Bump github.com/spf13/cobra from 1.8.1 to 1.9.1 (#12859 )

Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bump the go group across 3 directories with 11 updates (#12857 )
2025-02-17 04:30:24 -08:00 · 2025-02-17 03:32:22 -08:00 · 2025-02-17 03:16:23 -08:00 · 2025-02-17 02:18:22 -08:00 · 2025-02-15 01:10:20 -08:00 · 2025-02-14 14:48:21 -08:00
230 changed files with 3118 additions and 3923 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@ -71,6 +71,22 @@ jobs:
              - 'images/nginx/**'
            docs:
              - '**/*.md'
+            lua:
+              - '**/*.lua'
+
+  lua-lint:
+    runs-on: ubuntu-latest
+    needs: changes
+    if: |
+      (needs.changes.outputs.lua == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      
+      - name: Lint Lua
+        uses: lunarmodules/luacheck@v1
+        with:
+          args: --codes --globals lua_ingress --globals configuration --globals balancer --globals monitor --globals certificate --globals tcp_udp_configuration --globals tcp_udp_balancer --no-max-comment-line-length -q rootfs/etc/nginx/lua/

  test-go:
    runs-on: ubuntu-latest
@ -254,7 +270,7 @@ jobs:

    strategy:
      matrix:
-        k8s: [v1.26.15, v1.27.16, v1.28.15, v1.29.12, v1.30.8]
+        k8s: [v1.28.15, v1.29.12, v1.30.8, v1.31.4, v1.32.0]

    steps:
      - name: Checkout code
@ -285,26 +301,11 @@ jobs:
      (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
    strategy:
      matrix:
-        k8s: [v1.26.15, v1.27.16, v1.28.15, v1.29.12, v1.30.8]
+        k8s: [v1.28.15, v1.29.12, v1.30.8, v1.31.4, v1.32.0]
    uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml
    with:
      k8s-version: ${{ matrix.k8s }}

-  kubernetes-validations:
-    name: Kubernetes with Validations
-    needs:
-      - changes
-      - build
-    if: |
-      (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
-    strategy:
-      matrix:
-        k8s: [v1.26.15, v1.27.16, v1.28.15, v1.29.12, v1.30.8]
-    uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml
-    with:
-      k8s-version: ${{ matrix.k8s }}
-      variation: "VALIDATIONS"
-
  kubernetes-chroot:
    name: Kubernetes chroot
    needs:
@ -314,7 +315,7 @@ jobs:
      (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
    strategy:
      matrix:
-        k8s: [v1.26.15, v1.27.16, v1.28.15, v1.29.12, v1.30.8]
+        k8s: [v1.28.15, v1.29.12, v1.30.8, v1.31.4, v1.32.0]
    uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml
    with:
      k8s-version: ${{ matrix.k8s }}
--- a/.github/workflows/images.yaml
+++ b/.github/workflows/images.yaml
@ -36,7 +36,6 @@ jobs:
      kube-webhook-certgen: ${{ steps.filter.outputs.kube-webhook-certgen }}
      ext-auth-example-authsvc: ${{ steps.filter.outputs.ext-auth-example-authsvc }}
      nginx: ${{ steps.filter.outputs.nginx }}
-      opentelemetry: ${{ steps.filter.outputs.opentelemetry }}

    steps:
      - name: Checkout
@ -64,8 +63,6 @@ jobs:
              - 'images/ext-auth-example-authsvc/**'
            nginx:
              - 'images/nginx/**'
-            opentelemetry:
-              - 'images/opentelemetry/**'

  #### TODO: Make the below jobs 'less dumb' and use the job name as parameter (the github.job context does not work here)
  cfssl:
@ -138,7 +135,7 @@ jobs:
      (needs.changes.outputs.kube-webhook-certgen == 'true')
    strategy:
      matrix:
-        k8s: [v1.26.15, v1.27.16, v1.28.15, v1.29.12, v1.30.8]
+        k8s: [v1.28.15, v1.29.12, v1.30.8, v1.31.4, v1.32.0]
    steps:
    - name: Checkout
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -163,23 +160,6 @@ jobs:
      run: |
        cd images/ && make NAME=kube-webhook-certgen test test-e2e

-  opentelemetry:
-    runs-on: ubuntu-latest
-    env:
-      PLATFORMS: linux/amd64,linux/arm,linux/arm64
-    needs: changes
-    if: |
-      (needs.changes.outputs.opentelemetry == 'true')
-    strategy:
-      matrix:
-        nginx: ['1.25.3', '1.21.6']
-    steps:
-    - name: Checkout
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-    - name: image build
-      run: |
-        cd images/opentelemetry && make NGINX_VERSION=${{ matrix.nginx }} build
-
  nginx:
    permissions:
      contents: write
--- a/.github/workflows/zz-tmpl-k8s-e2e.yaml
+++ b/.github/workflows/zz-tmpl-k8s-e2e.yaml
@ -43,7 +43,6 @@ jobs:
          SKIP_CLUSTER_CREATION: true
          SKIP_INGRESS_IMAGE_CREATION: true
          SKIP_E2E_IMAGE_CREATION: true
-          ENABLE_VALIDATIONS: ${{ inputs.variation == 'VALIDATIONS' }}
          IS_CHROOT: ${{ inputs.variation == 'CHROOT' }}
        run: |
          kind get kubeconfig > $HOME/.kube/kind-config-kind
--- a/.luacheckrc
+++ b/.luacheckrc
@ -1,6 +1,6 @@
 std = 'ngx_lua'
 max_line_length = 100
-exclude_files = {'./rootfs/etc/nginx/lua/test/**/*.lua', './rootfs/etc/nginx/lua/plugins/**/test/**/*.lua'}
+exclude_files = {'./rootfs/etc/nginx/lua/test/**/*.lua'}
 files["rootfs/etc/nginx/lua/lua_ingress.lua"] = {
  ignore = { "122" },
  -- TODO(elvinefendi) figure out why this does not work
--- a/2
+++ b/2
@ -1 +1 @@
-registry.k8s.io/ingress-nginx/nginx:v0.3.0@sha256:73b4df804b128dc7aed9a769e17e9eaa70304895f26115c3d57e44e08ecc3685
+registry.k8s.io/ingress-nginx/nginx:v2.0.0@sha256:3e7bda4cf5111d283ed1e4ff5cc9a2b5cdc5ebe62d50ba67473d3e25b1389133
--- a/README.md
+++ b/README.md
@ -39,11 +39,17 @@ the versions listed. Ingress-Nginx versions **may** work on older versions, but

 | Supported | Ingress-NGINX version | k8s supported version         | Alpine Version | Nginx Version | Helm Chart Version |
 | :-------: | --------------------- | ----------------------------- | -------------- | ------------- | ------------------ |
-|    🔄     | **v1.11.4**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.21.0         | 1.25.5        | 4.11.4             |
+|    🔄     | **v1.12.0**           | 1.32, 1.31, 1.30, 1.29, 1.28  | 3.21.0         | 1.25.5        | 4.12.0             |
+|    🔄     | **v1.12.0-beta.0**    | 1.32, 1.31, 1.30, 1.29, 1.28  | 3.20.3         | 1.25.5        | 4.12.0-beta.0      |
+|    🔄     | **v1.11.4**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.21.0         | 1.25.5        | 4.11.4             |
 |    🔄     | **v1.11.3**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.3         | 1.25.5        | 4.11.3             |
 |    🔄     | **v1.11.2**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.11.2             |
 |    🔄     | **v1.11.1**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.11.1             |
 |    🔄     | **v1.11.0**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.11.0             |
+|           | **v1.10.6**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.21.0         | 1.25.5        | 4.10.6             |
+|           | **v1.10.5**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.3         | 1.25.5        | 4.10.5             |
+|           | **v1.10.4**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.10.4             |
+|           | **v1.10.3**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.10.3             |
 |           | **v1.10.2**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.10.2             |
 |           | **v1.10.1**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.19.1         | 1.25.3        | 4.10.1             |
 |           | **v1.10.0**           | 1.29, 1.28, 1.27, 1.26        | 3.19.1         | 1.25.3        | 4.10.0             |
--- a/1
+++ b/1
@ -1 +0,0 @@
-v1.11.4
--- a/build/run-in-docker.sh
+++ b/build/run-in-docker.sh
@ -41,7 +41,7 @@ function cleanup {
 }
 trap cleanup EXIT

-E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20250112-01b7af21@sha256:f77bb4625985462fe1a2bc846c430d668113abc90e5e5de6b4533403f56a048c}
+E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20250112-a188f4eb@sha256:043038b1e30e5a0b64f3f919f096c5c9488ac3f617ac094b07fb9db8215f9441}

