Bump github.com/spf13/cobra from 1.8.1 to 1.9.1 (#12859)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

NGINX_BASE

@@ -1 +1 @@
-registry.k8s.io/ingress-nginx/nginx:v1.2.0@sha256:c4b3f79fb88eab2ac03bde5c6b8340ffad941e0fce0eaa797e98481683b3b5aa
+registry.k8s.io/ingress-nginx/nginx:v2.0.0@sha256:3e7bda4cf5111d283ed1e4ff5cc9a2b5cdc5ebe62d50ba67473d3e25b1389133

README.md

@@ -41,9 +41,13 @@ the versions listed. Ingress-Nginx versions **may** work on older versions, but
 | :-------: | --------------------- | ----------------------------- | -------------- | ------------- | ------------------ |
 |    🔄     | **v1.12.0**           | 1.32, 1.31, 1.30, 1.29, 1.28  | 3.21.0         | 1.25.5        | 4.12.0             |
 |    🔄     | **v1.12.0-beta.0**    | 1.32, 1.31, 1.30, 1.29, 1.28  | 3.20.3         | 1.25.5        | 4.12.0-beta.0      |
+|    🔄     | **v1.11.4**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.21.0         | 1.25.5        | 4.11.4             |
+|    🔄     | **v1.11.3**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.3         | 1.25.5        | 4.11.3             |
 |    🔄     | **v1.11.2**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.11.2             |
 |    🔄     | **v1.11.1**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.11.1             |
 |    🔄     | **v1.11.0**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.11.0             |
+|           | **v1.10.6**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.21.0         | 1.25.5        | 4.10.6             |
+|           | **v1.10.5**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.3         | 1.25.5        | 4.10.5             |
 |           | **v1.10.4**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.10.4             |
 |           | **v1.10.3**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.10.3             |
 |           | **v1.10.2**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.10.2             |

TAG

@@ -1 +0,0 @@
-v1.12.0

build/run-in-docker.sh

@@ -41,7 +41,7 @@ function cleanup {
 }
 trap cleanup EXIT
 
-E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20250112-01b7af21@sha256:f77bb4625985462fe1a2bc846c430d668113abc90e5e5de6b4533403f56a048c}
+E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20250112-a188f4eb@sha256:043038b1e30e5a0b64f3f919f096c5c9488ac3f617ac094b07fb9db8215f9441}
 
 if [[ "$RUNTIME" == podman ]]; then
   # Podman does not support both tag and digest

changelog/controller-1.10.5.md

@@ -0,0 +1,90 @@
+# Changelog
+
+### controller-v1.10.5
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.5@sha256:c84d11b1f7bd14ebbf49918a7f0dc01b31c0c6e757e0129520ea93453096315c
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.5@sha256:030a43bdd5f0212a7e135cc4da76b15a6706ef65a6824eb4cc401f87a81c2987
+
+### All changes:
+
+* Images: Trigger controller build. (#12133)
+* Tests & Docs: Bump `e2e-test-echo` to v1.0.1. (#12146)
+* Images: Trigger `e2e-test-echo` build. (#12142)
+* Images: Drop `s390x`. (#12139)
+* Images: Build `s390x` controller. (#12128)
+* Chart: Bump Kube Webhook CertGen. (#12122)
+* Tests & Docs: Bump images. (#12120)
+* Cloud Build: Bump `gcb-docker-gcloud` to v20240718-5ef92b5c36. (#12116)
+* Images: Trigger other builds. (#12111)
+* Tests: Bump `e2e-test-runner` to v20241004-114a6abb. (#12104)
+* Images: Trigger `test-runner` build. (#12101)
+* Docs: Add a multi-tenant warning. (#12098)
+* Go: Bump to v1.22.8. (#12093)
+* Images: Bump `NGINX_BASE` to v0.1.0. (#12079)
+* Images: Trigger NGINX build. (#12077)
+* Images: Remove NGINX v1.21. (#12057)
+* GitHub: Improve Dependabot. (#12037)
+* Chart: Improve CI. (#12029)
+* Chart: Extend image tests. (#12026)
+* Docs: Add health check annotations for AWS. (#12021)
+* Docs: Convert `opentelemetry.md` from CRLF to LF. (#12007)
+* Chart: Test `controller.minAvailable` & `controller.maxUnavailable`. (#12001)
+* Chart: Align default backend `PodDisruptionBudget`. (#11998)
+* Metrics: Fix namespace in `nginx_ingress_controller_ssl_expire_time_seconds`. (#11985)
+* Chart: Improve default backend service account. (#11973)
+* Go: Bump to v1.22.7. (#11969)
+* Images: Bump OpenTelemetry C++ Contrib. (#11950)
+* Docs: Add note about `--watch-namespace`. (#11948)
+* Images: Use latest Alpine 3.20 everywhere. (#11945)
+* Fix minor typos (#11940)
+* Chart: Implement `controller.admissionWebhooks.service.servicePort`. (#11933)
+* Tests: Bump `e2e-test-runner` to v20240829-2c421762. (#11920)
+* Images: Trigger `test-runner` build. (#11918)
+* Chart: Add tests for `PrometheusRule` & `ServiceMonitor`. (#11888)
+* Annotations: Allow commas in URLs. (#11886)
+* CI: Grant checks write permissions to E2E Test Report. (#11884)
+* Update maxmind post link about geolite2 license changes (#11880)
+* Go: Sync `go.work.sum`. (#11876)
+* Replace deprecated queue method (#11858)
+* Auto-generate annotation docs (#11835)
+
+### Dependency updates:
+
+* Bump the actions group with 3 updates (#12150)
+* Bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#12108)
+* Bump the actions group with 3 updates (#12096)
+* Bump sigs.k8s.io/mdtoc from 1.1.0 to 1.4.0 (#12088)
+* Bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#12086)
+* Bump google.golang.org/grpc from 1.67.0 to 1.67.1 in the go group across 1 directory (#12084)
+* Bump k8s.io/cli-runtime from 0.30.0 to 0.31.1 (#12082)
+* Bump github/codeql-action from 3.26.9 to 3.26.10 in the actions group (#12054)
+* Bump the go group across 1 directory with 3 updates (#12052)
+* Bump k8s.io/kube-aggregator from 0.29.3 to 0.31.1 in /images/kube-webhook-certgen/rootfs (#12048)
+* Bump k8s.io/apimachinery from 0.23.1 to 0.31.1 in /images/ext-auth-example-authsvc/rootfs (#12044)
+* Bump github.com/prometheus/client_golang from 1.11.1 to 1.20.4 in /images/custom-error-pages/rootfs (#12045)
+* Bump the all group with 2 updates (#12035)
+* Bump github/codeql-action from 3.26.7 to 3.26.8 in the all group (#12015)
+* Bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#12013)
+* Bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group (#12011)
+* Bump the all group with 2 updates (#11979)
+* Bump github/codeql-action from 3.26.6 to 3.26.7 in the all group (#11978)
+* Bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#11960)
+* Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (#11959)
+* Bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group (#11956)
+* Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#11929)
+* Bump the all group with 2 updates (#11924)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.20.2 in the all group (#11912)
+* Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#11907)
+* Bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#11906)
+* Bump github/codeql-action from 3.26.5 to 3.26.6 in the all group (#11905)
+* Bump the all group with 2 updates (#11870)
+* Bump github/codeql-action from 3.26.2 to 3.26.5 in the all group (#11869)
+* Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 (#11848)
+* Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.0 (#11847)
+* Bump dario.cat/mergo from 1.0.0 to 1.0.1 in the all group (#11846)
+* Bump k8s.io/component-base from 0.30.3 to 0.31.0 (#11841)
+* Bump github/codeql-action from 3.26.0 to 3.26.2 in the all group (#11833)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.4...controller-v1.10.5

changelog/controller-1.10.6.md

@@ -0,0 +1,92 @@
+# Changelog
+
+### controller-v1.10.6
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.6@sha256:b6fbd102255edb3ba8e5421feebe14fd3e94cf53d199af9e40687f536152189c
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.6@sha256:44ceedafc0e04a75521b5d472c1b6b5cc08afb8038b5bbfd79c21d066ccf300e
+
+### All changes:
+
+* Images: Trigger controller build. (#12611)
+* Chart: Bump Kube Webhook CertGen. (#12608)
+* Tests & Docs: Bump images. (#12605)
+* Images: Trigger other builds (2/2). (#12598)
+* Images: Trigger other builds (1/2). (#12597)
+* Tests: Bump `e2e-test-runner` to v20241224-68ed4e7b. (#12592)
+* Images: Trigger `test-runner` build. (#12586)
+* Images: Bump `NGINX_BASE` to v0.2.0. (#12584)
+* Images: Trigger NGINX build. (#12578)
+* Go: Clean `go.work.sum`. (#12575)
+* Repository: Update owners. (#12570)
+* Images: Bump `gcb-docker-gcloud` to v20241217-ff46a068cd. (#12563)
+* CI: Update KIND images. (#12559)
+* Images: Bump Alpine to v3.21. (#12530)
+* Docs: Add guide on how to set a Maintenance Page. (#12527)
+* rikatz is stepping down (#12518)
+* rikatz is stepping down (#12497)
+* Go: Bump to v1.23.4. (#12485)
+* Plugin: Bump `goreleaser` to v2. (#12442)
+* GitHub: Fix `exec` in issue template. (#12389)
+* CI: Update KIND images. (#12368)
+* Images: Bump `gcb-docker-gcloud` to v20241110-72bb0b1665. (#12341)
+* Go: Bump to v1.23.3. (#12339)
+* Auth TLS: Add `_` to redirect RegEx. (#12328)
+* Auth TLS: Improve redirect RegEx. (#12321)
+* Tests: Bump `e2e-test-runner` to v20241104-02a3933e. (#12314)
+* Images: Trigger `test-runner` build. (#12307)
+* Config: Fix panic on invalid `lua-shared-dict`. (#12282)
+* Docs: fix limit-rate-after references (#12280)
+* Chart: Rework ServiceMonitor. (#12268)
+* Chart: Add ServiceAccount tests. (#12266)
+* CI: Fix chart testing. (#12260)
+* [fix] fix nginx temp configs cleanup (#12224)
+* Chart: Suggest `matchLabelKeys` in Topology Spread Constraints. (#12204)
+* Docs: Add Pod Security Admission. (#12198)
+* Docs: Clarify external & service port in TCP/UDP services explanation. (#12194)
+
+### Dependency updates:
+
+* Bump k8s.io/apiextensions-apiserver from 0.31.3 to 0.32.0 (#12565)
+* Bump github.com/onsi/ginkgo/v2 from 2.22.0 to 2.22.1 (#12557)
+* Bump k8s.io/code-generator from 0.31.3 to 0.32.0 (#12552)
+* Bump k8s.io/cli-runtime from 0.31.3 to 0.32.0 (#12549)
+* Bump k8s.io/apiserver from 0.31.3 to 0.32.0 (#12546)
+* Bump the actions group with 2 updates (#12543)
+* Bump google.golang.org/grpc from 1.68.1 to 1.69.2 (#12540)
+* Bump k8s.io/client-go from 0.31.3 to 0.32.0 (#12514)
+* Bump github.com/opencontainers/runc from 1.2.2 to 1.2.3 in the go group across 1 directory (#12511)
+* Bump the actions group with 3 updates (#12508)
+* Bump k8s.io/kube-aggregator from 0.31.3 to 0.32.0 in /images/kube-webhook-certgen/rootfs (#12504)
+* Bump k8s.io/apimachinery from 0.31.3 to 0.32.0 in /images/ext-auth-example-authsvc/rootfs (#12501)
+* Bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#12478)
+* Bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /magefiles (#12473)
+* Bump github.com/prometheus/common from 0.60.1 to 0.61.0 (#12466)
+* Bump github/codeql-action from 3.27.5 to 3.27.6 in the actions group (#12463)
+* Bump the go group across 1 directory with 2 updates (#12459)
+* Bump github.com/onsi/ginkgo/v2 from 2.21.0 to 2.22.0 (#12425)
+* Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#12416)
+* Bump the go group across 3 directories with 10 updates (#12414)
+* Bump the actions group with 3 updates (#12410)
+* Bump github.com/opencontainers/runc from 1.2.1 to 1.2.2 in the go group across 1 directory (#12382)
+* Bump github/codeql-action from 3.27.1 to 3.27.4 in the actions group (#12375)
+* Bump golangci-lint on actions and disable deprecated linters (#12363)
+* Bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#12356)
+* Bump the actions group with 3 updates (#12353)
+* Bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#12351)
+* Bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 (#12297)
+* Bump github.com/opencontainers/runc from 1.2.0 to 1.2.1 in the go group across 1 directory (#12294)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.2 to 2.21.0 (#12290)
+* Bump actions/dependency-review-action from 4.3.5 to 4.4.0 in the actions group (#12275)
+* Bump the go group across 3 directories with 11 updates (#12246)
+* Bump github.com/opencontainers/runc from 1.1.15 to 1.2.0 (#12241)
+* Bump the actions group with 5 updates (#12243)
+* Bump github.com/ncabatoff/process-exporter from 0.8.3 to 0.8.4 in the go group across 1 directory (#12219)
+* Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 in the actions group (#12215)
+* Bump github/codeql-action from 3.26.12 to 3.26.13 in the actions group (#12191)
+* Bump the go group across 2 directories with 1 update (#12189)
+* Bump the actions group with 2 updates (#12185)
+* Bump github.com/opencontainers/runc from 1.1.14 to 1.1.15 in the go group across 1 directory (#12184)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.5...controller-v1.10.6

