Bump github.com/spf13/cobra from 1.8.1 to 1.9.1 (#12859 )

Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bump the go group across 3 directories with 11 updates (#12857 )
2025-02-17 04:30:24 -08:00 · 2025-02-17 03:32:22 -08:00 · 2025-02-17 03:16:23 -08:00 · 2025-02-17 02:18:22 -08:00 · 2025-02-15 01:10:20 -08:00 · 2025-02-14 14:48:21 -08:00
1050 changed files with 103324 additions and 101333 deletions
--- a/.codecov.yml
+++ b/.codecov.yml
@ -1,8 +0,0 @@
-coverage:
-  status:
-    project:
-      default:
-        target: 40%
-        threshold: null
-    patch: false
-    changes: false
--- a/hack/verify-chart-lint.sh
+++ b/hack/verify-chart-lint.sh
@ -1,6 +1,4 @@
-#!/bin/bash
-
-# Copyright 2020 The Kubernetes Authors.
+# Copyright 2024 The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -13,11 +11,16 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+---
+remote: origin
+target-branch: main

-set -o errexit
-set -o nounset
-set -o pipefail
+validate-maintainers: false
+check-version-increment: false

-KUBE_ROOT="$( cd "$(dirname "$0")../" >/dev/null 2>&1 ; pwd -P )"
+chart-repos:
+  - ingress-nginx=https://kubernetes.github.io/ingress-nginx
+helm-extra-args: --timeout 800s

-ct lint --charts ${KUBE_ROOT}/charts/ingress-nginx --validate-maintainers=false
+chart-dirs:
+  - charts
--- a/.gcloudignore
+++ b/.gcloudignore
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -10,7 +10,8 @@ assignees: ''
 <!--

 Welcome to ingress-nginx!  For a smooth issue process, try to answer the following questions.
-Don't worry if they're not all applicable; just try to include what you can :-)
+Don't worry if they're not all applicable; just try to include what you can :-).
+More info helps better understanding of the issue (needless to say).

 If you need to include code snippets or logs, please put them in fenced code
 blocks.  If they're super-long, please use the details tag like
@ -27,7 +28,16 @@ This questions are the first thing we need to know to understand the context.

 -->

-**NGINX Ingress controller version** (exec into the pod and run nginx-ingress-controller --version.):
+**What happened**:
+
+<!-- (please include exact error messages if you can) -->
+
+**What you expected to happen**:
+
+<!-- What do you think went wrong? -->
+
+
+**NGINX Ingress controller version** (exec into the pod and run `/nginx-ingress-controller --version`):
 <!--
 POD_NAMESPACE=ingress-nginx
 POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/name=ingress-nginx --field-selector=status.phase=Running -o jsonpath='{.items[0].metadata.name}')
@ -50,7 +60,7 @@ kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --vers

 - **How was the ingress-nginx-controller installed**:
  - If helm was used then please show output of `helm ls -A | grep -i ingress`
-  - If helm was used then please show output of `helm -n <ingresscontrollernamepspace> get values <helmreleasename>`
+  - If helm was used then please show output of `helm -n <ingresscontrollernamespace> get values <helmreleasename>`
  - If helm was not used, then copy/paste the complete precise command used to install the controller, along with the flags and options used
  - if you have more than one instance of the ingress-nginx-controller installed in the same cluster, please provide details for all the instances

@ -61,7 +71,7 @@ kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --vers
  - `kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>`

 - **Current state of ingress object, if applicable**:
-  - `kubectl -n <appnnamespace> get all,ing -o wide`
+  - `kubectl -n <appnamespace> get all,ing -o wide`
  - `kubectl -n <appnamespace> describe ing <ingressname>`
  - If applicable, then, your complete and exact curl/grpcurl command (redacted if required) and the reponse to the curl/grpcurl command with the -v flag

@ -71,15 +81,8 @@ kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --vers
    - `kubectl describe ...` of any custom configmap(s) created and in use
    - Any other related information that may help

-**What happened**:

-<!-- (please include exact error messages if you can) -->
-
-**What you expected to happen**:
-
-<!-- What do you think went wrong? -->
-
-**How to reproduce it**:
+**How to reproduce this issue**:
 <!---

 As minimally and precisely as possible. Keep in mind we do not have access to your cluster or application.
--- a/.github/ISSUE_TEMPLATE/cve_report.md
+++ b/.github/ISSUE_TEMPLATE/cve_report.md
@ -0,0 +1,20 @@
+---
+name: CVE Finding Report
+about: CVE reporting for ingress-nginx
+title: ''
+labels: kind/bug
+assignees:
+    - Gacko
+    - strongjz
+---
+
+<!-- if you found something that impacts directly ingress-nginx and
+is not a public CVE yet, please reach out security@kubernetes.io" -->
+
+<!-- What scanner and version reported the CVE? -->
+
+<!-- What CVE was reported in the scanner findings? -->
+
+<!-- What versions of the controller did you test with?  -->
+
+<!-- Please provider other details that will help us determine the severity of the issue -->
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@ -7,18 +7,6 @@ assignees: ''

 ---

-<!--
-
-Welcome to ingress-nginx!  For a smooth feature request process, try to
-answer the following questions. Don't worry if they're not all applicable; just
-try to include what you can :-)
-
-If you need to include code snippets or logs, please put them in fenced code
-blocks.  If they're super-long, please use the details tag like
-<details><summary>super-long log</summary> lots of stuff </details>
-
-->
-
 <!-- What do you want to happen? -->

 <!-- Is there currently another issue associated with this? -->
@ -30,4 +18,4 @@ blocks.  If they're super-long, please use the details tag like
 <!-- 
 /kind documentation
 /remove-kind feature
-->
+-->
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@ -1,5 +1,6 @@
 <!--- Provide a general summary of your changes in the Title above --->
 <!--- Please don't @-mention people in PR or commit messages (do so in an additional comment). --->
+<!--- Please make sure you title is descriptive, it is used in the Release notes to let others know what it does ---> 

 ## What this PR does / why we need it:
 <!--- Why is this change required? What problem does it solve? -->
@ -9,6 +10,7 @@
 <!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: -->
 - [ ] Bug fix (non-breaking change which fixes an issue)
 - [ ] New feature (non-breaking change which adds functionality)
+- [ ] CVE Report (Scanner found CVE and adding report)
 - [ ] Breaking change (fix or feature that would cause existing functionality to change)
 - [ ] Documentation only

@ -30,5 +32,5 @@ fixes #
 - [ ] My change requires a change to the documentation.
 - [ ] I have updated the documentation accordingly.
 - [ ] I've read the [CONTRIBUTION](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md) guide
- [ ] I have added tests to cover my changes.
+- [ ] I have added unit and/or e2e tests to cover my changes.
 - [ ] All new and existing tests passed.
--- a/.github/actions/mkdocs/Dockerfile
+++ b/.github/actions/mkdocs/Dockerfile
@ -1,6 +1,4 @@
-FROM squidfunk/mkdocs-material:6.2.4
-
-RUN pip install mkdocs-awesome-pages-plugin
+FROM squidfunk/mkdocs-material:9.4.5

 COPY action.sh /action.sh

--- a/.github/actions/mkdocs/action.sh
+++ b/.github/actions/mkdocs/action.sh
@ -16,7 +16,7 @@

 set -e

-REQUIREMENTS="${GITHUB_WORKSPACE}/requirements.txt"
+REQUIREMENTS="${GITHUB_WORKSPACE}/docs/requirements.txt"

 if [ -f "${REQUIREMENTS}" ]; then
    pip install -r "${REQUIREMENTS}"
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -1,7 +1,43 @@
---
 version: 2
 updates:
-  - package-ecosystem: "gomod"
+  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
+    labels:
+      - "area/dependency"
+      - "release-note-none"
+      - "ok-to-test"
+    groups:
+      actions:
+        update-types:
+          - "minor"
+          - "patch"
+  - package-ecosystem: "docker"
+    directories:
+      - "**/rootfs"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "area/dependency"
+      - "release-note-none"
+      - "ok-to-test"
+    groups:
+      docker:
+        update-types:
+          - "minor"
+          - "patch"
+  - package-ecosystem: "gomod"
+    directories:
+      - "/"
+      - "**/rootfs"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "area/dependency"
+      - "release-note-none"
+      - "ok-to-test"
+    groups:
+      go:
+        update-types:
+          - "patch"
--- a/.github/workflows/chart.yaml
+++ b/.github/workflows/chart.yaml
@ -0,0 +1,64 @@
+name: Chart
+
+on:
+  push:
+    branches:
+      - main
+      - release-*
+    paths:
+      - charts/ingress-nginx/Chart.yaml
+  
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+
+    steps:
+      - name: Set up Python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        with:
+          python-version: 3.x
+
+      - name: Set up Helm
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+
+      - name: Set up Helm Chart Testing
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
+
+      - name: Set up Artifact Hub
+        run: |
+          curl --fail --location https://github.com/artifacthub/hub/releases/download/v1.20.0/ah_1.20.0_linux_amd64.tar.gz --output /tmp/ah.tar.gz
+          echo "9027626f19ff9f3ac668f222917130ac885e289e922e1428bfd2e7f066324e31  /tmp/ah.tar.gz" | shasum --check
+          sudo tar --extract --file /tmp/ah.tar.gz --directory /usr/local/bin ah
+
+      - name: Set up Git
+        run: |
+          git config --global user.name "${GITHUB_ACTOR}"
+          git config --global user.email "${GITHUB_ACTOR}@users.noreply.github.com"
+
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Lint chart
+        run: |
+          ct lint --config .ct.yaml
+          ah lint --path charts/ingress-nginx
+
+      - name: Release chart
+        uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0
+        env:
+          CR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CR_RELEASE_NAME_TEMPLATE: helm-chart-{{ .Version }}
+          CR_SKIP_EXISTING: true
+        with:
+          charts_dir: charts
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@ -4,10 +4,30 @@ on:
  pull_request:
    branches:
      - "*"
+    paths-ignore:
+      - 'docs/**'
+      - 'deploy/**'
+      - '**.md'
+      - 'images/**' # Images changes should be tested on their own workflow
+      - '!images/nginx/**'

  push:
    branches:
      - main
+      - release-*
+    paths-ignore:
+      - 'docs/**'
+      - 'deploy/**'
+      - '**.md'
+      - 'images/**' # Images changes should be tested on their own workflow
+
+  workflow_dispatch:
+    inputs:
+      run_e2e:
+        description: 'Force e2e to run'
+        required: false
+        type: boolean
+

 permissions:
  contents: read
@ -22,13 +42,14 @@ jobs:
    outputs:
      go: ${{ steps.filter.outputs.go }}
      charts: ${{ steps.filter.outputs.charts }}
+      baseimage: ${{ steps.filter.outputs.baseimage }}

    steps:

      - name: Checkout
-        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

-      - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        id: filter
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
@ -40,59 +61,128 @@ jobs:
              - 'rootfs/**/*'
              - 'TAG'
              - 'test/e2e/**/*'
+              - 'NGINX_BASE'
            charts:
              - 'charts/ingress-nginx/Chart.yaml'
              - 'charts/ingress-nginx/**/*'
+              - 'NGINX_BASE'
+            baseimage:
+              - 'NGINX_BASE'
+              - 'images/nginx/**'
+            docs:
+              - '**/*.md'
+            lua:
+              - '**/*.lua'

-  security:
+  lua-lint:
    runs-on: ubuntu-latest
+    needs: changes
+    if: |
+      (needs.changes.outputs.lua == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
    steps:
-
      - name: Checkout
-        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
-
-      - name: Run Gosec Security Scanner
-        uses: securego/gosec@b99b5f7838e43a4104354ad92a6a1774302ee1f9 # master
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      
+      - name: Lint Lua
+        uses: lunarmodules/luacheck@v1
        with:
-          # G601 for zz_generated.deepcopy.go
-          # G306 TODO: Expect WriteFile permissions to be 0600 or less
-          # G307 TODO: Deferring unsafe method "Close"
-          args: -exclude=G109,G601,G104,G204,G304,G306,G307 -tests=false -exclude-dir=test -exclude-dir=images/  -exclude-dir=docs/ ./...
+          args: --codes --globals lua_ingress --globals configuration --globals balancer --globals monitor --globals certificate --globals tcp_udp_configuration --globals tcp_udp_balancer --no-max-comment-line-length -q rootfs/etc/nginx/lua/
+
+  test-go:
+    runs-on: ubuntu-latest
+    needs: changes
+    if: |
+      (needs.changes.outputs.go == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Get go version
+        run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
+
+      - name: Set up Go
+        id: go
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version: ${{ env.GOLANG_VERSION }}
+          check-latest: true
+
+      - name: Run test
+        run: make test
+
+        
+  verify-docs:
+    name: Verify Doc generation
+    runs-on: ubuntu-latest
+    needs: changes
+    if: |
+      (needs.changes.outputs.go == 'true') || (needs.changes.outputs.docs == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Get go version
+        run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
+      - name: Set up Go
+        id: go
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version: ${{ env.GOLANG_VERSION }}
+          check-latest: true
+      - name: Verify Docs
+        run: make verify-docs

  build:
    name: Build
    runs-on: ubuntu-latest
    needs: changes
+    outputs:
+      golangversion: ${{ steps.golangversion.outputs.version }}
+    if: |
+      (needs.changes.outputs.go == 'true') || (needs.changes.outputs.charts == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}

+    env:
+        PLATFORMS: linux/amd64
    steps:
-
      - name: Checkout
-        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

-      - name: Set up Go 1.17
+      - name: Get go version
+        id: golangversion
+        run: |
+          echo "version=$(cat GOLANG_VERSION)" >> "$GITHUB_OUTPUT"
+
+      - name: Set up Go
        id: go
-        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
-          go-version: '1.17.6'
+          go-version: ${{ steps.golangversion.outputs.version }}
+          check-latest: true
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0

      - name: Set up Docker Buildx
        id: buildx
-        uses: crazy-max/ghaction-docker-buildx@e01797ad2ea9a981005ad58c99afa8d842e3d3eb # v1
+        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
        with:
-          buildx-version: latest
-          qemu-version: latest
+          version: latest

      - name: Available platforms
        run: echo ${{ steps.buildx.outputs.platforms }}

      - name: Prepare Host
        run: |
-          sudo apt-get -qq update || true
-          sudo apt-get install -y pigz
-          curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.17.0/bin/linux/amd64/kubectl
+          curl -LO https://dl.k8s.io/release/v1.32.2/bin/linux/amd64/kubectl
          chmod +x ./kubectl
          sudo mv ./kubectl /usr/local/bin/kubectl

+      - name: Build NGINX Base image
+        if: |
+          needs.changes.outputs.baseimage == 'true'
+        run: |
+            export TAG=$(cat images/nginx/TAG)
+            cd images/nginx/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --load -t registry.k8s.io/ingress-nginx/nginx:${TAG} .
+
      - name: Build images
        env:
          TAG: 1.0.0-dev
@ -100,7 +190,8 @@ jobs:
          REGISTRY: ingress-controller
        run: |
          echo "building images..."
-          make clean-image build image image-chroot
+          export TAGNGINX=$(cat images/nginx/TAG)
+          make BASE_IMAGE=registry.k8s.io/ingress-nginx/nginx:${TAGNGINX} clean-image build image image-chroot
          make -C test/e2e-image image

          echo "creating images cache..."
@ -108,309 +199,124 @@ jobs:
            nginx-ingress-controller:e2e \
            ingress-controller/controller:1.0.0-dev \
            ingress-controller/controller-chroot:1.0.0-dev \
-            | pigz > docker.tar.gz
+            | gzip > docker.tar.gz

      - name: cache
-        uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: docker.tar.gz
          path: docker.tar.gz
+          retention-days: 5

-  helm:
-    name: Helm chart
+  chart-lint:
+    name: Chart / Lint
+    runs-on: ubuntu-latest
+    needs:
+      - changes
+
+    if: fromJSON(needs.changes.outputs.charts) || fromJSON(needs.changes.outputs.baseimage) || fromJSON(github.event.workflow_dispatch.run_e2e)
+
+    steps:
+      - name: Set up Python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        with:
+          python-version: 3.x
+
+      - name: Set up Helm
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+
+      - name: Set up Helm Chart Testing
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
+
+      - name: Set up Artifact Hub
+        run: |
+          curl --fail --location https://github.com/artifacthub/hub/releases/download/v1.20.0/ah_1.20.0_linux_amd64.tar.gz --output /tmp/ah.tar.gz
+          echo "9027626f19ff9f3ac668f222917130ac885e289e922e1428bfd2e7f066324e31  /tmp/ah.tar.gz" | shasum --check
+          sudo tar --extract --file /tmp/ah.tar.gz --directory /usr/local/bin ah
+
+      - name: Set up Helm Docs
+        uses: gabe565/setup-helm-docs-action@d5c35bdc9133cfbea3b671acadf50a29029e87c2 # v1.0.4
+
+      - name: Set up Helm Unit Test
+        run: helm plugin install https://github.com/helm-unittest/helm-unittest
+
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Lint chart
+        run: |
+          ct lint --config .ct.yaml
+          ah lint --path charts/ingress-nginx
+
+      - name: Check docs
+        run: |
+          helm-docs --chart-search-root charts
+          git diff --exit-code charts/ingress-nginx/README.md
+
+      - name: Run tests
+        run: helm unittest charts/ingress-nginx --file "tests/**/*_test.yaml"
+
+  chart-test:
+    name: Chart / Test
    runs-on: ubuntu-latest
    needs:
      - changes
      - build
-    if: |
-      (needs.changes.outputs.charts == 'true')
+      - chart-lint
+
+    if: fromJSON(needs.changes.outputs.charts) || fromJSON(needs.changes.outputs.baseimage) || fromJSON(github.event.workflow_dispatch.run_e2e)
+
+    strategy:
+      matrix:
+        k8s: [v1.28.15, v1.29.12, v1.30.8, v1.31.4, v1.32.0]

    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

-      - name: Checkout
-        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
-
-      - name: Setup Go
-        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2
-        with:
-          go-version: '1.17.6'
-
-      - name: cache
-        uses: actions/download-artifact@f023be2c48cc18debc3bacd34cb396e0295e2869 # v2
+      - name: Download cache
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: docker.tar.gz

-      - name: Lint
-        run: |
-          ./build/run-in-docker.sh ./hack/verify-chart-lint.sh
+      - name: Load cache
+        run: gzip --decompress --stdout docker.tar.gz | docker load

-      - name: Run helm-docs
-        run: |
-          GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.6.0
-          ./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts
-          DIFF=$(git diff ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md)
-          if [ ! -z "$DIFF" ]; then
-            echo "Please use helm-docs in your clone, of your fork, of the project, and commit a updated README.md for the chart. https://github.com/kubernetes/ingress-nginx/blob/main/RELEASE.md#d-edit-the-valuesyaml-and-run-helm-docs"
-          fi
-          git diff --exit-code
-          rm -f ./helm-docs
-
-      - name: Run Artifact Hub lint
-        run: |
-          wget https://github.com/artifacthub/hub/releases/download/v1.5.0/ah_1.5.0_linux_amd64.tar.gz
-          tar -xzvf ah_1.5.0_linux_amd64.tar.gz ah
-          ./ah lint -p charts/ingress-nginx || exit 1
-          rm -f ./ah ./ah_1.5.0_linux_amd64.tar.gz
-
-      - name: fix permissions
-        run: |
-          sudo mkdir -p $HOME/.kube
-          sudo chmod -R 777 $HOME/.kube
-
-      - name: Create Kubernetes cluster
-        id: kind
-        uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
-        with:
-          version: v0.11.1
-          image: kindest/node:v1.21.1
-
-      - uses: geekyeggo/delete-artifact@a6ab43859c960a8b74cbc6291f362c7fb51829ba # v1
-        with:
-          name: docker.tar.gz
-          failOnError: false
-
-      - name: Load images from cache
-        run: |
-          echo "loading docker images..."
-          pigz -dc docker.tar.gz | docker load
-
-      - name: Test
+      - name: Run tests
        env:
-          KIND_CLUSTER_NAME: kind
-          SKIP_CLUSTER_CREATION: true
+          K8S_VERSION: ${{ matrix.k8s }}
          SKIP_IMAGE_CREATION: true
        run: |
-          kind get kubeconfig > $HOME/.kube/kind-config-kind
+          sudo mkdir -pm 777 "${HOME}/.kube"
          make kind-e2e-chart-tests

  kubernetes:
    name: Kubernetes
-    runs-on: ubuntu-latest
    needs:
      - changes
      - build
    if: |
-      (needs.changes.outputs.go == 'true')
-
+      (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
    strategy:
      matrix:
-        k8s: [v1.19.11, v1.20.7, v1.21.2, v1.22.0, v1.23.0]
-
-    steps:
-
-      - name: Checkout
-        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
-
-      - name: cache
-        uses: actions/download-artifact@f023be2c48cc18debc3bacd34cb396e0295e2869 # v2
-        with:
-          name: docker.tar.gz
-
-      - name: Create Kubernetes ${{ matrix.k8s }} cluster
-        id: kind
-        uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
-        with:
-          version: v0.11.1
-          config: test/e2e/kind.yaml
-          image: kindest/node:${{ matrix.k8s }}
-
-      - uses: geekyeggo/delete-artifact@a6ab43859c960a8b74cbc6291f362c7fb51829ba # v1
-        with:
-          name: docker.tar.gz
-          failOnError: false
-
-      - name: Prepare cluster for testing
-        id: local-path
-        run: |
-          kubectl version
-          echo
-          echo "installing helm 3..."
-          curl -sSL https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
-
-      - name: Load images from cache
-        run: |
-          echo "loading docker images..."
-          pigz -dc docker.tar.gz | docker load
-
-      - name: Run e2e tests
-        env:
-          KIND_CLUSTER_NAME: kind
-          SKIP_CLUSTER_CREATION: true
-          SKIP_IMAGE_CREATION: true
-        run: |
-          kind get kubeconfig > $HOME/.kube/kind-config-kind
-          make kind-e2e-test
+        k8s: [v1.28.15, v1.29.12, v1.30.8, v1.31.4, v1.32.0]
+    uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml
+    with:
+      k8s-version: ${{ matrix.k8s }}

  kubernetes-chroot:
    name: Kubernetes chroot
-    runs-on: ubuntu-latest
    needs:
      - changes
      - build
    if: |
-      (needs.changes.outputs.go == 'true')
-
+      (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
    strategy:
      matrix:
-        k8s: [v1.21.10, v1.22.7, v1.23.4]
-
-    steps:
-
-      - name: Checkout
-        uses: actions/checkout@v2
-
-      - name: cache
-        uses: actions/download-artifact@v2
-        with:
-          name: docker.tar.gz
-
-      - name: Create Kubernetes ${{ matrix.k8s }} cluster
-        id: kind
-        uses: engineerd/setup-kind@v0.5.0
-        with:
-          version: v0.12.0
-          config: test/e2e/kind.yaml
-          image: kindest/node:${{ matrix.k8s }}
-
-      - uses: geekyeggo/delete-artifact@v1
-        with:
-          name: docker.tar.gz
-          failOnError: false
-
-      - name: Prepare cluster for testing
-        id: local-path
-        run: |
-          kubectl version
-          echo
-          echo "installing helm 3..."
-          curl -sSL https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
-
-      - name: Load images from cache
-        run: |
-          echo "loading docker images..."
-          pigz -dc docker.tar.gz | docker load
-
-      - name: Run e2e tests
-        env:
-          KIND_CLUSTER_NAME: kind
-          SKIP_CLUSTER_CREATION: true
-          SKIP_IMAGE_CREATION: true
-          IS_CHROOT: true
-        run: |
-          kind get kubeconfig > $HOME/.kube/kind-config-kind
-          make kind-e2e-test
-
-  test-image-build:
-    permissions:
-      contents: read  # for dorny/paths-filter to fetch a list of changed files
-      pull-requests: read  # for dorny/paths-filter to read pull requests
-    runs-on: ubuntu-latest
-    env:
-      PLATFORMS: linux/amd64,linux/arm64
-    steps:
-      - name: Checkout
-        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
-
-      - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2
-        id: filter-images
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          filters: |
-            custom-error-pages:
-              - 'images/custom-error-pages/**'
-            cfssl:
-              - 'images/cfssl/**'
-            fastcgi-helloserver:
-              - 'images/fastcgi-helloserver/**'
-            echo:
-              - 'images/echo/**'
-            go-grpc-greeter-server:
-              - 'images/go-grpc-greeter-server/**'
-            httpbin:
-              - 'images/httpbin/**'
-            kube-webhook-certgen:
-              - 'images/kube-webhook-certgen/**'
-            ext-auth-example-authsvc:
-              - 'images/ext-auth-example-authsvc/**'
-
-      - name: custom-error-pages image build
-        if: ${{ steps.filter-images.outputs.custom-error-pages == 'true' }}
-        run: |
-          cd images/custom-error-pages && make build
-      - name: cfssl image build
-        if: ${{ steps.filter-images.outputs.cfssl == 'true' }}
-        run: |
-          cd images/cfssl && make build
-      - name: fastcgi-helloserver
-        if: ${{ steps.filter-images.outputs.fastcgi-helloserver == 'true' }}
-        run: |
-          cd images/fastcgi-helloserver && make build
-      - name: echo image build
-        if: ${{ steps.filter-images.outputs.echo == 'true' }}
-        run: |
-          cd images/echo && make build
-      - name: go-grpc-greeter-server image build
-        if: ${{ steps.filter-images.outputs.go-grpc-greeter-server == 'true' }}
-        run: |
-          cd images/go-grpc-greeter-server && make build
-      - name: httpbin image build
-        if: ${{ steps.filter-images.outputs.httpbin == 'true' }}
-        run: |
-          cd images/httpbin && make build
-      - name: kube-webhook-certgen image build
-        if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
-        run: |
-          cd images/kube-webhook-certgen && make build
-      - name: ext-auth-example-authsvc
-        if: ${{ steps.filter-images.outputs.ext-auth-example-authsvc == 'true' }}
-        run: |
-          cd images/ext-auth-example-authsvc && make build
-
-  test-image:
-    permissions:
-      contents: read  # for dorny/paths-filter to fetch a list of changed files
-      pull-requests: read  # for dorny/paths-filter to read pull requests
-    runs-on: ubuntu-latest
-    env:
-      PLATFORMS: linux/amd64
-    steps:
-      - name: Checkout
-        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
-
-      - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2
-        id: filter-images
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          filters: |
-            kube-webhook-certgen:
-              - 'images/kube-webhook-certgen/**'
-
-      - name: Create Kubernetes cluster
-        id: kind
-        if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
-        uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
-        with:
-          version: v0.11.1
-          image: kindest/node:v1.21.1
-
-      - name: Set up Go 1.17
-        id: go
-        if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
-        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2
-        with:
-          go-version: '1.17.6'
-
-      - name: kube-webhook-certgen image build
-        if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
-        run: |
-          cd images/kube-webhook-certgen && make test test-e2e
+        k8s: [v1.28.15, v1.29.12, v1.30.8, v1.31.4, v1.32.0]
+    uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml
+    with:
+      k8s-version: ${{ matrix.k8s }}
+      variation: "CHROOT"
--- a/.github/workflows/depreview.yaml
+++ b/.github/workflows/depreview.yaml
@ -9,6 +9,6 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: 'Dependency Review'
-        uses: actions/dependency-review-action@v1
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@ -5,6 +5,9 @@ on:
    branches:
      - main

+permissions:
+  contents: read
+
 jobs:

  changes:
@ -19,11 +22,10 @@ jobs:
      charts: ${{ steps.filter.outputs.charts }}

    steps:
-
      - name: Checkout
-        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

-      - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        id: filter
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
@ -44,11 +46,10 @@ jobs:
      contents: write # needed to write releases

    steps:
-
      - name: Checkout master
-        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Deploy
        uses: ./.github/actions/mkdocs
        env:
-          PERSONAL_TOKEN: "${{ secrets.GITHUB_TOKEN }}" 
+          PERSONAL_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@ -0,0 +1,34 @@
+name: golangci-lint
+
+on:
+  pull_request:
+    paths:
+      - '**/*.go'
+      - '.github/workflows/golangci-lint.yml'
+
+permissions:
+  contents: read
+
+jobs:
+  golangci:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Get go version
+        run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
+
+      - name: Set up Go
+        id: go
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version: ${{ env.GOLANG_VERSION }}
+          check-latest: true
+
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837 # v6.5.0
+        with:
+          version: v1.62
+          only-new-issues: true
--- a/.github/workflows/helm.yaml
+++ b/.github/workflows/helm.yaml
@ -1,70 +0,0 @@
-name: Helm
-
-on:
-  push:
-    branches:
-      - main
-      - legacy
-
-jobs:
-
-  changes:
-    permissions:
-      contents: read  # for dorny/paths-filter to fetch a list of changed files
-      pull-requests: read  # for dorny/paths-filter to read pull requests
-    runs-on: ubuntu-latest
-    if: |
-      (github.repository == 'kubernetes/ingress-nginx')
-    outputs:
-      docs: ${{ steps.filter.outputs.docs }}
-      charts: ${{ steps.filter.outputs.charts }}
-
-    steps:
-
-      - name: Checkout
-        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
-
-      - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2
-        id: filter
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          filters: |
-            charts:
-              - 'charts/ingress-nginx/Chart.yaml'
-              - 'charts/ingress-nginx/**/*'
-
-  chart:
-    name: Release Chart
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: write # needed to write releases
-
-    needs:
-      - changes
-    if: |
-      (github.repository == 'kubernetes/ingress-nginx') &&
-      (needs.changes.outputs.charts == 'true')
-
-    steps:
-
-      - name: Checkout master
-        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
-        with:
-          # Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896
-          fetch-depth: 0
-
-      - name: Setup
-        shell: bash
-        run: |
-          git config --global user.name "$GITHUB_ACTOR"
-          git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"
-      
-      - name: Helm Chart Releaser
-        uses: helm/chart-releaser-action@v1.4.0
-        env:
-          CR_SKIP_EXISTING: "false"
-          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-          CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}"
-        with:
-          charts_dir: charts
--- a/.github/workflows/images.yaml
+++ b/.github/workflows/images.yaml
@ -0,0 +1,192 @@
+name: Container Images
+
+on:
+  pull_request:
+    branches:
+      - "*"
+    paths:
+      - 'images/**'
+
+  push:
+    branches:
+      - main
+    paths:
+      - 'images/**'
+
+permissions:
+  contents: write
+  packages: write
+
+env:
+  PLATFORMS: linux/amd64
+
+jobs:
+  changes:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
+    runs-on: ubuntu-latest
+    outputs:
+      custom-error-pages: ${{ steps.filter.outputs.custom-error-pages }}
+      cfssl: ${{ steps.filter.outputs.cfssl }}
+      fastcgi-helloserver: ${{ steps.filter.outputs.fastcgi-helloserver }}
+      e2e-test-echo: ${{ steps.filter.outputs.e2e-test-echo }}
+      go-grpc-greeter-server: ${{ steps.filter.outputs.go-grpc-greeter-server }}
+      httpbun: ${{ steps.filter.outputs.httpbun }}
+      kube-webhook-certgen: ${{ steps.filter.outputs.kube-webhook-certgen }}
+      ext-auth-example-authsvc: ${{ steps.filter.outputs.ext-auth-example-authsvc }}
+      nginx: ${{ steps.filter.outputs.nginx }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: filter
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          filters: |
+            custom-error-pages:
+              - 'images/custom-error-pages/**'
+            cfssl:
+              - 'images/cfssl/**'
+            fastcgi-helloserver:
+              - 'images/fastcgi-helloserver/**'
+            e2e-test-echo:
+              - 'images/e2e-test-echo/**'
+            go-grpc-greeter-server:
+              - 'images/go-grpc-greeter-server/**'
+            httpbun:
+              - 'images/httpbun/**'
+            kube-webhook-certgen:
+              - 'images/kube-webhook-certgen/**'
+            ext-auth-example-authsvc:
+              - 'images/ext-auth-example-authsvc/**'
+            nginx:
+              - 'images/nginx/**'
+
+  #### TODO: Make the below jobs 'less dumb' and use the job name as parameter (the github.job context does not work here)
+  cfssl:
+    needs: changes
+    if: |
+      (needs.changes.outputs.cfssl == 'true')
+    uses: ./.github/workflows/zz-tmpl-images.yaml
+    with:
+      name: cfssl
+    secrets: inherit
+
+  custom-error-pages:
+    needs: changes
+    if: |
+      (needs.changes.outputs.custom-error-pages == 'true')
+    uses: ./.github/workflows/zz-tmpl-images.yaml
+    with:
+      name: custom-error-pages
+    secrets: inherit
+
+  e2e-test-echo:
+    needs: changes
+    if: |
+      (needs.changes.outputs.e2e-test-echo == 'true')
+    uses: ./.github/workflows/zz-tmpl-images.yaml
+    with:
+      name: e2e-test-echo
+    secrets: inherit
+
+  ext-auth-example-authsvc:
+    needs: changes
+    if: |
+      (needs.changes.outputs.ext-auth-example-authsvc == 'true')
+    uses: ./.github/workflows/zz-tmpl-images.yaml
+    with:
+      name: ext-auth-example-authsvc
+    secrets: inherit
+
+  fastcgi-helloserver:
+    needs: changes
+    if: |
+      (needs.changes.outputs.fastcgi-helloserver == 'true')
+    uses: ./.github/workflows/zz-tmpl-images.yaml
+    with:
+      name: fastcgi-helloserver
+    secrets: inherit
+
+  go-grpc-greeter-server:
+    needs: changes
+    if: |
+      (needs.changes.outputs.go-grpc-greeter-server == 'true')
+    uses: ./.github/workflows/zz-tmpl-images.yaml
+    with:
+      name: go-grpc-greeter-server
+    secrets: inherit
+
+  httpbun:
+    needs: changes
+    if: |
+      (needs.changes.outputs.httpbun == 'true')
+    uses: ./.github/workflows/zz-tmpl-images.yaml
+    with:
+      name: httpbun
+    secrets: inherit
+
+  kube-webhook-certgen:
+    runs-on: ubuntu-latest
+    needs: changes
+    if: |
+      (needs.changes.outputs.kube-webhook-certgen == 'true')
+    strategy:
+      matrix:
+        k8s: [v1.28.15, v1.29.12, v1.30.8, v1.31.4, v1.32.0]
+    steps:
+    - name: Checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+    - name: Get go version
+      run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
+
+    - name: Set up Go
+      id: go
+      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+      with:
+        go-version: ${{ env.GOLANG_VERSION }}
+        check-latest: true
+    - name: image build
+      run: |
+        cd images/ && make NAME=kube-webhook-certgen build
+    - name: Create Kubernetes cluster
+      id: kind
+      run: |
+        kind create cluster --image=kindest/node:${{ matrix.k8s }}
+    - name: image test
+      run: |
+        cd images/ && make NAME=kube-webhook-certgen test test-e2e
+
+  nginx:
+    permissions:
+      contents: write
+      packages: write
+    runs-on: ubuntu-latest
+    needs: changes
+    if: |
+      (github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.changes.outputs.nginx == 'true')
+    env:
+      PLATFORMS: linux/amd64,linux/arm,linux/arm64
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
+        with:
+          version: latest
+          platforms: ${{ env.PLATFORMS }}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: build-image
+        run: |
+          export TAG=$(cat images/nginx/TAG)
+          cd images/nginx/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --push -t ingressnginx/nginx:${TAG} .
--- a/.github/workflows/junit-reports.yaml
+++ b/.github/workflows/junit-reports.yaml
@ -0,0 +1,22 @@
+name: 'E2E Test Report'
+
+on:
+  workflow_run:
+    workflows: ['CI']                     # runs after CI workflow
+    types:
+      - completed
+
+permissions:
+  checks: write
+
+jobs:
+  report:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 # v1.9.1
+        with:
+          artifact: /e2e-test-reports-(.*)/
+          name: JEST Tests $1               # Name of the check run which will be created
+          path: 'report*.xml'               # Path to test results (inside artifact .zip)
+          reporter: jest-junit              # Format of test results
+          fail-on-empty: 'true'
--- a/.github/workflows/perftest.yaml
+++ b/.github/workflows/perftest.yaml
@ -0,0 +1,72 @@
+name: Performance Test
+
+on:
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: 'Log level'
+        required: true
+        default: 'warning'
+      tags:
+        description: 'K6 Load Test'
+
+permissions:
+  contents: read
+
+jobs:
+  k6_test_run:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Install K6
+        run: |
+          wget https://github.com/grafana/k6/releases/download/v0.38.2/k6-v0.38.2-linux-amd64.tar.gz
+          echo '7c9e5a26aaa2c638c042f6dfda7416161b8d2e0d4cb930721a38083b8be109ab *k6-v0.38.2-linux-amd64.tar.gz' | shasum -c
+          tar -xvf k6-v0.38.2-linux-amd64.tar.gz k6-v0.38.2-linux-amd64/k6
+          mv k6-v0.38.2-linux-amd64/k6 .
+          ./k6
+
+      - name: Make dev-env
+        run: |
+          mkdir $HOME/.kube
+          make dev-env
+          podName=`kubectl -n ingress-nginx get po | grep -i controller | awk '{print $1}'`
+          if [[ -z ${podName} ]] ; then
+            sleep 5
+          fi
+          kubectl wait pod -n ingress-nginx --for condition=Ready $podName
+          kubectl get all -A
+
+      - name: Deploy workload
+        run: |
+          kubectl create deploy k6 --image kennethreitz/httpbin --port 80 && \
+            kubectl expose deploy k6 --port 80 && \
+            kubectl create ing k6 --class nginx \
+            --rule test.ingress-nginx-controller.ga/*=k6:80
+          podName=`kubectl get po | grep -i k6 | awk '{print $1}'`
+          if [[ -z ${podName} ]] ; then
+            sleep 5
+          fi
+          kubectl wait pod --for condition=Ready $podName
+          kubectl get all,secrets,ing
+
+      - name: Tune OS
+        run : |
+          sudo sysctl -A 2>/dev/null | egrep -i "local_port_range|tw_reuse|tcp_timestamps"
+          sudo sh -c "ulimit"
+          sudo sysctl -w net.ipv4.ip_local_port_range="1024 65535"
+          sudo sysctl -w net.ipv4.tcp_tw_reuse=1
+          sudo sysctl -w net.ipv4.tcp_timestamps=1
+          sudo sh -c "ulimit "
+
+      - name: Run smoke test
+        run: |
+          vmstat -at 5 | tee vmstat_report &
+          #./k6 login cloud -t $K6_TOKEN
+          #./k6 run -o cloud ./smoketest.js
+          ./k6 run test/k6/smoketest.js
+          pkill vmstat
+          cat vmstat_report
--- a/.github/workflows/plugin.yaml
+++ b/.github/workflows/plugin.yaml
@ -0,0 +1,50 @@
+name: kubectl plugin
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: write # for goreleaser/goreleaser-action
+
+jobs:
+  release-plugin:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Get go version
+        run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
+
+      - name: Set up Go
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version: ${{ env.GOLANG_VERSION }}
+          check-latest: true
+
+      - name: Run GoReleaser Snapshot
+        if: ${{ ! startsWith(github.ref, 'refs/tags/') }}
+        uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 # v6.2.1
+        with:
+          version: "~> v2"
+          args: release --snapshot --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run GoReleaser
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 # v6.2.1
+        with:
+          version: "~> v2"
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Update new version in krew-index
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        uses: rajatjindal/krew-release-bot@3d9faef30a82761d610544f62afddca00993eef9 # v0.0.47
+        with:
+          krew_template_file: cmd/plugin/krew.yaml
--- a/.github/workflows/project.yml
+++ b/.github/workflows/project.yml
@ -0,0 +1,19 @@
+name: Adds all issues
+
+on:
+  issues:
+    types:
+      - opened
+
+jobs:
+  add-to-project:
+    name: Add issue to project
+    runs-on: ubuntu-latest
+    permissions:
+      repository-projects: write
+      issues: write
+    steps:
+      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
+        with:
+          project-url: https://github.com/orgs/kubernetes/projects/104
+          github-token: ${{ secrets.PROJECT_WRITER }}
--- a/.github/workflows/release.txt
+++ b/.github/workflows/release.txt
@ -1,128 +0,0 @@
-name: Release
-
-on:
-  watch:
-    types: [started]
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-    if: github.actor == 'aledbf'
-    steps:
-      - name: Checkout master
-        uses: actions/checkout@v2
-
-      - name: Set up Go 1.14
-        uses: actions/setup-go@master
-        with:
-          go-version: 1.14
-
-      - name: Build krew plugin
-        shell: bash
-        run: |
-          export PATH=${PATH}:`go env GOPATH`/bin
-          make build-plugin
-
-#      - name: Build and publish images
-#        shell: bash
-#        run: |
-#          cat <<EOF | > build/images/nginx/aws.tfvars
-#          access_key = "${{ secrets.AWS_ACCESS_KEY }}"
-#          secret_key = "${{ secrets.AWS_ACCESS_SECRET_KEY }}"
-#          EOF
-#
-#          cat <<EOF | > build/images/nginx/env.tfvars
-#          docker_username="${{ secrets.DOCKER_USERNAME }}"
-#          docker_password="${{ secrets.DOCKER_PASSWORD }}"
-#          EOF
-#
-#          ./build/build-ingress-controller.sh
-
-      - name: Create env variables
-        shell: bash
-        run: |
-          # $(cat cmd/plugin/release/ingress-nginx.yaml)
-          echo "::set-env name=RELEASE_VERSION::$(make show-version)"
-          echo "::set-env name=RELEASE_CHANGELOG::##CHANGELOG##"
-
-      - name: Create release
-        id: create_release
-        uses: actions/create-release@v1
-        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/controller')
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: controller-${{ env.RELEASE_VERSION }}
-          release_name: "NGINX: ${{ env.RELEASE_VERSION }}"
-          body: |
-            **Image:** `quay.io/kubernetes-ingress-controller/nginx-ingress-controller:${{ env.RELEASE_VERSION }}`
-
-            ${{ env.RELEASE_CHANGELOG }}
-
-            Complete changelog [here](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md)
-
-          draft: false
-          prerelease: false
-
-      - name: Upload krew plugin Darwin
-        uses: actions/upload-release-asset@v1
-        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/controller')
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: cmd/plugin/release/kubectl-ingress_nginx-darwin-amd64.tar.gz
-          asset_name: kubectl-ingress_nginx-darwin-amd64.tar.gz
-          asset_content_type: application/tar+gzip
-
-      - name: Upload krew plugin Linux
-        uses: actions/upload-release-asset@v1
-        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/controller')
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: cmd/plugin/release/kubectl-ingress_nginx-linux-amd64.tar.gz
-          asset_name: kubectl-ingress_nginx-linux-amd64.tar.gz
-          asset_content_type: application/tar+gzip
-
-      - name: Upload krew plugin Windows
-        uses: actions/upload-release-asset@v1
-        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/controller')
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: cmd/plugin/release/kubectl-ingress_nginx-windows-amd64.tar.gz
-          asset_name: kubectl-ingress_nginx-windows-amd64.tar.gz
-          asset_content_type: application/tar+gzip
-
-      - name: Upload krew plugin
-        uses: actions/upload-release-asset@v1
-        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/controller')
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: cmd/plugin/release/ingress-nginx.yaml
-          asset_name: ingress-nginx.yaml
-          asset_content_type: text/x-yaml
-
-      - name: Create KREW_PLUGIN_BODY_PR env variable
-        shell: bash
-        run: |
-          echo "::set-env name=KREW_PLUGIN_BODY_PR::$(cat cmd/plugin/release/ingress-nginx.yaml)"
-
-#      - name: Open PR for new release of Krew Plugin
-#        uses: gha-utilities/init-pull-request@v0.1.2
-#        env:
-#          GITHUB_REPOSITORY: maintainer/repo-name
-#        with:
-#          verbose: true
-#          draft: false
-#          pull_request_token: ${{ secrets.GITHUB_TOKEN }}
-#          head: ingress-nginx:krew
-#          base: krew
-#          title: 'Update ingress-nginx krew plugin to ${{ env.RELEASE_VERSION }}'
-#          body: |
-#            ${{ env.KREW_PLUGIN_BODY_PR }}
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@ -0,0 +1,64 @@
+name: Scorecards supply-chain security
+
+on:
+  # Only the default branch is supported.
+  branch_protection_rule:
+  schedule:
+    - cron: '20 11 * * 5'
+  push:
+    branches:
+      - "main"
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge. (Upcoming feature)
+      id-token: write
+      # Needs for private repositories.
+      contents: read
+      actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecards on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+
+          # Publish the results for public repositories to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless
+          # of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        with:
+          sarif_file: results.sarif
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@ -0,0 +1,24 @@
+name: 'Stale Issues and PRs'
+
+on:
+  schedule:
+    - cron: '30 1 * * *'
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+
+    permissions:
+      issues: write
+      pull-requests: write
+
+    steps:
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
+        with:
+          stale-issue-message: "This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach `#ingress-nginx-dev` on Kubernetes Slack."
+          stale-pr-message: "This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach `#ingress-nginx-dev` on Kubernetes Slack."
+          stale-issue-label: lifecycle/frozen
+          stale-pr-label: lifecycle/frozen
+          days-before-issue-stale: 30
+          days-before-pr-stale: 45
+          days-before-close: -1  # dont not close issues/prs
--- a/.github/workflows/vulnerability-scans.yaml
+++ b/.github/workflows/vulnerability-scans.yaml
@ -0,0 +1,92 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Vulnerability Scan
+
+on:
+  workflow_dispatch:
+  release:
+  schedule:
+    - cron: '00 9 * * 1'
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  version:
+    runs-on: ubuntu-latest
+    outputs:
+      versions: ${{ steps.version.outputs.TAGS }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Latest Tag
+        id: version
+        shell: bash
+        run: |
+          readarray -t TAGS_ARRAY <<<"$(git tag --list 'controller-v*.*.*' --sort=-version:refname | grep -v 'beta\|alpha')"
+          FULL_TAGS=(${TAGS_ARRAY[0]} ${TAGS_ARRAY[1]} ${TAGS_ARRAY[2]})
+          SHORT_TAGS=()
+          for i in ${FULL_TAGS[@]}
+          do
+            echo "tag: $i"
+            short=$(echo "$i" | cut -d - -f 2)
+            SHORT_TAGS+=($short)
+          done
+          echo "${SHORT_TAGS[0]},${SHORT_TAGS[1]},${SHORT_TAGS[2]}"
+          TAGS_JSON="[\"${SHORT_TAGS[0]}\",\"${SHORT_TAGS[1]}\",\"${SHORT_TAGS[2]}\"]"
+          echo "${TAGS_JSON}"
+          echo "TAGS=${TAGS_JSON}" >> $GITHUB_OUTPUT
+
+  scan:
+    runs-on: ubuntu-latest
+    needs: version
+    strategy:
+      matrix:
+        versions: ${{ fromJSON(needs.version.outputs.versions) }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - shell: bash
+        id: test
+        run: echo "Scanning registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}"
+
+      - name: Scan image with AquaSec/Trivy
+        id: scan
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
+        with:
+          image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }}
+          format: 'sarif'
+          output: trivy-results-${{ matrix.versions }}.sarif
+          exit-code: 0
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
+
+      - name: Output Sarif File
+        shell: bash
+        run: cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif
+
+      # This step checks out a copy of your repository.
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        with:
+          token: ${{ github.token }}
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif
+
+      - name: Vulz Count
+        shell: bash
+        run: |
+          TRIVY_COUNT=$(cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif | jq '.runs[0].results | length')
+          echo "TRIVY_COUNT: $TRIVY_COUNT"
+          echo "Image Vulnerability scan output" >> $GITHUB_STEP_SUMMARY
+          echo "Image ID: registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "Trivy Count: $TRIVY_COUNT" >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/zz-tmpl-images.yaml
+++ b/.github/workflows/zz-tmpl-images.yaml
@ -0,0 +1,81 @@
+#### THIS IS A TEMPLATE ####
+# This workflow is created to be a template for every time an e2e test is required,
+
+on:
+  workflow_call:
+    inputs:
+      name:
+        required: true
+        type: string
+      platforms-test:
+        type: string
+        default: linux/amd64
+      platforms-publish:
+        type: string
+        default: linux/amd64
+
+env:
+  PLATFORMS: ${{ inputs.platforms-test }}
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  changestag:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.filter.outputs.tag }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: filter
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          filters: |
+            tag:
+              - 'images/**/TAG'
+
+  image-build:
+    name: Build
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Build
+        run: |
+          cd images/ && make NAME=${{ inputs.name }} build
+
+  image-push:
+    name: Push
+    needs: changestag
+    if: |
+      (github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'kubernetes/ingress-nginx' && needs.changestag.outputs.tag == 'true')
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+    env:
+      PLATFORMS: ${{ inputs.platforms-publish }}
+    steps:
+    - name: Checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+    - name: Push
+      run: |
+          cd images/ && make REGISTRY=ingressnginx NAME=${{ inputs.name }} push
+
--- a/.github/workflows/zz-tmpl-k8s-e2e.yaml
+++ b/.github/workflows/zz-tmpl-k8s-e2e.yaml
@ -0,0 +1,57 @@
+#### THIS IS A TEMPLATE ####
+# This workflow is created to be a template for every time an e2e test is required,
+
+on:
+  workflow_call:
+    inputs:
+      k8s-version:
+        required: true
+        type: string
+      variation:
+        type: string
+
+permissions:
+  contents: read
+
+jobs:
+  kubernetes:
+    name: Kubernetes ${{ inputs.variation }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: cache
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: docker.tar.gz
+
+      - name: Create Kubernetes ${{ inputs.k8s-version }} cluster
+        id: kind
+        run: |
+          kind create cluster --image=kindest/node:${{ inputs.k8s-version }} --config test/e2e/kind.yaml
+
+      - name: Load images from cache
+        run: |
+          echo "loading docker images..."
+          gzip -dc docker.tar.gz | docker load
+
+      - name: Run e2e tests ${{ inputs.variation }}
+        env:
+          KIND_CLUSTER_NAME: kind
+          SKIP_CLUSTER_CREATION: true
+          SKIP_INGRESS_IMAGE_CREATION: true
+          SKIP_E2E_IMAGE_CREATION: true
+          IS_CHROOT: ${{ inputs.variation == 'CHROOT' }}
+        run: |
+          kind get kubeconfig > $HOME/.kube/kind-config-kind
+          make kind-e2e-test
+
+      - name: Upload e2e junit-reports ${{ inputs.variation }}
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        if: success() || failure()
+        with:
+          name: e2e-test-reports-${{ inputs.k8s-version }}${{ inputs.variation }}
+          path: 'test/junitreports/report*.xml'
+
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,3 @@
-helm-docs
 # OSX
 ._*
 .DS_Store
@ -59,3 +58,6 @@ images/fastcgi-helloserver/rootfs/fastcgi-helloserver
 cmd/plugin/release/ingress-nginx.yaml
 cmd/plugin/release/*.tar.gz
 cmd/plugin/release/LICENSE
+tmp/
+test/junitreports/
+tests/__snapshot__
--- a/.golangci.yml
+++ b/.golangci.yml
@ -0,0 +1,236 @@
+run:
+  timeout: 10m
+  allow-parallel-runners: true
+
+issues:
+  # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
+  max-issues-per-linter: 0
+
+  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
+  max-same-issues: 0
+linters:
+  disable-all: true
+  enable:
+    - asasalint
+    - asciicheck
+    - bidichk
+    - bodyclose
+    - contextcheck
+    - decorder
+    - dogsled
+    - dupl
+    - durationcheck
+    - errcheck
+    - errchkjson
+    - errname
+    - ginkgolinter
+    - gocheckcompilerdirectives
+    - goconst
+    - gocritic
+    - gocyclo
+    - godox
+    - gofmt
+    - gofumpt
+    - goheader
+    - goimports
+    - gomoddirectives
+    - gomodguard
+    - goprintffuncname
+    - gosec
+    - gosimple
+    - govet
+    - grouper
+    - importas
+    - ineffassign
+    - loggercheck
+    - makezero
+    - misspell
+    - musttag
+    - nakedret
+    - nolintlint
+    - nosprintfhostport
+    - prealloc
+    - predeclared
+    - promlinter
+    - reassign
+    - revive
+    - rowserrcheck
+    - sqlclosecheck
+    - staticcheck
+    - stylecheck
+    - tenv
+    - testableexamples
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
+    - usestdlibvars
+    - whitespace
+    # - containedctx
+    # - cyclop
+    # - dupword
+    # - errorlint
+    # - exhaustive
+    # - exhaustruct
+    # - exportloopref
+    # - forbidigo
+    # - forcetypeassert
+    # - funlen
+    # - gci
+    # - gochecknoglobals
+    # - gochecknoinits
+    # - gocognit
+    # - godot
+    # - goerr113
+    # - gomnd
+    # - interfacebloat
+    # - ireturn
+    # - lll
+    # - maintidx
+    # - nestif
+    # - nilerr
+    # - nilnil
+    # - nlreturn
+    # - noctx
+    # - nonamedreturns
+    # - paralleltest
+    # - tagliatelle
+    # - testpackage
+    # - thelper
+    # - tparallel
+    # - varnamelen
+    # - wastedassign
+    # - wrapcheck
+    # - wsl
+linters-settings:
+  gocyclo:
+    min-complexity: 40
+  godox:
+    keywords:
+      - BUG
+      - FIXME
+      - HACK
+  errcheck:
+    check-type-assertions: true
+    check-blank: true
+  gocritic:
+    enabled-checks:
+      # Diagnostic
+      - appendAssign
+      - argOrder
+      - badCall
+      - badCond
+      - badLock
+      - badRegexp
+      - badSorting
+      - builtinShadowDecl
+      - caseOrder
+      - codegenComment
+      - commentedOutCode
+      - deferInLoop
+      - deprecatedComment
+      - dupArg
+      - dupBranchBody
+      - dupCase
+      - dupSubExpr
+      - dynamicFmtString
+      - emptyDecl
+      - evalOrder
+      - exitAfterDefer
+      - externalErrorReassign
+      - filepathJoin
+      - flagDeref
+      - flagName
+      - mapKey
+      - nilValReturn
+      - offBy1
+      - regexpPattern
+      - returnAfterHttpError
+      - sloppyReassign
+      - sloppyTypeAssert
+      - sortSlice
+      - sprintfQuotedString
+      - sqlQuery
+      - syncMapLoadAndDelete
+      - truncateCmp
+      - unnecessaryDefer
+      - weakCond
+
+      # Performance
+      - appendCombine
+      - equalFold
+      - hugeParam
+      - indexAlloc
+      - preferDecodeRune
+      - preferFprint
+      - preferStringWriter
+      - preferWriteByte
+      - rangeExprCopy
+      - rangeValCopy
+      - sliceClear
+      - stringXbytes
+
+      # Style
+      - assignOp
+      - boolExprSimplify
+      - captLocal
+      - commentFormatting
+      - commentedOutImport
+      - defaultCaseOrder
+      - deferUnlambda
+      - docStub
+      - dupImport
+      - elseif
+      - emptyFallthrough
+      - emptyStringTest
+      - exposedSyncMutex
+      - hexLiteral
+      - httpNoBody
+      - ifElseChain
+      - methodExprCall
+      - newDeref
+      - octalLiteral
+      - preferFilepathJoin
+      - redundantSprint
+      - regexpMust
+      - regexpSimplify
+      - ruleguard
+      - singleCaseSwitch
+      - sloppyLen
+      - stringConcatSimplify
+      - stringsCompare
+      - switchTrue
+      - timeExprSimplify
+      - tooManyResultsChecker
+      - typeAssertChain
+      - typeDefFirst
+      - typeSwitchVar
+      - underef
+      - unlabelStmt
+      - unlambda
+      - unslice
+      - valSwap
+      - whyNoLint
+      - wrapperFunc
+      - yodaStyleExpr
+
+      # Opinionated
+      - builtinShadow
+      - importShadow
+      - initClause
+      - nestingReduce
+      - paramTypeCombine
+      - ptrToRefParam
+      - typeUnparen
+      - unnamedResult
+      - unnecessaryBlock
+  nolintlint:
+    # Enable to ensure that nolint directives are all used. Default is true.
+    allow-unused: false
+    # Exclude following linters from requiring an explanation.  Default is [].
+    allow-no-explanation: []
+    # Enable to require an explanation of nonzero length after each nolint directive. Default is false.
+    # TODO(lint): Enforce explanations for `nolint` directives
+    require-explanation: false
+    # Enable to require nolint directives to mention the specific linter being suppressed. Default is false.
+    require-specific: true
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -0,0 +1,29 @@
+project_name: ingress-nginx
+release:
+  github:
+    owner: kubernetes
+    name: ingress-nginx
+builds:
+  - id: ingress-nginx
+    goos:
+    - darwin
+    - linux
+    - windows
+    goarch:
+    - arm64
+    - amd64
+    env:
+    - CGO_ENABLED=0
+    - GO111MODULE=on
+    main: cmd/plugin/main.go
+    binary: kubectl-ingress-nginx
+    ldflags: |
+      -s -w
+      -X k8s.io/ingress-nginx/version.COMMIT={{ .Commit }}
+      -X k8s.io/ingress-nginx/version.RELEASE={{ .Tag }}
+archives:
+  - id: ingress-nginx
+    builds:
+    - ingress-nginx
+    name_template: "kubectl-{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}"
+    format: tar.gz
--- a/.luacheckrc
+++ b/.luacheckrc
@ -1,6 +1,6 @@
 std = 'ngx_lua'
 max_line_length = 100
-exclude_files = {'./rootfs/etc/nginx/lua/test/**/*.lua', './rootfs/etc/nginx/lua/plugins/**/test/**/*.lua'}
+exclude_files = {'./rootfs/etc/nginx/lua/test/**/*.lua'}
 files["rootfs/etc/nginx/lua/lua_ingress.lua"] = {
  ignore = { "122" },
  -- TODO(elvinefendi) figure out why this does not work
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -2,7 +2,7 @@