 if [[ "$RUNTIME" == podman ]]; then
  # Podman does not support both tag and digest
--- a/changelog/controller-1.10.3.md
+++ b/changelog/controller-1.10.3.md
@ -0,0 +1,37 @@
+# Changelog
+
+### controller-v1.10.3
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.3@sha256:b5a5082f8e508cc1aac1c0ef101dc2f87b63d51598a5747d81d6cf6e7ba058fd
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.3@sha256:9033e04bd3cd01f92414f8d5999c5095734d4caceb4923942298152a38373d4b
+
+### All changes:
+
+* Images: Trigger `controller` v1.10.3 build. (#11648)
+* Tests: Bump `test-runner` to v20240717-1fe74b5f. (#11646)
+* Images: Re-run `test-runner` build. (#11643)
+* Images: Trigger `test-runner` build. (#11639)
+* Images: Bump `NGINX_BASE` to v0.0.10. (#11637)
+* Images: Trigger NGINX build. (#11631)
+* bump testing runner (#11626)
+* remove modsecurity coreruleset test files from nginx image (#11619)
+* unskip the ocsp tests and update images to fix cfssl bug (#11615)
+* Fix indent in YAML for example pod (#11609)
+* Images: Bump `test-runner`. (#11604)
+* Images: Bump `NGINX_BASE` to v0.0.9. (#11601)
+* revert module upgrade (#11595)
+* README: Fix support matrix. (#11593)
+* Mage: Stop mutating release notes. (#11582)
+* Images: Bump `kube-webhook-certgen`. (#11583)
+
+### Dependency updates:
+
+* Bump github.com/prometheus/common from 0.54.0 to 0.55.0 (#11622)
+* Bump the all group with 5 updates (#11613)
+* Bump golang.org/x/crypto from 0.24.0 to 0.25.0 (#11579)
+* Bump google.golang.org/grpc from 1.64.0 to 1.65.0 (#11577)
+* Bump the all group with 4 updates (#11574)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.2...controller-v1.10.3
--- a/changelog/controller-1.10.4.md
+++ b/changelog/controller-1.10.4.md
@ -0,0 +1,53 @@
+# Changelog
+
+### controller-v1.10.4
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.4@sha256:505b9048c02dde3d6c8667bf0b52aba7b36adf7b03da34c47d5fa312d2d4c6fc
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.4@sha256:bf71acf6e71830a4470e2183e3bc93c4f006b954f8a05fb434242ef0f8a24858
+
+### All changes:
+
+* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11811)
+* Images: Trigger controller build. (#11808)
+* Tests & Docs: Bump images. (#11804)
+* Images: Trigger failed builds. (#11801)
+* Images: Trigger other builds. (#11797)
+* Controller: Fix panic in alternative backend merging. (#11793)
+* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11791)
+* Images: Trigger `test-runner` build. (#11786)
+* Images: Bump `NGINX_BASE` to v0.0.12. (#11783)
+* Images: Trigger NGINX build. (#11780)
+* Cloud Build: Add missing config, remove unused ones. (#11776)
+* Generate correct output on NumCPU() when using cgroups2 (#11775)
+* Cloud Build: Tweak timeouts. (#11762)
+* Cloud Build: Fix substitutions. (#11759)
+* Cloud Build: Some chores. (#11756)
+* Go: Bump to v1.22.6. (#11748)
+* Images: Bump `NGINX_BASE` to v0.0.11. (#11744)
+* Images: Trigger NGINX build. (#11736)
+* docs: update OpenSSL Roadmap link (#11734)
+* Go: Bump to v1.22.5. (#11731)
+* Docs: Fix typo in AWS LB Controller reference (#11724)
+* Perform some cleaning operations on line breaks. (#11722)
+* Missing anchors in regular expression. (#11718)
+* Docs: Fix `from-to-www` redirect description. (#11715)
+* Chart: Remove `isControllerTagValid`. (#11714)
+* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11704)
+* Docs: Clarify `from-to-www` redirect direction. (#11692)
+* added real-client-ip faq (#11665)
+* Docs: Format NGINX configuration table. (#11660)
+
+### Dependency updates:
+
+* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11772)
+* Bump the all group with 2 updates (#11770)
+* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11768)
+* Bump the all group with 3 updates (#11729)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11700)
+* Bump the all group with 2 updates (#11697)
+* Bump the all group with 4 updates (#11676)
+* Bump the all group with 2 updates (#11674)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.3...controller-v1.10.4
--- a/changelog/controller-1.10.5.md
+++ b/changelog/controller-1.10.5.md
@ -0,0 +1,90 @@
+# Changelog
+
+### controller-v1.10.5
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.5@sha256:c84d11b1f7bd14ebbf49918a7f0dc01b31c0c6e757e0129520ea93453096315c
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.5@sha256:030a43bdd5f0212a7e135cc4da76b15a6706ef65a6824eb4cc401f87a81c2987
+
+### All changes:
+
+* Images: Trigger controller build. (#12133)
+* Tests & Docs: Bump `e2e-test-echo` to v1.0.1. (#12146)
+* Images: Trigger `e2e-test-echo` build. (#12142)
+* Images: Drop `s390x`. (#12139)
+* Images: Build `s390x` controller. (#12128)
+* Chart: Bump Kube Webhook CertGen. (#12122)
+* Tests & Docs: Bump images. (#12120)
+* Cloud Build: Bump `gcb-docker-gcloud` to v20240718-5ef92b5c36. (#12116)
+* Images: Trigger other builds. (#12111)
+* Tests: Bump `e2e-test-runner` to v20241004-114a6abb. (#12104)
+* Images: Trigger `test-runner` build. (#12101)
+* Docs: Add a multi-tenant warning. (#12098)
+* Go: Bump to v1.22.8. (#12093)
+* Images: Bump `NGINX_BASE` to v0.1.0. (#12079)
+* Images: Trigger NGINX build. (#12077)
+* Images: Remove NGINX v1.21. (#12057)
+* GitHub: Improve Dependabot. (#12037)
+* Chart: Improve CI. (#12029)
+* Chart: Extend image tests. (#12026)
+* Docs: Add health check annotations for AWS. (#12021)
+* Docs: Convert `opentelemetry.md` from CRLF to LF. (#12007)
+* Chart: Test `controller.minAvailable` & `controller.maxUnavailable`. (#12001)
+* Chart: Align default backend `PodDisruptionBudget`. (#11998)
+* Metrics: Fix namespace in `nginx_ingress_controller_ssl_expire_time_seconds`. (#11985)
+* Chart: Improve default backend service account. (#11973)
+* Go: Bump to v1.22.7. (#11969)
+* Images: Bump OpenTelemetry C++ Contrib. (#11950)
+* Docs: Add note about `--watch-namespace`. (#11948)
+* Images: Use latest Alpine 3.20 everywhere. (#11945)
+* Fix minor typos (#11940)
+* Chart: Implement `controller.admissionWebhooks.service.servicePort`. (#11933)
+* Tests: Bump `e2e-test-runner` to v20240829-2c421762. (#11920)
+* Images: Trigger `test-runner` build. (#11918)
+* Chart: Add tests for `PrometheusRule` & `ServiceMonitor`. (#11888)
+* Annotations: Allow commas in URLs. (#11886)
+* CI: Grant checks write permissions to E2E Test Report. (#11884)
+* Update maxmind post link about geolite2 license changes (#11880)
+* Go: Sync `go.work.sum`. (#11876)
+* Replace deprecated queue method (#11858)
+* Auto-generate annotation docs (#11835)
+
+### Dependency updates:
+
+* Bump the actions group with 3 updates (#12150)
+* Bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#12108)
+* Bump the actions group with 3 updates (#12096)
+* Bump sigs.k8s.io/mdtoc from 1.1.0 to 1.4.0 (#12088)
+* Bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#12086)
+* Bump google.golang.org/grpc from 1.67.0 to 1.67.1 in the go group across 1 directory (#12084)
+* Bump k8s.io/cli-runtime from 0.30.0 to 0.31.1 (#12082)
+* Bump github/codeql-action from 3.26.9 to 3.26.10 in the actions group (#12054)
+* Bump the go group across 1 directory with 3 updates (#12052)
+* Bump k8s.io/kube-aggregator from 0.29.3 to 0.31.1 in /images/kube-webhook-certgen/rootfs (#12048)
+* Bump k8s.io/apimachinery from 0.23.1 to 0.31.1 in /images/ext-auth-example-authsvc/rootfs (#12044)
+* Bump github.com/prometheus/client_golang from 1.11.1 to 1.20.4 in /images/custom-error-pages/rootfs (#12045)
+* Bump the all group with 2 updates (#12035)
+* Bump github/codeql-action from 3.26.7 to 3.26.8 in the all group (#12015)
+* Bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#12013)
+* Bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group (#12011)
+* Bump the all group with 2 updates (#11979)
+* Bump github/codeql-action from 3.26.6 to 3.26.7 in the all group (#11978)
+* Bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#11960)
+* Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (#11959)
+* Bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group (#11956)
+* Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#11929)
+* Bump the all group with 2 updates (#11924)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.20.2 in the all group (#11912)
+* Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#11907)
+* Bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#11906)
+* Bump github/codeql-action from 3.26.5 to 3.26.6 in the all group (#11905)
+* Bump the all group with 2 updates (#11870)
+* Bump github/codeql-action from 3.26.2 to 3.26.5 in the all group (#11869)
+* Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 (#11848)
+* Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.0 (#11847)
+* Bump dario.cat/mergo from 1.0.0 to 1.0.1 in the all group (#11846)
+* Bump k8s.io/component-base from 0.30.3 to 0.31.0 (#11841)
+* Bump github/codeql-action from 3.26.0 to 3.26.2 in the all group (#11833)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.4...controller-v1.10.5
--- a/changelog/controller-1.10.6.md
+++ b/changelog/controller-1.10.6.md
@ -0,0 +1,92 @@
+# Changelog
+
+### controller-v1.10.6
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.6@sha256:b6fbd102255edb3ba8e5421feebe14fd3e94cf53d199af9e40687f536152189c
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.6@sha256:44ceedafc0e04a75521b5d472c1b6b5cc08afb8038b5bbfd79c21d066ccf300e
+
+### All changes:
+
+* Images: Trigger controller build. (#12611)
+* Chart: Bump Kube Webhook CertGen. (#12608)
+* Tests & Docs: Bump images. (#12605)
+* Images: Trigger other builds (2/2). (#12598)
+* Images: Trigger other builds (1/2). (#12597)
+* Tests: Bump `e2e-test-runner` to v20241224-68ed4e7b. (#12592)
+* Images: Trigger `test-runner` build. (#12586)
+* Images: Bump `NGINX_BASE` to v0.2.0. (#12584)
+* Images: Trigger NGINX build. (#12578)
+* Go: Clean `go.work.sum`. (#12575)
+* Repository: Update owners. (#12570)
+* Images: Bump `gcb-docker-gcloud` to v20241217-ff46a068cd. (#12563)
+* CI: Update KIND images. (#12559)
+* Images: Bump Alpine to v3.21. (#12530)
+* Docs: Add guide on how to set a Maintenance Page. (#12527)
+* rikatz is stepping down (#12518)
+* rikatz is stepping down (#12497)
+* Go: Bump to v1.23.4. (#12485)
+* Plugin: Bump `goreleaser` to v2. (#12442)
+* GitHub: Fix `exec` in issue template. (#12389)
+* CI: Update KIND images. (#12368)
+* Images: Bump `gcb-docker-gcloud` to v20241110-72bb0b1665. (#12341)
+* Go: Bump to v1.23.3. (#12339)
+* Auth TLS: Add `_` to redirect RegEx. (#12328)
+* Auth TLS: Improve redirect RegEx. (#12321)
+* Tests: Bump `e2e-test-runner` to v20241104-02a3933e. (#12314)
+* Images: Trigger `test-runner` build. (#12307)
+* Config: Fix panic on invalid `lua-shared-dict`. (#12282)
+* Docs: fix limit-rate-after references (#12280)
+* Chart: Rework ServiceMonitor. (#12268)
+* Chart: Add ServiceAccount tests. (#12266)
+* CI: Fix chart testing. (#12260)
+* [fix] fix nginx temp configs cleanup (#12224)
+* Chart: Suggest `matchLabelKeys` in Topology Spread Constraints. (#12204)
+* Docs: Add Pod Security Admission. (#12198)
+* Docs: Clarify external & service port in TCP/UDP services explanation. (#12194)
+
+### Dependency updates:
+
+* Bump k8s.io/apiextensions-apiserver from 0.31.3 to 0.32.0 (#12565)
+* Bump github.com/onsi/ginkgo/v2 from 2.22.0 to 2.22.1 (#12557)
+* Bump k8s.io/code-generator from 0.31.3 to 0.32.0 (#12552)
+* Bump k8s.io/cli-runtime from 0.31.3 to 0.32.0 (#12549)
+* Bump k8s.io/apiserver from 0.31.3 to 0.32.0 (#12546)
+* Bump the actions group with 2 updates (#12543)
+* Bump google.golang.org/grpc from 1.68.1 to 1.69.2 (#12540)
+* Bump k8s.io/client-go from 0.31.3 to 0.32.0 (#12514)
+* Bump github.com/opencontainers/runc from 1.2.2 to 1.2.3 in the go group across 1 directory (#12511)
+* Bump the actions group with 3 updates (#12508)
+* Bump k8s.io/kube-aggregator from 0.31.3 to 0.32.0 in /images/kube-webhook-certgen/rootfs (#12504)
+* Bump k8s.io/apimachinery from 0.31.3 to 0.32.0 in /images/ext-auth-example-authsvc/rootfs (#12501)
+* Bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#12478)
+* Bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /magefiles (#12473)
+* Bump github.com/prometheus/common from 0.60.1 to 0.61.0 (#12466)
+* Bump github/codeql-action from 3.27.5 to 3.27.6 in the actions group (#12463)
+* Bump the go group across 1 directory with 2 updates (#12459)
+* Bump github.com/onsi/ginkgo/v2 from 2.21.0 to 2.22.0 (#12425)
+* Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#12416)
+* Bump the go group across 3 directories with 10 updates (#12414)
+* Bump the actions group with 3 updates (#12410)
+* Bump github.com/opencontainers/runc from 1.2.1 to 1.2.2 in the go group across 1 directory (#12382)
+* Bump github/codeql-action from 3.27.1 to 3.27.4 in the actions group (#12375)
+* Bump golangci-lint on actions and disable deprecated linters (#12363)
+* Bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#12356)
+* Bump the actions group with 3 updates (#12353)
+* Bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#12351)
+* Bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 (#12297)
+* Bump github.com/opencontainers/runc from 1.2.0 to 1.2.1 in the go group across 1 directory (#12294)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.2 to 2.21.0 (#12290)
+* Bump actions/dependency-review-action from 4.3.5 to 4.4.0 in the actions group (#12275)
+* Bump the go group across 3 directories with 11 updates (#12246)
+* Bump github.com/opencontainers/runc from 1.1.15 to 1.2.0 (#12241)
+* Bump the actions group with 5 updates (#12243)
+* Bump github.com/ncabatoff/process-exporter from 0.8.3 to 0.8.4 in the go group across 1 directory (#12219)
+* Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 in the actions group (#12215)
+* Bump github/codeql-action from 3.26.12 to 3.26.13 in the actions group (#12191)
+* Bump the go group across 2 directories with 1 update (#12189)
+* Bump the actions group with 2 updates (#12185)
+* Bump github.com/opencontainers/runc from 1.1.14 to 1.1.15 in the go group across 1 directory (#12184)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.5...controller-v1.10.6
--- a/changelog/controller-1.12.0-beta.0.md
+++ b/changelog/controller-1.12.0-beta.0.md
@ -0,0 +1,216 @@
+# Changelog
+
+### controller-v1.12.0-beta.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.12.0-beta.0@sha256:9724476b928967173d501040631b23ba07f47073999e80e34b120e8db5f234d5
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.12.0-beta.0@sha256:6e2f8f52e1f2571ff65bc4fc4826d5282d5def5835ec4ab433dcb8e659b2fbac
+
+### All changes:
+
+* Images: Trigger controller build. (#12154)
+* ⚠️ Metrics: Disable by default. (#12153) ⚠️
+
+  This changes the default of the following CLI arguments:
+
+  * `--enable-metrics` gets disabled by default.
+
+* Tests & Docs: Bump `e2e-test-echo` to v1.0.1. (#12147)
+* Images: Trigger `e2e-test-echo` build. (#12140)
+* ⚠️ Images: Drop `s390x`. (#12137) ⚠️
+
+  Support for the `s390x` architecture has already been removed from the controller image. This also removes it from the NGINX base image and CI relevant images.
+
+* Images: Build `s390x` controller. (#12126)
+* Chart: Bump Kube Webhook CertGen. (#12119)
+* Tests & Docs: Bump images. (#12118)
+* Cloud Build: Bump `gcb-docker-gcloud` to v20240718-5ef92b5c36. (#12113)
+* Images: Trigger other builds. (#12110)
+* Tests: Bump `e2e-test-runner` to v20241004-114a6abb. (#12103)
+* Images: Trigger `test-runner` build. (#12100)
+* Docs: Add a multi-tenant warning. (#12091)
+* Go: Bump to v1.22.8. (#12069)
+* Images: Bump `NGINX_BASE` to v1.0.0. (#12066)
+* Images: Trigger NGINX build. (#12063)
+* Images: Remove NGINX v1.21. (#12031)
+* Chart: Add `controller.metrics.service.enabled`. (#12056)
+* GitHub: Improve Dependabot. (#12033)
+* Chart: Add `global.image.registry`. (#12028)
+* ⚠️ Images: Remove OpenTelemetry. (#12024) ⚠️
+
+  OpenTelemetry is still supported, but since the module is built into the controller image since v1.10, we hereby remove the init container and image which were used to install it upon controller startup.
+
+* Chart: Improve CI. (#12003)
+* Chart: Extend image tests. (#12025)
+* Chart: Add `controller.progressDeadlineSeconds`. (#12017)
+* Docs: Add health check annotations for AWS. (#12018)
+* Docs: Convert `opentelemetry.md` from CRLF to LF. (#12005)
+* Chart: Implement `unhealthyPodEvictionPolicy`. (#11992)
+* Chart: Add `defaultBackend.maxUnavailable`. (#11995)
+* Chart: Test `controller.minAvailable` & `controller.maxUnavailable`. (#12000)
+* Chart: Align default backend `PodDisruptionBudget`. (#11993)
+* Metrics: Fix namespace in `nginx_ingress_controller_ssl_expire_time_seconds`. (#10274)
+* ⚠️ Chart: Remove Pod Security Policy. (#11971) ⚠️
+
+  This removes Pod Security Policies and related resources from the chart.
+
+* Chart: Improve default backend service account. (#11972)
+* Go: Bump to v1.22.7. (#11943)
+* NGINX: Remove inline Lua from template. (#11806)
+* Images: Bump OpenTelemetry C++ Contrib. (#11629)
+* Docs: Add note about `--watch-namespace`. (#11947)
+* Images: Use latest Alpine 3.20 everywhere. (#11944)
+* Fix minor typos (#11935)
+* Chart: Implement `controller.admissionWebhooks.service.servicePort`. (#11931)
+* Allow any protocol for cors origins (#11153)
+* Tests: Bump `e2e-test-runner` to v20240829-2c421762. (#11919)
+* Images: Trigger `test-runner` build. (#11916)
+* Chart: Add `controller.metrics.prometheusRule.annotations`. (#11849)
+* Chart: Add tests for `PrometheusRule` & `ServiceMonitor`. (#11883)
+* Annotations: Allow commas in URLs. (#11882)
+* CI: Grant checks write permissions to E2E Test Report. (#11862)
+* Chart: Use generic values for `ConfigMap` test. (#11877)
+* Security: Follow-up on recent changes. (#11874)
+* Lua: Remove plugins from `.luacheckrc` & E2E docs. (#11872)
+* Dashboard: Remove `ingress_upstream_latency_seconds`. (#11878)
+* Metrics: Add `--metrics-per-undefined-host` argument. (#11818)
+* Update maxmind post link about geolite2 license changes (#11861)
+* ⚠️ Remove global-rate-limit feature (#11851) ⚠️
+
+  This removes the following configuration options:
+
+  * `global-rate-limit-memcached-host`
+  * `global-rate-limit-memcached-port`
+  * `global-rate-limit-memcached-connect-timeout`
+  * `global-rate-limit-memcached-max-idle-timeout`
+  * `global-rate-limit-memcached-pool-size`
+  * `global-rate-limit-status-code`
+
+  It also removes the following annotations:
+
+  * `global-rate-limit`
+  * `global-rate-limit-window`
+  * `global-rate-limit-key`
+  * `global-rate-limit-ignored-cidrs`
+
+* Revert "docs: Add deployment for AWS NLB Proxy." (#11857)
+* Add custom code handling for temporal redirect (#10651)
+* Add native histogram support for histogram metrics (#9971)
+* Replace deprecated queue method (#11853)
+* ⚠️ Enable security features by default (#11819) ⚠️
+
+  This changes the default of the following CLI arguments:
+
+  * `--enable-annotation-validation` gets enabled by default.
+
+  It also changes the default of the following configuration options:
+
+  * `allow-cross-namespace-resources` gets disabled by default.
+  * `annotations-risk-level` gets lowered to "High" by default.
+  * `strict-validate-path-type` gets enabled by default.
+
+* docs: Add deployment for AWS NLB Proxy. (#9565)
+* ⚠️ Remove 3rd party lua plugin support (#11821) ⚠️
+
+  This removes the following configuration options:
+
+  * `plugins`
+
+  It also removes support for user provided Lua plugins in the `/etc/nginx/lua/plugins` directory.
+
+* Auto-generate annotation docs (#11820)
+* ⚠️ Metrics: Remove `ingress_upstream_latency_seconds`. (#11795) ⚠️
+
+  This metric has already been deprecated and is now getting removed.
+
+* Release controller v1.11.2/v1.10.4 & chart v4.11.2/v4.10.4. (#11816)
+* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11809)
+* Tests & Docs: Bump images. (#11803)
+* Images: Trigger failed builds. (#11800)
+* Images: Trigger other builds. (#11796)
+* Controller: Fix panic in alternative backend merging. (#11789)
+* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11788)
+* Images: Trigger `test-runner` build. (#11785)
+* Images: Bump `NGINX_BASE` to v0.0.12. (#11782)
+* Images: Trigger NGINX build. (#11779)
+* Cloud Build: Add missing config, remove unused ones. (#11774)
+* Cloud Build: Tweak timeouts. (#11761)
+* Cloud Build: Fix substitutions. (#11758)
+* Cloud Build: Some chores. (#11633)
+* Go: Bump to v1.22.6. (#11747)
+* Images: Bump `NGINX_BASE` to v0.0.11. (#11741)
+* Images: Trigger NGINX build. (#11735)
+* docs: update OpenSSL Roadmap link (#11730)
+* Go: Bump to v1.22.5. (#11634)
+* Docs: Fix typo in AWS LB Controller reference (#11723)
+* Perform some cleaning operations on line breaks. (#11720)
+* Missing anchors in regular expression. (#11717)
+* Docs: Fix `from-to-www` redirect description. (#11712)
+* Chart: Remove `isControllerTagValid`. (#11710)
+* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11702)
+* Chart: Explicitly set `runAsGroup`. (#11679)
+* Docs: Clarify `from-to-www` redirect direction. (#11682)
+* added real-client-ip faq (#11663)
+* Docs: Format NGINX configuration table. (#11659)
+* Release controller v1.11.1/v1.10.3 & chart v4.11.1/v4.10.3. (#11654)
+* Tests: Bump `test-runner` to v20240717-1fe74b5f. (#11645)
+* Images: Trigger `test-runner` build. (#11636)
+* Images: Bump `NGINX_BASE` to v0.0.10. (#11635)
+* remove modsecurity coreruleset test files from nginx image (#11617)
+* unskip the ocsp tests and update images to fix cfssl bug (#11606)
+* Fix indent in YAML for example pod (#11598)
+* Images: Bump `test-runner`. (#11600)
+* Images: Bump `NGINX_BASE` to v0.0.9. (#11599)
+* revert module upgrade (#11594)
+* README: Fix support matrix. (#11586)
+* Repository: Add changelogs from `release-v1.10`. (#11587)
+
+### Dependency updates:
+
+* Bump the actions group with 3 updates (#12152)
+* Bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#12107)
+* Bump the actions group with 3 updates (#12092)
+* Bump sigs.k8s.io/mdtoc from 1.1.0 to 1.4.0 (#12062)
+* Bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#12060)
+* Bump google.golang.org/grpc from 1.67.0 to 1.67.1 in the go group across 1 directory (#12059)
+* Bump k8s.io/cli-runtime from 0.30.0 to 0.31.1 (#12061)
+* Bump github/codeql-action from 3.26.9 to 3.26.10 in the actions group (#12051)
+* Bump the go group across 1 directory with 3 updates (#12050)
+* Bump k8s.io/kube-aggregator from 0.29.3 to 0.31.1 in /images/kube-webhook-certgen/rootfs (#12043)
+* Bump k8s.io/apimachinery from 0.23.1 to 0.31.1 in /images/ext-auth-example-authsvc/rootfs (#12041)
+* Bump github.com/prometheus/client_golang from 1.11.1 to 1.20.4 in /images/custom-error-pages/rootfs (#12040)
+* Bump the all group with 2 updates (#12032)
+* Bump github/codeql-action from 3.26.7 to 3.26.8 in the all group (#12010)
+* Bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#12009)
+* Bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group (#12008)
+* Bump the all group with 2 updates (#11977)
+* Bump github/codeql-action from 3.26.6 to 3.26.7 in the all group (#11976)
+* Bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#11954)
+* Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (#11955)
+* Bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group (#11953)
+* Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#11928)
+* Bump the all group with 2 updates (#11922)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.20.2 in the all group (#11901)
+* Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#11902)
+* Bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#11903)
+* Bump github/codeql-action from 3.26.5 to 3.26.6 in the all group (#11904)
+* Bump the all group with 2 updates (#11865)
+* Bump github/codeql-action from 3.26.2 to 3.26.5 in the all group (#11867)
+* Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 (#11832)
+* Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.0 (#11823)
+* Bump dario.cat/mergo from 1.0.0 to 1.0.1 in the all group (#11822)
+* Bump k8s.io/component-base from 0.30.3 to 0.31.0 (#11825)
+* Bump github/codeql-action from 3.26.0 to 3.26.2 in the all group (#11826)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11766)
+* Bump the all group with 2 updates (#11767)
+* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11765)
+* Bump the all group with 3 updates (#11727)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11696)
+* Bump the all group with 2 updates (#11695)
+* Bump the all group with 4 updates (#11673)
+* Bump the all group with 2 updates (#11672)
+* Bump github.com/prometheus/common from 0.54.0 to 0.55.0 (#11522)
+* Bump the all group with 5 updates (#11611)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.0...controller-v1.12.0-beta.0
--- a/changelog/controller-1.12.0.md
+++ b/changelog/controller-1.12.0.md
@ -0,0 +1,294 @@
+# Changelog
+
+### controller-v1.12.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.12.0@sha256:87c88e1c38a6c8d4483c8f70b69e2cca49853bb3ec3124b9b1be648edf139af3
+
+### All changes:
+
+* Images: Trigger controller build. (#12609)
+* Chart: Bump Kube Webhook CertGen. (#12606)
+* Tests & Docs: Bump images. (#12603)
+* Images: Trigger other builds (2/2). (#12599)
+* Images: Trigger other builds (1/2). (#12595)
+* Tests: Bump `e2e-test-runner` to v20241224-68ed4e7b. (#12590)
+* Images: Trigger `test-runner` build. (#12587)
+* Images: Bump `NGINX_BASE` to v1.1.0. (#12582)
+* Images: Trigger NGINX build. (#12579)
+* Go: Clean `go.work.sum`. (#12573)
+* Repository: Update owners. (#12568)
+* Images: Bump `gcb-docker-gcloud` to v20241217-ff46a068cd. (#12561)
+* CI: Update KIND images. (#12560)
+* Images: Bump Alpine to v3.21. (#12528)
+* Docs: Add guide on how to set a Maintenance Page. (#12525)
+* rikatz is stepping down (#12516)
+* rikatz is stepping down (#12494)
+* Go: Bump to v1.23.4. (#12483)
+* Plugin: Bump `goreleaser` to v2. (#12440)
+* GitHub: Fix `exec` in issue template. (#12387)
+* CI: Update KIND images. (#12367)
+* Images: Bump `gcb-docker-gcloud` to v20241110-72bb0b1665. (#12342)
+* Go: Bump to v1.23.3. (#12337)
+* Auth TLS: Add `_` to redirect RegEx. (#12326)
+* Auth TLS: Improve redirect RegEx. (#12323)
+* Update custom headers annotation documentation (#12318)
+* Tests: Bump `e2e-test-runner` to v20241104-02a3933e. (#12312)
+* Docs: Add CPU usage note for `--metrics-per-undefined-host`. (#12310)
+* Images: Trigger `test-runner` build. (#12308)
+* Config: Fix panic on invalid `lua-shared-dict`. (#12283)
+* Docs: fix limit-rate-after references (#12278)
+* Chart: Rework ServiceMonitor. (#12269)
+* Chart: Add ServiceAccount tests. (#12263)
+* CI: Fix chart testing. (#12258)
+* [fix] fix nginx temp configs cleanup (#12225)
+* Chart: Suggest `matchLabelKeys` in Topology Spread Constraints. (#12202)
+* Docs: Add Pod Security Admission. (#12195)
+* Docs: Clarify external & service port in TCP/UDP services explanation. (#12192)
+* Images: Trigger controller build. (#12154)
+* ⚠️ Metrics: Disable by default. (#12153) ⚠️
+
+  This changes the default of the following CLI arguments:
+
+  * `--enable-metrics` gets disabled by default.
+
+* Tests & Docs: Bump `e2e-test-echo` to v1.0.1. (#12147)
+* Images: Trigger `e2e-test-echo` build. (#12140)
+* ⚠️ Images: Drop `s390x`. (#12137) ⚠️
+
+  Support for the `s390x` architecture has already been removed from the controller image. This also removes it from the NGINX base image and CI relevant images.
+
+* Images: Build `s390x` controller. (#12126)
+* Chart: Bump Kube Webhook CertGen. (#12119)
+* Tests & Docs: Bump images. (#12118)
+* Cloud Build: Bump `gcb-docker-gcloud` to v20240718-5ef92b5c36. (#12113)
+* Images: Trigger other builds. (#12110)
+* Tests: Bump `e2e-test-runner` to v20241004-114a6abb. (#12103)
+* Images: Trigger `test-runner` build. (#12100)
+* Docs: Add a multi-tenant warning. (#12091)
+* Go: Bump to v1.22.8. (#12069)
+* Images: Bump `NGINX_BASE` to v1.0.0. (#12066)
+* Images: Trigger NGINX build. (#12063)
+* Images: Remove NGINX v1.21. (#12031)
+* Chart: Add `controller.metrics.service.enabled`. (#12056)
+* GitHub: Improve Dependabot. (#12033)
+* Chart: Add `global.image.registry`. (#12028)
+* ⚠️ Images: Remove OpenTelemetry. (#12024) ⚠️
+
+  OpenTelemetry is still supported, but since the module is built into the controller image since v1.10, we hereby remove the init container and image which were used to install it upon controller startup.
+
+* Chart: Improve CI. (#12003)
+* Chart: Extend image tests. (#12025)
+* Chart: Add `controller.progressDeadlineSeconds`. (#12017)
+* Docs: Add health check annotations for AWS. (#12018)
+* Docs: Convert `opentelemetry.md` from CRLF to LF. (#12005)
+* Chart: Implement `unhealthyPodEvictionPolicy`. (#11992)
+* Chart: Add `defaultBackend.maxUnavailable`. (#11995)
+* Chart: Test `controller.minAvailable` & `controller.maxUnavailable`. (#12000)
+* Chart: Align default backend `PodDisruptionBudget`. (#11993)
+* Metrics: Fix namespace in `nginx_ingress_controller_ssl_expire_time_seconds`. (#10274)
+* ⚠️ Chart: Remove Pod Security Policy. (#11971) ⚠️
+
+  This removes Pod Security Policies and related resources from the chart.
+
+* Chart: Improve default backend service account. (#11972)
+* Go: Bump to v1.22.7. (#11943)
+* NGINX: Remove inline Lua from template. (#11806)
+* Images: Bump OpenTelemetry C++ Contrib. (#11629)
+* Docs: Add note about `--watch-namespace`. (#11947)
+* Images: Use latest Alpine 3.20 everywhere. (#11944)
+* Fix minor typos (#11935)
+* Chart: Implement `controller.admissionWebhooks.service.servicePort`. (#11931)
+* Allow any protocol for cors origins (#11153)
+* Tests: Bump `e2e-test-runner` to v20240829-2c421762. (#11919)
+* Images: Trigger `test-runner` build. (#11916)
+* Chart: Add `controller.metrics.prometheusRule.annotations`. (#11849)
+* Chart: Add tests for `PrometheusRule` & `ServiceMonitor`. (#11883)
+* Annotations: Allow commas in URLs. (#11882)
+* CI: Grant checks write permissions to E2E Test Report. (#11862)
+* Chart: Use generic values for `ConfigMap` test. (#11877)
+* Security: Follow-up on recent changes. (#11874)
+* Lua: Remove plugins from `.luacheckrc` & E2E docs. (#11872)
+* Dashboard: Remove `ingress_upstream_latency_seconds`. (#11878)
+* Metrics: Add `--metrics-per-undefined-host` argument. (#11818)
+* Update maxmind post link about geolite2 license changes (#11861)
+* ⚠️ Remove global-rate-limit feature (#11851) ⚠️
+
+  This removes the following configuration options:
+
+  * `global-rate-limit-memcached-host`
+  * `global-rate-limit-memcached-port`
+  * `global-rate-limit-memcached-connect-timeout`
+  * `global-rate-limit-memcached-max-idle-timeout`
+  * `global-rate-limit-memcached-pool-size`
+  * `global-rate-limit-status-code`
+
+  It also removes the following annotations:
+
+  * `global-rate-limit`
+  * `global-rate-limit-window`
+  * `global-rate-limit-key`
+  * `global-rate-limit-ignored-cidrs`
+
+* Revert "docs: Add deployment for AWS NLB Proxy." (#11857)
+* Add custom code handling for temporal redirect (#10651)
+* Add native histogram support for histogram metrics (#9971)
+* Replace deprecated queue method (#11853)
+* ⚠️ Enable security features by default (#11819) ⚠️
+
+  This changes the default of the following CLI arguments:
+
+  * `--enable-annotation-validation` gets enabled by default.
+
+  It also changes the default of the following configuration options:
+
+  * `allow-cross-namespace-resources` gets disabled by default.
+  * `annotations-risk-level` gets lowered to "High" by default.
+  * `strict-validate-path-type` gets enabled by default.
+
+* docs: Add deployment for AWS NLB Proxy. (#9565)
+* ⚠️ Remove 3rd party lua plugin support (#11821) ⚠️
+
+  This removes the following configuration options:
+
+  * `plugins`
+
+  It also removes support for user provided Lua plugins in the `/etc/nginx/lua/plugins` directory.
+
+* Auto-generate annotation docs (#11820)
+* ⚠️ Metrics: Remove `ingress_upstream_latency_seconds`. (#11795) ⚠️
+
+  This metric has already been deprecated and is now getting removed.
+
+* Release controller v1.11.2/v1.10.4 & chart v4.11.2/v4.10.4. (#11816)
+* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11809)
+* Tests & Docs: Bump images. (#11803)
+* Images: Trigger failed builds. (#11800)
+* Images: Trigger other builds. (#11796)
+* Controller: Fix panic in alternative backend merging. (#11789)
+* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11788)
+* Images: Trigger `test-runner` build. (#11785)
+* Images: Bump `NGINX_BASE` to v0.0.12. (#11782)
+* Images: Trigger NGINX build. (#11779)
+* Cloud Build: Add missing config, remove unused ones. (#11774)
+* Cloud Build: Tweak timeouts. (#11761)
+* Cloud Build: Fix substitutions. (#11758)
+* Cloud Build: Some chores. (#11633)
+* Go: Bump to v1.22.6. (#11747)
+* Images: Bump `NGINX_BASE` to v0.0.11. (#11741)
+* Images: Trigger NGINX build. (#11735)
+* docs: update OpenSSL Roadmap link (#11730)
+* Go: Bump to v1.22.5. (#11634)
+* Docs: Fix typo in AWS LB Controller reference (#11723)
+* Perform some cleaning operations on line breaks. (#11720)
+* Missing anchors in regular expression. (#11717)
+* Docs: Fix `from-to-www` redirect description. (#11712)
+* Chart: Remove `isControllerTagValid`. (#11710)
+* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11702)
+* Chart: Explicitly set `runAsGroup`. (#11679)
+* Docs: Clarify `from-to-www` redirect direction. (#11682)
+* added real-client-ip faq (#11663)
+* Docs: Format NGINX configuration table. (#11659)
+* Release controller v1.11.1/v1.10.3 & chart v4.11.1/v4.10.3. (#11654)
+* Tests: Bump `test-runner` to v20240717-1fe74b5f. (#11645)
+* Images: Trigger `test-runner` build. (#11636)
+* Images: Bump `NGINX_BASE` to v0.0.10. (#11635)
+* remove modsecurity coreruleset test files from nginx image (#11617)
+* unskip the ocsp tests and update images to fix cfssl bug (#11606)
+* Fix indent in YAML for example pod (#11598)
+* Images: Bump `test-runner`. (#11600)
+* Images: Bump `NGINX_BASE` to v0.0.9. (#11599)
+* revert module upgrade (#11594)
+* README: Fix support matrix. (#11586)
+* Repository: Add changelogs from `release-v1.10`. (#11587)
+
+### Dependency updates:
+
+* Bump k8s.io/apiextensions-apiserver from 0.31.3 to 0.32.0 (#12566)
+* Bump github.com/onsi/ginkgo/v2 from 2.22.0 to 2.22.1 (#12555)
+* Bump k8s.io/code-generator from 0.31.3 to 0.32.0 (#12550)
+* Bump k8s.io/cli-runtime from 0.31.3 to 0.32.0 (#12547)
+* Bump k8s.io/apiserver from 0.31.3 to 0.32.0 (#12544)
+* Bump the actions group with 2 updates (#12541)
+* Bump google.golang.org/grpc from 1.68.1 to 1.69.2 (#12538)
+* Bump k8s.io/client-go from 0.31.3 to 0.32.0 (#12512)
+* Bump github.com/opencontainers/runc from 1.2.2 to 1.2.3 in the go group across 1 directory (#12509)
+* Bump the actions group with 3 updates (#12506)
+* Bump k8s.io/kube-aggregator from 0.31.3 to 0.32.0 in /images/kube-webhook-certgen/rootfs (#12505)
+* Bump k8s.io/apimachinery from 0.31.3 to 0.32.0 in /images/ext-auth-example-authsvc/rootfs (#12502)
+* Bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#12476)
+* Bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /magefiles (#12472)
+* Bump github.com/prometheus/common from 0.60.1 to 0.61.0 (#12464)
+* Bump github/codeql-action from 3.27.5 to 3.27.6 in the actions group (#12461)
+* Bump the go group across 1 directory with 2 updates (#12460)
+* Bump github.com/onsi/ginkgo/v2 from 2.21.0 to 2.22.0 (#12426)
+* Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#12418)
+* Bump the go group across 3 directories with 10 updates (#12413)
+* Bump the actions group with 3 updates (#12412)
+* Bump github.com/opencontainers/runc from 1.2.1 to 1.2.2 in the go group across 1 directory (#12380)
+* Bump github/codeql-action from 3.27.1 to 3.27.4 in the actions group (#12373)
+* Bump golangci-lint on actions and disable deprecated linters (#12361)
+* Bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#12357)
+* Bump the actions group with 3 updates (#12354)
+* Bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#12349)
+* Bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 (#12299)
+* Bump github.com/opencontainers/runc from 1.2.0 to 1.2.1 in the go group across 1 directory (#12296)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.2 to 2.21.0 (#12288)
+* Bump actions/dependency-review-action from 4.3.5 to 4.4.0 in the actions group (#12273)
+* Bump the go group across 3 directories with 11 updates (#12244)
+* Bump github.com/opencontainers/runc from 1.1.15 to 1.2.0 (#12242)
+* Bump the actions group with 5 updates (#12236)
+* Bump github.com/ncabatoff/process-exporter from 0.8.3 to 0.8.4 in the go group across 1 directory (#12218)
+* Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 in the actions group (#12217)
+* Bump github/codeql-action from 3.26.12 to 3.26.13 in the actions group (#12188)
+* Bump the go group across 2 directories with 1 update (#12186)
+* Bump the actions group with 2 updates (#12180)
+* Bump github.com/opencontainers/runc from 1.1.14 to 1.1.15 in the go group across 1 directory (#12178)
+* Bump the actions group with 3 updates (#12152)
+* Bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#12107)
+* Bump the actions group with 3 updates (#12092)
+* Bump sigs.k8s.io/mdtoc from 1.1.0 to 1.4.0 (#12062)
+* Bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#12060)
+* Bump google.golang.org/grpc from 1.67.0 to 1.67.1 in the go group across 1 directory (#12059)
+* Bump k8s.io/cli-runtime from 0.30.0 to 0.31.1 (#12061)
+* Bump github/codeql-action from 3.26.9 to 3.26.10 in the actions group (#12051)
+* Bump the go group across 1 directory with 3 updates (#12050)
+* Bump k8s.io/kube-aggregator from 0.29.3 to 0.31.1 in /images/kube-webhook-certgen/rootfs (#12043)
+* Bump k8s.io/apimachinery from 0.23.1 to 0.31.1 in /images/ext-auth-example-authsvc/rootfs (#12041)
+* Bump github.com/prometheus/client_golang from 1.11.1 to 1.20.4 in /images/custom-error-pages/rootfs (#12040)
+* Bump the all group with 2 updates (#12032)
+* Bump github/codeql-action from 3.26.7 to 3.26.8 in the all group (#12010)
+* Bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#12009)
+* Bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group (#12008)
+* Bump the all group with 2 updates (#11977)
+* Bump github/codeql-action from 3.26.6 to 3.26.7 in the all group (#11976)
+* Bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#11954)
+* Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (#11955)
+* Bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group (#11953)
+* Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#11928)
+* Bump the all group with 2 updates (#11922)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.20.2 in the all group (#11901)
+* Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#11902)
+* Bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#11903)
+* Bump github/codeql-action from 3.26.5 to 3.26.6 in the all group (#11904)
+* Bump the all group with 2 updates (#11865)
+* Bump github/codeql-action from 3.26.2 to 3.26.5 in the all group (#11867)
+* Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 (#11832)
+* Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.0 (#11823)
+* Bump dario.cat/mergo from 1.0.0 to 1.0.1 in the all group (#11822)
+* Bump k8s.io/component-base from 0.30.3 to 0.31.0 (#11825)
+* Bump github/codeql-action from 3.26.0 to 3.26.2 in the all group (#11826)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11766)
+* Bump the all group with 2 updates (#11767)
+* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11765)
+* Bump the all group with 3 updates (#11727)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11696)
+* Bump the all group with 2 updates (#11695)
+* Bump the all group with 4 updates (#11673)
+* Bump the all group with 2 updates (#11672)
+* Bump github.com/prometheus/common from 0.54.0 to 0.55.0 (#11522)
+* Bump the all group with 5 updates (#11611)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.0...controller-v1.12.0
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@ -1,10 +1,10 @@
 annotations:
  artifacthub.io/changes: |
-    - 'CI: Fix chart testing. (#12259)'
-    - Update Ingress-Nginx version controller-v1.11.4
+    - 'CI: Fix chart testing. (#12258)'
+    - Update Ingress-Nginx version controller-v1.12.0
  artifacthub.io/prerelease: "false"
 apiVersion: v2
-appVersion: 1.11.4
+appVersion: 1.12.0
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and
  load balancer
 home: https://github.com/kubernetes/ingress-nginx
@ -21,4 +21,4 @@ maintainers:
 name: ingress-nginx
 sources:
 - https://github.com/kubernetes/ingress-nginx
-version: 4.11.4
+version: 4.12.0
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@ -2,7 +2,7 @@

 [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer

-![Version: 4.11.4](https://img.shields.io/badge/Version-4.11.4-informational?style=flat-square) ![AppVersion: 1.11.4](https://img.shields.io/badge/AppVersion-1.11.4-informational?style=flat-square)
+![Version: 4.12.0](https://img.shields.io/badge/Version-4.12.0-informational?style=flat-square) ![AppVersion: 1.12.0](https://img.shields.io/badge/AppVersion-1.12.0-informational?style=flat-square)

 To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.