changelog/controller-1.11.3.md

@@ -0,0 +1,91 @@
+# Changelog
+
+### controller-v1.11.3
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:d56f135b6462cfc476447cfe564b83a45e8bb7da2774963b00d12161112270b7
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.3@sha256:22701f0fc0f2dd209ef782f4e281bfe2d8cccd50ededa00aec88e0cdbe7edd14
+
+### All changes:
+
+* Images: Trigger controller build. (#12134)
+* Tests & Docs: Bump `e2e-test-echo` to v1.0.1. (#12145)
+* Images: Trigger `e2e-test-echo` build. (#12141)
+* Images: Drop `s390x`. (#12138)
+* Images: Build `s390x` controller. (#12127)
+* Chart: Bump Kube Webhook CertGen. (#12123)
+* Tests & Docs: Bump images. (#12121)
+* Cloud Build: Bump `gcb-docker-gcloud` to v20240718-5ef92b5c36. (#12117)
+* Images: Trigger other builds. (#12112)
+* Tests: Bump `e2e-test-runner` to v20241004-114a6abb. (#12105)
+* Images: Trigger `test-runner` build. (#12102)
+* Docs: Add a multi-tenant warning. (#12099)
+* Go: Bump to v1.22.8. (#12094)
+* Images: Bump `NGINX_BASE` to v0.1.0. (#12080)
+* Images: Trigger NGINX build. (#12076)
+* Images: Remove NGINX v1.21. (#12058)
+* GitHub: Improve Dependabot. (#12038)
+* Chart: Improve CI. (#12030)
+* Chart: Extend image tests. (#12027)
+* Docs: Add health check annotations for AWS. (#12020)
+* Docs: Convert `opentelemetry.md` from CRLF to LF. (#12006)
+* Chart: Test `controller.minAvailable` & `controller.maxUnavailable`. (#12002)
+* Chart: Align default backend `PodDisruptionBudget`. (#11999)
+* Metrics: Fix namespace in `nginx_ingress_controller_ssl_expire_time_seconds`. (#11986)
+* Chart: Improve default backend service account. (#11974)
+* Go: Bump to v1.22.7. (#11970)
+* Images: Bump OpenTelemetry C++ Contrib. (#11951)
+* Docs: Add note about `--watch-namespace`. (#11949)
+* Images: Use latest Alpine 3.20 everywhere. (#11946)
+* Fix minor typos (#11941)
+* Chart: Implement `controller.admissionWebhooks.service.servicePort`. (#11934)
+* Tests: Bump `e2e-test-runner` to v20240829-2c421762. (#11921)
+* Images: Trigger `test-runner` build. (#11917)
+* Chart: Add tests for `PrometheusRule` & `ServiceMonitor`. (#11889)
+* Annotations: Allow commas in URLs. (#11887)
+* CI: Grant checks write permissions to E2E Test Report. (#11885)
+* Chart: Use generic values for `ConfigMap` test. (#11879)
+* Update maxmind post link about geolite2 license changes (#11881)
+* Go: Sync `go.work.sum`. (#11875)
+* Replace deprecated queue method (#11859)
+* Auto-generate annotation docs (#11831)
+
+### Dependency updates:
+
+* Bump the actions group with 3 updates (#12149)
+* Bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#12109)
+* Bump the actions group with 3 updates (#12097)
+* Bump sigs.k8s.io/mdtoc from 1.1.0 to 1.4.0 (#12089)
+* Bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#12087)
+* Bump google.golang.org/grpc from 1.67.0 to 1.67.1 in the go group across 1 directory (#12085)
+* Bump k8s.io/cli-runtime from 0.30.0 to 0.31.1 (#12083)
+* Bump github/codeql-action from 3.26.9 to 3.26.10 in the actions group (#12055)
+* Bump the go group across 1 directory with 3 updates (#12053)
+* Bump k8s.io/kube-aggregator from 0.29.3 to 0.31.1 in /images/kube-webhook-certgen/rootfs (#12049)
+* Bump k8s.io/apimachinery from 0.23.1 to 0.31.1 in /images/ext-auth-example-authsvc/rootfs (#12047)
+* Bump github.com/prometheus/client_golang from 1.11.1 to 1.20.4 in /images/custom-error-pages/rootfs (#12046)
+* Bump the all group with 2 updates (#12036)
+* Bump github/codeql-action from 3.26.7 to 3.26.8 in the all group (#12016)
+* Bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#12014)
+* Bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group (#12012)
+* Bump the all group with 2 updates (#11981)
+* Bump github/codeql-action from 3.26.6 to 3.26.7 in the all group (#11980)
+* Bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#11961)
+* Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (#11958)
+* Bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group (#11957)
+* Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#11930)
+* Bump the all group with 2 updates (#11925)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.20.2 in the all group (#11913)
+* Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#11910)
+* Bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#11909)
+* Bump github/codeql-action from 3.26.5 to 3.26.6 in the all group (#11908)
+* Bump the all group with 2 updates (#11871)
+* Bump github/codeql-action from 3.26.2 to 3.26.5 in the all group (#11868)
+* Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 (#11840)
+* Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.0 (#11839)
+* Bump dario.cat/mergo from 1.0.0 to 1.0.1 in the all group (#11837)
+* Bump k8s.io/component-base from 0.30.3 to 0.31.0 (#11836)
+* Bump github/codeql-action from 3.26.0 to 3.26.2 in the all group (#11834)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.2...controller-v1.11.3

changelog/controller-1.11.4.md

@@ -0,0 +1,94 @@
+# Changelog
+
+### controller-v1.11.4
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.4@sha256:f29d0f9e7a9ef4947eda59ed0c09ec13380b13639d1518cf1ab8ec09c3e22ef8
+
+### All changes:
+
+* Images: Trigger controller build. (#12610)
+* Chart: Bump Kube Webhook CertGen. (#12607)
+* Tests & Docs: Bump images. (#12604)
+* Images: Trigger other builds (2/2). (#12600)
+* Images: Trigger other builds (1/2). (#12596)
+* Tests: Bump `e2e-test-runner` to v20241224-68ed4e7b. (#12591)
+* Images: Trigger `test-runner` build. (#12588)
+* Images: Bump `NGINX_BASE` to v0.2.0. (#12583)
+* Images: Trigger NGINX build. (#12577)
+* Go: Clean `go.work.sum`. (#12574)
+* Repository: Update owners. (#12569)
+* Images: Bump `gcb-docker-gcloud` to v20241217-ff46a068cd. (#12562)
+* CI: Update KIND images. (#12558)
+* Images: Bump Alpine to v3.21. (#12529)
+* Docs: Add guide on how to set a Maintenance Page. (#12526)
+* rikatz is stepping down (#12517)
+* rikatz is stepping down (#12495)
+* Go: Bump to v1.23.4. (#12484)
+* Plugin: Bump `goreleaser` to v2. (#12441)
+* GitHub: Fix `exec` in issue template. (#12388)
+* CI: Update KIND images. (#12365)
+* Images: Bump `gcb-docker-gcloud` to v20241110-72bb0b1665. (#12343)
+* Go: Bump to v1.23.3. (#12338)
+* Auth TLS: Add `_` to redirect RegEx. (#12327)
+* Auth TLS: Improve redirect RegEx. (#12322)
+* Update custom headers annotation documentation (#12319)
+* Tests: Bump `e2e-test-runner` to v20241104-02a3933e. (#12313)
+* Images: Trigger `test-runner` build. (#12306)
+* Config: Fix panic on invalid `lua-shared-dict`. (#12284)
+* Docs: fix limit-rate-after references (#12279)
+* Chart: Rework ServiceMonitor. (#12270)
+* Chart: Add ServiceAccount tests. (#12264)
+* CI: Fix chart testing. (#12259)
+* [fix] fix nginx temp configs cleanup (#12223)
+* Chart: Suggest `matchLabelKeys` in Topology Spread Constraints. (#12203)
+* Docs: Add Pod Security Admission. (#12197)
+* Docs: Clarify external & service port in TCP/UDP services explanation. (#12193)
+* Docs: Goodbye, v1.10. (#12159)
+
+### Dependency updates:
+
+* Bump k8s.io/apiextensions-apiserver from 0.31.3 to 0.32.0 (#12567)
+* Bump github.com/onsi/ginkgo/v2 from 2.22.0 to 2.22.1 (#12556)
+* Bump k8s.io/code-generator from 0.31.3 to 0.32.0 (#12551)
+* Bump k8s.io/cli-runtime from 0.31.3 to 0.32.0 (#12548)
+* Bump k8s.io/apiserver from 0.31.3 to 0.32.0 (#12545)
+* Bump the actions group with 2 updates (#12542)
+* Bump google.golang.org/grpc from 1.68.1 to 1.69.2 (#12539)
+* Bump k8s.io/client-go from 0.31.3 to 0.32.0 (#12513)
+* Bump github.com/opencontainers/runc from 1.2.2 to 1.2.3 in the go group across 1 directory (#12510)
+* Bump the actions group with 3 updates (#12507)
+* Bump k8s.io/kube-aggregator from 0.31.3 to 0.32.0 in /images/kube-webhook-certgen/rootfs (#12503)
+* Bump k8s.io/apimachinery from 0.31.3 to 0.32.0 in /images/ext-auth-example-authsvc/rootfs (#12500)
+* Bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#12477)
+* Bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /magefiles (#12475)
+* Bump github.com/prometheus/common from 0.60.1 to 0.61.0 (#12465)
+* Bump github/codeql-action from 3.27.5 to 3.27.6 in the actions group (#12462)
+* Bump the go group across 1 directory with 2 updates (#12458)
+* Bump github.com/onsi/ginkgo/v2 from 2.21.0 to 2.22.0 (#12427)
+* Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#12417)
+* Bump the go group across 3 directories with 10 updates (#12415)
+* Bump the actions group with 3 updates (#12411)
+* Bump github.com/opencontainers/runc from 1.2.1 to 1.2.2 in the go group across 1 directory (#12381)
+* Bump github/codeql-action from 3.27.1 to 3.27.4 in the actions group (#12374)
+* Bump golangci-lint on actions and disable deprecated linters (#12362)
+* Bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#12355)
+* Bump the actions group with 3 updates (#12352)
+* Bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#12350)
+* Bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 (#12298)
+* Bump github.com/opencontainers/runc from 1.2.0 to 1.2.1 in the go group across 1 directory (#12295)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.2 to 2.21.0 (#12289)
+* Bump actions/dependency-review-action from 4.3.5 to 4.4.0 in the actions group (#12274)
+* Bump the go group across 3 directories with 11 updates (#12245)
+* Bump github.com/opencontainers/runc from 1.1.15 to 1.2.0 (#12239)
+* Bump the actions group with 5 updates (#12240)
+* Bump github.com/ncabatoff/process-exporter from 0.8.3 to 0.8.4 in the go group across 1 directory (#12220)
+* Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 in the actions group (#12216)
+* Bump github/codeql-action from 3.26.12 to 3.26.13 in the actions group (#12190)
+* Bump the go group across 2 directories with 1 update (#12187)
+* Bump the actions group with 2 updates (#12181)
+* Bump github.com/opencontainers/runc from 1.1.14 to 1.1.15 in the go group across 1 directory (#12179)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.3...controller-v1.11.4

charts/ingress-nginx/README.md

@@ -399,12 +399,17 @@ metadata:
 | controller.metrics.serviceMonitor.additionalLabels | object | `{}` |  |
 | controller.metrics.serviceMonitor.annotations | object | `{}` | Annotations to be added to the ServiceMonitor. |
 | controller.metrics.serviceMonitor.enabled | bool | `false` |  |
+| controller.metrics.serviceMonitor.labelLimit | int | `0` | Per-scrape limit on number of labels that will be accepted for a sample. |
+| controller.metrics.serviceMonitor.labelNameLengthLimit | int | `0` | Per-scrape limit on length of labels name that will be accepted for a sample. |
+| controller.metrics.serviceMonitor.labelValueLengthLimit | int | `0` | Per-scrape limit on length of labels value that will be accepted for a sample. |
 | controller.metrics.serviceMonitor.metricRelabelings | list | `[]` |  |
 | controller.metrics.serviceMonitor.namespace | string | `""` |  |
 | controller.metrics.serviceMonitor.namespaceSelector | object | `{}` |  |
 | controller.metrics.serviceMonitor.relabelings | list | `[]` |  |
+| controller.metrics.serviceMonitor.sampleLimit | int | `0` | Defines a per-scrape limit on the number of scraped samples that will be accepted. |
 | controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` |  |
 | controller.metrics.serviceMonitor.targetLabels | list | `[]` |  |
+| controller.metrics.serviceMonitor.targetLimit | int | `0` | Defines a limit on the number of scraped targets that will be accepted. |
 | controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. |
 | controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
 | controller.name | string | `"controller"` |  |
@@ -437,20 +442,24 @@ metadata:
 | controller.service.annotations | object | `{}` | Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service. |
 | controller.service.appProtocol | bool | `true` | Declare the app protocol of the external HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol |
 | controller.service.clusterIP | string | `""` | Pre-defined cluster internal IP address of the external controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
+| controller.service.clusterIPs | list | `[]` | Pre-defined cluster internal IP addresses of the external controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
 | controller.service.enableHttp | bool | `true` | Enable the HTTP listener on both controller services or not. |
 | controller.service.enableHttps | bool | `true` | Enable the HTTPS listener on both controller services or not. |
 | controller.service.enabled | bool | `true` | Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service. |
 | controller.service.external.enabled | bool | `true` | Enable the external controller service or not. Useful for internal-only deployments. |
+| controller.service.external.labels | object | `{}` | Labels to be added to the external controller service. |
 | controller.service.externalIPs | list | `[]` | List of node IP addresses at which the external controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips |
 | controller.service.externalTrafficPolicy | string | `""` | External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
 | controller.service.internal.annotations | object | `{}` | Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer |
 | controller.service.internal.appProtocol | bool | `true` | Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol |
 | controller.service.internal.clusterIP | string | `""` | Pre-defined cluster internal IP address of the internal controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
+| controller.service.internal.clusterIPs | list | `[]` | Pre-defined cluster internal IP addresses of the internal controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
 | controller.service.internal.enabled | bool | `false` | Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this. |
 | controller.service.internal.externalIPs | list | `[]` | List of node IP addresses at which the internal controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips |
 | controller.service.internal.externalTrafficPolicy | string | `""` | External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
 | controller.service.internal.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
 | controller.service.internal.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
+| controller.service.internal.labels | object | `{}` | Labels to be added to the internal controller service. |
 | controller.service.internal.loadBalancerClass | string | `""` | Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class |
 | controller.service.internal.loadBalancerIP | string | `""` | Deprecated: Pre-defined IP address of the internal controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer |
 | controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access to the internal controller service. Values must be CIDRs. Allows any source address by default. |
@@ -461,6 +470,7 @@ metadata:
 | controller.service.internal.ports | object | `{}` |  |
 | controller.service.internal.sessionAffinity | string | `""` | Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity |
 | controller.service.internal.targetPorts | object | `{}` |  |
+| controller.service.internal.trafficDistribution | string | `""` | Traffic distribution policy of the internal controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution |
 | controller.service.internal.type | string | `""` | Type of the internal controller service. Defaults to the value of `controller.service.type`. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
 | controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
 | controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
@@ -477,6 +487,7 @@ metadata:
 | controller.service.sessionAffinity | string | `""` | Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity |
 | controller.service.targetPorts.http | string | `"http"` | Port of the ingress controller the external HTTP listener is mapped to. |
 | controller.service.targetPorts.https | string | `"https"` | Port of the ingress controller the external HTTPS listener is mapped to. |
+| controller.service.trafficDistribution | string | `""` | Traffic distribution policy of the external controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution |
 | controller.service.type | string | `"LoadBalancer"` | Type of the external controller service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
 | controller.shareProcessNamespace | bool | `false` |  |
 | controller.sysctls | object | `{}` | sysctls for controller pods # Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ |
@@ -537,6 +548,7 @@ metadata:
 | defaultBackend.replicaCount | int | `1` |  |
 | defaultBackend.resources | object | `{}` |  |
 | defaultBackend.service.annotations | object | `{}` |  |
+| defaultBackend.service.clusterIPs | list | `[]` | Pre-defined cluster internal IP addresses of the default backend service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
 | defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
 | defaultBackend.service.loadBalancerSourceRanges | list | `[]` |  |
 | defaultBackend.service.servicePort | int | `80` |  |