 Read the following guide if you're interested in contributing to Ingress. [Make Ingress-Nginx Work for you, and the Community](https://youtu.be/GDm-7BlmPPg) from KubeCon Europe 2018 is a great video to get you started!!

-Note that this guide refers to contributing to actual sources of the repository. If you interested in contributing through issue triaging, have a look at [this guide](./ISSUE_TRIAGE.md). 
+Note that this guide refers to contributing to actual sources of the repository. If you interested in contributing through issue triaging, have a look at [this guide](./ISSUE_TRIAGE.md).

 ## Contributor License Agreements

@ -19,7 +19,7 @@ Follow either of the two links above to access the appropriate CLA and instructi

 ## Finding Issues That Need Help

-If you're new to the project and want to help, but don't know where to start, we have a semi-curated list of issues that should not need deep knowledge of the system. [Have a look and see if anything sounds interesting](https://github.com/kubernetes/ingress-nginx/issues?utf8=%E2%9C%93&q=is%3Aopen%20is%3Aissue%20label%3A%22help+wanted%22). 
+If you're new to the project and want to help, but don't know where to start, we have a semi-curated list of issues that should not need deep knowledge of the system. [Have a look and see if anything sounds interesting](https://github.com/kubernetes/ingress-nginx/issues?utf8=%E2%9C%93&q=is%3Aopen%20is%3Aissue%20label%3A%22help+wanted%22).

 Alternatively, search for the label [`triage-accepted`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3Atriage%2Faccepted+) if you have some experience with ingress-nginx. Note, that it could make sense to grab issues with higher priority first.

@ -34,9 +34,9 @@ All changes must be code reviewed. Coding conventions and standards are explaine

 ### Merge Approval

-Ingress Nginx collaborators may add "/lgtm" (Looks Good To Me) to indicate that a PR is acceptable. Any change requires at least one LGTM.  No pull requests can be merged until at least one Ingress Nginx collaborator signs off with an LGTM. Adding the "/lgtm" comment result in the prow bot adding the `lgtm` label. Note that a pull request still needs an `approve` label from one of the owners. 
+Ingress Nginx collaborators may add "/lgtm" (Looks Good To Me) to indicate that a PR is acceptable. Any change requires at least one LGTM.  No pull requests can be merged until at least one Ingress Nginx collaborator signs off with an LGTM. Adding the "/lgtm" comment result in the prow bot adding the `lgtm` label. Note that a pull request still needs an `approve` label from one of the owners.

-Reviewers or members who want to become reviewers according to the [k8s membership ladder](https://github.com/kubernetes/community/blob/master/community-membership.md), could actively search for [pull requests that need a review](https://github.com/kubernetes/ingress-nginx/pulls?q=is%3Aopen+is%3Apr+label%3Atriage%2Faccepted). 
+Reviewers or members who want to become reviewers according to the [k8s membership ladder](https://github.com/kubernetes/community/blob/master/community-membership.md), could actively search for [pull requests that need a review](https://github.com/kubernetes/ingress-nginx/pulls?q=is%3Aopen+is%3Apr+label%3Atriage%2Faccepted).

 ## Support Channels

@ -47,3 +47,6 @@ Whether you are a user or contributor, official support channels include:
 - Post: [Kubernetes Forum](https://discuss.kubernetes.io)

 Before opening a new issue or submitting a new pull request, it's helpful to search the project - it's likely that another user has already reported the issue you're facing, or it's a known issue that we're already aware of.
+
+## New Contributor Tips
+If you're a new contributor, you can follow the [New Contributor Tips guide](NEW_CONTRIBUTOR.md)
--- a/Changelog.md
+++ b/Changelog.md
@ -1,5 +1,390 @@
 # Changelog

+All New change are in [Changelog](./changelog)
+
+### 1.5.1
+
+* Upgrade NGINX to 1.21.6
+* Upgrade Golang 1.19.2
+* Fix Service Name length Bug [9245](https://github.com/kubernetes/ingress-nginx/pull/9245)
+* CVE fixes CVE-2022-32149, CVE-2022-27664, CVE-2022-1996
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.5.1@sha256:c1c091b88a6c936a83bd7b098662760a87868d12452529bad0d178fb36147345
+
+### All Changes:
+
+* chore Fixed to Support Versions table by @yutachaos in https://github.com/kubernetes/ingress-nginx/pull/9117
+* Updated incorrect version number in the Installation Guide by @afro-coder in https://github.com/kubernetes/ingress-nginx/pull/9120
+* Updated the Developer guide with New Contributor information by @afro-coder in https://github.com/kubernetes/ingress-nginx/pull/9114
+* Remove deprecated net dependency by @rikatz in https://github.com/kubernetes/ingress-nginx/pull/9110
+* Fixed docs helm-docs version by @yutachaos in https://github.com/kubernetes/ingress-nginx/pull/9121
+* Fix CVE 2022 27664 by @strongjz in https://github.com/kubernetes/ingress-nginx/pull/9109
+* upgrade to golang 1.19.2 by @strongjz in https://github.com/kubernetes/ingress-nginx/pull/9124
+* fix e2e resource leak when ginkgo exit before clear resource by @loveRhythm1990 in https://github.com/kubernetes/ingress-nginx/pull/9103
+* fix: handle 401 and 403 by external auth by @johanneswuerbach in https://github.com/kubernetes/ingress-nginx/pull/9131
+* Move bowei to emeritus owner by @rikatz in https://github.com/kubernetes/ingress-nginx/pull/9150
+* fix null ports by @tombokombo in https://github.com/kubernetes/ingress-nginx/pull/9149
+* Documentation added for  implemented redirection in the proxy to ensure image pulling by @Sanghamitra-PERSONAL in https://github.com/kubernetes/ingress-nginx/pull/9098
+* updating runner with golang 1.19.2 by @strongjz in https://github.com/kubernetes/ingress-nginx/pull/9158
+* Add install command for OVHcloud by @scraly in https://github.com/kubernetes/ingress-nginx/pull/9171
+* GitHub Templates: Remove trailing whitespaces. by @Gacko in https://github.com/kubernetes/ingress-nginx/pull/9172
+* Update helm chart changelog to show that kubernetes v1.21.x is no longer supported by @cskinfill in https://github.com/kubernetes/ingress-nginx/pull/9147
+* Add section to troubleshooting docs for failure to listen on port by @jrhunger in https://github.com/kubernetes/ingress-nginx/pull/9185
+* Implement parseFloat for annotations by @kirs in https://github.com/kubernetes/ingress-nginx/pull/9195
+* fix typo in docs. by @guettli in https://github.com/kubernetes/ingress-nginx/pull/9167
+* add:(admission-webhooks) ability to set securityContext by @ybelMekk in https://github.com/kubernetes/ingress-nginx/pull/9186
+* Fix Markdown header level by @jaens in https://github.com/kubernetes/ingress-nginx/pull/9210
+* chore: bump NGINX version v1.21.4 by @tao12345666333 in https://github.com/kubernetes/ingress-nginx/pull/8889
+* chore: update NGINX to 1.21.6 by @tao12345666333 in https://github.com/kubernetes/ingress-nginx/pull/9231
+* fix svc long name by @tombokombo in https://github.com/kubernetes/ingress-nginx/pull/9245
+* update base image of nginx to 1.21.6 by @strongjz in https://github.com/kubernetes/ingress-nginx/pull/9257
+* Fix CVE-2022-32149 by @esigo in https://github.com/kubernetes/ingress-nginx/pull/9258
+* Fix CVE-2022-1996 by @esigo in https://github.com/kubernetes/ingress-nginx/pull/9244
+* Adding support for disabling liveness and readiness probes to the Helm chart by @njegosrailic in https://github.com/kubernetes/ingress-nginx/pull/9238
+* fix CVE-2022-27664 by @esigo in https://github.com/kubernetes/ingress-nginx/pull/9273
+* Add CVE-2022-27664 #9273 in latest release  by @strongjz in https://github.com/kubernetes/ingress-nginx/pull/9275
+
+### Dependencies updates:
+
+* Bump docker/setup-buildx-action from 2.0.0 to 2.1.0 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9180
+* Bump dorny/paths-filter from 2.10.2 to 2.11.1 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9183
+* Bump helm/chart-releaser-action from 1.4.0 to 1.4.1 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9136
+* Bump github/codeql-action from 2.1.25 to 2.1.27 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9137
+* Bump ossf/scorecard-action from 2.0.3 to 2.0.4 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9138
+* Bump google.golang.org/grpc from 1.49.0 to 1.50.0 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9134
+* Bump actions/checkout from 3.0.2 to 3.1.0 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9135
+* Bump actions/dependency-review-action from 2.5.0 to 2.5.1 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9237
+* Bump github/codeql-action from 2.1.28 to 2.1.29 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9236
+* Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9233
+* Bump actions/upload-artifact from 3.1.0 to 3.1.1 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9234
+* Bump azure/setup-helm from 3.3 to 3.4 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9235
+* Bump github.com/onsi/ginkgo/v2 from 2.3.1 to 2.4.0 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9201
+* Bump goreleaser/goreleaser-action from 3.1.0 to 3.2.0 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9208
+* Bump github.com/stretchr/testify from 1.8.0 to 1.8.1 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9202
+* Bump ossf/scorecard-action from 2.0.4 to 2.0.6 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9203
+* Bump docker/setup-buildx-action from 2.1.0 to 2.2.1 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9204
+* Bump actions/setup-go from 3.3.0 to 3.3.1 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9205
+* Bump github/codeql-action from 2.1.27 to 2.1.28 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9206
+* Bump actions/download-artifact from 3.0.0 to 3.0.1 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9207
+* Bump github.com/prometheus/client_model from 0.2.0 to 0.3.0 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9200
+* Bump github.com/spf13/cobra from 1.5.0 to 1.6.0 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9173
+* Bump google.golang.org/grpc from 1.50.0 to 1.50.1 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9174
+* Bump k8s.io/component-base from 0.25.2 to 0.25.3 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9175
+* Bump github.com/fsnotify/fsnotify from 1.5.4 to 1.6.0 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9176
+* Bump github.com/onsi/ginkgo/v2 from 2.2.0 to 2.3.1 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9177
+* Bump geekyeggo/delete-artifact from 1.0.0 to 2.0.0 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9178
+* Bump actions/dependency-review-action from 2.4.0 to 2.5.0 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9179
+* Bump docker/setup-qemu-action from 2.0.0 to 2.1.0 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9181
+* Bump securego/gosec from 2.13.1 to 2.14.0 by @dependabot in https://github.com/kubernetes/ingress-nginx/pull/9182
+
+
+## New Contributors
+* @yutachaos made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9117
+* @Gacko made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9123
+* @loveRhythm1990 made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9103
+* @johanneswuerbach made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9131
+* @FutureMatt made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9133
+* @Sanghamitra-PERSONAL made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9098
+* @scraly made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9171
+* @cskinfill made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9147
+* @jrhunger made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9185
+* @guettli made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9167
+* @ybelMekk made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9186
+* @jaens made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9210
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.4.0...controller-v1.5.1
+
+###  1.4.0
+
+### Community Updates
+
+We will discuss the results of our Community Survey, progress on the stabilization project, and ideas going
+forward with the project at
+[Kubecon NA 2022 in Detroit](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/). Come join us
+and let us hear what you'd like to see in the future for ingress-nginx.
+
+https://kccncna2022.sched.com/event/18lgl?iframe=no
+
+[**Kubernetes Registry change notice**](https://twitter.com/BenTheElder/status/1575898507235323904)
+The [@kubernetesio](https://twitter.com/kubernetesio) container image host http://k8s.gcr.io is
+*actually* getting redirected to the community controlled http://registry.k8s.io starting with a small portion of
+traffic on October 3rd.
+
+If you notice any issues, *please* ping [Ben Elder](https://twitter.com/BenTheElder),
+[@thockin](https://twitter.com/thockin), [@ameukam](https://twitter.com/ameukam),or report issues in slack to
+[sig-k8s-infra slack channel](https://kubernetes.slack.com/archives/CCK68P2Q2).
+
+### What's Changed
+
+* 1.4.0 updates ingress-nginx to use Endpointslices instead of Endpoints. Thank you, @tombokombo, for your work in
+[8890](https://github.com/kubernetes/ingress-nginx/pull/8890)
+* Update to Prometheus metric names, more information [available here]( https://github.com/kubernetes/ingress-nginx/pull/8728
+)
+* Deprecated Kubernetes versions 1.20-1.21, Added support for, 1.25, currently supported versions v1.22, v1.23, v1.24, v1.25
+
+ADDED
+* `_request_duration_seconds` Histogram
+* `_connect_duration_seconds` Histogram
+* `_header_duration_seconds` Histogram
+* `_response_duration_seconds` Histogram
+
+Updated
+* `_response_size` Histogram
+* `_request_size` Histogram
+* `_requests` Counter
+
+DEPRECATED
+* `_bytes_sent` Histogram
+* _ingress_upstream_latency_seconds` Summary
+
+REMOVED
+* `ingress_upstream_header_seconds`  Summary
+
+Also upgraded to golang 1.19.1
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.4.0@sha256:34ee929b111ffc7aa426ffd409af44da48e5a0eea1eb2207994d9e0c0882d143
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.4.0@sha256:b67e889f1db8692de7e41d4d9aef8de56645bf048261f31fa7f8bfc6ea2222a0
+
+
+### All Changes:
+
+* [9104](https://github.com/kubernetes/ingress-nginx/pull/9104) Fix yaml formatting error with multiple annotations
+* [9090](https://github.com/kubernetes/ingress-nginx/pull/9090) fix chroot module mount path
+* [9088](https://github.com/kubernetes/ingress-nginx/pull/9088) Add annotation for setting sticky cookie domain
+* [9086](https://github.com/kubernetes/ingress-nginx/pull/9086) Update Version ModSecurity and Coreruleset
+* [9081](https://github.com/kubernetes/ingress-nginx/pull/9081) plugin - endpoints to slices
+* [9078](https://github.com/kubernetes/ingress-nginx/pull/9078) expand CI testing for all stable versions of Kubernetes
+* [9074](https://github.com/kubernetes/ingress-nginx/pull/9074) fix: do not apply job-patch psp on Kubernetes 1.25 and newer
+* [9072](https://github.com/kubernetes/ingress-nginx/pull/9072) Added a Link to the New Contributors Tips
+* [9069](https://github.com/kubernetes/ingress-nginx/pull/9069) Add missing space to error message
+* [9059](https://github.com/kubernetes/ingress-nginx/pull/9059) kubewebhookcertgen sha change after go1191
+* [9058](https://github.com/kubernetes/ingress-nginx/pull/9058) updated testrunner image sha after bump to go1191
+* [9046](https://github.com/kubernetes/ingress-nginx/pull/9046) Parameterize metrics port name
+* [9036](https://github.com/kubernetes/ingress-nginx/pull/9036) update OpenTelemetry image
+* [9035](https://github.com/kubernetes/ingress-nginx/pull/9035) Added instructions for Rancher Desktop
+* [9028](https://github.com/kubernetes/ingress-nginx/pull/9028) fix otel init_module
+* [9023](https://github.com/kubernetes/ingress-nginx/pull/9023) updates for fixing 1.3.1 release
+* [9018](https://github.com/kubernetes/ingress-nginx/pull/9018) Add v1.25 test and reduce amount of e2e tests
+* [9017](https://github.com/kubernetes/ingress-nginx/pull/9017) fix LD_LIBRARY_PATH for opentelemetry
+
+### Dependencies updates:
+
+* [9085](https://github.com/kubernetes/ingress-nginx/pull/9085) Bump actions/dependency-review-action from 2.1.0 to 2.4.0
+* [9084](https://github.com/kubernetes/ingress-nginx/pull/9084) Bump actions/checkout from 1 to 3
+* [9083](https://github.com/kubernetes/ingress-nginx/pull/9083) Bump github/codeql-action from 2.1.24 to 2.1.25
+* [9089](https://github.com/kubernetes/ingress-nginx/pull/9089) Bump k8s.io/component-base from 0.25.1 to 0.25.2
+* [9066](https://github.com/kubernetes/ingress-nginx/pull/9066) Bump github/codeql-action from 2.1.23 to 2.1.24
+* [9065](https://github.com/kubernetes/ingress-nginx/pull/9065) Bump k8s.io/component-base from 0.25.0 to 0.25.1
+* [9064](https://github.com/kubernetes/ingress-nginx/pull/9064) Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.2.0
+* [9057](https://github.com/kubernetes/ingress-nginx/pull/9057) bump go to v1.19.1
+* [9053](https://github.com/kubernetes/ingress-nginx/pull/9053) Bump ossf/scorecard-action from 2.0.2 to 2.0.3
+* [9052](https://github.com/kubernetes/ingress-nginx/pull/9052) Bump github/codeql-action from 2.1.22 to 2.1.23
+* [9045](https://github.com/kubernetes/ingress-nginx/pull/9045) Bump actions/upload-artifact from 3.0.0 to 3.1.0
+* [9044](https://github.com/kubernetes/ingress-nginx/pull/9044) Bump ossf/scorecard-action from 1.1.2 to 2.0.2
+* [9043](https://github.com/kubernetes/ingress-nginx/pull/9043) Bump k8s.io/klog/v2 from 2.80.0 to 2.80.1
+* [9022](https://github.com/kubernetes/ingress-nginx/pull/9022) Bump github.com/onsi/ginkgo/v2 from 2.1.4 to 2.1.6
+* [9021](https://github.com/kubernetes/ingress-nginx/pull/9021) Bump k8s.io/klog/v2 from 2.70.1 to 2.80.0
+
+## New Contributors
+* @gunamata made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9035
+* @afro-coder made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/8924
+* @wilmardo made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9074
+* @nicolasjulian made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9086
+* @mtneug made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9088
+* @knbnnate made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/8692
+* @mklauber made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9104
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.3.1...controller-v1.4.0
+
+### 1.3.1
+
+In v1.3.1 leader elections will be done entirely using the Lease API and no longer using configmaps.
+v1.3.0 is a safe transition version, using v1.3.0 can automatically complete the merging of election locks, and then you can safely upgrade to v1.3.1.
+
+Also, *important note*, with the Release of Kubernetes v1.25 we are dropping support for the legacy branches,
+Also, *important note*, with the release of Kubernetes v1.25, we are dropping support for the legacy edition,
+that means all version <1.0.0 of the ingress-nginx-controller.
+
+## Image:
+- registry.k8s.io/ingress-nginx/controller:v1.3.1@sha256:54f7fe2c6c5a9db9a0ebf1131797109bb7a4d91f56b9b362bde2abd237dd1974
+- registry.k8s.io/ingress-nginx/controller-chroot:v1.3.1@sha256:a8466b19c621bd550b1645e27a004a5cc85009c858a9ab19490216735ac432b1
+
+
+## What's Changed
+
+_IMPORTANT CHANGES:_
+- Update to golang 1.19
+- Started migration for Data and Control Plane splits
+- Upgrade to Alpine 3.16.2
+- New kubectl plugin release workflow
+- New CVE findings template
+
+All other Changes
+- [9006](https://github.com/kubernetes/ingress-nginx/pull/9006) issue:8739 fix doc issue
+- [9003](https://github.com/kubernetes/ingress-nginx/pull/9003) Bump github/codeql-action from 2.1.21 to 2.1.22
+- [9001](https://github.com/kubernetes/ingress-nginx/pull/9001) GitHub Workflows security hardening
+- [8992](https://github.com/kubernetes/ingress-nginx/pull/8992) Bump github.com/opencontainers/runc from 1.1.3 to 1.1.4
+- [8991](https://github.com/kubernetes/ingress-nginx/pull/8991) Bump google.golang.org/grpc from 1.48.0 to 1.49.0
+- [8986](https://github.com/kubernetes/ingress-nginx/pull/8986) Bump goreleaser/goreleaser-action from 3.0.0 to 3.1.0
+- [8984](https://github.com/kubernetes/ingress-nginx/pull/8984) fixed deprecated ginkgo flags
+- [8982](https://github.com/kubernetes/ingress-nginx/pull/8982) Bump github/codeql-action from 2.1.20 to 2.1.21
+- [8981](https://github.com/kubernetes/ingress-nginx/pull/8981) Bump actions/setup-go from 3.2.1 to 3.3.0
+- [8976](https://github.com/kubernetes/ingress-nginx/pull/8976) Update apiserver to 0.25 to remove v2 go-restful
+- [8970](https://github.com/kubernetes/ingress-nginx/pull/8970) bump Golang to 1.19 #8932
+- [8969](https://github.com/kubernetes/ingress-nginx/pull/8969) fix: go-restful CVE #8745
+- [8967](https://github.com/kubernetes/ingress-nginx/pull/8967) updated to testrunnerimage with updated yamale yamllint
+- [8966](https://github.com/kubernetes/ingress-nginx/pull/8966) added note on digitalocean annotations
+- [8960](https://github.com/kubernetes/ingress-nginx/pull/8960) upgrade yamale and yamllint version
+- [8959](https://github.com/kubernetes/ingress-nginx/pull/8959) revert changes to configmap resource permissions
+- [8957](https://github.com/kubernetes/ingress-nginx/pull/8957) Bump github/codeql-action from 2.1.19 to 2.1.20
+- [8956](https://github.com/kubernetes/ingress-nginx/pull/8956) Bump azure/setup-helm from 2.1 to 3.3
+- [8954](https://github.com/kubernetes/ingress-nginx/pull/8954) Bump actions/dependency-review-action from 2.0.4 to 2.1.0
+- [8953](https://github.com/kubernetes/ingress-nginx/pull/8953) Bump aquasecurity/trivy-action from 0.5.1 to 0.7.1
+- [8952](https://github.com/kubernetes/ingress-nginx/pull/8952) Bump securego/gosec from b99b5f7838e43a4104354ad92a6a1774302ee1f9 to 2.13.1
+- [8951](https://github.com/kubernetes/ingress-nginx/pull/8951) Bump geekyeggo/delete-artifact from a6ab43859c960a8b74cbc6291f362c7fb51829ba to 1
+- [8950](https://github.com/kubernetes/ingress-nginx/pull/8950) Bump github/codeql-action from 2.1.18 to 2.1.19
+- [8948](https://github.com/kubernetes/ingress-nginx/pull/8948) updated testrunner and testecho images
+- [8946](https://github.com/kubernetes/ingress-nginx/pull/8946) Clean old code and move helper functions
+- [8944](https://github.com/kubernetes/ingress-nginx/pull/8944) Make keep-alive documentation more explicit for clarity
+- [8939](https://github.com/kubernetes/ingress-nginx/pull/8939) bump baseimage alpine to v3.16.2 for zlib CVE fix
+
+## New Contributors
+* @mtnezm made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/8817
+* @tamcore made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/8821
+* @guilhem made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/8827
+* @lilien1010 made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/8830
+* @qilongqiu made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/8855
+* @dgoffredo made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/8848
+* @Volatus made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/8859
+* @europ made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/8841
+* @mrksngl made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/7892
+* @omichels made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/8895
+* @zeeZ made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/8881
+* @mjudeikis made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/8928
+* @NissesSenap made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/8873
+* @anders-swanson made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/8665
+* @aslafy-z made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/8905
+* @harry1064 made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/8825
+* @sashashura made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9001
+* @sreelakshminarayananm made their first contribution in https://github.com/kubernetes/ingress-nginx/pull/9006
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.3.0...controller-v1.3.1
+
+### 1.3.0
+
+Image:
+- registry.k8s.io/ingress-nginx/controller:v1.3.0@sha256:d1707ca76d3b044ab8a28277a2466a02100ee9f58a86af1535a3edf9323ea1b5
+- registry.k8s.io/ingress-nginx/controller-chroot:v1.3.0@sha256:0fcb91216a22aae43b374fc2e6a03b8afe9e8c78cbf07a09d75636dc4ea3c191
+
+_IMPORTANT CHANGES:_
+* This release removes support for Kubernetes v1.19.0
+* This release adds support for Kubernetes v1.24.0
+* Starting with this release, we will need permissions on the `coordination.k8s.io/leases` resource for leaderelection lock
+
+_KNOWN ISSUES:_
+* This release reports a false positive on go-restful library that will be fixed with Kubernetes v1.25 release - Issue #8745
+
+_Changes:_
+- "[8810](https://github.com/kubernetes/ingress-nginx/pull/8810) Prepare for v1.3.0"
+- "[8808](https://github.com/kubernetes/ingress-nginx/pull/8808) revert arch var name"
+- "[8805](https://github.com/kubernetes/ingress-nginx/pull/8805) Bump k8s.io/klog/v2 from 2.60.1 to 2.70.1"
+- "[8803](https://github.com/kubernetes/ingress-nginx/pull/8803) Update to nginx base with alpine v3.16"
+- "[8802](https://github.com/kubernetes/ingress-nginx/pull/8802) chore: start v1.3.0 release process"
+- "[8798](https://github.com/kubernetes/ingress-nginx/pull/8798) Add v1.24.0 to test matrix"
+- "[8796](https://github.com/kubernetes/ingress-nginx/pull/8796) fix: add MAC_OS variable for static-check"
+- "[8793](https://github.com/kubernetes/ingress-nginx/pull/8793) changed to alpine-v3.16"
+- "[8781](https://github.com/kubernetes/ingress-nginx/pull/8781) Bump github.com/stretchr/testify from 1.7.5 to 1.8.0"
+- "[8778](https://github.com/kubernetes/ingress-nginx/pull/8778) chore: remove stable.txt from release process"
+- "[8775](https://github.com/kubernetes/ingress-nginx/pull/8775) Remove stable"
+- "[8773](https://github.com/kubernetes/ingress-nginx/pull/8773) Bump github/codeql-action from 2.1.14 to 2.1.15"
+- "[8772](https://github.com/kubernetes/ingress-nginx/pull/8772) Bump ossf/scorecard-action from 1.1.1 to 1.1.2"
+- "[8771](https://github.com/kubernetes/ingress-nginx/pull/8771) fix bullet md format"
+- "[8770](https://github.com/kubernetes/ingress-nginx/pull/8770) Add condition for monitoring.coreos.com/v1 API"
+- "[8769](https://github.com/kubernetes/ingress-nginx/pull/8769) Fix typos and add links to developer guide"
+- "[8767](https://github.com/kubernetes/ingress-nginx/pull/8767) change v1.2.0 to v1.2.1 in deploy doc URLs"
+- "[8765](https://github.com/kubernetes/ingress-nginx/pull/8765) Bump github/codeql-action from 1.0.26 to 2.1.14"
+- "[8752](https://github.com/kubernetes/ingress-nginx/pull/8752) Bump github.com/spf13/cobra from 1.4.0 to 1.5.0"
+- "[8751](https://github.com/kubernetes/ingress-nginx/pull/8751) Bump github.com/stretchr/testify from 1.7.2 to 1.7.5"
+- "[8750](https://github.com/kubernetes/ingress-nginx/pull/8750) added announcement"
+- "[8740](https://github.com/kubernetes/ingress-nginx/pull/8740) change sha e2etestrunner and echoserver"
+- "[8738](https://github.com/kubernetes/ingress-nginx/pull/8738) Update docs to make it easier for noobs to follow step by step"
+- "[8737](https://github.com/kubernetes/ingress-nginx/pull/8737) updated baseimage sha"
+- "[8736](https://github.com/kubernetes/ingress-nginx/pull/8736) set ld-musl-path"
+- "[8733](https://github.com/kubernetes/ingress-nginx/pull/8733) feat: migrate leaderelection lock to leases"
+- "[8726](https://github.com/kubernetes/ingress-nginx/pull/8726) prometheus metric: upstream_latency_seconds"
+- "[8720](https://github.com/kubernetes/ingress-nginx/pull/8720) Ci pin deps"
+- "[8719](https://github.com/kubernetes/ingress-nginx/pull/8719) Working OpenTelemetry sidecar (base nginx image)"
+- "[8714](https://github.com/kubernetes/ingress-nginx/pull/8714) Create Openssf scorecard"
+- "[8708](https://github.com/kubernetes/ingress-nginx/pull/8708) Bump github.com/prometheus/common from 0.34.0 to 0.35.0"
+- "[8703](https://github.com/kubernetes/ingress-nginx/pull/8703) Bump actions/dependency-review-action from 1 to 2"
+- "[8701](https://github.com/kubernetes/ingress-nginx/pull/8701) Fix several typos"
+- "[8699](https://github.com/kubernetes/ingress-nginx/pull/8699) fix the gosec test and a make target for it"
+- "[8698](https://github.com/kubernetes/ingress-nginx/pull/8698) Bump actions/upload-artifact from 2.3.1 to 3.1.0"
+- "[8697](https://github.com/kubernetes/ingress-nginx/pull/8697) Bump actions/setup-go from 2.2.0 to 3.2.0"
+- "[8695](https://github.com/kubernetes/ingress-nginx/pull/8695) Bump actions/download-artifact from 2 to 3"
+- "[8694](https://github.com/kubernetes/ingress-nginx/pull/8694) Bump crazy-max/ghaction-docker-buildx from 1.6.2 to 3.3.1"
+
+### 1.2.1
+
+Image:
+- k8s.gcr.io/ingress-nginx/controller:v1.2.1@sha256:5516d103a9c2ecc4f026efbd4b40662ce22dc1f824fb129ed121460aaa5c47f8
+- k8s.gcr.io/ingress-nginx/controller-chroot:v1.2.1@sha256:d301551cf62bc3fb75c69fa56f7aa1d9e87b5079333adaf38afe84d9b7439355
+
+This release removes the root and alias directives in NGINX, this can avoid some potential security attacks.
+
+_Changes:_
+
+- [8459](https://github.com/kubernetes/ingress-nginx/pull/8459) Update default allowed CORS headers
+- [8202](https://github.com/kubernetes/ingress-nginx/pull/8202) disable modsecurity on error page
+- [8178](https://github.com/kubernetes/ingress-nginx/pull/8178) Add header Host into mirror annotations
+- [8458](https://github.com/kubernetes/ingress-nginx/pull/8458) Add portNamePreffix Helm chart parameter
+- [8587](https://github.com/kubernetes/ingress-nginx/pull/8587) Add CAP_SYS_CHROOT to DS/PSP when needed
+- [8213](https://github.com/kubernetes/ingress-nginx/pull/8213) feat: always set auth cookie
+- [8548](https://github.com/kubernetes/ingress-nginx/pull/8548) Implement reporting status classes in metrics
+- [8612](https://github.com/kubernetes/ingress-nginx/pull/8612) move so files under /etc/nginx/modules
+- [8624](https://github.com/kubernetes/ingress-nginx/pull/8624) Add patch to remove root and alias directives
+- [8623](https://github.com/kubernetes/ingress-nginx/pull/8623) Improve path rule
+
+### 1.2.0
+
+Image:
+- k8s.gcr.io/ingress-nginx/controller:v1.2.0@sha256:d8196e3bc1e72547c5dec66d6556c0ff92a23f6d0919b206be170bc90d5f9185
+- k8s.gcr.io/ingress-nginx/controller-chroot:v1.2.0@sha256:fb17f1700b77d4fcc52ca6f83ffc2821861ae887dbb87149cf5cbc52bea425e5
+
+This minor version release, introduces 2 breaking changes. For the first time, an option to jail/chroot the nginx process, inside the controller container, is being introduced. This provides an additional layer of security, for sensitive information like K8S serviceaccounts. This release also brings a special new feature of deep inspection into objects. The inspection is a walk through of all the spec, checking for possible attempts to escape configs. Currently such an inspection only occurs for `networking.Ingress`.  Additionally there are fixes for the recently announced CVEs on busybox & ssl_client. And there is a fix to a recently introduced redirection related bug, that was setting the protocol on URLs to "nil".
+
+_Changes:_
+
+- [8481](https://github.com/kubernetes/ingress-nginx/pull/8481) Fix log creation in chroot script
+- [8479](https://github.com/kubernetes/ingress-nginx/pull/8479) changed nginx base img tag to img built with alpine3.14.6
+- [8478](https://github.com/kubernetes/ingress-nginx/pull/8478) update base images and protobuf gomod
+- [8468](https://github.com/kubernetes/ingress-nginx/pull/8468) Fallback to ngx.var.scheme for redirectScheme with use-forward-headers when X-Forwarded-Proto is empty
+- [8456](https://github.com/kubernetes/ingress-nginx/pull/8456) Implement object deep inspector
+- [8455](https://github.com/kubernetes/ingress-nginx/pull/8455) Update dependencies
+- [8454](https://github.com/kubernetes/ingress-nginx/pull/8454) Update index.md
+- [8447](https://github.com/kubernetes/ingress-nginx/pull/8447) typo fixing
+- [8446](https://github.com/kubernetes/ingress-nginx/pull/8446) Fix suggested annotation-value-word-blocklist
+- [8444](https://github.com/kubernetes/ingress-nginx/pull/8444) replace deprecated topology key in example with current one
+- [8443](https://github.com/kubernetes/ingress-nginx/pull/8443) Add dependency review enforcement
+- [8434](https://github.com/kubernetes/ingress-nginx/pull/8434) added new auth-tls-match-cn annotation
+- [8426](https://github.com/kubernetes/ingress-nginx/pull/8426) Bump github.com/prometheus/common from 0.32.1 to 0.33.0
+- [8417](https://github.com/kubernetes/ingress-nginx/pull/8417) force helm release to artifact hub
+- [8405](https://github.com/kubernetes/ingress-nginx/pull/8405) kubectl-plugin code overview info
+- [8399](https://github.com/kubernetes/ingress-nginx/pull/8399) Darwin arm64
+- [8443](https://github.com/kubernetes/ingress-nginx/pull/8443) Add dependency review enforcement
+- [8444](https://github.com/kubernetes/ingress-nginx/pull/8444) replace deprecated topology key in example with current one
+- [8446](https://github.com/kubernetes/ingress-nginx/pull/8446) Fix suggested annotation-value-word-blocklist
+- [8219](https://github.com/kubernetes/ingress-nginx/pull/8219) Add keepalive support for auth requests
+- [8455](https://github.com/kubernetes/ingress-nginx/pull/8455) Update dependencies
+- [8456](https://github.com/kubernetes/ingress-nginx/pull/8456) Implement object deep inspector
+- [8325](https://github.com/kubernetes/ingress-nginx/pull/8325) Fix for buggy ingress sync with retries
+- [8322](https://github.com/kubernetes/ingress-nginx/pull/8322) Improve req handling dashboard
+
 ### 1.2.0-beta.0

 **Image:**
@ -34,12 +419,18 @@ _Changes:_
 **Image:**
 - k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2

-This release upgrades Alpine to 3.14.4 and nginx to 1.19.10 
+This release upgrades Alpine to 3.14.4 and nginx to 1.19.10

 Patches [OpenSSL CVE-2022-0778](https://github.com/kubernetes/ingress-nginx/issues/8339)

 Patches [Libxml2 CVE-2022-23308](https://github.com/kubernetes/ingress-nginx/issues/8321)

+_Breaking Changes:_
+
+- https://github.com/nginx/nginx/commit/d18e066d650bff39f1705d3038804873584007af Deprecated http2_recv_timeout in favor of client_header_timeout (client-header-timeout)
+- https://github.com/nginx/nginx/commit/51fea093e4374dbd857dc437ff9588060ef56471 Deprecated http2_max_field_size (http2-max-field-size) and http2_max_header_size (http2-max-header-size) in favor of large_client_header_buffers (large-client-header-buffers)
+- https://github.com/nginx/nginx/commit/49ab3312448495f0ee8e00143a29624dde46ef5c Deprecated http2_idle_timeout and http2_max_requests (http2-max-requests) in favor of keepalive_timeout (upstream-keepalive-timeout?) and keepalive_requests (upstream-keepalive-requests?) respectively
+
 _Changes:_

 - [8415](https://github.com/kubernetes/ingress-nginx/pull/8415) base img update for e2e-test-runner & opentelemetry
@ -69,7 +460,7 @@ _Changes:_

 ### 1.1.2

-**Image:** 
+**Image:**
 - k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c

 This release bumps grpc version to 1.44.0 & runc to version 1.1.0. The release also re-introduces the ingress.class annotation, which was previously declared as deprecated. Besides that, several bug fixes and improvements are listed below.
@ -111,7 +502,7 @@ _Changes:_

 ### 1.1.1

-**Image:** 
+**Image:**
 - k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de

 This release contains several fixes and improvements. This image is now built using Go v1.17.6 and gRPC v1.43.0. See detailed list below.
@ -180,9 +571,9 @@ _Changes:_

 _Possible Breaking Change_
 We now implement string sanitization in annotation values. This means that words like "location", "by_lua" and
-others will drop the reconciliation of an Ingress object. 
+others will drop the reconciliation of an Ingress object.

-Users from mod_security and other features should be aware that some blocked values may be used by those features 
+Users from mod_security and other features should be aware that some blocked values may be used by those features
 and must be manually unblocked by the Ingress Administrator.

 For more details please check [https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#annotation-value-word-blocklist]
@ -201,7 +592,7 @@ _Changes:_
 - k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef

 _Possible Breaking Change_
-We have disabled the builtin ssl_session_cache due to possible memory fragmentation. This should not impact the majority of users, but please let us know 
+We have disabled the builtin ssl_session_cache due to possible memory fragmentation. This should not impact the majority of users, but please let us know
 if you face any problem

 _Changes:_
@ -217,7 +608,7 @@ _Changes:_
 - k8s.gcr.io/ingress-nginx/controller:v1.0.3@sha256:4ade87838eb8256b094fbb5272d7dda9b6c7fa8b759e6af5383c1300996a7452

 **Known Issues**
-* Ingress controller now (starting from v1.0.0) mandates cluster scoped access to IngressClass. This leads to problems when updating old Ingress controller to newest version, as described [here](https://github.com/kubernetes/ingress-nginx/issues/7510). We plan to fix it in v1.0.4, see [this](https://github.com/kubernetes/ingress-nginx/pull/7578). 
+* Ingress controller now (starting from v1.0.0) mandates cluster scoped access to IngressClass. This leads to problems when updating old Ingress controller to newest version, as described [here](https://github.com/kubernetes/ingress-nginx/issues/7510). We plan to fix it in v1.0.4, see [this](https://github.com/kubernetes/ingress-nginx/pull/7578).

 _New Features:_

@ -233,7 +624,7 @@ _Changes:_
 - k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049

 **Known Issues**
-* Ingress controller now (starting from v1.0.0) mandates cluster scoped access to IngressClass. This leads to problems when updating old Ingress controller to newest version, as described [here](https://github.com/kubernetes/ingress-nginx/issues/7510). We plan to fix it in v1.0.3, see [this](https://github.com/kubernetes/ingress-nginx/pull/7578). 
+* Ingress controller now (starting from v1.0.0) mandates cluster scoped access to IngressClass. This leads to problems when updating old Ingress controller to newest version, as described [here](https://github.com/kubernetes/ingress-nginx/issues/7510). We plan to fix it in v1.0.3, see [this](https://github.com/kubernetes/ingress-nginx/pull/7578).

