DevFW-CICD/ingress-nginx-helm
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Ingress NGINX Controller for Kubernetes
6297 commits 4 branches 217 tags 166 MiB
Go 87.4%
Lua 7.5%
Shell 2.9%
Dockerfile 0.7%
Makefile 0.6%
Other 0.9%
Find a file
Thibault Jamet 1e66a54974
Add a certificate info metric (#8253) 
When the ingress controller loads certificates  (new ones or following a
secret update), it performs a series of check to ensure its validity.

In our systems, we detected a case where, when the secret object is
compromised, for example when the certificate does not match the secret
key, different pods of the ingress controller are serving a different
version of the certificate.

This behaviour is due to the cache mechanism of the ingress controller,
keeping the last known certificate in case of corruption. When this
happens, old ingress-controller pods will keep serving the old one,
while new pods, by failing to load the corrupted certificates, would
use the default certificate, causing invalid certificates for its
clients.

This generates a random error on the client side, depending on the
actual pod instance it reaches.

In order to allow detecting occurences of those situations, add a metric
to expose, for all ingress controlller pods, detailed informations of
the currently loaded certificate.

This will, for example, allow setting an alert when there is a
certificate discrepency across all ingress controller pods using a query
similar to `sum(nginx_ingress_controller_ssl_certificate_info{host="name.tld"})by(serial_number)`

This also allows to catch other exceptions loading certificates (failing
to load the certificate from the k8s API, ...

Co-authored-by: Daniel Ricart <danielricart@users.noreply.github.com>

Co-authored-by: Daniel Ricart <danielricart@users.noreply.github.com>
2022-02-24 07:08:32 -08:00
.github chore: add Artifact Hub lint (#8204) 2022-01-28 06:16:31 -08:00
build Update go in runner and release v1.1.1 (#8120) 2022-01-09 20:37:11 -08:00
charts/ingress-nginx Minor fix for missing pathType property (#8244) 2022-02-20 13:14:11 -08:00
cmd 8217 fix removed extra v (#8218) 2022-02-06 12:10:52 -08:00
deploy Versioned static manifests (#8162) 2022-02-13 10:47:47 -08:00
docs Updated confusing error (#8262) 2022-02-21 11:52:01 -08:00
hack Versioned static manifests (#8162) 2022-02-13 10:47:47 -08:00
images Update libraries in webhook image (#8227) 2022-02-06 12:42:51 -08:00
internal Add a certificate info metric (#8253) 2022-02-24 07:08:32 -08:00
rootfs Adding some geoip variables and default values (#8159) 2022-02-07 09:53:44 -08:00
test Do not validate ingresses with unknown ingress class in admission webhook endpoint. (#8221) 2022-02-06 12:28:51 -08:00
version Refactor version helper (#4437) 2019-08-13 13:46:16 -04:00
.codecov.yml Migrate to codecov.io (#2120) 2018-02-20 08:27:02 -08:00
.gitignore Update go version, modules and remove ioutil 2021-08-06 14:15:21 -03:00
.luacheckrc Enable lj-releng tool to lint lua code. 2020-06-09 18:01:35 +08:00
Changelog.md changes for release v1.1.1 (#8125) 2022-01-12 08:48:37 -08:00
cloudbuild.yaml images: use k8s-staging-test-infra/gcb-docker-gcloud (#7999) 2021-12-12 05:19:59 -08:00
code-of-conduct.md Update code-of-conduct.md (#1842) 2017-12-20 15:34:27 -03:00
CONTRIBUTING.md Fix spelling in documentation and top-level files (#8009) 2021-12-06 05:46:33 -08:00
go.mod Bump google.golang.org/grpc from 1.43.0 to 1.44.0 (#8209) 2022-02-06 12:22:52 -08:00
go.sum Bump google.golang.org/grpc from 1.43.0 to 1.44.0 (#8209) 2022-02-06 12:22:52 -08:00
ISSUE_TRIAGE.md Fix typos in ISSUE_TRIAGE.md (#7863) 2021-11-04 04:52:03 -07:00
LICENSE Initial commit 2016-11-04 23:54:14 +01:00
Makefile Using Go install for misspell (#8191) 2022-01-26 18:52:50 -08:00
mkdocs.yml set edit_uri value with main branch (#8088) 2021-12-29 09:21:36 -08:00
OWNERS Comment busy owners (#8035) 2021-12-15 11:38:27 -03:00
OWNERS_ALIASES Comment busy owners (#8035) 2021-12-15 11:38:27 -03:00
README.md remove 0.46.0 from supported versions table (#8258) 2022-02-19 15:12:12 -08:00
RELEASE.md Static manifest generation uses kustomize instead of python (#8099) 2022-01-17 15:28:56 -08:00
SECURITY.md Add SECURITY.md 2020-07-27 16:01:17 -06:00
SECURITY_CONTACTS Add security contacts (#7642) 2021-09-15 12:24:12 -07:00
stable.txt Release updates for v1.1.0 (#7964) 2021-11-23 15:07:46 -08:00
TAG Update go in runner and release v1.1.1 (#8120) 2022-01-09 20:37:11 -08:00