charts/ingress-nginx/changelog/helm-chart-4.10.5.md

@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.10.5
+
+* Update Ingress-Nginx version controller-v1.10.5
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.4...helm-chart-4.10.5

charts/ingress-nginx/changelog/helm-chart-4.10.6.md

@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.10.6
+
+* CI: Fix chart testing. (#12260)
+* Update Ingress-Nginx version controller-v1.10.6
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.5...helm-chart-4.10.6

charts/ingress-nginx/changelog/helm-chart-4.11.3.md

@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.11.3
+
+* Update Ingress-Nginx version controller-v1.11.3
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.2...helm-chart-4.11.3

charts/ingress-nginx/changelog/helm-chart-4.11.4.md

@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.11.4
+
+* CI: Fix chart testing. (#12259)
+* Update Ingress-Nginx version controller-v1.11.4
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.3...helm-chart-4.11.4

charts/ingress-nginx/ci/controller-service-internal-values.yaml

@@ -9,5 +9,7 @@ controller:
 
     internal:
       enabled: true
+      labels:
+        external-dns.alpha.kubernetes.io/hostname: internal.example.com
       annotations:
         service.beta.kubernetes.io/aws-load-balancer-internal: "true"

charts/ingress-nginx/ci/controller-service-values.yaml

@@ -7,6 +7,10 @@ controller:
   service:
     type: NodePort
 
+    external:
+      labels:
+        external-dns.alpha.kubernetes.io/hostname: external.example.com
+
     nodePorts:
       tcp:
         9000: 30090

charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml

@@ -67,6 +67,7 @@ spec:
           {{- end }}
       restartPolicy: OnFailure
       serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken }}
     {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
       nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
     {{- end }}

charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml

@@ -69,6 +69,7 @@ spec:
           {{- end }}
       restartPolicy: OnFailure
       serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken }}
     {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
       nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
     {{- end }}

charts/ingress-nginx/templates/controller-daemonset.yaml

@@ -202,6 +202,7 @@ spec:
       topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }}
     {{- end }}
       serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
       terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
     {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }}
       volumes:

charts/ingress-nginx/templates/controller-deployment.yaml

@@ -208,6 +208,7 @@ spec:
       topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }}
     {{- end }}
       serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
       terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
     {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }}
       volumes:

charts/ingress-nginx/templates/controller-service-internal.yaml

@@ -12,6 +12,9 @@ metadata:
   {{- if .Values.controller.service.labels }}
     {{- toYaml .Values.controller.service.labels | nindent 4 }}
   {{- end }}
+  {{- if .Values.controller.service.internal.labels }}
+    {{- toYaml .Values.controller.service.internal.labels | nindent 4 }}
+  {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}-internal
   namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
@@ -19,6 +22,9 @@ spec:
 {{- if .Values.controller.service.internal.clusterIP }}
   clusterIP: {{ .Values.controller.service.internal.clusterIP }}
 {{- end }}
+{{- if .Values.controller.service.internal.clusterIPs }}
+  clusterIPs: {{ toYaml .Values.controller.service.internal.clusterIPs | nindent 4 }}
+{{- end }}
 {{- if .Values.controller.service.internal.externalIPs }}
   externalIPs: {{ toYaml .Values.controller.service.internal.externalIPs | nindent 4 }}
 {{- end }}
@@ -43,6 +49,11 @@ spec:
 {{- if .Values.controller.service.internal.healthCheckNodePort }}
   healthCheckNodePort: {{ .Values.controller.service.internal.healthCheckNodePort }}
 {{- end }}
+{{- if semverCompare ">=1.31.0-0" .Capabilities.KubeVersion.Version -}}
+{{- if .Values.controller.service.internal.trafficDistribution }}
+  trafficDistribution: {{ .Values.controller.service.internal.trafficDistribution }}
+{{- end }}
+{{- end }}
 {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version -}}
 {{- if .Values.controller.service.internal.ipFamilyPolicy }}
   ipFamilyPolicy: {{ .Values.controller.service.internal.ipFamilyPolicy }}

charts/ingress-nginx/templates/controller-service.yaml

@@ -12,6 +12,9 @@ metadata:
   {{- if .Values.controller.service.labels }}
     {{- toYaml .Values.controller.service.labels | nindent 4 }}
   {{- end }}
+  {{- if .Values.controller.service.external.labels }}
+    {{- toYaml .Values.controller.service.external.labels | nindent 4 }}
+  {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}
   namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
@@ -19,6 +22,9 @@ spec:
 {{- if .Values.controller.service.clusterIP }}
   clusterIP: {{ .Values.controller.service.clusterIP }}
 {{- end }}
+{{- if .Values.controller.service.clusterIPs }}
+  clusterIPs: {{ toYaml .Values.controller.service.clusterIPs | nindent 4 }}
+{{- end }}
 {{- if .Values.controller.service.externalIPs }}
   externalIPs: {{ toYaml .Values.controller.service.externalIPs | nindent 4 }}
 {{- end }}
@@ -43,6 +49,11 @@ spec:
 {{- if .Values.controller.service.healthCheckNodePort }}
   healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }}
 {{- end }}
+{{- if semverCompare ">=1.31.0-0" .Capabilities.KubeVersion.Version -}}
+{{- if .Values.controller.service.trafficDistribution }}
+  trafficDistribution: {{ .Values.controller.service.trafficDistribution }}
+{{- end }}
+{{- end }}
 {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version -}}
 {{- if .Values.controller.service.ipFamilyPolicy }}
   ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy }}

charts/ingress-nginx/templates/controller-servicemonitor.yaml

@@ -47,4 +47,19 @@ spec:
   {{- if .Values.controller.metrics.serviceMonitor.targetLabels }}
   targetLabels: {{ toYaml .Values.controller.metrics.serviceMonitor.targetLabels | nindent 2 }}
   {{- end }}
+  {{- if .Values.controller.metrics.serviceMonitor.labelLimit }}
+  labelLimit: {{ .Values.controller.metrics.serviceMonitor.labelLimit }}
+  {{- end }}
+  {{- if .Values.controller.metrics.serviceMonitor.labelNameLengthLimit }}
+  labelNameLengthLimit: {{ .Values.controller.metrics.serviceMonitor.labelNameLengthLimit }}
+  {{- end }}
+  {{- if .Values.controller.metrics.serviceMonitor.labelValueLengthLimit }}
+  labelValueLengthLimit: {{ .Values.controller.metrics.serviceMonitor.labelValueLengthLimit }}
+  {{- end }}
+  {{- if .Values.controller.metrics.serviceMonitor.sampleLimit }}
+  sampleLimit: {{ .Values.controller.metrics.serviceMonitor.sampleLimit }}
+  {{- end }}
+  {{- if .Values.controller.metrics.serviceMonitor.targetLimit }}
+  targetLimit: {{ .Values.controller.metrics.serviceMonitor.targetLimit }}
+  {{- end }}
 {{- end }}

charts/ingress-nginx/templates/default-backend-deployment.yaml

@@ -103,6 +103,7 @@ spec:
       nodeSelector: {{ toYaml .Values.defaultBackend.nodeSelector | nindent 8 }}
     {{- end }}
       serviceAccountName: {{ include "ingress-nginx.defaultBackend.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.defaultBackend.serviceAccount.automountServiceAccountToken }}
     {{- if .Values.defaultBackend.tolerations }}
       tolerations: {{ toYaml .Values.defaultBackend.tolerations | nindent 8 }}
     {{- end }}

charts/ingress-nginx/templates/default-backend-service.yaml

@@ -18,6 +18,9 @@ spec:
 {{- if .Values.defaultBackend.service.clusterIP }}
   clusterIP: {{ .Values.defaultBackend.service.clusterIP }}
 {{- end }}
+{{- if .Values.defaultBackend.service.clusterIPs }}
+  clusterIPs: {{ toYaml .Values.defaultBackend.service.clusterIPs | nindent 4 }}
+{{- end }}
 {{- if .Values.defaultBackend.service.externalIPs }}
   externalIPs: {{ toYaml .Values.defaultBackend.service.externalIPs | nindent 4 }}
 {{- end }}

charts/ingress-nginx/tests/admission-webhooks/job-patch/job-createSecret_test.yaml

@@ -0,0 +1,12 @@
+suite: Admission Webhooks > Patch Job > Create Secret Job
+templates:
+  - admission-webhooks/job-patch/job-createSecret.yaml
+
+tests:
+  - it: should create a Job with token auto-mounting disabled if `controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken` is false
+    set:
+      controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false
+    asserts:
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: false

charts/ingress-nginx/tests/admission-webhooks/job-patch/job-patchWebhook_test.yaml

@@ -0,0 +1,12 @@
+suite: Admission Webhooks > Patch Job > Patch Webhook Job
+templates:
+  - admission-webhooks/job-patch/job-patchWebhook.yaml
+
+tests:
+  - it: should create a Job with token auto-mounting disabled if `controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken` is false
+    set:
+      controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false
+    asserts:
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: false

charts/ingress-nginx/tests/controller-daemonset_test.yaml

@@ -190,3 +190,12 @@ tests:
       - equal:
           path: spec.template.spec.containers[0].image
           value: registry.k8s.io/ingress-nginx/controller:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+
+  - it: should create a DaemonSet with token auto-mounting disabled if `serviceAccount.automountServiceAccountToken` is false
+    set:
+      controller.kind: DaemonSet
+      serviceAccount.automountServiceAccountToken: false
+    asserts:
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: false

charts/ingress-nginx/tests/controller-deployment_test.yaml

@@ -215,3 +215,11 @@ tests:
       - equal:
           path: spec.progressDeadlineSeconds
           value: 111
+
+  - it: should create a Deployment with token auto-mounting disabled if `serviceAccount.automountServiceAccountToken` is false
+    set:
+      serviceAccount.automountServiceAccountToken: false
+    asserts:
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: false

charts/ingress-nginx/tests/controller-service-internal_test.yaml

@@ -23,3 +23,53 @@ tests:
       - equal:
           path: metadata.name
           value: RELEASE-NAME-ingress-nginx-controller-internal
+
+  - it: should create a Service without `clusterIPs` if `controller.service.internal.clusterIPs` is not set
+    set:
+      controller.service.internal.enabled: true
+      controller.service.internal.annotations:
+        test.annotation: "true"
+    asserts:
+      - notExists:
+          path: spec.clusterIPs
+
+  - it: should create a Service with `clusterIPs` if `controller.service.internal.clusterIPs` is set
+    set:
+      controller.service.internal.enabled: true
+      controller.service.internal.annotations:
+        test.annotation: "true"
+      controller.service.internal.clusterIPs:
+        - 10.0.0.1
+        - fd00::1
+    asserts:
+      - equal:
+          path: spec.clusterIPs
+          value:
+            - 10.0.0.1
+            - fd00::1
+
+  - it: should create a Service with `trafficDistribution` if `controller.service.internal.trafficDistribution` is set
+    capabilities:
+      majorVersion: 1
+      minorVersion: 31
+    set:
+      controller.service.internal.enabled: true
+      controller.service.internal.annotations:
+        test.annotation: "true"
+      controller.service.internal.trafficDistribution: PreferClose
+    asserts:
+      - equal:
+          path: spec.trafficDistribution
+          value: PreferClose
+
+  - it: should create a Service with labels if `controller.service.internal.labels` is set
+    set: 
+      controller.service.internal.enabled: true
+      controller.service.internal.annotations:
+        test.annotation: "true"
+      controller.service.internal.labels:
+        external-dns.alpha.kubernetes.io/hostname: internal.example.com
+    asserts:
+      - equal:
+          path: metadata.labels["external-dns.alpha.kubernetes.io/hostname"]
+          value: internal.example.com

charts/ingress-nginx/tests/controller-service_test.yaml

@@ -30,3 +30,45 @@ tests:
       - equal:
           path: spec.type
           value: NodePort
+
+  - it: should create a Service without `clusterIPs` if `controller.service.clusterIPs` is not set
+    set:
+      controller.service.external.enabled: true
+    asserts:
+      - notExists:
+          path: spec.clusterIPs
+
+  - it: should create a Service with `clusterIPs` if `controller.service.clusterIPs` is set
+    set:
+      controller.service.external.enabled: true
+      controller.service.clusterIPs:
+        - 10.0.0.1
+        - fd00::1
+    asserts:
+      - equal:
+          path: spec.clusterIPs
+          value:
+            - 10.0.0.1
+            - fd00::1
+
+  - it: should create a Service with `trafficDistribution` if `controller.service.trafficDistribution` is set
+    capabilities:
+      majorVersion: 1
+      minorVersion: 31
+    set:
+      controller.service.external.enabled: true
+      controller.service.trafficDistribution: PreferClose
+    asserts:
+      - equal:
+          path: spec.trafficDistribution
+          value: PreferClose
+
+  - it: should create a Service with labels if `controller.service.external.labels` is set
+    set:
+      controller.service.external.enabled: true
+      controller.service.external.labels:
+        external-dns.alpha.kubernetes.io/hostname: external.example.com
+    asserts:
+      - equal:
+          path: metadata.labels["external-dns.alpha.kubernetes.io/hostname"]
+          value: external.example.com

charts/ingress-nginx/tests/controller-servicemonitor_test.yaml

@@ -27,3 +27,53 @@ tests:
           path: metadata.annotations
           value:
             my-little-annotation: test-value
+
+  - it: should create a ServiceMonitor with `labelLimit` if `controller.metrics.serviceMonitor.labelLimit` is set
+    set:
+      controller.metrics.enabled: true
+      controller.metrics.serviceMonitor.enabled: true
+      controller.metrics.serviceMonitor.labelLimit: 20
+    asserts:
+      - equal:
+          path: spec.labelLimit
+          value: 20
+
+  - it: should create a ServiceMonitor with `labelNameLengthLimit` if `controller.metrics.serviceMonitor.labelNameLengthLimit` is set
+    set:
+      controller.metrics.enabled: true
+      controller.metrics.serviceMonitor.enabled: true
+      controller.metrics.serviceMonitor.labelNameLengthLimit: 50
+    asserts:
+      - equal:
+          path: spec.labelNameLengthLimit
+          value: 50
+
+  - it: should create a ServiceMonitor with `labelValueLengthLimit` if `controller.metrics.serviceMonitor.labelValueLengthLimit` is set
+    set:
+      controller.metrics.enabled: true
+      controller.metrics.serviceMonitor.enabled: true
+      controller.metrics.serviceMonitor.labelValueLengthLimit: 50
+    asserts:
+      - equal:
+          path: spec.labelValueLengthLimit
+          value: 50
+
+  - it: should create a ServiceMonitor with `sampleLimit` if `controller.metrics.serviceMonitor.sampleLimit` is set
+    set:
+      controller.metrics.enabled: true
+      controller.metrics.serviceMonitor.enabled: true
+      controller.metrics.serviceMonitor.sampleLimit: 5000
+    asserts:
+      - equal:
+          path: spec.sampleLimit
+          value: 5000
+
+  - it: should create a ServiceMonitor with `targetLimit` if `controller.metrics.serviceMonitor.targetLimit` is set
+    set:
+      controller.metrics.enabled: true
+      controller.metrics.serviceMonitor.enabled: true
+      controller.metrics.serviceMonitor.targetLimit: 100
+    asserts:
+      - equal:
+          path: spec.targetLimit
+          value: 100

