diff --git a/.github/workflows/chart.yaml b/.github/workflows/chart.yaml index 7c37447af..f2c017fd5 100644 --- a/.github/workflows/chart.yaml +++ b/.github/workflows/chart.yaml @@ -23,7 +23,7 @@ jobs: steps: - name: Set up Python - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: 3.x @@ -31,12 +31,12 @@ jobs: uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 - name: Set up Helm Chart Testing - uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0 + uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - name: Set up Artifact Hub run: | - curl --fail --location https://github.com/artifacthub/hub/releases/download/v1.20.0/ah_1.20.0_linux_amd64.tar.gz --output /tmp/ah.tar.gz - echo "9027626f19ff9f3ac668f222917130ac885e289e922e1428bfd2e7f066324e31 /tmp/ah.tar.gz" | shasum --check + curl --fail --location https://github.com/artifacthub/hub/releases/download/v1.19.0/ah_1.19.0_linux_amd64.tar.gz --output /tmp/ah.tar.gz + echo "0e430493521ce387ca04d79b26646a86f92886dbcceb44985bb71082a9530ca5 /tmp/ah.tar.gz" | shasum --check sudo tar --extract --file /tmp/ah.tar.gz --directory /usr/local/bin ah - name: Set up Git @@ -55,7 +55,7 @@ jobs: ah lint --path charts/ingress-nginx - name: Release chart - uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0 + uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0 env: CR_TOKEN: ${{ secrets.GITHUB_TOKEN }} CR_RELEASE_NAME_TEMPLATE: helm-chart-{{ .Version }} diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index b06cef33c..039651bbb 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -71,22 +71,6 @@ jobs: - 'images/nginx/**' docs: - '**/*.md' - lua: - - '**/*.lua' - - lua-lint: - runs-on: ubuntu-latest - needs: changes - if: | - (needs.changes.outputs.lua == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }} - steps: - - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: Lint Lua - uses: lunarmodules/luacheck@v1 - with: - args: --codes --globals lua_ingress --globals configuration --globals balancer --globals monitor --globals certificate --globals tcp_udp_configuration --globals tcp_udp_balancer --no-max-comment-line-length -q rootfs/etc/nginx/lua/ test-go: runs-on: ubuntu-latest @@ -102,7 +86,7 @@ jobs: - name: Set up Go id: go - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version: ${{ env.GOLANG_VERSION }} check-latest: true @@ -124,7 +108,7 @@ jobs: run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV - name: Set up Go id: go - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version: ${{ env.GOLANG_VERSION }} check-latest: true @@ -153,17 +137,17 @@ jobs: - name: Set up Go id: go - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version: ${{ steps.golangversion.outputs.version }} check-latest: true - name: Set up QEMU - uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0 + uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 with: version: latest @@ -172,7 +156,7 @@ jobs: - name: Prepare Host run: | - curl -LO https://dl.k8s.io/release/v1.32.2/bin/linux/amd64/kubectl + curl -LO https://dl.k8s.io/release/v1.27.3/bin/linux/amd64/kubectl chmod +x ./kubectl sudo mv ./kubectl /usr/local/bin/kubectl @@ -202,7 +186,7 @@ jobs: | gzip > docker.tar.gz - name: cache - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 + uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 with: name: docker.tar.gz path: docker.tar.gz @@ -218,7 +202,7 @@ jobs: steps: - name: Set up Python - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: 3.x @@ -226,12 +210,12 @@ jobs: uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 - name: Set up Helm Chart Testing - uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0 + uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - name: Set up Artifact Hub run: | - curl --fail --location https://github.com/artifacthub/hub/releases/download/v1.20.0/ah_1.20.0_linux_amd64.tar.gz --output /tmp/ah.tar.gz - echo "9027626f19ff9f3ac668f222917130ac885e289e922e1428bfd2e7f066324e31 /tmp/ah.tar.gz" | shasum --check + curl --fail --location https://github.com/artifacthub/hub/releases/download/v1.19.0/ah_1.19.0_linux_amd64.tar.gz --output /tmp/ah.tar.gz + echo "0e430493521ce387ca04d79b26646a86f92886dbcceb44985bb71082a9530ca5 /tmp/ah.tar.gz" | shasum --check sudo tar --extract --file /tmp/ah.tar.gz --directory /usr/local/bin ah - name: Set up Helm Docs @@ -270,7 +254,7 @@ jobs: strategy: matrix: - k8s: [v1.28.15, v1.29.12, v1.30.8, v1.31.4, v1.32.0] + k8s: [v1.26.15, v1.27.16, v1.28.15, v1.29.12, v1.30.8] steps: - name: Checkout code @@ -301,11 +285,26 @@ jobs: (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }} strategy: matrix: - k8s: [v1.28.15, v1.29.12, v1.30.8, v1.31.4, v1.32.0] + k8s: [v1.26.15, v1.27.16, v1.28.15, v1.29.12, v1.30.8] uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml with: k8s-version: ${{ matrix.k8s }} + kubernetes-validations: + name: Kubernetes with Validations + needs: + - changes + - build + if: | + (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }} + strategy: + matrix: + k8s: [v1.26.15, v1.27.16, v1.28.15, v1.29.12, v1.30.8] + uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml + with: + k8s-version: ${{ matrix.k8s }} + variation: "VALIDATIONS" + kubernetes-chroot: name: Kubernetes chroot needs: @@ -315,7 +314,7 @@ jobs: (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }} strategy: matrix: - k8s: [v1.28.15, v1.29.12, v1.30.8, v1.31.4, v1.32.0] + k8s: [v1.26.15, v1.27.16, v1.28.15, v1.29.12, v1.30.8] uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml with: k8s-version: ${{ matrix.k8s }} diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index f57878084..942ef9a6d 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -22,13 +22,13 @@ jobs: - name: Set up Go id: go - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version: ${{ env.GOLANG_VERSION }} check-latest: true - name: golangci-lint - uses: golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837 # v6.5.0 + uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1 with: version: v1.62 only-new-issues: true diff --git a/.github/workflows/images.yaml b/.github/workflows/images.yaml index 6d32f56f6..a3238604d 100644 --- a/.github/workflows/images.yaml +++ b/.github/workflows/images.yaml @@ -36,6 +36,7 @@ jobs: kube-webhook-certgen: ${{ steps.filter.outputs.kube-webhook-certgen }} ext-auth-example-authsvc: ${{ steps.filter.outputs.ext-auth-example-authsvc }} nginx: ${{ steps.filter.outputs.nginx }} + opentelemetry: ${{ steps.filter.outputs.opentelemetry }} steps: - name: Checkout @@ -63,6 +64,8 @@ jobs: - 'images/ext-auth-example-authsvc/**' nginx: - 'images/nginx/**' + opentelemetry: + - 'images/opentelemetry/**' #### TODO: Make the below jobs 'less dumb' and use the job name as parameter (the github.job context does not work here) cfssl: @@ -135,7 +138,7 @@ jobs: (needs.changes.outputs.kube-webhook-certgen == 'true') strategy: matrix: - k8s: [v1.28.15, v1.29.12, v1.30.8, v1.31.4, v1.32.0] + k8s: [v1.26.15, v1.27.16, v1.28.15, v1.29.12, v1.30.8] steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -145,7 +148,7 @@ jobs: - name: Set up Go id: go - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version: ${{ env.GOLANG_VERSION }} check-latest: true @@ -160,6 +163,23 @@ jobs: run: | cd images/ && make NAME=kube-webhook-certgen test test-e2e + opentelemetry: + runs-on: ubuntu-latest + env: + PLATFORMS: linux/amd64,linux/arm,linux/arm64 + needs: changes + if: | + (needs.changes.outputs.opentelemetry == 'true') + strategy: + matrix: + nginx: ['1.25.3', '1.21.6'] + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: image build + run: | + cd images/opentelemetry && make NGINX_VERSION=${{ matrix.nginx }} build + nginx: permissions: contents: write @@ -174,10 +194,10 @@ jobs: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up QEMU - uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0 + uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 with: version: latest platforms: ${{ env.PLATFORMS }} diff --git a/.github/workflows/plugin.yaml b/.github/workflows/plugin.yaml index 20f2caeae..a9c5c9248 100644 --- a/.github/workflows/plugin.yaml +++ b/.github/workflows/plugin.yaml @@ -20,14 +20,14 @@ jobs: run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV - name: Set up Go - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version: ${{ env.GOLANG_VERSION }} check-latest: true - name: Run GoReleaser Snapshot if: ${{ ! startsWith(github.ref, 'refs/tags/') }} - uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 # v6.2.1 + uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0 with: version: "~> v2" args: release --snapshot --clean @@ -36,7 +36,7 @@ jobs: - name: Run GoReleaser if: ${{ startsWith(github.ref, 'refs/tags/') }} - uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 # v6.2.1 + uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0 with: version: "~> v2" args: release --clean diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index a4473710d..916235c42 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -51,7 +51,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 + uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 with: name: SARIF file path: results.sarif @@ -59,6 +59,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9 + uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 with: sarif_file: results.sarif diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml index 45a7cd320..a7c245295 100644 --- a/.github/workflows/stale.yaml +++ b/.github/workflows/stale.yaml @@ -13,7 +13,7 @@ jobs: pull-requests: write steps: - - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0 + - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: stale-issue-message: "This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach `#ingress-nginx-dev` on Kubernetes Slack." stale-pr-message: "This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach `#ingress-nginx-dev` on Kubernetes Slack." diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index 4461d9757..3838dde75 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -75,7 +75,7 @@ jobs: # This step checks out a copy of your repository. - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9 + uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 with: token: ${{ github.token }} # Path to SARIF file relative to the root of the repository diff --git a/.github/workflows/zz-tmpl-k8s-e2e.yaml b/.github/workflows/zz-tmpl-k8s-e2e.yaml index c46e4a957..bed0af207 100644 --- a/.github/workflows/zz-tmpl-k8s-e2e.yaml +++ b/.github/workflows/zz-tmpl-k8s-e2e.yaml @@ -43,13 +43,14 @@ jobs: SKIP_CLUSTER_CREATION: true SKIP_INGRESS_IMAGE_CREATION: true SKIP_E2E_IMAGE_CREATION: true + ENABLE_VALIDATIONS: ${{ inputs.variation == 'VALIDATIONS' }} IS_CHROOT: ${{ inputs.variation == 'CHROOT' }} run: | kind get kubeconfig > $HOME/.kube/kind-config-kind make kind-e2e-test - name: Upload e2e junit-reports ${{ inputs.variation }} - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 + uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 if: success() || failure() with: name: e2e-test-reports-${{ inputs.k8s-version }}${{ inputs.variation }} diff --git a/.golangci.yml b/.golangci.yml index 729468711..2d73e14e7 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -2,7 +2,6 @@ run: timeout: 10m allow-parallel-runners: true -issues: # Maximum issues count per one linter. Set to 0 to disable. Default is 50. max-issues-per-linter: 0 @@ -227,6 +226,9 @@ linters-settings: nolintlint: # Enable to ensure that nolint directives are all used. Default is true. allow-unused: false + # Disable to ensure that nolint directives don't have a leading space. Default is true. + # TODO(lint): Enforce machine-readable `nolint` directives + allow-leading-space: true # Exclude following linters from requiring an explanation. Default is []. allow-no-explanation: [] # Enable to require an explanation of nonzero length after each nolint directive. Default is false. diff --git a/.luacheckrc b/.luacheckrc index 5a1c249fe..a24399e26 100644 --- a/.luacheckrc +++ b/.luacheckrc @@ -1,6 +1,6 @@ std = 'ngx_lua' max_line_length = 100 -exclude_files = {'./rootfs/etc/nginx/lua/test/**/*.lua'} +exclude_files = {'./rootfs/etc/nginx/lua/test/**/*.lua', './rootfs/etc/nginx/lua/plugins/**/test/**/*.lua'} files["rootfs/etc/nginx/lua/lua_ingress.lua"] = { ignore = { "122" }, -- TODO(elvinefendi) figure out why this does not work diff --git a/GOLANG_VERSION b/GOLANG_VERSION index d8c40e539..27ddcc14d 100644 --- a/GOLANG_VERSION +++ b/GOLANG_VERSION @@ -1 +1 @@ -1.23.6 +1.23.4 diff --git a/MANUAL_RELEASE.md b/MANUAL_RELEASE.md index 0ae7a4e37..8a6b10bc1 100644 --- a/MANUAL_RELEASE.md +++ b/MANUAL_RELEASE.md @@ -93,7 +93,7 @@ Promoting the images basically means that images, that were pushed to staging co ``` ... - pushing manifest for us-central1-docker.pkg.dev/k8s-staging-images/ingress-nginx/controller:v1.0.2@sha256:e15fac6e8474d77e1f017edc33d804ce72a184e3c0a30963b2a0d7f0b89f6b16 + pushing manifest for gcr.io/k8s-staging-ingress-nginx/controller:v1.0.2@sha256:e15fac6e8474d77e1f017edc33d804ce72a184e3c0a30963b2a0d7f0b89f6b16 ... ``` @@ -113,7 +113,7 @@ Promoting the images basically means that images, that were pushed to staging co - For making, it easier, you can edit your branch directly in the browser. But be careful about making any mistake. -- Insert the sha(s) & the tag(s), in a new line, in this file [Project kubernetes/k8s.io Ingress-Nginx-Controller Images](https://github.com/kubernetes/k8s.io/blob/main/registry.k8s.io/images/k8s-staging-ingress-nginx/images.yaml) Look at this [example PR and the diff](https://github.com/kubernetes/k8s.io/pull/2536) to see how it was done before +- Insert the sha(s) & the tag(s), in a new line, in this file [Project kubernetes/k8s.io Ingress-Nginx-Controller Images](https://github.com/kubernetes/k8s.io/blob/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml) Look at this [example PR and the diff](https://github.com/kubernetes/k8s.io/pull/2536) to see how it was done before - Save and commit diff --git a/Makefile b/Makefile index 0b8f1f5c2..3ff56fc47 100644 --- a/Makefile +++ b/Makefile @@ -58,7 +58,7 @@ ifneq ($(PLATFORM),) PLATFORM_FLAG="--platform" endif -REGISTRY ?= us-central1-docker.pkg.dev/k8s-staging-images/ingress-nginx +REGISTRY ?= gcr.io/k8s-staging-ingress-nginx BASE_IMAGE ?= $(shell cat NGINX_BASE) diff --git a/NEW_CONTRIBUTOR.md b/NEW_CONTRIBUTOR.md index c9668430c..20c4e3daa 100644 --- a/NEW_CONTRIBUTOR.md +++ b/NEW_CONTRIBUTOR.md @@ -325,9 +325,9 @@ minikube start 🐳 Preparing Kubernetes v1.23.3 on Docker 20.10.12 ... ▪ kubelet.housekeeping-interval=5m 🔎 Verifying Kubernetes components... - ▪ Using image registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1 - ▪ Using image registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1 - ▪ Using image registry.k8s.io/ingress-nginx/controller:v1.2.1 + ▪ Using image k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1 + ▪ Using image k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1 + ▪ Using image k8s.gcr.io/ingress-nginx/controller:v1.2.1 ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5 🔎 Verifying ingress addon... 🌟 Enabled addons: ingress, storage-provisioner, default-storageclass diff --git a/NGINX_BASE b/NGINX_BASE index dd8d6c586..5d0baff5f 100644 --- a/NGINX_BASE +++ b/NGINX_BASE @@ -1 +1 @@ -registry.k8s.io/ingress-nginx/nginx:v2.0.0@sha256:3e7bda4cf5111d283ed1e4ff5cc9a2b5cdc5ebe62d50ba67473d3e25b1389133 +registry.k8s.io/ingress-nginx/nginx:v0.2.0@sha256:df33459aa3ef83c62d7fb1f1eafc872cf322fa342c0ec97a2533e844267d45b4 diff --git a/README.md b/README.md index c95e644de..0dea68548 100644 --- a/README.md +++ b/README.md @@ -39,17 +39,11 @@ the versions listed. Ingress-Nginx versions **may** work on older versions, but | Supported | Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version | Helm Chart Version | | :-------: | --------------------- | ----------------------------- | -------------- | ------------- | ------------------ | -| 🔄 | **v1.12.0** | 1.32, 1.31, 1.30, 1.29, 1.28 | 3.21.0 | 1.25.5 | 4.12.0 | -| 🔄 | **v1.12.0-beta.0** | 1.32, 1.31, 1.30, 1.29, 1.28 | 3.20.3 | 1.25.5 | 4.12.0-beta.0 | -| 🔄 | **v1.11.4** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.21.0 | 1.25.5 | 4.11.4 | +| 🔄 | **v1.11.4** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.21.0 | 1.25.5 | 4.11.4 | | 🔄 | **v1.11.3** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.3 | 1.25.5 | 4.11.3 | | 🔄 | **v1.11.2** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.11.2 | | 🔄 | **v1.11.1** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.11.1 | | 🔄 | **v1.11.0** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.11.0 | -| | **v1.10.6** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.21.0 | 1.25.5 | 4.10.6 | -| | **v1.10.5** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.3 | 1.25.5 | 4.10.5 | -| | **v1.10.4** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.10.4 | -| | **v1.10.3** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.10.3 | | | **v1.10.2** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.10.2 | | | **v1.10.1** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.19.1 | 1.25.3 | 4.10.1 | | | **v1.10.0** | 1.29, 1.28, 1.27, 1.26 | 3.19.1 | 1.25.3 | 4.10.0 | diff --git a/TAG b/TAG new file mode 100644 index 000000000..f5f1545d8 --- /dev/null +++ b/TAG @@ -0,0 +1 @@ +v1.11.4 diff --git a/build/dev-env.sh b/build/dev-env.sh index dd1518ee0..699c98030 100755 --- a/build/dev-env.sh +++ b/build/dev-env.sh @@ -64,7 +64,7 @@ echo "[dev-env] building image" make build image docker tag "${REGISTRY}/controller:${TAG}" "${DEV_IMAGE}" -export K8S_VERSION=${K8S_VERSION:-v1.32.0@sha256:c48c62eac5da28cdadcf560d1d8616cfa6783b58f0d94cf63ad1bf49600cb027} +export K8S_VERSION=${K8S_VERSION:-v1.29.2@sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245} KIND_CLUSTER_NAME="ingress-nginx-dev" diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh index c4f3b34e0..03cc3de73 100755 --- a/build/run-in-docker.sh +++ b/build/run-in-docker.sh @@ -26,11 +26,14 @@ set -o nounset set -o pipefail # temporal directory for the /etc/ingress-controller directory -if [[ "$OSTYPE" == darwin* ]]; then +if [[ "$OSTYPE" == darwin* ]] && [[ "$RUNTIME" == podman ]]; then mkdir -p "tmp" INGRESS_VOLUME=$(pwd)/$(mktemp -d tmp/XXXXXX) else INGRESS_VOLUME=$(mktemp -d) + if [[ "$OSTYPE" == darwin* ]]; then + INGRESS_VOLUME=/private$INGRESS_VOLUME + fi fi # make sure directory for SSL cert storage exists under ingress volume @@ -41,7 +44,7 @@ function cleanup { } trap cleanup EXIT -E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20250112-a188f4eb@sha256:043038b1e30e5a0b64f3f919f096c5c9488ac3f617ac094b07fb9db8215f9441} +E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20241224-68ed4e7b@sha256:871642296ebc0dd386f9a43b0cf2606028d757d6c4a2737d41180f02f8172823} if [[ "$RUNTIME" == podman ]]; then # Podman does not support both tag and digest @@ -79,7 +82,7 @@ if [[ "$DOCKER_IN_DOCKER_ENABLED" == "true" ]]; then echo "..reached DIND check TRUE block, inside run-in-docker.sh" echo "FLAGS=$FLAGS" #go env - go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.22.2 + go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.22.1 find / -type f -name ginkgo 2>/dev/null which ginkgo /bin/bash -c "${FLAGS}" diff --git a/changelog/controller-1.10.3.md b/changelog/controller-1.10.3.md deleted file mode 100644 index 1cbc77951..000000000 --- a/changelog/controller-1.10.3.md +++ /dev/null @@ -1,37 +0,0 @@ -# Changelog - -### controller-v1.10.3 - -Images: - -* registry.k8s.io/ingress-nginx/controller:v1.10.3@sha256:b5a5082f8e508cc1aac1c0ef101dc2f87b63d51598a5747d81d6cf6e7ba058fd -* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.3@sha256:9033e04bd3cd01f92414f8d5999c5095734d4caceb4923942298152a38373d4b - -### All changes: - -* Images: Trigger `controller` v1.10.3 build. (#11648) -* Tests: Bump `test-runner` to v20240717-1fe74b5f. (#11646) -* Images: Re-run `test-runner` build. (#11643) -* Images: Trigger `test-runner` build. (#11639) -* Images: Bump `NGINX_BASE` to v0.0.10. (#11637) -* Images: Trigger NGINX build. (#11631) -* bump testing runner (#11626) -* remove modsecurity coreruleset test files from nginx image (#11619) -* unskip the ocsp tests and update images to fix cfssl bug (#11615) -* Fix indent in YAML for example pod (#11609) -* Images: Bump `test-runner`. (#11604) -* Images: Bump `NGINX_BASE` to v0.0.9. (#11601) -* revert module upgrade (#11595) -* README: Fix support matrix. (#11593) -* Mage: Stop mutating release notes. (#11582) -* Images: Bump `kube-webhook-certgen`. (#11583) - -### Dependency updates: - -* Bump github.com/prometheus/common from 0.54.0 to 0.55.0 (#11622) -* Bump the all group with 5 updates (#11613) -* Bump golang.org/x/crypto from 0.24.0 to 0.25.0 (#11579) -* Bump google.golang.org/grpc from 1.64.0 to 1.65.0 (#11577) -* Bump the all group with 4 updates (#11574) - -**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.2...controller-v1.10.3 diff --git a/changelog/controller-1.10.4.md b/changelog/controller-1.10.4.md deleted file mode 100644 index 9a4e8025b..000000000 --- a/changelog/controller-1.10.4.md +++ /dev/null @@ -1,53 +0,0 @@ -# Changelog - -### controller-v1.10.4 - -Images: - -* registry.k8s.io/ingress-nginx/controller:v1.10.4@sha256:505b9048c02dde3d6c8667bf0b52aba7b36adf7b03da34c47d5fa312d2d4c6fc -* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.4@sha256:bf71acf6e71830a4470e2183e3bc93c4f006b954f8a05fb434242ef0f8a24858 - -### All changes: - -* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11811) -* Images: Trigger controller build. (#11808) -* Tests & Docs: Bump images. (#11804) -* Images: Trigger failed builds. (#11801) -* Images: Trigger other builds. (#11797) -* Controller: Fix panic in alternative backend merging. (#11793) -* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11791) -* Images: Trigger `test-runner` build. (#11786) -* Images: Bump `NGINX_BASE` to v0.0.12. (#11783) -* Images: Trigger NGINX build. (#11780) -* Cloud Build: Add missing config, remove unused ones. (#11776) -* Generate correct output on NumCPU() when using cgroups2 (#11775) -* Cloud Build: Tweak timeouts. (#11762) -* Cloud Build: Fix substitutions. (#11759) -* Cloud Build: Some chores. (#11756) -* Go: Bump to v1.22.6. (#11748) -* Images: Bump `NGINX_BASE` to v0.0.11. (#11744) -* Images: Trigger NGINX build. (#11736) -* docs: update OpenSSL Roadmap link (#11734) -* Go: Bump to v1.22.5. (#11731) -* Docs: Fix typo in AWS LB Controller reference (#11724) -* Perform some cleaning operations on line breaks. (#11722) -* Missing anchors in regular expression. (#11718) -* Docs: Fix `from-to-www` redirect description. (#11715) -* Chart: Remove `isControllerTagValid`. (#11714) -* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11704) -* Docs: Clarify `from-to-www` redirect direction. (#11692) -* added real-client-ip faq (#11665) -* Docs: Format NGINX configuration table. (#11660) - -### Dependency updates: - -* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11772) -* Bump the all group with 2 updates (#11770) -* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11768) -* Bump the all group with 3 updates (#11729) -* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11700) -* Bump the all group with 2 updates (#11697) -* Bump the all group with 4 updates (#11676) -* Bump the all group with 2 updates (#11674) - -**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.3...controller-v1.10.4 diff --git a/changelog/controller-1.10.5.md b/changelog/controller-1.10.5.md deleted file mode 100644 index 82be0a608..000000000 --- a/changelog/controller-1.10.5.md +++ /dev/null @@ -1,90 +0,0 @@ -# Changelog - -### controller-v1.10.5 - -Images: - -* registry.k8s.io/ingress-nginx/controller:v1.10.5@sha256:c84d11b1f7bd14ebbf49918a7f0dc01b31c0c6e757e0129520ea93453096315c -* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.5@sha256:030a43bdd5f0212a7e135cc4da76b15a6706ef65a6824eb4cc401f87a81c2987 - -### All changes: - -* Images: Trigger controller build. (#12133) -* Tests & Docs: Bump `e2e-test-echo` to v1.0.1. (#12146) -* Images: Trigger `e2e-test-echo` build. (#12142) -* Images: Drop `s390x`. (#12139) -* Images: Build `s390x` controller. (#12128) -* Chart: Bump Kube Webhook CertGen. (#12122) -* Tests & Docs: Bump images. (#12120) -* Cloud Build: Bump `gcb-docker-gcloud` to v20240718-5ef92b5c36. (#12116) -* Images: Trigger other builds. (#12111) -* Tests: Bump `e2e-test-runner` to v20241004-114a6abb. (#12104) -* Images: Trigger `test-runner` build. (#12101) -* Docs: Add a multi-tenant warning. (#12098) -* Go: Bump to v1.22.8. (#12093) -* Images: Bump `NGINX_BASE` to v0.1.0. (#12079) -* Images: Trigger NGINX build. (#12077) -* Images: Remove NGINX v1.21. (#12057) -* GitHub: Improve Dependabot. (#12037) -* Chart: Improve CI. (#12029) -* Chart: Extend image tests. (#12026) -* Docs: Add health check annotations for AWS. (#12021) -* Docs: Convert `opentelemetry.md` from CRLF to LF. (#12007) -* Chart: Test `controller.minAvailable` & `controller.maxUnavailable`. (#12001) -* Chart: Align default backend `PodDisruptionBudget`. (#11998) -* Metrics: Fix namespace in `nginx_ingress_controller_ssl_expire_time_seconds`. (#11985) -* Chart: Improve default backend service account. (#11973) -* Go: Bump to v1.22.7. (#11969) -* Images: Bump OpenTelemetry C++ Contrib. (#11950) -* Docs: Add note about `--watch-namespace`. (#11948) -* Images: Use latest Alpine 3.20 everywhere. (#11945) -* Fix minor typos (#11940) -* Chart: Implement `controller.admissionWebhooks.service.servicePort`. (#11933) -* Tests: Bump `e2e-test-runner` to v20240829-2c421762. (#11920) -* Images: Trigger `test-runner` build. (#11918) -* Chart: Add tests for `PrometheusRule` & `ServiceMonitor`. (#11888) -* Annotations: Allow commas in URLs. (#11886) -* CI: Grant checks write permissions to E2E Test Report. (#11884) -* Update maxmind post link about geolite2 license changes (#11880) -* Go: Sync `go.work.sum`. (#11876) -* Replace deprecated queue method (#11858) -* Auto-generate annotation docs (#11835) - -### Dependency updates: - -* Bump the actions group with 3 updates (#12150) -* Bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#12108) -* Bump the actions group with 3 updates (#12096) -* Bump sigs.k8s.io/mdtoc from 1.1.0 to 1.4.0 (#12088) -* Bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#12086) -* Bump google.golang.org/grpc from 1.67.0 to 1.67.1 in the go group across 1 directory (#12084) -* Bump k8s.io/cli-runtime from 0.30.0 to 0.31.1 (#12082) -* Bump github/codeql-action from 3.26.9 to 3.26.10 in the actions group (#12054) -* Bump the go group across 1 directory with 3 updates (#12052) -* Bump k8s.io/kube-aggregator from 0.29.3 to 0.31.1 in /images/kube-webhook-certgen/rootfs (#12048) -* Bump k8s.io/apimachinery from 0.23.1 to 0.31.1 in /images/ext-auth-example-authsvc/rootfs (#12044) -* Bump github.com/prometheus/client_golang from 1.11.1 to 1.20.4 in /images/custom-error-pages/rootfs (#12045) -* Bump the all group with 2 updates (#12035) -* Bump github/codeql-action from 3.26.7 to 3.26.8 in the all group (#12015) -* Bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#12013) -* Bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group (#12011) -* Bump the all group with 2 updates (#11979) -* Bump github/codeql-action from 3.26.6 to 3.26.7 in the all group (#11978) -* Bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#11960) -* Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (#11959) -* Bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group (#11956) -* Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#11929) -* Bump the all group with 2 updates (#11924) -* Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.20.2 in the all group (#11912) -* Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#11907) -* Bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#11906) -* Bump github/codeql-action from 3.26.5 to 3.26.6 in the all group (#11905) -* Bump the all group with 2 updates (#11870) -* Bump github/codeql-action from 3.26.2 to 3.26.5 in the all group (#11869) -* Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 (#11848) -* Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.0 (#11847) -* Bump dario.cat/mergo from 1.0.0 to 1.0.1 in the all group (#11846) -* Bump k8s.io/component-base from 0.30.3 to 0.31.0 (#11841) -* Bump github/codeql-action from 3.26.0 to 3.26.2 in the all group (#11833) - -**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.4...controller-v1.10.5 diff --git a/changelog/controller-1.10.6.md b/changelog/controller-1.10.6.md deleted file mode 100644 index 695e418d8..000000000 --- a/changelog/controller-1.10.6.md +++ /dev/null @@ -1,92 +0,0 @@ -# Changelog - -### controller-v1.10.6 - -Images: - -* registry.k8s.io/ingress-nginx/controller:v1.10.6@sha256:b6fbd102255edb3ba8e5421feebe14fd3e94cf53d199af9e40687f536152189c -* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.6@sha256:44ceedafc0e04a75521b5d472c1b6b5cc08afb8038b5bbfd79c21d066ccf300e - -### All changes: - -* Images: Trigger controller build. (#12611) -* Chart: Bump Kube Webhook CertGen. (#12608) -* Tests & Docs: Bump images. (#12605) -* Images: Trigger other builds (2/2). (#12598) -* Images: Trigger other builds (1/2). (#12597) -* Tests: Bump `e2e-test-runner` to v20241224-68ed4e7b. (#12592) -* Images: Trigger `test-runner` build. (#12586) -* Images: Bump `NGINX_BASE` to v0.2.0. (#12584) -* Images: Trigger NGINX build. (#12578) -* Go: Clean `go.work.sum`. (#12575) -* Repository: Update owners. (#12570) -* Images: Bump `gcb-docker-gcloud` to v20241217-ff46a068cd. (#12563) -* CI: Update KIND images. (#12559) -* Images: Bump Alpine to v3.21. (#12530) -* Docs: Add guide on how to set a Maintenance Page. (#12527) -* rikatz is stepping down (#12518) -* rikatz is stepping down (#12497) -* Go: Bump to v1.23.4. (#12485) -* Plugin: Bump `goreleaser` to v2. (#12442) -* GitHub: Fix `exec` in issue template. (#12389) -* CI: Update KIND images. (#12368) -* Images: Bump `gcb-docker-gcloud` to v20241110-72bb0b1665. (#12341) -* Go: Bump to v1.23.3. (#12339) -* Auth TLS: Add `_` to redirect RegEx. (#12328) -* Auth TLS: Improve redirect RegEx. (#12321) -* Tests: Bump `e2e-test-runner` to v20241104-02a3933e. (#12314) -* Images: Trigger `test-runner` build. (#12307) -* Config: Fix panic on invalid `lua-shared-dict`. (#12282) -* Docs: fix limit-rate-after references (#12280) -* Chart: Rework ServiceMonitor. (#12268) -* Chart: Add ServiceAccount tests. (#12266) -* CI: Fix chart testing. (#12260) -* [fix] fix nginx temp configs cleanup (#12224) -* Chart: Suggest `matchLabelKeys` in Topology Spread Constraints. (#12204) -* Docs: Add Pod Security Admission. (#12198) -* Docs: Clarify external & service port in TCP/UDP services explanation. (#12194) - -### Dependency updates: - -* Bump k8s.io/apiextensions-apiserver from 0.31.3 to 0.32.0 (#12565) -* Bump github.com/onsi/ginkgo/v2 from 2.22.0 to 2.22.1 (#12557) -* Bump k8s.io/code-generator from 0.31.3 to 0.32.0 (#12552) -* Bump k8s.io/cli-runtime from 0.31.3 to 0.32.0 (#12549) -* Bump k8s.io/apiserver from 0.31.3 to 0.32.0 (#12546) -* Bump the actions group with 2 updates (#12543) -* Bump google.golang.org/grpc from 1.68.1 to 1.69.2 (#12540) -* Bump k8s.io/client-go from 0.31.3 to 0.32.0 (#12514) -* Bump github.com/opencontainers/runc from 1.2.2 to 1.2.3 in the go group across 1 directory (#12511) -* Bump the actions group with 3 updates (#12508) -* Bump k8s.io/kube-aggregator from 0.31.3 to 0.32.0 in /images/kube-webhook-certgen/rootfs (#12504) -* Bump k8s.io/apimachinery from 0.31.3 to 0.32.0 in /images/ext-auth-example-authsvc/rootfs (#12501) -* Bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#12478) -* Bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /magefiles (#12473) -* Bump github.com/prometheus/common from 0.60.1 to 0.61.0 (#12466) -* Bump github/codeql-action from 3.27.5 to 3.27.6 in the actions group (#12463) -* Bump the go group across 1 directory with 2 updates (#12459) -* Bump github.com/onsi/ginkgo/v2 from 2.21.0 to 2.22.0 (#12425) -* Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#12416) -* Bump the go group across 3 directories with 10 updates (#12414) -* Bump the actions group with 3 updates (#12410) -* Bump github.com/opencontainers/runc from 1.2.1 to 1.2.2 in the go group across 1 directory (#12382) -* Bump github/codeql-action from 3.27.1 to 3.27.4 in the actions group (#12375) -* Bump golangci-lint on actions and disable deprecated linters (#12363) -* Bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#12356) -* Bump the actions group with 3 updates (#12353) -* Bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#12351) -* Bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 (#12297) -* Bump github.com/opencontainers/runc from 1.2.0 to 1.2.1 in the go group across 1 directory (#12294) -* Bump github.com/onsi/ginkgo/v2 from 2.20.2 to 2.21.0 (#12290) -* Bump actions/dependency-review-action from 4.3.5 to 4.4.0 in the actions group (#12275) -* Bump the go group across 3 directories with 11 updates (#12246) -* Bump github.com/opencontainers/runc from 1.1.15 to 1.2.0 (#12241) -* Bump the actions group with 5 updates (#12243) -* Bump github.com/ncabatoff/process-exporter from 0.8.3 to 0.8.4 in the go group across 1 directory (#12219) -* Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 in the actions group (#12215) -* Bump github/codeql-action from 3.26.12 to 3.26.13 in the actions group (#12191) -* Bump the go group across 2 directories with 1 update (#12189) -* Bump the actions group with 2 updates (#12185) -* Bump github.com/opencontainers/runc from 1.1.14 to 1.1.15 in the go group across 1 directory (#12184) - -**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.5...controller-v1.10.6 diff --git a/changelog/controller-1.12.0-beta.0.md b/changelog/controller-1.12.0-beta.0.md deleted file mode 100644 index 5f2fa9d74..000000000 --- a/changelog/controller-1.12.0-beta.0.md +++ /dev/null @@ -1,216 +0,0 @@ -# Changelog - -### controller-v1.12.0-beta.0 - -Images: - -* registry.k8s.io/ingress-nginx/controller:v1.12.0-beta.0@sha256:9724476b928967173d501040631b23ba07f47073999e80e34b120e8db5f234d5 -* registry.k8s.io/ingress-nginx/controller-chroot:v1.12.0-beta.0@sha256:6e2f8f52e1f2571ff65bc4fc4826d5282d5def5835ec4ab433dcb8e659b2fbac - -### All changes: - -* Images: Trigger controller build. (#12154) -* ⚠️ Metrics: Disable by default. (#12153) ⚠️ - - This changes the default of the following CLI arguments: - - * `--enable-metrics` gets disabled by default. - -* Tests & Docs: Bump `e2e-test-echo` to v1.0.1. (#12147) -* Images: Trigger `e2e-test-echo` build. (#12140) -* ⚠️ Images: Drop `s390x`. (#12137) ⚠️ - - Support for the `s390x` architecture has already been removed from the controller image. This also removes it from the NGINX base image and CI relevant images. - -* Images: Build `s390x` controller. (#12126) -* Chart: Bump Kube Webhook CertGen. (#12119) -* Tests & Docs: Bump images. (#12118) -* Cloud Build: Bump `gcb-docker-gcloud` to v20240718-5ef92b5c36. (#12113) -* Images: Trigger other builds. (#12110) -* Tests: Bump `e2e-test-runner` to v20241004-114a6abb. (#12103) -* Images: Trigger `test-runner` build. (#12100) -* Docs: Add a multi-tenant warning. (#12091) -* Go: Bump to v1.22.8. (#12069) -* Images: Bump `NGINX_BASE` to v1.0.0. (#12066) -* Images: Trigger NGINX build. (#12063) -* Images: Remove NGINX v1.21. (#12031) -* Chart: Add `controller.metrics.service.enabled`. (#12056) -* GitHub: Improve Dependabot. (#12033) -* Chart: Add `global.image.registry`. (#12028) -* ⚠️ Images: Remove OpenTelemetry. (#12024) ⚠️ - - OpenTelemetry is still supported, but since the module is built into the controller image since v1.10, we hereby remove the init container and image which were used to install it upon controller startup. - -* Chart: Improve CI. (#12003) -* Chart: Extend image tests. (#12025) -* Chart: Add `controller.progressDeadlineSeconds`. (#12017) -* Docs: Add health check annotations for AWS. (#12018) -* Docs: Convert `opentelemetry.md` from CRLF to LF. (#12005) -* Chart: Implement `unhealthyPodEvictionPolicy`. (#11992) -* Chart: Add `defaultBackend.maxUnavailable`. (#11995) -* Chart: Test `controller.minAvailable` & `controller.maxUnavailable`. (#12000) -* Chart: Align default backend `PodDisruptionBudget`. (#11993) -* Metrics: Fix namespace in `nginx_ingress_controller_ssl_expire_time_seconds`. (#10274) -* ⚠️ Chart: Remove Pod Security Policy. (#11971) ⚠️ - - This removes Pod Security Policies and related resources from the chart. - -* Chart: Improve default backend service account. (#11972) -* Go: Bump to v1.22.7. (#11943) -* NGINX: Remove inline Lua from template. (#11806) -* Images: Bump OpenTelemetry C++ Contrib. (#11629) -* Docs: Add note about `--watch-namespace`. (#11947) -* Images: Use latest Alpine 3.20 everywhere. (#11944) -* Fix minor typos (#11935) -* Chart: Implement `controller.admissionWebhooks.service.servicePort`. (#11931) -* Allow any protocol for cors origins (#11153) -* Tests: Bump `e2e-test-runner` to v20240829-2c421762. (#11919) -* Images: Trigger `test-runner` build. (#11916) -* Chart: Add `controller.metrics.prometheusRule.annotations`. (#11849) -* Chart: Add tests for `PrometheusRule` & `ServiceMonitor`. (#11883) -* Annotations: Allow commas in URLs. (#11882) -* CI: Grant checks write permissions to E2E Test Report. (#11862) -* Chart: Use generic values for `ConfigMap` test. (#11877) -* Security: Follow-up on recent changes. (#11874) -* Lua: Remove plugins from `.luacheckrc` & E2E docs. (#11872) -* Dashboard: Remove `ingress_upstream_latency_seconds`. (#11878) -* Metrics: Add `--metrics-per-undefined-host` argument. (#11818) -* Update maxmind post link about geolite2 license changes (#11861) -* ⚠️ Remove global-rate-limit feature (#11851) ⚠️ - - This removes the following configuration options: - - * `global-rate-limit-memcached-host` - * `global-rate-limit-memcached-port` - * `global-rate-limit-memcached-connect-timeout` - * `global-rate-limit-memcached-max-idle-timeout` - * `global-rate-limit-memcached-pool-size` - * `global-rate-limit-status-code` - - It also removes the following annotations: - - * `global-rate-limit` - * `global-rate-limit-window` - * `global-rate-limit-key` - * `global-rate-limit-ignored-cidrs` - -* Revert "docs: Add deployment for AWS NLB Proxy." (#11857) -* Add custom code handling for temporal redirect (#10651) -* Add native histogram support for histogram metrics (#9971) -* Replace deprecated queue method (#11853) -* ⚠️ Enable security features by default (#11819) ⚠️ - - This changes the default of the following CLI arguments: - - * `--enable-annotation-validation` gets enabled by default. - - It also changes the default of the following configuration options: - - * `allow-cross-namespace-resources` gets disabled by default. - * `annotations-risk-level` gets lowered to "High" by default. - * `strict-validate-path-type` gets enabled by default. - -* docs: Add deployment for AWS NLB Proxy. (#9565) -* ⚠️ Remove 3rd party lua plugin support (#11821) ⚠️ - - This removes the following configuration options: - - * `plugins` - - It also removes support for user provided Lua plugins in the `/etc/nginx/lua/plugins` directory. - -* Auto-generate annotation docs (#11820) -* ⚠️ Metrics: Remove `ingress_upstream_latency_seconds`. (#11795) ⚠️ - - This metric has already been deprecated and is now getting removed. - -* Release controller v1.11.2/v1.10.4 & chart v4.11.2/v4.10.4. (#11816) -* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11809) -* Tests & Docs: Bump images. (#11803) -* Images: Trigger failed builds. (#11800) -* Images: Trigger other builds. (#11796) -* Controller: Fix panic in alternative backend merging. (#11789) -* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11788) -* Images: Trigger `test-runner` build. (#11785) -* Images: Bump `NGINX_BASE` to v0.0.12. (#11782) -* Images: Trigger NGINX build. (#11779) -* Cloud Build: Add missing config, remove unused ones. (#11774) -* Cloud Build: Tweak timeouts. (#11761) -* Cloud Build: Fix substitutions. (#11758) -* Cloud Build: Some chores. (#11633) -* Go: Bump to v1.22.6. (#11747) -* Images: Bump `NGINX_BASE` to v0.0.11. (#11741) -* Images: Trigger NGINX build. (#11735) -* docs: update OpenSSL Roadmap link (#11730) -* Go: Bump to v1.22.5. (#11634) -* Docs: Fix typo in AWS LB Controller reference (#11723) -* Perform some cleaning operations on line breaks. (#11720) -* Missing anchors in regular expression. (#11717) -* Docs: Fix `from-to-www` redirect description. (#11712) -* Chart: Remove `isControllerTagValid`. (#11710) -* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11702) -* Chart: Explicitly set `runAsGroup`. (#11679) -* Docs: Clarify `from-to-www` redirect direction. (#11682) -* added real-client-ip faq (#11663) -* Docs: Format NGINX configuration table. (#11659) -* Release controller v1.11.1/v1.10.3 & chart v4.11.1/v4.10.3. (#11654) -* Tests: Bump `test-runner` to v20240717-1fe74b5f. (#11645) -* Images: Trigger `test-runner` build. (#11636) -* Images: Bump `NGINX_BASE` to v0.0.10. (#11635) -* remove modsecurity coreruleset test files from nginx image (#11617) -* unskip the ocsp tests and update images to fix cfssl bug (#11606) -* Fix indent in YAML for example pod (#11598) -* Images: Bump `test-runner`. (#11600) -* Images: Bump `NGINX_BASE` to v0.0.9. (#11599) -* revert module upgrade (#11594) -* README: Fix support matrix. (#11586) -* Repository: Add changelogs from `release-v1.10`. (#11587) - -### Dependency updates: - -* Bump the actions group with 3 updates (#12152) -* Bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#12107) -* Bump the actions group with 3 updates (#12092) -* Bump sigs.k8s.io/mdtoc from 1.1.0 to 1.4.0 (#12062) -* Bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#12060) -* Bump google.golang.org/grpc from 1.67.0 to 1.67.1 in the go group across 1 directory (#12059) -* Bump k8s.io/cli-runtime from 0.30.0 to 0.31.1 (#12061) -* Bump github/codeql-action from 3.26.9 to 3.26.10 in the actions group (#12051) -* Bump the go group across 1 directory with 3 updates (#12050) -* Bump k8s.io/kube-aggregator from 0.29.3 to 0.31.1 in /images/kube-webhook-certgen/rootfs (#12043) -* Bump k8s.io/apimachinery from 0.23.1 to 0.31.1 in /images/ext-auth-example-authsvc/rootfs (#12041) -* Bump github.com/prometheus/client_golang from 1.11.1 to 1.20.4 in /images/custom-error-pages/rootfs (#12040) -* Bump the all group with 2 updates (#12032) -* Bump github/codeql-action from 3.26.7 to 3.26.8 in the all group (#12010) -* Bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#12009) -* Bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group (#12008) -* Bump the all group with 2 updates (#11977) -* Bump github/codeql-action from 3.26.6 to 3.26.7 in the all group (#11976) -* Bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#11954) -* Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (#11955) -* Bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group (#11953) -* Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#11928) -* Bump the all group with 2 updates (#11922) -* Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.20.2 in the all group (#11901) -* Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#11902) -* Bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#11903) -* Bump github/codeql-action from 3.26.5 to 3.26.6 in the all group (#11904) -* Bump the all group with 2 updates (#11865) -* Bump github/codeql-action from 3.26.2 to 3.26.5 in the all group (#11867) -* Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 (#11832) -* Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.0 (#11823) -* Bump dario.cat/mergo from 1.0.0 to 1.0.1 in the all group (#11822) -* Bump k8s.io/component-base from 0.30.3 to 0.31.0 (#11825) -* Bump github/codeql-action from 3.26.0 to 3.26.2 in the all group (#11826) -* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11766) -* Bump the all group with 2 updates (#11767) -* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11765) -* Bump the all group with 3 updates (#11727) -* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11696) -* Bump the all group with 2 updates (#11695) -* Bump the all group with 4 updates (#11673) -* Bump the all group with 2 updates (#11672) -* Bump github.com/prometheus/common from 0.54.0 to 0.55.0 (#11522) -* Bump the all group with 5 updates (#11611) - -**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.0...controller-v1.12.0-beta.0 diff --git a/changelog/controller-1.12.0.md b/changelog/controller-1.12.0.md deleted file mode 100644 index dc7155546..000000000 --- a/changelog/controller-1.12.0.md +++ /dev/null @@ -1,294 +0,0 @@ -# Changelog - -### controller-v1.12.0 - -Images: - -* registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa -* registry.k8s.io/ingress-nginx/controller-chroot:v1.12.0@sha256:87c88e1c38a6c8d4483c8f70b69e2cca49853bb3ec3124b9b1be648edf139af3 - -### All changes: - -* Images: Trigger controller build. (#12609) -* Chart: Bump Kube Webhook CertGen. (#12606) -* Tests & Docs: Bump images. (#12603) -* Images: Trigger other builds (2/2). (#12599) -* Images: Trigger other builds (1/2). (#12595) -* Tests: Bump `e2e-test-runner` to v20241224-68ed4e7b. (#12590) -* Images: Trigger `test-runner` build. (#12587) -* Images: Bump `NGINX_BASE` to v1.1.0. (#12582) -* Images: Trigger NGINX build. (#12579) -* Go: Clean `go.work.sum`. (#12573) -* Repository: Update owners. (#12568) -* Images: Bump `gcb-docker-gcloud` to v20241217-ff46a068cd. (#12561) -* CI: Update KIND images. (#12560) -* Images: Bump Alpine to v3.21. (#12528) -* Docs: Add guide on how to set a Maintenance Page. (#12525) -* rikatz is stepping down (#12516) -* rikatz is stepping down (#12494) -* Go: Bump to v1.23.4. (#12483) -* Plugin: Bump `goreleaser` to v2. (#12440) -* GitHub: Fix `exec` in issue template. (#12387) -* CI: Update KIND images. (#12367) -* Images: Bump `gcb-docker-gcloud` to v20241110-72bb0b1665. (#12342) -* Go: Bump to v1.23.3. (#12337) -* Auth TLS: Add `_` to redirect RegEx. (#12326) -* Auth TLS: Improve redirect RegEx. (#12323) -* Update custom headers annotation documentation (#12318) -* Tests: Bump `e2e-test-runner` to v20241104-02a3933e. (#12312) -* Docs: Add CPU usage note for `--metrics-per-undefined-host`. (#12310) -* Images: Trigger `test-runner` build. (#12308) -* Config: Fix panic on invalid `lua-shared-dict`. (#12283) -* Docs: fix limit-rate-after references (#12278) -* Chart: Rework ServiceMonitor. (#12269) -* Chart: Add ServiceAccount tests. (#12263) -* CI: Fix chart testing. (#12258) -* [fix] fix nginx temp configs cleanup (#12225) -* Chart: Suggest `matchLabelKeys` in Topology Spread Constraints. (#12202) -* Docs: Add Pod Security Admission. (#12195) -* Docs: Clarify external & service port in TCP/UDP services explanation. (#12192) -* Images: Trigger controller build. (#12154) -* ⚠️ Metrics: Disable by default. (#12153) ⚠️ - - This changes the default of the following CLI arguments: - - * `--enable-metrics` gets disabled by default. - -* Tests & Docs: Bump `e2e-test-echo` to v1.0.1. (#12147) -* Images: Trigger `e2e-test-echo` build. (#12140) -* ⚠️ Images: Drop `s390x`. (#12137) ⚠️ - - Support for the `s390x` architecture has already been removed from the controller image. This also removes it from the NGINX base image and CI relevant images. - -* Images: Build `s390x` controller. (#12126) -* Chart: Bump Kube Webhook CertGen. (#12119) -* Tests & Docs: Bump images. (#12118) -* Cloud Build: Bump `gcb-docker-gcloud` to v20240718-5ef92b5c36. (#12113) -* Images: Trigger other builds. (#12110) -* Tests: Bump `e2e-test-runner` to v20241004-114a6abb. (#12103) -* Images: Trigger `test-runner` build. (#12100) -* Docs: Add a multi-tenant warning. (#12091) -* Go: Bump to v1.22.8. (#12069) -* Images: Bump `NGINX_BASE` to v1.0.0. (#12066) -* Images: Trigger NGINX build. (#12063) -* Images: Remove NGINX v1.21. (#12031) -* Chart: Add `controller.metrics.service.enabled`. (#12056) -* GitHub: Improve Dependabot. (#12033) -* Chart: Add `global.image.registry`. (#12028) -* ⚠️ Images: Remove OpenTelemetry. (#12024) ⚠️ - - OpenTelemetry is still supported, but since the module is built into the controller image since v1.10, we hereby remove the init container and image which were used to install it upon controller startup. - -* Chart: Improve CI. (#12003) -* Chart: Extend image tests. (#12025) -* Chart: Add `controller.progressDeadlineSeconds`. (#12017) -* Docs: Add health check annotations for AWS. (#12018) -* Docs: Convert `opentelemetry.md` from CRLF to LF. (#12005) -* Chart: Implement `unhealthyPodEvictionPolicy`. (#11992) -* Chart: Add `defaultBackend.maxUnavailable`. (#11995) -* Chart: Test `controller.minAvailable` & `controller.maxUnavailable`. (#12000) -* Chart: Align default backend `PodDisruptionBudget`. (#11993) -* Metrics: Fix namespace in `nginx_ingress_controller_ssl_expire_time_seconds`. (#10274) -* ⚠️ Chart: Remove Pod Security Policy. (#11971) ⚠️ - - This removes Pod Security Policies and related resources from the chart. - -* Chart: Improve default backend service account. (#11972) -* Go: Bump to v1.22.7. (#11943) -* NGINX: Remove inline Lua from template. (#11806) -* Images: Bump OpenTelemetry C++ Contrib. (#11629) -* Docs: Add note about `--watch-namespace`. (#11947) -* Images: Use latest Alpine 3.20 everywhere. (#11944) -* Fix minor typos (#11935) -* Chart: Implement `controller.admissionWebhooks.service.servicePort`. (#11931) -* Allow any protocol for cors origins (#11153) -* Tests: Bump `e2e-test-runner` to v20240829-2c421762. (#11919) -* Images: Trigger `test-runner` build. (#11916) -* Chart: Add `controller.metrics.prometheusRule.annotations`. (#11849) -* Chart: Add tests for `PrometheusRule` & `ServiceMonitor`. (#11883) -* Annotations: Allow commas in URLs. (#11882) -* CI: Grant checks write permissions to E2E Test Report. (#11862) -* Chart: Use generic values for `ConfigMap` test. (#11877) -* Security: Follow-up on recent changes. (#11874) -* Lua: Remove plugins from `.luacheckrc` & E2E docs. (#11872) -* Dashboard: Remove `ingress_upstream_latency_seconds`. (#11878) -* Metrics: Add `--metrics-per-undefined-host` argument. (#11818) -* Update maxmind post link about geolite2 license changes (#11861) -* ⚠️ Remove global-rate-limit feature (#11851) ⚠️ - - This removes the following configuration options: - - * `global-rate-limit-memcached-host` - * `global-rate-limit-memcached-port` - * `global-rate-limit-memcached-connect-timeout` - * `global-rate-limit-memcached-max-idle-timeout` - * `global-rate-limit-memcached-pool-size` - * `global-rate-limit-status-code` - - It also removes the following annotations: - - * `global-rate-limit` - * `global-rate-limit-window` - * `global-rate-limit-key` - * `global-rate-limit-ignored-cidrs` - -* Revert "docs: Add deployment for AWS NLB Proxy." (#11857) -* Add custom code handling for temporal redirect (#10651) -* Add native histogram support for histogram metrics (#9971) -* Replace deprecated queue method (#11853) -* ⚠️ Enable security features by default (#11819) ⚠️ - - This changes the default of the following CLI arguments: - - * `--enable-annotation-validation` gets enabled by default. - - It also changes the default of the following configuration options: - - * `allow-cross-namespace-resources` gets disabled by default. - * `annotations-risk-level` gets lowered to "High" by default. - * `strict-validate-path-type` gets enabled by default. - -* docs: Add deployment for AWS NLB Proxy. (#9565) -* ⚠️ Remove 3rd party lua plugin support (#11821) ⚠️ - - This removes the following configuration options: - - * `plugins` - - It also removes support for user provided Lua plugins in the `/etc/nginx/lua/plugins` directory. - -* Auto-generate annotation docs (#11820) -* ⚠️ Metrics: Remove `ingress_upstream_latency_seconds`. (#11795) ⚠️ - - This metric has already been deprecated and is now getting removed. - -* Release controller v1.11.2/v1.10.4 & chart v4.11.2/v4.10.4. (#11816) -* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11809) -* Tests & Docs: Bump images. (#11803) -* Images: Trigger failed builds. (#11800) -* Images: Trigger other builds. (#11796) -* Controller: Fix panic in alternative backend merging. (#11789) -* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11788) -* Images: Trigger `test-runner` build. (#11785) -* Images: Bump `NGINX_BASE` to v0.0.12. (#11782) -* Images: Trigger NGINX build. (#11779) -* Cloud Build: Add missing config, remove unused ones. (#11774) -* Cloud Build: Tweak timeouts. (#11761) -* Cloud Build: Fix substitutions. (#11758) -* Cloud Build: Some chores. (#11633) -* Go: Bump to v1.22.6. (#11747) -* Images: Bump `NGINX_BASE` to v0.0.11. (#11741) -* Images: Trigger NGINX build. (#11735) -* docs: update OpenSSL Roadmap link (#11730) -* Go: Bump to v1.22.5. (#11634) -* Docs: Fix typo in AWS LB Controller reference (#11723) -* Perform some cleaning operations on line breaks. (#11720) -* Missing anchors in regular expression. (#11717) -* Docs: Fix `from-to-www` redirect description. (#11712) -* Chart: Remove `isControllerTagValid`. (#11710) -* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11702) -* Chart: Explicitly set `runAsGroup`. (#11679) -* Docs: Clarify `from-to-www` redirect direction. (#11682) -* added real-client-ip faq (#11663) -* Docs: Format NGINX configuration table. (#11659) -* Release controller v1.11.1/v1.10.3 & chart v4.11.1/v4.10.3. (#11654) -* Tests: Bump `test-runner` to v20240717-1fe74b5f. (#11645) -* Images: Trigger `test-runner` build. (#11636) -* Images: Bump `NGINX_BASE` to v0.0.10. (#11635) -* remove modsecurity coreruleset test files from nginx image (#11617) -* unskip the ocsp tests and update images to fix cfssl bug (#11606) -* Fix indent in YAML for example pod (#11598) -* Images: Bump `test-runner`. (#11600) -* Images: Bump `NGINX_BASE` to v0.0.9. (#11599) -* revert module upgrade (#11594) -* README: Fix support matrix. (#11586) -* Repository: Add changelogs from `release-v1.10`. (#11587) - -### Dependency updates: - -* Bump k8s.io/apiextensions-apiserver from 0.31.3 to 0.32.0 (#12566) -* Bump github.com/onsi/ginkgo/v2 from 2.22.0 to 2.22.1 (#12555) -* Bump k8s.io/code-generator from 0.31.3 to 0.32.0 (#12550) -* Bump k8s.io/cli-runtime from 0.31.3 to 0.32.0 (#12547) -* Bump k8s.io/apiserver from 0.31.3 to 0.32.0 (#12544) -* Bump the actions group with 2 updates (#12541) -* Bump google.golang.org/grpc from 1.68.1 to 1.69.2 (#12538) -* Bump k8s.io/client-go from 0.31.3 to 0.32.0 (#12512) -* Bump github.com/opencontainers/runc from 1.2.2 to 1.2.3 in the go group across 1 directory (#12509) -* Bump the actions group with 3 updates (#12506) -* Bump k8s.io/kube-aggregator from 0.31.3 to 0.32.0 in /images/kube-webhook-certgen/rootfs (#12505) -* Bump k8s.io/apimachinery from 0.31.3 to 0.32.0 in /images/ext-auth-example-authsvc/rootfs (#12502) -* Bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#12476) -* Bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /magefiles (#12472) -* Bump github.com/prometheus/common from 0.60.1 to 0.61.0 (#12464) -* Bump github/codeql-action from 3.27.5 to 3.27.6 in the actions group (#12461) -* Bump the go group across 1 directory with 2 updates (#12460) -* Bump github.com/onsi/ginkgo/v2 from 2.21.0 to 2.22.0 (#12426) -* Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#12418) -* Bump the go group across 3 directories with 10 updates (#12413) -* Bump the actions group with 3 updates (#12412) -* Bump github.com/opencontainers/runc from 1.2.1 to 1.2.2 in the go group across 1 directory (#12380) -* Bump github/codeql-action from 3.27.1 to 3.27.4 in the actions group (#12373) -* Bump golangci-lint on actions and disable deprecated linters (#12361) -* Bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#12357) -* Bump the actions group with 3 updates (#12354) -* Bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#12349) -* Bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 (#12299) -* Bump github.com/opencontainers/runc from 1.2.0 to 1.2.1 in the go group across 1 directory (#12296) -* Bump github.com/onsi/ginkgo/v2 from 2.20.2 to 2.21.0 (#12288) -* Bump actions/dependency-review-action from 4.3.5 to 4.4.0 in the actions group (#12273) -* Bump the go group across 3 directories with 11 updates (#12244) -* Bump github.com/opencontainers/runc from 1.1.15 to 1.2.0 (#12242) -* Bump the actions group with 5 updates (#12236) -* Bump github.com/ncabatoff/process-exporter from 0.8.3 to 0.8.4 in the go group across 1 directory (#12218) -* Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 in the actions group (#12217) -* Bump github/codeql-action from 3.26.12 to 3.26.13 in the actions group (#12188) -* Bump the go group across 2 directories with 1 update (#12186) -* Bump the actions group with 2 updates (#12180) -* Bump github.com/opencontainers/runc from 1.1.14 to 1.1.15 in the go group across 1 directory (#12178) -* Bump the actions group with 3 updates (#12152) -* Bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#12107) -* Bump the actions group with 3 updates (#12092) -* Bump sigs.k8s.io/mdtoc from 1.1.0 to 1.4.0 (#12062) -* Bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#12060) -* Bump google.golang.org/grpc from 1.67.0 to 1.67.1 in the go group across 1 directory (#12059) -* Bump k8s.io/cli-runtime from 0.30.0 to 0.31.1 (#12061) -* Bump github/codeql-action from 3.26.9 to 3.26.10 in the actions group (#12051) -* Bump the go group across 1 directory with 3 updates (#12050) -* Bump k8s.io/kube-aggregator from 0.29.3 to 0.31.1 in /images/kube-webhook-certgen/rootfs (#12043) -* Bump k8s.io/apimachinery from 0.23.1 to 0.31.1 in /images/ext-auth-example-authsvc/rootfs (#12041) -* Bump github.com/prometheus/client_golang from 1.11.1 to 1.20.4 in /images/custom-error-pages/rootfs (#12040) -* Bump the all group with 2 updates (#12032) -* Bump github/codeql-action from 3.26.7 to 3.26.8 in the all group (#12010) -* Bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#12009) -* Bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group (#12008) -* Bump the all group with 2 updates (#11977) -* Bump github/codeql-action from 3.26.6 to 3.26.7 in the all group (#11976) -* Bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#11954) -* Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (#11955) -* Bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group (#11953) -* Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#11928) -* Bump the all group with 2 updates (#11922) -* Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.20.2 in the all group (#11901) -* Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#11902) -* Bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#11903) -* Bump github/codeql-action from 3.26.5 to 3.26.6 in the all group (#11904) -* Bump the all group with 2 updates (#11865) -* Bump github/codeql-action from 3.26.2 to 3.26.5 in the all group (#11867) -* Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 (#11832) -* Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.0 (#11823) -* Bump dario.cat/mergo from 1.0.0 to 1.0.1 in the all group (#11822) -* Bump k8s.io/component-base from 0.30.3 to 0.31.0 (#11825) -* Bump github/codeql-action from 3.26.0 to 3.26.2 in the all group (#11826) -* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11766) -* Bump the all group with 2 updates (#11767) -* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11765) -* Bump the all group with 3 updates (#11727) -* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11696) -* Bump the all group with 2 updates (#11695) -* Bump the all group with 4 updates (#11673) -* Bump the all group with 2 updates (#11672) -* Bump github.com/prometheus/common from 0.54.0 to 0.55.0 (#11522) -* Bump the all group with 5 updates (#11611) - -**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.0...controller-v1.12.0 diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index 11000f43d..300330c92 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml @@ -1,10 +1,10 @@ annotations: artifacthub.io/changes: | - - 'CI: Fix chart testing. (#12258)' - - Update Ingress-Nginx version controller-v1.12.0 + - 'CI: Fix chart testing. (#12259)' + - Update Ingress-Nginx version controller-v1.11.4 artifacthub.io/prerelease: "false" apiVersion: v2 -appVersion: 1.12.0 +appVersion: 1.11.4 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer home: https://github.com/kubernetes/ingress-nginx @@ -21,4 +21,4 @@ maintainers: name: ingress-nginx sources: - https://github.com/kubernetes/ingress-nginx -version: 4.12.0 +version: 4.11.4 diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 7d8c1e74f..95b1ea0c3 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.12.0](https://img.shields.io/badge/Version-4.12.0-informational?style=flat-square) ![AppVersion: 1.12.0](https://img.shields.io/badge/AppVersion-1.12.0-informational?style=flat-square) +![Version: 4.11.4](https://img.shields.io/badge/Version-4.11.4-informational?style=flat-square) ![AppVersion: 1.11.4](https://img.shields.io/badge/AppVersion-1.11.4-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. @@ -260,8 +260,9 @@ metadata: | controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` | | | controller.admissionWebhooks.createSecretJob.name | string | `"create"` | | | controller.admissionWebhooks.createSecretJob.resources | object | `{}` | | -| controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers | +| controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers | | controller.admissionWebhooks.enabled | bool | `true` | | +| controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one | | controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set | | controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use | | controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` | | @@ -270,10 +271,11 @@ metadata: | controller.admissionWebhooks.namespaceSelector | object | `{}` | | | controller.admissionWebhooks.objectSelector | object | `{}` | | | controller.admissionWebhooks.patch.enabled | bool | `true` | | -| controller.admissionWebhooks.patch.image.digest | string | `"sha256:0de05718b59dc33b57ddfb4d8ad5f637cefd13eafdec0e1579d782b3483c27c3"` | | +| controller.admissionWebhooks.patch.image.digest | string | `"sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4"` | | | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | | | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | | -| controller.admissionWebhooks.patch.image.tag | string | `"v1.5.1"` | | +| controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | | +| controller.admissionWebhooks.patch.image.tag | string | `"v1.5.0"` | | | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources | | controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | @@ -289,7 +291,7 @@ metadata: | controller.admissionWebhooks.patch.tolerations | list | `[]` | | | controller.admissionWebhooks.patchWebhookJob.name | string | `"patch"` | | | controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` | | -| controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers | +| controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers | | controller.admissionWebhooks.port | int | `8443` | | | controller.admissionWebhooks.service.annotations | object | `{}` | | | controller.admissionWebhooks.service.externalIPs | list | `[]` | | @@ -320,14 +322,15 @@ metadata: | controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. | | controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' | | controller.electionTTL | string | `""` | Duration a leader election is valid before it's getting re-elected, e.g. `15s`, `10m` or `1h`. (Default: 30s) | -| controller.enableAnnotationValidations | bool | `true` | | +| controller.enableAnnotationValidations | bool | `false` | | | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # | | controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false | +| controller.existingPsp | string | `""` | Use an existing PSP instead of creating one | | controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use | | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. | | controller.extraEnvs | list | `[]` | Additional environment variables to set | | controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. | -| controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. | +| controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module | | controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. | | controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. | | controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. | @@ -340,16 +343,16 @@ metadata: | controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.image.allowPrivilegeEscalation | bool | `false` | | | controller.image.chroot | bool | `false` | | -| controller.image.digest | string | `"sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa"` | | -| controller.image.digestChroot | string | `"sha256:87c88e1c38a6c8d4483c8f70b69e2cca49853bb3ec3124b9b1be648edf139af3"` | | +| controller.image.digest | string | `"sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52"` | | +| controller.image.digestChroot | string | `"sha256:f29d0f9e7a9ef4947eda59ed0c09ec13380b13639d1518cf1ab8ec09c3e22ef8"` | | | controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.readOnlyRootFilesystem | bool | `false` | | -| controller.image.runAsGroup | int | `82` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) | +| controller.image.registry | string | `"registry.k8s.io"` | | | controller.image.runAsNonRoot | bool | `true` | | -| controller.image.runAsUser | int | `101` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) | +| controller.image.runAsUser | int | `101` | | | controller.image.seccompProfile.type | string | `"RuntimeDefault"` | | -| controller.image.tag | string | `"v1.12.0"` | | +| controller.image.tag | string | `"v1.11.4"` | | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassResource | object | `{"aliases":[],"annotations":{},"controllerValue":"k8s.io/ingress-nginx","default":false,"enabled":true,"name":"nginx","parameters":{}}` | This section refers to the creation of the IngressClass resource. IngressClasses are immutable and cannot be changed after creation. We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required. | @@ -386,11 +389,9 @@ metadata: | controller.metrics.port | int | `10254` | | | controller.metrics.portName | string | `"metrics"` | | | controller.metrics.prometheusRule.additionalLabels | object | `{}` | | -| controller.metrics.prometheusRule.annotations | object | `{}` | Annotations to be added to the PrometheusRule. | | controller.metrics.prometheusRule.enabled | bool | `false` | | | controller.metrics.prometheusRule.rules | list | `[]` | | | controller.metrics.service.annotations | object | `{}` | | -| controller.metrics.service.enabled | bool | `true` | Enable the metrics service or not. | | controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # | | controller.metrics.service.labels | object | `{}` | Labels to be added to the metrics service resource | | controller.metrics.service.loadBalancerSourceRanges | list | `[]` | | @@ -399,27 +400,35 @@ metadata: | controller.metrics.serviceMonitor.additionalLabels | object | `{}` | | | controller.metrics.serviceMonitor.annotations | object | `{}` | Annotations to be added to the ServiceMonitor. | | controller.metrics.serviceMonitor.enabled | bool | `false` | | -| controller.metrics.serviceMonitor.labelLimit | int | `0` | Per-scrape limit on number of labels that will be accepted for a sample. | -| controller.metrics.serviceMonitor.labelNameLengthLimit | int | `0` | Per-scrape limit on length of labels name that will be accepted for a sample. | -| controller.metrics.serviceMonitor.labelValueLengthLimit | int | `0` | Per-scrape limit on length of labels value that will be accepted for a sample. | | controller.metrics.serviceMonitor.metricRelabelings | list | `[]` | | | controller.metrics.serviceMonitor.namespace | string | `""` | | | controller.metrics.serviceMonitor.namespaceSelector | object | `{}` | | | controller.metrics.serviceMonitor.relabelings | list | `[]` | | -| controller.metrics.serviceMonitor.sampleLimit | int | `0` | Defines a per-scrape limit on the number of scraped samples that will be accepted. | | controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` | | | controller.metrics.serviceMonitor.targetLabels | list | `[]` | | -| controller.metrics.serviceMonitor.targetLimit | int | `0` | Defines a limit on the number of scraped targets that will be accepted. | | controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. | | controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | controller.name | string | `"controller"` | | | controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # | +| controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | +| controller.opentelemetry.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | | +| controller.opentelemetry.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | | +| controller.opentelemetry.containerSecurityContext.runAsNonRoot | bool | `true` | | +| controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. | +| controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | | +| controller.opentelemetry.enabled | bool | `false` | | +| controller.opentelemetry.image.digest | string | `"sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922"` | | +| controller.opentelemetry.image.distroless | bool | `true` | | +| controller.opentelemetry.image.image | string | `"ingress-nginx/opentelemetry-1.25.3"` | | +| controller.opentelemetry.image.registry | string | `"registry.k8s.io"` | | +| controller.opentelemetry.image.tag | string | `"v20240813-b933310d"` | | +| controller.opentelemetry.name | string | `"opentelemetry"` | | +| controller.opentelemetry.resources | object | `{}` | | | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # | | controller.podLabels | object | `{}` | Labels to add to the pod container metadata | | controller.podSecurityContext | object | `{}` | Security context for controller pods | | controller.priorityClassName | string | `""` | | -| controller.progressDeadlineSeconds | int | `0` | Specifies the number of seconds you want to wait for the controller deployment to progress before the system reports back that it has failed. Ref.: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds | | controller.proxySetHeaders | object | `{}` | Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers | | controller.publishService | object | `{"enabled":true,"pathOverride":""}` | Allows customization of the source of the IP address or FQDN to report in the ingress status field. By default, it reads the information provided by the service. If disable, the status field reports the IP address of the node or nodes where an ingress controller pod is running. | | controller.publishService.enabled | bool | `true` | Enable 'publishService' or not | @@ -442,24 +451,20 @@ metadata: | controller.service.annotations | object | `{}` | Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service. | | controller.service.appProtocol | bool | `true` | Declare the app protocol of the external HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol | | controller.service.clusterIP | string | `""` | Pre-defined cluster internal IP address of the external controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address | -| controller.service.clusterIPs | list | `[]` | Pre-defined cluster internal IP addresses of the external controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address | | controller.service.enableHttp | bool | `true` | Enable the HTTP listener on both controller services or not. | | controller.service.enableHttps | bool | `true` | Enable the HTTPS listener on both controller services or not. | | controller.service.enabled | bool | `true` | Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service. | | controller.service.external.enabled | bool | `true` | Enable the external controller service or not. Useful for internal-only deployments. | -| controller.service.external.labels | object | `{}` | Labels to be added to the external controller service. | | controller.service.externalIPs | list | `[]` | List of node IP addresses at which the external controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips | | controller.service.externalTrafficPolicy | string | `""` | External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip | | controller.service.internal.annotations | object | `{}` | Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer | | controller.service.internal.appProtocol | bool | `true` | Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol | | controller.service.internal.clusterIP | string | `""` | Pre-defined cluster internal IP address of the internal controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address | -| controller.service.internal.clusterIPs | list | `[]` | Pre-defined cluster internal IP addresses of the internal controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address | | controller.service.internal.enabled | bool | `false` | Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this. | | controller.service.internal.externalIPs | list | `[]` | List of node IP addresses at which the internal controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips | | controller.service.internal.externalTrafficPolicy | string | `""` | External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip | | controller.service.internal.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | | controller.service.internal.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | -| controller.service.internal.labels | object | `{}` | Labels to be added to the internal controller service. | | controller.service.internal.loadBalancerClass | string | `""` | Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class | | controller.service.internal.loadBalancerIP | string | `""` | Deprecated: Pre-defined IP address of the internal controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer | | controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access to the internal controller service. Values must be CIDRs. Allows any source address by default. | @@ -470,7 +475,6 @@ metadata: | controller.service.internal.ports | object | `{}` | | | controller.service.internal.sessionAffinity | string | `""` | Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity | | controller.service.internal.targetPorts | object | `{}` | | -| controller.service.internal.trafficDistribution | string | `""` | Traffic distribution policy of the internal controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution | | controller.service.internal.type | string | `""` | Type of the internal controller service. Defaults to the value of `controller.service.type`. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | | controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | | controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | @@ -487,7 +491,6 @@ metadata: | controller.service.sessionAffinity | string | `""` | Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity | | controller.service.targetPorts.http | string | `"http"` | Port of the ingress controller the external HTTP listener is mapped to. | | controller.service.targetPorts.https | string | `"https"` | Port of the ingress controller the external HTTPS listener is mapped to. | -| controller.service.trafficDistribution | string | `""` | Traffic distribution policy of the external controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution | | controller.service.type | string | `"LoadBalancer"` | Type of the external controller service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | | controller.shareProcessNamespace | bool | `false` | | | controller.sysctls | object | `{}` | sysctls for controller pods # Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ | @@ -498,7 +501,6 @@ metadata: | controller.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. # Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ # | | controller.udp.annotations | object | `{}` | Annotations to be added to the udp config configmap | | controller.udp.configMapNamespace | string | `""` | Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) | -| controller.unhealthyPodEvictionPolicy | string | `""` | Eviction policy for unhealthy pods guarded by PodDisruptionBudget. Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ | | controller.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # | | controller.watchIngressWithoutClass | bool | `false` | Process Ingress objects without ingressClass annotation/ingressClassName field Overrides value for --watch-ingress-without-class flag of the controller binary Defaults to false | | defaultBackend.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity | @@ -510,6 +512,7 @@ metadata: | defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` | | | defaultBackend.containerSecurityContext | object | `{}` | Security context for default backend containers | | defaultBackend.enabled | bool | `false` | | +| defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one | | defaultBackend.extraArgs | object | `{}` | | | defaultBackend.extraConfigMaps | list | `[]` | | | defaultBackend.extraEnvs | list | `[]` | Additional environment variables to set for defaultBackend pods | @@ -519,7 +522,7 @@ metadata: | defaultBackend.image.image | string | `"defaultbackend-amd64"` | | | defaultBackend.image.pullPolicy | string | `"IfNotPresent"` | | | defaultBackend.image.readOnlyRootFilesystem | bool | `true` | | -| defaultBackend.image.runAsGroup | int | `65534` | | +| defaultBackend.image.registry | string | `"registry.k8s.io"` | | | defaultBackend.image.runAsNonRoot | bool | `true` | | | defaultBackend.image.runAsUser | int | `65534` | | | defaultBackend.image.seccompProfile.type | string | `"RuntimeDefault"` | | @@ -530,7 +533,7 @@ metadata: | defaultBackend.livenessProbe.periodSeconds | int | `10` | | | defaultBackend.livenessProbe.successThreshold | int | `1` | | | defaultBackend.livenessProbe.timeoutSeconds | int | `5` | | -| defaultBackend.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. | +| defaultBackend.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. | | defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | defaultBackend.name | string | `"defaultbackend"` | | | defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | @@ -548,7 +551,6 @@ metadata: | defaultBackend.replicaCount | int | `1` | | | defaultBackend.resources | object | `{}` | | | defaultBackend.service.annotations | object | `{}` | | -| defaultBackend.service.clusterIPs | list | `[]` | Pre-defined cluster internal IP addresses of the default backend service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address | | defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # | | defaultBackend.service.loadBalancerSourceRanges | list | `[]` | | | defaultBackend.service.servicePort | int | `80` | | @@ -558,12 +560,11 @@ metadata: | defaultBackend.serviceAccount.name | string | `""` | | | defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # | | defaultBackend.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. Ref.: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ | -| defaultBackend.unhealthyPodEvictionPolicy | string | `""` | Eviction policy for unhealthy pods guarded by PodDisruptionBudget. Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ | | defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # | | dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param | -| global.image.registry | string | `"registry.k8s.io"` | Registry host to pull images from. | | imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | | namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace | +| podSecurityPolicy.enabled | bool | `false` | | | portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration | | rbac.create | bool | `true` | | | rbac.scope | bool | `false` | | diff --git a/charts/ingress-nginx/changelog/helm-chart-4.10.3.md b/charts/ingress-nginx/changelog/helm-chart-4.10.3.md deleted file mode 100644 index 3f77d405b..000000000 --- a/charts/ingress-nginx/changelog/helm-chart-4.10.3.md +++ /dev/null @@ -1,9 +0,0 @@ -# Changelog - -This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). - -### 4.10.3 - -* Update Ingress-Nginx version controller-v1.10.3 - -**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.2...helm-chart-4.10.3 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.10.4.md b/charts/ingress-nginx/changelog/helm-chart-4.10.4.md deleted file mode 100644 index 661d3c9bb..000000000 --- a/charts/ingress-nginx/changelog/helm-chart-4.10.4.md +++ /dev/null @@ -1,9 +0,0 @@ -# Changelog - -This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). - -### 4.10.4 - -* Update Ingress-Nginx version controller-v1.10.4 - -**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.3...helm-chart-4.10.4 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.10.5.md b/charts/ingress-nginx/changelog/helm-chart-4.10.5.md deleted file mode 100644 index 72c72c720..000000000 --- a/charts/ingress-nginx/changelog/helm-chart-4.10.5.md +++ /dev/null @@ -1,9 +0,0 @@ -# Changelog - -This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). - -### 4.10.5 - -* Update Ingress-Nginx version controller-v1.10.5 - -**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.4...helm-chart-4.10.5 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.10.6.md b/charts/ingress-nginx/changelog/helm-chart-4.10.6.md deleted file mode 100644 index c26c8817b..000000000 --- a/charts/ingress-nginx/changelog/helm-chart-4.10.6.md +++ /dev/null @@ -1,10 +0,0 @@ -# Changelog - -This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). - -### 4.10.6 - -* CI: Fix chart testing. (#12260) -* Update Ingress-Nginx version controller-v1.10.6 - -**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.5...helm-chart-4.10.6 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.12.0-beta.0.md b/charts/ingress-nginx/changelog/helm-chart-4.12.0-beta.0.md deleted file mode 100644 index fa980f1fb..000000000 --- a/charts/ingress-nginx/changelog/helm-chart-4.12.0-beta.0.md +++ /dev/null @@ -1,9 +0,0 @@ -# Changelog - -This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). - -### 4.12.0-beta.0 - -* Update Ingress-Nginx version controller-v1.12.0-beta.0 - -**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.0...helm-chart-4.12.0-beta.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.12.0.md b/charts/ingress-nginx/changelog/helm-chart-4.12.0.md deleted file mode 100644 index f8f36d499..000000000 --- a/charts/ingress-nginx/changelog/helm-chart-4.12.0.md +++ /dev/null @@ -1,10 +0,0 @@ -# Changelog - -This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). - -### 4.12.0 - -* CI: Fix chart testing. (#12258) -* Update Ingress-Nginx version controller-v1.12.0 - -**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.0...helm-chart-4.12.0 diff --git a/charts/ingress-nginx/ci/controller-daemonset-extra-modules-values.yaml b/charts/ingress-nginx/ci/controller-daemonset-extra-modules-values.yaml new file mode 100644 index 000000000..edf12e77e --- /dev/null +++ b/charts/ingress-nginx/ci/controller-daemonset-extra-modules-values.yaml @@ -0,0 +1,30 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + + service: + type: ClusterIP + + kind: DaemonSet + + extraModules: + - name: opentelemetry + image: + registry: registry.k8s.io + image: ingress-nginx/opentelemetry-1.25.3 + tag: v20240813-b933310d + digest: sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922 + distroless: true + containerSecurityContext: + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true diff --git a/charts/ingress-nginx/ci/controller-daemonset-opentelemetry-values.yaml b/charts/ingress-nginx/ci/controller-daemonset-opentelemetry-values.yaml new file mode 100644 index 000000000..179ab2a85 --- /dev/null +++ b/charts/ingress-nginx/ci/controller-daemonset-opentelemetry-values.yaml @@ -0,0 +1,13 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + + service: + type: ClusterIP + + kind: DaemonSet + + opentelemetry: + enabled: true diff --git a/charts/ingress-nginx/ci/controller-deployment-extra-modules-values.yaml b/charts/ingress-nginx/ci/controller-deployment-extra-modules-values.yaml new file mode 100644 index 000000000..d4083cc37 --- /dev/null +++ b/charts/ingress-nginx/ci/controller-deployment-extra-modules-values.yaml @@ -0,0 +1,30 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + + service: + type: ClusterIP + + kind: Deployment + + extraModules: + - name: opentelemetry + image: + registry: registry.k8s.io + image: ingress-nginx/opentelemetry-1.25.3 + tag: v20240813-b933310d + digest: sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922 + distroless: true + containerSecurityContext: + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true diff --git a/charts/ingress-nginx/ci/controller-deployment-opentelemetry-values.yaml b/charts/ingress-nginx/ci/controller-deployment-opentelemetry-values.yaml new file mode 100644 index 000000000..9443ddefc --- /dev/null +++ b/charts/ingress-nginx/ci/controller-deployment-opentelemetry-values.yaml @@ -0,0 +1,13 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + + service: + type: ClusterIP + + kind: Deployment + + opentelemetry: + enabled: true diff --git a/charts/ingress-nginx/ci/controller-service-internal-values.yaml b/charts/ingress-nginx/ci/controller-service-internal-values.yaml index 01635e339..11108fbce 100644 --- a/charts/ingress-nginx/ci/controller-service-internal-values.yaml +++ b/charts/ingress-nginx/ci/controller-service-internal-values.yaml @@ -9,7 +9,5 @@ controller: internal: enabled: true - labels: - external-dns.alpha.kubernetes.io/hostname: internal.example.com annotations: service.beta.kubernetes.io/aws-load-balancer-internal: "true" diff --git a/charts/ingress-nginx/ci/controller-service-values.yaml b/charts/ingress-nginx/ci/controller-service-values.yaml index 4ba3debba..9039368c2 100644 --- a/charts/ingress-nginx/ci/controller-service-values.yaml +++ b/charts/ingress-nginx/ci/controller-service-values.yaml @@ -7,10 +7,6 @@ controller: service: type: NodePort - external: - labels: - external-dns.alpha.kubernetes.io/hostname: external.example.com - nodePorts: tcp: 9000: 30090 diff --git a/charts/ingress-nginx/ci/deamonset-psp-values.yaml b/charts/ingress-nginx/ci/deamonset-psp-values.yaml new file mode 100644 index 000000000..8026a6356 --- /dev/null +++ b/charts/ingress-nginx/ci/deamonset-psp-values.yaml @@ -0,0 +1,13 @@ +controller: + kind: DaemonSet + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + admissionWebhooks: + enabled: false + service: + type: ClusterIP + +podSecurityPolicy: + enabled: true diff --git a/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml b/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml new file mode 100644 index 000000000..fccdb134c --- /dev/null +++ b/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml @@ -0,0 +1,13 @@ +controller: + kind: DaemonSet + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + admissionWebhooks: + enabled: true + service: + type: ClusterIP + +podSecurityPolicy: + enabled: true diff --git a/charts/ingress-nginx/ci/deployment-psp-values.yaml b/charts/ingress-nginx/ci/deployment-psp-values.yaml new file mode 100644 index 000000000..2f332a7b2 --- /dev/null +++ b/charts/ingress-nginx/ci/deployment-psp-values.yaml @@ -0,0 +1,10 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + service: + type: ClusterIP + +podSecurityPolicy: + enabled: true diff --git a/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml b/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml new file mode 100644 index 000000000..6195bb339 --- /dev/null +++ b/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml @@ -0,0 +1,12 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + admissionWebhooks: + enabled: true + service: + type: ClusterIP + +podSecurityPolicy: + enabled: true diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl index 6cbda2d4d..24cfd14ad 100644 --- a/charts/ingress-nginx/templates/_helpers.tpl +++ b/charts/ingress-nginx/templates/_helpers.tpl @@ -47,7 +47,6 @@ Controller container security context. {{- else -}} runAsNonRoot: {{ .Values.controller.image.runAsNonRoot }} runAsUser: {{ .Values.controller.image.runAsUser }} -runAsGroup: {{ .Values.controller.image.runAsGroup }} allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }} {{- if .Values.controller.image.seccompProfile }} seccompProfile: {{ toYaml .Values.controller.image.seccompProfile | nindent 2 }} @@ -223,7 +222,6 @@ Default backend container security context. {{- else -}} runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }} runAsUser: {{ .Values.defaultBackend.image.runAsUser }} -runAsGroup: {{ .Values.defaultBackend.image.runAsGroup }} allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }} {{- if .Values.defaultBackend.image.seccompProfile }} seccompProfile: {{ toYaml .Values.defaultBackend.image.seccompProfile | nindent 2 }} @@ -235,6 +233,17 @@ readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem } {{- end -}} {{- end -}} +{{/* +Return the appropriate apiGroup for PodSecurityPolicy. +*/}} +{{- define "podSecurityPolicy.apiGroup" -}} +{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "policy" -}} +{{- else -}} +{{- print "extensions" -}} +{{- end -}} +{{- end -}} + {{/* Extra modules. */}} diff --git a/charts/ingress-nginx/templates/_params.tpl b/charts/ingress-nginx/templates/_params.tpl index 0051dc9c0..48569a8b0 100644 --- a/charts/ingress-nginx/templates/_params.tpl +++ b/charts/ingress-nginx/templates/_params.tpl @@ -1,7 +1,7 @@ {{- define "ingress-nginx.params" -}} - /nginx-ingress-controller -{{- if not .Values.controller.enableAnnotationValidations }} -- --enable-annotation-validation=false +{{- if .Values.controller.enableAnnotationValidations }} +- --enable-annotation-validation=true {{- end }} {{- if .Values.defaultBackend.enabled }} - --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }} @@ -54,7 +54,7 @@ {{- if .Values.controller.watchIngressWithoutClass }} - --watch-ingress-without-class=true {{- end }} -{{- if .Values.controller.metrics.enabled }} +{{- if not .Values.controller.metrics.enabled }} - --enable-metrics={{ .Values.controller.metrics.enabled }} {{- end }} {{- if .Values.controller.enableTopologyAwareRouting }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml index 54af7abb6..a21848201 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml @@ -20,4 +20,14 @@ rules: verbs: - get - update +{{- if .Values.podSecurityPolicy.enabled }} + - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] + resources: ['podsecuritypolicies'] + verbs: ['use'] + {{- with .Values.controller.admissionWebhooks.existingPsp }} + resourceNames: [{{ . }}] + {{- else }} + resourceNames: [{{ include "ingress-nginx.admissionWebhooks.fullname" . }}] + {{- end }} +{{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml index bb31e60ba..176616467 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml @@ -42,7 +42,7 @@ spec: {{- end }} containers: - name: create - {{- with (merge .Values.controller.admissionWebhooks.patch.image .Values.global.image) }} + {{- with .Values.controller.admissionWebhooks.patch.image }} image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} {{- end }} imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }} @@ -67,7 +67,6 @@ spec: {{- end }} restartPolicy: OnFailure serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }} - automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken }} {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }} nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }} {{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml index cf757c98b..f7d44a24d 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml @@ -42,7 +42,7 @@ spec: {{- end }} containers: - name: patch - {{- with (merge .Values.controller.admissionWebhooks.patch.image .Values.global.image) }} + {{- with .Values.controller.admissionWebhooks.patch.image }} image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} {{- end }} imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }} @@ -69,7 +69,6 @@ spec: {{- end }} restartPolicy: OnFailure serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }} - automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken }} {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }} nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }} {{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml new file mode 100644 index 000000000..8e5dc72ac --- /dev/null +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml @@ -0,0 +1,52 @@ +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.podSecurityPolicy.enabled .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*" + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: admission-webhook + {{- with .Values.controller.admissionWebhooks.patch.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + privileged: false + hostPID: false + hostIPC: false + hostNetwork: false + volumes: + - configMap + - downwardAPI + - emptyDir + - secret + - projected + fsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: true + runAsUser: + rule: MustRunAsNonRoot + runAsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + supplementalGroups: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + allowPrivilegeEscalation: false + requiredDropCapabilities: + - ALL + seLinux: + rule: RunAsAny +{{- end }} +{{- end }} diff --git a/charts/ingress-nginx/templates/controller-configmap.yaml b/charts/ingress-nginx/templates/controller-configmap.yaml index b73cdc2d0..22080d115 100644 --- a/charts/ingress-nginx/templates/controller-configmap.yaml +++ b/charts/ingress-nginx/templates/controller-configmap.yaml @@ -13,9 +13,7 @@ metadata: name: {{ include "ingress-nginx.controller.fullname" . }} namespace: {{ include "ingress-nginx.namespace" . }} data: -{{- if .Values.controller.allowSnippetAnnotations }} - allow-snippet-annotations: "true" -{{- end }} + allow-snippet-annotations: "{{ .Values.controller.allowSnippetAnnotations }}" {{- if .Values.controller.addHeaders }} add-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers {{- end }} diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml index 804ff56d9..fcc633d3d 100644 --- a/charts/ingress-nginx/templates/controller-daemonset.yaml +++ b/charts/ingress-nginx/templates/controller-daemonset.yaml @@ -75,7 +75,7 @@ spec: {{- end }} containers: - name: {{ .Values.controller.containerName }} - {{- with (merge .Values.controller.image .Values.global.image) }} + {{- with .Values.controller.image }} image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }} {{- end }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }} @@ -144,9 +144,9 @@ spec: hostPort: {{ $key }} {{- end }} {{- end }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} volumeMounts: - {{- if .Values.controller.extraModules }} + {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} - name: modules {{- if .Values.controller.image.chroot }} mountPath: /chroot/modules_mount @@ -174,7 +174,7 @@ spec: {{- if .Values.controller.extraContainers }} {{- toYaml .Values.controller.extraContainers | nindent 8 }} {{- end }} - {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }} + {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} initContainers: {{- if .Values.controller.extraInitContainers }} {{- toYaml .Values.controller.extraInitContainers | nindent 8 }} @@ -182,7 +182,13 @@ spec: {{- if .Values.controller.extraModules }} {{- range .Values.controller.extraModules }} {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" .name "image" (merge .image $.Values.global.image) "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} + {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} + {{- end }} + {{- end }} + {{- if .Values.controller.opentelemetry.enabled }} + {{- with .Values.controller.opentelemetry }} + {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} + {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} {{- end }} {{- end }} {{- end }} @@ -202,11 +208,10 @@ spec: topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }} {{- end }} serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }} - automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} volumes: - {{- if .Values.controller.extraModules }} + {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}} - name: modules emptyDir: {} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml index da8ce97d3..5211acd0b 100644 --- a/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/charts/ingress-nginx/templates/controller-deployment.yaml @@ -22,9 +22,6 @@ spec: replicas: {{ .Values.controller.replicaCount }} {{- end }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} - {{- if .Values.controller.progressDeadlineSeconds }} - progressDeadlineSeconds: {{ .Values.controller.progressDeadlineSeconds }} - {{- end }} {{- if .Values.controller.updateStrategy }} strategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }} {{- end }} @@ -81,7 +78,7 @@ spec: {{- end }} containers: - name: {{ .Values.controller.containerName }} - {{- with (merge .Values.controller.image .Values.global.image) }} + {{- with .Values.controller.image }} image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }} {{- end }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }} @@ -150,9 +147,9 @@ spec: hostPort: {{ $key }} {{- end }} {{- end }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} volumeMounts: - {{- if .Values.controller.extraModules }} + {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} - name: modules {{- if .Values.controller.image.chroot }} mountPath: /chroot/modules_mount @@ -180,7 +177,7 @@ spec: {{- if .Values.controller.extraContainers }} {{- toYaml .Values.controller.extraContainers | nindent 8 }} {{- end }} - {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }} + {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} initContainers: {{- if .Values.controller.extraInitContainers }} {{- toYaml .Values.controller.extraInitContainers | nindent 8 }} @@ -188,7 +185,13 @@ spec: {{- if .Values.controller.extraModules }} {{- range .Values.controller.extraModules }} {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" .name "image" (merge .image $.Values.global.image) "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} + {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} + {{- end }} + {{- end }} + {{- if .Values.controller.opentelemetry.enabled }} + {{- with .Values.controller.opentelemetry }} + {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} + {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} {{- end }} {{- end }} {{- end }} @@ -208,11 +211,10 @@ spec: topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }} {{- end }} serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }} - automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} volumes: - {{- if .Values.controller.extraModules }} + {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}} - name: modules emptyDir: {} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml index a1f5fbba2..8e0181f9f 100644 --- a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml +++ b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml @@ -32,8 +32,5 @@ spec: {{- else if .Values.controller.maxUnavailable }} maxUnavailable: {{ .Values.controller.maxUnavailable }} {{- end }} - {{- if .Values.controller.unhealthyPodEvictionPolicy }} - unhealthyPodEvictionPolicy: {{ .Values.controller.unhealthyPodEvictionPolicy }} - {{- end }} {{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-prometheusrule.yaml b/charts/ingress-nginx/templates/controller-prometheusrule.yaml index 4a9357f71..41684c370 100644 --- a/charts/ingress-nginx/templates/controller-prometheusrule.yaml +++ b/charts/ingress-nginx/templates/controller-prometheusrule.yaml @@ -14,9 +14,6 @@ metadata: {{- if .Values.controller.metrics.prometheusRule.additionalLabels }} {{- toYaml .Values.controller.metrics.prometheusRule.additionalLabels | nindent 4 }} {{- end }} - {{- if .Values.controller.metrics.prometheusRule.annotations }} - annotations: {{ toYaml .Values.controller.metrics.prometheusRule.annotations | nindent 4 }} - {{- end }} spec: {{- if .Values.controller.metrics.prometheusRule.rules }} groups: diff --git a/charts/ingress-nginx/templates/controller-psp.yaml b/charts/ingress-nginx/templates/controller-psp.yaml new file mode 100644 index 000000000..aad1d2736 --- /dev/null +++ b/charts/ingress-nginx/templates/controller-psp.yaml @@ -0,0 +1,100 @@ +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "ingress-nginx.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*" + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + {{- with .Values.controller.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + privileged: false + hostPID: false + hostIPC: false + hostNetwork: {{ .Values.controller.hostNetwork }} +{{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }} + hostPorts: + {{- if .Values.controller.hostNetwork }} + {{- range $key, $value := .Values.controller.containerPort }} + # controller.containerPort.{{ $key }} + - min: {{ $value }} + max: {{ $value }} + {{- end }} + {{- else if .Values.controller.hostPort.enabled }} + {{- range $key, $value := .Values.controller.hostPort.ports }} + # controller.hostPort.ports.{{ $key }} + - min: {{ $value }} + max: {{ $value }} + {{- end }} + {{- end }} + {{- if .Values.controller.metrics.enabled }} + # controller.metrics.port + - min: {{ .Values.controller.metrics.port }} + max: {{ .Values.controller.metrics.port }} + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + # controller.admissionWebhooks.port + - min: {{ .Values.controller.admissionWebhooks.port }} + max: {{ .Values.controller.admissionWebhooks.port }} + {{- end }} + {{- range $key, $value := .Values.tcp }} + # tcp.{{ $key }} + - min: {{ $key }} + max: {{ $key }} + {{- end }} + {{- range $key, $value := .Values.udp }} + # udp.{{ $key }} + - min: {{ $key }} + max: {{ $key }} + {{- end }} +{{- end }} + volumes: + - configMap + - downwardAPI + - emptyDir + - secret + - projected + fsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + runAsUser: + rule: MustRunAsNonRoot + runAsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + supplementalGroups: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }} + requiredDropCapabilities: + - ALL + allowedCapabilities: + - NET_BIND_SERVICE + {{- if .Values.controller.image.chroot }} + {{- if .Values.controller.image.seccompProfile }} + - SYS_ADMIN + {{- end }} + - SYS_CHROOT + {{- end }} + seLinux: + rule: RunAsAny +{{- if .Values.controller.sysctls }} + allowedUnsafeSysctls: + {{- range $sysctl, $value := .Values.controller.sysctls }} + - {{ $sysctl }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/ingress-nginx/templates/controller-role.yaml b/charts/ingress-nginx/templates/controller-role.yaml index 127b368c4..a94b39978 100644 --- a/charts/ingress-nginx/templates/controller-role.yaml +++ b/charts/ingress-nginx/templates/controller-role.yaml @@ -91,4 +91,14 @@ rules: - list - watch - get +{{- if .Values.podSecurityPolicy.enabled }} + - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] + resources: ['podsecuritypolicies'] + verbs: ['use'] + {{- with .Values.controller.existingPsp }} + resourceNames: [{{ . }}] + {{- else }} + resourceNames: [{{ include "ingress-nginx.fullname" . }}] + {{- end }} +{{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-service-internal.yaml b/charts/ingress-nginx/templates/controller-service-internal.yaml index 8d369526d..6d0b47caf 100644 --- a/charts/ingress-nginx/templates/controller-service-internal.yaml +++ b/charts/ingress-nginx/templates/controller-service-internal.yaml @@ -12,9 +12,6 @@ metadata: {{- if .Values.controller.service.labels }} {{- toYaml .Values.controller.service.labels | nindent 4 }} {{- end }} - {{- if .Values.controller.service.internal.labels }} - {{- toYaml .Values.controller.service.internal.labels | nindent 4 }} - {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }}-internal namespace: {{ include "ingress-nginx.namespace" . }} spec: @@ -22,9 +19,6 @@ spec: {{- if .Values.controller.service.internal.clusterIP }} clusterIP: {{ .Values.controller.service.internal.clusterIP }} {{- end }} -{{- if .Values.controller.service.internal.clusterIPs }} - clusterIPs: {{ toYaml .Values.controller.service.internal.clusterIPs | nindent 4 }} -{{- end }} {{- if .Values.controller.service.internal.externalIPs }} externalIPs: {{ toYaml .Values.controller.service.internal.externalIPs | nindent 4 }} {{- end }} @@ -49,11 +43,6 @@ spec: {{- if .Values.controller.service.internal.healthCheckNodePort }} healthCheckNodePort: {{ .Values.controller.service.internal.healthCheckNodePort }} {{- end }} -{{- if semverCompare ">=1.31.0-0" .Capabilities.KubeVersion.Version -}} -{{- if .Values.controller.service.internal.trafficDistribution }} - trafficDistribution: {{ .Values.controller.service.internal.trafficDistribution }} -{{- end }} -{{- end }} {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version -}} {{- if .Values.controller.service.internal.ipFamilyPolicy }} ipFamilyPolicy: {{ .Values.controller.service.internal.ipFamilyPolicy }} diff --git a/charts/ingress-nginx/templates/controller-service-metrics.yaml b/charts/ingress-nginx/templates/controller-service-metrics.yaml index 4b25a840e..7c153295f 100644 --- a/charts/ingress-nginx/templates/controller-service-metrics.yaml +++ b/charts/ingress-nginx/templates/controller-service-metrics.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.service.enabled -}} +{{- if .Values.controller.metrics.enabled -}} apiVersion: v1 kind: Service metadata: diff --git a/charts/ingress-nginx/templates/controller-service.yaml b/charts/ingress-nginx/templates/controller-service.yaml index 36d2e4884..cb78a7035 100644 --- a/charts/ingress-nginx/templates/controller-service.yaml +++ b/charts/ingress-nginx/templates/controller-service.yaml @@ -12,9 +12,6 @@ metadata: {{- if .Values.controller.service.labels }} {{- toYaml .Values.controller.service.labels | nindent 4 }} {{- end }} - {{- if .Values.controller.service.external.labels }} - {{- toYaml .Values.controller.service.external.labels | nindent 4 }} - {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }} namespace: {{ include "ingress-nginx.namespace" . }} spec: @@ -22,9 +19,6 @@ spec: {{- if .Values.controller.service.clusterIP }} clusterIP: {{ .Values.controller.service.clusterIP }} {{- end }} -{{- if .Values.controller.service.clusterIPs }} - clusterIPs: {{ toYaml .Values.controller.service.clusterIPs | nindent 4 }} -{{- end }} {{- if .Values.controller.service.externalIPs }} externalIPs: {{ toYaml .Values.controller.service.externalIPs | nindent 4 }} {{- end }} @@ -49,11 +43,6 @@ spec: {{- if .Values.controller.service.healthCheckNodePort }} healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} {{- end }} -{{- if semverCompare ">=1.31.0-0" .Capabilities.KubeVersion.Version -}} -{{- if .Values.controller.service.trafficDistribution }} - trafficDistribution: {{ .Values.controller.service.trafficDistribution }} -{{- end }} -{{- end }} {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version -}} {{- if .Values.controller.service.ipFamilyPolicy }} ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy }} diff --git a/charts/ingress-nginx/templates/controller-servicemonitor.yaml b/charts/ingress-nginx/templates/controller-servicemonitor.yaml index 85bb84186..93ab4d242 100644 --- a/charts/ingress-nginx/templates/controller-servicemonitor.yaml +++ b/charts/ingress-nginx/templates/controller-servicemonitor.yaml @@ -47,19 +47,4 @@ spec: {{- if .Values.controller.metrics.serviceMonitor.targetLabels }} targetLabels: {{ toYaml .Values.controller.metrics.serviceMonitor.targetLabels | nindent 2 }} {{- end }} - {{- if .Values.controller.metrics.serviceMonitor.labelLimit }} - labelLimit: {{ .Values.controller.metrics.serviceMonitor.labelLimit }} - {{- end }} - {{- if .Values.controller.metrics.serviceMonitor.labelNameLengthLimit }} - labelNameLengthLimit: {{ .Values.controller.metrics.serviceMonitor.labelNameLengthLimit }} - {{- end }} - {{- if .Values.controller.metrics.serviceMonitor.labelValueLengthLimit }} - labelValueLengthLimit: {{ .Values.controller.metrics.serviceMonitor.labelValueLengthLimit }} - {{- end }} - {{- if .Values.controller.metrics.serviceMonitor.sampleLimit }} - sampleLimit: {{ .Values.controller.metrics.serviceMonitor.sampleLimit }} - {{- end }} - {{- if .Values.controller.metrics.serviceMonitor.targetLimit }} - targetLimit: {{ .Values.controller.metrics.serviceMonitor.targetLimit }} - {{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-deployment.yaml b/charts/ingress-nginx/templates/default-backend-deployment.yaml index 4a17f7444..6755e2378 100644 --- a/charts/ingress-nginx/templates/default-backend-deployment.yaml +++ b/charts/ingress-nginx/templates/default-backend-deployment.yaml @@ -50,7 +50,7 @@ spec: {{- end }} containers: - name: {{ template "ingress-nginx.name" . }}-default-backend - {{- with (merge .Values.defaultBackend.image .Values.global.image) }} + {{- with .Values.defaultBackend.image }} image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} {{- end }} imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }} @@ -103,7 +103,6 @@ spec: nodeSelector: {{ toYaml .Values.defaultBackend.nodeSelector | nindent 8 }} {{- end }} serviceAccountName: {{ include "ingress-nginx.defaultBackend.serviceAccountName" . }} - automountServiceAccountToken: {{ .Values.defaultBackend.serviceAccount.automountServiceAccountToken }} {{- if .Values.defaultBackend.tolerations }} tolerations: {{ toYaml .Values.defaultBackend.tolerations | nindent 8 }} {{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml index e399ea8a4..c8363fd4b 100644 --- a/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml +++ b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml @@ -20,13 +20,6 @@ spec: matchLabels: {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} app.kubernetes.io/component: default-backend - {{- if and .Values.defaultBackend.minAvailable (not (hasKey .Values.defaultBackend "maxUnavailable")) }} minAvailable: {{ .Values.defaultBackend.minAvailable }} - {{- else if .Values.defaultBackend.maxUnavailable }} - maxUnavailable: {{ .Values.defaultBackend.maxUnavailable }} - {{- end }} - {{- if .Values.defaultBackend.unhealthyPodEvictionPolicy }} - unhealthyPodEvictionPolicy: {{ .Values.defaultBackend.unhealthyPodEvictionPolicy }} - {{- end }} {{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-psp.yaml b/charts/ingress-nginx/templates/default-backend-psp.yaml new file mode 100644 index 000000000..424109109 --- /dev/null +++ b/charts/ingress-nginx/templates/default-backend-psp.yaml @@ -0,0 +1,50 @@ +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingPsp) -}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "ingress-nginx.fullname" . }}-backend + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*" + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: default-backend + {{- with .Values.defaultBackend.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + privileged: false + hostPID: false + hostIPC: false + hostNetwork: false + volumes: + - configMap + - downwardAPI + - emptyDir + - secret + - projected + fsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: true + runAsUser: + rule: MustRunAsNonRoot + runAsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + supplementalGroups: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + allowPrivilegeEscalation: false + requiredDropCapabilities: + - ALL + seLinux: + rule: RunAsAny +{{- end }} +{{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-role.yaml b/charts/ingress-nginx/templates/default-backend-role.yaml new file mode 100644 index 000000000..dd7868aa0 --- /dev/null +++ b/charts/ingress-nginx/templates/default-backend-role.yaml @@ -0,0 +1,22 @@ +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: default-backend + {{- with .Values.defaultBackend.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "ingress-nginx.fullname" . }}-backend + namespace: {{ include "ingress-nginx.namespace" . }} +rules: + - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] + resources: ['podsecuritypolicies'] + verbs: ['use'] + {{- with .Values.defaultBackend.existingPsp }} + resourceNames: [{{ . }}] + {{- else }} + resourceNames: [{{ include "ingress-nginx.fullname" . }}-backend] + {{- end }} +{{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-rolebinding.yaml b/charts/ingress-nginx/templates/default-backend-rolebinding.yaml new file mode 100644 index 000000000..3203b6f57 --- /dev/null +++ b/charts/ingress-nginx/templates/default-backend-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: default-backend + {{- with .Values.defaultBackend.