:
-          buildx-version: latest
-          qemu-version: latest
+          version: latest

      - name: Available platforms
        run: echo ${{ steps.buildx.outputs.platforms }}

      - name: Prepare Host
        run: |
-          sudo apt-get -qq update || true
-          sudo apt-get install -y pigz
-          curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.17.0/bin/linux/amd64/kubectl
+          curl -LO https://dl.k8s.io/release/v1.32.2/bin/linux/amd64/kubectl
          chmod +x ./kubectl
          sudo mv ./kubectl /usr/local/bin/kubectl

+      - name: Build NGINX Base image
+        if: |
+          needs.changes.outputs.baseimage == 'true'
+        run: |
+            export TAG=$(cat images/nginx/TAG)
+            cd images/nginx/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --load -t registry.k8s.io/ingress-nginx/nginx:${TAG} .
+
      - name: Build images
        env:
          TAG: 1.0.0-dev
@ -80,109 +190,133 @@ jobs:
          REGISTRY: ingress-controller
        run: |
          echo "building images..."
-          make clean-image build image
+          export TAGNGINX=$(cat images/nginx/TAG)
+          make BASE_IMAGE=registry.k8s.io/ingress-nginx/nginx:${TAGNGINX} clean-image build image image-chroot
          make -C test/e2e-image image

          echo "creating images cache..."
          docker save \
            nginx-ingress-controller:e2e \
            ingress-controller/controller:1.0.0-dev \
-            | pigz > docker.tar.gz
+            ingress-controller/controller-chroot:1.0.0-dev \
+            | gzip > docker.tar.gz

      - name: cache
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: docker.tar.gz
          path: docker.tar.gz
+          retention-days: 5

-  helm:
-    name: Helm chart
+  chart-lint:
+    name: Chart / Lint
    runs-on: ubuntu-latest
    needs:
      - changes
-    if: ${{ needs.changes.outputs.charts == 'true' }}
+
+    if: fromJSON(needs.changes.outputs.charts) || fromJSON(needs.changes.outputs.baseimage) || fromJSON(github.event.workflow_dispatch.run_e2e)

    steps:
-
-      - name: Checkout
-        uses: actions/checkout@v1
-
-      - name: Lint
-        run: |
-          ./build/run-in-docker.sh ./hack/verify-chart-lint.sh
-
-      - name: fix permissions
-        run: |
-          sudo mkdir -p $HOME/.kube
-          sudo chmod -R 777 $HOME/.kube
-
-      - name: Create Kubernetes cluster
-        id: kind
-        uses: engineerd/setup-kind@v0.4.0
+      - name: Set up Python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
        with:
-          version: v0.8.1
-          image: kindest/node:v1.18.4
+          python-version: 3.x

-      - name: Test
-        env:
-          KIND_CLUSTER_NAME: kind
-          SKIP_CLUSTER_CREATION: true
+      - name: Set up Helm
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+
+      - name: Set up Helm Chart Testing
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
+
+      - name: Set up Artifact Hub
        run: |
-          kind get kubeconfig > $HOME/.kube/kind-config-kind
-          make kind-e2e-chart-tests
+          curl --fail --location https://github.com/artifacthub/hub/releases/download/v1.20.0/ah_1.20.0_linux_amd64.tar.gz --output /tmp/ah.tar.gz
+          echo "9027626f19ff9f3ac668f222917130ac885e289e922e1428bfd2e7f066324e31  /tmp/ah.tar.gz" | shasum --check
+          sudo tar --extract --file /tmp/ah.tar.gz --directory /usr/local/bin ah

-  kubernetes:
-    name: Kubernetes
+      - name: Set up Helm Docs
+        uses: gabe565/setup-helm-docs-action@d5c35bdc9133cfbea3b671acadf50a29029e87c2 # v1.0.4
+
+      - name: Set up Helm Unit Test
+        run: helm plugin install https://github.com/helm-unittest/helm-unittest
+
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Lint chart
+        run: |
+          ct lint --config .ct.yaml
+          ah lint --path charts/ingress-nginx
+
+      - name: Check docs
+        run: |
+          helm-docs --chart-search-root charts
+          git diff --exit-code charts/ingress-nginx/README.md
+
+      - name: Run tests
+        run: helm unittest charts/ingress-nginx --file "tests/**/*_test.yaml"
+
+  chart-test:
+    name: Chart / Test
    runs-on: ubuntu-latest
    needs:
      - changes
      - build
-    if: ${{ needs.changes.outputs.go == 'true' }}
+      - chart-lint
+
+    if: fromJSON(needs.changes.outputs.charts) || fromJSON(needs.changes.outputs.baseimage) || fromJSON(github.event.workflow_dispatch.run_e2e)
+
    strategy:
      matrix:
-        k8s: [v1.14.10, v1.15.11, v1.16.9, v1.17.5, v1.18.4]
+        k8s: [v1.28.15, v1.29.12, v1.30.8, v1.31.4, v1.32.0]

    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

-      - name: Checkout
-        uses: actions/checkout@v1
-
-      - name: cache
-        uses: actions/download-artifact@v2
+      - name: Download cache
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: docker.tar.gz

-      - name: Create Kubernetes ${{ matrix.k8s }} cluster
-        id: kind
-        uses: engineerd/setup-kind@v0.4.0
-        with:
-          version: v0.8.1
-          config: test/e2e/kind.yaml
-          image: kindest/node:${{ matrix.k8s }}
+      - name: Load cache
+        run: gzip --decompress --stdout docker.tar.gz | docker load

-      - uses: geekyeggo/delete-artifact@v1
-        with:
-          name: docker.tar.gz
-          failOnError: false
-
-      - name: Prepare cluster for testing
-        id: local-path
-        run: |
-          kubectl version
-          echo
-          echo "installing helm 3..."
-          curl -sSL https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
-
-      - name: Load images from cache
-        run: |
-          echo "loading docker images..."
-          pigz -dc docker.tar.gz | docker load
-
-      - name: Run e2e tests
+      - name: Run tests
        env:
-          KIND_CLUSTER_NAME: kind
-          SKIP_CLUSTER_CREATION: true
+          K8S_VERSION: ${{ matrix.k8s }}
          SKIP_IMAGE_CREATION: true
        run: |
-          kind get kubeconfig > $HOME/.kube/kind-config-kind
-          make kind-e2e-test
+          sudo mkdir -pm 777 "${HOME}/.kube"
+          make kind-e2e-chart-tests
+
+  kubernetes:
+    name: Kubernetes
+    needs:
+      - changes
+      - build
+    if: |
+      (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
+    strategy:
+      matrix:
+        k8s: [v1.28.15, v1.29.12, v1.30.8, v1.31.4, v1.32.0]
+    uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml
+    with:
+      k8s-version: ${{ matrix.k8s }}
+
+  kubernetes-chroot:
+    name: Kubernetes chroot
+    needs:
+      - changes
+      - build
+    if: |
+      (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
+    strategy:
+      matrix:
+        k8s: [v1.28.15, v1.29.12, v1.30.8, v1.31.4, v1.32.0]
+    uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml
+    with:
+      k8s-version: ${{ matrix.k8s }}
+      variation: "CHROOT"
--- a/.github/workflows/depreview.yaml
+++ b/.github/workflows/depreview.yaml
@ -0,0 +1,14 @@
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@ -0,0 +1,55 @@
+name: Documentation
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+
+  changes:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
+    runs-on: ubuntu-latest
+    if: |
+      (github.repository == 'kubernetes/ingress-nginx')
+    outputs:
+      docs: ${{ steps.filter.outputs.docs }}
+      charts: ${{ steps.filter.outputs.charts }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: filter
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          filters: |
+            docs:
+             - 'docs/**/*'
+
+  docs:
+    name: Update
+    runs-on: ubuntu-latest
+    needs:
+      - changes
+    if: |
+      (github.repository == 'kubernetes/ingress-nginx') &&
+      (needs.changes.outputs.docs == 'true')
+
+    permissions:
+      contents: write # needed to write releases
+
+    steps:
+      - name: Checkout master
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Deploy
+        uses: ./.github/actions/mkdocs
+        env:
+          PERSONAL_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@ -0,0 +1,34 @@
+name: golangci-lint
+
+on:
+  pull_request:
+    paths:
+      - '**/*.go'
+      - '.github/workflows/golangci-lint.yml'
+
+permissions:
+  contents: read
+
+jobs:
+  golangci:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Get go version
+        run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
+
+      - name: Set up Go
+        id: go
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version: ${{ env.GOLANG_VERSION }}
+          check-latest: true
+
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837 # v6.5.0
+        with:
+          version: v1.62
+          only-new-issues: true
--- a/.github/workflows/images.yaml
+++ b/.github/workflows/images.yaml
@ -0,0 +1,192 @@
+name: Container Images
+
+on:
+  pull_request:
+    branches:
+      - "*"
+    paths:
+      - 'images/**'
+
+  push:
+    branches:
+      - main
+    paths:
+      - 'images/**'
+
+permissions:
+  contents: write
+  packages: write
+
+env:
+  PLATFORMS: linux/amd64
+
+jobs:
+  changes:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
+    runs-on: ubuntu-latest
+    outputs:
+      custom-error-pages: ${{ steps.filter.outputs.custom-error-pages }}
+      cfssl: ${{ steps.filter.outputs.cfssl }}
+      fastcgi-helloserver: ${{ steps.filter.outputs.fastcgi-helloserver }}
+      e2e-test-echo: ${{ steps.filter.outputs.e2e-test-echo }}
+      go-grpc-greeter-server: ${{ steps.filter.outputs.go-grpc-greeter-server }}
+      httpbun: ${{ steps.filter.outputs.httpbun }}
+      kube-webhook-certgen: ${{ steps.filter.outputs.kube-webhook-certgen }}
+      ext-auth-example-authsvc: ${{ steps.filter.outputs.ext-auth-example-authsvc }}
+      nginx: ${{ steps.filter.outputs.nginx }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: filter
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          filters: |
+            custom-error-pages:
+              - 'images/custom-error-pages/**'
+            cfssl:
+              - 'images/cfssl/**'
+            fastcgi-helloserver:
+              - 'images/fastcgi-helloserver/**'
+            e2e-test-echo:
+              - 'images/e2e-test-echo/**'
+            go-grpc-greeter-server:
+              - 'images/go-grpc-greeter-server/**'
+            httpbun:
+              - 'images/httpbun/**'
+            kube-webhook-certgen:
+              - 'images/kube-webhook-certgen/**'
+            ext-auth-example-authsvc:
+              - 'images/ext-auth-example-authsvc/**'
+            nginx:
+              - 'images/nginx/**'
+
+  #### TODO: Make the below jobs 'less dumb' and use the job name as parameter (the github.job context does not work here)
+  cfssl:
+    needs: changes
+    if: |
+      (needs.changes.outputs.cfssl == 'true')
+    uses: ./.github/workflows/zz-tmpl-images.yaml
+    with:
+      name: cfssl
+    secrets: inherit
+
+  custom-error-pages:
+    needs: changes
+    if: |
+      (needs.changes.outputs.custom-error-pages == 'true')
+    uses: ./.github/workflows/zz-tmpl-images.yaml
+    with:
+      name: custom-error-pages
+    secrets: inherit
+
+  e2e-test-echo:
+    needs: changes
+    if: |
+      (needs.changes.outputs.e2e-test-echo == 'true')
+    uses: ./.github/workflows/zz-tmpl-images.yaml
+    with:
+      name: e2e-test-echo
+    secrets: inherit
+
+  ext-auth-example-authsvc:
+    needs: changes
+    if: |
+      (needs.changes.outputs.ext-auth-example-authsvc == 'true')
+    uses: ./.github/workflows/zz-tmpl-images.yaml
+    with:
+      name: ext-auth-example-authsvc
+    secrets: inherit
+
+  fastcgi-helloserver:
+    needs: changes
+    if: |
+      (needs.changes.outputs.fastcgi-helloserver == 'true')
+    uses: ./.github/workflows/zz-tmpl-images.yaml
+    with:
+      name: fastcgi-helloserver
+    secrets: inherit
+
+  go-grpc-greeter-server:
+    needs: changes
+    if: |
+      (needs.changes.outputs.go-grpc-greeter-server == 'true')
+    uses: ./.github/workflows/zz-tmpl-images.yaml
+    with:
+      name: go-grpc-greeter-server
+    secrets: inherit
+
+  httpbun:
+    needs: changes
+    if: |
+      (needs.changes.outputs.httpbun == 'true')
+    uses: ./.github/workflows/zz-tmpl-images.yaml
+    with:
+      name: httpbun
+    secrets: inherit
+
+  kube-webhook-certgen:
+    runs-on: ubuntu-latest
+    needs: changes
+    if: |
+      (needs.changes.outputs.kube-webhook-certgen == 'true')
+    strategy:
+      matrix:
+        k8s: [v1.28.15, v1.29.12, v1.30.8, v1.31.4, v1.32.0]
+    steps:
+    - name: Checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+    - name: Get go version
+      run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
+
+    - name: Set up Go
+      id: go
+      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+      with:
+        go-version: ${{ env.GOLANG_VERSION }}
+        check-latest: true
+    - name: image build
+      run: |
+        cd images/ && make NAME=kube-webhook-certgen build
+    - name: Create Kubernetes cluster
+      id: kind
+      run: |
+        kind create cluster --image=kindest/node:${{ matrix.k8s }}
+    - name: image test
+      run: |
+        cd images/ && make NAME=kube-webhook-certgen test test-e2e
+
+  nginx:
+    permissions:
+      contents: write
+      packages: write
+    runs-on: ubuntu-latest
+    needs: changes
+    if: |
+      (github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.changes.outputs.nginx == 'true')
+    env:
+      PLATFORMS: linux/amd64,linux/arm,linux/arm64
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
+        with:
+          version: latest
+          platforms: ${{ env.PLATFORMS }}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: build-image
+        run: |
+          export TAG=$(cat images/nginx/TAG)
+          cd images/nginx/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --push -t ingressnginx/nginx:${TAG} .
--- a/.github/workflows/junit-reports.yaml
+++ b/.github/workflows/junit-reports.yaml
@ -0,0 +1,22 @@
+name: 'E2E Test Report'
+
+on:
+  workflow_run:
+    workflows: ['CI']                     # runs after CI workflow
+    types:
+      - completed
+
+permissions:
+  checks: write
+
+jobs:
+  report:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 # v1.9.1
+        with:
+          artifact: /e2e-test-reports-(.*)/
+          name: JEST Tests $1               # Name of the check run which will be created
+          path: 'report*.xml'               # Path to test results (inside artifact .zip)
+          reporter: jest-junit              # Format of test results
+          fail-on-empty: 'true'
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@ -1,68 +0,0 @@
-name: Documentation and Helm chart
-
-on:
-  push:
-    branches:
-      - master
-
-jobs:
-
-  changes:
-    runs-on: ubuntu-latest
-    outputs:
-      docs: ${{ steps.filter.outputs.docs }}
-      charts: ${{ steps.filter.outputs.charts }}
-    steps:
-
-      - name: Checkout
-        uses: actions/checkout@v1
-
-      - uses: dorny/paths-filter@v2.2.0
-        id: filter
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          filters: |
-            docs:
-              - 'docs/**/*'
-            charts:
-              - 'charts/ingress-nginx/Chart.yaml'
-
-  docs:
-    name: Update Documentation
-    runs-on: ubuntu-latest
-    needs:
-      - changes
-    if: ${{ needs.changes.outputs.docs == 'true' }}
-
-    steps:
-
-      - name: Checkout master
-        uses: actions/checkout@v1
-
-      - name: Deploy docs
-        uses: ./.github/actions/mkdocs
-        env:
-          PERSONAL_TOKEN: ${{ secrets.PERSONAL_TOKEN }}
-
-  chart:
-    name: Release Chart
-    runs-on: ubuntu-latest
-    needs:
-      - changes
-    if: ${{ needs.changes.outputs.charts == 'true' }}
-
-    steps:
-
-      - name: Checkout master
-        uses: actions/checkout@v1
-
-      - name: Setup
-        shell: bash
-        run: |
-          git config --global user.name "$GITHUB_ACTOR"
-          git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"
-
-      - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.0.0-rc.2
-        env:
-          CR_TOKEN: "${{ secrets.PERSONAL_TOKEN }}"
--- a/.github/workflows/perftest.yaml
+++ b/.github/workflows/perftest.yaml
@ -0,0 +1,72 @@
+name: Performance Test
+
+on:
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: 'Log level'
+        required: true
+        default: 'warning'
+      tags:
+        description: 'K6 Load Test'
+
+permissions:
+  contents: read
+
+jobs:
+  k6_test_run:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Install K6
+        run: |
+          wget https://github.com/grafana/k6/releases/download/v0.38.2/k6-v0.38.2-linux-amd64.tar.gz
+          echo '7c9e5a26aaa2c638c042f6dfda7416161b8d2e0d4cb930721a38083b8be109ab *k6-v0.38.2-linux-amd64.tar.gz' | shasum -c
+          tar -xvf k6-v0.38.2-linux-amd64.tar.gz k6-v0.38.2-linux-amd64/k6
+          mv k6-v0.38.2-linux-amd64/k6 .
+          ./k6
+
+      - name: Make dev-env
+        run: |
+          mkdir $HOME/.kube
+          make dev-env
+          podName=`kubectl -n ingress-nginx get po | grep -i controller | awk '{print $1}'`
+          if [[ -z ${podName} ]] ; then
+            sleep 5
+          fi
+          kubectl wait pod -n ingress-nginx --for condition=Ready $podName
+          kubectl get all -A
+
+      - name: Deploy workload
+        run: |
+          kubectl create deploy k6 --image kennethreitz/httpbin --port 80 && \
+            kubectl expose deploy k6 --port 80 && \
+            kubectl create ing k6 --class nginx \
+            --rule test.ingress-nginx-controller.ga/*=k6:80
+          podName=`kubectl get po | grep -i k6 | awk '{print $1}'`
+          if [[ -z ${podName} ]] ; then
+            sleep 5
+          fi
+          kubectl wait pod --for condition=Ready $podName
+          kubectl get all,secrets,ing
+
+      - name: Tune OS
+        run : |
+          sudo sysctl -A 2>/dev/null | egrep -i "local_port_range|tw_reuse|tcp_timestamps"
+          sudo sh -c "ulimit"
+          sudo sysctl -w net.ipv4.ip_local_port_range="1024 65535"
+          sudo sysctl -w net.ipv4.tcp_tw_reuse=1
+          sudo sysctl -w net.ipv4.tcp_timestamps=1
+          sudo sh -c "ulimit "
+
+      - name: Run smoke test
+        run: |
+          vmstat -at 5 | tee vmstat_report &
+          #./k6 login cloud -t $K6_TOKEN
+          #./k6 run -o cloud ./smoketest.js
+          ./k6 run test/k6/smoketest.js
+          pkill vmstat
+          cat vmstat_report
--- a/.github/workflows/plugin.yaml
+++ b/.github/workflows/plugin.yaml
@ -0,0 +1,50 @@
+name: kubectl plugin
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: write # for goreleaser/goreleaser-action
+
+jobs:
+  release-plugin:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Get go version
+        run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
+
+      - name: Set up Go
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version: ${{ env.GOLANG_VERSION }}
+          check-latest: true
+
+      - name: Run GoReleaser Snapshot
+        if: ${{ ! startsWith(github.ref, 'refs/tags/') }}
+        uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 # v6.2.1
+        with:
+          version: "~> v2"
+          args: release --snapshot --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run GoReleaser
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 # v6.2.1
+        with:
+          version: "~> v2"
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Update new version in krew-index
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        uses: rajatjindal/krew-release-bot@3d9faef30a82761d610544f62afddca00993eef9 # v0.0.47
+        with:
+          krew_template_file: cmd/plugin/krew.yaml
--- a/.github/workflows/project.yml
+++ b/.github/workflows/project.yml
@ -0,0 +1,19 @@
+name: Adds all issues
+
+on:
+  issues:
+    types:
+      - opened
+
+jobs:
+  add-to-project:
+    name: Add issue to project
+    runs-on: ubuntu-latest
+    permissions:
+      repository-projects: write
+      issues: write
+    steps:
+      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
+        with:
+          project-url: https://github.com/orgs/kubernetes/projects/104
+          github-token: ${{ secrets.PROJECT_WRITER }}
--- a/.github/workflows/release.txt
+++ b/.github/workflows/release.txt
@ -1,128 +0,0 @@
-name: Release
-
-on:
-  watch:
-    types: [started]
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-    if: github.actor == 'aledbf'
-    steps:
-      - name: Checkout master
-        uses: actions/checkout@v1
-
-      - name: Set up Go 1.14
-        uses: actions/setup-go@master
-        with:
-          go-version: 1.14
-
-      - name: Build krew plugin
-        shell: bash
-        run: |
-          export PATH=${PATH}:`go env GOPATH`/bin
-          make build-plugin
-
-#      - name: Build and publish images
-#        shell: bash
-#        run: |
-#          cat <<EOF | > build/images/nginx/aws.tfvars
-#          access_key = "${{ secrets.AWS_ACCESS_KEY }}"
-#          secret_key = "${{ secrets.AWS_ACCESS_SECRET_KEY }}"
-#          EOF
-#
-#          cat <<EOF | > build/images/nginx/env.tfvars
-#          docker_username="${{ secrets.DOCKER_USERNAME }}"
-#          docker_password="${{ secrets.DOCKER_PASSWORD }}"
-#          EOF
-#
-#          ./build/build-ingress-controller.sh
-
-      - name: Create env variables
-        shell: bash
-        run: |
-          # $(cat cmd/plugin/release/ingress-nginx.yaml)
-          echo "::set-env name=RELEASE_VERSION::$(make show-version)"
-          echo "::set-env name=RELEASE_CHANGELOG::##CHANGELOG##"
-
-      - name: Create release
-        id: create_release
-        uses: actions/create-release@v1
-        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/controller')
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: controller-${{ env.RELEASE_VERSION }}
-          release_name: "NGINX: ${{ env.RELEASE_VERSION }}"
-          body: |
-            **Image:** `quay.io/kubernetes-ingress-controller/nginx-ingress-controller:${{ env.RELEASE_VERSION }}`
-
-            ${{ env.RELEASE_CHANGELOG }}
-
-            Complete changelog [here](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md)
-
-          draft: false
-          prerelease: false
-
-      - name: Upload krew plugin Darwin
-        uses: actions/upload-release-asset@v1
-        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/controller')
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: cmd/plugin/release/kubectl-ingress_nginx-darwin-amd64.tar.gz
-          asset_name: kubectl-ingress_nginx-darwin-amd64.tar.gz
-          asset_content_type: application/tar+gzip
-
-      - name: Upload krew plugin Linux
-        uses: actions/upload-release-asset@v1
-        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/controller')
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: cmd/plugin/release/kubectl-ingress_nginx-linux-amd64.tar.gz
-          asset_name: kubectl-ingress_nginx-linux-amd64.tar.gz
-          asset_content_type: application/tar+gzip
-
-      - name: Upload krew plugin Windows
-        uses: actions/upload-release-asset@v1
-        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/controller')
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: cmd/plugin/release/kubectl-ingress_nginx-windows-amd64.tar.gz
-          asset_name: kubectl-ingress_nginx-windows-amd64.tar.gz
-          asset_content_type: application/tar+gzip
-
-      - name: Upload krew plugin
-        uses: actions/upload-release-asset@v1
-        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/controller')
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: cmd/plugin/release/ingress-nginx.yaml
-          asset_name: ingress-nginx.yaml
-          asset_content_type: text/x-yaml
-
-      - name: Create KREW_PLUGIN_BODY_PR env variable
-        shell: bash
-        run: |
-          echo "::set-env name=KREW_PLUGIN_BODY_PR::$(cat cmd/plugin/release/ingress-nginx.yaml)"
-
-#      - name: Open PR for new release of Krew Plugin
-#        uses: gha-utilities/init-pull-request@v0.1.2
-#        env:
-#          GITHUB_REPOSITORY: maintainer/repo-name
-#        with:
-#          verbose: true
-#          draft: false
-#          pull_request_token: ${{ secrets.GITHUB_TOKEN }}
-#          head: ingress-nginx:krew
-#          base: krew
-#          title: 'Update ingress-nginx krew plugin to ${{ env.RELEASE_VERSION }}'
-#          body: |
-#            ${{ env.KREW_PLUGIN_BODY_PR }}
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@ -0,0 +1,64 @@
+name: Scorecards supply-chain security
+
+on:
+  # Only the default branch is supported.
+  branch_protection_rule:
+  schedule:
+    - cron: '20 11 * * 5'
+  push:
+    branches:
+      - "main"
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge. (Upcoming feature)
+      id-token: write
+      # Needs for private repositories.
+      contents: read
+      actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecards on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+
+          # Publish the results for public repositories to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless
+          # of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        with:
+          sarif_file: results.sarif
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@ -0,0 +1,24 @@
+name: 'Stale Issues and PRs'
+
+on:
+  schedule:
+    - cron: '30 1 * * *'
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+
+    permissions:
+      issues: write
+      pull-requests: write
+
+    steps:
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
+        with:
+          stale-issue-message: "This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach `#ingress-nginx-dev` on Kubernetes Slack."
+          stale-pr-message: "This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach `#ingress-nginx-dev` on Kubernetes Slack."
+          stale-issue-label: lifecycle/frozen
+          stale-pr-label: lifecycle/frozen
+          days-before-issue-stale: 30
+          days-before-pr-stale: 45
+          days-before-close: -1  # dont not close issues/prs
--- a/.github/workflows/vulnerability-scans.yaml
+++ b/.github/workflows/vulnerability-scans.yaml
@ -0,0 +1,92 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Vulnerability Scan
+
+on:
+  workflow_dispatch:
+  release:
+  schedule:
+    - cron: '00 9 * * 1'
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  version:
+    runs-on: ubuntu-latest
+    outputs:
+      versions: ${{ steps.version.outputs.TAGS }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Latest Tag
+        id: version
+        shell: bash
+        run: |
+          readarray -t TAGS_ARRAY <<<"$(git tag --list 'controller-v*.*.*' --sort=-version:refname | grep -v 'beta\|alpha')"
+          FULL_TAGS=(${TAGS_ARRAY[0]} ${TAGS_ARRAY[1]} ${TAGS_ARRAY[2]})
+          SHORT_TAGS=()
+          for i in ${FULL_TAGS[@]}
+          do
+            echo "tag: $i"
+            short=$(echo "$i" | cut -d - -f 2)
+            SHORT_TAGS+=($short)
+          done
+          echo "${SHORT_TAGS[0]},${SHORT_TAGS[1]},${SHORT_TAGS[2]}"
+          TAGS_JSON="[\"${SHORT_TAGS[0]}\",\"${SHORT_TAGS[1]}\",\"${SHORT_TAGS[2]}\"]"
+          echo "${TAGS_JSON}"
+          echo "TAGS=${TAGS_JSON}" >> $GITHUB_OUTPUT
+
+  scan:
+    runs-on: ubuntu-latest
+    needs: version
+    strategy:
+      matrix:
+        versions: ${{ fromJSON(needs.version.outputs.versions) }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - shell: bash
+        id: test
+        run: echo "Scanning registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}"
+
+      - name: Scan image with AquaSec/Trivy
+        id: scan
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
+        with:
+          image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }}
+          format: 'sarif'
+          output: trivy-results-${{ matrix.versions }}.sarif
+          exit-code: 0
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
+
+      - name: Output Sarif File
+        shell: bash
+        run: cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif
+
+      # This step checks out a copy of your repository.
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        with:
+          token: ${{ github.token }}
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif
+
+      - name: Vulz Count
+        shell: bash
+        run: |
+          TRIVY_COUNT=$(cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif | jq '.runs[0].results | length')
+          echo "TRIVY_COUNT: $TRIVY_COUNT"
+          echo "Image Vulnerability scan output" >> $GITHUB_STEP_SUMMARY
+          echo "Image ID: registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "Trivy Count: $TRIVY_COUNT" >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/zz-tmpl-images.yaml
+++ b/.github/workflows/zz-tmpl-images.yaml
@ -0,0 +1,81 @@
+#### THIS IS A TEMPLATE ####
+# This workflow is created to be a template for every time an e2e test is required,
+
+on:
+  workflow_call:
+    inputs:
+      name:
+        required: true
+        type: string
+      platforms-test:
+        type: string
+        default: linux/amd64
+      platforms-publish:
+        type: string
+        default: linux/amd64
+
+env:
+  PLATFORMS: ${{ inputs.platforms-test }}
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  changestag:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.filter.outputs.tag }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: filter
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          filters: |
+            tag:
+              - 'images/**/TAG'
+
+  image-build:
+    name: Build
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Build
+        run: |
+          cd images/ && make NAME=${{ inputs.name }} build
+
+  image-push:
+    name: Push
+    needs: changestag
+    if: |
+      (github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'kubernetes/ingress-nginx' && needs.changestag.outputs.tag == 'true')
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+    env:
+      PLATFORMS: ${{ inputs.platforms-publish }}
+    steps:
+    - name: Checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+    - name: Push
+      run: |
+          cd images/ && make REGISTRY=ingressnginx NAME=${{ inputs.name }} push
+
--- a/.github/workflows/zz-tmpl-k8s-e2e.yaml
+++ b/.github/workflows/zz-tmpl-k8s-e2e.yaml
@ -0,0 +1,57 @@
+#### THIS IS A TEMPLATE ####
+# This workflow is created to be a template for every time an e2e test is required,
+
+on:
+  workflow_call:
+    inputs:
+      k8s-version:
+        required: true
+        type: string
+      variation:
+        type: string
+
+permissions:
+  contents: read
+
+jobs:
+  kubernetes:
+    name: Kubernetes ${{ inputs.variation }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: cache
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: docker.tar.gz
+
+      - name: Create Kubernetes ${{ inputs.k8s-version }} cluster
+        id: kind
+        run: |
+          kind create cluster --image=kindest/node:${{ inputs.k8s-version }} --config test/e2e/kind.yaml
+
+      - name: Load images from cache
+        run: |
+          echo "loading docker images..."
+          gzip -dc docker.tar.gz | docker load
+
+      - name: Run e2e tests ${{ inputs.variation }}
+        env:
+          KIND_CLUSTER_NAME: kind
+          SKIP_CLUSTER_CREATION: true
+          SKIP_INGRESS_IMAGE_CREATION: true
+          SKIP_E2E_IMAGE_CREATION: true
+          IS_CHROOT: ${{ inputs.variation == 'CHROOT' }}
+        run: |
+          kind get kubeconfig > $HOME/.kube/kind-config-kind
+          make kind-e2e-test
+
+      - name: Upload e2e junit-reports ${{ inputs.variation }}
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        if: success() || failure()
+        with:
+          name: e2e-test-reports-${{ inputs.k8s-version }}${{ inputs.variation }}
+          path: 'test/junitreports/report*.xml'
+
--- a/.gitignore
+++ b/.gitignore
@ -46,6 +46,7 @@ test/e2e/e2e\.test
 bin
 test/e2e-image/wait-for-nginx.sh
 .cache
+.modcache
 cover.out

 # secret terraform variables
@ -57,3 +58,6 @@ images/fastcgi-helloserver/rootfs/fastcgi-helloserver
 cmd/plugin/release/ingress-nginx.yaml
 cmd/plugin/release/*.tar.gz
 cmd/plugin/release/LICENSE
+tmp/
+test/junitreports/
+tests/__snapshot__
--- a/.golangci.yml
+++ b/.golangci.yml
@ -0,0 +1,236 @@
+run:
+  timeout: 10m
+  allow-parallel-runners: true
+
+issues:
+  # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
+  max-issues-per-linter: 0
+
+  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
+  max-same-issues: 0
+linters:
+  disable-all: true
+  enable:
+    - asasalint
+    - asciicheck
+    - bidichk
+    - bodyclose
+    - contextcheck
+    - decorder
+    - dogsled
+    - dupl
+    - durationcheck
+    - errcheck
+    - errchkjson
+    - errname
+    - ginkgolinter
+    - gocheckcompilerdirectives
+    - goconst
+    - gocritic
+    - gocyclo
+    - godox
+    - gofmt
+    - gofumpt
+    - goheader
+    - goimports
+    - gomoddirectives
+    - gomodguard
+    - goprintffuncname
+    - gosec
+    - gosimple
+    - govet
+    - grouper
+    - importas
+    - ineffassign
+    - loggercheck
+    - makezero
+    - misspell
+    - musttag
+    - nakedret
+    - nolintlint
+    - nosprintfhostport
+    - prealloc
+    - predeclared
+    - promlinter
+    - reassign
+    - revive
+    - rowserrcheck
+    - sqlclosecheck
+    - staticcheck
+    - stylecheck
+    - tenv
+    - testableexamples
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
+    - usestdlibvars
+    - whitespace
+    # - containedctx
+    # - cyclop
+    # - dupword
+    # - errorlint
+    # - exhaustive
+    # - exhaustruct
+    # - exportloopref
+    # - forbidigo
+    # - forcetypeassert
+    # - funlen
+    # - gci
+    # - gochecknoglobals
+    # - gochecknoinits
+    # - gocognit
+    # - godot
+    # - goerr113
+    # - gomnd
+    # - interfacebloat
+    # - ireturn
+    # - lll
+    # - maintidx
+    # - nestif
+    # - nilerr
+    # - nilnil
+    # - nlreturn
+    # - noctx
+    # - nonamedreturns
+    # - paralleltest
+    # - tagliatelle
+    # - testpackage
+    # - thelper
+    # - tparallel
+    # - varnamelen
+    # - wastedassign
+    # - wrapcheck
+    # - wsl
+linters-settings:
+  gocyclo:
+    min-complexity: 40
+  godox:
+    keywords:
+      - BUG
+      - FIXME
+      - HACK
+  errcheck:
+    check-type-assertions: true
+    check-blank: true
+  gocritic:
+    enabled-checks:
+      # Diagnostic
+      - appendAssign
+      - argOrder
+      - badCall
+      - badCond
+      - badLock
+      - badRegexp
+      - badSorting
+      - builtinShadowDecl
+      - caseOrder
+      - codegenComment
+      - commentedOutCode
+      - deferInLoop
+      - deprecatedComment
+      - dupArg
+      - dupBranchBody
+      - dupCase
+      - dupSubExpr
+      - dynamicFmtString
+      - emptyDecl
+      - evalOrder
+      - exitAfterDefer
+      - externalErrorReassign
+      - filepathJoin
+      - flagDeref
+      - flagName
+      - mapKey
+      - nilValReturn
+      - offBy1
+      - regexpPattern
+      - returnAfterHttpError
+      - sloppyReassign
+      - sloppyTypeAssert
+      - sortSlice
+      - sprintfQuotedString
+      - sqlQuery
+      - syncMapLoadAndDelete
+      - truncateCmp
+      - unnecessaryDefer
+      - weakCond
+
+      # Performance
+      - appendCombine
+      - equalFold
+      - hugeParam
+      - indexAlloc
+      - preferDecodeRune
+      - preferFprint
+      - preferStringWriter
+      - preferWriteByte
+      - rangeExprCopy
+      - rangeValCopy
+      - sliceClear
+      - stringXbytes
+
+      # Style
+      - assignOp
+      - boolExprSimplify
+      - captLocal
+      - commentFormatting
+      - commentedOutImport
+      - defaultCaseOrder
+      - deferUnlambda
+      - docStub
+      - dupImport
+      - elseif
+      - emptyFallthrough
+      - emptyStringTest
+      - exposedSyncMutex
+      - hexLiteral
+      - httpNoBody
+      - ifElseChain
+      - methodExprCall
+      - newDeref
+      - octalLiteral
+      - preferFilepathJoin
+      - redundantSprint
+      - regexpMust
+      - regexpSimplify
+      - ruleguard
+      - singleCaseSwitch
+      - sloppyLen
+      - stringConcatSimplify
+      - stringsCompare
+      - switchTrue
+      - timeExprSimplify
+      - tooManyResultsChecker
+      - typeAssertChain
+      - typeDefFirst
+      - typeSwitchVar
+      - underef
+      - unlabelStmt
+      - unlambda
+      - unslice
+      - valSwap
+      - whyNoLint
+      - wrapperFunc
+      - yodaStyleExpr
+
+      # Opinionated
+      - builtinShadow
+      - importShadow
+      - initClause
+      - nestingReduce
+      - paramTypeCombine
+      - ptrToRefParam
+      - typeUnparen
+      - unnamedResult
+      - unnecessaryBlock
+  nolintlint:
+    # Enable to ensure that nolint directives are all used. Default is true.
+    allow-unused: false
+    # Exclude following linters from requiring an explanation.  Default is [].
+    allow-no-explanation: []
+    # Enable to require an explanation of nonzero length after each nolint directive. Default is false.
+    # TODO(lint): Enforce explanations for `nolint` directives
+    require-explanation: false
+    # Enable to require nolint directives to mention the specific linter being suppressed. Default is false.
+    require-specific: true
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -0,0 +1,29 @@
+project_name: ingress-nginx
+release:
+  github:
+    owner: kubernetes
+    name: ingress-nginx
+builds:
+  - id: ingress-nginx
+    goos:
+    - darwin
+    - linux
+    - windows
+    goarch:
+    - arm64
+    - amd64
+    env:
+    - CGO_ENABLED=0
+    - GO111MODULE=on
+    main: cmd/plugin/main.go
+    binary: kubectl-ingress-nginx
+    ldflags: |
+      -s -w
+      -X k8s.io/ingress-nginx/version.COMMIT={{ .Commit }}
+      -X k8s.io/ingress-nginx/version.RELEASE={{ .Tag }}
+archives:
+  - id: ingress-nginx
+    builds:
+    - ingress-nginx
+    name_template: "kubectl-{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}"
+    format: tar.gz
--- a/.luacheckrc
+++ b/.luacheckrc
@ -1,6 +1,6 @@
 std = 'ngx_lua'
 max_line_length = 100
-exclude_files = {'./rootfs/etc/nginx/lua/test/**/*.lua', './rootfs/etc/nginx/lua/plugins/**/test/**/*.lua'}
+exclude_files = {'./rootfs/etc/nginx/lua/test/**/*.lua'}
 files["rootfs/etc/nginx/lua/lua_ingress.lua"] = {
  ignore = { "122" },
  -- TODO(elvinefendi) figure out why this does not work
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -2,6 +2,8 @@

 Read the following guide if you're interested in contributing to Ingress. [Make Ingress-Nginx Work for you, and the Community](https://youtu.be/GDm-7BlmPPg) from KubeCon Europe 2018 is a great video to get you started!!

+Note that this guide refers to contributing to actual sources of the repository. If you interested in contributing through issue triaging, have a look at [this guide](./ISSUE_TRIAGE.md).
+
 ## Contributor License Agreements

 We'd love to accept your patches! Before we can take them, we have to jump a couple of legal hurdles.
@ -15,14 +17,16 @@ Follow either of the two links above to access the appropriate CLA and instructi

 ***NOTE***: Only original source code from you and other people that have signed the CLA can be accepted into the main repository.

-## Finding Things That Need Help
+## Finding Issues That Need Help

-If you're new to the project and want to help, but don't know where to start, we have a semi-curated list of issues that should not need deep knowledge of the system. [Have a look and see if anything sounds interesting](https://github.com/kubernetes/ingress-nginx/issues?utf8=%E2%9C%93&q=is%3Aopen%20is%3Aissue%20label%3A%22help+wanted%22). Alternatively, read some of the docs on other controllers and try to write your own, file and fix any/all issues that come up, including gaps in documentation!
+If you're new to the project and want to help, but don't know where to start, we have a semi-curated list of issues that should not need deep knowledge of the system. [Have a look and see if anything sounds interesting](https://github.com/kubernetes/ingress-nginx/issues?utf8=%E2%9C%93&q=is%3Aopen%20is%3Aissue%20label%3A%22help+wanted%22).
+
+Alternatively, search for the label [`triage-accepted`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3Atriage%2Faccepted+) if you have some experience with ingress-nginx. Note, that it could make sense to grab issues with higher priority first.