charts/ingress-nginx/tests/default-backend-deployment_test.yaml

@@ -187,3 +187,12 @@ tests:
       - equal:
           path: spec.template.spec.containers[0].image
           value: registry.k8s.io/defaultbackend-amd64:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+
+  - it: should create a Deployment with token auto-mounting disabled if `defaultBackend.serviceAccount.automountServiceAccountToken` is false
+    set:
+      defaultBackend.enabled: true
+      defaultBackend.serviceAccount.automountServiceAccountToken: false
+    asserts:
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: false

charts/ingress-nginx/tests/default-backend-service_test.yaml

@@ -30,3 +30,23 @@ tests:
       - equal:
           path: spec.ports[0].port
           value: 80
+
+  - it: should create a Service without `clusterIPs` if `defaultBackend.service.clusterIPs` is not set
+    set:
+      defaultBackend.enabled: true
+    asserts:
+      - notExists:
+          path: spec.clusterIPs
+
+  - it: should create a Service with `clusterIPs` if `defaultBackend.service.clusterIPs` is set
+    set:
+      defaultBackend.enabled: true
+      defaultBackend.service.clusterIPs:
+        - 10.0.0.1
+        - fd00::1
+    asserts:
+      - equal:
+          path: spec.clusterIPs
+          value:
+            - 10.0.0.1
+            - fd00::1

charts/ingress-nginx/values.yaml

@@ -486,6 +486,8 @@ controller:
     external:
       # -- Enable the external controller service or not. Useful for internal-only deployments.
       enabled: true
+      # -- Labels to be added to the external controller service.
+      labels: {}
     # -- Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service.
     annotations: {}
     # -- Labels to be added to both controller services.
@@ -497,6 +499,10 @@ controller:
     # This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
     # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
     clusterIP: ""
+    # -- Pre-defined cluster internal IP addresses of the external controller service. Take care of collisions with existing services.
+    # This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
+    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
+    clusterIPs: []
     # -- List of node IP addresses at which the external controller service is available.
     # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
     externalIPs: []
@@ -523,6 +529,10 @@ controller:
     # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
     # healthCheckNodePort: 0
 
+    # -- Traffic distribution policy of the external controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client.
+    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution
+    trafficDistribution: ""
+
     # -- Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack.
     # Fields `ipFamilies` and `clusterIP` depend on the value of this field.
     # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
@@ -566,6 +576,8 @@ controller:
     internal:
       # -- Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this.
       enabled: false
+      # -- Labels to be added to the internal controller service.
+      labels: {}
       # -- Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service.
       # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
       annotations: {}
@@ -577,6 +589,10 @@ controller:
       # This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
       # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
       clusterIP: ""
+      # -- Pre-defined cluster internal IP addresses of the internal controller service. Take care of collisions with existing services.
+      # This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
+      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
+      clusterIPs: []
       # -- List of node IP addresses at which the internal controller service is available.
       # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
       externalIPs: []
@@ -603,6 +619,10 @@ controller:
       # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
       # healthCheckNodePort: 0
 
+      # -- Traffic distribution policy of the internal controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client.
+      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution
+      trafficDistribution: ""
+
       # -- Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack.
       # Fields `ipFamilies` and `clusterIP` depend on the value of this field.
       # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
@@ -882,6 +902,16 @@ controller:
       targetLabels: []
       relabelings: []
       metricRelabelings: []
+      # -- Per-scrape limit on number of labels that will be accepted for a sample.
+      labelLimit: 0
+      # -- Per-scrape limit on length of labels name that will be accepted for a sample.
+      labelNameLengthLimit: 0
+      # -- Per-scrape limit on length of labels value that will be accepted for a sample.
+      labelValueLengthLimit: 0
+      # -- Defines a per-scrape limit on the number of scraped samples that will be accepted.
+      sampleLimit: 0
+      # -- Defines a limit on the number of scraped targets that will be accepted.
+      targetLimit: 0
     prometheusRule:
       enabled: false
       additionalLabels: {}
@@ -1145,6 +1175,10 @@ defaultBackend:
   service:
     annotations: {}
     # clusterIP: ""
+    # -- Pre-defined cluster internal IP addresses of the default backend service. Take care of collisions with existing services.
+    # This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
+    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
+    clusterIPs: []
 
     # -- List of IP addresses at which the default backend service is available
     ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips

docs/e2e-tests.md

@@ -222,10 +222,10 @@ Do not try to edit it manually.
 - [should set valid proxy timeouts](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L117)
 - [should not set invalid proxy timeouts](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L138)
 - [should turn on proxy-buffering](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L159)
-- [should turn off proxy-request-buffering](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L181)
+- [should turn off proxy-request-buffering](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L184)
-- [should build proxy next upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L196)
+- [should build proxy next upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L199)
-- [should setup proxy cookies](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L217)
+- [should setup proxy cookies](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L220)
-- [should change the default proxy HTTP version](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L235)
+- [should change the default proxy HTTP version](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L238)
 ### [proxy-ssl-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxyssl.go#L32)
 - [should set valid proxy-ssl-secret](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxyssl.go#L39)
 - [should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxyssl.go#L66)
@@ -235,6 +235,10 @@ Do not try to edit it manually.
 ### [permanent-redirect permanent-redirect-code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/redirect.go#L30)
 - [should respond with a standard redirect code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/redirect.go#L33)
 - [should respond with a custom redirect code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/redirect.go#L61)
+### [relative-redirects](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/relativeredirects.go#L35)
+- [configures Nginx correctly](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/relativeredirects.go#L43)
+- [should respond with absolute URL in Location](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/relativeredirects.go#L61)
+- [should respond with relative URL in Location](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/relativeredirects.go#L85)
 ### [rewrite-target use-regex enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/rewrite.go#L32)
 - [should write rewrite logs](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/rewrite.go#L39)
 - [should use correct longest path match](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/rewrite.go#L68)

docs/user-guide/nginx-configuration/annotations-risk.md

@@ -73,6 +73,7 @@
 | Proxy | proxy-buffer-size | Low | location |
 | Proxy | proxy-buffering | Low | location |
 | Proxy | proxy-buffers-number | Low | location |
+| Proxy | proxy-busy-buffers-size | Low | location |
 | Proxy | proxy-connect-timeout | Low | location |
 | Proxy | proxy-cookie-domain | Medium | location |
 | Proxy | proxy-cookie-path | Medium | location |
@@ -103,6 +104,7 @@
 | Redirect | from-to-www-redirect | Low | location |
 | Redirect | permanent-redirect | Medium | location |
 | Redirect | permanent-redirect-code | Low | location |
+| Redirect | relative-redirects | Low | location |
 | Redirect | temporal-redirect | Medium | location |
 | Redirect | temporal-redirect-code | Low | location |
 | Rewrite | app-root | Medium | location |