 _New Features:_

@ -249,7 +640,7 @@ _Changes:_
 - k8s.gcr.io/ingress-nginx/controller:v1.0.1@sha256:26bbd57f32bac3b30f90373005ef669aae324a4de4c19588a13ddba399c6664e

 **Known Issues**
-* Ingress controller now (starting from v1.0.0) mandates cluster scoped access to IngressClass. This leads to problems when updating old Ingress controller to newest version, as described [here](https://github.com/kubernetes/ingress-nginx/issues/7510). We plan to fix it in v1.0.2, see [this](https://github.com/kubernetes/ingress-nginx/pull/7578). 
+* Ingress controller now (starting from v1.0.0) mandates cluster scoped access to IngressClass. This leads to problems when updating old Ingress controller to newest version, as described [here](https://github.com/kubernetes/ingress-nginx/issues/7510). We plan to fix it in v1.0.2, see [this](https://github.com/kubernetes/ingress-nginx/pull/7578).

 _New Features:_

@ -492,7 +883,7 @@ _Changes:_
  test #7255 
 - [X] [#7216](https://github.com/kubernetes/ingress-nginx/pull/7216) Admission: Skip validation checks if an ingress 
  is marked as deleted #7216
-  
+
 ### 1.0.0-beta.3
 ** This is a breaking change**

@ -1666,7 +2057,7 @@ _Breaking Changes:_

  ```
  Due to upcoming data privacy regulations, we are making significant changes to how you access free GeoLite2 databases starting December 30, 2019.
-  Learn more on our blog https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/
+  Learn more on our blog https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/
  ```

  Because of this change, it is not clear we can provide the databases directly from the docker image.
@ -1802,7 +2193,7 @@ _New Features:_

  If the active connections end before that, the pod will terminate gracefully at that time.

-  To efectively take advantage of this feature, the Configmap feature [worker-shutdown-timeout](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#worker-shutdown-timeout) new value is `240s` instead of `10s`.
+  To effectively take advantage of this feature, the Configmap feature [worker-shutdown-timeout](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#worker-shutdown-timeout) new value is `240s` instead of `10s`.

  **IMPORTANT:** this value has a side effect during reloads, consuming more memory until the old NGINX workers are replaced.

@ -2212,7 +2603,7 @@ _New Features:_
 _Breaking changes:_

 - The NGINX server listening in port 18080 was removed. It was replaced by a server using an unix socket as port [#3684](https://github.com/kubernetes/ingress-nginx/pull/3684)
-  This server was internal to the ingress controller. In case this was being acceded from the outside, you can restore the old server using the `http-snipet` feature in the configuration configmap like:
+  This server was internal to the ingress controller. In case this was being acceded from the outside, you can restore the old server using the `http-snippet` feature in the configuration configmap like:

  ```yaml
  http-snippet: |
--- a/1
+++ b/1
@ -0,0 +1 @@
+1.23.6
--- a/MANUAL_RELEASE.md
+++ b/MANUAL_RELEASE.md
@ -89,11 +89,11 @@ Promoting the images basically means that images, that were pushed to staging co

  - The sha is also visible here https://console.cloud.google.com/gcr/images/k8s-staging-ingress-nginx/global/controller

-  - The sha is also visible [here]((https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*)), after cloud build is finished. Click on the respective job, go to `Artifacts` section in the UI, then again `artifacts` in the directory browser. In the `build.log` at the very bottom you see something like this:
+  - The sha is also visible [here](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), after cloud build is finished. Click on the respective job, go to `Artifacts` section in the UI, then again `artifacts` in the directory browser. In the `build.log` at the very bottom you see something like this:

  ```
  ...
-  pushing manifest for gcr.io/k8s-staging-ingress-nginx/controller:v1.0.2@sha256:e15fac6e8474d77e1f017edc33d804ce72a184e3c0a30963b2a0d7f0b89f6b16
+  pushing manifest for us-central1-docker.pkg.dev/k8s-staging-images/ingress-nginx/controller:v1.0.2@sha256:e15fac6e8474d77e1f017edc33d804ce72a184e3c0a30963b2a0d7f0b89f6b16
  ...
  ```

@ -103,17 +103,17 @@ Promoting the images basically means that images, that were pushed to staging co

 - Fork that other project (if you don't have a fork already).

- Other project to fork  [Github repo kubernetes/k8s.io](http://github.com/kubernetes/k8s.io)
+- Other project to fork  [GitHub repo kubernetes/k8s.io](http://github.com/kubernetes/k8s.io)

 - Fetch --all and rebase to upstream if already forked.

 - Create a branch in your fork, named as the issue number for this release

- In the related branch, of your fork, edit the file /k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml.
+- In the related branch, of your fork, edit the file /registry.k8s.io/images/k8s-staging-ingress-nginx/images.yaml.

- For making it easier, you can edit your branch directly in the browser. But be careful about making any mistake.
+- For making, it easier, you can edit your branch directly in the browser. But be careful about making any mistake.

- Insert the sha(s) & the tag(s), in a new line, in this file [Project kubernetes/k8s.io Ingress-Nginx-Controller Images](https://github.com/kubernetes/k8s.io/blob/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml)  Look at this [example PR and the diff](https://github.com/kubernetes/k8s.io/pull/2536) to see how it was done before
+- Insert the sha(s) & the tag(s), in a new line, in this file [Project kubernetes/k8s.io Ingress-Nginx-Controller Images](https://github.com/kubernetes/k8s.io/blob/main/registry.k8s.io/images/k8s-staging-ingress-nginx/images.yaml)  Look at this [example PR and the diff](https://github.com/kubernetes/k8s.io/pull/2536) to see how it was done before

 - Save and commit

@ -132,7 +132,7 @@ Promoting the images basically means that images, that were pushed to staging co

 - Make sure to get the tag and sha of the promoted image from the step before, either from cloudbuild or from [here](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/ingress-nginx/controller).

- This involves editing of several different files. So carefully follow the steps below and double check all changes with diff/grep etc., repeatedly. Mistakes here impact endusers.
+- This involves editing of several files. So carefully follow the steps below and double check all changes with diff/grep etc., repeatedly. Mistakes here impact endusers.

 ### a. Make sure your git workspace is ready

@ -160,7 +160,7 @@ Promoting the images basically means that images, that were pushed to staging co
  - [TAG](https://github.com/kubernetes/ingress-nginx/blob/main/TAG#L1)

 ### c. Edit the helm Chart
-  - Change the below mentioned [Fields in Chart.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/Chart.yaml)
+  - Change the below-mentioned [Fields in Chart.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/Chart.yaml)
    - version
    - appVersion
    - kubeVersion (**ONLY if applicable**)
@ -168,30 +168,30 @@ Promoting the images basically means that images, that were pushed to staging co
      - artifacthub.io/prerelease: "true"
      - artifacthub.io/changes: |
        - Replace this line and other lines under this annotation with the Changelog. One process to generate the Changelog is described below
-          - Install and configure github cli as per the docs of gh-cli  https://cli.github.com/,
+          - Install and configure GitHub cli as per the docs of gh-cli  https://cli.github.com/,
          - Change dir to your clone, of your fork, of the ingress-nginx project
          - Run the below command and save the output to a txt file

            ```
-            gh pr list -s merged -L 38 -B main | cut -f1,2 > ~/tmp/prlist.txt
+            gh pr list -R kubernetes/ingress-nginx -s merged -L 38 -B main | cut -f1,2 | tee ~/Downloads/prlist.txt
            ```
            - The -L 38 was used for 2 reasons.
-              - Default number of results is 30 and there were more than 30 PRs merged while releasing v1.1.1.
-              -  The other reason to use -L 38 was to ommit the 39th, the 40th and the 41st line in the resulting list. These were non-relevant PRs.
+              - Default number of results is 30 and there were more than 30 PRs merged while releasing v1.1.1. If you see the current/soon-to-be-old changelog, you can look at the most recent PR number that has been accounted for already, and start from after that last accounted for PR.
+              -  The other reason to use -L 38 was to omit the 39th, the 40th and the 41st line in the resulting list. These were non-relevant PRs.
            - If you save the output of above command to a file called prlist.txt. It looks somewhat like this ;

              ```
-              % cat ~/Downloads/prlist.txt 
+              % cat ~/Downloads/prlist.txt
              8129    fix syntax in docs for multi-tls example
              8120    Update go in runner and release v1.1.1
              8119    Update to go v1.17.6
              8118    Remove deprecated libraries, update other libs
              8117    Fix codegen errors
-              8115    chart/ghaction: set the correct permission to have access to push a release 
+              8115    chart/ghaction: set the correct permission to have access to push a release
              ....
              ```
-              You can delete the lines, that refer to PRs of the release process itself. We only need to list the feature/bugfix PRs.
-          - Now you use some easy automation in bash/python/other, to get the PR-List that can be used in the changelog. For example, its possible to use a bash scripty way, seen below, to convert those plaintext PR numbers into clickable links. 
+              You can delete the lines, that refer to PRs of the release process itself. We only need to list the feature/bugfix PRs. You can also delete the lines that are housekeeping or not really worth mentioning in the changelog.
+          -  you use some easy automation in bash/python/other, to get the PR-List that can be used in the changelog. For example, it's possible to use a bash scripty way, seen below, to convert those plaintext PR numbers into clickable links.

            ```
            #!/usr/bin/bash
@ -204,27 +204,40 @@ Promoting the images basically means that images, that were pushed to staging co
              echo "[$pr_num](https://github.com/kubernetes/ingress-nginx/pull/$pr_num) $pr_title"
            done <$file

+            ```
+          - There was a parsing issue and path issue on MacOS, so above script had to be modified and MacOS monterey compatible script is below ;
+
+            ```
+            #!/bin/bash
+
+            file="$1"
+
+            while read -r line; do
+              pr_num=`echo "$line" | cut -f1`
+              pr_title=`echo "$line" | cut -f2`
+              echo \""[$pr_num](https://github.com/kubernetes/ingress-nginx/pull/$pr_num) $pr_title"\"
+            done <$file
+
            ```
          - If you saved the bash script content above, in a file like `$HOME/bin/prlist_to_changelog.sh`, then you could execute a command like this to get your prlist in a text file called changelog_content.txt;`

          ```
-          prlist_to_changelog.sh prlist.txt > /tmp/changelog_content.txt`
+          prlist_to_changelog.sh ~/Downloads/prlist.txt | tee ~/Downloads//changelog_content.txt
          ```

 ### d. Edit the values.yaml and run helm-docs
+
  - [Fields to edit in values.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml)

    - tag
    - digest

-  - [helm-docs](https://github.com/norwoodj/helm-docs) is a tool that generates the README.md for a helm-chart automatically. In the CI pipeline workflow of github actions (/.github/workflows/ci.yaml), you can see how helm-docs is used. But the CI pipeline is not designed to make commits back into the project. So we need to run helm-docs manually, and check in the resulting autogenerated README.md at the path /charts/ingress-nginx/README.md 
+  - [helm-docs](https://github.com/norwoodj/helm-docs) is a tool that generates the README.md for a Helm chart automatically. In the CI pipeline workflow of GitHub actions (.github/workflows/ci.yaml), you can see how helm-docs is used. The CI pipeline is not designed to make commits back into the project, so we need to run helm-docs manually and commit the resulting generated README.md. You can obtain a recent version of the helm-docs binary here: https://github.com/norwoodj/helm-docs/releases.
    ```
-          GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.6.0
-          ./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts
-          git diff --exit-code
-          rm -f ./helm-docs
+    helm-docs --chart-search-root charts
+    git diff charts/ingress-nginx/README.md
    ```
-    Watchout for mistakes like leaving the helm-docs executable in your clone workspace or not checking the new README.md manually etc.
+    Take care of not leaving the helm-docs executable in your clone workspace or not committing the new README.md.

 ### e. Edit the static manifests

@ -247,7 +260,7 @@ Promoting the images basically means that images, that were pushed to staging co
  - the "Description"
  - the "PRs list"
 - Look at the previous content to understand what the 3 components look like.
- You can easily get the "Image" from a yaml manifest but be sure to look at a manifest in your git clone now and not the upstream on github. This is because, if you are following this documentation, then you generated manifests with new updated digest for the image, in step 4e above. You also most likely promoted the new image in a step above. Look at the previous release section in Changelog.md. The format looks like `k8s.gcr.io/ingress-nginx/controller:.......`. One example of a yaml file to look at is /deploy/static/provider/baremetal/deploy.yaml (in your git clone branch and not on the upstream).
+- You can easily get the "Image" from a yaml manifest but be sure to look at a manifest in your git clone now and not the upstream on github. This is because, if you are following this documentation, then you generated manifests with new updated digest for the image, in step 4e above. You also most likely promoted the new image in a step above. Look at the previous release section in Changelog.md. The format looks like `registry.k8s.io/ingress-nginx/controller:.......`. One example of a yaml file to look at is /deploy/static/provider/baremetal/deploy.yaml (in your git clone branch and not on the upstream).
 - Next, you need to have a good overview of the changes introduced in this release and based on that you write a description. Look at previous descriptions. Ask the ingress-nginx-dev channel if required.
 - And then you need to add a list of the PRs merged, since the previous release.
 - One process to generate this list of PRs is already described above in step 4c. So if you are following this document, then you have done this already and very likely have retained the file containing the list of PRs, in the format that is needed.
@ -256,14 +269,11 @@ Promoting the images basically means that images, that were pushed to staging co

 - Update the version in [docs/deploy/index.md](docs/deploy/index.md)
 - Update Supported versions in the Support Versions table in the README.md
+- Execute the script to update e2e docs [hack/generate-e2e-suite-doc.sh](https://github.com/kubernetes/ingress-nginx/blob/main/hack/generate-e2e-suite-doc.sh)

-### h. Edit stable.txt
+### h. Update README.md

- Edit the [stable.txt](stable.txt) file(if applicable), in the root of the repo, to reflect the release to be created
- Criteria is a release that has been GA for a while but reported issues are not bugs but mostly /kind support or feature
-
-### i. Update README.md
- Update the table in README.md in the root of the projet to reflect the support matrix. Add the new release version and details in there.
+- Update the table in README.md in the root of the project to reflect the support matrix. Add the new release version and details in there.

 ## 5. RELEASE new version

@ -280,7 +290,7 @@ Promoting the images basically means that images, that were pushed to staging co
 - `helm repo update`
 - `helm search repo ingress-nginx`

-## 6. Github release
+## 6. GitHub release

 - Release to github

--- a/121
+++ b/121
@ -29,9 +29,14 @@ SHELL=/bin/bash -o pipefail -o errexit
 # Use the 0.0 tag for testing, it shouldn't clobber any release builds
 TAG ?= $(shell cat TAG)

+# The env below is called GO_VERSION and not GOLANG_VERSION because 
+# the gcb image we use to build already defines GOLANG_VERSION and is a 
+# really old version
+GO_VERSION ?= $(shell cat GOLANG_VERSION)
+
 # e2e settings
 # Allow limiting the scope of the e2e tests. By default run everything
-FOCUS ?= .*
+FOCUS ?=
 # number of parallel test
 E2E_NODES ?= 7
 # run e2e test suite with tests that check for memory leaks? (default is false)
@ -53,9 +58,9 @@ ifneq ($(PLATFORM),)
 	PLATFORM_FLAG="--platform"
 endif

-REGISTRY ?= gcr.io/k8s-staging-ingress-nginx
+REGISTRY ?= us-central1-docker.pkg.dev/k8s-staging-images/ingress-nginx

-BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:5402d35663917ccbbf77ff48a22b8c6f77097f48@sha256:ec8a104df307f5c6d68157b7ac8e5e1e2c2f0ea07ddf25bb1c6c43c67e351180
+BASE_IMAGE ?= $(shell cat NGINX_BASE)

 GOARCH=$(ARCH)

@ -65,7 +70,7 @@ help:  ## Display this help
 .PHONY: image
 image: clean-image ## Build image for a particular arch.
 	echo "Building docker image ($(ARCH))..."
-	@docker build \
+	docker build \
 		${PLATFORM_FLAG} ${PLATFORM} \
 		--no-cache \
 		--build-arg BASE_IMAGE="$(BASE_IMAGE)" \
@ -75,17 +80,21 @@ image: clean-image ## Build image for a particular arch.
 		--build-arg BUILD_ID="$(BUILD_ID)" \
 		-t $(REGISTRY)/controller:$(TAG) rootfs

+.PHONY: gosec
+gosec:
+	docker run --rm -it -w /source/ -v "$(pwd)"/:/source securego/gosec:2.11.0 -exclude=G109,G601,G104,G204,G304,G306,G307 -tests=false -exclude-dir=test -exclude-dir=images/  -exclude-dir=docs/ /source/...
+
 .PHONY: image-chroot
 image-chroot: clean-chroot-image ## Build image for a particular arch.
 	echo "Building docker image ($(ARCH))..."
-	@docker build \
+	docker build \
 		--no-cache \
 		--build-arg BASE_IMAGE="$(BASE_IMAGE)" \
 		--build-arg VERSION="$(TAG)" \
 		--build-arg TARGETARCH="$(ARCH)" \
 		--build-arg COMMIT_SHA="$(COMMIT_SHA)" \
 		--build-arg BUILD_ID="$(BUILD_ID)" \
-		-t $(REGISTRY)/controller-chroot:$(TAG) rootfs -f rootfs/Dockerfile.chroot
+		-t $(REGISTRY)/controller-chroot:$(TAG) rootfs -f rootfs/Dockerfile-chroot

 .PHONY: clean-image
 clean-image: ## Removes local image
@ -101,64 +110,80 @@ clean-chroot-image: ## Removes local image

 .PHONY: build
 build:  ## Build ingress controller, debug tool and pre-stop hook.
-	@build/run-in-docker.sh \
+	E2E_IMAGE=golang:$(GO_VERSION)-alpine3.21 USE_SHELL=/bin/sh build/run-in-docker.sh \
+		MAC_OS=$(MAC_OS) \
 		PKG=$(PKG) \
 		ARCH=$(ARCH) \
 		COMMIT_SHA=$(COMMIT_SHA) \
 		REPO_INFO=$(REPO_INFO) \
 		TAG=$(TAG) \
-		GOBUILD_FLAGS=$(GOBUILD_FLAGS) \
 		build/build.sh

-.PHONY: build-plugin
-build-plugin:  ## Build ingress-nginx krew plugin.
-	@build/run-in-docker.sh \
-		PKG=$(PKG) \
-		ARCH=$(ARCH) \
-		COMMIT_SHA=$(COMMIT_SHA) \
-		REPO_INFO=$(REPO_INFO) \
-		TAG=$(TAG) \
-		GOBUILD_FLAGS=$(GOBUILD_FLAGS) \
-		build/build-plugin.sh

 .PHONY: clean
 clean: ## Remove .gocache directory.
 	rm -rf bin/ .gocache/ .cache/

+.PHONY: verify-docs
+verify-docs: ## Verify doc generation
+	hack/verify-annotation-docs.sh
+
 .PHONY: static-check
 static-check: ## Run verification script for boilerplate, codegen, gofmt, golint, lualint and chart-lint.
 	@build/run-in-docker.sh \
+	    MAC_OS=$(MAC_OS) \
 		hack/verify-all.sh

+.PHONY: golint-check
+golint-check:
+	@build/run-in-docker.sh \
+	    MAC_OS=$(MAC_OS) \
+		hack/verify-golint.sh
+
+###############################
+# Tests for ingress-nginx
+###############################
+
 .PHONY: test
 test:  ## Run go unit tests.
 	@build/run-in-docker.sh \
 		PKG=$(PKG) \
+		MAC_OS=$(MAC_OS) \
 		ARCH=$(ARCH) \
 		COMMIT_SHA=$(COMMIT_SHA) \
 		REPO_INFO=$(REPO_INFO) \
 		TAG=$(TAG) \
-		GOBUILD_FLAGS=$(GOBUILD_FLAGS) \
-		build/test.sh
+		GOFLAGS="-buildvcs=false" \
+		test/test.sh

 .PHONY: lua-test
 lua-test: ## Run lua unit tests.
 	@build/run-in-docker.sh \
-		BUSTED_ARGS=$(BUSTED_ARGS) \
-		build/test-lua.sh
+		MAC_OS=$(MAC_OS) \
+		test/test-lua.sh

 .PHONY: e2e-test
 e2e-test:  ## Run e2e tests (expects access to a working Kubernetes cluster).
-	@build/run-e2e-suite.sh
+	@test/e2e/run-e2e-suite.sh
+
+.PHONY: kind-e2e-test
+kind-e2e-test:  ## Run e2e tests using kind.
+	@test/e2e/run-kind-e2e.sh
+
+.PHONY: kind-e2e-chart-tests
+kind-e2e-chart-tests: ## Run helm chart e2e tests
+	@test/e2e/run-chart-test.sh

 .PHONY: e2e-test-binary
 e2e-test-binary:  ## Build binary for e2e tests.
 	@build/run-in-docker.sh \
+		MAC_OS=$(MAC_OS) \
 		ginkgo build ./test/e2e

 .PHONY: print-e2e-suite
 print-e2e-suite: e2e-test-binary ## Prints information about the suite of e2e tests.
 	@build/run-in-docker.sh \
+		MAC_OS=$(MAC_OS) \
 		hack/print-e2e-suite.sh

 .PHONY: vet
@ -181,14 +206,19 @@ dev-env:  ## Starts a local Kubernetes cluster using kind, building and deployin
 dev-env-stop: ## Deletes local Kubernetes cluster created by kind.
 	@kind delete cluster --name ingress-nginx-dev

+
+
 .PHONY: live-docs
 live-docs: ## Build and launch a local copy of the documentation website in http://localhost:8000
-	@docker build ${PLATFORM_FLAG} ${PLATFORM} -t ingress-nginx-docs .github/actions/mkdocs
+	@docker build ${PLATFORM_FLAG} ${PLATFORM} \
+                  		--no-cache \
+                  		 -t ingress-nginx-docs .github/actions/mkdocs
 	@docker run ${PLATFORM_FLAG} ${PLATFORM} --rm -it \
 		-p 8000:8000 \
 		-v ${PWD}:/docs \
-		--entrypoint mkdocs \
-		ingress-nginx-docs serve --dev-addr=0.0.0.0:8000
+		--entrypoint /bin/bash   \
+		ingress-nginx-docs \
+		-c "pip install -r /docs/docs/requirements.txt && mkdocs serve --dev-addr=0.0.0.0:8000"

 .PHONY: misspell
 misspell:  ## Check for spelling errors.
@ -198,14 +228,6 @@ misspell:  ## Check for spelling errors.
 		-error \
 		cmd/* internal/* deploy/* docs/* design/* test/* README.md

-.PHONY: kind-e2e-test
-kind-e2e-test:  ## Run e2e tests using kind.
-	@test/e2e/run.sh
-
-.PHONY: kind-e2e-chart-tests
-kind-e2e-chart-tests: ## Run helm chart e2e tests
-	@test/e2e/run-chart-test.sh
-
 .PHONY: run-ingress-controller
 run-ingress-controller: ## Run the ingress controller locally using a kubectl proxy connection.
 	@build/run-ingress-controller.sh
@ -218,36 +240,43 @@ ensure-buildx:
 show-version:
 	echo -n $(TAG)

-PLATFORMS ?= amd64 arm arm64 s390x
-
-EMPTY :=
-SPACE := $(EMPTY) $(EMPTY)
-COMMA := ,
+PLATFORMS ?= amd64 arm arm64
+BUILDX_PLATFORMS ?= linux/amd64,linux/arm,linux/arm64

 .PHONY: release # Build a multi-arch docker image
 release: ensure-buildx clean
 	echo "Building binaries..."
 	$(foreach PLATFORM,$(PLATFORMS), echo -n "$(PLATFORM)..."; ARCH=$(PLATFORM) make build;)

-	echo "Building and pushing ingress-nginx image..."
-	@docker buildx build \
+	echo "Building and pushing ingress-nginx image...$(BUILDX_PLATFORMS)"
+
+	docker buildx build \
 		--no-cache \
+		$(MAC_DOCKER_FLAGS) \
 		--push \
+		--pull \
 		--progress plain \
-		--platform $(subst $(SPACE),$(COMMA),$(PLATFORMS)) \
+		--platform $(BUILDX_PLATFORMS) \
 		--build-arg BASE_IMAGE="$(BASE_IMAGE)" \
 		--build-arg VERSION="$(TAG)" \
 		--build-arg COMMIT_SHA="$(COMMIT_SHA)" \
 		--build-arg BUILD_ID="$(BUILD_ID)" \
 		-t $(REGISTRY)/controller:$(TAG) rootfs
-	
-	@docker buildx build \
+
+	docker buildx build \
 		--no-cache \
+		$(MAC_DOCKER_FLAGS) \
 		--push \
+		--pull \
 		--progress plain \
-		--platform $(subst $(SPACE),$(COMMA),$(PLATFORMS)) \
+		--platform $(BUILDX_PLATFORMS)  \
 		--build-arg BASE_IMAGE="$(BASE_IMAGE)" \
 		--build-arg VERSION="$(TAG)" \
 		--build-arg COMMIT_SHA="$(COMMIT_SHA)" \
 		--build-arg BUILD_ID="$(BUILD_ID)" \
-		-t $(REGISTRY)/controller-chroot:$(TAG) rootfs -f rootfs/Dockerfile.chroot
+		-t $(REGISTRY)/controller-chroot:$(TAG) rootfs -f rootfs/Dockerfile-chroot
+
+.PHONY: build-docs
+build-docs:
+	pip install -r docs/requirements.txt
+	mkdocs build --config-file mkdocs.yml
--- a/NEW_CONTRIBUTOR.md
+++ b/NEW_CONTRIBUTOR.md
@ -0,0 +1,852 @@
+## New Contributor Tips
+
+Welcome to the Ingress Nginx new contributor tips.
+This guide briefly outlines the necessary knowledge & tools, required to start working on Ingress-NGINX Issues.
+
+### Prerequisites
+- Basic understanding of linux
+- Familiarity with the command line on linux
+- OSI Model(Links below)
+
+### Introduction
+It all starts with the OSI model...
+> The Open Systems Interconnection (OSI) model describes seven layers that computer systems use to communicate over a network. It was the first standard model for network communications, adopted by all major computer and telecommunication companies
+
+![Describes the 7 Layers of the OSI Model](https://i.imgur.com/qF0KjBq.png)
+
+#### Reading material for OSI Model
+[OSI Model CertificationKits](https://www.certificationkits.com/cisco-certification/cisco-ccna-640-802-exam-certification-guide/cisco-ccna-the-osi-model/)
+
+### Approaching the problem
+
+
+Not everybody knows everything. But the factors that help are a love/passion for this to begin. But to move forward, it's the approach and not the knowledge that sustains prolonged joy, while working on issues. If the approach is simple and powered by good-wishes-for-community, then info & tools are forthcoming and easy.
+
+Here we take a bird's eye-view of the hops in the network plumbing, that a packet takes, from source to destination, when we run `curl`, from a laptop to a nginx webserver process, running in a container, inside a pod, inside a Kubernetes cluster, created using `kind` or `minikube` or any other cluster-management tool.
+
+### [Kind](https://kind.sigs.k8s.io/) cluster example on a Linux Host
+
+#### TL;DR
+The destination of the packet from the curl command, is looked up, in the `routing table`. Based on the route, the packet first travels to the virtual bridge `172.18.0.1` interface, created by docker, when we created the kind cluster on a laptop. Next the packet is forwarded to `172.18.0.2`(See below on how we got this IP address), within the kind cluster. The `kube-proxy` container creates iptables rules that make sure the packet goes to the correct pod ip in this case `10.244.0.5`
+
+Command:
+```
+# docker ps
+CONTAINER ID   IMAGE                  COMMAND                  CREATED       STATUS          PORTS                       NAMES
+230e7246a32c   kindest/node:v1.24.1   "/usr/local/bin/entr…"   2 weeks ago   Up 54 seconds   127.0.0.1:38143->6443/tcp   kind-control-plane
+
+# docker inspect kind-control-plane -f '{{ .NetworkSettings.Networks.kind.IPAddress }}'
+172.18.0.2
+
+```
+
+
+
+If this part is confusing, you would first need to understand what a [bridge](https://tldp.org/HOWTO/BRIDGE-STP-HOWTO/what-is-a-bridge.html) is and what [docker network](https://docs.docker.com/network/) is.
+
+
+
+#### The journey of a curl packet.
+Let's begin with creating a [Kind](https://kind.sigs.k8s.io/docs/user/quick-start/) Cluster on your laptop
+```
+# kind create cluster
+```
+This will create a cluster called `kind`, to view the clusters type
+```
+# kind get clusters                                                                                                                              
+kind
+```
+Kind ships with `kubectl`, so we can use that to communicate with our clusters.
+```
+# kubectl get no -o wide                                                                                                                             
+NAME                 STATUS   ROLES           AGE     VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE       KERNEL-VERSION    CONTAINER-RUNTIME
+kind-control-plane   Ready    control-plane   5d23h   v1.24.1   172.18.0.2    <none>        Ubuntu 21.10   5.18.12-arch1-1   containerd://1.6.4
+```
+Kind creates  a cluster using docker container as nodes, it does this using [containerd](https://containerd.io/) within the docker container.
+The concept of Docker in Docker is very important here.
+
+To start with simply create a nginx deployment using `kubectl`.
+```
+# kubectl create deployment nginx --image nginx:alpine --port=80
+deployment.apps/nginx created
+```
+Then we expose this as a NodePort Service.
+```
+# kubectl expose deployment/nginx --type=NodePort
+service/nginx-new exposed
+```
+Command: Now we can see that the service has been exposed.
+```
+# kubectl get svc -o wide
+NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE     SELECTOR
+nginx          NodePort    10.96.176.241   <none>        80:32329/TCP   4d8h    app=nginx
+```
+Output Relevance: From the above output, we can see that our nginx pod is being exposed as the `NodePort` service type, and now we can curl the Node IP `172.18.0.2` with the exposed port `32329`
+
+Command: The pod has an IP as shown below
+```
+# kubectl get po -o wide                                                                                                                            
+NAME                               READY   STATUS    RESTARTS      AGE     IP            NODE                 NOMINATED NODE   READINESS GATES
+nginx-6c8b449b8f-pdvdk             1/1     Running   1 (32h ago)   4d8h    10.244.0.5    kind-control-plane   <none>           <none>
+```
+
+Command: We can use `curl` on the laptop to view the nginx container that is running on port `32329`.
+
+```
+# curl  172.18.0.2:32329
+
+<!DOCTYPE html>
+<html>
+<head>
+<title>Welcome to nginx!</title>
+<style>
+html { color-scheme: light dark; }
+body { width: 35em; margin: 0 auto;
+font-family: Tahoma, Verdana, Arial, sans-serif; }
+</style>
+</head>
+<body>
+<h1>Welcome to nginx!</h1>
+<p>If you see this page, the nginx web server is successfully installed and
+working. Further configuration is required.</p>
+
+<p>For online documentation and support please refer to
+<a href="http://nginx.org/">nginx.org</a>.<br/>
+Commercial support is available at
+<a href="http://nginx.com/">nginx.com</a>.</p>
+
+<p><em>Thank you for using nginx.</em></p>
+</body>
+</html>
+```
+Now, we can check the ip interfaces as well subnets for our system is connected to:
+
+```
+$ ifconfig
+ethbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
+        inet 192.168.31.9  netmask 255.255.255.0  broadcast 192.168.31.255
+        inet6 fe80::7530:9ae5:3e8d:e45a  prefixlen 64  scopeid 0x20<link>
+        ether 2e:90:b3:e8:52:5b  txqueuelen 1000  (Ethernet)
+        RX packets 31220566  bytes 44930589084 (41.8 GiB)
+        RX errors 0  dropped 0  overruns 0  frame 0
+        TX packets 18104006  bytes 1757183680 (1.6 GiB)
+        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+
+br-2fffe5cd5d9e: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
+        inet 172.18.0.1  netmask 255.255.0.0  broadcast 172.18.255.255
+        inet6 fc00:f853:ccd:e793::1  prefixlen 64  scopeid 0x0<global>
+        inet6 fe80::42:12ff:fed3:8fb0  prefixlen 64  scopeid 0x20<link>
+        inet6 fe80::1  prefixlen 64  scopeid 0x20<link>
+        ether 02:42:12:d3:8f:b0  txqueuelen 0  (Ethernet)
+        RX packets 3547  bytes 414792 (405.0 KiB)
+        RX errors 0  dropped 0  overruns 0  frame 0
+        TX packets 6267  bytes 8189931 (7.8 MiB)
+        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
+        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
+        inet6 fe80::42:a2ff:fe09:5edb  prefixlen 64  scopeid 0x20<link>
+        ether 02:42:a2:09:5e:db  txqueuelen 0  (Ethernet)
+        RX packets 14  bytes 2143 (2.0 KiB)
+        RX errors 0  dropped 0  overruns 0  frame 0
+        TX packets 40  bytes 6406 (6.2 KiB)
+        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+```
+From the above output we can see that, there are two bridges connected to our systems network interface,one is the docker default bridge`docker0` and the other created by kind
+`br-2fffe5cd5d9e`.
+
+Since kind creates nodes as containers, this is easily accessible via `docker ps`.
+```
+$ docker ps
+
+CONTAINER ID   IMAGE                  COMMAND                  CREATED      STATUS        PORTS                       NAMES
+230e7246a32c   kindest/node:v1.24.1   "/usr/local/bin/entr…"   6 days ago   Up 33 hours   127.0.0.1:38143->6443/tcp   kind-control-plane
+```
+If we do a docker `exec` we can enter the container, we can also see the network interfaces within the container.
+```
+# docker exec -it 230e7246a32c bash
+
+# root@kind-control-plane:/# ip a
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+    inet 127.0.0.1/8 scope host lo
+       valid_lft forever preferred_lft forever
+    inet6 ::1/128 scope host
+       valid_lft forever preferred_lft forever
+2: vethdb0d1da1@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether a2:a1:ce:08:d2:39 brd ff:ff:ff:ff:ff:ff link-netns cni-ddc25710-030a-cc05-c600-5a183fae01f7
+    inet 10.244.0.1/32 scope global vethdb0d1da1
+       valid_lft forever preferred_lft forever
+3: veth4d76603f@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether 9a:9b:6b:3e:d1:53 brd ff:ff:ff:ff:ff:ff link-netns cni-f2270000-8fc8-6f89-e56b-4759ae10a084
+    inet 10.244.0.1/32 scope global veth4d76603f
+       valid_lft forever preferred_lft forever
+4: vethcc2586d6@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether 52:f9:20:63:62:a2 brd ff:ff:ff:ff:ff:ff link-netns cni-97e337cd-1322-c1fa-7523-789af94f397f
+    inet 10.244.0.1/32 scope global vethcc2586d6
+       valid_lft forever preferred_lft forever
+5: veth783189a9@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether ba:e1:55:1f:6f:12 brd ff:ff:ff:ff:ff:ff link-netns cni-90849001-668a-03d2-7d9e-192de79ccc59
+    inet 10.244.0.1/32 scope global veth783189a9
+       valid_lft forever preferred_lft forever
+6: veth79c98c12@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether 22:05:55:c7:86:e9 brd ff:ff:ff:ff:ff:ff link-netns cni-734dfac9-9f70-ab33-265b-21569d90312a
+    inet 10.244.0.1/32 scope global veth79c98c12
+       valid_lft forever preferred_lft forever
+7: veth5b221c83@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether 92:3f:04:54:72:5a brd ff:ff:ff:ff:ff:ff link-netns cni-d8f6666b-1cfb-ef08-4bf8-237a7fc32da2
+    inet 10.244.0.1/32 scope global veth5b221c83
+       valid_lft forever preferred_lft forever
+8: vethad630fb8@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether 32:78:ec:f6:01:ea brd ff:ff:ff:ff:ff:ff link-netns cni-6cb3c179-cb17-3b81-2051-27231c44a3c4
+    inet 10.244.0.1/32 scope global vethad630fb8
+       valid_lft forever preferred_lft forever
+9: veth573a629b@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether e2:57:f8:c9:bc:94 brd ff:ff:ff:ff:ff:ff link-netns cni-d2dbb903-8310-57b4-7ba4-9f353dbc79dc
+    inet 10.244.0.1/32 scope global veth573a629b
+       valid_lft forever preferred_lft forever
+10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
+    inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0
+       valid_lft forever preferred_lft forever
+    inet6 fc00:f853:ccd:e793::2/64 scope global nodad
+       valid_lft forever preferred_lft forever
+    inet6 fe80::42:acff:fe12:2/64 scope link
+       valid_lft forever preferred_lft forever
+11: vethd7368e27@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether 8a:74:ec:f6:d6:c9 brd ff:ff:ff:ff:ff:ff link-netns cni-7c7eb9cd-bbb1-65b0-0480-b8f1265f2f36
+    inet 10.244.0.1/32 scope global vethd7368e27
+       valid_lft forever preferred_lft forever
+12: veth7cadbf2b@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether 12:48:10:b7:b8:f5 brd ff:ff:ff:ff:ff:ff link-netns cni-b39e37b5-1bc8-626a-a553-a0be2f94a117
+    inet 10.244.0.1/32 scope global veth7cadbf2b
+       valid_lft forever preferred_lft forever
+
+```
+When we run `curl  172.18.0.2:32329` on the laptop it first needs to figure out where `172.18.0.2`, to do this it refers to the host routing table.
+```
+sudo netstat -rn                                                                                                                           main 
+Kernel IP routing table
+Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
+0.0.0.0         192.168.31.1    0.0.0.0         UG        0 0          0 ethbr0
+172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
+172.18.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-2fffe5cd5d9e
+172.19.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-be5b544733a3
+192.168.31.0    0.0.0.0         255.255.255.0   U         0 0          0 ethbr0
+192.168.31.0    0.0.0.0         255.255.255.0   U         0 0          0 ethbr0
+192.168.39.0    0.0.0.0         255.255.255.0   U         0 0          0 virbr2
+192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0
+```
+Output Relevance: From the above output, you can see that the `iface`(Interface) for `172.18.0.0` is `br-2fffe5cd5d9e`, which means traffic that needs to go to `172.18.0.0` will go through `br-2fffe5cd5d9e` which is created by docker for the kind container (this is the node in case of kind cluster).
+
+Now we need to understand how the packet travels from the container interface to the pod with IP `10.244.0.5`. The component that handles this is called kube-proxy
+
+So what exactly is [kube-proxy](https://kubernetes.io/docs/concepts/overview/components/#kube-proxy):
+> Kube-Proxy is a network proxy that runs on each node in your cluster, implementing part of the Kubernetes Service concept.
+kube-proxy maintains network rules on nodes. These network rules allow network communication to your Pods from network sessions inside or outside of your cluster
+
+So, as we can see that kube proxy handles the network rules required to aid the communication to the pods, we will look at the [iptables](https://linux.die.net/man/8/iptables)
+> `iptables` is a command line interface used to set up and maintain tables for the Netfilter firewall for IPv4, included in the Linux kernel. The firewall matches packets with rules defined in these tables and then takes the specified action on a possible match. Tables is the name for a set of chains
+
+Command:
+```
+# iptables -t nat -L PREROUTING -n
+Chain PREROUTING (policy ACCEPT)
+target     prot opt source               destination
+KUBE-SERVICES  all  --  0.0.0.0/0            0.0.0.0/0            /* kubernetes service portals */
+DOCKER_OUTPUT  all  --  0.0.0.0/0            172.18.0.1
+CNI-HOSTPORT-DNAT  all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
+```
+
+```
+# iptables-save | grep PREROUTING
+-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
+```
+Output Relevance:
+> -A: append new iptable rule
+> -j: jump to the target
+> KUBE-SERVICES: target
+
+> The above output appends a new rule for PREROUTING which every network packet will go through first as they try to access any kubernetes service
+
+
+What is `PREROUTING` in iptables?
+>PREROUTING: This chain is used to make any routing related decisions before (PRE) sending any packets
+
+To dig in further we need to go to the target, `KUBE-SERVICES` for our nginx service.
+```
+# iptables -t nat -L KUBE-SERVICES -n| grep nginx
+KUBE-SVC-2CMXP7HKUVJN7L6M  tcp  --  0.0.0.0/0            10.96.176.241        /* default/nginx cluster IP */ tcp dpt:80
+```
+Command:
+```
+# iptables -t nat -L KUBE-SVC-2CMXP7HKUVJN7L6M -n
+Chain KUBE-SVC-2CMXP7HKUVJN7L6M (2 references)
+target     prot opt source               destination
+KUBE-MARK-MASQ  tcp  -- !10.244.0.0/16        10.96.176.241        /* default/nginx cluster IP */ tcp dpt:80
+KUBE-SEP-4IEO3WJHPKXV3AOH  all  --  0.0.0.0/0            0.0.0.0/0            /* default/nginx -> 10.244.0.5:80 */
+
+# iptables -t nat -L KUBE-MARK-MASQ -n
+Chain KUBE-MARK-MASQ (31 references)
+target     prot opt source               destination
+MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK or 0x4000
+
+# iptables -t nat -L KUBE-SEP-4IEO3WJHPKXV3AOH -n
+Chain KUBE-SEP-4IEO3WJHPKXV3AOH (1 references)
+target     prot opt source               destination
+KUBE-MARK-MASQ  all  --  10.244.0.5           0.0.0.0/0            /* default/nginx */
+DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/nginx */ tcp to:10.244.0.5:80
+```
+
+
+```
+iptables-save | grep 10.96.176.241
+
+-A KUBE-SERVICES -d 10.96.176.241/32 -p tcp -m comment --comment "default/nginx cluster IP" -m tcp --dport 80 -j KUBE-SVC-2CMXP7HKUVJN7L6M
+-A KUBE-SVC-2CMXP7HKUVJN7L6M ! -s 10.244.0.0/16 -d 10.96.176.241/32 -p tcp -m comment --comment "default/nginx cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
+```
+
+As you can see the rules added by `kube-proxy` helps the packet reach to the destination service.
+
+### Minikube KVM VM Example on Linux
+
+#### TL;DR
+Now we look at the curl packet journey on minikube. The `routing table` is looked up to know the destination of the curl packet. The packet then first travels to the virtual bridge `192.168.39.1`, created by minikube kvm2 driver, when we created the minikube cluster, on a linux laptop. Then this packet is forwarded to `192.168.39.57`, within the minikube VM. We have docker containers running in the VM. Among them, the `kube-proxy` container creates iptables rules that make sure the packet goes to the correct pod ip, in this case `172.17.0.4`.
+
+
+To begin with the minikube example, we first need to create a minikube cluster on a linux laptop. In this example I'll be using the `kvm2` driver option for `minikube start` command, as default.
+
+```
+minikube start
+😄  minikube v1.26.0 on Arch "rolling"
+🆕  Kubernetes 1.24.2 is now available. If you would like to upgrade, specify: --kubernetes-version=v1.24.2
+✨  Using the kvm2 driver based on existing profile
+👍  Starting control plane node minikube in cluster minikube
+🏃  Updating the running kvm2 "minikube" VM ...
+🐳  Preparing Kubernetes v1.23.3 on Docker 20.10.12 ...
+    ▪ kubelet.housekeeping-interval=5m
+🔎  Verifying Kubernetes components...
+    ▪ Using image registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1
+    ▪ Using image registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1
+    ▪ Using image registry.k8s.io/ingress-nginx/controller:v1.2.1
+    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
+🔎  Verifying ingress addon...
+🌟  Enabled addons: ingress, storage-provisioner, default-storageclass
+🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default
+```
+**Note**: The KVM driver provides a lot of options on customizing the cluster, however that is currently beyond the scope of this guide.
+
+Next we will get the Node IP.
+```
+$ kubectl get no -o wide                                                                                                                   
+NAME       STATUS   ROLES                  AGE   VERSION   INTERNAL-IP     EXTERNAL-IP   OS-IMAGE              KERNEL-VERSION   CONTAINER-RUNTIME
+minikube   Ready    control-plane,master   25d   v1.23.3   192.168.39.57   <none>        Buildroot 2021.02.4   4.19.202         docker://20.10.12
+```
+Minikube creates a Virtual Machine using the KVM2 driver(Other drivers such as Virtualbox do exist see `minikube start --help` for more information ), you should be able to see this with the following output(You may have to use sudo to get this output)
+
+```
+$ virsh --connect qemu:///system list
+ Id   Name       State
+--------------------------
+ 1    minikube   running
+
+ or
+
+ $ sudo virsh list
+ Id   Name       State
+--------------------------
+ 1    minikube   running
+
+```
+
+Moving on, simply create a nginx deployment using `kubectl`.
+```
+# kubectl create deployment nginx --image nginx:alpine --port=80
+deployment.apps/nginx created
+```
+Then we expose this as a NodePort Service.
+```
+# kubectl expose deployment/nginx --type=NodePort
+service/nginx-new exposed
+```
+Command: Now we can see that the service has been exposed.
+```
+# kubectl get svc -o wide                                                                                                                            main 
+NAME             TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)        AGE   SELECTOR
+kubernetes       ClusterIP   10.96.0.1    <none>        443/TCP        25d   <none>
+nginx-minikube   NodePort    10.97.44.4   <none>        80:32007/TCP   45h   app=nginx-minikube
+```
+Output Relevance: From the above output, we can see that our nginx pod is being exposed as the `NodePort` service type, and now we can curl the Node IP `192.168.39.57` with the exposed port `32007`
+
+Command: The pod has an IP as shown below
+```
+# kubectl get po -o wide
+NAME                              READY   STATUS    RESTARTS      AGE   IP           NODE       NOMINATED NODE   READINESS GATES
+nginx-minikube-7546f79bd8-x88bt   1/1     Running   3 (43m ago)   45h   172.17.0.4   minikube   <none>           <none>
+
+```
+
+Command: We can use `curl` on the laptop to view the nginx container that is running on port `32007`.
+```
+curl  192.168.39.57:32007
+<!DOCTYPE html>
+<html>
+<head>
+<title>Welcome to nginx!</title>
+<style>
+html { color-scheme: light dark; }
+body { width: 35em; margin: 0 auto;
+font-family: Tahoma, Verdana, Arial, sans-serif; }
+</style>
+</head>
+<body>
+<h1>Welcome to nginx!</h1>
+<p>If you see this page, the nginx web server is successfully installed and
+working. Further configuration is required.</p>
+
+<p>For online documentation and support please refer to
+<a href="http://nginx.org/">nginx.org</a>.<br/>
+Commercial support is available at
+<a href="http://nginx.com/">nginx.com</a>.</p>
+
+<p><em>Thank you for using nginx.</em></p>
+</body>
+</html>
+```
+
+So, how does this packet travel, lets dive in.
+We can check the ip interfaces as well subnets for our system is connected to:
+```
+$ ifconfig
+virbr2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
+        inet 192.168.39.1  netmask 255.255.255.0  broadcast 192.168.39.255
+        ether 52:54:00:19:29:93  txqueuelen 1000  (Ethernet)
+        RX packets 5132  bytes 1777099 (1.6 MiB)
+        RX errors 0  dropped 0  overruns 0  frame 0
+        TX packets 6113  bytes 998530 (975.1 KiB)
+        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+
+virbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
+        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
+        ether 52:54:00:48:ee:35  txqueuelen 1000  (Ethernet)
+        RX packets 23648  bytes 1265196 (1.2 MiB)
+        RX errors 0  dropped 0  overruns 0  frame 0
+        TX packets 40751  bytes 60265308 (57.4 MiB)
+        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+```
+Output Relevance: From the above output you can see there are two Virtual Bridges created by minikube when we created the cluster on the network. Here, `virbr0` is the default NAT network bridge while `virbr2` is a isolated network bridge on which the pods run.
+
+Minikube creates a Virtual Machine, to enter the virtual machine we can simply do:
+```
+# minikube ssh
+```
+
+The interfaces within the Virtual Machine are as follows.
+```
+docker0   Link encap:Ethernet  HWaddr 02:42:03:24:26:78
+          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:31478 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:36704 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:0
+          RX bytes:3264056 (3.1 MiB)  TX bytes:14061883 (13.4 MiB)
+
+eth0      Link encap:Ethernet  HWaddr 52:54:00:C9:3A:73
+          inet addr:192.168.39.57  Bcast:192.168.39.255  Mask:255.255.255.0
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:8245 errors:0 dropped:9 overruns:0 frame:0
+          TX packets:3876 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:1000
+          RX bytes:812006 (792.9 KiB)  TX bytes:1044724 (1020.2 KiB)
+
+eth1      Link encap:Ethernet  HWaddr 52:54:00:7B:37:79
+          inet addr:192.168.122.35  Bcast:192.168.122.255  Mask:255.255.255.0
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:4459 errors:0 dropped:9 overruns:0 frame:0
+          TX packets:201 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:1000
+          RX bytes:298528 (291.5 KiB)  TX bytes:25813 (25.2 KiB)
+
+lo        Link encap:Local Loopback
+          inet addr:127.0.0.1  Mask:255.0.0.0
+          UP LOOPBACK RUNNING  MTU:65536  Metric:1
+          RX packets:946772 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:946772 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:1000
+          RX bytes:213465460 (203.5 MiB)  TX bytes:213465460 (203.5 MiB)
+
+vetha4f1dc5 Link encap:Ethernet  HWaddr 3E:1C:FE:C9:75:86
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:0
+          RX bytes:1413 (1.3 KiB)  TX bytes:955 (955.0 B)
+
+vethbf35613 Link encap:Ethernet  HWaddr BA:31:7D:AE:2A:BF
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:3526 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:3934 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:0
+          RX bytes:342408 (334.3 KiB)  TX bytes:380193 (371.2 KiB)
+
+vethe092a51 Link encap:Ethernet  HWaddr 8A:37:D3:D9:D9:0E
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:9603 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:11151 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:0
+          RX bytes:1199235 (1.1 MiB)  TX bytes:5449408 (5.1 MiB)
+```
+Output Relevance: Here we have the Virtual Ethernet and we have docker bridges too since docker runs within the Virtual Machine.
+
+When we do a `curl` to `192.168.39.57:32007` on the laptop the packet first goes to the route table
+```
+Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
+0.0.0.0         192.168.31.1    0.0.0.0         UG        0 0          0 ethbr0
+172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
+172.18.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-2fffe5cd5d9e
+172.19.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-be5b544733a3
+192.168.31.0    0.0.0.0         255.255.255.0   U         0 0          0 ethbr0
+192.168.31.0    0.0.0.0         255.255.255.0   U         0 0          0 ethbr0
+192.168.39.0    0.0.0.0         255.255.255.0   U         0 0          0 virbr2
+192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0
+```
+Output Relevance: As you can see multiple routes are defined here, of which our Virtual Machine Node IP(192.168.39.57) is also shown in the table, so the packet now knows where it has to go.
+
+With that clear we now know how the packet goes from the laptop to the virtual bridge and then enters the Virtual Machine.
+
+Inside the virtual machine, [kube-proxy](https://kubernetes.io/docs/concepts/overview/components/#kube-proxy) handles the routing using iptables.
+
+So what exactly is [kube-proxy](https://kubernetes.io/docs/concepts/overview/components/#kube-proxy)(For those who skipped the kind example):
+> Kube-Proxy is a network proxy that runs on each node in your cluster, implementing part of the Kubernetes Service concept.
+kube-proxy maintains network rules on nodes. These network rules allow network communication to your Pods from network sessions inside or outside of your cluster
+
+So, as we can see that kube proxy handles the network rules required to aid the communication to the pods, we will look at the [iptables](https://linux.die.net/man/8/iptables)
+> `iptables` is a command line interface used to set up and maintain tables for the Netfilter firewall for IPv4, included in the Linux kernel. The firewall matches packets with rules defined in these tables and then takes the specified action on a possible match. Tables is the name for a set of chains
+
+Command:
+
+```
+# minikube ssh                                                                                                                                      
+                         _             _
+            _         _ ( )           ( )
+  ___ ___  (_)  ___  (_)| |/')  _   _ | |_      __
+/' _ ` _ `\| |/' _ `\| || , <  ( ) ( )| '_`\  /'__`\
+| ( ) ( ) || || ( ) || || |\`\ | (_) || |_) )(  ___/
+(_) (_) (_)(_)(_) (_)(_)(_) (_)`\___/'(_,__/'`\____)
+
+$ sudo iptables -t nat -L PREROUTING -n
+Chain PREROUTING (policy ACCEPT)
+target     prot opt source               destination
+KUBE-SERVICES  all  --  0.0.0.0/0            0.0.0.0/0            /* kubernetes service portals */
+DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
+
+$ iptables-save | grep PREROUTING
+-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
+
+```
+
+Output Relevance:
+> -A: append new iptable rule
+> -j: jump to the target
+> KUBE-SERVICES: target
+
+> The above output appends a new rule for PREROUTING which every network packet will go through first as they try to access any kubernetes service
+
+
+What is `PREROUTING` in iptables?
+>PREROUTING: This chain is used to make any routing related decisions before (PRE) sending any packets
+
+To dig in further we need to go to the target, `KUBE-SERVICES` for our nginx service.
+```
+# iptables -t nat -L KUBE-SERVICES -n| grep nginx
+KUBE-SVC-NRDCJV6H42SDXARP  tcp  --  0.0.0.0/0            10.97.44.4           /* default/nginx-minikube cluster IP */ tcp dpt:80
+```
+Command:
+```
+$ sudo iptables -t nat -L| grep KUBE-SVC-NRDCJV6H42SDXARP
+KUBE-SVC-NRDCJV6H42SDXARP  tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/nginx-minikube */ tcp dpt:32007
+KUBE-SVC-NRDCJV6H42SDXARP  tcp  --  0.0.0.0/0            10.97.44.4           /* default/nginx-minikube cluster IP */ tcp dpt:80
+
+$ sudo iptables -t nat -L KUBE-MARK-MASQ -n
+Chain KUBE-MARK-MASQ (19 references)
+target     prot opt source               destination
+MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK or 0x4000
+
+sudo iptables-save | grep 172.17.0.4
+-A KUBE-SEP-AHQQ7ZFXMEBNX76B -s 172.17.0.4/32 -m comment --comment "default/nginx-minikube" -j KUBE-MARK-MASQ
+-A KUBE-SEP-AHQQ7ZFXMEBNX76B -p tcp -m comment --comment "default/nginx-minikube" -m tcp -j DNAT --to-destination 172.17.0.4:80
+```
+As you can see the rules added by kube-proxy helps the packet reach to the destination service.
+
+
+### Connection termination
+Connection termination is a type of event that occurs when there are load balancers present, the information for this is quite scarce, however I've found the following article, [IBM - Network Termination](https://www.ibm.com/docs/en/sva/9.0.4?topic=balancer-network-termination) that describes what it means by connection termination between clients(laptop) and server(load balancer) and the various other services.
+
+### Different types of connection errors.
+The following article on [TCP/IP errors](https://www.ibm.com/docs/en/db2/11.1?topic=message-tcpip-errors) has a list of the important tcp timeout errors that we need to know.
+
+
+| Common TCP/IP errors | Meaning |
+| -------- | -------- |
+| Resource temporarily unavailable.| Self-explanatory.     |
+| No space is left on a device or system table.|The disk partition is full|
+|No route to the host is available.|The routing table doesn't know where to route the packet.|
+|Connection was reset by the partner.|This usually means the packet was dropped as soon as it reached the server can be due to a firewall.|
+|The connection was timed out.|This indicates the firewall blocking your connection or the connection took too long.|
+
+## OSI Model Layer 7 (Application Layer)
+
+[What is layer 7?](https://www.cloudflare.com/learning/ddos/what-is-layer-7/)
+#### Summary
+Layer 7 refers to the seventh and topmost layer of the Open Systems Interconnect (OSI) Model known as the application layer. This is the highest layer which supports end-user processes and applications. Layer 7 identifies the communicating parties and the quality of service between them, considers privacy and user authentication, as well as identifies any constraints on the data syntax. This layer is wholly application-specific.
+
+
+## Setting up Ingress-Nginx Controller
+
+Since we are doing this on our local laptop, we are going to use the following tools:
+- [Minikube using KVM driver](https://minikube.sigs.k8s.io/docs/start/) - The host is linux-based in our example
+- [Metallb](https://metallb.universe.tf/) - Baremetal load-balancer.
+- [KVM](https://www.linux-kvm.org/page/Main_Page) / [Oracle VirtualBox](https://www.virtualbox.org/wiki/Downloads) / [VMWare](https://www.vmware.com/in/products/workstation-pro.html)
+
+
+### So let's begin with Metallb and Ingress-Nginx setup.
+
+For setting up metallb, we are going to follow the below steps:
+
+ - To begin the installation, we will execute:
+```
+minikube start
+```
+- To install Metallb, one can install it using the [manifest](https://metallb.universe.tf/installation/#installation-by-manifest) or by using [helm](https://metallb.universe.tf/installation/#installation-with-helm), for now we will use the Manifest method:
+```
+kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.4/config/manifests/metallb-native.yaml
+```
+
+- We need to now configure Metallb, we are using [Layer 2 configuration](https://metallb.universe.tf/configuration/#announce-the-service-ips), let's head over to the [Metallb Configuration](https://metallb.universe.tf/configuration/) website, here you will see how to setup metallb.
+>Layer 2 mode does not require the IPs to be bound to the network interfaces of your worker nodes. It works by responding to ARP requests on your local network directly, to give the machine’s MAC address to clients.
+In order to advertise the IP coming from an IPAddressPool, an L2Advertisement instance must be associated to the IPAddressPool.
+-  We have modified the IP address pool so that our loadbalancer knows which subnet to choose an IP from.Since we have only one minikube IP we need to modify the code given in the documentation.
+Save this as `metallb-config.yaml`:
+```
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: first-pool
+  namespace: metallb-system
+spec:
+  addresses:
+  # The configuration website show's you this
+
+  #- 192.168.10.0/24
+  #- 192.168.9.1-192.168.9.5
+  #- fc00:f853:0ccd:e799::/124
+
+  # We are going to change this to `minikube ip` as such
+  - 192.168.39.57/32
+```
+Now deploy it using `kubectl`
+```
+kubectl apply -f metallb-config.yaml
+```
+- Now that metallb is setup, let's install [ingress-nginx](https://kubernetes.github.io/ingress-nginx/deploy/#quick-start) on the laptop.
+Note: We are using the install by manifest option from the Installation manual
+```
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.0/deploy/static/provider/cloud/deploy.yaml
+```
+or one can also install it using the minikube addons:
+```
+minikube addons enable ingress
+```
+ - Once your Ingress-Nginx controller is created you can run the following commands to see the output of the setup done.
+```
+kubectl get pods -n ingress-nginx
+NAME                                        READY   STATUS      RESTARTS   AGE
+ingress-nginx-admission-create-65bld        0/1     Completed   0          14m
+ingress-nginx-admission-patch-rwq4x         0/1     Completed   0          14m
+ingress-nginx-controller-6dc865cd86-7c5zd   1/1     Running     0          14m
+```
+The Ingress controller creates a Service with the type LoadBalancer and metallb provides the IP address.
+
+```
+kubectl -n ingress-nginx get svc
+
+NAME                                 TYPE           CLUSTER-IP      EXTERNAL-IP      PORT(S)                      AGE
+ingress-nginx-controller             LoadBalancer   10.108.154.53   192.168.39.223   80:30367/TCP,443:31491/TCP   4d15h
+ingress-nginx-controller-admission   ClusterIP      10.98.54.3      <none>           443/TCP                      4d15h
+```
+
+#### Creating an Ingress
+
+We will deploy a `httpd` service in a `httpd` namespace and create a ingress for it.
+
+First, let's create a namespace.
+```
+kubectl create namespace httpd
+```
+
+Next we will create a deployment
+```
+kubectl create deployment httpd -n httpd --image=httpd:alpine
+```
+
+Now, In order to create a service, let's expose this deployment
+```
+kubectl expose deployment -n httpd httpd --port 80
+```
+Let's check the `pod` that is created
+
+```
+kubectl get po -n httpd
+NAME                    READY   STATUS    RESTARTS   AGE
+httpd-fb7fcdc77-w287c   1/1     Running   0          64s
+```
+
+Let's list the services in the `httpd` namespace
+```
+kubectl get svc -n httpd
+NAME    TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
+httpd   ClusterIP   10.104.111.0   <none>        80/TCP    13s
+```
+
+Once we have this we can now create an ingress using the following
+```
+kubectl -n httpd create ingress httpd --class nginx --rule httpd.dev.leonnunes.com/"*"=httpd:80
+```
+The above output, creates an ingress, for us with the rule to match the service if the host is `httpd.dev.leonnunes.com`. The class here is retrieved from the below command.
+
+To list the `ingressclasses` use
+```
+kubectl get ingressclasses
+NAME    CONTROLLER             PARAMETERS   AGE
+nginx   k8s.io/ingress-nginx   <none>       6h49m
+```
+
+The following command shows the ingress created
+```
+$ kubectl get ingress -A -o wide
+
+NAMESPACE   NAME    CLASS   HOSTS                     ADDRESS          PORTS   AGE
+httpd       httpd   nginx   httpd.dev.leonnunes.com   192.168.39.223   80      11d
+```
+
+To test if the rule works we can now do
+```
+$ minikube ip
+192.168.39.223
+
+$ curl --resolve httpd.dev.leonnunes.com:80:192.168.39.223 httpd.dev.leonnunes.com
+<html><body><h1>It works!</h1></body></html>
+
+or
+
+curl -H "Host: httpd.dev.leonnunes.com" 192.168.39.223
+```
+
+#### Example of Information found on layer 7
+We have setup `Ingress-Nginx`, using `nginx` as a class and `httpd` for this example.
+
+In order to display the info on Layer - 7, we have extracted the Layer 7 information from a simple `curl` request, and then using `tcpdump` command within the `httpd` pod we extracted the network packets and opened it using the `Wireshark` utility.
+
+Below given is the output that is important:
+```bash
+Frame 4: 391 bytes on wire (3128 bits), 391 bytes captured (3128 bits)
+Linux cooked capture v2
+Internet Protocol Version 4, Src: 172.17.0.4, Dst: 172.17.0.3
+Transmission Control Protocol, Src Port: 49074, Dst Port: 80, Seq: 1, Ack: 1, Len: 319
+Hypertext Transfer Protocol
+    GET / HTTP/1.1\r\n
+    Host: httpd.dev.leonnunes.com\r\n
+    X-Request-ID: 6e1a790412a0d1615dc0231358dc9c8b\r\n
+    X-Real-IP: 172.17.0.1\r\n
+    X-Forwarded-For: 172.17.0.1\r\n
+    X-Forwarded-Host: httpd.dev.leonnunes.com\r\n
+    X-Forwarded-Port: 80\r\n
+    X-Forwarded-Proto: http\r\n
+    X-Forwarded-Scheme: http\r\n
+    X-Scheme: http\r\n
+    User-Agent: curl/7.84.0\r\n
+    Accept: */*\r\n
+    \r\n
+    [Full request URI: http://httpd.dev.leonnunes.com/]
+    [HTTP request 1/1]
+    [Response in frame: 6]
+
+```
+The above output shows the information that the `httpd` pod receives. The `curl` command sends the host header, `Host: httpd.dev.leonnunes.com`, to the nginx controller, that then matches the rule and sends the information to the right controller
+
+The following output shows what is sent via the laptop.
+```
+curl --resolve httpd.dev.leonnunes.com:80:192.168.39.57 -H "Host: httpd.dev.leonnunes.com" 192.168.39.57 -vL
+* Added httpd.dev.leonnunes.com:80:192.168.39.57 to DNS cache
+*   Trying 192.168.39.57:80...
+* Connected to 192.168.39.57 (192.168.39.57) port 80 (#0)
+> GET / HTTP/1.1
+> Host: httpd.dev.leonnunes.com
+> User-Agent: curl/7.84.0
+> Accept: */*
+>
+* Mark bundle as not supporting multiuse
+< HTTP/1.1 200 OK
+< Date: Mon, 22 Aug 2022 16:05:27 GMT
+< Content-Type: text/html
+< Content-Length: 45
+< Connection: keep-alive
+< Last-Modified: Mon, 11 Jun 2007 18:53:14 GMT
+< ETag: "2d-432a5e4a73a80"
+< Accept-Ranges: bytes
+<
+<html><body><h1>It works!</h1></body></html>
+* Connection #0 to host 192.168.39.57 left intact
+```
+As you can see from the above output there are several headers added to the curl output after it reaches the `httpd` pod, these headers are added by the Ingress Nginx Controller.
+
+
+### References
+#### Basics of Networking
+   - https://www.cisco.com/en/US/docs/security/vpn5000/manager/reference/guide/appA.html
+   - http://web.stanford.edu/class/cs101/
+   - https://www.geeksforgeeks.org/basics-computer-networking/
+   - Subnetting
+     - https://www.computernetworkingnotes.com/ccna-study-guide/subnetting-tutorial-subnetting-explained-with-examples.html
+
+#### Video Links
+   - https://www.youtube.com/playlist?list=PLhfrWIlLOoKPc2RecyiM_A9nf3fUU3e6g
+   - https://www.youtube.com/watch?v=S7MNX_UD7vY&list=PLIhvC56v63IJVXv0GJcl9vO5Z6znCVb1P
+
+### Topics to read about
+   - Docker in Docker
+   - [Docker/Containers](https://www.oreilly.com/library/view/docker-deep-dive/9781800565135/)
+   - Containers
+
+### Basics of Kubernetes
+#### Reading Material
+- https://nubenetes.com/kubernetes-tutorials/
+- https://kubernetes.io/docs/concepts/
+#### Video Material
+- [Techworld with Nana 101](https://www.youtube.com/playlist?list=PLy7NrYWoggjziYQIDorlXjTvvwweTYoNC)
+- [Jeff Geerling Kubernetes 101](https://www.youtube.com/watch?v=IcslsH7OoYo&list=PL2_OBreMn7FoYmfx27iSwocotjiikS5BD)
+
+#### Hands-On Kubernetes
+- https://kube.academy/
+- https://www.civo.com/academy
+
+### Networking in Kubernetes
+- [Kubernetes Networking 101](https://youtu.be/CYnwBIpvSlM?t=284)
+- [CNCF Kubernetes 101](https://www.youtube.com/watch?v=cUGXu2tiZMc)
+
+### Tools/Commands to help with troubleshooting.
+- [mtr](https://www.redhat.com/sysadmin/linux-mtr-command) - Tracing the packet from the source to destination
+- [tcpdump](https://linuxconfig.org/how-to-use-tcpdump-command-on-linux) - Monitor packets
+- [wireshark](https://www.lifewire.com/wireshark-tutorial-4143298) - Read/Sniff packets
+- [nslookup](https://phoenixnap.com/kb/nslookup-command) - Lookup Nameservers
+- [netstat](https://www.lifewire.com/netstat-command-2618098) - List network details
+- [curl](https://linuxhandbook.com/curl-command-examples/) - Curl a website from the command line
+- [ifconfig](https://www.tecmint.com/ifconfig-command-examples/)/[ip](https://www.geeksforgeeks.org/ip-command-in-linux-with-examples/) - Show ip address configuration
+- [dig](https://www.geeksforgeeks.org/dig-command-in-linux-with-examples/) - Query Nameservers
+- [ipcalc](https://www.linux.com/topic/networking/how-calculate-network-addresses-ipcalc/) - Calculate IP addresses
+- Advanced Tools for troubleshooting
+    - [Netshoot](https://github.com/nicolaka/netshoot) - Troubleshoot Networks
+- Cluster Creation tools
+    - [kind](https://kind.sigs.k8s.io/docs/user/quick-start/)
+    - [minikube](https://minikube.sigs.k8s.io/docs/start/)
+- MacOS users
+	- [docker-mac-net-connect](https://github.com/chipmk/docker-mac-net-connect) - See this [issue](https://github.com/kubernetes/minikube/issues/7332)
--- a/NEW_RELEASE_PROCESS.md
+++ b/NEW_RELEASE_PROCESS.md
@ -0,0 +1,9 @@
+# Semi-Automated Release Process 
+
+1. Update TAG
+2. Cloud Build 
+3. k8s.io PR 
+4. git pull origin main 
+5. git checkout -b $RELEASE_VERSION 
+6. mage release:newrelease $RELEASE_VERSION 
+7. Wait for PR
--- a/1
+++ b/1
@ -0,0 +1 @@
+registry.k8s.io/ingress-nginx/nginx:v2.0.0@sha256:3e7bda4cf5111d283ed1e4ff5cc9a2b5cdc5ebe62d50ba67473d3e25b1389133
--- a/7
+++ b/7
@ -1,4 +1,4 @@
-# See the OWNERS docs: https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md
+# See the OWNERS docs: https://www.kubernetes.dev/docs/guide/owners

