From 540cd669f097f1da2c9a9db40b8e8ee3f3d7845d Mon Sep 17 00:00:00 2001 
From: Ayoub Nasr Date: Tue, 28 Jan 2025 17:06:26 +0100 Subject: [PATCH] Bump nginx-operator nginx-ingress chart to 1.12.0 --- buildchain/buildchain/versions.py | 6 +- .../nginx-operator/bundles/v4.12.0.yaml | 563 ++++++++++++++++++ .../nginx-operator/channels/stable.yaml | 2 + nginx-operator/BUMPING.md | 2 +- nginx-operator/Makefile | 2 +- nginx-operator/bundle.Dockerfile | 2 +- .../nginx-operator.clusterserviceversion.yaml | 10 +- .../bundle/metadata/annotations.yaml | 2 +- .../config/manager/kustomization.yaml | 2 +- .../helm-charts/ingress-nginx/Chart.yaml | 9 +- .../helm-charts/ingress-nginx/OWNERS | 6 - .../helm-charts/ingress-nginx/README.md | 71 ++- .../ingress-nginx/README.md.gotmpl | 18 + ...m-chart-4.11.3.md => helm-chart-4.10.3.md} | 6 +- .../changelog/helm-chart-4.10.4.md | 9 + .../changelog/helm-chart-4.12.0-beta.0.md | 9 + .../changelog/helm-chart-4.12.0.md | 10 + ...roller-daemonset-extra-modules-values.yaml | 30 - ...roller-daemonset-opentelemetry-values.yaml | 13 - ...oller-deployment-extra-modules-values.yaml | 30 - ...oller-deployment-opentelemetry-values.yaml | 13 - .../ci/deamonset-psp-values.yaml | 13 - .../ci/deamonset-webhook-and-psp-values.yaml | 13 - .../ci/deployment-psp-values.yaml | 10 - .../ci/deployment-webhook-and-psp-values.yaml | 12 - .../ingress-nginx/templates/_helpers.tpl | 13 +- .../ingress-nginx/templates/_params.tpl | 6 +- .../job-patch/clusterrole.yaml | 10 - .../job-patch/job-createSecret.yaml | 2 +- .../job-patch/job-patchWebhook.yaml | 2 +- .../admission-webhooks/job-patch/psp.yaml | 52 -- .../templates/controller-configmap.yaml | 4 +- .../templates/controller-daemonset.yaml | 20 +- .../templates/controller-deployment.yaml | 23 +- .../controller-poddisruptionbudget.yaml | 3 + .../templates/controller-prometheusrule.yaml | 3 + .../templates/controller-psp.yaml | 100 ---- .../templates/controller-role.yaml | 10 - .../templates/controller-service-metrics.yaml | 2 +- .../templates/controller-servicemonitor.yaml | 53 +- 
.../templates/default-backend-deployment.yaml | 2 +- .../default-backend-poddisruptionbudget.yaml | 7 + .../templates/default-backend-psp.yaml | 50 -- .../templates/default-backend-role.yaml | 22 - .../default-backend-rolebinding.yaml | 21 - .../job-patch/serviceaccount_test.yaml | 2 +- .../validating-webhook_test.yaml | 2 +- .../tests/controller-daemonset_test.yaml | 32 +- .../tests/controller-deployment_test.yaml | 38 +- .../controller-poddisruptionbudget_test.yaml | 13 + .../tests/controller-prometheusrule_test.yaml | 12 + .../controller-service-metrics_test.yaml | 22 +- .../tests/controller-serviceaccount_test.yaml | 47 ++ .../default-backend-deployment_test.yaml | 20 + ...ault-backend-poddisruptionbudget_test.yaml | 31 + .../default-backend-serviceaccount_test.yaml | 51 ++ .../helm-charts/ingress-nginx/values.yaml | 95 +-- .../files/ingress-nginx-performance.json | 98 --- .../deployed/clusterextension.sls | 2 +- 59 files changed, 1039 insertions(+), 694 deletions(-) create mode 100644 catalog-source/catalog/nginx-operator/bundles/v4.12.0.yaml rename nginx-operator/helm-charts/ingress-nginx/changelog/{helm-chart-4.11.3.md => helm-chart-4.10.3.md} (71%) create mode 100644 nginx-operator/helm-charts/ingress-nginx/changelog/helm-chart-4.10.4.md create mode 100644 nginx-operator/helm-charts/ingress-nginx/changelog/helm-chart-4.12.0-beta.0.md create mode 100644 nginx-operator/helm-charts/ingress-nginx/changelog/helm-chart-4.12.0.md delete mode 100644 nginx-operator/helm-charts/ingress-nginx/ci/controller-daemonset-extra-modules-values.yaml delete mode 100644 nginx-operator/helm-charts/ingress-nginx/ci/controller-daemonset-opentelemetry-values.yaml delete mode 100644 nginx-operator/helm-charts/ingress-nginx/ci/controller-deployment-extra-modules-values.yaml delete mode 100644 nginx-operator/helm-charts/ingress-nginx/ci/controller-deployment-opentelemetry-values.yaml delete mode 100644 nginx-operator/helm-charts/ingress-nginx/ci/deamonset-psp-values.yaml delete mode 
100644 nginx-operator/helm-charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml delete mode 100644 nginx-operator/helm-charts/ingress-nginx/ci/deployment-psp-values.yaml delete mode 100644 nginx-operator/helm-charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml delete mode 100644 nginx-operator/helm-charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml delete mode 100644 nginx-operator/helm-charts/ingress-nginx/templates/controller-psp.yaml delete mode 100644 nginx-operator/helm-charts/ingress-nginx/templates/default-backend-psp.yaml delete mode 100644 nginx-operator/helm-charts/ingress-nginx/templates/default-backend-role.yaml delete mode 100644 nginx-operator/helm-charts/ingress-nginx/templates/default-backend-rolebinding.yaml create mode 100644 nginx-operator/helm-charts/ingress-nginx/tests/controller-serviceaccount_test.yaml create mode 100644 nginx-operator/helm-charts/ingress-nginx/tests/default-backend-serviceaccount_test.yaml diff --git a/buildchain/buildchain/versions.py b/buildchain/buildchain/versions.py index c4804f1ea1..86fe15901a 100644 --- a/buildchain/buildchain/versions.py +++ b/buildchain/buildchain/versions.py @@ -28,7 +28,7 @@ CALICO_VERSION: str = "3.29.0" SALT_VERSION: str = "3002.9" CONTAINERD_VERSION: str = "1.6.36" -NGINX_OPERATOR_VERSION: str = "4.11.3" +NGINX_OPERATOR_VERSION: str = "4.12.0" CONTAINERD_RELEASE: str = "1" SOSREPORT_RELEASE: str = "2" @@ -190,8 +190,8 @@ def _version_prefix(version: str, prefix: str = "v") -> str: ), Image( name="nginx-ingress-controller", - version="v1.11.3", - digest="sha256:d56f135b6462cfc476447cfe564b83a45e8bb7da2774963b00d12161112270b7", + version="v1.12.0", + digest="sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa", ), Image( name="node-exporter", diff --git a/catalog-source/catalog/nginx-operator/bundles/v4.12.0.yaml b/catalog-source/catalog/nginx-operator/bundles/v4.12.0.yaml new file mode 100644 index 0000000000..bcf33dd171 --- /dev/null 
+++ b/catalog-source/catalog/nginx-operator/bundles/v4.12.0.yaml 
@@ -0,0 +1,563 @@ +--- +image: registry.metalk8s.lan/nginx-operator-bundle:v4.12.0 +name: nginx-operator.v4.12.0 +package: nginx-operator +properties: +- type: olm.gvk + value: + group: metalk8s.scality.com + kind: IngressNginx + version: v1alpha1 +- type: olm.package + value: + packageName: nginx-operator + version: 4.12.0 +- type: olm.csv.metadata + value: + annotations: + alm-examples: |- + [ + { + "apiVersion": "metalk8s.scality.com/v1alpha1", + "kind": "IngressNginx", + "metadata": { + "name": "ingressnginx-sample" + }, + "spec": { + "commonLabels": {}, + "controller": { + "addHeaders": {}, + "admissionWebhooks": { + "annotations": {}, + "certManager": { + "admissionCert": { + "duration": "" + }, + "enabled": false, + "rootCert": { + "duration": "" + } + }, + "certificate": "/usr/local/certificates/cert", + "createSecretJob": { + "name": "create", + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true, + "runAsNonRoot": true, + "runAsUser": 65532, + "seccompProfile": { + "type": "RuntimeDefault" + } + } + }, + "enabled": true, + "existingPsp": "", + "extraEnvs": [], + "failurePolicy": "Fail", + "key": "/usr/local/certificates/key", + "labels": {}, + "name": "admission", + "namespaceSelector": {}, + "objectSelector": {}, + "patch": { + "enabled": true, + "image": { + "digest": "sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f", + "image": "ingress-nginx/kube-webhook-certgen", + "pullPolicy": "IfNotPresent", + "registry": "registry.k8s.io", + "tag": "v1.4.4" + }, + "labels": {}, + "networkPolicy": { + "enabled": false + }, + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "podAnnotations": {}, + "priorityClassName": "", + "rbac": { + "create": true + }, + "securityContext": {}, + "serviceAccount": { + "automountServiceAccountToken": true, + "create": true, + "name": "" + }, + "tolerations": [] + }, + "patchWebhookJob": { + 
"name": "patch", + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true, + "runAsNonRoot": true, + "runAsUser": 65532, + "seccompProfile": { + "type": "RuntimeDefault" + } + } + }, + "port": 8443, + "service": { + "annotations": {}, + "externalIPs": [], + "loadBalancerSourceRanges": [], + "servicePort": 443, + "type": "ClusterIP" + } + }, + "affinity": {}, + "allowSnippetAnnotations": false, + "annotations": {}, + "autoscaling": { + "annotations": {}, + "behavior": {}, + "enabled": false, + "maxReplicas": 11, + "minReplicas": 1, + "targetCPUUtilizationPercentage": 50, + "targetMemoryUtilizationPercentage": 50 + }, + "autoscalingTemplate": [], + "config": {}, + "configAnnotations": {}, + "configMapNamespace": "", + "containerName": "controller", + "containerPort": { + "http": 80, + "https": 443 + }, + "containerSecurityContext": {}, + "customTemplate": { + "configMapKey": "", + "configMapName": "" + }, + "disableLeaderElection": false, + "dnsConfig": {}, + "dnsPolicy": "ClusterFirst", + "electionID": "", + "electionTTL": "", + "enableAnnotationValidations": false, + "enableMimalloc": true, + "enableTopologyAwareRouting": false, + "existingPsp": "", + "extraArgs": {}, + "extraContainers": [], + "extraEnvs": [], + "extraInitContainers": [], + "extraModules": [], + "extraVolumeMounts": [], + "extraVolumes": [], + "healthCheckHost": "", + "healthCheckPath": "/healthz", + "hostAliases": [], + "hostNetwork": false, + "hostPort": { + "enabled": false, + "ports": { + "http": 80, + "https": 443 + } + }, + "hostname": {}, + "image": { + "allowPrivilegeEscalation": false, + "chroot": false, + "digest": "sha256:d56f135b6462cfc476447cfe564b83a45e8bb7da2774963b00d12161112270b7", + "digestChroot": "sha256:22701f0fc0f2dd209ef782f4e281bfe2d8cccd50ededa00aec88e0cdbe7edd14", + "image": "ingress-nginx/controller", + "pullPolicy": "IfNotPresent", + "readOnlyRootFilesystem": false, + 
"registry": "registry.k8s.io", + "runAsNonRoot": true, + "runAsUser": 101, + "seccompProfile": { + "type": "RuntimeDefault" + }, + "tag": "v1.11.3" + }, + "ingressClass": "nginx", + "ingressClassByName": false, + "ingressClassResource": { + "aliases": [], + "annotations": {}, + "controllerValue": "k8s.io/ingress-nginx", + "default": false, + "enabled": true, + "name": "nginx", + "parameters": {} + }, + "keda": { + "apiVersion": "keda.sh/v1alpha1", + "behavior": {}, + "cooldownPeriod": 300, + "enabled": false, + "maxReplicas": 11, + "minReplicas": 1, + "pollingInterval": 30, + "restoreToOriginalReplicaCount": false, + "scaledObject": { + "annotations": {} + }, + "triggers": [] + }, + "kind": "Deployment", + "labels": {}, + "lifecycle": { + "preStop": { + "exec": { + "command": [ + "/wait-shutdown" + ] + } + } + }, + "livenessProbe": { + "failureThreshold": 5, + "httpGet": { + "path": "/healthz", + "port": 10254, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "maxmindLicenseKey": "", + "metrics": { + "enabled": false, + "port": 10254, + "portName": "metrics", + "prometheusRule": { + "additionalLabels": {}, + "enabled": false, + "rules": [] + }, + "service": { + "annotations": {}, + "externalIPs": [], + "labels": {}, + "loadBalancerSourceRanges": [], + "servicePort": 10254, + "type": "ClusterIP" + }, + "serviceMonitor": { + "additionalLabels": {}, + "annotations": {}, + "enabled": false, + "metricRelabelings": [], + "namespace": "", + "namespaceSelector": {}, + "relabelings": [], + "scrapeInterval": "30s", + "targetLabels": [] + } + }, + "minAvailable": 1, + "minReadySeconds": 0, + "name": "controller", + "networkPolicy": { + "enabled": false + }, + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "opentelemetry": { + "containerSecurityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true, + 
"runAsNonRoot": true, + "runAsUser": 65532, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "enabled": false, + "image": { + "digest": "sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922", + "distroless": true, + "image": "ingress-nginx/opentelemetry-1.25.3", + "registry": "registry.k8s.io", + "tag": "v20240813-b933310d" + }, + "name": "opentelemetry", + "resources": {} + }, + "podAnnotations": {}, + "podLabels": {}, + "podSecurityContext": {}, + "priorityClassName": "", + "proxySetHeaders": {}, + "publishService": { + "enabled": true, + "pathOverride": "" + }, + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/healthz", + "port": 10254, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "replicaCount": 1, + "reportNodeInternalIp": false, + "resources": { + "requests": { + "cpu": "100m", + "memory": "90Mi" + } + }, + "scope": { + "enabled": false, + "namespace": "", + "namespaceSelector": "" + }, + "service": { + "annotations": {}, + "appProtocol": true, + "clusterIP": "", + "enableHttp": true, + "enableHttps": true, + "enabled": true, + "external": { + "enabled": true + }, + "externalIPs": [], + "externalTrafficPolicy": "", + "internal": { + "annotations": {}, + "appProtocol": true, + "clusterIP": "", + "enabled": false, + "externalIPs": [], + "externalTrafficPolicy": "", + "ipFamilies": [ + "IPv4" + ], + "ipFamilyPolicy": "SingleStack", + "loadBalancerClass": "", + "loadBalancerIP": "", + "loadBalancerSourceRanges": [], + "nodePorts": { + "http": "", + "https": "", + "tcp": {}, + "udp": {} + }, + "ports": {}, + "sessionAffinity": "", + "targetPorts": {}, + "type": "" + }, + "ipFamilies": [ + "IPv4" + ], + "ipFamilyPolicy": "SingleStack", + "labels": {}, + "loadBalancerClass": "", + "loadBalancerIP": "", + "loadBalancerSourceRanges": [], + "nodePorts": { + "http": "", + "https": "", + "tcp": {}, + "udp": {} + }, + "ports": { + 
"http": 80, + "https": 443 + }, + "sessionAffinity": "", + "targetPorts": { + "http": "http", + "https": "https" + }, + "type": "LoadBalancer" + }, + "shareProcessNamespace": false, + "sysctls": {}, + "tcp": { + "annotations": {}, + "configMapNamespace": "" + }, + "terminationGracePeriodSeconds": 300, + "tolerations": [], + "topologySpreadConstraints": [], + "udp": { + "annotations": {}, + "configMapNamespace": "" + }, + "updateStrategy": {}, + "watchIngressWithoutClass": false + }, + "defaultBackend": { + "affinity": {}, + "autoscaling": { + "annotations": {}, + "enabled": false, + "maxReplicas": 2, + "minReplicas": 1, + "targetCPUUtilizationPercentage": 50, + "targetMemoryUtilizationPercentage": 50 + }, + "containerSecurityContext": {}, + "enabled": false, + "existingPsp": "", + "extraArgs": {}, + "extraConfigMaps": [], + "extraEnvs": [], + "extraVolumeMounts": [], + "extraVolumes": [], + "image": { + "allowPrivilegeEscalation": false, + "image": "defaultbackend-amd64", + "pullPolicy": "IfNotPresent", + "readOnlyRootFilesystem": true, + "registry": "registry.k8s.io", + "runAsNonRoot": true, + "runAsUser": 65534, + "seccompProfile": { + "type": "RuntimeDefault" + }, + "tag": "1.5" + }, + "labels": {}, + "livenessProbe": { + "failureThreshold": 3, + "initialDelaySeconds": 30, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "minAvailable": 1, + "minReadySeconds": 0, + "name": "defaultbackend", + "networkPolicy": { + "enabled": false + }, + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "podAnnotations": {}, + "podLabels": {}, + "podSecurityContext": {}, + "port": 8080, + "priorityClassName": "", + "readinessProbe": { + "failureThreshold": 6, + "initialDelaySeconds": 0, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "replicaCount": 1, + "resources": {}, + "service": { + "annotations": {}, + "externalIPs": [], + "loadBalancerSourceRanges": [], + "servicePort": 80, + "type": "ClusterIP" + }, + 
"serviceAccount": { + "automountServiceAccountToken": true, + "create": true, + "name": "" + }, + "tolerations": [], + "topologySpreadConstraints": [], + "updateStrategy": {} + }, + "dhParam": "", + "imagePullSecrets": [], + "namespaceOverride": "", + "podSecurityPolicy": { + "enabled": false + }, + "portNamePrefix": "", + "rbac": { + "create": true, + "scope": false + }, + "revisionHistoryLimit": 10, + "serviceAccount": { + "annotations": {}, + "automountServiceAccountToken": true, + "create": true, + "name": "" + }, + "tcp": {}, + "udp": {} + } + } + ] + capabilities: Basic Install + createdAt: "2025-01-28T15:52:54Z" + operators.operatorframework.io/builder: operator-sdk-v1.39.1 + operators.operatorframework.io/project_layout: helm.sdk.operatorframework.io/v1 + apiServiceDefinitions: {} + crdDescriptions: + owned: + - kind: IngressNginx + name: ingressnginxes.metalk8s.scality.com + version: v1alpha1 + description: Operator Manages Kubernetes Nginx Controllers + displayName: nginx-operator + installModes: + - supported: false + type: OwnNamespace + - supported: false + type: SingleNamespace + - supported: false + type: MultiNamespace + - supported: true + type: AllNamespaces + keywords: + - operator + - scality + - metalk8s + - nginx + - kubernetes + links: + - name: Nginx Operator + url: https://nginx-operator.domain + maintainers: + - email: ayoub.nasr@scality.com + name: Ayoub Nasr + maturity: alpha + provider: + name: scality + url: scality.com +relatedImages: +- image: registry.metalk8s.lan/nginx-operator-bundle:v4.12.0 + name: "" +- image: registry.metalk8s.lan/nginx-operator:v4.12.0 + name: "" +schema: olm.bundle diff --git a/catalog-source/catalog/nginx-operator/channels/stable.yaml b/catalog-source/catalog/nginx-operator/channels/stable.yaml index 3fbc9d716e..f1e8f691e6 100644 --- a/catalog-source/catalog/nginx-operator/channels/stable.yaml +++ b/catalog-source/catalog/nginx-operator/channels/stable.yaml 
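Review bot: The `alm-examples` sample embedded in this new v4.12.0 bundle still carries 4.11.3-era values: `controller.image.tag` is `"v1.11.3"` with the `sha256:d56f135b…` digest that `versions.py` drops in this same patch, the webhook certgen image is `v1.4.4`, and `controller.enableAnnotationValidations` is `false`, while the chart README updated here documents `v1.12.0`, `v1.5.0` and a default of `true`. If the CR spec is passed to the chart as Helm values, which is how a Helm-based operator normally works, anyone applying the sample as-is would pin the previous controller image and switch annotation validation back off. The sample also still lists `existingPsp` and `podSecurityPolicy`, whose templates this bump deletes. The bundle looks generated, so the fix probably belongs in the sample CR that feeds it (not visible here): regenerate it from the 4.12.0 chart values, or trim it to a minimal spec so the chart defaults apply, with at least `"tag": "v1.12.0"` and `"enableAnnotationValidations": true`.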
@@ -4,3 +4,5 @@ package: nginx-operator name: stable entries: - name: nginx-operator.v4.11.3 + - name: nginx-operator.v4.12.0 + replaces: nginx-operator.v4.11.3 diff --git a/nginx-operator/BUMPING.md b/nginx-operator/BUMPING.md index 079e5fc8b7..55def46341 100644 --- a/nginx-operator/BUMPING.md +++ b/nginx-operator/BUMPING.md @@ -5,7 +5,7 @@ from within this directory: ``` -VERSION=<...> +VERSION=<...> #SEMVER VERSION without the v rm -rf helm-charts/ingress-nginx helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx helm repo update diff --git a/nginx-operator/Makefile b/nginx-operator/Makefile index 97c7e7babf..c3d0325724 100644 --- a/nginx-operator/Makefile +++ b/nginx-operator/Makefile @@ -6,7 +6,7 @@ # # We keep this aligned with the chart version # Will also be set in versions.py -VERSION ?= 4.11.3 +VERSION ?= 4.12.0 # CHANNELS define the bundle channels used in the bundle. # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable") diff --git a/nginx-operator/bundle.Dockerfile b/nginx-operator/bundle.Dockerfile index f7b2e43a9a..132db509b8 100644 --- a/nginx-operator/bundle.Dockerfile +++ b/nginx-operator/bundle.Dockerfile @@ -6,7 +6,7 @@ LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/ LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/ LABEL operators.operatorframework.io.bundle.package.v1=nginx-operator LABEL operators.operatorframework.io.bundle.channels.v1=alpha -LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.38.0 +LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.39.1 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1 LABEL operators.operatorframework.io.metrics.project_layout=helm.sdk.operatorframework.io/v1 
diff --git a/nginx-operator/bundle/manifests/nginx-operator.clusterserviceversion.yaml b/nginx-operator/bundle/manifests/nginx-operator.clusterserviceversion.yaml index 81d4c8b6b9..6c2801c374 100644 --- a/nginx-operator/bundle/manifests/nginx-operator.clusterserviceversion.yaml +++ b/nginx-operator/bundle/manifests/nginx-operator.clusterserviceversion.yaml @@ -506,10 +506,10 @@ metadata: } ] capabilities: Basic Install - createdAt: "2025-01-28T15:28:53Z" - operators.operatorframework.io/builder: operator-sdk-v1.38.0 + createdAt: "2025-01-28T15:52:54Z" + operators.operatorframework.io/builder: operator-sdk-v1.39.1 operators.operatorframework.io/project_layout: helm.sdk.operatorframework.io/v1 - name: nginx-operator.v4.11.3 + name: nginx-operator.v4.12.0 namespace: placeholder spec: apiservicedefinitions: {} @@ -660,7 +660,7 @@ spec: - --leader-elect - --leader-election-id=nginx-operator - --health-probe-bind-address=:8081 - image: registry.metalk8s.lan/nginx-operator:v4.11.3 + image: registry.metalk8s.lan/nginx-operator:v4.12.0 livenessProbe: httpGet: path: /healthz @@ -762,4 +762,4 @@ spec: provider: name: scality url: scality.com - version: 4.11.3 + version: 4.12.0 diff --git a/nginx-operator/bundle/metadata/annotations.yaml b/nginx-operator/bundle/metadata/annotations.yaml index e99eec8a01..e2b9d6b397 100644 --- a/nginx-operator/bundle/metadata/annotations.yaml +++ b/nginx-operator/bundle/metadata/annotations.yaml @@ -5,7 +5,7 @@ annotations: operators.operatorframework.io.bundle.metadata.v1: metadata/ operators.operatorframework.io.bundle.package.v1: nginx-operator operators.operatorframework.io.bundle.channels.v1: alpha - operators.operatorframework.io.metrics.builder: operator-sdk-v1.38.0 + operators.operatorframework.io.metrics.builder: operator-sdk-v1.39.1 operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 operators.operatorframework.io.metrics.project_layout: helm.sdk.operatorframework.io/v1 
diff --git a/nginx-operator/config/manager/kustomization.yaml b/nginx-operator/config/manager/kustomization.yaml index 3dc49ca8eb..a8191938ca 100644 --- a/nginx-operator/config/manager/kustomization.yaml +++ b/nginx-operator/config/manager/kustomization.yaml @@ -5,4 +5,4 @@ kind: Kustomization images: - name: controller newName: registry.metalk8s.lan/nginx-operator - newTag: v4.11.3 + newTag: v4.12.0 diff --git a/nginx-operator/helm-charts/ingress-nginx/Chart.yaml b/nginx-operator/helm-charts/ingress-nginx/Chart.yaml index 1f0128493d..11000f43da 100644 --- a/nginx-operator/helm-charts/ingress-nginx/Chart.yaml +++ b/nginx-operator/helm-charts/ingress-nginx/Chart.yaml @@ -1,9 +1,10 @@ annotations: artifacthub.io/changes: | - - Update Ingress-Nginx version controller-v1.11.3 + - 'CI: Fix chart testing. (#12258)' + - Update Ingress-Nginx version controller-v1.12.0 artifacthub.io/prerelease: "false" apiVersion: v2 -appVersion: 1.11.3 +appVersion: 1.12.0 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer home: https://github.com/kubernetes/ingress-nginx @@ -15,11 +16,9 @@ kubeVersion: '>=1.21.0-0' maintainers: - name: cpanato - name: Gacko -- name: puerco -- name: rikatz - name: strongjz - name: tao12345666333 name: ingress-nginx sources: - https://github.com/kubernetes/ingress-nginx -version: 4.11.3 +version: 4.12.0 diff --git a/nginx-operator/helm-charts/ingress-nginx/OWNERS b/nginx-operator/helm-charts/ingress-nginx/OWNERS index d588ede681..428474f631 100644 --- a/nginx-operator/helm-charts/ingress-nginx/OWNERS +++ b/nginx-operator/helm-charts/ingress-nginx/OWNERS @@ -1,10 +1,4 @@ # See the OWNERS docs: https://www.kubernetes.dev/docs/guide/owners -approvers: -- ingress-nginx-helm-maintainers - -reviewers: -- ingress-nginx-helm-reviewers - labels: - area/helm diff --git a/nginx-operator/helm-charts/ingress-nginx/README.md b/nginx-operator/helm-charts/ingress-nginx/README.md index f70bd0ae68..04b750fbab 100644 
--- a/nginx-operator/helm-charts/ingress-nginx/README.md +++ b/nginx-operator/helm-charts/ingress-nginx/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.11.3](https://img.shields.io/badge/Version-4.11.3-informational?style=flat-square) ![AppVersion: 1.11.3](https://img.shields.io/badge/AppVersion-1.11.3-informational?style=flat-square) +![Version: 4.12.0](https://img.shields.io/badge/Version-4.12.0-informational?style=flat-square) ![AppVersion: 1.12.0](https://img.shields.io/badge/AppVersion-1.12.0-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. @@ -229,6 +229,24 @@ Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13 As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered. +### Pod Security Admission + +You can use Pod Security Admission by applying labels to the `ingress-nginx` namespace as instructed by the [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels). + +Example: + +```yaml +apiVersion: v1 +kind: Namespace +metadata: + name: ingress-nginx + labels: + kubernetes.io/metadata.name: ingress-nginx + name: ingress-nginx + pod-security.kubernetes.io/enforce: restricted + pod-security.kubernetes.io/enforce-version: v1.31 +``` + ## Values | Key | Type | Default | Description | 
@@ -242,9 +260,8 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` | | | controller.admissionWebhooks.createSecretJob.name | string | `"create"` | | | controller.admissionWebhooks.createSecretJob.resources | object | `{}` | | -| controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers | +| controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers | | controller.admissionWebhooks.enabled | bool | `true` | | -| controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one | | controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set | | controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use | | controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` | | 
@@ -253,11 +270,10 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.admissionWebhooks.namespaceSelector | object | `{}` | | | controller.admissionWebhooks.objectSelector | object | `{}` | | | controller.admissionWebhooks.patch.enabled | bool | `true` | | -| controller.admissionWebhooks.patch.image.digest | string | `"sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f"` | | +| controller.admissionWebhooks.patch.image.digest | string | `"sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4"` | | | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | | | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | | -| controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | | -| controller.admissionWebhooks.patch.image.tag | string | `"v1.4.4"` | | +| controller.admissionWebhooks.patch.image.tag | string | `"v1.5.0"` | | | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources | | controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | 
@@ -273,7 +289,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.admissionWebhooks.patch.tolerations | list | `[]` | | | controller.admissionWebhooks.patchWebhookJob.name | string | `"patch"` | | | controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` | | -| controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers | +| controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers | | controller.admissionWebhooks.port | int | `8443` | | | controller.admissionWebhooks.service.annotations | object | `{}` | | | controller.admissionWebhooks.service.externalIPs | list | `[]` | | 
@@ -304,15 +320,14 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. | | controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' | | controller.electionTTL | string | `""` | Duration a leader election is valid before it's getting re-elected, e.g. `15s`, `10m` or `1h`. (Default: 30s) | -| controller.enableAnnotationValidations | bool | `false` | | +| controller.enableAnnotationValidations | bool | `true` | | | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # | | controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false | -| controller.existingPsp | string | `""` | Use an existing PSP instead of creating one | | controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use | | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. | | controller.extraEnvs | list | `[]` | Additional environment variables to set | | controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. | -| controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. 
See values.yaml for a sample to add opentelemetry module | +| controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. | | controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. | | controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. | | controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. | 
@@ -325,16 +340,16 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.image.allowPrivilegeEscalation | bool | `false` | | | controller.image.chroot | bool | `false` | | -| controller.image.digest | string | `"sha256:d56f135b6462cfc476447cfe564b83a45e8bb7da2774963b00d12161112270b7"` | | -| controller.image.digestChroot | string | `"sha256:22701f0fc0f2dd209ef782f4e281bfe2d8cccd50ededa00aec88e0cdbe7edd14"` | | +| controller.image.digest | string | `"sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa"` | | +| controller.image.digestChroot | string | `"sha256:87c88e1c38a6c8d4483c8f70b69e2cca49853bb3ec3124b9b1be648edf139af3"` | | | controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.readOnlyRootFilesystem | bool | `false` | | -| controller.image.registry | string | `"registry.k8s.io"` | | +| controller.image.runAsGroup | int | `82` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) | | controller.image.runAsNonRoot | bool | `true` | | -| controller.image.runAsUser | int | `101` | | +| controller.image.runAsUser | int | `101` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) | | controller.image.seccompProfile.type | string | `"RuntimeDefault"` | | -| controller.image.tag | string | `"v1.11.3"` | | +| controller.image.tag | string | `"v1.12.0"` | | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. 
Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassResource | object | `{"aliases":[],"annotations":{},"controllerValue":"k8s.io/ingress-nginx","default":false,"enabled":true,"name":"nginx","parameters":{}}` | This section refers to the creation of the IngressClass resource. IngressClasses are immutable and cannot be changed after creation. We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required. | @@ -371,9 +386,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.metrics.port | int | `10254` | | | controller.metrics.portName | string | `"metrics"` | | | controller.metrics.prometheusRule.additionalLabels | object | `{}` | | +| controller.metrics.prometheusRule.annotations | object | `{}` | Annotations to be added to the PrometheusRule. | | controller.metrics.prometheusRule.enabled | bool | `false` | | | controller.metrics.prometheusRule.rules | list | `[]` | | | controller.metrics.service.annotations | object | `{}` | | +| controller.metrics.service.enabled | bool | `true` | Enable the metrics service or not. | | controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # | | controller.metrics.service.labels | object | `{}` | Labels to be added to the metrics service resource | | controller.metrics.service.loadBalancerSourceRanges | list | `[]` | | 
@@ -393,24 +410,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.name | string | `"controller"` | | | controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # | -| controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | -| controller.opentelemetry.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | | -| controller.opentelemetry.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | | -| controller.opentelemetry.containerSecurityContext.runAsNonRoot | bool | `true` | | -| controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. | -| controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | | -| controller.opentelemetry.enabled | bool | `false` | | -| controller.opentelemetry.image.digest | string | `"sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922"` | | -| controller.opentelemetry.image.distroless | bool | `true` | | -| controller.opentelemetry.image.image | string | `"ingress-nginx/opentelemetry-1.25.3"` | | -| controller.opentelemetry.image.registry | string | `"registry.k8s.io"` | | -| controller.opentelemetry.image.tag | string | `"v20240813-b933310d"` | | -| controller.opentelemetry.name | string | `"opentelemetry"` | | -| controller.opentelemetry.resources | object | `{}` | | | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # | | controller.podLabels | object | `{}` | Labels to add to the pod container metadata | | controller.podSecurityContext | object | `{}` | Security context for controller pods | | 
controller.priorityClassName | string | `""` | | +| controller.progressDeadlineSeconds | int | `0` | Specifies the number of seconds you want to wait for the controller deployment to progress before the system reports back that it has failed. Ref.: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds | | controller.proxySetHeaders | object | `{}` | Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers | | controller.publishService | object | `{"enabled":true,"pathOverride":""}` | Allows customization of the source of the IP address or FQDN to report in the ingress status field. By default, it reads the information provided by the service. If disable, the status field reports the IP address of the node or nodes where an ingress controller pod is running. | | controller.publishService.enabled | bool | `true` | Enable 'publishService' or not | 
@@ -483,6 +487,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. # Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ # | | controller.udp.annotations | object | `{}` | Annotations to be added to the udp config configmap | | controller.udp.configMapNamespace | string | `""` | Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) | +| controller.unhealthyPodEvictionPolicy | string | `""` | Eviction policy for unhealthy pods guarded by PodDisruptionBudget. Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ | | controller.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # | | controller.watchIngressWithoutClass | bool | `false` | Process Ingress objects without ingressClass annotation/ingressClassName field Overrides value for --watch-ingress-without-class flag of the controller binary Defaults to false | | defaultBackend.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity | @@ -494,7 +499,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` | | | defaultBackend.containerSecurityContext | object | `{}` | Security context for default backend containers | | defaultBackend.enabled | bool | `false` | | -| defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one | | defaultBackend.extraArgs | object | `{}` | | | defaultBackend.extraConfigMaps | list | `[]` | | | defaultBackend.extraEnvs | list | `[]` | Additional environment variables to set for defaultBackend pods | 
@@ -504,7 +508,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.image.image | string | `"defaultbackend-amd64"` | | | defaultBackend.image.pullPolicy | string | `"IfNotPresent"` | | | defaultBackend.image.readOnlyRootFilesystem | bool | `true` | | -| defaultBackend.image.registry | string | `"registry.k8s.io"` | | +| defaultBackend.image.runAsGroup | int | `65534` | | | defaultBackend.image.runAsNonRoot | bool | `true` | | | defaultBackend.image.runAsUser | int | `65534` | | | defaultBackend.image.seccompProfile.type | string | `"RuntimeDefault"` | | @@ -515,7 +519,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.livenessProbe.periodSeconds | int | `10` | | | defaultBackend.livenessProbe.successThreshold | int | `1` | | | defaultBackend.livenessProbe.timeoutSeconds | int | `5` | | -| defaultBackend.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. | +| defaultBackend.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. | | defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | defaultBackend.name | string | `"defaultbackend"` | | | defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | 
@@ -542,11 +546,12 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.serviceAccount.name | string | `""` | | | defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # | | defaultBackend.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. Ref.: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ | +| defaultBackend.unhealthyPodEvictionPolicy | string | `""` | Eviction policy for unhealthy pods guarded by PodDisruptionBudget. Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ | | defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # | | dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param | +| global.image.registry | string | `"registry.k8s.io"` | Registry host to pull images from. | | imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | | namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace | -| podSecurityPolicy.enabled | bool | `false` | | | portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration | | rbac.create | bool | `true` | | | rbac.scope | bool | `false` | | 
diff --git a/nginx-operator/helm-charts/ingress-nginx/README.md.gotmpl b/nginx-operator/helm-charts/ingress-nginx/README.md.gotmpl index 17b029bbfa..3cb9d5651b 100644 --- a/nginx-operator/helm-charts/ingress-nginx/README.md.gotmpl +++ b/nginx-operator/helm-charts/ingress-nginx/README.md.gotmpl @@ -226,4 +226,22 @@ Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13 As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered. +### Pod Security Admission + +You can use Pod Security Admission by applying labels to the `ingress-nginx` namespace as instructed by the [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels). + +Example: + +```yaml +apiVersion: v1 +kind: Namespace +metadata: + name: ingress-nginx + labels: + kubernetes.io/metadata.name: ingress-nginx + name: ingress-nginx + pod-security.kubernetes.io/enforce: restricted + pod-security.kubernetes.io/enforce-version: v1.31 +``` + {{ template "chart.valuesSection" . }} diff --git a/nginx-operator/helm-charts/ingress-nginx/changelog/helm-chart-4.11.3.md b/nginx-operator/helm-charts/ingress-nginx/changelog/helm-chart-4.10.3.md similarity index 71% rename from nginx-operator/helm-charts/ingress-nginx/changelog/helm-chart-4.11.3.md rename to nginx-operator/helm-charts/ingress-nginx/changelog/helm-chart-4.10.3.md index 18ec6ba82c..3f77d405b6 100644 --- a/nginx-operator/helm-charts/ingress-nginx/changelog/helm-chart-4.11.3.md +++ b/nginx-operator/helm-charts/ingress-nginx/changelog/helm-chart-4.10.3.md 
@@ -2,8 +2,8 @@ This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). -### 4.11.3 +### 4.10.3 -* Update Ingress-Nginx version controller-v1.11.3 +* Update Ingress-Nginx version controller-v1.10.3 -**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.2...helm-chart-4.11.3 +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.2...helm-chart-4.10.3 diff --git a/nginx-operator/helm-charts/ingress-nginx/changelog/helm-chart-4.10.4.md b/nginx-operator/helm-charts/ingress-nginx/changelog/helm-chart-4.10.4.md new file mode 100644 index 0000000000..661d3c9bb4 --- /dev/null +++ b/nginx-operator/helm-charts/ingress-nginx/changelog/helm-chart-4.10.4.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.10.4 + +* Update Ingress-Nginx version controller-v1.10.4 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.3...helm-chart-4.10.4 diff --git a/nginx-operator/helm-charts/ingress-nginx/changelog/helm-chart-4.12.0-beta.0.md b/nginx-operator/helm-charts/ingress-nginx/changelog/helm-chart-4.12.0-beta.0.md new file mode 100644 index 0000000000..fa980f1fb9 --- /dev/null +++ b/nginx-operator/helm-charts/ingress-nginx/changelog/helm-chart-4.12.0-beta.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.12.0-beta.0 + +* Update Ingress-Nginx version controller-v1.12.0-beta.0 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.0...helm-chart-4.12.0-beta.0 
diff --git a/nginx-operator/helm-charts/ingress-nginx/changelog/helm-chart-4.12.0.md b/nginx-operator/helm-charts/ingress-nginx/changelog/helm-chart-4.12.0.md new file mode 100644 index 0000000000..f8f36d4998 --- /dev/null +++ b/nginx-operator/helm-charts/ingress-nginx/changelog/helm-chart-4.12.0.md @@ -0,0 +1,10 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.12.0 + +* CI: Fix chart testing. (#12258) +* Update Ingress-Nginx version controller-v1.12.0 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.0...helm-chart-4.12.0 diff --git a/nginx-operator/helm-charts/ingress-nginx/ci/controller-daemonset-extra-modules-values.yaml b/nginx-operator/helm-charts/ingress-nginx/ci/controller-daemonset-extra-modules-values.yaml deleted file mode 100644 index edf12e77ed..0000000000 --- a/nginx-operator/helm-charts/ingress-nginx/ci/controller-daemonset-extra-modules-values.yaml +++ /dev/null @@ -1,30 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - - service: - type: ClusterIP - - kind: DaemonSet - - extraModules: - - name: opentelemetry - image: - registry: registry.k8s.io - image: ingress-nginx/opentelemetry-1.25.3 - tag: v20240813-b933310d - digest: sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922 - distroless: true - containerSecurityContext: - runAsNonRoot: true - runAsUser: 65532 - runAsGroup: 65532 - allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true diff --git a/nginx-operator/helm-charts/ingress-nginx/ci/controller-daemonset-opentelemetry-values.yaml b/nginx-operator/helm-charts/ingress-nginx/ci/controller-daemonset-opentelemetry-values.yaml deleted file mode 100644 index 179ab2a85a..0000000000 
--- a/nginx-operator/helm-charts/ingress-nginx/ci/controller-daemonset-opentelemetry-values.yaml +++ /dev/null @@ -1,13 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - - service: - type: ClusterIP - - kind: DaemonSet - - opentelemetry: - enabled: true diff --git a/nginx-operator/helm-charts/ingress-nginx/ci/controller-deployment-extra-modules-values.yaml b/nginx-operator/helm-charts/ingress-nginx/ci/controller-deployment-extra-modules-values.yaml deleted file mode 100644 index d4083cc375..0000000000 --- a/nginx-operator/helm-charts/ingress-nginx/ci/controller-deployment-extra-modules-values.yaml +++ /dev/null @@ -1,30 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - - service: - type: ClusterIP - - kind: Deployment - - extraModules: - - name: opentelemetry - image: - registry: registry.k8s.io - image: ingress-nginx/opentelemetry-1.25.3 - tag: v20240813-b933310d - digest: sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922 - distroless: true - containerSecurityContext: - runAsNonRoot: true - runAsUser: 65532 - runAsGroup: 65532 - allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true diff --git a/nginx-operator/helm-charts/ingress-nginx/ci/controller-deployment-opentelemetry-values.yaml b/nginx-operator/helm-charts/ingress-nginx/ci/controller-deployment-opentelemetry-values.yaml deleted file mode 100644 index 9443ddefcc..0000000000 --- a/nginx-operator/helm-charts/ingress-nginx/ci/controller-deployment-opentelemetry-values.yaml +++ /dev/null @@ -1,13 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - - service: - type: ClusterIP - - kind: Deployment - - opentelemetry: - enabled: true 
diff --git a/nginx-operator/helm-charts/ingress-nginx/ci/deamonset-psp-values.yaml b/nginx-operator/helm-charts/ingress-nginx/ci/deamonset-psp-values.yaml deleted file mode 100644 index 8026a6356f..0000000000 --- a/nginx-operator/helm-charts/ingress-nginx/ci/deamonset-psp-values.yaml +++ /dev/null @@ -1,13 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - service: - type: ClusterIP - -podSecurityPolicy: - enabled: true diff --git a/nginx-operator/helm-charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml b/nginx-operator/helm-charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml deleted file mode 100644 index fccdb134cf..0000000000 --- a/nginx-operator/helm-charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml +++ /dev/null @@ -1,13 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: true - service: - type: ClusterIP - -podSecurityPolicy: - enabled: true diff --git a/nginx-operator/helm-charts/ingress-nginx/ci/deployment-psp-values.yaml b/nginx-operator/helm-charts/ingress-nginx/ci/deployment-psp-values.yaml deleted file mode 100644 index 2f332a7b20..0000000000 --- a/nginx-operator/helm-charts/ingress-nginx/ci/deployment-psp-values.yaml +++ /dev/null @@ -1,10 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - service: - type: ClusterIP - -podSecurityPolicy: - enabled: true diff --git a/nginx-operator/helm-charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml b/nginx-operator/helm-charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml deleted file mode 100644 index 6195bb3391..0000000000 --- a/nginx-operator/helm-charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: true - service: - type: ClusterIP - -podSecurityPolicy: - enabled: true diff --git a/nginx-operator/helm-charts/ingress-nginx/templates/_helpers.tpl b/nginx-operator/helm-charts/ingress-nginx/templates/_helpers.tpl index 24cfd14ad9..6cbda2d4d2 100644 --- a/nginx-operator/helm-charts/ingress-nginx/templates/_helpers.tpl +++ b/nginx-operator/helm-charts/ingress-nginx/templates/_helpers.tpl @@ -47,6 +47,7 @@ Controller container security context. {{- else -}} runAsNonRoot: {{ .Values.controller.image.runAsNonRoot }} runAsUser: {{ .Values.controller.image.runAsUser }} +runAsGroup: {{ .Values.controller.image.runAsGroup }} allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }} {{- if .Values.controller.image.seccompProfile }} seccompProfile: {{ toYaml .Values.controller.image.seccompProfile | nindent 2 }} @@ -222,6 +223,7 @@ Default backend container security context. {{- else -}} runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }} runAsUser: {{ .Values.defaultBackend.image.runAsUser }} +runAsGroup: {{ .Values.defaultBackend.image.runAsGroup }} allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }} {{- if .Values.defaultBackend.image.seccompProfile }} seccompProfile: {{ toYaml .Values.defaultBackend.image.seccompProfile | nindent 2 }} @@ -233,17 +235,6 @@ readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem } {{- end -}} {{- end -}} -{{/* -Return the appropriate apiGroup for PodSecurityPolicy. -*/}} -{{- define "podSecurityPolicy.apiGroup" -}} -{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "policy" -}} -{{- else -}} -{{- print "extensions" -}} -{{- end -}} -{{- end -}} - {{/* Extra modules. */}} 
diff --git a/nginx-operator/helm-charts/ingress-nginx/templates/_params.tpl b/nginx-operator/helm-charts/ingress-nginx/templates/_params.tpl index 48569a8b0c..0051dc9c09 100644 --- a/nginx-operator/helm-charts/ingress-nginx/templates/_params.tpl +++ b/nginx-operator/helm-charts/ingress-nginx/templates/_params.tpl @@ -1,7 +1,7 @@ {{- define "ingress-nginx.params" -}} - /nginx-ingress-controller -{{- if .Values.controller.enableAnnotationValidations }} -- --enable-annotation-validation=true +{{- if not .Values.controller.enableAnnotationValidations }} +- --enable-annotation-validation=false {{- end }} {{- if .Values.defaultBackend.enabled }} - --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }} @@ -54,7 +54,7 @@ {{- if .Values.controller.watchIngressWithoutClass }} - --watch-ingress-without-class=true {{- end }} -{{- if not .Values.controller.metrics.enabled }} +{{- if .Values.controller.metrics.enabled }} - --enable-metrics={{ .Values.controller.metrics.enabled }} {{- end }} {{- if .Values.controller.enableTopologyAwareRouting }} diff --git a/nginx-operator/helm-charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml b/nginx-operator/helm-charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml index a21848201b..54af7abb65 100644 --- a/nginx-operator/helm-charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml +++ b/nginx-operator/helm-charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml @@ -20,14 +20,4 @@ rules: verbs: - get - update -{{- if .Values.podSecurityPolicy.enabled }} - - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] - resources: ['podsecuritypolicies'] - verbs: ['use'] - {{- with .Values.controller.admissionWebhooks.existingPsp }} - resourceNames: [{{ . }}] - {{- else }} - resourceNames: [{{ include "ingress-nginx.admissionWebhooks.fullname" . }}] - {{- end }} -{{- end }} {{- end }} 
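Review bot: In `_params.tpl`, the `@@ -1,7 +1,7 @@` hunk no longer renders any `--enable-annotation-validation` argument when `controller.enableAnnotationValidations` is `true`, so whether validation is on depends on the controller binary's built-in default rather than on the chart value. That default is not visible in this diff, and `controller.image.tag` is overridable, so a controller image whose default is off would run without annotation validation while the values still say `true`. Rendering the argument unconditionally, `- --enable-annotation-validation={{ .Values.controller.enableAnnotationValidations }}`, keeps the effective setting explicit in the pod spec. The `@@ -54,7 +54,7 @@` hunk has the same shape for `--enable-metrics` when `controller.metrics.enabled` is `false`, and so does the `controller-configmap.yaml` hunk for `allow-snippet-annotations`, where keeping an explicit `"false"` is the safer rendering. The `ingress-nginx.params` template ends outside these hunks.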
diff --git a/nginx-operator/helm-charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/nginx-operator/helm-charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml index 176616467c..af3ea12a32 100644 --- a/nginx-operator/helm-charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml +++ b/nginx-operator/helm-charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml @@ -42,7 +42,7 @@ spec: {{- end }} containers: - name: create - {{- with .Values.controller.admissionWebhooks.patch.image }} + {{- with (merge .Values.controller.admissionWebhooks.patch.image .Values.global.image) }} image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} {{- end }} imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }} diff --git a/nginx-operator/helm-charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/nginx-operator/helm-charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml index f7d44a24db..87dd2c251f 100644 --- a/nginx-operator/helm-charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml +++ b/nginx-operator/helm-charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml @@ -42,7 +42,7 @@ spec: {{- end }} containers: - name: patch - {{- with .Values.controller.admissionWebhooks.patch.image }} + {{- with (merge .Values.controller.admissionWebhooks.patch.image .Values.global.image) }} image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} {{- end }} imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }} 
diff --git a/nginx-operator/helm-charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml b/nginx-operator/helm-charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml deleted file mode 100644 index 8e5dc72ac4..0000000000 --- a/nginx-operator/helm-charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml +++ /dev/null @@ -1,52 +0,0 @@ -{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} -{{- if and .Values.podSecurityPolicy.enabled .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} - annotations: - "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded - seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*" - labels: - {{- include "ingress-nginx.labels" . | nindent 4 }} - app.kubernetes.io/component: admission-webhook - {{- with .Values.controller.admissionWebhooks.patch.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - privileged: false - hostPID: false - hostIPC: false - hostNetwork: false - volumes: - - configMap - - downwardAPI - - emptyDir - - secret - - projected - fsGroup: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - readOnlyRootFilesystem: true - runAsUser: - rule: MustRunAsNonRoot - runAsGroup: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - supplementalGroups: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - allowPrivilegeEscalation: false - requiredDropCapabilities: - - ALL - seLinux: - rule: RunAsAny -{{- end }} -{{- end }} diff --git a/nginx-operator/helm-charts/ingress-nginx/templates/controller-configmap.yaml b/nginx-operator/helm-charts/ingress-nginx/templates/controller-configmap.yaml index e24a967426..b63cff3507 100644 
--- a/nginx-operator/helm-charts/ingress-nginx/templates/controller-configmap.yaml +++ b/nginx-operator/helm-charts/ingress-nginx/templates/controller-configmap.yaml @@ -14,7 +14,9 @@ metadata: name: {{ include "ingress-nginx.controller.fullname" . }} namespace: {{ include "ingress-nginx.namespace" . }} data: - allow-snippet-annotations: "{{ .Values.controller.allowSnippetAnnotations }}" +{{- if .Values.controller.allowSnippetAnnotations }} + allow-snippet-annotations: "true" +{{- end }} {{- if .Values.controller.addHeaders }} add-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers {{- end }} diff --git a/nginx-operator/helm-charts/ingress-nginx/templates/controller-daemonset.yaml b/nginx-operator/helm-charts/ingress-nginx/templates/controller-daemonset.yaml index fcc633d3d4..fd1b132845 100644 --- a/nginx-operator/helm-charts/ingress-nginx/templates/controller-daemonset.yaml +++ b/nginx-operator/helm-charts/ingress-nginx/templates/controller-daemonset.yaml @@ -75,7 +75,7 @@ spec: {{- end }} containers: - name: {{ .Values.controller.containerName }} - {{- with .Values.controller.image }} + {{- with (merge .Values.controller.image .Values.global.image) }} image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }} {{- end }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }} 
@@ -144,9 +144,9 @@ spec: hostPort: {{ $key }} {{- end }} {{- end }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }} volumeMounts: - {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} + {{- if .Values.controller.extraModules }} - name: modules {{- if .Values.controller.image.chroot }} mountPath: /chroot/modules_mount @@ -174,7 +174,7 @@ spec: {{- if .Values.controller.extraContainers }} {{- toYaml .Values.controller.extraContainers | nindent 8 }} {{- end }} - {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} + {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }} initContainers: {{- if .Values.controller.extraInitContainers }} {{- toYaml .Values.controller.extraInitContainers | nindent 8 }} 
@@ -182,13 +182,7 @@ spec: {{- if .Values.controller.extraModules }} {{- range .Values.controller.extraModules }} {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} - {{- end }} - {{- end }} - {{- if .Values.controller.opentelemetry.enabled }} - {{- with .Values.controller.opentelemetry }} - {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} + {{- include "extraModules" (dict "name" .name "image" (merge .image $.Values.global.image) "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} {{- end }} {{- end }} {{- end }} @@ -209,9 +203,9 @@ spec: {{- end }} serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }} volumes: - {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}} + {{- if .Values.controller.extraModules }} - name: modules emptyDir: {} {{- end }} 
diff --git a/nginx-operator/helm-charts/ingress-nginx/templates/controller-deployment.yaml b/nginx-operator/helm-charts/ingress-nginx/templates/controller-deployment.yaml index 5211acd0b2..cc41bfbc7f 100644 --- a/nginx-operator/helm-charts/ingress-nginx/templates/controller-deployment.yaml +++ b/nginx-operator/helm-charts/ingress-nginx/templates/controller-deployment.yaml @@ -22,6 +22,9 @@ spec: replicas: {{ .Values.controller.replicaCount }} {{- end }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + {{- if .Values.controller.progressDeadlineSeconds }} + progressDeadlineSeconds: {{ .Values.controller.progressDeadlineSeconds }} + {{- end }} {{- if .Values.controller.updateStrategy }} strategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }} {{- end }} @@ -78,7 +81,7 @@ spec: {{- end }} containers: - name: {{ .Values.controller.containerName }} - {{- with .Values.controller.image }} + {{- with (merge .Values.controller.image .Values.global.image) }} image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }} {{- end }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }} @@ -147,9 +150,9 @@ spec: hostPort: {{ $key }} {{- end }} {{- end }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }} volumeMounts: - {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} + {{- if .Values.controller.extraModules }} - name: modules {{- if .Values.controller.image.chroot }} mountPath: /chroot/modules_mount 
@@ -177,7 +180,7 @@ spec: {{- if .Values.controller.extraContainers }} {{- toYaml .Values.controller.extraContainers | nindent 8 }} {{- end }} - {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} + {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }} initContainers: {{- if .Values.controller.extraInitContainers }} {{- toYaml .Values.controller.extraInitContainers | nindent 8 }} @@ -185,13 +188,7 @@ spec: {{- if .Values.controller.extraModules }} {{- range .Values.controller.extraModules }} {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} - {{- end }} - {{- end }} - {{- if .Values.controller.opentelemetry.enabled }} - {{- with .Values.controller.opentelemetry }} - {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} + {{- include "extraModules" (dict "name" .name "image" (merge .image $.Values.global.image) "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} {{- end }} {{- end }} {{- end }} 
@@ -212,9 +209,9 @@ spec: {{- end }} serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }} volumes: - {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}} + {{- if .Values.controller.extraModules }} - name: modules emptyDir: {} {{- end }} diff --git a/nginx-operator/helm-charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml b/nginx-operator/helm-charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml index 8e0181f9f1..a1f5fbba2a 100644 --- a/nginx-operator/helm-charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml +++ b/nginx-operator/helm-charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml @@ -32,5 +32,8 @@ spec: {{- else if .Values.controller.maxUnavailable }} maxUnavailable: {{ .Values.controller.maxUnavailable }} {{- end }} + {{- if .Values.controller.unhealthyPodEvictionPolicy }} + unhealthyPodEvictionPolicy: {{ .Values.controller.unhealthyPodEvictionPolicy }} + {{- end }} {{- end }} {{- end }} diff --git a/nginx-operator/helm-charts/ingress-nginx/templates/controller-prometheusrule.yaml b/nginx-operator/helm-charts/ingress-nginx/templates/controller-prometheusrule.yaml index 41684c3708..4a9357f710 100644 --- a/nginx-operator/helm-charts/ingress-nginx/templates/controller-prometheusrule.yaml +++ b/nginx-operator/helm-charts/ingress-nginx/templates/controller-prometheusrule.yaml 
@@ -14,6 +14,9 @@ metadata: {{- if .Values.controller.metrics.prometheusRule.additionalLabels }} {{- toYaml .Values.controller.metrics.prometheusRule.additionalLabels | nindent 4 }} {{- end }} + {{- if .Values.controller.metrics.prometheusRule.annotations }} + annotations: {{ toYaml .Values.controller.metrics.prometheusRule.annotations | nindent 4 }} + {{- end }} spec: {{- if .Values.controller.metrics.prometheusRule.rules }} groups: diff --git a/nginx-operator/helm-charts/ingress-nginx/templates/controller-psp.yaml b/nginx-operator/helm-charts/ingress-nginx/templates/controller-psp.yaml deleted file mode 100644 index aad1d27361..0000000000 --- a/nginx-operator/helm-charts/ingress-nginx/templates/controller-psp.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} -{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ include "ingress-nginx.fullname" . }} - annotations: - seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*" - labels: - {{- include "ingress-nginx.labels" . | nindent 4 }} - app.kubernetes.io/component: controller - {{- with .Values.controller.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - privileged: false - hostPID: false - hostIPC: false - hostNetwork: {{ .Values.controller.hostNetwork }} -{{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }} - hostPorts: - {{- if .Values.controller.hostNetwork }} - {{- range $key, $value := .Values.controller.containerPort }} - # controller.containerPort.{{ $key }} - - min: {{ $value }} - max: {{ $value }} - {{- end }} - {{- else if .Values.controller.hostPort.enabled }} - {{- range $key, $value := .Values.controller.hostPort.ports }} - # controller.hostPort.ports.{{ $key }} - - min: {{ $value }} - max: {{ $value }} - {{- end }} - {{- end }} - {{- if .Values.controller.metrics.enabled }} - # controller.metrics.port - - min: {{ .Values.controller.metrics.port }} - max: {{ .Values.controller.metrics.port }} - {{- end }} - {{- if .Values.controller.admissionWebhooks.enabled }} - # controller.admissionWebhooks.port - - min: {{ .Values.controller.admissionWebhooks.port }} - max: {{ .Values.controller.admissionWebhooks.port }} - {{- end }} - {{- range $key, $value := .Values.tcp }} - # tcp.{{ $key }} - - min: {{ $key }} - max: {{ $key }} - {{- end }} - {{- range $key, $value := .Values.udp }} - # udp.{{ $key }} - - min: {{ $key }} - max: {{ $key }} - {{- end }} -{{- end }} - volumes: - - configMap - - downwardAPI - - emptyDir - - secret - - projected - fsGroup: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - 
readOnlyRootFilesystem: false - runAsUser: - rule: MustRunAsNonRoot - runAsGroup: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - supplementalGroups: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }} - requiredDropCapabilities: - - ALL - allowedCapabilities: - - NET_BIND_SERVICE - {{- if .Values.controller.image.chroot }} - {{- if .Values.controller.image.seccompProfile }} - - SYS_ADMIN - {{- end }} - - SYS_CHROOT - {{- end }} - seLinux: - rule: RunAsAny -{{- if .Values.controller.sysctls }} - allowedUnsafeSysctls: - {{- range $sysctl, $value := .Values.controller.sysctls }} - - {{ $sysctl }} - {{- end }} -{{- end }} -{{- end }} -{{- end }} diff --git a/nginx-operator/helm-charts/ingress-nginx/templates/controller-role.yaml b/nginx-operator/helm-charts/ingress-nginx/templates/controller-role.yaml index a94b399782..127b368c46 100644 --- a/nginx-operator/helm-charts/ingress-nginx/templates/controller-role.yaml +++ b/nginx-operator/helm-charts/ingress-nginx/templates/controller-role.yaml @@ -91,14 +91,4 @@ rules: - list - watch - get -{{- if .Values.podSecurityPolicy.enabled }} - - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] - resources: ['podsecuritypolicies'] - verbs: ['use'] - {{- with .Values.controller.existingPsp }} - resourceNames: [{{ . }}] - {{- else }} - resourceNames: [{{ include "ingress-nginx.fullname" . }}] - {{- end }} -{{- end }} {{- end }} diff --git a/nginx-operator/helm-charts/ingress-nginx/templates/controller-service-metrics.yaml b/nginx-operator/helm-charts/ingress-nginx/templates/controller-service-metrics.yaml index 7c153295fd..4b25a840e8 100644 --- a/nginx-operator/helm-charts/ingress-nginx/templates/controller-service-metrics.yaml +++ b/nginx-operator/helm-charts/ingress-nginx/templates/controller-service-metrics.yaml 
@@ -1,4 +1,4 @@ -{{- if .Values.controller.metrics.enabled -}} +{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.service.enabled -}} apiVersion: v1 kind: Service metadata: diff --git a/nginx-operator/helm-charts/ingress-nginx/templates/controller-servicemonitor.yaml b/nginx-operator/helm-charts/ingress-nginx/templates/controller-servicemonitor.yaml index 62301da454..93ab4d242d 100644 --- a/nginx-operator/helm-charts/ingress-nginx/templates/controller-servicemonitor.yaml +++ b/nginx-operator/helm-charts/ingress-nginx/templates/controller-servicemonitor.yaml 
@@ -3,51 +3,48 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: {{ include "ingress-nginx.controller.fullname" . }} -{{- if .Values.controller.metrics.serviceMonitor.namespace }} + {{- if .Values.controller.metrics.serviceMonitor.namespace }} namespace: {{ .Values.controller.metrics.serviceMonitor.namespace }} -{{- else }} + {{- else }} namespace: {{ include "ingress-nginx.namespace" . }} -{{- end }} + {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} app.kubernetes.io/component: controller - {{- if .Values.controller.metrics.serviceMonitor.additionalLabels }} + {{- if .Values.controller.metrics.serviceMonitor.additionalLabels }} {{- toYaml .Values.controller.metrics.serviceMonitor.additionalLabels | nindent 4 }} - {{- end }} + {{- end }} {{- if .Values.controller.metrics.serviceMonitor.annotations }} annotations: {{ toYaml .Values.controller.metrics.serviceMonitor.annotations | nindent 4 }} {{- end }} spec: + {{- if .Values.controller.metrics.serviceMonitor.namespaceSelector }} + namespaceSelector: {{ toYaml .Values.controller.metrics.serviceMonitor.namespaceSelector | nindent 4 }} + {{- else }} + namespaceSelector: + matchNames: + - {{ include "ingress-nginx.namespace" . }} + {{- end }} + selector: + matchLabels: + {{- include "ingress-nginx.selectorLabels" . 
| nindent 6 }} + app.kubernetes.io/component: controller endpoints: - - port: {{ .Values.controller.metrics.portName }} - interval: {{ .Values.controller.metrics.serviceMonitor.scrapeInterval }} + - port: {{ .Values.controller.metrics.portName }} + interval: {{ .Values.controller.metrics.serviceMonitor.scrapeInterval }} {{- if .Values.controller.metrics.serviceMonitor.honorLabels }} - honorLabels: true + honorLabels: true {{- end }} {{- if .Values.controller.metrics.serviceMonitor.relabelings }} - relabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.relabelings | nindent 8 }} + relabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.relabelings | nindent 4 }} {{- end }} {{- if .Values.controller.metrics.serviceMonitor.metricRelabelings }} - metricRelabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.metricRelabelings | nindent 8 }} + metricRelabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.metricRelabelings | nindent 4 }} {{- end }} -{{- if .Values.controller.metrics.serviceMonitor.jobLabel }} + {{- if .Values.controller.metrics.serviceMonitor.jobLabel }} jobLabel: {{ .Values.controller.metrics.serviceMonitor.jobLabel | quote }} -{{- end }} -{{- if .Values.controller.metrics.serviceMonitor.namespaceSelector }} - namespaceSelector: {{ toYaml .Values.controller.metrics.serviceMonitor.namespaceSelector | nindent 4 }} -{{- else }} - namespaceSelector: - matchNames: - - {{ include "ingress-nginx.namespace" . }} -{{- end }} -{{- if .Values.controller.metrics.serviceMonitor.targetLabels }} - targetLabels: - {{- range .Values.controller.metrics.serviceMonitor.targetLabels }} - - {{ . }} {{- end }} -{{- end }} - selector: - matchLabels: - {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: controller + {{- if .Values.controller.metrics.serviceMonitor.targetLabels }} + targetLabels: {{ toYaml .Values.controller.metrics.serviceMonitor.targetLabels | nindent 2 }} + {{- end }} {{- end }} 
diff --git a/nginx-operator/helm-charts/ingress-nginx/templates/default-backend-deployment.yaml b/nginx-operator/helm-charts/ingress-nginx/templates/default-backend-deployment.yaml index 6755e23783..f7d9de1215 100644 --- a/nginx-operator/helm-charts/ingress-nginx/templates/default-backend-deployment.yaml +++ b/nginx-operator/helm-charts/ingress-nginx/templates/default-backend-deployment.yaml @@ -50,7 +50,7 @@ spec: {{- end }} containers: - name: {{ template "ingress-nginx.name" . }}-default-backend - {{- with .Values.defaultBackend.image }} + {{- with (merge .Values.defaultBackend.image .Values.global.image) }} image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} {{- end }} imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }} diff --git a/nginx-operator/helm-charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml b/nginx-operator/helm-charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml index c8363fd4b4..e399ea8a42 100644 --- a/nginx-operator/helm-charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml +++ b/nginx-operator/helm-charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml @@ -20,6 +20,13 @@ spec: matchLabels: {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} app.kubernetes.io/component: default-backend + {{- if and .Values.defaultBackend.minAvailable (not (hasKey .Values.defaultBackend "maxUnavailable")) }} minAvailable: {{ .Values.defaultBackend.minAvailable }} + {{- else if .Values.defaultBackend.maxUnavailable }} + maxUnavailable: {{ .Values.defaultBackend.maxUnavailable }} + {{- end }} + {{- if .Values.defaultBackend.unhealthyPodEvictionPolicy }} + unhealthyPodEvictionPolicy: {{ .Values.defaultBackend.unhealthyPodEvictionPolicy }} + {{- end }} {{- end }} {{- end }} 
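Review bot: In the default-backend PodDisruptionBudget hunk, `defaultBackend.maxUnavailable: 0` (or an explicit null) renders a budget with neither `minAvailable` nor `maxUnavailable`. `hasKey` makes the first branch false, and `else if .Values.defaultBackend.maxUnavailable` is also false for a zero value. Judging from the context line, `minAvailable` was emitted unconditionally inside this block before the change. Testing presence rather than truthiness in the second branch keeps a zero budget, for example `{{- else if not (kindIs "invalid" .Values.defaultBackend.maxUnavailable) }}`. The case where neither value is set still needs a default or a `fail`, and a test with `maxUnavailable: 0` would pin the behaviour.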
diff --git a/nginx-operator/helm-charts/ingress-nginx/templates/default-backend-psp.yaml b/nginx-operator/helm-charts/ingress-nginx/templates/default-backend-psp.yaml deleted file mode 100644 index 4241091091..0000000000 --- a/nginx-operator/helm-charts/ingress-nginx/templates/default-backend-psp.yaml +++ /dev/null @@ -1,50 +0,0 @@ -{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} -{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingPsp) -}} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ include "ingress-nginx.fullname" . }}-backend - annotations: - seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*" - labels: - {{- include "ingress-nginx.labels" . | nindent 4 }} - app.kubernetes.io/component: default-backend - {{- with .Values.defaultBackend.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - privileged: false - hostPID: false - hostIPC: false - hostNetwork: false - volumes: - - configMap - - downwardAPI - - emptyDir - - secret - - projected - fsGroup: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - readOnlyRootFilesystem: true - runAsUser: - rule: MustRunAsNonRoot - runAsGroup: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - supplementalGroups: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - allowPrivilegeEscalation: false - requiredDropCapabilities: - - ALL - seLinux: - rule: RunAsAny -{{- end }} -{{- end }} diff --git a/nginx-operator/helm-charts/ingress-nginx/templates/default-backend-role.yaml b/nginx-operator/helm-charts/ingress-nginx/templates/default-backend-role.yaml deleted file mode 100644 index dd7868aa0e..0000000000 --- a/nginx-operator/helm-charts/ingress-nginx/templates/default-backend-role.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - {{- include "ingress-nginx.labels" . | nindent 4 }} - app.kubernetes.io/component: default-backend - {{- with .Values.defaultBackend.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - name: {{ include "ingress-nginx.fullname" . }}-backend - namespace: {{ include "ingress-nginx.namespace" . }} -rules: - - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] - resources: ['podsecuritypolicies'] - verbs: ['use'] - {{- with .Values.defaultBackend.existingPsp }} - resourceNames: [{{ . }}] - {{- else }} - resourceNames: [{{ include "ingress-nginx.fullname" . }}-backend] - {{- end }} -{{- end }} diff --git a/nginx-operator/helm-charts/ingress-nginx/templates/default-backend-rolebinding.yaml b/nginx-operator/helm-charts/ingress-nginx/templates/default-backend-rolebinding.yaml deleted file mode 100644 index 3203b6f575..0000000000 --- a/nginx-operator/helm-charts/ingress-nginx/templates/default-backend-rolebinding.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - {{- include "ingress-nginx.labels" . | nindent 4 }} - app.kubernetes.io/component: default-backend - {{- with .Values.defaultBackend.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - name: {{ include "ingress-nginx.fullname" . }}-backend - namespace: {{ include "ingress-nginx.namespace" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "ingress-nginx.fullname" . }}-backend -subjects: - - kind: ServiceAccount - name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} - namespace: {{ include "ingress-nginx.namespace" . }} -{{- end }} 
diff --git a/nginx-operator/helm-charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml b/nginx-operator/helm-charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml index 7c30d1e660..f72bc4383f 100644 --- a/nginx-operator/helm-charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml +++ b/nginx-operator/helm-charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml @@ -20,7 +20,7 @@ tests: of: ServiceAccount - equal: path: metadata.name - value: ingress-nginx-admission + value: RELEASE-NAME-ingress-nginx-admission - it: should create a ServiceAccount with specified name if `controller.admissionWebhooks.patch.serviceAccount.name` is set set: diff --git a/nginx-operator/helm-charts/ingress-nginx/tests/admission-webhooks/validating-webhook_test.yaml b/nginx-operator/helm-charts/ingress-nginx/tests/admission-webhooks/validating-webhook_test.yaml index b9d6d780bb..47b6b68730 100644 --- a/nginx-operator/helm-charts/ingress-nginx/tests/admission-webhooks/validating-webhook_test.yaml +++ b/nginx-operator/helm-charts/ingress-nginx/tests/admission-webhooks/validating-webhook_test.yaml @@ -20,7 +20,7 @@ tests: of: ValidatingWebhookConfiguration - equal: path: metadata.name - value: RELEASE-NAME-admission + value: RELEASE-NAME-ingress-nginx-admission - it: should create a ValidatingWebhookConfiguration with a custom port if `controller.admissionWebhooks.service.servicePort` is set set: diff --git a/nginx-operator/helm-charts/ingress-nginx/tests/controller-daemonset_test.yaml b/nginx-operator/helm-charts/ingress-nginx/tests/controller-daemonset_test.yaml index 81d067bb5f..d2d77befb3 100644 --- a/nginx-operator/helm-charts/ingress-nginx/tests/controller-daemonset_test.yaml +++ b/nginx-operator/helm-charts/ingress-nginx/tests/controller-daemonset_test.yaml 
@@ -15,23 +15,23 @@ tests: path: metadata.name value: RELEASE-NAME-ingress-nginx-controller - - it: should create a DaemonSet with argument `--enable-metrics=false` if `controller.metrics.enabled` is false + - it: should create a DaemonSet with argument `--enable-metrics=true` if `controller.metrics.enabled` is true set: controller.kind: DaemonSet - controller.metrics.enabled: false + controller.metrics.enabled: true asserts: - contains: path: spec.template.spec.containers[0].args - content: --enable-metrics=false + content: --enable-metrics=true - - it: should create a DaemonSet without argument `--enable-metrics=false` if `controller.metrics.enabled` is true + - it: should create a DaemonSet without argument `--enable-metrics=true` if `controller.metrics.enabled` is false set: controller.kind: DaemonSet - controller.metrics.enabled: true + controller.metrics.enabled: false asserts: - notContains: path: spec.template.spec.containers[0].args - content: --enable-metrics=false + content: --enable-metrics=true - it: should create a DaemonSet with argument `--controller-class=k8s.io/ingress-nginx-internal` if `controller.ingressClassResource.controllerValue` is "k8s.io/ingress-nginx-internal" set: 
@@ -139,6 +139,26 @@ tests: - controller topologyKey: kubernetes.io/hostname + - it: should create a DaemonSet with `runAsGroup` if `controller.image.runAsGroup` is set + set: + controller.kind: DaemonSet + controller.image.runAsGroup: 1000 + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext.runAsGroup + value: 1000 + + - it: should create a DaemonSet with a custom registry if `global.image.registry` is set + set: + global.image.registry: custom.registry.io + controller.kind: DaemonSet + controller.image.tag: v1.0.0-dev + controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: custom.registry.io/ingress-nginx/controller:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + - it: should create a DaemonSet with a custom registry if `controller.image.registry` is set set: controller.kind: DaemonSet diff --git a/nginx-operator/helm-charts/ingress-nginx/tests/controller-deployment_test.yaml b/nginx-operator/helm-charts/ingress-nginx/tests/controller-deployment_test.yaml index 382aecd710..1cc9c93255 100644 --- a/nginx-operator/helm-charts/ingress-nginx/tests/controller-deployment_test.yaml +++ b/nginx-operator/helm-charts/ingress-nginx/tests/controller-deployment_test.yaml 
@@ -43,21 +43,21 @@ tests: - exists: path: spec.replicas - - it: should create a Deployment with argument `--enable-metrics=false` if `controller.metrics.enabled` is false + - it: should create a Deployment with argument `--enable-metrics=true` if `controller.metrics.enabled` is true set: - controller.metrics.enabled: false + controller.metrics.enabled: true asserts: - contains: path: spec.template.spec.containers[0].args - content: --enable-metrics=false + content: --enable-metrics=true - - it: should create a Deployment without argument `--enable-metrics=false` if `controller.metrics.enabled` is true + - it: should create a Deployment without argument `--enable-metrics=true` if `controller.metrics.enabled` is false set: - controller.metrics.enabled: true + controller.metrics.enabled: false asserts: - notContains: path: spec.template.spec.containers[0].args - content: --enable-metrics=false + content: --enable-metrics=true - it: should create a Deployment with argument `--controller-class=k8s.io/ingress-nginx-internal` if `controller.ingressClassResource.controllerValue` is "k8s.io/ingress-nginx-internal" set: 
@@ -161,6 +161,24 @@ tests: - controller topologyKey: kubernetes.io/hostname + - it: should create a Deployment with `runAsGroup` if `controller.image.runAsGroup` is set + set: + controller.image.runAsGroup: 1000 + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext.runAsGroup + value: 1000 + + - it: should create a Deployment with a custom registry if `global.image.registry` is set + set: + global.image.registry: custom.registry.io + controller.image.tag: v1.0.0-dev + controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: custom.registry.io/ingress-nginx/controller:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + - it: should create a Deployment with a custom registry if `controller.image.registry` is set set: controller.image.registry: custom.registry.io @@ -189,3 +207,11 @@ tests: - equal: path: spec.template.spec.containers[0].image value: registry.k8s.io/ingress-nginx/controller:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + + - it: should create a Deployment with `progressDeadlineSeconds` if `controller.progressDeadlineSeconds` is set + set: + controller.progressDeadlineSeconds: 111 + asserts: + - equal: + path: spec.progressDeadlineSeconds + value: 111 diff --git a/nginx-operator/helm-charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml b/nginx-operator/helm-charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml index f215f35207..5ac986fc70 100644 --- a/nginx-operator/helm-charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml +++ b/nginx-operator/helm-charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml 
@@ -87,3 +87,16 @@ tests: - equal: path: spec.maxUnavailable value: 1 + + - it: should create a PodDisruptionBudget with `unhealthyPodEvictionPolicy` if `controller.unhealthyPodEvictionPolicy` is set + set: + controller.replicaCount: 2 + controller.unhealthyPodEvictionPolicy: IfHealthyBudget + asserts: + - hasDocuments: + count: 1 + - isKind: + of: PodDisruptionBudget + - equal: + path: spec.unhealthyPodEvictionPolicy + value: IfHealthyBudget diff --git a/nginx-operator/helm-charts/ingress-nginx/tests/controller-prometheusrule_test.yaml b/nginx-operator/helm-charts/ingress-nginx/tests/controller-prometheusrule_test.yaml index d60a98315f..2d330919dd 100644 --- a/nginx-operator/helm-charts/ingress-nginx/tests/controller-prometheusrule_test.yaml +++ b/nginx-operator/helm-charts/ingress-nginx/tests/controller-prometheusrule_test.yaml @@ -15,3 +15,15 @@ tests: - equal: path: metadata.name value: RELEASE-NAME-ingress-nginx-controller + + - it: should create a PrometheusRule with annotations if `controller.metrics.prometheusRule.annotations` is set + set: + controller.metrics.enabled: true + controller.metrics.prometheusRule.enabled: true + controller.metrics.prometheusRule.annotations: + my-little-annotation: test-value + asserts: + - equal: + path: metadata.annotations + value: + my-little-annotation: test-value diff --git a/nginx-operator/helm-charts/ingress-nginx/tests/controller-service-metrics_test.yaml b/nginx-operator/helm-charts/ingress-nginx/tests/controller-service-metrics_test.yaml index afdb940464..ddb412e5b0 100644 --- a/nginx-operator/helm-charts/ingress-nginx/tests/controller-service-metrics_test.yaml +++ b/nginx-operator/helm-charts/ingress-nginx/tests/controller-service-metrics_test.yaml 
@@ -3,16 +3,34 @@ templates: - controller-service-metrics.yaml tests: - - it: should not create a metrics Service if `controller.metrics.enabled` is false + - it: should not create a metrics Service if `controller.metrics.enabled` is false and `controller.metrics.service.enabled` is false set: controller.metrics.enabled: false + controller.metrics.service.enabled: false asserts: - hasDocuments: count: 0 - - it: should create a metrics Service if `controller.metrics.enabled` is true + - it: should not create a metrics Service if `controller.metrics.enabled` is false and `controller.metrics.service.enabled` is true + set: + controller.metrics.enabled: false + controller.metrics.service.enabled: true + asserts: + - hasDocuments: + count: 0 + + - it: should not create a metrics Service if `controller.metrics.enabled` is true and `controller.metrics.service.enabled` is false + set: + controller.metrics.enabled: true + controller.metrics.service.enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a metrics Service if `controller.metrics.enabled` is true and `controller.metrics.service.enabled` is true set: controller.metrics.enabled: true + controller.metrics.service.enabled: true asserts: - hasDocuments: count: 1 diff --git a/nginx-operator/helm-charts/ingress-nginx/tests/controller-serviceaccount_test.yaml b/nginx-operator/helm-charts/ingress-nginx/tests/controller-serviceaccount_test.yaml new file mode 100644 index 0000000000..928e537720 --- /dev/null +++ b/nginx-operator/helm-charts/ingress-nginx/tests/controller-serviceaccount_test.yaml 
@@ -0,0 +1,47 @@
+suite: Controller > ServiceAccount
+templates:
+ - controller-serviceaccount.yaml
+
+tests:
+ - it: should not create a ServiceAccount if `serviceAccount.create` is false
+ set:
+ serviceAccount.create: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a ServiceAccount if `serviceAccount.create` is true
+ set:
+ serviceAccount.create: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ServiceAccount
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx
+
+ - it: should create a ServiceAccount with specified name if `serviceAccount.name` is set
+ set:
+ serviceAccount.name: ingress-nginx-admission-test-sa
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ServiceAccount
+ - equal:
+ path: metadata.name
+ value: ingress-nginx-admission-test-sa
+
+ - it: should create a ServiceAccount with token auto-mounting disabled if `serviceAccount.automountServiceAccountToken` is false
+ set:
+ serviceAccount.automountServiceAccountToken: false
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ServiceAccount
+ - equal:
+ path: automountServiceAccountToken
+ value: false
diff --git a/nginx-operator/helm-charts/ingress-nginx/tests/default-backend-deployment_test.yaml b/nginx-operator/helm-charts/ingress-nginx/tests/default-backend-deployment_test.yaml
index 4ba4b03d3e..c3fa33968a 100644
--- a/nginx-operator/helm-charts/ingress-nginx/tests/default-backend-deployment_test.yaml
+++ b/nginx-operator/helm-charts/ingress-nginx/tests/default-backend-deployment_test.yaml
@@ -136,6 +136,26 @@ tests: - default-backend topologyKey: kubernetes.io/hostname + - it: should create a Deployment with `runAsGroup` if `defaultBackend.image.runAsGroup` is set + set: + defaultBackend.enabled: true + defaultBackend.image.runAsGroup: 1000 + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext.runAsGroup + value: 1000 + + - it: should create a Deployment with a custom registry if `global.image.registry` is set + set: + global.image.registry: custom.registry.io + defaultBackend.enabled: true + defaultBackend.image.tag: v1.0.0-dev + defaultBackend.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: custom.registry.io/defaultbackend-amd64:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + - it: should create a Deployment with a custom registry if `defaultBackend.image.registry` is set set: defaultBackend.enabled: true diff --git a/nginx-operator/helm-charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml b/nginx-operator/helm-charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml index 0958018620..bfe98e8835 100644 --- a/nginx-operator/helm-charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml +++ b/nginx-operator/helm-charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml 
@@ -46,3 +46,34 @@ tests:
 asserts:
 - hasDocuments:
 count: 0
+
+ - it: should create a PodDisruptionBudget without `minAvailable` and with `maxUnavailable` if `defaultBackend.minAvailable` and `defaultBackend.maxUnavailable` are set
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.replicaCount: 2
+ defaultBackend.minAvailable: 1
+ defaultBackend.maxUnavailable: 1
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PodDisruptionBudget
+ - notExists:
+ path: spec.minAvailable
+ - equal:
+ path: spec.maxUnavailable
+ value: 1
+
+ - it: should create a PodDisruptionBudget with `unhealthyPodEvictionPolicy` if `defaultBackend.unhealthyPodEvictionPolicy` is set
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.replicaCount: 2
+ defaultBackend.unhealthyPodEvictionPolicy: IfHealthyBudget
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PodDisruptionBudget
+ - equal:
+ path: spec.unhealthyPodEvictionPolicy
+ value: IfHealthyBudget
diff --git a/nginx-operator/helm-charts/ingress-nginx/tests/default-backend-serviceaccount_test.yaml b/nginx-operator/helm-charts/ingress-nginx/tests/default-backend-serviceaccount_test.yaml
new file mode 100644
index 0000000000..05a815d0aa
--- /dev/null
+++ b/nginx-operator/helm-charts/ingress-nginx/tests/default-backend-serviceaccount_test.yaml
@@ -0,0 +1,51 @@ +suite: Default Backend > ServiceAccount +templates: + - default-backend-serviceaccount.yaml + +tests: + - it: should not create a ServiceAccount if `defaultBackend.serviceAccount.create` is false + set: + defaultBackend.enabled: true + defaultBackend.serviceAccount.create: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a ServiceAccount if `defaultBackend.serviceAccount.create` is true + set: + defaultBackend.enabled: true + defaultBackend.serviceAccount.create: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceAccount + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-backend + + - it: should create a ServiceAccount with specified name if `defaultBackend.serviceAccount.name` is set + set: + defaultBackend.enabled: true + defaultBackend.serviceAccount.name: ingress-nginx-admission-test-sa + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceAccount + - equal: + path: metadata.name + value: ingress-nginx-admission-test-sa + + - it: should create a ServiceAccount with token auto-mounting disabled if `defaultBackend.serviceAccount.automountServiceAccountToken` is false + set: + defaultBackend.enabled: true + defaultBackend.serviceAccount.automountServiceAccountToken: false + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceAccount + - equal: + path: automountServiceAccountToken + value: false diff --git a/nginx-operator/helm-charts/ingress-nginx/values.yaml b/nginx-operator/helm-charts/ingress-nginx/values.yaml index 6c44a3a921..4bd39d4ddc 100644 --- a/nginx-operator/helm-charts/ingress-nginx/values.yaml +++ b/nginx-operator/helm-charts/ingress-nginx/values.yaml @@ -2,6 +2,10 @@ ## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/index.md ## +global: + image: + # -- Registry host to pull images from. + registry: registry.k8s.io ## Overrides for generated resource names # See templates/_helpers.tpl # nameOverride: 
@@ -17,28 +21,30 @@ commonLabels: {} controller: name: controller - enableAnnotationValidations: false + enableAnnotationValidations: true image: ## Keep false as default for now! chroot: false - registry: registry.k8s.io + # registry: registry.k8s.io image: ingress-nginx/controller ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: "v1.11.3" - digest: sha256:d56f135b6462cfc476447cfe564b83a45e8bb7da2774963b00d12161112270b7 - digestChroot: sha256:22701f0fc0f2dd209ef782f4e281bfe2d8cccd50ededa00aec88e0cdbe7edd14 + tag: "v1.12.0" + digest: sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa + digestChroot: sha256:87c88e1c38a6c8d4483c8f70b69e2cca49853bb3ec3124b9b1be648edf139af3 pullPolicy: IfNotPresent runAsNonRoot: true - # www-data -> uid 101 + # -- This value must not be changed using the official image. + # uid=101(www-data) gid=82(www-data) groups=82(www-data) runAsUser: 101 + # -- This value must not be changed using the official image. + # uid=101(www-data) gid=82(www-data) groups=82(www-data) + runAsGroup: 82 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault readOnlyRootFilesystem: false - # -- Use an existing PSP instead of creating one - existingPsp: "" # -- Configures the controller container name containerName: controller # -- Configures the ports that the nginx-controller listens on @@ -236,6 +242,9 @@ controller: # maxUnavailable: 1 # type: RollingUpdate + # -- Specifies the number of seconds you want to wait for the controller deployment to progress before the system reports back that it has failed. + # Ref.: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds + progressDeadlineSeconds: 0 # -- `minReadySeconds` to avoid killing pods before we are ready ## minReadySeconds: 0 
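Review bot: `enableAnnotationValidations` flips from `false` to `true` near the top of the `controller:` block (which continues past this hunk), and nothing in the hunk documents the change. As far as I know this flag turns on the controller's validation of Ingress annotation values, which is the safer default, but Ingress objects accepted under the previous chart may be rejected or ignored after the upgrade, so the annotations this project deploys should be checked before the bump ships. Because this file tracks the upstream chart, I would leave it as is and state the choice in the values the operator passes to the chart (not visible in this diff), for example `enableAnnotationValidations: true` under `controller:` with the comment `# default changed to true with chart 4.12.0`. The same hunk removes `existingPsp`, so an override that still sets it should be dropped as well; presumably it would otherwise be ignored without an error.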
@@ -301,6 +310,8 @@ controller: # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' # app.kubernetes.io/instance: '{{ .Release.Name }}' # app.kubernetes.io/component: controller + # matchLabelKeys: + # - pod-template-hash # topologyKey: topology.kubernetes.io/zone # maxSkew: 1 # whenUnsatisfiable: ScheduleAnyway @@ -309,6 +320,8 @@ controller: # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' # app.kubernetes.io/instance: '{{ .Release.Name }}' # app.kubernetes.io/component: controller + # matchLabelKeys: + # - pod-template-hash # topologyKey: kubernetes.io/hostname # maxSkew: 1 # whenUnsatisfiable: ScheduleAnyway @@ -374,7 +387,9 @@ controller: minAvailable: 1 # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. # maxUnavailable: 1 - + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes ## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903 ## Ideally, there should be no limits. @@ -675,11 +690,11 @@ controller: # image: busybox # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] - # -- Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module + # -- Modules, which are mounted into the core nginx image. extraModules: [] # - name: mytestmodule # image: - # registry: registry.k8s.io + # # registry: registry.k8s.io # image: ingress-nginx/mytestmodule # ## for backwards compatibility consider setting the full image url via the repository value below # ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail 
@@ -690,6 +705,7 @@ controller: # containerSecurityContext: # runAsNonRoot: true # runAsUser: + # runAsGroup: # allowPrivilegeEscalation: false # seccompProfile: # type: RuntimeDefault @@ -703,30 +719,6 @@ controller: # will be executed as initContainers, to move its config files within the # mounted volume. - opentelemetry: - enabled: false - name: opentelemetry - image: - registry: registry.k8s.io - image: ingress-nginx/opentelemetry-1.25.3 - ## for backwards compatibility consider setting the full image url via the repository value below - ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail - ## repository: - tag: v20240813-b933310d - digest: sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922 - distroless: true - containerSecurityContext: - runAsNonRoot: true - # -- The image's default user, inherited from its base image `cgr.dev/chainguard/static`. - runAsUser: 65532 - allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - resources: {} admissionWebhooks: name: admission annotations: {} @@ -754,8 +746,6 @@ controller: objectSelector: {} # -- Labels to be added to admission webhooks labels: {} - # -- Use an existing PSP instead of creating one - existingPsp: "" service: annotations: {} # clusterIP: "" @@ -770,6 +760,7 @@ controller: securityContext: runAsNonRoot: true runAsUser: 65532 + runAsGroup: 65532 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault @@ -790,6 +781,7 @@ controller: securityContext: runAsNonRoot: true runAsUser: 65532 + runAsGroup: 65532 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault 
@@ -801,13 +793,13 @@ controller: patch: enabled: true image: - registry: registry.k8s.io + # registry: registry.k8s.io image: ingress-nginx/kube-webhook-certgen ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: v1.4.4 - digest: sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f + tag: v1.5.0 + digest: sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4 pullPolicy: IfNotPresent # -- Provide a priority class name to the webhook patching job ## @@ -855,6 +847,8 @@ controller: # if this port is changed, change healthz-port: in extraArgs: accordingly enabled: false service: + # -- Enable the metrics service or not. + enabled: true annotations: {} # prometheus.io/scrape: "true" # prometheus.io/port: "10254" @@ -893,6 +887,8 @@ controller: prometheusRule: enabled: false additionalLabels: {} + # -- Annotations to be added to the PrometheusRule. + annotations: {} # namespace: "" rules: [] # # These are just examples rules, please adapt them to your needs @@ -956,7 +952,7 @@ defaultBackend: enabled: false name: defaultbackend image: - registry: registry.k8s.io + # registry: registry.k8s.io image: defaultbackend-amd64 ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail @@ -966,12 +962,11 @@ defaultBackend: runAsNonRoot: true # nobody user -> uid 65534 runAsUser: 65534 + runAsGroup: 65534 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault readOnlyRootFilesystem: true - # -- Use an existing PSP instead of creating one - existingPsp: "" extraArgs: {} serviceAccount: create: true 
@@ -1065,6 +1060,8 @@ defaultBackend: # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' # app.kubernetes.io/instance: '{{ .Release.Name }}' # app.kubernetes.io/component: default-backend + # matchLabelKeys: + # - pod-template-hash # topologyKey: topology.kubernetes.io/zone # maxSkew: 1 # whenUnsatisfiable: ScheduleAnyway @@ -1073,6 +1070,8 @@ defaultBackend: # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' # app.kubernetes.io/instance: '{{ .Release.Name }}' # app.kubernetes.io/component: default-backend + # matchLabelKeys: + # - pod-template-hash # topologyKey: kubernetes.io/hostname # maxSkew: 1 # whenUnsatisfiable: ScheduleAnyway @@ -1094,7 +1093,13 @@ defaultBackend: podAnnotations: {} replicaCount: 1 # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" resources: {} # limits: # cpu: 10m @@ -1158,10 +1163,6 @@ defaultBackend: rbac: create: true scope: false -## If true, create & use Pod Security Policy resources -## https://kubernetes.io/docs/concepts/policy/pod-security-policy/ -podSecurityPolicy: - enabled: false serviceAccount: create: true name: "" diff --git a/salt/metalk8s/addons/nginx-ingress/deployed/files/ingress-nginx-performance.json b/salt/metalk8s/addons/nginx-ingress/deployed/files/ingress-nginx-performance.json index 61db983a65..cde796384c 100644 --- a/salt/metalk8s/addons/nginx-ingress/deployed/files/ingress-nginx-performance.json +++ b/salt/metalk8s/addons/nginx-ingress/deployed/files/ingress-nginx-performance.json 
@@ -893,104 +893,6 @@ ], "title": "Average Response Size by Method and Path", "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 10, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "never", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "links": [], - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green" - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "s" - }, - "overrides": [] - }, - "gridPos": { - "h": 8, - "w": 12, - "x": 0, - "y": 32 - }, - "id": 96, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "pluginVersion": "10.4.3", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "expr": "sum (\n rate(\n nginx_ingress_controller_ingress_upstream_latency_seconds_sum {\n ingress =~ \"$ingress\",\n }[5m]\n)) / sum (\n rate(\n nginx_ingress_controller_ingress_upstream_latency_seconds_count {\n ingress =~ \"$ingress\",\n }[5m]\n )\n)\n", - "hide": false, - "instant": false, - "interval": "", - "intervalFactor": 1, - "legendFormat": "average", - "refId": "B" - } - ], - "title": "Upstream Service Latency", - "type": "timeseries" } ], "refresh": "30s", 
diff --git a/salt/metalk8s/addons/nginx-operator/deployed/clusterextension.sls b/salt/metalk8s/addons/nginx-operator/deployed/clusterextension.sls
index f684d5d882..a2b242ead6 100644
--- a/salt/metalk8s/addons/nginx-operator/deployed/clusterextension.sls
+++ b/salt/metalk8s/addons/nginx-operator/deployed/clusterextension.sls
@@ -13,4 +13,4 @@ spec:
 sourceType: Catalog
 catalog:
 packageName: nginx-operator
- version: "v4.11.3"
+ version: "v4.12.0"