 ## Contributing a Patch

 1. If you haven't already done so, sign a Contributor License Agreement (see details above).
-1. Read the [Ingress development guide](docs/development.md).
+1. Read the [Ingress development guide](docs/developer-guide/getting-started.md).
 1. Fork the desired repo, develop and test your code changes.
 1. Submit a pull request.

@ -30,7 +34,9 @@ All changes must be code reviewed. Coding conventions and standards are explaine

 ### Merge Approval

-Ingress collaborators may add "LGTM" (Looks Good To Me) or an equivalent comment to indicate that a PR is acceptable. Any change requires at least one LGTM.  No pull requests can be merged until at least one Ingress collaborator signs off with an LGTM.
+Ingress Nginx collaborators may add "/lgtm" (Looks Good To Me) to indicate that a PR is acceptable. Any change requires at least one LGTM.  No pull requests can be merged until at least one Ingress Nginx collaborator signs off with an LGTM. Adding the "/lgtm" comment result in the prow bot adding the `lgtm` label. Note that a pull request still needs an `approve` label from one of the owners.
+
+Reviewers or members who want to become reviewers according to the [k8s membership ladder](https://github.com/kubernetes/community/blob/master/community-membership.md), could actively search for [pull requests that need a review](https://github.com/kubernetes/ingress-nginx/pulls?q=is%3Aopen+is%3Apr+label%3Atriage%2Faccepted).

 ## Support Channels

@ -41,3 +47,6 @@ Whether you are a user or contributor, official support channels include:
 - Post: [Kubernetes Forum](https://discuss.kubernetes.io)

 Before opening a new issue or submitting a new pull request, it's helpful to search the project - it's likely that another user has already reported the issue you're facing, or it's a known issue that we're already aware of.
+
+## New Contributor Tips
+If you're a new contributor, you can follow the [New Contributor Tips guide](NEW_CONTRIBUTOR.md)
--- a/Changelog.md
+++ b/Changelog.md
--- a/1
+++ b/1
@ -0,0 +1 @@
+1.23.6
--- a/ISSUE_TRIAGE.md
+++ b/ISSUE_TRIAGE.md
@ -0,0 +1,89 @@
+# Triage Process
+
+As any kind of contributor (triage, reviewer ...), always have in mind that if a user came to us and raised an issue, the user may have a real problem. We must assume that, and not the opposite (the user needs to prove to us that this is a bug). Keeping that in mind, **be nice with users, even if you don’t agree with them**
+
+Note that this guide refers to contributing through issue triaging. If you are interested in contributing to actual sources of the repository, see [this guide](./CONTRIBUTING.md). 
+
+## General Information 
+
+The triage process of the ingress-nginx maintainers is based on the [triage process guidelines](https://github.com/kubernetes/community/blob/master/contributors/guide/issue-triage.md) of the Kubernetes community  
+
+However the exact process of the ingress-nginx maintainers may differ in certain aspects. This doc gives a more precise overview on how the ingress-nginx maintainers approach the issue triage process and other processes that are related. 
+
+## Triage Flow (Issues)
+
+This section describes the different stages of the triage flow for issues.
+
+### Prepare Issues
+New issues come in with the labels `needs-triage` and `needs-priority` and one of: `kind/bug`, `kind/feature` or `kind/support`. Unfortunately there are also some legacy issues that only have a `kind/*` label but neither `needs-triage` nor `needs-priority` . However for every issue that does not have the `triage-accepted` label the following steps have to be done to prepare them for further processing:  
+
+* Filter for issues [without the `triage-accepted`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+-label%3Atriage%2Faccepted+is%3Aissue) label.
+* Check if all necessary information are available. This is basically true, if people filled out the issue template correctly. If necessary information is missing, ask the author to add the missing information and add the label `triage/needs-information` if not already present. If already present, send the author a friendly reminder to add those. 
+* Check if the used versions of ingress-nginx and Kubernetes is supported. Note that [we only support n-3 versions](https://github.com/kubernetes/ingress-nginx#support-versions-table). If the version is not supported, ask the author to upgrade to newer versions and see if the error still persists. 
+* Read through the issue description and comments briefly to understand what the issue is about. Also check if the kind and area is correct, and adjust it if necessary. If the issue is understandable add the label `triage-accepted`.
+* If at any point you don't know how to proceed with an issue during the triage process, tag one of the [core maintainers](OWNERS_ALIASES) in the issue to raise attention or alternatively come to [this slack channel](https://kubernetes.slack.com/archives/C021E147ZA4) which may be the quicker way as people tend to miss github notifications. 
+
+Note: Issues that are stale for 90 days are being closed automatically. However we could be missing a bug here, so from time to time it makes sense to go over the closed ones and see if there is something important. Use [this filter](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aclosed+is%3Aissue+label%3Alifecycle%2Frotten+) to find those. 
+
+Who and When?
+* Basically everyone who wants to contribute can do the mentioned steps at any time.
+
+### Issue Prioritization
+For all issues, where all necessary information is available thus triage is accepted, we need to do some prioritization: 
+
+* Go through all issues with label [`triage-accepted`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3Atriage%2Faccepted+).  
+* Add appropriate priority label: `priority/backlog`, `priority/critical-urgent`, `priority/awaiting-more-evidence`, `priority/important-longterm`, `priority/important-soon` or `good first issue`
+
+Who and When? 
+* Basically every contributor should be able to do that.
+* Tricky/important ones could be brought up during community meetings
+
+## Triage Flow (Pull Requests)
+
+This section describes the different stages of the triage flow for pull requests.
+
+### Prepare Pull Requests
+Pull requests come in with the labels `needs-triage`, `needs-priority` and `needs-kind` and one that indicates the size(`size/*`). Unfortunately there are also some legacy pull requests that only have a `size/*` label but neither `needs-triage` nor `needs-priority` . However for every pull request that does not have the `triage-accepted` label the following steps should be done to prepare them for further processing:   
+
+* Filter for pull requests [without the `triage-accepted`](https://github.com/kubernetes/ingress-nginx/pulls?q=is%3Aopen+-label%3Atriage%2Faccepted+is%3Apr) label.
+* Check if the cla is signed and all necessary information are available. This is basically true, if people filled out the pull request template correctly. If everything is fine add the `triage-accepted` label.
+* If at any point you don't know how to proceed with an issue during the triage process, tag one of the [core maintainers](OWNERS_ALIASES) in the issue to raise attention or alternatively come to [this slack channel](https://kubernetes.slack.com/archives/C021E147ZA4) which may be the quicker way as people tend to miss github notifications. 
+
+Who and When?
+* Basically everyone who wants to contribute can do the mentioned steps at any time.
+
+### Pull Request Prioritization
+For all pull requests, where all necessary information is available and cla is signed thus triage is accepted, we need to do some prioritization: 
+
+* Go through all pull requests with label [`triage-accepted`](https://github.com/kubernetes/ingress-nginx/pulls?q=is%3Aopen+is%3Apr+label%3Atriage%2Faccepted).  
+* Sync the `kind/*` and `priority/*` label from the linked issue for the pull request. If the pull request does not have any issue associated (which normally should not be the case), add an appropriate priority and kind label (one of: `priority/backlog`, `priority/critical-urgent`, `priority/important-longterm`, `priority/important-soon`) 
+
+Who and When? 
+* Basically every contributor should be able to do that.
+* Tricky/important ones could be brought up during community meetings
+
+## Labels 
+Labels are helpful for issues or pull requests to indicate in which lifecycle state they are currently and to categorize them. This section describes the most important ones with the additional info about how to add those. A complete label list of the Kubernetes community can be found [here](https://github.com/kubernetes/kubernetes/labels) while a complete label list for this project can be found [here](https://github.com/kubernetes/ingress-nginx/labels). However, here the most important ones: 
+
+* Triage:
+  * [`needs-triage`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3Aneeds-triage): Indicates that the issue or pull request needs triage. Automatically added. 
+  * [`triage/accepted`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Atriage%2Faccepted+is%3Aissue+): Indicates that the issue is ready for further processing. Add with `/triage accepted`.
+  * [`triage/needs-information`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Atriage%2Fneeds-information+is%3Aissue+): Indicates that the issue lacks information. Add with `/triage needs-information`.
+* Kind: 
+  * [`kind/bug`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Akind%2Fbug+is%3Aissue): Indicates that the issue is assumed to be a bug. Add with `/kind bug`. Remove with `/remove-kind bug`.
+  * [`kind/feature`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Akind%2Ffeature+is%3Aissue+): Indicates that the issue is a feature request. Add with `/kind feature`. Remove with `/remove-kind feature`.
+  * [`kind/documentation`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Akind%2Fdocumentation+is%3Aissue+): Indicates that the issue is documentation related. Add with `/kind documentation`. Remove with `/remove-kind documentation`.
+  * [`kind/support`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Akind%2Fsupport+is%3Aissue+): Indicates the the issue is a support request. Add with `/kind support`. Remove with `/remove-kind support`.
+* Area: 
+  * [`area/helm`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Aarea%2Fhelm+is%3Aissue+): Indicates that the issue is related to helm charts. Add with `/area helm`.
+  * [`area/lua`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Aarea%2Flua+is%3Aissue+): Indicates that the issue is related to lua. Add with `/area lua`.
+  * [`area/docs`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Aarea%2Fdocs+is%3Aissue): Indicates that the issue is related to documentation. Add with `/area docs` .
+* Priority: 
+  * [`needs-priority`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3Aneeds-priority): Indicates that the issue has no prioritization yet. Automatically added.
+  * [`priority/critical-urgent`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Apriority%2Fcritical-urgent+is%3Aissue+): indicates that the issue has highest priority. Add with `/priority critical-urgent`.
+  * [`priority/important-soon`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Apriority%2Fimportant-soon+is%3Aissue+): indicates that the issue should be worked on either currently soon, ideally in time for the next release. Add with `/priority important-soon`.
+  * [`priority/important-longterm`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Apriority%2Fimportant-longterm+is%3Aissue+): indicates that the issue is not important for now, but should be worked on in one of the upcoming releases. Add with `/priority important-longterm`.
+  * [`priority/backlog`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Apriority%2Fbacklog+is%3Aissue+): Indicates that the issue has the lowest priority. Add with `/priority backlog`.
+* Other: 
+  * [`help wanted`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22): indicates that the issue needs help from a contributor. Add with `/help`.
+  * [`good first issue`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22): indicates that the issue needs help from a contributor and is a good first issue for new contributors. Add with `/good-first-issue`.
--- a/MANUAL_RELEASE.md
+++ b/MANUAL_RELEASE.md
@ -0,0 +1,300 @@
+# RELEASE PROCESS
+
+## 1. BUILD the new Ingress-Nginx-Controller image
+
+### a. Make changes in codebase
+
+- Make changes as per issue
+
+### b. Make changes to appropriate files in [images directory ](images)
+
+- Make changes in /images
+
+### c. Create Pull Request
+
+- Open a Pull Request for your changes considering the following steps to fire cloudbuild of a new image for the Ingress-Nginx-Controller:
+
+  - In case of rare CVE fix or other reason to rebuild the nginx-base-image itself, look at the /images directory  [NGINX Base Image](https://github.com/kubernetes/ingress-nginx/tree/main/images/nginx).
+
+  - Example [NGINX_VERSION](images/nginx/rootfs/build.sh#L21), [SHA256](images/nginx/rootfs/build.sh#L124).
+
+  - If you are updating any component in [build.sh](images/nginx/rootfs/build.sh) please also update the SHA256 checksum of that component as well, the cloud build will fail with an exit 10 if not.
+
+### d. Merge
+
+- Merging will fire cloudbuild, which will result in images being promoted to the [staging container registry](https://console.cloud.google.com/gcr/images/k8s-staging-ingress-nginx).
+
+### e. Make sure cloudbuild is a success
+
+- Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx). If you don't have access to cloudbuild, you can also have a look at [this](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), to see the progress of the build.
+
+- Proceed only after cloud-build is successful in building a new Ingress-Nginx-Controller image.
+
+
+## 2. If applicable, BUILD other images
+
+- If applicable, then build a new image of any other related component, ONLY IF APPLICABLE TO THE RELEASE
+
+### a. If applicable then make changes in relevant codebase
+
+- Change code as per issue
+
+### b. Make changes to appropriate files in [images directory ](images)
+
+- Sometimes, you may also be needing to rebuild, images for one or multiple other related components of the Ingress-Nginx-Controller ecosystem. Make changes to the required files in the /images directory, if/as applicable, in the context of the release you are attempting.  :
+
+  - [e2e](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e-image)
+
+    - Update references to e2e-test-runner image [If applicable] :
+
+      - [e2e-image](https://github.com/kubernetes/ingress-nginx/blob/main/test/e2e-image/Dockerfile#L1)
+      - [run-in-docker.sh](https://github.com/kubernetes/ingress-nginx/blob/main/build/run-in-docker.sh#L37)
+
+  - [test-runner](https://github.com/kubernetes/ingress-nginx/tree/main/images/test-runner)
+
+  - [echo](https://github.com/kubernetes/ingress-nginx/tree/main/images/echo)
+
+  - [cfssl](https://github.com/kubernetes/ingress-nginx/tree/main/images/cfssl)
+
+  - [fastcgi-helloserver](https://github.com/kubernetes/ingress-nginx/tree/main/images/fastcgi-helloserver)
+
+  - [httpbin](https://github.com/kubernetes/ingress-nginx/tree/main/images/httpbin)
+
+  - [kube-webhook-certgen](https://github.com/kubernetes/ingress-nginx/tree/main/images/kube-webhook-certgen)
+
+### c. Create PR
+
+- Open pull request(s) accordingly, to fire cloudbuild for rebuilding the component's image (if applicable).
+
+### d. Merge
+
+- Merging will fire cloudbuild, which will result in images being promoted to the [staging container registry](https://console.cloud.google.com/gcr/images/k8s-staging-ingress-nginx).
+
+### e. Make sure cloudbuild is a success
+
+- Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx). If you don't have access to cloudbuild, you can also have a look at [this](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), to see the progress of the build.
+
+- Proceed only after cloud-build is successful in building a new Ingress-Nginx-Controller image.
+
+
+## 3. PROMOTE the Image(s):
+
+Promoting the images basically means that images, that were pushed to staging container registry in the steps above, now are also pushed to the public container registry. Thus are publicly available. Follow these steps to promote images:
+
+### a. Get the sha
+
+- Get the sha of the new image(s) of the controller, (and any other component image IF APPLICABLE to release), from the cloudbuild, from steps above
+
+  - The sha is available in output from [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx)
+
+  - The sha is also visible here https://console.cloud.google.com/gcr/images/k8s-staging-ingress-nginx/global/controller
+
+  - The sha is also visible [here](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), after cloud build is finished. Click on the respective job, go to `Artifacts` section in the UI, then again `artifacts` in the directory browser. In the `build.log` at the very bottom you see something like this:
+
+  ```
+  ...
+  pushing manifest for us-central1-docker.pkg.dev/k8s-staging-images/ingress-nginx/controller:v1.0.2@sha256:e15fac6e8474d77e1f017edc33d804ce72a184e3c0a30963b2a0d7f0b89f6b16
+  ...
+  ```
+
+### b. Add the new image to [k8s.io](http://github.com/kubernetes/k8s.io)
+
+- The sha(s) from the step before (and the tag(s) for the new image(s) have to be added, as a new line, in a file, of the [k8s.io](http://github.com/kubernetes/k8s.io) project of Kubernetes organization.
+
+- Fork that other project (if you don't have a fork already).
+
+- Other project to fork  [GitHub repo kubernetes/k8s.io](http://github.com/kubernetes/k8s.io)
+
+- Fetch --all and rebase to upstream if already forked.
+
+- Create a branch in your fork, named as the issue number for this release
+
+- In the related branch, of your fork, edit the file /registry.k8s.io/images/k8s-staging-ingress-nginx/images.yaml.
+
+- For making, it easier, you can edit your branch directly in the browser. But be careful about making any mistake.
+
+- Insert the sha(s) & the tag(s), in a new line, in this file [Project kubernetes/k8s.io Ingress-Nginx-Controller Images](https://github.com/kubernetes/k8s.io/blob/main/registry.k8s.io/images/k8s-staging-ingress-nginx/images.yaml)  Look at this [example PR and the diff](https://github.com/kubernetes/k8s.io/pull/2536) to see how it was done before
+
+- Save and commit
+
+### c. Create PR
+
+- Open pull request to promote the new controller image.
+
+### d. Merge
+
+- Merge success is required for next step
+
+- Proceed only after cloud-build is successful in building a new Ingress-Nginx-Controller image.
+
+
+## 4. PREPARE for a new Release
+
+- Make sure to get the tag and sha of the promoted image from the step before, either from cloudbuild or from [here](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/ingress-nginx/controller).
+
+- This involves editing of several files. So carefully follow the steps below and double check all changes with diff/grep etc., repeatedly. Mistakes here impact endusers.
+
+### a. Make sure your git workspace is ready
+
+- Get your git workspace ready
+
+  - If not using a pre-existing fork, then Fork the repo kubernetes/ingress-nginx
+
+  - Clone (to laptop or wherever)
+
+  - Add upstream
+
+  - Set upstream url to no_push
+
+  - Checkout & switch to branch, named as per related new-release-issue-number
+
+  - If already forked, and upstream already added, then `git fetch --all` and `git rebase upstream/main` (not  origin)
+
+  - Checkout a branch in your fork's clone
+
+  - Perform any other diligence as needed
+
+- Prefer to edit only and only in your branch, in your Fork
+
+### b. Edit the semver tag
+  - [TAG](https://github.com/kubernetes/ingress-nginx/blob/main/TAG#L1)
+
+### c. Edit the helm Chart
+  - Change the below-mentioned [Fields in Chart.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/Chart.yaml)
+    - version
+    - appVersion
+    - kubeVersion (**ONLY if applicable**)
+    - annotations
+      - artifacthub.io/prerelease: "true"
+      - artifacthub.io/changes: |
+        - Replace this line and other lines under this annotation with the Changelog. One process to generate the Changelog is described below
+          - Install and configure GitHub cli as per the docs of gh-cli  https://cli.github.com/,
+          - Change dir to your clone, of your fork, of the ingress-nginx project
+          - Run the below command and save the output to a txt file
+
+            ```
+            gh pr list -R kubernetes/ingress-nginx -s merged -L 38 -B main | cut -f1,2 | tee ~/Downloads/prlist.txt
+            ```
+            - The -L 38 was used for 2 reasons.
+              - Default number of results is 30 and there were more than 30 PRs merged while releasing v1.1.1. If you see the current/soon-to-be-old changelog, you can look at the most recent PR number that has been accounted for already, and start from after that last accounted for PR.
+              -  The other reason to use -L 38 was to omit the 39th, the 40th and the 41st line in the resulting list. These were non-relevant PRs.
+            - If you save the output of above command to a file called prlist.txt. It looks somewhat like this ;
+
+              ```
+              % cat ~/Downloads/prlist.txt
+              8129    fix syntax in docs for multi-tls example
+              8120    Update go in runner and release v1.1.1
+              8119    Update to go v1.17.6
+              8118    Remove deprecated libraries, update other libs
+              8117    Fix codegen errors
+              8115    chart/ghaction: set the correct permission to have access to push a release
+              ....
+              ```
+              You can delete the lines, that refer to PRs of the release process itself. We only need to list the feature/bugfix PRs. You can also delete the lines that are housekeeping or not really worth mentioning in the changelog.
+          -  you use some easy automation in bash/python/other, to get the PR-List that can be used in the changelog. For example, it's possible to use a bash scripty way, seen below, to convert those plaintext PR numbers into clickable links.
+
+            ```
+            #!/usr/bin/bash
+
+            file="$1"
+
+            while read -r line; do
+              pr_num=`echo "$line" | cut -f1`
+              pr_title=`echo "$line" | cut -f2`
+              echo "[$pr_num](https://github.com/kubernetes/ingress-nginx/pull/$pr_num) $pr_title"
+            done <$file
+
+            ```
+          - There was a parsing issue and path issue on MacOS, so above script had to be modified and MacOS monterey compatible script is below ;
+
+            ```
+            #!/bin/bash
+
+            file="$1"
+
+            while read -r line; do
+              pr_num=`echo "$line" | cut -f1`
+              pr_title=`echo "$line" | cut -f2`
+              echo \""[$pr_num](https://github.com/kubernetes/ingress-nginx/pull/$pr_num) $pr_title"\"
+            done <$file
+
+            ```
+          - If you saved the bash script content above, in a file like `$HOME/bin/prlist_to_changelog.sh`, then you could execute a command like this to get your prlist in a text file called changelog_content.txt;`
+
+          ```
+          prlist_to_changelog.sh ~/Downloads/prlist.txt | tee ~/Downloads//changelog_content.txt
+          ```
+
+### d. Edit the values.yaml and run helm-docs
+
+  - [Fields to edit in values.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml)
+
+    - tag
+    - digest
+
+  - [helm-docs](https://github.com/norwoodj/helm-docs) is a tool that generates the README.md for a Helm chart automatically. In the CI pipeline workflow of GitHub actions (.github/workflows/ci.yaml), you can see how helm-docs is used. The CI pipeline is not designed to make commits back into the project, so we need to run helm-docs manually and commit the resulting generated README.md. You can obtain a recent version of the helm-docs binary here: https://github.com/norwoodj/helm-docs/releases.
+    ```
+    helm-docs --chart-search-root charts
+    git diff charts/ingress-nginx/README.md
+    ```
+    Take care of not leaving the helm-docs executable in your clone workspace or not committing the new README.md.
+
+### e. Edit the static manifests
+
+  - Prepare to use a script to update the edit the static manifests and set the "image", "digest", "version" etc. fields to the desired value.
+
+  - This script depends on kustomize and helm. The versions are pinned in `hack/.tool-versions` and you can use [asdf](https://github.com/asdf-vm/asdf#asdf) to install them
+
+  - Execute the script to update static manifests using that script [hack/generate-deploy-scripts.sh](https://github.com/kubernetes/ingress-nginx/blob/main/hack/generate-deploy-scripts.sh)
+  - Open some of the manifests and check if the script worked properly
+
+  - Use `grep -ir image: | less` on the deploy directory, to view for any misses by the script on image digest value or other undesired changes. The script should properly set the image and the digest fields to the desired tag and semver
+
+
+### f. Edit the changelog
+
+  [Changelog.md](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md)
+- Each time a release is made, a new section is added to the Changelog.md file
+- A new section in the Changelog.md file consists of 3 components listed below
+  - the "Image"
+  - the "Description"
+  - the "PRs list"
+- Look at the previous content to understand what the 3 components look like.
+- You can easily get the "Image" from a yaml manifest but be sure to look at a manifest in your git clone now and not the upstream on github. This is because, if you are following this documentation, then you generated manifests with new updated digest for the image, in step 4e above. You also most likely promoted the new image in a step above. Look at the previous release section in Changelog.md. The format looks like `registry.k8s.io/ingress-nginx/controller:.......`. One example of a yaml file to look at is /deploy/static/provider/baremetal/deploy.yaml (in your git clone branch and not on the upstream).
+- Next, you need to have a good overview of the changes introduced in this release and based on that you write a description. Look at previous descriptions. Ask the ingress-nginx-dev channel if required.
+- And then you need to add a list of the PRs merged, since the previous release.
+- One process to generate this list of PRs is already described above in step 4c. So if you are following this document, then you have done this already and very likely have retained the file containing the list of PRs, in the format that is needed.
+
+### g. Edit the Documentation:
+
+- Update the version in [docs/deploy/index.md](docs/deploy/index.md)
+- Update Supported versions in the Support Versions table in the README.md
+- Execute the script to update e2e docs [hack/generate-e2e-suite-doc.sh](https://github.com/kubernetes/ingress-nginx/blob/main/hack/generate-e2e-suite-doc.sh)
+
+### h. Update README.md
+
+- Update the table in README.md in the root of the project to reflect the support matrix. Add the new release version and details in there.
+
+## 5. RELEASE new version
+
+### a. Create PR
+
+- Open PR for releasing the new version of the Ingress-Nginx-Controller ;
+  - Look at this PR for how it was done before [example PR](https://github.com/kubernetes/ingress-nginx/pull/7490)
+  - Create a PR
+
+### b. Merge
+
+- Merge should produce manifests as well as chart
+- Check
+ - `helm repo update`
+ - `helm search repo ingress-nginx`
+
+## 6. GitHub release
+
+- Release to github
+
+- Edit the ghpages file as needed
+
+## TODO
+- Automate & simplify as much as possible, whenever possible, however possible
--- a/165
+++ b/165
@ -29,11 +29,16 @@ SHELL=/bin/bash -o pipefail -o errexit
 # Use the 0.0 tag for testing, it shouldn't clobber any release builds
 TAG ?= $(shell cat TAG)

+# The env below is called GO_VERSION and not GOLANG_VERSION because 
+# the gcb image we use to build already defines GOLANG_VERSION and is a 
+# really old version
+GO_VERSION ?= $(shell cat GOLANG_VERSION)
+
 # e2e settings
 # Allow limiting the scope of the e2e tests. By default run everything
-FOCUS ?= .*
+FOCUS ?=
 # number of parallel test
-E2E_NODES ?= 8
+E2E_NODES ?= 7
 # run e2e test suite with tests that check for memory leaks? (default is false)
 E2E_CHECK_LEAKS ?=

@ -49,19 +54,24 @@ ifeq ($(ARCH),)
    $(error mandatory variable ARCH is empty, either set it when calling the command or make sure 'go env GOARCH' works)
 endif

-REGISTRY ?= gcr.io/k8s-staging-ingress-nginx
+ifneq ($(PLATFORM),)
+	PLATFORM_FLAG="--platform"
+endif

-BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:v20200812-g0673e5e17@sha256:3bafc6840f2477c05eb029580fa8ecf4bd33b0f0765e3cd9cc82ad91f817ccf3
+REGISTRY ?= us-central1-docker.pkg.dev/k8s-staging-images/ingress-nginx
+
+BASE_IMAGE ?= $(shell cat NGINX_BASE)

 GOARCH=$(ARCH)

 help:  ## Display this help
-	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z0-9_-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)

 .PHONY: image
 image: clean-image ## Build image for a particular arch.
 	echo "Building docker image ($(ARCH))..."
-	@docker build \
+	docker build \
+		${PLATFORM_FLAG} ${PLATFORM} \
 		--no-cache \
 		--build-arg BASE_IMAGE="$(BASE_IMAGE)" \
 		--build-arg VERSION="$(TAG)" \
@ -70,89 +80,123 @@ image: clean-image ## Build image for a particular arch.
 		--build-arg BUILD_ID="$(BUILD_ID)" \
 		-t $(REGISTRY)/controller:$(TAG) rootfs

+.PHONY: gosec
+gosec:
+	docker run --rm -it -w /source/ -v "$(pwd)"/:/source securego/gosec:2.11.0 -exclude=G109,G601,G104,G204,G304,G306,G307 -tests=false -exclude-dir=test -exclude-dir=images/  -exclude-dir=docs/ /source/...
+
+.PHONY: image-chroot
+image-chroot: clean-chroot-image ## Build image for a particular arch.
+	echo "Building docker image ($(ARCH))..."
+	docker build \
+		--no-cache \
+		--build-arg BASE_IMAGE="$(BASE_IMAGE)" \
+		--build-arg VERSION="$(TAG)" \
+		--build-arg TARGETARCH="$(ARCH)" \
+		--build-arg COMMIT_SHA="$(COMMIT_SHA)" \
+		--build-arg BUILD_ID="$(BUILD_ID)" \
+		-t $(REGISTRY)/controller-chroot:$(TAG) rootfs -f rootfs/Dockerfile-chroot
+
 .PHONY: clean-image
 clean-image: ## Removes local image
 	echo "removing old image $(REGISTRY)/controller:$(TAG)"
 	@docker rmi -f $(REGISTRY)/controller:$(TAG) || true

+
+.PHONY: clean-chroot-image
+clean-chroot-image: ## Removes local image
+	echo "removing old image $(REGISTRY)/controller-chroot:$(TAG)"
+	@docker rmi -f $(REGISTRY)/controller-chroot:$(TAG) || true
+
+
 .PHONY: build
 build:  ## Build ingress controller, debug tool and pre-stop hook.
-	@build/run-in-docker.sh \
+	E2E_IMAGE=golang:$(GO_VERSION)-alpine3.21 USE_SHELL=/bin/sh build/run-in-docker.sh \
+		MAC_OS=$(MAC_OS) \
 		PKG=$(PKG) \
 		ARCH=$(ARCH) \
 		COMMIT_SHA=$(COMMIT_SHA) \
 		REPO_INFO=$(REPO_INFO) \
 		TAG=$(TAG) \
-		GOBUILD_FLAGS=$(GOBUILD_FLAGS) \
 		build/build.sh

-.PHONY: build-plugin
-build-plugin:  ## Build ingress-nginx krew plugin.
-	@build/run-in-docker.sh \
-		PKG=$(PKG) \
-		ARCH=$(ARCH) \
-		COMMIT_SHA=$(COMMIT_SHA) \
-		REPO_INFO=$(REPO_INFO) \
-		TAG=$(TAG) \
-		GOBUILD_FLAGS=$(GOBUILD_FLAGS) \
-		build/build-plugin.sh

 .PHONY: clean
 clean: ## Remove .gocache directory.
 	rm -rf bin/ .gocache/ .cache/

+.PHONY: verify-docs
+verify-docs: ## Verify doc generation
+	hack/verify-annotation-docs.sh
+
 .PHONY: static-check
 static-check: ## Run verification script for boilerplate, codegen, gofmt, golint, lualint and chart-lint.
 	@build/run-in-docker.sh \
+	    MAC_OS=$(MAC_OS) \
 		hack/verify-all.sh

+.PHONY: golint-check
+golint-check:
+	@build/run-in-docker.sh \
+	    MAC_OS=$(MAC_OS) \
+		hack/verify-golint.sh
+
+###############################
+# Tests for ingress-nginx
+###############################
+
 .PHONY: test
 test:  ## Run go unit tests.
 	@build/run-in-docker.sh \
 		PKG=$(PKG) \
+		MAC_OS=$(MAC_OS) \
 		ARCH=$(ARCH) \
 		COMMIT_SHA=$(COMMIT_SHA) \
 		REPO_INFO=$(REPO_INFO) \
 		TAG=$(TAG) \
-		GOBUILD_FLAGS=$(GOBUILD_FLAGS) \
-		build/test.sh
+		GOFLAGS="-buildvcs=false" \
+		test/test.sh

 .PHONY: lua-test
 lua-test: ## Run lua unit tests.
 	@build/run-in-docker.sh \
-		BUSTED_ARGS=$(BUSTED_ARGS) \
-		build/test-lua.sh
+		MAC_OS=$(MAC_OS) \
+		test/test-lua.sh

 .PHONY: e2e-test
 e2e-test:  ## Run e2e tests (expects access to a working Kubernetes cluster).
-	@build/run-e2e-suite.sh
+	@test/e2e/run-e2e-suite.sh
+
+.PHONY: kind-e2e-test
+kind-e2e-test:  ## Run e2e tests using kind.
+	@test/e2e/run-kind-e2e.sh
+
+.PHONY: kind-e2e-chart-tests
+kind-e2e-chart-tests: ## Run helm chart e2e tests
+	@test/e2e/run-chart-test.sh

 .PHONY: e2e-test-binary
 e2e-test-binary:  ## Build binary for e2e tests.
 	@build/run-in-docker.sh \
+		MAC_OS=$(MAC_OS) \
 		ginkgo build ./test/e2e

 .PHONY: print-e2e-suite
 print-e2e-suite: e2e-test-binary ## Prints information about the suite of e2e tests.
 	@build/run-in-docker.sh \
+		MAC_OS=$(MAC_OS) \
 		hack/print-e2e-suite.sh

-.PHONY: cover
-cover:  ## Run go coverage unit tests.
-	@build/cover.sh
-	echo "Uploading coverage results..."
-	@curl -s https://codecov.io/bash | bash
-
 .PHONY: vet
 vet:
 	@go vet $(shell go list ${PKG}/internal/... | grep -v vendor)

 .PHONY: check_dead_links
 check_dead_links: ## Check if the documentation contains dead links.
-	@docker run -t \
-	  -v $$PWD:/tmp aledbf/awesome_bot:0.1 \
+	@docker run ${PLATFORM_FLAG} ${PLATFORM} -t \
+	  -w /tmp \
+	  -v $$PWD:/tmp dkhamsing/awesome_bot:1.20.0 \
 	  --allow-dupe \
-	  --allow-redirect $(shell find $$PWD -mindepth 1 -name "*.md" -printf '%P\n' | grep -v vendor | grep -v Changelog.md)
+	  --allow-redirect $(shell find $$PWD -mindepth 1 -name vendor -prune -o -name .modcache -prune -o -iname Changelog.md -prune -o -name "*.md" | sed -e "s#$$PWD/##")

 .PHONY: dev-env
 dev-env:  ## Starts a local Kubernetes cluster using kind, building and deploying the ingress controller.
@ -162,29 +206,28 @@ dev-env:  ## Starts a local Kubernetes cluster using kind, building and deployin
 dev-env-stop: ## Deletes local Kubernetes cluster created by kind.
 	@kind delete cluster --name ingress-nginx-dev

+
+
 .PHONY: live-docs
-live-docs: ## Build and launch a local copy of the documentation website in http://localhost:3000
-	@docker run --rm -it \
+live-docs: ## Build and launch a local copy of the documentation website in http://localhost:8000
+	@docker build ${PLATFORM_FLAG} ${PLATFORM} \
+                  		--no-cache \
+                  		 -t ingress-nginx-docs .github/actions/mkdocs
+	@docker run ${PLATFORM_FLAG} ${PLATFORM} --rm -it \
 		-p 8000:8000 \
 		-v ${PWD}:/docs \
-		squidfunk/mkdocs-material:5.2.3
+		--entrypoint /bin/bash   \
+		ingress-nginx-docs \
+		-c "pip install -r /docs/docs/requirements.txt && mkdocs serve --dev-addr=0.0.0.0:8000"

 .PHONY: misspell
 misspell:  ## Check for spelling errors.
-	@go get github.com/client9/misspell/cmd/misspell
+	@go install github.com/client9/misspell/cmd/misspell@latest
 	misspell \
 		-locale US \
 		-error \
 		cmd/* internal/* deploy/* docs/* design/* test/* README.md

-.PHONY: kind-e2e-test
-kind-e2e-test:  ## Run e2e tests using kind.
-	@test/e2e/run.sh
-
-.PHONY: kind-e2e-chart-tests
-kind-e2e-chart-tests: ## Run helm chart e2e tests
-	@test/e2e/run-chart-test.sh
-
 .PHONY: run-ingress-controller
 run-ingress-controller: ## Run the ingress controller locally using a kubectl proxy connection.
 	@build/run-ingress-controller.sh
@ -197,25 +240,43 @@ ensure-buildx:
 show-version:
 	echo -n $(TAG)

-PLATFORMS ?= amd64 arm arm64 s390x
-
-EMPTY :=
-SPACE := $(EMPTY) $(EMPTY)
-COMMA := ,
+PLATFORMS ?= amd64 arm arm64
+BUILDX_PLATFORMS ?= linux/amd64,linux/arm,linux/arm64

 .PHONY: release # Build a multi-arch docker image
 release: ensure-buildx clean
 	echo "Building binaries..."
 	$(foreach PLATFORM,$(PLATFORMS), echo -n "$(PLATFORM)..."; ARCH=$(PLATFORM) make build;)