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "ingress-nginx.fullname" . }}-backend + namespace: {{ include "ingress-nginx.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "ingress-nginx.fullname" . }}-backend +subjects: + - kind: ServiceAccount + name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} + namespace: {{ include "ingress-nginx.namespace" . }} +{{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-service.yaml b/charts/ingress-nginx/templates/default-backend-service.yaml index 5a836365b..65b6b8362 100644 --- a/charts/ingress-nginx/templates/default-backend-service.yaml +++ b/charts/ingress-nginx/templates/default-backend-service.yaml @@ -18,9 +18,6 @@ spec: {{- if .Values.defaultBackend.service.clusterIP }} clusterIP: {{ .Values.defaultBackend.service.clusterIP }} {{- end }} -{{- if .Values.defaultBackend.service.clusterIPs }} - clusterIPs: {{ toYaml .Values.defaultBackend.service.clusterIPs | nindent 4 }} -{{- end }} {{- if .Values.defaultBackend.service.externalIPs }} externalIPs: {{ toYaml .Values.defaultBackend.service.externalIPs | nindent 4 }} {{- end }} diff --git a/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-createSecret_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-createSecret_test.yaml deleted file mode 100644 index b5272553b..000000000 --- a/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-createSecret_test.yaml +++ /dev/null @@ -1,12 +0,0 @@ -suite: Admission Webhooks > Patch Job > Create Secret Job -templates: - - admission-webhooks/job-patch/job-createSecret.yaml - -tests: - - it: should create a Job with token auto-mounting disabled if `controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken` is false - set: - controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false - asserts: - - equal: - path: spec.template.spec.automountServiceAccountToken - value: false diff --git a/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-patchWebhook_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-patchWebhook_test.yaml deleted file mode 100644 index ca4c6b4c2..000000000 --- a/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-patchWebhook_test.yaml +++ /dev/null @@ -1,12 +0,0 @@ -suite: Admission Webhooks > Patch Job > Patch Webhook Job -templates: - - admission-webhooks/job-patch/job-patchWebhook.yaml - -tests: - - it: should create a Job with token auto-mounting disabled if `controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken` is false - set: - controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false - asserts: - - equal: - path: spec.template.spec.automountServiceAccountToken - value: false diff --git a/charts/ingress-nginx/tests/controller-daemonset_test.yaml b/charts/ingress-nginx/tests/controller-daemonset_test.yaml index 0321fd376..81d067bb5 100644 --- a/charts/ingress-nginx/tests/controller-daemonset_test.yaml +++ b/charts/ingress-nginx/tests/controller-daemonset_test.yaml @@ -15,23 +15,23 @@ tests: path: metadata.name value: RELEASE-NAME-ingress-nginx-controller - - it: should create a DaemonSet with argument `--enable-metrics=true` if `controller.metrics.enabled` is true - set: - controller.kind: DaemonSet - controller.metrics.enabled: true - asserts: - - contains: - path: spec.template.spec.containers[0].args - content: --enable-metrics=true - - - it: should create a DaemonSet without argument `--enable-metrics=true` if `controller.metrics.enabled` is false + - it: should create a DaemonSet with argument `--enable-metrics=false` if `controller.metrics.enabled` is false set: controller.kind: DaemonSet controller.metrics.enabled: false + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: --enable-metrics=false + + - it: should create a DaemonSet without argument `--enable-metrics=false` if `controller.metrics.enabled` is true + set: + controller.kind: DaemonSet + controller.metrics.enabled: true asserts: - notContains: path: spec.template.spec.containers[0].args - content: --enable-metrics=true + content: --enable-metrics=false - it: should create a DaemonSet with argument `--controller-class=k8s.io/ingress-nginx-internal` if `controller.ingressClassResource.controllerValue` is "k8s.io/ingress-nginx-internal" set: @@ -139,26 +139,6 @@ tests: - controller topologyKey: kubernetes.io/hostname - - it: should create a DaemonSet with `runAsGroup` if `controller.image.runAsGroup` is set - set: - controller.kind: DaemonSet - controller.image.runAsGroup: 1000 - asserts: - - equal: - path: spec.template.spec.containers[0].securityContext.runAsGroup - value: 1000 - - - it: should create a DaemonSet with a custom registry if `global.image.registry` is set - set: - global.image.registry: custom.registry.io - controller.kind: DaemonSet - controller.image.tag: v1.0.0-dev - controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd - asserts: - - equal: - path: spec.template.spec.containers[0].image - value: custom.registry.io/ingress-nginx/controller:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd - - it: should create a DaemonSet with a custom registry if `controller.image.registry` is set set: controller.kind: DaemonSet @@ -190,12 +170,3 @@ tests: - equal: path: spec.template.spec.containers[0].image value: registry.k8s.io/ingress-nginx/controller:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd - - - it: should create a DaemonSet with token auto-mounting disabled if `serviceAccount.automountServiceAccountToken` is false - set: - controller.kind: DaemonSet - serviceAccount.automountServiceAccountToken: false - asserts: - - equal: - path: spec.template.spec.automountServiceAccountToken - value: false diff --git a/charts/ingress-nginx/tests/controller-deployment_test.yaml b/charts/ingress-nginx/tests/controller-deployment_test.yaml index 18306079e..382aecd71 100644 --- a/charts/ingress-nginx/tests/controller-deployment_test.yaml +++ b/charts/ingress-nginx/tests/controller-deployment_test.yaml @@ -43,21 +43,21 @@ tests: - exists: path: spec.replicas - - it: should create a Deployment with argument `--enable-metrics=true` if `controller.metrics.enabled` is true - set: - controller.metrics.enabled: true - asserts: - - contains: - path: spec.template.spec.containers[0].args - content: --enable-metrics=true - - - it: should create a Deployment without argument `--enable-metrics=true` if `controller.metrics.enabled` is false + - it: should create a Deployment with argument `--enable-metrics=false` if `controller.metrics.enabled` is false set: controller.metrics.enabled: false + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: --enable-metrics=false + + - it: should create a Deployment without argument `--enable-metrics=false` if `controller.metrics.enabled` is true + set: + controller.metrics.enabled: true asserts: - notContains: path: spec.template.spec.containers[0].args - content: --enable-metrics=true + content: --enable-metrics=false - it: should create a Deployment with argument `--controller-class=k8s.io/ingress-nginx-internal` if `controller.ingressClassResource.controllerValue` is "k8s.io/ingress-nginx-internal" set: @@ -161,24 +161,6 @@ tests: - controller topologyKey: kubernetes.io/hostname - - it: should create a Deployment with `runAsGroup` if `controller.image.runAsGroup` is set - set: - controller.image.runAsGroup: 1000 - asserts: - - equal: - path: spec.template.spec.containers[0].securityContext.runAsGroup - value: 1000 - - - it: should create a Deployment with a custom registry if `global.image.registry` is set - set: - global.image.registry: custom.registry.io - controller.image.tag: v1.0.0-dev - controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd - asserts: - - equal: - path: spec.template.spec.containers[0].image - value: custom.registry.io/ingress-nginx/controller:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd - - it: should create a Deployment with a custom registry if `controller.image.registry` is set set: controller.image.registry: custom.registry.io @@ -207,19 +189,3 @@ tests: - equal: path: spec.template.spec.containers[0].image value: registry.k8s.io/ingress-nginx/controller:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd - - - it: should create a Deployment with `progressDeadlineSeconds` if `controller.progressDeadlineSeconds` is set - set: - controller.progressDeadlineSeconds: 111 - asserts: - - equal: - path: spec.progressDeadlineSeconds - value: 111 - - - it: should create a Deployment with token auto-mounting disabled if `serviceAccount.automountServiceAccountToken` is false - set: - serviceAccount.automountServiceAccountToken: false - asserts: - - equal: - path: spec.template.spec.automountServiceAccountToken - value: false diff --git a/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml b/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml index 5ac986fc7..f215f3520 100644 --- a/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml +++ b/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml @@ -87,16 +87,3 @@ tests: - equal: path: spec.maxUnavailable value: 1 - - - it: should create a PodDisruptionBudget with `unhealthyPodEvictionPolicy` if `controller.unhealthyPodEvictionPolicy` is set - set: - controller.replicaCount: 2 - controller.unhealthyPodEvictionPolicy: IfHealthyBudget - asserts: - - hasDocuments: - count: 1 - - isKind: - of: PodDisruptionBudget - - equal: - path: spec.unhealthyPodEvictionPolicy - value: IfHealthyBudget diff --git a/charts/ingress-nginx/tests/controller-prometheusrule_test.yaml b/charts/ingress-nginx/tests/controller-prometheusrule_test.yaml index 2d330919d..d60a98315 100644 --- a/charts/ingress-nginx/tests/controller-prometheusrule_test.yaml +++ b/charts/ingress-nginx/tests/controller-prometheusrule_test.yaml @@ -15,15 +15,3 @@ tests: - equal: path: metadata.name value: RELEASE-NAME-ingress-nginx-controller - - - it: should create a PrometheusRule with annotations if `controller.metrics.prometheusRule.annotations` is set - set: - controller.metrics.enabled: true - controller.metrics.prometheusRule.enabled: true - controller.metrics.prometheusRule.annotations: - my-little-annotation: test-value - asserts: - - equal: - path: metadata.annotations - value: - my-little-annotation: test-value diff --git a/charts/ingress-nginx/tests/controller-service-internal_test.yaml b/charts/ingress-nginx/tests/controller-service-internal_test.yaml index c0ece07d5..5465e1a2b 100644 --- a/charts/ingress-nginx/tests/controller-service-internal_test.yaml +++ b/charts/ingress-nginx/tests/controller-service-internal_test.yaml @@ -23,53 +23,3 @@ tests: - equal: path: metadata.name value: RELEASE-NAME-ingress-nginx-controller-internal - - - it: should create a Service without `clusterIPs` if `controller.service.internal.clusterIPs` is not set - set: - controller.service.internal.enabled: true - controller.service.internal.annotations: - test.annotation: "true" - asserts: - - notExists: - path: spec.clusterIPs - - - it: should create a Service with `clusterIPs` if `controller.service.internal.clusterIPs` is set - set: - controller.service.internal.enabled: true - controller.service.internal.annotations: - test.annotation: "true" - controller.service.internal.clusterIPs: - - 10.0.0.1 - - fd00::1 - asserts: - - equal: - path: spec.clusterIPs - value: - - 10.0.0.1 - - fd00::1 - - - it: should create a Service with `trafficDistribution` if `controller.service.internal.trafficDistribution` is set - capabilities: - majorVersion: 1 - minorVersion: 31 - set: - controller.service.internal.enabled: true - controller.service.internal.annotations: - test.annotation: "true" - controller.service.internal.trafficDistribution: PreferClose - asserts: - - equal: - path: spec.trafficDistribution - value: PreferClose - - - it: should create a Service with labels if `controller.service.internal.labels` is set - set: - controller.service.internal.enabled: true - controller.service.internal.annotations: - test.annotation: "true" - controller.service.internal.labels: - external-dns.alpha.kubernetes.io/hostname: internal.example.com - asserts: - - equal: - path: metadata.labels["external-dns.alpha.kubernetes.io/hostname"] - value: internal.example.com diff --git a/charts/ingress-nginx/tests/controller-service-metrics_test.yaml b/charts/ingress-nginx/tests/controller-service-metrics_test.yaml index ddb412e5b..afdb94046 100644 --- a/charts/ingress-nginx/tests/controller-service-metrics_test.yaml +++ b/charts/ingress-nginx/tests/controller-service-metrics_test.yaml @@ -3,34 +3,16 @@ templates: - controller-service-metrics.yaml tests: - - it: should not create a metrics Service if `controller.metrics.enabled` is false and `controller.metrics.service.enabled` is false + - it: should not create a metrics Service if `controller.metrics.enabled` is false set: controller.metrics.enabled: false - controller.metrics.service.enabled: false asserts: - hasDocuments: count: 0 - - it: should not create a metrics Service if `controller.metrics.enabled` is false and `controller.metrics.service.enabled` is true - set: - controller.metrics.enabled: false - controller.metrics.service.enabled: true - asserts: - - hasDocuments: - count: 0 - - - it: should not create a metrics Service if `controller.metrics.enabled` is true and `controller.metrics.service.enabled` is false + - it: should create a metrics Service if `controller.metrics.enabled` is true set: controller.metrics.enabled: true - controller.metrics.service.enabled: false - asserts: - - hasDocuments: - count: 0 - - - it: should create a metrics Service if `controller.metrics.enabled` is true and `controller.metrics.service.enabled` is true - set: - controller.metrics.enabled: true - controller.metrics.service.enabled: true asserts: - hasDocuments: count: 1 diff --git a/charts/ingress-nginx/tests/controller-service_test.yaml b/charts/ingress-nginx/tests/controller-service_test.yaml index f3e8cf030..10574f227 100644 --- a/charts/ingress-nginx/tests/controller-service_test.yaml +++ b/charts/ingress-nginx/tests/controller-service_test.yaml @@ -30,45 +30,3 @@ tests: - equal: path: spec.type value: NodePort - - - it: should create a Service without `clusterIPs` if `controller.service.clusterIPs` is not set - set: - controller.service.external.enabled: true - asserts: - - notExists: - path: spec.clusterIPs - - - it: should create a Service with `clusterIPs` if `controller.service.clusterIPs` is set - set: - controller.service.external.enabled: true - controller.service.clusterIPs: - - 10.0.0.1 - - fd00::1 - asserts: - - equal: - path: spec.clusterIPs - value: - - 10.0.0.1 - - fd00::1 - - - it: should create a Service with `trafficDistribution` if `controller.service.trafficDistribution` is set - capabilities: - majorVersion: 1 - minorVersion: 31 - set: - controller.service.external.enabled: true - controller.service.trafficDistribution: PreferClose - asserts: - - equal: - path: spec.trafficDistribution - value: PreferClose - - - it: should create a Service with labels if `controller.service.external.labels` is set - set: - controller.service.external.enabled: true - controller.service.external.labels: - external-dns.alpha.kubernetes.io/hostname: external.example.com - asserts: - - equal: - path: metadata.labels["external-dns.alpha.kubernetes.io/hostname"] - value: external.example.com diff --git a/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml b/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml index 7edee98c5..310097c1a 100644 --- a/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml +++ b/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml @@ -27,53 +27,3 @@ tests: path: metadata.annotations value: my-little-annotation: test-value - - - it: should create a ServiceMonitor with `labelLimit` if `controller.metrics.serviceMonitor.labelLimit` is set - set: - controller.metrics.enabled: true - controller.metrics.serviceMonitor.enabled: true - controller.metrics.serviceMonitor.labelLimit: 20 - asserts: - - equal: - path: spec.labelLimit - value: 20 - - - it: should create a ServiceMonitor with `labelNameLengthLimit` if `controller.metrics.serviceMonitor.labelNameLengthLimit` is set - set: - controller.metrics.enabled: true - controller.metrics.serviceMonitor.enabled: true - controller.metrics.serviceMonitor.labelNameLengthLimit: 50 - asserts: - - equal: - path: spec.labelNameLengthLimit - value: 50 - - - it: should create a ServiceMonitor with `labelValueLengthLimit` if `controller.metrics.serviceMonitor.labelValueLengthLimit` is set - set: - controller.metrics.enabled: true - controller.metrics.serviceMonitor.enabled: true - controller.metrics.serviceMonitor.labelValueLengthLimit: 50 - asserts: - - equal: - path: spec.labelValueLengthLimit - value: 50 - - - it: should create a ServiceMonitor with `sampleLimit` if `controller.metrics.serviceMonitor.sampleLimit` is set - set: - controller.metrics.enabled: true - controller.metrics.serviceMonitor.enabled: true - controller.metrics.serviceMonitor.sampleLimit: 5000 - asserts: - - equal: - path: spec.sampleLimit - value: 5000 - - - it: should create a ServiceMonitor with `targetLimit` if `controller.metrics.serviceMonitor.targetLimit` is set - set: - controller.metrics.enabled: true - controller.metrics.serviceMonitor.enabled: true - controller.metrics.serviceMonitor.targetLimit: 100 - asserts: - - equal: - path: spec.targetLimit - value: 100 diff --git a/charts/ingress-nginx/tests/default-backend-deployment_test.yaml b/charts/ingress-nginx/tests/default-backend-deployment_test.yaml index 11d400c46..4ba4b03d3 100644 --- a/charts/ingress-nginx/tests/default-backend-deployment_test.yaml +++ b/charts/ingress-nginx/tests/default-backend-deployment_test.yaml @@ -136,26 +136,6 @@ tests: - default-backend topologyKey: kubernetes.io/hostname - - it: should create a Deployment with `runAsGroup` if `defaultBackend.image.runAsGroup` is set - set: - defaultBackend.enabled: true - defaultBackend.image.runAsGroup: 1000 - asserts: - - equal: - path: spec.template.spec.containers[0].securityContext.runAsGroup - value: 1000 - - - it: should create a Deployment with a custom registry if `global.image.registry` is set - set: - global.image.registry: custom.registry.io - defaultBackend.enabled: true - defaultBackend.image.tag: v1.0.0-dev - defaultBackend.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd - asserts: - - equal: - path: spec.template.spec.containers[0].image - value: custom.registry.io/defaultbackend-amd64:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd - - it: should create a Deployment with a custom registry if `defaultBackend.image.registry` is set set: defaultBackend.enabled: true @@ -187,12 +167,3 @@ tests: - equal: path: spec.template.spec.containers[0].image value: registry.k8s.io/defaultbackend-amd64:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd - - - it: should create a Deployment with token auto-mounting disabled if `defaultBackend.serviceAccount.automountServiceAccountToken` is false - set: - defaultBackend.enabled: true - defaultBackend.serviceAccount.automountServiceAccountToken: false - asserts: - - equal: - path: spec.template.spec.automountServiceAccountToken - value: false diff --git a/charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml b/charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml index bfe98e883..095801862 100644 --- a/charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml +++ b/charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml @@ -46,34 +46,3 @@ tests: asserts: - hasDocuments: count: 0 - - - it: should create a PodDisruptionBudget without `minAvailable` and with `maxUnavailable` if `defaultBackend.minAvailable` and `defaultBackend.maxUnavailable` are set - set: - defaultBackend.enabled: true - defaultBackend.replicaCount: 2 - defaultBackend.minAvailable: 1 - defaultBackend.maxUnavailable: 1 - asserts: - - hasDocuments: - count: 1 - - isKind: - of: PodDisruptionBudget - - notExists: - path: spec.minAvailable - - equal: - path: spec.maxUnavailable - value: 1 - - - it: should create a PodDisruptionBudget with `unhealthyPodEvictionPolicy` if `defaultBackend.unhealthyPodEvictionPolicy` is set - set: - defaultBackend.enabled: true - defaultBackend.replicaCount: 2 - defaultBackend.unhealthyPodEvictionPolicy: IfHealthyBudget - asserts: - - hasDocuments: - count: 1 - - isKind: - of: PodDisruptionBudget - - equal: - path: spec.unhealthyPodEvictionPolicy - value: IfHealthyBudget diff --git a/charts/ingress-nginx/tests/default-backend-service_test.yaml b/charts/ingress-nginx/tests/default-backend-service_test.yaml index 521d82091..f16904f9f 100644 --- a/charts/ingress-nginx/tests/default-backend-service_test.yaml +++ b/charts/ingress-nginx/tests/default-backend-service_test.yaml @@ -30,23 +30,3 @@ tests: - equal: path: spec.ports[0].port value: 80 - - - it: should create a Service without `clusterIPs` if `defaultBackend.service.clusterIPs` is not set - set: - defaultBackend.enabled: true - asserts: - - notExists: - path: spec.clusterIPs - - - it: should create a Service with `clusterIPs` if `defaultBackend.service.clusterIPs` is set - set: - defaultBackend.enabled: true - defaultBackend.service.clusterIPs: - - 10.0.0.1 - - fd00::1 - asserts: - - equal: - path: spec.clusterIPs - value: - - 10.0.0.1 - - fd00::1 diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index ccebb9ceb..02a024cb5 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -2,10 +2,6 @@ ## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/index.md ## -global: - image: - # -- Registry host to pull images from. - registry: registry.k8s.io ## Overrides for generated resource names # See templates/_helpers.tpl # nameOverride: @@ -21,30 +17,28 @@ commonLabels: {} controller: name: controller - enableAnnotationValidations: true + enableAnnotationValidations: false image: ## Keep false as default for now! chroot: false - # registry: registry.k8s.io + registry: registry.k8s.io image: ingress-nginx/controller ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: "v1.12.0" - digest: sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa - digestChroot: sha256:87c88e1c38a6c8d4483c8f70b69e2cca49853bb3ec3124b9b1be648edf139af3 + tag: "v1.11.4" + digest: sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52 + digestChroot: sha256:f29d0f9e7a9ef4947eda59ed0c09ec13380b13639d1518cf1ab8ec09c3e22ef8 pullPolicy: IfNotPresent runAsNonRoot: true - # -- This value must not be changed using the official image. - # uid=101(www-data) gid=82(www-data) groups=82(www-data) + # www-data -> uid 101 runAsUser: 101 - # -- This value must not be changed using the official image. - # uid=101(www-data) gid=82(www-data) groups=82(www-data) - runAsGroup: 82 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault readOnlyRootFilesystem: false + # -- Use an existing PSP instead of creating one + existingPsp: "" # -- Configures the controller container name containerName: controller # -- Configures the ports that the nginx-controller listens on @@ -240,9 +234,6 @@ controller: # maxUnavailable: 1 # type: RollingUpdate - # -- Specifies the number of seconds you want to wait for the controller deployment to progress before the system reports back that it has failed. - # Ref.: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds - progressDeadlineSeconds: 0 # -- `minReadySeconds` to avoid killing pods before we are ready ## minReadySeconds: 0 @@ -385,9 +376,7 @@ controller: minAvailable: 1 # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" + ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes ## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903 ## Ideally, there should be no limits. @@ -486,8 +475,6 @@ controller: external: # -- Enable the external controller service or not. Useful for internal-only deployments. enabled: true - # -- Labels to be added to the external controller service. - labels: {} # -- Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service. annotations: {} # -- Labels to be added to both controller services. @@ -499,10 +486,6 @@ controller: # This value is immutable. Set once, it can not be changed without deleting and re-creating the service. # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address clusterIP: "" - # -- Pre-defined cluster internal IP addresses of the external controller service. Take care of collisions with existing services. - # This value is immutable. Set once, it can not be changed without deleting and re-creating the service. - # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address - clusterIPs: [] # -- List of node IP addresses at which the external controller service is available. # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips externalIPs: [] @@ -529,10 +512,6 @@ controller: # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip # healthCheckNodePort: 0 - # -- Traffic distribution policy of the external controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client. - # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution - trafficDistribution: "" - # -- Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. # Fields `ipFamilies` and `clusterIP` depend on the value of this field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services @@ -576,8 +555,6 @@ controller: internal: # -- Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this. enabled: false - # -- Labels to be added to the internal controller service. - labels: {} # -- Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service. # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer annotations: {} @@ -589,10 +566,6 @@ controller: # This value is immutable. Set once, it can not be changed without deleting and re-creating the service. # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address clusterIP: "" - # -- Pre-defined cluster internal IP addresses of the internal controller service. Take care of collisions with existing services. - # This value is immutable. Set once, it can not be changed without deleting and re-creating the service. - # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address - clusterIPs: [] # -- List of node IP addresses at which the internal controller service is available. # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips externalIPs: [] @@ -619,10 +592,6 @@ controller: # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip # healthCheckNodePort: 0 - # -- Traffic distribution policy of the internal controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client. - # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution - trafficDistribution: "" - # -- Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. # Fields `ipFamilies` and `clusterIP` depend on the value of this field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services @@ -708,11 +677,11 @@ controller: # image: busybox # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] - # -- Modules, which are mounted into the core nginx image. + # -- Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module extraModules: [] # - name: mytestmodule # image: - # # registry: registry.k8s.io + # registry: registry.k8s.io # image: ingress-nginx/mytestmodule # ## for backwards compatibility consider setting the full image url via the repository value below # ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail @@ -723,7 +692,6 @@ controller: # containerSecurityContext: # runAsNonRoot: true # runAsUser: - # runAsGroup: # allowPrivilegeEscalation: false # seccompProfile: # type: RuntimeDefault @@ -737,6 +705,30 @@ controller: # will be executed as initContainers, to move its config files within the # mounted volume. + opentelemetry: + enabled: false + name: opentelemetry + image: + registry: registry.k8s.io + image: ingress-nginx/opentelemetry-1.25.3 + ## for backwards compatibility consider setting the full image url via the repository value below + ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + ## repository: + tag: v20240813-b933310d + digest: sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922 + distroless: true + containerSecurityContext: + runAsNonRoot: true + # -- The image's default user, inherited from its base image `cgr.dev/chainguard/static`. + runAsUser: 65532 + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + resources: {} admissionWebhooks: name: admission annotations: {} @@ -764,6 +756,8 @@ controller: objectSelector: {} # -- Labels to be added to admission webhooks labels: {} + # -- Use an existing PSP instead of creating one + existingPsp: "" service: annotations: {} # clusterIP: "" @@ -778,7 +772,6 @@ controller: securityContext: runAsNonRoot: true runAsUser: 65532 - runAsGroup: 65532 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault @@ -799,7 +792,6 @@ controller: securityContext: runAsNonRoot: true runAsUser: 65532 - runAsGroup: 65532 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault @@ -811,13 +803,13 @@ controller: patch: enabled: true image: - # registry: registry.k8s.io + registry: registry.k8s.io image: ingress-nginx/kube-webhook-certgen ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: v1.5.1 - digest: sha256:0de05718b59dc33b57ddfb4d8ad5f637cefd13eafdec0e1579d782b3483c27c3 + tag: v1.5.0 + digest: sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4 pullPolicy: IfNotPresent # -- Provide a priority class name to the webhook patching job ## @@ -865,8 +857,6 @@ controller: # if this port is changed, change healthz-port: in extraArgs: accordingly enabled: false service: - # -- Enable the metrics service or not. - enabled: true annotations: {} # prometheus.io/scrape: "true" # prometheus.io/port: "10254" @@ -902,21 +892,9 @@ controller: targetLabels: [] relabelings: [] metricRelabelings: [] - # -- Per-scrape limit on number of labels that will be accepted for a sample. - labelLimit: 0 - # -- Per-scrape limit on length of labels name that will be accepted for a sample. - labelNameLengthLimit: 0 - # -- Per-scrape limit on length of labels value that will be accepted for a sample. - labelValueLengthLimit: 0 - # -- Defines a per-scrape limit on the number of scraped samples that will be accepted. - sampleLimit: 0 - # -- Defines a limit on the number of scraped targets that will be accepted. - targetLimit: 0 prometheusRule: enabled: false additionalLabels: {} - # -- Annotations to be added to the PrometheusRule. - annotations: {} # namespace: "" rules: [] # # These are just examples rules, please adapt them to your needs @@ -980,7 +958,7 @@ defaultBackend: enabled: false name: defaultbackend image: - # registry: registry.k8s.io + registry: registry.k8s.io image: defaultbackend-amd64 ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail @@ -990,11 +968,12 @@ defaultBackend: runAsNonRoot: true # nobody user -> uid 65534 runAsUser: 65534 - runAsGroup: 65534 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault readOnlyRootFilesystem: true + # -- Use an existing PSP instead of creating one + existingPsp: "" extraArgs: {} serviceAccount: create: true @@ -1121,13 +1100,7 @@ defaultBackend: podAnnotations: {} replicaCount: 1 # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" resources: {} # limits: # cpu: 10m @@ -1175,10 +1148,6 @@ defaultBackend: service: annotations: {} # clusterIP: "" - # -- Pre-defined cluster internal IP addresses of the default backend service. Take care of collisions with existing services. - # This value is immutable. Set once, it can not be changed without deleting and re-creating the service. - # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address - clusterIPs: [] # -- List of IP addresses at which the default backend service is available ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips @@ -1195,6 +1164,10 @@ defaultBackend: rbac: create: true scope: false +## If true, create & use Pod Security Policy resources +## https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +podSecurityPolicy: + enabled: false serviceAccount: create: true name: "" diff --git a/cloudbuild.yaml b/cloudbuild.yaml index 0bb2b60a4..88ba9b935 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -2,9 +2,9 @@ options: # Ignore Prow provided substitutions. substitution_option: ALLOW_LOOSE steps: - - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20250116-2a05ea7e3d + - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20241217-ff46a068cd env: - - REGISTRY=us-central1-docker.pkg.dev/k8s-staging-images/ingress-nginx + - REGISTRY=gcr.io/k8s-staging-ingress-nginx - REPO_INFO=https://github.com/kubernetes/ingress-nginx - COMMIT_SHA=${_PULL_BASE_SHA} - BUILD_ID=${BUILD_ID} diff --git a/cmd/dataplane/main.go b/cmd/dataplane/main.go index e7e4dc38f..65f898df6 100644 --- a/cmd/dataplane/main.go +++ b/cmd/dataplane/main.go @@ -66,7 +66,7 @@ func main() { mc := metric.NewDummyCollector() if conf.EnableMetrics { // TODO: Ingress class is not a part of dataplane anymore - mc, err = metric.NewCollector(conf.MetricsPerHost, conf.MetricsPerUndefinedHost, conf.ReportStatusClasses, reg, conf.IngressClassConfiguration.Controller, *conf.MetricsBuckets, conf.MetricsBucketFactor, conf.MetricsMaxBuckets, conf.ExcludeSocketMetrics) + mc, err = metric.NewCollector(conf.MetricsPerHost, conf.ReportStatusClasses, reg, conf.IngressClassConfiguration.Controller, *conf.MetricsBuckets, conf.ExcludeSocketMetrics) if err != nil { klog.Fatalf("Error creating prometheus collector: %v", err) } diff --git a/cmd/nginx/main.go b/cmd/nginx/main.go index 781f3a8eb..5ab54aa93 100644 --- a/cmd/nginx/main.go +++ b/cmd/nginx/main.go @@ -130,7 +130,7 @@ func main() { mc := metric.NewDummyCollector() if conf.EnableMetrics { - mc, err = metric.NewCollector(conf.MetricsPerHost, conf.MetricsPerUndefinedHost, conf.ReportStatusClasses, reg, conf.IngressClassConfiguration.Controller, *conf.MetricsBuckets, conf.MetricsBucketFactor, conf.MetricsMaxBuckets, conf.ExcludeSocketMetrics) + mc, err = metric.NewCollector(conf.MetricsPerHost, conf.ReportStatusClasses, reg, conf.IngressClassConfiguration.Controller, *conf.MetricsBuckets, conf.ExcludeSocketMetrics) if err != nil { klog.Fatalf("Error creating prometheus collector: %v", err) } diff --git a/deploy/grafana/dashboards/request-handling-performance.json b/deploy/grafana/dashboards/request-handling-performance.json index cde796384..61db983a6 100644 --- a/deploy/grafana/dashboards/request-handling-performance.json +++ b/deploy/grafana/dashboards/request-handling-performance.json @@ -893,6 +893,104 @@ ], "title": "Average Response Size by Method and Path", "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 32 + }, + "id": 96, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "10.4.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "sum (\n rate(\n nginx_ingress_controller_ingress_upstream_latency_seconds_sum {\n ingress =~ \"$ingress\",\n }[5m]\n)) / sum (\n rate(\n nginx_ingress_controller_ingress_upstream_latency_seconds_count {\n ingress =~ \"$ingress\",\n }[5m]\n )\n)\n", + "hide": false, + "instant": false, + "interval": "", + "intervalFactor": 1, + "legendFormat": "average", + "refId": "B" + } + ], + "title": "Upstream Service Latency", + "type": "timeseries" } ], "refresh": "30s", diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml index 1ed9b7471..88d3226c6 100644 --- a/deploy/static/provider/aws/deploy.yaml +++ b/deploy/static/provider/aws/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -320,7 +320,8 @@ subjects: namespace: ingress-nginx --- apiVersion: v1 -data: null +data: + allow-snippet-annotations: "false" kind: ConfigMap metadata: labels: @@ -328,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -344,7 +345,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -377,7 +378,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -400,7 +401,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -422,7 +423,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 spec: containers: - args: @@ -435,6 +436,7 @@ spec: - --validating-webhook=:8443 - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key + - --enable-metrics=false env: - name: POD_NAME valueFrom: @@ -446,7 +448,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa + image: registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -496,7 +498,6 @@ spec: drop: - ALL readOnlyRootFilesystem: false - runAsGroup: 82 runAsNonRoot: true runAsUser: 101 seccompProfile: @@ -523,7 +524,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -534,7 +535,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-create spec: containers: @@ -557,7 +558,6 @@ spec: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: @@ -575,7 +575,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -586,7 +586,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-patch spec: containers: @@ -611,7 +611,6 @@ spec: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: @@ -629,7 +628,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: nginx spec: controller: k8s.io/ingress-nginx @@ -642,7 +641,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml index d048683d9..3463fe2d9 100644 --- a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml +++ b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -321,6 +321,7 @@ subjects: --- apiVersion: v1 data: + allow-snippet-annotations: "false" http-snippet: | server { listen 2443; @@ -335,7 +336,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -353,7 +354,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -386,7 +387,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -409,7 +410,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -431,7 +432,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 spec: containers: - args: @@ -444,6 +445,7 @@ spec: - --validating-webhook=:8443 - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key + - --enable-metrics=false env: - name: POD_NAME valueFrom: @@ -455,7 +457,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa + image: registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -508,7 +510,6 @@ spec: drop: - ALL readOnlyRootFilesystem: false - runAsGroup: 82 runAsNonRoot: true runAsUser: 101 seccompProfile: @@ -535,7 +536,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -546,7 +547,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-create spec: containers: @@ -569,7 +570,6 @@ spec: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: @@ -587,7 +587,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -598,7 +598,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-patch spec: containers: @@ -623,7 +623,6 @@ spec: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: @@ -641,7 +640,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: nginx spec: controller: k8s.io/ingress-nginx @@ -654,7 +653,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml index 7248dfd9b..720788035 100644 --- a/deploy/static/provider/baremetal/deploy.yaml +++ b/deploy/static/provider/baremetal/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -320,7 +320,8 @@ subjects: namespace: ingress-nginx --- apiVersion: v1 -data: null +data: + allow-snippet-annotations: "false" kind: ConfigMap metadata: labels: @@ -328,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +341,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -372,7 +373,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -395,7 +396,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -417,7 +418,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 spec: containers: - args: @@ -429,6 +430,7 @@ spec: - --validating-webhook=:8443 - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key + - --enable-metrics=false env: - name: POD_NAME valueFrom: @@ -440,7 +442,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa + image: registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -490,7 +492,6 @@ spec: drop: - ALL readOnlyRootFilesystem: false - runAsGroup: 82 runAsNonRoot: true runAsUser: 101 seccompProfile: @@ -517,7 +518,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -528,7 +529,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-create spec: containers: @@ -551,7 +552,6 @@ spec: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: @@ -569,7 +569,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -580,7 +580,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-patch spec: containers: @@ -605,7 +605,6 @@ spec: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: @@ -623,7 +622,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: nginx spec: controller: k8s.io/ingress-nginx @@ -636,7 +635,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml index 08bc7e4bf..1a3c18a6c 100644 --- a/deploy/static/provider/cloud/deploy.yaml +++ b/deploy/static/provider/cloud/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -320,7 +320,8 @@ subjects: namespace: ingress-nginx --- apiVersion: v1 -data: null +data: + allow-snippet-annotations: "false" kind: ConfigMap metadata: labels: @@ -328,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +341,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -373,7 +374,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -396,7 +397,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -418,7 +419,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 spec: containers: - args: @@ -431,6 +432,7 @@ spec: - --validating-webhook=:8443 - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key + - --enable-metrics=false env: - name: POD_NAME valueFrom: @@ -442,7 +444,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa + image: registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -492,7 +494,6 @@ spec: drop: - ALL readOnlyRootFilesystem: false - runAsGroup: 82 runAsNonRoot: true runAsUser: 101 seccompProfile: @@ -519,7 +520,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -530,7 +531,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-create spec: containers: @@ -553,7 +554,6 @@ spec: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: @@ -571,7 +571,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -582,7 +582,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-patch spec: containers: @@ -607,7 +607,6 @@ spec: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: @@ -625,7 +624,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: nginx spec: controller: k8s.io/ingress-nginx @@ -638,7 +637,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml index 4745c64fc..1c2e5da6a 100644 --- a/deploy/static/provider/do/deploy.yaml +++ b/deploy/static/provider/do/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -321,6 +321,7 @@ subjects: --- apiVersion: v1 data: + allow-snippet-annotations: "false" use-proxy-protocol: "true" kind: ConfigMap metadata: @@ -329,7 +330,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -343,7 +344,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -376,7 +377,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -399,7 +400,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -421,7 +422,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 spec: containers: - args: @@ -434,6 +435,7 @@ spec: - --validating-webhook=:8443 - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key + - --enable-metrics=false env: - name: POD_NAME valueFrom: @@ -445,7 +447,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa + image: registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -495,7 +497,6 @@ spec: drop: - ALL readOnlyRootFilesystem: false - runAsGroup: 82 runAsNonRoot: true runAsUser: 101 seccompProfile: @@ -522,7 +523,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -533,7 +534,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-create spec: containers: @@ -556,7 +557,6 @@ spec: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: @@ -574,7 +574,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -585,7 +585,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-patch spec: containers: @@ -610,7 +610,6 @@ spec: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: @@ -628,7 +627,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: nginx spec: controller: k8s.io/ingress-nginx @@ -641,7 +640,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml index 8ed5d002c..c7e912955 100644 --- a/deploy/static/provider/exoscale/deploy.yaml +++ b/deploy/static/provider/exoscale/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -320,7 +320,8 @@ subjects: namespace: ingress-nginx --- apiVersion: v1 -data: null +data: + allow-snippet-annotations: "false" kind: ConfigMap metadata: labels: @@ -328,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -349,7 +350,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -382,7 +383,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -405,7 +406,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -423,7 +424,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 spec: containers: - args: @@ -436,6 +437,7 @@ spec: - --validating-webhook=:8443 - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key + - --enable-metrics=false env: - name: POD_NAME valueFrom: @@ -447,7 +449,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa + image: registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -497,7 +499,6 @@ spec: drop: - ALL readOnlyRootFilesystem: false - runAsGroup: 82 runAsNonRoot: true runAsUser: 101 seccompProfile: @@ -528,7 +529,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -539,7 +540,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-create spec: containers: @@ -562,7 +563,6 @@ spec: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: @@ -580,7 +580,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -591,7 +591,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-patch spec: containers: @@ -616,7 +616,6 @@ spec: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: @@ -634,7 +633,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: nginx spec: controller: k8s.io/ingress-nginx @@ -647,7 +646,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml index b7488f046..e40f95391 100644 --- a/deploy/static/provider/kind/deploy.yaml +++ b/deploy/static/provider/kind/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -320,7 +320,8 @@ subjects: namespace: ingress-nginx --- apiVersion: v1 -data: null +data: + allow-snippet-annotations: "false" kind: ConfigMap metadata: labels: @@ -328,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +341,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -372,7 +373,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -395,7 +396,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -417,7 +418,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 spec: containers: - args: @@ -430,6 +431,7 @@ spec: - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key - --watch-ingress-without-class=true + - --enable-metrics=false - --publish-status-address=localhost env: - name: POD_NAME @@ -442,7 +444,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa + image: registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -494,7 +496,6 @@ spec: drop: - ALL readOnlyRootFilesystem: false - runAsGroup: 82 runAsNonRoot: true runAsUser: 101 seccompProfile: @@ -529,7 +530,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -540,7 +541,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-create spec: containers: @@ -563,7 +564,6 @@ spec: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: @@ -581,7 +581,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -592,7 +592,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-patch spec: containers: @@ -617,7 +617,6 @@ spec: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: @@ -635,7 +634,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: nginx spec: controller: k8s.io/ingress-nginx @@ -648,7 +647,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/oracle/deploy.yaml b/deploy/static/provider/oracle/deploy.yaml index 02d18b1bf..2fb1ff0ab 100644 --- a/deploy/static/provider/oracle/deploy.yaml +++ b/deploy/static/provider/oracle/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -320,7 +320,8 @@ subjects: namespace: ingress-nginx --- apiVersion: v1 -data: null +data: + allow-snippet-annotations: "false" kind: ConfigMap metadata: labels: @@ -328,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -344,7 +345,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -377,7 +378,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -400,7 +401,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -422,7 +423,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 spec: containers: - args: @@ -435,6 +436,7 @@ spec: - --validating-webhook=:8443 - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key + - --enable-metrics=false env: - name: POD_NAME valueFrom: @@ -446,7 +448,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa + image: registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -496,7 +498,6 @@ spec: drop: - ALL readOnlyRootFilesystem: false - runAsGroup: 82 runAsNonRoot: true runAsUser: 101 seccompProfile: @@ -523,7 +524,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -534,7 +535,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-create spec: containers: @@ -557,7 +558,6 @@ spec: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: @@ -575,7 +575,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -586,7 +586,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-patch spec: containers: @@ -611,7 +611,6 @@ spec: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: @@ -629,7 +628,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: nginx spec: controller: k8s.io/ingress-nginx @@ -642,7 +641,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml index 8ed37d062..2a4dca406 100644 --- a/deploy/static/provider/scw/deploy.yaml +++ b/deploy/static/provider/scw/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -321,6 +321,7 @@ subjects: --- apiVersion: v1 data: + allow-snippet-annotations: "false" use-proxy-protocol: "true" kind: ConfigMap metadata: @@ -329,7 +330,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -343,7 +344,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -376,7 +377,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -399,7 +400,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -421,7 +422,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 spec: containers: - args: @@ -434,6 +435,7 @@ spec: - --validating-webhook=:8443 - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key + - --enable-metrics=false env: - name: POD_NAME valueFrom: @@ -445,7 +447,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa + image: registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -495,7 +497,6 @@ spec: drop: - ALL readOnlyRootFilesystem: false - runAsGroup: 82 runAsNonRoot: true runAsUser: 101 seccompProfile: @@ -522,7 +523,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -533,7 +534,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-create spec: containers: @@ -556,7 +557,6 @@ spec: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: @@ -574,7 +574,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -585,7 +585,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission-patch spec: containers: @@ -610,7 +610,6 @@ spec: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 seccompProfile: @@ -628,7 +627,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: nginx spec: controller: k8s.io/ingress-nginx @@ -641,7 +640,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.0 + app.kubernetes.io/version: 1.11.4 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/docs/deploy/baremetal.md b/docs/deploy/baremetal.md index 077d1e758..f5ff54174 100644 --- a/docs/deploy/baremetal.md +++ b/docs/deploy/baremetal.md @@ -118,8 +118,6 @@ requests. ![NodePort request flow](../images/baremetal/nodeport.jpg) -You can **customize the exposed node port numbers** by setting the `controller.service.nodePorts.*` Helm values, but they still have to be in the 30000-32767 range. - !!! example Given the NodePort `30100` allocated to the `ingress-nginx` Service @@ -154,7 +152,7 @@ You can **customize the exposed node port numbers** by setting the `controller.s This approach has a few other limitations one ought to be aware of: -### Source IP address +* **Source IP address** Services of type NodePort perform [source address translation][nodeport-nat] by default. This means the source IP of a HTTP request is always **the IP address of the Kubernetes node that received the request** from the perspective of @@ -193,9 +191,7 @@ field of the `ingress-nginx` Service spec to `Local` ([example][preserve-ip]). Requests sent to `host-2` and `host-3` would be forwarded to NGINX and original client's IP would be preserved, while requests to `host-1` would get dropped because there is no NGINX replica running on that node. -Other ways to preserve the source IP in a NodePort setup are described here: [Source IP address](https://kubernetes.github.io/ingress-nginx/user-guide/miscellaneous/#source-ip-address). - -### Ingress status +* **Ingress status** Because NodePort Services do not get a LoadBalancerIP assigned by definition, the Ingress-Nginx Controller **does not update the status of Ingress objects it manages**. @@ -245,7 +241,7 @@ Service. test-ingress myapp.example.com 203.0.113.1,203.0.113.2,203.0.113.3 80 ``` -### Redirects +* **Redirects** As NGINX is **not aware of the port translation operated by the NodePort Service**, backend applications are responsible for generating redirect URLs that take into account the URL used by external clients, including the NodePort. @@ -266,7 +262,7 @@ for generating redirect URLs that take into account the URL used by external cli [nodeport-def]: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport [nodeport-nat]: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-type-nodeport [pod-assign]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ -[preserve-ip]: https://github.com/kubernetes/ingress-nginx/blob/ingress-nginx-3.15.2/deploy/static/provider/aws/deploy.yaml#L290 +[preserve-ip]: https://github.com/kubernetes/ingress-nginx/blob/nginx-0.19.0/deploy/provider/aws/service-nlb.yaml#L12-L14 ## Via the host network @@ -330,13 +326,13 @@ configuration of the corresponding manifest at the user's discretion. Like with NodePorts, this approach has a few quirks it is important to be aware of. -### DNS resolution +* **DNS resolution** Pods configured with `hostNetwork: true` do not use the internal DNS resolver (i.e. *kube-dns* or *CoreDNS*), unless their `dnsPolicy` spec field is set to [`ClusterFirstWithHostNet`][dnspolicy]. Consider using this setting if NGINX is expected to resolve internal names for any reason. -### Ingress status +* **Ingress status** Because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default `--publish-service` flag used in standard cloud setups **does not apply** and the status of all Ingress objects remains diff --git a/docs/deploy/index.md b/docs/deploy/index.md index 717c479ac..f74a06bf4 100644 --- a/docs/deploy/index.md +++ b/docs/deploy/index.md @@ -92,7 +92,7 @@ helm show values ingress-nginx --repo https://kubernetes.github.io/ingress-nginx **If you don't have Helm** or if you prefer to use a YAML manifest, you can run the following command instead: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.4/deploy/static/provider/cloud/deploy.yaml ``` !!! info @@ -274,7 +274,7 @@ In AWS, we use a Network load balancer (NLB) to expose the Ingress-Nginx Control ##### Network Load Balancer (NLB) ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/aws/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.4/deploy/static/provider/aws/deploy.yaml ``` ##### TLS termination in AWS Load Balancer (NLB) @@ -282,10 +282,10 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS using an NLB. -1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template +1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.4/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template ```console - wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml + wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.4/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml ``` 2. Edit the file and change the VPC CIDR in use for the Kubernetes cluster: @@ -333,7 +333,7 @@ kubectl create clusterrolebinding cluster-admin-binding \ Then, the ingress controller can be installed like this: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.4/deploy/static/provider/cloud/deploy.yaml ``` !!! warning @@ -350,7 +350,7 @@ Proxy-protocol is supported in GCE check the [Official Documentations on how to #### Azure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.4/deploy/static/provider/cloud/deploy.yaml ``` More information with regard to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller). @@ -358,7 +358,7 @@ More information with regard to Azure annotations for ingress controller can be #### Digital Ocean ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/do/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.4/deploy/static/provider/do/deploy.yaml ``` - By default the service object of the ingress-nginx-controller for Digital-Ocean, only configures one annotation. Its this one `service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"`. While this makes the service functional, it was reported that the Digital-Ocean LoadBalancer graphs shows `no data`, unless a few other annotations are also configured. Some of these other annotations require values that can not be generic and hence not forced in a out-of-the-box installation. These annotations and a discussion on them is well documented in [this issue](https://github.com/kubernetes/ingress-nginx/issues/8965). Please refer to the issue to add annotations, with values specific to user, to get graphs of the DO-LB populated with data. @@ -366,7 +366,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont #### Scaleway ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/scw/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.4/deploy/static/provider/scw/deploy.yaml ``` Refer to the [dedicated tutorial](https://www.scaleway.com/en/docs/tutorials/proxy-protocol-v2-load-balancer/#configuring-proxy-protocol-for-ingress-nginx) in the Scaleway documentation for configuring the proxy protocol for ingress-nginx with the Scaleway load balancer. @@ -383,7 +383,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale #### Oracle Cloud Infrastructure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.4/deploy/static/provider/cloud/deploy.yaml ``` A @@ -410,7 +410,7 @@ For quick testing, you can use a This should work on almost every cluster, but it will typically use a port in the range 30000-32767. ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/baremetal/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.4/deploy/static/provider/baremetal/deploy.yaml ``` For more information about bare metal deployments (and how to use port 80 instead of a random port in the 30000-32767 range), diff --git a/docs/e2e-tests.md b/docs/e2e-tests.md index 43726f5a1..8a2e80b22 100644 --- a/docs/e2e-tests.md +++ b/docs/e2e-tests.md @@ -7,17 +7,18 @@ Do not try to edit it manually. ### [[Admission] admission controller](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L39) -- [should not allow overlaps of host and paths without canary annotations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L47) -- [should allow overlaps of host and paths with canary annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L64) -- [should block ingress with invalid path](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L85) -- [should return an error if there is an error validating the ingress definition](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L102) -- [should return an error if there is an invalid value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L116) -- [should return an error if there is a forbidden value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L130) -- [should return an error if there is an invalid path and wrong pathType is set](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L144) -- [should not return an error if the Ingress V1 definition is valid with Ingress Class](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L178) -- [should not return an error if the Ingress V1 definition is valid with IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L194) -- [should return an error if the Ingress V1 definition contains invalid annotations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L210) -- [should not return an error for an invalid Ingress when it has unknown class](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L224) +- [reject ingress with global-rate-limit annotations when memcached is not configured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L47) +- [should not allow overlaps of host and paths without canary annotations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L74) +- [should allow overlaps of host and paths with canary annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L91) +- [should block ingress with invalid path](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L112) +- [should return an error if there is an error validating the ingress definition](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L129) +- [should return an error if there is an invalid value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L149) +- [should return an error if there is a forbidden value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L163) +- [should return an error if there is an invalid path and wrong pathType is set](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L177) +- [should not return an error if the Ingress V1 definition is valid with Ingress Class](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L211) +- [should not return an error if the Ingress V1 definition is valid with IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L227) +- [should return an error if the Ingress V1 definition contains invalid annotations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L243) +- [should not return an error for an invalid Ingress when it has unknown class](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L263) ### [affinity session-cookie-name](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L43) - [should set sticky cookie SERVERID](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L50) - [should change cookie name on ingress definition change](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L72) @@ -53,24 +54,24 @@ Do not try to edit it manually. - [should return status code 200 when authentication is configured with a map and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L205) - [should return status code 401 when authentication is configured with invalid content and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L233) - [proxy_set_header My-Custom-Header 42;](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L272) -- [proxy_set_header My-Custom-Header 42;](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L292) -- [proxy_set_header 'My-Custom-Header' '42';](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L311) -- [user retains cookie by default](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L420) -- [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L431) -- [user with annotated ingress retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L442) -- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L481) -- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L490) -- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L501) -- [should overwrite Foo header with auth response](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L525) -- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L701) -- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L710) -- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L721) -- [should return status code 200 when signed in after auth backend is deleted ](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L780) -- [should deny login for different location on same server](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L800) -- [should deny login for different servers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L828) -- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L857) -- [should return 503 (location was denied)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L887) -- [should add error to the config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L895) +- [proxy_set_header My-Custom-Header 42;](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L298) +- [proxy_set_header 'My-Custom-Header' '42';](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L324) +- [user retains cookie by default](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L433) +- [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L444) +- [user with annotated ingress retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L455) +- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L494) +- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L503) +- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L514) +- [should overwrite Foo header with auth response](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L538) +- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L714) +- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L723) +- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L734) +- [should return status code 200 when signed in after auth backend is deleted ](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L793) +- [should deny login for different location on same server](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L813) +- [should deny login for different servers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L841) +- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L870) +- [should return 503 (location was denied)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L900) +- [should add error to the config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L908) ### [auth-tls-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/authtls.go#L31) - [should set sslClientCertificate, sslVerifyClient and sslVerifyDepth with auth-tls-secret](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/authtls.go#L38) - [should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/authtls.go#L86) @@ -148,7 +149,6 @@ Do not try to edit it manually. - [should allow correct origins - missing subdomain + origin with wildcard origin and correct origin](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L540) - [should allow - missing origins (should allow all origins)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L576) - [should allow correct origin but not others - cors allow origin annotations contain trailing comma](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L636) -- [should allow - origins with non-http[s] protocols](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L673) ### [custom-headers-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/customheaders.go#L33) - [should return status code 200 when no custom-headers is configured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/customheaders.go#L40) - [should return status code 503 when custom-headers is configured with an invalid secret](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/customheaders.go#L57) @@ -173,13 +173,15 @@ Do not try to edit it manually. ### [from-to-www-redirect](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fromtowwwredirect.go#L31) - [should redirect from www HTTP to HTTP](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fromtowwwredirect.go#L38) - [should redirect from www HTTPS to HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fromtowwwredirect.go#L64) +### [annotation-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/globalratelimit.go#L30) +- [generates correct configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/globalratelimit.go#L38) ### [backend-protocol - GRPC](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L45) - [should use grpc_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L48) - [should return OK for service with backend protocol GRPC](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L71) - [authorization metadata should be overwritten by external auth response headers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L132) - [should return OK for service with backend protocol GRPCS](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L193) -- [should return OK when request not exceed timeout](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L260) -- [should return Error when request exceed timeout](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L303) +- [should return OK when request not exceed timeout](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L266) +- [should return Error when request exceed timeout](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L309) ### [http2-push-preload](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/http2pushpreload.go#L27) - [enable the http2-push-preload directive](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/http2pushpreload.go#L34) ### [allowlist-source-range](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/ipallowlist.go#L27) @@ -203,14 +205,14 @@ Do not try to edit it manually. - [should enable modsecurity with transaction ID and OWASP rules](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L64) - [should disable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L85) - [should enable modsecurity with snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L102) -- [should enable modsecurity without using 'modsecurity on;'](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L124) -- [should disable modsecurity using 'modsecurity off;'](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L147) -- [should enable modsecurity with snippet and block requests](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L169) -- [should enable modsecurity globally and with modsecurity-snippet block requests](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L202) -- [should enable modsecurity when enable-owasp-modsecurity-crs is set to true](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L235) -- [should enable modsecurity through the config map](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L269) -- [should enable modsecurity through the config map but ignore snippet as disabled by admin](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L309) -- [should disable default modsecurity conf setting when modsecurity-snippet is specified](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L354) +- [should enable modsecurity without using 'modsecurity on;'](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L130) +- [should disable modsecurity using 'modsecurity off;'](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L153) +- [should enable modsecurity with snippet and block requests](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L175) +- [should enable modsecurity globally and with modsecurity-snippet block requests](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L214) +- [should enable modsecurity when enable-owasp-modsecurity-crs is set to true](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L253) +- [should enable modsecurity through the config map](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L292) +- [should enable modsecurity through the config map but ignore snippet as disabled by admin](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L338) +- [should disable default modsecurity conf setting when modsecurity-snippet is specified](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L380) ### [preserve-trailing-slash](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/preservetrailingslash.go#L27) - [should allow preservation of trailing slashes](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/preservetrailingslash.go#L34) ### [proxy-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L30) @@ -222,10 +224,10 @@ Do not try to edit it manually. - [should set valid proxy timeouts](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L117) - [should not set invalid proxy timeouts](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L138) - [should turn on proxy-buffering](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L159) -- [should turn off proxy-request-buffering](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L184) -- [should build proxy next upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L199) -- [should setup proxy cookies](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L220) -- [should change the default proxy HTTP version](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L238) +- [should turn off proxy-request-buffering](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L181) +- [should build proxy next upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L196) +- [should setup proxy cookies](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L217) +- [should change the default proxy HTTP version](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L235) ### [proxy-ssl-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxyssl.go#L32) - [should set valid proxy-ssl-secret](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxyssl.go#L39) - [should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxyssl.go#L66) @@ -235,10 +237,6 @@ Do not try to edit it manually. ### [permanent-redirect permanent-redirect-code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/redirect.go#L30) - [should respond with a standard redirect code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/redirect.go#L33) - [should respond with a custom redirect code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/redirect.go#L61) -### [relative-redirects](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/relativeredirects.go#L35) -- [configures Nginx correctly](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/relativeredirects.go#L43) -- [should respond with absolute URL in Location](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/relativeredirects.go#L61) -- [should respond with relative URL in Location](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/relativeredirects.go#L85) ### [rewrite-target use-regex enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/rewrite.go#L32) - [should write rewrite logs](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/rewrite.go#L39) - [should use correct longest path match](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/rewrite.go#L68) @@ -255,13 +253,13 @@ Do not try to edit it manually. - [should not use the Service Cluster IP and Port](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/serviceupstream.go#L97) ### [configuration-snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/snippet.go#L28) - [set snippet more_set_headers in all locations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/snippet.go#L34) -- [drops snippet more_set_header in all locations if disabled by admin](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/snippet.go#L66) +- [drops snippet more_set_header in all locations if disabled by admin](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/snippet.go#L73) ### [ssl-ciphers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/sslciphers.go#L28) - [should change ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/sslciphers.go#L35) - [should keep ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/sslciphers.go#L58) ### [stream-snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/streamsnippet.go#L34) - [should add value of stream-snippet to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/streamsnippet.go#L41) -- [should add stream-snippet and drop annotations per admin config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/streamsnippet.go#L88) +- [should add stream-snippet and drop annotations per admin config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/streamsnippet.go#L94) ### [upstream-hash-by-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/upstreamhashby.go#L79) - [should connect to the same pod](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/upstreamhashby.go#L86) - [should connect to the same subset of pods](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/upstreamhashby.go#L95) @@ -334,15 +332,13 @@ Do not try to edit it manually. - [removes HTTPS configuration when we delete TLS spec](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_certificates.go#L233) ### [[Lua] dynamic configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L41) - [configures balancer Lua middleware correctly](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L49) -- [handles endpoints only changes](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L56) -- [handles endpoints only changes (down scaling of replicas)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L81) -- [handles endpoints only changes consistently (down scaling of replicas vs. empty service)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L119) -- [handles an annotation change](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L165) +- [handles endpoints only changes](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L61) +- [handles endpoints only changes (down scaling of replicas)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L86) +- [handles endpoints only changes consistently (down scaling of replicas vs. empty service)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L124) +- [handles an annotation change](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L170) ### [[metrics] exported prometheus metrics](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/metrics/metrics.go#L36) -- [exclude socket request metrics are absent](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/metrics/metrics.go#L51) -- [exclude socket request metrics are present](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/metrics/metrics.go#L73) -- [request metrics per undefined host are present when flag is set](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/metrics/metrics.go#L95) -- [request metrics per undefined host are not present when flag is not set](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/metrics/metrics.go#L128) +- [exclude socket request metrics are absent](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/metrics/metrics.go#L50) +- [exclude socket request metrics are present](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/metrics/metrics.go#L72) ### [nginx-configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/nginx/nginx.go#L99) - [start nginx with default configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/nginx/nginx.go#L102) - [fails when using alias directive](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/nginx/nginx.go#L114) @@ -375,9 +371,9 @@ Do not try to edit it manually. - [should be disabled when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/aio_write.go#L46) ### [Bad annotation values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L29) - [[BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L36) -- [[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L68) -- [[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L105) -- [[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L138) +- [[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L75) +- [[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L119) +- [[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L157) ### [brotli](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/brotli.go#L30) - [should only compress responses that meet the `brotli-min-length` condition](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/brotli.go#L38) ### [Configmap change](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/configmap_change.go#L29) @@ -408,7 +404,7 @@ Do not try to edit it manually. ### [Geoip2](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/geoip2.go#L36) - [should include geoip2 line in config when enabled and db file exists](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/geoip2.go#L45) - [should only allow requests from specific countries](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/geoip2.go#L69) -- [should up and running nginx controller using autoreload flag](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/geoip2.go#L122) +- [should up and running nginx controller using autoreload flag](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/geoip2.go#L128) ### [[Security] block-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_access_block.go#L28) - [should block CIDRs defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_access_block.go#L38) - [should block User-Agents defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_access_block.go#L55) @@ -424,6 +420,8 @@ Do not try to edit it manually. ### [global-options](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_options.go#L28) - [should have worker_rlimit_nofile option](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_options.go#L31) - [should have worker_rlimit_nofile option and be independent on amount of worker processes](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_options.go#L37) +### [settings-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/globalratelimit.go#L30) +- [generates correct NGINX configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/globalratelimit.go#L38) ### [GRPC](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/grpc.go#L39) - [should set the correct GRPC Buffer Size](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/grpc.go#L42) ### [gzip](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/gzip.go#L30) @@ -494,20 +492,22 @@ Do not try to edit it manually. - [should return status code 200 when accessing '/noauth' unauthenticated](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/no_auth_locations.go#L82) ### [Add no tls redirect locations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/no_tls_redirect_locations.go#L27) - [Check no tls redirect locations config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/no_tls_redirect_locations.go#L30) -### [OCSP](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ocsp/ocsp.go#L43) -- [should enable OCSP and contain stapling information in the connection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ocsp/ocsp.go#L50) +### [OCSP](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ocsp/ocsp.go#L42) +- [should enable OCSP and contain stapling information in the connection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ocsp/ocsp.go#L49) ### [Configure Opentelemetry](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L39) - [should not exists opentelemetry directive](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L49) - [should exists opentelemetry directive when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L62) - [should include opentelemetry_trust_incoming_spans on directive when enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L76) - [should not exists opentelemetry_operation_name directive when is empty](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L91) - [should exists opentelemetry_operation_name directive when is configured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L106) +### [plugins](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/plugins.go#L28) +- [should exist a x-hello-world header](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/plugins.go#L35) ### [proxy-connect-timeout](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_connect_timeout.go#L29) - [should set valid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_connect_timeout.go#L37) - [should not set invalid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_connect_timeout.go#L53) ### [Dynamic $proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_host.go#L28) - [should exist a proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_host.go#L36) -- [should exist a proxy_host using the upstream-vhost annotation value](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_host.go#L60) +- [should exist a proxy_host using the upstream-vhost annotation value](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_host.go#L65) ### [proxy-next-upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_next_upstream.go#L28) - [should build proxy next upstream using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_next_upstream.go#L36) ### [use-proxy-protocol](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_protocol.go#L38) @@ -527,7 +527,7 @@ Do not try to edit it manually. - [reuse port should be enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/reuse-port.go#L52) ### [configmap server-snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_snippet.go#L28) - [should add value of server-snippet setting to all ingress config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_snippet.go#L35) -- [should add global server-snippet and drop annotations per admin config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_snippet.go#L100) +- [should add global server-snippet and drop annotations per admin config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_snippet.go#L98) ### [server-tokens](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_tokens.go#L29) - [should not exists Server header in the response](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_tokens.go#L38) - [should exists Server header in the response when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_tokens.go#L50) @@ -539,14 +539,14 @@ Do not try to edit it manually. - [should pass unknown traffic to default backend and handle known traffic](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_passthrough.go#L78) ### [configmap stream-snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/stream_snippet.go#L35) - [should add value of stream-snippet via config map to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/stream_snippet.go#L42) -### [[SSL] TLS protocols, ciphers and headers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L32) -- [setting cipher suite](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L66) -- [setting max-age parameter](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L110) -- [setting includeSubDomains parameter](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L127) -- [setting preload parameter](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L147) -- [overriding what's set from the upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L168) -- [should not use ports during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L190) -- [should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L208) +### [[SSL] TLS protocols, ciphers and headers)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L31) +- [setting cipher suite](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L65) +- [setting max-age parameter](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L109) +- [setting includeSubDomains parameter](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L125) +- [setting preload parameter](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L144) +- [overriding what's set from the upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L164) +- [should not use ports during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L186) +- [should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L204) ### [annotation validations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/validations/validations.go#L30) - [should allow ingress based on their risk on webhooks](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/validations/validations.go#L33) - [should allow ingress based on their risk on webhooks](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/validations/validations.go#L68) diff --git a/docs/examples/canary/README.md b/docs/examples/canary/README.md index 885991a3b..77b711b3a 100644 --- a/docs/examples/canary/README.md +++ b/docs/examples/canary/README.md @@ -31,7 +31,7 @@ spec: spec: containers: - name: production - image: registry.k8s.io/ingress-nginx/e2e-test-echo:v1.1.1@sha256:a1e0152e2eeab26e3f6fd3986f3d82b17bc7711717cae5392dcd18dd447ba6ef + image: registry.k8s.io/ingress-nginx/e2e-test-echo:v1.1.0@sha256:0713ba47b3e4359b38ad53cd785c34b158e168a91636520a4a5e54cd500d8356 ports: - containerPort: 80 env: @@ -97,7 +97,7 @@ spec: spec: containers: - name: canary - image: registry.k8s.io/ingress-nginx/e2e-test-echo:v1.1.1@sha256:a1e0152e2eeab26e3f6fd3986f3d82b17bc7711717cae5392dcd18dd447ba6ef + image: registry.k8s.io/ingress-nginx/e2e-test-echo:v1.1.0@sha256:0713ba47b3e4359b38ad53cd785c34b158e168a91636520a4a5e54cd500d8356 ports: - containerPort: 80 env: diff --git a/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml b/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml index d72001d58..b538f75ab 100644 --- a/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml +++ b/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml @@ -6,7 +6,7 @@ defaultBackend: image: registry: registry.k8s.io image: ingress-nginx/custom-error-pages - tag: v1.1.1@sha256:8c10776191ae44b5c387b8c7696d8bc17ceec90d7184a3a38b89ac8434b6c56b + tag: v1.1.0@sha256:a2342e403fc3c19f81f5625e1b93daa0f8fb3dfaa1df4905f85e32d2d98a5e96 extraVolumes: - name: custom-error-pages configMap: diff --git a/docs/examples/customization/custom-errors/custom-default-backend.yaml b/docs/examples/customization/custom-errors/custom-default-backend.yaml index 088ca1374..b392eefef 100644 --- a/docs/examples/customization/custom-errors/custom-default-backend.yaml +++ b/docs/examples/customization/custom-errors/custom-default-backend.yaml @@ -36,7 +36,7 @@ spec: spec: containers: - name: nginx-error-server - image: registry.k8s.io/ingress-nginx/custom-error-pages:v1.1.1@sha256:8c10776191ae44b5c387b8c7696d8bc17ceec90d7184a3a38b89ac8434b6c56b + image: registry.k8s.io/ingress-nginx/custom-error-pages:v1.1.0@sha256:a2342e403fc3c19f81f5625e1b93daa0f8fb3dfaa1df4905f85e32d2d98a5e96 ports: - containerPort: 8080 # Setting the environment variable DEBUG we can see the headers sent diff --git a/docs/examples/customization/external-auth-headers/echo-service.yaml b/docs/examples/customization/external-auth-headers/echo-service.yaml index 10244458d..6a970dd9f 100644 --- a/docs/examples/customization/external-auth-headers/echo-service.yaml +++ b/docs/examples/customization/external-auth-headers/echo-service.yaml @@ -18,7 +18,7 @@ spec: terminationGracePeriodSeconds: 60 containers: - name: echo-service - image: registry.k8s.io/ingress-nginx/e2e-test-echo:v1.1.1@sha256:a1e0152e2eeab26e3f6fd3986f3d82b17bc7711717cae5392dcd18dd447ba6ef + image: registry.k8s.io/ingress-nginx/e2e-test-echo:v1.1.0@sha256:0713ba47b3e4359b38ad53cd785c34b158e168a91636520a4a5e54cd500d8356 ports: - containerPort: 8080 resources: diff --git a/docs/examples/psp/README.md b/docs/examples/psp/README.md new file mode 100644 index 000000000..f8426baf2 --- /dev/null +++ b/docs/examples/psp/README.md @@ -0,0 +1,17 @@ +# Pod Security Policy (PSP) + +In most clusters today, by default, all resources (e.g. `Deployments` and `ReplicatSets`) +have permissions to create pods. +Kubernetes however provides a more fine-grained authorization policy called +[Pod Security Policy (PSP)](https://kubernetes.io/docs/concepts/policy/pod-security-policy/). + +PSP allows the cluster owner to define the permission of each object, for example creating a pod. +If you have PSP enabled on the cluster, and you deploy ingress-nginx, +you will need to provide the `Deployment` with the permissions to create pods. + +Before applying any objects, first apply the PSP permissions by running: +```console +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/psp/psp.yaml +``` + +Note: PSP permissions must be granted before the creation of the `Deployment` and the `ReplicaSet`. diff --git a/docs/examples/psp/psp.yaml b/docs/examples/psp/psp.yaml new file mode 100644 index 000000000..0f859dece --- /dev/null +++ b/docs/examples/psp/psp.yaml @@ -0,0 +1,75 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: ingress-nginx + +--- + +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: ingress-nginx + namespace: ingress-nginx +spec: + allowedCapabilities: + - NET_BIND_SERVICE + privileged: false + allowPrivilegeEscalation: true + # Allow core volume types. + volumes: + - configMap + - secret + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: MustRunAsNonRoot + supplementalGroups: + rule: MustRunAs + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: MustRunAs + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + seLinux: + rule: RunAsAny + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: ingress-nginx-psp + namespace: ingress-nginx +rules: +- apiGroups: [policy] + resources: [podsecuritypolicies] + verbs: [use] + resourceNames: [ingress-nginx] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ingress-nginx-psp + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx-psp +subjects: +- kind: ServiceAccount + name: default +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx diff --git a/docs/faq.md b/docs/faq.md index ea1e4d308..97d3325ca 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -165,8 +165,8 @@ default on the next breaking change release, set for 2.0.0. - When "`ingress.spec.rules.http.pathType=Exact`" or "`pathType=Prefix`", this validation will limit the characters accepted on the field "`ingress.spec.rules.http.paths.path`", -to "`alphanumeric characters`", and "`/`", "`_`", "`-`". Also, in this case, -the path should start with "`/`". +to "`alphanumeric characters`", and `"/," "_," "-."` Also, in this case, +the path should start with `"/."` - When the ingress resource path contains other characters (like on rewrite configurations), the pathType value should be "`ImplementationSpecific`". @@ -175,7 +175,7 @@ configurations), the pathType value should be "`ImplementationSpecific`". - When this option is enabled, the validation will happen on the Admission Webhook. So if any new ingress object contains characters other than -alphanumeric characters, and, "`/`", "`_`", "`-`", in the `path` field, but +alphanumeric characters, and, `"/,","_","-"`, in the `path` field, but is not using `pathType` value as `ImplementationSpecific`, then the ingress object will be denied admission. diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index ffd8f839f..e1fd6956e 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md @@ -443,7 +443,7 @@ $ capsh --decode=0000000000000400 ``` ## Create a test pod as root -(Note, this may be restricted by PodSecurityAdmission/Standards, OPA Gatekeeper, etc. in which case you will need to do the appropriate workaround for testing, e.g. deploy in a new namespace without the restrictions.) +(Note, this may be restricted by PodSecurityPolicy, PodSecurityAdmission/Standards, OPA Gatekeeper, etc. in which case you will need to do the appropriate workaround for testing, e.g. deploy in a new namespace without the restrictions.) To test further you may want to install additional utilities, etc. Modify the pod yaml by: * changing runAsUser from 101 to 0 * removing the "drop..ALL" section from the capabilities. diff --git a/docs/user-guide/cli-arguments.md b/docs/user-guide/cli-arguments.md index a33e75159..ea4ef2572 100644 --- a/docs/user-guide/cli-arguments.md +++ b/docs/user-guide/cli-arguments.md @@ -8,7 +8,6 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment |----------|-------------| | `--annotations-prefix` | Prefix of the Ingress annotations specific to the NGINX controller. (default "nginx.ingress.kubernetes.io") | | `--apiserver-host` | Address of the Kubernetes API server. Takes the form "protocol://address:port". If not specified, it is assumed the program runs inside a Kubernetes cluster and local discovery is attempted. | -| `--bucket-factor` | Bucket factor for native histograms. Value must be > 1 for enabling native histograms. (default 0) | | `--certificate-authority` | Path to a cert file for the certificate authority. This certificate is used only when the flag --apiserver-host is specified. | | `--configmap` | Name of the ConfigMap containing custom global configurations for the controller. | | `--controller-class` | Ingress Class Controller value this Ingress satisfies. The class of an Ingress object is set using the field IngressClassName in Kubernetes clusters version v1.19.0 or higher. The .spec.controller value of the IngressClass referenced in an Ingress Object should be the same value specified here to make this object be watched. | @@ -16,7 +15,7 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment | `--default-backend-service` | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form "namespace/name". The controller configures NGINX to forward requests to the first port of this Service. | | `--default-server-port` | Port to use for exposing the default server (catch-all). (default 8181) | | `--default-ssl-certificate` | Secret containing a SSL certificate to be used by the default HTTPS server (catch-all). Takes the form "namespace/name". | -| `--enable-annotation-validation` | If true, will enable the annotation validation feature. Defaults to true | +| `--enable-annotation-validation` | If true, will enable the annotation validation feature. This value will be defaulted to true on a future release. | | `--disable-catch-all` | Disable support for catch-all Ingresses. (default false) | | `--disable-full-test` | Disable full test of all merged ingresses at the admission stage and tests the template of the ingress being created or updated (full test of all ingresses is enabled by default). | | `--disable-svc-external-name` | Disable support for Services of type ExternalName. (default false) | @@ -24,7 +23,7 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment | `--dynamic-configuration-retries` | Number of times to retry failed dynamic configuration before failing to sync an ingress. (default 15) | | `--election-id` | Election id to use for Ingress status updates. (default "ingress-controller-leader") | | `--election-ttl` | Duration a leader election is valid before it's getting re-elected, e.g. `15s`, `10m` or `1h`. (Default: 30s) | -| `--enable-metrics` | Enables the collection of NGINX metrics. (Default: false) | +| `--enable-metrics` | Enables the collection of NGINX metrics. (default true) | | `--enable-ssl-chain-completion` | Autocomplete SSL certificate chains with missing intermediate CA certificates. Certificates uploaded to Kubernetes must have the "Authority Information Access" X.509 v3 extension for this to succeed. (default false)| | `--enable-ssl-passthrough` | Enable SSL Passthrough. (default false) | | `--disable-leader-election` | Disable Leader Election on Nginx Controller. (default false) | @@ -41,14 +40,12 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment | `--internal-logger-address` | Address to be used when binding internal syslogger. (default 127.0.0.1:11514) | | `--kubeconfig` | Path to a kubeconfig file containing authorization and API server information. | | `--length-buckets` | Set of buckets which will be used for prometheus histogram metrics such as RequestLength, ResponseLength. (default `[10, 20, 30, 40, 50, 60, 70, 80, 90, 100]`) | -| `--max-buckets` | Maximum number of buckets for native histograms. (default 100) | | `--maxmind-edition-ids` | Maxmind edition ids to download GeoLite2 Databases. (default "GeoLite2-City,GeoLite2-ASN") | | `--maxmind-retries-timeout` | Maxmind downloading delay between 1st and 2nd attempt, 0s - do not retry to download if something went wrong. (default 0s) | | `--maxmind-retries-count` | Number of attempts to download the GeoIP DB. (default 1) | | `--maxmind-license-key` | Maxmind license key to download GeoLite2 Databases. https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/ . | | `--maxmind-mirror` | Maxmind mirror url (example: http://geoip.local/databases. | | `--metrics-per-host` | Export metrics per-host. (default true) | -| `--metrics-per-undefined-host` | Export metrics per-host even if the host is not defined in an ingress. Requires --metrics-per-host to be set to true. (default false) | | `--monitor-max-batch-size` | Max batch size of NGINX metrics. (default 10000)| | `--post-shutdown-grace-period` | Additional delay in seconds before controller container exits. (default 10) | | `--profiler-port` | Port to use for expose the ingress controller Go profiler when it is enabled. (default 10245) | diff --git a/docs/user-guide/miscellaneous.md b/docs/user-guide/miscellaneous.md index ee3d63056..80a38db51 100644 --- a/docs/user-guide/miscellaneous.md +++ b/docs/user-guide/miscellaneous.md @@ -4,11 +4,9 @@ By default NGINX uses the content of the header `X-Forwarded-For` as the source of truth to get information about the client IP address. This works without issues in L7 **if we configure the setting `proxy-real-ip-cidr`** with the correct information of the IP/network address of trusted external load balancer. -This setting can be enabled/disabled by setting [`use-forwarded-headers`](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-forwarded-headers). - If the ingress controller is running in AWS we need to use the VPC IPv4 CIDR. -Another option is to enable the **PROXY protocol** using [`use-proxy-protocol: "true"`](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-proxy-protocol). +Another option is to enable proxy protocol using `use-proxy-protocol: "true"`. In this mode NGINX does not use the content of the header to get the source IP address of the connection. diff --git a/docs/user-guide/monitoring.md b/docs/user-guide/monitoring.md index 4ad2795cf..28608e850 100644 --- a/docs/user-guide/monitoring.md +++ b/docs/user-guide/monitoring.md @@ -166,9 +166,7 @@ According to the above example, this URL will be http://10.192.0.3:31086 #### Wildcard ingresses - - By default request metrics are labeled with the hostname. When you have a wildcard domain ingress, then there will be no metrics for that ingress (to prevent the metrics from exploding in cardinality). To get metrics in this case you have two options: - - Run the ingress controller with `--metrics-per-host=false`. You will lose labeling by hostname, but still have labeling by ingress. - - Run the ingress controller with `--metrics-per-undefined-host=true --metrics-per-host=true`. You will get labeling by hostname even if the hostname is not explicitly defined on an ingress. Be warned that cardinality could explode due to many hostnames and CPU usage could also increase. + - By default request metrics are labeled with the hostname. When you have a wildcard domain ingress, then there will be no metrics for that ingress (to prevent the metrics from exploding in cardinality). To get metrics in this case you need to run the ingress controller with `--metrics-per-host=false` (you will lose labeling by hostname, but still have labeling by ingress). ### Grafana dashboard using ingress resource - If you want to expose the dashboard for grafana using an ingress resource, then you can : @@ -388,6 +386,10 @@ Prometheus metrics are exposed on port 10254. The number of bytes sent to a client. **Deprecated**, use `nginx_ingress_controller_response_size`\ nginx var: `bytes_sent` +* `nginx_ingress_controller_ingress_upstream_latency_seconds` Summary\ + Upstream service latency per Ingress. **Deprecated**, use `nginx_ingress_controller_connect_duration_seconds`\ + nginx var: `upstream_connect_time` + ``` # HELP nginx_ingress_controller_bytes_sent The number of bytes sent to a client. DEPRECATED! Use nginx_ingress_controller_response_size # TYPE nginx_ingress_controller_bytes_sent histogram @@ -395,6 +397,8 @@ Prometheus metrics are exposed on port 10254. # TYPE nginx_ingress_controller_connect_duration_seconds nginx_ingress_controller_connect_duration_seconds * HELP nginx_ingress_controller_header_duration_seconds The time spent on receiving first header from the upstream server # TYPE nginx_ingress_controller_header_duration_seconds histogram +# HELP nginx_ingress_controller_ingress_upstream_latency_seconds Upstream service latency per Ingress DEPRECATED! Use nginx_ingress_controller_connect_duration_seconds +# TYPE nginx_ingress_controller_ingress_upstream_latency_seconds summary # HELP nginx_ingress_controller_request_duration_seconds The request processing time in milliseconds # TYPE nginx_ingress_controller_request_duration_seconds histogram # HELP nginx_ingress_controller_request_size The request length (including request line, header, and request body) diff --git a/docs/user-guide/nginx-configuration/annotations-risk.md b/docs/user-guide/nginx-configuration/annotations-risk.md index aff9357b8..b53860174 100755 --- a/docs/user-guide/nginx-configuration/annotations-risk.md +++ b/docs/user-guide/nginx-configuration/annotations-risk.md @@ -55,6 +55,10 @@ | ExternalAuth | auth-url | High | location | | FastCGI | fastcgi-index | Medium | location | | FastCGI | fastcgi-params-configmap | Medium | location | +| GlobalRateLimit | global-rate-limit | Low | ingress | +| GlobalRateLimit | global-rate-limit-ignored-cidrs | Medium | ingress | +| GlobalRateLimit | global-rate-limit-key | High | ingress | +| GlobalRateLimit | global-rate-limit-window | Low | ingress | | HTTP2PushPreload | http2-push-preload | Low | location | | LoadBalancing | load-balance | Low | location | | Logs | enable-access-log | Low | location | @@ -73,7 +77,6 @@ | Proxy | proxy-buffer-size | Low | location | | Proxy | proxy-buffering | Low | location | | Proxy | proxy-buffers-number | Low | location | -| Proxy | proxy-busy-buffers-size | Low | location | | Proxy | proxy-connect-timeout | Low | location | | Proxy | proxy-cookie-domain | Medium | location | | Proxy | proxy-cookie-path | Medium | location | @@ -104,9 +107,7 @@ | Redirect | from-to-www-redirect | Low | location | | Redirect | permanent-redirect | Medium | location | | Redirect | permanent-redirect-code | Low | location | -| Redirect | relative-redirects | Low | location | | Redirect | temporal-redirect | Medium | location | -| Redirect | temporal-redirect-code | Low | location | | Rewrite | app-root | Medium | location | | Rewrite | force-ssl-redirect | Medium | location | | Rewrite | preserve-trailing-slash | Medium | location | diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md index b0ea3cce3..9fd392eae 100755 --- a/docs/user-guide/nginx-configuration/annotations.md +++ b/docs/user-guide/nginx-configuration/annotations.md @@ -64,10 +64,13 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz |[nginx.ingress.kubernetes.io/http2-push-preload](#http2-push-preload)|"true" or "false"| |[nginx.ingress.kubernetes.io/limit-connections](#rate-limiting)|number| |[nginx.ingress.kubernetes.io/limit-rps](#rate-limiting)|number| +|[nginx.ingress.kubernetes.io/global-rate-limit](#global-rate-limiting)|number| +|[nginx.ingress.kubernetes.io/global-rate-limit-window](#global-rate-limiting)|duration| +|[nginx.ingress.kubernetes.io/global-rate-limit-key](#global-rate-limiting)|string| +|[nginx.ingress.kubernetes.io/global-rate-limit-ignored-cidrs](#global-rate-limiting)|string| |[nginx.ingress.kubernetes.io/permanent-redirect](#permanent-redirect)|string| |[nginx.ingress.kubernetes.io/permanent-redirect-code](#permanent-redirect-code)|number| |[nginx.ingress.kubernetes.io/temporal-redirect](#temporal-redirect)|string| -|[nginx.ingress.kubernetes.io/temporal-redirect-code](#temporal-redirect-code)|number| |[nginx.ingress.kubernetes.io/preserve-trailing-slash](#server-side-https-enforcement-through-redirect)|"true" or "false"| |[nginx.ingress.kubernetes.io/proxy-body-size](#custom-max-body-size)|string| |[nginx.ingress.kubernetes.io/proxy-cookie-domain](#proxy-cookie-domain)|string| @@ -116,7 +119,6 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz |[nginx.ingress.kubernetes.io/proxy-buffering](#proxy-buffering)|string| |[nginx.ingress.kubernetes.io/proxy-buffers-number](#proxy-buffers-number)|number| |[nginx.ingress.kubernetes.io/proxy-buffer-size](#proxy-buffer-size)|string| -|[nginx.ingress.kubernetes.io/proxy-busy-buffers-size](#proxy-busy-buffers-size)|string| |[nginx.ingress.kubernetes.io/proxy-max-temp-file-size](#proxy-max-temp-file-size)|string| |[nginx.ingress.kubernetes.io/ssl-ciphers](#ssl-ciphers)|string| |[nginx.ingress.kubernetes.io/ssl-prefer-server-ciphers](#ssl-ciphers)|"true" or "false"| @@ -395,13 +397,13 @@ CORS can be controlled with the following annotations: * `nginx.ingress.kubernetes.io/cors-allow-origin`: Controls what's the accepted Origin for CORS. - This is a multi-valued field, separated by ','. It must follow this format: `protocol://origin-site.com` or `protocol://origin-site.com:port` + This is a multi-valued field, separated by ','. It must follow this format: `http(s)://origin-site.com` or `http(s)://origin-site.com:port` - Default: `*` - - Example: `nginx.ingress.kubernetes.io/cors-allow-origin: "https://origin-site.com:4443, http://origin-site.com, myprotocol://example.org:1199"` + - Example: `nginx.ingress.kubernetes.io/cors-allow-origin: "https://origin-site.com:4443, http://origin-site.com, https://example.org:1199"` - It also supports single level wildcard subdomains and follows this format: `protocol://*.foo.bar`, `protocol://*.bar.foo:8080` or `protocol://*.abc.bar.foo:9000` - - Example: `nginx.ingress.kubernetes.io/cors-allow-origin: "https://*.origin-site.com:4443, http://*.origin-site.com, myprotocol://example.org:1199"` + It also supports single level wildcard subdomains and follows this format: `http(s)://*.foo.bar`, `http(s)://*.bar.foo:8080` or `http(s)://*.abc.bar.foo:9000` + - Example: `nginx.ingress.kubernetes.io/cors-allow-origin: "https://*.origin-site.com:4443, http://*.origin-site.com, https://example.org:1199"` * `nginx.ingress.kubernetes.io/cors-allow-credentials`: Controls if credentials can be passed during CORS operations. @@ -550,15 +552,10 @@ By default the controller redirects all requests to an existing service that pro These annotations define limits on connections and transmission rates. These can be used to mitigate [DDoS Attacks](https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus). -!!! attention - Rate limits are applied per Ingress NGINX controller replica. - If you're running multiple replicas or using a horizontal pod autoscaler (HPA), the effective rate limit will be multiplied by the number of replicas. - When using HPA, the exact rate limit becomes dynamic as the number of replicas may change based on load. - -* `nginx.ingress.kubernetes.io/limit-connections`: number of concurrent connections allowed from a single IP address per controller replica. A 503 error is returned when exceeding this limit. -* `nginx.ingress.kubernetes.io/limit-rps`: number of requests accepted from a given IP each second per controller replica. The burst limit is set to this limit multiplied by the burst multiplier, the default multiplier is 5. When clients exceed this limit, [limit-req-status-code](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#limit-req-status-code) ***default:*** 503 is returned. -* `nginx.ingress.kubernetes.io/limit-rpm`: number of requests accepted from a given IP each minute per controller replica. The burst limit is set to this limit multiplied by the burst multiplier, the default multiplier is 5. When clients exceed this limit, [limit-req-status-code](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#limit-req-status-code) ***default:*** 503 is returned. -* `nginx.ingress.kubernetes.io/limit-burst-multiplier`: multiplier of the limit rate for burst size. The default burst multiplier is 5, this annotation override the default multiplier. When clients exceed this limit, [limit-req-status-code](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#limit-req-status-code) ***default:*** 503 is returned. +* `nginx.ingress.kubernetes.io/limit-connections`: number of concurrent connections allowed from a single IP address. A 503 error is returned when exceeding this limit. +* `nginx.ingress.kubernetes.io/limit-rps`: number of requests accepted from a given IP each second. The burst limit is set to this limit multiplied by the burst multiplier, the default multiplier is 5. When clients exceed this limit, [limit-req-status-code](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#limit-req-status-code) ***default:*** 503 is returned. +* `nginx.ingress.kubernetes.io/limit-rpm`: number of requests accepted from a given IP each minute. The burst limit is set to this limit multiplied by the burst multiplier, the default multiplier is 5. When clients exceed this limit, [limit-req-status-code](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#limit-req-status-code) ***default:*** 503 is returned. +* `nginx.ingress.kubernetes.io/limit-burst-multiplier`: multiplier of the limit rate for burst size. The default burst multiplier is 5, this annotation override the default multiplier. When clients exceed this