@ -260,9 +260,8 @@ metadata:
 | controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` |  |
 | controller.admissionWebhooks.createSecretJob.name | string | `"create"` |  |
 | controller.admissionWebhooks.createSecretJob.resources | object | `{}` |  |
-| controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers |
+| controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers |
 | controller.admissionWebhooks.enabled | bool | `true` |  |
-| controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one |
 | controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set |
 | controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use |
 | controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` |  |
@ -274,7 +273,6 @@ metadata:
 | controller.admissionWebhooks.patch.image.digest | string | `"sha256:0de05718b59dc33b57ddfb4d8ad5f637cefd13eafdec0e1579d782b3483c27c3"` |  |
 | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` |  |
 | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` |  |
-| controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` |  |
 | controller.admissionWebhooks.patch.image.tag | string | `"v1.5.1"` |  |
 | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
 | controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
@ -291,7 +289,7 @@ metadata:
 | controller.admissionWebhooks.patch.tolerations | list | `[]` |  |
 | controller.admissionWebhooks.patchWebhookJob.name | string | `"patch"` |  |
 | controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` |  |
-| controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers |
+| controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers |
 | controller.admissionWebhooks.port | int | `8443` |  |
 | controller.admissionWebhooks.service.annotations | object | `{}` |  |
 | controller.admissionWebhooks.service.externalIPs | list | `[]` |  |
@ -322,15 +320,14 @@ metadata:
 | controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. |
 | controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' |
 | controller.electionTTL | string | `""` | Duration a leader election is valid before it's getting re-elected, e.g. `15s`, `10m` or `1h`. (Default: 30s) |
-| controller.enableAnnotationValidations | bool | `false` |  |
+| controller.enableAnnotationValidations | bool | `true` |  |
 | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # |
 | controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false |
-| controller.existingPsp | string | `""` | Use an existing PSP instead of creating one |
 | controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use |
 | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. |
 | controller.extraEnvs | list | `[]` | Additional environment variables to set |
 | controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. |
-| controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module |
+| controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. |
 | controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. |
 | controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. |
 | controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. |
@ -343,16 +340,16 @@ metadata:
 | controller.hostname | object | `{}` | Optionally customize the pod hostname. |
 | controller.image.allowPrivilegeEscalation | bool | `false` |  |
 | controller.image.chroot | bool | `false` |  |
-| controller.image.digest | string | `"sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52"` |  |
-| controller.image.digestChroot | string | `"sha256:f29d0f9e7a9ef4947eda59ed0c09ec13380b13639d1518cf1ab8ec09c3e22ef8"` |  |
+| controller.image.digest | string | `"sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa"` |  |
+| controller.image.digestChroot | string | `"sha256:87c88e1c38a6c8d4483c8f70b69e2cca49853bb3ec3124b9b1be648edf139af3"` |  |
 | controller.image.image | string | `"ingress-nginx/controller"` |  |
 | controller.image.pullPolicy | string | `"IfNotPresent"` |  |
 | controller.image.readOnlyRootFilesystem | bool | `false` |  |
-| controller.image.registry | string | `"registry.k8s.io"` |  |
+| controller.image.runAsGroup | int | `82` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) |
 | controller.image.runAsNonRoot | bool | `true` |  |
-| controller.image.runAsUser | int | `101` |  |
+| controller.image.runAsUser | int | `101` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) |
 | controller.image.seccompProfile.type | string | `"RuntimeDefault"` |  |
-| controller.image.tag | string | `"v1.11.4"` |  |
+| controller.image.tag | string | `"v1.12.0"` |  |
 | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
 | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
 | controller.ingressClassResource | object | `{"aliases":[],"annotations":{},"controllerValue":"k8s.io/ingress-nginx","default":false,"enabled":true,"name":"nginx","parameters":{}}` | This section refers to the creation of the IngressClass resource. IngressClasses are immutable and cannot be changed after creation. We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required. |
@ -389,9 +386,11 @@ metadata:
 | controller.metrics.port | int | `10254` |  |
 | controller.metrics.portName | string | `"metrics"` |  |
 | controller.metrics.prometheusRule.additionalLabels | object | `{}` |  |
+| controller.metrics.prometheusRule.annotations | object | `{}` | Annotations to be added to the PrometheusRule. |
 | controller.metrics.prometheusRule.enabled | bool | `false` |  |
 | controller.metrics.prometheusRule.rules | list | `[]` |  |
 | controller.metrics.service.annotations | object | `{}` |  |
+| controller.metrics.service.enabled | bool | `true` | Enable the metrics service or not. |
 | controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
 | controller.metrics.service.labels | object | `{}` | Labels to be added to the metrics service resource |
 | controller.metrics.service.loadBalancerSourceRanges | list | `[]` |  |
@ -400,35 +399,27 @@ metadata:
 | controller.metrics.serviceMonitor.additionalLabels | object | `{}` |  |
 | controller.metrics.serviceMonitor.annotations | object | `{}` | Annotations to be added to the ServiceMonitor. |
 | controller.metrics.serviceMonitor.enabled | bool | `false` |  |
+| controller.metrics.serviceMonitor.labelLimit | int | `0` | Per-scrape limit on number of labels that will be accepted for a sample. |
+| controller.metrics.serviceMonitor.labelNameLengthLimit | int | `0` | Per-scrape limit on length of labels name that will be accepted for a sample. |
+| controller.metrics.serviceMonitor.labelValueLengthLimit | int | `0` | Per-scrape limit on length of labels value that will be accepted for a sample. |
 | controller.metrics.serviceMonitor.metricRelabelings | list | `[]` |  |
 | controller.metrics.serviceMonitor.namespace | string | `""` |  |
 | controller.metrics.serviceMonitor.namespaceSelector | object | `{}` |  |
 | controller.metrics.serviceMonitor.relabelings | list | `[]` |  |
+| controller.metrics.serviceMonitor.sampleLimit | int | `0` | Defines a per-scrape limit on the number of scraped samples that will be accepted. |
 | controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` |  |
 | controller.metrics.serviceMonitor.targetLabels | list | `[]` |  |
+| controller.metrics.serviceMonitor.targetLimit | int | `0` | Defines a limit on the number of scraped targets that will be accepted. |
 | controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. |
 | controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
 | controller.name | string | `"controller"` |  |
 | controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
 | controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
-| controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` |  |
-| controller.opentelemetry.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` |  |
-| controller.opentelemetry.containerSecurityContext.readOnlyRootFilesystem | bool | `true` |  |
-| controller.opentelemetry.containerSecurityContext.runAsNonRoot | bool | `true` |  |
-| controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. |
-| controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
-| controller.opentelemetry.enabled | bool | `false` |  |
-| controller.opentelemetry.image.digest | string | `"sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922"` |  |
-| controller.opentelemetry.image.distroless | bool | `true` |  |
-| controller.opentelemetry.image.image | string | `"ingress-nginx/opentelemetry-1.25.3"` |  |
-| controller.opentelemetry.image.registry | string | `"registry.k8s.io"` |  |
-| controller.opentelemetry.image.tag | string | `"v20240813-b933310d"` |  |
-| controller.opentelemetry.name | string | `"opentelemetry"` |  |
-| controller.opentelemetry.resources | object | `{}` |  |
 | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # |
 | controller.podLabels | object | `{}` | Labels to add to the pod container metadata |
 | controller.podSecurityContext | object | `{}` | Security context for controller pods |
 | controller.priorityClassName | string | `""` |  |
+| controller.progressDeadlineSeconds | int | `0` | Specifies the number of seconds you want to wait for the controller deployment to progress before the system reports back that it has failed. Ref.: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds |
 | controller.proxySetHeaders | object | `{}` | Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers |
 | controller.publishService | object | `{"enabled":true,"pathOverride":""}` | Allows customization of the source of the IP address or FQDN to report in the ingress status field. By default, it reads the information provided by the service. If disable, the status field reports the IP address of the node or nodes where an ingress controller pod is running. |
 | controller.publishService.enabled | bool | `true` | Enable 'publishService' or not |
@ -451,20 +442,24 @@ metadata:
 | controller.service.annotations | object | `{}` | Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service. |
 | controller.service.appProtocol | bool | `true` | Declare the app protocol of the external HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol |
 | controller.service.clusterIP | string | `""` | Pre-defined cluster internal IP address of the external controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
+| controller.service.clusterIPs | list | `[]` | Pre-defined cluster internal IP addresses of the external controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
 | controller.service.enableHttp | bool | `true` | Enable the HTTP listener on both controller services or not. |
 | controller.service.enableHttps | bool | `true` | Enable the HTTPS listener on both controller services or not. |
 | controller.service.enabled | bool | `true` | Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service. |
 | controller.service.external.enabled | bool | `true` | Enable the external controller service or not. Useful for internal-only deployments. |
+| controller.service.external.labels | object | `{}` | Labels to be added to the external controller service. |
 | controller.service.externalIPs | list | `[]` | List of node IP addresses at which the external controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips |
 | controller.service.externalTrafficPolicy | string | `""` | External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
 | controller.service.internal.annotations | object | `{}` | Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer |
 | controller.service.internal.appProtocol | bool | `true` | Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol |
 | controller.service.internal.clusterIP | string | `""` | Pre-defined cluster internal IP address of the internal controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
+| controller.service.internal.clusterIPs | list | `[]` | Pre-defined cluster internal IP addresses of the internal controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
 | controller.service.internal.enabled | bool | `false` | Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this. |
 | controller.service.internal.externalIPs | list | `[]` | List of node IP addresses at which the internal controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips |
 | controller.service.internal.externalTrafficPolicy | string | `""` | External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
 | controller.service.internal.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
 | controller.service.internal.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
+| controller.service.internal.labels | object | `{}` | Labels to be added to the internal controller service. |
 | controller.service.internal.loadBalancerClass | string | `""` | Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class |
 | controller.service.internal.loadBalancerIP | string | `""` | Deprecated: Pre-defined IP address of the internal controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer |
 | controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access to the internal controller service. Values must be CIDRs. Allows any source address by default. |
@ -475,6 +470,7 @@ metadata:
 | controller.service.internal.ports | object | `{}` |  |
 | controller.service.internal.sessionAffinity | string | `""` | Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity |
 | controller.service.internal.targetPorts | object | `{}` |  |
+| controller.service.internal.trafficDistribution | string | `""` | Traffic distribution policy of the internal controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution |
 | controller.service.internal.type | string | `""` | Type of the internal controller service. Defaults to the value of `controller.service.type`. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
 | controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
 | controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
@ -491,6 +487,7 @@ metadata:
 | controller.service.sessionAffinity | string | `""` | Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity |
 | controller.service.targetPorts.http | string | `"http"` | Port of the ingress controller the external HTTP listener is mapped to. |
 | controller.service.targetPorts.https | string | `"https"` | Port of the ingress controller the external HTTPS listener is mapped to. |
+| controller.service.trafficDistribution | string | `""` | Traffic distribution policy of the external controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution |
 | controller.service.type | string | `"LoadBalancer"` | Type of the external controller service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
 | controller.shareProcessNamespace | bool | `false` |  |
 | controller.sysctls | object | `{}` | sysctls for controller pods # Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ |
@ -501,6 +498,7 @@ metadata:
 | controller.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. # Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ # |
 | controller.udp.annotations | object | `{}` | Annotations to be added to the udp config configmap |
 | controller.udp.configMapNamespace | string | `""` | Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) |
+| controller.unhealthyPodEvictionPolicy | string | `""` | Eviction policy for unhealthy pods guarded by PodDisruptionBudget. Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ |
 | controller.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
 | controller.watchIngressWithoutClass | bool | `false` | Process Ingress objects without ingressClass annotation/ingressClassName field Overrides value for --watch-ingress-without-class flag of the controller binary Defaults to false |
 | defaultBackend.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity |
@ -512,7 +510,6 @@ metadata:
 | defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` |  |
 | defaultBackend.containerSecurityContext | object | `{}` | Security context for default backend containers |
 | defaultBackend.enabled | bool | `false` |  |
-| defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one |
 | defaultBackend.extraArgs | object | `{}` |  |
 | defaultBackend.extraConfigMaps | list | `[]` |  |
 | defaultBackend.extraEnvs | list | `[]` | Additional environment variables to set for defaultBackend pods |
@ -522,7 +519,7 @@ metadata:
 | defaultBackend.image.image | string | `"defaultbackend-amd64"` |  |
 | defaultBackend.image.pullPolicy | string | `"IfNotPresent"` |  |
 | defaultBackend.image.readOnlyRootFilesystem | bool | `true` |  |
-| defaultBackend.image.registry | string | `"registry.k8s.io"` |  |
+| defaultBackend.image.runAsGroup | int | `65534` |  |
 | defaultBackend.image.runAsNonRoot | bool | `true` |  |
 | defaultBackend.image.runAsUser | int | `65534` |  |
 | defaultBackend.image.seccompProfile.type | string | `"RuntimeDefault"` |  |
@ -533,7 +530,7 @@ metadata:
 | defaultBackend.livenessProbe.periodSeconds | int | `10` |  |
 | defaultBackend.livenessProbe.successThreshold | int | `1` |  |
 | defaultBackend.livenessProbe.timeoutSeconds | int | `5` |  |
-| defaultBackend.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. |
+| defaultBackend.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. |
 | defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
 | defaultBackend.name | string | `"defaultbackend"` |  |
 | defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
@ -551,6 +548,7 @@ metadata:
 | defaultBackend.replicaCount | int | `1` |  |
 | defaultBackend.resources | object | `{}` |  |
 | defaultBackend.service.annotations | object | `{}` |  |
+| defaultBackend.service.clusterIPs | list | `[]` | Pre-defined cluster internal IP addresses of the default backend service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
 | defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
 | defaultBackend.service.loadBalancerSourceRanges | list | `[]` |  |
 | defaultBackend.service.servicePort | int | `80` |  |
@ -560,11 +558,12 @@ metadata:
 | defaultBackend.serviceAccount.name | string | `""` |  |
 | defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # |
 | defaultBackend.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. Ref.: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ |
+| defaultBackend.unhealthyPodEvictionPolicy | string | `""` | Eviction policy for unhealthy pods guarded by PodDisruptionBudget. Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ |
 | defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
 | dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param |
+| global.image.registry | string | `"registry.k8s.io"` | Registry host to pull images from. |
 | imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
 | namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace |
-| podSecurityPolicy.enabled | bool | `false` |  |
 | portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration |
 | rbac.create | bool | `true` |  |
 | rbac.scope | bool | `false` |  |
--- a/charts/ingress-nginx/changelog/helm-chart-4.10.3.md
+++ b/charts/ingress-nginx/changelog/helm-chart-4.10.3.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.10.3
+
+* Update Ingress-Nginx version controller-v1.10.3
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.2...helm-chart-4.10.3
--- a/charts/ingress-nginx/changelog/helm-chart-4.10.4.md
+++ b/charts/ingress-nginx/changelog/helm-chart-4.10.4.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.10.4
+
+* Update Ingress-Nginx version controller-v1.10.4
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.3...helm-chart-4.10.4
--- a/charts/ingress-nginx/changelog/helm-chart-4.10.5.md
+++ b/charts/ingress-nginx/changelog/helm-chart-4.10.5.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.10.5
+
+* Update Ingress-Nginx version controller-v1.10.5
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.4...helm-chart-4.10.5
--- a/charts/ingress-nginx/changelog/helm-chart-4.10.6.md
+++ b/charts/ingress-nginx/changelog/helm-chart-4.10.6.md
@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.10.6
+
+* CI: Fix chart testing. (#12260)
+* Update Ingress-Nginx version controller-v1.10.6
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.5...helm-chart-4.10.6
--- a/charts/ingress-nginx/changelog/helm-chart-4.12.0-beta.0.md
+++ b/charts/ingress-nginx/changelog/helm-chart-4.12.0-beta.0.md
@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.12.0-beta.0
+
+* Update Ingress-Nginx version controller-v1.12.0-beta.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.0...helm-chart-4.12.0-beta.0
--- a/charts/ingress-nginx/changelog/helm-chart-4.12.0.md
+++ b/charts/ingress-nginx/changelog/helm-chart-4.12.0.md
@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.12.0
+
+* CI: Fix chart testing. (#12258)
+* Update Ingress-Nginx version controller-v1.12.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.0...helm-chart-4.12.0
--- a/charts/ingress-nginx/ci/controller-daemonset-extra-modules-values.yaml
+++ b/charts/ingress-nginx/ci/controller-daemonset-extra-modules-values.yaml
@ -1,30 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-
-  service:
-    type: ClusterIP
-
-  kind: DaemonSet
-
-  extraModules:
-  - name: opentelemetry
-    image:
-      registry: registry.k8s.io
-      image: ingress-nginx/opentelemetry-1.25.3
-      tag: v20240813-b933310d
-      digest: sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922
-      distroless: true
-    containerSecurityContext:
-      runAsNonRoot: true
-      runAsUser: 65532
-      runAsGroup: 65532
-      allowPrivilegeEscalation: false
-      seccompProfile:
-        type: RuntimeDefault
-      capabilities:
-        drop:
-        - ALL
-      readOnlyRootFilesystem: true
--- a/charts/ingress-nginx/ci/controller-daemonset-opentelemetry-values.yaml
+++ b/charts/ingress-nginx/ci/controller-daemonset-opentelemetry-values.yaml
@ -1,13 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-
-  service:
-    type: ClusterIP
-
-  kind: DaemonSet
-
-  opentelemetry:
-    enabled: true
--- a/charts/ingress-nginx/ci/controller-deployment-extra-modules-values.yaml
+++ b/charts/ingress-nginx/ci/controller-deployment-extra-modules-values.yaml
@ -1,30 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-
-  service:
-    type: ClusterIP
-
-  kind: Deployment
-
-  extraModules:
-  - name: opentelemetry
-    image:
-      registry: registry.k8s.io
-      image: ingress-nginx/opentelemetry-1.25.3
-      tag: v20240813-b933310d
-      digest: sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922
-      distroless: true
-    containerSecurityContext:
-      runAsNonRoot: true
-      runAsUser: 65532
-      runAsGroup: 65532
-      allowPrivilegeEscalation: false
-      seccompProfile:
-        type: RuntimeDefault
-      capabilities:
-        drop:
-        - ALL
-      readOnlyRootFilesystem: true
--- a/charts/ingress-nginx/ci/controller-deployment-opentelemetry-values.yaml
+++ b/charts/ingress-nginx/ci/controller-deployment-opentelemetry-values.yaml
@ -1,13 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-
-  service:
-    type: ClusterIP
-
-  kind: Deployment
-
-  opentelemetry:
-    enabled: true
--- a/charts/ingress-nginx/ci/controller-service-internal-values.yaml
+++ b/charts/ingress-nginx/ci/controller-service-internal-values.yaml
@ -9,5 +9,7 @@ controller:

    internal:
      enabled: true
+      labels:
+        external-dns.alpha.kubernetes.io/hostname: internal.example.com
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-internal: "true"
--- a/charts/ingress-nginx/ci/controller-service-values.yaml
+++ b/charts/ingress-nginx/ci/controller-service-values.yaml
@ -7,6 +7,10 @@ controller:
  service:
    type: NodePort

+    external:
+      labels:
+        external-dns.alpha.kubernetes.io/hostname: external.example.com
+
    nodePorts:
      tcp:
        9000: 30090
--- a/charts/ingress-nginx/ci/deamonset-psp-values.yaml
+++ b/charts/ingress-nginx/ci/deamonset-psp-values.yaml
@ -1,13 +0,0 @@
-controller:
-  kind: DaemonSet
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: false
-  service:
-    type: ClusterIP
-
-podSecurityPolicy:
-  enabled: true
--- a/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml
+++ b/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml
@ -1,13 +0,0 @@
-controller:
-  kind: DaemonSet
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: true
-  service:
-    type: ClusterIP
-
-podSecurityPolicy:
-  enabled: true
--- a/charts/ingress-nginx/ci/deployment-psp-values.yaml
+++ b/charts/ingress-nginx/ci/deployment-psp-values.yaml
@ -1,10 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  service:
-    type: ClusterIP
-
-podSecurityPolicy:
-  enabled: true
--- a/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml
+++ b/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml
@ -1,12 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: true
-  service:
-    type: ClusterIP
-
-podSecurityPolicy:
-  enabled: true
--- a/charts/ingress-nginx/templates/_helpers.tpl
+++ b/charts/ingress-nginx/templates/_helpers.tpl
@ -47,6 +47,7 @@ Controller container security context.
 {{- else -}}
 runAsNonRoot: {{ .Values.controller.image.runAsNonRoot }}
 runAsUser: {{ .Values.controller.image.runAsUser }}
+runAsGroup: {{ .Values.controller.image.runAsGroup }}
 allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }}
 {{- if .Values.controller.image.seccompProfile }}
 seccompProfile: {{ toYaml .Values.controller.image.seccompProfile | nindent 2 }}
@ -222,6 +223,7 @@ Default backend container security context.
 {{- else -}}
 runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
 runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
+runAsGroup: {{ .Values.defaultBackend.image.runAsGroup }}
 allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
 {{- if .Values.defaultBackend.image.seccompProfile }}
 seccompProfile: {{ toYaml .Values.defaultBackend.image.seccompProfile | nindent 2 }}
@ -233,17 +235,6 @@ readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem }
 {{- end -}}
 {{- end -}}