 approvers:
 - ingress-nginx-maintainers
@ -7,4 +7,7 @@ reviewers:
 - ingress-nginx-reviewers

 emeritus_approvers:
- aledbf  # 2020-04-02
+- aledbf # 2020-04-02
+- bowei # 2022-10-12
+- ElvinEfendi # 2023-04-23
+- rikatz # 2024-12-15
--- a/34
+++ b/34
@ -1,39 +1,17 @@
-# See the OWNERS docs: https://git.k8s.io/community/docs/devel/owners.md
+# See the OWNERS docs: https://www.kubernetes.dev/docs/guide/owners

 aliases:
-  sig-network-leads:
-  - caseydavenport
-  - dcbw
-  - thockin
-
-  ingress-nginx-admins:
-  - bowei
-  - rikatz
-  - strongjz
-
  ingress-nginx-maintainers:
-  - ElvinEfendi
-  - rikatz
+  - cpanato
+  - Gacko
  - strongjz
+  - tao12345666333

  ingress-nginx-reviewers:
-  - ElvinEfendi
-  - rikatz
+  - cpanato
+  - Gacko
  - strongjz
  - tao12345666333

-  ingress-nginx-helm-maintainers:
-  - ChiefAlexander
-  - cpanato
-
-  ingress-nginx-helm-reviewers:
-  - ChiefAlexander
-  - cpanato
-
  ingress-nginx-docs-maintainers:
-  - IamNoah1
  - longwuyuan
-  - tao12345666333
-
-  ingress-nginx-kube-webhook-certgen-reviewers:
-  - invidian
--- a/README.md
+++ b/README.md
@ -5,72 +5,89 @@
 [![GitHub license](https://img.shields.io/github/license/kubernetes/ingress-nginx.svg)](https://github.com/kubernetes/ingress-nginx/blob/main/LICENSE)
 [![GitHub stars](https://img.shields.io/github/stars/kubernetes/ingress-nginx.svg)](https://github.com/kubernetes/ingress-nginx/stargazers)
 [![GitHub stars](https://img.shields.io/badge/contributions-welcome-orange.svg)](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md)
-[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fkubernetes%2Fingress-nginx.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Fkubernetes%2Fingress-nginx?ref=badge_shield)

 ## Overview

-ingress-nginx is an Ingress controller for Kubernetes using [NGINX](https://www.nginx.org/) as a reverse proxy and load balancer.
+ingress-nginx is an Ingress controller for Kubernetes using [NGINX](https://www.nginx.org/) as a reverse proxy and load
+balancer.

-[Learn more about Ingress on the main Kubernetes documentation site](https://kubernetes.io/docs/concepts/services-networking/ingress/).
+[Learn more about Ingress on the Kubernetes documentation site](https://kubernetes.io/docs/concepts/services-networking/ingress/).

 ## Get started

 See the [Getting Started](https://kubernetes.github.io/ingress-nginx/deploy/) document.

+Do not use in multi-tenant Kubernetes production installations. This project assumes that users that can create Ingress objects are administrators of the cluster. See the [FAQ](https://kubernetes.github.io/ingress-nginx/faq/#faq) for more.
+
 ## Troubleshooting

-If you encounter issues, review the [troubleshooting docs](docs/troubleshooting.md), [file an issue](https://github.com/kubernetes/ingress-nginx/issues), or talk to us on the [#ingress-nginx channel](https://kubernetes.slack.com/messages/ingress-nginx) on the Kubernetes Slack server.
+If you encounter issues, review the [troubleshooting docs](docs/troubleshooting.md),
+[file an issue](https://github.com/kubernetes/ingress-nginx/issues), or talk to us on the
+[#ingress-nginx channel](https://kubernetes.slack.com/messages/ingress-nginx) on the Kubernetes Slack server.

 ## Changelog

-See [the list of releases](https://github.com/kubernetes/ingress-nginx/releases) to find out about feature changes.
-For detailed changes for each release; please check the [Changelog.md](Changelog.md) file.
-For detailed changes on the `ingress-nginx` helm chart, please check the following [CHANGELOG.md](charts/ingress-nginx/CHANGELOG.md) file.
+See [the list of releases](https://github.com/kubernetes/ingress-nginx/releases) for all changes.
+For detailed changes for each release, please check the [changelog-$version.md](./changelog) file for the release version.
+For detailed changes on the `ingress-nginx` helm chart, please check the changelog folder for a specific version.
+[CHANGELOG-$current-version.md](./charts/ingress-nginx/changelog) file.

-### Support Versions table 
+### Supported Versions table

-| Ingress-NGINX version | k8s supported version        | Alpine Version | Nginx Version |
-|-----------------------|------------------------------|----------------|---------------|
-| v1.1.3                | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.4         | 1.19.10†      |
-| v1.1.2                | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2         | 1.19.9†       |
-| v1.1.1                | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2         | 1.19.9†       |
-| v1.1.0                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         | 1.19.9†       |
-| v1.0.5                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         | 1.19.9†       |
-| v1.0.4                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         | 1.19.9†       |
-| v1.0.3                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         | 1.19.9†       |
-| v1.0.2                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         | 1.19.9†       |
-| v1.0.1                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         | 1.19.9†       |
-| v1.0.0                | 1.22, 1.21, 1.20, 1.19       | 3.13.5         | 1.20.1        |
-| v0.50.0               | 1.21, 1.20, 1.19             | 3.14.2         | 1.19.9†       |
-| v0.49.3               | 1.21, 1.20, 1.19             | 3.14.2         | 1.19.9†       |
-| v0.49.2               | 1.21, 1.20, 1.19             | 3.14.2         | 1.19.9†       |
-| v0.49.1               | 1.21, 1.20, 1.19             | 3.14.2         | 1.19.9†       |
-| v0.49.0               | 1.21, 1.20, 1.19             | 3.13.5         | 1.20.1        |
-| v0.48.1               | 1.21, 1.20, 1.19             | 3.13.5         | 1.20.1        |
+Supported versions for the ingress-nginx project mean that we have completed E2E tests, and they are passing for
+the versions listed. Ingress-Nginx versions **may** work on older versions, but the project does not make that guarantee.

-† _This build is [patched against CVE-2021-23017](https://github.com/openresty/openresty/commit/4b5ec7edd78616f544abc194308e0cf4b788725b#diff-42ef841dc27fe0b5aa2d06bd31308bb63a59cdcddcbcddd917248349d22020a3)._
+| Supported | Ingress-NGINX version | k8s supported version         | Alpine Version | Nginx Version | Helm Chart Version |
+| :-------: | --------------------- | ----------------------------- | -------------- | ------------- | ------------------ |
+|    🔄     | **v1.12.0**           | 1.32, 1.31, 1.30, 1.29, 1.28  | 3.21.0         | 1.25.5        | 4.12.0             |
+|    🔄     | **v1.12.0-beta.0**    | 1.32, 1.31, 1.30, 1.29, 1.28  | 3.20.3         | 1.25.5        | 4.12.0-beta.0      |
+|    🔄     | **v1.11.4**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.21.0         | 1.25.5        | 4.11.4             |
+|    🔄     | **v1.11.3**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.3         | 1.25.5        | 4.11.3             |
+|    🔄     | **v1.11.2**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.11.2             |
+|    🔄     | **v1.11.1**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.11.1             |
+|    🔄     | **v1.11.0**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.11.0             |
+|           | **v1.10.6**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.21.0         | 1.25.5        | 4.10.6             |
+|           | **v1.10.5**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.3         | 1.25.5        | 4.10.5             |
+|           | **v1.10.4**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.10.4             |
+|           | **v1.10.3**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.10.3             |
+|           | **v1.10.2**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.10.2             |
+|           | **v1.10.1**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.19.1         | 1.25.3        | 4.10.1             |
+|           | **v1.10.0**           | 1.29, 1.28, 1.27, 1.26        | 3.19.1         | 1.25.3        | 4.10.0             |
+|           | v1.9.6                | 1.29, 1.28, 1.27, 1.26, 1.25  | 3.19.0         | 1.21.6        | 4.9.1              |
+|           | v1.9.5                | 1.28, 1.27, 1.26, 1.25        | 3.18.4         | 1.21.6        | 4.9.0              |
+|           | v1.9.4                | 1.28, 1.27, 1.26, 1.25        | 3.18.4         | 1.21.6        | 4.8.3              |
+|           | v1.9.3                | 1.28, 1.27, 1.26, 1.25        | 3.18.4         | 1.21.6        | 4.8.*              |
+|           | v1.9.1                | 1.28, 1.27, 1.26, 1.25        | 3.18.4         | 1.21.6        | 4.8.*              |
+|           | v1.9.0                | 1.28, 1.27, 1.26, 1.25        | 3.18.2         | 1.21.6        | 4.8.*              |
+|           | v1.8.4                | 1.27, 1.26, 1.25, 1.24        | 3.18.2         | 1.21.6        | 4.7.*              |
+|           | v1.7.1                | 1.27, 1.26, 1.25, 1.24        | 3.17.2         | 1.21.6        | 4.6.*              |
+|           | v1.6.4                | 1.26, 1.25, 1.24, 1.23        | 3.17.0         | 1.21.6        | 4.5.*              |
+|           | v1.5.1                | 1.25, 1.24, 1.23              | 3.16.2         | 1.21.6        | 4.4.*              |
+|           | v1.4.0                | 1.25, 1.24, 1.23, 1.22        | 3.16.2         | 1.19.10†      | 4.3.0              |
+|           | v1.3.1                | 1.24, 1.23, 1.22, 1.21, 1.20  | 3.16.2         | 1.19.10†      | 4.2.5              |

-See [this article](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) if you want upgrade to the stable Ingress API. 
+See [this article](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) if you want upgrade to the stable
+Ingress API.

 ## Get Involved

 Thanks for taking the time to join our community and start contributing!

- This project adheres to the [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md). By participating in this project, you agree to abide by its terms.
-
- **Contributing**: Contributions of all kind are welcome!
-  
-  - Read [`CONTRIBUTING.md`](CONTRIBUTING.md) for information about setting up your environment, the workflow that we expect, and instructions on the developer certificate of origin that we require.
+- This project adheres to the [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md).
+  By participating in this project, you agree to abide by its terms.
+- **Contributing**: Contributions of all kinds are welcome!

+  - Read [`CONTRIBUTING.md`](CONTRIBUTING.md) for information about setting up your environment, the workflow that we
+    expect, and instructions on the developer certificate of origin that we require.
  - Join our Kubernetes Slack channel for developer discussion : [#ingress-nginx-dev](https://kubernetes.slack.com/archives/C021E147ZA4).
-  
-  - Submit github issues for any feature enhancements, bugs or documentation problems. Please make sure to read the [Issue Reporting Checklist](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md#issue-reporting-guidelines) before opening an issue. Issues not conforming to the guidelines **may be closed immediately**.
+  - Submit GitHub issues for any feature enhancements, bugs, or documentation problems.
+    - Please make sure to read the [Issue Reporting Checklist](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md#issue-reporting-guidelines) before opening an issue. Issues not conforming to the guidelines **may be closed immediately**.
+  - Join our [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernetes.io/g/ingress-nginx-dev/c/ebbBMo-zX-w)
+- **Support**:

- **Support**: Join the the [#ingress-nginx-users](https://kubernetes.slack.com/messages/CANQGM8BA/) channel inside the [Kubernetes Slack](http://slack.kubernetes.io/) to ask questions or get support from the maintainers and other users.
-  
-  - The [github issues](https://github.com/kubernetes/ingress-nginx/issues) in the repository are **exclusively** for bug reports and feature requests.
-
- **Discuss**: Tweet using the `#IngressNginx` hashtag.
+  - Join the [#ingress-nginx-users](https://kubernetes.slack.com/messages/CANQGM8BA/) channel inside the [Kubernetes Slack](http://slack.kubernetes.io/) to ask questions or get support from the maintainers and other users.
+  - The [GitHub issues](https://github.com/kubernetes/ingress-nginx/issues) in the repository are **exclusively** for bug reports and feature requests.
+  - **Discuss**: Tweet using the `#IngressNginx` hashtag or sharing with us [@IngressNginx](https://twitter.com/IngressNGINX).

 ## License

--- a/3
+++ b/3
@ -9,6 +9,5 @@
 #
 # DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
 # INSTRUCTIONS AT https://kubernetes.io/security/
-bowei
-rikatz
+Gacko
 strongjz
--- a/1
+++ b/1
@ -1 +0,0 @@
-v1.2.0-beta.0
--- a/build/build-plugin.sh
+++ b/build/build-plugin.sh
@ -1,84 +0,0 @@
-#!/bin/bash
-
-# Copyright 2018 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-if [ -n "$DEBUG" ]; then
-	set -x
-fi
-
-set -o errexit
-set -o nounset
-set -o pipefail
-
-declare -a mandatory
-mandatory=(
-  PKG
-  ARCH
-  COMMIT_SHA
-  REPO_INFO
-  TAG
-)
-
-missing=false
-for var in "${mandatory[@]}"; do
-  if [[ -z "${!var:-}" ]]; then
-    echo "Environment variable $var must be set"
-    missing=true
-  fi
-done
-
-if [ "$missing" = true ]; then
-  exit 1
-fi
-
-export CGO_ENABLED=0
-
-release=cmd/plugin/release
-
-function build_for_arch(){
-  os=$1
-  arch=$2
-  extension=$3
-
-  echo "> building targets for ${os}-${arch}"
-
-  env GOOS="${os}" GOARCH="${arch}" go build \
-    ${GOBUILD_FLAGS} \
-    -trimpath -ldflags="-buildid= -w -s \
-      -X ${PKG}/version.RELEASE=${TAG} \
-      -X ${PKG}/version.COMMIT=${COMMIT_SHA} \
-      -X ${PKG}/version.REPO=${REPO_INFO}" \
-    -o "${release}/kubectl-ingress_nginx${extension}" "${PKG}/cmd/plugin"
-
-    cp LICENSE ${release}
-    tar -C "${release}" -zcvf "${release}/kubectl-ingress_nginx-${os}-${arch}.tar.gz" "kubectl-ingress_nginx${extension}" LICENSE
-    rm "${release}/kubectl-ingress_nginx${extension}"
-    hash=$(sha256sum "${release}/kubectl-ingress_nginx-${os}-${arch}.tar.gz" | awk '{ print $1 }')
-    sed -i "s/%%%shasum_${os}_${arch}%%%/${hash}/g" "${release}/ingress-nginx.yaml"
-}
-
-rm -rf "${release}"
-mkdir "${release}"
-
-cp cmd/plugin/ingress-nginx.yaml.tmpl "${release}/ingress-nginx.yaml"
-
-sed -i "s/%%%tag%%%/${TAG}/g" ${release}/ingress-nginx.yaml
-
-echo "Generated targets in ${release} directory."
-
-build_for_arch darwin amd64 ''
-build_for_arch darwin arm64 ''
-build_for_arch linux amd64 ''
-build_for_arch windows amd64 '.exe'
--- a/build/build.sh
+++ b/build/build.sh
@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh

 # Copyright 2018 The Kubernetes Authors.
 #
@ -14,59 +14,56 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-if [ -n "$DEBUG" ]; then
-	set -x
-fi
+GO_BUILD_CMD="go build"
+
+#if [ -n "$DEBUG" ]; then
+#	set -x
+#	GO_BUILD_CMD="go build -v"
+#fi

 set -o errexit
 set -o nounset
 set -o pipefail

-declare -a mandatory
-mandatory=(
-  PKG
-  ARCH
-  COMMIT_SHA
-  REPO_INFO
-  TAG
-)

-missing=false
-for var in "${mandatory[@]}"; do
-  if [[ -z "${!var:-}" ]]; then
-    echo "Environment variable $var must be set"
-    missing=true
-  fi
-done
-
-if [ "$missing" = true ]; then
-  exit 1
+if [ -z "$PKG" ] || [ -z "$ARCH" ] || [ -z "$COMMIT_SHA" ] || [ -z "$REPO_INFO" ] || [ -z "$TAG" ]; then
+  echo "Environments PKG, ARCH, COMMIT_SHA, REPO_INFO and TAG are required"
+  exit 1 
 fi

+
 export CGO_ENABLED=0
-export GOARCH=${ARCH}
+export GOARCH="${ARCH}"

 TARGETS_DIR="rootfs/bin/${ARCH}"
 echo "Building targets for ${ARCH}, generated targets in ${TARGETS_DIR} directory."

-go build \
+echo "Building ${PKG}/cmd/nginx"
+
+${GO_BUILD_CMD} \
  -trimpath -ldflags="-buildid= -w -s \
-    -X ${PKG}/version.RELEASE=${TAG} \
-    -X ${PKG}/version.COMMIT=${COMMIT_SHA} \
-    -X ${PKG}/version.REPO=${REPO_INFO}" \
+  -X ${PKG}/version.RELEASE=${TAG} \
+  -X ${PKG}/version.COMMIT=${COMMIT_SHA} \
+  -X ${PKG}/version.REPO=${REPO_INFO}" \
+  -buildvcs=false \
  -o "${TARGETS_DIR}/nginx-ingress-controller" "${PKG}/cmd/nginx"

-go build \
+echo "Building ${PKG}/cmd/dbg"
+
+${GO_BUILD_CMD} \
  -trimpath -ldflags="-buildid= -w -s \
-    -X ${PKG}/version.RELEASE=${TAG} \
-    -X ${PKG}/version.COMMIT=${COMMIT_SHA} \
-    -X ${PKG}/version.REPO=${REPO_INFO}" \
+  -X ${PKG}/version.RELEASE=${TAG} \
+  -X ${PKG}/version.COMMIT=${COMMIT_SHA} \
+  -X ${PKG}/version.REPO=${REPO_INFO}" \
+  -buildvcs=false \
  -o "${TARGETS_DIR}/dbg" "${PKG}/cmd/dbg"

-go build \
-  -trimpath -ldflags="-buildid= -w -s \
-    -X ${PKG}/version.RELEASE=${TAG} \
-    -X ${PKG}/version.COMMIT=${COMMIT_SHA} \
-    -X ${PKG}/version.REPO=${REPO_INFO}" \
-  -o "${TARGETS_DIR}/wait-shutdown" "${PKG}/cmd/waitshutdown"
+echo "Building ${PKG}/cmd/waitshutdown"

+${GO_BUILD_CMD} \
+  -trimpath -ldflags="-buildid= -w -s \
+  -X ${PKG}/version.RELEASE=${TAG} \
+  -X ${PKG}/version.COMMIT=${COMMIT_SHA} \
+  -X ${PKG}/version.REPO=${REPO_INFO}" \
+  -buildvcs=false \
+  -o "${TARGETS_DIR}/wait-shutdown" "${PKG}/cmd/waitshutdown"
--- a/build/dev-env.sh
+++ b/build/dev-env.sh
@ -36,7 +36,7 @@ if ! command -v kind &> /dev/null; then
 fi

 if ! command -v kubectl &> /dev/null; then
-  echo "Please install kubectl 1.15 or higher"
+  echo "Please install kubectl 1.24.0 or higher"
  exit 1
 fi

@ -45,15 +45,18 @@ if ! command -v helm &> /dev/null; then
  exit 1
 fi

-HELM_VERSION=$(helm version 2>&1 | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+') || true
-if [[ ${HELM_VERSION} < "v3.0.0" ]]; then
-  echo "Please upgrade helm to v3.0.0 or higher"
+function ver { printf "%d%03d%03d" $(echo "$1" | tr '.' ' '); }
+
+HELM_VERSION=$(helm version 2>&1 | cut -f1 -d"," | grep -oE '[0-9]+\.[0-9]+\.[0-9]+') || true
+echo $HELM_VERSION
+if [[ $(ver $HELM_VERSION) -lt $(ver "3.10.0") ]]; then
+  echo "Please upgrade helm to v3.10.0 or higher"
  exit 1
 fi

-KUBE_CLIENT_VERSION=$(kubectl version --client --short | awk '{print $3}' | cut -d. -f2) || true
-if [[ ${KUBE_CLIENT_VERSION} -lt 14 ]]; then
-  echo "Please update kubectl to 1.15 or higher"
+KUBE_CLIENT_VERSION=$(kubectl version --client -oyaml 2>/dev/null | grep "minor:" | awk '{print $2}' | tr -d '"') || true
+if [[ ${KUBE_CLIENT_VERSION} -lt 24 ]]; then
+  echo "Please update kubectl to 1.24.2 or higher"
  exit 1
 fi

@ -61,32 +64,13 @@ echo "[dev-env] building image"
 make build image
 docker tag "${REGISTRY}/controller:${TAG}" "${DEV_IMAGE}"

-export K8S_VERSION=${K8S_VERSION:-v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6}
+export K8S_VERSION=${K8S_VERSION:-v1.32.0@sha256:c48c62eac5da28cdadcf560d1d8616cfa6783b58f0d94cf63ad1bf49600cb027}

 KIND_CLUSTER_NAME="ingress-nginx-dev"

 if ! kind get clusters -q | grep -q ${KIND_CLUSTER_NAME}; then
-echo "[dev-env] creating Kubernetes cluster with kind"
-cat <<EOF | kind create cluster --name ${KIND_CLUSTER_NAME} --image "kindest/node:${K8S_VERSION}" --config=-
-kind: Cluster
-apiVersion: kind.x-k8s.io/v1alpha4
-nodes:
- role: control-plane
-  kubeadmConfigPatches:
-  - |
-    kind: InitConfiguration
-    nodeRegistration:
-      kubeletExtraArgs:
-        node-labels: "ingress-ready=true"
-        authorization-mode: "AlwaysAllow"
-  extraPortMappings:
-  - containerPort: 80
-    hostPort: 80
-    protocol: TCP
-  - containerPort: 443
-    hostPort: 443
-    protocol: TCP
-EOF
+  echo "[dev-env] creating Kubernetes cluster with kind"
+  kind create cluster --name ${KIND_CLUSTER_NAME} --image "kindest/node:${K8S_VERSION}" --config ${DIR}/kind.yaml
 else
  echo "[dev-env] using existing Kubernetes kind cluster"
 fi
--- a/build/kind.yaml
+++ b/build/kind.yaml
@ -0,0 +1,18 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+  - role: control-plane
+    kubeadmConfigPatches:
+      - |
+        kind: InitConfiguration
+        nodeRegistration:
+          kubeletExtraArgs:
+            node-labels: "ingress-ready=true"
+            authorization-mode: "AlwaysAllow"
+    extraPortMappings:
+      - containerPort: 80
+        hostPort: 80
+        protocol: TCP
+      - containerPort: 443
+        hostPort: 443
+        protocol: TCP
--- a/build/run-in-docker.sh
+++ b/build/run-in-docker.sh
@ -14,30 +14,39 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-if [ -n "$DEBUG" ]; then
+DEBUG=${DEBUG:-"false"}
+if [ "$DEBUG" == "true" ]; then
  set -x
 fi

+RUNTIME=${RUNTIME:-"docker"}
+
 set -o errexit
 set -o nounset
 set -o pipefail

 # temporal directory for the /etc/ingress-controller directory
-INGRESS_VOLUME=$(mktemp -d)
+if [[ "$OSTYPE" == darwin* ]]; then
+  mkdir -p "tmp"
+  INGRESS_VOLUME=$(pwd)/$(mktemp -d tmp/XXXXXX)
+else
+  INGRESS_VOLUME=$(mktemp -d)
+fi

 # make sure directory for SSL cert storage exists under ingress volume
 mkdir "${INGRESS_VOLUME}/ssl"

-if [[ "$OSTYPE" == darwin* ]]; then
-  INGRESS_VOLUME=/private$INGRESS_VOLUME
-fi
-
 function cleanup {
  rm -rf "${INGRESS_VOLUME}"
 }
 trap cleanup EXIT

-E2E_IMAGE=${E2E_IMAGE:-k8s.gcr.io/ingress-nginx/e2e-test-runner:v20220331-controller-v1.1.2-31-gf1cb2b73c@sha256:baa326f5c726d65be828852943a259c1f0572883590b9081b7e8fa982d64d96e}
+E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20250112-a188f4eb@sha256:043038b1e30e5a0b64f3f919f096c5c9488ac3f617ac094b07fb9db8215f9441}
+
+if [[ "$RUNTIME" == podman ]]; then
+  # Podman does not support both tag and digest
+  E2E_IMAGE=$(echo $E2E_IMAGE | awk -F "@sha" '{print $1}')
+fi

 DOCKER_OPTS=${DOCKER_OPTS:-}
 DOCKER_IN_DOCKER_ENABLED=${DOCKER_IN_DOCKER_ENABLED:-}
@ -62,23 +71,26 @@ else
  PLATFORM_FLAG=
 fi