limit, [limit-req-status-code](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#limit-req-status-code) ***default:*** 503 is returned. * `nginx.ingress.kubernetes.io/limit-rate-after`: initial number of kilobytes after which the further transmission of a response to a given connection will be rate limited. This feature must be used with [proxy-buffering](#proxy-buffering) enabled. * `nginx.ingress.kubernetes.io/limit-rate`: number of kilobytes per second allowed to send to a given connection. The zero value disables rate limiting. This feature must be used with [proxy-buffering](#proxy-buffering) enabled. * `nginx.ingress.kubernetes.io/limit-whitelist`: client IP source ranges to be excluded from rate-limiting. The value is a comma separated list of CIDRs. @@ -569,6 +566,46 @@ To configure settings globally for all Ingress rules, the `limit-rate-after` and The client IP address will be set based on the use of [PROXY protocol](./configmap.md#use-proxy-protocol) or from the `X-Forwarded-For` header value when [use-forwarded-headers](./configmap.md#use-forwarded-headers) is enabled. +### Global Rate Limiting + +**Note:** Be careful when configuring both (Local) Rate Limiting and Global Rate Limiting at the same time. +They are two completely different rate limiting implementations. Whichever limit exceeds first will reject the +requests. It might be a good idea to configure both of them to ease load on Global Rate Limiting backend +in cases of spike in traffic. + +The stock NGINX rate limiting does not share its counters among different NGINX instances. +Given that most ingress-nginx deployments are elastic and number of replicas can change any day +it is impossible to configure a proper rate limit using stock NGINX functionalities. +Global Rate Limiting overcome this by using [lua-resty-global-throttle](https://github.com/ElvinEfendi/lua-resty-global-throttle). `lua-resty-global-throttle` shares its counters via a central store such as `memcached`. +The obvious shortcoming of this is users have to deploy and operate a `memcached` instance +in order to benefit from this functionality. Configure the `memcached` +using [these configmap settings](./configmap.md#global-rate-limit). + +**Here are a few remarks for ingress-nginx integration of `lua-resty-global-throttle`:** + +1. We minimize `memcached` access by caching exceeding limit decisions. The expiry of +cache entry is the desired delay `lua-resty-global-throttle` calculates for us. +The Lua Shared Dictionary used for that is `global_throttle_cache`. Currently its size defaults to 10M. +Customize it as per your needs using [lua-shared-dicts](./configmap.md#lua-shared-dicts). +When we fail to cache the exceeding limit decision then we log an NGINX error. You can monitor +for that error to decide if you need to bump the cache size. Without cache the cost of processing a +request is two memcached commands: `GET`, and `INCR`. With the cache it is only `INCR`. +1. Log NGINX variable `$global_rate_limit_exceeding`'s value to have some visibility into +what portion of requests are rejected (value `y`), whether they are rejected using cached decision (value `c`), +or if they are not rejected (default value `n`). You can use [log-format-upstream](./configmap.md#log-format-upstream) +to include that in access logs. +1. In case of an error it will log the error message and **fail open**. +1. The annotations below creates Global Rate Limiting instance per ingress. +That means if there are multiple paths configured under the same ingress, +the Global Rate Limiting will count requests to all the paths under the same counter. +Extract a path out into its own ingress if you need to isolate a certain path. + + +* `nginx.ingress.kubernetes.io/global-rate-limit`: Configures maximum allowed number of requests per window. Required. +* `nginx.ingress.kubernetes.io/global-rate-limit-window`: Configures a time window (i.e `1m`) that the limit is applied. Required. +* `nginx.ingress.kubernetes.io/global-rate-limit-key`: Configures a key for counting the samples. Defaults to `$remote_addr`. You can also combine multiple NGINX variables here, like `${remote_addr}-${http_x_api_client}` which would mean the limit will be applied to requests coming from the same API client (indicated by `X-API-Client` HTTP request header) with the same source IP address. +* `nginx.ingress.kubernetes.io/global-rate-limit-ignored-cidrs`: comma separated list of IPs and CIDRs to match client IP against. When there's a match request is not considered for rate limiting. + ### Permanent Redirect This annotation allows to return a permanent redirect (Return Code 301) instead of sending data to the upstream. For example `nginx.ingress.kubernetes.io/permanent-redirect: https://www.google.com` would redirect everything to Google. @@ -580,10 +617,6 @@ This annotation allows you to modify the status code used for permanent redirect ### Temporal Redirect This annotation allows you to return a temporal redirect (Return Code 302) instead of sending data to the upstream. For example `nginx.ingress.kubernetes.io/temporal-redirect: https://www.google.com` would redirect everything to Google with a Return Code of 302 (Moved Temporarily) -### Temporal Redirect Code - -This annotation allows you to modify the status code used for temporal redirects. For example `nginx.ingress.kubernetes.io/temporal-redirect-code: '307'` would return your temporal-redirect with a 307. - ### SSL Passthrough The annotation `nginx.ingress.kubernetes.io/ssl-passthrough` instructs the controller to send TLS connections directly @@ -748,18 +781,6 @@ To configure this setting globally, set `proxy-buffer-size` in [NGINX ConfigMap] nginx.ingress.kubernetes.io/proxy-buffer-size: "8k" ``` -### Proxy busy buffers size - -[Limits the total size of buffers that can be busy](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_busy_buffers_size) sending a response to the client while the response is not yet fully read. - -By default proxy busy buffers size is set as "8k". - -To configure this setting globally, set `proxy-busy-buffers-size` in the [ConfigMap](./configmap.md#proxy-busy-buffers-size). To use custom values in an Ingress rule, define this annotation: - -```yaml -nginx.ingress.kubernetes.io/proxy-busy-buffers-size: "16k" -``` - ### Proxy max temp file size When [`buffering`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering) of responses from the proxied server is enabled, and the whole response does not fit into the buffers set by the [`proxy_buffer_size`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) and [`proxy_buffers`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers) directives, a part of the response can be saved to a temporary file. This directive sets the maximum `size` of the temporary file setting the [`proxy_max_temp_file_size`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_max_temp_file_size). The size of data written to the temporary file at a time is set by the [`proxy_temp_file_write_size`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_temp_file_write_size) directive. diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md index d8b4f6693..12793d0e4 100644 --- a/docs/user-guide/nginx-configuration/configmap.md +++ b/docs/user-guide/nginx-configuration/configmap.md @@ -29,9 +29,9 @@ The following table shows a configuration option's name, type, and the default v |:--------------------------------------------------------------------------------|:-------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------------------------------------------| | [add-headers](#add-headers) | string | "" | | | [allow-backend-server-header](#allow-backend-server-header) | bool | "false" | | -| [allow-cross-namespace-resources](#allow-cross-namespace-resources) | bool | "false" | | +| [allow-cross-namespace-resources](#allow-cross-namespace-resources) | bool | "true" | | | [allow-snippet-annotations](#allow-snippet-annotations) | bool | "false" | | -| [annotations-risk-level](#annotations-risk-level) | string | High | | +| [annotations-risk-level](#annotations-risk-level) | string | Critical | | | [annotation-value-word-blocklist](#annotation-value-word-blocklist) | string array | "" | | | [hide-headers](#hide-headers) | string array | empty | | | [access-log-params](#access-log-params) | string | "" | | @@ -82,6 +82,7 @@ The following table shows a configuration option's name, type, and the default v | [server-name-hash-bucket-size](#server-name-hash-bucket-size) | int | `` | | [proxy-headers-hash-max-size](#proxy-headers-hash-max-size) | int | 512 | | | [proxy-headers-hash-bucket-size](#proxy-headers-hash-bucket-size) | int | 64 | | +| [plugins](#plugins) | []string | | | | [reuse-port](#reuse-port) | bool | "true" | | | [server-tokens](#server-tokens) | bool | "false" | | | [ssl-ciphers](#ssl-ciphers) | string | "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" | | @@ -179,7 +180,6 @@ The following table shows a configuration option's name, type, and the default v | [proxy-send-timeout](#proxy-send-timeout) | int | 60 | | | [proxy-buffers-number](#proxy-buffers-number) | int | 4 | | | [proxy-buffer-size](#proxy-buffer-size) | string | "4k" | | -| [proxy-busy-buffers-size](#proxy-busy-buffers-size) | string | "8k" | | | [proxy-cookie-path](#proxy-cookie-path) | string | "off" | | | [proxy-cookie-domain](#proxy-cookie-domain) | string | "off" | | | [proxy-next-upstream](#proxy-next-upstream) | string | "error timeout" | | @@ -219,12 +219,17 @@ The following table shows a configuration option's name, type, and the default v | [block-referers](#block-referers) | []string | "" | | | [proxy-ssl-location-only](#proxy-ssl-location-only) | bool | "false" | | | [default-type](#default-type) | string | "text/html" | | +| [global-rate-limit-memcached-host](#global-rate-limit) | string | "" | | +| [global-rate-limit-memcached-port](#global-rate-limit) | int | 11211 | | +| [global-rate-limit-memcached-connect-timeout](#global-rate-limit) | int | 50 | | +| [global-rate-limit-memcached-max-idle-timeout](#global-rate-limit) | int | 10000 | | +| [global-rate-limit-memcached-pool-size](#global-rate-limit) | int | 50 | | +| [global-rate-limit-status-code](#global-rate-limit) | int | 429 | | | [service-upstream](#service-upstream) | bool | "false" | | | [ssl-reject-handshake](#ssl-reject-handshake) | bool | "false" | | | [debug-connections](#debug-connections) | []string | "127.0.0.1,1.1.1.1/24" | | -| [strict-validate-path-type](#strict-validate-path-type) | bool | "true" | | +| [strict-validate-path-type](#strict-validate-path-type) | bool | "false" (v1.7.x) | | | [grpc-buffer-size-kb](#grpc-buffer-size-kb) | int | 0 | | -| [relative-redirects](#relative-redirects) | bool | false | | ## add-headers @@ -236,16 +241,18 @@ Enables the return of the header Server from the backend instead of the generic ## allow-cross-namespace-resources -Enables users to consume cross namespace resource on annotations, when was previously enabled . _**default:**_ false +Enables users to consume cross namespace resource on annotations, when was previously enabled . _**default:**_ true **Annotations that may be impacted with this change**: - * `auth-secret` * `auth-proxy-set-header` * `auth-tls-secret` * `fastcgi-params-configmap` * `proxy-ssl-secret` + +**This option will be defaulted to false in the next major release** + ## allow-snippet-annotations Enables Ingress to parse and add *-snippet annotations/directives created by the user. _**default:**_ `false` @@ -253,13 +260,15 @@ Enables Ingress to parse and add *-snippet annotations/directives created by the Warning: We recommend enabling this option only if you TRUST users with permission to create Ingress objects, as this may allow a user to add restricted configurations to the final nginx.conf file +**This option will be defaulted to false in the next major release** + ## annotations-risk-level Represents the risk accepted on an annotation. If the risk is, for instance `Medium`, annotations with risk High and Critical will not be accepted. Accepted values are `Critical`, `High`, `Medium` and `Low`. -_**default:**_ `High` +Defaults to `Critical` but will be changed to `High` on the next minor release ## annotation-value-word-blocklist @@ -603,6 +612,10 @@ _References:_ - [https://nginx.org/en/docs/hash.html](https://nginx.org/en/docs/hash.html) - [https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_headers_hash_bucket_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_headers_hash_bucket_size) +## plugins + +Activates plugins installed in `/etc/nginx/lua/plugins`. Refer to [ingress-nginx plugins README](https://github.com/kubernetes/ingress-nginx/blob/main/rootfs/etc/nginx/lua/plugins/README.md) for more information on how to write and install a plugin. + ## server-tokens Send NGINX Server header in responses and display NGINX version in error pages. _**default:**_ is disabled @@ -1110,10 +1123,6 @@ Sets the number of the buffer used for [reading the first part of the response]( Sets the size of the buffer used for [reading the first part of the response](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) received from the proxied server. This part usually contains a small response header. -## proxy-busy-buffers-size - -[Limits the total size of buffers that can be busy](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_busy_buffers_size) sending a response to the client while the response is not yet fully read. - ## proxy-cookie-path Sets a text that [should be changed in the path attribute](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_path) of the “Set-Cookie” header fields of a proxied server response. @@ -1345,6 +1354,22 @@ _**default:**_ text/html _References:_ [https://nginx.org/en/docs/http/ngx_http_core_module.html#default_type](https://nginx.org/en/docs/http/ngx_http_core_module.html#default_type) +## global-rate-limit + +* `global-rate-limit-status-code`: configure HTTP status code to return when rejecting requests. Defaults to 429. + +Configure `memcached` client for [Global Rate Limiting](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#global-rate-limiting). + +* `global-rate-limit-memcached-host`: IP/FQDN of memcached server to use. Required to enable Global Rate Limiting. +* `global-rate-limit-memcached-port`: port of memcached server to use. Defaults default memcached port of `11211`. +* `global-rate-limit-memcached-connect-timeout`: configure timeout for connect, send and receive operations. Unit is millisecond. Defaults to 50ms. +* `global-rate-limit-memcached-max-idle-timeout`: configure timeout for cleaning idle connections. Unit is millisecond. Defaults to 50ms. +* `global-rate-limit-memcached-pool-size`: configure number of max connections to keep alive. Make sure your `memcached` server can handle +`global-rate-limit-memcached-pool-size * worker-processes * ` simultaneous connections. + +These settings get used by [lua-resty-global-throttle](https://github.com/ElvinEfendi/lua-resty-global-throttle) +that ingress-nginx includes. Refer to the link to learn more about `lua-resty-global-throttle`. + ## service-upstream Set if the service's Cluster IP and port should be used instead of a list of all endpoints. This can be overwritten by an annotation on an Ingress rule. @@ -1366,7 +1391,6 @@ _References:_ [http://nginx.org/en/docs/ngx_core_module.html#debug_connection](http://nginx.org/en/docs/ngx_core_module.html#debug_connection) ## strict-validate-path-type - Ingress objects contains a field called pathType that defines the proxy behavior. It can be `Exact`, `Prefix` and `ImplementationSpecific`. When pathType is configured as `Exact` or `Prefix`, there should be a more strict validation, allowing only paths starting with "/" and @@ -1380,22 +1404,9 @@ This means that Ingress objects that rely on paths containing regex characters s The cluster admin should establish validation rules using mechanisms like [Open Policy Agent](https://www.openpolicyagent.org/) to validate that only authorized users can use `ImplementationSpecific` pathType and that only the authorized characters can be used. -_**default:**_ "true" - ## grpc-buffer-size-kb Sets the configuration for the GRPC Buffer Size parameter. If not set it will use the default from NGINX. _References:_ [https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_buffer_size](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_buffer_size) - -## relative-redirects - -Use relative redirects instead of absolute redirects. Absolute redirects are the default in nginx. RFC7231 allows relative redirects since 2014. -Similar to the Ingress rule annotation `nginx.ingress.kubernetes.io/relative-redirects`. - -_**default:**_ "false" - -_References:_ -- [https://nginx.org/en/docs/http/ngx_http_core_module.html#absolute_redirect](https://nginx.org/en/docs/http/ngx_http_core_module.html#absolute_redirect) -- [https://datatracker.ietf.org/doc/html/rfc7231#section-7.1.2](https://datatracker.ietf.org/doc/html/rfc7231#section-7.1.2) diff --git a/docs/user-guide/third-party-addons/opentelemetry.md b/docs/user-guide/third-party-addons/opentelemetry.md index 255ba1ffa..32b17d2ca 100644 --- a/docs/user-guide/third-party-addons/opentelemetry.md +++ b/docs/user-guide/third-party-addons/opentelemetry.md @@ -147,7 +147,17 @@ graph TB To install the example and collectors run: -1. Enable OpenTelemetry and set the otlp-collector-host: +1. Enable Ingress addon with: + + ```yaml + opentelemetry: + enabled: true + image: registry.k8s.io/ingress-nginx/opentelemetry-1.25.3:v20240813-b933310d@sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922 + containerSecurityContext: + allowPrivilegeEscalation: false + ``` + +2. Enable OpenTelemetry and set the otlp-collector-host: ```yaml $ echo ' @@ -173,7 +183,7 @@ To install the example and collectors run: ' | kubectl replace -f - ``` -2. Deploy otel-collector, grafana and Jaeger backend: +4. Deploy otel-collector, grafana and Jaeger backend: ```bash # add helm charts needed for grafana and OpenTelemetry collector @@ -208,7 +218,7 @@ To install the example and collectors run: make deploy-app ``` -4. Make a few requests to the Service: +5. Make a few requests to the Service: ```bash kubectl port-forward --namespace=ingress-nginx service/ingress-nginx-controller 8090:80 @@ -237,7 +247,7 @@ To install the example and collectors run: RawContentLength : 21 ``` -5. View the Grafana UI: +6. View the Grafana UI: ```bash kubectl port-forward --namespace=observability service/grafana 3000:80 @@ -245,7 +255,7 @@ To install the example and collectors run: In the Grafana interface we can see the details: ![grafana screenshot](../../images/otel-grafana-demo.png "grafana screenshot") -6. View the Jaeger UI: +7. View the Jaeger UI: ```bash kubectl port-forward --namespace=observability service/jaeger-all-in-one-query 16686:16686 @@ -253,7 +263,7 @@ To install the example and collectors run: In the Jaeger interface we can see the details: ![Jaeger screenshot](../../images/otel-jaeger-demo.png "Jaeger screenshot") -7. View the Zipkin UI: +8. View the Zipkin UI: ```bash kubectl port-forward --namespace=observability service/zipkin 9411:9411 diff --git a/ginkgo_upgrade.md b/ginkgo_upgrade.md index 87e6bd9fd..57db0f28f 100644 --- a/ginkgo_upgrade.md +++ b/ginkgo_upgrade.md @@ -49,7 +49,7 @@ Promoting the images basically means that images, that were pushed to staging co ``` ... - pushing manifest for us-central1-docker.pkg.dev/k8s-staging-images/ingress-nginx/controller:v1.0.2@sha256:e15fac6e8474d77e1f017edc33d804ce72a184e3c0a30963b2a0d7f0b89f6b16 + pushing manifest for gcr.io/k8s-staging-ingress-nginx/controller:v1.0.2@sha256:e15fac6e8474d77e1f017edc33d804ce72a184e3c0a30963b2a0d7f0b89f6b16 ... ``` @@ -65,11 +65,11 @@ Promoting the images basically means that images, that were pushed to staging co - Create a branch in your fork, named as the issue number for this release -- In the related branch, of your fork, edit the file registry.k8s.io/images/k8s-staging-ingress-nginx/images.yaml. +- In the related branch, of your fork, edit the file k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml. - For making it easier, you can edit your branch directly in the browser. But be careful about making any mistake. -- Insert the sha(s) & the tag(s), in a new line, in this file [Project kubernetes/k8s.io Ingress-Nginx-Controller Images](https://github.com/kubernetes/k8s.io/blob/main/registry.k8s.io/images/k8s-staging-ingress-nginx/images.yaml) Look at this [example PR and the diff](https://github.com/kubernetes/k8s.io/pull/4499) to see how it was done before +- Insert the sha(s) & the tag(s), in a new line, in this file [Project kubernetes/k8s.io Ingress-Nginx-Controller Images](https://github.com/kubernetes/k8s.io/blob/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml) Look at this [example PR and the diff](https://github.com/kubernetes/k8s.io/pull/4499) to see how it was done before - Save and commit @@ -128,4 +128,4 @@ Promoting the images basically means that images, that were pushed to staging co - Finally merge the PR. -## END ## +## END ## \ No newline at end of file diff --git a/go.mod b/go.mod index 34584bbf9..7cced6117 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module k8s.io/ingress-nginx -go 1.23.6 +go 1.23.4 require ( dario.cat/mergo v1.0.1 @@ -13,34 +13,35 @@ require ( github.com/mitchellh/hashstructure/v2 v2.0.2 github.com/mitchellh/mapstructure v1.5.0 github.com/moul/pb v0.0.0-20220425114252-bca18df4138c - github.com/ncabatoff/process-exporter v0.8.5 - github.com/onsi/ginkgo/v2 v2.22.2 - github.com/opencontainers/runc v1.2.5 + github.com/ncabatoff/process-exporter v0.8.4 + github.com/onsi/ginkgo/v2 v2.22.1 + github.com/opencontainers/runc v1.2.3 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 github.com/prometheus/client_golang v1.20.5 github.com/prometheus/client_model v0.6.1 - github.com/prometheus/common v0.62.0 - github.com/spf13/cobra v1.9.1 - github.com/spf13/pflag v1.0.6 + github.com/prometheus/common v0.61.0 + github.com/spf13/cobra v1.8.1 + github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.10.0 github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20221221105603-fcedb00c5b30 - golang.org/x/crypto v0.33.0 - google.golang.org/grpc v1.70.0 + golang.org/x/crypto v0.31.0 + golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 + google.golang.org/grpc v1.69.2 google.golang.org/grpc/examples v0.0.0-20240223204917-5ccf176a08ab gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 - k8s.io/api v0.32.2 - k8s.io/apiextensions-apiserver v0.32.2 - k8s.io/apimachinery v0.32.2 - k8s.io/apiserver v0.32.2 - k8s.io/cli-runtime v0.32.2 - k8s.io/client-go v0.32.2 - k8s.io/code-generator v0.32.2 - k8s.io/component-base v0.32.2 + k8s.io/api v0.32.0 + k8s.io/apiextensions-apiserver v0.32.0 + k8s.io/apimachinery v0.32.0 + k8s.io/apiserver v0.32.0 + k8s.io/cli-runtime v0.32.0 + k8s.io/client-go v0.32.0 + k8s.io/code-generator v0.32.0 + k8s.io/component-base v0.32.0 k8s.io/klog/v2 v2.130.1 pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 - sigs.k8s.io/controller-runtime v0.20.2 + sigs.k8s.io/controller-runtime v0.19.3 sigs.k8s.io/mdtoc v1.4.0 ) @@ -50,8 +51,8 @@ require ( github.com/klauspost/compress v1.17.9 // indirect github.com/moby/sys/userns v0.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect - go.opentelemetry.io/otel v1.32.0 // indirect - go.opentelemetry.io/otel/trace v1.32.0 // indirect + go.opentelemetry.io/otel v1.31.0 // indirect + go.opentelemetry.io/otel/trace v1.31.0 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect sigs.k8s.io/release-utils v0.8.3 // indirect ) @@ -64,11 +65,11 @@ require ( github.com/blang/semver/v4 v4.0.0 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/coreos/go-systemd/v22 v22.5.0 // indirect - github.com/cyphar/filepath-securejoin v0.4.1 // indirect + github.com/cyphar/filepath-securejoin v0.3.5 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/eapache/queue v1.1.0 // indirect github.com/emicklei/go-restful/v3 v3.12.0 // indirect - github.com/evanphx/json-patch/v5 v5.9.11 // indirect + github.com/evanphx/json-patch/v5 v5.9.0 // indirect github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa // indirect github.com/go-errors/errors v1.5.1 // indirect github.com/go-logr/logr v1.4.2 // indirect @@ -80,7 +81,7 @@ require ( github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/protobuf v1.5.4 // indirect github.com/gomarkdown/markdown v0.0.0-20240328165702-4d01890c35c0 // indirect - github.com/google/btree v1.1.3 // indirect + github.com/google/btree v1.1.2 // indirect github.com/google/gnostic-models v0.6.8 // indirect github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect @@ -115,14 +116,14 @@ require ( golang.org/x/mod v0.22.0 // indirect golang.org/x/net v0.33.0 // indirect golang.org/x/oauth2 v0.24.0 // indirect - golang.org/x/sync v0.11.0 // indirect - golang.org/x/sys v0.30.0 // indirect - golang.org/x/term v0.29.0 // indirect - golang.org/x/text v0.22.0 // indirect + golang.org/x/sync v0.10.0 // indirect + golang.org/x/sys v0.28.0 // indirect + golang.org/x/term v0.27.0 // indirect + golang.org/x/text v0.21.0 // indirect golang.org/x/time v0.7.0 // indirect golang.org/x/tools v0.28.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20241202173237-19429a94021a // indirect - google.golang.org/protobuf v1.36.1 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20241015192408-796eee8c2d53 // indirect + google.golang.org/protobuf v1.35.2 // indirect gopkg.in/go-playground/assert.v1 v1.2.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect diff --git a/go.sum b/go.sum index 6e933d349..53b639700 100644 --- a/go.sum +++ b/go.sum @@ -18,11 +18,11 @@ github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w= github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= -github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= +github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= -github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s= -github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI= +github.com/cyphar/filepath-securejoin v0.3.5 h1:L81NHjquoQmcPgXcttUS9qTSR/+bXry6pbSINQGpjj4= +github.com/cyphar/filepath-securejoin v0.3.5/go.mod h1:edhVd3c6OXKjUmSrVa/tGJRS9joFTxlslFCAyaxigkE= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= @@ -33,8 +33,8 @@ github.com/eapache/queue v1.1.0 h1:YOEu7KNc61ntiQlcEeUIoDTJ2o8mQznoNvUhiigpIqc= github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk= github.com/emicklei/go-restful/v3 v3.12.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU= -github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM= +github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= +github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M= @@ -77,8 +77,8 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/gomarkdown/markdown v0.0.0-20240328165702-4d01890c35c0 h1:4gjrh/PN2MuWCCElk8/I4OCKRKWCCo2zEct3VKCbibU= github.com/gomarkdown/markdown v0.0.0-20240328165702-4d01890c35c0/go.mod h1:JDGcbDT52eL4fju3sZ4TeHGsQwhG9nbDV21aMyhwPoA= -github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg= -github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= +github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= +github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= @@ -154,8 +154,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833 h1:t4WWQ9I797y7QUgeEjeXnVb+oYuEDQc6gLvrZJTYo94= github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833/go.mod h1:0CznHmXSjMEqs5Tezj/w2emQoM41wzYM9KpDKUHPYag= -github.com/ncabatoff/process-exporter v0.8.5 h1:Hk1sflgRWn0Xrh/OsupQLVVCTW01kv0YYrGxu7NvkmM= -github.com/ncabatoff/process-exporter v0.8.5/go.mod h1:IZndG/m2Y++D90y99NhDJfg0SOkpbx/Fl6MlnBr4SC0= +github.com/ncabatoff/process-exporter v0.8.4 h1:qj0pWbP6AytVQ1fMYabRd5LnuV6NPh0O6WCfenPJT54= +github.com/ncabatoff/process-exporter v0.8.4/go.mod h1:MxEOWl740VK/hlWycJkq91VrA2mI+U9Bvc1wuyAaxA4= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= @@ -163,14 +163,14 @@ github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.22.2 h1:/3X8Panh8/WwhU/3Ssa6rCKqPLuAkVY2I0RoyDLySlU= -github.com/onsi/ginkgo/v2 v2.22.2/go.mod h1:oeMosUL+8LtarXBHu/c0bx2D/K9zyQ6uX3cTyztHwsk= +github.com/onsi/ginkgo/v2 v2.22.1 h1:QW7tbJAUDyVDVOM5dFa7qaybo+CRfR7bemlQUN6Z8aM= +github.com/onsi/ginkgo/v2 v2.22.1/go.mod h1:S6aTpoRsSq2cZOd+pssHAlKW/Q/jZt6cPrPlnj4a1xM= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8= -github.com/onsi/gomega v1.36.2/go.mod h1:DdwyADRjrc825LhMEkD76cHR5+pUnjhUN8GlHlRPHzY= -github.com/opencontainers/runc v1.2.5 h1:8KAkq3Wrem8bApgOHyhRI/8IeLXIfmZ6Qaw6DNSLnA4= -github.com/opencontainers/runc v1.2.5/go.mod h1:dOQeFo29xZKBNeRBI0B19mJtfHv68YgCTh1X+YphA+4= +github.com/onsi/gomega v1.36.1 h1:bJDPBO7ibjxcbHMgSCoo4Yj18UWbKDlLwX1x9sybDcw= +github.com/onsi/gomega v1.36.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= +github.com/opencontainers/runc v1.2.3 h1:fxE7amCzfZflJO2lHXf4y/y8M1BoAqp+FVmG19oYB80= +github.com/opencontainers/runc v1.2.3/go.mod h1:nSxcWUydXrsBZVYNSkTjoQ/N6rcyTtn+1SD5D4+kRIM= github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk= github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= @@ -184,8 +184,8 @@ github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+ github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= -github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io= -github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I= +github.com/prometheus/common v0.61.0 h1:3gv/GThfX0cV2lpO7gkTUwZru38mxevy90Bj8YFSRQQ= +github.com/prometheus/common v0.61.0/go.mod h1:zr29OCN/2BsJRaFwG8QOBr41D6kkchKbpeNH7pAjb/s= github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= @@ -195,10 +195,10 @@ github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo= -github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0= -github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o= -github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= +github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= @@ -224,16 +224,16 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/zakjan/cert-chain-resolver v0.0.0-20221221105603-fcedb00c5b30 h1:rzHvkiukOVYcf840FqAsHqBMhfLofvQIxWtczkGRklU= github.com/zakjan/cert-chain-resolver v0.0.0-20221221105603-fcedb00c5b30/go.mod h1:/Hzu8ych2oXCs1iNI+MeASyFzWTncQ6nlu/wgqbqC2A= -go.opentelemetry.io/otel v1.32.0 h1:WnBN+Xjcteh0zdk01SVqV55d/m62NJLJdIyb4y/WO5U= -go.opentelemetry.io/otel v1.32.0/go.mod h1:00DCVSB0RQcnzlwyTfqtxSm+DRr9hpYrHjNGiBHVQIg= -go.opentelemetry.io/otel/metric v1.32.0 h1:xV2umtmNcThh2/a/aCP+h64Xx5wsj8qqnkYZktzNa0M= -go.opentelemetry.io/otel/metric v1.32.0/go.mod h1:jH7CIbbK6SH2V2wE16W05BHCtIDzauciCRLoc/SyMv8= -go.opentelemetry.io/otel/sdk v1.32.0 h1:RNxepc9vK59A8XsgZQouW8ue8Gkb4jpWtJm9ge5lEG4= -go.opentelemetry.io/otel/sdk v1.32.0/go.mod h1:LqgegDBjKMmb2GC6/PrTnteJG39I8/vJCAP9LlJXEjU= -go.opentelemetry.io/otel/sdk/metric v1.32.0 h1:rZvFnvmvawYb0alrYkjraqJq0Z4ZUJAiyYCU9snn1CU= -go.opentelemetry.io/otel/sdk/metric v1.32.0/go.mod h1:PWeZlq0zt9YkYAp3gjKZ0eicRYvOh1Gd+X99x6GHpCQ= -go.opentelemetry.io/otel/trace v1.32.0 h1:WIC9mYrXf8TmY/EXuULKc8hR17vE+Hjv2cssQDe03fM= -go.opentelemetry.io/otel/trace v1.32.0/go.mod h1:+i4rkvCraA+tG6AzwloGaCtkx53Fa+L+V8e9a7YvhT8= +go.opentelemetry.io/otel v1.31.0 h1:NsJcKPIW0D0H3NgzPDHmo0WW6SptzPdqg/L1zsIm2hY= +go.opentelemetry.io/otel v1.31.0/go.mod h1:O0C14Yl9FgkjqcCZAsE053C13OaddMYr/hz6clDkEJE= +go.opentelemetry.io/otel/metric v1.31.0 h1:FSErL0ATQAmYHUIzSezZibnyVlft1ybhy4ozRPcF2fE= +go.opentelemetry.io/otel/metric v1.31.0/go.mod h1:C3dEloVbLuYoX41KpmAhOqNriGbA+qqH6PQ5E5mUfnY= +go.opentelemetry.io/otel/sdk v1.31.0 h1:xLY3abVHYZ5HSfOg3l2E5LUj2Cwva5Y7yGxnSW9H5Gk= +go.opentelemetry.io/otel/sdk v1.31.0/go.mod h1:TfRbMdhvxIIr/B2N2LQW2S5v9m3gOQ/08KsbbO5BPT0= +go.opentelemetry.io/otel/sdk/metric v1.31.0 h1:i9hxxLJF/9kkvfHppyLL55aW7iIJz4JjxTeYusH7zMc= +go.opentelemetry.io/otel/sdk/metric v1.31.0/go.mod h1:CRInTMVvNhUKgSAMbKyTMxqOBC0zgyxzW55lZzX43Y8= +go.opentelemetry.io/otel/trace v1.31.0 h1:ffjsj1aRouKewfr85U2aGagJ46+MvodynlQ1HYdmJys= +go.opentelemetry.io/otel/trace v1.31.0/go.mod h1:TXZkRk7SM2ZQLtR6eoAWQFIHPvzQ06FJAsO1tJg480A= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= @@ -243,8 +243,10 @@ go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus= -golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M= +golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= +golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4= @@ -263,8 +265,8 @@ golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w= -golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ= +golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -279,14 +281,14 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc= -golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU= -golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s= +golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= +golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= +golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM= -golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY= +golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= +golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ= golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -302,10 +304,10 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241202173237-19429a94021a h1:hgh8P4EuoxpsuKMXX/To36nOFD7vixReXgn8lPGnt+o= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241202173237-19429a94021a/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU= -google.golang.org/grpc v1.70.0 h1:pWFv03aZoHzlRKHWicjsZytKAiYCtNS0dHbXnIdq7jQ= -google.golang.org/grpc v1.70.0/go.mod h1:ofIJqVKDXx/JiXrwr2IG4/zwdH9txy3IlF40RmcJSQw= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241015192408-796eee8c2d53 h1:X58yt85/IXCx0Y3ZwN6sEIKZzQtDEYaBWrDvErdXrRE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241015192408-796eee8c2d53/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= +google.golang.org/grpc v1.69.2 h1:U3S9QEtbXC0bYNvRtcoklF3xGtLViumSYxWykJS+7AU= +google.golang.org/grpc v1.69.2/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4= google.golang.org/grpc/examples v0.0.0-20240223204917-5ccf176a08ab h1:tg8hvIl5RmFBuXlcJMuL0h4Psh1gx5Q5xEMwzBZIzWA= google.golang.org/grpc/examples v0.0.0-20240223204917-5ccf176a08ab/go.mod h1:liVNnGuZDITxuksuZ+BBvdy7FcJfeNk+efF9qgqNUmc= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= @@ -314,8 +316,8 @@ google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQ google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.36.1 h1:yBPeRvTftaleIgM3PZ/WBIZ7XM/eEYAaEyCwvyjq/gk= -google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io= +google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= @@ -340,22 +342,22 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.32.2 h1:bZrMLEkgizC24G9eViHGOPbW+aRo9duEISRIJKfdJuw= -k8s.io/api v0.32.2/go.mod h1:hKlhk4x1sJyYnHENsrdCWw31FEmCijNGPJO5WzHiJ6Y= -k8s.io/apiextensions-apiserver v0.32.2 h1:2YMk285jWMk2188V2AERy5yDwBYrjgWYggscghPCvV4= -k8s.io/apiextensions-apiserver v0.32.2/go.mod h1:GPwf8sph7YlJT3H6aKUWtd0E+oyShk/YHWQHf/OOgCA= -k8s.io/apimachinery v0.32.2 h1:yoQBR9ZGkA6Rgmhbp/yuT9/g+4lxtsGYwW6dR6BDPLQ= -k8s.io/apimachinery v0.32.2/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE= -k8s.io/apiserver v0.32.2 h1:WzyxAu4mvLkQxwD9hGa4ZfExo3yZZaYzoYvvVDlM6vw= -k8s.io/apiserver v0.32.2/go.mod h1:PEwREHiHNU2oFdte7BjzA1ZyjWjuckORLIK/wLV5goM= -k8s.io/cli-runtime v0.32.2 h1:aKQR4foh9qeyckKRkNXUccP9moxzffyndZAvr+IXMks= -k8s.io/cli-runtime v0.32.2/go.mod h1:a/JpeMztz3xDa7GCyyShcwe55p8pbcCVQxvqZnIwXN8= -k8s.io/client-go v0.32.2 h1:4dYCD4Nz+9RApM2b/3BtVvBHw54QjMFUl1OLcJG5yOA= -k8s.io/client-go v0.32.2/go.mod h1:fpZ4oJXclZ3r2nDOv+Ux3XcJutfrwjKTCHz2H3sww94= -k8s.io/code-generator v0.32.2 h1:CIvyPrLWP7cMgrqval2qYT839YAwCDeSvGfXgWSNpHQ= -k8s.io/code-generator v0.32.2/go.mod h1:plh7bWk7JztAUkHM4zpbdy0KOMdrhsePcZL2HLWFH7Y= -k8s.io/component-base v0.32.2 h1:1aUL5Vdmu7qNo4ZsE+569PV5zFatM9hl+lb3dEea2zU= -k8s.io/component-base v0.32.2/go.mod h1:PXJ61Vx9Lg+P5mS8TLd7bCIr+eMJRQTyXe8KvkrvJq0= +k8s.io/api v0.32.0 h1:OL9JpbvAU5ny9ga2fb24X8H6xQlVp+aJMFlgtQjR9CE= +k8s.io/api v0.32.0/go.mod h1:4LEwHZEf6Q/cG96F3dqR965sYOfmPM7rq81BLgsE0p0= +k8s.io/apiextensions-apiserver v0.32.0 h1:S0Xlqt51qzzqjKPxfgX1xh4HBZE+p8KKBq+k2SWNOE0= +k8s.io/apiextensions-apiserver v0.32.0/go.mod h1:86hblMvN5yxMvZrZFX2OhIHAuFIMJIZ19bTvzkP+Fmw= +k8s.io/apimachinery v0.32.0 h1:cFSE7N3rmEEtv4ei5X6DaJPHHX0C+upp+v5lVPiEwpg= +k8s.io/apimachinery v0.32.0/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE= +k8s.io/apiserver v0.32.0 h1:VJ89ZvQZ8p1sLeiWdRJpRD6oLozNZD2+qVSLi+ft5Qs= +k8s.io/apiserver v0.32.0/go.mod h1:HFh+dM1/BE/Hm4bS4nTXHVfN6Z6tFIZPi649n83b4Ag= +k8s.io/cli-runtime v0.32.0 h1:dP+OZqs7zHPpGQMCGAhectbHU2SNCuZtIimRKTv2T1c= +k8s.io/cli-runtime v0.32.0/go.mod h1:Mai8ht2+esoDRK5hr861KRy6z0zHsSTYttNVJXgP3YQ= +k8s.io/client-go v0.32.0 h1:DimtMcnN/JIKZcrSrstiwvvZvLjG0aSxy8PxN8IChp8= +k8s.io/client-go v0.32.0/go.mod h1:boDWvdM1Drk4NJj/VddSLnx59X3OPgwrOo0vGbtq9+8= +k8s.io/code-generator v0.32.0 h1:s0lNN8VSWny8LBz5t5iy7MCdgwdOhdg7vAGVxvS+VWU= +k8s.io/code-generator v0.32.0/go.mod h1:b7Q7KMZkvsYFy72A79QYjiv4aTz3GvW0f1T3UfhFq4s= +k8s.io/component-base v0.32.0 h1:d6cWHZkCiiep41ObYQS6IcgzOUQUNpywm39KVYaUqzU= +k8s.io/component-base v0.32.0/go.mod h1:JLG2W5TUxUu5uDyKiH2R/7NnxJo1HlPoRIIbVLkK5eM= k8s.io/gengo/v2 v2.0.0-20240911193312-2b36238f13e9 h1:si3PfKm8dDYxgfbeA6orqrtLkvvIeH8UqffFJDl0bz4= k8s.io/gengo/v2 v2.0.0-20240911193312-2b36238f13e9/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= @@ -366,8 +368,8 @@ k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6J k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 h1:SAElp8THCfmBdM+4lmWX5gebiSSkEr7PAYDVF91qpfg= pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732/go.mod h1:lpvCfhqEHNJSSpG5R5A2EgsVzG8RTt4RfPoQuRAcDmg= -sigs.k8s.io/controller-runtime v0.20.2 h1:/439OZVxoEc02psi1h4QO3bHzTgu49bb347Xp4gW1pc= -sigs.k8s.io/controller-runtime v0.20.2/go.mod h1:xg2XB0K5ShQzAgsoujxuKN4LNXR2LfwwHsPj7Iaw+XY= +sigs.k8s.io/controller-runtime v0.19.3 h1:XO2GvC9OPftRst6xWCpTgBZO04S2cbp0Qqkj8bX1sPw= +sigs.k8s.io/controller-runtime v0.19.3/go.mod h1:j4j87DqtsThvwTv5/Tc5NFRyyF/RF0ip4+62tbTSIUM= sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8= sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo= sigs.k8s.io/kustomize/api v0.18.0 h1:hTzp67k+3NEVInwz5BHyzc9rGxIauoXferXyjv5lWPo= diff --git a/go.work b/go.work new file mode 100644 index 000000000..76d1a6369 --- /dev/null +++ b/go.work @@ -0,0 +1,7 @@ +go 1.23.4 + +use ( + . + ./images/kube-webhook-certgen/rootfs + ./magefiles +) diff --git a/go.work.sum b/go.work.sum new file mode 100644 index 000000000..825d0335a --- /dev/null +++ b/go.work.sum @@ -0,0 +1,146 @@ +cel.dev/expr v0.18.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw= +cloud.google.com/go/compute v1.23.3/go.mod h1:VCgBUoMnIVIR0CscqQiPJLAG25E3ZRZMzcFZeQ+h8CI= +cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= +cloud.google.com/go/compute/metadata v0.5.2/go.mod h1:C66sj2AluDcIqakBq/M8lw8/ybHgOZqin2obFxa/E5k= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.24.2/go.mod h1:itPGVDKf9cC/ov4MdvJ2QZ0khw4bfoo9jzwTJlaxy2k= +github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= +github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c= +github.com/alecthomas/kingpin/v2 v2.4.0/go.mod h1:0gyi0zQnjuFk8xrkNKamJoyUo382HRL7ATRpFZCw6tE= +github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE= +github.com/andybalholm/brotli v1.1.0/go.mod h1:sms7XGricyQI9K10gOSf56VKKWS4oLer58Q+mhRPtnY= +github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= +github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= +github.com/bytedance/sonic v1.9.1/go.mod h1:i736AoUSYt75HyZLoJW9ERYxcy6eaN6h4BZXU064P/U= +github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= +github.com/checkpoint-restore/go-criu/v6 v6.3.0/go.mod h1:rrRTN/uSwY2X+BPRl/gkulo9gsKOSAeVp9/K2tv7xZI= +github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311/go.mod h1:b583jCggY9gE99b6G5LEC39OIiVsWj+R97kbl5odCEk= +github.com/chzyer/logex v1.2.1/go.mod h1:JLbx6lG2kDbNRFnfkgvh4eRJRPX1QCoOIWomwysCBrQ= +github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObkaSkeBlk= +github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8= +github.com/cilium/ebpf v0.16.0/go.mod h1:L7u2Blt2jMM/vLAVgjxluxtBKlz3/GWjB0dMOEngfwE= +github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= +github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/containerd/console v1.0.4/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk= +github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= +github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec= +github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5/go.mod h1:qssHWj60/X5sZFNxpG4HBPDHVqxNm4DfnCKgrbZOT+s= +github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= +github.com/envoyproxy/go-control-plane v0.13.1/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw= +github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= +github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/gabriel-vasile/mimetype v1.4.2/go.mod h1:zApsH/mKG4w07erKIaJPFiX0Tsq9BFQgN3qGY5GnNgA= +github.com/getsentry/sentry-go v0.21.0/go.mod h1:lc76E2QywIyW8WuBnwl8Lc4bkmQH4+w1gwTf25trprY= +github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI= +github.com/gin-gonic/gin v1.9.1/go.mod h1:hPrL7YrpYKXt5YId3A/Tnip5kqbEAP+KLuI3SUcPTeU= +github.com/go-kit/log v0.2.1/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0= +github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= +github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= +github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY= +github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY= +github.com/go-playground/validator/v10 v10.14.0/go.mod h1:9iXMNT7sEkjXb0I+enO7QXmzG6QCsPWY4zveKFVRSyU= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= +github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= +github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang/glog v1.2.2/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/google/cel-go v0.22.0/go.mod h1:BuznPXXfQDpXKWQ9sPW3TzlAJN5zzFe+i9tIs0yC4s8= +github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= +github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= +github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k= +github.com/ianlancetaylor/demangle v0.0.0-20240312041847-bd984b5ce465/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw= +github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= +github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc= +github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= +github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= +github.com/klauspost/cpuid/v2 v2.2.4/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY= +github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= +github.com/labstack/echo/v4 v4.10.2/go.mod h1:OEyqf2//K1DFdE57vw2DRgWY0M7s65IVQO2FzvI4J5k= +github.com/labstack/gommon v0.4.0/go.mod h1:uW6kP17uPlLJsD3ijUYn3/M5bAxtlZhMI6m3MFxTMTM= +github.com/leodido/go-urn v1.2.4/go.mod h1:7ZrI8mTSeBSHl/UaRyKQW1qZeMgak41ANeCNaVckg+4= +github.com/maxbrunsfeld/counterfeiter/v6 v6.8.1/go.mod h1:eyp4DdUJAKkr9tvxR3jWhw2mDK7CWABMG5r9uyaKC7I= +github.com/mholt/archiver/v3 v3.5.1/go.mod h1:e3dqJ7H78uzsRSEACH1joayhuSyhnonssnDhppzS1L4= +github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI= +github.com/moby/sys/user v0.3.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs= +github.com/mrunalp/fileutils v0.5.1/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= +github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/ncabatoff/fakescraper v0.0.0-20201102132415-4b37ba603d65/go.mod h1:Tx6UMSMyIsjLG/VU/F6xA1+0XI+/f9o1dGJnf1l+bPg= +github.com/nwaples/rardecode v1.1.3/go.mod h1:5DzqNKiOdpKKBH87u8VlvAnPZMXcGRhxWkRpHbbfGS0= +github.com/onsi/ginkgo/v2 v2.20.1/go.mod h1:lG9ey2Z29hR41WMVthyJBGUBcBhGOtoPF2VFMvBXFCI= +github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo= +github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= +github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec= +github.com/pelletier/go-toml/v2 v2.0.8/go.mod h1:vuYfssBdrU2XDZ9bYydBu6t+6a6PYNcZljzZR9VXg+4= +github.com/pierrec/lz4/v4 v4.1.21/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= +github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI= +github.com/prometheus/exporter-toolkit v0.11.0/go.mod h1:BVnENhnNecpwoTLiABx7mrPB/OLRIgN74qlQbV+FK1Q= +github.com/seccomp/libseccomp-golang v0.10.0/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= +github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0= +github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= +github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk= +github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08= +github.com/ugorji/go/codec v1.2.11/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg= +github.com/ulikunitz/xz v0.5.12/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= +github.com/urfave/cli v1.22.14/go.mod h1:X0eDS6pD6Exaclxm99NJ3FiCDRED7vIHpx2mDOHLvkA= +github.com/uwu-tools/magex v0.10.0/go.mod h1:TrSEhrL1xHfJVy6n05AUwFdcQndgwrbgL5ybPNKWmVY= +github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= +github.com/valyala/fasttemplate v1.2.2/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+qRAEEKiv+SiQ= +github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= +github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU= +github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU= +github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos= +github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +go.etcd.io/bbolt v1.3.11/go.mod h1:dksAq7YMXoljX0xu6VF5DMZGbhYYoLUalEiSySYAS4I= +go.etcd.io/etcd/api/v3 v3.5.16/go.mod h1:1P4SlIP/VwkDmGo3OlOD7faPeP8KDIFhqvciH5EfN28= +go.etcd.io/etcd/client/pkg/v3 v3.5.16/go.mod h1:V8acl8pcEK0Y2g19YlOV9m9ssUe6MgiDSobSoaBAM0E= +go.etcd.io/etcd/client/v2 v2.305.16/go.mod h1:h9YxWCzcdvZENbfzBTFCnoNumr2ax3F19sKMqHFmXHE= +go.etcd.io/etcd/client/v3 v3.5.16/go.mod h1:X+rExSGkyqxvu276cr2OwPLBaeqFu1cIl4vmRjAD/50= +go.etcd.io/etcd/pkg/v3 v3.5.16/go.mod h1:+lutCZHG5MBBFI/U4eYT5yL7sJfnexsoM20Y0t2uNuY= +go.etcd.io/etcd/raft/v3 v3.5.16/go.mod h1:P4UP14AxofMJ/54boWilabqqWoW9eLodl6I5GdGzazI= +go.etcd.io/etcd/server/v3 v3.5.16/go.mod h1:ynhyZZpdDp1Gq49jkUg5mfkDWZwXnn3eIqCqtJnrD/s= +go.opentelemetry.io/contrib/detectors/gcp v1.31.0/go.mod h1:tzQL6E1l+iV44YFTkcAeNQqzXUiekSYP9jjJjXwEd00= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0/go.mod h1:MOiCmryaYtc+V0Ei+Tx9o5S1ZjA7kzLucuVuyzBZloQ= +go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= +golang.org/x/arch v0.3.0/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8= +golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= +golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs= +golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/telemetry v0.0.0-20240521205824-bda55230c457/go.mod h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0= +golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= +golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= +golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0= +google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80/go.mod h1:cc8bqMqtv9gMOr0zHg2Vzff5ULhhL2IXP4sbcn32Dro= +google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53/go.mod h1:riSXTwQ4+nqmPGtobMFyW5FqVAmIs0St6VPp4Ug7CE4= +gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc= +gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +k8s.io/kms v0.32.0/go.mod h1:Bk2evz/Yvk0oVrvm4MvZbgq8BD34Ksxs2SRHn4/UiOM= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= diff --git a/hack/manifest-templates/provider/kind/values.yaml b/hack/manifest-templates/provider/kind/values.yaml index 6140f6500..ed636f372 100644 --- a/hack/manifest-templates/provider/kind/values.yaml +++ b/hack/manifest-templates/provider/kind/values.yaml @@ -8,9 +8,11 @@ controller: enabled: true terminationGracePeriodSeconds: 0 service: - type: LoadBalancer + type: NodePort watchIngressWithoutClass: true + nodeSelector: + ingress-ready: "true" tolerations: - key: "node-role.kubernetes.io/master" operator: "Equal" diff --git a/hack/verify-lualint.sh b/hack/verify-lualint.sh index 769d7a6cd..1f6048de0 100755 --- a/hack/verify-lualint.sh +++ b/hack/verify-lualint.sh @@ -18,13 +18,6 @@ set -o errexit set -o nounset set -o pipefail -luacheck --codes --globals lua_ingress \ - --globals configuration \ - --globals balancer \ - --globals monitor \ - --globals certificate \ - --globals tcp_udp_configuration \ - --globals tcp_udp_balancer \ - --no-max-comment-line-length -q rootfs/etc/nginx/lua/ +luacheck --codes -q rootfs/etc/nginx/lua/ find rootfs/etc/nginx/lua/ -name "*.lua" -not -path "*/test/*" -exec lj-releng -L -s {} + && echo "lj-releng validation is success!" diff --git a/images/cfssl/TAG b/images/cfssl/TAG index 56130fb3a..795460fce 100644 --- a/images/cfssl/TAG +++ b/images/cfssl/TAG @@ -1 +1 @@ -v1.1.1 +v1.1.0 diff --git a/images/cfssl/cloudbuild.yaml b/images/cfssl/cloudbuild.yaml index 33fafdb08..658921d1a 100644 --- a/images/cfssl/cloudbuild.yaml +++ b/images/cfssl/cloudbuild.yaml @@ -2,9 +2,9 @@ options: # Ignore Prow provided substitutions. substitution_option: ALLOW_LOOSE steps: - - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20250116-2a05ea7e3d + - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20241217-ff46a068cd env: - - REGISTRY=us-central1-docker.pkg.dev/k8s-staging-images/ingress-nginx + - REGISTRY=gcr.io/k8s-staging-ingress-nginx entrypoint: bash args: - -c diff --git a/images/custom-error-pages/TAG b/images/custom-error-pages/TAG index 56130fb3a..795460fce 100644 --- a/images/custom-error-pages/TAG +++ b/images/custom-error-pages/TAG @@ -1 +1 @@ -v1.1.1 +v1.1.0 diff --git a/images/custom-error-pages/cloudbuild.yaml b/images/custom-error-pages/cloudbuild.yaml index 324a8f19a..7a583e69d 100644 --- a/images/custom-error-pages/cloudbuild.yaml +++ b/images/custom-error-pages/cloudbuild.yaml @@ -2,9 +2,9 @@ options: # Ignore Prow provided substitutions. substitution_option: ALLOW_LOOSE steps: - - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20250116-2a05ea7e3d + - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20241217-ff46a068cd env: - - REGISTRY=us-central1-docker.pkg.dev/k8s-staging-images/ingress-nginx + - REGISTRY=gcr.io/k8s-staging-ingress-nginx entrypoint: bash args: - -c diff --git a/images/custom-error-pages/rootfs/go.mod b/images/custom-error-pages/rootfs/go.mod index 5c0377284..274b81ab1 100644 --- a/images/custom-error-pages/rootfs/go.mod +++ b/images/custom-error-pages/rootfs/go.mod @@ -1,6 +1,6 @@ module k8s.io/ingress-nginx/custom-error-pages -go 1.23.6 +go 1.23.4 require github.com/prometheus/client_golang v1.20.5 diff --git a/images/e2e-test-echo/TAG b/images/e2e-test-echo/TAG index 56130fb3a..795460fce 100644 --- a/images/e2e-test-echo/TAG +++ b/images/e2e-test-echo/TAG @@ -1 +1 @@ -v1.1.1 +v1.1.0 diff --git a/images/e2e-test-echo/cloudbuild.yaml b/images/e2e-test-echo/cloudbuild.yaml index 02bfc034a..a368f3489 100644 --- a/images/e2e-test-echo/cloudbuild.yaml +++ b/images/e2e-test-echo/cloudbuild.yaml @@ -2,9 +2,9 @@ options: # Ignore Prow provided substitutions. substitution_option: ALLOW_LOOSE steps: - - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20250116-2a05ea7e3d + - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20241217-ff46a068cd env: - - REGISTRY=us-central1-docker.pkg.dev/k8s-staging-images/ingress-nginx + - REGISTRY=gcr.io/k8s-staging-ingress-nginx entrypoint: bash args: - -c diff --git a/images/ext-auth-example-authsvc/TAG b/images/ext-auth-example-authsvc/TAG index 56130fb3a..795460fce 100644 --- a/images/ext-auth-example-authsvc/TAG +++ b/images/ext-auth-example-authsvc/TAG @@ -1 +1 @@ -v1.1.1 +v1.1.0 diff --git a/images/ext-auth-example-authsvc/rootfs/go.mod b/images/ext-auth-example-authsvc/rootfs/go.mod index 5f33a86ff..f3e7ba804 100644 --- a/images/ext-auth-example-authsvc/rootfs/go.mod +++ b/images/ext-auth-example-authsvc/rootfs/go.mod @@ -1,7 +1,7 @@ module example.com/authsvc -go 1.23.6 +go 1.23.4 -require k8s.io/apimachinery v0.32.2 +require k8s.io/apimachinery v0.32.0 require github.com/google/uuid v1.6.0 // indirect diff --git a/images/ext-auth-example-authsvc/rootfs/go.sum b/images/ext-auth-example-authsvc/rootfs/go.sum index 770c22f6a..8984e1828 100644 --- a/images/ext-auth-example-authsvc/rootfs/go.sum +++ b/images/ext-auth-example-authsvc/rootfs/go.sum @@ -1,4 +1,4 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -k8s.io/apimachinery v0.32.2 h1:yoQBR9ZGkA6Rgmhbp/yuT9/g+4lxtsGYwW6dR6BDPLQ= -k8s.io/apimachinery v0.32.2/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE= +k8s.io/apimachinery v0.32.0 h1:cFSE7N3rmEEtv4ei5X6DaJPHHX0C+upp+v5lVPiEwpg= +k8s.io/apimachinery v0.32.0/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE= diff --git a/images/fastcgi-helloserver/TAG b/images/fastcgi-helloserver/TAG index 56130fb3a..795460fce 100644 --- a/images/fastcgi-helloserver/TAG +++ b/images/fastcgi-helloserver/TAG @@ -1 +1 @@ -v1.1.1 +v1.1.0 diff --git a/images/fastcgi-helloserver/cloudbuild.yaml b/images/fastcgi-helloserver/cloudbuild.yaml index c2c6135df..289a59c2d 100644 --- a/images/fastcgi-helloserver/cloudbuild.yaml +++ b/images/fastcgi-helloserver/cloudbuild.yaml @@ -2,9 +2,9 @@ options: # Ignore Prow provided substitutions. substitution_option: ALLOW_LOOSE steps: - - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20250116-2a05ea7e3d + - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20241217-ff46a068cd env: - - REGISTRY=us-central1-docker.pkg.dev/k8s-staging-images/ingress-nginx + - REGISTRY=gcr.io/k8s-staging-ingress-nginx entrypoint: bash args: - -c diff --git a/images/go-grpc-greeter-server/TAG b/images/go-grpc-greeter-server/TAG index 56130fb3a..795460fce 100644 --- a/images/go-grpc-greeter-server/TAG +++ b/images/go-grpc-greeter-server/TAG @@ -1 +1 @@ -v1.1.1 +v1.1.0 diff --git a/images/httpbun/TAG b/images/httpbun/TAG index 56130fb3a..795460fce 100644 --- a/images/httpbun/TAG +++ b/images/httpbun/TAG @@ -1 +1 @@ -v1.1.1 +v1.1.0 diff --git a/images/httpbun/cloudbuild.yaml b/images/httpbun/cloudbuild.yaml index c56820d15..cd3df273d 100644 --- a/images/httpbun/cloudbuild.yaml +++ b/images/httpbun/cloudbuild.yaml @@ -2,9 +2,9 @@ options: # Ignore Prow provided substitutions. substitution_option: ALLOW_LOOSE steps: - - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20250116-2a05ea7e3d + - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20241217-ff46a068cd env: - - REGISTRY=us-central1-docker.pkg.dev/k8s-staging-images/ingress-nginx + - REGISTRY=gcr.io/k8s-staging-ingress-nginx entrypoint: bash args: - -c diff --git a/images/kube-webhook-certgen/TAG b/images/kube-webhook-certgen/TAG index 53b5bbb12..2e7bd9108 100644 --- a/images/kube-webhook-certgen/TAG +++ b/images/kube-webhook-certgen/TAG @@ -1 +1 @@ -v1.5.1 +v1.5.0 diff --git a/images/kube-webhook-certgen/cloudbuild.yaml b/images/kube-webhook-certgen/cloudbuild.yaml index e4118ff88..443f24d0c 100644 --- a/images/kube-webhook-certgen/cloudbuild.yaml +++ b/images/kube-webhook-certgen/cloudbuild.yaml @@ -2,9 +2,9 @@ options: # Ignore Prow provided substitutions. substitution_option: ALLOW_LOOSE steps: - - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20250116-2a05ea7e3d + - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20241217-ff46a068cd env: - - REGISTRY=us-central1-docker.pkg.dev/k8s-staging-images/ingress-nginx + - REGISTRY=gcr.io/k8s-staging-ingress-nginx entrypoint: bash args: - -c diff --git a/images/kube-webhook-certgen/rootfs/go.mod b/images/kube-webhook-certgen/rootfs/go.mod index 2b8567748..46d7747c5 100644 --- a/images/kube-webhook-certgen/rootfs/go.mod +++ b/images/kube-webhook-certgen/rootfs/go.mod @@ -1,15 +1,15 @@ module github.com/jet/kube-webhook-certgen -go 1.23.6 +go 1.23.4 require ( github.com/onrik/logrus v0.11.0 github.com/sirupsen/logrus v1.9.3 - github.com/spf13/cobra v1.9.1 - k8s.io/api v0.32.2 - k8s.io/apimachinery v0.32.2 - k8s.io/client-go v0.32.2 - k8s.io/kube-aggregator v0.32.2 + github.com/spf13/cobra v1.8.1 + k8s.io/api v0.32.0 + k8s.io/apimachinery v0.32.0 + k8s.io/client-go v0.32.0 + k8s.io/kube-aggregator v0.32.0 ) require ( @@ -33,10 +33,10 @@ require ( github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect - github.com/onsi/ginkgo/v2 v2.22.2 // indirect - github.com/onsi/gomega v1.36.2 // indirect + github.com/onsi/ginkgo/v2 v2.22.1 // indirect + github.com/onsi/gomega v1.36.1 // indirect github.com/pkg/errors v0.9.1 // indirect - github.com/spf13/pflag v1.0.6 // indirect + github.com/spf13/pflag v1.0.5 // indirect github.com/x448/float16 v0.8.4 // indirect golang.org/x/net v0.33.0 // indirect golang.org/x/oauth2 v0.23.0 // indirect @@ -44,7 +44,7 @@ require ( golang.org/x/term v0.27.0 // indirect golang.org/x/text v0.21.0 // indirect golang.org/x/time v0.7.0 // indirect - google.golang.org/protobuf v1.36.1 // indirect + google.golang.org/protobuf v1.35.1 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect diff --git a/images/kube-webhook-certgen/rootfs/go.sum b/images/kube-webhook-certgen/rootfs/go.sum index 1c660f020..fee4d4e02 100644 --- a/images/kube-webhook-certgen/rootfs/go.sum +++ b/images/kube-webhook-certgen/rootfs/go.sum @@ -1,4 +1,4 @@ -github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= +github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= @@ -56,10 +56,10 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/onrik/logrus v0.11.0 h1:pu+BCaWL36t0yQaj/2UHK2erf88dwssAKOT51mxPUVs= github.com/onrik/logrus v0.11.0/go.mod h1:fO2vlZwIdti6PidD3gV5YKt9Lq5ptpnP293RAe1ITwk= -github.com/onsi/ginkgo/v2 v2.22.2 h1:/3X8Panh8/WwhU/3Ssa6rCKqPLuAkVY2I0RoyDLySlU= -github.com/onsi/ginkgo/v2 v2.22.2/go.mod h1:oeMosUL+8LtarXBHu/c0bx2D/K9zyQ6uX3cTyztHwsk= -github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8= -github.com/onsi/gomega v1.36.2/go.mod h1:DdwyADRjrc825LhMEkD76cHR5+pUnjhUN8GlHlRPHzY= +github.com/onsi/ginkgo/v2 v2.22.1 h1:QW7tbJAUDyVDVOM5dFa7qaybo+CRfR7bemlQUN6Z8aM= +github.com/onsi/ginkgo/v2 v2.22.1/go.mod h1:S6aTpoRsSq2cZOd+pssHAlKW/Q/jZt6cPrPlnj4a1xM= +github.com/onsi/gomega v1.36.1 h1:bJDPBO7ibjxcbHMgSCoo4Yj18UWbKDlLwX1x9sybDcw= +github.com/onsi/gomega v1.36.