-{{/*
-Return the appropriate apiGroup for PodSecurityPolicy.
-*/}}
-{{- define "podSecurityPolicy.apiGroup" -}}
-{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
-{{- print "policy" -}}
-{{- else -}}
-{{- print "extensions" -}}
-{{- end -}}
-{{- end -}}
-
 {{/*
 Extra modules.
 */}}
--- a/charts/ingress-nginx/templates/_params.tpl
+++ b/charts/ingress-nginx/templates/_params.tpl
@ -1,7 +1,7 @@
 {{- define "ingress-nginx.params" -}}
 - /nginx-ingress-controller
-{{- if .Values.controller.enableAnnotationValidations }}
- --enable-annotation-validation=true
+{{- if not .Values.controller.enableAnnotationValidations }}
+- --enable-annotation-validation=false
 {{- end }}
 {{- if .Values.defaultBackend.enabled }}
 - --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }}
@ -54,7 +54,7 @@
 {{- if .Values.controller.watchIngressWithoutClass }}
 - --watch-ingress-without-class=true
 {{- end }}
-{{- if not .Values.controller.metrics.enabled }}
+{{- if .Values.controller.metrics.enabled }}
 - --enable-metrics={{ .Values.controller.metrics.enabled }}
 {{- end }}
 {{- if .Values.controller.enableTopologyAwareRouting }}
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
@ -20,14 +20,4 @@ rules:
    verbs:
      - get
      - update
-{{- if .Values.podSecurityPolicy.enabled }}
-  - apiGroups:      [{{ template "podSecurityPolicy.apiGroup" . }}]
-    resources:      ['podsecuritypolicies']
-    verbs:          ['use']
-    {{- with .Values.controller.admissionWebhooks.existingPsp }}
-    resourceNames:  [{{ . }}]
-    {{- else }}
-    resourceNames:  [{{ include "ingress-nginx.admissionWebhooks.fullname" . }}]
-    {{- end }}
-{{- end }}
 {{- end }}
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
@ -42,7 +42,7 @@ spec:
    {{- end }}
      containers:
        - name: create
-          {{- with .Values.controller.admissionWebhooks.patch.image }}
+          {{- with (merge .Values.controller.admissionWebhooks.patch.image .Values.global.image) }}
          image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
          {{- end }}
          imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
@ -67,6 +67,7 @@ spec:
          {{- end }}
      restartPolicy: OnFailure
      serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken }}
    {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
      nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
    {{- end }}
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@ -42,7 +42,7 @@ spec:
    {{- end }}
      containers:
        - name: patch
-          {{- with .Values.controller.admissionWebhooks.patch.image }}
+          {{- with (merge .Values.controller.admissionWebhooks.patch.image .Values.global.image) }}
          image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
          {{- end }}
          imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
@ -69,6 +69,7 @@ spec:
          {{- end }}
      restartPolicy: OnFailure
      serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken }}
    {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
      nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
    {{- end }}
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
@ -1,52 +0,0 @@
-{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
-{{- if and .Values.podSecurityPolicy.enabled .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
-  labels:
-    {{- include "ingress-nginx.labels" . | nindent 4 }}
-    app.kubernetes.io/component: admission-webhook
-    {{- with .Values.controller.admissionWebhooks.patch.labels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-spec:
-  privileged: false
-  hostPID: false
-  hostIPC: false
-  hostNetwork: false
-  volumes:
-    - configMap
-    - downwardAPI
-    - emptyDir
-    - secret
-    - projected
-  fsGroup:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: true
-  runAsUser:
-    rule: MustRunAsNonRoot
-  runAsGroup:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  supplementalGroups:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  allowPrivilegeEscalation: false
-  requiredDropCapabilities:
-    - ALL
-  seLinux:
-    rule: RunAsAny
-{{- end }}
-{{- end }}
--- a/charts/ingress-nginx/templates/controller-configmap.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap.yaml
@ -13,7 +13,9 @@ metadata:
  name: {{ include "ingress-nginx.controller.fullname" . }}
  namespace: {{ include "ingress-nginx.namespace" . }}
 data:
-  allow-snippet-annotations: "{{ .Values.controller.allowSnippetAnnotations }}"
+{{- if .Values.controller.allowSnippetAnnotations }}
+  allow-snippet-annotations: "true"
+{{- end }}
 {{- if .Values.controller.addHeaders }}
  add-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
 {{- end }}
--- a/charts/ingress-nginx/templates/controller-daemonset.yaml
+++ b/charts/ingress-nginx/templates/controller-daemonset.yaml
@ -75,7 +75,7 @@ spec:
    {{- end }}
      containers:
        - name: {{ .Values.controller.containerName }}
-          {{- with .Values.controller.image }}
+          {{- with (merge .Values.controller.image .Values.global.image) }}
          image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}
          {{- end }}
          imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
@ -144,9 +144,9 @@ spec:
              hostPort: {{ $key }}
              {{- end }}
          {{- end }}
-        {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
+        {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }}
          volumeMounts:
-          {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
+          {{- if .Values.controller.extraModules }}
            - name: modules
            {{- if .Values.controller.image.chroot }}
              mountPath: /chroot/modules_mount
@ -174,7 +174,7 @@ spec:
      {{- if .Values.controller.extraContainers }}
        {{- toYaml .Values.controller.extraContainers | nindent 8 }}
      {{- end }}
-    {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
+    {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }}
      initContainers:
      {{- if .Values.controller.extraInitContainers }}
        {{- toYaml .Values.controller.extraInitContainers | nindent 8 }}
@ -182,13 +182,7 @@ spec:
      {{- if .Values.controller.extraModules }}
        {{- range .Values.controller.extraModules }}
          {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
-          {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
-        {{- end }}
-      {{- end }}
-      {{- if .Values.controller.opentelemetry.enabled }}
-        {{- with .Values.controller.opentelemetry }}
-          {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
-          {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
+          {{- include "extraModules" (dict "name" .name "image" (merge .image $.Values.global.image) "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
        {{- end }}
      {{- end }}
    {{- end }}
@ -208,10 +202,11 @@ spec:
      topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }}
    {{- end }}
      serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
      terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
-    {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
+    {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }}
      volumes:
-      {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}}
+      {{- if .Values.controller.extraModules }}
        - name: modules
          emptyDir: {}
      {{- end }}
--- a/charts/ingress-nginx/templates/controller-deployment.yaml
+++ b/charts/ingress-nginx/templates/controller-deployment.yaml
@ -22,6 +22,9 @@ spec:
  replicas: {{ .Values.controller.replicaCount }}
  {{- end }}
  revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
+  {{- if .Values.controller.progressDeadlineSeconds }}
+  progressDeadlineSeconds: {{ .Values.controller.progressDeadlineSeconds }}
+  {{- end }}
  {{- if .Values.controller.updateStrategy }}
  strategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }}
  {{- end }}
@ -78,7 +81,7 @@ spec:
    {{- end }}
      containers:
        - name: {{ .Values.controller.containerName }}
-          {{- with .Values.controller.image }}
+          {{- with (merge .Values.controller.image .Values.global.image) }}
          image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}
          {{- end }}
          imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
@ -147,9 +150,9 @@ spec:
              hostPort: {{ $key }}
              {{- end }}
          {{- end }}
-        {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
+        {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }}
          volumeMounts:
-          {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
+          {{- if .Values.controller.extraModules }}
            - name: modules
            {{- if .Values.controller.image.chroot }}
              mountPath: /chroot/modules_mount
@ -177,7 +180,7 @@ spec:
      {{- if .Values.controller.extraContainers }}
        {{- toYaml .Values.controller.extraContainers | nindent 8 }}
      {{- end }}
-    {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
+    {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }}
      initContainers:
      {{- if .Values.controller.extraInitContainers }}
        {{- toYaml .Values.controller.extraInitContainers | nindent 8 }}
@ -185,13 +188,7 @@ spec:
      {{- if .Values.controller.extraModules }}
        {{- range .Values.controller.extraModules }}
          {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
-          {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
-        {{- end }}
-      {{- end }}
-      {{- if .Values.controller.opentelemetry.enabled }}
-        {{- with .Values.controller.opentelemetry }}
-          {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
-          {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
+          {{- include "extraModules" (dict "name" .name "image" (merge .image $.Values.global.image) "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
        {{- end }}
      {{- end }}
    {{- end }}
@ -211,10 +208,11 @@ spec:
      topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }}
    {{- end }}
      serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
      terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
-    {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
+    {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }}
      volumes:
-      {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}}
+      {{- if .Values.controller.extraModules }}
        - name: modules
          emptyDir: {}
      {{- end }}
--- a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml
+++ b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml
@ -32,5 +32,8 @@ spec:
  {{- else if .Values.controller.maxUnavailable }}
  maxUnavailable: {{ .Values.controller.maxUnavailable }}
  {{- end }}
+  {{- if .Values.controller.unhealthyPodEvictionPolicy }}
+  unhealthyPodEvictionPolicy: {{ .Values.controller.unhealthyPodEvictionPolicy }}
+  {{- end }}
 {{- end }}
 {{- end }}
--- a/charts/ingress-nginx/templates/controller-prometheusrule.yaml
+++ b/charts/ingress-nginx/templates/controller-prometheusrule.yaml
@ -14,6 +14,9 @@ metadata:
  {{- if .Values.controller.metrics.prometheusRule.additionalLabels }}
    {{- toYaml .Values.controller.metrics.prometheusRule.additionalLabels | nindent 4 }}
  {{- end }}
+  {{- if .Values.controller.metrics.prometheusRule.annotations }}
+  annotations: {{ toYaml .Values.controller.metrics.prometheusRule.annotations | nindent 4 }}
+  {{- end }}
 spec:
 {{- if .Values.controller.metrics.prometheusRule.rules }}
  groups:
--- a/charts/ingress-nginx/templates/controller-psp.yaml
+++ b/charts/ingress-nginx/templates/controller-psp.yaml
@ -1,100 +0,0 @@
-{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
-{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: {{ include "ingress-nginx.fullname" . }}
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
-  labels:
-    {{- include "ingress-nginx.labels" . | nindent 4 }}
-    app.kubernetes.io/component: controller
-    {{- with .Values.controller.labels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-spec:
-  privileged: false
-  hostPID: false
-  hostIPC: false
-  hostNetwork: {{ .Values.controller.hostNetwork }}
-{{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }}
-  hostPorts:
-  {{- if .Values.controller.hostNetwork }}
-  {{- range $key, $value := .Values.controller.containerPort }}
-    # controller.containerPort.{{ $key }}
-    - min: {{ $value }}
-      max: {{ $value }}
-  {{- end }}
-  {{- else if .Values.controller.hostPort.enabled }}
-  {{- range $key, $value := .Values.controller.hostPort.ports }}
-    # controller.hostPort.ports.{{ $key }}
-    - min: {{ $value }}
-      max: {{ $value }}
-  {{- end }}
-  {{- end }}
-  {{- if .Values.controller.metrics.enabled }}
-    # controller.metrics.port
-    - min: {{ .Values.controller.metrics.port }}
-      max: {{ .Values.controller.metrics.port }}
-  {{- end }}
-  {{- if .Values.controller.admissionWebhooks.enabled }}
-    # controller.admissionWebhooks.port
-    - min: {{ .Values.controller.admissionWebhooks.port }}
-      max: {{ .Values.controller.admissionWebhooks.port }}
-  {{- end }}
-  {{- range $key, $value := .Values.tcp }}
-    # tcp.{{ $key }}
-    - min: {{ $key }}
-      max: {{ $key }}
-  {{- end }}
-  {{- range $key, $value := .Values.udp }}
-    # udp.{{ $key }}
-    - min: {{ $key }}
-      max: {{ $key }}
-  {{- end }}
-{{- end }}
-  volumes:
-    - configMap
-    - downwardAPI
-    - emptyDir
-    - secret
-    - projected
-  fsGroup:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: false
-  runAsUser:
-    rule: MustRunAsNonRoot
-  runAsGroup:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  supplementalGroups:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }}
-  requiredDropCapabilities:
-    - ALL
-  allowedCapabilities:
-    - NET_BIND_SERVICE
-  {{- if .Values.controller.image.chroot }}
-  {{- if .Values.controller.image.seccompProfile }}
-    - SYS_ADMIN
-  {{- end }}
-    - SYS_CHROOT
-  {{- end }}
-  seLinux:
-    rule: RunAsAny
-{{- if .Values.controller.sysctls }}
-  allowedUnsafeSysctls:
-  {{- range $sysctl, $value := .Values.controller.sysctls }}
-    - {{ $sysctl }}
-  {{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
--- a/charts/ingress-nginx/templates/controller-role.yaml
+++ b/charts/ingress-nginx/templates/controller-role.yaml
@ -91,14 +91,4 @@ rules:
      - list
      - watch
      - get
-{{- if .Values.podSecurityPolicy.enabled }}
-  - apiGroups:      [{{ template "podSecurityPolicy.apiGroup" . }}]
-    resources:      ['podsecuritypolicies']
-    verbs:          ['use']
-    {{- with .Values.controller.existingPsp }}
-    resourceNames:  [{{ . }}]
-    {{- else }}
-    resourceNames:  [{{ include "ingress-nginx.fullname" . }}]
-    {{- end }}
-{{- end }}
 {{- end }}
--- a/charts/ingress-nginx/templates/controller-service-internal.yaml
+++ b/charts/ingress-nginx/templates/controller-service-internal.yaml
@ -12,6 +12,9 @@ metadata:
  {{- if .Values.controller.service.labels }}
    {{- toYaml .Values.controller.service.labels | nindent 4 }}
  {{- end }}
+  {{- if .Values.controller.service.internal.labels }}
+    {{- toYaml .Values.controller.service.internal.labels | nindent 4 }}
+  {{- end }}
  name: {{ include "ingress-nginx.controller.fullname" . }}-internal
  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
@ -19,6 +22,9 @@ spec:
 {{- if .Values.controller.service.internal.clusterIP }}
  clusterIP: {{ .Values.controller.service.internal.clusterIP }}
 {{- end }}
+{{- if .Values.controller.service.internal.clusterIPs }}
+  clusterIPs: {{ toYaml .Values.controller.service.internal.clusterIPs | nindent 4 }}
+{{- end }}
 {{- if .Values.controller.service.internal.externalIPs }}
  externalIPs: {{ toYaml .Values.controller.service.internal.externalIPs | nindent 4 }}
 {{- end }}
@ -43,6 +49,11 @@ spec:
 {{- if .Values.controller.service.internal.healthCheckNodePort }}
  healthCheckNodePort: {{ .Values.controller.service.internal.healthCheckNodePort }}
 {{- end }}
+{{- if semverCompare ">=1.31.0-0" .Capabilities.KubeVersion.Version -}}
+{{- if .Values.controller.service.internal.trafficDistribution }}
+  trafficDistribution: {{ .Values.controller.service.internal.trafficDistribution }}
+{{- end }}
+{{- end }}
 {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version -}}
 {{- if .Values.controller.service.internal.ipFamilyPolicy }}
  ipFamilyPolicy: {{ .Values.controller.service.internal.ipFamilyPolicy }}
--- a/charts/ingress-nginx/templates/controller-service-metrics.yaml
+++ b/charts/ingress-nginx/templates/controller-service-metrics.yaml
@ -1,4 +1,4 @@
-{{- if .Values.controller.metrics.enabled -}}
+{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.service.enabled -}}
 apiVersion: v1
 kind: Service
 metadata:
--- a/charts/ingress-nginx/templates/controller-service.yaml
+++ b/charts/ingress-nginx/templates/controller-service.yaml
@ -12,6 +12,9 @@ metadata:
  {{- if .Values.controller.service.labels }}
    {{- toYaml .Values.controller.service.labels | nindent 4 }}
  {{- end }}
+  {{- if .Values.controller.service.external.labels }}
+    {{- toYaml .Values.controller.service.external.labels | nindent 4 }}
+  {{- end }}
  name: {{ include "ingress-nginx.controller.fullname" . }}
  namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
@ -19,6 +22,9 @@ spec:
 {{- if .Values.controller.service.clusterIP }}
  clusterIP: {{ .Values.controller.service.clusterIP }}
 {{- end }}
+{{- if .Values.controller.service.clusterIPs }}
+  clusterIPs: {{ toYaml .Values.controller.service.clusterIPs | nindent 4 }}
+{{- end }}
 {{- if .Values.controller.service.externalIPs }}
  externalIPs: {{ toYaml .Values.controller.service.externalIPs | nindent 4 }}
 {{- end }}
@ -43,6 +49,11 @@ spec:
 {{- if .Values.controller.service.healthCheckNodePort }}
  healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }}
 {{- end }}
+{{- if semverCompare ">=1.31.0-0" .Capabilities.KubeVersion.Version -}}
+{{- if .Values.controller.service.trafficDistribution }}
+  trafficDistribution: {{ .Values.controller.service.trafficDistribution }}
+{{- end }}
+{{- end }}
 {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version -}}
 {{- if .Values.controller.service.ipFamilyPolicy }}
  ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy }}
--- a/charts/ingress-nginx/templates/controller-servicemonitor.yaml
+++ b/charts/ingress-nginx/templates/controller-servicemonitor.yaml
@ -47,4 +47,19 @@ spec:
  {{- if .Values.controller.metrics.serviceMonitor.targetLabels }}
  targetLabels: {{ toYaml .Values.controller.metrics.serviceMonitor.targetLabels | nindent 2 }}
  {{- end }}
+  {{- if .Values.controller.metrics.serviceMonitor.labelLimit }}
+  labelLimit: {{ .Values.controller.metrics.serviceMonitor.labelLimit }}
+  {{- end }}
+  {{- if .Values.controller.metrics.serviceMonitor.labelNameLengthLimit }}
+  labelNameLengthLimit: {{ .Values.controller.metrics.serviceMonitor.labelNameLengthLimit }}
+  {{- end }}
+  {{- if .Values.controller.metrics.serviceMonitor.labelValueLengthLimit }}
+  labelValueLengthLimit: {{ .Values.controller.metrics.serviceMonitor.labelValueLengthLimit }}
+  {{- end }}
+  {{- if .Values.controller.metrics.serviceMonitor.sampleLimit }}
+  sampleLimit: {{ .Values.controller.metrics.serviceMonitor.sampleLimit }}
+  {{- end }}
+  {{- if .Values.controller.metrics.serviceMonitor.targetLimit }}
+  targetLimit: {{ .Values.controller.metrics.serviceMonitor.targetLimit }}
+  {{- end }}
 {{- end }}
--- a/charts/ingress-nginx/templates/default-backend-deployment.yaml
+++ b/charts/ingress-nginx/templates/default-backend-deployment.yaml
@ -50,7 +50,7 @@ spec:
    {{- end }}
      containers:
        - name: {{ template "ingress-nginx.name" . }}-default-backend
-          {{- with .Values.defaultBackend.image }}
+          {{- with (merge .Values.defaultBackend.image .Values.global.image) }}
          image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
          {{- end }}
          imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }}
@ -103,6 +103,7 @@ spec:
      nodeSelector: {{ toYaml .Values.defaultBackend.nodeSelector | nindent 8 }}
    {{- end }}
      serviceAccountName: {{ include "ingress-nginx.defaultBackend.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.defaultBackend.serviceAccount.automountServiceAccountToken }}
    {{- if .Values.defaultBackend.tolerations }}
      tolerations: {{ toYaml .Values.defaultBackend.tolerations | nindent 8 }}
    {{- end }}
--- a/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml
+++ b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml
@ -20,6 +20,13 @@ spec:
    matchLabels:
      {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
      app.kubernetes.io/component: default-backend
+  {{- if and .Values.defaultBackend.minAvailable (not (hasKey .Values.defaultBackend "maxUnavailable")) }}
  minAvailable: {{ .Values.defaultBackend.minAvailable }}
+  {{- else if .Values.defaultBackend.maxUnavailable }}
+  maxUnavailable: {{ .Values.defaultBackend.maxUnavailable }}
+  {{- end }}
+  {{- if .Values.defaultBackend.unhealthyPodEvictionPolicy }}
+  unhealthyPodEvictionPolicy: {{ .Values.defaultBackend.unhealthyPodEvictionPolicy }}
+  {{- end }}
 {{- end }}
 {{- end }}
--- a/charts/ingress-nginx/templates/default-backend-psp.yaml
+++ b/charts/ingress-nginx/templates/default-backend-psp.yaml
@ -1,50 +0,0 @@
-{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
-{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingPsp) -}}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: {{ include "ingress-nginx.fullname" . }}-backend
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
-  labels:
-    {{- include "ingress-nginx.labels" . | nindent 4 }}
-    app.kubernetes.io/component: default-backend
-    {{- with .Values.defaultBackend.labels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-spec:
-  privileged: false
-  hostPID: false
-  hostIPC: false
-  hostNetwork: false
-  volumes:
-    - configMap
-    - downwardAPI
-    - emptyDir
-    - secret
-    - projected
-  fsGroup:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: true
-  runAsUser:
-    rule: MustRunAsNonRoot
-  runAsGroup:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  supplementalGroups:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  allowPrivilegeEscalation: false
-  requiredDropCapabilities:
-    - ALL
-  seLinux:
-    rule: RunAsAny
-{{- end }}
-{{- end }}
--- a/charts/ingress-nginx/templates/default-backend-role.yaml
+++ b/charts/ingress-nginx/templates/default-backend-role.yaml
@ -1,22 +0,0 @@
-{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  labels:
-    {{- include "ingress-nginx.labels" . | nindent 4 }}
-    app.kubernetes.io/component: default-backend
-    {{- with .Values.defaultBackend.labels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-  name: {{ include "ingress-nginx.fullname" . }}-backend
-  namespace: {{ include "ingress-nginx.namespace" . }}
-rules:
-  - apiGroups:      [{{ template "podSecurityPolicy.apiGroup" . }}]
-    resources:      ['podsecuritypolicies']
-    verbs:          ['use']
-    {{- with .Values.defaultBackend.existingPsp }}
-    resourceNames:  [{{ . }}]
-    {{- else }}
-    resourceNames:  [{{ include "ingress-nginx.fullname" . }}-backend]
-    {{- end }}
-{{- end }}
--- a/charts/ingress-nginx/templates/default-backend-rolebinding.yaml
+++ b/charts/ingress-nginx/templates/default-backend-rolebinding.yaml
@ -1,21 +0,0 @@
-{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    {{- include "ingress-nginx.labels" . | nindent 4 }}
-    app.kubernetes.io/component: default-backend
-    {{- with .Values.defaultBackend.labels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-  name: {{ include "ingress-nginx.fullname" . }}-backend
-  namespace: {{ include "ingress-nginx.namespace" . }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ include "ingress-nginx.fullname" . }}-backend
-subjects:
-  - kind: ServiceAccount
-    name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
-    namespace: {{ include "ingress-nginx.namespace" . }}
-{{- end }}
--- a/charts/ingress-nginx/templates/default-backend-service.yaml
+++ b/charts/ingress-nginx/templates/default-backend-service.yaml
@ -18,6 +18,9 @@ spec:
 {{- if .Values.defaultBackend.service.clusterIP }}
  clusterIP: {{ .Values.defaultBackend.service.clusterIP }}
 {{- end }}
+{{- if .Values.defaultBackend.service.clusterIPs }}
+  clusterIPs: {{ toYaml .Values.defaultBackend.service.clusterIPs | nindent 4 }}
+{{- end }}
 {{- if .Values.defaultBackend.service.externalIPs }}
  externalIPs: {{ toYaml .Values.defaultBackend.service.externalIPs | nindent 4 }}
 {{- end }}
--- a/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-createSecret_test.yaml
+++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-createSecret_test.yaml
@ -0,0 +1,12 @@
+suite: Admission Webhooks > Patch Job > Create Secret Job
+templates:
+  - admission-webhooks/job-patch/job-createSecret.yaml
+
+tests:
+  - it: should create a Job with token auto-mounting disabled if `controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken` is false
+    set:
+      controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false
+    asserts:
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: false
--- a/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-patchWebhook_test.yaml
+++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-patchWebhook_test.yaml
@ -0,0 +1,12 @@
+suite: Admission Webhooks > Patch Job > Patch Webhook Job
+templates:
+  - admission-webhooks/job-patch/job-patchWebhook.yaml
+
+tests:
+  - it: should create a Job with token auto-mounting disabled if `controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken` is false
+    set:
+      controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false
+    asserts:
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: false
--- a/charts/ingress-nginx/tests/controller-daemonset_test.yaml
+++ b/charts/ingress-nginx/tests/controller-daemonset_test.yaml
@ -15,23 +15,23 @@ tests:
          path: metadata.name
          value: RELEASE-NAME-ingress-nginx-controller

-  - it: should create a DaemonSet with argument `--enable-metrics=false` if `controller.metrics.enabled` is false
-    set:
-      controller.kind: DaemonSet
-      controller.metrics.enabled: false
-    asserts:
-      - contains:
-          path: spec.template.spec.containers[0].args
-          content: --enable-metrics=false
-
-  - it: should create a DaemonSet without argument `--enable-metrics=false` if `controller.metrics.enabled` is true
+  - it: should create a DaemonSet with argument `--enable-metrics=true` if `controller.metrics.enabled` is true
    set:
      controller.kind: DaemonSet
      controller.metrics.enabled: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: --enable-metrics=true
+
+  - it: should create a DaemonSet without argument `--enable-metrics=true` if `controller.metrics.enabled` is false
+    set:
+      controller.kind: DaemonSet
+      controller.metrics.enabled: false
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].args
-          content: --enable-metrics=false
+          content: --enable-metrics=true

  - it: should create a DaemonSet with argument `--controller-class=k8s.io/ingress-nginx-internal` if `controller.ingressClassResource.controllerValue` is "k8s.io/ingress-nginx-internal"
    set:
@ -139,6 +139,26 @@ tests:
                          - controller
                  topologyKey: kubernetes.io/hostname

+  - it: should create a DaemonSet with `runAsGroup` if `controller.image.runAsGroup` is set
+    set:
+      controller.kind: DaemonSet
+      controller.image.runAsGroup: 1000
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.runAsGroup
+          value: 1000
+
+  - it: should create a DaemonSet with a custom registry if `global.image.registry` is set
+    set:
+      global.image.registry: custom.registry.io
+      controller.kind: DaemonSet
+      controller.image.tag: v1.0.0-dev
+      controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: custom.registry.io/ingress-nginx/controller:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+
  - it: should create a DaemonSet with a custom registry if `controller.image.registry` is set
    set:
      controller.kind: DaemonSet
@ -170,3 +190,12 @@ tests:
      - equal:
          path: spec.template.spec.containers[0].image
          value: registry.k8s.io/ingress-nginx/controller:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+
+  - it: should create a DaemonSet with token auto-mounting disabled if `serviceAccount.automountServiceAccountToken` is false
+    set:
+      controller.kind: DaemonSet
+      serviceAccount.automountServiceAccountToken: false
+    asserts:
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: false
--- a/charts/ingress-nginx/tests/controller-deployment_test.yaml
+++ b/charts/ingress-nginx/tests/controller-deployment_test.yaml
@ -43,21 +43,21 @@ tests:
      - exists:
          path: spec.replicas

-  - it: should create a Deployment with argument `--enable-metrics=false` if `controller.metrics.enabled` is false
-    set:
-      controller.metrics.enabled: false
-    asserts:
-      - contains:
-          path: spec.template.spec.containers[0].args
-          content: --enable-metrics=false
-
-  - it: should create a Deployment without argument `--enable-metrics=false` if `controller.metrics.enabled` is true
+  - it: should create a Deployment with argument `--enable-metrics=true` if `controller.metrics.enabled` is true
    set:
      controller.metrics.enabled: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: --enable-metrics=true
+
+  - it: should create a Deployment without argument `--enable-metrics=true` if `controller.metrics.enabled` is false
+    set:
+      controller.metrics.enabled: false
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].args
-          content: --enable-metrics=false
+          content: --enable-metrics=true

  - it: should create a Deployment with argument `--controller-class=k8s.io/ingress-nginx-internal` if `controller.ingressClassResource.controllerValue` is "k8s.io/ingress-nginx-internal"
    set:
@ -161,6 +161,24 @@ tests:
                          - controller
                  topologyKey: kubernetes.io/hostname

+  - it: should create a Deployment with `runAsGroup` if `controller.image.runAsGroup` is set
+    set:
+      controller.image.runAsGroup: 1000
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.runAsGroup
+          value: 1000
+
+  - it: should create a Deployment with a custom registry if `global.image.registry` is set
+    set:
+      global.image.registry: custom.registry.io
+      controller.image.tag: v1.0.0-dev
+      controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: custom.registry.io/ingress-nginx/controller:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+
  - it: should create a Deployment with a custom registry if `controller.image.registry` is set
    set:
      controller.image.registry: custom.registry.io
@ -189,3 +207,19 @@ tests:
      - equal:
          path: spec.template.spec.containers[0].image
          value: registry.k8s.io/ingress-nginx/controller:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+
+  - it: should create a Deployment with `progressDeadlineSeconds` if `controller.progressDeadlineSeconds` is set
+    set:
+      controller.progressDeadlineSeconds: 111
+    asserts:
+      - equal:
+          path: spec.progressDeadlineSeconds
+          value: 111
+
+  - it: should create a Deployment with token auto-mounting disabled if `serviceAccount.automountServiceAccountToken` is false
+    set:
+      serviceAccount.automountServiceAccountToken: false
+    asserts:
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: false
--- a/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml
+++ b/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml
@ -87,3 +87,16 @@ tests:
      - equal:
          path: spec.maxUnavailable
          value: 1
+
+  - it: should create a PodDisruptionBudget with `unhealthyPodEvictionPolicy` if `controller.unhealthyPodEvictionPolicy` is set
+    set:
+      controller.replicaCount: 2
+      controller.unhealthyPodEvictionPolicy: IfHealthyBudget
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: PodDisruptionBudget
+      - equal:
+          path: spec.unhealthyPodEvictionPolicy
+          value: IfHealthyBudget
--- a/charts/ingress-nginx/tests/controller-prometheusrule_test.yaml
+++ b/charts/ingress-nginx/tests/controller-prometheusrule_test.yaml
@ -15,3 +15,15 @@ tests:
      - equal:
          path: metadata.name
          value: RELEASE-NAME-ingress-nginx-controller
+
+  - it: should create a PrometheusRule with annotations if `controller.metrics.prometheusRule.annotations` is set
+    set:
+      controller.metrics.enabled: true
+      controller.metrics.prometheusRule.enabled: true
+      controller.metrics.prometheusRule.annotations:
+        my-little-annotation: test-value
+    asserts:
+      - equal:
+          path: metadata.annotations
+          value:
+            my-little-annotation: test-value
--- a/charts/ingress-nginx/tests/controller-service-internal_test.yaml
+++ b/charts/ingress-nginx/tests/controller-service-internal_test.yaml
@ -23,3 +23,53 @@ tests:
      - equal:
          path: metadata.name
          value: RELEASE-NAME-ingress-nginx-controller-internal
+
+  - it: should create a Service without `clusterIPs` if `controller.service.internal.clusterIPs` is not set
+    set:
+      controller.service.internal.enabled: true
+      controller.service.internal.annotations:
+        test.annotation: "true"
+    asserts:
+      - notExists:
+          path: spec.clusterIPs
+
+  - it: should create a Service with `clusterIPs` if `controller.service.internal.clusterIPs` is set
+    set:
+      controller.service.internal.enabled: true
+      controller.service.internal.annotations:
+        test.annotation: "true"
+      controller.service.internal.clusterIPs:
+        - 10.0.0.1
+        - fd00::1
+    asserts:
+      - equal:
+          path: spec.clusterIPs
+          value:
+            - 10.0.0.1
+            - fd00::1
+
+  - it: should create a Service with `trafficDistribution` if `controller.service.internal.trafficDistribution` is set
+    capabilities:
+      majorVersion: 1
+      minorVersion: 31
+    set:
+      controller.service.internal.enabled: true
+      controller.service.internal.annotations:
+        test.annotation: "true"
+      controller.service.internal.trafficDistribution: PreferClose
+    asserts:
+      - equal:
+          path: spec.trafficDistribution
+          value: PreferClose
+
+  - it: should create a Service with labels if `controller.service.internal.labels` is set
+    set: 
+      controller.service.internal.enabled: true
+      controller.service.internal.annotations:
+        test.annotation: "true"
+      controller.service.internal.labels:
+        external-dns.alpha.kubernetes.io/hostname: internal.example.com
+    asserts:
+      - equal:
+          path: metadata.labels["external-dns.alpha.kubernetes.io/hostname"]
+          value: internal.example.com
--- a/charts/ingress-nginx/tests/controller-service-metrics_test.yaml
+++ b/charts/ingress-nginx/tests/controller-service-metrics_test.yaml
@ -3,16 +3,34 @@ templates:
  - controller-service-metrics.yaml

 tests:
-  - it: should not create a metrics Service if `controller.metrics.enabled` is false
+  - it: should not create a metrics Service if `controller.metrics.enabled` is false and `controller.metrics.service.enabled` is false
    set:
      controller.metrics.enabled: false
+      controller.metrics.service.enabled: false
    asserts:
      - hasDocuments:
          count: 0