docs/user-guide/nginx-configuration/annotations.md

@@ -116,6 +116,7 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz
 |[nginx.ingress.kubernetes.io/proxy-buffering](#proxy-buffering)|string|
 |[nginx.ingress.kubernetes.io/proxy-buffers-number](#proxy-buffers-number)|number|
 |[nginx.ingress.kubernetes.io/proxy-buffer-size](#proxy-buffer-size)|string|
+|[nginx.ingress.kubernetes.io/proxy-busy-buffers-size](#proxy-busy-buffers-size)|string|
 |[nginx.ingress.kubernetes.io/proxy-max-temp-file-size](#proxy-max-temp-file-size)|string|
 |[nginx.ingress.kubernetes.io/ssl-ciphers](#ssl-ciphers)|string|
 |[nginx.ingress.kubernetes.io/ssl-prefer-server-ciphers](#ssl-ciphers)|"true" or "false"|
@@ -747,6 +748,18 @@ To configure this setting globally, set `proxy-buffer-size` in [NGINX ConfigMap]
 nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
 ```
 
+### Proxy busy buffers size
+
+[Limits the total size of buffers that can be busy](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_busy_buffers_size) sending a response to the client while the response is not yet fully read.
+
+By default proxy busy buffers size is set as "8k".
+
+To configure this setting globally, set `proxy-busy-buffers-size` in the [ConfigMap](./configmap.md#proxy-busy-buffers-size). To use custom values in an Ingress rule, define this annotation:
+
+```yaml
+nginx.ingress.kubernetes.io/proxy-busy-buffers-size: "16k"
+```
+
 ### Proxy max temp file size
 
 When [`buffering`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering) of responses from the proxied server is enabled, and the whole response does not fit into the buffers set by the [`proxy_buffer_size`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) and [`proxy_buffers`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers) directives, a part of the response can be saved to a temporary file. This directive sets the maximum `size` of the temporary file setting the [`proxy_max_temp_file_size`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_max_temp_file_size). The size of data written to the temporary file at a time is set by the [`proxy_temp_file_write_size`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_temp_file_write_size) directive.

docs/user-guide/nginx-configuration/configmap.md

@@ -179,6 +179,7 @@ The following table shows a configuration option's name, type, and the default v
 | [proxy-send-timeout](#proxy-send-timeout)                                       | int          | 60                                                                                                                                                                                                                                                                                                                                                           |                                                                                     |
 | [proxy-buffers-number](#proxy-buffers-number)                                   | int          | 4                                                                                                                                                                                                                                                                                                                                                            |                                                                                     |
 | [proxy-buffer-size](#proxy-buffer-size)                                         | string       | "4k"                                                                                                                                                                                                                                                                                                                                                         |                                                                                     |
+| [proxy-busy-buffers-size](#proxy-busy-buffers-size)                             | string       | "8k"                                                                                                                                                                                                                                                                                                                                                         |                                                                                     |
 | [proxy-cookie-path](#proxy-cookie-path)                                         | string       | "off"                                                                                                                                                                                                                                                                                                                                                        |                                                                                     |
 | [proxy-cookie-domain](#proxy-cookie-domain)                                     | string       | "off"                                                                                                                                                                                                                                                                                                                                                        |                                                                                     |
 | [proxy-next-upstream](#proxy-next-upstream)                                     | string       | "error timeout"                                                                                                                                                                                                                                                                                                                                              |                                                                                     |
@@ -223,6 +224,7 @@ The following table shows a configuration option's name, type, and the default v
 | [debug-connections](#debug-connections)                                         | []string     | "127.0.0.1,1.1.1.1/24"                                                                                                                                                                                                                                                                                                                                       |                                                                                     |
 | [strict-validate-path-type](#strict-validate-path-type)                         | bool         | "true"                                                                                                                                                                                                                                                                                                                                                       |                                                                                     |
 | [grpc-buffer-size-kb](#grpc-buffer-size-kb)                                     | int          | 0                                                                                                                                                                                                                                                                                                                                                            |                                                                                     |
+| [relative-redirects](#relative-redirects)                                       | bool         | false                                                                                                                                                                                                                                                                                                                                                        |                                                                                     |
 
 ## add-headers
 
@@ -1108,6 +1110,10 @@ Sets the number of the buffer used for [reading the first part of the response](
 
 Sets the size of the buffer used for [reading the first part of the response](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) received from the proxied server. This part usually contains a small response header.
 
+## proxy-busy-buffers-size
+
+[Limits the total size of buffers that can be busy](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_busy_buffers_size) sending a response to the client while the response is not yet fully read.
+
 ## proxy-cookie-path
 
 Sets a text that [should be changed in the path attribute](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_path) of the “Set-Cookie” header fields of a proxied server response.
@@ -1382,3 +1388,14 @@ Sets the configuration for the GRPC Buffer Size parameter. If not set it will us
 
 _References:_
 [https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_buffer_size](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_buffer_size)
+
+## relative-redirects
+
+Use relative redirects instead of absolute redirects. Absolute redirects are the default in nginx. RFC7231 allows relative redirects since 2014.
+Similar to the Ingress rule annotation `nginx.ingress.kubernetes.io/relative-redirects`.
+
+_**default:**_ "false"
+
+_References:_
+- [https://nginx.org/en/docs/http/ngx_http_core_module.html#absolute_redirect](https://nginx.org/en/docs/http/ngx_http_core_module.html#absolute_redirect)
+- [https://datatracker.ietf.org/doc/html/rfc7231#section-7.1.2](https://datatracker.ietf.org/doc/html/rfc7231#section-7.1.2)

hack/manifest-templates/provider/kind/values.yaml

@@ -8,11 +8,9 @@ controller:
     enabled: true
   terminationGracePeriodSeconds: 0
   service:
-    type: NodePort
+    type: LoadBalancer
   watchIngressWithoutClass: true
 
-  nodeSelector:
-    ingress-ready: "true"
   tolerations:
     - key: "node-role.kubernetes.io/master"
       operator: "Equal"

images/nginx/TAG

@@ -1 +1 @@
-v1.2.0
+v2.0.0

images/nginx/rootfs/build.sh

@@ -18,23 +18,20 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
-export NGINX_VERSION=1.25.5
+export NGINX_VERSION=1.27.1
 
 # Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.3...master
 export NDK_VERSION=v0.3.3
 
 # Check for recent changes: https://github.com/openresty/set-misc-nginx-module/compare/v0.33...master
-export SETMISC_VERSION=796f5a3e518748eb29a93bd450324e0ad45b704e
+export SETMISC_VERSION=v0.33
 
 # Check for recent changes: https://github.com/openresty/headers-more-nginx-module/compare/v0.37...master
 export MORE_HEADERS_VERSION=v0.37
 
-# Check for recent changes: https://github.com/atomx/nginx-http-auth-digest/compare/v1.0.0...atomx:master
+# Check for recent changes: https://github.com/atomx/nginx-http-auth-digest/compare/v1.0.0...master
 export NGINX_DIGEST_AUTH=v1.0.0
 
-# Check for recent changes: https://github.com/yaoweibin/ngx_http_substitutions_filter_module/compare/v0.6.4...master
-export NGINX_SUBSTITUTIONS=e12e965ac1837ca709709f9a26f572a54d83430e
-
 # Check for recent changes: https://github.com/SpiderLabs/ModSecurity-nginx/compare/v1.0.3...master
 export MODSECURITY_VERSION=v1.0.3
 
@@ -44,62 +41,62 @@ export MODSECURITY_LIB_VERSION=v3.0.13
 # Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v4.10.0...main
 export OWASP_MODSECURITY_CRS_VERSION=v4.10.0
 
-# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.26``...master
+# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.27...master
-export LUA_NGX_VERSION=v0.10.26
+export LUA_NGX_VERSION=v0.10.27
 
-# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/bea8a0c0de94cede71554f53818ac0267d675d63...master
+# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/v0.0.15...master
-export LUA_STREAM_NGX_VERSION=bea8a0c0de94cede71554f53818ac0267d675d63
+export LUA_STREAM_NGX_VERSION=v0.0.15
 
-# Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/8aa93ead98ba2060d4efd594ae33a35d153589bf...master
+# Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/v0.07...master
-export LUA_UPSTREAM_VERSION=542be0893543a4e42d89f6dd85372972f5ff2a36
+export LUA_UPSTREAM_VERSION=v0.07
 
-# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.13...openresty:master
+# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.14...master
-export LUA_CJSON_VERSION=2.1.0.13
+export LUA_CJSON_VERSION=2.1.0.14
 
-# Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/a607a41a8115fecfc05b5c283c81532a3d605425...master
+# Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/445df24ef3781e488cee3dfe8a1e111997fc1dfe...master
-export GEOIP2_VERSION=a607a41a8115fecfc05b5c283c81532a3d605425
+export GEOIP2_VERSION=445df24ef3781e488cee3dfe8a1e111997fc1dfe
 
-# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20240314...v2.1-agentzh
+# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20240815...v2.1-agentzh
-export LUAJIT_VERSION=v2.1-20240314
+export LUAJIT_VERSION=v2.1-20240815
 
-# Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/1cd4363c0a239afe4765ec607dcfbbb4e5900eea...master
+# Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/v0.05...master
-export LUA_RESTY_BALANCER=1cd4363c0a239afe4765ec607dcfbbb4e5900eea
+export LUA_RESTY_BALANCER=v0.05
 
-# Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/99e7578465b40f36f596d099b82eab404f2b42ed...master
+# Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/v0.15...master
-export LUA_RESTY_CACHE=99e7578465b40f36f596d099b82eab404f2b42ed
+export LUA_RESTY_CACHE=v0.15
 
-# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.27...master
+# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.30...master
-export LUA_RESTY_CORE=v0.1.28
+export LUA_RESTY_CORE=v0.1.30
 
 # Check for recent changes: https://github.com/cloudflare/lua-resty-cookie/compare/f418d77082eaef48331302e84330488fdc810ef4...master
 export LUA_RESTY_COOKIE_VERSION=f418d77082eaef48331302e84330488fdc810ef4
 
-# Check for recent changes: https://github.com/openresty/lua-resty-dns/compare/8bb53516e2933e61c317db740a9b7c2048847c2f...master
+# Check for recent changes: https://github.com/openresty/lua-resty-dns/compare/v0.23...master
-export LUA_RESTY_DNS=8bb53516e2933e61c317db740a9b7c2048847c2f
+export LUA_RESTY_DNS=v0.23
 
-# Check for recent changes: https://github.com/ledgetech/lua-resty-http/compare/v0.17.1...master
+# Check for recent changes: https://github.com/ledgetech/lua-resty-http/compare/v0.17.2...master
-export LUA_RESTY_HTTP=v0.17.1