-	echo "Building and pushing ingress-nginx image..."
-	@docker buildx build \
+	echo "Building and pushing ingress-nginx image...$(BUILDX_PLATFORMS)"
+
+	docker buildx build \
 		--no-cache \
+		$(MAC_DOCKER_FLAGS) \
 		--push \
+		--pull \
 		--progress plain \
-		--platform $(subst $(SPACE),$(COMMA),$(PLATFORMS)) \
+		--platform $(BUILDX_PLATFORMS) \
 		--build-arg BASE_IMAGE="$(BASE_IMAGE)" \
 		--build-arg VERSION="$(TAG)" \
 		--build-arg COMMIT_SHA="$(COMMIT_SHA)" \
 		--build-arg BUILD_ID="$(BUILD_ID)" \
 		-t $(REGISTRY)/controller:$(TAG) rootfs
+
+	docker buildx build \
+		--no-cache \
+		$(MAC_DOCKER_FLAGS) \
+		--push \
+		--pull \
+		--progress plain \
+		--platform $(BUILDX_PLATFORMS)  \
+		--build-arg BASE_IMAGE="$(BASE_IMAGE)" \
+		--build-arg VERSION="$(TAG)" \
+		--build-arg COMMIT_SHA="$(COMMIT_SHA)" \
+		--build-arg BUILD_ID="$(BUILD_ID)" \
+		-t $(REGISTRY)/controller-chroot:$(TAG) rootfs -f rootfs/Dockerfile-chroot
+
+.PHONY: build-docs
+build-docs:
+	pip install -r docs/requirements.txt
+	mkdocs build --config-file mkdocs.yml
--- a/NEW_CONTRIBUTOR.md
+++ b/NEW_CONTRIBUTOR.md
@ -0,0 +1,852 @@
+## New Contributor Tips
+
+Welcome to the Ingress Nginx new contributor tips.
+This guide briefly outlines the necessary knowledge & tools, required to start working on Ingress-NGINX Issues.
+
+### Prerequisites
+- Basic understanding of linux
+- Familiarity with the command line on linux
+- OSI Model(Links below)
+
+### Introduction
+It all starts with the OSI model...
+> The Open Systems Interconnection (OSI) model describes seven layers that computer systems use to communicate over a network. It was the first standard model for network communications, adopted by all major computer and telecommunication companies
+
+![Describes the 7 Layers of the OSI Model](https://i.imgur.com/qF0KjBq.png)
+
+#### Reading material for OSI Model
+[OSI Model CertificationKits](https://www.certificationkits.com/cisco-certification/cisco-ccna-640-802-exam-certification-guide/cisco-ccna-the-osi-model/)
+
+### Approaching the problem
+
+
+Not everybody knows everything. But the factors that help are a love/passion for this to begin. But to move forward, it's the approach and not the knowledge that sustains prolonged joy, while working on issues. If the approach is simple and powered by good-wishes-for-community, then info & tools are forthcoming and easy.
+
+Here we take a bird's eye-view of the hops in the network plumbing, that a packet takes, from source to destination, when we run `curl`, from a laptop to a nginx webserver process, running in a container, inside a pod, inside a Kubernetes cluster, created using `kind` or `minikube` or any other cluster-management tool.
+
+### [Kind](https://kind.sigs.k8s.io/) cluster example on a Linux Host
+
+#### TL;DR
+The destination of the packet from the curl command, is looked up, in the `routing table`. Based on the route, the packet first travels to the virtual bridge `172.18.0.1` interface, created by docker, when we created the kind cluster on a laptop. Next the packet is forwarded to `172.18.0.2`(See below on how we got this IP address), within the kind cluster. The `kube-proxy` container creates iptables rules that make sure the packet goes to the correct pod ip in this case `10.244.0.5`
+
+Command:
+```
+# docker ps
+CONTAINER ID   IMAGE                  COMMAND                  CREATED       STATUS          PORTS                       NAMES
+230e7246a32c   kindest/node:v1.24.1   "/usr/local/bin/entr…"   2 weeks ago   Up 54 seconds   127.0.0.1:38143->6443/tcp   kind-control-plane
+
+# docker inspect kind-control-plane -f '{{ .NetworkSettings.Networks.kind.IPAddress }}'
+172.18.0.2
+
+```
+
+
+
+If this part is confusing, you would first need to understand what a [bridge](https://tldp.org/HOWTO/BRIDGE-STP-HOWTO/what-is-a-bridge.html) is and what [docker network](https://docs.docker.com/network/) is.
+
+
+
+#### The journey of a curl packet.
+Let's begin with creating a [Kind](https://kind.sigs.k8s.io/docs/user/quick-start/) Cluster on your laptop
+```
+# kind create cluster
+```
+This will create a cluster called `kind`, to view the clusters type
+```
+# kind get clusters                                                                                                                              
+kind
+```
+Kind ships with `kubectl`, so we can use that to communicate with our clusters.
+```
+# kubectl get no -o wide                                                                                                                             
+NAME                 STATUS   ROLES           AGE     VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE       KERNEL-VERSION    CONTAINER-RUNTIME
+kind-control-plane   Ready    control-plane   5d23h   v1.24.1   172.18.0.2    <none>        Ubuntu 21.10   5.18.12-arch1-1   containerd://1.6.4
+```
+Kind creates  a cluster using docker container as nodes, it does this using [containerd](https://containerd.io/) within the docker container.
+The concept of Docker in Docker is very important here.
+
+To start with simply create a nginx deployment using `kubectl`.
+```
+# kubectl create deployment nginx --image nginx:alpine --port=80
+deployment.apps/nginx created
+```
+Then we expose this as a NodePort Service.
+```
+# kubectl expose deployment/nginx --type=NodePort
+service/nginx-new exposed
+```
+Command: Now we can see that the service has been exposed.
+```
+# kubectl get svc -o wide
+NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE     SELECTOR
+nginx          NodePort    10.96.176.241   <none>        80:32329/TCP   4d8h    app=nginx
+```
+Output Relevance: From the above output, we can see that our nginx pod is being exposed as the `NodePort` service type, and now we can curl the Node IP `172.18.0.2` with the exposed port `32329`
+
+Command: The pod has an IP as shown below
+```
+# kubectl get po -o wide                                                                                                                            
+NAME                               READY   STATUS    RESTARTS      AGE     IP            NODE                 NOMINATED NODE   READINESS GATES
+nginx-6c8b449b8f-pdvdk             1/1     Running   1 (32h ago)   4d8h    10.244.0.5    kind-control-plane   <none>           <none>
+```
+
+Command: We can use `curl` on the laptop to view the nginx container that is running on port `32329`.
+
+```
+# curl  172.18.0.2:32329
+
+<!DOCTYPE html>
+<html>
+<head>
+<title>Welcome to nginx!</title>
+<style>
+html { color-scheme: light dark; }
+body { width: 35em; margin: 0 auto;
+font-family: Tahoma, Verdana, Arial, sans-serif; }
+</style>
+</head>
+<body>
+<h1>Welcome to nginx!</h1>
+<p>If you see this page, the nginx web server is successfully installed and
+working. Further configuration is required.</p>
+
+<p>For online documentation and support please refer to
+<a href="http://nginx.org/">nginx.org</a>.<br/>
+Commercial support is available at
+<a href="http://nginx.com/">nginx.com</a>.</p>
+
+<p><em>Thank you for using nginx.</em></p>
+</body>
+</html>
+```
+Now, we can check the ip interfaces as well subnets for our system is connected to:
+
+```
+$ ifconfig
+ethbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
+        inet 192.168.31.9  netmask 255.255.255.0  broadcast 192.168.31.255
+        inet6 fe80::7530:9ae5:3e8d:e45a  prefixlen 64  scopeid 0x20<link>
+        ether 2e:90:b3:e8:52:5b  txqueuelen 1000  (Ethernet)
+        RX packets 31220566  bytes 44930589084 (41.8 GiB)
+        RX errors 0  dropped 0  overruns 0  frame 0
+        TX packets 18104006  bytes 1757183680 (1.6 GiB)
+        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+
+br-2fffe5cd5d9e: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
+        inet 172.18.0.1  netmask 255.255.0.0  broadcast 172.18.255.255
+        inet6 fc00:f853:ccd:e793::1  prefixlen 64  scopeid 0x0<global>
+        inet6 fe80::42:12ff:fed3:8fb0  prefixlen 64  scopeid 0x20<link>
+        inet6 fe80::1  prefixlen 64  scopeid 0x20<link>
+        ether 02:42:12:d3:8f:b0  txqueuelen 0  (Ethernet)
+        RX packets 3547  bytes 414792 (405.0 KiB)
+        RX errors 0  dropped 0  overruns 0  frame 0
+        TX packets 6267  bytes 8189931 (7.8 MiB)
+        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
+        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
+        inet6 fe80::42:a2ff:fe09:5edb  prefixlen 64  scopeid 0x20<link>
+        ether 02:42:a2:09:5e:db  txqueuelen 0  (Ethernet)
+        RX packets 14  bytes 2143 (2.0 KiB)
+        RX errors 0  dropped 0  overruns 0  frame 0
+        TX packets 40  bytes 6406 (6.2 KiB)
+        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+```
+From the above output we can see that, there are two bridges connected to our systems network interface,one is the docker default bridge`docker0` and the other created by kind
+`br-2fffe5cd5d9e`.
+
+Since kind creates nodes as containers, this is easily accessible via `docker ps`.
+```
+$ docker ps
+
+CONTAINER ID   IMAGE                  COMMAND                  CREATED      STATUS        PORTS                       NAMES
+230e7246a32c   kindest/node:v1.24.1   "/usr/local/bin/entr…"   6 days ago   Up 33 hours   127.0.0.1:38143->6443/tcp   kind-control-plane
+```
+If we do a docker `exec` we can enter the container, we can also see the network interfaces within the container.
+```
+# docker exec -it 230e7246a32c bash
+
+# root@kind-control-plane:/# ip a
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+    inet 127.0.0.1/8 scope host lo
+       valid_lft forever preferred_lft forever
+    inet6 ::1/128 scope host
+       valid_lft forever preferred_lft forever
+2: vethdb0d1da1@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether a2:a1:ce:08:d2:39 brd ff:ff:ff:ff:ff:ff link-netns cni-ddc25710-030a-cc05-c600-5a183fae01f7
+    inet 10.244.0.1/32 scope global vethdb0d1da1
+       valid_lft forever preferred_lft forever
+3: veth4d76603f@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether 9a:9b:6b:3e:d1:53 brd ff:ff:ff:ff:ff:ff link-netns cni-f2270000-8fc8-6f89-e56b-4759ae10a084
+    inet 10.244.0.1/32 scope global veth4d76603f
+       valid_lft forever preferred_lft forever
+4: vethcc2586d6@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether 52:f9:20:63:62:a2 brd ff:ff:ff:ff:ff:ff link-netns cni-97e337cd-1322-c1fa-7523-789af94f397f
+    inet 10.244.0.1/32 scope global vethcc2586d6
+       valid_lft forever preferred_lft forever
+5: veth783189a9@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether ba:e1:55:1f:6f:12 brd ff:ff:ff:ff:ff:ff link-netns cni-90849001-668a-03d2-7d9e-192de79ccc59
+    inet 10.244.0.1/32 scope global veth783189a9
+       valid_lft forever preferred_lft forever
+6: veth79c98c12@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether 22:05:55:c7:86:e9 brd ff:ff:ff:ff:ff:ff link-netns cni-734dfac9-9f70-ab33-265b-21569d90312a
+    inet 10.244.0.1/32 scope global veth79c98c12
+       valid_lft forever preferred_lft forever
+7: veth5b221c83@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether 92:3f:04:54:72:5a brd ff:ff:ff:ff:ff:ff link-netns cni-d8f6666b-1cfb-ef08-4bf8-237a7fc32da2
+    inet 10.244.0.1/32 scope global veth5b221c83
+       valid_lft forever preferred_lft forever
+8: vethad630fb8@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether 32:78:ec:f6:01:ea brd ff:ff:ff:ff:ff:ff link-netns cni-6cb3c179-cb17-3b81-2051-27231c44a3c4
+    inet 10.244.0.1/32 scope global vethad630fb8
+       valid_lft forever preferred_lft forever
+9: veth573a629b@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether e2:57:f8:c9:bc:94 brd ff:ff:ff:ff:ff:ff link-netns cni-d2dbb903-8310-57b4-7ba4-9f353dbc79dc
+    inet 10.244.0.1/32 scope global veth573a629b
+       valid_lft forever preferred_lft forever
+10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
+    inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0
+       valid_lft forever preferred_lft forever
+    inet6 fc00:f853:ccd:e793::2/64 scope global nodad
+       valid_lft forever preferred_lft forever
+    inet6 fe80::42:acff:fe12:2/64 scope link
+       valid_lft forever preferred_lft forever
+11: vethd7368e27@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether 8a:74:ec:f6:d6:c9 brd ff:ff:ff:ff:ff:ff link-netns cni-7c7eb9cd-bbb1-65b0-0480-b8f1265f2f36
+    inet 10.244.0.1/32 scope global vethd7368e27
+       valid_lft forever preferred_lft forever
+12: veth7cadbf2b@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether 12:48:10:b7:b8:f5 brd ff:ff:ff:ff:ff:ff link-netns cni-b39e37b5-1bc8-626a-a553-a0be2f94a117
+    inet 10.244.0.1/32 scope global veth7cadbf2b
+       valid_lft forever preferred_lft forever
+
+```
+When we run `curl  172.18.0.2:32329` on the laptop it first needs to figure out where `172.18.0.2`, to do this it refers to the host routing table.
+```
+sudo netstat -rn                                                                                                                           main 
+Kernel IP routing table
+Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
+0.0.0.0         192.168.31.1    0.0.0.0         UG        0 0          0 ethbr0
+172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
+172.18.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-2fffe5cd5d9e
+172.19.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-be5b544733a3
+192.168.31.0    0.0.0.0         255.255.255.0   U         0 0          0 ethbr0
+192.168.31.0    0.0.0.0         255.255.255.0   U         0 0          0 ethbr0
+192.168.39.0    0.0.0.0         255.255.255.0   U         0 0          0 virbr2
+192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0
+```
+Output Relevance: From the above output, you can see that the `iface`(Interface) for `172.18.0.0` is `br-2fffe5cd5d9e`, which means traffic that needs to go to `172.18.0.0` will go through `br-2fffe5cd5d9e` which is created by docker for the kind container (this is the node in case of kind cluster).
+
+Now we need to understand how the packet travels from the container interface to the pod with IP `10.244.0.5`. The component that handles this is called kube-proxy
+
+So what exactly is [kube-proxy](https://kubernetes.io/docs/concepts/overview/components/#kube-proxy):
+> Kube-Proxy is a network proxy that runs on each node in your cluster, implementing part of the Kubernetes Service concept.
+kube-proxy maintains network rules on nodes. These network rules allow network communication to your Pods from network sessions inside or outside of your cluster
+
+So, as we can see that kube proxy handles the network rules required to aid the communication to the pods, we will look at the [iptables](https://linux.die.net/man/8/iptables)
+> `iptables` is a command line interface used to set up and maintain tables for the Netfilter firewall for IPv4, included in the Linux kernel. The firewall matches packets with rules defined in these tables and then takes the specified action on a possible match. Tables is the name for a set of chains
+
+Command:
+```
+# iptables -t nat -L PREROUTING -n
+Chain PREROUTING (policy ACCEPT)
+target     prot opt source               destination
+KUBE-SERVICES  all  --  0.0.0.0/0            0.0.0.0/0            /* kubernetes service portals */
+DOCKER_OUTPUT  all  --  0.0.0.0/0            172.18.0.1
+CNI-HOSTPORT-DNAT  all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
+```
+
+```
+# iptables-save | grep PREROUTING
+-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
+```
+Output Relevance:
+> -A: append new iptable rule
+> -j: jump to the target
+> KUBE-SERVICES: target
+
+> The above output appends a new rule for PREROUTING which every network packet will go through first as they try to access any kubernetes service
+
+
+What is `PREROUTING` in iptables?
+>PREROUTING: This chain is used to make any routing related decisions before (PRE) sending any packets
+
+To dig in further we need to go to the target, `KUBE-SERVICES` for our nginx service.
+```
+# iptables -t nat -L KUBE-SERVICES -n| grep nginx
+KUBE-SVC-2CMXP7HKUVJN7L6M  tcp  --  0.0.0.0/0            10.96.176.241        /* default/nginx cluster IP */ tcp dpt:80
+```
+Command:
+```
+# iptables -t nat -L KUBE-SVC-2CMXP7HKUVJN7L6M -n
+Chain KUBE-SVC-2CMXP7HKUVJN7L6M (2 references)
+target     prot opt source               destination
+KUBE-MARK-MASQ  tcp  -- !10.244.0.0/16        10.96.176.241        /* default/nginx cluster IP */ tcp dpt:80
+KUBE-SEP-4IEO3WJHPKXV3AOH  all  --  0.0.0.0/0            0.0.0.0/0            /* default/nginx -> 10.244.0.5:80 */
+
+# iptables -t nat -L KUBE-MARK-MASQ -n
+Chain KUBE-MARK-MASQ (31 references)
+target     prot opt source               destination
+MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK or 0x4000
+
+# iptables -t nat -L KUBE-SEP-4IEO3WJHPKXV3AOH -n
+Chain KUBE-SEP-4IEO3WJHPKXV3AOH (1 references)
+target     prot opt source               destination
+KUBE-MARK-MASQ  all  --  10.244.0.5           0.0.0.0/0            /* default/nginx */
+DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/nginx */ tcp to:10.244.0.5:80
+```
+
+
+```
+iptables-save | grep 10.96.176.241
+
+-A KUBE-SERVICES -d 10.96.176.241/32 -p tcp -m comment --comment "default/nginx cluster IP" -m tcp --dport 80 -j KUBE-SVC-2CMXP7HKUVJN7L6M
+-A KUBE-SVC-2CMXP7HKUVJN7L6M ! -s 10.244.0.0/16 -d 10.96.176.241/32 -p tcp -m comment --comment "default/nginx cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
+```
+
+As you can see the rules added by `kube-proxy` helps the packet reach to the destination service.
+
+### Minikube KVM VM Example on Linux
+
+#### TL;DR
+Now we look at the curl packet journey on minikube. The `routing table` is looked up to know the destination of the curl packet. The packet then first travels to the virtual bridge `192.168.39.1`, created by minikube kvm2 driver, when we created the minikube cluster, on a linux laptop. Then this packet is forwarded to `192.168.39.57`, within the minikube VM. We have docker containers running in the VM. Among them, the `kube-proxy` container creates iptables rules that make sure the packet goes to the correct pod ip, in this case `172.17.0.4`.
+
+
+To begin with the minikube example, we first need to create a minikube cluster on a linux laptop. In this example I'll be using the `kvm2` driver option for `minikube start` command, as default.
+
+```
+minikube start
+😄  minikube v1.26.0 on Arch "rolling"
+🆕  Kubernetes 1.24.2 is now available. If you would like to upgrade, specify: --kubernetes-version=v1.24.2
+✨  Using the kvm2 driver based on existing profile
+👍  Starting control plane node minikube in cluster minikube
+🏃  Updating the running kvm2 "minikube" VM ...
+🐳  Preparing Kubernetes v1.23.3 on Docker 20.10.12 ...
+    ▪ kubelet.housekeeping-interval=5m
+🔎  Verifying Kubernetes components...
+    ▪ Using image registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1
+    ▪ Using image registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1
+    ▪ Using image registry.k8s.io/ingress-nginx/controller:v1.2.1
+    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
+🔎  Verifying ingress addon...
+🌟  Enabled addons: ingress, storage-provisioner, default-storageclass
+🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default
+```
+**Note**: The KVM driver provides a lot of options on customizing the cluster, however that is currently beyond the scope of this guide.
+
+Next we will get the Node IP.
+```
+$ kubectl get no -o wide                                                                                                                   
+NAME       STATUS   ROLES                  AGE   VERSION   INTERNAL-IP     EXTERNAL-IP   OS-IMAGE              KERNEL-VERSION   CONTAINER-RUNTIME
+minikube   Ready    control-plane,master   25d   v1.23.3   192.168.39.57   <none>        Buildroot 2021.02.4   4.19.202         docker://20.10.12
+```
+Minikube creates a Virtual Machine using the KVM2 driver(Other drivers such as Virtualbox do exist see `minikube start --help` for more information ), you should be able to see this with the following output(You may have to use sudo to get this output)
+
+```
+$ virsh --connect qemu:///system list
+ Id   Name       State
+--------------------------
+ 1    minikube   running
+
+ or
+
+ $ sudo virsh list
+ Id   Name       State
+--------------------------
+ 1    minikube   running
+
+```
+
+Moving on, simply create a nginx deployment using `kubectl`.
+```
+# kubectl create deployment nginx --image nginx:alpine --port=80
+deployment.apps/nginx created
+```
+Then we expose this as a NodePort Service.
+```
+# kubectl expose deployment/nginx --type=NodePort
+service/nginx-new exposed
+```
+Command: Now we can see that the service has been exposed.
+```
+# kubectl get svc -o wide                                                                                                                            main 
+NAME             TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)        AGE   SELECTOR
+kubernetes       ClusterIP   10.96.0.1    <none>        443/TCP        25d   <none>
+nginx-minikube   NodePort    10.97.44.4   <none>        80:32007/TCP   45h   app=nginx-minikube
+```
+Output Relevance: From the above output, we can see that our nginx pod is being exposed as the `NodePort` service type, and now we can curl the Node IP `192.168.39.57` with the exposed port `32007`
+
+Command: The pod has an IP as shown below
+```
+# kubectl get po -o wide
+NAME                              READY   STATUS    RESTARTS      AGE   IP           NODE       NOMINATED NODE   READINESS GATES
+nginx-minikube-7546f79bd8-x88bt   1/1     Running   3 (43m ago)   45h   172.17.0.4   minikube   <none>           <none>
+
+```
+
+Command: We can use `curl` on the laptop to view the nginx container that is running on port `32007`.
+```
+curl  192.168.39.57:32007
+<!DOCTYPE html>
+<html>
+<head>
+<title>Welcome to nginx!</title>
+<style>
+html { color-scheme: light dark; }
+body { width: 35em; margin: 0 auto;
+font-family: Tahoma, Verdana, Arial, sans-serif; }
+</style>
+</head>
+<body>
+<h1>Welcome to nginx!</h1>
+<p>If you see this page, the nginx web server is successfully installed and
+working. Further configuration is required.</p>
+
+<p>For online documentation and support please refer to
+<a href="http://nginx.org/">nginx.org</a>.<br/>
+Commercial support is available at
+<a href="http://nginx.com/">nginx.com</a>.</p>
+
+<p><em>Thank you for using nginx.</em></p>
+</body>
+</html>
+```
+
+So, how does this packet travel, lets dive in.
+We can check the ip interfaces as well subnets for our system is connected to:
+```
+$ ifconfig
+virbr2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
+        inet 192.168.39.1  netmask 255.255.255.0  broadcast 192.168.39.255
+        ether 52:54:00:19:29:93  txqueuelen 1000  (Ethernet)
+        RX packets 5132  bytes 1777099 (1.6 MiB)
+        RX errors 0  dropped 0  overruns 0  frame 0
+        TX packets 6113  bytes 998530 (975.1 KiB)
+        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+
+virbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
+        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
+        ether 52:54:00:48:ee:35  txqueuelen 1000  (Ethernet)
+        RX packets 23648  bytes 1265196 (1.2 MiB)
+        RX errors 0  dropped 0  overruns 0  frame 0
+        TX packets 40751  bytes 60265308 (57.4 MiB)
+        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+```
+Output Relevance: From the above output you can see there are two Virtual Bridges created by minikube when we created the cluster on the network. Here, `virbr0` is the default NAT network bridge while `virbr2` is a isolated network bridge on which the pods run.
+
+Minikube creates a Virtual Machine, to enter the virtual machine we can simply do:
+```
+# minikube ssh
+```
+
+The interfaces within the Virtual Machine are as follows.
+```
+docker0   Link encap:Ethernet  HWaddr 02:42:03:24:26:78
+          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:31478 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:36704 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:0
+          RX bytes:3264056 (3.1 MiB)  TX bytes:14061883 (13.4 MiB)
+
+eth0      Link encap:Ethernet  HWaddr 52:54:00:C9:3A:73
+          inet addr:192.168.39.57  Bcast:192.168.39.255  Mask:255.255.255.0
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:8245 errors:0 dropped:9 overruns:0 frame:0
+          TX packets:3876 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:1000
+          RX bytes:812006 (792.9 KiB)  TX bytes:1044724 (1020.2 KiB)
+
+eth1      Link encap:Ethernet  HWaddr 52:54:00:7B:37:79
+          inet addr:192.168.122.35  Bcast:192.168.122.255  Mask:255.255.255.0
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:4459 errors:0 dropped:9 overruns:0 frame:0
+          TX packets:201 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:1000
+          RX bytes:298528 (291.5 KiB)  TX bytes:25813 (25.2 KiB)
+
+lo        Link encap:Local Loopback
+          inet addr:127.0.0.1  Mask:255.0.0.0
+          UP LOOPBACK RUNNING  MTU:65536  Metric:1
+          RX packets:946772 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:946772 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:1000
+          RX bytes:213465460 (203.5 MiB)  TX bytes:213465460 (203.5 MiB)
+
+vetha4f1dc5 Link encap:Ethernet  HWaddr 3E:1C:FE:C9:75:86
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:0
+          RX bytes:1413 (1.3 KiB)  TX bytes:955 (955.0 B)
+
+vethbf35613 Link encap:Ethernet  HWaddr BA:31:7D:AE:2A:BF
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:3526 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:3934 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:0
+          RX bytes:342408 (334.3 KiB)  TX bytes:380193 (371.2 KiB)
+
+vethe092a51 Link encap:Ethernet  HWaddr 8A:37:D3:D9:D9:0E
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:9603 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:11151 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:0
+          RX bytes:1199235 (1.1 MiB)  TX bytes:5449408 (5.1 MiB)
+```
+Output Relevance: Here we have the Virtual Ethernet and we have docker bridges too since docker runs within the Virtual Machine.
+
+When we do a `curl` to `192.168.39.57:32007` on the laptop the packet first goes to the route table
+```
+Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
+0.0.0.0         192.168.31.1    0.0.0.0         UG        0 0          0 ethbr0
+172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
+172.18.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-2fffe5cd5d9e
+172.19.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-be5b544733a3
+192.168.31.0    0.0.0.0         255.255.255.0   U         0 0          0 ethbr0
+192.168.31.0    0.0.0.0         255.255.255.0   U         0 0          0 ethbr0
+192.168.39.0    0.0.0.0         255.255.255.0   U         0 0          0 virbr2
+192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0
+```
+Output Relevance: As you can see multiple routes are defined here, of which our Virtual Machine Node IP(192.168.39.57) is also shown in the table, so the packet now knows where it has to go.
+
+With that clear we now know how the packet goes from the laptop to the virtual bridge and then enters the Virtual Machine.
+
+Inside the virtual machine, [kube-proxy](https://kubernetes.io/docs/concepts/overview/components/#kube-proxy) handles the routing using iptables.
+
+So what exactly is [kube-proxy](https://kubernetes.io/docs/concepts/overview/components/#kube-proxy)(For those who skipped the kind example):
+> Kube-Proxy is a network proxy that runs on each node in your cluster, implementing part of the Kubernetes Service concept.
+kube-proxy maintains network rules on nodes. These network rules allow network communication to your Pods from network sessions inside or outside of your cluster
+
+So, as we can see that kube proxy handles the network rules required to aid the communication to the pods, we will look at the [iptables](https://linux.die.net/man/8/iptables)
+> `iptables` is a command line interface used to set up and maintain tables for the Netfilter firewall for IPv4, included in the Linux kernel. The firewall matches packets with rules defined in these tables and then takes the specified action on a possible match. Tables is the name for a set of chains
+
+Command:
+
+```
+# minikube ssh                                                                                                                                      
+                         _             _
+            _         _ ( )           ( )
+  ___ ___  (_)  ___  (_)| |/')  _   _ | |_      __
+/' _ ` _ `\| |/' _ `\| || , <  ( ) ( )| '_`\  /'__`\
+| ( ) ( ) || || ( ) || || |\`\ | (_) || |_) )(  ___/
+(_) (_) (_)(_)(_) (_)(_)(_) (_)`\___/'(_,__/'`\____)
+
+$ sudo iptables -t nat -L PREROUTING -n
+Chain PREROUTING (policy ACCEPT)
+target     prot opt source               destination
+KUBE-SERVICES  all  --  0.0.0.0/0            0.0.0.0/0            /* kubernetes service portals */
+DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
+
+$ iptables-save | grep PREROUTING
+-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
+
+```
+
+Output Relevance:
+> -A: append new iptable rule
+> -j: jump to the target
+> KUBE-SERVICES: target
+
+> The above output appends a new rule for PREROUTING which every network packet will go through first as they try to access any kubernetes service
+
+
+What is `PREROUTING` in iptables?
+>PREROUTING: This chain is used to make any routing related decisions before (PRE) sending any packets
+
+To dig in further we need to go to the target, `KUBE-SERVICES` for our nginx service.
+```
+# iptables -t nat -L KUBE-SERVICES -n| grep nginx
+KUBE-SVC-NRDCJV6H42SDXARP  tcp  --  0.0.0.0/0            10.97.44.4           /* default/nginx-minikube cluster IP */ tcp dpt:80
+```
+Command:
+```
+$ sudo iptables -t nat -L| grep KUBE-SVC-NRDCJV6H42SDXARP
+KUBE-SVC-NRDCJV6H42SDXARP  tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/nginx-minikube */ tcp dpt:32007
+KUBE-SVC-NRDCJV6H42SDXARP  tcp  --  0.0.0.0/0            10.97.44.4           /* default/nginx-minikube cluster IP */ tcp dpt:80
+
+$ sudo iptables -t nat -L KUBE-MARK-MASQ -n
+Chain KUBE-MARK-MASQ (19 references)
+target     prot opt source               destination
+MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK or 0x4000
+
+sudo iptables-save | grep 172.17.0.4
+-A KUBE-SEP-AHQQ7ZFXMEBNX76B -s 172.17.0.4/32 -m comment --comment "default/nginx-minikube" -j KUBE-MARK-MASQ
+-A KUBE-SEP-AHQQ7ZFXMEBNX76B -p tcp -m comment --comment "default/nginx-minikube" -m tcp -j DNAT --to-destination 172.17.0.4:80
+```
+As you can see the rules added by kube-proxy helps the packet reach to the destination service.
+
+
+### Connection termination
+Connection termination is a type of event that occurs when there are load balancers present, the information for this is quite scarce, however I've found the following article, [IBM - Network Termination](https://www.ibm.com/docs/en/sva/9.0.4?topic=balancer-network-termination) that describes what it means by connection termination between clients(laptop) and server(load balancer) and the various other services.
+
+### Different types of connection errors.
+The following article on [TCP/IP errors](https://www.ibm.com/docs/en/db2/11.1?topic=message-tcpip-errors) has a list of the important tcp timeout errors that we need to know.
+
+
+| Common TCP/IP errors | Meaning |
+| -------- | -------- |
+| Resource temporarily unavailable.| Self-explanatory.     |
+| No space is left on a device or system table.|The disk partition is full|
+|No route to the host is available.|The routing table doesn't know where to route the packet.|
+|Connection was reset by the partner.|This usually means the packet was dropped as soon as it reached the server can be due to a firewall.|
+|The connection was timed out.|This indicates the firewall blocking your connection or the connection took too long.|
+
+## OSI Model Layer 7 (Application Layer)
+
+[What is layer 7?](https://www.cloudflare.com/learning/ddos/what-is-layer-7/)
+#### Summary
+Layer 7 refers to the seventh and topmost layer of the Open Systems Interconnect (OSI) Model known as the application layer. This is the highest layer which supports end-user processes and applications. Layer 7 identifies the communicating parties and the quality of service between them, considers privacy and user authentication, as well as identifies any constraints on the data syntax. This layer is wholly application-specific.
+
+
+## Setting up Ingress-Nginx Controller
+
+Since we are doing this on our local laptop, we are going to use the following tools:
+- [Minikube using KVM driver](https://minikube.sigs.k8s.io/docs/start/) - The host is linux-based in our example
+- [Metallb](https://metallb.universe.tf/) - Baremetal load-balancer.
+- [KVM](https://www.linux-kvm.org/page/Main_Page) / [Oracle VirtualBox](https://www.virtualbox.org/wiki/Downloads) / [VMWare](https://www.vmware.com/in/products/workstation-pro.html)
+
+
+### So let's begin with Metallb and Ingress-Nginx setup.
+
+For setting up metallb, we are going to follow the below steps:
+
+ - To begin the installation, we will execute:
+```
+minikube start
+```
+- To install Metallb, one can install it using the [manifest](https://metallb.universe.tf/installation/#installation-by-manifest) or by using [helm](https://metallb.universe.tf/installation/#installation-with-helm), for now we will use the Manifest method:
+```
+kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.4/config/manifests/metallb-native.yaml
+```
+
+- We need to now configure Metallb, we are using [Layer 2 configuration](https://metallb.universe.tf/configuration/#announce-the-service-ips), let's head over to the [Metallb Configuration](https://metallb.universe.tf/configuration/) website, here you will see how to setup metallb.
+>Layer 2 mode does not require the IPs to be bound to the network interfaces of your worker nodes. It works by responding to ARP requests on your local network directly, to give the machine’s MAC address to clients.
+In order to advertise the IP coming from an IPAddressPool, an L2Advertisement instance must be associated to the IPAddressPool.
+-  We have modified the IP address pool so that our loadbalancer knows which subnet to choose an IP from.Since we have only one minikube IP we need to modify the code given in the documentation.
+Save this as `metallb-config.yaml`:
+```
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: first-pool
+  namespace: metallb-system
+spec:
+  addresses:
+  # The configuration website show's you this
+
+  #- 192.168.10.0/24
+  #- 192.168.9.1-192.168.9.5
+  #- fc00:f853:0ccd:e799::/124
+
+  # We are going to change this to `minikube ip` as such
+  - 192.168.39.57/32
+```
+Now deploy it using `kubectl`
+```
+kubectl apply -f metallb-config.yaml
+```
+- Now that metallb is setup, let's install [ingress-nginx](https://kubernetes.github.io/ingress-nginx/deploy/#quick-start) on the laptop.
+Note: We are using the install by manifest option from the Installation manual
+```
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.0/deploy/static/provider/cloud/deploy.yaml
+```
+or one can also install it using the minikube addons:
+```
+minikube addons enable ingress
+```
+ - Once your Ingress-Nginx controller is created you can run the following commands to see the output of the setup done.
+```
+kubectl get pods -n ingress-nginx
+NAME                                        READY   STATUS      RESTARTS   AGE
+ingress-nginx-admission-create-65bld        0/1     Completed   0          14m
+ingress-nginx-admission-patch-rwq4x         0/1     Completed   0          14m
+ingress-nginx-controller-6dc865cd86-7c5zd   1/1     Running     0          14m
+```
+The Ingress controller creates a Service with the type LoadBalancer and metallb provides the IP address.
+
+```
+kubectl -n ingress-nginx get svc
+
+NAME                                 TYPE           CLUSTER-IP      EXTERNAL-IP      PORT(S)                      AGE
+ingress-nginx-controller             LoadBalancer   10.108.154.53   192.168.39.223   80:30367/TCP,443:31491/TCP   4d15h
+ingress-nginx-controller-admission   ClusterIP      10.98.54.3      <none>           443/TCP                      4d15h
+```
+
+#### Creating an Ingress
+
+We will deploy a `httpd` service in a `httpd` namespace and create a ingress for it.
+
+First, let's create a namespace.
+```
+kubectl create namespace httpd
+```
+
+Next we will create a deployment
+```
+kubectl create deployment httpd -n httpd --image=httpd:alpine
+```
+
+Now, In order to create a service, let's expose this deployment
+```
+kubectl expose deployment -n httpd httpd --port 80
+```
+Let's check the `pod` that is created
+
+```
+kubectl get po -n httpd
+NAME                    READY   STATUS    RESTARTS   AGE
+httpd-fb7fcdc77-w287c   1/1     Running   0          64s
+```
+
+Let's list the services in the `httpd` namespace
+```
+kubectl get svc -n httpd
+NAME    TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
+httpd   ClusterIP   10.104.111.0   <none>        80/TCP    13s
+```
+
+Once we have this we can now create an ingress using the following
+```
+kubectl -n httpd create ingress httpd --class nginx --rule httpd.dev.leonnunes.com/"*"=httpd:80
+```
+The above output, creates an ingress, for us with the rule to match the service if the host is `httpd.dev.leonnunes.com`. The class here is retrieved from the below command.
+
+To list the `ingressclasses` use
+```
+kubectl get ingressclasses
+NAME    CONTROLLER             PARAMETERS   AGE
+nginx   k8s.io/ingress-nginx   <none>       6h49m
+```
+
+The following command shows the ingress created
+```
+$ kubectl get ingress -A -o wide
+
+NAMESPACE   NAME    CLASS   HOSTS                     ADDRESS          PORTS   AGE
+httpd       httpd   nginx   httpd.dev.leonnunes.com   192.168.39.223   80      11d
+```
+
+To test if the rule works we can now do
+```
+$ minikube ip
+192.168.39.223
+
+$ curl --resolve httpd.dev.leonnunes.com:80:192.168.39.223 httpd.dev.leonnunes.com
+<html><body><h1>It works!</h1></body></html>
+
+or
+
+curl -H "Host: httpd.dev.leonnunes.com" 192.168.39.223
+```
+
+#### Example of Information found on layer 7
+We have setup `Ingress-Nginx`, using `nginx` as a class and `httpd` for this example.
+
+In order to display the info on Layer - 7, we have extracted the Layer 7 information from a simple `curl` request, and then using `tcpdump` command within the `httpd` pod we extracted the network packets and opened it using the `Wireshark` utility.
+
+Below given is the output that is important:
+```bash
+Frame 4: 391 bytes on wire (3128 bits), 391 bytes captured (3128 bits)
+Linux cooked capture v2
+Internet Protocol Version 4, Src: 172.17.0.4, Dst: 172.17.0.3
+Transmission Control Protocol, Src Port: 49074, Dst Port: 80, Seq: 1, Ack: 1, Len: 319
+Hypertext Transfer Protocol
+    GET / HTTP/1.1\r\n
+    Host: httpd.dev.leonnunes.com\r\n
+    X-Request-ID: 6e1a790412a0d1615dc0231358dc9c8b\r\n
+    X-Real-IP: 172.17.0.1\r\n
+    X-Forwarded-For: 172.17.0.1\r\n
+    X-Forwarded-Host: httpd.dev.leonnunes.com\r\n
+    X-Forwarded-Port: 80\r\n
+    X-Forwarded-Proto: http\r\n
+    X-Forwarded-Scheme: http\r\n
+    X-Scheme: http\r\n
+    User-Agent: curl/7.84.0\r\n
+    Accept: */*\r\n
+    \r\n
+    [Full request URI: http://httpd.dev.leonnunes.com/]
+    [HTTP request 1/1]
+    [Response in frame: 6]
+
+```
+The above output shows the information that the `httpd` pod receives. The `curl` command sends the host header, `Host: httpd.dev.leonnunes.com`, to the nginx controller, that then matches the rule and sends the information to the right controller
+
+The following output shows what is sent via the laptop.
+```
+curl --resolve httpd.dev.leonnunes.com:80:192.168.39.57 -H "Host: httpd.dev.leonnunes.com" 192.168.39.57 -vL
+* Added httpd.dev.leonnunes.com:80:192.168.39.57 to DNS cache
+*   Trying 192.168.39.57:80...
+* Connected to 192.168.39.57 (192.168.39.57) port 80 (#0)
+> GET / HTTP/1.1
+> Host: httpd.dev.leonnunes.com
+> User-Agent: curl/7.84.0
+> Accept: */*
+>
+* Mark bundle as not supporting multiuse
+< HTTP/1.1 200 OK
+< Date: Mon, 22 Aug 2022 16:05:27 GMT
+< Content-Type: text/html
+< Content-Length: 45
+< Connection: keep-alive
+< Last-Modified: Mon, 11 Jun 2007 18:53:14 GMT
+< ETag: "2d-432a5e4a73a80"
+< Accept-Ranges: bytes
+<
+<html><body><h1>It works!</h1></body></html>
+* Connection #0 to host 192.168.39.57 left intact
+```
+As you can see from the above output there are several headers added to the curl output after it reaches the `httpd` pod, these headers are added by the Ingress Nginx Controller.
+
+
+### References
+#### Basics of Networking
+   - https://www.cisco.com/en/US/docs/security/vpn5000/manager/reference/guide/appA.html
+   - http://web.stanford.edu/class/cs101/
+   - https://www.geeksforgeeks.org/basics-computer-networking/
+   - Subnetting
+     - https://www.computernetworkingnotes.com/ccna-study-guide/subnetting-tutorial-subnetting-explained-with-examples.html
+
+#### Video Links
+   - https://www.youtube.com/playlist?list=PLhfrWIlLOoKPc2RecyiM_A9nf3fUU3e6g
+   - https://www.youtube.com/watch?v=S7MNX_UD7vY&list=PLIhvC56v63IJVXv0GJcl9vO5Z6znCVb1P
+
+### Topics to read about
+   - Docker in Docker
+   - [Docker/Containers](https://www.oreilly.com/library/view/docker-deep-dive/9781800565135/)
+   - Containers
+
+### Basics of Kubernetes
+#### Reading Material
+- https://nubenetes.com/kubernetes-tutorials/
+- https://kubernetes.io/docs/concepts/
+#### Video Material
+- [Techworld with Nana 101](https://www.youtube.com/playlist?list=PLy7NrYWoggjziYQIDorlXjTvvwweTYoNC)
+- [Jeff Geerling Kubernetes 101](https://www.youtube.com/watch?v=IcslsH7OoYo&list=PL2_OBreMn7FoYmfx27iSwocotjiikS5BD)
+
+#### Hands-On Kubernetes
+- https://kube.academy/
+- https://www.civo.com/academy
+
+### Networking in Kubernetes
+- [Kubernetes Networking 101](https://youtu.be/CYnwBIpvSlM?t=284)
+- [CNCF Kubernetes 101](https://www.youtube.com/watch?v=cUGXu2tiZMc)
+
+### Tools/Commands to help with troubleshooting.
+- [mtr](https://www.redhat.com/sysadmin/linux-mtr-command) - Tracing the packet from the source to destination
+- [tcpdump](https://linuxconfig.org/how-to-use-tcpdump-command-on-linux) - Monitor packets
+- [wireshark](https://www.lifewire.com/wireshark-tutorial-4143298) - Read/Sniff packets
+- [nslookup](https://phoenixnap.com/kb/nslookup-command) - Lookup Nameservers
+- [netstat](https://www.lifewire.com/netstat-command-2618098) - List network details
+- [curl](https://linuxhandbook.com/curl-command-examples/) - Curl a website from the command line
+- [ifconfig](https://www.tecmint.com/ifconfig-command-examples/)/[ip](https://www.geeksforgeeks.org/ip-command-in-linux-with-examples/) - Show ip address configuration
+- [dig](https://www.geeksforgeeks.org/dig-command-in-linux-with-examples/) - Query Nameservers
+- [ipcalc](https://www.linux.com/topic/networking/how-calculate-network-addresses-ipcalc/) - Calculate IP addresses
+- Advanced Tools for troubleshooting
+    - [Netshoot](https://github.com/nicolaka/netshoot) - Troubleshoot Networks
+- Cluster Creation tools
+    - [kind](https://kind.sigs.k8s.io/docs/user/quick-start/)
+    - [minikube](https://minikube.sigs.k8s.io/docs/start/)
+- MacOS users
+	- [docker-mac-net-connect](https://github.com/chipmk/docker-mac-net-connect) - See this [issue](https://github.com/kubernetes/minikube/issues/7332)
--- a/NEW_RELEASE_PROCESS.md
+++ b/NEW_RELEASE_PROCESS.md
@ -0,0 +1,9 @@
+# Semi-Automated Release Process 
+
+1. Update TAG
+2. Cloud Build 
+3. k8s.io PR 
+4. git pull origin main 
+5. git checkout -b $RELEASE_VERSION 
+6. mage release:newrelease $RELEASE_VERSION 
+7. Wait for PR
--- a/1
+++ b/1
@ -0,0 +1 @@
+registry.k8s.io/ingress-nginx/nginx:v2.0.0@sha256:3e7bda4cf5111d283ed1e4ff5cc9a2b5cdc5ebe62d50ba67473d3e25b1389133
--- a/16
+++ b/16
@ -1,11 +1,13 @@
-# See the OWNERS docs: https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md
+# See the OWNERS docs: https://www.kubernetes.dev/docs/guide/owners

 approvers:
-  - ingress-nginx-admins
-  - ingress-nginx-maintainers
-  - ElvinEfendi
+- ingress-nginx-maintainers

 reviewers:
-  - aledbf
-  - ElvinEfendi
-  - cmluciano
+- ingress-nginx-reviewers
+
+emeritus_approvers:
+- aledbf # 2020-04-02
+- bowei # 2022-10-12
+- ElvinEfendi # 2023-04-23
+- rikatz # 2024-12-15
--- a/23
+++ b/23
@ -1,12 +1,17 @@
-# See the OWNERS docs: https://git.k8s.io/community/docs/devel/owners.md
+# See the OWNERS docs: https://www.kubernetes.dev/docs/guide/owners

 aliases:
-  sig-network-leads:
-    - caseydavenport
-    - dcbw
-    - thockin
-  ingress-nginx-admins:
-    - bowei
-    - aledbf
  ingress-nginx-maintainers:
-    - aledbf
+  - cpanato
+  - Gacko
+  - strongjz
+  - tao12345666333
+
+  ingress-nginx-reviewers:
+  - cpanato
+  - Gacko
+  - strongjz
+  - tao12345666333
+
+  ingress-nginx-docs-maintainers:
+  - longwuyuan
--- a/README.md
+++ b/README.md
@ -1,57 +1,94 @@
-## Help us to improve the NGINX Ingress controller [completing the survey](https://docs.google.com/forms/d/15ULTOvYDsV920V0GWrspew4yyjEmTAi740Wr34UgKwA/viewform)
+# Ingress NGINX Controller

---
-
-# NGINX Ingress Controller
-
-[![Coverage Status](https://codecov.io/gh/kubernetes/ingress-nginx/branch/master/graph/badge.svg)](https://codecov.io/gh/kubernetes/ingress-nginx)
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5691/badge)](https://bestpractices.coreinfrastructure.org/projects/5691)
 [![Go Report Card](https://goreportcard.com/badge/github.com/kubernetes/ingress-nginx)](https://goreportcard.com/report/github.com/kubernetes/ingress-nginx)
-[![GitHub license](https://img.shields.io/github/license/kubernetes/ingress-nginx.svg)](https://github.com/kubernetes/ingress-nginx/blob/master/LICENSE)
+[![GitHub license](https://img.shields.io/github/license/kubernetes/ingress-nginx.svg)](https://github.com/kubernetes/ingress-nginx/blob/main/LICENSE)
 [![GitHub stars](https://img.shields.io/github/stars/kubernetes/ingress-nginx.svg)](https://github.com/kubernetes/ingress-nginx/stargazers)
-[![GitHub stars](https://img.shields.io/badge/contributions-welcome-orange.svg)](https://github.com/kubernetes/ingress-nginx/blob/master/CONTRIBUTING.md)
-[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fkubernetes%2Fingress-nginx.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Fkubernetes%2Fingress-nginx?ref=badge_shield)
+[![GitHub stars](https://img.shields.io/badge/contributions-welcome-orange.svg)](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md)

 ## Overview

-ingress-nginx is an Ingress controller for Kubernetes using [NGINX](https://www.nginx.org/) as a reverse proxy and load balancer.
+ingress-nginx is an Ingress controller for Kubernetes using [NGINX](https://www.nginx.org/) as a reverse proxy and load
+balancer.