-  - it: should create a metrics Service if `controller.metrics.enabled` is true
+  - it: should not create a metrics Service if `controller.metrics.enabled` is false and `controller.metrics.service.enabled` is true
+    set:
+      controller.metrics.enabled: false
+      controller.metrics.service.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should not create a metrics Service if `controller.metrics.enabled` is true and `controller.metrics.service.enabled` is false
    set:
      controller.metrics.enabled: true
+      controller.metrics.service.enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should create a metrics Service if `controller.metrics.enabled` is true and `controller.metrics.service.enabled` is true
+    set:
+      controller.metrics.enabled: true
+      controller.metrics.service.enabled: true
    asserts:
      - hasDocuments:
          count: 1
--- a/charts/ingress-nginx/tests/controller-service_test.yaml
+++ b/charts/ingress-nginx/tests/controller-service_test.yaml
@ -30,3 +30,45 @@ tests:
      - equal:
          path: spec.type
          value: NodePort
+
+  - it: should create a Service without `clusterIPs` if `controller.service.clusterIPs` is not set
+    set:
+      controller.service.external.enabled: true
+    asserts:
+      - notExists:
+          path: spec.clusterIPs
+
+  - it: should create a Service with `clusterIPs` if `controller.service.clusterIPs` is set
+    set:
+      controller.service.external.enabled: true
+      controller.service.clusterIPs:
+        - 10.0.0.1
+        - fd00::1
+    asserts:
+      - equal:
+          path: spec.clusterIPs
+          value:
+            - 10.0.0.1
+            - fd00::1
+
+  - it: should create a Service with `trafficDistribution` if `controller.service.trafficDistribution` is set
+    capabilities:
+      majorVersion: 1
+      minorVersion: 31
+    set:
+      controller.service.external.enabled: true
+      controller.service.trafficDistribution: PreferClose
+    asserts:
+      - equal:
+          path: spec.trafficDistribution
+          value: PreferClose
+
+  - it: should create a Service with labels if `controller.service.external.labels` is set
+    set:
+      controller.service.external.enabled: true
+      controller.service.external.labels:
+        external-dns.alpha.kubernetes.io/hostname: external.example.com
+    asserts:
+      - equal:
+          path: metadata.labels["external-dns.alpha.kubernetes.io/hostname"]
+          value: external.example.com
--- a/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml
+++ b/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml
@ -27,3 +27,53 @@ tests:
          path: metadata.annotations
          value:
            my-little-annotation: test-value
+
+  - it: should create a ServiceMonitor with `labelLimit` if `controller.metrics.serviceMonitor.labelLimit` is set
+    set:
+      controller.metrics.enabled: true
+      controller.metrics.serviceMonitor.enabled: true
+      controller.metrics.serviceMonitor.labelLimit: 20
+    asserts:
+      - equal:
+          path: spec.labelLimit
+          value: 20
+
+  - it: should create a ServiceMonitor with `labelNameLengthLimit` if `controller.metrics.serviceMonitor.labelNameLengthLimit` is set
+    set:
+      controller.metrics.enabled: true
+      controller.metrics.serviceMonitor.enabled: true
+      controller.metrics.serviceMonitor.labelNameLengthLimit: 50
+    asserts:
+      - equal:
+          path: spec.labelNameLengthLimit
+          value: 50
+
+  - it: should create a ServiceMonitor with `labelValueLengthLimit` if `controller.metrics.serviceMonitor.labelValueLengthLimit` is set
+    set:
+      controller.metrics.enabled: true
+      controller.metrics.serviceMonitor.enabled: true
+      controller.metrics.serviceMonitor.labelValueLengthLimit: 50
+    asserts:
+      - equal:
+          path: spec.labelValueLengthLimit
+          value: 50
+
+  - it: should create a ServiceMonitor with `sampleLimit` if `controller.metrics.serviceMonitor.sampleLimit` is set
+    set:
+      controller.metrics.enabled: true
+      controller.metrics.serviceMonitor.enabled: true
+      controller.metrics.serviceMonitor.sampleLimit: 5000
+    asserts:
+      - equal:
+          path: spec.sampleLimit
+          value: 5000
+
+  - it: should create a ServiceMonitor with `targetLimit` if `controller.metrics.serviceMonitor.targetLimit` is set
+    set:
+      controller.metrics.enabled: true
+      controller.metrics.serviceMonitor.enabled: true
+      controller.metrics.serviceMonitor.targetLimit: 100
+    asserts:
+      - equal:
+          path: spec.targetLimit
+          value: 100
--- a/charts/ingress-nginx/tests/default-backend-deployment_test.yaml
+++ b/charts/ingress-nginx/tests/default-backend-deployment_test.yaml
@ -136,6 +136,26 @@ tests:
                          - default-backend
                  topologyKey: kubernetes.io/hostname

+  - it: should create a Deployment with `runAsGroup` if `defaultBackend.image.runAsGroup` is set
+    set:
+      defaultBackend.enabled: true
+      defaultBackend.image.runAsGroup: 1000
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.runAsGroup
+          value: 1000
+
+  - it: should create a Deployment with a custom registry if `global.image.registry` is set
+    set:
+      global.image.registry: custom.registry.io
+      defaultBackend.enabled: true
+      defaultBackend.image.tag: v1.0.0-dev
+      defaultBackend.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: custom.registry.io/defaultbackend-amd64:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+
  - it: should create a Deployment with a custom registry if `defaultBackend.image.registry` is set
    set:
      defaultBackend.enabled: true
@ -167,3 +187,12 @@ tests:
      - equal:
          path: spec.template.spec.containers[0].image
          value: registry.k8s.io/defaultbackend-amd64:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+
+  - it: should create a Deployment with token auto-mounting disabled if `defaultBackend.serviceAccount.automountServiceAccountToken` is false
+    set:
+      defaultBackend.enabled: true
+      defaultBackend.serviceAccount.automountServiceAccountToken: false
+    asserts:
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: false
--- a/charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml
+++ b/charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml
@ -46,3 +46,34 @@ tests:
    asserts:
      - hasDocuments:
          count: 0
+
+  - it: should create a PodDisruptionBudget without `minAvailable` and with `maxUnavailable` if `defaultBackend.minAvailable` and `defaultBackend.maxUnavailable` are set
+    set:
+      defaultBackend.enabled: true
+      defaultBackend.replicaCount: 2
+      defaultBackend.minAvailable: 1
+      defaultBackend.maxUnavailable: 1
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: PodDisruptionBudget
+      - notExists:
+          path: spec.minAvailable
+      - equal:
+          path: spec.maxUnavailable
+          value: 1
+
+  - it: should create a PodDisruptionBudget with `unhealthyPodEvictionPolicy` if `defaultBackend.unhealthyPodEvictionPolicy` is set
+    set:
+      defaultBackend.enabled: true
+      defaultBackend.replicaCount: 2
+      defaultBackend.unhealthyPodEvictionPolicy: IfHealthyBudget
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: PodDisruptionBudget
+      - equal:
+          path: spec.unhealthyPodEvictionPolicy
+          value: IfHealthyBudget
--- a/charts/ingress-nginx/tests/default-backend-service_test.yaml
+++ b/charts/ingress-nginx/tests/default-backend-service_test.yaml
@ -30,3 +30,23 @@ tests:
      - equal:
          path: spec.ports[0].port
          value: 80
+
+  - it: should create a Service without `clusterIPs` if `defaultBackend.service.clusterIPs` is not set
+    set:
+      defaultBackend.enabled: true
+    asserts:
+      - notExists:
+          path: spec.clusterIPs
+
+  - it: should create a Service with `clusterIPs` if `defaultBackend.service.clusterIPs` is set
+    set:
+      defaultBackend.enabled: true
+      defaultBackend.service.clusterIPs:
+        - 10.0.0.1
+        - fd00::1
+    asserts:
+      - equal:
+          path: spec.clusterIPs
+          value:
+            - 10.0.0.1
+            - fd00::1
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@ -2,6 +2,10 @@
 ## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/index.md
 ##

+global:
+  image:
+    # -- Registry host to pull images from.
+    registry: registry.k8s.io
 ## Overrides for generated resource names
 # See templates/_helpers.tpl
 # nameOverride:
@ -17,28 +21,30 @@ commonLabels: {}

 controller:
  name: controller
-  enableAnnotationValidations: false
+  enableAnnotationValidations: true
  image:
    ## Keep false as default for now!
    chroot: false
-    registry: registry.k8s.io
+    # registry: registry.k8s.io
    image: ingress-nginx/controller
    ## for backwards compatibility consider setting the full image url via the repository value below
    ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
    ## repository:
-    tag: "v1.11.4"
-    digest: sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52
-    digestChroot: sha256:f29d0f9e7a9ef4947eda59ed0c09ec13380b13639d1518cf1ab8ec09c3e22ef8
+    tag: "v1.12.0"
+    digest: sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
+    digestChroot: sha256:87c88e1c38a6c8d4483c8f70b69e2cca49853bb3ec3124b9b1be648edf139af3
    pullPolicy: IfNotPresent
    runAsNonRoot: true
-    # www-data -> uid 101
+    # -- This value must not be changed using the official image.
+    # uid=101(www-data) gid=82(www-data) groups=82(www-data)
    runAsUser: 101
+    # -- This value must not be changed using the official image.
+    # uid=101(www-data) gid=82(www-data) groups=82(www-data)
+    runAsGroup: 82
    allowPrivilegeEscalation: false
    seccompProfile:
      type: RuntimeDefault
    readOnlyRootFilesystem: false
-  # -- Use an existing PSP instead of creating one
-  existingPsp: ""
  # -- Configures the controller container name
  containerName: controller
  # -- Configures the ports that the nginx-controller listens on
@ -234,6 +240,9 @@ controller:
  #    maxUnavailable: 1
  #  type: RollingUpdate

+  # -- Specifies the number of seconds you want to wait for the controller deployment to progress before the system reports back that it has failed.
+  # Ref.: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds
+  progressDeadlineSeconds: 0
  # -- `minReadySeconds` to avoid killing pods before we are ready
  ##
  minReadySeconds: 0
@ -376,7 +385,9 @@ controller:
  minAvailable: 1
  # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
  # maxUnavailable: 1
-
+  # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+  # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+  unhealthyPodEvictionPolicy: ""
  ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes
  ## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903
  ## Ideally, there should be no limits.
@ -475,6 +486,8 @@ controller:
    external:
      # -- Enable the external controller service or not. Useful for internal-only deployments.
      enabled: true
+      # -- Labels to be added to the external controller service.
+      labels: {}
    # -- Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service.
    annotations: {}
    # -- Labels to be added to both controller services.
@ -486,6 +499,10 @@ controller:
    # This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
    clusterIP: ""
+    # -- Pre-defined cluster internal IP addresses of the external controller service. Take care of collisions with existing services.
+    # This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
+    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
+    clusterIPs: []
    # -- List of node IP addresses at which the external controller service is available.
    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
    externalIPs: []
@ -512,6 +529,10 @@ controller:
    # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    # healthCheckNodePort: 0

+    # -- Traffic distribution policy of the external controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client.
+    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution
+    trafficDistribution: ""
+
    # -- Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack.
    # Fields `ipFamilies` and `clusterIP` depend on the value of this field.
    # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
@ -555,6 +576,8 @@ controller:
    internal:
      # -- Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this.
      enabled: false
+      # -- Labels to be added to the internal controller service.
+      labels: {}
      # -- Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service.
      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
      annotations: {}
@ -566,6 +589,10 @@ controller:
      # This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
      clusterIP: ""
+      # -- Pre-defined cluster internal IP addresses of the internal controller service. Take care of collisions with existing services.
+      # This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
+      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
+      clusterIPs: []
      # -- List of node IP addresses at which the internal controller service is available.
      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
      externalIPs: []
@ -592,6 +619,10 @@ controller:
      # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
      # healthCheckNodePort: 0

+      # -- Traffic distribution policy of the internal controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client.
+      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution
+      trafficDistribution: ""
+
      # -- Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack.
      # Fields `ipFamilies` and `clusterIP` depend on the value of this field.
      # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
@ -677,11 +708,11 @@ controller:
  #   image: busybox
  #   command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;']

-  # -- Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module
+  # -- Modules, which are mounted into the core nginx image.
  extraModules: []
  # - name: mytestmodule
  #   image:
-  #     registry: registry.k8s.io
+  #     # registry: registry.k8s.io
  #     image: ingress-nginx/mytestmodule
  #     ## for backwards compatibility consider setting the full image url via the repository value below
  #     ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
@ -692,6 +723,7 @@ controller:
  #   containerSecurityContext:
  #     runAsNonRoot: true
  #     runAsUser: <user-id>
+  #     runAsGroup: <group-id>
  #     allowPrivilegeEscalation: false
  #     seccompProfile:
  #       type: RuntimeDefault
@ -705,30 +737,6 @@ controller:
  # will be executed as initContainers, to move its config files within the
  # mounted volume.

-  opentelemetry:
-    enabled: false
-    name: opentelemetry
-    image:
-      registry: registry.k8s.io
-      image: ingress-nginx/opentelemetry-1.25.3
-      ## for backwards compatibility consider setting the full image url via the repository value below
-      ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
-      ## repository:
-      tag: v20240813-b933310d
-      digest: sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922
-      distroless: true
-    containerSecurityContext:
-      runAsNonRoot: true
-      # -- The image's default user, inherited from its base image `cgr.dev/chainguard/static`.
-      runAsUser: 65532
-      allowPrivilegeEscalation: false
-      seccompProfile:
-        type: RuntimeDefault
-      capabilities:
-        drop:
-          - ALL
-      readOnlyRootFilesystem: true
-    resources: {}
  admissionWebhooks:
    name: admission
    annotations: {}
@ -756,8 +764,6 @@ controller:
    objectSelector: {}
    # -- Labels to be added to admission webhooks
    labels: {}
-    # -- Use an existing PSP instead of creating one
-    existingPsp: ""
    service:
      annotations: {}
      # clusterIP: ""
@ -772,6 +778,7 @@ controller:
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532
+        runAsGroup: 65532
        allowPrivilegeEscalation: false
        seccompProfile:
          type: RuntimeDefault
@ -792,6 +799,7 @@ controller:
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532
+        runAsGroup: 65532
        allowPrivilegeEscalation: false
        seccompProfile:
          type: RuntimeDefault
@ -803,7 +811,7 @@ controller:
    patch:
      enabled: true
      image:
-        registry: registry.k8s.io
+        # registry: registry.k8s.io
        image: ingress-nginx/kube-webhook-certgen
        ## for backwards compatibility consider setting the full image url via the repository value below
        ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
@ -857,6 +865,8 @@ controller:
    # if this port is changed, change healthz-port: in extraArgs: accordingly
    enabled: false
    service:
+      # -- Enable the metrics service or not.
+      enabled: true
      annotations: {}
      # prometheus.io/scrape: "true"
      # prometheus.io/port: "10254"
@ -892,9 +902,21 @@ controller:
      targetLabels: []
      relabelings: []
      metricRelabelings: []
+      # -- Per-scrape limit on number of labels that will be accepted for a sample.
+      labelLimit: 0
+      # -- Per-scrape limit on length of labels name that will be accepted for a sample.
+      labelNameLengthLimit: 0
+      # -- Per-scrape limit on length of labels value that will be accepted for a sample.
+      labelValueLengthLimit: 0
+      # -- Defines a per-scrape limit on the number of scraped samples that will be accepted.
+      sampleLimit: 0
+      # -- Defines a limit on the number of scraped targets that will be accepted.
+      targetLimit: 0
    prometheusRule:
      enabled: false
      additionalLabels: {}
+      # -- Annotations to be added to the PrometheusRule.
+      annotations: {}
      # namespace: ""
      rules: []
      # # These are just examples rules, please adapt them to your needs
@ -958,7 +980,7 @@ defaultBackend:
  enabled: false
  name: defaultbackend
  image:
-    registry: registry.k8s.io
+    # registry: registry.k8s.io
    image: defaultbackend-amd64
    ## for backwards compatibility consider setting the full image url via the repository value below
    ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
@ -968,12 +990,11 @@ defaultBackend:
    runAsNonRoot: true
    # nobody user -> uid 65534
    runAsUser: 65534
+    runAsGroup: 65534
    allowPrivilegeEscalation: false
    seccompProfile:
      type: RuntimeDefault
    readOnlyRootFilesystem: true
-  # -- Use an existing PSP instead of creating one
-  existingPsp: ""
  extraArgs: {}
  serviceAccount:
    create: true
@ -1100,7 +1121,13 @@ defaultBackend:
  podAnnotations: {}
  replicaCount: 1
  # -- Minimum available pods set in PodDisruptionBudget.
+  # Define either 'minAvailable' or 'maxUnavailable', never both.
  minAvailable: 1
+  # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+  # maxUnavailable: 1
+  # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+  # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+  unhealthyPodEvictionPolicy: ""
  resources: {}
  # limits:
  #   cpu: 10m
@ -1148,6 +1175,10 @@ defaultBackend:
  service:
    annotations: {}
    # clusterIP: ""
+    # -- Pre-defined cluster internal IP addresses of the default backend service. Take care of collisions with existing services.
+    # This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
+    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
+    clusterIPs: []

    # -- List of IP addresses at which the default backend service is available
    ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
@ -1164,10 +1195,6 @@ defaultBackend:
 rbac:
  create: true
  scope: false
-## If true, create & use Pod Security Policy resources
-## https://kubernetes.io/docs/concepts/policy/pod-security-policy/
-podSecurityPolicy:
-  enabled: false
 serviceAccount:
  create: true
  name: ""
--- a/cmd/dataplane/main.go
+++ b/cmd/dataplane/main.go
@ -66,7 +66,7 @@ func main() {
 	mc := metric.NewDummyCollector()
 	if conf.EnableMetrics {
 		// TODO: Ingress class is not a part of dataplane anymore
-		mc, err = metric.NewCollector(conf.MetricsPerHost, conf.ReportStatusClasses, reg, conf.IngressClassConfiguration.Controller, *conf.MetricsBuckets, conf.ExcludeSocketMetrics)
+		mc, err = metric.NewCollector(conf.MetricsPerHost, conf.MetricsPerUndefinedHost, conf.ReportStatusClasses, reg, conf.IngressClassConfiguration.Controller, *conf.MetricsBuckets, conf.MetricsBucketFactor, conf.MetricsMaxBuckets, conf.ExcludeSocketMetrics)
 		if err != nil {
 			klog.Fatalf("Error creating prometheus collector:  %v", err)
 		}
--- a/cmd/nginx/main.go
+++ b/cmd/nginx/main.go
@ -130,7 +130,7 @@ func main() {