+USER=${USER:-nobody}
+
+USE_SHELL=${USE_SHELL:-"/bin/bash"}
+
 if [[ "$DOCKER_IN_DOCKER_ENABLED" == "true" ]]; then
+  echo "..reached DIND check TRUE block, inside run-in-docker.sh"
+  echo "FLAGS=$FLAGS"
+  #go env
+  go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.22.2
+  find / -type f -name ginkgo 2>/dev/null
+  which ginkgo
  /bin/bash -c "${FLAGS}"
 else
-  docker run                                            \
-    ${PLATFORM_FLAG} ${PLATFORM}                        \
-    --tty                                               \
-    --rm                                                \
-    ${DOCKER_OPTS}                                      \
-    -e GOCACHE="/go/src/${PKG}/.cache"                  \
-    -e GOMODCACHE="/go/src/${PKG}/.modcache"                  \
-    -e DOCKER_IN_DOCKER_ENABLED="true"                  \
-    -v "${HOME}/.kube:${HOME}/.kube"                    \
-    -v "${KUBE_ROOT}:/go/src/${PKG}"                    \
-    -v "${KUBE_ROOT}/bin/${ARCH}:/go/bin/linux_${ARCH}" \
-    -v "/var/run/docker.sock:/var/run/docker.sock"      \
-    -v "${INGRESS_VOLUME}:/etc/ingress-controller/"     \
-    -w "/go/src/${PKG}"                                 \
-    -u $(id -u ${USER}):$(id -g ${USER})                \
-    ${E2E_IMAGE} /bin/bash -c "${FLAGS}"
+  echo "Reached DIND check ELSE block, inside run-in-docker.sh"
+
+  args="${PLATFORM_FLAG} ${PLATFORM} --tty --rm ${DOCKER_OPTS} -e DEBUG=${DEBUG} -e GOCACHE="/go/src/${PKG}/.cache" -e GOMODCACHE="/go/src/${PKG}/.modcache" -e DOCKER_IN_DOCKER_ENABLED="true" -v "${HOME}/.kube:${HOME}/.kube" -v "${KUBE_ROOT}:/go/src/${PKG}" -v "${KUBE_ROOT}/bin/${ARCH}:/go/bin/linux_${ARCH}" -v "${INGRESS_VOLUME}:/etc/ingress-controller/" -w "/go/src/${PKG}""
+
+  if [[ "$RUNTIME" == "docker" ]]; then
+    args="$args -v /var/run/docker.sock:/var/run/docker.sock"
+  fi
+
+  ${RUNTIME} run $args ${E2E_IMAGE} ${USE_SHELL} -c "${FLAGS}"
 fi
--- a/build/run-ingress-controller.sh
+++ b/build/run-ingress-controller.sh
@ -49,7 +49,7 @@ fi
 SSL_VOLUME=$(mktemp -d)