-Learn more about Ingress on the main [Kubernetes](https://kubernetes.io/docs/concepts/services-networking/ingress/) documentation site.
+[Learn more about Ingress on the Kubernetes documentation site](https://kubernetes.io/docs/concepts/services-networking/ingress/).

 ## Get started

 See the [Getting Started](https://kubernetes.github.io/ingress-nginx/deploy/) document.

+Do not use in multi-tenant Kubernetes production installations. This project assumes that users that can create Ingress objects are administrators of the cluster. See the [FAQ](https://kubernetes.github.io/ingress-nginx/faq/#faq) for more.
+
 ## Troubleshooting

-If you encounter issues, review the [troubleshooting docs](docs/troubleshooting.md), [file an issue](https://github.com/kubernetes/ingress-nginx/issues), or talk to us on the [#ingress-nginx channel](https://kubernetes.slack.com/messages/ingress-nginx) on the Kubernetes Slack server.
-
-## Contributing
-
-Thanks for taking the time to join our community and start contributing!
-
- This project adheres to the [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md). By participating in this project, you agree to abide by its terms.
- See [CONTRIBUTING.md](CONTRIBUTING.md) for information about setting up your environment, the workflow that we expect, and instructions on the developer certificate of origin that we require.
- Check out the [open issues](https://github.com/kubernetes/ingress-nginx).
- Join our Kubernetes Slack channel: [#ingress-nginx](https://kubernetes.slack.com/messages/CANQGM8BA/)
+If you encounter issues, review the [troubleshooting docs](docs/troubleshooting.md),
+[file an issue](https://github.com/kubernetes/ingress-nginx/issues), or talk to us on the
+[#ingress-nginx channel](https://kubernetes.slack.com/messages/ingress-nginx) on the Kubernetes Slack server.

 ## Changelog

-See [the list of releases](https://github.com/kubernetes/ingress-nginx/releases) to find out about feature changes
-For detailed changes for each release; please check the [Changelog.md](Changelog.md)
+See [the list of releases](https://github.com/kubernetes/ingress-nginx/releases) for all changes.
+For detailed changes for each release, please check the [changelog-$version.md](./changelog) file for the release version.
+For detailed changes on the `ingress-nginx` helm chart, please check the changelog folder for a specific version.
+[CHANGELOG-$current-version.md](./charts/ingress-nginx/changelog) file.

-# Get Involved
+### Supported Versions table

- **Contributing**: Pull requests are welcome!
-  - Read [`CONTRIBUTING.md`](CONTRIBUTING.md) and check out [help-wanted](https://github.com/kubernetes/ingress-nginx/labels/help%20wanted) issues
-  - Submit github issues for any feature enhancements, bugs or documentation problems
- **Support**: Join to [Kubernetes Slack](http://slack.kubernetes.io/) in the [#ingress-nginx](https://kubernetes.slack.com/messages/CANQGM8BA/) channel to ask questions to get support from the maintainers and other users
-  - The [github issues](https://github.com/kubernetes/ingress-nginx/issues) in the repository are **exclusively** for bug reports and feature requests.
- **Discuss**: Tweet using the `#IngressNginx` hashtag
+Supported versions for the ingress-nginx project mean that we have completed E2E tests, and they are passing for
+the versions listed. Ingress-Nginx versions **may** work on older versions, but the project does not make that guarantee.

-## Issues
+| Supported | Ingress-NGINX version | k8s supported version         | Alpine Version | Nginx Version | Helm Chart Version |
+| :-------: | --------------------- | ----------------------------- | -------------- | ------------- | ------------------ |
+|    🔄     | **v1.12.0**           | 1.32, 1.31, 1.30, 1.29, 1.28  | 3.21.0         | 1.25.5        | 4.12.0             |
+|    🔄     | **v1.12.0-beta.0**    | 1.32, 1.31, 1.30, 1.29, 1.28  | 3.20.3         | 1.25.5        | 4.12.0-beta.0      |
+|    🔄     | **v1.11.4**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.21.0         | 1.25.5        | 4.11.4             |
+|    🔄     | **v1.11.3**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.3         | 1.25.5        | 4.11.3             |
+|    🔄     | **v1.11.2**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.11.2             |
+|    🔄     | **v1.11.1**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.11.1             |
+|    🔄     | **v1.11.0**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.11.0             |
+|           | **v1.10.6**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.21.0         | 1.25.5        | 4.10.6             |
+|           | **v1.10.5**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.3         | 1.25.5        | 4.10.5             |
+|           | **v1.10.4**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.10.4             |
+|           | **v1.10.3**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.10.3             |
+|           | **v1.10.2**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.10.2             |
+|           | **v1.10.1**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.19.1         | 1.25.3        | 4.10.1             |
+|           | **v1.10.0**           | 1.29, 1.28, 1.27, 1.26        | 3.19.1         | 1.25.3        | 4.10.0             |
+|           | v1.9.6                | 1.29, 1.28, 1.27, 1.26, 1.25  | 3.19.0         | 1.21.6        | 4.9.1              |
+|           | v1.9.5                | 1.28, 1.27, 1.26, 1.25        | 3.18.4         | 1.21.6        | 4.9.0              |
+|           | v1.9.4                | 1.28, 1.27, 1.26, 1.25        | 3.18.4         | 1.21.6        | 4.8.3              |
+|           | v1.9.3                | 1.28, 1.27, 1.26, 1.25        | 3.18.4         | 1.21.6        | 4.8.*              |
+|           | v1.9.1                | 1.28, 1.27, 1.26, 1.25        | 3.18.4         | 1.21.6        | 4.8.*              |
+|           | v1.9.0                | 1.28, 1.27, 1.26, 1.25        | 3.18.2         | 1.21.6        | 4.8.*              |
+|           | v1.8.4                | 1.27, 1.26, 1.25, 1.24        | 3.18.2         | 1.21.6        | 4.7.*              |
+|           | v1.7.1                | 1.27, 1.26, 1.25, 1.24        | 3.17.2         | 1.21.6        | 4.6.*              |
+|           | v1.6.4                | 1.26, 1.25, 1.24, 1.23        | 3.17.0         | 1.21.6        | 4.5.*              |
+|           | v1.5.1                | 1.25, 1.24, 1.23              | 3.16.2         | 1.21.6        | 4.4.*              |
+|           | v1.4.0                | 1.25, 1.24, 1.23, 1.22        | 3.16.2         | 1.19.10†      | 4.3.0              |
+|           | v1.3.1                | 1.24, 1.23, 1.22, 1.21, 1.20  | 3.16.2         | 1.19.10†      | 4.2.5              |

-Please make sure to read the [Issue Reporting Checklist](https://github.com/kubernetes/ingress-nginx/blob/master/CONTRIBUTING.md#issue-reporting-guidelines) before opening an issue. Issues not conforming to the guidelines **may be closed immediately**.
+See [this article](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) if you want upgrade to the stable
+Ingress API.
+
+## Get Involved
+
+Thanks for taking the time to join our community and start contributing!
+
+- This project adheres to the [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md).
+  By participating in this project, you agree to abide by its terms.
+- **Contributing**: Contributions of all kinds are welcome!
+
+  - Read [`CONTRIBUTING.md`](CONTRIBUTING.md) for information about setting up your environment, the workflow that we
+    expect, and instructions on the developer certificate of origin that we require.
+  - Join our Kubernetes Slack channel for developer discussion : [#ingress-nginx-dev](https://kubernetes.slack.com/archives/C021E147ZA4).
+  - Submit GitHub issues for any feature enhancements, bugs, or documentation problems.
+    - Please make sure to read the [Issue Reporting Checklist](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md#issue-reporting-guidelines) before opening an issue. Issues not conforming to the guidelines **may be closed immediately**.
+  - Join our [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernetes.io/g/ingress-nginx-dev/c/ebbBMo-zX-w)
+- **Support**:
+
+  - Join the [#ingress-nginx-users](https://kubernetes.slack.com/messages/CANQGM8BA/) channel inside the [Kubernetes Slack](http://slack.kubernetes.io/) to ask questions or get support from the maintainers and other users.
+  - The [GitHub issues](https://github.com/kubernetes/ingress-nginx/issues) in the repository are **exclusively** for bug reports and feature requests.
+  - **Discuss**: Tweet using the `#IngressNginx` hashtag or sharing with us [@IngressNginx](https://twitter.com/IngressNGINX).

 ## License

-[Apache License 2.0](https://github.com/kubernetes/ingress-nginx/blob/master/LICENSE)
+[Apache License 2.0](https://github.com/kubernetes/ingress-nginx/blob/main/LICENSE)
--- a/4
+++ b/4
@ -9,5 +9,5 @@
 #
 # DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
 # INSTRUCTIONS AT https://kubernetes.io/security/
-
-aledbf
+Gacko
+strongjz
--- a/1
+++ b/1
@ -1 +0,0 @@
-v0.35.0
--- a/build/build-plugin.sh
+++ b/build/build-plugin.sh
@ -1,79 +0,0 @@
-#!/bin/bash
-
-# Copyright 2018 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-if [ -n "$DEBUG" ]; then
-	set -x
-fi
-
-set -o errexit
-set -o nounset
-set -o pipefail
-
-declare -a mandatory
-mandatory=(
-  PKG
-  ARCH
-  COMMIT_SHA
-  REPO_INFO
-  TAG
-)
-
-missing=false
-for var in "${mandatory[@]}"; do
-  if [[ -z "${!var:-}" ]]; then
-    echo "Environment variable $var must be set"
-    missing=true
-  fi
-done
-
-if [ "$missing" = true ]; then
-  exit 1
-fi
-
-export CGO_ENABLED=0
-
-release=cmd/plugin/release
-
-function build_for_arch(){
-  os=$1
-  arch=$2
-  extension=$3
-
-  env GOOS="${os}" GOARCH="${arch}" go build \
-    "${GOBUILD_FLAGS}" \
-    -trimpath -ldflags="-buildid= -w -s" \
-      -X ${PKG}/version.RELEASE=${TAG} \
-      -X ${PKG}/version.COMMIT=${COMMIT_SHA} \
-      -X ${PKG}/version.REPO=${REPO_INFO}" \
-    -o "${release}/kubectl-ingress_nginx${extension}" "${PKG}/cmd/plugin"
-
-    cp LICENSE ${release}
-    tar -C "${release}" -zcvf "${release}/kubectl-ingress_nginx-${os}-${arch}.tar.gz" "kubectl-ingress_nginx${extension}" LICENSE
-    rm "${release}/kubectl-ingress_nginx${extension}"
-    hash=$(sha256sum "${release}/kubectl-ingress_nginx-${os}-${arch}.tar.gz" | awk '{ print $1 }')
-    sed -i "s/%%%shasum_${os}_${arch}%%%/${hash}/g" "${release}/ingress-nginx.yaml"
-}
-
-rm -rf "${release}"
-mkdir "${release}"
-
-cp cmd/plugin/ingress-nginx.yaml.tmpl "${release}/ingress-nginx.yaml"
-
-sed -i "s/%%%tag%%%/${TAG}/g" ${release}/ingress-nginx.yaml
-
-build_for_arch darwin amd64 ''
-build_for_arch linux amd64 ''
-build_for_arch windows amd64 '.exe'
--- a/build/build.sh
+++ b/build/build.sh
@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh

 # Copyright 2018 The Kubernetes Authors.
 #
@ -14,55 +14,56 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-if [ -n "$DEBUG" ]; then
-	set -x
-fi
+GO_BUILD_CMD="go build"
+
+#if [ -n "$DEBUG" ]; then
+#	set -x
+#	GO_BUILD_CMD="go build -v"
+#fi

 set -o errexit
 set -o nounset
 set -o pipefail

-declare -a mandatory
-mandatory=(
-  PKG
-  ARCH
-  COMMIT_SHA
-  REPO_INFO
-  TAG
-)

-missing=false
-for var in "${mandatory[@]}"; do
-  if [[ -z "${!var:-}" ]]; then
-    echo "Environment variable $var must be set"
-    missing=true
-  fi
-done
-
-if [ "$missing" = true ]; then
-  exit 1
+if [ -z "$PKG" ] || [ -z "$ARCH" ] || [ -z "$COMMIT_SHA" ] || [ -z "$REPO_INFO" ] || [ -z "$TAG" ]; then
+  echo "Environments PKG, ARCH, COMMIT_SHA, REPO_INFO and TAG are required"
+  exit 1 
 fi

+
 export CGO_ENABLED=0
-export GOARCH=${ARCH}
+export GOARCH="${ARCH}"

-go build \
-  -trimpath -ldflags="-buildid= -w -s \
-    -X ${PKG}/version.RELEASE=${TAG} \
-    -X ${PKG}/version.COMMIT=${COMMIT_SHA} \
-    -X ${PKG}/version.REPO=${REPO_INFO}" \
-  -o "rootfs/bin/${ARCH}/nginx-ingress-controller" "${PKG}/cmd/nginx"
+TARGETS_DIR="rootfs/bin/${ARCH}"
+echo "Building targets for ${ARCH}, generated targets in ${TARGETS_DIR} directory."

-go build \
-  -trimpath -ldflags="-buildid= -w -s \
-    -X ${PKG}/version.RELEASE=${TAG} \
-    -X ${PKG}/version.COMMIT=${COMMIT_SHA} \
-    -X ${PKG}/version.REPO=${REPO_INFO}" \
-  -o "rootfs/bin/${ARCH}/dbg" "${PKG}/cmd/dbg"
+echo "Building ${PKG}/cmd/nginx"

-go build \
+${GO_BUILD_CMD} \
  -trimpath -ldflags="-buildid= -w -s \
-    -X ${PKG}/version.RELEASE=${TAG} \
-    -X ${PKG}/version.COMMIT=${COMMIT_SHA} \
-    -X ${PKG}/version.REPO=${REPO_INFO}" \
-  -o "rootfs/bin/${ARCH}/wait-shutdown" "${PKG}/cmd/waitshutdown"
+  -X ${PKG}/version.RELEASE=${TAG} \
+  -X ${PKG}/version.COMMIT=${COMMIT_SHA} \
+  -X ${PKG}/version.REPO=${REPO_INFO}" \
+  -buildvcs=false \
+  -o "${TARGETS_DIR}/nginx-ingress-controller" "${PKG}/cmd/nginx"
+
+echo "Building ${PKG}/cmd/dbg"
+
+${GO_BUILD_CMD} \
+  -trimpath -ldflags="-buildid= -w -s \
+  -X ${PKG}/version.RELEASE=${TAG} \
+  -X ${PKG}/version.COMMIT=${COMMIT_SHA} \
+  -X ${PKG}/version.REPO=${REPO_INFO}" \
+  -buildvcs=false \
+  -o "${TARGETS_DIR}/dbg" "${PKG}/cmd/dbg"
+
+echo "Building ${PKG}/cmd/waitshutdown"
+
+${GO_BUILD_CMD} \
+  -trimpath -ldflags="-buildid= -w -s \
+  -X ${PKG}/version.RELEASE=${TAG} \
+  -X ${PKG}/version.COMMIT=${COMMIT_SHA} \
+  -X ${PKG}/version.REPO=${REPO_INFO}" \
+  -buildvcs=false \
+  -o "${TARGETS_DIR}/wait-shutdown" "${PKG}/cmd/waitshutdown"
--- a/build/dev-env.sh
+++ b/build/dev-env.sh
@ -36,7 +36,7 @@ if ! command -v kind &> /dev/null; then
 fi

 if ! command -v kubectl &> /dev/null; then
-  echo "Please install kubectl 1.15 or higher"
+  echo "Please install kubectl 1.24.0 or higher"
  exit 1
 fi

@ -45,15 +45,18 @@ if ! command -v helm &> /dev/null; then
  exit 1
 fi

-HELM_VERSION=$(helm version 2>&1 | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+') || true
-if [[ ${HELM_VERSION} < "v3.0.0" ]]; then
-  echo "Please upgrade helm to v3.0.0 or higher"
+function ver { printf "%d%03d%03d" $(echo "$1" | tr '.' ' '); }
+
+HELM_VERSION=$(helm version 2>&1 | cut -f1 -d"," | grep -oE '[0-9]+\.[0-9]+\.[0-9]+') || true
+echo $HELM_VERSION
+if [[ $(ver $HELM_VERSION) -lt $(ver "3.10.0") ]]; then
+  echo "Please upgrade helm to v3.10.0 or higher"
  exit 1
 fi

-KUBE_CLIENT_VERSION=$(kubectl version --client --short | awk '{print $3}' | cut -d. -f2) || true
-if [[ ${KUBE_CLIENT_VERSION} -lt 14 ]]; then
-  echo "Please update kubectl to 1.15 or higher"
+KUBE_CLIENT_VERSION=$(kubectl version --client -oyaml 2>/dev/null | grep "minor:" | awk '{print $2}' | tr -d '"') || true
+if [[ ${KUBE_CLIENT_VERSION} -lt 24 ]]; then
+  echo "Please update kubectl to 1.24.2 or higher"
  exit 1
 fi

@ -61,32 +64,13 @@ echo "[dev-env] building image"
 make build image
 docker tag "${REGISTRY}/controller:${TAG}" "${DEV_IMAGE}"

-export K8S_VERSION=${K8S_VERSION:-v1.18.4@sha256:d8ff5fc405fc679dd3dd0cccc01543ba4942ed90823817d2e9e2c474a5343c4f}
+export K8S_VERSION=${K8S_VERSION:-v1.32.0@sha256:c48c62eac5da28cdadcf560d1d8616cfa6783b58f0d94cf63ad1bf49600cb027}

 KIND_CLUSTER_NAME="ingress-nginx-dev"

 if ! kind get clusters -q | grep -q ${KIND_CLUSTER_NAME}; then
-echo "[dev-env] creating Kubernetes cluster with kind"
-cat <<EOF | kind create cluster --name ${KIND_CLUSTER_NAME} --image "kindest/node:${K8S_VERSION}" --config=-
-kind: Cluster
-apiVersion: kind.x-k8s.io/v1alpha4
-nodes:
- role: control-plane
-  kubeadmConfigPatches:
-  - |
-    kind: InitConfiguration
-    nodeRegistration:
-      kubeletExtraArgs:
-        node-labels: "ingress-ready=true"
-        authorization-mode: "AlwaysAllow"
-  extraPortMappings:
-  - containerPort: 80
-    hostPort: 80
-    protocol: TCP
-  - containerPort: 443
-    hostPort: 443
-    protocol: TCP
-EOF
+  echo "[dev-env] creating Kubernetes cluster with kind"
+  kind create cluster --name ${KIND_CLUSTER_NAME} --image "kindest/node:${K8S_VERSION}" --config ${DIR}/kind.yaml
 else
  echo "[dev-env] using existing Kubernetes kind cluster"
 fi
--- a/build/kind.yaml
+++ b/build/kind.yaml
@ -0,0 +1,18 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+  - role: control-plane
+    kubeadmConfigPatches:
+      - |
+        kind: InitConfiguration
+        nodeRegistration:
+          kubeletExtraArgs:
+            node-labels: "ingress-ready=true"
+            authorization-mode: "AlwaysAllow"
+    extraPortMappings:
+      - containerPort: 80
+        hostPort: 80
+        protocol: TCP
+      - containerPort: 443
+        hostPort: 443
+        protocol: TCP
--- a/build/run-in-docker.sh
+++ b/build/run-in-docker.sh
@ -14,27 +14,39 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-if [ -n "$DEBUG" ]; then
+DEBUG=${DEBUG:-"false"}
+if [ "$DEBUG" == "true" ]; then
  set -x
 fi

+RUNTIME=${RUNTIME:-"docker"}
+
 set -o errexit
 set -o nounset
 set -o pipefail

 # temporal directory for the /etc/ingress-controller directory
-INGRESS_VOLUME=$(mktemp -d)
-
 if [[ "$OSTYPE" == darwin* ]]; then
-  INGRESS_VOLUME=/private$INGRESS_VOLUME
+  mkdir -p "tmp"
+  INGRESS_VOLUME=$(pwd)/$(mktemp -d tmp/XXXXXX)
+else
+  INGRESS_VOLUME=$(mktemp -d)
 fi

+# make sure directory for SSL cert storage exists under ingress volume
+mkdir "${INGRESS_VOLUME}/ssl"
+
 function cleanup {
  rm -rf "${INGRESS_VOLUME}"
 }
 trap cleanup EXIT

-E2E_IMAGE=${E2E_IMAGE:-k8s.gcr.io/ingress-nginx/e2e-test-runner:v20200812-gf6dce060b@sha256:a2b6585d6badd2bbf8805cb1f576e7eb6be8fd1e5ece7c362eaa9610f22786ba}
+E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20250112-a188f4eb@sha256:043038b1e30e5a0b64f3f919f096c5c9488ac3f617ac094b07fb9db8215f9441}
+
+if [[ "$RUNTIME" == podman ]]; then
+  # Podman does not support both tag and digest
+  E2E_IMAGE=$(echo $E2E_IMAGE | awk -F "@sha" '{print $1}')
+fi

 DOCKER_OPTS=${DOCKER_OPTS:-}
 DOCKER_IN_DOCKER_ENABLED=${DOCKER_IN_DOCKER_ENABLED:-}
@ -52,21 +64,33 @@ fi
 # create output directory as current user to avoid problem with docker.
 mkdir -p "${KUBE_ROOT}/bin" "${KUBE_ROOT}/bin/${ARCH}"

+PLATFORM="${PLATFORM:-}"
+if [[ -n "$PLATFORM" ]]; then
+  PLATFORM_FLAG=--platform
+else
+  PLATFORM_FLAG=
+fi
+
+USER=${USER:-nobody}
+
+USE_SHELL=${USE_SHELL:-"/bin/bash"}
+
 if [[ "$DOCKER_IN_DOCKER_ENABLED" == "true" ]]; then
+  echo "..reached DIND check TRUE block, inside run-in-docker.sh"
+  echo "FLAGS=$FLAGS"
+  #go env
+  go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.22.2
+  find / -type f -name ginkgo 2>/dev/null
+  which ginkgo
  /bin/bash -c "${FLAGS}"
 else
-  docker run                                            \
-    --tty                                               \
-    --rm                                                \
-    ${DOCKER_OPTS}                                      \
-    -e GOCACHE="/go/src/${PKG}/.cache"                  \
-    -e DOCKER_IN_DOCKER_ENABLED="true"                  \
-    -v "${HOME}/.kube:${HOME}/.kube"                    \
-    -v "${KUBE_ROOT}:/go/src/${PKG}"                    \
-    -v "${KUBE_ROOT}/bin/${ARCH}:/go/bin/linux_${ARCH}" \
-    -v "/var/run/docker.sock:/var/run/docker.sock"      \
-    -v "${INGRESS_VOLUME}:/etc/ingress-controller/"     \
-    -w "/go/src/${PKG}"                                 \
-    -u $(id -u ${USER}):$(id -g ${USER})                \
-    ${E2E_IMAGE} /bin/bash -c "${FLAGS}"
+  echo "Reached DIND check ELSE block, inside run-in-docker.sh"
+
+  args="${PLATFORM_FLAG} ${PLATFORM} --tty --rm ${DOCKER_OPTS} -e DEBUG=${DEBUG} -e GOCACHE="/go/src/${PKG}/.cache" -e GOMODCACHE="/go/src/${PKG}/.modcache" -e DOCKER_IN_DOCKER_ENABLED="true" -v "${HOME}/.kube:${HOME}/.kube" -v "${KUBE_ROOT}:/go/src/${PKG}" -v "${KUBE_ROOT}/bin/${ARCH}:/go/bin/linux_${ARCH}" -v "${INGRESS_VOLUME}:/etc/ingress-controller/" -w "/go/src/${PKG}""
+
+  if [[ "$RUNTIME" == "docker" ]]; then
+    args="$args -v /var/run/docker.sock:/var/run/docker.sock"
+  fi
+
+  ${RUNTIME} run $args ${E2E_IMAGE} ${USE_SHELL} -c "${FLAGS}"
 fi
--- a/build/run-ingress-controller.sh
+++ b/build/run-ingress-controller.sh
@ -49,7 +49,7 @@ fi
 SSL_VOLUME=$(mktemp -d)