 	mc := metric.NewDummyCollector()
 	if conf.EnableMetrics {
-		mc, err = metric.NewCollector(conf.MetricsPerHost, conf.ReportStatusClasses, reg, conf.IngressClassConfiguration.Controller, *conf.MetricsBuckets, conf.ExcludeSocketMetrics)
+		mc, err = metric.NewCollector(conf.MetricsPerHost, conf.MetricsPerUndefinedHost, conf.ReportStatusClasses, reg, conf.IngressClassConfiguration.Controller, *conf.MetricsBuckets, conf.MetricsBucketFactor, conf.MetricsMaxBuckets, conf.ExcludeSocketMetrics)
 		if err != nil {
 			klog.Fatalf("Error creating prometheus collector:  %v", err)
 		}
--- a/deploy/grafana/dashboards/request-handling-performance.json
+++ b/deploy/grafana/dashboards/request-handling-performance.json
@ -893,104 +893,6 @@
      ],
      "title": "Average Response Size by Method and Path",
      "type": "timeseries"
-    },
-    {
-      "datasource": {
-        "type": "prometheus",
-        "uid": "${DS_PROMETHEUS}"
-      },
-      "fieldConfig": {
-        "defaults": {
-          "color": {
-            "mode": "palette-classic"
-          },
-          "custom": {
-            "axisBorderShow": false,
-            "axisCenteredZero": false,
-            "axisColorMode": "text",
-            "axisLabel": "",
-            "axisPlacement": "auto",
-            "barAlignment": 0,
-            "drawStyle": "line",
-            "fillOpacity": 10,
-            "gradientMode": "none",
-            "hideFrom": {
-              "legend": false,
-              "tooltip": false,
-              "viz": false
-            },
-            "insertNulls": false,
-            "lineInterpolation": "linear",
-            "lineWidth": 1,
-            "pointSize": 5,
-            "scaleDistribution": {
-              "type": "linear"
-            },
-            "showPoints": "never",
-            "spanNulls": false,
-            "stacking": {
-              "group": "A",
-              "mode": "none"
-            },
-            "thresholdsStyle": {
-              "mode": "off"
-            }
-          },
-          "links": [],
-          "mappings": [],
-          "thresholds": {
-            "mode": "absolute",
-            "steps": [
-              {
-                "color": "green"
-              },
-              {
-                "color": "red",
-                "value": 80
-              }
-            ]
-          },
-          "unit": "s"
-        },
-        "overrides": []
-      },
-      "gridPos": {
-        "h": 8,
-        "w": 12,
-        "x": 0,
-        "y": 32
-      },
-      "id": 96,
-      "options": {
-        "legend": {
-          "calcs": [],
-          "displayMode": "list",
-          "placement": "bottom",
-          "showLegend": true
-        },
-        "tooltip": {
-          "mode": "multi",
-          "sort": "desc"
-        }
-      },
-      "pluginVersion": "10.4.3",
-      "targets": [
-        {
-          "datasource": {
-            "type": "prometheus",
-            "uid": "${DS_PROMETHEUS}"
-          },
-          "expr": "sum (\n  rate(\n      nginx_ingress_controller_ingress_upstream_latency_seconds_sum {\n        ingress =~ \"$ingress\",\n      }[5m]\n)) / sum (\n  rate(\n      nginx_ingress_controller_ingress_upstream_latency_seconds_count {\n        ingress =~ \"$ingress\",\n      }[5m]\n  )\n)\n",
-          "hide": false,
-          "instant": false,
-          "interval": "",
-          "intervalFactor": 1,
-          "legendFormat": "average",
-          "refId": "B"
-        }
-      ],
-      "title": "Upstream Service Latency",
-      "type": "timeseries"
    }
  ],
  "refresh": "30s",
--- a/deploy/static/provider/aws/deploy.yaml
+++ b/deploy/static/provider/aws/deploy.yaml
@ -15,7 +15,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 ---
@ -28,7 +28,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 ---
@ -40,7 +40,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 rules:
@ -130,7 +130,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 rules:
@ -149,7 +149,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
 rules:
 - apiGroups:
@ -231,7 +231,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 rules:
 - apiGroups:
@ -250,7 +250,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 roleRef:
@ -270,7 +270,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 roleRef:
@ -289,7 +289,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
 roleRef:
  apiGroup: rbac.authorization.k8s.io
@ -308,7 +308,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 roleRef:
  apiGroup: rbac.authorization.k8s.io
@ -320,8 +320,7 @@ subjects:
  namespace: ingress-nginx
 ---
 apiVersion: v1
-data:
-  allow-snippet-annotations: "false"
+data: null
 kind: ConfigMap
 metadata:
  labels:
@ -329,7 +328,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 ---
@ -345,7 +344,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 spec:
@ -378,7 +377,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
 spec:
@ -401,7 +400,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 spec:
@ -423,7 +422,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
    spec:
      containers:
      - args:
@ -436,7 +435,6 @@ spec:
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
-        - --enable-metrics=false
        env:
        - name: POD_NAME
          valueFrom:
@ -448,7 +446,7 @@ spec:
              fieldPath: metadata.namespace
        - name: LD_PRELOAD
          value: /usr/local/lib/libmimalloc.so
-        image: registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52
+        image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
@ -498,6 +496,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: false
+          runAsGroup: 82
          runAsNonRoot: true
          runAsUser: 101
          seccompProfile:
@ -524,7 +523,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
 spec:
@ -535,7 +534,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
      name: ingress-nginx-admission-create
    spec:
      containers:
@ -558,6 +557,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: true
+          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
@ -575,7 +575,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
 spec:
@ -586,7 +586,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
      name: ingress-nginx-admission-patch
    spec:
      containers:
@ -611,6 +611,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: true
+          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
@ -628,7 +629,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: nginx
 spec:
  controller: k8s.io/ingress-nginx
@ -641,7 +642,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
--- a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
@ -15,7 +15,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 ---
@ -28,7 +28,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 ---
@ -40,7 +40,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 rules:
@ -130,7 +130,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 rules:
@ -149,7 +149,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
 rules:
 - apiGroups:
@ -231,7 +231,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 rules:
 - apiGroups:
@ -250,7 +250,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 roleRef:
@ -270,7 +270,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 roleRef:
@ -289,7 +289,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
 roleRef:
  apiGroup: rbac.authorization.k8s.io
@ -308,7 +308,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 roleRef:
  apiGroup: rbac.authorization.k8s.io
@ -321,7 +321,6 @@ subjects:
 ---
 apiVersion: v1
 data:
-  allow-snippet-annotations: "false"
  http-snippet: |
    server {
      listen 2443;
@ -336,7 +335,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 ---
@ -354,7 +353,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 spec:
@ -387,7 +386,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
 spec:
@ -410,7 +409,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 spec:
@ -432,7 +431,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
    spec:
      containers:
      - args:
@ -445,7 +444,6 @@ spec:
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
-        - --enable-metrics=false
        env:
        - name: POD_NAME
          valueFrom:
@ -457,7 +455,7 @@ spec:
              fieldPath: metadata.namespace
        - name: LD_PRELOAD
          value: /usr/local/lib/libmimalloc.so
-        image: registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52
+        image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
@ -510,6 +508,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: false
+          runAsGroup: 82
          runAsNonRoot: true
          runAsUser: 101
          seccompProfile:
@ -536,7 +535,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
 spec:
@ -547,7 +546,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
      name: ingress-nginx-admission-create
    spec:
      containers:
@ -570,6 +569,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: true
+          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
@ -587,7 +587,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
 spec:
@ -598,7 +598,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
      name: ingress-nginx-admission-patch
    spec:
      containers:
@ -623,6 +623,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: true
+          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
@ -640,7 +641,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: nginx
 spec:
  controller: k8s.io/ingress-nginx
@ -653,7 +654,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
--- a/deploy/static/provider/baremetal/deploy.yaml
+++ b/deploy/static/provider/baremetal/deploy.yaml
@ -15,7 +15,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 ---
@ -28,7 +28,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 ---
@ -40,7 +40,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 rules:
@ -130,7 +130,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 rules:
@ -149,7 +149,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
 rules:
 - apiGroups:
@ -231,7 +231,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 rules:
 - apiGroups:
@ -250,7 +250,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 roleRef:
@ -270,7 +270,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 roleRef:
@ -289,7 +289,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
 roleRef:
  apiGroup: rbac.authorization.k8s.io
@ -308,7 +308,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 roleRef:
  apiGroup: rbac.authorization.k8s.io
@ -320,8 +320,7 @@ subjects:
  namespace: ingress-nginx
 ---
 apiVersion: v1
-data:
-  allow-snippet-annotations: "false"
+data: null
 kind: ConfigMap
 metadata:
  labels:
@ -329,7 +328,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 ---
@ -341,7 +340,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 spec:
@ -373,7 +372,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
 spec:
@ -396,7 +395,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 spec:
@ -418,7 +417,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
    spec:
      containers:
      - args:
@ -430,7 +429,6 @@ spec:
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
-        - --enable-metrics=false
        env:
        - name: POD_NAME
          valueFrom:
@ -442,7 +440,7 @@ spec:
              fieldPath: metadata.namespace
        - name: LD_PRELOAD
          value: /usr/local/lib/libmimalloc.so
-        image: registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52
+        image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
@ -492,6 +490,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: false
+          runAsGroup: 82
          runAsNonRoot: true
          runAsUser: 101
          seccompProfile:
@ -518,7 +517,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
 spec:
@ -529,7 +528,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
      name: ingress-nginx-admission-create
    spec:
      containers:
@ -552,6 +551,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: true
+          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
@ -569,7 +569,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
 spec:
@ -580,7 +580,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
      name: ingress-nginx-admission-patch
    spec:
      containers:
@ -605,6 +605,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: true
+          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
@ -622,7 +623,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: nginx
 spec:
  controller: k8s.io/ingress-nginx
@ -635,7 +636,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
--- a/deploy/static/provider/cloud/deploy.yaml
+++ b/deploy/static/provider/cloud/deploy.yaml
@ -15,7 +15,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 ---
@ -28,7 +28,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 ---
@ -40,7 +40,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 rules:
@ -130,7 +130,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 rules:
@ -149,7 +149,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
 rules:
 - apiGroups:
@ -231,7 +231,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 rules:
 - apiGroups:
@ -250,7 +250,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 roleRef:
@ -270,7 +270,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 roleRef:
@ -289,7 +289,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
 roleRef:
  apiGroup: rbac.authorization.k8s.io
@ -308,7 +308,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 roleRef:
  apiGroup: rbac.authorization.k8s.io
@ -320,8 +320,7 @@ subjects:
  namespace: ingress-nginx
 ---
 apiVersion: v1
-data:
-  allow-snippet-annotations: "false"
+data: null
 kind: ConfigMap
 metadata:
  labels:
@ -329,7 +328,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 ---
@ -341,7 +340,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 spec:
@ -374,7 +373,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
 spec:
@ -397,7 +396,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 spec:
@ -419,7 +418,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
    spec:
      containers:
      - args:
@ -432,7 +431,6 @@ spec:
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
-        - --enable-metrics=false
        env:
        - name: POD_NAME
          valueFrom:
@ -444,7 +442,7 @@ spec:
              fieldPath: metadata.namespace
        - name: LD_PRELOAD
          value: /usr/local/lib/libmimalloc.so
-        image: registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52
+        image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
@ -494,6 +492,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: false
+          runAsGroup: 82
          runAsNonRoot: true
          runAsUser: 101
          seccompProfile:
@ -520,7 +519,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
 spec:
@ -531,7 +530,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
      name: ingress-nginx-admission-create
    spec:
      containers:
@ -554,6 +553,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: true
+          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
@ -571,7 +571,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
 spec:
@ -582,7 +582,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
      name: ingress-nginx-admission-patch
    spec:
      containers:
@ -607,6 +607,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: true
+          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
@ -624,7 +625,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: nginx
 spec:
  controller: k8s.io/ingress-nginx
@ -637,7 +638,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
--- a/deploy/static/provider/do/deploy.yaml
+++ b/deploy/static/provider/do/deploy.yaml
@ -15,7 +15,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 ---
@ -28,7 +28,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 ---
@ -40,7 +40,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 rules:
@ -130,7 +130,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 rules:
@ -149,7 +149,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
 rules:
 - apiGroups:
@ -231,7 +231,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 rules:
 - apiGroups:
@ -250,7 +250,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 roleRef:
@ -270,7 +270,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 roleRef:
@ -289,7 +289,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
 roleRef:
  apiGroup: rbac.authorization.k8s.io
@ -308,7 +308,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 roleRef:
  apiGroup: rbac.authorization.k8s.io
@ -321,7 +321,6 @@ subjects:
 ---
 apiVersion: v1
 data:
-  allow-snippet-annotations: "false"
  use-proxy-protocol: "true"
 kind: ConfigMap
 metadata:
@ -330,7 +329,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 ---
@ -344,7 +343,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 spec:
@ -377,7 +376,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
 spec:
@ -400,7 +399,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 spec:
@ -422,7 +421,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
    spec:
      containers:
      - args:
@ -435,7 +434,6 @@ spec:
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
-        - --enable-metrics=false
        env:
        - name: POD_NAME
          valueFrom:
@ -447,7 +445,7 @@ spec:
              fieldPath: metadata.namespace
        - name: LD_PRELOAD
          value: /usr/local/lib/libmimalloc.so
-        image: registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52
+        image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
@ -497,6 +495,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: false
+          runAsGroup: 82
          runAsNonRoot: true
          runAsUser: 101
          seccompProfile:
@ -523,7 +522,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
 spec:
@ -534,7 +533,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
      name: ingress-nginx-admission-create
    spec:
      containers:
@ -557,6 +556,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: true
+          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
@ -574,7 +574,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
 spec:
@ -585,7 +585,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
      name: ingress-nginx-admission-patch
    spec:
      containers:
@ -610,6 +610,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: true
+          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
@ -627,7 +628,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: nginx
 spec:
  controller: k8s.io/ingress-nginx
@ -640,7 +641,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
--- a/deploy/static/provider/exoscale/deploy.yaml
+++ b/deploy/static/provider/exoscale/deploy.yaml
@ -15,7 +15,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 ---
@ -28,7 +28,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 ---
@ -40,7 +40,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 rules:
@ -130,7 +130,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 rules:
@ -149,7 +149,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
 rules:
 - apiGroups:
@ -231,7 +231,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 rules:
 - apiGroups:
@ -250,7 +250,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 roleRef:
@ -270,7 +270,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 roleRef:
@ -289,7 +289,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
 roleRef:
  apiGroup: rbac.authorization.k8s.io
@ -308,7 +308,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 roleRef:
  apiGroup: rbac.authorization.k8s.io
@ -320,8 +320,7 @@ subjects:
  namespace: ingress-nginx
 ---
 apiVersion: v1
-data:
-  allow-snippet-annotations: "false"
+data: null
 kind: ConfigMap
 metadata:
  labels:
@ -329,7 +328,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 ---
@ -350,7 +349,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 spec:
@ -383,7 +382,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
 spec:
@ -406,7 +405,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 spec:
@ -424,7 +423,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
    spec:
      containers:
      - args:
@ -437,7 +436,6 @@ spec:
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
-        - --enable-metrics=false
        env:
        - name: POD_NAME
          valueFrom:
@ -449,7 +447,7 @@ spec:
              fieldPath: metadata.namespace
        - name: LD_PRELOAD
          value: /usr/local/lib/libmimalloc.so
-        image: registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52
+        image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
@ -499,6 +497,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: false
+          runAsGroup: 82
          runAsNonRoot: true
          runAsUser: 101
          seccompProfile:
@ -529,7 +528,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
 spec:
@ -540,7 +539,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
      name: ingress-nginx-admission-create
    spec:
      containers:
@ -563,6 +562,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: true
+          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
@ -580,7 +580,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
 spec:
@ -591,7 +591,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
      name: ingress-nginx-admission-patch
    spec:
      containers:
@ -616,6 +616,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: true
+          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
@ -633,7 +634,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: nginx
 spec:
  controller: k8s.io/ingress-nginx
@ -646,7 +647,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
--- a/deploy/static/provider/kind/deploy.yaml
+++ b/deploy/static/provider/kind/deploy.yaml
@ -15,7 +15,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 ---
@ -28,7 +28,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 ---
@ -40,7 +40,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 rules:
@ -130,7 +130,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 rules:
@ -149,7 +149,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
 rules:
 - apiGroups:
@ -231,7 +231,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 rules:
 - apiGroups:
@ -250,7 +250,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 roleRef:
@ -270,7 +270,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 roleRef:
@ -289,7 +289,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
 roleRef:
  apiGroup: rbac.authorization.k8s.io
@ -308,7 +308,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 roleRef:
  apiGroup: rbac.authorization.k8s.io
@ -320,8 +320,7 @@ subjects:
  namespace: ingress-nginx
 ---
 apiVersion: v1
-data:
-  allow-snippet-annotations: "false"
+data: null
 kind: ConfigMap
 metadata:
  labels:
@ -329,7 +328,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 ---
@ -341,7 +340,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 spec:
@ -373,7 +372,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
 spec:
@ -396,7 +395,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 spec:
@ -418,7 +417,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
    spec:
      containers:
      - args:
@ -431,7 +430,6 @@ spec:
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
        - --watch-ingress-without-class=true
-        - --enable-metrics=false
        - --publish-status-address=localhost
        env:
        - name: POD_NAME
@ -444,7 +442,7 @@ spec:
              fieldPath: metadata.namespace
        - name: LD_PRELOAD
          value: /usr/local/lib/libmimalloc.so
-        image: registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52
+        image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
@ -496,6 +494,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: false
+          runAsGroup: 82
          runAsNonRoot: true
          runAsUser: 101
          seccompProfile:
@ -530,7 +529,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
 spec:
@ -541,7 +540,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
      name: ingress-nginx-admission-create
    spec:
      containers:
@ -564,6 +563,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: true
+          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
@ -581,7 +581,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
 spec:
@ -592,7 +592,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
      name: ingress-nginx-admission-patch
    spec:
      containers:
@ -617,6 +617,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: true
+          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
@ -634,7 +635,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: nginx
 spec:
  controller: k8s.io/ingress-nginx
@ -647,7 +648,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
--- a/deploy/static/provider/oracle/deploy.yaml
+++ b/deploy/static/provider/oracle/deploy.yaml
@ -15,7 +15,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 ---
@ -28,7 +28,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 ---
@ -40,7 +40,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 rules:
@ -130,7 +130,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 rules:
@ -149,7 +149,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
 rules:
 - apiGroups:
@ -231,7 +231,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 rules:
 - apiGroups:
@ -250,7 +250,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 roleRef:
@ -270,7 +270,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 roleRef:
@ -289,7 +289,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
 roleRef:
  apiGroup: rbac.authorization.k8s.io
@ -308,7 +308,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 roleRef:
  apiGroup: rbac.authorization.k8s.io
@ -320,8 +320,7 @@ subjects:
  namespace: ingress-nginx
 ---
 apiVersion: v1
-data:
-  allow-snippet-annotations: "false"
+data: null
 kind: ConfigMap
 metadata:
  labels:
@ -329,7 +328,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 ---
@ -345,7 +344,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 spec:
@ -378,7 +377,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
 spec:
@ -401,7 +400,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 spec:
@ -423,7 +422,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
    spec:
      containers:
      - args:
@ -436,7 +435,6 @@ spec:
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
-        - --enable-metrics=false
        env:
        - name: POD_NAME
          valueFrom:
@ -448,7 +446,7 @@ spec:
              fieldPath: metadata.namespace
        - name: LD_PRELOAD
          value: /usr/local/lib/libmimalloc.so
-        image: registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52
+        image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
@ -498,6 +496,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: false
+          runAsGroup: 82
          runAsNonRoot: true
          runAsUser: 101
          seccompProfile:
@ -524,7 +523,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
 spec:
@ -535,7 +534,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
      name: ingress-nginx-admission-create
    spec:
      containers:
@ -558,6 +557,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: true
+          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
@ -575,7 +575,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
 spec:
@ -586,7 +586,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
      name: ingress-nginx-admission-patch
    spec:
      containers:
@ -611,6 +611,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: true
+          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
@ -628,7 +629,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: nginx
 spec:
  controller: k8s.io/ingress-nginx
@ -641,7 +642,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
--- a/deploy/static/provider/scw/deploy.yaml
+++ b/deploy/static/provider/scw/deploy.yaml
@ -15,7 +15,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 ---
@ -28,7 +28,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 ---
@ -40,7 +40,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 rules:
@ -130,7 +130,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 rules:
@ -149,7 +149,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
 rules:
 - apiGroups:
@ -231,7 +231,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 rules:
 - apiGroups:
@ -250,7 +250,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
  namespace: ingress-nginx
 roleRef:
@ -270,7 +270,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 roleRef:
@ -289,7 +289,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx
 roleRef:
  apiGroup: rbac.authorization.k8s.io
@ -308,7 +308,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 roleRef:
  apiGroup: rbac.authorization.k8s.io
@ -321,7 +321,6 @@ subjects:
 ---
 apiVersion: v1
 data:
-  allow-snippet-annotations: "false"
  use-proxy-protocol: "true"
 kind: ConfigMap
 metadata:
@ -330,7 +329,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 ---
@ -344,7 +343,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 spec:
@ -377,7 +376,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
 spec:
@ -400,7 +399,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 spec:
@ -422,7 +421,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
    spec:
      containers:
      - args:
@ -435,7 +434,6 @@ spec:
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
-        - --enable-metrics=false
        env:
        - name: POD_NAME
          valueFrom:
@ -447,7 +445,7 @@ spec:
              fieldPath: metadata.namespace
        - name: LD_PRELOAD
          value: /usr/local/lib/libmimalloc.so
-        image: registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52
+        image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
@ -497,6 +495,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: false
+          runAsGroup: 82
          runAsNonRoot: true
          runAsUser: 101
          seccompProfile:
@ -523,7 +522,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
 spec:
@ -534,7 +533,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
      name: ingress-nginx-admission-create
    spec:
      containers:
@ -557,6 +556,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: true
+          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
@ -574,7 +574,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
 spec:
@ -585,7 +585,7 @@ spec:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.4
+        app.kubernetes.io/version: 1.12.0
      name: ingress-nginx-admission-patch
    spec:
      containers:
@ -610,6 +610,7 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: true
+          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
@ -627,7 +628,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: nginx
 spec:
  controller: k8s.io/ingress-nginx
@ -640,7 +641,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.4
+    app.kubernetes.io/version: 1.12.0
  name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@ -92,7 +92,7 @@ helm show values ingress-nginx --repo https://kubernetes.github.io/ingress-nginx
 **If you don't have Helm** or if you prefer to use a YAML manifest, you can run the following command instead:

 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.4/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/cloud/deploy.yaml
 ```

 !!! info
@ -274,7 +274,7 @@ In AWS, we use a Network load balancer (NLB) to expose the Ingress-Nginx Control
 ##### Network Load Balancer (NLB)

 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.4/deploy/static/provider/aws/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/aws/deploy.yaml
 ```

 ##### TLS termination in AWS Load Balancer (NLB)
@ -282,10 +282,10 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont
 By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer.
 This section explains how to do that on AWS using an NLB.

-1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.4/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template
+1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template

  ```console
-  wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.4/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
+  wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
  ```

 2. Edit the file and change the VPC CIDR in use for the Kubernetes cluster:
@ -333,7 +333,7 @@ kubectl create clusterrolebinding cluster-admin-binding \
 Then, the ingress controller can be installed like this:

 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.4/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/cloud/deploy.yaml
 ```

 !!! warning
@ -350,7 +350,7 @@ Proxy-protocol is supported in GCE check the [Official Documentations on how to
 #### Azure

 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.4/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/cloud/deploy.yaml
 ```

 More information with regard to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller).
@ -358,7 +358,7 @@ More information with regard to Azure annotations for ingress controller can be
 #### Digital Ocean

 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.4/deploy/static/provider/do/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/do/deploy.yaml
 ```

 - By default the service object of the ingress-nginx-controller for Digital-Ocean, only configures one annotation. Its this one `service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"`. While this makes the service functional, it was reported that the Digital-Ocean LoadBalancer graphs shows `no data`, unless a few other annotations are also configured. Some of these other annotations require values that can not be generic and hence not forced in a out-of-the-box installation. These annotations and a discussion on them is well documented in [this issue](https://github.com/kubernetes/ingress-nginx/issues/8965). Please refer to the issue to add annotations, with values specific to user, to get graphs of the DO-LB populated with data.
@ -366,7 +366,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont
 #### Scaleway

 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.4/deploy/static/provider/scw/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/scw/deploy.yaml
 ```

 Refer to the [dedicated tutorial](https://www.scaleway.com/en/docs/tutorials/proxy-protocol-v2-load-balancer/#configuring-proxy-protocol-for-ingress-nginx) in the Scaleway documentation for configuring the proxy protocol for ingress-nginx with the Scaleway load balancer.
@ -383,7 +383,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale
 #### Oracle Cloud Infrastructure

 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.4/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/cloud/deploy.yaml
 ```

 A
@ -410,7 +410,7 @@ For quick testing, you can use a
 This should work on almost every cluster, but it will typically use a port in the range 30000-32767.

 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.4/deploy/static/provider/baremetal/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/baremetal/deploy.yaml
 ```

 For more information about bare metal deployments (and how to use port 80 instead of a random port in the 30000-32767 range),
--- a/docs/e2e-tests.md
+++ b/docs/e2e-tests.md
@ -7,18 +7,17 @@ Do not try to edit it manually.