 function cleanup {
-    echo -e "${BGREEN}Stoping kubectl proxy${NC}"
+    echo -e "${BGREEN}Stopping kubectl proxy${NC}"
    rm -rf "${SSL_VOLUME}"
    kill "$proxy_pid"
 }
--- a/changelog/controller-1.10.0.md
+++ b/changelog/controller-1.10.0.md
@ -0,0 +1,68 @@
+# Changelog
+
+This release is the first using NGINX v1.25.0!
+
+## Breaking changes
+* This version does not support chroot image, this will be fixed on a future minor patch release
+* This version dropped Opentracing and zipkin modules, just Opentelemetry is supported
+* This version dropped support for PodSecurityPolicy
+* This version dropped support for GeoIP (legacy). Only GeoIP2 is supported
+
+### controller-v1.10.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.0@sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379c
+
+### All changes:
+
+* Start the release of v1.10.0 (#11038)
+* bump nginx and Go, remove tag file and old CI jobs (#11037)
+* Fix kubewebhook image tag (#11033)
+* add missing backend-protocol annotation option (#9545)
+* Update controller-prometheusrules.yaml (#8902)
+* Stop reporting interrupted tests (#11027)
+* test(gzip): reach ingress (#9541)
+* fix datasource, $exported_namespace variable in grafana nginx dashboard (#9092)
+* Properly support a TLS-wrapped OCSP responder (#10164)
+* Fix print-e2e-suite (#9536)
+* chore(deps): upgrade headers-more module to 0.37 (#10991)
+* Update ingress-path-matching.md (#11008)
+* Update ingress-path-matching.md (#11007)
+* E2E Tests: Explicitly enable metrics. (#10962)
+* Chart: Set `--enable-metrics` depending on `controller.metrics.enabled`. (#10959)
+* Chart: Remove useless `default` from `_params.tpl`. (#10957)
+* Fix golang makefile var name (#10932)
+* Fixing image push (#10931)
+* fix: live-docs script (#10928)
+* docs: Add vouch-proxy OAuth example (#10929)
+* Add OTEL build test and for NGINX v1.25 (#10889)
+* docs: update annotations docs with missing session-cookie section (#10917)
+* Release controller 1.9.6 and helm 4.9.1 (#10919)
+
+### Dependency updates:
+
+* Bump kubewebhook certgen (#11034)
+* Bump go libraries (#11023)
+* Bump modsecurity on nginx 1.25 (#11024)
+* Bump grpc and reintroduce OTEL compilation (#11021)
+* Bump github/codeql-action from 3.24.0 to 3.24.5 (#11017)
+* Bump actions/dependency-review-action from 4.0.0 to 4.1.3 (#11016)
+* Bump dorny/paths-filter from 3.0.0 to 3.0.1 (#10994)
+* Bump github.com/prometheus/client_model from 0.5.0 to 0.6.0 (#10998)
+* Bump actions/upload-artifact from 4.3.0 to 4.3.1 (#10978)
+* Bump actions/download-artifact from 4.1.1 to 4.1.2 (#10981)
+* Bump aquasecurity/trivy-action from 0.16.1 to 0.17.0 (#10979)
+* Bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 (#10980)
+* Bump golang.org/x/crypto from 0.18.0 to 0.19.0 (#10976)
+* Bump github/codeql-action from 3.23.2 to 3.24.0 (#10971)
+* Bump github.com/opencontainers/runc from 1.1.11 to 1.1.12 (#10951)
+* Bump google.golang.org/grpc from 1.60.1 to 1.61.0 (#10938)
+* Bump actions/upload-artifact from 4.2.0 to 4.3.0 (#10937)
+* Bump dorny/test-reporter from 1.7.0 to 1.8.0 (#10936)
+* Bump github/codeql-action from 3.23.1 to 3.23.2 (#10935)
+* Bump dorny/paths-filter from 2.11.1 to 3.0.0 (#10934)
+* Bump alpine to 3.19.1 (#10930)
+* Bump go to v1.21.6 and set a single source of truth (#10926)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.9.6...controller-v1.10.0
--- a/changelog/controller-1.10.1.md
+++ b/changelog/controller-1.10.1.md
@ -0,0 +1,57 @@
+# Changelog
+
+### controller-v1.10.1
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.1@sha256:e24f39d3eed6bcc239a56f20098878845f62baa34b9f2be2fd2c38ce9fb0f29e
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.1@sha256:c155954116b397163c88afcb3252462771bd7867017e8a17623e83601bab7ac7
+
+### All changes:
+
+* start 1.10.1 build (#11246)
+* force nginx rebuild (#11245)
+* update k8s version to latest kind release (#11241)
+* remove _ssl_expire_time_seconds metric by identifier (#11239)
+* update post submit helm ci and clean up (#11221)
+* Chart: Add unit tests for default backend & topology spread constraints. (#11219)
+* sort default backend hpa metrics (#11217)
+* updated certgen image shatag (#11216)
+* changed testrunner image sha (#11211)
+* bumped certgeimage tag (#11213)
+* updated baseimage & deleted a useless file (#11209)
+* bump ginkgo to 2-17-1 in testrunner (#11204)
+* chunking related faq update (#11205)
+* Fix-semver (#11199)
+* refactor helm ci tests part I (#11188)
+* Proposal: e2e tests for regex patterns (#11185)
+* bump ginkgo to v2.17.1 (#11186)
+* fixes brotli build issue (#11187)
+* fix geoip2 configuration docs (#11151)
+* Fix typos in OTel doc (#11081) (#11129)
+* Chart: Render `controller.ingressClassResource.parameters` natively. (#11126)
+* Fix admission controller logging of `admissionTime` and `testedConfigurationSize` (#11114)
+* Chart: Align HPA & KEDA conditions. (#11113)
+* Chart: Improve IngressClass documentation. (#11111)
+* Chart: Add Gacko to maintainers. Again. (#11112)
+* Chart: Deploy `PodDisruptionBudget` with KEDA. (#11105)
+* Chores: Pick patches from main. (#11103)
+
+### Dependency updates:
+
+* Bump google.golang.org/grpc from 1.63.0 to 1.63.2 (#11238)
+* Bump google.golang.org/grpc from 1.62.1 to 1.63.0 (#11234)
+* Bump github.com/prometheus/common from 0.51.1 to 0.52.2 (#11233)
+* Bump golang.org/x/crypto from 0.21.0 to 0.22.0 (#11232)
+* Bump github.com/prometheus/client_model in the all group (#11231)
+* Bump the all group with 3 updates (#11230)
+* Bump the all group with 2 updates (#11190)
+* Bump actions/add-to-project from 0.6.1 to 1.0.0 (#11189)
+* Bump the all group with 3 updates (#11166)
+* Bump github.com/prometheus/common from 0.50.0 to 0.51.1 (#11160)
+* Bump the all group with 4 updates (#11140)
+* Bump the all group with 1 update (#11136)
+* Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 in /magefiles (#11127)
+* Bump google.golang.org/protobuf in /images/custom-error-pages/rootfs (#11128)
+* Bump google.golang.org/protobuf in /images/kube-webhook-certgen/rootfs (#11122)
+
--- a/changelog/controller-1.10.2.md
+++ b/changelog/controller-1.10.2.md
@ -0,0 +1,130 @@
+# Changelog
+
+### controller-v1.10.2
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.2@sha256:e3311b3d9671bc52d90572bcbfb7ee5b71c985d6d6cffd445c241f1e2703363c
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.2@sha256:c4395cba98f9721e3381d3c06e7994371bae20f5ab30e457cd7debe44a8c8c54
+
+### All changes:
+
+* update test runner to latest build (#11557)
+* add k8s 1.30 to ci build (#11553)
+* update test runner go base to 3.20 (#11550)
+* tag new test runner image with new nginx base 0.0.8 (#11549)
+* bump NGINX_BASE to v0.0.8 (#11543)
+* trigger build for NGINX-1.25 v0.0.8 (#11542)
+* Upgrade OWASP_MODSECURITY_CRS_VERSION 3.3.5 to 4.4.0 and update docs (#11548)
+* [feature] bump nginx to 1.25.5 and add http3 module (#11541)
+* add ssl patches to nginx-1.25 image for coroutines to work in lua client hello and cert ssl blocks (#11534)
+* bump alpine version to 3.20 to custom-error-pages (#11537)
+* fix: Ensure changes in MatchCN annotation are detected (#11528)
+* Docs: Add information about HTTP/3 support. (#11525)
+* Docs: Specify `ingressClass` for multi-controller setup. (#11520)
+* Docs: Improve default certificate usage. (#11519)
+* docs: Update Ingress-NGINX v1.10.1 compatibility with Kubernetes v1.30 (#11500)
+* Update getting-started.md with new prerequisites (#11487)
+* Fix boolean configuration (#11484)
+* Chores: Align security contacts & chart maintainers to actual owners. (#11480)
+* CI: Bump forgotten Ginkgo versions. (#11469)
+* Tests: Replace deprecated `grpc.Dial` by `grpc.NewClient`. (#11468)
+* Owners: Promote Gacko to admin. (#11464)
+* fixed fastcgi userguide (#11455)
+* Remove unnecessary space character (#11451)
+* fix for docs issue 11432 (#11446)
+* Update index.md (#11445)
+* upgrade to alpine 3.20 (#11438)
+* update golang to 1.22.4 (#11431)
+* Adapt dashboards for Grafana 11 compatibility (#11414)
+* Rename variable to fix typo (#11413)
+* Fix helm install on cloud provider admonition block (#11412)
+* edited helm-install tips (#11411)
+* added info for aws helm install (#11410)
+* added multiplecontrollers-howto to faq (#11409)
+* removed tlsv1 & tlsv1.1 (#11408)
+* Docs: Remove opentracing and zipkin from docs (#11405)
+* Go: Sync modules from `main`. (#11398)
+* add workflow to helm release and update ct for branch (#11317)
+* Merge pull request #11277 from strongjz/chart-1.10.1 (#11314)
+* Release Helm Chart on branch update (#11306)
+* Release controller 1.10.1 (#11298)
+* fix path in file changed detected message (#11286)
+* chore: fix function names in comment (#11281)
+* fix: update kube version requirement to 1.21 (#11279)
+* release helm chart from release branch (#11278)
+* start 1.10.1 build (#11246)
+* force nginx rebuild (#11245)
+* update k8s version to latest kind release (#11241)
+* remove _ssl_expire_time_seconds metric by identifier (#11239)
+* update post submit helm ci and clean up (#11221)
+* Chart: Add unit tests for default backend & topology spread constraints. (#11219)
+* sort default backend hpa metrics (#11217)
+* updated certgen image shatag (#11216)
+* changed testrunner image sha (#11211)
+* bumped certgeimage tag (#11213)
+* updated baseimage & deleted a useless file (#11209)
+* bump ginkgo to 2-17-1 in testrunner (#11204)
+* chunking related faq update (#11205)
+* Fix-semver (#11199)
+* refactor helm ci tests part I (#11188)
+* Proposal: e2e tests for regex patterns (#11185)
+* bump ginkgo to v2.17.1 (#11186)
+* fixes brotli build issue (#11187)
+* fix geoip2 configuration docs (#11151)
+* Fix typos in OTel doc (#11081) (#11129)
+* Chart: Render `controller.ingressClassResource.parameters` natively. (#11126)
+* Fix admission controller logging of `admissionTime` and `testedConfigurationSize` (#11114)
+* Chart: Align HPA & KEDA conditions. (#11113)
+* Chart: Improve IngressClass documentation. (#11111)
+* Chart: Add Gacko to maintainers. Again. (#11112)
+* Chart: Deploy `PodDisruptionBudget` with KEDA. (#11105)
+* Chores: Pick patches from main. (#11103)
+* Start the release of v1.10.0 (#11038)
+
+### Dependency updates:
+
+* Bump the all group with 2 updates (#11524)
+* Bump k8s.io/klog/v2 from 2.130.0 to 2.130.1 in the all group (#11521)
+* Bump aquasecurity/trivy-action from 0.22.0 to 0.23.0 in the all group (#11501)
+* Bump k8s.io/klog/v2 from 2.120.1 to 2.130.0 (#11479)
+* Bump the all group with 3 updates (#11478)
+* Bump the all group with 2 updates (#11477)
+* Bump golang.org/x/crypto from 0.23.0 to 0.24.0 (#11471)
+* Bump sigs.k8s.io/controller-runtime in the all group (#11449)
+* Bump github.com/prometheus/common from 0.53.0 to 0.54.0 (#11447)
+* Bump the all group with 3 updates (#11450)
+* Bump goreleaser/goreleaser-action from 5.1.0 to 6.0.0 (#11448)
+* Bump github.com/onsi/ginkgo/v2 from 2.17.2 to 2.19.0 (#11422)
+* Bump the all group with 2 updates (#11421)
+* Bump google.golang.org/grpc from 1.63.2 to 1.64.0 (#11423)
+* Bump the all group across 1 directory with 6 updates (#11407)
+* Bump golangci/golangci-lint-action from 5.3.0 to 6.0.1 (#11406)
+* Bump the all group with 3 updates (#11404)
+* Bump Kubernetes version on images (#11403)
+* Bump golangci/golangci-lint-action from 4.0.0 to 5.0.0 (#11402)
+* Bump the all group with 4 updates (#11380)
+* Bump k8s.io/component-base from 0.29.3 to 0.30.0 (#11301)
+* Bump github.com/prometheus/common from 0.52.3 to 0.53.0 (#11300)
+* Bump golang.org/x/net from 0.22.0 to 0.23.0 (#11285)
+* Bump golang.org/x/net in /images/kube-webhook-certgen/rootfs (#11284)
+* Bump the all group with 2 updates (#11266)
+* Bump azure/setup-helm from 3.5 to 4 (#11265)
+* Bump actions/add-to-project from 1.0.0 to 1.0.1 in the all group (#11264)
+* Bump google.golang.org/grpc from 1.63.0 to 1.63.2 (#11238)
+* Bump google.golang.org/grpc from 1.62.1 to 1.63.0 (#11234)
+* Bump github.com/prometheus/common from 0.51.1 to 0.52.2 (#11233)
+* Bump golang.org/x/crypto from 0.21.0 to 0.22.0 (#11232)
+* Bump github.com/prometheus/client_model in the all group (#11231)
+* Bump the all group with 3 updates (#11230)
+* Bump the all group with 2 updates (#11190)
+* Bump actions/add-to-project from 0.6.1 to 1.0.0 (#11189)
+* Bump the all group with 3 updates (#11166)
+* Bump github.com/prometheus/common from 0.50.0 to 0.51.1 (#11160)
+* Bump the all group with 4 updates (#11140)
+* Bump the all group with 1 update (#11136)
+* Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 in /magefiles (#11127)
+* Bump google.golang.org/protobuf in /images/custom-error-pages/rootfs (#11128)
+* Bump google.golang.org/protobuf in /images/kube-webhook-certgen/rootfs (#11122)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.1...controller-v1.10.2
--- a/changelog/controller-1.10.3.md
+++ b/changelog/controller-1.10.3.md
@ -0,0 +1,37 @@
+# Changelog
+
+### controller-v1.10.3
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.3@sha256:b5a5082f8e508cc1aac1c0ef101dc2f87b63d51598a5747d81d6cf6e7ba058fd
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.3@sha256:9033e04bd3cd01f92414f8d5999c5095734d4caceb4923942298152a38373d4b
+
+### All changes:
+
+* Images: Trigger `controller` v1.10.3 build. (#11648)
+* Tests: Bump `test-runner` to v20240717-1fe74b5f. (#11646)
+* Images: Re-run `test-runner` build. (#11643)
+* Images: Trigger `test-runner` build. (#11639)
+* Images: Bump `NGINX_BASE` to v0.0.10. (#11637)
+* Images: Trigger NGINX build. (#11631)
+* bump testing runner (#11626)
+* remove modsecurity coreruleset test files from nginx image (#11619)
+* unskip the ocsp tests and update images to fix cfssl bug (#11615)
+* Fix indent in YAML for example pod (#11609)
+* Images: Bump `test-runner`. (#11604)
+* Images: Bump `NGINX_BASE` to v0.0.9. (#11601)
+* revert module upgrade (#11595)
+* README: Fix support matrix. (#11593)
+* Mage: Stop mutating release notes. (#11582)
+* Images: Bump `kube-webhook-certgen`. (#11583)
+
+### Dependency updates:
+
+* Bump github.com/prometheus/common from 0.54.0 to 0.55.0 (#11622)
+* Bump the all group with 5 updates (#11613)
+* Bump golang.org/x/crypto from 0.24.0 to 0.25.0 (#11579)
+* Bump google.golang.org/grpc from 1.64.0 to 1.65.0 (#11577)
+* Bump the all group with 4 updates (#11574)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.2...controller-v1.10.3
--- a/changelog/controller-1.10.4.md
+++ b/changelog/controller-1.10.4.md
@ -0,0 +1,53 @@
+# Changelog
+
+### controller-v1.10.4
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.4@sha256:505b9048c02dde3d6c8667bf0b52aba7b36adf7b03da34c47d5fa312d2d4c6fc
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.4@sha256:bf71acf6e71830a4470e2183e3bc93c4f006b954f8a05fb434242ef0f8a24858
+
+### All changes:
+
+* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11811)
+* Images: Trigger controller build. (#11808)
+* Tests & Docs: Bump images. (#11804)
+* Images: Trigger failed builds. (#11801)
+* Images: Trigger other builds. (#11797)
+* Controller: Fix panic in alternative backend merging. (#11793)
+* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11791)
+* Images: Trigger `test-runner` build. (#11786)
+* Images: Bump `NGINX_BASE` to v0.0.12. (#11783)
+* Images: Trigger NGINX build. (#11780)
+* Cloud Build: Add missing config, remove unused ones. (#11776)
+* Generate correct output on NumCPU() when using cgroups2 (#11775)
+* Cloud Build: Tweak timeouts. (#11762)
+* Cloud Build: Fix substitutions. (#11759)
+* Cloud Build: Some chores. (#11756)
+* Go: Bump to v1.22.6. (#11748)
+* Images: Bump `NGINX_BASE` to v0.0.11. (#11744)
+* Images: Trigger NGINX build. (#11736)
+* docs: update OpenSSL Roadmap link (#11734)
+* Go: Bump to v1.22.5. (#11731)
+* Docs: Fix typo in AWS LB Controller reference (#11724)
+* Perform some cleaning operations on line breaks. (#11722)
+* Missing anchors in regular expression. (#11718)
+* Docs: Fix `from-to-www` redirect description. (#11715)
+* Chart: Remove `isControllerTagValid`. (#11714)
+* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11704)
+* Docs: Clarify `from-to-www` redirect direction. (#11692)
+* added real-client-ip faq (#11665)
+* Docs: Format NGINX configuration table. (#11660)
+
+### Dependency updates:
+
+* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11772)
+* Bump the all group with 2 updates (#11770)
+* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11768)
+* Bump the all group with 3 updates (#11729)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11700)
+* Bump the all group with 2 updates (#11697)
+* Bump the all group with 4 updates (#11676)
+* Bump the all group with 2 updates (#11674)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.3...controller-v1.10.4
--- a/changelog/controller-1.10.5.md
+++ b/changelog/controller-1.10.5.md
@ -0,0 +1,90 @@
+# Changelog
+
+### controller-v1.10.5
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.5@sha256:c84d11b1f7bd14ebbf49918a7f0dc01b31c0c6e757e0129520ea93453096315c
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.5@sha256:030a43bdd5f0212a7e135cc4da76b15a6706ef65a6824eb4cc401f87a81c2987
+
+### All changes:
+
+* Images: Trigger controller build. (#12133)
+* Tests & Docs: Bump `e2e-test-echo` to v1.0.1. (#12146)
+* Images: Trigger `e2e-test-echo` build. (#12142)
+* Images: Drop `s390x`. (#12139)
+* Images: Build `s390x` controller. (#12128)
+* Chart: Bump Kube Webhook CertGen. (#12122)
+* Tests & Docs: Bump images. (#12120)
+* Cloud Build: Bump `gcb-docker-gcloud` to v20240718-5ef92b5c36. (#12116)
+* Images: Trigger other builds. (#12111)
+* Tests: Bump `e2e-test-runner` to v20241004-114a6abb. (#12104)
+* Images: Trigger `test-runner` build. (#12101)
+* Docs: Add a multi-tenant warning. (#12098)
+* Go: Bump to v1.22.8. (#12093)
+* Images: Bump `NGINX_BASE` to v0.1.0. (#12079)
+* Images: Trigger NGINX build. (#12077)
+* Images: Remove NGINX v1.21. (#12057)
+* GitHub: Improve Dependabot. (#12037)
+* Chart: Improve CI. (#12029)
+* Chart: Extend image tests. (#12026)
+* Docs: Add health check annotations for AWS. (#12021)
+* Docs: Convert `opentelemetry.md` from CRLF to LF. (#12007)
+* Chart: Test `controller.minAvailable` & `controller.maxUnavailable`. (#12001)
+* Chart: Align default backend `PodDisruptionBudget`. (#11998)
+* Metrics: Fix namespace in `nginx_ingress_controller_ssl_expire_time_seconds`. (#11985)
+* Chart: Improve default backend service account. (#11973)
+* Go: Bump to v1.22.7. (#11969)
+* Images: Bump OpenTelemetry C++ Contrib. (#11950)
+* Docs: Add note about `--watch-namespace`. (#11948)
+* Images: Use latest Alpine 3.20 everywhere. (#11945)
+* Fix minor typos (#11940)
+* Chart: Implement `controller.admissionWebhooks.service.servicePort`. (#11933)
+* Tests: Bump `e2e-test-runner` to v20240829-2c421762. (#11920)
+* Images: Trigger `test-runner` build. (#11918)
+* Chart: Add tests for `PrometheusRule` & `ServiceMonitor`. (#11888)
+* Annotations: Allow commas in URLs. (#11886)
+* CI: Grant checks write permissions to E2E Test Report. (#11884)
+* Update maxmind post link about geolite2 license changes (#11880)
+* Go: Sync `go.work.sum`. (#11876)
+* Replace deprecated queue method (#11858)
+* Auto-generate annotation docs (#11835)
+
+### Dependency updates:
+
+* Bump the actions group with 3 updates (#12150)
+* Bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#12108)
+* Bump the actions group with 3 updates (#12096)
+* Bump sigs.k8s.io/mdtoc from 1.1.0 to 1.4.0 (#12088)
+* Bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#12086)
+* Bump google.golang.org/grpc from 1.67.0 to 1.67.1 in the go group across 1 directory (#12084)
+* Bump k8s.io/cli-runtime from 0.30.0 to 0.31.1 (#12082)
+* Bump github/codeql-action from 3.26.9 to 3.26.10 in the actions group (#12054)
+* Bump the go group across 1 directory with 3 updates (#12052)
+* Bump k8s.io/kube-aggregator from 0.29.3 to 0.31.1 in /images/kube-webhook-certgen/rootfs (#12048)
+* Bump k8s.io/apimachinery from 0.23.1 to 0.31.1 in /images/ext-auth-example-authsvc/rootfs (#12044)
+* Bump github.com/prometheus/client_golang from 1.11.1 to 1.20.4 in /images/custom-error-pages/rootfs (#12045)
+* Bump the all group with 2 updates (#12035)
+* Bump github/codeql-action from 3.26.7 to 3.26.8 in the all group (#12015)
+* Bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#12013)
+* Bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group (#12011)
+* Bump the all group with 2 updates (#11979)
+* Bump github/codeql-action from 3.26.6 to 3.26.7 in the all group (#11978)
+* Bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#11960)
+* Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (#11959)
+* Bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group (#11956)
+* Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#11929)
+* Bump the all group with 2 updates (#11924)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.20.2 in the all group (#11912)
+* Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#11907)
+* Bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#11906)
+* Bump github/codeql-action from 3.26.5 to 3.26.6 in the all group (#11905)
+* Bump the all group with 2 updates (#11870)
+* Bump github/codeql-action from 3.26.2 to 3.26.5 in the all group (#11869)
+* Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 (#11848)
+* Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.0 (#11847)
+* Bump dario.cat/mergo from 1.0.0 to 1.0.1 in the all group (#11846)
+* Bump k8s.io/component-base from 0.30.3 to 0.31.0 (#11841)
+* Bump github/codeql-action from 3.26.0 to 3.26.2 in the all group (#11833)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.4...controller-v1.10.5
--- a/changelog/controller-1.10.6.md
+++ b/changelog/controller-1.10.6.md
@ -0,0 +1,92 @@
+# Changelog
+
+### controller-v1.10.6
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.6@sha256:b6fbd102255edb3ba8e5421feebe14fd3e94cf53d199af9e40687f536152189c
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.6@sha256:44ceedafc0e04a75521b5d472c1b6b5cc08afb8038b5bbfd79c21d066ccf300e
+
+### All changes:
+
+* Images: Trigger controller build. (#12611)
+* Chart: Bump Kube Webhook CertGen. (#12608)
+* Tests & Docs: Bump images. (#12605)
+* Images: Trigger other builds (2/2). (#12598)
+* Images: Trigger other builds (1/2). (#12597)
+* Tests: Bump `e2e-test-runner` to v20241224-68ed4e7b. (#12592)
+* Images: Trigger `test-runner` build. (#12586)
+* Images: Bump `NGINX_BASE` to v0.2.0. (#12584)
+* Images: Trigger NGINX build. (#12578)
+* Go: Clean `go.work.sum`. (#12575)
+* Repository: Update owners. (#12570)
+* Images: Bump `gcb-docker-gcloud` to v20241217-ff46a068cd. (#12563)
+* CI: Update KIND images. (#12559)
+* Images: Bump Alpine to v3.21. (#12530)
+* Docs: Add guide on how to set a Maintenance Page. (#12527)
+* rikatz is stepping down (#12518)
+* rikatz is stepping down (#12497)
+* Go: Bump to v1.23.4. (#12485)
+* Plugin: Bump `goreleaser` to v2. (#12442)
+* GitHub: Fix `exec` in issue template. (#12389)
+* CI: Update KIND images. (#12368)
+* Images: Bump `gcb-docker-gcloud` to v20241110-72bb0b1665. (#12341)
+* Go: Bump to v1.23.3. (#12339)
+* Auth TLS: Add `_` to redirect RegEx. (#12328)
+* Auth TLS: Improve redirect RegEx. (#12321)
+* Tests: Bump `e2e-test-runner` to v20241104-02a3933e. (#12314)
+* Images: Trigger `test-runner` build. (#12307)
+* Config: Fix panic on invalid `lua-shared-dict`. (#12282)
+* Docs: fix limit-rate-after references (#12280)
+* Chart: Rework ServiceMonitor. (#12268)
+* Chart: Add ServiceAccount tests. (#12266)
+* CI: Fix chart testing. (#12260)
+* [fix] fix nginx temp configs cleanup (#12224)
+* Chart: Suggest `matchLabelKeys` in Topology Spread Constraints. (#12204)
+* Docs: Add Pod Security Admission. (#12198)
+* Docs: Clarify external & service port in TCP/UDP services explanation. (#12194)
+
+### Dependency updates:
+
+* Bump k8s.io/apiextensions-apiserver from 0.31.3 to 0.32.0 (#12565)
+* Bump github.com/onsi/ginkgo/v2 from 2.22.0 to 2.22.1 (#12557)
+* Bump k8s.io/code-generator from 0.31.3 to 0.32.0 (#12552)
+* Bump k8s.io/cli-runtime from 0.31.3 to 0.32.0 (#12549)
+* Bump k8s.io/apiserver from 0.31.3 to 0.32.0 (#12546)
+* Bump the actions group with 2 updates (#12543)
+* Bump google.golang.org/grpc from 1.68.1 to 1.69.2 (#12540)
+* Bump k8s.io/client-go from 0.31.3 to 0.32.0 (#12514)
+* Bump github.com/opencontainers/runc from 1.2.2 to 1.2.3 in the go group across 1 directory (#12511)
+* Bump the actions group with 3 updates (#12508)
+* Bump k8s.io/kube-aggregator from 0.31.3 to 0.32.0 in /images/kube-webhook-certgen/rootfs (#12504)
+* Bump k8s.io/apimachinery from 0.31.3 to 0.32.0 in /images/ext-auth-example-authsvc/rootfs (#12501)
+* Bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#12478)
+* Bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /magefiles (#12473)
+* Bump github.com/prometheus/common from 0.60.1 to 0.61.0 (#12466)
+* Bump github/codeql-action from 3.27.5 to 3.27.6 in the actions group (#12463)
+* Bump the go group across 1 directory with 2 updates (#12459)
+* Bump github.com/onsi/ginkgo/v2 from 2.21.0 to 2.22.0 (#12425)
+* Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#12416)
+* Bump the go group across 3 directories with 10 updates (#12414)
+* Bump the actions group with 3 updates (#12410)
+* Bump github.com/opencontainers/runc from 1.2.1 to 1.2.2 in the go group across 1 directory (#12382)
+* Bump github/codeql-action from 3.27.1 to 3.27.4 in the actions group (#12375)
+* Bump golangci-lint on actions and disable deprecated linters (#12363)
+* Bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#12356)
+* Bump the actions group with 3 updates (#12353)
+* Bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#12351)
+* Bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 (#12297)
+* Bump github.com/opencontainers/runc from 1.2.0 to 1.2.1 in the go group across 1 directory (#12294)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.2 to 2.21.0 (#12290)
+* Bump actions/dependency-review-action from 4.3.5 to 4.4.0 in the actions group (#12275)
+* Bump the go group across 3 directories with 11 updates (#12246)
+* Bump github.com/opencontainers/runc from 1.1.15 to 1.2.0 (#12241)
+* Bump the actions group with 5 updates (#12243)
+* Bump github.com/ncabatoff/process-exporter from 0.8.3 to 0.8.4 in the go group across 1 directory (#12219)
+* Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 in the actions group (#12215)
+* Bump github/codeql-action from 3.26.12 to 3.26.13 in the actions group (#12191)
+* Bump the go group across 2 directories with 1 update (#12189)
+* Bump the actions group with 2 updates (#12185)
+* Bump github.com/opencontainers/runc from 1.1.14 to 1.1.15 in the go group across 1 directory (#12184)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.5...controller-v1.10.6
--- a/changelog/controller-1.11.0.md
+++ b/changelog/controller-1.11.0.md
@ -0,0 +1,164 @@
+# Changelog
+
+### controller-v1.11.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.11.0@sha256:a886e56d532d1388c77c8340261149d974370edca1093af4c97a96fb1467cb39
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.0@sha256:f16dfed1c94d216b65e5dcb7508ab46148641a99649c5a700749db6f01a7039e
+
+### All changes:
+
+* update test runner to latest build (#11558)
+* add k8s 1.30 to ci build (#11554)
+* update test runner go base to 3.20 (#11552)
+* tag new test runner image with new nginx base 0.0.8 (#11551)
+* bump NGINX_BASE to v0.0.8 (#11544)
+* add ssl patches to nginx-1.25 image for coroutines to work in lua client hello and cert ssl blocks (#11535)
+* trigger build for NGINX-1.25 v0.0.8 (#11539)
+* bump alpine version to 3.20 to custom-error-pages (#11538)
+* fix: Ensure changes in MatchCN annotation are detected (#11529)
+* Docs: Add information about HTTP/3 support. (#11513)
+* Docs: Specify `ingressClass` for multi-controller setup. (#11493)
+* Docs: Improve default certificate usage. (#11504)
+* Upgrade OWASP_MODSECURITY_CRS_VERSION 3.3.5 to 4.4.0 and update docs (#11511)
+* docs: Update Ingress-NGINX v1.10.1 compatibility with Kubernetes v1.30 (#11495)
+* Update getting-started.md with new prerequisites (#11486)
+* [feature] bump nginx to 1.25.5 and add http3 module (#11470)
+* Fix boolean configuration (#11483)
+* Chores: Align security contacts & chart maintainers to actual owners. (#11465)
+* CI: Bump forgotten Ginkgo versions. (#11467)
+* Tests: Replace deprecated `grpc.Dial` by `grpc.NewClient`. (#11462)
+* Owners: Promote Gacko to admin. (#11463)
+* Chart: Make pod affinity templatable. (#11453)
+* fixed fastcgi userguide (#11454)
+* Remove unnecessary space character (#11434)
+* upgrade to alpine 3.20 (#11428)
+* fix for docs issue 11432 (#11433)
+* Update index.md (#11437)
+* update golang to 1.22.4 (#11427)
+* Chart: Fix `IngressClass` annotations. (#11416)
+* Chart: Make admission webhook patch job RBAC configurable. (#11376)
+* Merge pull request #11277 from strongjz/chart-1.10.1 (#11415)
+* Chart: Remove `controller.enableWorkerSerialReloads`. (#11400)
+* Adapt dashboards for Grafana 11 compatibility (#11399)
+* Rename variable to fix typo (#11395)
+* Fix helm install on cloud provider admonition block (#11394)
+* edited helm-install tips (#11393)
+* added info for aws helm install (#11390)
+* added multiplecontrollers-howto to faq (#11389)
+* removed tlsv1 & tlsv1.1 (#11343)
+* feat: Add grpc timeouts annotations (#11258)
+* sfix position of options (#11379)
+* add workflow to helm release and update ct for branch (#11378)
+* Accept user defined annotations in IngressClass (#11362)
+* Docs: Remove opentracing and zipkin from docs (#11361)
+* Allow configuring nginx worker reload behaviour, to prevent multiple concurrent worker reloads which can lead to high resource usage and OOMKill (#10884)
+* chore(deps): group update k8s.io packages to v0.30.0 (#11344)
+* Fix function name in comment (#11296)
+* fix path in file changed detected message (#11271)
+* chore: fix function names in comment (#11280)
+* fix: update kube version requirement to 1.21 (#11275)
+* release helm chart from release branch (#11276)
+* update k8s version to latest kind release (#11240)
+* feat: add annotation to allow to add custom response headers (#9742)
+* remove _ssl_expire_time_seconds metric by identifier (#9706)
+* update post submit helm ci and clean up (#11220)
+* Chart: Add unit tests for default backend & topology spread constraints. (#11218)
+* sort default backend hpa metrics (#11215)
+* updated certgen image shatag (#11214)
+* feature(default_backend): topologySpreadConstraints on default backend (#11197)
+* bumped certgeimage tag (#11212)
+* changed testrunner image sha (#11207)
+* updated baseimage & deleted a useless file (#11208)
+* Chart: Make `controller.config` templatable. (#11181)
+* chunking related faq update (#11196)
+* bump ginkgo to 2-17-1 in testrunner (#11202)
+* Owners: Promote Gacko to `ingress-nginx-maintainers` & `ingress-nginx-reviewers`. (#11165)
+* Fix-semver (#11193)
+* refactor helm ci tests part I (#11178)
+* fixes brotli build issue (#10484)
+* bump ginkgo to v2.17.1 (#11177)
+* Proposal: e2e tests for regex patterns (#11174)
+* Controller: Make Leader Election TTL configurable. (#11142)
+* Chores: Remove recently added whitespaces. (#11156)
+* Add GRPC Buffer Size to the Configmap (#11155)
+* fix geoip2 configuration docs (#11150)
+* feature(geoip2_autoreload): Enable GeoIP2 auto_reload config  (#11079)
+* Chart: Add IngressClass aliases. (#11109)
+* Fix typos in OTel doc (#11081)
+* Chart: Render `controller.ingressClassResource.parameters` natively. (#11108)
+* Fix admission controller logging of `admissionTime` and `testedConfigurationSize` (#11089)
+* Chart: Align HPA & KEDA conditions. (#11110)
+* Chart: Add Gacko to maintainers. Again. (#11107)
+* Chart: Improve IngressClass documentation. (#11104)
+* Chart: Deploy `PodDisruptionBudget` with KEDA. (#11032)
+* Undo #11062 since it breaks the nginx config (#11082)
+* [mTLS] Fix acme verification when mTLS and Client CN verification is enabled (#11062)
+* golangci-lint update, ci cleanup, group dependabot updates (#11071)
+* bump golang (#11070)
+* feature(leader_election): flag to disable leader election feature on controller (#11064)
+* docs: update the 404 link to FAQ (#11069)
+* Update README.md (#11065)
+* quotes around numbers fort ports definitions (#11052)
+
+### Dependency updates:
+
+* Bump the all group with 2 updates (#11523)
+* Bump k8s.io/klog/v2 from 2.130.0 to 2.130.1 in the all group (#11499)
+* Bump aquasecurity/trivy-action from 0.22.0 to 0.23.0 in the all group (#11497)
+* Bump k8s.io/klog/v2 from 2.120.1 to 2.130.0 (#11475)
+* Bump the all group with 3 updates (#11474)
+* Bump the all group with 2 updates (#11476)
+* Bump golang.org/x/crypto from 0.23.0 to 0.24.0 (#11442)
+* Bump the all group with 3 updates (#11443)
+* Bump sigs.k8s.io/controller-runtime in the all group (#11440)
+* Bump goreleaser/goreleaser-action from 5.1.0 to 6.0.0 (#11444)
+* Bump github.com/prometheus/common from 0.53.0 to 0.54.0 (#11441)
+* Bump the all group with 2 updates (#11419)
+* Bump github.com/onsi/ginkgo/v2 from 2.17.2 to 2.19.0 (#11418)
+* Bump google.golang.org/grpc from 1.63.2 to 1.64.0 (#11417)
+* Bump the all group across 1 directory with 3 updates (#11384)
+* Bump the all group across 1 directory with 6 updates (#11383)
+* Bump golang.org/x/crypto from 0.22.0 to 0.23.0 (#11357)
+* Bump golangci/golangci-lint-action from 5.3.0 to 6.0.1 (#11355)
+* Bump the all group with 3 updates (#11348)
+* Bump Kubernetes version on images (#11346)
+* Bump sigs.k8s.io/controller-runtime from 0.17.3 to 0.18.1 (#11345)
+* Bump golangci/golangci-lint-action from 4.0.0 to 5.0.0 (#11328)
+* Bump the all group with 4 updates (#11327)
+* Bump k8s.io/component-base from 0.29.3 to 0.30.0 (#11291)
+* Bump github.com/prometheus/common from 0.52.3 to 0.53.0 (#11290)
+* Bump golang.org/x/net from 0.22.0 to 0.23.0 (#11282)
+* Bump golang.org/x/net in /images/kube-webhook-certgen/rootfs (#11283)
+* Bump the all group with 2 updates (#11261)
+* Bump azure/setup-helm from 3.5 to 4 (#11263)
+* Bump actions/add-to-project from 1.0.0 to 1.0.1 in the all group (#11262)
+* Bump google.golang.org/grpc from 1.63.0 to 1.63.2 (#11237)
+* Bump google.golang.org/grpc from 1.62.1 to 1.63.0 (#11228)
+* Bump github.com/prometheus/common from 0.51.1 to 0.52.2 (#11227)
+* Bump golang.org/x/crypto from 0.21.0 to 0.22.0 (#11229)
+* Bump github.com/prometheus/client_model in the all group (#11226)
+* Bump the all group with 3 updates (#11225)
+* Bump the all group with 2 updates (#11183)
+* Bump actions/add-to-project from 0.6.1 to 1.0.0 (#11184)
+* Bump the all group with 3 updates (#11157)
+* Bump github.com/prometheus/common from 0.50.0 to 0.51.1 (#11159)
+* Bump the all group with 4 updates (#11133)
+* Bump the all group with 1 update (#11134)
+* Bump google.golang.org/protobuf in /images/custom-error-pages/rootfs (#11119)
+* Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 in /magefiles (#11121)
+* Bump google.golang.org/protobuf in /images/kube-webhook-certgen/rootfs (#11120)
+* Bump github.com/onsi/ginkgo/v2 from 2.15.0 to 2.16.0 (#11076)
+* Bump the all group with 1 update (#11073)
+* Bump the all group with 1 update (#11072)
+* Bump github.com/prometheus/common from 0.49.0 to 0.50.0 (#11075)
+* Bump actions/download-artifact from 4.1.2 to 4.1.4 (#11059)
+* Bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (#11055)
+* Bump docker/setup-buildx-action from 3.0.0 to 3.1.0 (#11057)
+* Bump github.com/prometheus/common from 0.48.0 to 0.49.0 (#11056)
+* Bump github/codeql-action from 3.24.5 to 3.24.6 (#11060)
+* Bump aquasecurity/trivy-action from 0.17.0 to 0.18.0 (#11058)
+* Bump dorny/paths-filter from 3.0.1 to 3.0.2 (#11061)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.2...controller-v1.11.0
--- a/changelog/controller-1.11.1.md
+++ b/changelog/controller-1.11.1.md
@ -0,0 +1,45 @@
+# Changelog
+
+### controller-v1.11.1
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.11.1@sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.1@sha256:7cabe4bd7558bfdf5b707976d7be56fd15ffece735d7c90fc238b6eda290fd8d
+
+### All changes:
+
+* Tests: Bump `test-runner` to v20240717-1fe74b5f. (#11647)
+* Images: Re-run `test-runner` build. (#11644)
+* Images: Trigger `test-runner` build. (#11640)
+* Images: Bump `NGINX_BASE` to v0.0.10. (#11638)
+* Images: Trigger NGINX build. (#11632)
+* bump testing runner (#11627)
+* remove modsecurity coreruleset test files from nginx image (#11620)
+* unskip the ocsp tests and update images to fix cfssl bug (#11616)
+* Fix indent in YAML for example pod (#11610)
+* Images: Bump `test-runner`. (#11605)
+* Images: Bump `NGINX_BASE` to v0.0.9. (#11602)
+* revert module upgrade (#11597)
+* Release: Apply changes from `main`. (#11589)
+* Mage: Stop mutating release notes. (#11581)
+* Images: Bump `kube-webhook-certgen`. (#11584)
+* update test runner to latest build (#11558)
+* add k8s 1.30 to ci build (#11554)
+* update test runner go base to 3.20 (#11552)
+* tag new test runner image with new nginx base 0.0.8 (#11551)
+* bump NGINX_BASE to v0.0.8 (#11544)
+* add ssl patches to nginx-1.25 image for coroutines to work in lua client hello and cert ssl blocks (#11535)
+* trigger build for NGINX-1.25 v0.0.8 (#11539)
+* bump alpine version to 3.20 to custom-error-pages (#11538)
+* fix: Ensure changes in MatchCN annotation are detected (#11529)
+
+### Dependency updates:
+
+* Bump github.com/prometheus/common from 0.54.0 to 0.55.0 (#11621)
+* Bump the all group with 5 updates (#11614)
+* Bump golang.org/x/crypto from 0.24.0 to 0.25.0 (#11580)
+* Bump google.golang.org/grpc from 1.64.0 to 1.65.0 (#11576)
+* Bump the all group with 4 updates (#11575)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.0...controller-v1.11.1
--- a/changelog/controller-1.11.2.md
+++ b/changelog/controller-1.11.2.md
@ -0,0 +1,54 @@
+# Changelog
+
+### controller-v1.11.2
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.2@sha256:21b55a2f0213a18b91612a8c0850167e00a8e34391fd595139a708f9c047e7a8
+
+### All changes:
+
+* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11812)
+* Images: Trigger controller build. (#11807)
+* Tests & Docs: Bump images. (#11805)
+* Images: Trigger failed builds. (#11802)
+* Images: Trigger other builds. (#11798)
+* Controller: Fix panic in alternative backend merging. (#11794)
+* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11792)
+* Images: Trigger `test-runner` build. (#11787)
+* Images: Bump `NGINX_BASE` to v0.0.12. (#11784)
+* Images: Trigger NGINX build. (#11781)
+* Cloud Build: Add missing config, remove unused ones. (#11777)
+* Generate correct output on NumCPU() when using cgroups2 (#11778)
+* Cloud Build: Tweak timeouts. (#11763)
+* Cloud Build: Fix substitutions. (#11760)
+* Cloud Build: Some chores. (#11757)
+* Go: Bump to v1.22.6. (#11749)
+* Images: Bump `NGINX_BASE` to v0.0.11. (#11743)
+* Images: Trigger NGINX build. (#11737)
+* docs: update OpenSSL Roadmap link (#11733)
+* Go: Bump to v1.22.5. (#11732)
+* Docs: Fix typo in AWS LB Controller reference (#11725)
+* Perform some cleaning operations on line breaks. (#11721)
+* Missing anchors in regular expression. (#11719)
+* Docs: Fix `from-to-www` redirect description. (#11716)
+* Chart: Remove `isControllerTagValid`. (#11713)
+* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11705)
+* Docs: Clarify `from-to-www` redirect direction. (#11693)
+* added real-client-ip faq (#11664)
+* Docs: Format NGINX configuration table. (#11662)
+* Docs: Update version in `deploy/index.md`. (#11652)
+
+### Dependency updates:
+
+* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11773)
+* Bump the all group with 2 updates (#11771)
+* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11769)
+* Bump the all group with 3 updates (#11728)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11701)
+* Bump the all group with 2 updates (#11698)
+* Bump the all group with 4 updates (#11677)
+* Bump the all group with 2 updates (#11675)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.1...controller-v1.11.2
--- a/changelog/controller-1.11.3.md
+++ b/changelog/controller-1.11.3.md
@ -0,0 +1,91 @@
+# Changelog
+
+### controller-v1.11.3
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:d56f135b6462cfc476447cfe564b83a45e8bb7da2774963b00d12161112270b7
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.3@sha256:22701f0fc0f2dd209ef782f4e281bfe2d8cccd50ededa00aec88e0cdbe7edd14
+
+### All changes:
+
+* Images: Trigger controller build. (#12134)
+* Tests & Docs: Bump `e2e-test-echo` to v1.0.1. (#12145)
+* Images: Trigger `e2e-test-echo` build. (#12141)
+* Images: Drop `s390x`. (#12138)
+* Images: Build `s390x` controller. (#12127)
+* Chart: Bump Kube Webhook CertGen. (#12123)
+* Tests & Docs: Bump images. (#12121)
+* Cloud Build: Bump `gcb-docker-gcloud` to v20240718-5ef92b5c36. (#12117)
+* Images: Trigger other builds. (#12112)
+* Tests: Bump `e2e-test-runner` to v20241004-114a6abb. (#12105)
+* Images: Trigger `test-runner` build. (#12102)
+* Docs: Add a multi-tenant warning. (#12099)
+* Go: Bump to v1.22.8. (#12094)
+* Images: Bump `NGINX_BASE` to v0.1.0. (#12080)
+* Images: Trigger NGINX build. (#12076)
+* Images: Remove NGINX v1.21. (#12058)
+* GitHub: Improve Dependabot. (#12038)
+* Chart: Improve CI. (#12030)
+* Chart: Extend image tests. (#12027)
+* Docs: Add health check annotations for AWS. (#12020)
+* Docs: Convert `opentelemetry.md` from CRLF to LF. (#12006)
+* Chart: Test `controller.minAvailable` & `controller.maxUnavailable`. (#12002)
+* Chart: Align default backend `PodDisruptionBudget`. (#11999)
+* Metrics: Fix namespace in `nginx_ingress_controller_ssl_expire_time_seconds`. (#11986)
+* Chart: Improve default backend service account. (#11974)
+* Go: Bump to v1.22.7. (#11970)
+* Images: Bump OpenTelemetry C++ Contrib. (#11951)
+* Docs: Add note about `--watch-namespace`. (#11949)
+* Images: Use latest Alpine 3.20 everywhere. (#11946)
+* Fix minor typos (#11941)
+* Chart: Implement `controller.admissionWebhooks.service.servicePort`. (#11934)
+* Tests: Bump `e2e-test-runner` to v20240829-2c421762. (#11921)
+* Images: Trigger `test-runner` build. (#11917)
+* Chart: Add tests for `PrometheusRule` & `ServiceMonitor`. (#11889)
+* Annotations: Allow commas in URLs. (#11887)
+* CI: Grant checks write permissions to E2E Test Report. (#11885)
+* Chart: Use generic values for `ConfigMap` test. (#11879)
+* Update maxmind post link about geolite2 license changes (#11881)
+* Go: Sync `go.work.sum`. (#11875)
+* Replace deprecated queue method (#11859)
+* Auto-generate annotation docs (#11831)
+
+### Dependency updates:
+
+* Bump the actions group with 3 updates (#12149)
+* Bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#12109)
+* Bump the actions group with 3 updates (#12097)
+* Bump sigs.k8s.io/mdtoc from 1.1.0 to 1.4.0 (#12089)
+* Bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#12087)
+* Bump google.golang.org/grpc from 1.67.0 to 1.67.1 in the go group across 1 directory (#12085)
+* Bump k8s.io/cli-runtime from 0.30.0 to 0.31.1 (#12083)
+* Bump github/codeql-action from 3.26.9 to 3.26.10 in the actions group (#12055)
+* Bump the go group across 1 directory with 3 updates (#12053)
+* Bump k8s.io/kube-aggregator from 0.29.3 to 0.31.1 in /images/kube-webhook-certgen/rootfs (#12049)
+* Bump k8s.io/apimachinery from 0.23.1 to 0.31.1 in /images/ext-auth-example-authsvc/rootfs (#12047)
+* Bump github.com/prometheus/client_golang from 1.11.1 to 1.20.4 in /images/custom-error-pages/rootfs (#12046)
+* Bump the all group with 2 updates (#12036)
+* Bump github/codeql-action from 3.26.7 to 3.26.8 in the all group (#12016)
+* Bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#12014)
+* Bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group (#12012)
+* Bump the all group with 2 updates (#11981)
+* Bump github/codeql-action from 3.26.6 to 3.26.7 in the all group (#11980)
+* Bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#11961)
+* Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (#11958)
+* Bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group (#11957)
+* Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#11930)
+* Bump the all group with 2 updates (#11925)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.20.2 in the all group (#11913)
+* Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#11910)
+* Bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#11909)
+* Bump github/codeql-action from 3.26.5 to 3.26.6 in the all group (#11908)
+* Bump the all group with 2 updates (#11871)
+* Bump github/codeql-action from 3.26.2 to 3.26.5 in the all group (#11868)
+* Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 (#11840)
+* Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.0 (#11839)
+* Bump dario.cat/mergo from 1.0.0 to 1.0.1 in the all group (#11837)
+* Bump k8s.io/component-base from 0.30.3 to 0.31.0 (#11836)
+* Bump github/codeql-action from 3.26.0 to 3.26.2 in the all group (#11834)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.2...controller-v1.11.3
--- a/changelog/controller-1.11.4.md
+++ b/changelog/controller-1.11.4.md
@ -0,0 +1,94 @@
+# Changelog
+
+### controller-v1.11.4
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.4@sha256:f29d0f9e7a9ef4947eda59ed0c09ec13380b13639d1518cf1ab8ec09c3e22ef8
+
+### All changes:
+
+* Images: Trigger controller build. (#12610)
+* Chart: Bump Kube Webhook CertGen. (#12607)
+* Tests & Docs: Bump images. (#12604)
+* Images: Trigger other builds (2/2). (#12600)
+* Images: Trigger other builds (1/2). (#12596)
+* Tests: Bump `e2e-test-runner` to v20241224-68ed4e7b. (#12591)
+* Images: Trigger `test-runner` build. (#12588)
+* Images: Bump `NGINX_BASE` to v0.2.0. (#12583)
+* Images: Trigger NGINX build. (#12577)
+* Go: Clean `go.work.sum`. (#12574)
+* Repository: Update owners. (#12569)
+* Images: Bump `gcb-docker-gcloud` to v20241217-ff46a068cd. (#12562)
+* CI: Update KIND images. (#12558)
+* Images: Bump Alpine to v3.21. (#12529)
+* Docs: Add guide on how to set a Maintenance Page. (#12526)
+* rikatz is stepping down (#12517)
+* rikatz is stepping down (#12495)
+* Go: Bump to v1.23.4. (#12484)
+* Plugin: Bump `goreleaser` to v2. (#12441)
+* GitHub: Fix `exec` in issue template. (#12388)
+* CI: Update KIND images. (#12365)
+* Images: Bump `gcb-docker-gcloud` to v20241110-72bb0b1665. (#12343)
+* Go: Bump to v1.23.3. (#12338)
+* Auth TLS: Add `_` to redirect RegEx. (#12327)
+* Auth TLS: Improve redirect RegEx. (#12322)
+* Update custom headers annotation documentation (#12319)
+* Tests: Bump `e2e-test-runner` to v20241104-02a3933e. (#12313)
+* Images: Trigger `test-runner` build. (#12306)
+* Config: Fix panic on invalid `lua-shared-dict`. (#12284)
+* Docs: fix limit-rate-after references (#12279)
+* Chart: Rework ServiceMonitor. (#12270)
+* Chart: Add ServiceAccount tests. (#12264)
+* CI: Fix chart testing. (#12259)
+* [fix] fix nginx temp configs cleanup (#12223)
+* Chart: Suggest `matchLabelKeys` in Topology Spread Constraints. (#12203)
+* Docs: Add Pod Security Admission. (#12197)
+* Docs: Clarify external & service port in TCP/UDP services explanation. (#12193)
+* Docs: Goodbye, v1.10. (#12159)
+
+### Dependency updates:
+
+* Bump k8s.io/apiextensions-apiserver from 0.31.3 to 0.32.0 (#12567)
+* Bump github.com/onsi/ginkgo/v2 from 2.22.0 to 2.22.1 (#12556)
+* Bump k8s.io/code-generator from 0.31.3 to 0.32.0 (#12551)
+* Bump k8s.io/cli-runtime from 0.31.3 to 0.32.0 (#12548)
+* Bump k8s.io/apiserver from 0.31.3 to 0.32.0 (#12545)
+* Bump the actions group with 2 updates (#12542)
+* Bump google.golang.org/grpc from 1.68.1 to 1.69.2 (#12539)
+* Bump k8s.io/client-go from 0.31.3 to 0.32.0 (#12513)
+* Bump github.com/opencontainers/runc from 1.2.2 to 1.2.3 in the go group across 1 directory (#12510)
+* Bump the actions group with 3 updates (#12507)
+* Bump k8s.io/kube-aggregator from 0.31.3 to 0.32.0 in /images/kube-webhook-certgen/rootfs (#12503)
+* Bump k8s.io/apimachinery from 0.31.3 to 0.32.0 in /images/ext-auth-example-authsvc/rootfs (#12500)
+* Bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#12477)
+* Bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /magefiles (#12475)
+* Bump github.com/prometheus/common from 0.60.1 to 0.61.0 (#12465)
+* Bump github/codeql-action from 3.27.5 to 3.27.6 in the actions group (#12462)
+* Bump the go group across 1 directory with 2 updates (#12458)
+* Bump github.com/onsi/ginkgo/v2 from 2.21.0 to 2.22.0 (#12427)
+* Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#12417)
+* Bump the go group across 3 directories with 10 updates (#12415)
+* Bump the actions group with 3 updates (#12411)
+* Bump github.com/opencontainers/runc from 1.2.1 to 1.2.2 in the go group across 1 directory (#12381)
+* Bump github/codeql-action from 3.27.1 to 3.27.4 in the actions group (#12374)
+* Bump golangci-lint on actions and disable deprecated linters (#12362)
+* Bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#12355)
+* Bump the actions group with 3 updates (#12352)
+* Bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#12350)
+* Bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 (#12298)
+* Bump github.com/opencontainers/runc from 1.2.0 to 1.2.1 in the go group across 1 directory (#12295)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.2 to 2.21.0 (#12289)
+* Bump actions/dependency-review-action from 4.3.5 to 4.4.0 in the actions group (#12274)
+* Bump the go group across 3 directories with 11 updates (#12245)
+* Bump github.com/opencontainers/runc from 1.1.15 to 1.2.0 (#12239)
+* Bump the actions group with 5 updates (#12240)
+* Bump github.com/ncabatoff/process-exporter from 0.8.3 to 0.8.4 in the go group across 1 directory (#12220)
+* Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 in the actions group (#12216)
+* Bump github/codeql-action from 3.26.12 to 3.26.13 in the actions group (#12190)
+* Bump the go group across 2 directories with 1 update (#12187)
+* Bump the actions group with 2 updates (#12181)
+* Bump github.com/opencontainers/runc from 1.1.14 to 1.1.15 in the go group across 1 directory (#12179)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.3...controller-v1.11.4
--- a/changelog/controller-1.12.0-beta.0.md
+++ b/changelog/controller-1.12.0-beta.0.md
@ -0,0 +1,216 @@
+# Changelog
+
+### controller-v1.12.0-beta.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.12.0-beta.0@sha256:9724476b928967173d501040631b23ba07f47073999e80e34b120e8db5f234d5
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.12.0-beta.0@sha256:6e2f8f52e1f2571ff65bc4fc4826d5282d5def5835ec4ab433dcb8e659b2fbac
+
+### All changes:
+
+* Images: Trigger controller build. (#12154)
+* ⚠️ Metrics: Disable by default. (#12153) ⚠️
+
+  This changes the default of the following CLI arguments:
+
+  * `--enable-metrics` gets disabled by default.
+
+* Tests & Docs: Bump `e2e-test-echo` to v1.0.1. (#12147)
+* Images: Trigger `e2e-test-echo` build. (#12140)
+* ⚠️ Images: Drop `s390x`. (#12137) ⚠️
+
+  Support for the `s390x` architecture has already been removed from the controller image. This also removes it from the NGINX base image and CI relevant images.
+
+* Images: Build `s390x` controller. (#12126)
+* Chart: Bump Kube Webhook CertGen. (#12119)
+* Tests & Docs: Bump images. (#12118)
+* Cloud Build: Bump `gcb-docker-gcloud` to v20240718-5ef92b5c36. (#12113)
+* Images: Trigger other builds. (#12110)
+* Tests: Bump `e2e-test-runner` to v20241004-114a6abb. (#12103)
+* Images: Trigger `test-runner` build. (#12100)
+* Docs: Add a multi-tenant warning. (#12091)
+* Go: Bump to v1.22.8. (#12069)
+* Images: Bump `NGINX_BASE` to v1.0.0. (#12066)
+* Images: Trigger NGINX build. (#12063)
+* Images: Remove NGINX v1.21. (#12031)
+* Chart: Add `controller.metrics.service.enabled`. (#12056)
+* GitHub: Improve Dependabot. (#12033)
+* Chart: Add `global.image.registry`. (#12028)
+* ⚠️ Images: Remove OpenTelemetry. (#12024) ⚠️
+
+  OpenTelemetry is still supported, but since the module is built into the controller image since v1.10, we hereby remove the init container and image which were used to install it upon controller startup.
+
+* Chart: Improve CI. (#12003)
+* Chart: Extend image tests. (#12025)
+* Chart: Add `controller.progressDeadlineSeconds`. (#12017)
+* Docs: Add health check annotations for AWS. (#12018)
+* Docs: Convert `opentelemetry.md` from CRLF to LF. (#12005)
+* Chart: Implement `unhealthyPodEvictionPolicy`. (#11992)
+* Chart: Add `defaultBackend.maxUnavailable`. (#11995)
+* Chart: Test `controller.minAvailable` & `controller.maxUnavailable`. (#12000)
+* Chart: Align default backend `PodDisruptionBudget`. (#11993)
+* Metrics: Fix namespace in `nginx_ingress_controller_ssl_expire_time_seconds`. (#10274)
+* ⚠️ Chart: Remove Pod Security Policy. (#11971) ⚠️
+
+  This removes Pod Security Policies and related resources from the chart.
+
+* Chart: Improve default backend service account. (#11972)
+* Go: Bump to v1.22.7. (#11943)
+* NGINX: Remove inline Lua from template. (#11806)
+* Images: Bump OpenTelemetry C++ Contrib. (#11629)
+* Docs: Add note about `--watch-namespace`. (#11947)
+* Images: Use latest Alpine 3.20 everywhere. (#11944)
+* Fix minor typos (#11935)
+* Chart: Implement `controller.admissionWebhooks.service.servicePort`. (#11931)
+* Allow any protocol for cors origins (#11153)
+* Tests: Bump `e2e-test-runner` to v20240829-2c421762. (#11919)
+* Images: Trigger `test-runner` build. (#11916)
+* Chart: Add `controller.metrics.prometheusRule.annotations`. (#11849)
+* Chart: Add tests for `PrometheusRule` & `ServiceMonitor`. (#11883)
+* Annotations: Allow commas in URLs. (#11882)
+* CI: Grant checks write permissions to E2E Test Report. (#11862)
+* Chart: Use generic values for `ConfigMap` test. (#11877)
+* Security: Follow-up on recent changes. (#11874)
+* Lua: Remove plugins from `.luacheckrc` & E2E docs. (#11872)
+* Dashboard: Remove `ingress_upstream_latency_seconds`. (#11878)
+* Metrics: Add `--metrics-per-undefined-host` argument. (#11818)
+* Update maxmind post link about geolite2 license changes (#11861)
+* ⚠️ Remove global-rate-limit feature (#11851) ⚠️
+
+  This removes the following configuration options:
+
+  * `global-rate-limit-memcached-host`
+  * `global-rate-limit-memcached-port`
+  * `global-rate-limit-memcached-connect-timeout`
+  * `global-rate-limit-memcached-max-idle-timeout`
+  * `global-rate-limit-memcached-pool-size`
+  * `global-rate-limit-status-code`
+
+  It also removes the following annotations:
+
+  * `global-rate-limit`
+  * `global-rate-limit-window`
+  * `global-rate-limit-key`
+  * `global-rate-limit-ignored-cidrs`
+
+* Revert "docs: Add deployment for AWS NLB Proxy." (#11857)
+* Add custom code handling for temporal redirect (#10651)
+* Add native histogram support for histogram metrics (#9971)
+* Replace deprecated queue method (#11853)
+* ⚠️ Enable security features by default (#11819) ⚠️
+
+  This changes the default of the following CLI arguments:
+
+  * `--enable-annotation-validation` gets enabled by default.
+
+  It also changes the default of the following configuration options:
+
+  * `allow-cross-namespace-resources` gets disabled by default.
+  * `annotations-risk-level` gets lowered to "High" by default.
+  * `strict-validate-path-type` gets enabled by default.
+
+* docs: Add deployment for AWS NLB Proxy. (#9565)
+* ⚠️ Remove 3rd party lua plugin support (#11821) ⚠️
+
+  This removes the following configuration options:
+
+  * `plugins`
+
+  It also removes support for user provided Lua plugins in the `/etc/nginx/lua/plugins` directory.
+
+* Auto-generate annotation docs (#11820)
+* ⚠️ Metrics: Remove `ingress_upstream_latency_seconds`. (#11795) ⚠️
+
+  This metric has already been deprecated and is now getting removed.
+
+* Release controller v1.11.2/v1.10.4 & chart v4.11.2/v4.10.4. (#11816)
+* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11809)
+* Tests & Docs: Bump images. (#11803)
+* Images: Trigger failed builds. (#11800)
+* Images: Trigger other builds. (#11796)
+* Controller: Fix panic in alternative backend merging. (#11789)
+* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11788)
+* Images: Trigger `test-runner` build. (#11785)
+* Images: Bump `NGINX_BASE` to v0.0.12. (#11782)
+* Images: Trigger NGINX build. (#11779)
+* Cloud Build: Add missing config, remove unused ones. (#11774)
+* Cloud Build: Tweak timeouts. (#11761)
+* Cloud Build: Fix substitutions. (#11758)
+* Cloud Build: Some chores. (#11633)
+* Go: Bump to v1.22.6. (#11747)
+* Images: Bump `NGINX_BASE` to v0.0.11. (#11741)
+* Images: Trigger NGINX build. (#11735)
+* docs: update OpenSSL Roadmap link (#11730)
+* Go: Bump to v1.22.5. (#11634)
+* Docs: Fix typo in AWS LB Controller reference (#11723)
+* Perform some cleaning operations on line breaks. (#11720)
+* Missing anchors in regular expression. (#11717)
+* Docs: Fix `from-to-www` redirect description. (#11712)
+* Chart: Remove `isControllerTagValid`. (#11710)
+* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11702)
+* Chart: Explicitly set `runAsGroup`. (#11679)
+* Docs: Clarify `from-to-www` redirect direction. (#11682)
+* added real-client-ip faq (#11663)
+* Docs: Format NGINX configuration table. (#11659)
+* Release controller v1.11.1/v1.10.3 & chart v4.11.1/v4.10.3. (#11654)
+* Tests: Bump `test-runner` to v20240717-1fe74b5f. (#11645)
+* Images: Trigger `test-runner` build. (#11636)
+* Images: Bump `NGINX_BASE` to v0.0.10. (#11635)
+* remove modsecurity coreruleset test files from nginx image (#11617)
+* unskip the ocsp tests and update images to fix cfssl bug (#11606)
+* Fix indent in YAML for example pod (#11598)
+* Images: Bump `test-runner`. (#11600)
+* Images: Bump `NGINX_BASE` to v0.0.9. (#11599)
+* revert module upgrade (#11594)
+* README: Fix support matrix. (#11586)
+* Repository: Add changelogs from `release-v1.10`. (#11587)
+
+### Dependency updates:
+
+* Bump the actions group with 3 updates (#12152)
+* Bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#12107)
+* Bump the actions group with 3 updates (#12092)
+* Bump sigs.k8s.io/mdtoc from 1.1.0 to 1.4.0 (#12062)
+* Bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#12060)
+* Bump google.golang.org/grpc from 1.67.0 to 1.67.1 in the go group across 1 directory (#12059)
+* Bump k8s.io/cli-runtime from 0.30.0 to 0.31.1 (#12061)
+* Bump github/codeql-action from 3.26.9 to 3.26.10 in the actions group (#12051)
+* Bump the go group across 1 directory with 3 updates (#12050)
+* Bump k8s.io/kube-aggregator from 0.29.3 to 0.31.1 in /images/kube-webhook-certgen/rootfs (#12043)
+* Bump k8s.io/apimachinery from 0.23.1 to 0.31.1 in /images/ext-auth-example-authsvc/rootfs (#12041)
+* Bump github.com/prometheus/client_golang from 1.11.1 to 1.20.4 in /images/custom-error-pages/rootfs (#12040)
+* Bump the all group with 2 updates (#12032)
+* Bump github/codeql-action from 3.26.7 to 3.26.8 in the all group (#12010)
+* Bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#12009)
+* Bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group (#12008)
+* Bump the all group with 2 updates (#11977)
+* Bump github/codeql-action from 3.26.6 to 3.26.7 in the all group (#11976)
+* Bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#11954)
+* Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (#11955)
+* Bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group (#11953)
+* Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#11928)
+* Bump the all group with 2 updates (#11922)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.20.2 in the all group (#11901)
+* Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#11902)
+* Bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#11903)
+* Bump github/codeql-action from 3.26.5 to 3.26.6 in the all group (#11904)
+* Bump the all group with 2 updates (#11865)
+* Bump github/codeql-action from 3.26.2 to 3.26.5 in the all group (#11867)
+* Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 (#11832)
+* Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.0 (#11823)
+* Bump dario.cat/mergo from 1.0.0 to 1.0.1 in the all group (#11822)
+* Bump k8s.io/component-base from 0.30.3 to 0.31.0 (#11825)
+* Bump github/codeql-action from 3.26.0 to 3.26.2 in the all group (#11826)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11766)
+* Bump the all group with 2 updates (#11767)
+* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11765)
+* Bump the all group with 3 updates (#11727)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11696)
+* Bump the all group with 2 updates (#11695)
+* Bump the all group with 4 updates (#11673)
+* Bump the all group with 2 updates (#11672)
+* Bump github.com/prometheus/common from 0.54.0 to 0.55.0 (#11522)
+* Bump the all group with 5 updates (#11611)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.0...controller-v1.12.0-beta.0
--- a/changelog/controller-1.12.0.md
+++ b/changelog/controller-1.12.0.md
@ -0,0 +1,294 @@
+# Changelog
+
+### controller-v1.12.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.12.0@sha256:87c88e1c38a6c8d4483c8f70b69e2cca49853bb3ec3124b9b1be648edf139af3
+
+### All changes:
+
+* Images: Trigger controller build. (#12609)
+* Chart: Bump Kube Webhook CertGen. (#12606)
+* Tests & Docs: Bump images. (#12603)
+* Images: Trigger other builds (2/2). (#12599)
+* Images: Trigger other builds (1/2). (#12595)
+* Tests: Bump `e2e-test-runner` to v20241224-68ed4e7b. (#12590)
+* Images: Trigger `test-runner` build. (#12587)
+* Images: Bump `NGINX_BASE` to v1.1.0. (#12582)
+* Images: Trigger NGINX build. (#12579)
+* Go: Clean `go.work.sum`. (#12573)
+* Repository: Update owners. (#12568)
+* Images: Bump `gcb-docker-gcloud` to v20241217-ff46a068cd. (#12561)
+* CI: Update KIND images. (#12560)
+* Images: Bump Alpine to v3.21. (#12528)
+* Docs: Add guide on how to set a Maintenance Page. (#12525)
+* rikatz is stepping down (#12516)
+* rikatz is stepping down (#12494)
+* Go: Bump to v1.23.4. (#12483)
+* Plugin: Bump `goreleaser` to v2. (#12440)
+* GitHub: Fix `exec` in issue template. (#12387)
+* CI: Update KIND images. (#12367)
+* Images: Bump `gcb-docker-gcloud` to v20241110-72bb0b1665. (#12342)
+* Go: Bump to v1.23.3. (#12337)
+* Auth TLS: Add `_` to redirect RegEx. (#12326)
+* Auth TLS: Improve redirect RegEx. (#12323)
+* Update custom headers annotation documentation (#12318)
+* Tests: Bump `e2e-test-runner` to v20241104-02a3933e. (#12312)
+* Docs: Add CPU usage note for `--metrics-per-undefined-host`. (#12310)
+* Images: Trigger `test-runner` build. (#12308)
+* Config: Fix panic on invalid `lua-shared-dict`. (#12283)
+* Docs: fix limit-rate-after references (#12278)
+* Chart: Rework ServiceMonitor. (#12269)
+* Chart: Add ServiceAccount tests. (#12263)
+* CI: Fix chart testing. (#12258)
+* [fix] fix nginx temp configs cleanup (#12225)
+* Chart: Suggest `matchLabelKeys` in Topology Spread Constraints. (#12202)
+* Docs: Add Pod Security Admission. (#12195)
+* Docs: Clarify external & service port in TCP/UDP services explanation. (#12192)
+* Images: Trigger controller build. (#12154)
+* ⚠️ Metrics: Disable by default. (#12153) ⚠️
+
+  This changes the default of the following CLI arguments:
+
+  * `--enable-metrics` gets disabled by default.
+
+* Tests & Docs: Bump `e2e-test-echo` to v1.0.1. (#12147)
+* Images: Trigger `e2e-test-echo` build. (#12140)
+* ⚠️ Images: Drop `s390x`. (#12137) ⚠️
+
+  Support for the `s390x` architecture has already been removed from the controller image. This also removes it from the NGINX base image and CI relevant images.
+
+* Images: Build `s390x` controller. (#12126)
+* Chart: Bump Kube Webhook CertGen. (#12119)
+* Tests & Docs: Bump images. (#12118)
+* Cloud Build: Bump `gcb-docker-gcloud` to v20240718-5ef92b5c36. (#12113)
+* Images: Trigger other builds. (#12110)
+* Tests: Bump `e2e-test-runner` to v20241004-114a6abb. (#12103)
+* Images: Trigger `test-runner` build. (#12100)
+* Docs: Add a multi-tenant warning. (#12091)
+* Go: Bump to v1.22.8. (#12069)
+* Images: Bump `NGINX_BASE` to v1.0.0. (#12066)
+* Images: Trigger NGINX build. (#12063)
+* Images: Remove NGINX v1.21. (#12031)
+* Chart: Add `controller.metrics.service.enabled`. (#12056)
+* GitHub: Improve Dependabot. (#12033)
+* Chart: Add `global.image.registry`. (#12028)
+* ⚠️ Images: Remove OpenTelemetry. (#12024) ⚠️
+
+  OpenTelemetry is still supported, but since the module is built into the controller image since v1.10, we hereby remove the init container and image which were used to install it upon controller startup.
+
+* Chart: Improve CI. (#12003)
+* Chart: Extend image tests. (#12025)
+* Chart: Add `controller.progressDeadlineSeconds`. (#12017)
+* Docs: Add health check annotations for AWS. (#12018)
+* Docs: Convert `opentelemetry.md` from CRLF to LF. (#12005)
+* Chart: Implement `unhealthyPodEvictionPolicy`. (#11992)
+* Chart: Add `defaultBackend.maxUnavailable`. (#11995)
+* Chart: Test `controller.minAvailable` & `controller.maxUnavailable`. (#12000)
+* Chart: Align default backend `PodDisruptionBudget`. (#11993)
+* Metrics: Fix namespace in `nginx_ingress_controller_ssl_expire_time_seconds`. (#10274)
+* ⚠️ Chart: Remove Pod Security Policy. (#11971) ⚠️
+
+  This removes Pod Security Policies and related resources from the chart.
+
+* Chart: Improve default backend service account. (#11972)
+* Go: Bump to v1.22.7. (#11943)
+* NGINX: Remove inline Lua from template. (#11806)
+* Images: Bump OpenTelemetry C++ Contrib. (#11629)
+* Docs: Add note about `--watch-namespace`. (#11947)
+* Images: Use latest Alpine 3.20 everywhere. (#11944)
+* Fix minor typos (#11935)
+* Chart: Implement `controller.admissionWebhooks.service.servicePort`. (#11931)
+* Allow any protocol for cors origins (#11153)
+* Tests: Bump `e2e-test-runner` to v20240829-2c421762. (#11919)
+* Images: Trigger `test-runner` build. (#11916)
+* Chart: Add `controller.metrics.prometheusRule.annotations`. (#11849)
+* Chart: Add tests for `PrometheusRule` & `ServiceMonitor`. (#11883)
+* Annotations: Allow commas in URLs. (#11882)
+* CI: Grant checks write permissions to E2E Test Report. (#11862)
+* Chart: Use generic values for `ConfigMap` test. (#11877)
+* Security: Follow-up on recent changes. (#11874)
+* Lua: Remove plugins from `.luacheckrc` & E2E docs. (#11872)
+* Dashboard: Remove `ingress_upstream_latency_seconds`. (#11878)
+* Metrics: Add `--metrics-per-undefined-host` argument. (#11818)
+* Update maxmind post link about geolite2 license changes (#11861)
+* ⚠️ Remove global-rate-limit feature (#11851) ⚠️
+
+  This removes the following configuration options:
+
+  * `global-rate-limit-memcached-host`
+  * `global-rate-limit-memcached-port`
+  * `global-rate-limit-memcached-connect-timeout`
+  * `global-rate-limit-memcached-max-idle-timeout`
+  * `global-rate-limit-memcached-pool-size`
+  * `global-rate-limit-status-code`