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= @@ -70,10 +70,10 @@ github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo= -github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0= -github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o= -github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= +github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= @@ -129,8 +129,8 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/protobuf v1.36.1 h1:yBPeRvTftaleIgM3PZ/WBIZ7XM/eEYAaEyCwvyjq/gk= -google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA= +google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= @@ -141,16 +141,16 @@ gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.32.2 h1:bZrMLEkgizC24G9eViHGOPbW+aRo9duEISRIJKfdJuw= -k8s.io/api v0.32.2/go.mod h1:hKlhk4x1sJyYnHENsrdCWw31FEmCijNGPJO5WzHiJ6Y= -k8s.io/apimachinery v0.32.2 h1:yoQBR9ZGkA6Rgmhbp/yuT9/g+4lxtsGYwW6dR6BDPLQ= -k8s.io/apimachinery v0.32.2/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE= -k8s.io/client-go v0.32.2 h1:4dYCD4Nz+9RApM2b/3BtVvBHw54QjMFUl1OLcJG5yOA= -k8s.io/client-go v0.32.2/go.mod h1:fpZ4oJXclZ3r2nDOv+Ux3XcJutfrwjKTCHz2H3sww94= +k8s.io/api v0.32.0 h1:OL9JpbvAU5ny9ga2fb24X8H6xQlVp+aJMFlgtQjR9CE= +k8s.io/api v0.32.0/go.mod h1:4LEwHZEf6Q/cG96F3dqR965sYOfmPM7rq81BLgsE0p0= +k8s.io/apimachinery v0.32.0 h1:cFSE7N3rmEEtv4ei5X6DaJPHHX0C+upp+v5lVPiEwpg= +k8s.io/apimachinery v0.32.0/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE= +k8s.io/client-go v0.32.0 h1:DimtMcnN/JIKZcrSrstiwvvZvLjG0aSxy8PxN8IChp8= +k8s.io/client-go v0.32.0/go.mod h1:boDWvdM1Drk4NJj/VddSLnx59X3OPgwrOo0vGbtq9+8= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kube-aggregator v0.32.2 h1:kg9pke+i2qRbJwX1UKwZV4fsCRvmbaCEFk38R4FqHmw= -k8s.io/kube-aggregator v0.32.2/go.mod h1:rRm+xY1yIFIt3zBc727nG5SBLYywywD87klfIAw+7+c= +k8s.io/kube-aggregator v0.32.0 h1:5ZyMW3QwAbmkasQrROcpa5we3et938DQuyUYHeXSPao= +k8s.io/kube-aggregator v0.32.0/go.mod h1:6OKivf6Ypx44qu2v1ZUMrxH8kRp/8LKFKeJU72J18lU= k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJJ4JRdzg3+O6e8I+e+8T5Y= k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4= k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro= diff --git a/images/nginx/Makefile b/images/nginx/Makefile index 3cc14e5b3..3ed502759 100644 --- a/images/nginx/Makefile +++ b/images/nginx/Makefile @@ -24,7 +24,7 @@ INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh SHORT_SHA ?=$(shell git rev-parse --short HEAD) TAG ?=$(shell cat TAG) -REGISTRY ?= us-central1-docker.pkg.dev/k8s-staging-images/ingress-nginx +REGISTRY ?= gcr.io/k8s-staging-ingress-nginx IMAGE = $(REGISTRY)/nginx diff --git a/images/nginx/TAG b/images/nginx/TAG index 46b105a30..1474d00f0 100644 --- a/images/nginx/TAG +++ b/images/nginx/TAG @@ -1 +1 @@ -v2.0.0 +v0.2.0 diff --git a/images/nginx/cloudbuild.yaml b/images/nginx/cloudbuild.yaml index 2563692d7..4bf39adc8 100644 --- a/images/nginx/cloudbuild.yaml +++ b/images/nginx/cloudbuild.yaml @@ -4,9 +4,9 @@ options: # Ignore Prow provided substitutions. substitution_option: ALLOW_LOOSE steps: - - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20250116-2a05ea7e3d + - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20241217-ff46a068cd env: - - REGISTRY=us-central1-docker.pkg.dev/k8s-staging-images/ingress-nginx + - REGISTRY=gcr.io/k8s-staging-ingress-nginx entrypoint: bash args: - -c diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile index 834a9bcf3..078630170 100644 --- a/images/nginx/rootfs/Dockerfile +++ b/images/nginx/rootfs/Dockerfile @@ -51,8 +51,6 @@ RUN apk update \ tzdata \ grpc-cpp \ libprotobuf \ - abseil-cpp-crc-cpu-detect \ - abseil-cpp-vlog-config-internal \ && ln -s /usr/local/nginx/sbin/nginx /sbin/nginx \ && adduser -S -D -H -u 101 -h /usr/local/nginx \ -s /sbin/nologin -G www-data -g www-data www-data \ diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh index 297abf777..61469b32e 100755 --- a/images/nginx/rootfs/build.sh +++ b/images/nginx/rootfs/build.sh @@ -18,91 +18,96 @@ set -o errexit set -o nounset set -o pipefail -export NGINX_VERSION=1.27.1 +export NGINX_VERSION=1.25.5 # Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.3...master export NDK_VERSION=v0.3.3 # Check for recent changes: https://github.com/openresty/set-misc-nginx-module/compare/v0.33...master -export SETMISC_VERSION=v0.33 +export SETMISC_VERSION=796f5a3e518748eb29a93bd450324e0ad45b704e # Check for recent changes: https://github.com/openresty/headers-more-nginx-module/compare/v0.37...master export MORE_HEADERS_VERSION=v0.37 -# Check for recent changes: https://github.com/atomx/nginx-http-auth-digest/compare/v1.0.0...master +# Check for recent changes: https://github.com/atomx/nginx-http-auth-digest/compare/v1.0.0...atomx:master export NGINX_DIGEST_AUTH=v1.0.0 +# Check for recent changes: https://github.com/yaoweibin/ngx_http_substitutions_filter_module/compare/v0.6.4...master +export NGINX_SUBSTITUTIONS=e12e965ac1837ca709709f9a26f572a54d83430e + # Check for recent changes: https://github.com/SpiderLabs/ModSecurity-nginx/compare/v1.0.3...master export MODSECURITY_VERSION=v1.0.3 -# Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.13...v3/master -export MODSECURITY_LIB_VERSION=v3.0.13 +# Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.8...v3/master +export MODSECURITY_LIB_VERSION=v3.0.12 -# Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v4.10.0...main -export OWASP_MODSECURITY_CRS_VERSION=v4.10.0 +# Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v3.3.5...v4.0/main +export OWASP_MODSECURITY_CRS_VERSION=v4.4.0 -# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.27...master -export LUA_NGX_VERSION=v0.10.27 +# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.26``...master +export LUA_NGX_VERSION=v0.10.26 -# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/v0.0.15...master -export LUA_STREAM_NGX_VERSION=v0.0.15 +# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/bea8a0c0de94cede71554f53818ac0267d675d63...master +export LUA_STREAM_NGX_VERSION=bea8a0c0de94cede71554f53818ac0267d675d63 -# Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/v0.07...master -export LUA_UPSTREAM_VERSION=v0.07 +# Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/8aa93ead98ba2060d4efd594ae33a35d153589bf...master +export LUA_UPSTREAM_VERSION=542be0893543a4e42d89f6dd85372972f5ff2a36 -# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.14...master -export LUA_CJSON_VERSION=2.1.0.14 +# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.13...openresty:master +export LUA_CJSON_VERSION=2.1.0.13 -# Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/445df24ef3781e488cee3dfe8a1e111997fc1dfe...master -export GEOIP2_VERSION=445df24ef3781e488cee3dfe8a1e111997fc1dfe +# Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/a607a41a8115fecfc05b5c283c81532a3d605425...master +export GEOIP2_VERSION=a607a41a8115fecfc05b5c283c81532a3d605425 -# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20240815...v2.1-agentzh -export LUAJIT_VERSION=v2.1-20240815 +# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20240314...v2.1-agentzh +export LUAJIT_VERSION=v2.1-20240314 -# Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/v0.05...master -export LUA_RESTY_BALANCER=v0.05 +# Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/1cd4363c0a239afe4765ec607dcfbbb4e5900eea...master +export LUA_RESTY_BALANCER=1cd4363c0a239afe4765ec607dcfbbb4e5900eea -# Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/v0.15...master -export LUA_RESTY_CACHE=v0.15 +# Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/99e7578465b40f36f596d099b82eab404f2b42ed...master +export LUA_RESTY_CACHE=99e7578465b40f36f596d099b82eab404f2b42ed -# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.30...master -export LUA_RESTY_CORE=v0.1.30 +# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.27...master +export LUA_RESTY_CORE=v0.1.28 # Check for recent changes: https://github.com/cloudflare/lua-resty-cookie/compare/f418d77082eaef48331302e84330488fdc810ef4...master export LUA_RESTY_COOKIE_VERSION=f418d77082eaef48331302e84330488fdc810ef4 -# Check for recent changes: https://github.com/openresty/lua-resty-dns/compare/v0.23...master -export LUA_RESTY_DNS=v0.23 +# Check for recent changes: https://github.com/openresty/lua-resty-dns/compare/8bb53516e2933e61c317db740a9b7c2048847c2f...master +export LUA_RESTY_DNS=8bb53516e2933e61c317db740a9b7c2048847c2f -# Check for recent changes: https://github.com/ledgetech/lua-resty-http/compare/v0.17.2...master -export LUA_RESTY_HTTP=v0.17.2 +# Check for recent changes: https://github.com/ledgetech/lua-resty-http/compare/v0.17.1...master +export LUA_RESTY_HTTP=v0.17.1 # Check for recent changes: https://github.com/openresty/lua-resty-lock/compare/v0.09...master -export LUA_RESTY_LOCK=v0.09 +export LUA_RESTY_LOCK=405d0bf4cbfa74d742c6ed3158d442221e6212a9 # Check for recent changes: https://github.com/openresty/lua-resty-upload/compare/v0.11...master -export LUA_RESTY_UPLOAD_VERSION=v0.11 +export LUA_RESTY_UPLOAD_VERSION=979372cce011f3176af3c9aff53fd0e992c4bfd3 -# Check for recent changes: https://github.com/openresty/lua-resty-string/compare/v0.16...master -export LUA_RESTY_STRING_VERSION=v0.16 +# Check for recent changes: https://github.com/openresty/lua-resty-string/compare/v0.15...master +export LUA_RESTY_STRING_VERSION=6f1bc21d86daef804df3cc34d6427ef68da26844 # Check for recent changes: https://github.com/openresty/lua-resty-memcached/compare/v0.17...master -export LUA_RESTY_MEMCACHED_VERSION=v0.17 +export LUA_RESTY_MEMCACHED_VERSION=2f02b68bf65fa2332cce070674a93a69a6c7239b -# Check for recent changes: https://github.com/openresty/lua-resty-redis/compare/v0.31...master -export LUA_RESTY_REDIS_VERSION=v0.31 +# Check for recent changes: https://github.com/openresty/lua-resty-redis/compare/v0.30...master +export LUA_RESTY_REDIS_VERSION=8641b9f1b6f75cca50c90cf8ca5c502ad8950aa8 -# Check for recent changes: https://github.com/api7/lua-resty-ipmatcher/compare/3e93c53eb8c9884efe939ef070486a0e507cc5be...master +# Check for recent changes: https://github.com/api7/lua-resty-ipmatcher/compare/v0.6.1...master export LUA_RESTY_IPMATCHER_VERSION=3e93c53eb8c9884efe939ef070486a0e507cc5be -# Check for recent changes: https://github.com/microsoft/mimalloc/compare/v2.1.9...master -export MIMALOC_VERSION=v2.1.9 +# Check for recent changes: https://github.com/ElvinEfendi/lua-resty-global-throttle/compare/v0.2.0...main +export LUA_RESTY_GLOBAL_THROTTLE_VERSION=v0.2.0 -# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp/compare/v1.18.0...main -export OPENTELEMETRY_CPP_VERSION=v1.18.0 +# Check for recent changes: https://github.com/microsoft/mimalloc/compare/v2.1.7...master +export MIMALOC_VERSION=v2.1.7 -# Check for recent changes: https://github.com/open-telemetry/opentelemetry-proto/compare/v1.5.0...main -export OPENTELEMETRY_PROTO_VERSION=v1.5.0 +# Check on https://github.com/open-telemetry/opentelemetry-cpp +export OPENTELEMETRY_CPP_VERSION="v1.11.0" +# Check on https://github.com/open-telemetry/opentelemetry-proto +export OPENTELEMETRY_PROTO_VERSION="v1.1.0" export BUILD_PATH=/tmp/build @@ -211,6 +216,9 @@ get_src 0c0d2ced2ce895b3f45eb2b230cd90508ab2a773299f153de14a43e44c1209b3 \ get_src f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b \ "https://github.com/atomx/nginx-http-auth-digest/archive/$NGINX_DIGEST_AUTH.tar.gz" "nginx-http-auth-digest" +get_src a98b48947359166326d58700ccdc27256d2648218072da138ab6b47de47fbd8f \ + "https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/$NGINX_SUBSTITUTIONS.tar.gz" "ngx_http_substitutions_filter_module" + get_src 32a42256616cc674dca24c8654397390adff15b888b77eb74e0687f023c8751b \ "https://github.com/SpiderLabs/ModSecurity-nginx/archive/$MODSECURITY_VERSION.tar.gz" "ModSecurity-nginx" @@ -268,6 +276,9 @@ get_src c15aed1a01c88a3a6387d9af67a957dff670357f5fdb4ee182beb44635eef3f1 \ get_src efb767487ea3f6031577b9b224467ddbda2ad51a41c5867a47582d4ad85d609e \ "https://github.com/api7/lua-resty-ipmatcher/archive/$LUA_RESTY_IPMATCHER_VERSION.tar.gz" "lua-resty-ipmatcher" +get_src 0fb790e394510e73fdba1492e576aaec0b8ee9ef08e3e821ce253a07719cf7ea \ + "https://github.com/ElvinEfendi/lua-resty-global-throttle/archive/$LUA_RESTY_GLOBAL_THROTTLE_VERSION.tar.gz" "lua-resty-global-throttle" + get_src d74f86ada2329016068bc5a243268f1f555edd620b6a7d6ce89295e7d6cf18da \ "https://github.com/microsoft/mimalloc/archive/${MIMALOC_VERSION}.tar.gz" "mimalloc" @@ -318,7 +329,8 @@ git config --global --add core.compression -1 cd "$BUILD_PATH" git clone --depth=100 https://github.com/google/ngx_brotli.git cd ngx_brotli -git reset --hard a71f9312c2deb28875acc7bacfdd5695a111aa53 +# https://github.com/google/ngx_brotli/issues/156 +git reset --hard 63ca02abdcf79c9e788d2eedcc388d2335902e52 git submodule init git submodule update @@ -483,6 +495,7 @@ WITH_MODULES=" \ --add-module=$BUILD_PATH/ngx_devel_kit \ --add-module=$BUILD_PATH/set-misc-nginx-module \ --add-module=$BUILD_PATH/headers-more-nginx-module \ + --add-module=$BUILD_PATH/ngx_http_substitutions_filter_module \ --add-module=$BUILD_PATH/lua-nginx-module \ --add-module=$BUILD_PATH/stream-lua-nginx-module \ --add-module=$BUILD_PATH/lua-upstream-nginx-module \ @@ -520,8 +533,7 @@ make make modules make install -# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp-contrib/compare/8933841f0a7f8737f61404cf0a64acf6b079c8a5...main -export OPENTELEMETRY_CONTRIB_COMMIT=8933841f0a7f8737f61404cf0a64acf6b079c8a5 +export OPENTELEMETRY_CONTRIB_COMMIT=e11348bb400d5472bf1da5d6128bead66fa111ff cd "$BUILD_PATH" git clone https://github.com/open-telemetry/opentelemetry-cpp-contrib.git opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT} @@ -594,6 +606,9 @@ make install cd "$BUILD_PATH/lua-resty-ipmatcher" INST_LUADIR=/usr/local/lib/lua make install +cd "$BUILD_PATH/lua-resty-global-throttle" +make install + cd "$BUILD_PATH/mimalloc" mkdir -p out/release cd out/release diff --git a/images/nginx/rootfs/patches/01_nginx-1.27.1-win32_max_err_str.patch b/images/nginx/rootfs/patches/01_nginx-1.25.3-win32_max_err_str.patch similarity index 100% rename from images/nginx/rootfs/patches/01_nginx-1.27.1-win32_max_err_str.patch rename to images/nginx/rootfs/patches/01_nginx-1.25.3-win32_max_err_str.patch diff --git a/images/nginx/rootfs/patches/02_nginx-1.27.1-stream_balancer_export.patch b/images/nginx/rootfs/patches/02_nginx-1.25.3-stream_balancer_export.patch similarity index 100% rename from images/nginx/rootfs/patches/02_nginx-1.27.1-stream_balancer_export.patch rename to images/nginx/rootfs/patches/02_nginx-1.25.3-stream_balancer_export.patch diff --git a/images/nginx/rootfs/patches/03_nginx-1.27.1-stream_proxy_get_next_upstream_tries.patch b/images/nginx/rootfs/patches/03_nginx-1.25.3-stream_proxy_get_next_upstream_tries.patch similarity index 100% rename from images/nginx/rootfs/patches/03_nginx-1.27.1-stream_proxy_get_next_upstream_tries.patch rename to images/nginx/rootfs/patches/03_nginx-1.25.3-stream_proxy_get_next_upstream_tries.patch diff --git a/images/nginx/rootfs/patches/04_nginx-1.27.1-stream_proxy_timeout_fields.patch b/images/nginx/rootfs/patches/04_nginx-1.25.3-stream_proxy_timeout_fields.patch similarity index 92% rename from images/nginx/rootfs/patches/04_nginx-1.27.1-stream_proxy_timeout_fields.patch rename to images/nginx/rootfs/patches/04_nginx-1.25.3-stream_proxy_timeout_fields.patch index e205abb8b..39c59e206 100644 --- a/images/nginx/rootfs/patches/04_nginx-1.27.1-stream_proxy_timeout_fields.patch +++ b/images/nginx/rootfs/patches/04_nginx-1.25.3-stream_proxy_timeout_fields.patch @@ -1,6 +1,6 @@ -diff -u -r -p -Naur nginx-1.27.1/src/stream/ngx_stream.h nginx-1.27.1-patched/src/stream/ngx_stream.h ---- nginx-1.27.1/src/stream/ngx_stream.h 2021-11-04 21:27:55.288708527 +0800 -+++ nginx-1.27.1-patched/src/stream/ngx_stream.h 2021-11-04 21:28:50.768035209 +0800 +diff -u -r -p -Naur nginx-1.25.3/src/stream/ngx_stream.h nginx-1.25.3-patched/src/stream/ngx_stream.h +--- nginx-1.25.3/src/stream/ngx_stream.h 2021-11-04 21:27:55.288708527 +0800 ++++ nginx-1.25.3-patched/src/stream/ngx_stream.h 2021-11-04 21:28:50.768035209 +0800 @@ -254,6 +254,15 @@ typedef struct { } ngx_stream_module_t; @@ -25,9 +25,9 @@ diff -u -r -p -Naur nginx-1.27.1/src/stream/ngx_stream.h nginx-1.27.1-patched/sr typedef ngx_int_t (*ngx_stream_filter_pt)(ngx_stream_session_t *s, -diff -u -r -p -Naur nginx-1.27.1/src/stream/ngx_stream_proxy_module.c nginx-1.27.1-patched/src/stream/ngx_stream_proxy_module.c ---- nginx-1.27.1/src/stream/ngx_stream_proxy_module.c 2021-11-04 21:27:55.289708533 +0800 -+++ nginx-1.27.1-patched/src/stream/ngx_stream_proxy_module.c 2021-11-04 21:37:03.578936990 +0800 +diff -u -r -p -Naur nginx-1.25.3/src/stream/ngx_stream_proxy_module.c nginx-1.25.3-patched/src/stream/ngx_stream_proxy_module.c +--- nginx-1.25.3/src/stream/ngx_stream_proxy_module.c 2021-11-04 21:27:55.289708533 +0800 ++++ nginx-1.25.3-patched/src/stream/ngx_stream_proxy_module.c 2021-11-04 21:37:03.578936990 +0800 @@ -400,6 +400,7 @@ ngx_stream_proxy_handler(ngx_stream_sess ngx_stream_proxy_srv_conf_t *pscf; ngx_stream_upstream_srv_conf_t *uscf, **uscfp; diff --git a/images/nginx/rootfs/patches/05_nginx-1.27.1-stream_ssl_preread_no_skip.patch b/images/nginx/rootfs/patches/05_nginx-1.25.3-stream_ssl_preread_no_skip.patch similarity index 100% rename from images/nginx/rootfs/patches/05_nginx-1.27.1-stream_ssl_preread_no_skip.patch rename to images/nginx/rootfs/patches/05_nginx-1.25.3-stream_ssl_preread_no_skip.patch diff --git a/images/nginx/rootfs/patches/06_nginx-1.27.1-resolver_conf_parsing.patch b/images/nginx/rootfs/patches/06_nginx-1.25.3-resolver_conf_parsing.patch similarity index 100% rename from images/nginx/rootfs/patches/06_nginx-1.27.1-resolver_conf_parsing.patch rename to images/nginx/rootfs/patches/06_nginx-1.25.3-resolver_conf_parsing.patch diff --git a/images/nginx/rootfs/patches/07_nginx-1.27.1-daemon_destroy_pool.patch b/images/nginx/rootfs/patches/07_nginx-1.25.3-daemon_destroy_pool.patch similarity index 100% rename from images/nginx/rootfs/patches/07_nginx-1.27.1-daemon_destroy_pool.patch rename to images/nginx/rootfs/patches/07_nginx-1.25.3-daemon_destroy_pool.patch diff --git a/images/nginx/rootfs/patches/08_nginx-1.27.1-init_cycle_pool_release.patch b/images/nginx/rootfs/patches/08_nginx-1.25.3-init_cycle_pool_release.patch similarity index 65% rename from images/nginx/rootfs/patches/08_nginx-1.27.1-init_cycle_pool_release.patch rename to images/nginx/rootfs/patches/08_nginx-1.25.3-init_cycle_pool_release.patch index 4a26b92c5..bd2e9a7d9 100644 --- a/images/nginx/rootfs/patches/08_nginx-1.27.1-init_cycle_pool_release.patch +++ b/images/nginx/rootfs/patches/08_nginx-1.25.3-init_cycle_pool_release.patch @@ -1,6 +1,6 @@ -diff -rup nginx-1.27.1/src/core/nginx.c nginx-1.27.1-patched/src/core/nginx.c ---- nginx-1.27.1/src/core/nginx.c 2017-12-17 00:00:38.136470108 -0800 -+++ nginx-1.27.1-patched/src/core/nginx.c 2017-12-16 23:59:51.680958322 -0800 +diff -rup nginx-1.25.3/src/core/nginx.c nginx-1.25.3-patched/src/core/nginx.c +--- nginx-1.25.3/src/core/nginx.c 2017-12-17 00:00:38.136470108 -0800 ++++ nginx-1.25.3-patched/src/core/nginx.c 2017-12-16 23:59:51.680958322 -0800 @@ -186,6 +186,7 @@ static u_char *ngx_prefix; static u_char *ngx_conf_file; static u_char *ngx_conf_params; @@ -18,9 +18,9 @@ diff -rup nginx-1.27.1/src/core/nginx.c nginx-1.27.1-patched/src/core/nginx.c if (ngx_save_argv(&init_cycle, argc, argv) != NGX_OK) { return 1; } -diff -rup nginx-1.27.1/src/core/ngx_core.h nginx-1.27.1-patched/src/core/ngx_core.h ---- nginx-1.27.1/src/core/ngx_core.h 2017-10-10 08:22:51.000000000 -0700 -+++ nginx-1.27.1-patched/src/core/ngx_core.h 2017-12-16 23:59:51.679958370 -0800 +diff -rup nginx-1.25.3/src/core/ngx_core.h nginx-1.25.3-patched/src/core/ngx_core.h +--- nginx-1.25.3/src/core/ngx_core.h 2017-10-10 08:22:51.000000000 -0700 ++++ nginx-1.25.3-patched/src/core/ngx_core.h 2017-12-16 23:59:51.679958370 -0800 @@ -108,4 +108,6 @@ void ngx_cpuinfo(void); #define NGX_DISABLE_SYMLINKS_NOTOWNER 2 #endif @@ -28,9 +28,9 @@ diff -rup nginx-1.27.1/src/core/ngx_core.h nginx-1.27.1-patched/src/core/ngx_cor +extern ngx_pool_t *saved_init_cycle_pool; + #endif /* _NGX_CORE_H_INCLUDED_ */ -diff -rup nginx-1.27.1/src/core/ngx_cycle.c nginx-1.27.1-patched/src/core/ngx_cycle.c ---- nginx-1.27.1/src/core/ngx_cycle.c 2017-10-10 08:22:51.000000000 -0700 -+++ nginx-1.27.1-patched/src/core/ngx_cycle.c 2017-12-16 23:59:51.678958419 -0800 +diff -rup nginx-1.25.3/src/core/ngx_cycle.c nginx-1.25.3-patched/src/core/ngx_cycle.c +--- nginx-1.25.3/src/core/ngx_cycle.c 2017-10-10 08:22:51.000000000 -0700 ++++ nginx-1.25.3-patched/src/core/ngx_cycle.c 2017-12-16 23:59:51.678958419 -0800 @@ -748,6 +748,10 @@ old_shm_zone_done: if (ngx_process == NGX_PROCESS_MASTER || ngx_is_init_cycle(old_cycle)) { @@ -42,9 +42,9 @@ diff -rup nginx-1.27.1/src/core/ngx_cycle.c nginx-1.27.1-patched/src/core/ngx_cy ngx_destroy_pool(old_cycle->pool); cycle->old_cycle = NULL; -diff -rup nginx-1.27.1/src/os/unix/ngx_process_cycle.c nginx-1.27.1-patched/src/os/unix/ngx_process_cycle.c ---- nginx-1.27.1/src/os/unix/ngx_process_cycle.c 2017-12-17 00:00:38.142469762 -0800 -+++ nginx-1.27.1-patched/src/os/unix/ngx_process_cycle.c 2017-12-16 23:59:51.691957791 -0800 +diff -rup nginx-1.25.3/src/os/unix/ngx_process_cycle.c nginx-1.25.3-patched/src/os/unix/ngx_process_cycle.c +--- nginx-1.25.3/src/os/unix/ngx_process_cycle.c 2017-12-17 00:00:38.142469762 -0800 ++++ nginx-1.25.3-patched/src/os/unix/ngx_process_cycle.c 2017-12-16 23:59:51.691957791 -0800 @@ -687,6 +692,11 @@ ngx_master_process_exit(ngx_cycle_t *cyc ngx_exit_cycle.files_n = ngx_cycle->files_n; ngx_cycle = &ngx_exit_cycle; diff --git a/images/nginx/rootfs/patches/09_nginx-1.27.1-balancer_status_code.patch b/images/nginx/rootfs/patches/09_nginx-1.25.3-balancer_status_code.patch similarity index 100% rename from images/nginx/rootfs/patches/09_nginx-1.27.1-balancer_status_code.patch rename to images/nginx/rootfs/patches/09_nginx-1.25.3-balancer_status_code.patch diff --git a/images/nginx/rootfs/patches/10_nginx-1.27.1-delayed_posted_events.patch b/images/nginx/rootfs/patches/10_nginx-1.25.3-delayed_posted_events.patch similarity index 100% rename from images/nginx/rootfs/patches/10_nginx-1.27.1-delayed_posted_events.patch rename to images/nginx/rootfs/patches/10_nginx-1.25.3-delayed_posted_events.patch diff --git a/images/nginx/rootfs/patches/11_nginx-1.27.1-privileged_agent_process.patch b/images/nginx/rootfs/patches/11_nginx-1.25.3-privileged_agent_process.patch similarity index 100% rename from images/nginx/rootfs/patches/11_nginx-1.27.1-privileged_agent_process.patch rename to images/nginx/rootfs/patches/11_nginx-1.25.3-privileged_agent_process.patch diff --git a/images/nginx/rootfs/patches/12_nginx-1.27.1-privileged_agent_process_connections.patch b/images/nginx/rootfs/patches/12_nginx-1.25.3-privileged_agent_process_connections.patch similarity index 100% rename from images/nginx/rootfs/patches/12_nginx-1.27.1-privileged_agent_process_connections.patch rename to images/nginx/rootfs/patches/12_nginx-1.25.3-privileged_agent_process_connections.patch diff --git a/images/nginx/rootfs/patches/13_nginx-1.27.1-privileged_agent_process_thread_pool.patch b/images/nginx/rootfs/patches/13_nginx-1.25.3-privileged_agent_process_thread_pool.patch similarity index 100% rename from images/nginx/rootfs/patches/13_nginx-1.27.1-privileged_agent_process_thread_pool.patch rename to images/nginx/rootfs/patches/13_nginx-1.25.3-privileged_agent_process_thread_pool.patch diff --git a/images/nginx/rootfs/patches/14_nginx-1.27.1-single_process_graceful_exit.patch b/images/nginx/rootfs/patches/14_nginx-1.25.3-single_process_graceful_exit.patch similarity index 100% rename from images/nginx/rootfs/patches/14_nginx-1.27.1-single_process_graceful_exit.patch rename to images/nginx/rootfs/patches/14_nginx-1.25.3-single_process_graceful_exit.patch diff --git a/images/nginx/rootfs/patches/15_nginx-1.27.1-intercept_error_log.patch b/images/nginx/rootfs/patches/15_nginx-1.25.3-intercept_error_log.patch similarity index 100% rename from images/nginx/rootfs/patches/15_nginx-1.27.1-intercept_error_log.patch rename to images/nginx/rootfs/patches/15_nginx-1.25.3-intercept_error_log.patch diff --git a/images/nginx/rootfs/patches/16_nginx-1.27.1-upstream_pipelining.patch b/images/nginx/rootfs/patches/16_nginx-1.25.3-upstream_pipelining.patch similarity index 100% rename from images/nginx/rootfs/patches/16_nginx-1.27.1-upstream_pipelining.patch rename to images/nginx/rootfs/patches/16_nginx-1.25.3-upstream_pipelining.patch diff --git a/images/nginx/rootfs/patches/17_nginx-1.27.1-no_error_pages.patch b/images/nginx/rootfs/patches/17_nginx-1.25.3-no_error_pages.patch similarity index 93% rename from images/nginx/rootfs/patches/17_nginx-1.27.1-no_error_pages.patch rename to images/nginx/rootfs/patches/17_nginx-1.25.3-no_error_pages.patch index 593fcefd6..aceb2e988 100644 --- a/images/nginx/rootfs/patches/17_nginx-1.27.1-no_error_pages.patch +++ b/images/nginx/rootfs/patches/17_nginx-1.25.3-no_error_pages.patch @@ -1,6 +1,6 @@ -diff -upr nginx-1.27.1/src/http/ngx_http_core_module.c nginx-1.27.1-patched/src/http/ngx_http_core_module.c ---- nginx-1.27.1/src/http/ngx_http_core_module.c 2017-08-31 18:14:41.000000000 -0700 -+++ nginx-1.27.1-patched/src/http/ngx_http_core_module.c 2017-08-31 18:21:31.638098196 -0700 +diff -upr nginx-1.25.3/src/http/ngx_http_core_module.c nginx-1.25.3-patched/src/http/ngx_http_core_module.c +--- nginx-1.25.3/src/http/ngx_http_core_module.c 2017-08-31 18:14:41.000000000 -0700 ++++ nginx-1.25.3-patched/src/http/ngx_http_core_module.c 2017-08-31 18:21:31.638098196 -0700 @@ -64,6 +64,8 @@ static char *ngx_http_core_directio(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); static char *ngx_http_core_error_page(ngx_conf_t *cf, ngx_command_t *cmd, diff --git a/images/nginx/rootfs/patches/18_nginx-1.25.3-no_Werror.patch b/images/nginx/rootfs/patches/18_nginx-1.25.3-no_Werror.patch new file mode 100644 index 000000000..f7176faff --- /dev/null +++ b/images/nginx/rootfs/patches/18_nginx-1.25.3-no_Werror.patch @@ -0,0 +1,36 @@ +diff -urp nginx-1.25.3/auto/cc/clang nginx-1.25.3-patched/auto/cc/clang +--- nginx-1.25.3/auto/cc/clang 2014-03-04 03:39:24.000000000 -0800 ++++ nginx-1.25.3-patched/auto/cc/clang 2014-03-13 20:54:26.241413360 -0700 +@@ -89,7 +89,7 @@ CFLAGS="$CFLAGS -Wconditional-uninitiali + CFLAGS="$CFLAGS -Wno-unused-parameter" + + # stop on warning +-CFLAGS="$CFLAGS -Werror" ++#CFLAGS="$CFLAGS -Werror" + + # debug + CFLAGS="$CFLAGS -g" +diff -urp nginx-1.25.3/auto/cc/gcc nginx-1.25.3-patched/auto/cc/gcc +--- nginx-1.25.3/auto/cc/gcc 2014-03-04 03:39:24.000000000 -0800 ++++ nginx-1.25.3-patched/auto/cc/gcc 2014-03-13 20:54:13.301355329 -0700 +@@ -168,7 +168,7 @@ esac + + + # stop on warning +-CFLAGS="$CFLAGS -Werror" ++#CFLAGS="$CFLAGS -Werror" + + # debug + CFLAGS="$CFLAGS -g" +diff -urp nginx-1.25.3/auto/cc/icc nginx-1.25.3-patched/auto/cc/icc +--- nginx-1.25.3/auto/cc/icc 2014-03-04 03:39:24.000000000 -0800 ++++ nginx-1.25.3-patched/auto/cc/icc 2014-03-13 20:54:13.301355329 -0700 +@@ -115,7 +115,7 @@ case "$NGX_ICC_VER" in + esac + + # stop on warning +-CFLAGS="$CFLAGS -Werror" ++#CFLAGS="$CFLAGS -Werror" + + # debug + CFLAGS="$CFLAGS -g" diff --git a/images/nginx/rootfs/patches/18_nginx-1.27.1-no_Werror.patch b/images/nginx/rootfs/patches/18_nginx-1.27.1-no_Werror.patch deleted file mode 100644 index d0aa7a31e..000000000 --- a/images/nginx/rootfs/patches/18_nginx-1.27.1-no_Werror.patch +++ /dev/null @@ -1,36 +0,0 @@ -diff -urp nginx-1.27.1/auto/cc/clang nginx-1.27.1-patched/auto/cc/clang ---- nginx-1.27.1/auto/cc/clang 2014-03-04 03:39:24.000000000 -0800 -+++ nginx-1.27.1-patched/auto/cc/clang 2014-03-13 20:54:26.241413360 -0700 -@@ -89,7 +89,7 @@ CFLAGS="$CFLAGS -Wconditional-uninitiali - CFLAGS="$CFLAGS -Wno-unused-parameter" - - # stop on warning --CFLAGS="$CFLAGS -Werror" -+#CFLAGS="$CFLAGS -Werror" - - # debug - CFLAGS="$CFLAGS -g" -diff -urp nginx-1.27.1/auto/cc/gcc nginx-1.27.1-patched/auto/cc/gcc ---- nginx-1.27.1/auto/cc/gcc 2014-03-04 03:39:24.000000000 -0800 -+++ nginx-1.27.1-patched/auto/cc/gcc 2014-03-13 20:54:13.301355329 -0700 -@@ -168,7 +168,7 @@ esac - - - # stop on warning --CFLAGS="$CFLAGS -Werror" -+#CFLAGS="$CFLAGS -Werror" - - # debug - CFLAGS="$CFLAGS -g" -diff -urp nginx-1.27.1/auto/cc/icc nginx-1.27.1-patched/auto/cc/icc ---- nginx-1.27.1/auto/cc/icc 2014-03-04 03:39:24.000000000 -0800 -+++ nginx-1.27.1-patched/auto/cc/icc 2014-03-13 20:54:13.301355329 -0700 -@@ -115,7 +115,7 @@ case "$NGX_ICC_VER" in - esac - - # stop on warning --CFLAGS="$CFLAGS -Werror" -+#CFLAGS="$CFLAGS -Werror" - - # debug - CFLAGS="$CFLAGS -g" diff --git a/images/nginx/rootfs/patches/19_nginx-1.27.1-log_escape_non_ascii.patch b/images/nginx/rootfs/patches/19_nginx-1.25.3-log_escape_non_ascii.patch similarity index 100% rename from images/nginx/rootfs/patches/19_nginx-1.27.1-log_escape_non_ascii.patch rename to images/nginx/rootfs/patches/19_nginx-1.25.3-log_escape_non_ascii.patch diff --git a/images/nginx/rootfs/patches/20_nginx-1.27.1-proxy_host_port_vars.patch b/images/nginx/rootfs/patches/20_nginx-1.25.3-proxy_host_port_vars.patch similarity index 87% rename from images/nginx/rootfs/patches/20_nginx-1.27.1-proxy_host_port_vars.patch rename to images/nginx/rootfs/patches/20_nginx-1.25.3-proxy_host_port_vars.patch index b81a299c8..82a344324 100644 --- a/images/nginx/rootfs/patches/20_nginx-1.27.1-proxy_host_port_vars.patch +++ b/images/nginx/rootfs/patches/20_nginx-1.25.3-proxy_host_port_vars.patch @@ -1,5 +1,5 @@ ---- nginx-1.27.1/src/http/modules/ngx_http_proxy_module.c 2017-07-16 14:02:51.000000000 +0800 -+++ nginx-1.27.1-patched/src/http/modules/ngx_http_proxy_module.c 2017-07-16 14:02:51.000000000 +0800 +--- nginx-1.25.3/src/http/modules/ngx_http_proxy_module.c 2017-07-16 14:02:51.000000000 +0800 ++++ nginx-1.25.3-patched/src/http/modules/ngx_http_proxy_module.c 2017-07-16 14:02:51.000000000 +0800 @@ -793,13 +793,13 @@ static ngx_keyval_t ngx_http_proxy_cach static ngx_http_variable_t ngx_http_proxy_vars[] = { diff --git a/images/nginx/rootfs/patches/21_nginx-1.27.1-cache_manager_exit.patch b/images/nginx/rootfs/patches/21_nginx-1.25.3-cache_manager_exit.patch similarity index 100% rename from images/nginx/rootfs/patches/21_nginx-1.27.1-cache_manager_exit.patch rename to images/nginx/rootfs/patches/21_nginx-1.25.3-cache_manager_exit.patch diff --git a/images/nginx/rootfs/patches/22_nginx-1.27.1-larger_max_error_str.patch b/images/nginx/rootfs/patches/22_nginx-1.25.3-larger_max_error_str.patch similarity index 62% rename from images/nginx/rootfs/patches/22_nginx-1.27.1-larger_max_error_str.patch rename to images/nginx/rootfs/patches/22_nginx-1.25.3-larger_max_error_str.patch index b821297e6..e5cd07e67 100644 --- a/images/nginx/rootfs/patches/22_nginx-1.27.1-larger_max_error_str.patch +++ b/images/nginx/rootfs/patches/22_nginx-1.25.3-larger_max_error_str.patch @@ -1,5 +1,5 @@ ---- nginx-1.27.1/src/core/ngx_log.h 2013-10-08 05:07:14.000000000 -0700 -+++ nginx-1.27.1-patched/src/core/ngx_log.h 2013-12-05 20:35:35.996236720 -0800 +--- nginx-1.25.3/src/core/ngx_log.h 2013-10-08 05:07:14.000000000 -0700 ++++ nginx-1.25.3-patched/src/core/ngx_log.h 2013-12-05 20:35:35.996236720 -0800 @@ -64,7 +64,9 @@ struct ngx_log_s { }; diff --git a/images/nginx/rootfs/patches/23_nginx-1.27.1-pcre_conf_opt.patch b/images/nginx/rootfs/patches/23_nginx-1.25.3-pcre_conf_opt.patch similarity index 100% rename from images/nginx/rootfs/patches/23_nginx-1.27.1-pcre_conf_opt.patch rename to images/nginx/rootfs/patches/23_nginx-1.25.3-pcre_conf_opt.patch diff --git a/images/nginx/rootfs/patches/24_nginx-1.27.1-always_enable_cc_feature_tests.patch b/images/nginx/rootfs/patches/24_nginx-1.25.3-always_enable_cc_feature_tests.patch similarity index 65% rename from images/nginx/rootfs/patches/24_nginx-1.27.1-always_enable_cc_feature_tests.patch rename to images/nginx/rootfs/patches/24_nginx-1.25.3-always_enable_cc_feature_tests.patch index 9517e92c4..b381d9b07 100644 --- a/images/nginx/rootfs/patches/24_nginx-1.27.1-always_enable_cc_feature_tests.patch +++ b/images/nginx/rootfs/patches/24_nginx-1.25.3-always_enable_cc_feature_tests.patch @@ -1,5 +1,5 @@ ---- nginx-1.27.1/auto/cc/conf 2015-10-30 22:47:50.000000000 +0800 -+++ nginx-1.27.1-patched/auto/cc/conf 2015-11-02 12:23:05.385156987 +0800 +--- nginx-1.25.3/auto/cc/conf 2015-10-30 22:47:50.000000000 +0800 ++++ nginx-1.25.3-patched/auto/cc/conf 2015-11-02 12:23:05.385156987 +0800 @@ -144,7 +144,7 @@ fi CFLAGS="$CFLAGS $NGX_CC_OPT" NGX_TEST_LD_OPT="$NGX_LD_OPT" diff --git a/images/nginx/rootfs/patches/25_nginx-1.27.1-ssl_cert_cb_yield.patch b/images/nginx/rootfs/patches/25_nginx-1.25.3-ssl_cert_cb_yield.patch similarity index 100% rename from images/nginx/rootfs/patches/25_nginx-1.27.1-ssl_cert_cb_yield.patch rename to images/nginx/rootfs/patches/25_nginx-1.25.3-ssl_cert_cb_yield.patch diff --git a/images/nginx/rootfs/patches/26_nginx-1.27.1-ssl_sess_cb_yield.patch b/images/nginx/rootfs/patches/26_nginx-1.25.3-ssl_sess_cb_yield.patch similarity index 100% rename from images/nginx/rootfs/patches/26_nginx-1.27.1-ssl_sess_cb_yield.patch rename to images/nginx/rootfs/patches/26_nginx-1.25.3-ssl_sess_cb_yield.patch diff --git a/images/nginx/rootfs/patches/27_nginx-1.27.1-ssl_client_hello_cb_yield.patch b/images/nginx/rootfs/patches/27_nginx-1.25.3-ssl_client_hello_cb_yield.patch similarity index 100% rename from images/nginx/rootfs/patches/27_nginx-1.27.1-ssl_client_hello_cb_yield.patch rename to images/nginx/rootfs/patches/27_nginx-1.25.3-ssl_client_hello_cb_yield.patch diff --git a/images/nginx/rootfs/patches/28_nginx-1.27.1-upstream_timeout_fields.patch b/images/nginx/rootfs/patches/28_nginx-1.25.3-upstream_timeout_fields.patch similarity index 100% rename from images/nginx/rootfs/patches/28_nginx-1.27.1-upstream_timeout_fields.patch rename to images/nginx/rootfs/patches/28_nginx-1.25.3-upstream_timeout_fields.patch diff --git a/images/nginx/rootfs/patches/29_nginx-1.27.1-safe_resolver_ipv6_option.patch b/images/nginx/rootfs/patches/29_nginx-1.25.3-safe_resolver_ipv6_option.patch similarity index 100% rename from images/nginx/rootfs/patches/29_nginx-1.27.1-safe_resolver_ipv6_option.patch rename to images/nginx/rootfs/patches/29_nginx-1.25.3-safe_resolver_ipv6_option.patch diff --git a/images/nginx/rootfs/patches/30_nginx-1.27.1-socket_cloexec.patch b/images/nginx/rootfs/patches/30_nginx-1.25.3-socket_cloexec.patch similarity index 100% rename from images/nginx/rootfs/patches/30_nginx-1.27.1-socket_cloexec.patch rename to images/nginx/rootfs/patches/30_nginx-1.25.3-socket_cloexec.patch diff --git a/images/nginx/rootfs/patches/31_nginx-1.27.1-reuseport_close_unused_fds.patch b/images/nginx/rootfs/patches/31_nginx-1.25.3-reuseport_close_unused_fds.patch similarity index 100% rename from images/nginx/rootfs/patches/31_nginx-1.27.1-reuseport_close_unused_fds.patch rename to images/nginx/rootfs/patches/31_nginx-1.25.3-reuseport_close_unused_fds.patch diff --git a/images/nginx/rootfs/patches/32_nginx-1.27.1-proc_exit_handler.patch b/images/nginx/rootfs/patches/32_nginx-1.27.1-proc_exit_handler.patch deleted file mode 100644 index f050c09d8..000000000 --- a/images/nginx/rootfs/patches/32_nginx-1.27.1-proc_exit_handler.patch +++ /dev/null @@ -1,77 +0,0 @@ -diff --git a/src/core/ngx_cycle.c b/src/core/ngx_cycle.c -index c4e3c50..fa1408b 100644 ---- a/src/core/ngx_cycle.c -+++ b/src/core/ngx_cycle.c -@@ -264,6 +264,9 @@ ngx_init_cycle(ngx_cycle_t *old_cycle) - } - - -+#if !(NGX_WIN32) -+ ngx_proc_exit_top_handler = ngx_proc_exit_def_handler; -+#endif - conf.ctx = cycle->conf_ctx; - conf.cycle = cycle; - conf.pool = pool; -diff --git a/src/os/unix/ngx_process.c b/src/os/unix/ngx_process.c -index 12a8c68..874c9bf 100644 ---- a/src/os/unix/ngx_process.c -+++ b/src/os/unix/ngx_process.c -@@ -34,6 +34,7 @@ ngx_int_t ngx_process_slot; - ngx_socket_t ngx_channel; - ngx_int_t ngx_last_process; - ngx_process_t ngx_processes[NGX_MAX_PROCESSES]; -+ngx_proc_exit_pt ngx_proc_exit_top_handler; - - - ngx_signal_t signals[] = { -@@ -83,6 +84,13 @@ ngx_signal_t signals[] = { - }; - - -+void -+ngx_proc_exit_def_handler(ngx_pid_t pid) -+{ -+ /* do nothing */ -+} -+ -+ - ngx_pid_t - ngx_spawn_process(ngx_cycle_t *cycle, ngx_spawn_proc_pt proc, void *data, - char *name, ngx_int_t respawn) -@@ -564,6 +572,7 @@ ngx_process_get_status(void) - } - - ngx_unlock_mutexes(pid); -+ ngx_proc_exit_top_handler(pid); - } - } - -diff --git a/src/os/unix/ngx_process.h b/src/os/unix/ngx_process.h -index 3986639..0b55d98 100644 ---- a/src/os/unix/ngx_process.h -+++ b/src/os/unix/ngx_process.h -@@ -18,6 +18,8 @@ typedef pid_t ngx_pid_t; - #define NGX_INVALID_PID -1 - - typedef void (*ngx_spawn_proc_pt) (ngx_cycle_t *cycle, void *data); -+#define NGX_HAVE_PROC_EXIT 1 -+typedef void (*ngx_proc_exit_pt)(ngx_pid_t pid); - - typedef struct { - ngx_pid_t pid; -@@ -66,6 +68,7 @@ ngx_pid_t ngx_spawn_process(ngx_cycle_t *cycle, - ngx_pid_t ngx_execute(ngx_cycle_t *cycle, ngx_exec_ctx_t *ctx); - ngx_int_t ngx_init_signals(ngx_log_t *log); - void ngx_debug_point(void); -+void ngx_proc_exit_def_handler(ngx_pid_t pid); - - - #if (NGX_HAVE_SCHED_YIELD) -@@ -85,6 +88,7 @@ extern ngx_socket_t ngx_channel; - extern ngx_int_t ngx_process_slot; - extern ngx_int_t ngx_last_process; - extern ngx_process_t ngx_processes[NGX_MAX_PROCESSES]; -+extern ngx_proc_exit_pt ngx_proc_exit_top_handler; - - - #endif /* _NGX_PROCESS_H_INCLUDED_ */ diff --git a/images/opentelemetry/Makefile b/images/opentelemetry/Makefile new file mode 100644 index 000000000..eae435bef --- /dev/null +++ b/images/opentelemetry/Makefile @@ -0,0 +1,69 @@ +# Copyright 2024 The Kubernetes Authors. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +.DEFAULT_GOAL:=build + +# set default shell +SHELL=/bin/bash -o pipefail -o errexit + +DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) +INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh + +# 0.0.0 shouldn't clobber any released builds +SHORT_SHA ?=$(shell git rev-parse --short HEAD) +TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA) + +REGISTRY ?= gcr.io/k8s-staging-ingress-nginx + +IMAGE = $(REGISTRY)/opentelemetry + +# required to enable buildx +export DOCKER_CLI_EXPERIMENTAL=enabled + +# build with buildx +PLATFORMS?=linux/amd64,linux/arm,linux/arm64 +OUTPUT= +PROGRESS=plain + +precheck: +ifndef NGINX_VERSION + $(error NGINX_VERSION variable is required) +endif + +build: precheck ensure-buildx + docker buildx build \ + --label=org.opencontainers.image.source=https://github.com/kubernetes/ingress-nginx \ + --label=org.opencontainers.image.licenses=Apache-2.0 \ + --label=org.opencontainers.image.description="Ingress NGINX Opentelemetry image" \ + --platform=${PLATFORMS} $(OUTPUT) \ + --progress=$(PROGRESS) \ + --build-arg=NGINX_VERSION=$(NGINX_VERSION) \ + --pull \ + --tag $(IMAGE)-$(NGINX_VERSION):$(TAG) rootfs + +# push the cross built image +push: OUTPUT=--push +push: build + +# enable buildx +ensure-buildx: +# this is required for cloudbuild +ifeq ("$(wildcard $(INIT_BUILDX))","") + @curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/init-buildx.sh | bash +else + @exec $(INIT_BUILDX) +endif + @echo "done" + +.PHONY: build precheck push ensure-buildx diff --git a/images/opentelemetry/TAG b/images/opentelemetry/TAG new file mode 100644 index 000000000..0ec25f750 --- /dev/null +++ b/images/opentelemetry/TAG @@ -0,0 +1 @@ +v1.0.0 diff --git a/images/opentelemetry/cloudbuild.yaml b/images/opentelemetry/cloudbuild.yaml new file mode 100644 index 000000000..e530071ce --- /dev/null +++ b/images/opentelemetry/cloudbuild.yaml @@ -0,0 +1,13 @@ +options: + # Increase machine type for multi-arch builds. + machineType: E2_HIGHCPU_8 + # Ignore Prow provided substitutions. + substitution_option: ALLOW_LOOSE +steps: + - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20240718-5ef92b5c36 + env: + - REGISTRY=gcr.io/k8s-staging-ingress-nginx + entrypoint: bash + args: + - -c + - gcloud auth configure-docker && cd images/opentelemetry && make NGINX_VERSION=1.21.6 push && make NGINX_VERSION=1.25.3 push diff --git a/images/opentelemetry/rootfs/CMakeLists.txt b/images/opentelemetry/rootfs/CMakeLists.txt new file mode 100644 index 000000000..1c68d6fc6 --- /dev/null +++ b/images/opentelemetry/rootfs/CMakeLists.txt @@ -0,0 +1,74 @@ +#!/bin/bash + +# Copyright 2021 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +cmake_minimum_required(VERSION 3.11 FATAL_ERROR) + +project( + dependencies + LANGUAGES CXX + VERSION 0.0.1) + +set(CMAKE_CXX_STANDARD 17) +set(CMAKE_CXX_EXTENSIONS OFF) +set(CMAKE_CXX_STANDARD_REQUIRED ON) +set(CMAKE_CXX_FLAGS "-O2 -fpic") +set(CMAKE_VERBOSE_MAKEFILE ON CACHE BOOL "ON" FORCE) + +set(CMAKE_BUILD_TYPE + Release + CACHE STRING "Build type" FORCE) + +include(GNUInstallDirs) + +set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY + ${PROJECT_BINARY_DIR}/${CMAKE_INSTALL_LIBDIR}) +set(CMAKE_LIBRARY_OUTPUT_DIRECTORY + ${PROJECT_BINARY_DIR}/${CMAKE_INSTALL_LIBDIR}) +set(CMAKE_RUNTIME_OUTPUT_DIRECTORY + ${PROJECT_BINARY_DIR}/${CMAKE_INSTALL_BINDIR}) + +set(INSTALL_LIBDIR + ${CMAKE_INSTALL_LIBDIR} + CACHE PATH "directory for libraries") +set(INSTALL_BINDIR + ${CMAKE_INSTALL_BINDIR} + CACHE PATH "directory for executables") +set(INSTALL_INCLUDEDIR + ${CMAKE_INSTALL_INCLUDEDIR} + CACHE PATH "directory for header files") + +set(DEF_INSTALL_CMAKEDIR share/cmake/${PROJECT_NAME}) +set(INSTALL_CMAKEDIR + ${DEF_INSTALL_CMAKEDIR} + CACHE PATH "directory for CMake files") + +set_property(DIRECTORY PROPERTY EP_BASE ${CMAKE_BINARY_DIR}/subs) + +set(STAGED_INSTALL_PREFIX ${CMAKE_BINARY_DIR}/stage) +message(STATUS "${PROJECT_NAME} staged install: ${STAGED_INSTALL_PREFIX}") + +find_package(OpenSSL REQUIRED) +message("OpenSSL include dir: ${OPENSSL_INCLUDE_DIR}") +message("OpenSSL libraries: ${OPENSSL_LIBRARIES}") + +find_package(Protobuf REQUIRED) +find_package(gRPC REQUIRED) +find_package(OpentelemetryCPP REQUIRED) + +install( + DIRECTORY ${STAGED_INSTALL_PREFIX}/ + DESTINATION . + USE_SOURCE_PERMISSIONS) diff --git a/images/opentelemetry/rootfs/Dockerfile b/images/opentelemetry/rootfs/Dockerfile new file mode 100644 index 000000000..9da180f84 --- /dev/null +++ b/images/opentelemetry/rootfs/Dockerfile @@ -0,0 +1,46 @@ +# Copyright 2021 The Kubernetes Authors. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +FROM alpine:3.20 AS base + +RUN mkdir -p /opt/third_party/install +COPY . /opt/third_party/ + +# install build tools +RUN apk update \ + && apk upgrade \ + && apk add -U bash \ + && bash /opt/third_party/build.sh -p + +ENV NINJA_STATUS="[%p/%f/%t] " + +# install otel_ngx_module.so +FROM base AS nginx +ARG NGINX_VERSION=1.25.3 +RUN bash /opt/third_party/build.sh -n ${NGINX_VERSION} + +FROM golang:1.22.8-bullseye AS build-init + +WORKDIR /go/src/app +COPY . . + +RUN go mod download +RUN CGO_ENABLED=0 go build -o /go/bin/init_module + +FROM gcr.io/distroless/static-debian11 AS final +COPY --from=build-init /go/bin/init_module / +COPY --from=nginx /etc/nginx/modules /etc/nginx/modules + +CMD ["/init_module"] diff --git a/images/opentelemetry/rootfs/build.sh b/images/opentelemetry/rootfs/build.sh new file mode 100755 index 000000000..6f803fc9f --- /dev/null +++ b/images/opentelemetry/rootfs/build.sh @@ -0,0 +1,165 @@ +#!/bin/bash + +# Copyright 2021 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -o errexit +set -o nounset +set -o pipefail +set -x +# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp/compare/v1.2.0...main +export OPENTELEMETRY_CPP_VERSION=${OPENTELEMETRY_CPP_VERSION:="v1.11.0"} +export INSTALL_DIR=/opt/third_party/install + +export NGINX_VERSION=${NGINX_VERSION:="1.25.3"} +# improve compilation times +CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1)) + +rm -rf \ + /var/cache/debconf/* \ + /var/lib/apt/lists/* \ + /var/log/* \ + /tmp/* \ + /var/tmp/* + +export BUILD_PATH=/tmp/build +mkdir --verbose -p "$BUILD_PATH" + +Help() +{ + # Display Help + echo "Add description of the script functions here." + echo + echo "Syntax: scriptTemplate [-h|o|n|p|]" + echo "options:" + echo "h Print Help." + echo "o OpenTelemetry git tag" + echo "n install nginx" + echo "p prepare" + echo +} + +prepare() +{ + echo "https://dl-cdn.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories + echo "https://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories + echo "https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories + + apk add \ + linux-headers \ + cmake \ + ninja \ + openssl \ + curl-dev \ + openssl-dev \ + gtest-dev \ + c-ares-dev \ + pcre-dev \ + curl \ + git \ + build-base \ + coreutils \ + build-base \ + openssl-dev \ + pkgconfig \ + c-ares-dev \ + re2-dev \ + grpc-dev \ + protobuf-dev \ + opentelemetry-cpp-dev + + git config --global http.version HTTP/1.1 + git config --global http.postBuffer 157286400 +} + +install_otel() +{ + cd ${BUILD_PATH} + export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+LD_LIBRARY_PATH:}${INSTALL_DIR}/lib:/usr/local" + export PATH="${PATH}:${INSTALL_DIR}/bin" + git clone --recurse-submodules -j ${CORES} --depth=1 -b \ + ${OPENTELEMETRY_CPP_VERSION} https://github.com/open-telemetry/opentelemetry-cpp.git opentelemetry-cpp-${OPENTELEMETRY_CPP_VERSION} + cd "opentelemetry-cpp-${OPENTELEMETRY_CPP_VERSION}" + mkdir -p .build + cd .build + + cmake -DCMAKE_BUILD_TYPE=Release \ + -G Ninja \ + -DCMAKE_CXX_STANDARD=17 \ + -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE \ + -DWITH_ZIPKIN=OFF \ + -DCMAKE_INSTALL_PREFIX=${INSTALL_DIR} \ + -DBUILD_TESTING=OFF \ + -DWITH_BENCHMARK=OFF \ + -DWITH_FUNC_TESTS=OFF \ + -DBUILD_SHARED_LIBS=OFF \ + -DWITH_OTLP_GRPC=ON \ + -DWITH_OTLP_HTTP=OFF \ + -DWITH_ABSEIL=ON \ + -DWITH_EXAMPLES=OFF \ + -DWITH_NO_DEPRECATED_CODE=ON \ + .. + cmake --build . -j ${CORES} --target install +} + +install_nginx() +{ + + # Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp-contrib/compare/e11348bb400d5472bf1da5d6128bead66fa111ff...main + export OPENTELEMETRY_CONTRIB_COMMIT=e11348bb400d5472bf1da5d6128bead66fa111ff + + mkdir -p /etc/nginx + cd "$BUILD_PATH" + + # TODO fix curl + # get_src 0528e793a97f942868616449d49326160f9cb67b2253fb2c4864603ac6ab09a9 \ + # "https://github.com/open-telemetry/opentelemetry-cpp-contrib/archive/$OPENTELEMETRY_CONTRIB_COMMIT.tar.gz" + + git clone https://github.com/open-telemetry/opentelemetry-cpp-contrib.git \ + opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT} + cd ${BUILD_PATH}/opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT} + git reset --hard ${OPENTELEMETRY_CONTRIB_COMMIT} + cd ${BUILD_PATH}/opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT}/instrumentation/nginx + mkdir -p build + cd build + cmake -DCMAKE_BUILD_TYPE=Release \ + -G Ninja \ + -DCMAKE_CXX_STANDARD=17 \ + -DCMAKE_INSTALL_PREFIX=${INSTALL_DIR} \ + -DBUILD_SHARED_LIBS=ON \ + -DNGINX_VERSION=${NGINX_VERSION} \ + .. + cmake --build . -j ${CORES} --target install + + mkdir -p /etc/nginx/modules + cp ${INSTALL_DIR}/otel_ngx_module.so /etc/nginx/modules/otel_ngx_module.so +} + +while getopts ":phn:" option; do + case $option in + h) # display Help + Help + exit;; + p) # prepare + prepare + exit;; + n) # install nginx + NGINX_VERSION=${OPTARG} + install_nginx + exit;; + \?) + Help + exit;; + esac +done diff --git a/images/opentelemetry/rootfs/go.mod b/images/opentelemetry/rootfs/go.mod new file mode 100644 index 000000000..be474cc0b --- /dev/null +++ b/images/opentelemetry/rootfs/go.mod @@ -0,0 +1,3 @@ +module init-otel + +go 1.22.8 diff --git a/images/opentelemetry/rootfs/init_module.go b/images/opentelemetry/rootfs/init_module.go new file mode 100644 index 000000000..5d285052d --- /dev/null +++ b/images/opentelemetry/rootfs/init_module.go @@ -0,0 +1,103 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package main + +import ( + "fmt" + "io" + "os" + "path/filepath" +) + +func main() { + // Enable error handling for all operations + err := run() + if err != nil { + fmt.Fprintf(os.Stderr, "Error: %v\n", err) + os.Exit(1) + } +} + +func run() error { + // Create the target directory if it doesn't exist + targetDir := "/modules_mount/etc/nginx/modules/otel" + err := os.MkdirAll(targetDir, os.ModePerm) + if err != nil { + return fmt.Errorf("failed to create target directory: %w", err) + } + + // Copy files from source directory to target directory + sourceDir := "/etc/nginx/modules/" + err = filepath.Walk(sourceDir, func(path string, info os.FileInfo, err error) error { + if err != nil { + return err + } + + // Skip directories + if info.IsDir() { + return nil + } + + // Calculate the destination path + relPath, err := filepath.Rel(sourceDir, path) + if err != nil { + return err + } + destPath := filepath.Join(targetDir, relPath) + + // Create the destination directory if it doesn't exist + destDir := filepath.Dir(destPath) + err = os.MkdirAll(destDir, os.ModePerm) + if err != nil { + return err + } + + // Copy the file + err = copyFile(path, destPath) + if err != nil { + return err + } + + return nil + }) + if err != nil { + return fmt.Errorf("failed to copy files: %w", err) + } + + return nil +} + +func copyFile(sourcePath, destPath string) error { + sourceFile, err := os.Open(sourcePath) + if err != nil { + return err + } + defer sourceFile.Close() + + destFile, err := os.Create(destPath) + if err != nil { + return err + } + defer destFile.Close() + + _, err = io.Copy(destFile, sourceFile) + if err != nil { + return err + } + + return nil +} diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile index 8adbf0b41..b51293643 100644 --- a/images/test-runner/Makefile +++ b/images/test-runner/Makefile @@ -50,7 +50,7 @@ image: --build-arg BASE_IMAGE=${NGINX_BASE_IMAGE} \ --build-arg GOLANG_VERSION=${GO_VERSION} \ --build-arg ETCD_VERSION=3.5.13-0 \ - --build-arg K8S_RELEASE=v1.32.2 \ + --build-arg K8S_RELEASE=v1.29.2 \ --build-arg RESTY_CLI_VERSION=0.27 \ --build-arg RESTY_CLI_SHA=e5f4f3128af49ba5c4d039d0554e5ae91bbe05866f60eccfa96d3653274bff90 \ --build-arg LUAROCKS_VERSION=3.8.0 \ @@ -59,7 +59,7 @@ image: --build-arg YAML_LINT_VERSION=1.33.0 \ --build-arg YAMALE_VERSION=4.0.4 \ --build-arg HELM_VERSION=3.14.4 \ - --build-arg GINKGO_VERSION=2.22.2 \ + --build-arg GINKGO_VERSION=2.22.1 \ --build-arg GOLINT_VERSION=latest \ -t ${IMAGE}:${TAG} rootfs @@ -71,7 +71,7 @@ build: ensure-buildx --build-arg BASE_IMAGE=${NGINX_BASE_IMAGE} \ --build-arg GOLANG_VERSION=${GO_VERSION} \ --build-arg ETCD_VERSION=3.5.13-0 \ - --build-arg K8S_RELEASE=v1.32.2 \ + --build-arg K8S_RELEASE=v1.29.2 \ --build-arg RESTY_CLI_VERSION=0.27 \ --build-arg RESTY_CLI_SHA=e5f4f3128af49ba5c4d039d0554e5ae91bbe05866f60eccfa96d3653274bff90 \ --build-arg LUAROCKS_VERSION=3.8.0 \ @@ -80,7 +80,7 @@ build: ensure-buildx --build-arg YAML_LINT_VERSION=1.33.0 \ --build-arg YAMALE_VERSION=4.0.4 \ --build-arg HELM_VERSION=3.14.4 \ - --build-arg GINKGO_VERSION=2.22.2 \ + --build-arg GINKGO_VERSION=2.22.1 \ --build-arg GOLINT_VERSION=latest \ -t ${IMAGE}:${TAG} rootfs diff --git a/images/test-runner/TAG b/images/test-runner/TAG index 46b105a30..79127d85a 100644 --- a/images/test-runner/TAG +++ b/images/test-runner/TAG @@ -1 +1 @@ -v2.0.0 +v1.2.0 diff --git a/images/test-runner/cloudbuild.yaml b/images/test-runner/cloudbuild.yaml index 93dce3ec9..5b38d5b32 100644 --- a/images/test-runner/cloudbuild.yaml +++ b/images/test-runner/cloudbuild.yaml @@ -2,9 +2,9 @@ options: # Ignore Prow provided substitutions. substitution_option: ALLOW_LOOSE steps: - - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20250116-2a05ea7e3d + - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20241217-ff46a068cd env: - - REGISTRY=us-central1-docker.pkg.dev/k8s-staging-images/ingress-nginx + - REGISTRY=gcr.io/k8s-staging-ingress-nginx entrypoint: bash args: - -c diff --git a/internal/ingress/annotations/annotations.go b/internal/ingress/annotations/annotations.go index e10cc9be1..4c073246c 100644 --- a/internal/ingress/annotations/annotations.go +++ b/internal/ingress/annotations/annotations.go @@ -39,6 +39,7 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations/defaultbackend" "k8s.io/ingress-nginx/internal/ingress/annotations/disableproxyintercepterrors" "k8s.io/ingress-nginx/internal/ingress/annotations/fastcgi" + "k8s.io/ingress-nginx/internal/ingress/annotations/globalratelimit" "k8s.io/ingress-nginx/internal/ingress/annotations/http2pushpreload" "k8s.io/ingress-nginx/internal/ingress/annotations/ipallowlist" "k8s.io/ingress-nginx/internal/ingress/annotations/ipdenylist" @@ -97,6 +98,7 @@ type Ingress struct { Proxy proxy.Config ProxySSL proxyssl.Config RateLimit ratelimit.Config + GlobalRateLimit globalratelimit.Config Redirect redirect.Config Rewrite rewrite.Config Satisfy string @@ -145,6 +147,7 @@ func NewAnnotationFactory(cfg resolver.Resolver) map[string]parser.IngressAnnota "Proxy": proxy.NewParser(cfg), "ProxySSL": proxyssl.NewParser(cfg), "RateLimit": ratelimit.NewParser(cfg), + "GlobalRateLimit": globalratelimit.NewParser(cfg), "Redirect": redirect.NewParser(cfg), "Rewrite": rewrite.NewParser(cfg), "Satisfy": satisfy.NewParser(cfg), diff --git a/internal/ingress/annotations/cors/main.go b/internal/ingress/annotations/cors/main.go index cef4fb1b2..d6e92b34d 100644 --- a/internal/ingress/annotations/cors/main.go +++ b/internal/ingress/annotations/cors/main.go @@ -40,12 +40,12 @@ var ( // that could cause the Response to contain some internal value/variable (like returning $pid, $upstream_addr, etc) // Origin must contain a http/s Origin (including or not the port) or the value '*' // This Regex is composed of the following: - // * Sets a group that can be (https?://)?*?.something.com:port? OR null + // * Sets a group that can be (https?://)?*?.something.com:port? // * Allows this to be repeated as much as possible, and separated by comma // Otherwise it should be '*' - corsOriginRegexValidator = regexp.MustCompile(`^((((([a-z]+://)?(\*\.)?[A-Za-z0-9\-.]*(:\d+)?,?)|null)+)|\*)?$`) + corsOriginRegexValidator = regexp.MustCompile(`^((((https?://)?(\*\.)?[A-Za-z0-9\-.]*(:\d+)?,?)+)|\*)?$`) // corsOriginRegex defines the regex for validation inside Parse - corsOriginRegex = regexp.MustCompile(`^([a-z]+://(\*\.)?[A-Za-z0-9\-.]*(:\d+)?|\*|null)?$`) + corsOriginRegex = regexp.MustCompile(`^(https?://(\*\.)?[A-Za-z0-9\-.]*(:\d+)?|\*)?$`) // Method must contain valid methods list (PUT, GET, POST, BLA) // May contain or not spaces between each verb corsMethodsRegex = regexp.MustCompile(`^([A-Za-z]+,?\s?)