 ### [[Admission] admission controller](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L39)
- [reject ingress with global-rate-limit annotations when memcached is not configured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L47)
- [should not allow overlaps of host and paths without canary annotations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L74)
- [should allow overlaps of host and paths with canary annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L91)
- [should block ingress with invalid path](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L112)
- [should return an error if there is an error validating the ingress definition](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L129)
- [should return an error if there is an invalid value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L149)
- [should return an error if there is a forbidden value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L163)
- [should return an error if there is an invalid path and wrong pathType is set](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L177)
- [should not return an error if the Ingress V1 definition is valid with Ingress Class](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L211)
- [should not return an error if the Ingress V1 definition is valid with IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L227)
- [should return an error if the Ingress V1 definition contains invalid annotations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L243)
- [should not return an error for an invalid Ingress when it has unknown class](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L263)
+- [should not allow overlaps of host and paths without canary annotations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L47)
+- [should allow overlaps of host and paths with canary annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L64)
+- [should block ingress with invalid path](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L85)
+- [should return an error if there is an error validating the ingress definition](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L102)
+- [should return an error if there is an invalid value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L116)
+- [should return an error if there is a forbidden value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L130)
+- [should return an error if there is an invalid path and wrong pathType is set](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L144)
+- [should not return an error if the Ingress V1 definition is valid with Ingress Class](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L178)
+- [should not return an error if the Ingress V1 definition is valid with IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L194)
+- [should return an error if the Ingress V1 definition contains invalid annotations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L210)
+- [should not return an error for an invalid Ingress when it has unknown class](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L224)
 ### [affinity session-cookie-name](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L43)
 - [should set sticky cookie SERVERID](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L50)
 - [should change cookie name on ingress definition change](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L72)
@ -54,24 +53,24 @@ Do not try to edit it manually.
 - [should return status code 200 when authentication is configured with a map and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L205)
 - [should return status code 401 when authentication is configured with invalid content and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L233)
 - [proxy_set_header My-Custom-Header 42;](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L272)
- [proxy_set_header My-Custom-Header 42;](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L298)
- [proxy_set_header 'My-Custom-Header' '42';](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L324)
- [user retains cookie by default](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L433)
- [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L444)
- [user with annotated ingress retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L455)
- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L494)
- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L503)
- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L514)
- [should overwrite Foo header with auth response](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L538)
- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L714)
- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L723)
- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L734)
- [should return status code 200 when signed in after auth backend is deleted ](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L793)
- [should deny login for different location on same server](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L813)
- [should deny login for different servers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L841)
- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L870)
- [should return 503 (location was denied)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L900)
- [should add error to the config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L908)
+- [proxy_set_header My-Custom-Header 42;](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L292)
+- [proxy_set_header 'My-Custom-Header' '42';](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L311)
+- [user retains cookie by default](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L420)
+- [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L431)
+- [user with annotated ingress retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L442)
+- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L481)
+- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L490)
+- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L501)
+- [should overwrite Foo header with auth response](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L525)
+- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L701)
+- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L710)
+- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L721)
+- [should return status code 200 when signed in after auth backend is deleted ](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L780)
+- [should deny login for different location on same server](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L800)
+- [should deny login for different servers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L828)
+- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L857)
+- [should return 503 (location was denied)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L887)
+- [should add error to the config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L895)
 ### [auth-tls-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/authtls.go#L31)
 - [should set sslClientCertificate, sslVerifyClient and sslVerifyDepth with auth-tls-secret](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/authtls.go#L38)
 - [should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/authtls.go#L86)
@ -149,6 +148,7 @@ Do not try to edit it manually.
 - [should allow correct origins - missing subdomain + origin with wildcard origin and correct origin](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L540)
 - [should allow - missing origins (should allow all origins)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L576)
 - [should allow correct origin but not others - cors allow origin annotations contain trailing comma](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L636)
+- [should allow - origins with non-http[s] protocols](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L673)
 ### [custom-headers-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/customheaders.go#L33)
 - [should return status code 200 when no custom-headers is configured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/customheaders.go#L40)
 - [should return status code 503 when custom-headers is configured with an invalid secret](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/customheaders.go#L57)
@ -173,15 +173,13 @@ Do not try to edit it manually.
 ### [from-to-www-redirect](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fromtowwwredirect.go#L31)
 - [should redirect from www HTTP to HTTP](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fromtowwwredirect.go#L38)
 - [should redirect from www HTTPS to HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fromtowwwredirect.go#L64)
-### [annotation-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/globalratelimit.go#L30)
- [generates correct configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/globalratelimit.go#L38)
 ### [backend-protocol - GRPC](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L45)
 - [should use grpc_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L48)
 - [should return OK for service with backend protocol GRPC](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L71)
 - [authorization metadata should be overwritten by external auth response headers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L132)
 - [should return OK for service with backend protocol GRPCS](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L193)
- [should return OK when request not exceed timeout](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L266)
- [should return Error when request exceed timeout](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L309)
+- [should return OK when request not exceed timeout](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L260)
+- [should return Error when request exceed timeout](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L303)
 ### [http2-push-preload](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/http2pushpreload.go#L27)
 - [enable the http2-push-preload directive](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/http2pushpreload.go#L34)
 ### [allowlist-source-range](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/ipallowlist.go#L27)
@ -205,14 +203,14 @@ Do not try to edit it manually.
 - [should enable modsecurity with transaction ID and OWASP rules](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L64)
 - [should disable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L85)
 - [should enable modsecurity with snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L102)
- [should enable modsecurity without using 'modsecurity on;'](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L130)
- [should disable modsecurity using 'modsecurity off;'](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L153)
- [should enable modsecurity with snippet and block requests](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L175)
- [should enable modsecurity globally and with modsecurity-snippet block requests](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L214)
- [should enable modsecurity when enable-owasp-modsecurity-crs is set to true](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L253)
- [should enable modsecurity through the config map](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L292)
- [should enable modsecurity through the config map but ignore snippet as disabled by admin](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L338)
- [should disable default modsecurity conf setting when modsecurity-snippet is specified](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L380)
+- [should enable modsecurity without using 'modsecurity on;'](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L124)
+- [should disable modsecurity using 'modsecurity off;'](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L147)
+- [should enable modsecurity with snippet and block requests](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L169)
+- [should enable modsecurity globally and with modsecurity-snippet block requests](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L202)
+- [should enable modsecurity when enable-owasp-modsecurity-crs is set to true](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L235)
+- [should enable modsecurity through the config map](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L269)
+- [should enable modsecurity through the config map but ignore snippet as disabled by admin](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L309)
+- [should disable default modsecurity conf setting when modsecurity-snippet is specified](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L354)
 ### [preserve-trailing-slash](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/preservetrailingslash.go#L27)
 - [should allow preservation of trailing slashes](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/preservetrailingslash.go#L34)
 ### [proxy-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L30)
@ -224,10 +222,10 @@ Do not try to edit it manually.
 - [should set valid proxy timeouts](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L117)
 - [should not set invalid proxy timeouts](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L138)
 - [should turn on proxy-buffering](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L159)
- [should turn off proxy-request-buffering](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L181)
- [should build proxy next upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L196)
- [should setup proxy cookies](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L217)
- [should change the default proxy HTTP version](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L235)
+- [should turn off proxy-request-buffering](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L184)
+- [should build proxy next upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L199)
+- [should setup proxy cookies](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L220)
+- [should change the default proxy HTTP version](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L238)
 ### [proxy-ssl-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxyssl.go#L32)
 - [should set valid proxy-ssl-secret](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxyssl.go#L39)
 - [should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxyssl.go#L66)
@ -237,6 +235,10 @@ Do not try to edit it manually.
 ### [permanent-redirect permanent-redirect-code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/redirect.go#L30)
 - [should respond with a standard redirect code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/redirect.go#L33)
 - [should respond with a custom redirect code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/redirect.go#L61)
+### [relative-redirects](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/relativeredirects.go#L35)
+- [configures Nginx correctly](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/relativeredirects.go#L43)
+- [should respond with absolute URL in Location](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/relativeredirects.go#L61)
+- [should respond with relative URL in Location](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/relativeredirects.go#L85)
 ### [rewrite-target use-regex enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/rewrite.go#L32)
 - [should write rewrite logs](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/rewrite.go#L39)
 - [should use correct longest path match](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/rewrite.go#L68)
@ -253,13 +255,13 @@ Do not try to edit it manually.
 - [should not use the Service Cluster IP and Port](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/serviceupstream.go#L97)
 ### [configuration-snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/snippet.go#L28)
 - [set snippet more_set_headers in all locations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/snippet.go#L34)
- [drops snippet more_set_header in all locations if disabled by admin](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/snippet.go#L73)
+- [drops snippet more_set_header in all locations if disabled by admin](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/snippet.go#L66)
 ### [ssl-ciphers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/sslciphers.go#L28)
 - [should change ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/sslciphers.go#L35)
 - [should keep ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/sslciphers.go#L58)
 ### [stream-snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/streamsnippet.go#L34)
 - [should add value of stream-snippet to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/streamsnippet.go#L41)
- [should add stream-snippet and drop annotations per admin config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/streamsnippet.go#L94)
+- [should add stream-snippet and drop annotations per admin config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/streamsnippet.go#L88)
 ### [upstream-hash-by-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/upstreamhashby.go#L79)
 - [should connect to the same pod](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/upstreamhashby.go#L86)
 - [should connect to the same subset of pods](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/upstreamhashby.go#L95)
@ -332,13 +334,15 @@ Do not try to edit it manually.
 - [removes HTTPS configuration when we delete TLS spec](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_certificates.go#L233)
 ### [[Lua] dynamic configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L41)
 - [configures balancer Lua middleware correctly](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L49)
- [handles endpoints only changes](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L61)
- [handles endpoints only changes (down scaling of replicas)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L86)
- [handles endpoints only changes consistently (down scaling of replicas vs. empty service)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L124)
- [handles an annotation change](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L170)
+- [handles endpoints only changes](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L56)
+- [handles endpoints only changes (down scaling of replicas)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L81)
+- [handles endpoints only changes consistently (down scaling of replicas vs. empty service)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L119)
+- [handles an annotation change](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L165)
 ### [[metrics] exported prometheus metrics](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/metrics/metrics.go#L36)
- [exclude socket request metrics are absent](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/metrics/metrics.go#L50)
- [exclude socket request metrics are present](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/metrics/metrics.go#L72)
+- [exclude socket request metrics are absent](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/metrics/metrics.go#L51)
+- [exclude socket request metrics are present](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/metrics/metrics.go#L73)
+- [request metrics per undefined host are present when flag is set](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/metrics/metrics.go#L95)
+- [request metrics per undefined host are not present when flag is not set](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/metrics/metrics.go#L128)
 ### [nginx-configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/nginx/nginx.go#L99)
 - [start nginx with default configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/nginx/nginx.go#L102)
 - [fails when using alias directive](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/nginx/nginx.go#L114)
@ -371,9 +375,9 @@ Do not try to edit it manually.
 - [should be disabled when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/aio_write.go#L46)
 ### [Bad annotation values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L29)
 - [[BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L36)
- [[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L75)
- [[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L119)
- [[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L157)
+- [[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L68)
+- [[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L105)
+- [[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L138)
 ### [brotli](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/brotli.go#L30)
 - [should only compress responses that meet the `brotli-min-length` condition](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/brotli.go#L38)
 ### [Configmap change](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/configmap_change.go#L29)
@ -404,7 +408,7 @@ Do not try to edit it manually.
 ### [Geoip2](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/geoip2.go#L36)
 - [should include geoip2 line in config when enabled and db file exists](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/geoip2.go#L45)
 - [should only allow requests from specific countries](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/geoip2.go#L69)
- [should up and running nginx controller using autoreload flag](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/geoip2.go#L128)
+- [should up and running nginx controller using autoreload flag](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/geoip2.go#L122)
 ### [[Security] block-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_access_block.go#L28)
 - [should block CIDRs defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_access_block.go#L38)
 - [should block User-Agents defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_access_block.go#L55)
@ -420,8 +424,6 @@ Do not try to edit it manually.
 ### [global-options](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_options.go#L28)
 - [should have worker_rlimit_nofile option](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_options.go#L31)
 - [should have worker_rlimit_nofile option and be independent on amount of worker processes](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_options.go#L37)
-### [settings-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/globalratelimit.go#L30)
- [generates correct NGINX configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/globalratelimit.go#L38)
 ### [GRPC](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/grpc.go#L39)
 - [should set the correct GRPC Buffer Size](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/grpc.go#L42)
 ### [gzip](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/gzip.go#L30)
@ -492,22 +494,20 @@ Do not try to edit it manually.
 - [should return status code 200 when accessing '/noauth' unauthenticated](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/no_auth_locations.go#L82)
 ### [Add no tls redirect locations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/no_tls_redirect_locations.go#L27)
 - [Check no tls redirect locations config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/no_tls_redirect_locations.go#L30)
-### [OCSP](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ocsp/ocsp.go#L42)
- [should enable OCSP and contain stapling information in the connection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ocsp/ocsp.go#L49)
+### [OCSP](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ocsp/ocsp.go#L43)
+- [should enable OCSP and contain stapling information in the connection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ocsp/ocsp.go#L50)
 ### [Configure Opentelemetry](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L39)
 - [should not exists opentelemetry directive](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L49)
 - [should exists opentelemetry directive when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L62)
 - [should include opentelemetry_trust_incoming_spans on directive when enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L76)
 - [should not exists opentelemetry_operation_name directive when is empty](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L91)
 - [should exists opentelemetry_operation_name directive when is configured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L106)
-### [plugins](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/plugins.go#L28)
- [should exist a x-hello-world header](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/plugins.go#L35)
 ### [proxy-connect-timeout](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_connect_timeout.go#L29)
 - [should set valid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_connect_timeout.go#L37)
 - [should not set invalid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_connect_timeout.go#L53)
 ### [Dynamic $proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_host.go#L28)
 - [should exist a proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_host.go#L36)
- [should exist a proxy_host using the upstream-vhost annotation value](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_host.go#L65)
+- [should exist a proxy_host using the upstream-vhost annotation value](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_host.go#L60)
 ### [proxy-next-upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_next_upstream.go#L28)
 - [should build proxy next upstream using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_next_upstream.go#L36)
 ### [use-proxy-protocol](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_protocol.go#L38)
@ -527,7 +527,7 @@ Do not try to edit it manually.
 - [reuse port should be enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/reuse-port.go#L52)
 ### [configmap server-snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_snippet.go#L28)
 - [should add value of server-snippet setting to all ingress config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_snippet.go#L35)
- [should add global server-snippet and drop annotations per admin config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_snippet.go#L98)
+- [should add global server-snippet and drop annotations per admin config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_snippet.go#L100)
 ### [server-tokens](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_tokens.go#L29)
 - [should not exists Server header in the response](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_tokens.go#L38)
 - [should exists Server header in the response when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_tokens.go#L50)
@ -539,14 +539,14 @@ Do not try to edit it manually.
 - [should pass unknown traffic to default backend and handle known traffic](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_passthrough.go#L78)
 ### [configmap stream-snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/stream_snippet.go#L35)
 - [should add value of stream-snippet via config map to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/stream_snippet.go#L42)
-### [[SSL] TLS protocols, ciphers and headers)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L31)
- [setting cipher suite](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L65)
- [setting max-age parameter](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L109)
- [setting includeSubDomains parameter](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L125)
- [setting preload parameter](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L144)
- [overriding what's set from the upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L164)
- [should not use ports during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L186)
- [should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L204)
+### [[SSL] TLS protocols, ciphers and headers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L32)
+- [setting cipher suite](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L66)
+- [setting max-age parameter](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L110)
+- [setting includeSubDomains parameter](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L127)
+- [setting preload parameter](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L147)
+- [overriding what's set from the upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L168)
+- [should not use ports during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L190)
+- [should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L208)
 ### [annotation validations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/validations/validations.go#L30)
 - [should allow ingress based on their risk on webhooks](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/validations/validations.go#L33)
 - [should allow ingress based on their risk on webhooks](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/validations/validations.go#L68)
--- a/docs/examples/psp/README.md
+++ b/docs/examples/psp/README.md
@ -1,17 +0,0 @@
-# Pod Security Policy (PSP)
-
-In most clusters today, by default, all resources (e.g. `Deployments` and `ReplicatSets`)
-have permissions to create pods.
-Kubernetes however provides a more fine-grained authorization policy called
-[Pod Security Policy (PSP)](https://kubernetes.io/docs/concepts/policy/pod-security-policy/).
-
-PSP allows the cluster owner to define the permission of each object, for example creating a pod.
-If you have PSP enabled on the cluster, and you deploy ingress-nginx,
-you will need to provide the `Deployment` with the permissions to create pods.
-
-Before applying any objects, first apply the PSP permissions by running:
-```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/psp/psp.yaml
-```
-
-Note: PSP permissions must be granted before the creation of the `Deployment` and the `ReplicaSet`.
--- a/docs/examples/psp/psp.yaml
+++ b/docs/examples/psp/psp.yaml
@ -1,75 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: ingress-nginx
-
---
-
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: ingress-nginx
-  namespace: ingress-nginx
-spec:
-  allowedCapabilities:
-    - NET_BIND_SERVICE
-  privileged: false
-  allowPrivilegeEscalation: true
-  # Allow core volume types.
-  volumes:
-    - configMap
-    - secret
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    # Require the container to run without root privileges.
-    rule: MustRunAsNonRoot
-  supplementalGroups:
-    rule: MustRunAs
-    ranges:
-      # Forbid adding the root group.
-      - min: 1
-        max: 65535
-  fsGroup:
-    rule: MustRunAs
-    ranges:
-      # Forbid adding the root group.
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: false
-  seLinux:
-    rule: RunAsAny
-
---
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: ingress-nginx-psp
-  namespace: ingress-nginx
-rules:
- apiGroups: [policy]
-  resources: [podsecuritypolicies]
-  verbs: [use]
-  resourceNames: [ingress-nginx]
-
---
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: ingress-nginx-psp
-  namespace: ingress-nginx
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: ingress-nginx-psp
-subjects:
- kind: ServiceAccount
-  name: default
- kind: ServiceAccount
-  name: ingress-nginx
-  namespace: ingress-nginx
- kind: ServiceAccount
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
--- a/docs/troubleshooting.md
+++ b/docs/troubleshooting.md
@ -443,7 +443,7 @@ $ capsh --decode=0000000000000400
 ```

 ## Create a test pod as root
-(Note, this may be restricted by PodSecurityPolicy, PodSecurityAdmission/Standards, OPA Gatekeeper, etc. in which case you will need to do the appropriate workaround for testing, e.g. deploy in a new namespace without the restrictions.)
+(Note, this may be restricted by PodSecurityAdmission/Standards, OPA Gatekeeper, etc. in which case you will need to do the appropriate workaround for testing, e.g. deploy in a new namespace without the restrictions.)
 To test further you may want to install additional utilities, etc.  Modify the pod yaml by:
 * changing runAsUser from 101 to 0
 * removing the "drop..ALL" section from the capabilities.
--- a/docs/user-guide/cli-arguments.md
+++ b/docs/user-guide/cli-arguments.md
@ -8,6 +8,7 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment
 |----------|-------------|
 | `--annotations-prefix`             | Prefix of the Ingress annotations specific to the NGINX controller. (default "nginx.ingress.kubernetes.io") |
 | `--apiserver-host`                 | Address of the Kubernetes API server. Takes the form "protocol://address:port". If not specified, it is assumed the program runs inside a Kubernetes cluster and local discovery is attempted. |
+| `--bucket-factor`                    | Bucket factor for native histograms. Value must be > 1 for enabling native histograms. (default 0) |
 | `--certificate-authority`          | Path to a cert file for the certificate authority. This certificate is used only when the flag --apiserver-host is specified. |
 | `--configmap`                      | Name of the ConfigMap containing custom global configurations for the controller. |
 | `--controller-class`                      | Ingress Class Controller value this Ingress satisfies. The class of an Ingress object is set using the field IngressClassName in Kubernetes clusters version v1.19.0 or higher. The .spec.controller value of the IngressClass referenced in an Ingress Object should be the same value specified here to make this object be watched. |
@ -15,7 +16,7 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment
 | `--default-backend-service`        | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form "namespace/name". The controller configures NGINX to forward requests to the first port of this Service. |
 | `--default-server-port`            | Port to use for exposing the default server (catch-all). (default 8181) |
 | `--default-ssl-certificate`        | Secret containing a SSL certificate to be used by the default HTTPS server (catch-all). Takes the form "namespace/name". |
-| `--enable-annotation-validation`  | If true, will enable the annotation validation feature. This value will be defaulted to true on a future release. |
+| `--enable-annotation-validation`  | If true, will enable the annotation validation feature. Defaults to true |
 | `--disable-catch-all`              | Disable support for catch-all Ingresses. (default false) |
 | `--disable-full-test` | Disable full test of all merged ingresses at the admission stage and tests the template of the ingress being created or updated  (full test of all ingresses is enabled by default). |
 | `--disable-svc-external-name` | Disable support for Services of type ExternalName. (default false) |
@ -23,7 +24,7 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment
 | `--dynamic-configuration-retries` | Number of times to retry failed dynamic configuration before failing to sync an ingress. (default 15) |
 | `--election-id`                    | Election id to use for Ingress status updates. (default "ingress-controller-leader") |
 | `--election-ttl`                  | Duration a leader election is valid before it's getting re-elected, e.g. `15s`, `10m` or `1h`. (Default: 30s) |
-| `--enable-metrics`                 | Enables the collection of NGINX metrics. (default true) |
+| `--enable-metrics`                 | Enables the collection of NGINX metrics. (Default: false) |
 | `--enable-ssl-chain-completion`    | Autocomplete SSL certificate chains with missing intermediate CA certificates. Certificates uploaded to Kubernetes must have the "Authority Information Access" X.509 v3 extension for this to succeed. (default false)|
 | `--enable-ssl-passthrough`         | Enable SSL Passthrough. (default false) |
 | `--disable-leader-election`        | Disable Leader Election on Nginx Controller. (default false) |
@ -40,12 +41,14 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment
 | `--internal-logger-address`        | Address to be used when binding internal syslogger. (default 127.0.0.1:11514) |
 | `--kubeconfig`                     | Path to a kubeconfig file containing authorization and API server information. |
 | `--length-buckets`                     | Set of buckets which will be used for prometheus histogram metrics such as RequestLength, ResponseLength. (default `[10, 20, 30, 40, 50, 60, 70, 80, 90, 100]`) |
+| `--max-buckets`                      | Maximum number of buckets for native histograms. (default 100) |
 | `--maxmind-edition-ids`            | Maxmind edition ids to download GeoLite2 Databases. (default "GeoLite2-City,GeoLite2-ASN") |
 | `--maxmind-retries-timeout`        | Maxmind downloading delay between 1st and 2nd attempt, 0s - do not retry to download if something went wrong. (default 0s) |
 | `--maxmind-retries-count`          | Number of attempts to download the GeoIP DB. (default 1) |
 | `--maxmind-license-key`            | Maxmind license key to download GeoLite2 Databases. https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/ . |
 | `--maxmind-mirror`            | Maxmind mirror url (example: http://geoip.local/databases. |
 | `--metrics-per-host`               | Export metrics per-host. (default true) |
+| `--metrics-per-undefined-host`     | Export metrics per-host even if the host is not defined in an ingress. Requires --metrics-per-host to be set to true. (default false) |
 | `--monitor-max-batch-size`               | Max batch size of NGINX metrics. (default 10000)|
 | `--post-shutdown-grace-period`     | Additional delay in seconds before controller container exits. (default 10) |
 | `--profiler-port`                  | Port to use for expose the ingress controller Go profiler when it is enabled. (default 10245) |
--- a/docs/user-guide/monitoring.md
+++ b/docs/user-guide/monitoring.md
@ -166,7 +166,9 @@ According to the above example, this URL will be http://10.192.0.3:31086

 #### Wildcard ingresses

-  - By default request metrics are labeled with the hostname. When you have a wildcard domain ingress, then there will be no metrics for that ingress (to prevent the metrics from exploding in cardinality). To get metrics in this case you need to run the ingress controller with `--metrics-per-host=false` (you will lose labeling by hostname, but still have labeling by ingress).
+  - By default request metrics are labeled with the hostname. When you have a wildcard domain ingress, then there will be no metrics for that ingress (to prevent the metrics from exploding in cardinality). To get metrics in this case you have two options:
+    - Run the ingress controller with `--metrics-per-host=false`. You will lose labeling by hostname, but still have labeling by ingress.
+    - Run the ingress controller with `--metrics-per-undefined-host=true --metrics-per-host=true`. You will get labeling by hostname even if the hostname is not explicitly defined on an ingress. Be warned that cardinality could explode due to many hostnames and CPU usage could also increase.

 ### Grafana dashboard using ingress resource
  - If you want to expose the dashboard for grafana using an ingress resource, then you can :
@ -386,10 +388,6 @@ Prometheus metrics are exposed on port 10254.
  The number of bytes sent to a client. **Deprecated**, use `nginx_ingress_controller_response_size`\
  nginx var: `bytes_sent`

-* `nginx_ingress_controller_ingress_upstream_latency_seconds` Summary\
-  Upstream service latency per Ingress. **Deprecated**, use `nginx_ingress_controller_connect_duration_seconds`\
-  nginx var: `upstream_connect_time`
-
 ```
 # HELP nginx_ingress_controller_bytes_sent The number of bytes sent to a client. DEPRECATED! Use nginx_ingress_controller_response_size
 # TYPE nginx_ingress_controller_bytes_sent histogram
@ -397,8 +395,6 @@ Prometheus metrics are exposed on port 10254.
 # TYPE nginx_ingress_controller_connect_duration_seconds nginx_ingress_controller_connect_duration_seconds
 * HELP nginx_ingress_controller_header_duration_seconds The time spent on receiving first header from the upstream server
 # TYPE nginx_ingress_controller_header_duration_seconds histogram
-# HELP nginx_ingress_controller_ingress_upstream_latency_seconds Upstream service latency per Ingress DEPRECATED! Use nginx_ingress_controller_connect_duration_seconds
-# TYPE nginx_ingress_controller_ingress_upstream_latency_seconds summary
 # HELP nginx_ingress_controller_request_duration_seconds The request processing time in milliseconds
 # TYPE nginx_ingress_controller_request_duration_seconds histogram
 # HELP nginx_ingress_controller_request_size The request length (including request line, header, and request body)
--- a/docs/user-guide/nginx-configuration/annotations-risk.md
+++ b/docs/user-guide/nginx-configuration/annotations-risk.md
@ -55,10 +55,6 @@
 | ExternalAuth | auth-url | High | location |
 | FastCGI | fastcgi-index | Medium | location |
 | FastCGI | fastcgi-params-configmap | Medium | location |
-| GlobalRateLimit | global-rate-limit | Low | ingress |
-| GlobalRateLimit | global-rate-limit-ignored-cidrs | Medium | ingress |
-| GlobalRateLimit | global-rate-limit-key | High | ingress |
-| GlobalRateLimit | global-rate-limit-window | Low | ingress |
 | HTTP2PushPreload | http2-push-preload | Low | location |
 | LoadBalancing | load-balance | Low | location |
 | Logs | enable-access-log | Low | location |
@ -77,6 +73,7 @@
 | Proxy | proxy-buffer-size | Low | location |
 | Proxy | proxy-buffering | Low | location |
 | Proxy | proxy-buffers-number | Low | location |
+| Proxy | proxy-busy-buffers-size | Low | location |
 | Proxy | proxy-connect-timeout | Low | location |
 | Proxy | proxy-cookie-domain | Medium | location |
 | Proxy | proxy-cookie-path | Medium | location |
@ -107,7 +104,9 @@
 | Redirect | from-to-www-redirect | Low | location |
 | Redirect | permanent-redirect | Medium | location |
 | Redirect | permanent-redirect-code | Low | location |
+| Redirect | relative-redirects | Low | location |
 | Redirect | temporal-redirect | Medium | location |
+| Redirect | temporal-redirect-code | Low | location |
 | Rewrite | app-root | Medium | location |
 | Rewrite | force-ssl-redirect | Medium | location |
 | Rewrite | preserve-trailing-slash | Medium | location |
--- a/docs/user-guide/nginx-configuration/annotations.md
+++ b/docs/user-guide/nginx-configuration/annotations.md
@ -64,13 +64,10 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz
 |[nginx.ingress.kubernetes.io/http2-push-preload](#http2-push-preload)|"true" or "false"|
 |[nginx.ingress.kubernetes.io/limit-connections](#rate-limiting)|number|
 |[nginx.ingress.kubernetes.io/limit-rps](#rate-limiting)|number|
-|[nginx.ingress.kubernetes.io/global-rate-limit](#global-rate-limiting)|number|
-|[nginx.ingress.kubernetes.io/global-rate-limit-window](#global-rate-limiting)|duration|
-|[nginx.ingress.kubernetes.io/global-rate-limit-key](#global-rate-limiting)|string|
-|[nginx.ingress.kubernetes.io/global-rate-limit-ignored-cidrs](#global-rate-limiting)|string|
 |[nginx.ingress.kubernetes.io/permanent-redirect](#permanent-redirect)|string|
 |[nginx.ingress.kubernetes.io/permanent-redirect-code](#permanent-redirect-code)|number|
 |[nginx.ingress.kubernetes.io/temporal-redirect](#temporal-redirect)|string|
+|[nginx.ingress.kubernetes.io/temporal-redirect-code](#temporal-redirect-code)|number|
 |[nginx.ingress.kubernetes.io/preserve-trailing-slash](#server-side-https-enforcement-through-redirect)|"true" or "false"|
 |[nginx.ingress.kubernetes.io/proxy-body-size](#custom-max-body-size)|string|
 |[nginx.ingress.kubernetes.io/proxy-cookie-domain](#proxy-cookie-domain)|string|
@ -119,6 +116,7 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz
 |[nginx.ingress.kubernetes.io/proxy-buffering](#proxy-buffering)|string|
 |[nginx.ingress.kubernetes.io/proxy-buffers-number](#proxy-buffers-number)|number|
 |[nginx.ingress.kubernetes.io/proxy-buffer-size](#proxy-buffer-size)|string|
+|[nginx.ingress.kubernetes.io/proxy-busy-buffers-size](#proxy-busy-buffers-size)|string|
 |[nginx.ingress.kubernetes.io/proxy-max-temp-file-size](#proxy-max-temp-file-size)|string|
 |[nginx.ingress.kubernetes.io/ssl-ciphers](#ssl-ciphers)|string|
 |[nginx.ingress.kubernetes.io/ssl-prefer-server-ciphers](#ssl-ciphers)|"true" or "false"|
@ -397,13 +395,13 @@ CORS can be controlled with the following annotations:

 * `nginx.ingress.kubernetes.io/cors-allow-origin`: Controls what's the accepted Origin for CORS.

-    This is a multi-valued field, separated by ','. It must follow this format: `http(s)://origin-site.com` or `http(s)://origin-site.com:port`
+    This is a multi-valued field, separated by ','. It must follow this format: `protocol://origin-site.com` or `protocol://origin-site.com:port`

    - Default: `*`
-    - Example: `nginx.ingress.kubernetes.io/cors-allow-origin: "https://origin-site.com:4443, http://origin-site.com, https://example.org:1199"`
+    - Example: `nginx.ingress.kubernetes.io/cors-allow-origin: "https://origin-site.com:4443, http://origin-site.com, myprotocol://example.org:1199"`

-    It also supports single level wildcard subdomains and follows this format: `http(s)://*.foo.bar`, `http(s)://*.bar.foo:8080` or `http(s)://*.abc.bar.foo:9000`
-    - Example: `nginx.ingress.kubernetes.io/cors-allow-origin: "https://*.origin-site.com:4443, http://*.origin-site.com, https://example.org:1199"`
+    It also supports single level wildcard subdomains and follows this format: `protocol://*.foo.bar`, `protocol://*.bar.foo:8080` or `protocol://*.abc.bar.foo:9000`
+    - Example: `nginx.ingress.kubernetes.io/cors-allow-origin: "https://*.origin-site.com:4443, http://*.origin-site.com, myprotocol://example.org:1199"`

 * `nginx.ingress.kubernetes.io/cors-allow-credentials`: Controls if credentials can be passed during CORS operations.

@ -571,46 +569,6 @@ To configure settings globally for all Ingress rules, the `limit-rate-after` and

 The client IP address will be set based on the use of [PROXY protocol](./configmap.md#use-proxy-protocol) or from the `X-Forwarded-For` header value when [use-forwarded-headers](./configmap.md#use-forwarded-headers) is enabled.

-### Global Rate Limiting
-
-**Note:** Be careful when configuring both (Local) Rate Limiting and Global Rate Limiting at the same time.
-They are two completely different rate limiting implementations. Whichever limit exceeds first will reject the
-requests. It might be a good idea to configure both of them to ease load on Global Rate Limiting backend
-in cases of spike in traffic.
-
-The stock NGINX rate limiting does not share its counters among different NGINX instances.
-Given that most ingress-nginx deployments are elastic and number of replicas can change any day
-it is impossible to configure a proper rate limit using stock NGINX functionalities.
-Global Rate Limiting overcome this by using [lua-resty-global-throttle](https://github.com/ElvinEfendi/lua-resty-global-throttle). `lua-resty-global-throttle` shares its counters via a central store such as `memcached`.
-The obvious shortcoming of this is users have to deploy and operate a `memcached` instance
-in order to benefit from this functionality. Configure the `memcached`
-using [these configmap settings](./configmap.md#global-rate-limit).
-
-**Here are a few remarks for ingress-nginx integration of `lua-resty-global-throttle`:**
-
-1. We minimize `memcached` access by caching exceeding limit decisions. The expiry of
-cache entry is the desired delay `lua-resty-global-throttle` calculates for us.
-The Lua Shared Dictionary used for that is `global_throttle_cache`. Currently its size defaults to 10M.
-Customize it as per your needs using [lua-shared-dicts](./configmap.md#lua-shared-dicts).
-When we fail to cache the exceeding limit decision then we log an NGINX error. You can monitor
-for that error to decide if you need to bump the cache size. Without cache the cost of processing a
-request is two memcached commands: `GET`, and `INCR`. With the cache it is only `INCR`.
-1. Log NGINX variable `$global_rate_limit_exceeding`'s value to have some visibility into
-what portion of requests are rejected (value `y`), whether they are rejected using cached decision (value `c`),
-or if they are not rejected (default value `n`). You can use [log-format-upstream](./configmap.md#log-format-upstream)
-to include that in access logs.
-1. In case of an error it will log the error message and **fail open**.
-1. The annotations below creates Global Rate Limiting instance per ingress.
-That means if there are multiple paths configured under the same ingress,
-the Global Rate Limiting will count requests to all the paths under the same counter.
-Extract a path out into its own ingress if you need to isolate a certain path.
-
-
-* `nginx.ingress.kubernetes.io/global-rate-limit`: Configures maximum allowed number of requests per window. Required.
-* `nginx.ingress.kubernetes.io/global-rate-limit-window`: Configures a time window (i.e `1m`) that the limit is applied. Required.
-* `nginx.ingress.kubernetes.io/global-rate-limit-key`: Configures a key for counting the samples. Defaults to `$remote_addr`. You can also combine multiple NGINX variables here, like `${remote_addr}-${http_x_api_client}` which would mean the limit will be applied to requests coming from the same API client (indicated by `X-API-Client` HTTP request header) with the same source IP address.
-* `nginx.ingress.kubernetes.io/global-rate-limit-ignored-cidrs`: comma separated list of IPs and CIDRs to match client IP against. When there's a match request is not considered for rate limiting.
-
 ### Permanent Redirect

 This annotation allows to return a permanent redirect (Return Code 301) instead of sending data to the upstream.  For example `nginx.ingress.kubernetes.io/permanent-redirect: https://www.google.com` would redirect everything to Google.
@ -622,6 +580,10 @@ This annotation allows you to modify the status code used for permanent redirect
 ### Temporal Redirect
 This annotation allows you to return a temporal redirect (Return Code 302) instead of sending data to the upstream. For example `nginx.ingress.kubernetes.io/temporal-redirect: https://www.google.com` would redirect everything to Google with a Return Code of 302 (Moved Temporarily)

+### Temporal Redirect Code
+
+This annotation allows you to modify the status code used for temporal redirects.  For example `nginx.ingress.kubernetes.io/temporal-redirect-code: '307'` would return your temporal-redirect with a 307.
+
 ### SSL Passthrough