+export LUA_RESTY_HTTP=v0.17.2
 
 # Check for recent changes: https://github.com/openresty/lua-resty-lock/compare/v0.09...master
-export LUA_RESTY_LOCK=405d0bf4cbfa74d742c6ed3158d442221e6212a9
+export LUA_RESTY_LOCK=v0.09
 
 # Check for recent changes: https://github.com/openresty/lua-resty-upload/compare/v0.11...master
-export LUA_RESTY_UPLOAD_VERSION=979372cce011f3176af3c9aff53fd0e992c4bfd3
+export LUA_RESTY_UPLOAD_VERSION=v0.11
 
-# Check for recent changes: https://github.com/openresty/lua-resty-string/compare/v0.15...master
+# Check for recent changes: https://github.com/openresty/lua-resty-string/compare/v0.16...master
-export LUA_RESTY_STRING_VERSION=6f1bc21d86daef804df3cc34d6427ef68da26844
+export LUA_RESTY_STRING_VERSION=v0.16
 
 # Check for recent changes: https://github.com/openresty/lua-resty-memcached/compare/v0.17...master
-export LUA_RESTY_MEMCACHED_VERSION=2f02b68bf65fa2332cce070674a93a69a6c7239b
+export LUA_RESTY_MEMCACHED_VERSION=v0.17
 
-# Check for recent changes: https://github.com/openresty/lua-resty-redis/compare/v0.30...master
+# Check for recent changes: https://github.com/openresty/lua-resty-redis/compare/v0.31...master
-export LUA_RESTY_REDIS_VERSION=8641b9f1b6f75cca50c90cf8ca5c502ad8950aa8
+export LUA_RESTY_REDIS_VERSION=v0.31
 
-# Check for recent changes: https://github.com/api7/lua-resty-ipmatcher/compare/v0.6.1...master
+# Check for recent changes: https://github.com/api7/lua-resty-ipmatcher/compare/3e93c53eb8c9884efe939ef070486a0e507cc5be...master
 export LUA_RESTY_IPMATCHER_VERSION=3e93c53eb8c9884efe939ef070486a0e507cc5be
 
-# Check for recent changes: https://github.com/microsoft/mimalloc/compare/v2.1.7...master
+# Check for recent changes: https://github.com/microsoft/mimalloc/compare/v2.1.9...master
-export MIMALOC_VERSION=v2.1.7
+export MIMALOC_VERSION=v2.1.9
 
 # Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp/compare/v1.18.0...main
 export OPENTELEMETRY_CPP_VERSION=v1.18.0
@@ -214,9 +211,6 @@ get_src 0c0d2ced2ce895b3f45eb2b230cd90508ab2a773299f153de14a43e44c1209b3 \
 get_src f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b \
         "https://github.com/atomx/nginx-http-auth-digest/archive/$NGINX_DIGEST_AUTH.tar.gz" "nginx-http-auth-digest"
 
-get_src a98b48947359166326d58700ccdc27256d2648218072da138ab6b47de47fbd8f \
-        "https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/$NGINX_SUBSTITUTIONS.tar.gz" "ngx_http_substitutions_filter_module"
-
 get_src 32a42256616cc674dca24c8654397390adff15b888b77eb74e0687f023c8751b \
         "https://github.com/SpiderLabs/ModSecurity-nginx/archive/$MODSECURITY_VERSION.tar.gz" "ModSecurity-nginx"
 
@@ -324,8 +318,7 @@ git config --global --add core.compression -1
 cd "$BUILD_PATH"
 git clone --depth=100 https://github.com/google/ngx_brotli.git
 cd ngx_brotli
-# https://github.com/google/ngx_brotli/issues/156
+git reset --hard a71f9312c2deb28875acc7bacfdd5695a111aa53
-git reset --hard 63ca02abdcf79c9e788d2eedcc388d2335902e52
 git submodule init
 git submodule update
 
@@ -490,7 +483,6 @@ WITH_MODULES=" \
   --add-module=$BUILD_PATH/ngx_devel_kit \
   --add-module=$BUILD_PATH/set-misc-nginx-module \
   --add-module=$BUILD_PATH/headers-more-nginx-module \
-  --add-module=$BUILD_PATH/ngx_http_substitutions_filter_module \
   --add-module=$BUILD_PATH/lua-nginx-module \
   --add-module=$BUILD_PATH/stream-lua-nginx-module \
   --add-module=$BUILD_PATH/lua-upstream-nginx-module \

images/nginx/rootfs/patches/04_nginx-1.27.1-stream_proxy_timeout_fields.patch

@@ -1,6 +1,6 @@
-diff -u -r -p -Naur nginx-1.25.3/src/stream/ngx_stream.h nginx-1.25.3-patched/src/stream/ngx_stream.h
+diff -u -r -p -Naur nginx-1.27.1/src/stream/ngx_stream.h nginx-1.27.1-patched/src/stream/ngx_stream.h
---- nginx-1.25.3/src/stream/ngx_stream.h	2021-11-04 21:27:55.288708527 +0800
+--- nginx-1.27.1/src/stream/ngx_stream.h	2021-11-04 21:27:55.288708527 +0800
-+++ nginx-1.25.3-patched/src/stream/ngx_stream.h	2021-11-04 21:28:50.768035209 +0800
++++ nginx-1.27.1-patched/src/stream/ngx_stream.h	2021-11-04 21:28:50.768035209 +0800
 @@ -254,6 +254,15 @@ typedef struct {
  } ngx_stream_module_t;
  
@@ -25,9 +25,9 @@ diff -u -r -p -Naur nginx-1.25.3/src/stream/ngx_stream.h nginx-1.25.3-patched/sr
  
  
  typedef ngx_int_t (*ngx_stream_filter_pt)(ngx_stream_session_t *s,
-diff -u -r -p -Naur nginx-1.25.3/src/stream/ngx_stream_proxy_module.c nginx-1.25.3-patched/src/stream/ngx_stream_proxy_module.c
+diff -u -r -p -Naur nginx-1.27.1/src/stream/ngx_stream_proxy_module.c nginx-1.27.1-patched/src/stream/ngx_stream_proxy_module.c
---- nginx-1.25.3/src/stream/ngx_stream_proxy_module.c	2021-11-04 21:27:55.289708533 +0800
+--- nginx-1.27.1/src/stream/ngx_stream_proxy_module.c	2021-11-04 21:27:55.289708533 +0800
-+++ nginx-1.25.3-patched/src/stream/ngx_stream_proxy_module.c	2021-11-04 21:37:03.578936990 +0800
++++ nginx-1.27.1-patched/src/stream/ngx_stream_proxy_module.c	2021-11-04 21:37:03.578936990 +0800
 @@ -400,6 +400,7 @@ ngx_stream_proxy_handler(ngx_stream_sess
      ngx_stream_proxy_srv_conf_t      *pscf;
      ngx_stream_upstream_srv_conf_t   *uscf, **uscfp;

images/nginx/rootfs/patches/08_nginx-1.27.1-init_cycle_pool_release.patch

@@ -1,6 +1,6 @@
-diff -rup nginx-1.25.3/src/core/nginx.c nginx-1.25.3-patched/src/core/nginx.c
+diff -rup nginx-1.27.1/src/core/nginx.c nginx-1.27.1-patched/src/core/nginx.c
---- nginx-1.25.3/src/core/nginx.c	2017-12-17 00:00:38.136470108 -0800
+--- nginx-1.27.1/src/core/nginx.c	2017-12-17 00:00:38.136470108 -0800
-+++ nginx-1.25.3-patched/src/core/nginx.c	2017-12-16 23:59:51.680958322 -0800
++++ nginx-1.27.1-patched/src/core/nginx.c	2017-12-16 23:59:51.680958322 -0800
 @@ -186,6 +186,7 @@ static u_char      *ngx_prefix;
  static u_char      *ngx_conf_file;
  static u_char      *ngx_conf_params;
@@ -18,9 +18,9 @@ diff -rup nginx-1.25.3/src/core/nginx.c nginx-1.25.3-patched/src/core/nginx.c
      if (ngx_save_argv(&init_cycle, argc, argv) != NGX_OK) {
          return 1;
      }
-diff -rup nginx-1.25.3/src/core/ngx_core.h nginx-1.25.3-patched/src/core/ngx_core.h
+diff -rup nginx-1.27.1/src/core/ngx_core.h nginx-1.27.1-patched/src/core/ngx_core.h
---- nginx-1.25.3/src/core/ngx_core.h	2017-10-10 08:22:51.000000000 -0700
+--- nginx-1.27.1/src/core/ngx_core.h	2017-10-10 08:22:51.000000000 -0700
-+++ nginx-1.25.3-patched/src/core/ngx_core.h	2017-12-16 23:59:51.679958370 -0800
++++ nginx-1.27.1-patched/src/core/ngx_core.h	2017-12-16 23:59:51.679958370 -0800
 @@ -108,4 +108,6 @@ void ngx_cpuinfo(void);
  #define NGX_DISABLE_SYMLINKS_NOTOWNER   2
  #endif
@@ -28,9 +28,9 @@ diff -rup nginx-1.25.3/src/core/ngx_core.h nginx-1.25.3-patched/src/core/ngx_cor
 +extern ngx_pool_t        *saved_init_cycle_pool;
 +
  #endif /* _NGX_CORE_H_INCLUDED_ */
-diff -rup nginx-1.25.3/src/core/ngx_cycle.c nginx-1.25.3-patched/src/core/ngx_cycle.c
+diff -rup nginx-1.27.1/src/core/ngx_cycle.c nginx-1.27.1-patched/src/core/ngx_cycle.c
---- nginx-1.25.3/src/core/ngx_cycle.c	2017-10-10 08:22:51.000000000 -0700
+--- nginx-1.27.1/src/core/ngx_cycle.c	2017-10-10 08:22:51.000000000 -0700
-+++ nginx-1.25.3-patched/src/core/ngx_cycle.c	2017-12-16 23:59:51.678958419 -0800
++++ nginx-1.27.1-patched/src/core/ngx_cycle.c	2017-12-16 23:59:51.678958419 -0800
 @@ -748,6 +748,10 @@ old_shm_zone_done:
  
      if (ngx_process == NGX_PROCESS_MASTER || ngx_is_init_cycle(old_cycle)) {
@@ -42,9 +42,9 @@ diff -rup nginx-1.25.3/src/core/ngx_cycle.c nginx-1.25.3-patched/src/core/ngx_cy
          ngx_destroy_pool(old_cycle->pool);
          cycle->old_cycle = NULL;
  
-diff -rup nginx-1.25.3/src/os/unix/ngx_process_cycle.c nginx-1.25.3-patched/src/os/unix/ngx_process_cycle.c
+diff -rup nginx-1.27.1/src/os/unix/ngx_process_cycle.c nginx-1.27.1-patched/src/os/unix/ngx_process_cycle.c
---- nginx-1.25.3/src/os/unix/ngx_process_cycle.c	2017-12-17 00:00:38.142469762 -0800
+--- nginx-1.27.1/src/os/unix/ngx_process_cycle.c	2017-12-17 00:00:38.142469762 -0800
-+++ nginx-1.25.3-patched/src/os/unix/ngx_process_cycle.c	2017-12-16 23:59:51.691957791 -0800
++++ nginx-1.27.1-patched/src/os/unix/ngx_process_cycle.c	2017-12-16 23:59:51.691957791 -0800
 @@ -687,6 +692,11 @@ ngx_master_process_exit(ngx_cycle_t *cyc
      ngx_exit_cycle.files_n = ngx_cycle->files_n;
      ngx_cycle = &ngx_exit_cycle;

images/nginx/rootfs/patches/17_nginx-1.27.1-no_error_pages.patch

@@ -1,6 +1,6 @@
-diff -upr nginx-1.25.3/src/http/ngx_http_core_module.c nginx-1.25.3-patched/src/http/ngx_http_core_module.c
+diff -upr nginx-1.27.1/src/http/ngx_http_core_module.c nginx-1.27.1-patched/src/http/ngx_http_core_module.c
---- nginx-1.25.3/src/http/ngx_http_core_module.c	2017-08-31 18:14:41.000000000 -0700
+--- nginx-1.27.1/src/http/ngx_http_core_module.c	2017-08-31 18:14:41.000000000 -0700
-+++ nginx-1.25.3-patched/src/http/ngx_http_core_module.c	2017-08-31 18:21:31.638098196 -0700
++++ nginx-1.27.1-patched/src/http/ngx_http_core_module.c	2017-08-31 18:21:31.638098196 -0700
 @@ -64,6 +64,8 @@ static char *ngx_http_core_directio(ngx_conf_t *cf, ngx_command_t *cmd,
      void *conf);
  static char *ngx_http_core_error_page(ngx_conf_t *cf, ngx_command_t *cmd,

images/nginx/rootfs/patches/18_nginx-1.25.3-no_Werror.patch

@@ -1,36 +0,0 @@
-diff -urp nginx-1.25.3/auto/cc/clang nginx-1.25.3-patched/auto/cc/clang
---- nginx-1.25.3/auto/cc/clang	2014-03-04 03:39:24.000000000 -0800
-+++ nginx-1.25.3-patched/auto/cc/clang	2014-03-13 20:54:26.241413360 -0700
-@@ -89,7 +89,7 @@ CFLAGS="$CFLAGS -Wconditional-uninitiali
- CFLAGS="$CFLAGS -Wno-unused-parameter"
- 
- # stop on warning
--CFLAGS="$CFLAGS -Werror"
-+#CFLAGS="$CFLAGS -Werror"
- 
- # debug
- CFLAGS="$CFLAGS -g"
-diff -urp nginx-1.25.3/auto/cc/gcc nginx-1.25.3-patched/auto/cc/gcc
---- nginx-1.25.3/auto/cc/gcc	2014-03-04 03:39:24.000000000 -0800
-+++ nginx-1.25.3-patched/auto/cc/gcc	2014-03-13 20:54:13.301355329 -0700
-@@ -168,7 +168,7 @@ esac
- 
- 
- # stop on warning
--CFLAGS="$CFLAGS -Werror"
-+#CFLAGS="$CFLAGS -Werror"
- 
- # debug
- CFLAGS="$CFLAGS -g"
-diff -urp nginx-1.25.3/auto/cc/icc nginx-1.25.3-patched/auto/cc/icc
---- nginx-1.25.3/auto/cc/icc	2014-03-04 03:39:24.000000000 -0800
-+++ nginx-1.25.3-patched/auto/cc/icc	2014-03-13 20:54:13.301355329 -0700
-@@ -115,7 +115,7 @@ case "$NGX_ICC_VER" in
- esac
- 
- # stop on warning
--CFLAGS="$CFLAGS -Werror"
-+#CFLAGS="$CFLAGS -Werror"
- 
- # debug
- CFLAGS="$CFLAGS -g"

images/nginx/rootfs/patches/18_nginx-1.27.1-no_Werror.patch

@@ -0,0 +1,36 @@
+diff -urp nginx-1.27.1/auto/cc/clang nginx-1.27.1-patched/auto/cc/clang
+--- nginx-1.27.1/auto/cc/clang	2014-03-04 03:39:24.000000000 -0800
++++ nginx-1.27.1-patched/auto/cc/clang	2014-03-13 20:54:26.241413360 -0700
+@@ -89,7 +89,7 @@ CFLAGS="$CFLAGS -Wconditional-uninitiali
+ CFLAGS="$CFLAGS -Wno-unused-parameter"
+ 
+ # stop on warning
+-CFLAGS="$CFLAGS -Werror"
++#CFLAGS="$CFLAGS -Werror"
+ 
+ # debug
+ CFLAGS="$CFLAGS -g"
+diff -urp nginx-1.27.1/auto/cc/gcc nginx-1.27.1-patched/auto/cc/gcc
+--- nginx-1.27.1/auto/cc/gcc	2014-03-04 03:39:24.000000000 -0800
++++ nginx-1.27.1-patched/auto/cc/gcc	2014-03-13 20:54:13.301355329 -0700
+@@ -168,7 +168,7 @@ esac
+ 
+ 
+ # stop on warning
+-CFLAGS="$CFLAGS -Werror"
++#CFLAGS="$CFLAGS -Werror"
+ 
+ # debug
+ CFLAGS="$CFLAGS -g"
+diff -urp nginx-1.27.1/auto/cc/icc nginx-1.27.1-patched/auto/cc/icc
+--- nginx-1.27.1/auto/cc/icc	2014-03-04 03:39:24.000000000 -0800
++++ nginx-1.27.1-patched/auto/cc/icc	2014-03-13 20:54:13.301355329 -0700
+@@ -115,7 +115,7 @@ case "$NGX_ICC_VER" in
+ esac
+ 
+ # stop on warning
+-CFLAGS="$CFLAGS -Werror"
++#CFLAGS="$CFLAGS -Werror"
+ 
+ # debug
+ CFLAGS="$CFLAGS -g"

images/nginx/rootfs/patches/20_nginx-1.27.1-proxy_host_port_vars.patch

@@ -1,5 +1,5 @@
---- nginx-1.25.3/src/http/modules/ngx_http_proxy_module.c	2017-07-16 14:02:51.000000000 +0800
+--- nginx-1.27.1/src/http/modules/ngx_http_proxy_module.c	2017-07-16 14:02:51.000000000 +0800
-+++ nginx-1.25.3-patched/src/http/modules/ngx_http_proxy_module.c	2017-07-16 14:02:51.000000000 +0800
++++ nginx-1.27.1-patched/src/http/modules/ngx_http_proxy_module.c	2017-07-16 14:02:51.000000000 +0800
 @@ -793,13 +793,13 @@ static ngx_keyval_t  ngx_http_proxy_cach
  static ngx_http_variable_t  ngx_http_proxy_vars[] = {
  

images/nginx/rootfs/patches/22_nginx-1.27.1-larger_max_error_str.patch

@@ -1,5 +1,5 @@
---- nginx-1.25.3/src/core/ngx_log.h	2013-10-08 05:07:14.000000000 -0700
+--- nginx-1.27.1/src/core/ngx_log.h	2013-10-08 05:07:14.000000000 -0700
-+++ nginx-1.25.3-patched/src/core/ngx_log.h	2013-12-05 20:35:35.996236720 -0800
++++ nginx-1.27.1-patched/src/core/ngx_log.h	2013-12-05 20:35:35.996236720 -0800
 @@ -64,7 +64,9 @@ struct ngx_log_s {
  };
  

images/nginx/rootfs/patches/24_nginx-1.27.1-always_enable_cc_feature_tests.patch

@@ -1,5 +1,5 @@
---- nginx-1.25.3/auto/cc/conf	2015-10-30 22:47:50.000000000 +0800
+--- nginx-1.27.1/auto/cc/conf	2015-10-30 22:47:50.000000000 +0800
-+++ nginx-1.25.3-patched/auto/cc/conf	2015-11-02 12:23:05.385156987 +0800
++++ nginx-1.27.1-patched/auto/cc/conf	2015-11-02 12:23:05.385156987 +0800
 @@ -144,7 +144,7 @@ fi
  CFLAGS="$CFLAGS $NGX_CC_OPT"
  NGX_TEST_LD_OPT="$NGX_LD_OPT"

images/nginx/rootfs/patches/32_nginx-1.27.1-proc_exit_handler.patch

@@ -0,0 +1,77 @@
+diff --git a/src/core/ngx_cycle.c b/src/core/ngx_cycle.c
+index c4e3c50..fa1408b 100644
+--- a/src/core/ngx_cycle.c
++++ b/src/core/ngx_cycle.c
+@@ -264,6 +264,9 @@ ngx_init_cycle(ngx_cycle_t *old_cycle)
+     }
+ 
+ 
++#if !(NGX_WIN32)
++    ngx_proc_exit_top_handler = ngx_proc_exit_def_handler;
++#endif
+     conf.ctx = cycle->conf_ctx;
+     conf.cycle = cycle;
+     conf.pool = pool;
+diff --git a/src/os/unix/ngx_process.c b/src/os/unix/ngx_process.c
+index 12a8c68..874c9bf 100644
+--- a/src/os/unix/ngx_process.c
++++ b/src/os/unix/ngx_process.c
+@@ -34,6 +34,7 @@ ngx_int_t        ngx_process_slot;
+ ngx_socket_t     ngx_channel;
+ ngx_int_t        ngx_last_process;
+ ngx_process_t    ngx_processes[NGX_MAX_PROCESSES];
++ngx_proc_exit_pt ngx_proc_exit_top_handler;
+ 
+ 
+ ngx_signal_t  signals[] = {
+@@ -83,6 +84,13 @@ ngx_signal_t  signals[] = {
+ };
+ 
+ 
++void
++ngx_proc_exit_def_handler(ngx_pid_t pid)
++{
++    /* do nothing */
++}
++
++
+ ngx_pid_t
+ ngx_spawn_process(ngx_cycle_t *cycle, ngx_spawn_proc_pt proc, void *data,
+     char *name, ngx_int_t respawn)
+@@ -564,6 +572,7 @@ ngx_process_get_status(void)
+         }
+ 
+         ngx_unlock_mutexes(pid);
++        ngx_proc_exit_top_handler(pid);
+     }
+ }
+ 
+diff --git a/src/os/unix/ngx_process.h b/src/os/unix/ngx_process.h
+index 3986639..0b55d98 100644
+--- a/src/os/unix/ngx_process.h
++++ b/src/os/unix/ngx_process.h
+@@ -18,6 +18,8 @@ typedef pid_t       ngx_pid_t;
+ #define NGX_INVALID_PID  -1
+ 
+ typedef void (*ngx_spawn_proc_pt) (ngx_cycle_t *cycle, void *data);
++#define NGX_HAVE_PROC_EXIT 1
++typedef void (*ngx_proc_exit_pt)(ngx_pid_t pid);
+ 
+ typedef struct {
+     ngx_pid_t           pid;