 function cleanup {
-    echo -e "${BGREEN}Stoping kubectl proxy${NC}"
+    echo -e "${BGREEN}Stopping kubectl proxy${NC}"
    rm -rf "${SSL_VOLUME}"
    kill "$proxy_pid"
 }
--- a/changelog/controller-1.10.0.md
+++ b/changelog/controller-1.10.0.md
@ -0,0 +1,68 @@
+# Changelog
+
+This release is the first using NGINX v1.25.0!
+
+## Breaking changes
+* This version does not support chroot image, this will be fixed on a future minor patch release
+* This version dropped Opentracing and zipkin modules, just Opentelemetry is supported
+* This version dropped support for PodSecurityPolicy
+* This version dropped support for GeoIP (legacy). Only GeoIP2 is supported
+
+### controller-v1.10.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.0@sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379c
+
+### All changes:
+
+* Start the release of v1.10.0 (#11038)
+* bump nginx and Go, remove tag file and old CI jobs (#11037)
+* Fix kubewebhook image tag (#11033)
+* add missing backend-protocol annotation option (#9545)
+* Update controller-prometheusrules.yaml (#8902)
+* Stop reporting interrupted tests (#11027)
+* test(gzip): reach ingress (#9541)
+* fix datasource, $exported_namespace variable in grafana nginx dashboard (#9092)
+* Properly support a TLS-wrapped OCSP responder (#10164)
+* Fix print-e2e-suite (#9536)
+* chore(deps): upgrade headers-more module to 0.37 (#10991)
+* Update ingress-path-matching.md (#11008)
+* Update ingress-path-matching.md (#11007)
+* E2E Tests: Explicitly enable metrics. (#10962)
+* Chart: Set `--enable-metrics` depending on `controller.metrics.enabled`. (#10959)
+* Chart: Remove useless `default` from `_params.tpl`. (#10957)
+* Fix golang makefile var name (#10932)
+* Fixing image push (#10931)
+* fix: live-docs script (#10928)
+* docs: Add vouch-proxy OAuth example (#10929)
+* Add OTEL build test and for NGINX v1.25 (#10889)
+* docs: update annotations docs with missing session-cookie section (#10917)
+* Release controller 1.9.6 and helm 4.9.1 (#10919)
+
+### Dependency updates:
+
+* Bump kubewebhook certgen (#11034)
+* Bump go libraries (#11023)
+* Bump modsecurity on nginx 1.25 (#11024)
+* Bump grpc and reintroduce OTEL compilation (#11021)
+* Bump github/codeql-action from 3.24.0 to 3.24.5 (#11017)
+* Bump actions/dependency-review-action from 4.0.0 to 4.1.3 (#11016)
+* Bump dorny/paths-filter from 3.0.0 to 3.0.1 (#10994)
+* Bump github.com/prometheus/client_model from 0.5.0 to 0.6.0 (#10998)
+* Bump actions/upload-artifact from 4.3.0 to 4.3.1 (#10978)
+* Bump actions/download-artifact from 4.1.1 to 4.1.2 (#10981)
+* Bump aquasecurity/trivy-action from 0.16.1 to 0.17.0 (#10979)
+* Bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 (#10980)
+* Bump golang.org/x/crypto from 0.18.0 to 0.19.0 (#10976)
+* Bump github/codeql-action from 3.23.2 to 3.24.0 (#10971)
+* Bump github.com/opencontainers/runc from 1.1.11 to 1.1.12 (#10951)
+* Bump google.golang.org/grpc from 1.60.1 to 1.61.0 (#10938)
+* Bump actions/upload-artifact from 4.2.0 to 4.3.0 (#10937)
+* Bump dorny/test-reporter from 1.7.0 to 1.8.0 (#10936)
+* Bump github/codeql-action from 3.23.1 to 3.23.2 (#10935)
+* Bump dorny/paths-filter from 2.11.1 to 3.0.0 (#10934)
+* Bump alpine to 3.19.1 (#10930)
+* Bump go to v1.21.6 and set a single source of truth (#10926)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.9.6...controller-v1.10.0
--- a/changelog/controller-1.10.1.md
+++ b/changelog/controller-1.10.1.md
@ -0,0 +1,57 @@
+# Changelog
+
+### controller-v1.10.1
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.1@sha256:e24f39d3eed6bcc239a56f20098878845f62baa34b9f2be2fd2c38ce9fb0f29e
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.1@sha256:c155954116b397163c88afcb3252462771bd7867017e8a17623e83601bab7ac7
+
+### All changes:
+
+* start 1.10.1 build (#11246)
+* force nginx rebuild (#11245)
+* update k8s version to latest kind release (#11241)
+* remove _ssl_expire_time_seconds metric by identifier (#11239)
+* update post submit helm ci and clean up (#11221)
+* Chart: Add unit tests for default backend & topology spread constraints. (#11219)
+* sort default backend hpa metrics (#11217)
+* updated certgen image shatag (#11216)
+* changed testrunner image sha (#11211)
+* bumped certgeimage tag (#11213)
+* updated baseimage & deleted a useless file (#11209)
+* bump ginkgo to 2-17-1 in testrunner (#11204)
+* chunking related faq update (#11205)
+* Fix-semver (#11199)
+* refactor helm ci tests part I (#11188)
+* Proposal: e2e tests for regex patterns (#11185)
+* bump ginkgo to v2.17.1 (#11186)
+* fixes brotli build issue (#11187)
+* fix geoip2 configuration docs (#11151)
+* Fix typos in OTel doc (#11081) (#11129)
+* Chart: Render `controller.ingressClassResource.parameters` natively. (#11126)
+* Fix admission controller logging of `admissionTime` and `testedConfigurationSize` (#11114)
+* Chart: Align HPA & KEDA conditions. (#11113)
+* Chart: Improve IngressClass documentation. (#11111)
+* Chart: Add Gacko to maintainers. Again. (#11112)
+* Chart: Deploy `PodDisruptionBudget` with KEDA. (#11105)
+* Chores: Pick patches from main. (#11103)
+
+### Dependency updates:
+
+* Bump google.golang.org/grpc from 1.63.0 to 1.63.2 (#11238)
+* Bump google.golang.org/grpc from 1.62.1 to 1.63.0 (#11234)
+* Bump github.com/prometheus/common from 0.51.1 to 0.52.2 (#11233)
+* Bump golang.org/x/crypto from 0.21.0 to 0.22.0 (#11232)
+* Bump github.com/prometheus/client_model in the all group (#11231)
+* Bump the all group with 3 updates (#11230)
+* Bump the all group with 2 updates (#11190)
+* Bump actions/add-to-project from 0.6.1 to 1.0.0 (#11189)
+* Bump the all group with 3 updates (#11166)
+* Bump github.com/prometheus/common from 0.50.0 to 0.51.1 (#11160)
+* Bump the all group with 4 updates (#11140)
+* Bump the all group with 1 update (#11136)
+* Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 in /magefiles (#11127)
+* Bump google.golang.org/protobuf in /images/custom-error-pages/rootfs (#11128)
+* Bump google.golang.org/protobuf in /images/kube-webhook-certgen/rootfs (#11122)
+
--- a/changelog/controller-1.10.2.md
+++ b/changelog/controller-1.10.2.md
@ -0,0 +1,130 @@
+# Changelog
+
+### controller-v1.10.2
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.2@sha256:e3311b3d9671bc52d90572bcbfb7ee5b71c985d6d6cffd445c241f1e2703363c
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.2@sha256:c4395cba98f9721e3381d3c06e7994371bae20f5ab30e457cd7debe44a8c8c54
+
+### All changes:
+
+* update test runner to latest build (#11557)
+* add k8s 1.30 to ci build (#11553)
+* update test runner go base to 3.20 (#11550)
+* tag new test runner image with new nginx base 0.0.8 (#11549)
+* bump NGINX_BASE to v0.0.8 (#11543)
+* trigger build for NGINX-1.25 v0.0.8 (#11542)
+* Upgrade OWASP_MODSECURITY_CRS_VERSION 3.3.5 to 4.4.0 and update docs (#11548)
+* [feature] bump nginx to 1.25.5 and add http3 module (#11541)
+* add ssl patches to nginx-1.25 image for coroutines to work in lua client hello and cert ssl blocks (#11534)
+* bump alpine version to 3.20 to custom-error-pages (#11537)
+* fix: Ensure changes in MatchCN annotation are detected (#11528)
+* Docs: Add information about HTTP/3 support. (#11525)
+* Docs: Specify `ingressClass` for multi-controller setup. (#11520)
+* Docs: Improve default certificate usage. (#11519)
+* docs: Update Ingress-NGINX v1.10.1 compatibility with Kubernetes v1.30 (#11500)
+* Update getting-started.md with new prerequisites (#11487)
+* Fix boolean configuration (#11484)
+* Chores: Align security contacts & chart maintainers to actual owners. (#11480)
+* CI: Bump forgotten Ginkgo versions. (#11469)
+* Tests: Replace deprecated `grpc.Dial` by `grpc.NewClient`. (#11468)
+* Owners: Promote Gacko to admin. (#11464)
+* fixed fastcgi userguide (#11455)
+* Remove unnecessary space character (#11451)
+* fix for docs issue 11432 (#11446)
+* Update index.md (#11445)
+* upgrade to alpine 3.20 (#11438)
+* update golang to 1.22.4 (#11431)
+* Adapt dashboards for Grafana 11 compatibility (#11414)
+* Rename variable to fix typo (#11413)
+* Fix helm install on cloud provider admonition block (#11412)
+* edited helm-install tips (#11411)
+* added info for aws helm install (#11410)
+* added multiplecontrollers-howto to faq (#11409)
+* removed tlsv1 & tlsv1.1 (#11408)
+* Docs: Remove opentracing and zipkin from docs (#11405)
+* Go: Sync modules from `main`. (#11398)
+* add workflow to helm release and update ct for branch (#11317)
+* Merge pull request #11277 from strongjz/chart-1.10.1 (#11314)
+* Release Helm Chart on branch update (#11306)
+* Release controller 1.10.1 (#11298)
+* fix path in file changed detected message (#11286)
+* chore: fix function names in comment (#11281)
+* fix: update kube version requirement to 1.21 (#11279)
+* release helm chart from release branch (#11278)
+* start 1.10.1 build (#11246)
+* force nginx rebuild (#11245)
+* update k8s version to latest kind release (#11241)
+* remove _ssl_expire_time_seconds metric by identifier (#11239)
+* update post submit helm ci and clean up (#11221)
+* Chart: Add unit tests for default backend & topology spread constraints. (#11219)
+* sort default backend hpa metrics (#11217)
+* updated certgen image shatag (#11216)
+* changed testrunner image sha (#11211)
+* bumped certgeimage tag (#11213)
+* updated baseimage & deleted a useless file (#11209)
+* bump ginkgo to 2-17-1 in testrunner (#11204)
+* chunking related faq update (#11205)
+* Fix-semver (#11199)
+* refactor helm ci tests part I (#11188)
+* Proposal: e2e tests for regex patterns (#11185)
+* bump ginkgo to v2.17.1 (#11186)
+* fixes brotli build issue (#11187)
+* fix geoip2 configuration docs (#11151)
+* Fix typos in OTel doc (#11081) (#11129)
+* Chart: Render `controller.ingressClassResource.parameters` natively. (#11126)
+* Fix admission controller logging of `admissionTime` and `testedConfigurationSize` (#11114)
+* Chart: Align HPA & KEDA conditions. (#11113)
+* Chart: Improve IngressClass documentation. (#11111)
+* Chart: Add Gacko to maintainers. Again. (#11112)
+* Chart: Deploy `PodDisruptionBudget` with KEDA. (#11105)
+* Chores: Pick patches from main. (#11103)
+* Start the release of v1.10.0 (#11038)
+
+### Dependency updates:
+
+* Bump the all group with 2 updates (#11524)
+* Bump k8s.io/klog/v2 from 2.130.0 to 2.130.1 in the all group (#11521)
+* Bump aquasecurity/trivy-action from 0.22.0 to 0.23.0 in the all group (#11501)
+* Bump k8s.io/klog/v2 from 2.120.1 to 2.130.0 (#11479)
+* Bump the all group with 3 updates (#11478)
+* Bump the all group with 2 updates (#11477)
+* Bump golang.org/x/crypto from 0.23.0 to 0.24.0 (#11471)
+* Bump sigs.k8s.io/controller-runtime in the all group (#11449)
+* Bump github.com/prometheus/common from 0.53.0 to 0.54.0 (#11447)
+* Bump the all group with 3 updates (#11450)
+* Bump goreleaser/goreleaser-action from 5.1.0 to 6.0.0 (#11448)
+* Bump github.com/onsi/ginkgo/v2 from 2.17.2 to 2.19.0 (#11422)
+* Bump the all group with 2 updates (#11421)
+* Bump google.golang.org/grpc from 1.63.2 to 1.64.0 (#11423)
+* Bump the all group across 1 directory with 6 updates (#11407)
+* Bump golangci/golangci-lint-action from 5.3.0 to 6.0.1 (#11406)
+* Bump the all group with 3 updates (#11404)
+* Bump Kubernetes version on images (#11403)
+* Bump golangci/golangci-lint-action from 4.0.0 to 5.0.0 (#11402)
+* Bump the all group with 4 updates (#11380)
+* Bump k8s.io/component-base from 0.29.3 to 0.30.0 (#11301)
+* Bump github.com/prometheus/common from 0.52.3 to 0.53.0 (#11300)
+* Bump golang.org/x/net from 0.22.0 to 0.23.0 (#11285)
+* Bump golang.org/x/net in /images/kube-webhook-certgen/rootfs (#11284)
+* Bump the all group with 2 updates (#11266)
+* Bump azure/setup-helm from 3.5 to 4 (#11265)
+* Bump actions/add-to-project from 1.0.0 to 1.0.1 in the all group (#11264)
+* Bump google.golang.org/grpc from 1.63.0 to 1.63.2 (#11238)
+* Bump google.golang.org/grpc from 1.62.1 to 1.63.0 (#11234)
+* Bump github.com/prometheus/common from 0.51.1 to 0.52.2 (#11233)
+* Bump golang.org/x/crypto from 0.21.0 to 0.22.0 (#11232)
+* Bump github.com/prometheus/client_model in the all group (#11231)
+* Bump the all group with 3 updates (#11230)
+* Bump the all group with 2 updates (#11190)
+* Bump actions/add-to-project from 0.6.1 to 1.0.0 (#11189)
+* Bump the all group with 3 updates (#11166)
+* Bump github.com/prometheus/common from 0.50.0 to 0.51.1 (#11160)
+* Bump the all group with 4 updates (#11140)
+* Bump the all group with 1 update (#11136)
+* Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 in /magefiles (#11127)
+* Bump google.golang.org/protobuf in /images/custom-error-pages/rootfs (#11128)
+* Bump google.golang.org/protobuf in /images/kube-webhook-certgen/rootfs (#11122)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.1...controller-v1.10.2
--- a/changelog/controller-1.10.3.md
+++ b/changelog/controller-1.10.3.md
@ -0,0 +1,37 @@
+# Changelog
+
+### controller-v1.10.3
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.3@sha256:b5a5082f8e508cc1aac1c0ef101dc2f87b63d51598a5747d81d6cf6e7ba058fd
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.3@sha256:9033e04bd3cd01f92414f8d5999c5095734d4caceb4923942298152a38373d4b
+
+### All changes:
+
+* Images: Trigger `controller` v1.10.3 build. (#11648)
+* Tests: Bump `test-runner` to v20240717-1fe74b5f. (#11646)
+* Images: Re-run `test-runner` build. (#11643)
+* Images: Trigger `test-runner` build. (#11639)
+* Images: Bump `NGINX_BASE` to v0.0.10. (#11637)
+* Images: Trigger NGINX build. (#11631)
+* bump testing runner (#11626)
+* remove modsecurity coreruleset test files from nginx image (#11619)
+* unskip the ocsp tests and update images to fix cfssl bug (#11615)
+* Fix indent in YAML for example pod (#11609)
+* Images: Bump `test-runner`. (#11604)
+* Images: Bump `NGINX_BASE` to v0.0.9. (#11601)
+* revert module upgrade (#11595)
+* README: Fix support matrix. (#11593)
+* Mage: Stop mutating release notes. (#11582)
+* Images: Bump `kube-webhook-certgen`. (#11583)
+
+### Dependency updates:
+
+* Bump github.com/prometheus/common from 0.54.0 to 0.55.0 (#11622)
+* Bump the all group with 5 updates (#11613)
+* Bump golang.org/x/crypto from 0.24.0 to 0.25.0 (#11579)
+* Bump google.golang.org/grpc from 1.64.0 to 1.65.0 (#11577)
+* Bump the all group with 4 updates (#11574)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.2...controller-v1.10.3
--- a/changelog/controller-1.10.4.md
+++ b/changelog/controller-1.10.4.md
@ -0,0 +1,53 @@
+# Changelog
+
+### controller-v1.10.4
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.4@sha256:505b9048c02dde3d6c8667bf0b52aba7b36adf7b03da34c47d5fa312d2d4c6fc
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.4@sha256:bf71acf6e71830a4470e2183e3bc93c4f006b954f8a05fb434242ef0f8a24858
+
+### All changes:
+
+* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11811)
+* Images: Trigger controller build. (#11808)
+* Tests & Docs: Bump images. (#11804)
+* Images: Trigger failed builds. (#11801)
+* Images: Trigger other builds. (#11797)
+* Controller: Fix panic in alternative backend merging. (#11793)
+* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11791)
+* Images: Trigger `test-runner` build. (#11786)
+* Images: Bump `NGINX_BASE` to v0.0.12. (#11783)
+* Images: Trigger NGINX build. (#11780)
+* Cloud Build: Add missing config, remove unused ones. (#11776)
+* Generate correct output on NumCPU() when using cgroups2 (#11775)
+* Cloud Build: Tweak timeouts. (#11762)
+* Cloud Build: Fix substitutions. (#11759)
+* Cloud Build: Some chores. (#11756)
+* Go: Bump to v1.22.6. (#11748)
+* Images: Bump `NGINX_BASE` to v0.0.11. (#11744)
+* Images: Trigger NGINX build. (#11736)
+* docs: update OpenSSL Roadmap link (#11734)
+* Go: Bump to v1.22.5. (#11731)
+* Docs: Fix typo in AWS LB Controller reference (#11724)
+* Perform some cleaning operations on line breaks. (#11722)
+* Missing anchors in regular expression. (#11718)
+* Docs: Fix `from-to-www` redirect description. (#11715)
+* Chart: Remove `isControllerTagValid`. (#11714)
+* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11704)
+* Docs: Clarify `from-to-www` redirect direction. (#11692)
+* added real-client-ip faq (#11665)
+* Docs: Format NGINX configuration table. (#11660)
+
+### Dependency updates:
+
+* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11772)
+* Bump the all group with 2 updates (#11770)
+* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11768)
+* Bump the all group with 3 updates (#11729)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11700)
+* Bump the all group with 2 updates (#11697)
+* Bump the all group with 4 updates (#11676)
+* Bump the all group with 2 updates (#11674)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.3...controller-v1.10.4
--- a/changelog/controller-1.10.5.md
+++ b/changelog/controller-1.10.5.md
@ -0,0 +1,90 @@
+# Changelog
+
+### controller-v1.10.5
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.5@sha256:c84d11b1f7bd14ebbf49918a7f0dc01b31c0c6e757e0129520ea93453096315c
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.5@sha256:030a43bdd5f0212a7e135cc4da76b15a6706ef65a6824eb4cc401f87a81c2987
+
+### All changes:
+
+* Images: Trigger controller build. (#12133)
+* Tests & Docs: Bump `e2e-test-echo` to v1.0.1. (#12146)
+* Images: Trigger `e2e-test-echo` build. (#12142)
+* Images: Drop `s390x`. (#12139)
+* Images: Build `s390x` controller. (#12128)
+* Chart: Bump Kube Webhook CertGen. (#12122)
+* Tests & Docs: Bump images. (#12120)
+* Cloud Build: Bump `gcb-docker-gcloud` to v20240718-5ef92b5c36. (#12116)
+* Images: Trigger other builds. (#12111)
+* Tests: Bump `e2e-test-runner` to v20241004-114a6abb. (#12104)
+* Images: Trigger `test-runner` build. (#12101)
+* Docs: Add a multi-tenant warning. (#12098)
+* Go: Bump to v1.22.8. (#12093)
+* Images: Bump `NGINX_BASE` to v0.1.0. (#12079)
+* Images: Trigger NGINX build. (#12077)
+* Images: Remove NGINX v1.21. (#12057)
+* GitHub: Improve Dependabot. (#12037)
+* Chart: Improve CI. (#12029)
+* Chart: Extend image tests. (#12026)
+* Docs: Add health check annotations for AWS. (#12021)
+* Docs: Convert `opentelemetry.md` from CRLF to LF. (#12007)
+* Chart: Test `controller.minAvailable` & `controller.maxUnavailable`. (#12001)
+* Chart: Align default backend `PodDisruptionBudget`. (#11998)
+* Metrics: Fix namespace in `nginx_ingress_controller_ssl_expire_time_seconds`. (#11985)
+* Chart: Improve default backend service account. (#11973)
+* Go: Bump to v1.22.7. (#11969)
+* Images: Bump OpenTelemetry C++ Contrib. (#11950)
+* Docs: Add note about `--watch-namespace`. (#11948)
+* Images: Use latest Alpine 3.20 everywhere. (#11945)
+* Fix minor typos (#11940)
+* Chart: Implement `controller.admissionWebhooks.service.servicePort`. (#11933)
+* Tests: Bump `e2e-test-runner` to v20240829-2c421762. (#11920)
+* Images: Trigger `test-runner` build. (#11918)
+* Chart: Add tests for `PrometheusRule` & `ServiceMonitor`. (#11888)
+* Annotations: Allow commas in URLs. (#11886)
+* CI: Grant checks write permissions to E2E Test Report. (#11884)
+* Update maxmind post link about geolite2 license changes (#11880)
+* Go: Sync `go.work.sum`. (#11876)
+* Replace deprecated queue method (#11858)
+* Auto-generate annotation docs (#11835)
+
+### Dependency updates:
+
+* Bump the actions group with 3 updates (#12150)
+* Bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#12108)
+* Bump the actions group with 3 updates (#12096)
+* Bump sigs.k8s.io/mdtoc from 1.1.0 to 1.4.0 (#12088)
+* Bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#12086)
+* Bump google.golang.org/grpc from 1.67.0 to 1.67.1 in the go group across 1 directory (#12084)
+* Bump k8s.io/cli-runtime from 0.30.0 to 0.31.1 (#12082)
+* Bump github/codeql-action from 3.26.9 to 3.26.10 in the actions group (#12054)
+* Bump the go group across 1 directory with 3 updates (#12052)
+* Bump k8s.io/kube-aggregator from 0.29.3 to 0.31.1 in /images/kube-webhook-certgen/rootfs (#12048)
+* Bump k8s.io/apimachinery from 0.23.1 to 0.31.1 in /images/ext-auth-example-authsvc/rootfs (#12044)
+* Bump github.com/prometheus/client_golang from 1.11.1 to 1.20.4 in /images/custom-error-pages/rootfs (#12045)
+* Bump the all group with 2 updates (#12035)
+* Bump github/codeql-action from 3.26.7 to 3.26.8 in the all group (#12015)
+* Bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#12013)
+* Bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group (#12011)
+* Bump the all group with 2 updates (#11979)
+* Bump github/codeql-action from 3.26.6 to 3.26.7 in the all group (#11978)
+* Bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#11960)
+* Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (#11959)
+* Bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group (#11956)
+* Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#11929)
+* Bump the all group with 2 updates (#11924)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.20.2 in the all group (#11912)
+* Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#11907)
+* Bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#11906)
+* Bump github/codeql-action from 3.26.5 to 3.26.6 in the all group (#11905)
+* Bump the all group with 2 updates (#11870)
+* Bump github/codeql-action from 3.26.2 to 3.26.5 in the all group (#11869)
+* Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 (#11848)
+* Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.0 (#11847)
+* Bump dario.cat/mergo from 1.0.0 to 1.0.1 in the all group (#11846)
+* Bump k8s.io/component-base from 0.30.3 to 0.31.0 (#11841)
+* Bump github/codeql-action from 3.26.0 to 3.26.2 in the all group (#11833)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.4...controller-v1.10.5
--- a/changelog/controller-1.10.6.md
+++ b/changelog/controller-1.10.6.md
@ -0,0 +1,92 @@
+# Changelog
+
+### controller-v1.10.6
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.6@sha256:b6fbd102255edb3ba8e5421feebe14fd3e94cf53d199af9e40687f536152189c
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.6@sha256:44ceedafc0e04a75521b5d472c1b6b5cc08afb8038b5bbfd79c21d066ccf300e
+
+### All changes:
+
+* Images: Trigger controller build. (#12611)
+* Chart: Bump Kube Webhook CertGen. (#12608)
+* Tests & Docs: Bump images. (#12605)
+* Images: Trigger other builds (2/2). (#12598)
+* Images: Trigger other builds (1/2). (#12597)
+* Tests: Bump `e2e-test-runner` to v20241224-68ed4e7b. (#12592)
+* Images: Trigger `test-runner` build. (#12586)
+* Images: Bump `NGINX_BASE` to v0.2.0. (#12584)
+* Images: Trigger NGINX build. (#12578)
+* Go: Clean `go.work.sum`. (#12575)
+* Repository: Update owners. (#12570)
+* Images: Bump `gcb-docker-gcloud` to v20241217-ff46a068cd. (#12563)
+* CI: Update KIND images. (#12559)
+* Images: Bump Alpine to v3.21. (#12530)
+* Docs: Add guide on how to set a Maintenance Page. (#12527)
+* rikatz is stepping down (#12518)
+* rikatz is stepping down (#12497)
+* Go: Bump to v1.23.4. (#12485)
+* Plugin: Bump `goreleaser` to v2. (#12442)
+* GitHub: Fix `exec` in issue template. (#12389)
+* CI: Update KIND images. (#12368)
+* Images: Bump `gcb-docker-gcloud` to v20241110-72bb0b1665. (#12341)
+* Go: Bump to v1.23.3. (#12339)
+* Auth TLS: Add `_` to redirect RegEx. (#12328)
+* Auth TLS: Improve redirect RegEx. (#12321)
+* Tests: Bump `e2e-test-runner` to v20241104-02a3933e. (#12314)
+* Images: Trigger `test-runner` build. (#12307)
+* Config: Fix panic on invalid `lua-shared-dict`. (#12282)
+* Docs: fix limit-rate-after references (#12280)
+* Chart: Rework ServiceMonitor. (#12268)
+* Chart: Add ServiceAccount tests. (#12266)
+* CI: Fix chart testing. (#12260)
+* [fix] fix nginx temp configs cleanup (#12224)
+* Chart: Suggest `matchLabelKeys` in Topology Spread Constraints. (#12204)
+* Docs: Add Pod Security Admission. (#12198)
+* Docs: Clarify external & service port in TCP/UDP services explanation. (#12194)
+
+### Dependency updates:
+
+* Bump k8s.io/apiextensions-apiserver from 0.31.3 to 0.32.0 (#12565)
+* Bump github.com/onsi/ginkgo/v2 from 2.22.0 to 2.22.1 (#12557)
+* Bump k8s.io/code-generator from 0.31.3 to 0.32.0 (#12552)
+* Bump k8s.io/cli-runtime from 0.31.3 to 0.32.0 (#12549)
+* Bump k8s.io/apiserver from 0.31.3 to 0.32.0 (#12546)
+* Bump the actions group with 2 updates (#12543)
+* Bump google.golang.org/grpc from 1.68.1 to 1.69.2 (#12540)
+* Bump k8s.io/client-go from 0.31.3 to 0.32.0 (#12514)
+* Bump github.com/opencontainers/runc from 1.2.2 to 1.2.3 in the go group across 1 directory (#12511)
+* Bump the actions group with 3 updates (#12508)
+* Bump k8s.io/kube-aggregator from 0.31.3 to 0.32.0 in /images/kube-webhook-certgen/rootfs (#12504)
+* Bump k8s.io/apimachinery from 0.31.3 to 0.32.0 in /images/ext-auth-example-authsvc/rootfs (#12501)
+* Bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#12478)
+* Bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /magefiles (#12473)
+* Bump github.com/prometheus/common from 0.60.1 to 0.61.0 (#12466)
+* Bump github/codeql-action from 3.27.5 to 3.27.6 in the actions group (#12463)
+* Bump the go group across 1 directory with 2 updates (#12459)
+* Bump github.com/onsi/ginkgo/v2 from 2.21.0 to 2.22.0 (#12425)
+* Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#12416)
+* Bump the go group across 3 directories with 10 updates (#12414)
+* Bump the actions group with 3 updates (#12410)
+* Bump github.com/opencontainers/runc from 1.2.1 to 1.2.2 in the go group across 1 directory (#12382)
+* Bump github/codeql-action from 3.27.1 to 3.27.4 in the actions group (#12375)
+* Bump golangci-lint on actions and disable deprecated linters (#12363)
+* Bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#12356)
+* Bump the actions group with 3 updates (#12353)
+* Bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#12351)
+* Bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 (#12297)
+* Bump github.com/opencontainers/runc from 1.2.0 to 1.2.1 in the go group across 1 directory (#12294)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.2 to 2.21.0 (#12290)
+* Bump actions/dependency-review-action from 4.3.5 to 4.4.0 in the actions group (#12275)
+* Bump the go group across 3 directories with 11 updates (#12246)
+* Bump github.com/opencontainers/runc from 1.1.15 to 1.2.0 (#12241)
+* Bump the actions group with 5 updates (#12243)
+* Bump github.com/ncabatoff/process-exporter from 0.8.3 to 0.8.4 in the go group across 1 directory (#12219)
+* Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 in the actions group (#12215)
+* Bump github/codeql-action from 3.26.12 to 3.26.13 in the actions group (#12191)
+* Bump the go group across 2 directories with 1 update (#12189)
+* Bump the actions group with 2 updates (#12185)
+* Bump github.com/opencontainers/runc from 1.1.14 to 1.1.15 in the go group across 1 directory (#12184)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.5...controller-v1.10.6
--- a/changelog/controller-1.11.0.md
+++ b/changelog/controller-1.11.0.md
@ -0,0 +1,164 @@
+# Changelog
+
+### controller-v1.11.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.11.0@sha256:a886e56d532d1388c77c8340261149d974370edca1093af4c97a96fb1467cb39
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.0@sha256:f16dfed1c94d216b65e5dcb7508ab46148641a99649c5a700749db6f01a7039e
+
+### All changes:
+
+* update test runner to latest build (#11558)
+* add k8s 1.30 to ci build (#11554)
+* update test runner go base to 3.20 (#11552)
+* tag new test runner image with new nginx base 0.0.8 (#11551)
+* bump NGINX_BASE to v0.0.8 (#11544)
+* add ssl patches to nginx-1.25 image for coroutines to work in lua client hello and cert ssl blocks (#11535)
+* trigger build for NGINX-1.25 v0.0.8 (#11539)
+* bump alpine version to 3.20 to custom-error-pages (#11538)
+* fix: Ensure changes in MatchCN annotation are detected (#11529)
+* Docs: Add information about HTTP/3 support. (#11513)
+* Docs: Specify `ingressClass` for multi-controller setup. (#11493)
+* Docs: Improve default certificate usage. (#11504)
+* Upgrade OWASP_MODSECURITY_CRS_VERSION 3.3.5 to 4.4.0 and update docs (#11511)
+* docs: Update Ingress-NGINX v1.10.1 compatibility with Kubernetes v1.30 (#11495)
+* Update getting-started.md with new prerequisites (#11486)
+* [feature] bump nginx to 1.25.5 and add http3 module (#11470)
+* Fix boolean configuration (#11483)
+* Chores: Align security contacts & chart maintainers to actual owners. (#11465)
+* CI: Bump forgotten Ginkgo versions. (#11467)
+* Tests: Replace deprecated `grpc.Dial` by `grpc.NewClient`. (#11462)
+* Owners: Promote Gacko to admin. (#11463)
+* Chart: Make pod affinity templatable. (#11453)
+* fixed fastcgi userguide (#11454)
+* Remove unnecessary space character (#11434)
+* upgrade to alpine 3.20 (#11428)
+* fix for docs issue 11432 (#11433)
+* Update index.md (#11437)
+* update golang to 1.22.4 (#11427)
+* Chart: Fix `IngressClass` annotations. (#11416)
+* Chart: Make admission webhook patch job RBAC configurable. (#11376)
+* Merge pull request #11277 from strongjz/chart-1.10.1 (#11415)
+* Chart: Remove `controller.enableWorkerSerialReloads`. (#11400)
+* Adapt dashboards for Grafana 11 compatibility (#11399)
+* Rename variable to fix typo (#11395)
+* Fix helm install on cloud provider admonition block (#11394)
+* edited helm-install tips (#11393)
+* added info for aws helm install (#11390)
+* added multiplecontrollers-howto to faq (#11389)
+* removed tlsv1 & tlsv1.1 (#11343)
+* feat: Add grpc timeouts annotations (#11258)
+* sfix position of options (#11379)
+* add workflow to helm release and update ct for branch (#11378)
+* Accept user defined annotations in IngressClass (#11362)
+* Docs: Remove opentracing and zipkin from docs (#11361)
+* Allow configuring nginx worker reload behaviour, to prevent multiple concurrent worker reloads which can lead to high resource usage and OOMKill (#10884)
+* chore(deps): group update k8s.io packages to v0.30.0 (#11344)
+* Fix function name in comment (#11296)
+* fix path in file changed detected message (#11271)
+* chore: fix function names in comment (#11280)
+* fix: update kube version requirement to 1.21 (#11275)
+* release helm chart from release branch (#11276)
+* update k8s version to latest kind release (#11240)
+* feat: add annotation to allow to add custom response headers (#9742)
+* remove _ssl_expire_time_seconds metric by identifier (#9706)
+* update post submit helm ci and clean up (#11220)
+* Chart: Add unit tests for default backend & topology spread constraints. (#11218)
+* sort default backend hpa metrics (#11215)
+* updated certgen image shatag (#11214)
+* feature(default_backend): topologySpreadConstraints on default backend (#11197)
+* bumped certgeimage tag (#11212)
+* changed testrunner image sha (#11207)
+* updated baseimage & deleted a useless file (#11208)
+* Chart: Make `controller.config` templatable. (#11181)
+* chunking related faq update (#11196)
+* bump ginkgo to 2-17-1 in testrunner (#11202)
+* Owners: Promote Gacko to `ingress-nginx-maintainers` & `ingress-nginx-reviewers`. (#11165)
+* Fix-semver (#11193)
+* refactor helm ci tests part I (#11178)
+* fixes brotli build issue (#10484)
+* bump ginkgo to v2.17.1 (#11177)
+* Proposal: e2e tests for regex patterns (#11174)
+* Controller: Make Leader Election TTL configurable. (#11142)
+* Chores: Remove recently added whitespaces. (#11156)
+* Add GRPC Buffer Size to the Configmap (#11155)
+* fix geoip2 configuration docs (#11150)
+* feature(geoip2_autoreload): Enable GeoIP2 auto_reload config  (#11079)
+* Chart: Add IngressClass aliases. (#11109)
+* Fix typos in OTel doc (#11081)
+* Chart: Render `controller.ingressClassResource.parameters` natively. (#11108)
+* Fix admission controller logging of `admissionTime` and `testedConfigurationSize` (#11089)
+* Chart: Align HPA & KEDA conditions. (#11110)
+* Chart: Add Gacko to maintainers. Again. (#11107)
+* Chart: Improve IngressClass documentation. (#11104)
+* Chart: Deploy `PodDisruptionBudget` with KEDA. (#11032)
+* Undo #11062 since it breaks the nginx config (#11082)
+* [mTLS] Fix acme verification when mTLS and Client CN verification is enabled (#11062)
+* golangci-lint update, ci cleanup, group dependabot updates (#11071)
+* bump golang (#11070)
+* feature(leader_election): flag to disable leader election feature on controller (#11064)
+* docs: update the 404 link to FAQ (#11069)
+* Update README.md (#11065)
+* quotes around numbers fort ports definitions (#11052)
+
+### Dependency updates:
+
+* Bump the all group with 2 updates (#11523)
+* Bump k8s.io/klog/v2 from 2.130.0 to 2.130.1 in the all group (#11499)
+* Bump aquasecurity/trivy-action from 0.22.0 to 0.23.0 in the all group (#11497)
+* Bump k8s.io/klog/v2 from 2.120.1 to 2.130.0 (#11475)
+* Bump the all group with 3 updates (#11474)
+* Bump the all group with 2 updates (#11476)
+* Bump golang.org/x/crypto from 0.23.0 to 0.24.0 (#11442)
+* Bump the all group with 3 updates (#11443)
+* Bump sigs.k8s.io/controller-runtime in the all group (#11440)
+* Bump goreleaser/goreleaser-action from 5.1.0 to 6.0.0 (#11444)
+* Bump github.com/prometheus/common from 0.53.0 to 0.54.0 (#11441)
+* Bump the all group with 2 updates (#11419)
+* Bump github.com/onsi/ginkgo/v2 from 2.17.2 to 2.19.0 (#11418)
+* Bump google.golang.org/grpc from 1.63.2 to 1.64.0 (#11417)
+* Bump the all group across 1 directory with 3 updates (#11384)
+* Bump the all group across 1 directory with 6 updates (#11383)
+* Bump golang.org/x/crypto from 0.22.0 to 0.23.0 (#11357)
+* Bump golangci/golangci-lint-action from 5.3.0 to 6.0.1 (#11355)
+* Bump the all group with 3 updates (#11348)
+* Bump Kubernetes version on images (#11346)
+* Bump sigs.k8s.io/controller-runtime from 0.17.3 to 0.18.1 (#11345)
+* Bump golangci/golangci-lint-action from 4.0.0 to 5.0.0 (#11328)
+* Bump the all group with 4 updates (#11327)
+* Bump k8s.io/component-base from 0.29.3 to 0.30.0 (#11291)
+* Bump github.com/prometheus/common from 0.52.3 to 0.53.0 (#11290)
+* Bump golang.org/x/net from 0.22.0 to 0.23.0 (#11282)
+* Bump golang.org/x/net in /images/kube-webhook-certgen/rootfs (#11283)
+* Bump the all group with 2 updates (#11261)
+* Bump azure/setup-helm from 3.5 to 4 (#11263)
+* Bump actions/add-to-project from 1.0.0 to 1.0.1 in the all group (#11262)
+* Bump google.golang.org/grpc from 1.63.0 to 1.63.2 (#11237)
+* Bump google.golang.org/grpc from 1.62.1 to 1.63.0 (#11228)
+* Bump github.com/prometheus/common from 0.51.1 to 0.52.2 (#11227)
+* Bump golang.org/x/crypto from 0.21.0 to 0.22.0 (#11229)
+* Bump github.com/prometheus/client_model in the all group (#11226)
+* Bump the all group with 3 updates (#11225)
+* Bump the all group with 2 updates (#11183)
+* Bump actions/add-to-project from 0.6.1 to 1.0.0 (#11184)
+* Bump the all group with 3 updates (#11157)
+* Bump github.com/prometheus/common from 0.50.0 to 0.51.1 (#11159)
+* Bump the all group with 4 updates (#11133)
+* Bump the all group with 1 update (#11134)
+* Bump google.golang.org/protobuf in /images/custom-error-pages/rootfs (#11119)
+* Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 in /magefiles (#11121)
+* Bump google.golang.org/protobuf in /images/kube-webhook-certgen/rootfs (#11120)
+* Bump github.com/onsi/ginkgo/v2 from 2.15.0 to 2.16.0 (#11076)
+* Bump the all group with 1 update (#11073)
+* Bump the all group with 1 update (#11072)
+* Bump github.com/prometheus/common from 0.49.0 to 0.50.0 (#11075)
+* Bump actions/download-artifact from 4.1.2 to 4.1.4 (#11059)
+* Bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (#11055)
+* Bump docker/setup-buildx-action from 3.0.0 to 3.1.0 (#11057)
+* Bump github.com/prometheus/common from 0.48.0 to 0.49.0 (#11056)
+* Bump github/codeql-action from 3.24.5 to 3.24.6 (#11060)
+* Bump aquasecurity/trivy-action from 0.17.0 to 0.18.0 (#11058)
+* Bump dorny/paths-filter from 3.0.1 to 3.0.2 (#11061)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.2...controller-v1.11.0
--- a/changelog/controller-1.11.1.md
+++ b/changelog/controller-1.11.1.md
@ -0,0 +1,45 @@
+# Changelog
+
+### controller-v1.11.1
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.11.1@sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.1@sha256:7cabe4bd7558bfdf5b707976d7be56fd15ffece735d7c90fc238b6eda290fd8d
+
+### All changes:
+
+* Tests: Bump `test-runner` to v20240717-1fe74b5f. (#11647)
+* Images: Re-run `test-runner` build. (#11644)
+* Images: Trigger `test-runner` build. (#11640)
+* Images: Bump `NGINX_BASE` to v0.0.10. (#11638)
+* Images: Trigger NGINX build. (#11632)
+* bump testing runner (#11627)
+* remove modsecurity coreruleset test files from nginx image (#11620)
+* unskip the ocsp tests and update images to fix cfssl bug (#11616)
+* Fix indent in YAML for example pod (#11610)
+* Images: Bump `test-runner`. (#11605)
+* Images: Bump `NGINX_BASE` to v0.0.9. (#11602)
+* revert module upgrade (#11597)
+* Release: Apply changes from `main`. (#11589)
+* Mage: Stop mutating release notes. (#11581)
+* Images: Bump `kube-webhook-certgen`. (#11584)
+* update test runner to latest build (#11558)
+* add k8s 1.30 to ci build (#11554)
+* update test runner go base to 3.20 (#11552)
+* tag new test runner image with new nginx base 0.0.8 (#11551)
+* bump NGINX_BASE to v0.0.8 (#11544)
+* add ssl patches to nginx-1.25 image for coroutines to work in lua client hello and cert ssl blocks (#11535)
+* trigger build for NGINX-1.25 v0.0.8 (#11539)
+* bump alpine version to 3.20 to custom-error-pages (#11538)
+* fix: Ensure changes in MatchCN annotation are detected (#11529)
+
+### Dependency updates:
+
+* Bump github.com/prometheus/common from 0.54.0 to 0.55.0 (#11621)
+* Bump the all group with 5 updates (#11614)
+* Bump golang.org/x/crypto from 0.24.0 to 0.25.0 (#11580)
+* Bump google.golang.org/grpc from 1.64.0 to 1.65.0 (#11576)
+* Bump the all group with 4 updates (#11575)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.0...controller-v1.11.1
--- a/changelog/controller-1.11.2.md
+++ b/changelog/controller-1.11.2.md
@ -0,0 +1,54 @@
+# Changelog
+
+### controller-v1.11.2
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.2@sha256:21b55a2f0213a18b91612a8c0850167e00a8e34391fd595139a708f9c047e7a8
+
+### All changes:
+
+* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11812)
+* Images: Trigger controller build. (#11807)
+* Tests & Docs: Bump images. (#11805)
+* Images: Trigger failed builds. (#11802)
+* Images: Trigger other builds. (#11798)
+* Controller: Fix panic in alternative backend merging. (#11794)
+* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11792)
+* Images: Trigger `test-runner` build. (#11787)
+* Images: Bump `NGINX_BASE` to v0.0.12. (#11784)
+* Images: Trigger NGINX build. (#11781)
+* Cloud Build: Add missing config, remove unused ones. (#11777)
+* Generate correct output on NumCPU() when using cgroups2 (#11778)
+* Cloud Build: Tweak timeouts. (#11763)
+* Cloud Build: Fix substitutions. (#11760)
+* Cloud Build: Some chores. (#11757)
+* Go: Bump to v1.22.6. (#11749)
+* Images: Bump `NGINX_BASE` to v0.0.11. (#11743)
+* Images: Trigger NGINX build. (#11737)
+* docs: update OpenSSL Roadmap link (#11733)
+* Go: Bump to v1.22.5. (#11732)
+* Docs: Fix typo in AWS LB Controller reference (#11725)
+* Perform some cleaning operations on line breaks. (#11721)
+* Missing anchors in regular expression. (#11719)
+* Docs: Fix `from-to-www` redirect description. (#11716)
+* Chart: Remove `isControllerTagValid`. (#11713)
+* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11705)
+* Docs: Clarify `from-to-www` redirect direction. (#11693)
+* added real-client-ip faq (#11664)
+* Docs: Format NGINX configuration table. (#11662)
+* Docs: Update version in `deploy/index.md`. (#11652)
+
+### Dependency updates:
+
+* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11773)
+* Bump the all group with 2 updates (#11771)
+* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11769)
+* Bump the all group with 3 updates (#11728)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11701)
+* Bump the all group with 2 updates (#11698)
+* Bump the all group with 4 updates (#11677)
+* Bump the all group with 2 updates (#11675)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.1...controller-v1.11.2
--- a/changelog/controller-1.11.3.md
+++ b/changelog/controller-1.11.3.md
@ -0,0 +1,91 @@
+# Changelog
+
+### controller-v1.11.3
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:d56f135b6462cfc476447cfe564b83a45e8bb7da2774963b00d12161112270b7
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.3@sha256:22701f0fc0f2dd209ef782f4e281bfe2d8cccd50ededa00aec88e0cdbe7edd14
+
+### All changes:
+
+* Images: Trigger controller build. (#12134)
+* Tests & Docs: Bump `e2e-test-echo` to v1.0.1. (#12145)
+* Images: Trigger `e2e-test-echo` build. (#12141)
+* Images: Drop `s390x`. (#12138)
+* Images: Build `s390x` controller. (#12127)
+* Chart: Bump Kube Webhook CertGen. (#12123)
+* Tests & Docs: Bump images. (#12121)
+* Cloud Build: Bump `gcb-docker-gcloud` to v20240718-5ef92b5c36. (#12117)
+* Images: Trigger other builds. (#12112)
+* Tests: Bump `e2e-test-runner` to v20241004-114a6abb. (#12105)
+* Images: Trigger `test-runner` build. (#12102)
+* Docs: Add a multi-tenant warning. (#12099)
+* Go: Bump to v1.22.8. (#12094)
+* Images: Bump `NGINX_BASE` to v0.1.0. (#12080)
+* Images: Trigger NGINX build. (#12076)
+* Images: Remove NGINX v1.21. (#12058)
+* GitHub: Improve Dependabot. (#12038)
+* Chart: Improve CI. (#12030)
+* Chart: Extend image tests. (#12027)
+* Docs: Add health check annotations for AWS. (#12020)
+* Docs: Convert `opentelemetry.md` from CRLF to LF. (#12006)
+* Chart: Test `controller.minAvailable` & `controller.maxUnavailable`. (#12002)
+* Chart: Align default backend `PodDisruptionBudget`. (#11999)
+* Metrics: Fix namespace in `nginx_ingress_controller_ssl_expire_time_seconds`. (#11986)
+* Chart: Improve default backend service account. (#11974)
+* Go: Bump to v1.22.7. (#11970)
+* Images: Bump OpenTelemetry C++ Contrib. (#11951)
+* Docs: Add note about `--watch-namespace`. (#11949)
+* Images: Use latest Alpine 3.20 everywhere. (#11946)
+* Fix minor typos (#11941)
+* Chart: Implement `controller.admissionWebhooks.service.servicePort`. (#11934)
+* Tests: Bump `e2e-test-runner` to v20240829-2c421762. (#11921)
+* Images: Trigger `test-runner` build. (#11917)
+* Chart: Add tests for `PrometheusRule` & `ServiceMonitor`. (#11889)
+* Annotations: Allow commas in URLs. (#11887)
+* CI: Grant checks write permissions to E2E Test Report. (#11885)
+* Chart: Use generic values for `ConfigMap` test. (#11879)
+* Update maxmind post link about geolite2 license changes (#11881)
+* Go: Sync `go.work.sum`. (#11875)
+* Replace deprecated queue method (#11859)
+* Auto-generate annotation docs (#11831)
+
+### Dependency updates:
+
+* Bump the actions group with 3 updates (#12149)
+* Bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#12109)
+* Bump the actions group with 3 updates (#12097)
+* Bump sigs.k8s.io/mdtoc from 1.1.0 to 1.4.0 (#12089)
+* Bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#12087)
+* Bump google.golang.org/grpc from 1.67.0 to 1.67.1 in the go group across 1 directory (#12085)
+* Bump k8s.io/cli-runtime from 0.30.0 to 0.31.1 (#12083)
+* Bump github/codeql-action from 3.26.9 to 3.26.10 in the actions group (#12055)
+* Bump the go group across 1 directory with 3 updates (#12053)
+* Bump k8s.io/kube-aggregator from 0.29.3 to 0.31.1 in /images/kube-webhook-certgen/rootfs (#12049)
+* Bump k8s.io/apimachinery from 0.23.1 to 0.31.1 in /images/ext-auth-example-authsvc/rootfs (#12047)
+* Bump github.com/prometheus/client_golang from 1.11.1 to 1.20.4 in /images/custom-error-pages/rootfs (#12046)
+* Bump the all group with 2 updates (#12036)
+* Bump github/codeql-action from 3.26.7 to 3.26.8 in the all group (#12016)
+* Bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#12014)
+* Bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group (#12012)
+* Bump the all group with 2 updates (#11981)
+* Bump github/codeql-action from 3.26.6 to 3.26.7 in the all group (#11980)
+* Bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#11961)
+* Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (#11958)
+* Bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group (#11957)
+* Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#11930)
+* Bump the all group with 2 updates (#11925)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.20.2 in the all group (#11913)
+* Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#11910)
+* Bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#11909)
+* Bump github/codeql-action from 3.26.5 to 3.26.6 in the all group (#11908)
+* Bump the all group with 2 updates (#11871)
+* Bump github/codeql-action from 3.26.2 to 3.26.5 in the all group (#11868)
+* Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 (#11840)
+* Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.0 (#11839)
+* Bump dario.cat/mergo from 1.0.0 to 1.0.1 in the all group (#11837)
+* Bump k8s.io/component-base from 0.30.3 to 0.31.0 (#11836)
+* Bump github/codeql-action from 3.26.0 to 3.26.2 in the all group (#11834)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.2...controller-v1.11.3
--- a/changelog/controller-1.11.4.md
+++ b/changelog/controller-1.11.4.md
@ -0,0 +1,94 @@
+# Changelog
+
+### controller-v1.11.4
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.4@sha256:f29d0f9e7a9ef4947eda59ed0c09ec13380b13639d1518cf1ab8ec09c3e22ef8
+
+### All changes:
+
+* Images: Trigger controller build. (#12610)
+* Chart: Bump Kube Webhook CertGen. (#12607)
+* Tests & Docs: Bump images. (#12604)
+* Images: Trigger other builds (2/2). (#12600)
+* Images: Trigger other builds (1/2). (#12596)
+* Tests: Bump `e2e-test-runner` to v20241224-68ed4e7b. (#12591)
+* Images: Trigger `test-runner` build. (#12588)
+* Images: Bump `NGINX_BASE` to v0.2.0. (#12583)
+* Images: Trigger NGINX build. (#12577)
+* Go: Clean `go.work.sum`. (#12574)
+* Repository: Update owners. (#12569)
+* Images: Bump `gcb-docker-gcloud` to v20241217-ff46a068cd. (#12562)
+* CI: Update KIND images. (#12558)
+* Images: Bump Alpine to v3.21. (#12529)
+* Docs: Add guide on how to set a Maintenance Page. (#12526)
+* rikatz is stepping down (#12517)
+* rikatz is stepping down (#12495)
+* Go: Bump to v1.23.4. (#12484)
+* Plugin: Bump `goreleaser` to v2. (#12441)
+* GitHub: Fix `exec` in issue template. (#12388)
+* CI: Update KIND images. (#12365)
+* Images: Bump `gcb-docker-gcloud` to v20241110-72bb0b1665. (#12343)
+* Go: Bump to v1.23.3. (#12338)
+* Auth TLS: Add `_` to redirect RegEx. (#12327)
+* Auth TLS: Improve redirect RegEx. (#12322)
+* Update custom headers annotation documentation (#12319)
+* Tests: Bump `e2e-test-runner` to v20241104-02a3933e. (#12313)
+* Images: Trigger `test-runner` build. (#12306)
+* Config: Fix panic on invalid `lua-shared-dict`. (#12284)
+* Docs: fix limit-rate-after references (#12279)
+* Chart: Rework ServiceMonitor. (#12270)
+* Chart: Add ServiceAccount tests. (#12264)
+* CI: Fix chart testing. (#12259)
+* [fix] fix nginx temp configs cleanup (#12223)
+* Chart: Suggest `matchLabelKeys` in Topology Spread Constraints. (#12203)
+* Docs: Add Pod Security Admission. (#12197)
+* Docs: Clarify external & service port in TCP/UDP services explanation. (#12193)
+* Docs: Goodbye, v1.10. (#12159)
+
+### Dependency updates:
+
+* Bump k8s.io/apiextensions-apiserver from 0.31.3 to 0.32.0 (#12567)
+* Bump github.com/onsi/ginkgo/v2 from 2.22.0 to 2.22.1 (#12556)
+* Bump k8s.io/code-generator from 0.31.3 to 0.32.0 (#12551)
+* Bump k8s.io/cli-runtime from 0.31.3 to 0.32.0 (#12548)
+* Bump k8s.io/apiserver from 0.31.3 to 0.32.0 (#12545)
+* Bump the actions group with 2 updates (#12542)
+* Bump google.golang.org/grpc from 1.68.1 to 1.69.2 (#12539)
+* Bump k8s.io/client-go from 0.31.3 to 0.32.0 (#12513)
+* Bump github.com/opencontainers/runc from 1.2.2 to 1.2.3 in the go group across 1 directory (#12510)
+* Bump the actions group with 3 updates (#12507)
+* Bump k8s.io/kube-aggregator from 0.31.3 to 0.32.0 in /images/kube-webhook-certgen/rootfs (#12503)
+* Bump k8s.io/apimachinery from 0.31.3 to 0.32.0 in /images/ext-auth-example-authsvc/rootfs (#12500)
+* Bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#12477)
+* Bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /magefiles (#12475)
+* Bump github.com/prometheus/common from 0.60.1 to 0.61.0 (#12465)
+* Bump github/codeql-action from 3.27.5 to 3.27.6 in the actions group (#12462)
+* Bump the go group across 1 directory with 2 updates (#12458)
+* Bump github.com/onsi/ginkgo/v2 from 2.21.0 to 2.22.0 (#12427)
+* Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#12417)
+* Bump the go group across 3 directories with 10 updates (#12415)
+* Bump the actions group with 3 updates (#12411)
+* Bump github.com/opencontainers/runc from 1.2.1 to 1.2.2 in the go group across 1 directory (#12381)
+* Bump github/codeql-action from 3.27.1 to 3.27.4 in the actions group (#12374)
+* Bump golangci-lint on actions and disable deprecated linters (#12362)
+* Bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#12355)
+* Bump the actions group with 3 updates (#12352)
+* Bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#12350)
+* Bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 (#12298)
+* Bump github.com/opencontainers/runc from 1.2.0 to 1.2.1 in the go group across 1 directory (#12295)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.2 to 2.21.0 (#12289)
+* Bump actions/dependency-review-action from 4.3.5 to 4.4.0 in the actions group (#12274)
+* Bump the go group across 3 directories with 11 updates (#12245)
+* Bump github.com/opencontainers/runc from 1.1.15 to 1.2.0 (#12239)
+* Bump the actions group with 5 updates (#12240)
+* Bump github.com/ncabatoff/process-exporter from 0.8.3 to 0.8.4 in the go group across 1 directory (#12220)
+* Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 in the actions group (#12216)
+* Bump github/codeql-action from 3.26.12 to 3.26.13 in the actions group (#12190)
+* Bump the go group across 2 directories with 1 update (#12187)
+* Bump the actions group with 2 updates (#12181)
+* Bump github.com/opencontainers/runc from 1.1.14 to 1.1.15 in the go group across 1 directory (#12179)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.3...controller-v1.11.4
--- a/changelog/controller-1.12.0-beta.0.md
+++ b/changelog/controller-1.12.0-beta.0.md
@ -0,0 +1,216 @@
+# Changelog
+
+### controller-v1.12.0-beta.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.12.0-beta.0@sha256:9724476b928967173d501040631b23ba07f47073999e80e34b120e8db5f234d5
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.12.0-beta.0@sha256:6e2f8f52e1f2571ff65bc4fc4826d5282d5def5835ec4ab433dcb8e659b2fbac
+
+### All changes:
+
+* Images: Trigger controller build. (#12154)
+* ⚠️ Metrics: Disable by default. (#12153) ⚠️
+
+  This changes the default of the following CLI arguments:
+
+  * `--enable-metrics` gets disabled by default.
+
+* Tests & Docs: Bump `e2e-test-echo` to v1.0.1. (#12147)
+* Images: Trigger `e2e-test-echo` build. (#12140)
+* ⚠️ Images: Drop `s390x`. (#12137) ⚠️
+
+  Support for the `s390x` architecture has already been removed from the controller image. This also removes it from the NGINX base image and CI relevant images.
+
+* Images: Build `s390x` controller. (#12126)
+* Chart: Bump Kube Webhook CertGen. (#12119)
+* Tests & Docs: Bump images. (#12118)
+* Cloud Build: Bump `gcb-docker-gcloud` to v20240718-5ef92b5c36. (#12113)
+* Images: Trigger other builds. (#12110)
+* Tests: Bump `e2e-test-runner` to v20241004-114a6abb. (#12103)
+* Images: Trigger `test-runner` build. (#12100)
+* Docs: Add a multi-tenant warning. (#12091)
+* Go: Bump to v1.22.8. (#12069)
+* Images: Bump `NGINX_BASE` to v1.0.0. (#12066)
+* Images: Trigger NGINX build. (#12063)
+* Images: Remove NGINX v1.21. (#12031)
+* Chart: Add `controller.metrics.service.enabled`. (#12056)
+* GitHub: Improve Dependabot. (#12033)
+* Chart: Add `global.image.registry`. (#12028)
+* ⚠️ Images: Remove OpenTelemetry. (#12024) ⚠️
+
+  OpenTelemetry is still supported, but since the module is built into the controller image since v1.10, we hereby remove the init container and image which were used to install it upon controller startup.
+
+* Chart: Improve CI. (#12003)
+* Chart: Extend image tests. (#12025)
+* Chart: Add `controller.progressDeadlineSeconds`. (#12017)
+* Docs: Add health check annotations for AWS. (#12018)
+* Docs: Convert `opentelemetry.md` from CRLF to LF. (#12005)
+* Chart: Implement `unhealthyPodEvictionPolicy`. (#11992)
+* Chart: Add `defaultBackend.maxUnavailable`. (#11995)
+* Chart: Test `controller.minAvailable` & `controller.maxUnavailable`. (#12000)
+* Chart: Align default backend `PodDisruptionBudget`. (#11993)
+* Metrics: Fix namespace in `nginx_ingress_controller_ssl_expire_time_seconds`. (#10274)
+* ⚠️ Chart: Remove Pod Security Policy. (#11971) ⚠️
+
+  This removes Pod Security Policies and related resources from the chart.
+
+* Chart: Improve default backend service account. (#11972)
+* Go: Bump to v1.22.7. (#11943)
+* NGINX: Remove inline Lua from template. (#11806)
+* Images: Bump OpenTelemetry C++ Contrib. (#11629)
+* Docs: Add note about `--watch-namespace`. (#11947)
+* Images: Use latest Alpine 3.20 everywhere. (#11944)
+* Fix minor typos (#11935)
+* Chart: Implement `controller.admissionWebhooks.service.servicePort`. (#11931)
+* Allow any protocol for cors origins (#11153)
+* Tests: Bump `e2e-test-runner` to v20240829-2c421762. (#11919)
+* Images: Trigger `test-runner` build. (#11916)
+* Chart: Add `controller.metrics.prometheusRule.annotations`. (#11849)
+* Chart: Add tests for `PrometheusRule` & `ServiceMonitor`. (#11883)
+* Annotations: Allow commas in URLs. (#11882)
+* CI: Grant checks write permissions to E2E Test Report. (#11862)
+* Chart: Use generic values for `ConfigMap` test. (#11877)
+* Security: Follow-up on recent changes. (#11874)
+* Lua: Remove plugins from `.luacheckrc` & E2E docs. (#11872)
+* Dashboard: Remove `ingress_upstream_latency_seconds`. (#11878)
+* Metrics: Add `--metrics-per-undefined-host` argument. (#11818)
+* Update maxmind post link about geolite2 license changes (#11861)
+* ⚠️ Remove global-rate-limit feature (#11851) ⚠️
+
+  This removes the following configuration options:
+
+  * `global-rate-limit-memcached-host`
+  * `global-rate-limit-memcached-port`
+  * `global-rate-limit-memcached-connect-timeout`
+  * `global-rate-limit-memcached-max-idle-timeout`
+  * `global-rate-limit-memcached-pool-size`
+  * `global-rate-limit-status-code`
+
+  It also removes the following annotations:
+
+  * `global-rate-limit`
+  * `global-rate-limit-window`
+  * `global-rate-limit-key`
+  * `global-rate-limit-ignored-cidrs`
+
+* Revert "docs: Add deployment for AWS NLB Proxy." (#11857)
+* Add custom code handling for temporal redirect (#10651)
+* Add native histogram support for histogram metrics (#9971)
+* Replace deprecated queue method (#11853)
+* ⚠️ Enable security features by default (#11819) ⚠️
+
+  This changes the default of the following CLI arguments:
+
+  * `--enable-annotation-validation` gets enabled by default.
+
+  It also changes the default of the following configuration options:
+
+  * `allow-cross-namespace-resources` gets disabled by default.
+  * `annotations-risk-level` gets lowered to "High" by default.
+  * `strict-validate-path-type` gets enabled by default.
+
+* docs: Add deployment for AWS NLB Proxy. (#9565)
+* ⚠️ Remove 3rd party lua plugin support (#11821) ⚠️
+
+  This removes the following configuration options:
+
+  * `plugins`
+
+  It also removes support for user provided Lua plugins in the `/etc/nginx/lua/plugins` directory.
+
+* Auto-generate annotation docs (#11820)
+* ⚠️ Metrics: Remove `ingress_upstream_latency_seconds`. (#11795) ⚠️
+
+  This metric has already been deprecated and is now getting removed.
+
+* Release controller v1.11.2/v1.10.4 & chart v4.11.2/v4.10.4. (#11816)
+* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11809)
+* Tests & Docs: Bump images. (#11803)
+* Images: Trigger failed builds. (#11800)
+* Images: Trigger other builds. (#11796)
+* Controller: Fix panic in alternative backend merging. (#11789)
+* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11788)
+* Images: Trigger `test-runner` build. (#11785)
+* Images: Bump `NGINX_BASE` to v0.0.12. (#11782)
+* Images: Trigger NGINX build. (#11779)
+* Cloud Build: Add missing config, remove unused ones. (#11774)
+* Cloud Build: Tweak timeouts. (#11761)
+* Cloud Build: Fix substitutions. (#11758)
+* Cloud Build: Some chores. (#11633)
+* Go: Bump to v1.22.6. (#11747)
+* Images: Bump `NGINX_BASE` to v0.0.11. (#11741)
+* Images: Trigger NGINX build. (#11735)
+* docs: update OpenSSL Roadmap link (#11730)
+* Go: Bump to v1.22.5. (#11634)
+* Docs: Fix typo in AWS LB Controller reference (#11723)
+* Perform some cleaning operations on line breaks. (#11720)
+* Missing anchors in regular expression. (#11717)
+* Docs: Fix `from-to-www` redirect description. (#11712)
+* Chart: Remove `isControllerTagValid`. (#11710)
+* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11702)
+* Chart: Explicitly set `runAsGroup`. (#11679)
+* Docs: Clarify `from-to-www` redirect direction. (#11682)
+* added real-client-ip faq (#11663)