 The annotation `nginx.ingress.kubernetes.io/ssl-passthrough` instructs the controller to send TLS connections directly
@ -786,6 +748,18 @@ To configure this setting globally, set `proxy-buffer-size` in [NGINX ConfigMap]
 nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
 ```

+### Proxy busy buffers size
+
+[Limits the total size of buffers that can be busy](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_busy_buffers_size) sending a response to the client while the response is not yet fully read.
+
+By default proxy busy buffers size is set as "8k".
+
+To configure this setting globally, set `proxy-busy-buffers-size` in the [ConfigMap](./configmap.md#proxy-busy-buffers-size). To use custom values in an Ingress rule, define this annotation:
+
+```yaml
+nginx.ingress.kubernetes.io/proxy-busy-buffers-size: "16k"
+```
+
 ### Proxy max temp file size

 When [`buffering`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering) of responses from the proxied server is enabled, and the whole response does not fit into the buffers set by the [`proxy_buffer_size`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) and [`proxy_buffers`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers) directives, a part of the response can be saved to a temporary file. This directive sets the maximum `size` of the temporary file setting the [`proxy_max_temp_file_size`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_max_temp_file_size). The size of data written to the temporary file at a time is set by the [`proxy_temp_file_write_size`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_temp_file_write_size) directive.
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@ -29,9 +29,9 @@ The following table shows a configuration option's name, type, and the default v
 |:--------------------------------------------------------------------------------|:-------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------------------------------------------|
 | [add-headers](#add-headers)                                                     | string       | ""                                                                                                                                                                                                                                                                                                                                                           |                                                                                     |
 | [allow-backend-server-header](#allow-backend-server-header)                     | bool         | "false"                                                                                                                                                                                                                                                                                                                                                      |                                                                                     |
-| [allow-cross-namespace-resources](#allow-cross-namespace-resources)             | bool         | "true"                                                                                                                                                                                                                                                                                                                                                       |                                                                                     |
+| [allow-cross-namespace-resources](#allow-cross-namespace-resources)             | bool         | "false"                                                                                                                                                                                                                                                                                                                                                      |                                                                                     |
 | [allow-snippet-annotations](#allow-snippet-annotations)                         | bool         | "false"                                                                                                                                                                                                                                                                                                                                                      |                                                                                     |
-| [annotations-risk-level](#annotations-risk-level)                               | string       | Critical                                                                                                                                                                                                                                                                                                                                                     |                                                                                     |
+| [annotations-risk-level](#annotations-risk-level)                               | string       | High                                                                                                                                                                                                                                                                                                                                                         |                                                                                     |
 | [annotation-value-word-blocklist](#annotation-value-word-blocklist)             | string array | ""                                                                                                                                                                                                                                                                                                                                                           |                                                                                     |
 | [hide-headers](#hide-headers)                                                   | string array | empty                                                                                                                                                                                                                                                                                                                                                        |                                                                                     |
 | [access-log-params](#access-log-params)                                         | string       | ""                                                                                                                                                                                                                                                                                                                                                           |                                                                                     |
@ -82,7 +82,6 @@ The following table shows a configuration option's name, type, and the default v
 | [server-name-hash-bucket-size](#server-name-hash-bucket-size)                   | int          | `<size of the processor’s cache line>`                                                                                                                                                                                                                                                                                                                       |
 | [proxy-headers-hash-max-size](#proxy-headers-hash-max-size)                     | int          | 512                                                                                                                                                                                                                                                                                                                                                          |                                                                                     |
 | [proxy-headers-hash-bucket-size](#proxy-headers-hash-bucket-size)               | int          | 64                                                                                                                                                                                                                                                                                                                                                           |                                                                                     |
-| [plugins](#plugins)                                                             | []string     |                                                                                                                                                                                                                                                                                                                                                              |                                                                                     |
 | [reuse-port](#reuse-port)                                                       | bool         | "true"                                                                                                                                                                                                                                                                                                                                                       |                                                                                     |
 | [server-tokens](#server-tokens)                                                 | bool         | "false"                                                                                                                                                                                                                                                                                                                                                      |                                                                                     |
 | [ssl-ciphers](#ssl-ciphers)                                                     | string       | "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"                                                                                                                          |                                                                                     |
@ -180,6 +179,7 @@ The following table shows a configuration option's name, type, and the default v
 | [proxy-send-timeout](#proxy-send-timeout)                                       | int          | 60                                                                                                                                                                                                                                                                                                                                                           |                                                                                     |
 | [proxy-buffers-number](#proxy-buffers-number)                                   | int          | 4                                                                                                                                                                                                                                                                                                                                                            |                                                                                     |
 | [proxy-buffer-size](#proxy-buffer-size)                                         | string       | "4k"                                                                                                                                                                                                                                                                                                                                                         |                                                                                     |
+| [proxy-busy-buffers-size](#proxy-busy-buffers-size)                             | string       | "8k"                                                                                                                                                                                                                                                                                                                                                         |                                                                                     |
 | [proxy-cookie-path](#proxy-cookie-path)                                         | string       | "off"                                                                                                                                                                                                                                                                                                                                                        |                                                                                     |
 | [proxy-cookie-domain](#proxy-cookie-domain)                                     | string       | "off"                                                                                                                                                                                                                                                                                                                                                        |                                                                                     |
 | [proxy-next-upstream](#proxy-next-upstream)                                     | string       | "error timeout"                                                                                                                                                                                                                                                                                                                                              |                                                                                     |
@ -219,17 +219,12 @@ The following table shows a configuration option's name, type, and the default v
 | [block-referers](#block-referers)                                               | []string     | ""                                                                                                                                                                                                                                                                                                                                                           |                                                                                     |
 | [proxy-ssl-location-only](#proxy-ssl-location-only)                             | bool         | "false"                                                                                                                                                                                                                                                                                                                                                      |                                                                                     |
 | [default-type](#default-type)                                                   | string       | "text/html"                                                                                                                                                                                                                                                                                                                                                  |                                                                                     |
-| [global-rate-limit-memcached-host](#global-rate-limit)                          | string       | ""                                                                                                                                                                                                                                                                                                                                                           |                                                                                     |
-| [global-rate-limit-memcached-port](#global-rate-limit)                          | int          | 11211                                                                                                                                                                                                                                                                                                                                                        |                                                                                     |
-| [global-rate-limit-memcached-connect-timeout](#global-rate-limit)               | int          | 50                                                                                                                                                                                                                                                                                                                                                           |                                                                                     |
-| [global-rate-limit-memcached-max-idle-timeout](#global-rate-limit)              | int          | 10000                                                                                                                                                                                                                                                                                                                                                        |                                                                                     |
-| [global-rate-limit-memcached-pool-size](#global-rate-limit)                     | int          | 50                                                                                                                                                                                                                                                                                                                                                           |                                                                                     |
-| [global-rate-limit-status-code](#global-rate-limit)                             | int          | 429                                                                                                                                                                                                                                                                                                                                                          |                                                                                     |
 | [service-upstream](#service-upstream)                                           | bool         | "false"                                                                                                                                                                                                                                                                                                                                                      |                                                                                     |
 | [ssl-reject-handshake](#ssl-reject-handshake)                                   | bool         | "false"                                                                                                                                                                                                                                                                                                                                                      |                                                                                     |
 | [debug-connections](#debug-connections)                                         | []string     | "127.0.0.1,1.1.1.1/24"                                                                                                                                                                                                                                                                                                                                       |                                                                                     |
-| [strict-validate-path-type](#strict-validate-path-type)                         | bool         | "false" (v1.7.x)                                                                                                                                                                                                                                                                                                                                             |                                                                                     |
+| [strict-validate-path-type](#strict-validate-path-type)                         | bool         | "true"                                                                                                                                                                                                                                                                                                                                                       |                                                                                     |
 | [grpc-buffer-size-kb](#grpc-buffer-size-kb)                                     | int          | 0                                                                                                                                                                                                                                                                                                                                                            |                                                                                     |
+| [relative-redirects](#relative-redirects)                                       | bool         | false                                                                                                                                                                                                                                                                                                                                                        |                                                                                     |

 ## add-headers

@ -241,18 +236,16 @@ Enables the return of the header Server from the backend instead of the generic

 ## allow-cross-namespace-resources

-Enables users to consume cross namespace resource on annotations, when was previously enabled . _**default:**_ true
+Enables users to consume cross namespace resource on annotations, when was previously enabled . _**default:**_ false

 **Annotations that may be impacted with this change**:
+
 * `auth-secret`
 * `auth-proxy-set-header`
 * `auth-tls-secret`
 * `fastcgi-params-configmap`
 * `proxy-ssl-secret`

-
-**This option will be defaulted to false in the next major release**
-
 ## allow-snippet-annotations

 Enables Ingress to parse and add *-snippet annotations/directives created by the user. _**default:**_ `false`
@ -260,15 +253,13 @@ Enables Ingress to parse and add *-snippet annotations/directives created by the
 Warning: We recommend enabling this option only if you TRUST users with permission to create Ingress objects, as this
 may allow a user to add restricted configurations to the final nginx.conf file

-**This option will be defaulted to false in the next major release**
-
 ## annotations-risk-level

 Represents the risk accepted on an annotation. If the risk is, for instance `Medium`, annotations with risk High and Critical will not be accepted.

 Accepted values are `Critical`, `High`, `Medium` and `Low`.

-Defaults to `Critical` but will be changed to `High` on the next minor release
+_**default:**_ `High`

 ## annotation-value-word-blocklist

@ -612,10 +603,6 @@ _References:_
 - [https://nginx.org/en/docs/hash.html](https://nginx.org/en/docs/hash.html)
 - [https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_headers_hash_bucket_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_headers_hash_bucket_size)

-## plugins
-
-Activates plugins installed in `/etc/nginx/lua/plugins`. Refer to [ingress-nginx plugins README](https://github.com/kubernetes/ingress-nginx/blob/main/rootfs/etc/nginx/lua/plugins/README.md) for more information on how to write and install a plugin.
-
 ## server-tokens

 Send NGINX Server header in responses and display NGINX version in error pages. _**default:**_ is disabled
@ -1123,6 +1110,10 @@ Sets the number of the buffer used for [reading the first part of the response](

 Sets the size of the buffer used for [reading the first part of the response](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) received from the proxied server. This part usually contains a small response header.

+## proxy-busy-buffers-size
+
+[Limits the total size of buffers that can be busy](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_busy_buffers_size) sending a response to the client while the response is not yet fully read.
+
 ## proxy-cookie-path

 Sets a text that [should be changed in the path attribute](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_path) of the “Set-Cookie” header fields of a proxied server response.
@ -1354,22 +1345,6 @@ _**default:**_ text/html
 _References:_
 [https://nginx.org/en/docs/http/ngx_http_core_module.html#default_type](https://nginx.org/en/docs/http/ngx_http_core_module.html#default_type)

-## global-rate-limit
-
-* `global-rate-limit-status-code`: configure HTTP status code to return when rejecting requests. Defaults to 429.
-
-Configure `memcached` client for [Global Rate Limiting](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#global-rate-limiting).
-
-* `global-rate-limit-memcached-host`: IP/FQDN of memcached server to use. Required to enable Global Rate Limiting.
-* `global-rate-limit-memcached-port`: port of memcached server to use. Defaults default memcached port of `11211`.
-* `global-rate-limit-memcached-connect-timeout`: configure timeout for connect, send and receive operations. Unit is millisecond. Defaults to 50ms.
-* `global-rate-limit-memcached-max-idle-timeout`: configure timeout for cleaning idle connections. Unit is millisecond. Defaults to 50ms.
-* `global-rate-limit-memcached-pool-size`: configure number of max connections to keep alive. Make sure your `memcached` server can handle
-`global-rate-limit-memcached-pool-size * worker-processes * <number of ingress-nginx replicas>` simultaneous connections.
-
-These settings get used by [lua-resty-global-throttle](https://github.com/ElvinEfendi/lua-resty-global-throttle)
-that ingress-nginx includes. Refer to the link to learn more about `lua-resty-global-throttle`.
-
 ## service-upstream

 Set if the service's Cluster IP and port should be used instead of a list of all endpoints. This can be overwritten by an annotation on an Ingress rule.
@ -1391,6 +1366,7 @@ _References:_
 [http://nginx.org/en/docs/ngx_core_module.html#debug_connection](http://nginx.org/en/docs/ngx_core_module.html#debug_connection)

 ## strict-validate-path-type
+
 Ingress objects contains a field called pathType that defines the proxy behavior. It can be `Exact`, `Prefix` and `ImplementationSpecific`.

 When pathType is configured as `Exact` or `Prefix`, there should be a more strict validation, allowing only paths starting with "/" and
@ -1404,9 +1380,22 @@ This means that Ingress objects that rely on paths containing regex characters s
 The cluster admin should establish validation rules using mechanisms like [Open Policy Agent](https://www.openpolicyagent.org/) to 
 validate that only authorized users can use `ImplementationSpecific` pathType and that only the authorized characters can be used.

+_**default:**_ "true"
+
 ## grpc-buffer-size-kb

 Sets the configuration for the GRPC Buffer Size parameter. If not set it will use the default from NGINX.

 _References:_
 [https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_buffer_size](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_buffer_size)
+
+## relative-redirects
+
+Use relative redirects instead of absolute redirects. Absolute redirects are the default in nginx. RFC7231 allows relative redirects since 2014.
+Similar to the Ingress rule annotation `nginx.ingress.kubernetes.io/relative-redirects`.
+
+_**default:**_ "false"
+
+_References:_
+- [https://nginx.org/en/docs/http/ngx_http_core_module.html#absolute_redirect](https://nginx.org/en/docs/http/ngx_http_core_module.html#absolute_redirect)
+- [https://datatracker.ietf.org/doc/html/rfc7231#section-7.1.2](https://datatracker.ietf.org/doc/html/rfc7231#section-7.1.2)
--- a/docs/user-guide/third-party-addons/opentelemetry.md
+++ b/docs/user-guide/third-party-addons/opentelemetry.md
@ -147,17 +147,7 @@ graph TB

 To install the example and collectors run:

-1. Enable Ingress addon with:
-
-    ```yaml
-      opentelemetry:
-        enabled: true
-        image: registry.k8s.io/ingress-nginx/opentelemetry-1.25.3:v20240813-b933310d@sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922
-        containerSecurityContext:
-        allowPrivilegeEscalation: false
-    ```
-
-2. Enable OpenTelemetry and set the otlp-collector-host:
+1. Enable OpenTelemetry and set the otlp-collector-host:

    ```yaml
    $ echo '
@ -183,7 +173,7 @@ To install the example and collectors run:
      ' | kubectl replace -f -
    ```

-4. Deploy otel-collector, grafana and Jaeger backend:
+2. Deploy otel-collector, grafana and Jaeger backend:

    ```bash
    # add helm charts needed for grafana and OpenTelemetry collector
@ -218,7 +208,7 @@ To install the example and collectors run:
    make deploy-app
    ```

-5. Make a few requests to the Service:
+4. Make a few requests to the Service:

    ```bash
    kubectl port-forward --namespace=ingress-nginx service/ingress-nginx-controller 8090:80
@ -247,7 +237,7 @@ To install the example and collectors run:
    RawContentLength  : 21
    ```

-6. View the Grafana UI:
+5. View the Grafana UI:

    ```bash
    kubectl port-forward --namespace=observability service/grafana 3000:80
@ -255,7 +245,7 @@ To install the example and collectors run:
    In the Grafana interface we can see the details:
    ![grafana screenshot](../../images/otel-grafana-demo.png "grafana screenshot")

-7. View the Jaeger UI:
+6. View the Jaeger UI:

    ```bash
    kubectl port-forward --namespace=observability service/jaeger-all-in-one-query 16686:16686
@ -263,7 +253,7 @@ To install the example and collectors run:
    In the Jaeger interface we can see the details:
    ![Jaeger screenshot](../../images/otel-jaeger-demo.png "Jaeger screenshot")

-8. View the Zipkin UI:
+7. View the Zipkin UI:

    ```bash
    kubectl port-forward --namespace=observability service/zipkin 9411:9411
--- a/hack/manifest-templates/provider/kind/values.yaml
+++ b/hack/manifest-templates/provider/kind/values.yaml
@ -8,11 +8,9 @@ controller:
    enabled: true
  terminationGracePeriodSeconds: 0
  service:
-    type: NodePort
+    type: LoadBalancer
  watchIngressWithoutClass: true

-  nodeSelector:
-    ingress-ready: "true"
  tolerations:
    - key: "node-role.kubernetes.io/master"
      operator: "Equal"
--- a/hack/verify-lualint.sh
+++ b/hack/verify-lualint.sh
@ -18,6 +18,13 @@ set -o errexit
 set -o nounset
 set -o pipefail

-luacheck --codes -q rootfs/etc/nginx/lua/
+luacheck --codes --globals lua_ingress \
+    --globals configuration \
+    --globals balancer \
+    --globals monitor \
+    --globals certificate \
+    --globals tcp_udp_configuration \
+    --globals tcp_udp_balancer \
+    --no-max-comment-line-length -q rootfs/etc/nginx/lua/

 find rootfs/etc/nginx/lua/ -name "*.lua" -not -path "*/test/*" -exec lj-releng -L -s {} + && echo "lj-releng validation is success!"
--- a/images/nginx/TAG
+++ b/images/nginx/TAG
@ -1 +1 @@
-v0.3.0
+v2.0.0
--- a/images/nginx/rootfs/build.sh
+++ b/images/nginx/rootfs/build.sh
@ -18,23 +18,20 @@ set -o errexit
 set -o nounset
 set -o pipefail

-export NGINX_VERSION=1.25.5
+export NGINX_VERSION=1.27.1

 # Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.3...master
 export NDK_VERSION=v0.3.3

 # Check for recent changes: https://github.com/openresty/set-misc-nginx-module/compare/v0.33...master
-export SETMISC_VERSION=796f5a3e518748eb29a93bd450324e0ad45b704e
+export SETMISC_VERSION=v0.33

 # Check for recent changes: https://github.com/openresty/headers-more-nginx-module/compare/v0.37...master
 export MORE_HEADERS_VERSION=v0.37

-# Check for recent changes: https://github.com/atomx/nginx-http-auth-digest/compare/v1.0.0...atomx:master
+# Check for recent changes: https://github.com/atomx/nginx-http-auth-digest/compare/v1.0.0...master
 export NGINX_DIGEST_AUTH=v1.0.0

-# Check for recent changes: https://github.com/yaoweibin/ngx_http_substitutions_filter_module/compare/v0.6.4...master
-export NGINX_SUBSTITUTIONS=e12e965ac1837ca709709f9a26f572a54d83430e
-
 # Check for recent changes: https://github.com/SpiderLabs/ModSecurity-nginx/compare/v1.0.3...master
 export MODSECURITY_VERSION=v1.0.3

@ -44,65 +41,62 @@ export MODSECURITY_LIB_VERSION=v3.0.13
 # Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v4.10.0...main
 export OWASP_MODSECURITY_CRS_VERSION=v4.10.0

-# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.26``...master
-export LUA_NGX_VERSION=v0.10.26
+# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.27...master
+export LUA_NGX_VERSION=v0.10.27

-# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/bea8a0c0de94cede71554f53818ac0267d675d63...master
-export LUA_STREAM_NGX_VERSION=bea8a0c0de94cede71554f53818ac0267d675d63
+# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/v0.0.15...master
+export LUA_STREAM_NGX_VERSION=v0.0.15

-# Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/8aa93ead98ba2060d4efd594ae33a35d153589bf...master
-export LUA_UPSTREAM_VERSION=542be0893543a4e42d89f6dd85372972f5ff2a36
+# Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/v0.07...master
+export LUA_UPSTREAM_VERSION=v0.07

-# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.13...openresty:master
-export LUA_CJSON_VERSION=2.1.0.13
+# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.14...master
+export LUA_CJSON_VERSION=2.1.0.14

-# Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/a607a41a8115fecfc05b5c283c81532a3d605425...master
-export GEOIP2_VERSION=a607a41a8115fecfc05b5c283c81532a3d605425
+# Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/445df24ef3781e488cee3dfe8a1e111997fc1dfe...master
+export GEOIP2_VERSION=445df24ef3781e488cee3dfe8a1e111997fc1dfe

-# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20240314...v2.1-agentzh
-export LUAJIT_VERSION=v2.1-20240314
+# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20240815...v2.1-agentzh
+export LUAJIT_VERSION=v2.1-20240815

-# Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/1cd4363c0a239afe4765ec607dcfbbb4e5900eea...master
-export LUA_RESTY_BALANCER=1cd4363c0a239afe4765ec607dcfbbb4e5900eea
+# Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/v0.05...master
+export LUA_RESTY_BALANCER=v0.05

-# Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/99e7578465b40f36f596d099b82eab404f2b42ed...master
-export LUA_RESTY_CACHE=99e7578465b40f36f596d099b82eab404f2b42ed
+# Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/v0.15...master
+export LUA_RESTY_CACHE=v0.15

-# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.27...master
-export LUA_RESTY_CORE=v0.1.28
+# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.30...master
+export LUA_RESTY_CORE=v0.1.30

 # Check for recent changes: https://github.com/cloudflare/lua-resty-cookie/compare/f418d77082eaef48331302e84330488fdc810ef4...master
 export LUA_RESTY_COOKIE_VERSION=f418d77082eaef48331302e84330488fdc810ef4

-# Check for recent changes: https://github.com/openresty/lua-resty-dns/compare/8bb53516e2933e61c317db740a9b7c2048847c2f...master
-export LUA_RESTY_DNS=8bb53516e2933e61c317db740a9b7c2048847c2f
+# Check for recent changes: https://github.com/openresty/lua-resty-dns/compare/v0.23...master
+export LUA_RESTY_DNS=v0.23

-# Check for recent changes: https://github.com/ledgetech/lua-resty-http/compare/v0.17.1...master
-export LUA_RESTY_HTTP=v0.17.1
+# Check for recent changes: https://github.com/ledgetech/lua-resty-http/compare/v0.17.2...master
+export LUA_RESTY_HTTP=v0.17.2

 # Check for recent changes: https://github.com/openresty/lua-resty-lock/compare/v0.09...master
-export LUA_RESTY_LOCK=405d0bf4cbfa74d742c6ed3158d442221e6212a9
+export LUA_RESTY_LOCK=v0.09

 # Check for recent changes: https://github.com/openresty/lua-resty-upload/compare/v0.11...master
-export LUA_RESTY_UPLOAD_VERSION=979372cce011f3176af3c9aff53fd0e992c4bfd3
+export LUA_RESTY_UPLOAD_VERSION=v0.11

-# Check for recent changes: https://github.com/openresty/lua-resty-string/compare/v0.15...master
-export LUA_RESTY_STRING_VERSION=6f1bc21d86daef804df3cc34d6427ef68da26844
+# Check for recent changes: https://github.com/openresty/lua-resty-string/compare/v0.16...master
+export LUA_RESTY_STRING_VERSION=v0.16

 # Check for recent changes: https://github.com/openresty/lua-resty-memcached/compare/v0.17...master
-export LUA_RESTY_MEMCACHED_VERSION=2f02b68bf65fa2332cce070674a93a69a6c7239b
+export LUA_RESTY_MEMCACHED_VERSION=v0.17

-# Check for recent changes: https://github.com/openresty/lua-resty-redis/compare/v0.30...master
-export LUA_RESTY_REDIS_VERSION=8641b9f1b6f75cca50c90cf8ca5c502ad8950aa8
+# Check for recent changes: https://github.com/openresty/lua-resty-redis/compare/v0.31...master
+export LUA_RESTY_REDIS_VERSION=v0.31

-# Check for recent changes: https://github.com/api7/lua-resty-ipmatcher/compare/v0.6.1...master
+# Check for recent changes: https://github.com/api7/lua-resty-ipmatcher/compare/3e93c53eb8c9884efe939ef070486a0e507cc5be...master
 export LUA_RESTY_IPMATCHER_VERSION=3e93c53eb8c9884efe939ef070486a0e507cc5be

-# Check for recent changes: https://github.com/ElvinEfendi/lua-resty-global-throttle/compare/v0.2.0...main
-export LUA_RESTY_GLOBAL_THROTTLE_VERSION=v0.2.0
-
-# Check for recent changes: https://github.com/microsoft/mimalloc/compare/v2.1.7...master
-export MIMALOC_VERSION=v2.1.7
+# Check for recent changes: https://github.com/microsoft/mimalloc/compare/v2.1.9...master
+export MIMALOC_VERSION=v2.1.9

 # Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp/compare/v1.18.0...main
 export OPENTELEMETRY_CPP_VERSION=v1.18.0
@ -217,9 +211,6 @@ get_src 0c0d2ced2ce895b3f45eb2b230cd90508ab2a773299f153de14a43e44c1209b3 \
 get_src f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b \
        "https://github.com/atomx/nginx-http-auth-digest/archive/$NGINX_DIGEST_AUTH.tar.gz" "nginx-http-auth-digest"

-get_src a98b48947359166326d58700ccdc27256d2648218072da138ab6b47de47fbd8f \
-        "https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/$NGINX_SUBSTITUTIONS.tar.gz" "ngx_http_substitutions_filter_module"
-
 get_src 32a42256616cc674dca24c8654397390adff15b888b77eb74e0687f023c8751b \
        "https://github.com/SpiderLabs/ModSecurity-nginx/archive/$MODSECURITY_VERSION.tar.gz" "ModSecurity-nginx"

@ -277,9 +268,6 @@ get_src c15aed1a01c88a3a6387d9af67a957dff670357f5fdb4ee182beb44635eef3f1 \
 get_src efb767487ea3f6031577b9b224467ddbda2ad51a41c5867a47582d4ad85d609e \
        "https://github.com/api7/lua-resty-ipmatcher/archive/$LUA_RESTY_IPMATCHER_VERSION.tar.gz" "lua-resty-ipmatcher"

-get_src 0fb790e394510e73fdba1492e576aaec0b8ee9ef08e3e821ce253a07719cf7ea \
-        "https://github.com/ElvinEfendi/lua-resty-global-throttle/archive/$LUA_RESTY_GLOBAL_THROTTLE_VERSION.tar.gz" "lua-resty-global-throttle"
-
 get_src d74f86ada2329016068bc5a243268f1f555edd620b6a7d6ce89295e7d6cf18da \
        "https://github.com/microsoft/mimalloc/archive/${MIMALOC_VERSION}.tar.gz" "mimalloc"

@ -330,8 +318,7 @@ git config --global --add core.compression -1
 cd "$BUILD_PATH"
 git clone --depth=100 https://github.com/google/ngx_brotli.git
 cd ngx_brotli
-# https://github.com/google/ngx_brotli/issues/156
-git reset --hard 63ca02abdcf79c9e788d2eedcc388d2335902e52
+git reset --hard a71f9312c2deb28875acc7bacfdd5695a111aa53
 git submodule init
 git submodule update

@ -496,7 +483,6 @@ WITH_MODULES=" \
  --add-module=$BUILD_PATH/ngx_devel_kit \
  --add-module=$BUILD_PATH/set-misc-nginx-module \
  --add-module=$BUILD_PATH/headers-more-nginx-module \
-  --add-module=$BUILD_PATH/ngx_http_substitutions_filter_module \
  --add-module=$BUILD_PATH/lua-nginx-module \
  --add-module=$BUILD_PATH/stream-lua-nginx-module \
  --add-module=$BUILD_PATH/lua-upstream-nginx-module \
@ -608,9 +594,6 @@ make install
 cd "$BUILD_PATH/lua-resty-ipmatcher"
 INST_LUADIR=/usr/local/lib/lua make install

-cd "$BUILD_PATH/lua-resty-global-throttle"
-make install
-
 cd "$BUILD_PATH/mimalloc"
 mkdir -p out/release
 cd out/release
--- a/images/nginx/rootfs/patches/01_nginx-1.27.1-win32_max_err_str.patch
+++ b/images/nginx/rootfs/patches/01_nginx-1.27.1-win32_max_err_str.patch
--- a/images/nginx/rootfs/patches/02_nginx-1.27.1-stream_balancer_export.patch
+++ b/images/nginx/rootfs/patches/02_nginx-1.27.1-stream_balancer_export.patch
--- a/images/nginx/rootfs/patches/03_nginx-1.27.1-stream_proxy_get_next_upstream_tries.patch
+++ b/images/nginx/rootfs/patches/03_nginx-1.27.1-stream_proxy_get_next_upstream_tries.patch
--- a/images/nginx/rootfs/patches/04_nginx-1.27.1-stream_proxy_timeout_fields.patch
+++ b/images/nginx/rootfs/patches/04_nginx-1.27.1-stream_proxy_timeout_fields.patch
@ -1,6 +1,6 @@
-diff -u -r -p -Naur nginx-1.25.3/src/stream/ngx_stream.h nginx-1.25.3-patched/src/stream/ngx_stream.h
--- nginx-1.25.3/src/stream/ngx_stream.h	2021-11-04 21:27:55.288708527 +0800
-+++ nginx-1.25.3-patched/src/stream/ngx_stream.h	2021-11-04 21:28:50.768035209 +0800
+diff -u -r -p -Naur nginx-1.27.1/src/stream/ngx_stream.h nginx-1.27.1-patched/src/stream/ngx_stream.h
+--- nginx-1.27.1/src/stream/ngx_stream.h	2021-11-04 21:27:55.288708527 +0800
+++ nginx-1.27.1-patched/src/stream/ngx_stream.h	2021-11-04 21:28:50.768035209 +0800
@@ -254,6 +254,15 @@ typedef struct {
 } ngx_stream_module_t;
 
@ -25,9 +25,9 @@ diff -u -r -p -Naur nginx-1.25.3/src/stream/ngx_stream.h nginx-1.25.3-patched/sr
 
 
 typedef ngx_int_t (*ngx_stream_filter_pt)(ngx_stream_session_t *s,
-diff -u -r -p -Naur nginx-1.25.3/src/stream/ngx_stream_proxy_module.c nginx-1.25.3-patched/src/stream/ngx_stream_proxy_module.c
--- nginx-1.25.3/src/stream/ngx_stream_proxy_module.c	2021-11-04 21:27:55.289708533 +0800
-+++ nginx-1.25.3-patched/src/stream/ngx_stream_proxy_module.c	2021-11-04 21:37:03.578936990 +0800
+diff -u -r -p -Naur nginx-1.27.1/src/stream/ngx_stream_proxy_module.c nginx-1.27.1-patched/src/stream/ngx_stream_proxy_module.c
+--- nginx-1.27.1/src/stream/ngx_stream_proxy_module.c	2021-11-04 21:27:55.289708533 +0800
+++ nginx-1.27.1-patched/src/stream/ngx_stream_proxy_module.c	2021-11-04 21:37:03.578936990 +0800
@@ -400,6 +400,7 @@ ngx_stream_proxy_handler(ngx_stream_sess
     ngx_stream_proxy_srv_conf_t      *pscf;
     ngx_stream_upstream_srv_conf_t   *uscf, **uscfp;
--- a/Show more
+++ b/Show more