+@@ -66,6 +68,7 @@ ngx_pid_t ngx_spawn_process(ngx_cycle_t *cycle,
+ ngx_pid_t ngx_execute(ngx_cycle_t *cycle, ngx_exec_ctx_t *ctx);
+ ngx_int_t ngx_init_signals(ngx_log_t *log);
+ void ngx_debug_point(void);
++void ngx_proc_exit_def_handler(ngx_pid_t pid);
+ 
+ 
+ #if (NGX_HAVE_SCHED_YIELD)
+@@ -85,6 +88,7 @@ extern ngx_socket_t   ngx_channel;
+ extern ngx_int_t      ngx_process_slot;
+ extern ngx_int_t      ngx_last_process;
+ extern ngx_process_t  ngx_processes[NGX_MAX_PROCESSES];
++extern ngx_proc_exit_pt  ngx_proc_exit_top_handler;
+ 
+ 
+ #endif /* _NGX_PROCESS_H_INCLUDED_ */

images/test-runner/TAG

@@ -1 +1 @@
-v1.3.0
+v2.0.0

internal/ingress/annotations/cors/main.go

@@ -40,12 +40,12 @@ var (
 	// that could cause the Response to contain some internal value/variable (like returning $pid, $upstream_addr, etc)
 	// Origin must contain a http/s Origin (including or not the port) or the value '*'
 	// This Regex is composed of the following:
-	// * Sets a group that can be (https?://)?*?.something.com:port?
+	// * Sets a group that can be (https?://)?*?.something.com:port? OR null
 	// * Allows this to be repeated as much as possible, and separated by comma
 	// Otherwise it should be '*'
-	corsOriginRegexValidator = regexp.MustCompile(`^(((([a-z]+://)?(\*\.)?[A-Za-z0-9\-.]*(:\d+)?,?)+)|\*)?$`)
+	corsOriginRegexValidator = regexp.MustCompile(`^((((([a-z]+://)?(\*\.)?[A-Za-z0-9\-.]*(:\d+)?,?)|null)+)|\*)?$`)
 	// corsOriginRegex defines the regex for validation inside Parse
-	corsOriginRegex = regexp.MustCompile(`^([a-z]+://(\*\.)?[A-Za-z0-9\-.]*(:\d+)?|\*)?$`)
+	corsOriginRegex = regexp.MustCompile(`^([a-z]+://(\*\.)?[A-Za-z0-9\-.]*(:\d+)?|\*|null)?$`)
 	// Method must contain valid methods list (PUT, GET, POST, BLA)
 	// May contain or not spaces between each verb
 	corsMethodsRegex = regexp.MustCompile(`^([A-Za-z]+,?\s?)+$`)
@@ -78,7 +78,7 @@ var corsAnnotation = parser.Annotation{
 			Scope:     parser.AnnotationScopeIngress,
 			Risk:      parser.AnnotationRiskMedium,
 			Documentation: `This annotation controls what's the accepted Origin for CORS.
-			This is a multi-valued field, separated by ','. It must follow this format: protocol://origin-site.com or protocol://origin-site.com:port
+			This is a multi-valued field, separated by ','. It must follow this format: protocol://origin-site.com, protocol://origin-site.com:port, null, or *.
 			It also supports single level wildcard subdomains and follows this format: https://*.foo.bar, http://*.bar.foo:8080 or myprotocol://*.abc.bar.foo:9000
 			Protocol can be any lowercase string, like http, https, or mycustomprotocol.`,
 		},

internal/ingress/annotations/cors/main_test.go

@@ -82,7 +82,7 @@ func TestIngressCorsConfigValid(t *testing.T) {
 	data[parser.GetAnnotationWithPrefix(corsAllowHeadersAnnotation)] = "DNT,X-CustomHeader, Keep-Alive,User-Agent"
 	data[parser.GetAnnotationWithPrefix(corsAllowCredentialsAnnotation)] = "false"
 	data[parser.GetAnnotationWithPrefix(corsAllowMethodsAnnotation)] = "GET, PATCH"
-	data[parser.GetAnnotationWithPrefix(corsAllowOriginAnnotation)] = "https://origin123.test.com:4443"
+	data[parser.GetAnnotationWithPrefix(corsAllowOriginAnnotation)] = "null, https://origin123.test.com:4443"
 	data[parser.GetAnnotationWithPrefix(corsExposeHeadersAnnotation)] = "*, X-CustomResponseHeader"
 	data[parser.GetAnnotationWithPrefix(corsMaxAgeAnnotation)] = "600"
 	ing.SetAnnotations(data)
@@ -113,7 +113,7 @@ func TestIngressCorsConfigValid(t *testing.T) {
 		t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsAllowMethodsAnnotation)], nginxCors.CorsAllowMethods)
 	}
 
-	if nginxCors.CorsAllowOrigin[0] != "https://origin123.test.com:4443" {
+	if !reflect.DeepEqual(nginxCors.CorsAllowOrigin, []string{"null", "https://origin123.test.com:4443"}) {
 		t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsAllowOriginAnnotation)], nginxCors.CorsAllowOrigin)
 	}
 
@@ -176,7 +176,7 @@ func TestIngressCorsConfigInvalid(t *testing.T) {
 	}
 }
 
-func TestIngresCorsConfigAllowOriginWithTrailingComma(t *testing.T) {
+func TestIngressCorsConfigAllowOriginWithTrailingComma(t *testing.T) {
 	ing := buildIngress()
 
 	data := map[string]string{}
@@ -206,6 +206,36 @@ func TestIngresCorsConfigAllowOriginWithTrailingComma(t *testing.T) {
 	}
 }
 
+func TestIngressCorsConfigAllowOriginNull(t *testing.T) {
+	ing := buildIngress()
+
+	data := map[string]string{}
+	data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)] = enableAnnotation
+
+	// Include a trailing comma and an empty value between the commas.
+	data[parser.GetAnnotationWithPrefix(corsAllowOriginAnnotation)] = "https://origin123.test.com:4443,null,https://origin321.test.com:4443"
+	ing.SetAnnotations(data)
+
+	corst, err := NewParser(&resolver.Mock{}).Parse(ing)
+	if err != nil {
+		t.Errorf("error parsing annotations: %v", err)
+	}
+
+	nginxCors, ok := corst.(*Config)
+	if !ok {
+		t.Errorf("expected a Config type but returned %t", corst)
+	}
+
+	if !nginxCors.CorsEnabled {
+		t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)], nginxCors.CorsEnabled)
+	}
+
+	expectedCorsAllowOrigins := []string{"https://origin123.test.com:4443", "null", "https://origin321.test.com:4443"}
+	if !reflect.DeepEqual(nginxCors.CorsAllowOrigin, expectedCorsAllowOrigins) {
+		t.Errorf("expected %v but returned %v", expectedCorsAllowOrigins, nginxCors.CorsAllowOrigin)
+	}
+}
+
 func TestIngressCorsConfigAllowOriginWithNonHttpProtocol(t *testing.T) {
 	ing := buildIngress()
 

internal/ingress/annotations/proxy/main.go

@@ -31,6 +31,7 @@ const (
 	proxyReadTimeoutAnnotation         = "proxy-read-timeout"
 	proxyBuffersNumberAnnotation       = "proxy-buffers-number"
 	proxyBufferSizeAnnotation          = "proxy-buffer-size"
+	proxyBusyBuffersSizeAnnotation     = "proxy-busy-buffers-size"
 	proxyCookiePathAnnotation          = "proxy-cookie-path"
 	proxyCookieDomainAnnotation        = "proxy-cookie-domain"
 	proxyBodySizeAnnotation            = "proxy-body-size"
@@ -82,6 +83,12 @@ var proxyAnnotations = parser.Annotation{
 			Documentation: `This annotation sets the size of the buffer proxy_buffer_size used for reading the first part of the response received from the proxied server. 
 			By default proxy buffer size is set as "4k".`,
 		},
+		proxyBusyBuffersSizeAnnotation: {
+			Validator:     parser.ValidateRegex(parser.SizeRegex, true),
+			Scope:         parser.AnnotationScopeLocation,
+			Risk:          parser.AnnotationRiskLow,
+			Documentation: `This annotation limits the total size of buffers that can be busy sending a response to the client while the response is not yet fully read. By default proxy busy buffers size is set as "8k".`,
+		},
 		proxyCookiePathAnnotation: {
 			Validator:     parser.ValidateRegex(parser.URLIsValidRegex, true),
 			Scope:         parser.AnnotationScopeLocation,
@@ -167,6 +174,7 @@ type Config struct {
 	ReadTimeout          int    `json:"readTimeout"`
 	BuffersNumber        int    `json:"buffersNumber"`
 	BufferSize           string `json:"bufferSize"`
+	BusyBuffersSize      string `json:"busyBuffersSize"`
 	CookieDomain         string `json:"cookieDomain"`
 	CookiePath           string `json:"cookiePath"`
 	NextUpstream         string `json:"nextUpstream"`
@@ -206,6 +214,9 @@ func (l1 *Config) Equal(l2 *Config) bool {
 	if l1.BufferSize != l2.BufferSize {
 		return false
 	}
+	if l1.BusyBuffersSize != l2.BusyBuffersSize {
+		return false
+	}
 	if l1.CookieDomain != l2.CookieDomain {
 		return false
 	}
@@ -290,6 +301,11 @@ func (a proxy) Parse(ing *networking.Ingress) (interface{}, error) {
 		config.BufferSize = defBackend.ProxyBufferSize
 	}
 
+	config.BusyBuffersSize, err = parser.GetStringAnnotation(proxyBusyBuffersSizeAnnotation, ing, a.annotationConfig.Annotations)
+	if err != nil {
+		config.BusyBuffersSize = defBackend.ProxyBusyBuffersSize
+	}
+
 	config.CookiePath, err = parser.GetStringAnnotation(proxyCookiePathAnnotation, ing, a.annotationConfig.Annotations)
 	if err != nil {
 		config.CookiePath = defBackend.ProxyCookiePath

internal/ingress/annotations/proxy/main_test.go

@@ -88,6 +88,7 @@ func (m mockBackend) GetDefaultBackend() defaults.Backend {
 		ProxyReadTimeout:         20,
 		ProxyBuffersNumber:       4,
 		ProxyBufferSize:          "10k",
+		ProxyBusyBuffersSize:     "15k",
 		ProxyBodySize:            "3k",
 		ProxyNextUpstream:        "error",
 		ProxyNextUpstreamTimeout: 0,
@@ -108,6 +109,7 @@ func TestProxy(t *testing.T) {
 	data[parser.GetAnnotationWithPrefix("proxy-read-timeout")] = "3"
 	data[parser.GetAnnotationWithPrefix("proxy-buffers-number")] = "8"
 	data[parser.GetAnnotationWithPrefix("proxy-buffer-size")] = "1k"
+	data[parser.GetAnnotationWithPrefix("proxy-busy-buffers-size")] = "4k"
 	data[parser.GetAnnotationWithPrefix("proxy-body-size")] = "2k"
 	data[parser.GetAnnotationWithPrefix("proxy-next-upstream")] = off
 	data[parser.GetAnnotationWithPrefix("proxy-next-upstream-timeout")] = "5"
@@ -141,6 +143,9 @@ func TestProxy(t *testing.T) {
 	if p.BufferSize != "1k" {
 		t.Errorf("expected 1k as buffer-size but returned %v", p.BufferSize)
 	}
+	if p.BusyBuffersSize != "4k" {
+		t.Errorf("expected 4k as busy-buffers-size but returned %v", p.BusyBuffersSize)
+	}
 	if p.BodySize != "2k" {
 		t.Errorf("expected 2k as body-size but returned %v", p.BodySize)
 	}
@@ -176,6 +181,7 @@ func TestProxyComplex(t *testing.T) {
 	data[parser.GetAnnotationWithPrefix("proxy-read-timeout")] = "3"
 	data[parser.GetAnnotationWithPrefix("proxy-buffers-number")] = "8"
 	data[parser.GetAnnotationWithPrefix("proxy-buffer-size")] = "1k"
+	data[parser.GetAnnotationWithPrefix("proxy-busy-buffers-size")] = "4k"
 	data[parser.GetAnnotationWithPrefix("proxy-body-size")] = "2k"
 	data[parser.GetAnnotationWithPrefix("proxy-next-upstream")] = "error http_502"
 	data[parser.GetAnnotationWithPrefix("proxy-next-upstream-timeout")] = "5"
@@ -209,6 +215,9 @@ func TestProxyComplex(t *testing.T) {
 	if p.BufferSize != "1k" {
 		t.Errorf("expected 1k as buffer-size but returned %v", p.BufferSize)
 	}
+	if p.BusyBuffersSize != "4k" {
+		t.Errorf("expected 4k as buffer-size but returned %v", p.BusyBuffersSize)
+	}
 	if p.BodySize != "2k" {
 		t.Errorf("expected 2k as body-size but returned %v", p.BodySize)
 	}
@@ -264,6 +273,9 @@ func TestProxyWithNoAnnotation(t *testing.T) {
 	if p.BufferSize != "10k" {
 		t.Errorf("expected 10k as buffer-size but returned %v", p.BufferSize)
 	}
+	if p.BusyBuffersSize != "15k" {
+		t.Errorf("expected 15k as buffer-size but returned %v", p.BusyBuffersSize)
+	}
 	if p.BodySize != "3k" {
 		t.Errorf("expected 3k as body-size but returned %v", p.BodySize)
 	}

internal/ingress/annotations/redirect/redirect.go

@@ -38,6 +38,7 @@ type Config struct {
 	URL       string `json:"url"`
 	Code      int    `json:"code"`
 	FromToWWW bool   `json:"fromToWWW"`
+	Relative  bool   `json:"relative"`
 }
 
 const (
@@ -46,6 +47,7 @@ const (
 	temporalRedirectAnnotationCode  = "temporal-redirect-code"
 	permanentRedirectAnnotation     = "permanent-redirect"
 	permanentRedirectAnnotationCode = "permanent-redirect-code"
+	relativeRedirectsAnnotation     = "relative-redirects"
 )
 
 var redirectAnnotations = parser.Annotation{
@@ -83,6 +85,12 @@ var redirectAnnotations = parser.Annotation{
 			Risk:          parser.AnnotationRiskLow, // Low, as it allows just a set of options
 			Documentation: `This annotation allows you to modify the status code used for permanent redirects.`,
 		},
+		relativeRedirectsAnnotation: {
+			Validator:     parser.ValidateBool,
+			Scope:         parser.AnnotationScopeLocation,
+			Risk:          parser.AnnotationRiskLow,
+			Documentation: `If enabled, redirects issued by nginx will be relative. See https://nginx.org/en/docs/http/ngx_http_core_module.html#absolute_redirect`,
+		},
 	},
 }
 
@@ -109,6 +117,11 @@ func (r redirect) Parse(ing *networking.Ingress) (interface{}, error) {
 		return nil, err
 	}
 
+	rr, err := parser.GetBoolAnnotation(relativeRedirectsAnnotation, ing, r.annotationConfig.Annotations)
+	if err != nil && !errors.IsMissingAnnotations(err) {
+		return nil, err
+	}
+
 	tr, err := parser.GetStringAnnotation(temporalRedirectAnnotation, ing, r.annotationConfig.Annotations)
 	if err != nil && !errors.IsMissingAnnotations(err) {
 		return nil, err
@@ -132,6 +145,7 @@ func (r redirect) Parse(ing *networking.Ingress) (interface{}, error) {
 			URL:       tr,
 			Code:      trc,
 			FromToWWW: r3w,
+			Relative:  rr,
 		}, nil
 	}
 
@@ -154,6 +168,13 @@ func (r redirect) Parse(ing *networking.Ingress) (interface{}, error) {
 			URL:       pr,
 			Code:      prc,
 			FromToWWW: r3w,
+			Relative:  rr,
+		}, nil
+	}
+
+	if rr {
+		return &Config{
+			Relative: rr,
 		}, nil
 	}
 
@@ -177,6 +198,9 @@ func (r1 *Config) Equal(r2 *Config) bool {
 	if r1.FromToWWW != r2.FromToWWW {
 		return false
 	}
+	if r1.Relative != r2.Relative {
+		return false
+	}
 	return true
 }
 

internal/ingress/annotations/redirect/redirect_test.go

@@ -193,3 +193,22 @@ func TestIsValidURL(t *testing.T) {
 		t.Errorf("expected nil but got %v", err)
 	}
 }
+
+func TestParseAnnotations(t *testing.T) {
+	ing := new(networking.Ingress)
+
+	data := map[string]string{}
+	data[parser.GetAnnotationWithPrefix(relativeRedirectsAnnotation)] = "true"
+	ing.SetAnnotations(data)
+
+	_, err := NewParser(&resolver.Mock{}).Parse(ing)
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+
+	// test ingress using the annotation without a TLS section
+	_, err = NewParser(&resolver.Mock{}).Parse(ing)
+	if err != nil {
+		t.Errorf("unexpected error parsing ingress with relative-redirects")
+	}
+}

internal/ingress/controller/config/config.go

@@ -549,6 +549,10 @@ type Configuration struct {
 	// https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors
 	DisableProxyInterceptErrors bool `json:"disable-proxy-intercept-errors,omitempty"`
 
+	// Disable absolute redirects and enables relative redirects.
+	// https://nginx.org/en/docs/http/ngx_http_core_module.html#absolute_redirect
+	RelativeRedirects bool `json:"relative-redirects"`
+
 	// Sets the ipv4 addresses on which the server will accept requests.
 	BindAddressIpv4 []string `json:"bind-address-ipv4,omitempty"`
 
@@ -834,6 +838,7 @@ func NewDefault() Configuration {
 		VariablesHashMaxSize:             2048,
 		UseHTTP2:                         true,
 		DisableProxyInterceptErrors:      false,
+		RelativeRedirects:                false,
 		ProxyStreamTimeout:               "600s",
 		ProxyStreamNextUpstream:          true,
 		ProxyStreamNextUpstreamTimeout:   "600s",
@@ -845,6 +850,7 @@ func NewDefault() Configuration {
 			ProxySendTimeout:            60,
 			ProxyBuffersNumber:          4,
 			ProxyBufferSize:             "4k",
+			ProxyBusyBuffersSize:        "8k",
 			ProxyCookieDomain:           "off",
 			ProxyCookiePath:             "off",
 			ProxyNextUpstream:           "error timeout",