+* Docs: Format NGINX configuration table. (#11659)
+* Release controller v1.11.1/v1.10.3 & chart v4.11.1/v4.10.3. (#11654)
+* Tests: Bump `test-runner` to v20240717-1fe74b5f. (#11645)
+* Images: Trigger `test-runner` build. (#11636)
+* Images: Bump `NGINX_BASE` to v0.0.10. (#11635)
+* remove modsecurity coreruleset test files from nginx image (#11617)
+* unskip the ocsp tests and update images to fix cfssl bug (#11606)
+* Fix indent in YAML for example pod (#11598)
+* Images: Bump `test-runner`. (#11600)
+* Images: Bump `NGINX_BASE` to v0.0.9. (#11599)
+* revert module upgrade (#11594)
+* README: Fix support matrix. (#11586)
+* Repository: Add changelogs from `release-v1.10`. (#11587)
+
+### Dependency updates:
+
+* Bump the actions group with 3 updates (#12152)
+* Bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#12107)
+* Bump the actions group with 3 updates (#12092)
+* Bump sigs.k8s.io/mdtoc from 1.1.0 to 1.4.0 (#12062)
+* Bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#12060)
+* Bump google.golang.org/grpc from 1.67.0 to 1.67.1 in the go group across 1 directory (#12059)
+* Bump k8s.io/cli-runtime from 0.30.0 to 0.31.1 (#12061)
+* Bump github/codeql-action from 3.26.9 to 3.26.10 in the actions group (#12051)
+* Bump the go group across 1 directory with 3 updates (#12050)
+* Bump k8s.io/kube-aggregator from 0.29.3 to 0.31.1 in /images/kube-webhook-certgen/rootfs (#12043)
+* Bump k8s.io/apimachinery from 0.23.1 to 0.31.1 in /images/ext-auth-example-authsvc/rootfs (#12041)
+* Bump github.com/prometheus/client_golang from 1.11.1 to 1.20.4 in /images/custom-error-pages/rootfs (#12040)
+* Bump the all group with 2 updates (#12032)
+* Bump github/codeql-action from 3.26.7 to 3.26.8 in the all group (#12010)
+* Bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#12009)
+* Bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group (#12008)
+* Bump the all group with 2 updates (#11977)
+* Bump github/codeql-action from 3.26.6 to 3.26.7 in the all group (#11976)
+* Bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#11954)
+* Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (#11955)
+* Bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group (#11953)
+* Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#11928)
+* Bump the all group with 2 updates (#11922)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.20.2 in the all group (#11901)
+* Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#11902)
+* Bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#11903)
+* Bump github/codeql-action from 3.26.5 to 3.26.6 in the all group (#11904)
+* Bump the all group with 2 updates (#11865)
+* Bump github/codeql-action from 3.26.2 to 3.26.5 in the all group (#11867)
+* Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 (#11832)
+* Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.0 (#11823)
+* Bump dario.cat/mergo from 1.0.0 to 1.0.1 in the all group (#11822)
+* Bump k8s.io/component-base from 0.30.3 to 0.31.0 (#11825)
+* Bump github/codeql-action from 3.26.0 to 3.26.2 in the all group (#11826)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11766)
+* Bump the all group with 2 updates (#11767)
+* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11765)
+* Bump the all group with 3 updates (#11727)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11696)
+* Bump the all group with 2 updates (#11695)
+* Bump the all group with 4 updates (#11673)
+* Bump the all group with 2 updates (#11672)
+* Bump github.com/prometheus/common from 0.54.0 to 0.55.0 (#11522)
+* Bump the all group with 5 updates (#11611)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.0...controller-v1.12.0-beta.0
--- a/changelog/controller-1.12.0.md
+++ b/changelog/controller-1.12.0.md
@ -0,0 +1,294 @@
+# Changelog
+
+### controller-v1.12.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.12.0@sha256:87c88e1c38a6c8d4483c8f70b69e2cca49853bb3ec3124b9b1be648edf139af3
+
+### All changes:
+
+* Images: Trigger controller build. (#12609)
+* Chart: Bump Kube Webhook CertGen. (#12606)
+* Tests & Docs: Bump images. (#12603)
+* Images: Trigger other builds (2/2). (#12599)
+* Images: Trigger other builds (1/2). (#12595)
+* Tests: Bump `e2e-test-runner` to v20241224-68ed4e7b. (#12590)
+* Images: Trigger `test-runner` build. (#12587)
+* Images: Bump `NGINX_BASE` to v1.1.0. (#12582)
+* Images: Trigger NGINX build. (#12579)
+* Go: Clean `go.work.sum`. (#12573)
+* Repository: Update owners. (#12568)
+* Images: Bump `gcb-docker-gcloud` to v20241217-ff46a068cd. (#12561)
+* CI: Update KIND images. (#12560)
+* Images: Bump Alpine to v3.21. (#12528)
+* Docs: Add guide on how to set a Maintenance Page. (#12525)
+* rikatz is stepping down (#12516)
+* rikatz is stepping down (#12494)
+* Go: Bump to v1.23.4. (#12483)
+* Plugin: Bump `goreleaser` to v2. (#12440)
+* GitHub: Fix `exec` in issue template. (#12387)
+* CI: Update KIND images. (#12367)
+* Images: Bump `gcb-docker-gcloud` to v20241110-72bb0b1665. (#12342)
+* Go: Bump to v1.23.3. (#12337)
+* Auth TLS: Add `_` to redirect RegEx. (#12326)
+* Auth TLS: Improve redirect RegEx. (#12323)
+* Update custom headers annotation documentation (#12318)
+* Tests: Bump `e2e-test-runner` to v20241104-02a3933e. (#12312)
+* Docs: Add CPU usage note for `--metrics-per-undefined-host`. (#12310)
+* Images: Trigger `test-runner` build. (#12308)
+* Config: Fix panic on invalid `lua-shared-dict`. (#12283)
+* Docs: fix limit-rate-after references (#12278)
+* Chart: Rework ServiceMonitor. (#12269)
+* Chart: Add ServiceAccount tests. (#12263)
+* CI: Fix chart testing. (#12258)
+* [fix] fix nginx temp configs cleanup (#12225)
+* Chart: Suggest `matchLabelKeys` in Topology Spread Constraints. (#12202)
+* Docs: Add Pod Security Admission. (#12195)
+* Docs: Clarify external & service port in TCP/UDP services explanation. (#12192)
+* Images: Trigger controller build. (#12154)
+* ⚠️ Metrics: Disable by default. (#12153) ⚠️
+
+  This changes the default of the following CLI arguments:
+
+  * `--enable-metrics` gets disabled by default.
+
+* Tests & Docs: Bump `e2e-test-echo` to v1.0.1. (#12147)
+* Images: Trigger `e2e-test-echo` build. (#12140)
+* ⚠️ Images: Drop `s390x`. (#12137) ⚠️
+
+  Support for the `s390x` architecture has already been removed from the controller image. This also removes it from the NGINX base image and CI relevant images.
+
+* Images: Build `s390x` controller. (#12126)
+* Chart: Bump Kube Webhook CertGen. (#12119)
+* Tests & Docs: Bump images. (#12118)
+* Cloud Build: Bump `gcb-docker-gcloud` to v20240718-5ef92b5c36. (#12113)
+* Images: Trigger other builds. (#12110)
+* Tests: Bump `e2e-test-runner` to v20241004-114a6abb. (#12103)
+* Images: Trigger `test-runner` build. (#12100)
+* Docs: Add a multi-tenant warning. (#12091)
+* Go: Bump to v1.22.8. (#12069)
+* Images: Bump `NGINX_BASE` to v1.0.0. (#12066)
+* Images: Trigger NGINX build. (#12063)
+* Images: Remove NGINX v1.21. (#12031)
+* Chart: Add `controller.metrics.service.enabled`. (#12056)
+* GitHub: Improve Dependabot. (#12033)
+* Chart: Add `global.image.registry`. (#12028)
+* ⚠️ Images: Remove OpenTelemetry. (#12024) ⚠️
+
+  OpenTelemetry is still supported, but since the module is built into the controller image since v1.10, we hereby remove the init container and image which were used to install it upon controller startup.
+
+* Chart: Improve CI. (#12003)
+* Chart: Extend image tests. (#12025)
+* Chart: Add `controller.progressDeadlineSeconds`. (#12017)
+* Docs: Add health check annotations for AWS. (#12018)
+* Docs: Convert `opentelemetry.md` from CRLF to LF. (#12005)
+* Chart: Implement `unhealthyPodEvictionPolicy`. (#11992)
+* Chart: Add `defaultBackend.maxUnavailable`. (#11995)
+* Chart: Test `controller.minAvailable` & `controller.maxUnavailable`. (#12000)
+* Chart: Align default backend `PodDisruptionBudget`. (#11993)
+* Metrics: Fix namespace in `nginx_ingress_controller_ssl_expire_time_seconds`. (#10274)
+* ⚠️ Chart: Remove Pod Security Policy. (#11971) ⚠️
+
+  This removes Pod Security Policies and related resources from the chart.
+
+* Chart: Improve default backend service account. (#11972)
+* Go: Bump to v1.22.7. (#11943)
+* NGINX: Remove inline Lua from template. (#11806)
+* Images: Bump OpenTelemetry C++ Contrib. (#11629)
+* Docs: Add note about `--watch-namespace`. (#11947)
+* Images: Use latest Alpine 3.20 everywhere. (#11944)
+* Fix minor typos (#11935)
+* Chart: Implement `controller.admissionWebhooks.service.servicePort`. (#11931)
+* Allow any protocol for cors origins (#11153)
+* Tests: Bump `e2e-test-runner` to v20240829-2c421762. (#11919)
+* Images: Trigger `test-runner` build. (#11916)
+* Chart: Add `controller.metrics.prometheusRule.annotations`. (#11849)
+* Chart: Add tests for `PrometheusRule` & `ServiceMonitor`. (#11883)
+* Annotations: Allow commas in URLs. (#11882)
+* CI: Grant checks write permissions to E2E Test Report. (#11862)
+* Chart: Use generic values for `ConfigMap` test. (#11877)
+* Security: Follow-up on recent changes. (#11874)
+* Lua: Remove plugins from `.luacheckrc` & E2E docs. (#11872)
+* Dashboard: Remove `ingress_upstream_latency_seconds`. (#11878)
+* Metrics: Add `--metrics-per-undefined-host` argument. (#11818)
+* Update maxmind post link about geolite2 license changes (#11861)
+* ⚠️ Remove global-rate-limit feature (#11851) ⚠️
+
+  This removes the following configuration options:
+
+  * `global-rate-limit-memcached-host`
+  * `global-rate-limit-memcached-port`
+  * `global-rate-limit-memcached-connect-timeout`
+  * `global-rate-limit-memcached-max-idle-timeout`
+  * `global-rate-limit-memcached-pool-size`
+  * `global-rate-limit-status-code`
+
+  It also removes the following annotations:
+
+  * `global-rate-limit`
+  * `global-rate-limit-window`
+  * `global-rate-limit-key`
+  * `global-rate-limit-ignored-cidrs`
+
+* Revert "docs: Add deployment for AWS NLB Proxy." (#11857)
+* Add custom code handling for temporal redirect (#10651)
+* Add native histogram support for histogram metrics (#9971)
+* Replace deprecated queue method (#11853)
+* ⚠️ Enable security features by default (#11819) ⚠️
+
+  This changes the default of the following CLI arguments:
+
+  * `--enable-annotation-validation` gets enabled by default.
+
+  It also changes the default of the following configuration options:
+
+  * `allow-cross-namespace-resources` gets disabled by default.
+  * `annotations-risk-level` gets lowered to "High" by default.
+  * `strict-validate-path-type` gets enabled by default.
+
+* docs: Add deployment for AWS NLB Proxy. (#9565)
+* ⚠️ Remove 3rd party lua plugin support (#11821) ⚠️
+
+  This removes the following configuration options:
+
+  * `plugins`
+
+  It also removes support for user provided Lua plugins in the `/etc/nginx/lua/plugins` directory.
+
+* Auto-generate annotation docs (#11820)
+* ⚠️ Metrics: Remove `ingress_upstream_latency_seconds`. (#11795) ⚠️
+
+  This metric has already been deprecated and is now getting removed.
+
+* Release controller v1.11.2/v1.10.4 & chart v4.11.2/v4.10.4. (#11816)
+* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11809)
+* Tests & Docs: Bump images. (#11803)
+* Images: Trigger failed builds. (#11800)
+* Images: Trigger other builds. (#11796)
+* Controller: Fix panic in alternative backend merging. (#11789)
+* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11788)
+* Images: Trigger `test-runner` build. (#11785)
+* Images: Bump `NGINX_BASE` to v0.0.12. (#11782)
+* Images: Trigger NGINX build. (#11779)
+* Cloud Build: Add missing config, remove unused ones. (#11774)
+* Cloud Build: Tweak timeouts. (#11761)
+* Cloud Build: Fix substitutions. (#11758)
+* Cloud Build: Some chores. (#11633)
+* Go: Bump to v1.22.6. (#11747)
+* Images: Bump `NGINX_BASE` to v0.0.11. (#11741)
+* Images: Trigger NGINX build. (#11735)
+* docs: update OpenSSL Roadmap link (#11730)
+* Go: Bump to v1.22.5. (#11634)
+* Docs: Fix typo in AWS LB Controller reference (#11723)
+* Perform some cleaning operations on line breaks. (#11720)
+* Missing anchors in regular expression. (#11717)
+* Docs: Fix `from-to-www` redirect description. (#11712)
+* Chart: Remove `isControllerTagValid`. (#11710)
+* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11702)
+* Chart: Explicitly set `runAsGroup`. (#11679)
+* Docs: Clarify `from-to-www` redirect direction. (#11682)
+* added real-client-ip faq (#11663)
+* Docs: Format NGINX configuration table. (#11659)
+* Release controller v1.11.1/v1.10.3 & chart v4.11.1/v4.10.3. (#11654)
+* Tests: Bump `test-runner` to v20240717-1fe74b5f. (#11645)
+* Images: Trigger `test-runner` build. (#11636)
+* Images: Bump `NGINX_BASE` to v0.0.10. (#11635)
+* remove modsecurity coreruleset test files from nginx image (#11617)
+* unskip the ocsp tests and update images to fix cfssl bug (#11606)
+* Fix indent in YAML for example pod (#11598)
+* Images: Bump `test-runner`. (#11600)
+* Images: Bump `NGINX_BASE` to v0.0.9. (#11599)
+* revert module upgrade (#11594)
+* README: Fix support matrix. (#11586)
+* Repository: Add changelogs from `release-v1.10`. (#11587)
+
+### Dependency updates:
+
+* Bump k8s.io/apiextensions-apiserver from 0.31.3 to 0.32.0 (#12566)
+* Bump github.com/onsi/ginkgo/v2 from 2.22.0 to 2.22.1 (#12555)
+* Bump k8s.io/code-generator from 0.31.3 to 0.32.0 (#12550)
+* Bump k8s.io/cli-runtime from 0.31.3 to 0.32.0 (#12547)
+* Bump k8s.io/apiserver from 0.31.3 to 0.32.0 (#12544)
+* Bump the actions group with 2 updates (#12541)
+* Bump google.golang.org/grpc from 1.68.1 to 1.69.2 (#12538)
+* Bump k8s.io/client-go from 0.31.3 to 0.32.0 (#12512)
+* Bump github.com/opencontainers/runc from 1.2.2 to 1.2.3 in the go group across 1 directory (#12509)
+* Bump the actions group with 3 updates (#12506)
+* Bump k8s.io/kube-aggregator from 0.31.3 to 0.32.0 in /images/kube-webhook-certgen/rootfs (#12505)
+* Bump k8s.io/apimachinery from 0.31.3 to 0.32.0 in /images/ext-auth-example-authsvc/rootfs (#12502)
+* Bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#12476)
+* Bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /magefiles (#12472)
+* Bump github.com/prometheus/common from 0.60.1 to 0.61.0 (#12464)
+* Bump github/codeql-action from 3.27.5 to 3.27.6 in the actions group (#12461)
+* Bump the go group across 1 directory with 2 updates (#12460)
+* Bump github.com/onsi/ginkgo/v2 from 2.21.0 to 2.22.0 (#12426)
+* Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#12418)
+* Bump the go group across 3 directories with 10 updates (#12413)
+* Bump the actions group with 3 updates (#12412)
+* Bump github.com/opencontainers/runc from 1.2.1 to 1.2.2 in the go group across 1 directory (#12380)
+* Bump github/codeql-action from 3.27.1 to 3.27.4 in the actions group (#12373)
+* Bump golangci-lint on actions and disable deprecated linters (#12361)
+* Bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#12357)
+* Bump the actions group with 3 updates (#12354)
+* Bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#12349)
+* Bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 (#12299)
+* Bump github.com/opencontainers/runc from 1.2.0 to 1.2.1 in the go group across 1 directory (#12296)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.2 to 2.21.0 (#12288)
+* Bump actions/dependency-review-action from 4.3.5 to 4.4.0 in the actions group (#12273)
+* Bump the go group across 3 directories with 11 updates (#12244)
+* Bump github.com/opencontainers/runc from 1.1.15 to 1.2.0 (#12242)
+* Bump the actions group with 5 updates (#12236)
+* Bump github.com/ncabatoff/process-exporter from 0.8.3 to 0.8.4 in the go group across 1 directory (#12218)
+* Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 in the actions group (#12217)
+* Bump github/codeql-action from 3.26.12 to 3.26.13 in the actions group (#12188)
+* Bump the go group across 2 directories with 1 update (#12186)
+* Bump the actions group with 2 updates (#12180)
+* Bump github.com/opencontainers/runc from 1.1.14 to 1.1.15 in the go group across 1 directory (#12178)
+* Bump the actions group with 3 updates (#12152)
+* Bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#12107)
+* Bump the actions group with 3 updates (#12092)
+* Bump sigs.k8s.io/mdtoc from 1.1.0 to 1.4.0 (#12062)
+* Bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#12060)
+* Bump google.golang.org/grpc from 1.67.0 to 1.67.1 in the go group across 1 directory (#12059)
+* Bump k8s.io/cli-runtime from 0.30.0 to 0.31.1 (#12061)
+* Bump github/codeql-action from 3.26.9 to 3.26.10 in the actions group (#12051)
+* Bump the go group across 1 directory with 3 updates (#12050)
+* Bump k8s.io/kube-aggregator from 0.29.3 to 0.31.1 in /images/kube-webhook-certgen/rootfs (#12043)
+* Bump k8s.io/apimachinery from 0.23.1 to 0.31.1 in /images/ext-auth-example-authsvc/rootfs (#12041)
+* Bump github.com/prometheus/client_golang from 1.11.1 to 1.20.4 in /images/custom-error-pages/rootfs (#12040)
+* Bump the all group with 2 updates (#12032)
+* Bump github/codeql-action from 3.26.7 to 3.26.8 in the all group (#12010)
+* Bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#12009)
+* Bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group (#12008)
+* Bump the all group with 2 updates (#11977)
+* Bump github/codeql-action from 3.26.6 to 3.26.7 in the all group (#11976)
+* Bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#11954)
+* Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (#11955)
+* Bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group (#11953)
+* Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#11928)
+* Bump the all group with 2 updates (#11922)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.20.2 in the all group (#11901)
+* Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#11902)
+* Bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#11903)
+* Bump github/codeql-action from 3.26.5 to 3.26.6 in the all group (#11904)
+* Bump the all group with 2 updates (#11865)
+* Bump github/codeql-action from 3.26.2 to 3.26.5 in the all group (#11867)
+* Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 (#11832)
+* Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.0 (#11823)
+* Bump dario.cat/mergo from 1.0.0 to 1.0.1 in the all group (#11822)
+* Bump k8s.io/component-base from 0.30.3 to 0.31.0 (#11825)
+* Bump github/codeql-action from 3.26.0 to 3.26.2 in the all group (#11826)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11766)
+* Bump the all group with 2 updates (#11767)
+* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11765)
+* Bump the all group with 3 updates (#11727)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11696)
+* Bump the all group with 2 updates (#11695)
+* Bump the all group with 4 updates (#11673)
+* Bump the all group with 2 updates (#11672)
+* Bump github.com/prometheus/common from 0.54.0 to 0.55.0 (#11522)
+* Bump the all group with 5 updates (#11611)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.0...controller-v1.12.0
--- a/changelog/controller-1.6.4.md
+++ b/changelog/controller-1.6.4.md
@ -0,0 +1,138 @@
+# Changelog
+
+### 1.6.4
+
+Images:
+
+* registry.k8s.io/controller:controller-v1.6.4@sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f
+* registry.k8s.io/controller-chroot:controller-v1.6.4@sha256:0de01e2c316c3ca7847ca13b32d077af7910d07f21a4a82f81061839764f8f81
+
+### All changes:
+
+* remove tests and regex path checks (#9626)
+* Fix incorrect annotation name in upstream hashing configuration (#9617)
+* Release docs for Controller v1.6.3 and Helm v4.5.0 (#9614)
+* Revert Implement pathType validation (#9511) (#9607)
+* update history and allow to pass a target test  (#9605)
+* Allow to pass a target test (#9542)
+* Replace deprecated command with environment file (#9581)
+* build 1.6.2 to fix (#9569)
+* add lint on chart before release (#9570)
+* tcpproxy: increase buffer size to 16K (#9548)
+* Move and spell-check Kubernetes 1.22 migration FAQ (#9544)
+* Add CORS template check inside location for externalAuth.SignURL (#8814)
+* fix(grafana-dashboard): remove hardcoded namespace references (#9523)
+* Replace deprecated command with environment file (#9581)
+* add lint on chart before release (#9570)
+* Switch logic on path type validation and setting it to false (#9543)
+* tcpproxy: increase buffer size to 16K (#9548)
+* Move and spell-check Kubernetes 1.22 migration FAQ (#9544)
+* Add CORS template check inside location for externalAuth.SignURL (#8814)
+* fix(grafana-dashboard): remove hardcoded namespace references (#9523)
+* Align default value for keepalive_request with NGINX default (#9518)
+* feat(configmap): expose gzip-disable (#9505)
+* Values: Add missing `controller.metrics.service.labels`. (#9501)
+* Add docs about orphan_ingress metric (#9514)
+* Add new prometheus metric for orphaned ingress (#8230)
+* Sanitise request metrics in monitoring docs (#9384)
+* Change default value of enable-brotli (#9500)
+* feat: support topology aware hints (#9165)
+* Remove 1.5.2 from readme (#9498)
+* Remove nonexistent load flag from docker build commands (#9122)
+* added option to disable sync event creation (#8528)
+* Add buildResolvers to the stream module (#9184)
+* fix: disable auth access logs (#9049)
+* Adding ipdenylist annotation (#8795)
+* Add update updateStrategy and minReadySeconds for defaultBackend (#8506)
+* Fix indentation on serviceAccount annotation (#9129)
+* Update monitoring.md (#9269)
+* add github actions stale bot (#9439)
+* Admission Webhooks/Job: Add `NetworkPolicy`. (#9218)
+* update OpenTelemetry image (#9491)
+* bump OpenTelemetry (#9489)
+* Optional podman support (#9294)
+* fix change images (#9463)
+* move tests to gh actions (#9461)
+* Automated Release Controller 1.5.2 (#9455)
+* Add sslpassthrough tests (#9457)
+* updated the link in RELEASE.md file (#9456)
+* restart 1.5.2 release process (#9450)
+* Update command line arguments documentation (#9224)
+* start release 1.5.2 (#9445)
+* upgrade nginx base image (#9436)
+* test the new e2e test images (#9444)
+* avoid builds and tests for non-code changes (#9392)
+* CI updates (#9440)
+* HPA: Add `controller.autoscaling.annotations` to `values.yaml`. (#9253)
+* update the nginx run container for alpine:3.17.0 (#9430)
+* cleanup: remove ioutil for new go version (#9427)
+* start upgrade to golang 1.19.4 and alpine 3.17.0 (#9417)
+* ci: remove setup-helm step (#9404)
+* ci: remove setup-kind step (#9401)
+* Add reporter for all tests (#9395)
+* added action for issues to project (#9386)
+* doc: update NEW_CONTRIBUTOR.md (#9381)
+* feat(helm): Optionally use cert-manager instead admission patch (#9279)
+* integrated junit-reports with ghactions (#9361)
+* [user-guide configmap] fix doc for global-auth-snippet (#9372)
+* update OpenTelemetry image (#9308)
+* fix: missing CORS headers when auth fails (#9251)
+* Fix styling in canary annotation docs. (#9259)
+* resolved ginkgo deprecation message (#9365)
+* Enable profiler-address to be configured (#9311)
+* ModSecurity dependencies update to avoid Memory Leaks (#9330)
+* fix(hpa): deprecated api version, bump to v2 (#9348)
+* fix(typo): pluralize provider (#9346)
+* removed deprecation message for ingressClass annotation (#9357)
+* added ginkgo junit reports (#9350)
+* Fix typos found by codespell (#9353)
+* bumped ginkgo to v2.5.1 in testrunner (#9340)
+* create nsswitch-conf if missing (#9339)
+* remove the configmap related permissions (#9310)
+* remove hardcoded datasource from grafana dashboard (#9284)
+* update gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b to 3.0.0 (#9277)
+* added SAN to cert create command (#9295)
+* Missing controller.ingressClass (#9304)
+* OpenTelemetry static linking (#9286)
+* Fixed indentation in commented-out autoscaling (#9225)
+* run helm release on main only and when the chart/value changes only (#9290)
+* fix broken annotation yaml (#9243)
+* PDB: Add `maxUnavailable`. (#9278)
+* add containerSecurityContext to extraModules init containers (kubernetes#9016) (#9242)
+
+### Dependency updates:
+
+* Bump google.golang.org/grpc from 1.52.0 to 1.52.3 (#9555)
+* Bump k8s.io/klog/v2 from 2.80.1 to 2.90.0 (#9553)
+* Bump sigs.k8s.io/controller-runtime from 0.13.1 to 0.14.2 (#9552)
+* Bump google.golang.org/grpc from 1.51.0 to 1.52.0 (#9512)
+* Bump `client-go` to remove dependence on go-autorest dependency (#9488)
+* Bump google.golang.org/grpc from 1.52.0 to 1.52.3 (#9555)
+* Bump k8s.io/klog/v2 from 2.80.1 to 2.90.0 (#9553)
+* Bump sigs.k8s.io/controller-runtime from 0.13.1 to 0.14.2 (#9552)
+* Bump google.golang.org/grpc from 1.51.0 to 1.52.0 (#9512)
+* Bump `client-go` to remove dependence on go-autorest dependency (#9488)
+* Bump golang.org/x/crypto from 0.4.0 to 0.5.0 (#9494)
+* Bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#9397)
+* Bump github.com/onsi/ginkgo/v2 from 2.6.0 to 2.6.1 (#9432)
+* Bump github.com/onsi/ginkgo/v2 from 2.6.0 to 2.6.1 (#9421)
+* Bump github/codeql-action from 2.1.36 to 2.1.37 (#9423)
+* Bump actions/checkout from 3.1.0 to 3.2.0 (#9425)
+* Bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (#9426)
+* Bump actions/dependency-review-action from 3.0.1 to 3.0.2 (#9424)
+* Bump ossf/scorecard-action from 2.0.6 to 2.1.0 (#9422)
+* Bump github.com/prometheus/common from 0.37.0 to 0.39.0 (#9416)
+* Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.6.0 (#9408)
+* Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.6.0 (#9398)
+* Bump github/codeql-action from 2.1.35 to 2.1.36 (#9400)
+* Bump actions/setup-go from 3.3.1 to 3.4.0 (#9370)
+* Bump github/codeql-action from 2.1.31 to 2.1.35 (#9369)
+* Bump google.golang.org/grpc from 1.50.1 to 1.51.0 (#9316)
+* Bump github.com/prometheus/client_golang from 1.13.1 to 1.14.0 (#9298)
+* Bump actions/dependency-review-action from 3.0.0 to 3.0.1 (#9319)
+* Bump golang.org/x/crypto from 0.1.0 to 0.3.0 (#9318)
+* Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.1 (#9317)
+* Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (#9301)
+* Bump k8s.io/component-base from 0.25.3 to 0.25.4 (#9300)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.5.1...controller-controller-v1.6.4
--- a/changelog/controller-1.7.0.md
+++ b/changelog/controller-1.7.0.md
@ -0,0 +1,80 @@
+# Changelog
+
+### 1.7.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.7.0@sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.7.0@sha256:e84ef3b44c8efeefd8b0aa08770a886bfea1f04c53b61b4ba9a7204e9f1a7edc
+
+### All changes:
+
+* kick off 1.7.0 build (#9775)
+* Update exposing-tcp-udp-services.md (#9777)
+* feat: OpenTelemetry module integration (#9062)
+* drop k8s 1.23 support (#9772)
+* Fix canary-weight-total annotation ignored in rule backends (#9729)
+* fix: controller psp's volume config (#9740)
+* Fix several Helm YAML issues with extraModules and extraInitContainers (#9709)
+* docs(helm): fix value key in readme for enabling certManager (#9640)
+* updated digest and sha for e2e-test-echo (#9760)
+* updated digest and sha for e2e-test-fastcgi-helloserver (#9759)
+* updated digest and sha for opentelemetry (#9758)
+* updated digest and sha for e2e-test-cfssl (#9757)
+* updated kube-webhook-certgen digest and tags (#9756)
+* updated nginx-error digest and tags (#9755)
+* added upgrade ginkgo documentation for contributors (#9753)
+* changes Makefile of echo folder to trigger code-build (#9754)
+* Chart: Drop `controller.headers`, rework DH param secret. (#9659)
+* updated NGINX_BASE image with latest tag (#9747)
+* Deployment/DaemonSet: Label pods using `ingress-nginx.labels`. (#9732)
+* bumped ginkgo to v2.9.0 (#9722)
+* HPA: autoscaling/v2beta1 deprecated, bump apiVersion to v2 for defaultBackend (#9731)
+* update to golang 1.20 (#9690)
+* Indent values.yaml using 2 instead of 4 spaces (#9656)
+* fix some comments (#9688)
+* migrate mitchellh/hashstructure to v2 (#9651)
+* changed v1.6.3 to v1.6.4 on deploy docs (#9647)
+* controller: Don't panic when ready condition in a endpointslice is missing (#9550)
+* Rework Ginkgo usage (#9522)
+* code clean for fsnotify (#9571)
+* Optimize the document for readability (#9551)
+* sets.String is deprecated: use generic Set instead. new ways: s1 := Set[string]{} s2 := New[string]() (#9589)
+* Adjust the import package order and use http library variables (#9587)
+* Optimize the judgment mode to remove redundant transformations (#9588)
+* Fix rewrite example (#9633)
+* remove tests and regex path checks (#9626)
+* Fix incorrect annotation name in upstream hashing configuration (#9617)
+* Release docs for Controller v1.6.3 and Helm v4.5.0 (#9614)
+
+### Dependency updates:
+
+* Bump aquasecurity/trivy-action from 0.8.0 to 0.9.2 (#9767)
+* Bump k8s.io/component-base from 0.26.2 to 0.26.3 (#9764)
+* Bump actions/dependency-review-action from 3.0.3 to 3.0.4 (#9766)
+* Bump actions/add-to-project from 0.4.0 to 0.4.1 (#9765)
+* Bump actions/dependency-review-action from 3.0.2 to 3.0.3 (#9727)
+* Bump github.com/prometheus/common from 0.41.0 to 0.42.0 (#9724)
+* Bump golang.org/x/crypto from 0.6.0 to 0.7.0 (#9723)
+* Bump actions/download-artifact from 3.0.1 to 3.0.2 (#9721)
+* Bump goreleaser/goreleaser-action from 4.1.0 to 4.2.0 (#9718)
+* Bump actions/upload-artifact from 3.1.1 to 3.1.2 (#9717)
+* Bump docker/setup-buildx-action from 2.2.1 to 2.5.0 (#9719)
+* Bump helm/chart-releaser-action from 1.4.1 to 1.5.0 (#9720)
+* Bump github.com/onsi/ginkgo/v2 from 2.6.1 to 2.9.0 (#9695)
+* Bump k8s.io/klog/v2 from 2.90.0 to 2.90.1 (#9694)
+* Bump golang.org/x/crypto in /magefiles (#9691)
+* Bump k8s.io/component-base from 0.26.1 to 0.26.2 (#9696)
+* Bump github.com/prometheus/common from 0.40.0 to 0.41.0 (#9698)
+* Bump sigs.k8s.io/controller-runtime from 0.14.2 to 0.14.5 (#9697)
+* Bump golang.org/x/net in /magefiles (#9692)
+* Bump golang.org/x/sys in /images/custom-error-pages/rootfs (#9671)
+* Bump github.com/stretchr/testify from 1.8.1 to 1.8.2 (#9675)
+* Bump github.com/prometheus/common from 0.39.0 to 0.40.0 (#9653)
+* Bump golang.org/x/net from 0.6.0 to 0.7.0 (#9646)
+* Bump golang.org/x/net in /images/kube-webhook-certgen/rootfs (#9645)
+* Bump google.golang.org/grpc from 1.52.3 to 1.53.0 (#9610)
+* Bump github.com/prometheus/client_golang (#9630)
+* Bump golang.org/x/crypto from 0.5.0 to 0.6.0 (#9609)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.6.3...controller-controller-v1.7.0
--- a/changelog/controller-1.7.1.md
+++ b/changelog/controller-1.7.1.md
@ -0,0 +1,54 @@
+# Changelog
+
+### 1.7.1
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.7.1@sha256:e35d5ab487861b9d419c570e3530589229224a0762c7b4d2e2222434abb8d988
+
+### All changes:
+
+* Update TAG - 1.7.1 (#9922)
+* Update dependabot to watch docker images (#9600)
+* [helm] Support custom port configuration for internal service (#9846)
+* Add support for --container flag (#9703)
+* Fix typo in OpenTelemetry (#9903)
+* ensure make lua-test runs locally (#9902)
+* update k8s.io dependencies to v0.26.4 (#9893)
+* Adding resource type to default HPA configuration to resolve issues with Terraform helm chart usage (#9803)
+* I have not been able to fulfill my maintainer responsibilities for a while already, making it official now. (#9883)
+* Update k8s versions (#9879)
+* README: Update `external-dns` link. (#9866)
+* Fastcgi configmap should be on the same namespace of ingress (#9863)
+* Deprecate and remove influxdb feature (#9861)
+* Remove deprecated annotation secure-upstream (#9862)
+* Exclude socket metrics (#9770)
+* Chart: Improve `README.md`. (#9831)
+* update all container tags with date and sha, upgrade all containers (#9834)
+* updated NGINX_BASE image in project (#9829)
+* ISO 8601 date format (#9682)
+* Values: Fix indention of commented values. (#9812)
+* The Ingress-Nginx project recently released version 1.7.0 of the controller, but the deployment documentation still referenced version 1.6.4. This commit updates the documentation to reference the latest version, ensuring that users have access to the most up-to-date information. Fixes#9787 (#9788)
+
+### Dependency updates:
+
+* Bump github.com/opencontainers/runc from 1.1.6 to 1.1.7 (#9912)
+* Bump github.com/prometheus/client_golang from 1.14.0 to 1.15.0 (#9868)
+* Bump aquasecurity/trivy-action from 0.9.2 to 0.10.0 (#9888)
+* Bump github.com/opencontainers/runc from 1.1.5 to 1.1.6 (#9867)
+* Bump actions/checkout from 3.5.0 to 3.5.2 (#9870)
+* Bump golang.org/x/crypto from 0.7.0 to 0.8.0 (#9838)
+* Bump github.com/spf13/cobra from 1.6.1 to 1.7.0 (#9839)
+* Bump actions/add-to-project from 0.4.1 to 0.5.0 (#9840)
+* Bump actions/checkout from 3.4.0 to 3.5.0 (#9798)
+* Bump ossf/scorecard-action from 2.1.2 to 2.1.3 (#9823)
+* Bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 (#9806)
+* Bump actions/stale from 7.0.0 to 8.0.0 (#9799)
+* Bump rajatjindal/krew-release-bot from 0.0.43 to 0.0.46 (#9797)
+* Bump actions/setup-go from 3.5.0 to 4.0.0 (#9796)
+* Bump github.com/imdario/mergo from 0.3.13 to 0.3.15 (#9795)
+* Bump google.golang.org/grpc from 1.53.0 to 1.54.0 (#9794)
+* Bump sigs.k8s.io/controller-runtime from 0.14.5 to 0.14.6 (#9822)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.7.0...controller-controller-v1.7.1
--- a/changelog/controller-1.8.0.md
+++ b/changelog/controller-1.8.0.md
@ -0,0 +1,64 @@
+# Changelog
+
+### 1.8.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.8.0@sha256:a45e41cd2b7670adf829759878f512d4208d0aec1869dae593a0fecd09a5e49e
+
+### Important changes:
+
+* Validate path types (#9967)
+* images: upgrade to Alpine 3.18 (#9997)
+* Update documentation to reflect project name; Ingress-Nginx Controller
+
+For improving security, our 1.8.0 release includes a [new, **optional** validation ](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type) that limits the characters accepted  on ".spec paths.path" when pathType=Exact or athType=Prefix, to alphanumeric characters only.
+
+More information can be found on our [Google doc](https://docs.google.com/document/d/1HPvaEwHRuMSkXYkVIJ-w7IpijKdHfNynm_4N2Akt0CQ/edit?usp=sharing), our new [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernetes.io/g/ingress-nginx-dev/c/ebbBMo-zX-w) or in our [docs](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type)
+
+### Community Updates
+
+We are now posting updates and release to our twitter handle, [@IngressNginx](https://twitter.com/IngressNGINX) and
+on our new [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernetes.io/g/ingress-nginx-dev/c/ebbBMo-zX-w)
+
+### All changes:
+
+* Add legacy to OpenTelemetry migration doc (#10011)
+* changed tagsha to recent builds (#10001)
+* change to alpine318 baseimage (#10000)
+* images: upgrade to Alpine 3.18 (#9997)
+* openssl CVE fix (#9996)
+* PodDisruptionBudget spec logic update (#9904)
+* Admission warning (#9975)
+* Add OPA examples on pathType restrictions (#9992)
+* updated testrunner image tag+sha (#9987)
+* bumped ginkgo to v2.9.5 (#9985)
+* helm: Fix opentelemetry module installation for daemonset (#9792)
+* OpenTelemetry default config (#9978)
+* Correct annotations in monitoring docs (#9976)
+* fix: avoid builds and tests for changes to markdown (#9962)
+* Validate path types (#9967)
+* HPA: Use capabilities & align manifests. (#9521)
+* Use dl.k8s.io instead of hardcoded GCS URIs (#9946)
+* add option for annotations in PodDisruptionBudget (#9843)
+* chore: update httpbin to httpbun (#9919)
+* image_update (#9942)
+* Add geoname id value into $geoip2_*_geoname_id variables (#9527)
+* Update annotations.md (#9933)
+* Update charts/* to keep project name display aligned (#9931)
+* Keep project name display aligned (#9920)
+
+### Dependencies updates:
+* Bump github.com/imdario/mergo from 0.3.15 to 0.3.16 (#10008)
+* Bump github.com/prometheus/common from 0.43.0 to 0.44.0 (#10007)
+* Bump k8s.io/klog/v2 from 2.90.1 to 2.100.1 (#9913)
+* Bump github.com/onsi/ginkgo/v2 from 2.9.0 to 2.9.5 (#9980)
+* Bump golang.org/x/crypto from 0.8.0 to 0.9.0 (#9982)
+* Bump actions/setup-go from 4.0.0 to 4.0.1 (#9984)
+* Bump securego/gosec from 2.15.0 to 2.16.0 (#9983)
+* Bump github.com/prometheus/common from 0.42.0 to 0.43.0 (#9981)
+* Bump github.com/prometheus/client_model from 0.3.0 to 0.4.0 (#9937)
+* Bump google.golang.org/grpc from 1.54.0 to 1.55.0 (#9936)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.7.1...controller-controller-v1.8.0
--- a/changelog/controller-1.8.1.md
+++ b/changelog/controller-1.8.1.md
@ -0,0 +1,69 @@
+# Changelog
+
+### 1.8.1
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.8.1@sha256:e0d4121e3c5e39de9122e55e331a32d5ebf8d4d257227cb93ab54a1b912a7627
+
+### All changes:
+
+* netlify: Only trigger preview when there are changes in docs. (#10144)
+* changed to updated baseimage and reverted tag (#10143)
+* Fix loadBalancerClass value (#10139)
+* Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406)
+* Set grpc :authority header from request header (#8912)
+* bump pinned golang to 1.20.5 (#10127)
+* update test runner (#10125)
+* chore: remove echo from snippet tests (#10110)
+* Update typo in docs for lb scheme (#10117)
+* golang 1.20.5 bump (#10120)
+* feat(helm): Add loadBalancerClass (#9562)
+* chore: remove echo friom canary tests (#10089)
+* fix: obsolete warnings (#10029)
+* docs: change Dockefile url ref main (#10087)
+* Revert "Remove fastcgi feature" (#10081)
+* docs: add netlify configuration (#10073)
+* add distroless otel init (#10035)
+* chore: move httpbun to be part of framework (#9955)
+* Remove fastcgi feature (#9864)
+* Fix mirror-target values without path separator and port (#9889)
+* Adding feature to upgrade Oracle Cloud Infrastructure's Flexible Load Balancer and adjusting Health Check that were critical in the previous configuration (#9961)
+* add support for keda fallback settings (#9993)
+* unnecessary use of fmt.Sprint (S1039) (#10049)
+* chore: pkg imported more than once (#10048)
+* tracing: upgrade to dd-opentracing-cpp v1.3.7 (#10031)
+* fix: add canary to sidebar in examples (#10068)
+* docs: add lua testing documentation (#10060)
+* docs: canary weighted deployments example (#10067)
+* Update Internal Load Balancer docs (#10062)
+* fix broken kubernetes.io/user-guide/ docs links (#10055)
+* docs: Updated the content of deploy/rbac.md (#10054)
+* ensured hpa mem spec before cpu spec (#10043)
+* Fix typo in controller_test (#10034)
+* chore(dep): upgrade github.com/emicklei/go-restful/v3 to 3.10 (#10028)
+* Upgrade to Golang 1.20.4 (#10016)
+* perf: avoid unnecessary byte/string conversion (#10012)
+* added note on dns for localtesting (#10021)
+* added helmshowvalues example (#10019)
+* release controller 1.8.0 and chart 4.7.0 (#10017)
+
+### Dependency updates:
+
+* Bump ossf/scorecard-action from 2.1.3 to 2.2.0 (#10133)
+* Bump google.golang.org/grpc from 1.56.0 to 1.56.1 (#10134)
+* Bump github.com/prometheus/client_golang from 1.15.1 to 1.16.0 (#10106)
+* Bump golang.org/x/crypto from 0.9.0 to 0.10.0 (#10105)
+* Bump google.golang.org/grpc from 1.55.0 to 1.56.0 (#10103)
+* Bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 (#10101)
+* Bump docker/setup-buildx-action from 2.6.0 to 2.7.0 (#10102)
+* Bump actions/checkout from 3.5.2 to 3.5.3 (#10076)
+* Bump docker/setup-qemu-action from 2.1.0 to 2.2.0 (#10075)
+* Bump aquasecurity/trivy-action from 0.10.0 to 0.11.2 (#10078)
+* Bump docker/setup-buildx-action from 2.5.0 to 2.6.0 (#10077)
+* Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#10042)
+* Bump github.com/stretchr/testify from 1.8.3 to 1.8.4 (#10041)
+* Bump github.com/stretchr/testify from 1.8.2 to 1.8.3 (#10005)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.8.0...controller-controller-v1.8.1
--- a/changelog/controller-1.8.2.md
+++ b/changelog/controller-1.8.2.md
@ -0,0 +1,19 @@
+# Changelog
+
+### 1.8.2
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.8.2@sha256:74834d3d25b336b62cabeb8bf7f1d788706e2cf1cfd64022de4137ade8881ff2
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.8.2@sha256:1317a563219f755a6094d990057c78e5c4dcea5e31f4ce1db8641e732a7d6133
+
+### All changes:
+
+* Release v1.8.2 and Update Go to v1.21.1 (#10379)
+* Making auth access logs optional (#10380)
+* [release-1.8] Disable Modsecurity from internal processing which affects large ingresses  (#10375)
+* promote distroless otel init image (#10270)
+* [release-1.8] Update images tags after adding git data in gcloud (#10233)
+* [release-1.8] Golang 1.20.6 for test runner (#10231)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.8.1...controller-controller-v1.8.2
--- a/changelog/controller-1.9.0-beta.0.md
+++ b/changelog/controller-1.9.0-beta.0.md
@ -0,0 +1,95 @@
+# Changelog
+
+### 1.9.0-beta.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.9.0-beta.0@sha256:531377e4cc9dc62af40d742402222603259673f5a755a64d74122f256dfad8f9
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.0-beta.0@sha256:60b4c95349ce2a81a3b2a76423ee483b847b89d3fa8cb148468434f606f3fa0c
+
+### All changes:
+
+* Rework mage (#10418)
+* Start release of v1.9.0 beta0 (#10407)
+* Update k8s versions on CI (#10406)
+* Add a flag to enable or disable aio_write (#10394)
+* Update external-articles.md - advanced setup with GKE/Cloud Armor/IAP (#10372)
+* Fix e2e test suite doc (#10396)
+* Disable user snippets per default (#10393)
+* Deployment/DaemonSet: Fix templating & value. (#10240)
+* Fix deferInLoop error (#10387)
+* Remove gofmt (#10385)
+* Deployment/DaemonSet: Template `topologySpreadConstraints`. (#10259)
+* release notes 1.8.2 (#10389)
+* fix: remove curl on base container #9716 (#10306)
+* Fix http default backend test (#10382)
+* Add golangci github action and replace the deprecated golint (#10187)
+* BUGFIX incorrect indentation (#10254)
+* Upgrade OpenTelemetry to v1.11.0 and gRPC to v1.57.0 (#10352)
+* fix: path with special characters warning #10281 #10308 (#10330)
+* Fix golangci-lint errors (#10196)
+* chore(build): Fix Run make dev-env syntax error (#10294)
+* Add firewall configuration to quick start documentation (#10357)
+* Making auth access logs optional (#10335)
+* Fix “dev-env” Makefile target to work with kubectl 1.28+ (#10350)
+* fix: update action file to auto release plugin #10197 (#10321)
+* Use gzip instead of pigz in CI (#10348)
+* Disable Modsecurity from internal processing which affects large ingresses  (#10316)
+* fix: add /etc/mime.types #10309 (#10310)
+* Remove curl dependencies in e2e tests #9716 (#10296)
+* docs: swap explanation to match example (#10220)
+* ci(helm): fix Helm Chart release action 422 error (#10237)
+* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249)
+* Updated index.md - Fix typos (#10256)
+* Handle request_id variable correctly in auth requests (#9219)
+* test kind updates (#10272)
+* promote distroless otel init image (#10257)
+* [helm] configure allow to configure hostAliases (#10180)
+* Add rolling update strategy to each static deployment file (#10129)
+* Implement annotation validation (#9673)
+* Golang 1.20.6 for test runner (#10230)
+* [helm] pass service annotations through helm tpl engine (#10084)
+* Ignore deployment template's replicas if KEDA is enabled (#9534)
+* chore: bump OpenResty to v1.21.4.2 (#10219)
+* Scanning port 10247 lead to tcp connection 502 error (#9815)
+* revise Datadog trace sampling configuration (#10151)
+* Clarify TCP/UDP service docs (#10146)
+* Exposed continent data as  variable in the case of Maxmind city files (#10157)
+* Cleanup errcheck code (#10166)
+* Fix golang-ci linter errors (#10128)
+* Deprecate and remove AJP support (#10158)
+* release notes 1.8.1 (#10161)
+
+### Dependency updates:
+
+* Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.12.0 (#10355)
+* Bump golang.org/x/crypto from 0.12.0 to 0.13.0 (#10399)
+* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10403)
+* Bump goreleaser/goreleaser-action from 4.4.0 to 4.6.0 (#10402)
+* Bump actions/upload-artifact from 3.1.2 to 3.1.3 (#10404)
+* Bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#10400)
+* Bump google.golang.org/grpc from 1.57.0 to 1.58.0 (#10398)
+* Bump actions/dependency-review-action from 3.0.8 to 3.1.0 (#10401)
+* Bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4 (#10373)
+* Bump github.com/cyphar/filepath-securejoin in /magefiles (#10374)
+* Bump Go version to 1.21.1 (#10377)
+* Bump Go version to 1.21.1 on testrunner (#10378)
+* Bump aquasecurity/trivy-action from 0.11.2 to 0.12.0 (#10365)
+* Bump docker/setup-buildx-action from 2.9.1 to 2.10.0 (#10353)
+* Bump actions/checkout from 3.5.3 to 3.6.0 (#10354)
+* Bump actions/dependency-review-action from 3.0.6 to 3.0.8 (#10333)
+* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10313)
+* Bump securego/gosec from 2.16.0 to 2.17.0 (#10332)
+* Bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 (#10314)
+* Bump github.com/opencontainers/runc from 1.1.8 to 1.1.9 (#10298)
+* Bump k8s.io/component-base from 0.26.4 to 0.27.4 (Replace Topology Aware Hints with Topology Aware Routing) (#10282)
+* Bump google.golang.org/grpc from 1.56.2 to 1.57.0 (#10258)
+* Bump golang.org/x/crypto from 0.11.0 to 0.12.0 (#10280)
+* Bump github.com/opencontainers/runc from 1.1.7 to 1.1.8 (#10244)
+* Bump google.golang.org/grpc from 1.56.1 to 1.56.2 (#10193)
+* Bump docker/setup-buildx-action from 2.9.0 to 2.9.1 (#10207)
+* Bump golang.org/x/crypto from 0.10.0 to 0.11.0 (#10192)
+* Bump docker/setup-buildx-action from 2.8.0 to 2.9.0 (#10191)
+* Bump docker/setup-buildx-action from 2.7.0 to 2.8.0 (#10165)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-release-1.8...controller-controller-v1.9.0-beta.0
--- a/changelog/controller-1.9.0.md
+++ b/changelog/controller-1.9.0.md
@ -0,0 +1,95 @@
+# Changelog
+
+### 1.9.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.9.0@sha256:c15d1a617858d90fb8f8a2dd60b0676f2bb85c54e3ed11511794b86ec30c8c60
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.0@sha256:d9fa7a136de2104fb2ecfcf1666978bfab927f4a125b75c0fb471e6104366ab5
+
+### All changes:
+
+* Rework mage (#10418)
+* Start release of v1.9.0 beta0 (#10407)
+* Update k8s versions on CI (#10406)
+* Add a flag to enable or disable aio_write (#10394)
+* Update external-articles.md - advanced setup with GKE/Cloud Armor/IAP (#10372)
+* Fix e2e test suite doc (#10396)
+* Disable user snippets per default (#10393)
+* Deployment/DaemonSet: Fix templating & value. (#10240)
+* Fix deferInLoop error (#10387)
+* Remove gofmt (#10385)
+* Deployment/DaemonSet: Template `topologySpreadConstraints`. (#10259)
+* release notes 1.8.2 (#10389)
+* fix: remove curl on base container #9716 (#10306)
+* Fix http default backend test (#10382)
+* Add golangci github action and replace the deprecated golint (#10187)
+* BUGFIX incorrect indentation (#10254)
+* Upgrade OpenTelemetry to v1.11.0 and gRPC to v1.57.0 (#10352)
+* fix: path with special characters warning #10281 #10308 (#10330)
+* Fix golangci-lint errors (#10196)
+* chore(build): Fix Run make dev-env syntax error (#10294)
+* Add firewall configuration to quick start documentation (#10357)
+* Making auth access logs optional (#10335)
+* Fix “dev-env” Makefile target to work with kubectl 1.28+ (#10350)
+* fix: update action file to auto release plugin #10197 (#10321)
+* Use gzip instead of pigz in CI (#10348)
+* Disable Modsecurity from internal processing which affects large ingresses  (#10316)
+* fix: add /etc/mime.types #10309 (#10310)
+* Remove curl dependencies in e2e tests #9716 (#10296)
+* docs: swap explanation to match example (#10220)
+* ci(helm): fix Helm Chart release action 422 error (#10237)
+* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249)
+* Updated index.md - Fix typos (#10256)
+* Handle request_id variable correctly in auth requests (#9219)
+* test kind updates (#10272)
+* promote distroless otel init image (#10257)
+* [helm] configure allow to configure hostAliases (#10180)
+* Add rolling update strategy to each static deployment file (#10129)
+* Implement annotation validation (#9673)
+* Golang 1.20.6 for test runner (#10230)
+* [helm] pass service annotations through helm tpl engine (#10084)
+* Ignore deployment template's replicas if KEDA is enabled (#9534)
+* chore: bump OpenResty to v1.21.4.2 (#10219)
+* Scanning port 10247 lead to tcp connection 502 error (#9815)
+* revise Datadog trace sampling configuration (#10151)
+* Clarify TCP/UDP service docs (#10146)
+* Exposed continent data as  variable in the case of Maxmind city files (#10157)
+* Cleanup errcheck code (#10166)
+* Fix golang-ci linter errors (#10128)
+* Deprecate and remove AJP support (#10158)
+* release notes 1.8.1 (#10161)
+
+### Dependency updates:
+
+* Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.12.0 (#10355)
+* Bump golang.org/x/crypto from 0.12.0 to 0.13.0 (#10399)
+* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10403)
+* Bump goreleaser/goreleaser-action from 4.4.0 to 4.6.0 (#10402)
+* Bump actions/upload-artifact from 3.1.2 to 3.1.3 (#10404)
+* Bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#10400)
+* Bump google.golang.org/grpc from 1.57.0 to 1.58.0 (#10398)
+* Bump actions/dependency-review-action from 3.0.8 to 3.1.0 (#10401)
+* Bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4 (#10373)
+* Bump github.com/cyphar/filepath-securejoin in /magefiles (#10374)
+* Bump Go version to 1.21.1 (#10377)
+* Bump Go version to 1.21.1 on testrunner (#10378)
+* Bump aquasecurity/trivy-action from 0.11.2 to 0.12.0 (#10365)
+* Bump docker/setup-buildx-action from 2.9.1 to 2.10.0 (#10353)
+* Bump actions/checkout from 3.5.3 to 3.6.0 (#10354)
+* Bump actions/dependency-review-action from 3.0.6 to 3.0.8 (#10333)
+* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10313)
+* Bump securego/gosec from 2.16.0 to 2.17.0 (#10332)
+* Bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 (#10314)
+* Bump github.com/opencontainers/runc from 1.1.8 to 1.1.9 (#10298)
+* Bump k8s.io/component-base from 0.26.4 to 0.27.4 (Replace Topology Aware Hints with Topology Aware Routing) (#10282)
+* Bump google.golang.org/grpc from 1.56.2 to 1.57.0 (#10258)
+* Bump golang.org/x/crypto from 0.11.0 to 0.12.0 (#10280)
+* Bump github.com/opencontainers/runc from 1.1.7 to 1.1.8 (#10244)
+* Bump google.golang.org/grpc from 1.56.1 to 1.56.2 (#10193)
+* Bump docker/setup-buildx-action from 2.9.0 to 2.9.1 (#10207)
+* Bump golang.org/x/crypto from 0.10.0 to 0.11.0 (#10192)
+* Bump docker/setup-buildx-action from 2.8.0 to 2.9.0 (#10191)
+* Bump docker/setup-buildx-action from 2.7.0 to 2.8.0 (#10165)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-release-1.8...controller-controller-v1.9.0
--- a/changelog/controller-1.9.1.md
+++ b/changelog/controller-1.9.1.md
@ -0,0 +1,21 @@
+# Changelog
+
+### 1.9.1
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.9.1@sha256:605a737877de78969493a4b1213b21de4ee425d2926906857b98050f57a95b25
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.1@sha256:2ac744ef08850ee86ad7162451a6879f47c1a41c6a757f6b6f913c52103b8836
+
+### All changes:
+
+* upgrade owasp modsecurity core rule set to v3.3.5 (#10437)
+* Start v1.9.1 release (#10463)
+* Accept backend protocol on any case (#10461)
+* Chart: Rework network policies. (#10438)
+
+### Dependency updates:
+
+* Bump google.golang.org/grpc from 1.58.0 to 1.58.1 (#10436)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.9.0...controller-controller-v1.9.1
--- a/changelog/controller-1.9.3.md
+++ b/changelog/controller-1.9.3.md
@ -0,0 +1,29 @@
+# Changelog
+
+### 1.9.3
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.9.3@sha256:8fd21d59428507671ce0fb47f818b1d859c92d2ad07bb7c947268d433030ba98
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.3@sha256:df4931fd6859fbf1a71e785f02a44b2f9a16f010ae852c442e9bb779cbefdc86
+
+### All changes:
+
+* update nginx base, httpbun, e2e, helm webhook cert gen (#10506)
+* added warning for configuration-snippets usage (#10492)
+* Remove legacy GeoIP from controller (#10495)
+* add upstream patch for CVE-2023-44487 (#10494)
+* Revert "Remove curl from nginx base image (#10477)" (#10479)
+* update error and otel to have all the arch we support (#10476)
+* Remove curl from nginx base image (#10477)
+
+### Dependency updates:
+
+* Bump x/net (#10514)
+* Bump curl and Go version (#10503)
+* Bump google.golang.org/grpc from 1.58.2 to 1.58.3 (#10496)
+* Bump github.com/prometheus/client_model (#10486)
+* Bump ossf/scorecard-action from 2.2.0 to 2.3.0 (#10487)
+* Bump golang.org/x/crypto from 0.13.0 to 0.14.0 (#10485)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.9.1...controller-controller-v1.9.3
--- a/changelog/controller-1.9.4.md
+++ b/changelog/controller-1.9.4.md
@ -0,0 +1,14 @@
+# Changelog
+
+### 1.9.4
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.4@sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26
+
+### All changes:
+
+* Cherry pick fcgi fix and release v1.9.4 (#10544)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.9.3...controller-controller-v1.9.4
--- a/changelog/controller-1.9.5.md
+++ b/changelog/controller-1.9.5.md
@ -0,0 +1,37 @@
+# Changelog
+
+### controller-v1.9.5
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.9.5@sha256:b3aba22b1da80e7acfc52b115cae1d4c687172cbf2b742d5b502419c25ff340e
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.5@sha256:9a8d7b25a846a6461cd044b9aea9cf6cad972bcf2e64d9fd246c0279979aad2d
+
+### All changes:
+
+* update nginx build (#10781)
+* update images from golang upgrade (#10762)
+* fix: remove tcpproxy copy error handling (#10715)
+* Ignore fake certificate for NGINXCertificateExpiry (#10694)
+* Comment NGINXCertificateExpiry alert label matcher (#10692)
+* chart: allow setting allocateLoadBalancerNodePorts (#10693)
+* [release-1.9] feat(helm): add documentation about metric args (#10695)
+* chore(dep): change lua-resty-cookie's repo (#10691)
+* annotation validation - extended URLWithNginxVariableRegex from alphaNumericChars to extendedAlphaNumeric (#10656)
+* fix: adjust unfulfillable validation check for session-cookie-samesite annotation (#10604)
+* fix: Validate x-forwarded-prefix annotation with RegexPathWithCapture (#10603)
+* Increase HSTS max-age to default to one year (#10580)
+* [release-1.9] update nginx base, httpbun, e2e, helm webhook cert gen (#10507)
+* [release-1.9] add upstream patch for CVE-2023-44487 (#10499)
+* fix brotli build issues (#10468)
+* upgrade owasp modsecurity core rule set to v3.3.5 (#10437)
+* Accept backend protocol on any case (#10461)
+* Chart: Rework network policies. (#10438)
+* Rework mage (#10418)
+
+### Dependency updates:
+
+* Bump x/net (#10517)
+* Bump google.golang.org/grpc from 1.58.0 to 1.58.1 (#10436)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.9.4...controller-v1.9.5
--- a/changelog/controller-1.9.6.md
+++ b/changelog/controller-1.9.6.md
@ -0,0 +1,21 @@
+# Changelog
+
+### controller-v1.9.6
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.9.6@sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.6@sha256:7eb46ff733429e0e46892903c7394aff149ac6d284d92b3946f3baf7ff26a096
+
+### All changes:
+
+* update web hook cert gen to latest release v20231226-1a7112e06
+* annotation validation: validate regex in common name annotation (#10880)
+* change MODSECURITY_VERSION_LIB to 3.0.11 (#10879)
+* Include SECLEVEL and STRENGTH as part of ssl-cipher list validation (#10871)
+
+### Dependency updates:
+
+* Bump github.com/opencontainers/runc from 1.1.10 to 1.1.11 (#10878)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.9.5...controller-v1.9.6
--- a/changelog/controller.md.gotmpl
+++ b/changelog/controller.md.gotmpl
@ -0,0 +1,22 @@
+# Changelog
+
+### {{ .NewControllerVersion }}
+{{ with .ControllerImages }}
+Images:
+{{ range . }}
+* {{ .Registry }}/{{ .Name }}:{{ .Tag}}@{{ .Digest }}
+{{- end }}
+{{ end }}
+{{- with .Updates }}
+### All changes:
+{{ range . }}
+* {{ . }}
+{{- end }}
+{{ end }}
+{{- with .DepUpdates }}
+### Dependency updates:
+{{ range . }}
+* {{ . }}
+{{- end }}
+{{ end }}
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/{{ .PreviousControllerVersion }}...{{ .NewControllerVersion }}
--- a/charts/ingress-nginx/.helmignore
+++ b/charts/ingress-nginx/.helmignore
@ -20,3 +20,4 @@
 .idea/
 *.tmproj
 .vscode/
+__snapshot__
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@ -1,16 +1,24 @@
-apiVersion: v1
-name: ingress-nginx
-version: 2.13.0
-appVersion: 0.35.0
+annotations:
+  artifacthub.io/changes: |
+    - 'CI: Fix chart testing. (#12258)'
+    - Update Ingress-Nginx version controller-v1.12.0
+  artifacthub.io/prerelease: "false"
+apiVersion: v2
+appVersion: 1.12.0
+description: Ingress controller for Kubernetes using NGINX as a reverse proxy and
+  load balancer
 home: https://github.com/kubernetes/ingress-nginx
-description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
 keywords:
-  - ingress
-  - nginx
-sources:
-  - https://github.com/kubernetes/ingress-nginx
+- ingress
+- nginx
+kubeVersion: '>=1.21.0-0'
 maintainers:
-  - name: ChiefAlexander
-engine: gotpl
-kubeVersion: ">=1.10.0-0"
+- name: cpanato
+- name: Gacko
+- name: strongjz
+- name: tao12345666333
+name: ingress-nginx
+sources:
+- https://github.com/kubernetes/ingress-nginx
+version: 4.12.0
--- a/charts/ingress-nginx/OWNERS
+++ b/charts/ingress-nginx/OWNERS
@ -1,5 +1,4 @@
-approvers:
-  - ChiefAlexander
+# See the OWNERS docs: https://www.kubernetes.dev/docs/guide/owners