+
+  It also removes the following annotations:
+
+  * `global-rate-limit`
+  * `global-rate-limit-window`
+  * `global-rate-limit-key`
+  * `global-rate-limit-ignored-cidrs`
+
+* Revert "docs: Add deployment for AWS NLB Proxy." (#11857)
+* Add custom code handling for temporal redirect (#10651)
+* Add native histogram support for histogram metrics (#9971)
+* Replace deprecated queue method (#11853)
+* ⚠️ Enable security features by default (#11819) ⚠️
+
+  This changes the default of the following CLI arguments:
+
+  * `--enable-annotation-validation` gets enabled by default.
+
+  It also changes the default of the following configuration options:
+
+  * `allow-cross-namespace-resources` gets disabled by default.
+  * `annotations-risk-level` gets lowered to "High" by default.
+  * `strict-validate-path-type` gets enabled by default.
+
+* docs: Add deployment for AWS NLB Proxy. (#9565)
+* ⚠️ Remove 3rd party lua plugin support (#11821) ⚠️
+
+  This removes the following configuration options:
+
+  * `plugins`
+
+  It also removes support for user provided Lua plugins in the `/etc/nginx/lua/plugins` directory.
+
+* Auto-generate annotation docs (#11820)
+* ⚠️ Metrics: Remove `ingress_upstream_latency_seconds`. (#11795) ⚠️
+
+  This metric has already been deprecated and is now getting removed.
+
+* Release controller v1.11.2/v1.10.4 & chart v4.11.2/v4.10.4. (#11816)
+* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11809)
+* Tests & Docs: Bump images. (#11803)
+* Images: Trigger failed builds. (#11800)
+* Images: Trigger other builds. (#11796)
+* Controller: Fix panic in alternative backend merging. (#11789)
+* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11788)
+* Images: Trigger `test-runner` build. (#11785)
+* Images: Bump `NGINX_BASE` to v0.0.12. (#11782)
+* Images: Trigger NGINX build. (#11779)
+* Cloud Build: Add missing config, remove unused ones. (#11774)
+* Cloud Build: Tweak timeouts. (#11761)
+* Cloud Build: Fix substitutions. (#11758)
+* Cloud Build: Some chores. (#11633)
+* Go: Bump to v1.22.6. (#11747)
+* Images: Bump `NGINX_BASE` to v0.0.11. (#11741)
+* Images: Trigger NGINX build. (#11735)
+* docs: update OpenSSL Roadmap link (#11730)
+* Go: Bump to v1.22.5. (#11634)
+* Docs: Fix typo in AWS LB Controller reference (#11723)
+* Perform some cleaning operations on line breaks. (#11720)
+* Missing anchors in regular expression. (#11717)
+* Docs: Fix `from-to-www` redirect description. (#11712)
+* Chart: Remove `isControllerTagValid`. (#11710)
+* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11702)
+* Chart: Explicitly set `runAsGroup`. (#11679)
+* Docs: Clarify `from-to-www` redirect direction. (#11682)
+* added real-client-ip faq (#11663)
+* Docs: Format NGINX configuration table. (#11659)
+* Release controller v1.11.1/v1.10.3 & chart v4.11.1/v4.10.3. (#11654)
+* Tests: Bump `test-runner` to v20240717-1fe74b5f. (#11645)
+* Images: Trigger `test-runner` build. (#11636)
+* Images: Bump `NGINX_BASE` to v0.0.10. (#11635)
+* remove modsecurity coreruleset test files from nginx image (#11617)
+* unskip the ocsp tests and update images to fix cfssl bug (#11606)
+* Fix indent in YAML for example pod (#11598)
+* Images: Bump `test-runner`. (#11600)
+* Images: Bump `NGINX_BASE` to v0.0.9. (#11599)
+* revert module upgrade (#11594)
+* README: Fix support matrix. (#11586)
+* Repository: Add changelogs from `release-v1.10`. (#11587)
+
+### Dependency updates:
+
+* Bump k8s.io/apiextensions-apiserver from 0.31.3 to 0.32.0 (#12566)
+* Bump github.com/onsi/ginkgo/v2 from 2.22.0 to 2.22.1 (#12555)
+* Bump k8s.io/code-generator from 0.31.3 to 0.32.0 (#12550)
+* Bump k8s.io/cli-runtime from 0.31.3 to 0.32.0 (#12547)
+* Bump k8s.io/apiserver from 0.31.3 to 0.32.0 (#12544)
+* Bump the actions group with 2 updates (#12541)
+* Bump google.golang.org/grpc from 1.68.1 to 1.69.2 (#12538)
+* Bump k8s.io/client-go from 0.31.3 to 0.32.0 (#12512)
+* Bump github.com/opencontainers/runc from 1.2.2 to 1.2.3 in the go group across 1 directory (#12509)
+* Bump the actions group with 3 updates (#12506)
+* Bump k8s.io/kube-aggregator from 0.31.3 to 0.32.0 in /images/kube-webhook-certgen/rootfs (#12505)
+* Bump k8s.io/apimachinery from 0.31.3 to 0.32.0 in /images/ext-auth-example-authsvc/rootfs (#12502)
+* Bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#12476)
+* Bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /magefiles (#12472)
+* Bump github.com/prometheus/common from 0.60.1 to 0.61.0 (#12464)
+* Bump github/codeql-action from 3.27.5 to 3.27.6 in the actions group (#12461)
+* Bump the go group across 1 directory with 2 updates (#12460)
+* Bump github.com/onsi/ginkgo/v2 from 2.21.0 to 2.22.0 (#12426)
+* Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#12418)
+* Bump the go group across 3 directories with 10 updates (#12413)
+* Bump the actions group with 3 updates (#12412)
+* Bump github.com/opencontainers/runc from 1.2.1 to 1.2.2 in the go group across 1 directory (#12380)
+* Bump github/codeql-action from 3.27.1 to 3.27.4 in the actions group (#12373)
+* Bump golangci-lint on actions and disable deprecated linters (#12361)
+* Bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#12357)
+* Bump the actions group with 3 updates (#12354)
+* Bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#12349)
+* Bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 (#12299)
+* Bump github.com/opencontainers/runc from 1.2.0 to 1.2.1 in the go group across 1 directory (#12296)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.2 to 2.21.0 (#12288)
+* Bump actions/dependency-review-action from 4.3.5 to 4.4.0 in the actions group (#12273)
+* Bump the go group across 3 directories with 11 updates (#12244)
+* Bump github.com/opencontainers/runc from 1.1.15 to 1.2.0 (#12242)
+* Bump the actions group with 5 updates (#12236)
+* Bump github.com/ncabatoff/process-exporter from 0.8.3 to 0.8.4 in the go group across 1 directory (#12218)
+* Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 in the actions group (#12217)
+* Bump github/codeql-action from 3.26.12 to 3.26.13 in the actions group (#12188)
+* Bump the go group across 2 directories with 1 update (#12186)
+* Bump the actions group with 2 updates (#12180)
+* Bump github.com/opencontainers/runc from 1.1.14 to 1.1.15 in the go group across 1 directory (#12178)
+* Bump the actions group with 3 updates (#12152)
+* Bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#12107)
+* Bump the actions group with 3 updates (#12092)
+* Bump sigs.k8s.io/mdtoc from 1.1.0 to 1.4.0 (#12062)
+* Bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#12060)
+* Bump google.golang.org/grpc from 1.67.0 to 1.67.1 in the go group across 1 directory (#12059)
+* Bump k8s.io/cli-runtime from 0.30.0 to 0.31.1 (#12061)
+* Bump github/codeql-action from 3.26.9 to 3.26.10 in the actions group (#12051)
+* Bump the go group across 1 directory with 3 updates (#12050)
+* Bump k8s.io/kube-aggregator from 0.29.3 to 0.31.1 in /images/kube-webhook-certgen/rootfs (#12043)
+* Bump k8s.io/apimachinery from 0.23.1 to 0.31.1 in /images/ext-auth-example-authsvc/rootfs (#12041)
+* Bump github.com/prometheus/client_golang from 1.11.1 to 1.20.4 in /images/custom-error-pages/rootfs (#12040)
+* Bump the all group with 2 updates (#12032)
+* Bump github/codeql-action from 3.26.7 to 3.26.8 in the all group (#12010)
+* Bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#12009)
+* Bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group (#12008)
+* Bump the all group with 2 updates (#11977)
+* Bump github/codeql-action from 3.26.6 to 3.26.7 in the all group (#11976)
+* Bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#11954)
+* Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (#11955)
+* Bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group (#11953)
+* Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#11928)
+* Bump the all group with 2 updates (#11922)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.20.2 in the all group (#11901)
+* Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#11902)
+* Bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#11903)
+* Bump github/codeql-action from 3.26.5 to 3.26.6 in the all group (#11904)
+* Bump the all group with 2 updates (#11865)
+* Bump github/codeql-action from 3.26.2 to 3.26.5 in the all group (#11867)
+* Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 (#11832)
+* Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.0 (#11823)
+* Bump dario.cat/mergo from 1.0.0 to 1.0.1 in the all group (#11822)
+* Bump k8s.io/component-base from 0.30.3 to 0.31.0 (#11825)
+* Bump github/codeql-action from 3.26.0 to 3.26.2 in the all group (#11826)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11766)
+* Bump the all group with 2 updates (#11767)
+* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11765)
+* Bump the all group with 3 updates (#11727)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11696)
+* Bump the all group with 2 updates (#11695)
+* Bump the all group with 4 updates (#11673)
+* Bump the all group with 2 updates (#11672)
+* Bump github.com/prometheus/common from 0.54.0 to 0.55.0 (#11522)
+* Bump the all group with 5 updates (#11611)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.0...controller-v1.12.0
--- a/changelog/controller-1.6.4.md
+++ b/changelog/controller-1.6.4.md
@ -0,0 +1,138 @@
+# Changelog
+
+### 1.6.4
+
+Images:
+
+* registry.k8s.io/controller:controller-v1.6.4@sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f
+* registry.k8s.io/controller-chroot:controller-v1.6.4@sha256:0de01e2c316c3ca7847ca13b32d077af7910d07f21a4a82f81061839764f8f81
+
+### All changes:
+
+* remove tests and regex path checks (#9626)
+* Fix incorrect annotation name in upstream hashing configuration (#9617)
+* Release docs for Controller v1.6.3 and Helm v4.5.0 (#9614)
+* Revert Implement pathType validation (#9511) (#9607)
+* update history and allow to pass a target test  (#9605)
+* Allow to pass a target test (#9542)
+* Replace deprecated command with environment file (#9581)
+* build 1.6.2 to fix (#9569)
+* add lint on chart before release (#9570)
+* tcpproxy: increase buffer size to 16K (#9548)
+* Move and spell-check Kubernetes 1.22 migration FAQ (#9544)
+* Add CORS template check inside location for externalAuth.SignURL (#8814)
+* fix(grafana-dashboard): remove hardcoded namespace references (#9523)
+* Replace deprecated command with environment file (#9581)
+* add lint on chart before release (#9570)
+* Switch logic on path type validation and setting it to false (#9543)
+* tcpproxy: increase buffer size to 16K (#9548)
+* Move and spell-check Kubernetes 1.22 migration FAQ (#9544)
+* Add CORS template check inside location for externalAuth.SignURL (#8814)
+* fix(grafana-dashboard): remove hardcoded namespace references (#9523)
+* Align default value for keepalive_request with NGINX default (#9518)
+* feat(configmap): expose gzip-disable (#9505)
+* Values: Add missing `controller.metrics.service.labels`. (#9501)
+* Add docs about orphan_ingress metric (#9514)
+* Add new prometheus metric for orphaned ingress (#8230)
+* Sanitise request metrics in monitoring docs (#9384)
+* Change default value of enable-brotli (#9500)
+* feat: support topology aware hints (#9165)
+* Remove 1.5.2 from readme (#9498)
+* Remove nonexistent load flag from docker build commands (#9122)
+* added option to disable sync event creation (#8528)
+* Add buildResolvers to the stream module (#9184)
+* fix: disable auth access logs (#9049)
+* Adding ipdenylist annotation (#8795)
+* Add update updateStrategy and minReadySeconds for defaultBackend (#8506)
+* Fix indentation on serviceAccount annotation (#9129)
+* Update monitoring.md (#9269)
+* add github actions stale bot (#9439)
+* Admission Webhooks/Job: Add `NetworkPolicy`. (#9218)
+* update OpenTelemetry image (#9491)
+* bump OpenTelemetry (#9489)
+* Optional podman support (#9294)
+* fix change images (#9463)
+* move tests to gh actions (#9461)
+* Automated Release Controller 1.5.2 (#9455)
+* Add sslpassthrough tests (#9457)
+* updated the link in RELEASE.md file (#9456)
+* restart 1.5.2 release process (#9450)
+* Update command line arguments documentation (#9224)
+* start release 1.5.2 (#9445)
+* upgrade nginx base image (#9436)
+* test the new e2e test images (#9444)
+* avoid builds and tests for non-code changes (#9392)
+* CI updates (#9440)
+* HPA: Add `controller.autoscaling.annotations` to `values.yaml`. (#9253)
+* update the nginx run container for alpine:3.17.0 (#9430)
+* cleanup: remove ioutil for new go version (#9427)
+* start upgrade to golang 1.19.4 and alpine 3.17.0 (#9417)
+* ci: remove setup-helm step (#9404)
+* ci: remove setup-kind step (#9401)
+* Add reporter for all tests (#9395)
+* added action for issues to project (#9386)
+* doc: update NEW_CONTRIBUTOR.md (#9381)
+* feat(helm): Optionally use cert-manager instead admission patch (#9279)
+* integrated junit-reports with ghactions (#9361)
+* [user-guide configmap] fix doc for global-auth-snippet (#9372)
+* update OpenTelemetry image (#9308)
+* fix: missing CORS headers when auth fails (#9251)
+* Fix styling in canary annotation docs. (#9259)
+* resolved ginkgo deprecation message (#9365)
+* Enable profiler-address to be configured (#9311)
+* ModSecurity dependencies update to avoid Memory Leaks (#9330)
+* fix(hpa): deprecated api version, bump to v2 (#9348)
+* fix(typo): pluralize provider (#9346)
+* removed deprecation message for ingressClass annotation (#9357)
+* added ginkgo junit reports (#9350)
+* Fix typos found by codespell (#9353)
+* bumped ginkgo to v2.5.1 in testrunner (#9340)
+* create nsswitch-conf if missing (#9339)
+* remove the configmap related permissions (#9310)
+* remove hardcoded datasource from grafana dashboard (#9284)
+* update gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b to 3.0.0 (#9277)
+* added SAN to cert create command (#9295)
+* Missing controller.ingressClass (#9304)
+* OpenTelemetry static linking (#9286)
+* Fixed indentation in commented-out autoscaling (#9225)
+* run helm release on main only and when the chart/value changes only (#9290)
+* fix broken annotation yaml (#9243)
+* PDB: Add `maxUnavailable`. (#9278)
+* add containerSecurityContext to extraModules init containers (kubernetes#9016) (#9242)
+
+### Dependency updates:
+
+* Bump google.golang.org/grpc from 1.52.0 to 1.52.3 (#9555)
+* Bump k8s.io/klog/v2 from 2.80.1 to 2.90.0 (#9553)
+* Bump sigs.k8s.io/controller-runtime from 0.13.1 to 0.14.2 (#9552)
+* Bump google.golang.org/grpc from 1.51.0 to 1.52.0 (#9512)
+* Bump `client-go` to remove dependence on go-autorest dependency (#9488)
+* Bump google.golang.org/grpc from 1.52.0 to 1.52.3 (#9555)
+* Bump k8s.io/klog/v2 from 2.80.1 to 2.90.0 (#9553)
+* Bump sigs.k8s.io/controller-runtime from 0.13.1 to 0.14.2 (#9552)
+* Bump google.golang.org/grpc from 1.51.0 to 1.52.0 (#9512)
+* Bump `client-go` to remove dependence on go-autorest dependency (#9488)
+* Bump golang.org/x/crypto from 0.4.0 to 0.5.0 (#9494)
+* Bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#9397)
+* Bump github.com/onsi/ginkgo/v2 from 2.6.0 to 2.6.1 (#9432)
+* Bump github.com/onsi/ginkgo/v2 from 2.6.0 to 2.6.1 (#9421)
+* Bump github/codeql-action from 2.1.36 to 2.1.37 (#9423)
+* Bump actions/checkout from 3.1.0 to 3.2.0 (#9425)
+* Bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (#9426)
+* Bump actions/dependency-review-action from 3.0.1 to 3.0.2 (#9424)
+* Bump ossf/scorecard-action from 2.0.6 to 2.1.0 (#9422)
+* Bump github.com/prometheus/common from 0.37.0 to 0.39.0 (#9416)
+* Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.6.0 (#9408)
+* Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.6.0 (#9398)
+* Bump github/codeql-action from 2.1.35 to 2.1.36 (#9400)
+* Bump actions/setup-go from 3.3.1 to 3.4.0 (#9370)
+* Bump github/codeql-action from 2.1.31 to 2.1.35 (#9369)
+* Bump google.golang.org/grpc from 1.50.1 to 1.51.0 (#9316)
+* Bump github.com/prometheus/client_golang from 1.13.1 to 1.14.0 (#9298)
+* Bump actions/dependency-review-action from 3.0.0 to 3.0.1 (#9319)
+* Bump golang.org/x/crypto from 0.1.0 to 0.3.0 (#9318)
+* Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.1 (#9317)
+* Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (#9301)
+* Bump k8s.io/component-base from 0.25.3 to 0.25.4 (#9300)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.5.1...controller-controller-v1.6.4
--- a/changelog/controller-1.7.0.md
+++ b/changelog/controller-1.7.0.md
@ -0,0 +1,80 @@
+# Changelog
+
+### 1.7.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.7.0@sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.7.0@sha256:e84ef3b44c8efeefd8b0aa08770a886bfea1f04c53b61b4ba9a7204e9f1a7edc
+
+### All changes:
+
+* kick off 1.7.0 build (#9775)
+* Update exposing-tcp-udp-services.md (#9777)
+* feat: OpenTelemetry module integration (#9062)
+* drop k8s 1.23 support (#9772)
+* Fix canary-weight-total annotation ignored in rule backends (#9729)
+* fix: controller psp's volume config (#9740)
+* Fix several Helm YAML issues with extraModules and extraInitContainers (#9709)
+* docs(helm): fix value key in readme for enabling certManager (#9640)
+* updated digest and sha for e2e-test-echo (#9760)
+* updated digest and sha for e2e-test-fastcgi-helloserver (#9759)
+* updated digest and sha for opentelemetry (#9758)
+* updated digest and sha for e2e-test-cfssl (#9757)
+* updated kube-webhook-certgen digest and tags (#9756)
+* updated nginx-error digest and tags (#9755)
+* added upgrade ginkgo documentation for contributors (#9753)
+* changes Makefile of echo folder to trigger code-build (#9754)
+* Chart: Drop `controller.headers`, rework DH param secret. (#9659)
+* updated NGINX_BASE image with latest tag (#9747)
+* Deployment/DaemonSet: Label pods using `ingress-nginx.labels`. (#9732)
+* bumped ginkgo to v2.9.0 (#9722)
+* HPA: autoscaling/v2beta1 deprecated, bump apiVersion to v2 for defaultBackend (#9731)
+* update to golang 1.20 (#9690)
+* Indent values.yaml using 2 instead of 4 spaces (#9656)
+* fix some comments (#9688)
+* migrate mitchellh/hashstructure to v2 (#9651)
+* changed v1.6.3 to v1.6.4 on deploy docs (#9647)
+* controller: Don't panic when ready condition in a endpointslice is missing (#9550)
+* Rework Ginkgo usage (#9522)
+* code clean for fsnotify (#9571)
+* Optimize the document for readability (#9551)
+* sets.String is deprecated: use generic Set instead. new ways: s1 := Set[string]{} s2 := New[string]() (#9589)
+* Adjust the import package order and use http library variables (#9587)
+* Optimize the judgment mode to remove redundant transformations (#9588)
+* Fix rewrite example (#9633)
+* remove tests and regex path checks (#9626)
+* Fix incorrect annotation name in upstream hashing configuration (#9617)
+* Release docs for Controller v1.6.3 and Helm v4.5.0 (#9614)
+
+### Dependency updates:
+
+* Bump aquasecurity/trivy-action from 0.8.0 to 0.9.2 (#9767)
+* Bump k8s.io/component-base from 0.26.2 to 0.26.3 (#9764)
+* Bump actions/dependency-review-action from 3.0.3 to 3.0.4 (#9766)
+* Bump actions/add-to-project from 0.4.0 to 0.4.1 (#9765)
+* Bump actions/dependency-review-action from 3.0.2 to 3.0.3 (#9727)
+* Bump github.com/prometheus/common from 0.41.0 to 0.42.0 (#9724)
+* Bump golang.org/x/crypto from 0.6.0 to 0.7.0 (#9723)
+* Bump actions/download-artifact from 3.0.1 to 3.0.2 (#9721)
+* Bump goreleaser/goreleaser-action from 4.1.0 to 4.2.0 (#9718)
+* Bump actions/upload-artifact from 3.1.1 to 3.1.2 (#9717)
+* Bump docker/setup-buildx-action from 2.2.1 to 2.5.0 (#9719)
+* Bump helm/chart-releaser-action from 1.4.1 to 1.5.0 (#9720)
+* Bump github.com/onsi/ginkgo/v2 from 2.6.1 to 2.9.0 (#9695)
+* Bump k8s.io/klog/v2 from 2.90.0 to 2.90.1 (#9694)
+* Bump golang.org/x/crypto in /magefiles (#9691)
+* Bump k8s.io/component-base from 0.26.1 to 0.26.2 (#9696)
+* Bump github.com/prometheus/common from 0.40.0 to 0.41.0 (#9698)
+* Bump sigs.k8s.io/controller-runtime from 0.14.2 to 0.14.5 (#9697)
+* Bump golang.org/x/net in /magefiles (#9692)
+* Bump golang.org/x/sys in /images/custom-error-pages/rootfs (#9671)
+* Bump github.com/stretchr/testify from 1.8.1 to 1.8.2 (#9675)
+* Bump github.com/prometheus/common from 0.39.0 to 0.40.0 (#9653)
+* Bump golang.org/x/net from 0.6.0 to 0.7.0 (#9646)
+* Bump golang.org/x/net in /images/kube-webhook-certgen/rootfs (#9645)
+* Bump google.golang.org/grpc from 1.52.3 to 1.53.0 (#9610)
+* Bump github.com/prometheus/client_golang (#9630)
+* Bump golang.org/x/crypto from 0.5.0 to 0.6.0 (#9609)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.6.3...controller-controller-v1.7.0
--- a/changelog/controller-1.7.1.md
+++ b/changelog/controller-1.7.1.md
@ -0,0 +1,54 @@
+# Changelog
+
+### 1.7.1
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.7.1@sha256:e35d5ab487861b9d419c570e3530589229224a0762c7b4d2e2222434abb8d988
+
+### All changes:
+
+* Update TAG - 1.7.1 (#9922)
+* Update dependabot to watch docker images (#9600)
+* [helm] Support custom port configuration for internal service (#9846)
+* Add support for --container flag (#9703)
+* Fix typo in OpenTelemetry (#9903)
+* ensure make lua-test runs locally (#9902)
+* update k8s.io dependencies to v0.26.4 (#9893)
+* Adding resource type to default HPA configuration to resolve issues with Terraform helm chart usage (#9803)
+* I have not been able to fulfill my maintainer responsibilities for a while already, making it official now. (#9883)
+* Update k8s versions (#9879)
+* README: Update `external-dns` link. (#9866)
+* Fastcgi configmap should be on the same namespace of ingress (#9863)
+* Deprecate and remove influxdb feature (#9861)
+* Remove deprecated annotation secure-upstream (#9862)
+* Exclude socket metrics (#9770)
+* Chart: Improve `README.md`. (#9831)
+* update all container tags with date and sha, upgrade all containers (#9834)
+* updated NGINX_BASE image in project (#9829)
+* ISO 8601 date format (#9682)
+* Values: Fix indention of commented values. (#9812)
+* The Ingress-Nginx project recently released version 1.7.0 of the controller, but the deployment documentation still referenced version 1.6.4. This commit updates the documentation to reference the latest version, ensuring that users have access to the most up-to-date information. Fixes#9787 (#9788)
+
+### Dependency updates:
+
+* Bump github.com/opencontainers/runc from 1.1.6 to 1.1.7 (#9912)
+* Bump github.com/prometheus/client_golang from 1.14.0 to 1.15.0 (#9868)
+* Bump aquasecurity/trivy-action from 0.9.2 to 0.10.0 (#9888)
+* Bump github.com/opencontainers/runc from 1.1.5 to 1.1.6 (#9867)
+* Bump actions/checkout from 3.5.0 to 3.5.2 (#9870)
+* Bump golang.org/x/crypto from 0.7.0 to 0.8.0 (#9838)
+* Bump github.com/spf13/cobra from 1.6.1 to 1.7.0 (#9839)
+* Bump actions/add-to-project from 0.4.1 to 0.5.0 (#9840)
+* Bump actions/checkout from 3.4.0 to 3.5.0 (#9798)
+* Bump ossf/scorecard-action from 2.1.2 to 2.1.3 (#9823)
+* Bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 (#9806)
+* Bump actions/stale from 7.0.0 to 8.0.0 (#9799)
+* Bump rajatjindal/krew-release-bot from 0.0.43 to 0.0.46 (#9797)
+* Bump actions/setup-go from 3.5.0 to 4.0.0 (#9796)
+* Bump github.com/imdario/mergo from 0.3.13 to 0.3.15 (#9795)
+* Bump google.golang.org/grpc from 1.53.0 to 1.54.0 (#9794)
+* Bump sigs.k8s.io/controller-runtime from 0.14.5 to 0.14.6 (#9822)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.7.0...controller-controller-v1.7.1
--- a/changelog/controller-1.8.0.md
+++ b/changelog/controller-1.8.0.md
@ -0,0 +1,64 @@
+# Changelog
+
+### 1.8.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.8.0@sha256:a45e41cd2b7670adf829759878f512d4208d0aec1869dae593a0fecd09a5e49e
+
+### Important changes:
+
+* Validate path types (#9967)
+* images: upgrade to Alpine 3.18 (#9997)
+* Update documentation to reflect project name; Ingress-Nginx Controller
+
+For improving security, our 1.8.0 release includes a [new, **optional** validation ](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type) that limits the characters accepted  on ".spec paths.path" when pathType=Exact or athType=Prefix, to alphanumeric characters only.
+
+More information can be found on our [Google doc](https://docs.google.com/document/d/1HPvaEwHRuMSkXYkVIJ-w7IpijKdHfNynm_4N2Akt0CQ/edit?usp=sharing), our new [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernetes.io/g/ingress-nginx-dev/c/ebbBMo-zX-w) or in our [docs](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type)
+
+### Community Updates
+
+We are now posting updates and release to our twitter handle, [@IngressNginx](https://twitter.com/IngressNGINX) and
+on our new [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernetes.io/g/ingress-nginx-dev/c/ebbBMo-zX-w)
+
+### All changes:
+
+* Add legacy to OpenTelemetry migration doc (#10011)
+* changed tagsha to recent builds (#10001)
+* change to alpine318 baseimage (#10000)
+* images: upgrade to Alpine 3.18 (#9997)
+* openssl CVE fix (#9996)
+* PodDisruptionBudget spec logic update (#9904)
+* Admission warning (#9975)
+* Add OPA examples on pathType restrictions (#9992)
+* updated testrunner image tag+sha (#9987)
+* bumped ginkgo to v2.9.5 (#9985)
+* helm: Fix opentelemetry module installation for daemonset (#9792)
+* OpenTelemetry default config (#9978)
+* Correct annotations in monitoring docs (#9976)
+* fix: avoid builds and tests for changes to markdown (#9962)
+* Validate path types (#9967)
+* HPA: Use capabilities & align manifests. (#9521)
+* Use dl.k8s.io instead of hardcoded GCS URIs (#9946)
+* add option for annotations in PodDisruptionBudget (#9843)
+* chore: update httpbin to httpbun (#9919)
+* image_update (#9942)
+* Add geoname id value into $geoip2_*_geoname_id variables (#9527)
+* Update annotations.md (#9933)
+* Update charts/* to keep project name display aligned (#9931)
+* Keep project name display aligned (#9920)
+
+### Dependencies updates:
+* Bump github.com/imdario/mergo from 0.3.15 to 0.3.16 (#10008)
+* Bump github.com/prometheus/common from 0.43.0 to 0.44.0 (#10007)
+* Bump k8s.io/klog/v2 from 2.90.1 to 2.100.1 (#9913)
+* Bump github.com/onsi/ginkgo/v2 from 2.9.0 to 2.9.5 (#9980)
+* Bump golang.org/x/crypto from 0.8.0 to 0.9.0 (#9982)
+* Bump actions/setup-go from 4.0.0 to 4.0.1 (#9984)
+* Bump securego/gosec from 2.15.0 to 2.16.0 (#9983)
+* Bump github.com/prometheus/common from 0.42.0 to 0.43.0 (#9981)
+* Bump github.com/prometheus/client_model from 0.3.0 to 0.4.0 (#9937)
+* Bump google.golang.org/grpc from 1.54.0 to 1.55.0 (#9936)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.7.1...controller-controller-v1.8.0
--- a/changelog/controller-1.8.1.md
+++ b/changelog/controller-1.8.1.md
@ -0,0 +1,69 @@
+# Changelog
+
+### 1.8.1
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.8.1@sha256:e0d4121e3c5e39de9122e55e331a32d5ebf8d4d257227cb93ab54a1b912a7627
+
+### All changes:
+
+* netlify: Only trigger preview when there are changes in docs. (#10144)
+* changed to updated baseimage and reverted tag (#10143)
+* Fix loadBalancerClass value (#10139)
+* Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406)
+* Set grpc :authority header from request header (#8912)
+* bump pinned golang to 1.20.5 (#10127)
+* update test runner (#10125)
+* chore: remove echo from snippet tests (#10110)
+* Update typo in docs for lb scheme (#10117)
+* golang 1.20.5 bump (#10120)
+* feat(helm): Add loadBalancerClass (#9562)
+* chore: remove echo friom canary tests (#10089)
+* fix: obsolete warnings (#10029)
+* docs: change Dockefile url ref main (#10087)
+* Revert "Remove fastcgi feature" (#10081)
+* docs: add netlify configuration (#10073)
+* add distroless otel init (#10035)
+* chore: move httpbun to be part of framework (#9955)
+* Remove fastcgi feature (#9864)
+* Fix mirror-target values without path separator and port (#9889)
+* Adding feature to upgrade Oracle Cloud Infrastructure's Flexible Load Balancer and adjusting Health Check that were critical in the previous configuration (#9961)
+* add support for keda fallback settings (#9993)
+* unnecessary use of fmt.Sprint (S1039) (#10049)
+* chore: pkg imported more than once (#10048)
+* tracing: upgrade to dd-opentracing-cpp v1.3.7 (#10031)
+* fix: add canary to sidebar in examples (#10068)
+* docs: add lua testing documentation (#10060)
+* docs: canary weighted deployments example (#10067)
+* Update Internal Load Balancer docs (#10062)
+* fix broken kubernetes.io/user-guide/ docs links (#10055)
+* docs: Updated the content of deploy/rbac.md (#10054)
+* ensured hpa mem spec before cpu spec (#10043)
+* Fix typo in controller_test (#10034)
+* chore(dep): upgrade github.com/emicklei/go-restful/v3 to 3.10 (#10028)
+* Upgrade to Golang 1.20.4 (#10016)
+* perf: avoid unnecessary byte/string conversion (#10012)
+* added note on dns for localtesting (#10021)
+* added helmshowvalues example (#10019)
+* release controller 1.8.0 and chart 4.7.0 (#10017)
+
+### Dependency updates:
+
+* Bump ossf/scorecard-action from 2.1.3 to 2.2.0 (#10133)
+* Bump google.golang.org/grpc from 1.56.0 to 1.56.1 (#10134)
+* Bump github.com/prometheus/client_golang from 1.15.1 to 1.16.0 (#10106)
+* Bump golang.org/x/crypto from 0.9.0 to 0.10.0 (#10105)
+* Bump google.golang.org/grpc from 1.55.0 to 1.56.0 (#10103)
+* Bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 (#10101)
+* Bump docker/setup-buildx-action from 2.6.0 to 2.7.0 (#10102)
+* Bump actions/checkout from 3.5.2 to 3.5.3 (#10076)
+* Bump docker/setup-qemu-action from 2.1.0 to 2.2.0 (#10075)
+* Bump aquasecurity/trivy-action from 0.10.0 to 0.11.2 (#10078)
+* Bump docker/setup-buildx-action from 2.5.0 to 2.6.0 (#10077)
+* Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#10042)
+* Bump github.com/stretchr/testify from 1.8.3 to 1.8.4 (#10041)
+* Bump github.com/stretchr/testify from 1.8.2 to 1.8.3 (#10005)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.8.0...controller-controller-v1.8.1
--- a/changelog/controller-1.8.2.md
+++ b/changelog/controller-1.8.2.md
@ -0,0 +1,19 @@
+# Changelog
+
+### 1.8.2
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.8.2@sha256:74834d3d25b336b62cabeb8bf7f1d788706e2cf1cfd64022de4137ade8881ff2
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.8.2@sha256:1317a563219f755a6094d990057c78e5c4dcea5e31f4ce1db8641e732a7d6133
+
+### All changes:
+
+* Release v1.8.2 and Update Go to v1.21.1 (#10379)
+* Making auth access logs optional (#10380)
+* [release-1.8] Disable Modsecurity from internal processing which affects large ingresses  (#10375)
+* promote distroless otel init image (#10270)
+* [release-1.8] Update images tags after adding git data in gcloud (#10233)
+* [release-1.8] Golang 1.20.6 for test runner (#10231)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.8.1...controller-controller-v1.8.2
--- a/changelog/controller-1.9.0-beta.0.md
+++ b/changelog/controller-1.9.0-beta.0.md
@ -0,0 +1,95 @@
+# Changelog
+
+### 1.9.0-beta.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.9.0-beta.0@sha256:531377e4cc9dc62af40d742402222603259673f5a755a64d74122f256dfad8f9
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.0-beta.0@sha256:60b4c95349ce2a81a3b2a76423ee483b847b89d3fa8cb148468434f606f3fa0c
+
+### All changes:
+
+* Rework mage (#10418)
+* Start release of v1.9.0 beta0 (#10407)
+* Update k8s versions on CI (#10406)
+* Add a flag to enable or disable aio_write (#10394)
+* Update external-articles.md - advanced setup with GKE/Cloud Armor/IAP (#10372)
+* Fix e2e test suite doc (#10396)
+* Disable user snippets per default (#10393)
+* Deployment/DaemonSet: Fix templating & value. (#10240)
+* Fix deferInLoop error (#10387)
+* Remove gofmt (#10385)
+* Deployment/DaemonSet: Template `topologySpreadConstraints`. (#10259)
+* release notes 1.8.2 (#10389)
+* fix: remove curl on base container #9716 (#10306)
+* Fix http default backend test (#10382)
+* Add golangci github action and replace the deprecated golint (#10187)
+* BUGFIX incorrect indentation (#10254)
+* Upgrade OpenTelemetry to v1.11.0 and gRPC to v1.57.0 (#10352)
+* fix: path with special characters warning #10281 #10308 (#10330)
+* Fix golangci-lint errors (#10196)
+* chore(build): Fix Run make dev-env syntax error (#10294)
+* Add firewall configuration to quick start documentation (#10357)
+* Making auth access logs optional (#10335)
+* Fix “dev-env” Makefile target to work with kubectl 1.28+ (#10350)
+* fix: update action file to auto release plugin #10197 (#10321)
+* Use gzip instead of pigz in CI (#10348)
+* Disable Modsecurity from internal processing which affects large ingresses  (#10316)
+* fix: add /etc/mime.types #10309 (#10310)
+* Remove curl dependencies in e2e tests #9716 (#10296)
+* docs: swap explanation to match example (#10220)
+* ci(helm): fix Helm Chart release action 422 error (#10237)
+* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249)
+* Updated index.md - Fix typos (#10256)
+* Handle request_id variable correctly in auth requests (#9219)
+* test kind updates (#10272)
+* promote distroless otel init image (#10257)
+* [helm] configure allow to configure hostAliases (#10180)
+* Add rolling update strategy to each static deployment file (#10129)
+* Implement annotation validation (#9673)
+* Golang 1.20.6 for test runner (#10230)
+* [helm] pass service annotations through helm tpl engine (#10084)
+* Ignore deployment template's replicas if KEDA is enabled (#9534)
+* chore: bump OpenResty to v1.21.4.2 (#10219)
+* Scanning port 10247 lead to tcp connection 502 error (#9815)
+* revise Datadog trace sampling configuration (#10151)
+* Clarify TCP/UDP service docs (#10146)
+* Exposed continent data as  variable in the case of Maxmind city files (#10157)
+* Cleanup errcheck code (#10166)
+* Fix golang-ci linter errors (#10128)
+* Deprecate and remove AJP support (#10158)
+* release notes 1.8.1 (#10161)
+
+### Dependency updates:
+
+* Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.12.0 (#10355)
+* Bump golang.org/x/crypto from 0.12.0 to 0.13.0 (#10399)
+* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10403)
+* Bump goreleaser/goreleaser-action from 4.4.0 to 4.6.0 (#10402)
+* Bump actions/upload-artifact from 3.1.2 to 3.1.3 (#10404)
+* Bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#10400)
+* Bump google.golang.org/grpc from 1.57.0 to 1.58.0 (#10398)
+* Bump actions/dependency-review-action from 3.0.8 to 3.1.0 (#10401)
+* Bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4 (#10373)
+* Bump github.com/cyphar/filepath-securejoin in /magefiles (#10374)
+* Bump Go version to 1.21.1 (#10377)
+* Bump Go version to 1.21.1 on testrunner (#10378)
+* Bump aquasecurity/trivy-action from 0.11.2 to 0.12.0 (#10365)
+* Bump docker/setup-buildx-action from 2.9.1 to 2.10.0 (#10353)
+* Bump actions/checkout from 3.5.3 to 3.6.0 (#10354)
+* Bump actions/dependency-review-action from 3.0.6 to 3.0.8 (#10333)
+* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10313)
+* Bump securego/gosec from 2.16.0 to 2.17.0 (#10332)
+* Bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 (#10314)
+* Bump github.com/opencontainers/runc from 1.1.8 to 1.1.9 (#10298)
+* Bump k8s.io/component-base from 0.26.4 to 0.27.4 (Replace Topology Aware Hints with Topology Aware Routing) (#10282)
+* Bump google.golang.org/grpc from 1.56.2 to 1.57.0 (#10258)
+* Bump golang.org/x/crypto from 0.11.0 to 0.12.0 (#10280)
+* Bump github.com/opencontainers/runc from 1.1.7 to 1.1.8 (#10244)
+* Bump google.golang.org/grpc from 1.56.1 to 1.56.2 (#10193)
+* Bump docker/setup-buildx-action from 2.9.0 to 2.9.1 (#10207)
+* Bump golang.org/x/crypto from 0.10.0 to 0.11.0 (#10192)
+* Bump docker/setup-buildx-action from 2.8.0 to 2.9.0 (#10191)
+* Bump docker/setup-buildx-action from 2.7.0 to 2.8.0 (#10165)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-release-1.8...controller-controller-v1.9.0-beta.0
--- a/changelog/controller-1.9.0.md
+++ b/changelog/controller-1.9.0.md
@ -0,0 +1,95 @@
+# Changelog
+
+### 1.9.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.9.0@sha256:c15d1a617858d90fb8f8a2dd60b0676f2bb85c54e3ed11511794b86ec30c8c60
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.0@sha256:d9fa7a136de2104fb2ecfcf1666978bfab927f4a125b75c0fb471e6104366ab5
+
+### All changes:
+
+* Rework mage (#10418)
+* Start release of v1.9.0 beta0 (#10407)
+* Update k8s versions on CI (#10406)
+* Add a flag to enable or disable aio_write (#10394)
+* Update external-articles.md - advanced setup with GKE/Cloud Armor/IAP (#10372)
+* Fix e2e test suite doc (#10396)
+* Disable user snippets per default (#10393)
+* Deployment/DaemonSet: Fix templating & value. (#10240)
+* Fix deferInLoop error (#10387)
+* Remove gofmt (#10385)
+* Deployment/DaemonSet: Template `topologySpreadConstraints`. (#10259)
+* release notes 1.8.2 (#10389)
+* fix: remove curl on base container #9716 (#10306)
+* Fix http default backend test (#10382)
+* Add golangci github action and replace the deprecated golint (#10187)
+* BUGFIX incorrect indentation (#10254)
+* Upgrade OpenTelemetry to v1.11.0 and gRPC to v1.57.0 (#10352)
+* fix: path with special characters warning #10281 #10308 (#10330)
+* Fix golangci-lint errors (#10196)
+* chore(build): Fix Run make dev-env syntax error (#10294)
+* Add firewall configuration to quick start documentation (#10357)
+* Making auth access logs optional (#10335)
+* Fix “dev-env” Makefile target to work with kubectl 1.28+ (#10350)
+* fix: update action file to auto release plugin #10197 (#10321)
+* Use gzip instead of pigz in CI (#10348)
+* Disable Modsecurity from internal processing which affects large ingresses  (#10316)
+* fix: add /etc/mime.types #10309 (#10310)
+* Remove curl dependencies in e2e tests #9716 (#10296)
+* docs: swap explanation to match example (#10220)
+* ci(helm): fix Helm Chart release action 422 error (#10237)
+* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249)
+* Updated index.md - Fix typos (#10256)
+* Handle request_id variable correctly in auth requests (#9219)
+* test kind updates (#10272)
+* promote distroless otel init image (#10257)
+* [helm] configure allow to configure hostAliases (#10180)
+* Add rolling update strategy to each static deployment file (#10129)
+* Implement annotation validation (#9673)
+* Golang 1.20.6 for test runner (#10230)
+* [helm] pass service annotations through helm tpl engine (#10084)
+* Ignore deployment template's replicas if KEDA is enabled (#9534)
+* chore: bump OpenResty to v1.21.4.2 (#10219)
+* Scanning port 10247 lead to tcp connection 502 error (#9815)
+* revise Datadog trace sampling configuration (#10151)
+* Clarify TCP/UDP service docs (#10146)
+* Exposed continent data as  variable in the case of Maxmind city files (#10157)
+* Cleanup errcheck code (#10166)
+* Fix golang-ci linter errors (#10128)
+* Deprecate and remove AJP support (#10158)
+* release notes 1.8.1 (#10161)
+
+### Dependency updates:
+
+* Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.12.0 (#10355)
+* Bump golang.org/x/crypto from 0.12.0 to 0.13.0 (#10399)
+* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10403)
+* Bump goreleaser/goreleaser-action from 4.4.0 to 4.6.0 (#10402)
+* Bump actions/upload-artifact from 3.1.2 to 3.1.3 (#10404)
+* Bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#10400)
+* Bump google.golang.org/grpc from 1.57.0 to 1.58.0 (#10398)
+* Bump actions/dependency-review-action from 3.0.8 to 3.1.0 (#10401)
+* Bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4 (#10373)
+* Bump github.com/cyphar/filepath-securejoin in /magefiles (#10374)
+* Bump Go version to 1.21.1 (#10377)
+* Bump Go version to 1.21.1 on testrunner (#10378)
+* Bump aquasecurity/trivy-action from 0.11.2 to 0.12.0 (#10365)
+* Bump docker/setup-buildx-action from 2.9.1 to 2.10.0 (#10353)
+* Bump actions/checkout from 3.5.3 to 3.6.0 (#10354)
+* Bump actions/dependency-review-action from 3.0.6 to 3.0.8 (#10333)
+* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10313)
+* Bump securego/gosec from 2.16.0 to 2.17.0 (#10332)
+* Bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 (#10314)
+* Bump github.com/opencontainers/runc from 1.1.8 to 1.1.9 (#10298)
+* Bump k8s.io/component-base from 0.26.4 to 0.27.4 (Replace Topology Aware Hints with Topology Aware Routing) (#10282)
+* Bump google.golang.org/grpc from 1.56.2 to 1.57.0 (#10258)
+* Bump golang.org/x/crypto from 0.11.0 to 0.12.0 (#10280)
+* Bump github.com/opencontainers/runc from 1.1.7 to 1.1.8 (#10244)
+* Bump google.golang.org/grpc from 1.56.1 to 1.56.2 (#10193)
+* Bump docker/setup-buildx-action from 2.9.0 to 2.9.1 (#10207)
+* Bump golang.org/x/crypto from 0.10.0 to 0.11.0 (#10192)
+* Bump docker/setup-buildx-action from 2.8.0 to 2.9.0 (#10191)
+* Bump docker/setup-buildx-action from 2.7.0 to 2.8.0 (#10165)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-release-1.8...controller-controller-v1.9.0
--- a/changelog/controller-1.9.1.md
+++ b/changelog/controller-1.9.1.md
@ -0,0 +1,21 @@
+# Changelog
+
+### 1.9.1
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.9.1@sha256:605a737877de78969493a4b1213b21de4ee425d2926906857b98050f57a95b25
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.1@sha256:2ac744ef08850ee86ad7162451a6879f47c1a41c6a757f6b6f913c52103b8836
+
+### All changes:
+
+* upgrade owasp modsecurity core rule set to v3.3.5 (#10437)
+* Start v1.9.1 release (#10463)
+* Accept backend protocol on any case (#10461)
+* Chart: Rework network policies. (#10438)
+
+### Dependency updates:
+
+* Bump google.golang.org/grpc from 1.58.0 to 1.58.1 (#10436)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.9.0...controller-controller-v1.9.1
--- a/changelog/controller-1.9.3.md
+++ b/changelog/controller-1.9.3.md
@ -0,0 +1,29 @@
+# Changelog
+
+### 1.9.3
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.9.3@sha256:8fd21d59428507671ce0fb47f818b1d859c92d2ad07bb7c947268d433030ba98
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.3@sha256:df4931fd6859fbf1a71e785f02a44b2f9a16f010ae852c442e9bb779cbefdc86
+
+### All changes:
+
+* update nginx base, httpbun, e2e, helm webhook cert gen (#10506)
+* added warning for configuration-snippets usage (#10492)
+* Remove legacy GeoIP from controller (#10495)
+* add upstream patch for CVE-2023-44487 (#10494)
+* Revert "Remove curl from nginx base image (#10477)" (#10479)
+* update error and otel to have all the arch we support (#10476)
+* Remove curl from nginx base image (#10477)
+
+### Dependency updates:
+
+* Bump x/net (#10514)
+* Bump curl and Go version (#10503)
+* Bump google.golang.org/grpc from 1.58.2 to 1.58.3 (#10496)
+* Bump github.com/prometheus/client_model (#10486)
+* Bump ossf/scorecard-action from 2.2.0 to 2.3.0 (#10487)
+* Bump golang.org/x/crypto from 0.13.0 to 0.14.0 (#10485)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.9.1...controller-controller-v1.9.3
--- a/changelog/controller-1.9.4.md
+++ b/changelog/controller-1.9.4.md
@ -0,0 +1,14 @@
+# Changelog
+
+### 1.9.4
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.4@sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26
+
+### All changes:
+
+* Cherry pick fcgi fix and release v1.9.4 (#10544)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.9.3...controller-controller-v1.9.4
--- a/changelog/controller-1.9.5.md
+++ b/changelog/controller-1.9.5.md
@ -0,0 +1,37 @@
+# Changelog
+
+### controller-v1.9.5
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.9.5@sha256:b3aba22b1da80e7acfc52b115cae1d4c687172cbf2b742d5b502419c25ff340e
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.5@sha256:9a8d7b25a846a6461cd044b9aea9cf6cad972bcf2e64d9fd246c0279979aad2d
+
+### All changes:
+
+* update nginx build (#10781)
+* update images from golang upgrade (#10762)
+* fix: remove tcpproxy copy error handling (#10715)
+* Ignore fake certificate for NGINXCertificateExpiry (#10694)
+* Comment NGINXCertificateExpiry alert label matcher (#10692)
+* chart: allow setting allocateLoadBalancerNodePorts (#10693)
+* [release-1.9] feat(helm): add documentation about metric args (#10695)
+* chore(dep): change lua-resty-cookie's repo (#10691)
+* annotation validation - extended URLWithNginxVariableRegex from alphaNumericChars to extendedAlphaNumeric (#10656)
+* fix: adjust unfulfillable validation check for session-cookie-samesite annotation (#10604)
+* fix: Validate x-forwarded-prefix annotation with RegexPathWithCapture (#10603)
+* Increase HSTS max-age to default to one year (#10580)
+* [release-1.9] update nginx base, httpbun, e2e, helm webhook cert gen (#10507)
+* [release-1.9] add upstream patch for CVE-2023-44487 (#10499)
+* fix brotli build issues (#10468)
+* upgrade owasp modsecurity core rule set to v3.3.5 (#10437)
+* Accept backend protocol on any case (#10461)
+* Chart: Rework network policies. (#10438)
+* Rework mage (#10418)
+
+### Dependency updates:
+
+* Bump x/net (#10517)
+* Bump google.golang.org/grpc from 1.58.0 to 1.58.1 (#10436)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.9.4...controller-v1.9.5
--- a/changelog/controller-1.9.6.md
+++ b/changelog/controller-1.9.6.md
@ -0,0 +1,21 @@
+# Changelog
+
+### controller-v1.9.6
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.9.6@sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.6@sha256:7eb46ff733429e0e46892903c7394aff149ac6d284d92b3946f3baf7ff26a096
+
+### All changes:
+
+* update web hook cert gen to latest release v20231226-1a7112e06
+* annotation validation: validate regex in common name annotation (#10880)
+* change MODSECURITY_VERSION_LIB to 3.0.11 (#10879)
+* Include SECLEVEL and STRENGTH as part of ssl-cipher list validation (#10871)
+
+### Dependency updates:
+
+* Bump github.com/opencontainers/runc from 1.1.10 to 1.1.11 (#10878)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.9.5...controller-v1.9.6
--- a/changelog/controller.md.gotmpl
+++ b/changelog/controller.md.gotmpl
@ -0,0 +1,22 @@
+# Changelog
+
+### {{ .NewControllerVersion }}
+{{ with .ControllerImages }}
+Images:
+{{ range . }}
+* {{ .Registry }}/{{ .Name }}:{{ .Tag}}@{{ .Digest }}
+{{- end }}
+{{ end }}
+{{- with .Updates }}
+### All changes:
+{{ range . }}
+* {{ . }}
+{{- end }}
+{{ end }}
+{{- with .DepUpdates }}
+### Dependency updates:
+{{ range . }}
+* {{ . }}
+{{- end }}
+{{ end }}
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/{{ .PreviousControllerVersion }}...{{ .NewControllerVersion }}
--- a/charts/ingress-nginx/.helmignore
+++ b/charts/ingress-nginx/.helmignore
@ -20,3 +20,4 @@
 .idea/
 *.tmproj
 .vscode/
+__snapshot__
--- a/charts/ingress-nginx/CHANGELOG.md
+++ b/charts/ingress-nginx/CHANGELOG.md
@ -1,375 +0,0 @@
-# Changelog
-
-This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
-
-### 4.0.18
-"[8291](https://github.com/kubernetes/ingress-nginx/pull/8291) remove git tag env from cloud build"
-"[8286](https://github.com/kubernetes/ingress-nginx/pull/8286) Fix OpenTelemetry sidecar image build"
-"[8277](https://github.com/kubernetes/ingress-nginx/pull/8277) Add OpenSSF Best practices badge"
-"[8273](https://github.com/kubernetes/ingress-nginx/pull/8273) Issue#8241"
-"[8267](https://github.com/kubernetes/ingress-nginx/pull/8267) Add fsGroup value to admission-webhooks/job-patch charts"
-"[8262](https://github.com/kubernetes/ingress-nginx/pull/8262) Updated confusing error"
-"[8256](https://github.com/kubernetes/ingress-nginx/pull/8256) fix: deny locations with invalid auth-url annotation"
-"[8253](https://github.com/kubernetes/ingress-nginx/pull/8253) Add a certificate info metric"
-"[8236](https://github.com/kubernetes/ingress-nginx/pull/8236) webhook: remove useless code."
-"[8227](https://github.com/kubernetes/ingress-nginx/pull/8227) Update libraries in webhook image"
-"[8225](https://github.com/kubernetes/ingress-nginx/pull/8225) fix inconsistent-label-cardinality for prometheus metrics: nginx_ingress_controller_requests"
-"[8221](https://github.com/kubernetes/ingress-nginx/pull/8221) Do not validate ingresses with unknown ingress class in admission webhook endpoint"
-"[8210](https://github.com/kubernetes/ingress-nginx/pull/8210) Bump github.com/prometheus/client_golang from 1.11.0 to 1.12.1"
-"[8209](https://github.com/kubernetes/ingress-nginx/pull/8209) Bump google.golang.org/grpc from 1.43.0 to 1.44.0"
-"[8204](https://github.com/kubernetes/ingress-nginx/pull/8204) Add Artifact Hub lint"
-"[8203](https://github.com/kubernetes/ingress-nginx/pull/8203) Fix Indentation of example and link to cert-manager tutorial"
-"[8201](https://github.com/kubernetes/ingress-nginx/pull/8201) feat(metrics): add path and method labels to requests countera"
-"[8199](https://github.com/kubernetes/ingress-nginx/pull/8199) use functional options to reduce number of methods creating an EchoDeployment"
-"[8196](https://github.com/kubernetes/ingress-nginx/pull/8196) docs: fix inconsistent controller annotation"
-"[8191](https://github.com/kubernetes/ingress-nginx/pull/8191) Using Go install for misspell"
-"[8186](https://github.com/kubernetes/ingress-nginx/pull/8186) prometheus+grafana using servicemonitor"
-"[8185](https://github.com/kubernetes/ingress-nginx/pull/8185) Append elements on match, instead of removing for cors-annotations"
-"[8179](https://github.com/kubernetes/ingress-nginx/pull/8179) Bump github.com/opencontainers/runc from 1.0.3 to 1.1.0"
-"[8173](https://github.com/kubernetes/ingress-nginx/pull/8173) Adding annotations to the controller service account"
-"[8163](https://github.com/kubernetes/ingress-nginx/pull/8163) Update the $req_id placeholder description"
-"[8162](https://github.com/kubernetes/ingress-nginx/pull/8162) Versioned static manifests"
-"[8159](https://github.com/kubernetes/ingress-nginx/pull/8159) Adding some geoip variables and default values"
-"[8155](https://github.com/kubernetes/ingress-nginx/pull/8155) #7271 feat: avoid-pdb-creation-when-default-backend-disabled-and-replicas-gt-1"
-"[8151](https://github.com/kubernetes/ingress-nginx/pull/8151) Automatically generate helm docs"
-"[8143](https://github.com/kubernetes/ingress-nginx/pull/8143) Allow to configure delay before controller exits"
-"[8136](https://github.com/kubernetes/ingress-nginx/pull/8136) add ingressClass option to helm chart - back compatibility with ingress.class annotations"
-"[8126](https://github.com/kubernetes/ingress-nginx/pull/8126) Example for JWT"
-
-
-### 4.0.15
-
- [8120] https://github.com/kubernetes/ingress-nginx/pull/8120    Update go in runner and release v1.1.1
- [8119] https://github.com/kubernetes/ingress-nginx/pull/8119    Update to go v1.17.6
- [8118] https://github.com/kubernetes/ingress-nginx/pull/8118    Remove deprecated libraries, update other libs
- [8117] https://github.com/kubernetes/ingress-nginx/pull/8117    Fix codegen errors
- [8115] https://github.com/kubernetes/ingress-nginx/pull/8115    chart/ghaction: set the correct permission to have access to push a release
- [8098] https://github.com/kubernetes/ingress-nginx/pull/8098    generating SHA for CA only certs in backend_ssl.go + comparision of P…
- [8088] https://github.com/kubernetes/ingress-nginx/pull/8088    Fix Edit this page link to use main branch
- [8072] https://github.com/kubernetes/ingress-nginx/pull/8072    Expose GeoIP2 Continent code as variable
- [8061] https://github.com/kubernetes/ingress-nginx/pull/8061    docs(charts): using helm-docs for chart
- [8058] https://github.com/kubernetes/ingress-nginx/pull/8058    Bump github.com/spf13/cobra from 1.2.1 to 1.3.0
- [8054] https://github.com/kubernetes/ingress-nginx/pull/8054    Bump google.golang.org/grpc from 1.41.0 to 1.43.0
- [8051] https://github.com/kubernetes/ingress-nginx/pull/8051    align bug report with feature request regarding kind documentation
- [8046] https://github.com/kubernetes/ingress-nginx/pull/8046    Report expired certificates (#8045)
- [8044] https://github.com/kubernetes/ingress-nginx/pull/8044    remove G109 check till gosec resolves issues
- [8042] https://github.com/kubernetes/ingress-nginx/pull/8042    docs_multiple_instances_one_cluster_ticket_7543
- [8041] https://github.com/kubernetes/ingress-nginx/pull/8041    docs: fix typo'd executible name
- [8035] https://github.com/kubernetes/ingress-nginx/pull/8035    Comment busy owners
- [8029] https://github.com/kubernetes/ingress-nginx/pull/8029    Add stream-snippet as a ConfigMap and Annotation option
- [8023] https://github.com/kubernetes/ingress-nginx/pull/8023    fix nginx compilation flags
- [8021] https://github.com/kubernetes/ingress-nginx/pull/8021    Disable default modsecurity_rules_file if modsecurity-snippet is specified
- [8019] https://github.com/kubernetes/ingress-nginx/pull/8019    Revise main documentation page
- [8018] https://github.com/kubernetes/ingress-nginx/pull/8018    Preserve order of plugin invocation
- [8015] https://github.com/kubernetes/ingress-nginx/pull/8015    Add newline indenting to admission webhook annotations
- [8014] https://github.com/kubernetes/ingress-nginx/pull/8014    Add link to example error page manifest in docs
- [8009] https://github.com/kubernetes/ingress-nginx/pull/8009    Fix spelling in documentation and top-level files
- [8008] https://github.com/kubernetes/ingress-nginx/pull/8008    Add relabelings in controller-servicemonitor.yaml
- [8003] https://github.com/kubernetes/ingress-nginx/pull/8003    Minor improvements (formatting, consistency) in install guide
- [8001] https://github.com/kubernetes/ingress-nginx/pull/8001    fix: go-grpc Dockerfile
- [7999] https://github.com/kubernetes/ingress-nginx/pull/7999    images: use k8s-staging-test-infra/gcb-docker-gcloud
- [7996] https://github.com/kubernetes/ingress-nginx/pull/7996    doc: improvement
- [7983] https://github.com/kubernetes/ingress-nginx/pull/7983    Fix a couple of misspellings in the annotations documentation.
- [7979] https://github.com/kubernetes/ingress-nginx/pull/7979    allow set annotations for admission Jobs
- [7977] https://github.com/kubernetes/ingress-nginx/pull/7977    Add ssl_reject_handshake to defaul server
- [7975] https://github.com/kubernetes/ingress-nginx/pull/7975    add legacy version update v0.50.0 to main changelog
- [7972] https://github.com/kubernetes/ingress-nginx/pull/7972    updated service upstream definition
-
-### 4.0.14
-
- [8061] https://github.com/kubernetes/ingress-nginx/pull/8061 Using helm-docs to populate values table in README.md
-
-### 4.0.13
-
- [8008] https://github.com/kubernetes/ingress-nginx/pull/8008 Add relabelings in controller-servicemonitor.yaml
-
-### 4.0.12
-
- [7978] https://github.com/kubernetes/ingress-nginx/pull/7979 Support custom annotations in admissions Jobs
-
-### 4.0.11
-
- [7873] https://github.com/kubernetes/ingress-nginx/pull/7873 Makes the [appProtocol](https://kubernetes.io/docs/concepts/services-networking/_print/#application-protocol) field optional.
-
-### 4.0.10
-
- [7964] https://github.com/kubernetes/ingress-nginx/pull/7964 Update controller version to v1.1.0
-
-### 4.0.9
-
- [6992] https://github.com/kubernetes/ingress-nginx/pull/6992 Add ability to specify labels for all resources
-
-### 4.0.7
-
- [7923] https://github.com/kubernetes/ingress-nginx/pull/7923 Release v1.0.5 of ingress-nginx
- [7806] https://github.com/kubernetes/ingress-nginx/pull/7806 Choice option for internal/external loadbalancer type service
-
-### 4.0.6
-
- [7804] https://github.com/kubernetes/ingress-nginx/pull/7804 Release v1.0.4 of ingress-nginx
- [7651] https://github.com/kubernetes/ingress-nginx/pull/7651 Support ipFamilyPolicy and ipFamilies fields in Helm Chart
- [7798] https://github.com/kubernetes/ingress-nginx/pull/7798 Exoscale: use HTTP Healthcheck mode
- [7793] https://github.com/kubernetes/ingress-nginx/pull/7793 Update kube-webhook-certgen to v1.1.1
-
-### 4.0.5
-
- [7740] https://github.com/kubernetes/ingress-nginx/pull/7740 Release v1.0.3 of ingress-nginx
-
-### 4.0.3
-
- [7707] https://github.com/kubernetes/ingress-nginx/pull/7707 Release v1.0.2 of ingress-nginx
-
-### 4.0.2 
-
- [7681] https://github.com/kubernetes/ingress-nginx/pull/7681 Release v1.0.1 of ingress-nginx
-
-### 4.0.1 
-
- [7535] https://github.com/kubernetes/ingress-nginx/pull/7535 Release v1.0.0 ingress-nginx
-
-### 3.34.0
-
- [7256] https://github.com/kubernetes/ingress-nginx/pull/7256 Add namespace field in the namespace scoped resource templates
-
-### 3.33.0
-
- [7164] https://github.com/kubernetes/ingress-nginx/pull/7164 Update nginx to v1.20.1
-
-### 3.32.0
-
- [7117] https://github.com/kubernetes/ingress-nginx/pull/7117 Add annotations for HPA
-
-### 3.31.0
-
- [7137] https://github.com/kubernetes/ingress-nginx/pull/7137 Add support for custom probes
-
-### 3.30.0
-
- [#7092](https://github.com/kubernetes/ingress-nginx/pull/7092) Removes the possibility of using localhost in ExternalNames as endpoints
-
-### 3.29.0
-
- [X] [#6945](https://github.com/kubernetes/ingress-nginx/pull/7020) Add option to specify job label for ServiceMonitor
-
-### 3.28.0
-
- [ ] [#6900](https://github.com/kubernetes/ingress-nginx/pull/6900) Support existing PSPs
-
-### 3.27.0
-
- Update ingress-nginx v0.45.0
-
-### 3.26.0
-
- [X] [#6979](https://github.com/kubernetes/ingress-nginx/pull/6979) Changed servicePort value for metrics
-
-### 3.25.0
-
- [X] [#6957](https://github.com/kubernetes/ingress-nginx/pull/6957) Add ability to specify automountServiceAccountToken
-
-### 3.24.0
-
- [X] [#6908](https://github.com/kubernetes/ingress-nginx/pull/6908) Add volumes to default-backend deployment
-
-### 3.23.0
-
- Update ingress-nginx v0.44.0
-
-### 3.22.0
-
- [X] [#6802](https://github.com/kubernetes/ingress-nginx/pull/6802) Add value for configuring a custom Diffie-Hellman parameters file
- [X] [#6815](https://github.com/kubernetes/ingress-nginx/pull/6815) Allow use of numeric namespaces in helm chart
-
-### 3.21.0
-
- [X] [#6783](https://github.com/kubernetes/ingress-nginx/pull/6783) Add custom annotations to ScaledObject
- [X] [#6761](https://github.com/kubernetes/ingress-nginx/pull/6761) Adding quotes in the serviceAccount name in Helm values
- [X] [#6767](https://github.com/kubernetes/ingress-nginx/pull/6767) Remove ClusterRole when scope option is enabled
- [X] [#6785](https://github.com/kubernetes/ingress-nginx/pull/6785) Update kube-webhook-certgen image to v1.5.1
-
-### 3.20.1
-
- Do not create KEDA in case of DaemonSets.
- Fix KEDA v2 definition
-
-### 3.20.0
-
- [X] [#6730](https://github.com/kubernetes/ingress-nginx/pull/6730) Do not create HPA for defaultBackend if not enabled.
-
-### 3.19.0
-
- Update ingress-nginx v0.43.0
-
-### 3.18.0
-
- [X] [#6688](https://github.com/kubernetes/ingress-nginx/pull/6688) Allow volume-type emptyDir in controller podsecuritypolicy
- [X] [#6691](https://github.com/kubernetes/ingress-nginx/pull/6691) Improve parsing of helm parameters
-
-### 3.17.0
-
- Update ingress-nginx v0.42.0
-
-### 3.16.1
-
- Fix chart-releaser action
-
-### 3.16.0
-
- [X] [#6646](https://github.com/kubernetes/ingress-nginx/pull/6646) Added LoadBalancerIP value for internal service
-
-### 3.15.1
-
- Fix chart-releaser action
-
-### 3.15.0
-
- [X] [#6586](https://github.com/kubernetes/ingress-nginx/pull/6586) Fix 'maxmindLicenseKey' location in values.yaml
-
-### 3.14.0
-
- [X] [#6469](https://github.com/kubernetes/ingress-nginx/pull/6469) Allow custom service names for controller and backend
-
-### 3.13.0
-
- [X] [#6544](https://github.com/kubernetes/ingress-nginx/pull/6544) Fix default backend HPA name variable
-
-### 3.12.0
-
- [X] [#6514](https://github.com/kubernetes/ingress-nginx/pull/6514) Remove helm2 support and update docs
-
-### 3.11.1
-
- [X] [#6505](https://github.com/kubernetes/ingress-nginx/pull/6505) Reorder HPA resource list to work with GitOps tooling
-
-### 3.11.0
-
- Support Keda Autoscaling
-
-### 3.10.1
-
- Fix regression introduced in 0.41.0 with external authentication
-
-### 3.10.0
-
- Fix routing regression introduced in 0.41.0 with PathType Exact
-
-### 3.9.0
-
- [X] [#6423](https://github.com/kubernetes/ingress-nginx/pull/6423) Add Default backend HPA autoscaling
-
-### 3.8.0
-
- [X] [#6395](https://github.com/kubernetes/ingress-nginx/pull/6395) Update jettech/kube-webhook-certgen image
- [X] [#6377](https://github.com/kubernetes/ingress-nginx/pull/6377) Added loadBalancerSourceRanges for internal lbs
- [X] [#6356](https://github.com/kubernetes/ingress-nginx/pull/6356) Add securitycontext settings on defaultbackend
- [X] [#6401](https://github.com/kubernetes/ingress-nginx/pull/6401) Fix controller service annotations
- [X] [#6403](https://github.com/kubernetes/ingress-nginx/pull/6403) Initial helm chart changelog
-
-### 3.7.1
-
- [X] [#6326](https://github.com/kubernetes/ingress-nginx/pull/6326) Fix liveness and readiness probe path in daemonset chart
-
-### 3.7.0
-
- [X] [#6316](https://github.com/kubernetes/ingress-nginx/pull/6316) Numerals in podAnnotations in quotes [#6315](https://github.com/kubernetes/ingress-nginx/issues/6315)
-
-### 3.6.0
-
- [X] [#6305](https://github.com/kubernetes/ingress-nginx/pull/6305) Add default linux nodeSelector
-
-### 3.5.1
-
- [X] [#6299](https://github.com/kubernetes/ingress-nginx/pull/6299) Fix helm chart release
-
-### 3.5.0
-
- [X] [#6260](https://github.com/kubernetes/ingress-nginx/pull/6260) Allow Helm Chart to customize admission webhook's annotations, timeoutSeconds, namespaceSelector, objectSelector and cert files locations
-
-### 3.4.0
-
- [X] [#6268](https://github.com/kubernetes/ingress-nginx/pull/6268) Update to 0.40.2 in helm chart #6288
-
-### 3.3.1
-
- [X] [#6259](https://github.com/kubernetes/ingress-nginx/pull/6259) Release helm chart
- [X] [#6258](https://github.com/kubernetes/ingress-nginx/pull/6258) Fix chart markdown link
- [X] [#6253](https://github.com/kubernetes/ingress-nginx/pull/6253) Release v0.40.0
-
-### 3.3.1
-
- [X] [#6233](https://github.com/kubernetes/ingress-nginx/pull/6233) Add admission controller e2e test
-
-### 3.3.0
-
- [X] [#6203](https://github.com/kubernetes/ingress-nginx/pull/6203) Refactor parsing of key values
- [X] [#6162](https://github.com/kubernetes/ingress-nginx/pull/6162) Add helm chart options to expose metrics service as NodePort
- [X] [#6180](https://github.com/kubernetes/ingress-nginx/pull/6180) Fix helm chart admissionReviewVersions regression
- [X] [#6169](https://github.com/kubernetes/ingress-nginx/pull/6169) Fix Typo in example prometheus rules
-
-### 3.0.0
-
- [X] [#6167](https://github.com/kubernetes/ingress-nginx/pull/6167) Update chart requirements
-
-### 2.16.0
-
- [X] [#6154](https://github.com/kubernetes/ingress-nginx/pull/6154) add `topologySpreadConstraint` to controller
-
-### 2.15.0
-
- [X] [#6087](https://github.com/kubernetes/ingress-nginx/pull/6087) Adding parameter for externalTrafficPolicy in internal controller service spec
-
-### 2.14.0
-
- [X] [#6104](https://github.com/kubernetes/ingress-nginx/pull/6104) Misc fixes for nginx-ingress chart for better keel and prometheus-operator integration
-
-### 2.13.0
-
- [X] [#6093](https://github.com/kubernetes/ingress-nginx/pull/6093) Release v0.35.0
-
-### 2.13.0
-
- [X] [#6093](https://github.com/kubernetes/ingress-nginx/pull/6093) Release v0.35.0
- [X] [#6080](https://github.com/kubernetes/ingress-nginx/pull/6080) Switch images to k8s.gcr.io after Vanity Domain Flip
-
-### 2.12.1
-
- [X] [#6075](https://github.com/kubernetes/ingress-nginx/pull/6075) Sync helm chart affinity examples
-
-### 2.12.0
-
- [X] [#6039](https://github.com/kubernetes/ingress-nginx/pull/6039) Add configurable serviceMonitor metricRelabelling and targetLabels
- [X] [#6044](https://github.com/kubernetes/ingress-nginx/pull/6044) Fix YAML linting
-
-### 2.11.3
-
- [X] [#6038](https://github.com/kubernetes/ingress-nginx/pull/6038) Bump chart version PATCH
-
-### 2.11.2
-
- [X] [#5951](https://github.com/kubernetes/ingress-nginx/pull/5951) Bump chart patch version
-
-### 2.11.1
-
- [X] [#5900](https://github.com/kubernetes/ingress-nginx/pull/5900) Release helm chart for v0.34.1
-
-### 2.11.0
-
- [X] [#5879](https://github.com/kubernetes/ingress-nginx/pull/5879) Update helm chart for v0.34.0
- [X] [#5671](https://github.com/kubernetes/ingress-nginx/pull/5671) Make liveness probe more fault tolerant than readiness probe
-
-### 2.10.0
-
- [X] [#5843](https://github.com/kubernetes/ingress-nginx/pull/5843) Update jettech/kube-webhook-certgen image
-
-### 2.9.1
-
- [X] [#5823](https://github.com/kubernetes/ingress-nginx/pull/5823) Add quoting to sysctls because numeric values need to be presented as strings (#5823)
-
-### 2.9.0
-
- [X] [#5795](https://github.com/kubernetes/ingress-nginx/pull/5795) Use fully qualified images to avoid cri-o issues
-
-
-### TODO
-
-Keep building the changelog using *git log charts* checking the tag
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@ -1,37 +1,24 @@
+annotations:
+  artifacthub.io/changes: |
+    - 'CI: Fix chart testing. (#12258)'
+    - Update Ingress-Nginx version controller-v1.12.0
+  artifacthub.io/prerelease: "false"
 apiVersion: v2
-name: ingress-nginx
-# When the version is modified, make sure the artifacthub.io/changes list is updated
-# Also update CHANGELOG.md
-version: 4.1.0-beta.0
-appVersion: 1.2.0-beta.0
+appVersion: 1.12.0
+description: Ingress controller for Kubernetes using NGINX as a reverse proxy and
+  load balancer
 home: https://github.com/kubernetes/ingress-nginx
-description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
 keywords:
-  - ingress
-  - nginx
-sources:
-  - https://github.com/kubernetes/ingress-nginx
-type: application
+- ingress
+- nginx
+kubeVersion: '>=1.21.0-0'
 maintainers:
-  - name: rikatz
-  - name: strongjz
-  - name: tao12345666333
-engine: gotpl
-kubeVersion: ">=1.19.0-0"
-annotations:
-  # Use this annotation to indicate that this chart version is a pre-release.
-  # https://artifacthub.io/docs/topics/annotations/helm/
-  artifacthub.io/prerelease: "true"
-  # List of changes for the release in artifacthub.io
-  # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog
-  artifacthub.io/changes: |
-    - "#8426	Bump github.com/prometheus/common from 0.32.1 to 0.33.0"
-    - "#8444	replace deprecated topology key in example with current one"
-    - "#8446	Fix suggested annotation-value-word-blocklist"
-    - "#8219    Add keepalive support for auth requests"
-    - "#8337	Jail/chroot nginx process inside controller container"
-    - "#8455	Update dependencies"
-    - "#8456	Implement object deep inspector"
-    - "#8325	Fix for buggy ingress sync with retries"
-    - "#8322	Improve req handling dashboard"
+- name: cpanato
+- name: Gacko
+- name: strongjz
+- name: tao12345666333
+name: ingress-nginx
+sources:
+- https://github.com/kubernetes/ingress-nginx
+version: 4.12.0
--- a/charts/ingress-nginx/OWNERS
+++ b/charts/ingress-nginx/OWNERS
@ -1,10 +1,4 @@
-# See the OWNERS docs: https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md
-
-approvers:
- ingress-nginx-helm-maintainers
-
-reviewers:
- ingress-nginx-helm-reviewers
+# See the OWNERS docs: https://www.kubernetes.dev/docs/guide/owners