@@ -857,6 +863,7 @@ func NewDefault() Configuration {
 			SSLRedirect:                 true,
 			CustomHTTPErrors:            []int{},
 			DisableProxyInterceptErrors: false,
+			RelativeRedirects:           false,
 			DenylistSourceRange:         []string{},
 			WhitelistSourceRange:        []string{},
 			SkipAccessLogURLs:           []string{},

internal/ingress/controller/controller.go

@@ -1255,6 +1255,7 @@ func (n *NGINXController) createServers(data []*ingress.Ingress,
 		ReadTimeout:          bdef.ProxyReadTimeout,
 		BuffersNumber:        bdef.ProxyBuffersNumber,
 		BufferSize:           bdef.ProxyBufferSize,
+		BusyBuffersSize:      bdef.ProxyBusyBuffersSize,
 		CookieDomain:         bdef.ProxyCookieDomain,
 		CookiePath:           bdef.ProxyCookiePath,
 		NextUpstream:         bdef.ProxyNextUpstream,

internal/ingress/controller/store/store.go

@@ -240,6 +240,8 @@ type k8sStore struct {
 	backendConfigMu *sync.RWMutex
 
 	defaultSSLCertificate string
+
+	recorder record.EventRecorder
 }
 
 // New creates a new object store to be used in the ingress controller.
@@ -279,6 +281,7 @@ func New(
 	recorder := eventBroadcaster.NewRecorder(scheme.Scheme, corev1.EventSource{
 		Component: "nginx-ingress-controller",
 	})
+	store.recorder = recorder
 
 	// k8sStore fulfills resolver.Resolver interface
 	store.annotations = annotations.NewAnnotationExtractor(store)
@@ -938,6 +941,9 @@ func (s *k8sStore) syncIngress(ing *networkingv1.Ingress) {
 		klog.Error(err)
 		return
 	}
+	if parsed.Denied != nil {
+		s.recorder.Eventf(ing, corev1.EventTypeWarning, "AnnotationParsingFailed", fmt.Sprintf("Error parsing annotations: %v", *parsed.Denied))
+	}
 	err = s.listers.IngressWithAnnotation.Update(&ingress.Ingress{
 		Ingress:           *copyIng,
 		ParsedAnnotations: parsed,

internal/ingress/controller/template/template.go

@@ -602,17 +602,12 @@ func buildAuthResponseHeaders(proxySetHeader string, headers []string, lua bool)
 	return res
 }
 
-func buildAuthUpstreamLuaHeaders(headers []string) []string {
+func buildAuthUpstreamLuaHeaders(headers []string) string {
-	res := []string{}
-
 	if len(headers) == 0 {
-		return res
+		return ""
 	}
 
-	for i, h := range headers {
+	return strings.Join(headers, ",")
-		res = append(res, fmt.Sprintf("ngx.var.authHeader%d = res.header['%s']", i, h))
-	}
-	return res
 }
 
 func buildAuthProxySetHeaders(headers map[string]string) []string {

internal/ingress/controller/template/template_test.go

@@ -537,10 +537,7 @@ func TestBuildAuthResponseHeaders(t *testing.T) {
 
 func TestBuildAuthResponseLua(t *testing.T) {
 	externalAuthResponseHeaders := []string{"h1", "H-With-Caps-And-Dashes"}
-	expected := []string{
+	expected := "h1,H-With-Caps-And-Dashes"
-		"ngx.var.authHeader0 = res.header['h1']",
-		"ngx.var.authHeader1 = res.header['H-With-Caps-And-Dashes']",
-	}
 
 	headers := buildAuthUpstreamLuaHeaders(externalAuthResponseHeaders)
 

internal/ingress/defaults/main.go

@@ -69,6 +69,11 @@ type Backend struct {
 	// http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size)
 	ProxyBufferSize string `json:"proxy-buffer-size"`
 
+	// Limits the total size of buffers that can be busy sending a response to the client while
+	// the response is not yet fully read.
+	// http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_busy_buffers_size
+	ProxyBusyBuffersSize string `json:"proxy-busy-buffers-size"`
+
 	// Sets a text that should be changed in the path attribute of the “Set-Cookie” header fields of
 	// a proxied server response.
 	// http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_path
@@ -125,6 +130,11 @@ type Backend struct {
 	// Default: false
 	UsePortInRedirects bool `json:"use-port-in-redirects"`
 
+	// Enables or disables relative redirects. By default nginx uses absolute redirects.
+	// http://nginx.org/en/docs/http/ngx_http_core_module.html#absolute_redirect
+	// Default: false
+	RelativeRedirects bool `json:"relative-redirects"`
+
 	// Enable stickiness by client-server mapping based on a NGINX variable, text or a combination of both.
 	// A consistent hashing method will be used which ensures only a few keys would be remapped to different
 	// servers on upstream group changes

rootfs/etc/nginx/lua/nginx/ngx_conf_external_auth.lua

@@ -0,0 +1,30 @@
+local auth_path = ngx.var.auth_path
+local auth_keepalive_share_vars = ngx.var.auth_keepalive_share_vars
+local auth_response_headers = ngx.var.auth_response_headers
+local ngx_re_split = require("ngx.re").split
+local ipairs = ipairs
+local ngx_log = ngx.log
+local ngx_ERR = ngx.ERR
+
+local res = ngx.location.capture(auth_path, {
+    method = ngx.HTTP_GET, body = '',
+    share_all_vars = auth_keepalive_share_vars })
+
+if res.status == ngx.HTTP_OK then
+    local header_parts, err = ngx_re_split(auth_response_headers, ",")
+    if err then
+       ngx_log(ngx_ERR, err)
+       return
+    end
+    ngx.var.auth_cookie = res.header['Set-Cookie']
+    for i, header_name in ipairs(header_parts) do
+        local varname = "authHeader" .. tostring(i)
+        ngx.var[varname] = res.header[header_name]
+    end
+    return
+end
+
+if res.status == ngx.HTTP_UNAUTHORIZED or res.status == ngx.HTTP_FORBIDDEN then
+    ngx.exit(res.status)
+end
+ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)

rootfs/etc/nginx/template/nginx.tmpl

@@ -459,6 +459,10 @@ http {
     proxy_intercept_errors on;
     {{ end }}
 
+    {{ if $cfg.RelativeRedirects }}
+    absolute_redirect off;
+    {{ end }}
+
     {{ range $errCode := $cfg.CustomHTTPErrors }}
     error_page {{ $errCode }} = @custom_upstream-default-backend_{{ $errCode }};{{ end }}
 
@@ -1037,6 +1041,7 @@ stream {
             {{ end }}
             proxy_buffer_size                       {{ $location.Proxy.BufferSize }};
             proxy_buffers                           {{ $location.Proxy.BuffersNumber }} {{ $location.Proxy.BufferSize }};
+            proxy_busy_buffers_size                 {{ $location.Proxy.BusyBuffersSize }};
             proxy_request_buffering                 {{ $location.Proxy.RequestBuffering }};
 
             proxy_ssl_server_name       on;
@@ -1185,20 +1190,10 @@ stream {
             {{- end }}
             # `auth_request` module does not support HTTP keepalives in upstream block:
             # https://trac.nginx.org/nginx/ticket/1579
-            access_by_lua_block {
+            set $auth_path '{{ $authPath }}';
-                local res = ngx.location.capture('{{ $authPath }}', { method = ngx.HTTP_GET, body = '', share_all_vars = {{ $externalAuth.KeepaliveShareVars }} })
+            set $auth_keepalive_share_vars {{ $externalAuth.KeepaliveShareVars }};
-                if res.status == ngx.HTTP_OK then
+            set $auth_response_headers '{{ buildAuthUpstreamLuaHeaders $externalAuth.ResponseHeaders }}';
-                    ngx.var.auth_cookie = res.header['Set-Cookie']
+            access_by_lua_file /etc/nginx/lua/nginx/ngx_conf_external_auth.lua;
-                    {{- range $line := buildAuthUpstreamLuaHeaders $externalAuth.ResponseHeaders }}
-                    {{ $line }}
-                    {{- end }}
-                    return
-                end
-                if res.status == ngx.HTTP_UNAUTHORIZED or res.status == ngx.HTTP_FORBIDDEN then
-                    ngx.exit(res.status)
-                end
-                ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
-            }
             {{ else }}
             auth_request        {{ $authPath }};
             auth_request_set    $auth_cookie $upstream_http_set_cookie;
@@ -1302,6 +1297,7 @@ stream {
             proxy_buffering                         {{ $location.Proxy.ProxyBuffering }};
             proxy_buffer_size                       {{ $location.Proxy.BufferSize }};
             proxy_buffers                           {{ $location.Proxy.BuffersNumber }} {{ $location.Proxy.BufferSize }};
+            proxy_busy_buffers_size                 {{ $location.Proxy.BusyBuffersSize }};
             {{ if isValidByteSize $location.Proxy.ProxyMaxTempFileSize true }}
             proxy_max_temp_file_size                {{ $location.Proxy.ProxyMaxTempFileSize }};
             {{ end }}
@@ -1353,6 +1349,10 @@ stream {
             satisfy {{ $location.Satisfy }};
             {{ end }}
 
+            {{ if $location.Redirect.Relative }}
+            absolute_redirect off;
+            {{ end }}
+
             {{/* if a location-specific error override is set, add the proxy_intercept here */}}
             {{ if and $location.CustomHTTPErrors (not $location.DisableProxyInterceptErrors) }}
             # Custom error pages per ingress

test/e2e-image/Makefile

@@ -1,6 +1,6 @@
 
 DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
-E2E_BASE_IMAGE ?= "registry.k8s.io/ingress-nginx/e2e-test-runner:v20250112-01b7af21@sha256:f77bb4625985462fe1a2bc846c430d668113abc90e5e5de6b4533403f56a048c"
+E2E_BASE_IMAGE ?= "registry.k8s.io/ingress-nginx/e2e-test-runner:v20250112-a188f4eb@sha256:043038b1e30e5a0b64f3f919f096c5c9488ac3f617ac094b07fb9db8215f9441"
 
 image:
 	echo "..entered Makefile in /test/e2e-image"

test/e2e/annotations/auth.go

@@ -653,7 +653,7 @@ http {
 				func(server string) bool {
 					return strings.Contains(server, `upstream auth-external-auth`) &&
 						strings.Contains(server, `keepalive 10;`) &&
-						strings.Contains(server, `share_all_vars = false`)
+						strings.Contains(server, `set $auth_keepalive_share_vars false;`)
 				})
 		})
 
@@ -673,7 +673,7 @@ http {
 				func(server string) bool {
 					return strings.Contains(server, `upstream auth-external-auth`) &&
 						strings.Contains(server, `keepalive 10;`) &&
-						strings.Contains(server, `share_all_vars = true`)
+						strings.Contains(server, `set $auth_keepalive_share_vars true;`)
 				})
 		})
 	})

test/e2e/annotations/proxy.go

@@ -160,11 +160,13 @@ var _ = framework.DescribeAnnotation("proxy-*", func() {
 		proxyBuffering := "on"
 		proxyBuffersNumber := "8"
 		proxyBufferSize := "8k"
+		proxyBusyBuffersSize := "16k"
 
 		annotations := make(map[string]string)
 		annotations["nginx.ingress.kubernetes.io/proxy-buffering"] = proxyBuffering
 		annotations["nginx.ingress.kubernetes.io/proxy-buffers-number"] = proxyBuffersNumber
 		annotations["nginx.ingress.kubernetes.io/proxy-buffer-size"] = proxyBufferSize
+		annotations["nginx.ingress.kubernetes.io/proxy-busy-buffers-size"] = proxyBusyBuffersSize
 
 		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
 		f.EnsureIngress(ing)
@@ -174,6 +176,7 @@ var _ = framework.DescribeAnnotation("proxy-*", func() {
 				return strings.Contains(server, fmt.Sprintf("proxy_buffering %s;", proxyBuffering)) &&
 					strings.Contains(server, fmt.Sprintf("proxy_buffer_size %s;", proxyBufferSize)) &&
 					strings.Contains(server, fmt.Sprintf("proxy_buffers %s %s;", proxyBuffersNumber, proxyBufferSize)) &&
+					strings.Contains(server, fmt.Sprintf("proxy_busy_buffers_size %s;", proxyBusyBuffersSize)) &&
 					strings.Contains(server, fmt.Sprintf("proxy_request_buffering %s;", proxyBuffering))
 			})
 	})

test/e2e/annotations/relativeredirects.go

@@ -0,0 +1,107 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package annotations
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/onsi/ginkgo/v2"
+	"github.com/stretchr/testify/assert"
+	"k8s.io/ingress-nginx/test/e2e/framework"
+)
+
+const (
+	relativeRedirectsHostname            = "rr.foo.com"
+	relativeRedirectsRedirectPath        = "/something"
+	relativeRedirectsRelativeRedirectURL = "/new-location"
+)
+
+var _ = framework.DescribeAnnotation("relative-redirects", func() {
+	f := framework.NewDefaultFramework("relative-redirects")
+
+	ginkgo.BeforeEach(func() {
+		f.NewHttpbunDeployment()
+		f.NewEchoDeployment()
+	})
+
+	ginkgo.It("configures Nginx correctly", func() {
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/relative-redirects": "true",
+		}
+
+		ing := framework.NewSingleIngress(relativeRedirectsHostname, "/", relativeRedirectsHostname, f.Namespace, framework.HTTPBunService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		var serverConfig string
+		f.WaitForNginxServer(relativeRedirectsHostname, func(srvCfg string) bool {
+			serverConfig = srvCfg
+			return strings.Contains(serverConfig, fmt.Sprintf("server_name %s", relativeRedirectsHostname))
+		})
+
+		ginkgo.By("turning off absolute_redirect directive")
+		assert.Contains(ginkgo.GinkgoT(), serverConfig, "absolute_redirect off;")
+	})
+
+	ginkgo.It("should respond with absolute URL in Location", func() {
+		absoluteRedirectURL := fmt.Sprintf("http://%s%s", relativeRedirectsHostname, relativeRedirectsRelativeRedirectURL)
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/permanent-redirect": relativeRedirectsRelativeRedirectURL,
+			"nginx.ingress.kubernetes.io/relative-redirects": "false",
+		}
+
+		ginkgo.By("setup ingress")
+		ing := framework.NewSingleIngress(relativeRedirectsHostname, relativeRedirectsRedirectPath, relativeRedirectsHostname, f.Namespace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(relativeRedirectsHostname, func(srvCfg string) bool {
+			return strings.Contains(srvCfg, fmt.Sprintf("server_name %s", relativeRedirectsHostname))
+		})
+
+		ginkgo.By("sending request to redirected URL path")
+		f.HTTPTestClient().
+			GET(relativeRedirectsRedirectPath).
+			WithHeader("Host", relativeRedirectsHostname).
+			Expect().
+			Status(http.StatusMovedPermanently).
+			Header("Location").Equal(absoluteRedirectURL)
+	})
+
+	ginkgo.It("should respond with relative URL in Location", func() {
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/permanent-redirect": relativeRedirectsRelativeRedirectURL,
+			"nginx.ingress.kubernetes.io/relative-redirects": "true",
+		}
+
+		ginkgo.By("setup ingress")
+		ing := framework.NewSingleIngress(relativeRedirectsHostname, relativeRedirectsRedirectPath, relativeRedirectsHostname, f.Namespace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(relativeRedirectsHostname, func(srvCfg string) bool {
+			return strings.Contains(srvCfg, fmt.Sprintf("server_name %s", relativeRedirectsHostname))
+		})
+
+		ginkgo.By("sending request to redirected URL path")
+		f.HTTPTestClient().
+			GET(relativeRedirectsRedirectPath).
+			WithHeader("Host", relativeRedirectsHostname).
+			Expect().
+			Status(http.StatusMovedPermanently).
+			Header("Location").Equal(relativeRedirectsRelativeRedirectURL)
+	})
+})

test/e2e/run-chart-test.sh

@@ -114,5 +114,5 @@ docker run \
   --workdir /workdir \
   --entrypoint ct \
   --rm \
-  registry.k8s.io/ingress-nginx/e2e-test-runner:v20250112-01b7af21@sha256:f77bb4625985462fe1a2bc846c430d668113abc90e5e5de6b4533403f56a048c \
+  registry.k8s.io/ingress-nginx/e2e-test-runner:v20250112-a188f4eb@sha256:043038b1e30e5a0b64f3f919f096c5c9488ac3f617ac094b07fb9db8215f9441 \
     install --charts charts/ingress-nginx