-reviewers:
-  - ChiefAlexander
+labels:
+- area/helm
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@ -2,30 +2,29 @@

 [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer

-To use, add the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
+![Version: 4.12.0](https://img.shields.io/badge/Version-4.12.0-informational?style=flat-square) ![AppVersion: 1.12.0](https://img.shields.io/badge/AppVersion-1.12.0-informational?style=flat-square)
+
+To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.

 This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.

-## Prerequisites
+## Requirements

- Kubernetes 1.6+
+Kubernetes: `>=1.21.0-0`

 ## Get Repo Info

 ```console
 helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
-helm repo add stable https://kubernetes-charts.storage.googleapis.com/
 helm repo update
 ```

 ## Install Chart

-```console
-# Helm 3
-$ helm install [RELEASE_NAME] ingress-nginx/ingress-nginx
+**Important:** only helm3 is supported

-# Helm 2
-$ helm install --name [RELEASE_NAME] ingress-nginx/ingress-nginx
+```console
+helm install [RELEASE_NAME] ingress-nginx/ingress-nginx
 ```

 The command deploys ingress-nginx on the Kubernetes cluster in the default configuration.
@ -37,11 +36,7 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen
 ## Uninstall Chart

 ```console
-# Helm 3
-$ helm uninstall [RELEASE_NAME]
-
-# Helm 2
-# helm delete --purge [RELEASE_NAME]
+helm uninstall [RELEASE_NAME]
 ```

 This removes all the Kubernetes components associated with the chart and deletes the release.
@ -51,16 +46,11 @@ _See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command doc
 ## Upgrading Chart

 ```console
-# Helm 3 or 2
-$ helm upgrade [RELEASE_NAME] [CHART] --install
+helm upgrade [RELEASE_NAME] [CHART] --install
 ```

 _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._

-### Upgrading With Zero Downtime in Production
-
-By default the ingress-nginx controller has service interruptions whenever it's pods are restarted or redeployed. In order to fix that, see the excellent blog post by Lindsay Landry from Codecademy: [Kubernetes: Nginx and Zero Downtime in Production](https://medium.com/codecademy-engineering/kubernetes-nginx-and-zero-downtime-in-production-2c910c6a5ed8).
-
 ### Migrating from stable/nginx-ingress

 There are two main ways to migrate a release from `stable/nginx-ingress` to `ingress-nginx/ingress-nginx` chart:
@ -71,7 +61,6 @@ There are two main ways to migrate a release from `stable/nginx-ingress` to `ing
    1. Redirect your DNS traffic from the old controller to the new controller
    1. Log traffic from both controllers during this changeover
    1. [Uninstall](#uninstall-chart) the old controller once traffic has fully drained from it
-    1. For details on all of these steps see [Upgrading With Zero Downtime in Production](#upgrading-with-zero-downtime-in-production)

 Note that there are some different and upgraded configurations between the two charts, described by Rimas Mocevicius from JFrog in the "Upgrading to ingress-nginx Helm chart" section of [Migrating from Helm chart nginx-ingress to ingress-nginx](https://rimusz.net/migrating-to-ingress-nginx). As the `ingress-nginx/ingress-nginx` chart continues to update, you will want to check current differences by running [helm configuration](#configuration) commands on both charts.

@ -80,11 +69,7 @@ Note that there are some different and upgraded configurations between the two c
 See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands:

 ```console
-# Helm 2
-$ helm inspect values ingress-nginx/ingress-nginx
-
-# Helm 3
-$ helm show values ingress-nginx/ingress-nginx
+helm show values ingress-nginx/ingress-nginx
 ```

 ### PodDisruptionBudget
@ -94,21 +79,22 @@ else it would make it impossible to evacuate a node. See [gh issue #7127](https:

 ### Prometheus Metrics

-The Nginx ingress controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`.
+The Ingress-Nginx Controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`.

-You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`. Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`.
+You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`.
+Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. And set `controller.metrics.serviceMonitor.additionalLabels.release="prometheus"`. "release=prometheus" should match the label configured in the prometheus servicemonitor ( see `kubectl get servicemonitor prometheus-kube-prom-prometheus -oyaml -n prometheus`)

 ### ingress-nginx nginx\_status page/stats server

-Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in nginx ingress controller:
+Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in Ingress-Nginx Controller:

- In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed
- In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost.
-  You can use `curl --unix-socket /tmp/nginx-status-server.sock http://localhost/nginx_status` inside the controller container to access it locally, or use the snippet from [nginx-ingress changelog](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0230) to re-enable the http server
+- In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed
+- In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost.
+  You can use `curl --unix-socket /tmp/nginx-status-server.sock http://localhost/nginx_status` inside the controller container to access it locally, or use the snippet from [nginx-ingress changelog](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230) to re-enable the http server

 ### ExternalDNS Service Configuration

-Add an [ExternalDNS](https://github.com/kubernetes-incubator/external-dns) annotation to the LoadBalancer service:
+Add an [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) annotation to the LoadBalancer service:

 ```yaml
 controller:
@ -119,7 +105,7 @@ controller:

 ### AWS L7 ELB with SSL Termination

-Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/master/deploy/aws/l7/service-l7.yaml):
+Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/ab3a789caae65eec4ad6e3b46b19750b481b6bce/deploy/aws/l7/service-l7.yaml):

 ```yaml
 controller:
@ -134,19 +120,6 @@ controller:
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
 ```

-### AWS route53-mapper
-
-To configure the LoadBalancer service with the [route53-mapper addon](https://github.com/kubernetes/kops/tree/master/addons/route53-mapper), add the `domainName` annotation and `dns` label:
-
-```yaml
-controller:
-  service:
-    labels:
-      dns: "route53"
-    annotations:
-      domainName: "kubernetes-example.com"
-```
-
 ### Additional Internal Load Balancer

 This setup is useful when you need both external and internal load balancers but don't want to have multiple ingress controllers and multiple ingress objects per application.
@ -170,8 +143,10 @@ controller:
    internal:
      enabled: true
      annotations:
-        # Create internal ELB
-        service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
+        # Create internal NLB
+        service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
+        # Create internal ELB(Deprecated)
+        # service.beta.kubernetes.io/aws-load-balancer-internal: "true"
        # Any other annotation can be declared here.
 ```

@ -183,20 +158,65 @@ controller:
    internal:
      enabled: true
      annotations:
-        # Create internal LB
-        cloud.google.com/load-balancer-type: "Internal"
+        # Create internal LB. More information: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing
+        # For GKE versions 1.17 and later
+        networking.gke.io/load-balancer-type: "Internal"
+        # For earlier versions
+        # cloud.google.com/load-balancer-type: "Internal"
+
        # Any other annotation can be declared here.
 ```

+Example for Azure:
+
+```yaml
+controller:
+  service:
+      annotations:
+        # Create internal LB
+        service.beta.kubernetes.io/azure-load-balancer-internal: "true"
+        # Any other annotation can be declared here.
+```
+
+Example for Oracle Cloud Infrastructure:
+
+```yaml
+controller:
+  service:
+      annotations:
+        # Create internal LB
+        service.beta.kubernetes.io/oci-load-balancer-internal: "true"
+        # Any other annotation can be declared here.
+```
+
+The load balancer annotations of more cloud service providers can be found: [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer).
+
 An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object.

+Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`.
+
 ### Ingress Admission Webhooks

-With nginx-ingress-controller version 0.25+, the nginx ingress controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
+With nginx-ingress-controller version 0.25+, the Ingress-Nginx Controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
 **This feature is enabled by default since 0.31.0.**

 With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521)

+#### How the Chart Configures the Hooks
+A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks.
+
+1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits.
+2. The Ingress-Nginx Controller pod is configured to use a TLS proxy container, which will load that certificate.
+3. Validating and Mutating webhook configurations are created in the cluster.
+4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations
+
+#### Alternatives
+It should be possible to use [cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) if a more complete solution is required.
+
+You can enable automatic self-signed TLS certificate provisioning via cert-manager by setting the `controller.admissionWebhooks.certManager.enabled` value to true.
+
+Please ensure that cert-manager is correctly installed and configured.
+
 ### Helm Error When Upgrading: spec.clusterIP: Invalid value: ""

 If you are upgrading this chart from a version between 0.31.0 and 1.2.2 then you may get an error like this:
@ -208,3 +228,349 @@ Error: UPGRADE FAILED: Service "?????-controller" is invalid: spec.clusterIP: In
 Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13646) but to resolve this you can set `xxxx.service.omitClusterIP` to `true` where `xxxx` is the service referenced in the error.

 As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered.
+
+### Pod Security Admission
+
+You can use Pod Security Admission by applying labels to the `ingress-nginx` namespace as instructed by the [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels).
+
+Example:
+
+```yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ingress-nginx
+  labels:
+    kubernetes.io/metadata.name: ingress-nginx
+    name: ingress-nginx
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: v1.31
+```
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| commonLabels | object | `{}` |  |
+| controller.addHeaders | object | `{}` | Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers |
+| controller.admissionWebhooks.annotations | object | `{}` |  |
+| controller.admissionWebhooks.certManager.admissionCert.duration | string | `""` |  |
+| controller.admissionWebhooks.certManager.enabled | bool | `false` |  |
+| controller.admissionWebhooks.certManager.rootCert.duration | string | `""` |  |
+| controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` |  |
+| controller.admissionWebhooks.createSecretJob.name | string | `"create"` |  |
+| controller.admissionWebhooks.createSecretJob.resources | object | `{}` |  |
+| controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers |
+| controller.admissionWebhooks.enabled | bool | `true` |  |
+| controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set |
+| controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use |
+| controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` |  |
+| controller.admissionWebhooks.labels | object | `{}` | Labels to be added to admission webhooks |
+| controller.admissionWebhooks.name | string | `"admission"` |  |
+| controller.admissionWebhooks.namespaceSelector | object | `{}` |  |
+| controller.admissionWebhooks.objectSelector | object | `{}` |  |
+| controller.admissionWebhooks.patch.enabled | bool | `true` |  |
+| controller.admissionWebhooks.patch.image.digest | string | `"sha256:0de05718b59dc33b57ddfb4d8ad5f637cefd13eafdec0e1579d782b3483c27c3"` |  |
+| controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` |  |
+| controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` |  |
+| controller.admissionWebhooks.patch.image.tag | string | `"v1.5.1"` |  |
+| controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
+| controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
+| controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
+| controller.admissionWebhooks.patch.podAnnotations | object | `{}` |  |
+| controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # |
+| controller.admissionWebhooks.patch.rbac | object | `{"create":true}` | Admission webhook patch job RBAC |
+| controller.admissionWebhooks.patch.rbac.create | bool | `true` | Create RBAC or not |
+| controller.admissionWebhooks.patch.securityContext | object | `{}` | Security context for secret creation & webhook patch pods |
+| controller.admissionWebhooks.patch.serviceAccount | object | `{"automountServiceAccountToken":true,"create":true,"name":""}` | Admission webhook patch job service account |
+| controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken | bool | `true` | Auto-mount service account token or not |
+| controller.admissionWebhooks.patch.serviceAccount.create | bool | `true` | Create a service account or not |
+| controller.admissionWebhooks.patch.serviceAccount.name | string | `""` | Custom service account name |
+| controller.admissionWebhooks.patch.tolerations | list | `[]` |  |
+| controller.admissionWebhooks.patchWebhookJob.name | string | `"patch"` |  |
+| controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` |  |
+| controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers |
+| controller.admissionWebhooks.port | int | `8443` |  |
+| controller.admissionWebhooks.service.annotations | object | `{}` |  |
+| controller.admissionWebhooks.service.externalIPs | list | `[]` |  |
+| controller.admissionWebhooks.service.loadBalancerSourceRanges | list | `[]` |  |
+| controller.admissionWebhooks.service.servicePort | int | `443` |  |
+| controller.admissionWebhooks.service.type | string | `"ClusterIP"` |  |
+| controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # |
+| controller.allowSnippetAnnotations | bool | `false` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected |
+| controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # |
+| controller.autoscaling.annotations | object | `{}` |  |
+| controller.autoscaling.behavior | object | `{}` |  |
+| controller.autoscaling.enabled | bool | `false` |  |
+| controller.autoscaling.maxReplicas | int | `11` |  |
+| controller.autoscaling.minReplicas | int | `1` |  |
+| controller.autoscaling.targetCPUUtilizationPercentage | int | `50` |  |
+| controller.autoscaling.targetMemoryUtilizationPercentage | int | `50` |  |
+| controller.autoscalingTemplate | list | `[]` |  |
+| controller.config | object | `{}` | Global configuration passed to the ConfigMap consumed by the controller. Values may contain Helm templates. Ref.: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ |
+| controller.configAnnotations | object | `{}` | Annotations to be added to the controller config configuration configmap. |
+| controller.configMapNamespace | string | `""` | Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) |
+| controller.containerName | string | `"controller"` | Configures the controller container name |
+| controller.containerPort | object | `{"http":80,"https":443}` | Configures the ports that the nginx-controller listens on |
+| controller.containerSecurityContext | object | `{}` | Security context for controller containers |
+| controller.customTemplate.configMapKey | string | `""` |  |
+| controller.customTemplate.configMapName | string | `""` |  |
+| controller.disableLeaderElection | bool | `false` | This configuration disable Nginx Controller Leader Election |
+| controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. |
+| controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. |
+| controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' |
+| controller.electionTTL | string | `""` | Duration a leader election is valid before it's getting re-elected, e.g. `15s`, `10m` or `1h`. (Default: 30s) |
+| controller.enableAnnotationValidations | bool | `true` |  |
+| controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # |
+| controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false |
+| controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use |
+| controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. |
+| controller.extraEnvs | list | `[]` | Additional environment variables to set |
+| controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. |
+| controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. |
+| controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. |
+| controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. |
+| controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. |
+| controller.healthCheckPath | string | `"/healthz"` | Path of the health check endpoint. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. |
+| controller.hostAliases | list | `[]` | Optionally customize the pod hostAliases. |
+| controller.hostNetwork | bool | `false` | Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 is merged |
+| controller.hostPort.enabled | bool | `false` | Enable 'hostPort' or not |
+| controller.hostPort.ports.http | int | `80` | 'hostPort' http port |
+| controller.hostPort.ports.https | int | `443` | 'hostPort' https port |
+| controller.hostname | object | `{}` | Optionally customize the pod hostname. |
+| controller.image.allowPrivilegeEscalation | bool | `false` |  |
+| controller.image.chroot | bool | `false` |  |
+| controller.image.digest | string | `"sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa"` |  |
+| controller.image.digestChroot | string | `"sha256:87c88e1c38a6c8d4483c8f70b69e2cca49853bb3ec3124b9b1be648edf139af3"` |  |
+| controller.image.image | string | `"ingress-nginx/controller"` |  |
+| controller.image.pullPolicy | string | `"IfNotPresent"` |  |
+| controller.image.readOnlyRootFilesystem | bool | `false` |  |
+| controller.image.runAsGroup | int | `82` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) |
+| controller.image.runAsNonRoot | bool | `true` |  |
+| controller.image.runAsUser | int | `101` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) |
+| controller.image.seccompProfile.type | string | `"RuntimeDefault"` |  |
+| controller.image.tag | string | `"v1.12.0"` |  |
+| controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
+| controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
+| controller.ingressClassResource | object | `{"aliases":[],"annotations":{},"controllerValue":"k8s.io/ingress-nginx","default":false,"enabled":true,"name":"nginx","parameters":{}}` | This section refers to the creation of the IngressClass resource. IngressClasses are immutable and cannot be changed after creation. We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required. |
+| controller.ingressClassResource.aliases | list | `[]` | Aliases of this IngressClass. Creates copies with identical settings but the respective alias as name. Useful for development environments with only one Ingress Controller but production-like Ingress resources. `default` gets enabled on the original IngressClass only. |
+| controller.ingressClassResource.annotations | object | `{}` | Annotations to be added to the IngressClass resource. |
+| controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller of the IngressClass. An Ingress Controller looks for IngressClasses it should reconcile by this value. This value is also being set as the `--controller-class` argument of this Ingress Controller. Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class |
+| controller.ingressClassResource.default | bool | `false` | If true, Ingresses without `ingressClassName` get assigned to this IngressClass on creation. Ingress creation gets rejected if there are multiple default IngressClasses. Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class |
+| controller.ingressClassResource.enabled | bool | `true` | Create the IngressClass or not |
+| controller.ingressClassResource.name | string | `"nginx"` | Name of the IngressClass |
+| controller.ingressClassResource.parameters | object | `{}` | A link to a custom resource containing additional configuration for the controller. This is optional if the controller consuming this IngressClass does not require additional parameters. Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class |
+| controller.keda.apiVersion | string | `"keda.sh/v1alpha1"` |  |
+| controller.keda.behavior | object | `{}` |  |
+| controller.keda.cooldownPeriod | int | `300` |  |
+| controller.keda.enabled | bool | `false` |  |
+| controller.keda.maxReplicas | int | `11` |  |
+| controller.keda.minReplicas | int | `1` |  |
+| controller.keda.pollingInterval | int | `30` |  |
+| controller.keda.restoreToOriginalReplicaCount | bool | `false` |  |
+| controller.keda.scaledObject.annotations | object | `{}` |  |
+| controller.keda.triggers | list | `[]` |  |
+| controller.kind | string | `"Deployment"` | Use a `DaemonSet` or `Deployment` |
+| controller.labels | object | `{}` | Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels # |
+| controller.lifecycle | object | `{"preStop":{"exec":{"command":["/wait-shutdown"]}}}` | Improve connection draining when ingress controller pod is deleted using a lifecycle hook: With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds to 300, allowing the draining of connections up to five minutes. If the active connections end before that, the pod will terminate gracefully at that time. To effectively take advantage of this feature, the Configmap feature worker-shutdown-timeout new value is 240s instead of 10s. # |
+| controller.livenessProbe.failureThreshold | int | `5` |  |
+| controller.livenessProbe.httpGet.path | string | `"/healthz"` |  |
+| controller.livenessProbe.httpGet.port | int | `10254` |  |
+| controller.livenessProbe.httpGet.scheme | string | `"HTTP"` |  |
+| controller.livenessProbe.initialDelaySeconds | int | `10` |  |
+| controller.livenessProbe.periodSeconds | int | `10` |  |
+| controller.livenessProbe.successThreshold | int | `1` |  |
+| controller.livenessProbe.timeoutSeconds | int | `1` |  |
+| controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. # https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/ |
+| controller.metrics.enabled | bool | `false` |  |
+| controller.metrics.port | int | `10254` |  |
+| controller.metrics.portName | string | `"metrics"` |  |
+| controller.metrics.prometheusRule.additionalLabels | object | `{}` |  |
+| controller.metrics.prometheusRule.annotations | object | `{}` | Annotations to be added to the PrometheusRule. |
+| controller.metrics.prometheusRule.enabled | bool | `false` |  |
+| controller.metrics.prometheusRule.rules | list | `[]` |  |
+| controller.metrics.service.annotations | object | `{}` |  |
+| controller.metrics.service.enabled | bool | `true` | Enable the metrics service or not. |
+| controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
+| controller.metrics.service.labels | object | `{}` | Labels to be added to the metrics service resource |
+| controller.metrics.service.loadBalancerSourceRanges | list | `[]` |  |
+| controller.metrics.service.servicePort | int | `10254` |  |
+| controller.metrics.service.type | string | `"ClusterIP"` |  |
+| controller.metrics.serviceMonitor.additionalLabels | object | `{}` |  |
+| controller.metrics.serviceMonitor.annotations | object | `{}` | Annotations to be added to the ServiceMonitor. |
+| controller.metrics.serviceMonitor.enabled | bool | `false` |  |
+| controller.metrics.serviceMonitor.labelLimit | int | `0` | Per-scrape limit on number of labels that will be accepted for a sample. |
+| controller.metrics.serviceMonitor.labelNameLengthLimit | int | `0` | Per-scrape limit on length of labels name that will be accepted for a sample. |
+| controller.metrics.serviceMonitor.labelValueLengthLimit | int | `0` | Per-scrape limit on length of labels value that will be accepted for a sample. |
+| controller.metrics.serviceMonitor.metricRelabelings | list | `[]` |  |
+| controller.metrics.serviceMonitor.namespace | string | `""` |  |
+| controller.metrics.serviceMonitor.namespaceSelector | object | `{}` |  |
+| controller.metrics.serviceMonitor.relabelings | list | `[]` |  |
+| controller.metrics.serviceMonitor.sampleLimit | int | `0` | Defines a per-scrape limit on the number of scraped samples that will be accepted. |
+| controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` |  |
+| controller.metrics.serviceMonitor.targetLabels | list | `[]` |  |
+| controller.metrics.serviceMonitor.targetLimit | int | `0` | Defines a limit on the number of scraped targets that will be accepted. |
+| controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. |
+| controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
+| controller.name | string | `"controller"` |  |
+| controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
+| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
+| controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # |
+| controller.podLabels | object | `{}` | Labels to add to the pod container metadata |
+| controller.podSecurityContext | object | `{}` | Security context for controller pods |
+| controller.priorityClassName | string | `""` |  |
+| controller.progressDeadlineSeconds | int | `0` | Specifies the number of seconds you want to wait for the controller deployment to progress before the system reports back that it has failed. Ref.: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds |
+| controller.proxySetHeaders | object | `{}` | Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers |
+| controller.publishService | object | `{"enabled":true,"pathOverride":""}` | Allows customization of the source of the IP address or FQDN to report in the ingress status field. By default, it reads the information provided by the service. If disable, the status field reports the IP address of the node or nodes where an ingress controller pod is running. |
+| controller.publishService.enabled | bool | `true` | Enable 'publishService' or not |
+| controller.publishService.pathOverride | string | `""` | Allows overriding of the publish service to bind to Must be <namespace>/<service_name> |
+| controller.readinessProbe.failureThreshold | int | `3` |  |
+| controller.readinessProbe.httpGet.path | string | `"/healthz"` |  |
+| controller.readinessProbe.httpGet.port | int | `10254` |  |
+| controller.readinessProbe.httpGet.scheme | string | `"HTTP"` |  |
+| controller.readinessProbe.initialDelaySeconds | int | `10` |  |
+| controller.readinessProbe.periodSeconds | int | `10` |  |
+| controller.readinessProbe.successThreshold | int | `1` |  |
+| controller.readinessProbe.timeoutSeconds | int | `1` |  |
+| controller.replicaCount | int | `1` |  |
+| controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply |
+| controller.resources.requests.cpu | string | `"100m"` |  |
+| controller.resources.requests.memory | string | `"90Mi"` |  |
+| controller.scope.enabled | bool | `false` | Enable 'scope' or not |
+| controller.scope.namespace | string | `""` | Namespace to limit the controller to; defaults to $(POD_NAMESPACE) |
+| controller.scope.namespaceSelector | string | `""` | When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. |
+| controller.service.annotations | object | `{}` | Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service. |
+| controller.service.appProtocol | bool | `true` | Declare the app protocol of the external HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol |
+| controller.service.clusterIP | string | `""` | Pre-defined cluster internal IP address of the external controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
+| controller.service.clusterIPs | list | `[]` | Pre-defined cluster internal IP addresses of the external controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
+| controller.service.enableHttp | bool | `true` | Enable the HTTP listener on both controller services or not. |
+| controller.service.enableHttps | bool | `true` | Enable the HTTPS listener on both controller services or not. |
+| controller.service.enabled | bool | `true` | Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service. |
+| controller.service.external.enabled | bool | `true` | Enable the external controller service or not. Useful for internal-only deployments. |
+| controller.service.external.labels | object | `{}` | Labels to be added to the external controller service. |
+| controller.service.externalIPs | list | `[]` | List of node IP addresses at which the external controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips |
+| controller.service.externalTrafficPolicy | string | `""` | External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
+| controller.service.internal.annotations | object | `{}` | Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer |
+| controller.service.internal.appProtocol | bool | `true` | Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol |
+| controller.service.internal.clusterIP | string | `""` | Pre-defined cluster internal IP address of the internal controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
+| controller.service.internal.clusterIPs | list | `[]` | Pre-defined cluster internal IP addresses of the internal controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
+| controller.service.internal.enabled | bool | `false` | Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this. |
+| controller.service.internal.externalIPs | list | `[]` | List of node IP addresses at which the internal controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips |
+| controller.service.internal.externalTrafficPolicy | string | `""` | External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
+| controller.service.internal.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
+| controller.service.internal.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
+| controller.service.internal.labels | object | `{}` | Labels to be added to the internal controller service. |
+| controller.service.internal.loadBalancerClass | string | `""` | Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class |
+| controller.service.internal.loadBalancerIP | string | `""` | Deprecated: Pre-defined IP address of the internal controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer |
+| controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access to the internal controller service. Values must be CIDRs. Allows any source address by default. |
+| controller.service.internal.nodePorts.http | string | `""` | Node port allocated for the internal HTTP listener. If left empty, the service controller allocates one from the configured node port range. |
+| controller.service.internal.nodePorts.https | string | `""` | Node port allocated for the internal HTTPS listener. If left empty, the service controller allocates one from the configured node port range. |
+| controller.service.internal.nodePorts.tcp | object | `{}` | Node port mapping for internal TCP listeners. If left empty, the service controller allocates them from the configured node port range. Example: tcp:   8080: 30080 |
+| controller.service.internal.nodePorts.udp | object | `{}` | Node port mapping for internal UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp:   53: 30053 |
+| controller.service.internal.ports | object | `{}` |  |
+| controller.service.internal.sessionAffinity | string | `""` | Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity |
+| controller.service.internal.targetPorts | object | `{}` |  |
+| controller.service.internal.trafficDistribution | string | `""` | Traffic distribution policy of the internal controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution |
+| controller.service.internal.type | string | `""` | Type of the internal controller service. Defaults to the value of `controller.service.type`. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
+| controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
+| controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
+| controller.service.labels | object | `{}` | Labels to be added to both controller services. |
+| controller.service.loadBalancerClass | string | `""` | Load balancer class of the external controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class |
+| controller.service.loadBalancerIP | string | `""` | Deprecated: Pre-defined IP address of the external controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer |
+| controller.service.loadBalancerSourceRanges | list | `[]` | Restrict access to the external controller service. Values must be CIDRs. Allows any source address by default. |
+| controller.service.nodePorts.http | string | `""` | Node port allocated for the external HTTP listener. If left empty, the service controller allocates one from the configured node port range. |
+| controller.service.nodePorts.https | string | `""` | Node port allocated for the external HTTPS listener. If left empty, the service controller allocates one from the configured node port range. |
+| controller.service.nodePorts.tcp | object | `{}` | Node port mapping for external TCP listeners. If left empty, the service controller allocates them from the configured node port range. Example: tcp:   8080: 30080 |
+| controller.service.nodePorts.udp | object | `{}` | Node port mapping for external UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp:   53: 30053 |
+| controller.service.ports.http | int | `80` | Port the external HTTP listener is published with. |
+| controller.service.ports.https | int | `443` | Port the external HTTPS listener is published with. |
+| controller.service.sessionAffinity | string | `""` | Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity |
+| controller.service.targetPorts.http | string | `"http"` | Port of the ingress controller the external HTTP listener is mapped to. |
+| controller.service.targetPorts.https | string | `"https"` | Port of the ingress controller the external HTTPS listener is mapped to. |
+| controller.service.trafficDistribution | string | `""` | Traffic distribution policy of the external controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution |
+| controller.service.type | string | `"LoadBalancer"` | Type of the external controller service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
+| controller.shareProcessNamespace | bool | `false` |  |
+| controller.sysctls | object | `{}` | sysctls for controller pods # Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ |
+| controller.tcp.annotations | object | `{}` | Annotations to be added to the tcp config configmap |
+| controller.tcp.configMapNamespace | string | `""` | Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) |
+| controller.terminationGracePeriodSeconds | int | `300` | `terminationGracePeriodSeconds` to avoid killing pods before we are ready # wait up to five minutes for the drain of connections # |
+| controller.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # |
+| controller.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. # Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ # |
+| controller.udp.annotations | object | `{}` | Annotations to be added to the udp config configmap |
+| controller.udp.configMapNamespace | string | `""` | Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) |
+| controller.unhealthyPodEvictionPolicy | string | `""` | Eviction policy for unhealthy pods guarded by PodDisruptionBudget. Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ |
+| controller.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
+| controller.watchIngressWithoutClass | bool | `false` | Process Ingress objects without ingressClass annotation/ingressClassName field Overrides value for --watch-ingress-without-class flag of the controller binary Defaults to false |
+| defaultBackend.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity |
+| defaultBackend.autoscaling.annotations | object | `{}` |  |
+| defaultBackend.autoscaling.enabled | bool | `false` |  |
+| defaultBackend.autoscaling.maxReplicas | int | `2` |  |
+| defaultBackend.autoscaling.minReplicas | int | `1` |  |
+| defaultBackend.autoscaling.targetCPUUtilizationPercentage | int | `50` |  |
+| defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` |  |
+| defaultBackend.containerSecurityContext | object | `{}` | Security context for default backend containers |
+| defaultBackend.enabled | bool | `false` |  |
+| defaultBackend.extraArgs | object | `{}` |  |
+| defaultBackend.extraConfigMaps | list | `[]` |  |
+| defaultBackend.extraEnvs | list | `[]` | Additional environment variables to set for defaultBackend pods |
+| defaultBackend.extraVolumeMounts | list | `[]` |  |
+| defaultBackend.extraVolumes | list | `[]` |  |
+| defaultBackend.image.allowPrivilegeEscalation | bool | `false` |  |
+| defaultBackend.image.image | string | `"defaultbackend-amd64"` |  |
+| defaultBackend.image.pullPolicy | string | `"IfNotPresent"` |  |
+| defaultBackend.image.readOnlyRootFilesystem | bool | `true` |  |
+| defaultBackend.image.runAsGroup | int | `65534` |  |
+| defaultBackend.image.runAsNonRoot | bool | `true` |  |
+| defaultBackend.image.runAsUser | int | `65534` |  |
+| defaultBackend.image.seccompProfile.type | string | `"RuntimeDefault"` |  |
+| defaultBackend.image.tag | string | `"1.5"` |  |
+| defaultBackend.labels | object | `{}` | Labels to be added to the default backend resources |
+| defaultBackend.livenessProbe.failureThreshold | int | `3` |  |
+| defaultBackend.livenessProbe.initialDelaySeconds | int | `30` |  |
+| defaultBackend.livenessProbe.periodSeconds | int | `10` |  |
+| defaultBackend.livenessProbe.successThreshold | int | `1` |  |
+| defaultBackend.livenessProbe.timeoutSeconds | int | `5` |  |
+| defaultBackend.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. |
+| defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
+| defaultBackend.name | string | `"defaultbackend"` |  |
+| defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
+| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
+| defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # |
+| defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata |
+| defaultBackend.podSecurityContext | object | `{}` | Security context for default backend pods |
+| defaultBackend.port | int | `8080` |  |
+| defaultBackend.priorityClassName | string | `""` |  |
+| defaultBackend.readinessProbe.failureThreshold | int | `6` |  |
+| defaultBackend.readinessProbe.initialDelaySeconds | int | `0` |  |
+| defaultBackend.readinessProbe.periodSeconds | int | `5` |  |
+| defaultBackend.readinessProbe.successThreshold | int | `1` |  |
+| defaultBackend.readinessProbe.timeoutSeconds | int | `5` |  |
+| defaultBackend.replicaCount | int | `1` |  |
+| defaultBackend.resources | object | `{}` |  |
+| defaultBackend.service.annotations | object | `{}` |  |
+| defaultBackend.service.clusterIPs | list | `[]` | Pre-defined cluster internal IP addresses of the default backend service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
+| defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
+| defaultBackend.service.loadBalancerSourceRanges | list | `[]` |  |
+| defaultBackend.service.servicePort | int | `80` |  |
+| defaultBackend.service.type | string | `"ClusterIP"` |  |
+| defaultBackend.serviceAccount.automountServiceAccountToken | bool | `true` |  |
+| defaultBackend.serviceAccount.create | bool | `true` |  |
+| defaultBackend.serviceAccount.name | string | `""` |  |
+| defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # |
+| defaultBackend.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. Ref.: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ |
+| defaultBackend.unhealthyPodEvictionPolicy | string | `""` | Eviction policy for unhealthy pods guarded by PodDisruptionBudget. Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ |
+| defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
+| dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param |
+| global.image.registry | string | `"registry.k8s.io"` | Registry host to pull images from. |
+| imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
+| namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace |
+| portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration |
+| rbac.create | bool | `true` |  |
+| rbac.scope | bool | `false` |  |
+| revisionHistoryLimit | int | `10` | Rollback limit # |
+| serviceAccount.annotations | object | `{}` | Annotations for the controller service account |
+| serviceAccount.automountServiceAccountToken | bool | `true` |  |
+| serviceAccount.create | bool | `true` |  |
+| serviceAccount.name | string | `""` |  |
+| tcp | object | `{}` | TCP service key-value pairs # Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md # |
+| udp | object | `{}` | UDP service key-value pairs # Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md # |
--- a/charts/ingress-nginx/README.md.gotmpl
+++ b/charts/ingress-nginx/README.md.gotmpl
@ -0,0 +1,247 @@
+{{ template "chart.header" . }}
+[ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
+
+{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
+
+To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
+
+This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+{{ template "chart.requirementsSection" . }}
+
+## Get Repo Info
+
+```console
+helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+helm repo update
+```
+
+## Install Chart
+
+**Important:** only helm3 is supported
+
+```console
+helm install [RELEASE_NAME] ingress-nginx/ingress-nginx
+```
+
+The command deploys ingress-nginx on the Kubernetes cluster in the default configuration.
+
+_See [configuration](#configuration) below._
+
+_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
+
+## Uninstall Chart
+
+```console
+helm uninstall [RELEASE_NAME]
+```
+
+This removes all the Kubernetes components associated with the chart and deletes the release.
+
+_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._
+
+## Upgrading Chart
+
+```console
+helm upgrade [RELEASE_NAME] [CHART] --install
+```
+
+_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._
+
+### Migrating from stable/nginx-ingress
+
+There are two main ways to migrate a release from `stable/nginx-ingress` to `ingress-nginx/ingress-nginx` chart:
+
+1. For Nginx Ingress controllers used for non-critical services, the easiest method is to [uninstall](#uninstall-chart) the old release and [install](#install-chart) the new one
+1. For critical services in production that require zero-downtime, you will want to:
+    1. [Install](#install-chart) a second Ingress controller
+    1. Redirect your DNS traffic from the old controller to the new controller
+    1. Log traffic from both controllers during this changeover
+    1. [Uninstall](#uninstall-chart) the old controller once traffic has fully drained from it
+
+Note that there are some different and upgraded configurations between the two charts, described by Rimas Mocevicius from JFrog in the "Upgrading to ingress-nginx Helm chart" section of [Migrating from Helm chart nginx-ingress to ingress-nginx](https://rimusz.net/migrating-to-ingress-nginx). As the `ingress-nginx/ingress-nginx` chart continues to update, you will want to check current differences by running [helm configuration](#configuration) commands on both charts.
+
+## Configuration
+
+See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands:
+
+```console
+helm show values ingress-nginx/ingress-nginx
+```
+
+### PodDisruptionBudget
+
+Note that the PodDisruptionBudget resource will only be defined if the replicaCount is greater than one,
+else it would make it impossible to evacuate a node. See [gh issue #7127](https://github.com/helm/charts/issues/7127) for more info.
+
+### Prometheus Metrics
+
+The Ingress-Nginx Controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`.
+
+You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`.
+Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. And set `controller.metrics.serviceMonitor.additionalLabels.release="prometheus"`. "release=prometheus" should match the label configured in the prometheus servicemonitor ( see `kubectl get servicemonitor prometheus-kube-prom-prometheus -oyaml -n prometheus`)
+
+### ingress-nginx nginx\_status page/stats server
+
+Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in Ingress-Nginx Controller:
+
+- In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed
+- In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost.
+  You can use `curl --unix-socket /tmp/nginx-status-server.sock http://localhost/nginx_status` inside the controller container to access it locally, or use the snippet from [nginx-ingress changelog](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230) to re-enable the http server
+
+### ExternalDNS Service Configuration
+
+Add an [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) annotation to the LoadBalancer service:
+
+```yaml
+controller:
+  service:
+    annotations:
+      external-dns.alpha.kubernetes.io/hostname: kubernetes-example.com.
+```
+
+### AWS L7 ELB with SSL Termination
+
+Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/ab3a789caae65eec4ad6e3b46b19750b481b6bce/deploy/aws/l7/service-l7.yaml):
+
+```yaml
+controller:
+  service:
+    targetPorts:
+      http: http
+      https: http
+    annotations:
+      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:XX-XXXX-X:XXXXXXXXX:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX
+      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
+      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
+      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
+```
+
+### Additional Internal Load Balancer
+
+This setup is useful when you need both external and internal load balancers but don't want to have multiple ingress controllers and multiple ingress objects per application.
+
+By default, the ingress object will point to the external load balancer address, but if correctly configured, you can make use of the internal one if the URL you are looking up resolves to the internal load balancer's URL.
+
+You'll need to set both the following values:
+
+`controller.service.internal.enabled`
+`controller.service.internal.annotations`
+
+If one of them is missing the internal load balancer will not be deployed. Example you may have `controller.service.internal.enabled=true` but no annotations set, in this case no action will be taken.
+
+`controller.service.internal.annotations` varies with the cloud service you're using.
+
+Example for AWS:
+
+```yaml
+controller:
+  service:
+    internal:
+      enabled: true
+      annotations:
+        # Create internal NLB
+        service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
+        # Create internal ELB(Deprecated)
+        # service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+        # Any other annotation can be declared here.
+```
+
+Example for GCE:
+
+```yaml
+controller:
+  service:
+    internal:
+      enabled: true
+      annotations:
+        # Create internal LB. More information: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing
+        # For GKE versions 1.17 and later
+        networking.gke.io/load-balancer-type: "Internal"
+        # For earlier versions
+        # cloud.google.com/load-balancer-type: "Internal"
+
+        # Any other annotation can be declared here.
+```
+
+Example for Azure:
+
+```yaml
+controller:
+  service:
+      annotations:
+        # Create internal LB
+        service.beta.kubernetes.io/azure-load-balancer-internal: "true"
+        # Any other annotation can be declared here.
+```
+
+Example for Oracle Cloud Infrastructure:
+
+```yaml
+controller:
+  service:
+      annotations:
+        # Create internal LB
+        service.beta.kubernetes.io/oci-load-balancer-internal: "true"
+        # Any other annotation can be declared here.
+```
+
+The load balancer annotations of more cloud service providers can be found: [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer).
+
+An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object.
+
+Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`.
+
+### Ingress Admission Webhooks
+
+With nginx-ingress-controller version 0.25+, the Ingress-Nginx Controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
+**This feature is enabled by default since 0.31.0.**
+
+With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521)
+
+#### How the Chart Configures the Hooks
+A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks.
+
+1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits.
+2. The Ingress-Nginx Controller pod is configured to use a TLS proxy container, which will load that certificate.
+3. Validating and Mutating webhook configurations are created in the cluster.
+4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations
+
+#### Alternatives
+It should be possible to use [cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) if a more complete solution is required.
+
+You can enable automatic self-signed TLS certificate provisioning via cert-manager by setting the `controller.admissionWebhooks.certManager.enabled` value to true.
+
+Please ensure that cert-manager is correctly installed and configured.
+
+### Helm Error When Upgrading: spec.clusterIP: Invalid value: ""
+
+If you are upgrading this chart from a version between 0.31.0 and 1.2.2 then you may get an error like this:
+
+```console
+Error: UPGRADE FAILED: Service "?????-controller" is invalid: spec.clusterIP: Invalid value: "": field is immutable
+```
+
+Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13646) but to resolve this you can set `xxxx.service.omitClusterIP` to `true` where `xxxx` is the service referenced in the error.
+
+As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered.
+
+### Pod Security Admission
+
+You can use Pod Security Admission by applying labels to the `ingress-nginx` namespace as instructed by the [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels).
+
+Example:
+
+```yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ingress-nginx
+  labels:
+    kubernetes.io/metadata.name: ingress-nginx
+    name: ingress-nginx
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: v1.31
+```
+
+{{ template "chart.valuesSection" . }}
--- a/charts/ingress-nginx/changelog/helm-chart-2.10.0.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.10.0.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.10.0
+
+* [#5843](https://github.com/kubernetes/ingress-nginx/pull/5843) Update jettech/kube-webhook-certgen image
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.9.1...ingress-nginx-2.10.0
--- a/charts/ingress-nginx/changelog/helm-chart-2.11.0.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.11.0.md
@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.11.0
+
+* [#5879](https://github.com/kubernetes/ingress-nginx/pull/5879) Update helm chart for v0.34.0
+* [#5671](https://github.com/kubernetes/ingress-nginx/pull/5671) Make liveness probe more fault tolerant than readiness probe
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.10.0...ingress-nginx-2.11.0
--- a/charts/ingress-nginx/changelog/helm-chart-2.11.1.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.11.1.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.11.1
+
+* [#5900](https://github.com/kubernetes/ingress-nginx/pull/5900) Release helm chart for v0.34.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.11.0...ingress-nginx-2.11.1
--- a/charts/ingress-nginx/changelog/helm-chart-2.11.2.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.11.2.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.11.2
+
+* [#5951](https://github.com/kubernetes/ingress-nginx/pull/5951) Bump chart patch version
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.11.1...ingress-nginx-2.11.2
--- a/charts/ingress-nginx/changelog/helm-chart-2.11.3.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.11.3.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.11.3
+
+* [#6038](https://github.com/kubernetes/ingress-nginx/pull/6038) Bump chart version PATCH
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.11.2...ingress-nginx-2.11.3
--- a/charts/ingress-nginx/changelog/helm-chart-2.12.0.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.12.0.md
@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.12.0
+
+* [#6039](https://github.com/kubernetes/ingress-nginx/pull/6039) Add configurable serviceMonitor metricRelabelling and targetLabels
+* [#6044](https://github.com/kubernetes/ingress-nginx/pull/6044) Fix YAML linting
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.11.3...ingress-nginx-2.12.0
--- a/charts/ingress-nginx/changelog/helm-chart-2.12.1.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.12.1.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.12.1
+
+* [#6075](https://github.com/kubernetes/ingress-nginx/pull/6075) Sync helm chart affinity examples
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.12.0...ingress-nginx-2.12.1
--- a/charts/ingress-nginx/changelog/helm-chart-2.13.0.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.13.0.md
@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.13.0
+
+* [#6093](https://github.com/kubernetes/ingress-nginx/pull/6093) Release v0.35.0
+* [#6080](https://github.com/kubernetes/ingress-nginx/pull/6080) Switch images to k8s.gcr.io after Vanity Domain Flip
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.12.1...ingress-nginx-2.13.0
--- a/charts/ingress-nginx/changelog/helm-chart-2.14.0.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.14.0.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.14.0
+
+* [#6104](https://github.com/kubernetes/ingress-nginx/pull/6104) Misc fixes for nginx-ingress chart for better keel and prometheus-operator integration
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.13.0...ingress-nginx-2.14.0
--- a/charts/ingress-nginx/changelog/helm-chart-2.15.0.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.15.0.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.15.0
+
+* [#6087](https://github.com/kubernetes/ingress-nginx/pull/6087) Adding parameter for externalTrafficPolicy in internal controller service spec
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.14.0...ingress-nginx-2.15.0
--- a/charts/ingress-nginx/changelog/helm-chart-2.16.0.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.16.0.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.16.0
+
+* [#6154](https://github.com/kubernetes/ingress-nginx/pull/6154) add `topologySpreadConstraint` to controller
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.15.0...ingress-nginx-2.16.0
--- a/charts/ingress-nginx/changelog/helm-chart-2.9.0.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.9.0.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.9.0
+
+* [#5795](https://github.com/kubernetes/ingress-nginx/pull/5795) Use fully qualified images to avoid cri-o issues
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-TODO...ingress-nginx-2.9.0
--- a/charts/ingress-nginx/changelog/helm-chart-2.9.1.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.9.1.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.9.1
+
+* [#5823](https://github.com/kubernetes/ingress-nginx/pull/5823) Add quoting to sysctls because numeric values need to be presented as strings (#5823)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.9.0...ingress-nginx-2.9.1
--- a/charts/ingress-nginx/changelog/helm-chart-3.0.0.md
+++ b/charts/ingress-nginx/changelog/helm-chart-3.0.0.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.0.0
+
+* [#6167](https://github.com/kubernetes/ingress-nginx/pull/6167) Update chart requirements
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.16.0...ingress-nginx-3.0.0
--- a/Show more
+++ b/Show more
				`@ -0,0 +1 @@`
				`registry.k8s.io/ingress-nginx/nginx:v2.0.0@sha256:3e7bda4cf5111d283ed1e4ff5cc9a2b5cdc5ebe62d50ba67473d3e25b1389133`