+$`) @@ -78,9 +78,8 @@ var corsAnnotation = parser.Annotation{ Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation controls what's the accepted Origin for CORS. - This is a multi-valued field, separated by ','. It must follow this format: protocol://origin-site.com, protocol://origin-site.com:port, null, or *. - It also supports single level wildcard subdomains and follows this format: https://*.foo.bar, http://*.bar.foo:8080 or myprotocol://*.abc.bar.foo:9000 - Protocol can be any lowercase string, like http, https, or mycustomprotocol.`, + This is a multi-valued field, separated by ','. It must follow this format: http(s)://origin-site.com or http(s)://origin-site.com:port + It also supports single level wildcard subdomains and follows this format: http(s)://*.foo.bar, http(s)://*.bar.foo:8080 or http(s)://*.abc.bar.foo:9000`, }, corsAllowHeadersAnnotation: { Validator: parser.ValidateRegex(parser.HeadersVariable, true), diff --git a/internal/ingress/annotations/cors/main_test.go b/internal/ingress/annotations/cors/main_test.go index 0b6b3671b..a69390a17 100644 --- a/internal/ingress/annotations/cors/main_test.go +++ b/internal/ingress/annotations/cors/main_test.go @@ -27,8 +27,6 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) -const enableAnnotation = "true" - func buildIngress() *networking.Ingress { defaultBackend := networking.IngressBackend{ Service: &networking.IngressServiceBackend{ @@ -78,11 +76,11 @@ func TestIngressCorsConfigValid(t *testing.T) { data := map[string]string{} // Valid - data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)] = enableAnnotation + data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)] = "true" data[parser.GetAnnotationWithPrefix(corsAllowHeadersAnnotation)] = "DNT,X-CustomHeader, Keep-Alive,User-Agent" data[parser.GetAnnotationWithPrefix(corsAllowCredentialsAnnotation)] = "false" data[parser.GetAnnotationWithPrefix(corsAllowMethodsAnnotation)] = "GET, PATCH" - data[parser.GetAnnotationWithPrefix(corsAllowOriginAnnotation)] = "null, https://origin123.test.com:4443" + data[parser.GetAnnotationWithPrefix(corsAllowOriginAnnotation)] = "https://origin123.test.com:4443" data[parser.GetAnnotationWithPrefix(corsExposeHeadersAnnotation)] = "*, X-CustomResponseHeader" data[parser.GetAnnotationWithPrefix(corsMaxAgeAnnotation)] = "600" ing.SetAnnotations(data) @@ -113,7 +111,7 @@ func TestIngressCorsConfigValid(t *testing.T) { t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsAllowMethodsAnnotation)], nginxCors.CorsAllowMethods) } - if !reflect.DeepEqual(nginxCors.CorsAllowOrigin, []string{"null", "https://origin123.test.com:4443"}) { + if nginxCors.CorsAllowOrigin[0] != "https://origin123.test.com:4443" { t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsAllowOriginAnnotation)], nginxCors.CorsAllowOrigin) } @@ -176,11 +174,11 @@ func TestIngressCorsConfigInvalid(t *testing.T) { } } -func TestIngressCorsConfigAllowOriginWithTrailingComma(t *testing.T) { +func TestIngresCorsConfigAllowOriginWithTrailingComma(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)] = enableAnnotation + data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)] = "true" // Include a trailing comma and an empty value between the commas. data[parser.GetAnnotationWithPrefix(corsAllowOriginAnnotation)] = "https://origin123.test.com:4443, ,https://origin321.test.com:4443," @@ -205,63 +203,3 @@ func TestIngressCorsConfigAllowOriginWithTrailingComma(t *testing.T) { t.Errorf("expected %v but returned %v", expectedCorsAllowOrigins, nginxCors.CorsAllowOrigin) } } - -func TestIngressCorsConfigAllowOriginNull(t *testing.T) { - ing := buildIngress() - - data := map[string]string{} - data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)] = enableAnnotation - - // Include a trailing comma and an empty value between the commas. - data[parser.GetAnnotationWithPrefix(corsAllowOriginAnnotation)] = "https://origin123.test.com:4443,null,https://origin321.test.com:4443" - ing.SetAnnotations(data) - - corst, err := NewParser(&resolver.Mock{}).Parse(ing) - if err != nil { - t.Errorf("error parsing annotations: %v", err) - } - - nginxCors, ok := corst.(*Config) - if !ok { - t.Errorf("expected a Config type but returned %t", corst) - } - - if !nginxCors.CorsEnabled { - t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)], nginxCors.CorsEnabled) - } - - expectedCorsAllowOrigins := []string{"https://origin123.test.com:4443", "null", "https://origin321.test.com:4443"} - if !reflect.DeepEqual(nginxCors.CorsAllowOrigin, expectedCorsAllowOrigins) { - t.Errorf("expected %v but returned %v", expectedCorsAllowOrigins, nginxCors.CorsAllowOrigin) - } -} - -func TestIngressCorsConfigAllowOriginWithNonHttpProtocol(t *testing.T) { - ing := buildIngress() - - data := map[string]string{} - data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)] = enableAnnotation - - // Include a trailing comma and an empty value between the commas. - data[parser.GetAnnotationWithPrefix(corsAllowOriginAnnotation)] = "test://localhost" - ing.SetAnnotations(data) - - corst, err := NewParser(&resolver.Mock{}).Parse(ing) - if err != nil { - t.Errorf("error parsing annotations: %v", err) - } - - nginxCors, ok := corst.(*Config) - if !ok { - t.Errorf("expected a Config type but returned %t", corst) - } - - if !nginxCors.CorsEnabled { - t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)], nginxCors.CorsEnabled) - } - - expectedCorsAllowOrigins := []string{"test://localhost"} - if !reflect.DeepEqual(nginxCors.CorsAllowOrigin, expectedCorsAllowOrigins) { - t.Errorf("expected %v but returned %v", expectedCorsAllowOrigins, nginxCors.CorsAllowOrigin) - } -} diff --git a/internal/ingress/annotations/customheaders/main.go b/internal/ingress/annotations/customheaders/main.go index d48018d8c..774e9c3d3 100644 --- a/internal/ingress/annotations/customheaders/main.go +++ b/internal/ingress/annotations/customheaders/main.go @@ -18,14 +18,13 @@ package customheaders import ( "fmt" - "reflect" "regexp" - "slices" "k8s.io/klog/v2" networking "k8s.io/api/networking/v1" + "golang.org/x/exp/slices" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" @@ -36,18 +35,6 @@ type Config struct { Headers map[string]string `json:"headers,omitempty"` } -// Equal tests for equality between two Config types -func (c1 *Config) Equal(c2 *Config) bool { - if c1 == c2 { - return true - } - if c1 == nil || c2 == nil { - return false - } - - return reflect.DeepEqual(c1.Headers, c2.Headers) -} - var ( headerRegexp = regexp.MustCompile(`^[a-zA-Z\d\-_]+$`) valueRegexp = regexp.MustCompile(`^[a-zA-Z\d_ :;.,\\/"'?!(){}\[\]@<>=\-+*#$&\x60|~^%]+$`) diff --git a/internal/ingress/annotations/globalratelimit/main.go b/internal/ingress/annotations/globalratelimit/main.go new file mode 100644 index 000000000..0aec29f66 --- /dev/null +++ b/internal/ingress/annotations/globalratelimit/main.go @@ -0,0 +1,179 @@ +/* +Copyright 2020 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package globalratelimit + +import ( + "fmt" + "strings" + "time" + + networking "k8s.io/api/networking/v1" + "k8s.io/klog/v2" + + "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" + "k8s.io/ingress-nginx/internal/ingress/resolver" + "k8s.io/ingress-nginx/internal/net" + "k8s.io/ingress-nginx/pkg/util/sets" +) + +const defaultKey = "$remote_addr" + +const ( + globalRateLimitAnnotation = "global-rate-limit" + globalRateLimitWindowAnnotation = "global-rate-limit-window" + globalRateLimitKeyAnnotation = "global-rate-limit-key" + globalRateLimitIgnoredCidrsAnnotation = "global-rate-limit-ignored-cidrs" +) + +var globalRateLimitAnnotationConfig = parser.Annotation{ + Group: "ratelimit", + Annotations: parser.AnnotationFields{ + globalRateLimitAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation configures maximum allowed number of requests per window`, + }, + globalRateLimitWindowAnnotation: { + Validator: parser.ValidateDuration, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `Configures a time window (i.e 1m) that the limit is applied`, + }, + globalRateLimitKeyAnnotation: { + Validator: parser.ValidateRegex(parser.NGINXVariable, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskHigh, + Documentation: `This annotation Configures a key for counting the samples. Defaults to $remote_addr. + You can also combine multiple NGINX variables here, like ${remote_addr}-${http_x_api_client} which would mean the limit will be applied to + requests coming from the same API client (indicated by X-API-Client HTTP request header) with the same source IP address`, + }, + globalRateLimitIgnoredCidrsAnnotation: { + Validator: parser.ValidateCIDRs, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation defines a comma separated list of IPs and CIDRs to match client IP against. + When there's a match request is not considered for rate limiting.`, + }, + }, +} + +// Config encapsulates all global rate limit attributes +type Config struct { + Namespace string `json:"namespace"` + Limit int `json:"limit"` + WindowSize int `json:"window-size"` + Key string `json:"key"` + IgnoredCIDRs []string `json:"ignored-cidrs"` +} + +// Equal tests for equality between two Config types +func (l *Config) Equal(r *Config) bool { + if l.Namespace != r.Namespace { + return false + } + if l.Limit != r.Limit { + return false + } + if l.WindowSize != r.WindowSize { + return false + } + if l.Key != r.Key { + return false + } + if len(l.IgnoredCIDRs) != len(r.IgnoredCIDRs) || !sets.StringElementsMatch(l.IgnoredCIDRs, r.IgnoredCIDRs) { + return false + } + + return true +} + +type globalratelimit struct { + r resolver.Resolver + annotationConfig parser.Annotation +} + +// NewParser creates a new globalratelimit annotation parser +func NewParser(r resolver.Resolver) parser.IngressAnnotation { + return globalratelimit{ + r: r, + annotationConfig: globalRateLimitAnnotationConfig, + } +} + +// Parse extracts globalratelimit annotations from the given ingress +// and returns them structured as Config type +func (a globalratelimit) Parse(ing *networking.Ingress) (interface{}, error) { + config := &Config{} + + limit, err := parser.GetIntAnnotation(globalRateLimitAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && ing_errors.IsInvalidContent(err) { + return nil, err + } + rawWindowSize, err := parser.GetStringAnnotation(globalRateLimitWindowAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && ing_errors.IsValidationError(err) { + return config, ing_errors.LocationDeniedError{ + Reason: fmt.Errorf("failed to parse 'global-rate-limit-window' value: %w", err), + } + } + + if limit == 0 || rawWindowSize == "" { + return config, nil + } + + windowSize, err := time.ParseDuration(rawWindowSize) + if err != nil { + return config, ing_errors.LocationDeniedError{ + Reason: fmt.Errorf("failed to parse 'global-rate-limit-window' value: %w", err), + } + } + + key, err := parser.GetStringAnnotation(globalRateLimitKeyAnnotation, ing, a.annotationConfig.Annotations) + if err != nil { + klog.Warningf("invalid %s, defaulting to %s", globalRateLimitKeyAnnotation, defaultKey) + } + if key == "" { + key = defaultKey + } + + rawIgnoredCIDRs, err := parser.GetStringAnnotation(globalRateLimitIgnoredCidrsAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && ing_errors.IsInvalidContent(err) { + return nil, err + } + ignoredCIDRs, err := net.ParseCIDRs(rawIgnoredCIDRs) + if err != nil { + return nil, err + } + + config.Namespace = strings.ReplaceAll(string(ing.UID), "-", "") + config.Limit = limit + config.WindowSize = int(windowSize.Seconds()) + config.Key = key + config.IgnoredCIDRs = ignoredCIDRs + + return config, nil +} + +func (a globalratelimit) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a globalratelimit) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, globalRateLimitAnnotationConfig.Annotations) +} diff --git a/internal/ingress/annotations/globalratelimit/main_test.go b/internal/ingress/annotations/globalratelimit/main_test.go new file mode 100644 index 000000000..b1a7ab71b --- /dev/null +++ b/internal/ingress/annotations/globalratelimit/main_test.go @@ -0,0 +1,211 @@ +/* +Copyright 2020 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package globalratelimit + +import ( + "encoding/json" + "fmt" + "testing" + + api "k8s.io/api/core/v1" + networking "k8s.io/api/networking/v1" + meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" + "k8s.io/ingress-nginx/internal/ingress/resolver" +) + +const ( + UID = "31285d47-b150-4dcf-bd6f-12c46d769f6e" + expectedUID = "31285d47b1504dcfbd6f12c46d769f6e" +) + +func buildIngress() *networking.Ingress { + defaultBackend := networking.IngressBackend{ + Service: &networking.IngressServiceBackend{ + Name: "default-backend", + Port: networking.ServiceBackendPort{ + Number: 80, + }, + }, + } + + return &networking.Ingress{ + ObjectMeta: meta_v1.ObjectMeta{ + Name: "foo", + Namespace: api.NamespaceDefault, + UID: UID, + }, + Spec: networking.IngressSpec{ + DefaultBackend: &networking.IngressBackend{ + Service: &networking.IngressServiceBackend{ + Name: "default-backend", + Port: networking.ServiceBackendPort{ + Number: 80, + }, + }, + }, + Rules: []networking.IngressRule{ + { + Host: "foo.bar.com", + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + Path: "/foo", + Backend: defaultBackend, + }, + }, + }, + }, + }, + }, + }, + } +} + +type mockBackend struct { + resolver.Mock +} + +func TestGlobalRateLimiting(t *testing.T) { + ing := buildIngress() + + annRateLimit := parser.GetAnnotationWithPrefix("global-rate-limit") + annRateLimitWindow := parser.GetAnnotationWithPrefix("global-rate-limit-window") + annRateLimitKey := parser.GetAnnotationWithPrefix("global-rate-limit-key") + annRateLimitIgnoredCIDRs := parser.GetAnnotationWithPrefix("global-rate-limit-ignored-cidrs") + + testCases := []struct { + title string + annotations map[string]string + expectedConfig *Config + expectedErr error + }{ + { + "no annotation", + nil, + &Config{}, + nil, + }, + { + "minimum required annotations", + map[string]string{ + annRateLimit: "100", + annRateLimitWindow: "2m", + }, + &Config{ + Namespace: expectedUID, + Limit: 100, + WindowSize: 120, + Key: "$remote_addr", + IgnoredCIDRs: make([]string, 0), + }, + nil, + }, + { + "global-rate-limit-key annotation", + map[string]string{ + annRateLimit: "100", + annRateLimitWindow: "2m", + annRateLimitKey: "$http_x_api_user", + }, + &Config{ + Namespace: expectedUID, + Limit: 100, + WindowSize: 120, + Key: "$http_x_api_user", + IgnoredCIDRs: make([]string, 0), + }, + nil, + }, + { + "global-rate-limit-ignored-cidrs annotation", + map[string]string{ + annRateLimit: "100", + annRateLimitWindow: "2m", + annRateLimitKey: "$http_x_api_user", + annRateLimitIgnoredCIDRs: "127.0.0.1, 200.200.24.0/24", + }, + &Config{ + Namespace: expectedUID, + Limit: 100, + WindowSize: 120, + Key: "$http_x_api_user", + IgnoredCIDRs: []string{"127.0.0.1", "200.200.24.0/24"}, + }, + nil, + }, + { + "global-rate-limit-complex-key", + map[string]string{ + annRateLimit: "100", + annRateLimitWindow: "2m", + annRateLimitKey: "${http_x_api_user}${otherinfo}", + }, + &Config{ + Namespace: expectedUID, + Limit: 100, + WindowSize: 120, + Key: "${http_x_api_user}${otherinfo}", + IgnoredCIDRs: make([]string, 0), + }, + nil, + }, + { + "incorrect duration for window", + map[string]string{ + annRateLimit: "100", + annRateLimitWindow: "2mb", + annRateLimitKey: "$http_x_api_user", + }, + &Config{}, + ing_errors.ValidationError{ + Reason: fmt.Errorf("failed to parse 'global-rate-limit-window' value: annotation nginx.ingress.kubernetes.io/global-rate-limit-window contains invalid value"), + }, + }, + } + + for _, testCase := range testCases { + ing.SetAnnotations(testCase.annotations) + + i, actualErr := NewParser(mockBackend{}).Parse(ing) + if (testCase.expectedErr == nil || actualErr == nil) && testCase.expectedErr != actualErr { + t.Errorf("%s expected error '%v' but got '%v'", testCase.title, testCase.expectedErr, actualErr) + } else if testCase.expectedErr != nil && actualErr != nil && + testCase.expectedErr.Error() != actualErr.Error() { + t.Errorf("expected error '%v' but got '%v'", testCase.expectedErr, actualErr) + } + + actualConfig, ok := i.(*Config) + if !ok { + t.Errorf("expected Config type but got %T", i) + } + if !testCase.expectedConfig.Equal(actualConfig) { + expectedJSON, err := json.Marshal(testCase.expectedConfig) + if err != nil { + t.Errorf("failed to marshal expected config: %v", err) + } + actualJSON, err := json.Marshal(actualConfig) + if err != nil { + t.Errorf("failed to marshal actual config: %v", err) + } + t.Errorf("%v: expected config '%s' but got '%s'", testCase.title, expectedJSON, actualJSON) + } + } +} diff --git a/internal/ingress/annotations/parser/validators.go b/internal/ingress/annotations/parser/validators.go index 3c724a311..31524508f 100644 --- a/internal/ingress/annotations/parser/validators.go +++ b/internal/ingress/annotations/parser/validators.go @@ -79,8 +79,6 @@ var ( // URLWithNginxVariableRegex defines a url that can contain nginx variables. // It is a risky operation URLWithNginxVariableRegex = regexp.MustCompile("^[" + extendedAlphaNumeric + urlEnabledChars + "$]*$") - // MaliciousRegex defines chars that are known to inject RCE - MaliciousRegex = regexp.MustCompile(`\r|\n`) ) // ValidateArrayOfServerName validates if all fields on a Server name annotation are @@ -115,10 +113,6 @@ func ValidateRegex(regex *regexp.Regexp, removeSpace bool) AnnotationValidator { if !regex.MatchString(s) { return fmt.Errorf("value %s is invalid", s) } - if MaliciousRegex.MatchString(s) { - return fmt.Errorf("value %s contains malicious string", s) - } - return nil } } diff --git a/internal/ingress/annotations/parser/validators_test.go b/internal/ingress/annotations/parser/validators_test.go index 49923ba76..6c88342e4 100644 --- a/internal/ingress/annotations/parser/validators_test.go +++ b/internal/ingress/annotations/parser/validators_test.go @@ -65,11 +65,6 @@ func TestValidateArrayOfServerName(t *testing.T) { value: "something.com,lolo;xpto.com,nothing.com", wantErr: true, }, - { - name: "should deny names with malicous chars", - value: "http://something.com/#;\nournewinjection", - wantErr: true, - }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { diff --git a/internal/ingress/annotations/proxy/main.go b/internal/ingress/annotations/proxy/main.go index aaa093eaf..9d2646261 100644 --- a/internal/ingress/annotations/proxy/main.go +++ b/internal/ingress/annotations/proxy/main.go @@ -31,7 +31,6 @@ const ( proxyReadTimeoutAnnotation = "proxy-read-timeout" proxyBuffersNumberAnnotation = "proxy-buffers-number" proxyBufferSizeAnnotation = "proxy-buffer-size" - proxyBusyBuffersSizeAnnotation = "proxy-busy-buffers-size" proxyCookiePathAnnotation = "proxy-cookie-path" proxyCookieDomainAnnotation = "proxy-cookie-domain" proxyBodySizeAnnotation = "proxy-body-size" @@ -83,12 +82,6 @@ var proxyAnnotations = parser.Annotation{ Documentation: `This annotation sets the size of the buffer proxy_buffer_size used for reading the first part of the response received from the proxied server. By default proxy buffer size is set as "4k".`, }, - proxyBusyBuffersSizeAnnotation: { - Validator: parser.ValidateRegex(parser.SizeRegex, true), - Scope: parser.AnnotationScopeLocation, - Risk: parser.AnnotationRiskLow, - Documentation: `This annotation limits the total size of buffers that can be busy sending a response to the client while the response is not yet fully read. By default proxy busy buffers size is set as "8k".`, - }, proxyCookiePathAnnotation: { Validator: parser.ValidateRegex(parser.URLIsValidRegex, true), Scope: parser.AnnotationScopeLocation, @@ -174,7 +167,6 @@ type Config struct { ReadTimeout int `json:"readTimeout"` BuffersNumber int `json:"buffersNumber"` BufferSize string `json:"bufferSize"` - BusyBuffersSize string `json:"busyBuffersSize"` CookieDomain string `json:"cookieDomain"` CookiePath string `json:"cookiePath"` NextUpstream string `json:"nextUpstream"` @@ -214,9 +206,6 @@ func (l1 *Config) Equal(l2 *Config) bool { if l1.BufferSize != l2.BufferSize { return false } - if l1.BusyBuffersSize != l2.BusyBuffersSize { - return false - } if l1.CookieDomain != l2.CookieDomain { return false } @@ -301,11 +290,6 @@ func (a proxy) Parse(ing *networking.Ingress) (interface{}, error) { config.BufferSize = defBackend.ProxyBufferSize } - config.BusyBuffersSize, err = parser.GetStringAnnotation(proxyBusyBuffersSizeAnnotation, ing, a.annotationConfig.Annotations) - if err != nil { - config.BusyBuffersSize = defBackend.ProxyBusyBuffersSize - } - config.CookiePath, err = parser.GetStringAnnotation(proxyCookiePathAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.CookiePath = defBackend.ProxyCookiePath diff --git a/internal/ingress/annotations/proxy/main_test.go b/internal/ingress/annotations/proxy/main_test.go index b6ce07fb2..9446ae970 100644 --- a/internal/ingress/annotations/proxy/main_test.go +++ b/internal/ingress/annotations/proxy/main_test.go @@ -88,7 +88,6 @@ func (m mockBackend) GetDefaultBackend() defaults.Backend { ProxyReadTimeout: 20, ProxyBuffersNumber: 4, ProxyBufferSize: "10k", - ProxyBusyBuffersSize: "15k", ProxyBodySize: "3k", ProxyNextUpstream: "error", ProxyNextUpstreamTimeout: 0, @@ -109,7 +108,6 @@ func TestProxy(t *testing.T) { data[parser.GetAnnotationWithPrefix("proxy-read-timeout")] = "3" data[parser.GetAnnotationWithPrefix("proxy-buffers-number")] = "8" data[parser.GetAnnotationWithPrefix("proxy-buffer-size")] = "1k" - data[parser.GetAnnotationWithPrefix("proxy-busy-buffers-size")] = "4k" data[parser.GetAnnotationWithPrefix("proxy-body-size")] = "2k" data[parser.GetAnnotationWithPrefix("proxy-next-upstream")] = off data[parser.GetAnnotationWithPrefix("proxy-next-upstream-timeout")] = "5" @@ -143,9 +141,6 @@ func TestProxy(t *testing.T) { if p.BufferSize != "1k" { t.Errorf("expected 1k as buffer-size but returned %v", p.BufferSize) } - if p.BusyBuffersSize != "4k" { - t.Errorf("expected 4k as busy-buffers-size but returned %v", p.BusyBuffersSize) - } if p.BodySize != "2k" { t.Errorf("expected 2k as body-size but returned %v", p.BodySize) } @@ -181,7 +176,6 @@ func TestProxyComplex(t *testing.T) { data[parser.GetAnnotationWithPrefix("proxy-read-timeout")] = "3" data[parser.GetAnnotationWithPrefix("proxy-buffers-number")] = "8" data[parser.GetAnnotationWithPrefix("proxy-buffer-size")] = "1k" - data[parser.GetAnnotationWithPrefix("proxy-busy-buffers-size")] = "4k" data[parser.GetAnnotationWithPrefix("proxy-body-size")] = "2k" data[parser.GetAnnotationWithPrefix("proxy-next-upstream")] = "error http_502" data[parser.GetAnnotationWithPrefix("proxy-next-upstream-timeout")] = "5" @@ -215,9 +209,6 @@ func TestProxyComplex(t *testing.T) { if p.BufferSize != "1k" { t.Errorf("expected 1k as buffer-size but returned %v", p.BufferSize) } - if p.BusyBuffersSize != "4k" { - t.Errorf("expected 4k as buffer-size but returned %v", p.BusyBuffersSize) - } if p.BodySize != "2k" { t.Errorf("expected 2k as body-size but returned %v", p.BodySize) } @@ -273,9 +264,6 @@ func TestProxyWithNoAnnotation(t *testing.T) { if p.BufferSize != "10k" { t.Errorf("expected 10k as buffer-size but returned %v", p.BufferSize) } - if p.BusyBuffersSize != "15k" { - t.Errorf("expected 15k as buffer-size but returned %v", p.BusyBuffersSize) - } if p.BodySize != "3k" { t.Errorf("expected 3k as body-size but returned %v", p.BodySize) } diff --git a/internal/ingress/annotations/redirect/redirect.go b/internal/ingress/annotations/redirect/redirect.go index edc3d279c..e774b2fe8 100644 --- a/internal/ingress/annotations/redirect/redirect.go +++ b/internal/ingress/annotations/redirect/redirect.go @@ -28,26 +28,20 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) -const ( - defaultPermanentRedirectCode = http.StatusMovedPermanently - defaultTemporalRedirectCode = http.StatusFound -) +const defaultPermanentRedirectCode = http.StatusMovedPermanently // Config returns the redirect configuration for an Ingress rule type Config struct { URL string `json:"url"` Code int `json:"code"` FromToWWW bool `json:"fromToWWW"` - Relative bool `json:"relative"` } const ( fromToWWWRedirAnnotation = "from-to-www-redirect" temporalRedirectAnnotation = "temporal-redirect" - temporalRedirectAnnotationCode = "temporal-redirect-code" permanentRedirectAnnotation = "permanent-redirect" permanentRedirectAnnotationCode = "permanent-redirect-code" - relativeRedirectsAnnotation = "relative-redirects" ) var redirectAnnotations = parser.Annotation{ @@ -66,12 +60,6 @@ var redirectAnnotations = parser.Annotation{ Documentation: `This annotation allows you to return a temporal redirect (Return Code 302) instead of sending data to the upstream. For example setting this annotation to https://www.google.com would redirect everything to Google with a Return Code of 302 (Moved Temporarily).`, }, - temporalRedirectAnnotationCode: { - Validator: parser.ValidateInt, - Scope: parser.AnnotationScopeLocation, - Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options - Documentation: `This annotation allows you to modify the status code used for temporal redirects.`, - }, permanentRedirectAnnotation: { Validator: parser.ValidateRegex(parser.URLIsValidRegex, false), Scope: parser.AnnotationScopeLocation, @@ -85,12 +73,6 @@ var redirectAnnotations = parser.Annotation{ Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options Documentation: `This annotation allows you to modify the status code used for permanent redirects.`, }, - relativeRedirectsAnnotation: { - Validator: parser.ValidateBool, - Scope: parser.AnnotationScopeLocation, - Risk: parser.AnnotationRiskLow, - Documentation: `If enabled, redirects issued by nginx will be relative. See https://nginx.org/en/docs/http/ngx_http_core_module.html#absolute_redirect`, - }, }, } @@ -117,35 +99,20 @@ func (r redirect) Parse(ing *networking.Ingress) (interface{}, error) { return nil, err } - rr, err := parser.GetBoolAnnotation(relativeRedirectsAnnotation, ing, r.annotationConfig.Annotations) - if err != nil && !errors.IsMissingAnnotations(err) { - return nil, err - } - tr, err := parser.GetStringAnnotation(temporalRedirectAnnotation, ing, r.annotationConfig.Annotations) if err != nil && !errors.IsMissingAnnotations(err) { return nil, err } if tr != "" { - trc, err := parser.GetIntAnnotation(temporalRedirectAnnotationCode, ing, r.annotationConfig.Annotations) - if err != nil && !errors.IsMissingAnnotations(err) { - return nil, err - } - - if trc < http.StatusMultipleChoices || trc > http.StatusTemporaryRedirect { - trc = defaultTemporalRedirectCode - } - if err := isValidURL(tr); err != nil { return nil, err } return &Config{ URL: tr, - Code: trc, + Code: http.StatusFound, FromToWWW: r3w, - Relative: rr, }, nil } @@ -168,13 +135,6 @@ func (r redirect) Parse(ing *networking.Ingress) (interface{}, error) { URL: pr, Code: prc, FromToWWW: r3w, - Relative: rr, - }, nil - } - - if rr { - return &Config{ - Relative: rr, }, nil } @@ -198,9 +158,6 @@ func (r1 *Config) Equal(r2 *Config) bool { if r1.FromToWWW != r2.FromToWWW { return false } - if r1.Relative != r2.Relative { - return false - } return true } diff --git a/internal/ingress/annotations/redirect/redirect_test.go b/internal/ingress/annotations/redirect/redirect_test.go index f4734ae5b..bd2f98211 100644 --- a/internal/ingress/annotations/redirect/redirect_test.go +++ b/internal/ingress/annotations/redirect/redirect_test.go @@ -103,7 +103,7 @@ func TestPermanentRedirectWithCustomCode(t *testing.T) { } } -func TestTemporalRedirectWithDefaultCode(t *testing.T) { +func TestTemporalRedirect(t *testing.T) { rp := NewParser(resolver.Mock{}) if rp == nil { t.Fatalf("Expected a parser.IngressAnnotation but returned nil") @@ -128,49 +128,10 @@ func TestTemporalRedirectWithDefaultCode(t *testing.T) { t.Errorf("Expected %v as redirect but returned %s", defRedirectURL, redirect.URL) } if redirect.Code != http.StatusFound { - t.Errorf("Expected %v as redirect to have a code %d but had %d", defRedirectURL, http.StatusFound, redirect.Code) + t.Errorf("Expected %v as redirect to have a code %d but had %d", defRedirectURL, defaultPermanentRedirectCode, redirect.Code) } -} - -func TestTemporalRedirectWithCustomCode(t *testing.T) { - rp := NewParser(resolver.Mock{}) - if rp == nil { - t.Fatalf("Expected a parser.IngressAnnotation but returned nil") - } - - testCases := map[string]struct { - input int - expectOutput int - }{ - "valid code": {http.StatusTemporaryRedirect, http.StatusTemporaryRedirect}, - "invalid code": {http.StatusTeapot, http.StatusFound}, - } - - for n, tc := range testCases { - t.Run(n, func(t *testing.T) { - ing := new(networking.Ingress) - - data := make(map[string]string, 2) - data[parser.GetAnnotationWithPrefix(fromToWWWRedirAnnotation)] = "true" - data[parser.GetAnnotationWithPrefix(temporalRedirectAnnotation)] = defRedirectURL - data[parser.GetAnnotationWithPrefix(temporalRedirectAnnotationCode)] = strconv.Itoa(tc.input) - ing.SetAnnotations(data) - - i, err := rp.Parse(ing) - if err != nil { - t.Errorf("Unexpected error with ingress: %v", err) - } - redirect, ok := i.(*Config) - if !ok { - t.Errorf("Expected a Redirect type") - } - if redirect.URL != defRedirectURL { - t.Errorf("Expected %v as redirect but returned %s", defRedirectURL, redirect.URL) - } - if redirect.Code != tc.expectOutput { - t.Errorf("Expected %v as redirect to have a code %d but had %d", defRedirectURL, tc.expectOutput, redirect.Code) - } - }) + if redirect.FromToWWW != true { + t.Errorf("Expected %v as redirect to have from-to-www as %v but got %v", defRedirectURL, true, redirect.FromToWWW) } } @@ -193,22 +154,3 @@ func TestIsValidURL(t *testing.T) { t.Errorf("expected nil but got %v", err) } } - -func TestParseAnnotations(t *testing.T) { - ing := new(networking.Ingress) - - data := map[string]string{} - data[parser.GetAnnotationWithPrefix(relativeRedirectsAnnotation)] = "true" - ing.SetAnnotations(data) - - _, err := NewParser(&resolver.Mock{}).Parse(ing) - if err != nil { - t.Errorf("unexpected error: %v", err) - } - - // test ingress using the annotation without a TLS section - _, err = NewParser(&resolver.Mock{}).Parse(ing) - if err != nil { - t.Errorf("unexpected error parsing ingress with relative-redirects") - } -} diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go index beac1405d..bc0ba9d00 100644 --- a/internal/ingress/controller/config/config.go +++ b/internal/ingress/controller/config/config.go @@ -318,6 +318,11 @@ type Configuration struct { NginxStatusIpv4Whitelist []string `json:"nginx-status-ipv4-whitelist,omitempty"` NginxStatusIpv6Whitelist []string `json:"nginx-status-ipv6-whitelist,omitempty"` + // Plugins configures plugins to use placed in the directory /etc/nginx/lua/plugins. + // Every plugin has to have main.lua in the root. Every plugin has to bundle all of its dependencies. + // The execution order follows the definition. + Plugins []string `json:"plugins,omitempty"` + // If UseProxyProtocol is enabled ProxyRealIPCIDR defines the default the IP/network address // of your external load balancer ProxyRealIPCIDR []string `json:"proxy-real-ip-cidr,omitempty"` @@ -549,10 +554,6 @@ type Configuration struct { // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors DisableProxyInterceptErrors bool `json:"disable-proxy-intercept-errors,omitempty"` - // Disable absolute redirects and enables relative redirects. - // https://nginx.org/en/docs/http/ngx_http_core_module.html#absolute_redirect - RelativeRedirects bool `json:"relative-redirects"` - // Sets the ipv4 addresses on which the server will accept requests. BindAddressIpv4 []string `json:"bind-address-ipv4,omitempty"` @@ -722,6 +723,31 @@ type Configuration struct { // Default: text/html DefaultType string `json:"default-type"` + // GlobalRateLimitMemcachedHost configures memcached host. + GlobalRateLimitMemcachedHost string `json:"global-rate-limit-memcached-host"` + + // GlobalRateLimitMemcachedPort configures memcached port. + GlobalRateLimitMemcachedPort int `json:"global-rate-limit-memcached-port"` + + // GlobalRateLimitMemcachedConnectTimeout configures timeout when connecting to memcached. + // The unit is millisecond. + GlobalRateLimitMemcachedConnectTimeout int `json:"global-rate-limit-memcached-connect-timeout"` + + // GlobalRateLimitMemcachedMaxIdleTimeout configured how long connections + // should be kept alive in idle state. The unit is millisecond. + GlobalRateLimitMemcachedMaxIdleTimeout int `json:"global-rate-limit-memcached-max-idle-timeout"` + + // GlobalRateLimitMemcachedPoolSize configures how many connections + // should be kept alive in the pool. + // Note that this is per NGINX worker. Make sure your memcached server can + // handle `MemcachedPoolSize * * ` + // simultaneous connections. + GlobalRateLimitMemcachedPoolSize int `json:"global-rate-limit-memcached-pool-size"` + + // GlobalRateLimitStatusCode determines the HTTP status code to return + // when limit is exceeding during global rate limiting. + GlobalRateLimitStatusCode int `json:"global-rate-limit-status-code"` + // DebugConnections Enables debugging log for selected client connections // http://nginx.org/en/docs/ngx_core_module.html#debug_connection // Default: "" @@ -755,10 +781,10 @@ func NewDefault() Configuration { cfg := Configuration{ AllowSnippetAnnotations: false, - AllowCrossNamespaceResources: false, + AllowCrossNamespaceResources: true, AllowBackendServerHeader: false, AnnotationValueWordBlocklist: "", - AnnotationsRiskLevel: "High", + AnnotationsRiskLevel: "Critical", AccessLogPath: "/var/log/nginx/access.log", AccessLogParams: "", EnableAccessLogForDefaultBackend: false, @@ -838,7 +864,6 @@ func NewDefault() Configuration { VariablesHashMaxSize: 2048, UseHTTP2: true, DisableProxyInterceptErrors: false, - RelativeRedirects: false, ProxyStreamTimeout: "600s", ProxyStreamNextUpstream: true, ProxyStreamNextUpstreamTimeout: "600s", @@ -850,7 +875,6 @@ func NewDefault() Configuration { ProxySendTimeout: 60, ProxyBuffersNumber: 4, ProxyBufferSize: "4k", - ProxyBusyBuffersSize: "8k", ProxyCookieDomain: "off", ProxyCookiePath: "off", ProxyNextUpstream: "error timeout", @@ -863,7 +887,6 @@ func NewDefault() Configuration { SSLRedirect: true, CustomHTTPErrors: []int{}, DisableProxyInterceptErrors: false, - RelativeRedirects: false, DenylistSourceRange: []string{}, WhitelistSourceRange: []string{}, SkipAccessLogURLs: []string{}, @@ -875,34 +898,39 @@ func NewDefault() Configuration { ServiceUpstream: false, AllowedResponseHeaders: []string{}, }, - UpstreamKeepaliveConnections: 320, - UpstreamKeepaliveTime: "1h", - UpstreamKeepaliveTimeout: 60, - UpstreamKeepaliveRequests: 10000, - LimitConnZoneVariable: defaultLimitConnZoneVariable, - BindAddressIpv4: defBindAddress, - BindAddressIpv6: defBindAddress, - OpentelemetryTrustIncomingSpan: true, - OpentelemetryConfig: "/etc/ingress-controller/telemetry/opentelemetry.toml", - OtlpCollectorPort: "4317", - OtelServiceName: "nginx", - OtelSampler: "AlwaysOn", - OtelSamplerRatio: 0.01, - OtelSamplerParentBased: true, - OtelScheduleDelayMillis: 5000, - OtelMaxExportBatchSize: 512, - OtelMaxQueueSize: 2048, - LimitReqStatusCode: 503, - LimitConnStatusCode: 503, - SyslogPort: 514, - NoTLSRedirectLocations: "/.well-known/acme-challenge", - NoAuthLocations: "/.well-known/acme-challenge", - GlobalExternalAuth: defGlobalExternalAuth, - ProxySSLLocationOnly: false, - DefaultType: "text/html", - DebugConnections: []string{}, - StrictValidatePathType: true, - GRPCBufferSizeKb: 0, + UpstreamKeepaliveConnections: 320, + UpstreamKeepaliveTime: "1h", + UpstreamKeepaliveTimeout: 60, + UpstreamKeepaliveRequests: 10000, + LimitConnZoneVariable: defaultLimitConnZoneVariable, + BindAddressIpv4: defBindAddress, + BindAddressIpv6: defBindAddress, + OpentelemetryTrustIncomingSpan: true, + OpentelemetryConfig: "/etc/ingress-controller/telemetry/opentelemetry.toml", + OtlpCollectorPort: "4317", + OtelServiceName: "nginx", + OtelSampler: "AlwaysOn", + OtelSamplerRatio: 0.01, + OtelSamplerParentBased: true, + OtelScheduleDelayMillis: 5000, + OtelMaxExportBatchSize: 512, + OtelMaxQueueSize: 2048, + LimitReqStatusCode: 503, + LimitConnStatusCode: 503, + SyslogPort: 514, + NoTLSRedirectLocations: "/.well-known/acme-challenge", + NoAuthLocations: "/.well-known/acme-challenge", + GlobalExternalAuth: defGlobalExternalAuth, + ProxySSLLocationOnly: false, + DefaultType: "text/html", + GlobalRateLimitMemcachedPort: 11211, + GlobalRateLimitMemcachedConnectTimeout: 50, + GlobalRateLimitMemcachedMaxIdleTimeout: 10000, + GlobalRateLimitMemcachedPoolSize: 50, + GlobalRateLimitStatusCode: 429, + DebugConnections: []string{}, + StrictValidatePathType: false, // TODO: This will be true in future releases + GRPCBufferSizeKb: 0, } if klog.V(5).Enabled() { diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index 652a80e49..9250ded08 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -105,14 +105,11 @@ type Configuration struct { EnableProfiling bool - EnableMetrics bool - MetricsPerHost bool - MetricsPerUndefinedHost bool - MetricsBuckets *collectors.HistogramBuckets - MetricsBucketFactor float64 - MetricsMaxBuckets uint32 - ReportStatusClasses bool - ExcludeSocketMetrics []string + EnableMetrics bool + MetricsPerHost bool + MetricsBuckets *collectors.HistogramBuckets + ReportStatusClasses bool + ExcludeSocketMetrics []string FakeCertificate *ingress.SSLCert @@ -380,6 +377,10 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error { if !cfg.AllowSnippetAnnotations && strings.HasSuffix(key, "-snippet") { return fmt.Errorf("%s annotation cannot be used. Snippet directives are disabled by the Ingress administrator", key) } + + if cfg.GlobalRateLimitMemcachedHost == "" && strings.HasPrefix(key, fmt.Sprintf("%s/%s", parser.AnnotationsPrefix, "global-rate-limit")) { + return fmt.Errorf("'global-rate-limit*' annotations require 'global-rate-limit-memcached-host' settings configured in the global configmap") + } } k8s.SetDefaultNGINXPathType(ing) @@ -1255,7 +1256,6 @@ func (n *NGINXController) createServers(data []*ingress.Ingress, ReadTimeout: bdef.ProxyReadTimeout, BuffersNumber: bdef.ProxyBuffersNumber, BufferSize: bdef.ProxyBufferSize, - BusyBuffersSize: bdef.ProxyBusyBuffersSize, CookieDomain: bdef.ProxyCookieDomain, CookiePath: bdef.ProxyCookiePath, NextUpstream: bdef.ProxyNextUpstream, @@ -1514,6 +1514,7 @@ func locationApplyAnnotations(loc *ingress.Location, anns *annotations.Ingress) loc.Proxy = anns.Proxy loc.ProxySSL = anns.ProxySSL loc.RateLimit = anns.RateLimit + loc.GlobalRateLimit = anns.GlobalRateLimit loc.Redirect = anns.Redirect loc.Rewrite = anns.Rewrite loc.UpstreamVhost = anns.UpstreamVhost diff --git a/internal/ingress/controller/nginx.go b/internal/ingress/controller/nginx.go index 20fad5afb..7b016dbe1 100644 --- a/internal/ingress/controller/nginx.go +++ b/internal/ingress/controller/nginx.go @@ -689,10 +689,6 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error { return err } - err = n.createLuaConfig(&cfg) - if err != nil { - return err - } err = createOpentelemetryCfg(&cfg) if err != nil { return err @@ -1082,32 +1078,6 @@ func createOpentelemetryCfg(cfg *ngx_config.Configuration) error { return os.WriteFile(cfg.OpentelemetryConfig, tmplBuf.Bytes(), file.ReadWriteByUser) } -func (n *NGINXController) createLuaConfig(cfg *ngx_config.Configuration) error { - luaconfigs := &ngx_template.LuaConfig{ - EnableMetrics: n.cfg.EnableMetrics, - ListenPorts: ngx_template.LuaListenPorts{ - HTTPSPort: strconv.Itoa(n.cfg.ListenPorts.HTTPS), - StatusPort: strconv.Itoa(nginx.StatusPort), - SSLProxyPort: strconv.Itoa(n.cfg.ListenPorts.SSLProxy), - }, - UseProxyProtocol: cfg.UseProxyProtocol, - UseForwardedHeaders: cfg.UseForwardedHeaders, - IsSSLPassthroughEnabled: n.cfg.EnableSSLPassthrough, - HTTPRedirectCode: cfg.HTTPRedirectCode, - EnableOCSP: cfg.EnableOCSP, - MonitorBatchMaxSize: n.cfg.MonitorMaxBatchSize, - HSTS: cfg.HSTS, - HSTSMaxAge: cfg.HSTSMaxAge, - HSTSIncludeSubdomains: cfg.HSTSIncludeSubdomains, - HSTSPreload: cfg.HSTSPreload, - } - jsonCfg, err := json.Marshal(luaconfigs) - if err != nil { - return err - } - return os.WriteFile(luaCfgPath, jsonCfg, file.ReadWriteByUser) -} - func cleanTempNginxCfg() error { var files []string diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go index d4bd6136f..284f53209 100644 --- a/internal/ingress/controller/store/store.go +++ b/internal/ingress/controller/store/store.go @@ -240,8 +240,6 @@ type k8sStore struct { backendConfigMu *sync.RWMutex defaultSSLCertificate string - - recorder record.EventRecorder } // New creates a new object store to be used in the ingress controller. @@ -281,7 +279,6 @@ func New( recorder := eventBroadcaster.NewRecorder(scheme.Scheme, corev1.EventSource{ Component: "nginx-ingress-controller", }) - store.recorder = recorder // k8sStore fulfills resolver.Resolver interface store.annotations = annotations.NewAnnotationExtractor(store) @@ -941,9 +938,6 @@ func (s *k8sStore) syncIngress(ing *networkingv1.Ingress) { klog.Error(err) return } - if parsed.Denied != nil { - s.recorder.Eventf(ing, corev1.EventTypeWarning, "AnnotationParsingFailed", fmt.Sprintf("Error parsing annotations: %v", *parsed.Denied)) - } err = s.listers.IngressWithAnnotation.Update(&ingress.Ingress{ Ingress: *copyIng, ParsedAnnotations: parsed, diff --git a/internal/ingress/controller/template/configmap.go b/internal/ingress/controller/template/configmap.go index febf20be0..626f7b14d 100644 --- a/internal/ingress/controller/template/configmap.go +++ b/internal/ingress/controller/template/configmap.go @@ -67,6 +67,7 @@ const ( globalAuthCacheDuration = "global-auth-cache-duration" globalAuthAlwaysSetCookie = "global-auth-always-set-cookie" luaSharedDictsKey = "lua-shared-dicts" + plugins = "plugins" debugConnections = "debug-connections" workerSerialReloads = "enable-serial-reloads" ) @@ -82,6 +83,7 @@ var ( "balancer_ewma_locks": 1024, "certificate_servers": 5120, "ocsp_response_cache": 5120, // keep this same as certificate_servers + "global_throttle_cache": 10240, } defaultGlobalAuthRedirectParam = "rd" ) @@ -417,6 +419,11 @@ func ReadConfig(src map[string]string) config.Configuration { delete(conf, workerSerialReloads) } + if val, ok := conf[plugins]; ok { + to.Plugins = splitAndTrimSpace(val, ",") + delete(conf, plugins) + } + if val, ok := conf[debugConnections]; ok { delete(conf, debugConnections) for _, i := range splitAndTrimSpace(val, ",") { diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go index ed052e4ec..8628f8090 100644 --- a/internal/ingress/controller/template/template.go +++ b/internal/ingress/controller/template/template.go @@ -194,41 +194,6 @@ func cleanConf(in, out *bytes.Buffer) error { } } -/* LuaConfig defines the structure that will be written as a config for lua scripts -The json format should follow what's expected by lua: - use_forwarded_headers = %t, - use_proxy_protocol = %t, - is_ssl_passthrough_enabled = %t, - http_redirect_code = %v, - listen_ports = { ssl_proxy = "%v", https = "%v" }, - - hsts = %t, - hsts_max_age = %v, - hsts_include_subdomains = %t, - hsts_preload = %t, -*/ - -type LuaConfig struct { - EnableMetrics bool `json:"enable_metrics"` - ListenPorts LuaListenPorts `json:"listen_ports"` - UseForwardedHeaders bool `json:"use_forwarded_headers"` - UseProxyProtocol bool `json:"use_proxy_protocol"` - IsSSLPassthroughEnabled bool `json:"is_ssl_passthrough_enabled"` - HTTPRedirectCode int `json:"http_redirect_code"` - EnableOCSP bool `json:"enable_ocsp"` - MonitorBatchMaxSize int `json:"monitor_batch_max_size"` - HSTS bool `json:"hsts"` - HSTSMaxAge string `json:"hsts_max_age"` - HSTSIncludeSubdomains bool `json:"hsts_include_subdomains"` - HSTSPreload bool `json:"hsts_preload"` -} - -type LuaListenPorts struct { - HTTPSPort string `json:"https"` - StatusPort string `json:"status_port"` - SSLProxyPort string `json:"ssl_proxy"` -} - // Write populates a buffer using a template with NGINX configuration // and the servers and upstreams created by Ingress rules func (t *Template) Write(conf *config.TemplateConfig) ([]byte, error) { @@ -291,6 +256,7 @@ var funcMap = text_template.FuncMap{ "filterRateLimits": filterRateLimits, "buildRateLimitZones": buildRateLimitZones, "buildRateLimit": buildRateLimit, + "configForLua": configForLua, "locationConfigForLua": locationConfigForLua, "buildResolvers": buildResolvers, "buildUpstreamName": buildUpstreamName, @@ -417,6 +383,54 @@ func luaConfigurationRequestBodySize(c interface{}) string { return dictKbToStr(size) } +// configForLua returns some general configuration as Lua table represented as string +func configForLua(input interface{}) string { + all, ok := input.(config.TemplateConfig) + if !ok { + klog.Errorf("expected a 'config.TemplateConfig' type but %T was given", input) + return "{}" + } + + return fmt.Sprintf(`{ + use_forwarded_headers = %t, + use_proxy_protocol = %t, + is_ssl_passthrough_enabled = %t, + http_redirect_code = %v, + listen_ports = { ssl_proxy = "%v", https = "%v" }, + + hsts = %t, + hsts_max_age = %v, + hsts_include_subdomains = %t, + hsts_preload = %t, + + global_throttle = { + memcached = { + host = "%v", port = %d, connect_timeout = %d, max_idle_timeout = %d, pool_size = %d, + }, + status_code = %d, + } + }`, + all.Cfg.UseForwardedHeaders, + all.Cfg.UseProxyProtocol, + all.IsSSLPassthroughEnabled, + all.Cfg.HTTPRedirectCode, + all.ListenPorts.SSLProxy, + all.ListenPorts.HTTPS, + + all.Cfg.HSTS, + all.Cfg.HSTSMaxAge, + all.Cfg.HSTSIncludeSubdomains, + all.Cfg.HSTSPreload, + + all.Cfg.GlobalRateLimitMemcachedHost, + all.Cfg.GlobalRateLimitMemcachedPort, + all.Cfg.GlobalRateLimitMemcachedConnectTimeout, + all.Cfg.GlobalRateLimitMemcachedMaxIdleTimeout, + all.Cfg.GlobalRateLimitMemcachedPoolSize, + all.Cfg.GlobalRateLimitStatusCode, + ) +} + // locationConfigForLua formats some location specific configuration into Lua table represented as string func locationConfigForLua(l, a interface{}) string { location, ok := l.(*ingress.Location) @@ -431,26 +445,30 @@ func locationConfigForLua(l, a interface{}) string { return "{}" } - /* Lua expects the following vars - force_ssl_redirect = string_to_bool(ngx.var.force_ssl_redirect), - ssl_redirect = string_to_bool(ngx.var.ssl_redirect), - force_no_ssl_redirect = string_to_bool(ngx.var.force_no_ssl_redirect), - preserve_trailing_slash = string_to_bool(ngx.var.preserve_trailing_slash), - use_port_in_redirects = string_to_bool(ngx.var.use_port_in_redirects), - */ + ignoredCIDRs, err := convertGoSliceIntoLuaTable(location.GlobalRateLimit.IgnoredCIDRs, false) + if err != nil { + klog.Errorf("failed to convert %v into Lua table: %q", location.GlobalRateLimit.IgnoredCIDRs, err) + ignoredCIDRs = "{}" + } - return fmt.Sprintf(` - set $force_ssl_redirect "%t"; - set $ssl_redirect "%t"; - set $force_no_ssl_redirect "%t"; - set $preserve_trailing_slash "%t"; - set $use_port_in_redirects "%t"; - `, + return fmt.Sprintf(`{ + force_ssl_redirect = %t, + ssl_redirect = %t, + force_no_ssl_redirect = %t, + preserve_trailing_slash = %t, + use_port_in_redirects = %t, + global_throttle = { namespace = "%v", limit = %d, window_size = %d, key = %v, ignored_cidrs = %v }, + }`, location.Rewrite.ForceSSLRedirect, location.Rewrite.SSLRedirect, isLocationInLocationList(l, all.Cfg.NoTLSRedirectLocations), location.Rewrite.PreserveTrailingSlash, location.UsePortInRedirects, + location.GlobalRateLimit.Namespace, + location.GlobalRateLimit.Limit, + location.GlobalRateLimit.WindowSize, + parseComplexNginxVarIntoLuaTable(location.GlobalRateLimit.Key), + ignoredCIDRs, ) } @@ -602,12 +620,17 @@ func buildAuthResponseHeaders(proxySetHeader string, headers []string, lua bool) return res } -func buildAuthUpstreamLuaHeaders(headers []string) string { +func buildAuthUpstreamLuaHeaders(headers []string) []string { + res := []string{} + if len(headers) == 0 { - return "" + return res } - return strings.Join(headers, ",") + for i, h := range headers { + res = append(res, fmt.Sprintf("ngx.var.authHeader%d = res.header['%s']", i, h)) + } + return res } func buildAuthProxySetHeaders(headers map[string]string) []string { @@ -1667,6 +1690,54 @@ func buildServerName(hostname string) string { return `~^(?[\w-]+)\.` + strings.Join(parts, "\\.") + `$` } +// parseComplexNginxVarIntoLuaTable parses things like "$my${complex}ngx\$var" into +// [["$var", "complex", "my", "ngx"]]. In other words, 2nd and 3rd elements +// in the result are actual NGINX variable names, whereas first and 4th elements +// are string literals. +func parseComplexNginxVarIntoLuaTable(ngxVar string) string { + r := regexp.MustCompile(`(\\\$[0-9a-zA-Z_]+)|\$\{([0-9a-zA-Z_]+)\}|\$([0-9a-zA-Z_]+)|(\$|[^$\\]+)`) + matches := r.FindAllStringSubmatch(ngxVar, -1) + components := make([][]string, len(matches)) + for i, match := range matches { + components[i] = match[1:] + } + + luaTable, err := convertGoSliceIntoLuaTable(components, true) + if err != nil { + klog.Errorf("unexpected error: %v", err) + luaTable = "{}" + } + return luaTable +} + +func convertGoSliceIntoLuaTable(goSliceInterface interface{}, emptyStringAsNil bool) (string, error) { + goSlice := reflect.ValueOf(goSliceInterface) + kind := goSlice.Kind() + + switch kind { + case reflect.String: + if emptyStringAsNil && goSlice.Interface().