 labels:
 - area/helm
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@ -2,16 +2,15 @@

 [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer

-![Version: 4.1.0-beta.0](https://img.shields.io/badge/Version-4.1.0--beta.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.0-beta.0](https://img.shields.io/badge/AppVersion-1.2.0--beta.0-informational?style=flat-square)
+![Version: 4.12.0](https://img.shields.io/badge/Version-4.12.0-informational?style=flat-square) ![AppVersion: 1.12.0](https://img.shields.io/badge/AppVersion-1.12.0-informational?style=flat-square)

 To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.

 This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.

-## Prerequisites
+## Requirements

- Chart version 3.x.x: Kubernetes v1.16+
- Chart version 4.x.x and above: Kubernetes v1.19+
+Kubernetes: `>=1.21.0-0`

 ## Get Repo Info

@ -52,10 +51,6 @@ helm upgrade [RELEASE_NAME] [CHART] --install

 _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._

-### Upgrading With Zero Downtime in Production
-
-By default the ingress-nginx controller has service interruptions whenever it's pods are restarted or redeployed. In order to fix that, see the excellent blog post by Lindsay Landry from Codecademy: [Kubernetes: Nginx and Zero Downtime in Production](https://medium.com/codecademy-engineering/kubernetes-nginx-and-zero-downtime-in-production-2c910c6a5ed8).
-
 ### Migrating from stable/nginx-ingress

 There are two main ways to migrate a release from `stable/nginx-ingress` to `ingress-nginx/ingress-nginx` chart:
@ -66,7 +61,6 @@ There are two main ways to migrate a release from `stable/nginx-ingress` to `ing
    1. Redirect your DNS traffic from the old controller to the new controller
    1. Log traffic from both controllers during this changeover
    1. [Uninstall](#uninstall-chart) the old controller once traffic has fully drained from it
-    1. For details on all of these steps see [Upgrading With Zero Downtime in Production](#upgrading-with-zero-downtime-in-production)

 Note that there are some different and upgraded configurations between the two charts, described by Rimas Mocevicius from JFrog in the "Upgrading to ingress-nginx Helm chart" section of [Migrating from Helm chart nginx-ingress to ingress-nginx](https://rimusz.net/migrating-to-ingress-nginx). As the `ingress-nginx/ingress-nginx` chart continues to update, you will want to check current differences by running [helm configuration](#configuration) commands on both charts.

@ -85,14 +79,14 @@ else it would make it impossible to evacuate a node. See [gh issue #7127](https:

 ### Prometheus Metrics

-The Nginx ingress controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`.
+The Ingress-Nginx Controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`.

 You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`.
 Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. And set `controller.metrics.serviceMonitor.additionalLabels.release="prometheus"`. "release=prometheus" should match the label configured in the prometheus servicemonitor ( see `kubectl get servicemonitor prometheus-kube-prom-prometheus -oyaml -n prometheus`)

 ### ingress-nginx nginx\_status page/stats server

-Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in nginx ingress controller:
+Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in Ingress-Nginx Controller:

 - In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed
 - In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost.
@ -100,7 +94,7 @@ Previous versions of this chart had a `controller.stats.*` configuration block,

 ### ExternalDNS Service Configuration

-Add an [ExternalDNS](https://github.com/kubernetes-incubator/external-dns) annotation to the LoadBalancer service:
+Add an [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) annotation to the LoadBalancer service:

 ```yaml
 controller:
@ -126,19 +120,6 @@ controller:
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
 ```

-### AWS route53-mapper
-
-To configure the LoadBalancer service with the [route53-mapper addon](https://github.com/kubernetes/kops/blob/be63d4f1a7a46daaf1c4c482527328236850f111/addons/route53-mapper/README.md), add the `domainName` annotation and `dns` label:
-
-```yaml
-controller:
-  service:
-    labels:
-      dns: "route53"
-    annotations:
-      domainName: "kubernetes-example.com"
-```
-
 ### Additional Internal Load Balancer

 This setup is useful when you need both external and internal load balancers but don't want to have multiple ingress controllers and multiple ingress objects per application.
@ -162,8 +143,10 @@ controller:
    internal:
      enabled: true
      annotations:
-        # Create internal ELB
-        service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+        # Create internal NLB
+        service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
+        # Create internal ELB(Deprecated)
+        # service.beta.kubernetes.io/aws-load-balancer-internal: "true"
        # Any other annotation can be declared here.
 ```

@ -175,7 +158,7 @@ controller:
    internal:
      enabled: true
      annotations:
-        # Create internal LB. More informations: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing
+        # Create internal LB. More information: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing
        # For GKE versions 1.17 and later
        networking.gke.io/load-balancer-type: "Internal"
        # For earlier versions
@ -206,17 +189,34 @@ controller:
        # Any other annotation can be declared here.
 ```

+The load balancer annotations of more cloud service providers can be found: [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer).
+
 An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object.

 Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`.

 ### Ingress Admission Webhooks

-With nginx-ingress-controller version 0.25+, the nginx ingress controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
+With nginx-ingress-controller version 0.25+, the Ingress-Nginx Controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
 **This feature is enabled by default since 0.31.0.**

 With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521)

+#### How the Chart Configures the Hooks
+A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks.
+
+1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits.
+2. The Ingress-Nginx Controller pod is configured to use a TLS proxy container, which will load that certificate.
+3. Validating and Mutating webhook configurations are created in the cluster.
+4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations
+
+#### Alternatives
+It should be possible to use [cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) if a more complete solution is required.
+
+You can enable automatic self-signed TLS certificate provisioning via cert-manager by setting the `controller.admissionWebhooks.certManager.enabled` value to true.
+
+Please ensure that cert-manager is correctly installed and configured.
+
 ### Helm Error When Upgrading: spec.clusterIP: Invalid value: ""

 If you are upgrading this chart from a version between 0.31.0 and 1.2.2 then you may get an error like this:
@ -229,9 +229,23 @@ Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13

 As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered.

-## Requirements
+### Pod Security Admission

-Kubernetes: `>=1.19.0-0`
+You can use Pod Security Admission by applying labels to the `ingress-nginx` namespace as instructed by the [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels).
+
+Example:
+
+```yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ingress-nginx
+  labels:
+    kubernetes.io/metadata.name: ingress-nginx
+    name: ingress-nginx
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: v1.31
+```

 ## Values

@ -240,38 +254,52 @@ Kubernetes: `>=1.19.0-0`
 | commonLabels | object | `{}` |  |
 | controller.addHeaders | object | `{}` | Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers |
 | controller.admissionWebhooks.annotations | object | `{}` |  |
+| controller.admissionWebhooks.certManager.admissionCert.duration | string | `""` |  |
+| controller.admissionWebhooks.certManager.enabled | bool | `false` |  |
+| controller.admissionWebhooks.certManager.rootCert.duration | string | `""` |  |
 | controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` |  |
+| controller.admissionWebhooks.createSecretJob.name | string | `"create"` |  |
 | controller.admissionWebhooks.createSecretJob.resources | object | `{}` |  |
+| controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers |
 | controller.admissionWebhooks.enabled | bool | `true` |  |
-| controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one |
-| controller.admissionWebhooks.failurePolicy | string | `"Fail"` |  |
+| controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set |
+| controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use |
 | controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` |  |
 | controller.admissionWebhooks.labels | object | `{}` | Labels to be added to admission webhooks |
+| controller.admissionWebhooks.name | string | `"admission"` |  |
 | controller.admissionWebhooks.namespaceSelector | object | `{}` |  |
 | controller.admissionWebhooks.objectSelector | object | `{}` |  |
 | controller.admissionWebhooks.patch.enabled | bool | `true` |  |
-| controller.admissionWebhooks.patch.fsGroup | int | `2000` |  |
-| controller.admissionWebhooks.patch.image.digest | string | `"sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660"` |  |
+| controller.admissionWebhooks.patch.image.digest | string | `"sha256:0de05718b59dc33b57ddfb4d8ad5f637cefd13eafdec0e1579d782b3483c27c3"` |  |
 | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` |  |
 | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` |  |
-| controller.admissionWebhooks.patch.image.registry | string | `"k8s.gcr.io"` |  |
-| controller.admissionWebhooks.patch.image.tag | string | `"v1.1.1"` |  |
+| controller.admissionWebhooks.patch.image.tag | string | `"v1.5.1"` |  |
 | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
+| controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
 | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
 | controller.admissionWebhooks.patch.podAnnotations | object | `{}` |  |
-| controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job |
-| controller.admissionWebhooks.patch.runAsUser | int | `2000` |  |
+| controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # |
+| controller.admissionWebhooks.patch.rbac | object | `{"create":true}` | Admission webhook patch job RBAC |
+| controller.admissionWebhooks.patch.rbac.create | bool | `true` | Create RBAC or not |
+| controller.admissionWebhooks.patch.securityContext | object | `{}` | Security context for secret creation & webhook patch pods |
+| controller.admissionWebhooks.patch.serviceAccount | object | `{"automountServiceAccountToken":true,"create":true,"name":""}` | Admission webhook patch job service account |
+| controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken | bool | `true` | Auto-mount service account token or not |
+| controller.admissionWebhooks.patch.serviceAccount.create | bool | `true` | Create a service account or not |
+| controller.admissionWebhooks.patch.serviceAccount.name | string | `""` | Custom service account name |
 | controller.admissionWebhooks.patch.tolerations | list | `[]` |  |
+| controller.admissionWebhooks.patchWebhookJob.name | string | `"patch"` |  |
 | controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` |  |
+| controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers |
 | controller.admissionWebhooks.port | int | `8443` |  |
 | controller.admissionWebhooks.service.annotations | object | `{}` |  |
 | controller.admissionWebhooks.service.externalIPs | list | `[]` |  |
 | controller.admissionWebhooks.service.loadBalancerSourceRanges | list | `[]` |  |
 | controller.admissionWebhooks.service.servicePort | int | `443` |  |
 | controller.admissionWebhooks.service.type | string | `"ClusterIP"` |  |
-| controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes |
-| controller.allowSnippetAnnotations | bool | `true` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected |
-| controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet |
+| controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # |
+| controller.allowSnippetAnnotations | bool | `false` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected |
+| controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # |
+| controller.autoscaling.annotations | object | `{}` |  |
 | controller.autoscaling.behavior | object | `{}` |  |
 | controller.autoscaling.enabled | bool | `false` |  |
 | controller.autoscaling.maxReplicas | int | `11` |  |
@ -279,48 +307,59 @@ Kubernetes: `>=1.19.0-0`
 | controller.autoscaling.targetCPUUtilizationPercentage | int | `50` |  |
 | controller.autoscaling.targetMemoryUtilizationPercentage | int | `50` |  |
 | controller.autoscalingTemplate | list | `[]` |  |
-| controller.config | object | `{}` | Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ |
+| controller.config | object | `{}` | Global configuration passed to the ConfigMap consumed by the controller. Values may contain Helm templates. Ref.: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ |
 | controller.configAnnotations | object | `{}` | Annotations to be added to the controller config configuration configmap. |
 | controller.configMapNamespace | string | `""` | Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) |
 | controller.containerName | string | `"controller"` | Configures the controller container name |
 | controller.containerPort | object | `{"http":80,"https":443}` | Configures the ports that the nginx-controller listens on |
+| controller.containerSecurityContext | object | `{}` | Security context for controller containers |
 | controller.customTemplate.configMapKey | string | `""` |  |
 | controller.customTemplate.configMapName | string | `""` |  |
+| controller.disableLeaderElection | bool | `false` | This configuration disable Nginx Controller Leader Election |
 | controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. |
 | controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. |
-| controller.electionID | string | `"ingress-controller-leader"` | Election ID to use for status update |
-| controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. |
-| controller.existingPsp | string | `""` | Use an existing PSP instead of creating one |
-| controller.extraArgs | object | `{}` | Additional command line arguments to pass to nginx-ingress-controller E.g. to specify the default SSL certificate you can use |
+| controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' |
+| controller.electionTTL | string | `""` | Duration a leader election is valid before it's getting re-elected, e.g. `15s`, `10m` or `1h`. (Default: 30s) |
+| controller.enableAnnotationValidations | bool | `true` |  |
+| controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # |
+| controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false |
+| controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use |
 | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. |
 | controller.extraEnvs | list | `[]` | Additional environment variables to set |
 | controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. |
-| controller.extraModules | list | `[]` |  |
+| controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. |
 | controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. |
 | controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. |
-| controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the ingress nginx controller is running in the `hostNetwork: true` mode. |
+| controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. |
 | controller.healthCheckPath | string | `"/healthz"` | Path of the health check endpoint. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. |
+| controller.hostAliases | list | `[]` | Optionally customize the pod hostAliases. |
 | controller.hostNetwork | bool | `false` | Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 is merged |
 | controller.hostPort.enabled | bool | `false` | Enable 'hostPort' or not |
 | controller.hostPort.ports.http | int | `80` | 'hostPort' http port |
 | controller.hostPort.ports.https | int | `443` | 'hostPort' https port |
 | controller.hostname | object | `{}` | Optionally customize the pod hostname. |
-| controller.image.allowPrivilegeEscalation | bool | `true` |  |
+| controller.image.allowPrivilegeEscalation | bool | `false` |  |
 | controller.image.chroot | bool | `false` |  |
-| controller.image.digest | string | `"sha256:92115f5062568ebbcd450cd2cf9bffdef8df9fc61e7d5868ba8a7c9d773e0961"` |  |
-| controller.image.digestChroot | string | `"sha256:0082f0f547b147a30ad85a5d6d2ceb3edbf0848b2008ed754365b6678bdea9a5"` |  |
+| controller.image.digest | string | `"sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa"` |  |
+| controller.image.digestChroot | string | `"sha256:87c88e1c38a6c8d4483c8f70b69e2cca49853bb3ec3124b9b1be648edf139af3"` |  |
 | controller.image.image | string | `"ingress-nginx/controller"` |  |
 | controller.image.pullPolicy | string | `"IfNotPresent"` |  |
-| controller.image.registry | string | `"k8s.gcr.io"` |  |
-| controller.image.runAsUser | int | `101` |  |
-| controller.image.tag | string | `"v1.2.0-beta.0"` |  |
+| controller.image.readOnlyRootFilesystem | bool | `false` |  |
+| controller.image.runAsGroup | int | `82` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) |
+| controller.image.runAsNonRoot | bool | `true` |  |
+| controller.image.runAsUser | int | `101` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) |
+| controller.image.seccompProfile.type | string | `"RuntimeDefault"` |  |
+| controller.image.tag | string | `"v1.12.0"` |  |
 | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
 | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
-| controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass |
-| controller.ingressClassResource.default | bool | `false` | Is this the default ingressClass for the cluster |
-| controller.ingressClassResource.enabled | bool | `true` | Is this ingressClass enabled or not |
-| controller.ingressClassResource.name | string | `"nginx"` | Name of the ingressClass |
-| controller.ingressClassResource.parameters | object | `{}` | Parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters. |
+| controller.ingressClassResource | object | `{"aliases":[],"annotations":{},"controllerValue":"k8s.io/ingress-nginx","default":false,"enabled":true,"name":"nginx","parameters":{}}` | This section refers to the creation of the IngressClass resource. IngressClasses are immutable and cannot be changed after creation. We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required. |
+| controller.ingressClassResource.aliases | list | `[]` | Aliases of this IngressClass. Creates copies with identical settings but the respective alias as name. Useful for development environments with only one Ingress Controller but production-like Ingress resources. `default` gets enabled on the original IngressClass only. |
+| controller.ingressClassResource.annotations | object | `{}` | Annotations to be added to the IngressClass resource. |
+| controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller of the IngressClass. An Ingress Controller looks for IngressClasses it should reconcile by this value. This value is also being set as the `--controller-class` argument of this Ingress Controller. Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class |
+| controller.ingressClassResource.default | bool | `false` | If true, Ingresses without `ingressClassName` get assigned to this IngressClass on creation. Ingress creation gets rejected if there are multiple default IngressClasses. Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class |
+| controller.ingressClassResource.enabled | bool | `true` | Create the IngressClass or not |
+| controller.ingressClassResource.name | string | `"nginx"` | Name of the IngressClass |
+| controller.ingressClassResource.parameters | object | `{}` | A link to a custom resource containing additional configuration for the controller. This is optional if the controller consuming this IngressClass does not require additional parameters. Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class |
 | controller.keda.apiVersion | string | `"keda.sh/v1alpha1"` |  |
 | controller.keda.behavior | object | `{}` |  |
 | controller.keda.cooldownPeriod | int | `300` |  |
@ -332,8 +371,8 @@ Kubernetes: `>=1.19.0-0`
 | controller.keda.scaledObject.annotations | object | `{}` |  |
 | controller.keda.triggers | list | `[]` |  |
 | controller.kind | string | `"Deployment"` | Use a `DaemonSet` or `Deployment` |
-| controller.labels | object | `{}` | Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels |
-| controller.lifecycle | object | `{"preStop":{"exec":{"command":["/wait-shutdown"]}}}` | Improve connection draining when ingress controller pod is deleted using a lifecycle hook: With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds to 300, allowing the draining of connections up to five minutes. If the active connections end before that, the pod will terminate gracefully at that time. To effectively take advantage of this feature, the Configmap feature worker-shutdown-timeout new value is 240s instead of 10s. |
+| controller.labels | object | `{}` | Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels # |
+| controller.lifecycle | object | `{"preStop":{"exec":{"command":["/wait-shutdown"]}}}` | Improve connection draining when ingress controller pod is deleted using a lifecycle hook: With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds to 300, allowing the draining of connections up to five minutes. If the active connections end before that, the pod will terminate gracefully at that time. To effectively take advantage of this feature, the Configmap feature worker-shutdown-timeout new value is 240s instead of 10s. # |
 | controller.livenessProbe.failureThreshold | int | `5` |  |
 | controller.livenessProbe.httpGet.path | string | `"/healthz"` |  |
 | controller.livenessProbe.httpGet.port | int | `10254` |  |
@ -342,33 +381,45 @@ Kubernetes: `>=1.19.0-0`
 | controller.livenessProbe.periodSeconds | int | `10` |  |
 | controller.livenessProbe.successThreshold | int | `1` |  |
 | controller.livenessProbe.timeoutSeconds | int | `1` |  |
-| controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. |
+| controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. # https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/ |
 | controller.metrics.enabled | bool | `false` |  |
 | controller.metrics.port | int | `10254` |  |
+| controller.metrics.portName | string | `"metrics"` |  |
 | controller.metrics.prometheusRule.additionalLabels | object | `{}` |  |
+| controller.metrics.prometheusRule.annotations | object | `{}` | Annotations to be added to the PrometheusRule. |
 | controller.metrics.prometheusRule.enabled | bool | `false` |  |
 | controller.metrics.prometheusRule.rules | list | `[]` |  |
 | controller.metrics.service.annotations | object | `{}` |  |
-| controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available |
+| controller.metrics.service.enabled | bool | `true` | Enable the metrics service or not. |
+| controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
+| controller.metrics.service.labels | object | `{}` | Labels to be added to the metrics service resource |
 | controller.metrics.service.loadBalancerSourceRanges | list | `[]` |  |
 | controller.metrics.service.servicePort | int | `10254` |  |
 | controller.metrics.service.type | string | `"ClusterIP"` |  |
 | controller.metrics.serviceMonitor.additionalLabels | object | `{}` |  |
+| controller.metrics.serviceMonitor.annotations | object | `{}` | Annotations to be added to the ServiceMonitor. |
 | controller.metrics.serviceMonitor.enabled | bool | `false` |  |
+| controller.metrics.serviceMonitor.labelLimit | int | `0` | Per-scrape limit on number of labels that will be accepted for a sample. |
+| controller.metrics.serviceMonitor.labelNameLengthLimit | int | `0` | Per-scrape limit on length of labels name that will be accepted for a sample. |
+| controller.metrics.serviceMonitor.labelValueLengthLimit | int | `0` | Per-scrape limit on length of labels value that will be accepted for a sample. |
 | controller.metrics.serviceMonitor.metricRelabelings | list | `[]` |  |
 | controller.metrics.serviceMonitor.namespace | string | `""` |  |
 | controller.metrics.serviceMonitor.namespaceSelector | object | `{}` |  |
 | controller.metrics.serviceMonitor.relabelings | list | `[]` |  |
+| controller.metrics.serviceMonitor.sampleLimit | int | `0` | Defines a per-scrape limit on the number of scraped samples that will be accepted. |
 | controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` |  |
 | controller.metrics.serviceMonitor.targetLabels | list | `[]` |  |
-| controller.minAvailable | int | `1` |  |
-| controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready |
+| controller.metrics.serviceMonitor.targetLimit | int | `0` | Defines a limit on the number of scraped targets that will be accepted. |
+| controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. |
+| controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
 | controller.name | string | `"controller"` |  |
-| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment |
-| controller.podAnnotations | object | `{}` | Annotations to be added to controller pods |
+| controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
+| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
+| controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # |
 | controller.podLabels | object | `{}` | Labels to add to the pod container metadata |
-| controller.podSecurityContext | object | `{}` | Security Context policies for controller pods |
+| controller.podSecurityContext | object | `{}` | Security context for controller pods |
 | controller.priorityClassName | string | `""` |  |
+| controller.progressDeadlineSeconds | int | `0` | Specifies the number of seconds you want to wait for the controller deployment to progress before the system reports back that it has failed. Ref.: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds |
 | controller.proxySetHeaders | object | `{}` | Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers |
 | controller.publishService | object | `{"enabled":true,"pathOverride":""}` | Allows customization of the source of the IP address or FQDN to report in the ingress status field. By default, it reads the information provided by the service. If disable, the status field reports the IP address of the node or nodes where an ingress controller pod is running. |
 | controller.publishService.enabled | bool | `true` | Enable 'publishService' or not |
@ -382,57 +433,85 @@ Kubernetes: `>=1.19.0-0`
 | controller.readinessProbe.successThreshold | int | `1` |  |
 | controller.readinessProbe.timeoutSeconds | int | `1` |  |
 | controller.replicaCount | int | `1` |  |
-| controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply |
+| controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply |
 | controller.resources.requests.cpu | string | `"100m"` |  |
 | controller.resources.requests.memory | string | `"90Mi"` |  |
 | controller.scope.enabled | bool | `false` | Enable 'scope' or not |
 | controller.scope.namespace | string | `""` | Namespace to limit the controller to; defaults to $(POD_NAMESPACE) |
 | controller.scope.namespaceSelector | string | `""` | When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. |
-| controller.service.annotations | object | `{}` |  |
-| controller.service.appProtocol | bool | `true` | If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http It allows choosing the protocol for each backend specified in the Kubernetes service. See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 Will be ignored for Kubernetes versions older than 1.20 |
-| controller.service.enableHttp | bool | `true` |  |
-| controller.service.enableHttps | bool | `true` |  |
-| controller.service.enabled | bool | `true` |  |
-| controller.service.external.enabled | bool | `true` |  |
-| controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available |
-| controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. |
-| controller.service.internal.enabled | bool | `false` | Enables an additional internal load balancer (besides the external one). |
-| controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. |
-| controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. |
-| controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack-ness requested or required by this Service. Possible values are SingleStack, PreferDualStack or RequireDualStack. The ipFamilies and clusterIPs fields depend on the value of this field. |
-| controller.service.labels | object | `{}` |  |
-| controller.service.loadBalancerSourceRanges | list | `[]` |  |
-| controller.service.nodePorts.http | string | `""` |  |
-| controller.service.nodePorts.https | string | `""` |  |
-| controller.service.nodePorts.tcp | object | `{}` |  |
-| controller.service.nodePorts.udp | object | `{}` |  |
-| controller.service.ports.http | int | `80` |  |
-| controller.service.ports.https | int | `443` |  |
-| controller.service.targetPorts.http | string | `"http"` |  |
-| controller.service.targetPorts.https | string | `"https"` |  |
-| controller.service.type | string | `"LoadBalancer"` |  |
-| controller.shareProcessNamespace | bool | `false` |  This can be used for example to signal log rotation using `kill -USR1` from a sidecar. |
-| controller.sysctls | object | `{}` | See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls |
+| controller.service.annotations | object | `{}` | Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service. |
+| controller.service.appProtocol | bool | `true` | Declare the app protocol of the external HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol |
+| controller.service.clusterIP | string | `""` | Pre-defined cluster internal IP address of the external controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
+| controller.service.clusterIPs | list | `[]` | Pre-defined cluster internal IP addresses of the external controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
+| controller.service.enableHttp | bool | `true` | Enable the HTTP listener on both controller services or not. |
+| controller.service.enableHttps | bool | `true` | Enable the HTTPS listener on both controller services or not. |
+| controller.service.enabled | bool | `true` | Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service. |
+| controller.service.external.enabled | bool | `true` | Enable the external controller service or not. Useful for internal-only deployments. |
+| controller.service.external.labels | object | `{}` | Labels to be added to the external controller service. |
+| controller.service.externalIPs | list | `[]` | List of node IP addresses at which the external controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips |
+| controller.service.externalTrafficPolicy | string | `""` | External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
+| controller.service.internal.annotations | object | `{}` | Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer |
+| controller.service.internal.appProtocol | bool | `true` | Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol |
+| controller.service.internal.clusterIP | string | `""` | Pre-defined cluster internal IP address of the internal controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
+| controller.service.internal.clusterIPs | list | `[]` | Pre-defined cluster internal IP addresses of the internal controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
+| controller.service.internal.enabled | bool | `false` | Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this. |
+| controller.service.internal.externalIPs | list | `[]` | List of node IP addresses at which the internal controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips |
+| controller.service.internal.externalTrafficPolicy | string | `""` | External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
+| controller.service.internal.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
+| controller.service.internal.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
+| controller.service.internal.labels | object | `{}` | Labels to be added to the internal controller service. |
+| controller.service.internal.loadBalancerClass | string | `""` | Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class |
+| controller.service.internal.loadBalancerIP | string | `""` | Deprecated: Pre-defined IP address of the internal controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer |
+| controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access to the internal controller service. Values must be CIDRs. Allows any source address by default. |
+| controller.service.internal.nodePorts.http | string | `""` | Node port allocated for the internal HTTP listener. If left empty, the service controller allocates one from the configured node port range. |
+| controller.service.internal.nodePorts.https | string | `""` | Node port allocated for the internal HTTPS listener. If left empty, the service controller allocates one from the configured node port range. |
+| controller.service.internal.nodePorts.tcp | object | `{}` | Node port mapping for internal TCP listeners. If left empty, the service controller allocates them from the configured node port range. Example: tcp:   8080: 30080 |
+| controller.service.internal.nodePorts.udp | object | `{}` | Node port mapping for internal UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp:   53: 30053 |
+| controller.service.internal.ports | object | `{}` |  |
+| controller.service.internal.sessionAffinity | string | `""` | Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity |
+| controller.service.internal.targetPorts | object | `{}` |  |
+| controller.service.internal.trafficDistribution | string | `""` | Traffic distribution policy of the internal controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution |
+| controller.service.internal.type | string | `""` | Type of the internal controller service. Defaults to the value of `controller.service.type`. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
+| controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
+| controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
+| controller.service.labels | object | `{}` | Labels to be added to both controller services. |
+| controller.service.loadBalancerClass | string | `""` | Load balancer class of the external controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class |
+| controller.service.loadBalancerIP | string | `""` | Deprecated: Pre-defined IP address of the external controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer |
+| controller.service.loadBalancerSourceRanges | list | `[]` | Restrict access to the external controller service. Values must be CIDRs. Allows any source address by default. |
+| controller.service.nodePorts.http | string | `""` | Node port allocated for the external HTTP listener. If left empty, the service controller allocates one from the configured node port range. |
+| controller.service.nodePorts.https | string | `""` | Node port allocated for the external HTTPS listener. If left empty, the service controller allocates one from the configured node port range. |
+| controller.service.nodePorts.tcp | object | `{}` | Node port mapping for external TCP listeners. If left empty, the service controller allocates them from the configured node port range. Example: tcp:   8080: 30080 |
+| controller.service.nodePorts.udp | object | `{}` | Node port mapping for external UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp:   53: 30053 |
+| controller.service.ports.http | int | `80` | Port the external HTTP listener is published with. |
+| controller.service.ports.https | int | `443` | Port the external HTTPS listener is published with. |
+| controller.service.sessionAffinity | string | `""` | Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity |
+| controller.service.targetPorts.http | string | `"http"` | Port of the ingress controller the external HTTP listener is mapped to. |
+| controller.service.targetPorts.https | string | `"https"` | Port of the ingress controller the external HTTPS listener is mapped to. |
+| controller.service.trafficDistribution | string | `""` | Traffic distribution policy of the external controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution |
+| controller.service.type | string | `"LoadBalancer"` | Type of the external controller service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
+| controller.shareProcessNamespace | bool | `false` |  |
+| controller.sysctls | object | `{}` | sysctls for controller pods # Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ |
 | controller.tcp.annotations | object | `{}` | Annotations to be added to the tcp config configmap |
 | controller.tcp.configMapNamespace | string | `""` | Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) |
-| controller.terminationGracePeriodSeconds | int | `300` | `terminationGracePeriodSeconds` to avoid killing pods before we are ready |
-| controller.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints |
-| controller.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. |
+| controller.terminationGracePeriodSeconds | int | `300` | `terminationGracePeriodSeconds` to avoid killing pods before we are ready # wait up to five minutes for the drain of connections # |
+| controller.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # |
+| controller.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. # Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ # |
 | controller.udp.annotations | object | `{}` | Annotations to be added to the udp config configmap |
 | controller.udp.configMapNamespace | string | `""` | Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) |
-| controller.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet |
+| controller.unhealthyPodEvictionPolicy | string | `""` | Eviction policy for unhealthy pods guarded by PodDisruptionBudget. Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ |
+| controller.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
 | controller.watchIngressWithoutClass | bool | `false` | Process Ingress objects without ingressClass annotation/ingressClassName field Overrides value for --watch-ingress-without-class flag of the controller binary Defaults to false |
-| defaultBackend.affinity | object | `{}` |  |
+| defaultBackend.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity |
 | defaultBackend.autoscaling.annotations | object | `{}` |  |
 | defaultBackend.autoscaling.enabled | bool | `false` |  |
 | defaultBackend.autoscaling.maxReplicas | int | `2` |  |
 | defaultBackend.autoscaling.minReplicas | int | `1` |  |
 | defaultBackend.autoscaling.targetCPUUtilizationPercentage | int | `50` |  |
 | defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` |  |
-| defaultBackend.containerSecurityContext | object | `{}` | Security Context policies for controller main container. See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls |
+| defaultBackend.containerSecurityContext | object | `{}` | Security context for default backend containers |
 | defaultBackend.enabled | bool | `false` |  |
-| defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one |
 | defaultBackend.extraArgs | object | `{}` |  |
+| defaultBackend.extraConfigMaps | list | `[]` |  |
 | defaultBackend.extraEnvs | list | `[]` | Additional environment variables to set for defaultBackend pods |
 | defaultBackend.extraVolumeMounts | list | `[]` |  |
 | defaultBackend.extraVolumes | list | `[]` |  |
@ -440,9 +519,10 @@ Kubernetes: `>=1.19.0-0`
 | defaultBackend.image.image | string | `"defaultbackend-amd64"` |  |
 | defaultBackend.image.pullPolicy | string | `"IfNotPresent"` |  |
 | defaultBackend.image.readOnlyRootFilesystem | bool | `true` |  |
-| defaultBackend.image.registry | string | `"k8s.gcr.io"` |  |
+| defaultBackend.image.runAsGroup | int | `65534` |  |
 | defaultBackend.image.runAsNonRoot | bool | `true` |  |
 | defaultBackend.image.runAsUser | int | `65534` |  |
+| defaultBackend.image.seccompProfile.type | string | `"RuntimeDefault"` |  |
 | defaultBackend.image.tag | string | `"1.5"` |  |
 | defaultBackend.labels | object | `{}` | Labels to be added to the default backend resources |
 | defaultBackend.livenessProbe.failureThreshold | int | `3` |  |
@ -450,12 +530,14 @@ Kubernetes: `>=1.19.0-0`
 | defaultBackend.livenessProbe.periodSeconds | int | `10` |  |
 | defaultBackend.livenessProbe.successThreshold | int | `1` |  |
 | defaultBackend.livenessProbe.timeoutSeconds | int | `5` |  |
-| defaultBackend.minAvailable | int | `1` |  |
+| defaultBackend.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. |
+| defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
 | defaultBackend.name | string | `"defaultbackend"` |  |
-| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment |
-| defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods |
+| defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
+| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
+| defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # |
 | defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata |
-| defaultBackend.podSecurityContext | object | `{}` | Security Context policies for controller pods See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls |
+| defaultBackend.podSecurityContext | object | `{}` | Security context for default backend pods |
 | defaultBackend.port | int | `8080` |  |
 | defaultBackend.priorityClassName | string | `""` |  |
 | defaultBackend.readinessProbe.failureThreshold | int | `6` |  |
@ -466,24 +548,29 @@ Kubernetes: `>=1.19.0-0`
 | defaultBackend.replicaCount | int | `1` |  |
 | defaultBackend.resources | object | `{}` |  |
 | defaultBackend.service.annotations | object | `{}` |  |
-| defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available |
+| defaultBackend.service.clusterIPs | list | `[]` | Pre-defined cluster internal IP addresses of the default backend service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
+| defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
 | defaultBackend.service.loadBalancerSourceRanges | list | `[]` |  |
 | defaultBackend.service.servicePort | int | `80` |  |
 | defaultBackend.service.type | string | `"ClusterIP"` |  |
 | defaultBackend.serviceAccount.automountServiceAccountToken | bool | `true` |  |
 | defaultBackend.serviceAccount.create | bool | `true` |  |
 | defaultBackend.serviceAccount.name | string | `""` |  |
-| defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints |
-| dhParam | string | `nil` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` |
-| imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials |
-| podSecurityPolicy.enabled | bool | `false` |  |
+| defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # |
+| defaultBackend.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. Ref.: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ |
+| defaultBackend.unhealthyPodEvictionPolicy | string | `""` | Eviction policy for unhealthy pods guarded by PodDisruptionBudget. Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ |
+| defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
+| dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param |
+| global.image.registry | string | `"registry.k8s.io"` | Registry host to pull images from. |
+| imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
+| namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace |
+| portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration |
 | rbac.create | bool | `true` |  |
 | rbac.scope | bool | `false` |  |
-| revisionHistoryLimit | int | `10` | Rollback limit |
+| revisionHistoryLimit | int | `10` | Rollback limit # |
 | serviceAccount.annotations | object | `{}` | Annotations for the controller service account |
 | serviceAccount.automountServiceAccountToken | bool | `true` |  |
 | serviceAccount.create | bool | `true` |  |
 | serviceAccount.name | string | `""` |  |
-| tcp | object | `{}` | TCP service key:value pairs |
-| udp | object | `{}` | UDP service key:value pairs |
-
+| tcp | object | `{}` | TCP service key-value pairs # Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md # |
+| udp | object | `{}` | UDP service key-value pairs # Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md # |
--- a/charts/ingress-nginx/README.md.gotmpl
+++ b/charts/ingress-nginx/README.md.gotmpl
@ -7,10 +7,7 @@ To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.c

 This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.

-## Prerequisites
-
- Chart version 3.x.x: Kubernetes v1.16+
- Chart version 4.x.x and above: Kubernetes v1.19+
+{{ template "chart.requirementsSection" . }}

 ## Get Repo Info

@ -51,10 +48,6 @@ helm upgrade [RELEASE_NAME] [CHART] --install

 _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._

-### Upgrading With Zero Downtime in Production
-
-By default the ingress-nginx controller has service interruptions whenever it's pods are restarted or redeployed. In order to fix that, see the excellent blog post by Lindsay Landry from Codecademy: [Kubernetes: Nginx and Zero Downtime in Production](https://medium.com/codecademy-engineering/kubernetes-nginx-and-zero-downtime-in-production-2c910c6a5ed8).
-
 ### Migrating from stable/nginx-ingress

 There are two main ways to migrate a release from `stable/nginx-ingress` to `ingress-nginx/ingress-nginx` chart:
@ -65,7 +58,6 @@ There are two main ways to migrate a release from `stable/nginx-ingress` to `ing
    1. Redirect your DNS traffic from the old controller to the new controller
    1. Log traffic from both controllers during this changeover
    1. [Uninstall](#uninstall-chart) the old controller once traffic has fully drained from it
-    1. For details on all of these steps see [Upgrading With Zero Downtime in Production](#upgrading-with-zero-downtime-in-production)

 Note that there are some different and upgraded configurations between the two charts, described by Rimas Mocevicius from JFrog in the "Upgrading to ingress-nginx Helm chart" section of [Migrating from Helm chart nginx-ingress to ingress-nginx](https://rimusz.net/migrating-to-ingress-nginx). As the `ingress-nginx/ingress-nginx` chart continues to update, you will want to check current differences by running [helm configuration](#configuration) commands on both charts.

@ -84,14 +76,14 @@ else it would make it impossible to evacuate a node. See [gh issue #7127](https:

 ### Prometheus Metrics

-The Nginx ingress controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`.
+The Ingress-Nginx Controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`.

 You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`.
 Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. And set `controller.metrics.serviceMonitor.additionalLabels.release="prometheus"`. "release=prometheus" should match the label configured in the prometheus servicemonitor ( see `kubectl get servicemonitor prometheus-kube-prom-prometheus -oyaml -n prometheus`)

 ### ingress-nginx nginx\_status page/stats server

-Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in nginx ingress controller:
+Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in Ingress-Nginx Controller:

 - In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed
 - In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost.
@ -99,7 +91,7 @@ Previous versions of this chart had a `controller.stats.*` configuration block,

 ### ExternalDNS Service Configuration

-Add an [ExternalDNS](https://github.com/kubernetes-incubator/external-dns) annotation to the LoadBalancer service:
+Add an [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) annotation to the LoadBalancer service:

 ```yaml
 controller:
@ -125,19 +117,6 @@ controller:
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
 ```

-### AWS route53-mapper
-
-To configure the LoadBalancer service with the [route53-mapper addon](https://github.com/kubernetes/kops/blob/be63d4f1a7a46daaf1c4c482527328236850f111/addons/route53-mapper/README.md), add the `domainName` annotation and `dns` label:
-
-```yaml
-controller:
-  service:
-    labels:
-      dns: "route53"
-    annotations:
-      domainName: "kubernetes-example.com"
-```
-
 ### Additional Internal Load Balancer

 This setup is useful when you need both external and internal load balancers but don't want to have multiple ingress controllers and multiple ingress objects per application.
@ -161,8 +140,10 @@ controller:
    internal:
      enabled: true
      annotations:
-        # Create internal ELB
-        service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+        # Create internal NLB
+        service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
+        # Create internal ELB(Deprecated)
+        # service.beta.kubernetes.io/aws-load-balancer-internal: "true"
        # Any other annotation can be declared here.
 ```

@ -174,7 +155,7 @@ controller:
    internal:
      enabled: true
      annotations:
-        # Create internal LB. More informations: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing
+        # Create internal LB. More information: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing
        # For GKE versions 1.17 and later
        networking.gke.io/load-balancer-type: "Internal"
        # For earlier versions
@ -205,17 +186,34 @@ controller:
        # Any other annotation can be declared here.
 ```

+The load balancer annotations of more cloud service providers can be found: [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer).
+
 An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object.

 Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`.

 ### Ingress Admission Webhooks

-With nginx-ingress-controller version 0.25+, the nginx ingress controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
+With nginx-ingress-controller version 0.25+, the Ingress-Nginx Controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
 **This feature is enabled by default since 0.31.0.**

 With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521)

+#### How the Chart Configures the Hooks
+A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks.
+
+1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits.
+2. The Ingress-Nginx Controller pod is configured to use a TLS proxy container, which will load that certificate.
+3. Validating and Mutating webhook configurations are created in the cluster.
+4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations
+
+#### Alternatives
+It should be possible to use [cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) if a more complete solution is required.
+
+You can enable automatic self-signed TLS certificate provisioning via cert-manager by setting the `controller.admissionWebhooks.certManager.enabled` value to true.
+
+Please ensure that cert-manager is correctly installed and configured.
+
 ### Helm Error When Upgrading: spec.clusterIP: Invalid value: ""

 If you are upgrading this chart from a version between 0.31.0 and 1.2.2 then you may get an error like this:
@ -228,8 +226,22 @@ Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13

 As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered.

-{{ template "chart.requirementsSection" . }}
+### Pod Security Admission
+
+You can use Pod Security Admission by applying labels to the `ingress-nginx` namespace as instructed by the [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels).
+
+Example:
+
+```yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ingress-nginx
+  labels:
+    kubernetes.io/metadata.name: ingress-nginx
+    name: ingress-nginx
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: v1.31
+```

 {{ template "chart.valuesSection" . }}
-
-{{ template "helm-docs.versionFooter" . }}
--- a/charts/ingress-nginx/changelog/helm-chart-2.10.0.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.10.0.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.10.0
+
+* [#5843](https://github.com/kubernetes/ingress-nginx/pull/5843) Update jettech/kube-webhook-certgen image
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.9.1...ingress-nginx-2.10.0
--- a/charts/ingress-nginx/changelog/helm-chart-2.11.0.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.11.0.md
@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.11.0
+
+* [#5879](https://github.com/kubernetes/ingress-nginx/pull/5879) Update helm chart for v0.34.0
+* [#5671](https://github.com/kubernetes/ingress-nginx/pull/5671) Make liveness probe more fault tolerant than readiness probe
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.10.0...ingress-nginx-2.11.0
--- a/charts/ingress-nginx/changelog/helm-chart-2.11.1.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.11.1.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.11.1
+
+* [#5900](https://github.com/kubernetes/ingress-nginx/pull/5900) Release helm chart for v0.34.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.11.0...ingress-nginx-2.11.1
--- a/charts/ingress-nginx/changelog/helm-chart-2.11.2.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.11.2.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.11.2
+
+* [#5951](https://github.com/kubernetes/ingress-nginx/pull/5951) Bump chart patch version
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.11.1...ingress-nginx-2.11.2
--- a/charts/ingress-nginx/changelog/helm-chart-2.11.3.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.11.3.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.11.3
+
+* [#6038](https://github.com/kubernetes/ingress-nginx/pull/6038) Bump chart version PATCH
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.11.2...ingress-nginx-2.11.3
--- a/charts/ingress-nginx/changelog/helm-chart-2.12.0.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.12.0.md
@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.12.0
+
+* [#6039](https://github.com/kubernetes/ingress-nginx/pull/6039) Add configurable serviceMonitor metricRelabelling and targetLabels
+* [#6044](https://github.com/kubernetes/ingress-nginx/pull/6044) Fix YAML linting
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.11.3...ingress-nginx-2.12.0
--- a/charts/ingress-nginx/changelog/helm-chart-2.12.1.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.12.1.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.12.1
+
+* [#6075](https://github.com/kubernetes/ingress-nginx/pull/6075) Sync helm chart affinity examples
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.12.0...ingress-nginx-2.12.1
--- a/charts/ingress-nginx/changelog/helm-chart-2.13.0.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.13.0.md
@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.13.0
+
+* [#6093](https://github.com/kubernetes/ingress-nginx/pull/6093) Release v0.35.0
+* [#6080](https://github.com/kubernetes/ingress-nginx/pull/6080) Switch images to k8s.gcr.io after Vanity Domain Flip
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.12.1...ingress-nginx-2.13.0
--- a/charts/ingress-nginx/changelog/helm-chart-2.14.0.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.14.0.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.14.0
+
+* [#6104](https://github.com/kubernetes/ingress-nginx/pull/6104) Misc fixes for nginx-ingress chart for better keel and prometheus-operator integration
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.13.0...ingress-nginx-2.14.0
--- a/charts/ingress-nginx/changelog/helm-chart-2.15.0.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.15.0.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.15.0
+
+* [#6087](https://github.com/kubernetes/ingress-nginx/pull/6087) Adding parameter for externalTrafficPolicy in internal controller service spec
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.14.0...ingress-nginx-2.15.0
--- a/charts/ingress-nginx/changelog/helm-chart-2.16.0.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.16.0.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.16.0
+
+* [#6154](https://github.com/kubernetes/ingress-nginx/pull/6154) add `topologySpreadConstraint` to controller
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.15.0...ingress-nginx-2.16.0
--- a/charts/ingress-nginx/changelog/helm-chart-2.9.0.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.9.0.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.9.0
+
+* [#5795](https://github.com/kubernetes/ingress-nginx/pull/5795) Use fully qualified images to avoid cri-o issues
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-TODO...ingress-nginx-2.9.0
--- a/charts/ingress-nginx/changelog/helm-chart-2.9.1.md
+++ b/charts/ingress-nginx/changelog/helm-chart-2.9.1.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.9.1
+
+* [#5823](https://github.com/kubernetes/ingress-nginx/pull/5823) Add quoting to sysctls because numeric values need to be presented as strings (#5823)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.9.0...ingress-nginx-2.9.1
--- a/charts/ingress-nginx/changelog/helm-chart-3.0.0.md
+++ b/charts/ingress-nginx/changelog/helm-chart-3.0.0.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.0.0
+
+* [#6167](https://github.com/kubernetes/ingress-nginx/pull/6167) Update chart requirements
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.16.0...ingress-nginx-3.0.0
--- a/charts/ingress-nginx/changelog/helm-chart-3.10.0.md
+++ b/charts/ingress-nginx/changelog/helm-chart-3.10.0.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.10.0
+
+* Fix routing regression introduced in 0.41.0 with PathType Exact
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.9.0...ingress-nginx-3.10.0
--- a/charts/ingress-nginx/changelog/helm-chart-3.10.1.md
+++ b/charts/ingress-nginx/changelog/helm-chart-3.10.1.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.10.1
+
+* Fix regression introduced in 0.41.0 with external authentication
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.10.0...ingress-nginx-3.10.1
--- a/Show more
+++ b/Show more
				`@ -0,0 +1 @@`
				`registry.k8s.io/ingress-nginx/nginx:v2.0.0@sha256:3e7bda4cf5111d283ed1e4ff5cc9a2b5cdc5ebe62d50ba67473d3e25b1389133`