README.md

Ingress NGINX Controller

Go Report Card GitHub license GitHub stars GitHub stars FOSSA Status

Overview

ingress-nginx is an Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer.

Learn more about Ingress on the main Kubernetes documentation site.

Get started

See the Getting Started document.

Troubleshooting

If you encounter issues, review the troubleshooting docs, file an issue, or talk to us on the #ingress-nginx channel on the Kubernetes Slack server.

Changelog

See the list of releases to find out about feature changes. For detailed changes for each release; please check the Changelog.md file. For detailed changes on the ingress-nginx helm chart, please check the following CHANGELOG.md file.

Support Versions table

Ingress-NGINX version k8s supported version Alpine Version Nginx Version
v1.1.1 1.23, 1.22, 1.21, 1.20, 1.19 3.14.2 1.19.9†
v1.1.0 1.22, 1.21, 1.20, 1.19 3.14.2 1.19.9†
v1.0.5 1.22, 1.21, 1.20, 1.19 3.14.2 1.19.9†
v1.0.4 1.22, 1.21, 1.20, 1.19 3.14.2 1.19.9†
v1.0.3 1.22, 1.21, 1.20, 1.19 3.14.2 1.19.9†
v1.0.2 1.22, 1.21, 1.20, 1.19 3.14.2 1.19.9†
v1.0.1 1.22, 1.21, 1.20, 1.19 3.14.2 1.19.9†
v1.0.0 1.22, 1.21, 1.20, 1.19 3.13.5 1.20.1
v0.50.0 1.21, 1.20, 1.19 3.14.2 1.19.9†
v0.49.3 1.21, 1.20, 1.19 3.14.2 1.19.9†
v0.49.2 1.21, 1.20, 1.19 3.14.2 1.19.9†
v0.49.1 1.21, 1.20, 1.19 3.14.2 1.19.9†
v0.49.0 1.21, 1.20, 1.19 3.13.5 1.20.1
v0.48.1 1.21, 1.20, 1.19 3.13.5 1.20.1
v0.47.0 1.21, 1.20, 1.19 3.13.5 1.20.1

This build is patched against CVE-2021-23017.

See this article if you want upgrade to the stable Ingress API.

Get Involved

Thanks for taking the time to join our community and start contributing!

  • This project adheres to the Kubernetes Community Code of Conduct. By participating in this project, you agree to abide by its terms.

  • Contributing: Contributions of all kind are welcome!

    • Read CONTRIBUTING.md for information about setting up your environment, the workflow that we expect, and instructions on the developer certificate of origin that we require.

    • Join our Kubernetes Slack channel for developer discussion : #ingress-nginx-dev.

    • Submit github issues for any feature enhancements, bugs or documentation problems. Please make sure to read the Issue Reporting Checklist before opening an issue. Issues not conforming to the guidelines may be closed immediately.

  • Support: Join the the #ingress-nginx-users channel inside the Kubernetes Slack to ask questions or get support from the maintainers and other users.

    • The github issues in the repository are exclusively for bug reports and feature requests.

  • Discuss: Tweet using the #IngressNginx hashtag.

License

Apache License 2.0