(string) == "" { + return "nil", nil + } + return fmt.Sprintf(`"%v"`, goSlice.Interface()), nil + case reflect.Int, reflect.Bool: + return fmt.Sprintf(`%v`, goSlice.Interface()), nil + case reflect.Slice, reflect.Array: + luaTable := "{ " + for i := 0; i < goSlice.Len(); i++ { + luaEl, err := convertGoSliceIntoLuaTable(goSlice.Index(i).Interface(), emptyStringAsNil) + if err != nil { + return "", err + } + luaTable = luaTable + luaEl + ", " + } + luaTable += "}" + return luaTable, nil + default: + return "", fmt.Errorf("could not process type: %s", kind) + } +} + func buildOriginRegex(origin string) string { origin = regexp.QuoteMeta(origin) origin = strings.Replace(origin, "\\*", `[A-Za-z0-9\-]+`, 1) diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go index 6553f5daf..3089e3b32 100644 --- a/internal/ingress/controller/template/template_test.go +++ b/internal/ingress/controller/template/template_test.go @@ -537,7 +537,10 @@ func TestBuildAuthResponseHeaders(t *testing.T) { func TestBuildAuthResponseLua(t *testing.T) { externalAuthResponseHeaders := []string{"h1", "H-With-Caps-And-Dashes"} - expected := "h1,H-With-Caps-And-Dashes" + expected := []string{ + "ngx.var.authHeader0 = res.header['h1']", + "ngx.var.authHeader1 = res.header['H-With-Caps-And-Dashes']", + } headers := buildAuthUpstreamLuaHeaders(externalAuthResponseHeaders) @@ -1923,6 +1926,89 @@ func TestBuildServerName(t *testing.T) { } } +func TestParseComplexNginxVarIntoLuaTable(t *testing.T) { + testCases := []struct { + ngxVar string + expectedLuaTable string + }{ + {"foo", `{ { nil, nil, nil, "foo", }, }`}, + {"$foo", `{ { nil, nil, "foo", nil, }, }`}, + {"${foo}", `{ { nil, "foo", nil, nil, }, }`}, + {"\\$foo", `{ { "\$foo", nil, nil, nil, }, }`}, + { + "foo\\$bar$baz${daz}xiyar$pomidor", + `{ { nil, nil, nil, "foo", }, { "\$bar", nil, nil, nil, }, { nil, nil, "baz", nil, }, ` + + `{ nil, "daz", nil, nil, }, { nil, nil, nil, "xiyar", }, { nil, nil, "pomidor", nil, }, }`, + }, + } + + for _, testCase := range testCases { + actualLuaTable := parseComplexNginxVarIntoLuaTable(testCase.ngxVar) + if actualLuaTable != testCase.expectedLuaTable { + t.Errorf("expected %v but returned %v", testCase.expectedLuaTable, actualLuaTable) + } + } +} + +func TestConvertGoSliceIntoLuaTablet(t *testing.T) { + testCases := []struct { + title string + goSlice interface{} + emptyStringAsNil bool + expectedLuaTable string + expectedErr error + }{ + { + "flat string slice", + []string{"one", "two", "three"}, + false, + `{ "one", "two", "three", }`, + nil, + }, + { + "nested string slice", + [][]string{{"one", "", "three"}, {"foo", "bar"}}, + false, + `{ { "one", "", "three", }, { "foo", "bar", }, }`, + nil, + }, + { + "converts empty string to nil when enabled", + [][]string{{"one", "", "three"}, {"foo", "bar"}}, + true, + `{ { "one", nil, "three", }, { "foo", "bar", }, }`, + nil, + }, + { + "boolean slice", + []bool{true, true, false}, + false, + `{ true, true, false, }`, + nil, + }, + { + "integer slice", + []int{4, 3, 6}, + false, + `{ 4, 3, 6, }`, + nil, + }, + } + + for _, testCase := range testCases { + actualLuaTable, err := convertGoSliceIntoLuaTable(testCase.goSlice, testCase.emptyStringAsNil) + if testCase.expectedErr != nil && err != nil && testCase.expectedErr.Error() != err.Error() { + t.Errorf("expected error '%v' but returned '%v'", testCase.expectedErr, err) + } + if testCase.expectedErr == nil && err != nil { + t.Errorf("expected error to be nil but returned '%v'", err) + } + if testCase.expectedLuaTable != actualLuaTable { + t.Errorf("%v: expected '%v' but returned '%v'", testCase.title, testCase.expectedLuaTable, actualLuaTable) + } + } +} + func TestCleanConf(t *testing.T) { testDataDir, err := getTestDataDir() if err != nil { diff --git a/internal/ingress/controller/util.go b/internal/ingress/controller/util.go index 975fb822a..79bf931ef 100644 --- a/internal/ingress/controller/util.go +++ b/internal/ingress/controller/util.go @@ -98,9 +98,8 @@ func rlimitMaxNumFiles() int { } const ( - defBinary = "/usr/bin/nginx" - cfgPath = "/etc/nginx/nginx.conf" - luaCfgPath = "/etc/nginx/lua/cfg.json" + defBinary = "/usr/bin/nginx" + cfgPath = "/etc/nginx/nginx.conf" ) // NginxExecTester defines the interface to execute diff --git a/internal/ingress/defaults/main.go b/internal/ingress/defaults/main.go index bec1b08e2..cfad388ef 100644 --- a/internal/ingress/defaults/main.go +++ b/internal/ingress/defaults/main.go @@ -69,11 +69,6 @@ type Backend struct { // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) ProxyBufferSize string `json:"proxy-buffer-size"` - // Limits the total size of buffers that can be busy sending a response to the client while - // the response is not yet fully read. - // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_busy_buffers_size - ProxyBusyBuffersSize string `json:"proxy-busy-buffers-size"` - // Sets a text that should be changed in the path attribute of the “Set-Cookie” header fields of // a proxied server response. // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_path @@ -130,11 +125,6 @@ type Backend struct { // Default: false UsePortInRedirects bool `json:"use-port-in-redirects"` - // Enables or disables relative redirects. By default nginx uses absolute redirects. - // http://nginx.org/en/docs/http/ngx_http_core_module.html#absolute_redirect - // Default: false - RelativeRedirects bool `json:"relative-redirects"` - // Enable stickiness by client-server mapping based on a NGINX variable, text or a combination of both. // A consistent hashing method will be used which ensures only a few keys would be remapped to different // servers on upstream group changes diff --git a/internal/ingress/metric/collectors/socket.go b/internal/ingress/metric/collectors/socket.go index 0bdd816ae..248f23f63 100644 --- a/internal/ingress/metric/collectors/socket.go +++ b/internal/ingress/metric/collectors/socket.go @@ -64,10 +64,11 @@ type metricMapping map[string]prometheus.Collector type SocketCollector struct { prometheus.Collector - connectTime *prometheus.HistogramVec - headerTime *prometheus.HistogramVec - requestTime *prometheus.HistogramVec - responseTime *prometheus.HistogramVec + upstreamLatency *prometheus.SummaryVec // TODO: DEPRECATED, remove + connectTime *prometheus.HistogramVec + headerTime *prometheus.HistogramVec + requestTime *prometheus.HistogramVec + responseTime *prometheus.HistogramVec requestLength *prometheus.HistogramVec responseLength *prometheus.HistogramVec @@ -81,9 +82,8 @@ type SocketCollector struct { hosts sets.Set[string] - metricsPerHost bool - metricsPerUndefinedHost bool - reportStatusClasses bool + metricsPerHost bool + reportStatusClasses bool } var requestTags = []string{ @@ -98,9 +98,13 @@ var requestTags = []string{ "canary", } +// DefObjectives was removed in https://github.com/prometheus/client_golang/pull/262 +// updating the library to latest version changed the output of the metrics +var defObjectives = map[float64]float64{0.5: 0.05, 0.9: 0.01, 0.99: 0.001} + // NewSocketCollector creates a new SocketCollector instance using // the ingress watch namespace and class used by the controller -func NewSocketCollector(pod, namespace, class string, metricsPerHost, metricsPerUndefinedHost, reportStatusClasses bool, buckets HistogramBuckets, bucketFactor float64, maxBuckets uint32, excludeMetrics []string) (*SocketCollector, error) { +func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStatusClasses bool, buckets HistogramBuckets, excludeMetrics []string) (*SocketCollector, error) { socket := "/tmp/nginx/prometheus-nginx.socket" // unix sockets must be unlink()ed before being used //nolint:errcheck // Ignore unlink error @@ -140,19 +144,16 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, metricsPer sc := &SocketCollector{ listener: listener, - metricsPerHost: metricsPerHost, - metricsPerUndefinedHost: metricsPerUndefinedHost, - reportStatusClasses: reportStatusClasses, + metricsPerHost: metricsPerHost, + reportStatusClasses: reportStatusClasses, connectTime: histogramMetric( &prometheus.HistogramOpts{ - Name: "connect_duration_seconds", - Help: "The time spent on establishing a connection with the upstream server", - Namespace: PrometheusNamespace, - ConstLabels: constLabels, - Buckets: buckets.TimeBuckets, - NativeHistogramBucketFactor: bucketFactor, - NativeHistogramMaxBucketNumber: maxBuckets, + Name: "connect_duration_seconds", + Help: "The time spent on establishing a connection with the upstream server", + Namespace: PrometheusNamespace, + ConstLabels: constLabels, + Buckets: buckets.TimeBuckets, }, requestTags, em, @@ -161,13 +162,11 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, metricsPer headerTime: histogramMetric( &prometheus.HistogramOpts{ - Name: "header_duration_seconds", - Help: "The time spent on receiving first header from the upstream server", - Namespace: PrometheusNamespace, - ConstLabels: constLabels, - Buckets: buckets.TimeBuckets, - NativeHistogramBucketFactor: bucketFactor, - NativeHistogramMaxBucketNumber: maxBuckets, + Name: "header_duration_seconds", + Help: "The time spent on receiving first header from the upstream server", + Namespace: PrometheusNamespace, + ConstLabels: constLabels, + Buckets: buckets.TimeBuckets, }, requestTags, em, @@ -175,13 +174,11 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, metricsPer ), responseTime: histogramMetric( &prometheus.HistogramOpts{ - Name: "response_duration_seconds", - Help: "The time spent on receiving the response from the upstream server", - Namespace: PrometheusNamespace, - ConstLabels: constLabels, - Buckets: buckets.TimeBuckets, - NativeHistogramBucketFactor: bucketFactor, - NativeHistogramMaxBucketNumber: maxBuckets, + Name: "response_duration_seconds", + Help: "The time spent on receiving the response from the upstream server", + Namespace: PrometheusNamespace, + ConstLabels: constLabels, + Buckets: buckets.TimeBuckets, }, requestTags, em, @@ -190,13 +187,11 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, metricsPer requestTime: histogramMetric( &prometheus.HistogramOpts{ - Name: "request_duration_seconds", - Help: "The request processing time in milliseconds", - Namespace: PrometheusNamespace, - ConstLabels: constLabels, - Buckets: buckets.TimeBuckets, - NativeHistogramBucketFactor: bucketFactor, - NativeHistogramMaxBucketNumber: maxBuckets, + Name: "request_duration_seconds", + Help: "The request processing time in milliseconds", + Namespace: PrometheusNamespace, + ConstLabels: constLabels, + Buckets: buckets.TimeBuckets, }, requestTags, em, @@ -205,13 +200,11 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, metricsPer responseLength: histogramMetric( &prometheus.HistogramOpts{ - Name: "response_size", - Help: "The response length (including request line, header, and request body)", - Namespace: PrometheusNamespace, - ConstLabels: constLabels, - Buckets: buckets.LengthBuckets, - NativeHistogramBucketFactor: bucketFactor, - NativeHistogramMaxBucketNumber: maxBuckets, + Name: "response_size", + Help: "The response length (including request line, header, and request body)", + Namespace: PrometheusNamespace, + ConstLabels: constLabels, + Buckets: buckets.LengthBuckets, }, requestTags, em, @@ -220,13 +213,11 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, metricsPer requestLength: histogramMetric( &prometheus.HistogramOpts{ - Name: "request_size", - Help: "The request length (including request line, header, and request body)", - Namespace: PrometheusNamespace, - ConstLabels: constLabels, - Buckets: buckets.LengthBuckets, - NativeHistogramBucketFactor: bucketFactor, - NativeHistogramMaxBucketNumber: maxBuckets, + Name: "request_size", + Help: "The request length (including request line, header, and request body)", + Namespace: PrometheusNamespace, + ConstLabels: constLabels, + Buckets: buckets.LengthBuckets, }, requestTags, em, @@ -257,6 +248,19 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, metricsPer em, mm, ), + + upstreamLatency: summaryMetric( + &prometheus.SummaryOpts{ + Name: "ingress_upstream_latency_seconds", + Help: "DEPRECATED Upstream service latency per Ingress", + Namespace: PrometheusNamespace, + ConstLabels: constLabels, + Objectives: defObjectives, + }, + []string{"ingress", "namespace", "service", "canary"}, + em, + mm, + ), } sc.metricMapping = mm @@ -271,6 +275,18 @@ func containsMetric(excludeMetrics map[string]struct{}, name string) bool { return false } +func summaryMetric(opts *prometheus.SummaryOpts, requestTags []string, excludeMetrics map[string]struct{}, metricMapping metricMapping) *prometheus.SummaryVec { + if containsMetric(excludeMetrics, opts.Name) { + return nil + } + m := prometheus.NewSummaryVec( + *opts, + requestTags, + ) + metricMapping[prometheus.BuildFQName(PrometheusNamespace, "", opts.Name)] = m + return m +} + func counterMetric(opts *prometheus.CounterOpts, requestTags []string, excludeMetrics map[string]struct{}, metricMapping metricMapping) *prometheus.CounterVec { if containsMetric(excludeMetrics, opts.Name) { return nil @@ -308,8 +324,8 @@ func (sc *SocketCollector) handleMessage(msg []byte) { for i := range statsBatch { stats := &statsBatch[i] - if sc.metricsPerHost && !sc.hosts.Has(stats.Host) && !sc.metricsPerUndefinedHost { - klog.V(3).InfoS("Skipping metric for host not explicitly defined in an ingress", "host", stats.Host) + if sc.metricsPerHost && !sc.hosts.Has(stats.Host) { + klog.V(3).InfoS("Skipping metric for host not being served", "host", stats.Host) continue } @@ -342,6 +358,13 @@ func (sc *SocketCollector) handleMessage(msg []byte) { collectorLabels["host"] = stats.Host } + latencyLabels := prometheus.Labels{ + "namespace": stats.Namespace, + "ingress": stats.Ingress, + "service": stats.Service, + "canary": stats.Canary, + } + if sc.requests != nil { requestsMetric, err := sc.requests.GetMetricWith(collectorLabels) if err != nil { @@ -360,6 +383,15 @@ func (sc *SocketCollector) handleMessage(msg []byte) { connectTimeMetric.Observe(stats.Latency) } } + + if sc.upstreamLatency != nil { + latencyMetric, err := sc.upstreamLatency.GetMetricWith(latencyLabels) + if err != nil { + klog.ErrorS(err, "Error fetching latency metric") + } else { + latencyMetric.Observe(stats.Latency) + } + } } if stats.HeaderTime != -1 && sc.headerTime != nil { diff --git a/internal/ingress/metric/collectors/socket_test.go b/internal/ingress/metric/collectors/socket_test.go index 3a1f29f35..2113b4725 100644 --- a/internal/ingress/metric/collectors/socket_test.go +++ b/internal/ingress/metric/collectors/socket_test.go @@ -83,19 +83,15 @@ func TestCollector(t *testing.T) { prometheus.ExponentialBuckets(10, 10, 7), } - bucketFactor := 1.1 - maxBuckets := uint32(100) - cases := []struct { - name string - data []string - metrics []string - metricsPerUndefinedHost bool - useStatusClasses bool - excludeMetrics []string - wantBefore string - removeIngresses []string - wantAfter string + name string + data []string + metrics []string + useStatusClasses bool + excludeMetrics []string + wantBefore string + removeIngresses []string + wantAfter string }{ { name: "invalid metric object should not increase prometheus metrics", @@ -592,69 +588,13 @@ func TestCollector(t *testing.T) { nginx_ingress_controller_response_duration_seconds_count{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx"} 1 `, }, - { - name: "metrics with a host should not be dropped when the host is not in the hosts slice but metricsPerUndefinedHost is true", - data: []string{`[{ - "host":"wildcard.testshop.com", - "status":"200", - "bytesSent":150.0, - "method":"GET", - "path":"/admin", - "requestLength":300.0, - "requestTime":60.0, - "upstreamLatency":1.0, - "upstreamHeaderTime":5.0, - "upstreamName":"test-upstream", - "upstreamIP":"1.1.1.1:8080", - "upstreamResponseTime":200, - "upstreamStatus":"220", - "namespace":"test-app-production", - "ingress":"web-yml", - "service":"test-app", - "canary":"" - }]`}, - excludeMetrics: []string{"response_duration_seconds2", "test.*", "nginx_ingress_.*", "response_duration_secon"}, - metrics: []string{"nginx_ingress_controller_requests"}, - metricsPerUndefinedHost: true, - useStatusClasses: true, - wantBefore: ` - # HELP nginx_ingress_controller_requests The total number of client requests - # TYPE nginx_ingress_controller_requests counter - nginx_ingress_controller_requests{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="wildcard.testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx"} 1 - `, - }, - { - name: "metrics with a host should be dropped when the host is not in the hosts slice", - data: []string{`[{ - "host":"wildcard.testshop.com", - "status":"200", - "bytesSent":150.0, - "method":"GET", - "path":"/admin", - "requestLength":300.0, - "requestTime":60.0, - "upstreamLatency":1.0, - "upstreamHeaderTime":5.0, - "upstreamName":"test-upstream", - "upstreamIP":"1.1.1.1:8080", - "upstreamResponseTime":200, - "upstreamStatus":"220", - "namespace":"test-app-production", - "ingress":"web-yml", - "service":"test-app", - "canary":"" - }]`}, - excludeMetrics: []string{"response_duration_seconds2", "test.*", "nginx_ingress_.*", "response_duration_secon"}, - metrics: []string{"nginx_ingress_controller_requests"}, - useStatusClasses: true, - }, } for _, c := range cases { t.Run(c.name, func(t *testing.T) { registry := prometheus.NewPedanticRegistry() - sc, err := NewSocketCollector("pod", "default", "ingress", true, c.metricsPerUndefinedHost, c.useStatusClasses, buckets, bucketFactor, maxBuckets, c.excludeMetrics) + sc, err := NewSocketCollector("pod", "default", "ingress", true, c.useStatusClasses, buckets, c.excludeMetrics) if err != nil { t.Errorf("%v: unexpected error creating new SocketCollector: %v", c.name, err) } diff --git a/internal/ingress/metric/main.go b/internal/ingress/metric/main.go index 9ed401d19..93c31622c 100644 --- a/internal/ingress/metric/main.go +++ b/internal/ingress/metric/main.go @@ -71,7 +71,7 @@ type collector struct { } // NewCollector creates a new metric collector the for ingress controller -func NewCollector(metricsPerHost, metricsPerUndefinedHost, reportStatusClasses bool, registry *prometheus.Registry, ingressclass string, buckets collectors.HistogramBuckets, bucketFactor float64, maxBuckets uint32, excludedSocketMetrics []string) (Collector, error) { +func NewCollector(metricsPerHost, reportStatusClasses bool, registry *prometheus.Registry, ingressclass string, buckets collectors.HistogramBuckets, excludedSocketMetrics []string) (Collector, error) { podNamespace := os.Getenv("POD_NAMESPACE") if podNamespace == "" { podNamespace = "default" @@ -89,7 +89,7 @@ func NewCollector(metricsPerHost, metricsPerUndefinedHost, reportStatusClasses b return nil, err } - s, err := collectors.NewSocketCollector(podName, podNamespace, ingressclass, metricsPerHost, metricsPerUndefinedHost, reportStatusClasses, buckets, bucketFactor, maxBuckets, excludedSocketMetrics) + s, err := collectors.NewSocketCollector(podName, podNamespace, ingressclass, metricsPerHost, reportStatusClasses, buckets, excludedSocketMetrics) if err != nil { return nil, err } diff --git a/internal/ingress/resolver/mock.go b/internal/ingress/resolver/mock.go index 3abfe7eda..64c4c79a7 100644 --- a/internal/ingress/resolver/mock.go +++ b/internal/ingress/resolver/mock.go @@ -39,7 +39,7 @@ func (m Mock) GetDefaultBackend() defaults.Backend { func (m Mock) GetSecurityConfiguration() defaults.SecurityConfiguration { defRisk := m.AnnotationsRiskLevel if defRisk == "" { - defRisk = "High" + defRisk = "Critical" } return defaults.SecurityConfiguration{ AnnotationsRiskLevel: defRisk, diff --git a/magefiles/go.mod b/magefiles/go.mod index f11ab740e..9ee2bf363 100644 --- a/magefiles/go.mod +++ b/magefiles/go.mod @@ -1,6 +1,6 @@ module k8s.io/ingress-nginx/magefiles -go 1.23.6 +go 1.23.4 require ( github.com/blang/semver/v4 v4.0.0 diff --git a/magefiles/utils/helm.go b/magefiles/utils/helm.go index cb8acae57..dea68caab 100644 --- a/magefiles/utils/helm.go +++ b/magefiles/utils/helm.go @@ -31,6 +31,7 @@ type IngressChartValue struct { RunAsUser int `yaml:"runAsUser"` AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` } `yaml:"image"` + ExistingPsp string `yaml:"existingPsp"` ContainerName string `yaml:"containerName"` ContainerPort struct { HTTP int `yaml:"http"` @@ -207,6 +208,13 @@ type IngressChartValue struct { ExtraVolumes []interface{} `yaml:"extraVolumes"` ExtraInitContainers []interface{} `yaml:"extraInitContainers"` ExtraModules []interface{} `yaml:"extraModules"` + Opentelemetry struct { + Enabled bool `yaml:"enabled"` + Image string `yaml:"image"` + ContainerSecurityContext struct { + AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` + } `yaml:"containerSecurityContext"` + } `yaml:"opentelemetry"` AdmissionWebhooks struct { Annotations struct{} `yaml:"annotations"` Enabled bool `yaml:"enabled"` @@ -218,6 +226,7 @@ type IngressChartValue struct { NamespaceSelector struct{} `yaml:"namespaceSelector"` ObjectSelector struct{} `yaml:"objectSelector"` Labels struct{} `yaml:"labels"` + ExistingPsp string `yaml:"existingPsp"` NetworkPolicyEnabled bool `yaml:"networkPolicyEnabled"` Service struct { Annotations struct{} `yaml:"annotations"` @@ -320,6 +329,7 @@ type IngressChartValue struct { ReadOnlyRootFilesystem bool `yaml:"readOnlyRootFilesystem"` AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` } `yaml:"image"` + ExistingPsp string `yaml:"existingPsp"` ExtraArgs struct{} `yaml:"extraArgs"` ServiceAccount struct { Create bool `yaml:"create"` @@ -378,6 +388,9 @@ type IngressChartValue struct { Create bool `yaml:"create"` Scope bool `yaml:"scope"` } `yaml:"rbac"` + PodSecurityPolicy struct { + Enabled bool `yaml:"enabled"` + } `yaml:"podSecurityPolicy"` ServiceAccount struct { Create bool `yaml:"create"` Name string `yaml:"name"` diff --git a/mkdocs.yml b/mkdocs.yml index b59546c9c..4b010c5ff 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -50,7 +50,6 @@ theme: - navigation.tabs.sticky - navigation.instant - navigation.sections - - content.code.copy palette: primary: "teal" @@ -125,6 +124,7 @@ nav: - Rewrite: "examples/rewrite/README.md" - Static IPs: "examples/static-ip/README.md" - TLS termination: "examples/tls-termination/README.md" + - Pod Security Policy (PSP): "examples/psp/README.md" - Open Policy Agent rules: "examples/openpolicyagent/README.md" - Canary Deployments: "examples/canary/README.md" - Developer Guide: diff --git a/pkg/apis/ingress/types.go b/pkg/apis/ingress/types.go index ccdd49fe9..c6be89c6a 100644 --- a/pkg/apis/ingress/types.go +++ b/pkg/apis/ingress/types.go @@ -29,6 +29,7 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations/cors" "k8s.io/ingress-nginx/internal/ingress/annotations/customheaders" "k8s.io/ingress-nginx/internal/ingress/annotations/fastcgi" + "k8s.io/ingress-nginx/internal/ingress/annotations/globalratelimit" "k8s.io/ingress-nginx/internal/ingress/annotations/ipallowlist" "k8s.io/ingress-nginx/internal/ingress/annotations/ipdenylist" "k8s.io/ingress-nginx/internal/ingress/annotations/log" @@ -284,6 +285,10 @@ type Location struct { // The Redirect annotation precedes RateLimit // +optional RateLimit ratelimit.Config `json:"rateLimit,omitempty"` + // GlobalRateLimit similar to RateLimit + // but this is applied globally across multiple replicas. + // +optional + GlobalRateLimit globalratelimit.Config `json:"globalRateLimit,omitempty"` // Redirect describes a temporal o permanent redirection this location. // +optional Redirect redirect.Config `json:"redirect,omitempty"` diff --git a/pkg/apis/ingress/types_equals.go b/pkg/apis/ingress/types_equals.go index 6fba3bd45..eeed9a06e 100644 --- a/pkg/apis/ingress/types_equals.go +++ b/pkg/apis/ingress/types_equals.go @@ -390,6 +390,9 @@ func (l1 *Location) Equal(l2 *Location) bool { if !(&l1.RateLimit).Equal(&l2.RateLimit) { return false } + if !(&l1.GlobalRateLimit).Equal(&l2.GlobalRateLimit) { + return false + } if !(&l1.Redirect).Equal(&l2.Redirect) { return false } @@ -467,10 +470,6 @@ func (l1 *Location) Equal(l2 *Location) bool { return false } - if !l1.CustomHeaders.Equal(&l2.CustomHeaders) { - return false - } - return true } diff --git a/pkg/flags/flags.go b/pkg/flags/flags.go index ce24160fd..92b819c74 100644 --- a/pkg/flags/flags.go +++ b/pkg/flags/flags.go @@ -17,7 +17,6 @@ limitations under the License. package flags import ( - "errors" "flag" "fmt" "net" @@ -159,8 +158,8 @@ Requires the update-status parameter.`) annotationsPrefix = flags.String("annotations-prefix", parser.DefaultAnnotationsPrefix, `Prefix of the Ingress annotations specific to the NGINX controller.`) - enableAnnotationValidation = flags.Bool("enable-annotation-validation", true, - `If true, will enable the annotation validation feature. Defaults to true`) + enableAnnotationValidation = flags.Bool("enable-annotation-validation", false, + `If true, will enable the annotation validation feature. This value will be defaulted to true on a future release`) enableSSLChainCompletion = flags.Bool("enable-ssl-chain-completion", false, `Autocomplete SSL certificate chains with missing intermediate CA certificates. @@ -174,20 +173,16 @@ extension for this to succeed.`) `Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies. Requires the update-status parameter.`) - enableMetrics = flags.Bool("enable-metrics", false, + enableMetrics = flags.Bool("enable-metrics", true, `Enables the collection of NGINX metrics.`) metricsPerHost = flags.Bool("metrics-per-host", true, `Export metrics per-host.`) - metricsPerUndefinedHost = flags.Bool("metrics-per-undefined-host", false, - `Export metrics per-host even if the host is not defined in an ingress. Requires --metrics-per-host to be set to true.`) reportStatusClasses = flags.Bool("report-status-classes", false, `Use status classes (2xx, 3xx, 4xx and 5xx) instead of status codes in metrics.`) timeBuckets = flags.Float64Slice("time-buckets", prometheus.DefBuckets, "Set of buckets which will be used for prometheus histogram metrics such as RequestTime, ResponseTime.") lengthBuckets = flags.Float64Slice("length-buckets", prometheus.LinearBuckets(10, 10, 10), "Set of buckets which will be used for prometheus histogram metrics such as RequestLength, ResponseLength.") sizeBuckets = flags.Float64Slice("size-buckets", prometheus.ExponentialBuckets(10, 10, 7), "Set of buckets which will be used for prometheus histogram metrics such as BytesSent.") - bucketFactor = flags.Float64("bucket-factor", 0, "Bucket factor for native histograms. Value must be > 1 for enabling native histograms.") - maxBuckets = flags.Uint32("max-buckets", 100, "Maximum number of buckets for native histograms.") excludeSocketMetrics = flags.StringSlice("exclude-socket-metrics", []string{}, "et of socket request metrics to exclude which won't be exported nor being calculated. E.g. 'nginx_ingress_controller_success,nginx_ingress_controller_header_duration_seconds'.") monitorMaxBatchSize = flags.Int("monitor-max-batch-size", 10000, "Max batch size of NGINX metrics.") @@ -322,10 +317,6 @@ https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geol } } - if *metricsPerUndefinedHost && !*metricsPerHost { - return false, nil, errors.New("--metrics-per-undefined-host=true must be passed with --metrics-per-host=true") - } - if *electionTTL <= 0 { *electionTTL = 30 * time.Second } @@ -347,10 +338,7 @@ https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geol EnableProfiling: *profiling, EnableMetrics: *enableMetrics, MetricsPerHost: *metricsPerHost, - MetricsPerUndefinedHost: *metricsPerUndefinedHost, MetricsBuckets: histogramBuckets, - MetricsBucketFactor: *bucketFactor, - MetricsMaxBuckets: *maxBuckets, ReportStatusClasses: *reportStatusClasses, ExcludeSocketMetrics: *excludeSocketMetrics, MonitorMaxBatchSize: *monitorMaxBatchSize, diff --git a/pkg/flags/flags_test.go b/pkg/flags/flags_test.go index fdf153021..e51d5fa6c 100644 --- a/pkg/flags/flags_test.go +++ b/pkg/flags/flags_test.go @@ -212,29 +212,3 @@ func TestLeaderElectionTTLParseValueInHours(t *testing.T) { t.Fatalf("Expected --election-ttl and conf.ElectionTTL as 1h, but found: %v", conf.ElectionTTL) } } - -func TestMetricsPerUndefinedHost(t *testing.T) { - ResetForTesting(func() { t.Fatal("Parsing failed") }) - - oldArgs := os.Args - defer func() { os.Args = oldArgs }() - os.Args = []string{"cmd", "--metrics-per-undefined-host=true"} - - _, _, err := ParseFlags() - if err != nil { - t.Fatalf("Expected no error but got: %s", err) - } -} - -func TestMetricsPerUndefinedHostWithMetricsPerHostFalse(t *testing.T) { - ResetForTesting(func() { t.Fatal("Parsing failed") }) - - oldArgs := os.Args - defer func() { os.Args = oldArgs }() - os.Args = []string{"cmd", "--metrics-per-host=false", "--metrics-per-undefined-host=true"} - - _, _, err := ParseFlags() - if err == nil { - t.Fatalf("Expected an error parsing flags but none returned") - } -} diff --git a/rootfs/etc/nginx/lua/global_throttle.lua b/rootfs/etc/nginx/lua/global_throttle.lua new file mode 100644 index 000000000..bea8cfd17 --- /dev/null +++ b/rootfs/etc/nginx/lua/global_throttle.lua @@ -0,0 +1,131 @@ +local resty_global_throttle = require("resty.global_throttle") +local resty_ipmatcher = require("resty.ipmatcher") +local util = require("util") + +local ngx = ngx +local ngx_exit = ngx.exit +local ngx_log = ngx.log +local ngx_ERR = ngx.ERR +local ngx_INFO = ngx.INFO + +local _M = {} + +local DECISION_CACHE = ngx.shared.global_throttle_cache + +-- it does not make sense to cache decision for too little time +-- the benefit of caching likely is negated if we cache for too little time +-- Lua Shared Dict's time resolution for expiry is 0.001. +local CACHE_THRESHOLD = 0.001 + +local DEFAULT_RAW_KEY = "remote_addr" + +local function should_ignore_request(ignored_cidrs) + if not ignored_cidrs or #ignored_cidrs == 0 then + return false + end + + local ignored_cidrs_matcher, err = resty_ipmatcher.new(ignored_cidrs) + if not ignored_cidrs_matcher then + ngx_log(ngx_ERR, "failed to initialize resty-ipmatcher: ", err) + return false + end + + local is_ignored + is_ignored, err = ignored_cidrs_matcher:match(ngx.var.remote_addr) + if err then + ngx_log(ngx_ERR, "failed to match ip: '", + ngx.var.remote_addr, "': ", err) + return false + end + + return is_ignored +end + +local function is_enabled(config, location_config) + if config.memcached.host == "" or config.memcached.port == 0 then + return false + end + if location_config.limit == 0 or + location_config.window_size == 0 then + return false + end + + if should_ignore_request(location_config.ignored_cidrs) then + return false + end + + return true +end + +local function get_namespaced_key_value(namespace, key_value) + return namespace .. key_value +end + +function _M.throttle(config, location_config) + if not is_enabled(config, location_config) then + return + end + + local key_value = util.generate_var_value(location_config.key) + if not key_value or key_value == "" then + key_value = ngx.var[DEFAULT_RAW_KEY] + end + + local namespaced_key_value = + get_namespaced_key_value(location_config.namespace, key_value) + + local is_limit_exceeding = DECISION_CACHE:get(namespaced_key_value) + if is_limit_exceeding then + ngx.var.global_rate_limit_exceeding = "c" + return ngx_exit(config.status_code) + end + + local my_throttle, err = resty_global_throttle.new( + location_config.namespace, + location_config.limit, + location_config.window_size, + { + provider = "memcached", + host = config.memcached.host, + port = config.memcached.port, + connect_timeout = config.memcached.connect_timeout, + max_idle_timeout = config.memcached.max_idle_timeout, + pool_size = config.memcached.pool_size, + } + ) + if err then + ngx.log(ngx.ERR, "faled to initialize resty_global_throttle: ", err) + -- fail open + return + end + + local desired_delay, estimated_final_count + estimated_final_count, desired_delay, err = my_throttle:process(key_value) + if err then + ngx.log(ngx.ERR, "error while processing key: ", err) + -- fail open + return + end + + if desired_delay then + if desired_delay > CACHE_THRESHOLD then + local ok + ok, err = + DECISION_CACHE:safe_add(namespaced_key_value, true, desired_delay) + if not ok then + if err ~= "exists" then + ngx_log(ngx_ERR, "failed to cache decision: ", err) + end + end + end + + ngx.var.global_rate_limit_exceeding = "y" + ngx_log(ngx_INFO, "limit is exceeding for ", + location_config.namespace, "/", key_value, + " with estimated_final_count: ", estimated_final_count) + + return ngx_exit(config.status_code) + end +end + +return _M diff --git a/rootfs/etc/nginx/lua/lua_ingress.lua b/rootfs/etc/nginx/lua/lua_ingress.lua index a513928cf..49e0f5b05 100644 --- a/rootfs/etc/nginx/lua/lua_ingress.lua +++ b/rootfs/etc/nginx/lua/lua_ingress.lua @@ -1,8 +1,8 @@ local ngx_re_split = require("ngx.re").split -local string_to_bool = require("util").string_to_bool local certificate_configured_for_current_request = require("certificate").configured_for_current_request +local global_throttle = require("global_throttle") local ngx = ngx local io = io @@ -109,16 +109,7 @@ end -- rewrite gets called in every location context. -- This is where we do variable assignments to be used in subsequent -- phases or redirection -function _M.rewrite() - - local location_config = { - force_ssl_redirect = string_to_bool(ngx.var.force_ssl_redirect), - ssl_redirect = string_to_bool(ngx.var.ssl_redirect), - force_no_ssl_redirect = string_to_bool(ngx.var.force_no_ssl_redirect), - preserve_trailing_slash = string_to_bool(ngx.var.preserve_trailing_slash), - use_port_in_redirects = string_to_bool(ngx.var.use_port_in_redirects), - } - +function _M.rewrite(location_config) ngx.var.pass_access_scheme = ngx.var.scheme ngx.var.best_http_host = ngx.var.http_host or ngx.var.host @@ -173,6 +164,7 @@ function _M.rewrite() return ngx_redirect(uri, config.http_redirect_code) end + global_throttle.throttle(config.global_throttle, location_config.global_throttle) end function _M.header() diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_balancer.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_balancer.lua deleted file mode 100644 index 977d3e964..000000000 --- a/rootfs/etc/nginx/lua/nginx/ngx_conf_balancer.lua +++ /dev/null @@ -1,2 +0,0 @@ -local balancer = require("balancer") -balancer.balance() \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_balancer_tcp_udp.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_balancer_tcp_udp.lua deleted file mode 100644 index 0442df7d8..000000000 --- a/rootfs/etc/nginx/lua/nginx/ngx_conf_balancer_tcp_udp.lua +++ /dev/null @@ -1,2 +0,0 @@ -local tcp_udp_balancer = require("tcp_udp_balancer") -tcp_udp_balancer.balance() \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_certificate.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_certificate.lua deleted file mode 100644 index d33d2171b..000000000 --- a/rootfs/etc/nginx/lua/nginx/ngx_conf_certificate.lua +++ /dev/null @@ -1,2 +0,0 @@ -local certificate = require("certificate") -certificate.call() \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_configuration.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_configuration.lua deleted file mode 100644 index 7864f40ef..000000000 --- a/rootfs/etc/nginx/lua/nginx/ngx_conf_configuration.lua +++ /dev/null @@ -1,2 +0,0 @@ -local configuration = require("configuration") -configuration.call() \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_content_tcp_udp.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_content_tcp_udp.lua deleted file mode 100644 index ed81e7ff3..000000000 --- a/rootfs/etc/nginx/lua/nginx/ngx_conf_content_tcp_udp.lua +++ /dev/null @@ -1,2 +0,0 @@ -local tcp_udp_configuration = require("tcp_udp_configuration") -tcp_udp_configuration.call() \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_external_auth.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_external_auth.lua deleted file mode 100644 index 6c68cf07c..000000000 --- a/rootfs/etc/nginx/lua/nginx/ngx_conf_external_auth.lua +++ /dev/null @@ -1,30 +0,0 @@ -local auth_path = ngx.var.auth_path -local auth_keepalive_share_vars = ngx.var.auth_keepalive_share_vars -local auth_response_headers = ngx.var.auth_response_headers -local ngx_re_split = require("ngx.re").split -local ipairs = ipairs -local ngx_log = ngx.log -local ngx_ERR = ngx.ERR - -local res = ngx.location.capture(auth_path, { - method = ngx.HTTP_GET, body = '', - share_all_vars = auth_keepalive_share_vars }) - -if res.status == ngx.HTTP_OK then - local header_parts, err = ngx_re_split(auth_response_headers, ",") - if err then - ngx_log(ngx_ERR, err) - return - end - ngx.var.auth_cookie = res.header['Set-Cookie'] - for i, header_name in ipairs(header_parts) do - local varname = "authHeader" .. tostring(i) - ngx.var[varname] = res.header[header_name] - end - return -end - -if res.status == ngx.HTTP_UNAUTHORIZED or res.status == ngx.HTTP_FORBIDDEN then - ngx.exit(res.status) -end -ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR) \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_init_tcp_udp.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_init_tcp_udp.lua deleted file mode 100644 index 926ab7a03..000000000 --- a/rootfs/etc/nginx/lua/nginx/ngx_conf_init_tcp_udp.lua +++ /dev/null @@ -1,2 +0,0 @@ -local tcp_udp_balancer = require("tcp_udp_balancer") -tcp_udp_balancer.init_worker() \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_is_dynamic_lb_initialized.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_is_dynamic_lb_initialized.lua deleted file mode 100644 index ade3114b1..000000000 --- a/rootfs/etc/nginx/lua/nginx/ngx_conf_is_dynamic_lb_initialized.lua +++ /dev/null @@ -1,9 +0,0 @@ -local configuration = require("configuration") -local backend_data = configuration.get_backends_data() -if not backend_data then - ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR) - return -end - -ngx.say("OK") -ngx.exit(ngx.HTTP_OK) \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_log.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_log.lua deleted file mode 100644 index 8f3d57be6..000000000 --- a/rootfs/etc/nginx/lua/nginx/ngx_conf_log.lua +++ /dev/null @@ -1,2 +0,0 @@ -local monitor = require("monitor") -monitor.call() \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_log_block.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_log_block.lua deleted file mode 100644 index 72f6a6430..000000000 --- a/rootfs/etc/nginx/lua/nginx/ngx_conf_log_block.lua +++ /dev/null @@ -1,11 +0,0 @@ -local balancer = require("balancer") -local monitor = require("monitor") - -local luaconfig = ngx.shared.luaconfig -local enablemetrics = luaconfig:get("enablemetrics") - -balancer.log() - -if enablemetrics then - monitor.call() -end \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_rewrite_auth.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_rewrite_auth.lua deleted file mode 100644 index 0d16faba0..000000000 --- a/rootfs/etc/nginx/lua/nginx/ngx_conf_rewrite_auth.lua +++ /dev/null @@ -1 +0,0 @@ -ngx.var.cache_key = ngx.encode_base64(ngx.sha1_bin(ngx.var.tmp_cache_key)) \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_srv_hdr_filter.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_srv_hdr_filter.lua deleted file mode 100644 index 311a9b433..000000000 --- a/rootfs/etc/nginx/lua/nginx/ngx_conf_srv_hdr_filter.lua +++ /dev/null @@ -1,2 +0,0 @@ -local lua_ingress = require("lua_ingress") -lua_ingress.header() \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_rewrite.lua b/rootfs/etc/nginx/lua/nginx/ngx_rewrite.lua deleted file mode 100644 index 66fdd6d55..000000000 --- a/rootfs/etc/nginx/lua/nginx/ngx_rewrite.lua +++ /dev/null @@ -1,5 +0,0 @@ -local lua_ingress = require("lua_ingress") -local balancer = require("balancer") - -lua_ingress.rewrite() -balancer.rewrite() \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/nginx/ngx_srv_redirect.lua b/rootfs/etc/nginx/lua/nginx/ngx_srv_redirect.lua deleted file mode 100644 index 4b9445d00..000000000 --- a/rootfs/etc/nginx/lua/nginx/ngx_srv_redirect.lua +++ /dev/null @@ -1,24 +0,0 @@ -local request_uri = ngx.var.request_uri -local redirect_to = ngx.arg[1] - -local luaconfig = ngx.shared.luaconfig -local use_forwarded_headers = luaconfig:get("use_forwarded_headers") - -if string.sub(request_uri, -1) == "/" then - request_uri = string.sub(request_uri, 1, -2) -end - -local redirectScheme = ngx.var.scheme -local redirectPort = ngx.var.server_port - -if use_forwarded_headers then - if ngx.var.http_x_forwarded_proto then - redirectScheme = ngx.var.http_x_forwarded_proto - end - if ngx.var.http_x_forwarded_port then - redirectPort = ngx.var.http_x_forwarded_port - end -end - -return string.format("%s://%s:%s%s", redirectScheme, - redirect_to, redirectPort, request_uri) \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/ngx_conf_init.lua b/rootfs/etc/nginx/lua/ngx_conf_init.lua deleted file mode 100644 index 9789386ac..000000000 --- a/rootfs/etc/nginx/lua/ngx_conf_init.lua +++ /dev/null @@ -1,53 +0,0 @@ -local cjson = require("cjson.safe") - -collectgarbage("collect") -local f = io.open("/etc/nginx/lua/cfg.json", "r") -local content = f:read("*a") -f:close() -local configfile = cjson.decode(content) - -local luaconfig = ngx.shared.luaconfig -luaconfig:set("enablemetrics", configfile.enable_metrics) -luaconfig:set("use_forwarded_headers", configfile.use_forwarded_headers) --- init modules -local ok, res -ok, res = pcall(require, "lua_ingress") -if not ok then - error("require failed: " .. tostring(res)) -else - lua_ingress = res - lua_ingress.set_config(configfile) -end -ok, res = pcall(require, "configuration") -if not ok then - error("require failed: " .. tostring(res)) -else - configuration = res - if not configfile.listen_ports.status_port then - error("required status port not found") - end - configuration.prohibited_localhost_port = configfile.listen_ports.status_port -end -ok, res = pcall(require, "balancer") -if not ok then - error("require failed: " .. tostring(res)) -else - balancer = res -end -if configfile.enable_metrics then - ok, res = pcall(require, "monitor") - if not ok then - error("require failed: " .. tostring(res)) - else - monitor = res - end -end -ok, res = pcall(require, "certificate") -if not ok then - error("require failed: " .. tostring(res)) -else - certificate = res - if configfile.enable_ocsp then - certificate.is_ocsp_stapling_enabled = configfile.enable_ocsp - end -end \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/ngx_conf_init_stream.lua b/rootfs/etc/nginx/lua/ngx_conf_init_stream.lua deleted file mode 100644 index a78062d0a..000000000 --- a/rootfs/etc/nginx/lua/ngx_conf_init_stream.lua +++ /dev/null @@ -1,30 +0,0 @@ -local cjson = require("cjson.safe") -collectgarbage("collect") -local f = io.open("/etc/nginx/lua/cfg.json", "r") -local content = f:read("*a") -f:close() -local configfile = cjson.decode(content) --- init modules -local ok, res -ok, res = pcall(require, "configuration") -if not ok then - error("require failed: " .. tostring(res)) -else - configuration = res -end -ok, res = pcall(require, "tcp_udp_configuration") -if not ok then - error("require failed: " .. tostring(res)) -else - tcp_udp_configuration = res - if not configfile.listen_ports.status_port then - error("required status port not found") - end - tcp_udp_configuration.prohibited_localhost_port = configfile.listen_ports.status_port -end -ok, res = pcall(require, "tcp_udp_balancer") -if not ok then - error("require failed: " .. tostring(res)) -else - tcp_udp_balancer = res -end diff --git a/rootfs/etc/nginx/lua/ngx_conf_init_worker.lua b/rootfs/etc/nginx/lua/ngx_conf_init_worker.lua deleted file mode 100644 index cba866136..000000000 --- a/rootfs/etc/nginx/lua/ngx_conf_init_worker.lua +++ /dev/null @@ -1,15 +0,0 @@ -local cjson = require("cjson.safe") - -local f = io.open("/etc/nginx/lua/cfg.json", "r") -local content = f:read("*a") -f:close() -local configfile = cjson.decode(content) - -local lua_ingress = require("lua_ingress") -local balancer = require("balancer") -local monitor = require("monitor") -lua_ingress.init_worker() -balancer.init_worker() -if configfile.enable_metrics and configfile.monitor_batch_max_size then - monitor.init_worker(configfile.monitor_batch_max_size) -end \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/plugins.lua b/rootfs/etc/nginx/lua/plugins.lua new file mode 100644 index 000000000..55e208a32 --- /dev/null +++ b/rootfs/etc/nginx/lua/plugins.lua @@ -0,0 +1,61 @@ +local require = require +local ngx = ngx +local ipairs = ipairs +local string_format = string.format +local ngx_log = ngx.log +local INFO = ngx.INFO +local ERR = ngx.ERR +local pcall = pcall + +local _M = {} +local MAX_NUMBER_OF_PLUGINS = 20 +local plugins = {} + +local function load_plugin(name) + local path = string_format("plugins.%s.main", name) + + local ok, plugin = pcall(require, path) + if not ok then + ngx_log(ERR, string_format("error loading plugin \"%s\": %s", path, plugin)) + return + end + local index = #plugins + if (plugin.name == nil or plugin.name == '') then + plugin.name = name + end + plugins[index + 1] = plugin +end + +function _M.init(names) + local count = 0 + for _, name in ipairs(names) do + if count >= MAX_NUMBER_OF_PLUGINS then + ngx_log(ERR, "the total number of plugins exceed the maximum number: ", MAX_NUMBER_OF_PLUGINS) + break + end + load_plugin(name) + count = count + 1 -- ignore loading failure, just count the total + end +end + +function _M.run() + local phase = ngx.get_phase() + + for _, plugin in ipairs(plugins) do + if plugin[phase] then + ngx_log(INFO, string_format("running plugin \"%s\" in phase \"%s\"", plugin.name, phase)) + + -- TODO: consider sandboxing this, should we? + -- probably yes, at least prohibit plugin from accessing env vars etc + -- but since the plugins are going to be installed by ingress-nginx + -- operator they can be assumed to be safe also + local ok, err = pcall(plugin[phase]) + if not ok then + ngx_log(ERR, string_format("error while running plugin \"%s\" in phase \"%s\": %s", + plugin.name, phase, err)) + end + end + end +end + +return _M diff --git a/rootfs/etc/nginx/lua/plugins/README.md b/rootfs/etc/nginx/lua/plugins/README.md new file mode 100644 index 000000000..64f4912f0 --- /dev/null +++ b/rootfs/etc/nginx/lua/plugins/README.md @@ -0,0 +1,36 @@ +# Custom Lua plugins + +ingress-nginx uses [https://github.com/openresty/lua-nginx-module](https://github.com/openresty/lua-nginx-module) to run custom Lua code +within Nginx workers. It is recommended to familiarize yourself with that ecosystem before deploying your custom Lua based ingress-nginx plugin. + +### Writing a plugin + +Every ingress-nginx Lua plugin is expected to have `main.lua` file and all of its dependencies. +`main.lua` is the entry point of the plugin. The plugin manager uses convention over configuration +strategy and automatically runs functions defined in `main.lua` in the corresponding Nginx phase based on their name. + +Nginx has different [request processing phases](https://nginx.org/en/docs/dev/development_guide.html#http_phases). +By defining functions with the following names, you can run your custom Lua code in the corresponding Nginx phase: + + - `init_worker`: useful for initializing some data per Nginx worker process + - `rewrite`: useful for modifying request, changing headers, redirection, dropping request, doing authentication etc + - `header_filter`: this is called when backend response header is received, it is useful for modifying response headers + - `body_filter`: this is called when response body is received, it is useful for logging response body + - `log`: this is called when request processing is completed and a response is delivered to the client + +Check this [`hello_world`](https://github.com/kubernetes/ingress-nginx/tree/main/rootfs/etc/nginx/lua/plugins/hello_world) plugin as a simple example or refer to [OpenID Connect integration](https://github.com/ElvinEfendi/ingress-nginx-openidc/tree/master/rootfs/etc/nginx/lua/plugins/openidc) for more advanced usage. + +Do not forget to write tests for your plugin. + +### Installing a plugin + +There are two options: + + - mount your plugin into `/etc/nginx/lua/plugins/` in the ingress-nginx pod + - build your own ingress-nginx image like it is done in the [example](https://github.com/ElvinEfendi/ingress-nginx-openidc/tree/master/rootfs/etc/nginx/lua/plugins/openidc) and install your plugin during image build + +Mounting is the quickest option. + +### Enabling plugins + +Once your plugin is ready you need to use [`plugins` configuration setting](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#plugins) to activate it. Let's say you want to activate `hello_world` and `open_idc` plugins, then you set `plugins` setting to `"hello_world, open_idc"`. _Note_ that the plugins will be executed in the given order. diff --git a/rootfs/etc/nginx/lua/plugins/hello_world/main.lua b/rootfs/etc/nginx/lua/plugins/hello_world/main.lua new file mode 100644 index 000000000..03316c3ee --- /dev/null +++ b/rootfs/etc/nginx/lua/plugins/hello_world/main.lua @@ -0,0 +1,13 @@ +local ngx = ngx + +local _M = {} + +function _M.rewrite() + local ua = ngx.var.http_user_agent + + if ua == "hello" then + ngx.req.set_header("x-hello-world", "1") + end +end + +return _M diff --git a/rootfs/etc/nginx/lua/plugins/hello_world/test/main_test.lua b/rootfs/etc/nginx/lua/plugins/hello_world/test/main_test.lua new file mode 100644 index 000000000..5eda52259 --- /dev/null +++ b/rootfs/etc/nginx/lua/plugins/hello_world/test/main_test.lua @@ -0,0 +1,24 @@ + +local main = require("plugins.hello_world.main") + +-- The unit tests are run within a timer phase in a headless Nginx process. +-- Since `set_header` and `ngx.var.http_` API are disabled in this phase we have to stub it +-- to avoid `API disabled in the current context` error. + +describe("main", function() + describe("rewrite", function() + it("sets x-hello-world header to 1 when user agent is hello", function() + ngx.var = { http_user_agent = "hello" } + stub(ngx.req, "set_header") + main.rewrite() + assert.stub(ngx.req.set_header).was_called_with("x-hello-world", "1") + end) + + it("does not set x-hello-world header to 1 when user agent is not hello", function() + ngx.var = { http_user_agent = "not-hello" } + stub(ngx.req, "set_header") + main.rewrite() + assert.stub(ngx.req.set_header).was_not_called_with("x-hello-world", "1") + end) + end) +end) diff --git a/rootfs/etc/nginx/lua/test/global_throttle_test.lua b/rootfs/etc/nginx/lua/test/global_throttle_test.lua new file mode 100644 index 000000000..b8db740ad --- /dev/null +++ b/rootfs/etc/nginx/lua/test/global_throttle_test.lua @@ -0,0 +1,258 @@ +local util = require("util") + +local function assert_request_rejected(config, location_config, opts) + stub(ngx, "exit") + + local global_throttle = require_without_cache("global_throttle") + assert.has_no.errors(function() + global_throttle.throttle(config, location_config) + end) + + assert.stub(ngx.exit).was_called_with(config.status_code) + if opts.with_cache then + assert.are.same("c", ngx.var.global_rate_limit_exceeding) + else + assert.are.same("y", ngx.var.global_rate_limit_exceeding) + end +end + +local function assert_request_not_rejected(config, location_config) + stub(ngx, "exit") + local cache_safe_add_spy = spy.on(ngx.shared.global_throttle_cache, "safe_add") + + local global_throttle = require_without_cache("global_throttle") + assert.has_no.errors(function() + global_throttle.throttle(config, location_config) + end) + + assert.stub(ngx.exit).was_not_called() + assert.is_nil(ngx.var.global_rate_limit_exceeding) + assert.spy(cache_safe_add_spy).was_not_called() +end + +local function assert_short_circuits(f) + local cache_get_spy = spy.on(ngx.shared.global_throttle_cache, "get") + + local resty_global_throttle = require_without_cache("resty.global_throttle") + local resty_global_throttle_new_spy = spy.on(resty_global_throttle, "new") + + local global_throttle = require_without_cache("global_throttle") + + f(global_throttle) + + assert.spy(resty_global_throttle_new_spy).was_not_called() + assert.spy(cache_get_spy).was_not_called() +end + +local function assert_fails_open(config, location_config, ...) + stub(ngx, "exit") + stub(ngx, "log") + + local global_throttle = require_without_cache("global_throttle") + + assert.has_no.errors(function() + global_throttle.throttle(config, location_config) + end) + + assert.stub(ngx.exit).was_not_called() + assert.stub(ngx.log).was_called_with(ngx.ERR, ...) + assert.is_nil(ngx.var.global_rate_limit_exceeding) +end + +local function stub_resty_global_throttle_process(ret1, ret2, ret3, f) + local resty_global_throttle = require_without_cache("resty.global_throttle") + local resty_global_throttle_mock = { + process = function(self, key) return ret1, ret2, ret3 end + } + stub(resty_global_throttle, "new", resty_global_throttle_mock) + + f() + + assert.stub(resty_global_throttle.new).was_called() +end + +local function cache_rejection_decision(namespace, key_value, desired_delay) + local namespaced_key_value = namespace .. key_value + local ok, err = ngx.shared.global_throttle_cache:safe_add(namespaced_key_value, true, desired_delay) + assert.is_nil(err) + assert.is_true(ok) + assert.is_true(ngx.shared.global_throttle_cache:get(namespaced_key_value)) +end + +describe("global_throttle", function() + local snapshot + + local NAMESPACE = "31285d47b1504dcfbd6f12c46d769f6e" + local LOCATION_CONFIG = { + namespace = NAMESPACE, + limit = 10, + window_size = 60, + key = {}, + ignored_cidrs = {}, + } + local CONFIG = { + memcached = { + host = "memc.default.svc.cluster.local", port = 11211, + connect_timeout = 50, max_idle_timeout = 10000, pool_size = 50, + }, + status_code = 429, + } + + before_each(function() + snapshot = assert:snapshot() + + ngx.var = { remote_addr = "127.0.0.1", global_rate_limit_exceeding = nil } + end) + + after_each(function() + snapshot:revert() + + ngx.shared.global_throttle_cache:flush_all() + reset_ngx() + end) + + it("short circuits when memcached is not configured", function() + assert_short_circuits(function(global_throttle) + assert.has_no.errors(function() + global_throttle.throttle({ memcached = { host = "", port = 0 } }, LOCATION_CONFIG) + end) + end) + end) + + it("short circuits when limit or window_size is not configured", function() + assert_short_circuits(function(global_throttle) + local location_config_copy = util.deepcopy(LOCATION_CONFIG) + location_config_copy.limit = 0 + assert.has_no.errors(function() + global_throttle.throttle(CONFIG, location_config_copy) + end) + end) + + assert_short_circuits(function(global_throttle) + local location_config_copy = util.deepcopy(LOCATION_CONFIG) + location_config_copy.window_size = 0 + assert.has_no.errors(function() + global_throttle.throttle(CONFIG, location_config_copy) + end) + end) + end) + + it("short circuits when remote_addr is in ignored_cidrs", function() + local global_throttle = require_without_cache("global_throttle") + local location_config = util.deepcopy(LOCATION_CONFIG) + location_config.ignored_cidrs = { ngx.var.remote_addr } + assert_short_circuits(function(global_throttle) + assert.has_no.errors(function() + global_throttle.throttle(CONFIG, location_config) + end) + end) + end) + + it("rejects when exceeding limit has already been cached", function() + local key_value = "foo" + local location_config = util.deepcopy(LOCATION_CONFIG) + location_config.key = { { nil, nil, nil, key_value } } + cache_rejection_decision(NAMESPACE, key_value, 0.5) + + assert_request_rejected(CONFIG, location_config, { with_cache = true }) + end) + + describe("when resty_global_throttle fails", function() + it("fails open in case of initialization error", function() + local too_long_namespace = "" + for i=1,36,1 do + too_long_namespace = too_long_namespace .. "a" + end + + local location_config = util.deepcopy(LOCATION_CONFIG) + location_config.namespace = too_long_namespace + + assert_fails_open(CONFIG, location_config, "faled to initialize resty_global_throttle: ", "'namespace' can be at most 35 characters") + end) + + it("fails open in case of key processing error", function() + stub_resty_global_throttle_process(nil, nil, "failed to process", function() + assert_fails_open(CONFIG, LOCATION_CONFIG, "error while processing key: ", "failed to process") + end) + end) + end) + + it("initializes resty_global_throttle with the right parameters", function() + local resty_global_throttle = require_without_cache("resty.global_throttle") + local resty_global_throttle_original_new = resty_global_throttle.new + resty_global_throttle.new = function(namespace, limit, window_size, store_opts) + local o, err = resty_global_throttle_original_new(namespace, limit, window_size, store_opts) + if not o then + return nil, err + end + o.process = function(self, key) return 1, nil, nil end + + local expected = LOCATION_CONFIG + assert.are.same(expected.namespace, namespace) + assert.are.same(expected.limit, limit) + assert.are.same(expected.window_size, window_size) + + assert.are.same("memcached", store_opts.provider) + assert.are.same(CONFIG.memcached.host, store_opts.host) + assert.are.same(CONFIG.memcached.port, store_opts.port) + assert.are.same(CONFIG.memcached.connect_timeout, store_opts.connect_timeout) + assert.are.same(CONFIG.memcached.max_idle_timeout, store_opts.max_idle_timeout) + assert.are.same(CONFIG.memcached.pool_size, store_opts.pool_size) + + return o, nil + end + local resty_global_throttle_new_spy = spy.on(resty_global_throttle, "new") + + local global_throttle = require_without_cache("global_throttle") + + assert.has_no.errors(function() + global_throttle.throttle(CONFIG, LOCATION_CONFIG) + end) + + assert.spy(resty_global_throttle_new_spy).was_called() + end) + + it("rejects request and caches decision when limit is exceeding after processing a key", function() + local desired_delay = 0.015 + + stub_resty_global_throttle_process(LOCATION_CONFIG.limit + 1, desired_delay, nil, function() + assert_request_rejected(CONFIG, LOCATION_CONFIG, { with_cache = false }) + + local cache_key = LOCATION_CONFIG.namespace .. ngx.var.remote_addr + assert.is_true(ngx.shared.global_throttle_cache:get(cache_key)) + + -- we assume it won't take more than this after caching + -- until we execute the assertion below + local delta = 0.001 + local ttl = ngx.shared.global_throttle_cache:ttl(cache_key) + assert.is_true(ttl > desired_delay - delta) + assert.is_true(ttl <= desired_delay) + end) + end) + + it("rejects request and skip caching of decision when limit is exceeding after processing a key but desired delay is lower than the threshold", function() + local desired_delay = 0.0009 + + stub_resty_global_throttle_process(LOCATION_CONFIG.limit, desired_delay, nil, function() + assert_request_rejected(CONFIG, LOCATION_CONFIG, { with_cache = false }) + + local cache_key = LOCATION_CONFIG.namespace .. ngx.var.remote_addr + assert.is_nil(ngx.shared.global_throttle_cache:get(cache_key)) + end) + end) + + it("allows the request when limit is not exceeding after processing a key", function() + stub_resty_global_throttle_process(LOCATION_CONFIG.limit - 3, nil, nil, + function() + assert_request_not_rejected(CONFIG, LOCATION_CONFIG) + end + ) + end) + + it("rejects with custom status code", function() + cache_rejection_decision(NAMESPACE, ngx.var.remote_addr, 0.3) + local config = util.deepcopy(CONFIG) + config.status_code = 503 + assert_request_rejected(config, LOCATION_CONFIG, { with_cache = true }) + end) +end) diff --git a/rootfs/etc/nginx/lua/test/plugins_test.lua b/rootfs/etc/nginx/lua/test/plugins_test.lua new file mode 100644 index 000000000..d7f789d0f --- /dev/null +++ b/rootfs/etc/nginx/lua/test/plugins_test.lua @@ -0,0 +1,23 @@ +describe("plugins", function() + describe("#run", function() + it("runs the plugins in the given order", function() + ngx.get_phase = function() return "rewrite" end + local plugins = require("plugins") + local called_plugins = {} + local plugins_to_mock = {"plugins.pluginfirst.main", "plugins.pluginsecond.main", "plugins.pluginthird.main"} + for i=1, 3, 1 + do + package.loaded[plugins_to_mock[i]] = { + rewrite = function() + called_plugins[#called_plugins + 1] = plugins_to_mock[i] + end + } + end + assert.has_no.errors(function() + plugins.init({"pluginfirst", "pluginsecond", "pluginthird"}) + end) + assert.has_no.errors(plugins.run) + assert.are.same(plugins_to_mock, called_plugins) + end) + end) +end) \ No newline at end of file diff --git a/rootfs/etc/nginx/lua/util.lua b/rootfs/etc/nginx/lua/util.lua index 1e4cd7c01..7389f3226 100644 --- a/rootfs/etc/nginx/lua/util.lua +++ b/rootfs/etc/nginx/lua/util.lua @@ -146,10 +146,6 @@ function _M.is_blank(str) return str == nil or string_len(str) == 0 end -function _M.string_to_bool(str) - return str == "true" -end - -- this implementation is taken from: -- https://github.com/luafun/luafun/blob/master/fun.lua#L33 -- SHA: 04c99f9c393e54a604adde4b25b794f48104e0d0 diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index 6b8e750b0..93a04e3e6 100644 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -68,11 +68,71 @@ http { {{ buildLuaSharedDictionaries $cfg $servers }} - lua_shared_dict luaconfig 5m; + init_by_lua_block { + collectgarbage("collect") - init_by_lua_file /etc/nginx/lua/ngx_conf_init.lua; + -- init modules + local ok, res - init_worker_by_lua_file /etc/nginx/lua/ngx_conf_init_worker.lua; + ok, res = pcall(require, "lua_ingress") + if not ok then + error("require failed: " .. tostring(res)) + else + lua_ingress = res + lua_ingress.set_config({{ configForLua $all }}) + end + + ok, res = pcall(require, "configuration") + if not ok then + error("require failed: " .. tostring(res)) + else + configuration = res + configuration.prohibited_localhost_port = '{{ .StatusPort }}' + end + + ok, res = pcall(require, "balancer") + if not ok then + error("require failed: " .. tostring(res)) + else + balancer = res + end + + {{ if $all.EnableMetrics }} + ok, res = pcall(require, "monitor") + if not ok then + error("require failed: " .. tostring(res)) + else + monitor = res + end + {{ end }} + + ok, res = pcall(require, "certificate") + if not ok then + error("require failed: " .. tostring(res)) + else + certificate = res + certificate.is_ocsp_stapling_enabled = {{ $cfg.EnableOCSP }} + end + + ok, res = pcall(require, "plugins") + if not ok then + error("require failed: " .. tostring(res)) + else + plugins = res + end + -- load all plugins that'll be used here + plugins.init({ {{ range $idx, $plugin := $cfg.Plugins }}{{ if $idx }},{{ end }}{{ $plugin | quote }}{{ end }} }) + } + + init_worker_by_lua_block { + lua_ingress.init_worker() + balancer.init_worker() + {{ if $all.EnableMetrics }} + monitor.init_worker({{ $all.MonitorMaxBatchSize }}) + {{ end }} + + plugins.run() + } {{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}} {{/* we use the value of the real IP for the geo_ip module */}} @@ -459,10 +519,6 @@ http { proxy_intercept_errors on; {{ end }} - {{ if $cfg.RelativeRedirects }} - absolute_redirect off; - {{ end }} - {{ range $errCode := $cfg.CustomHTTPErrors }} error_page {{ $errCode }} = @custom_upstream-default-backend_{{ $errCode }};{{ end }} @@ -494,7 +550,9 @@ http { server 0.0.0.1; # placeholder - balancer_by_lua_file /etc/nginx/lua/nginx/ngx_conf_balancer.lua; + balancer_by_lua_block { + balancer.balance() + } {{ if (gt $cfg.UpstreamKeepaliveConnections 0) }} keepalive {{ $cfg.UpstreamKeepaliveConnections }}; @@ -559,7 +617,9 @@ http { {{ buildHTTPListener $all $redirect.From }} {{ buildHTTPSListener $all $redirect.From }} - ssl_certificate_by_lua_file /etc/nginx/lua/nginx/ngx_conf_certificate.lua; + ssl_certificate_by_lua_block { + certificate.call() + } {{ if gt (len $cfg.BlockUserAgents) 0 }} if ($block_ua) { @@ -572,7 +632,30 @@ http { } {{ end }} - set_by_lua_file $redirect_to /etc/nginx/lua/nginx/ngx_srv_redirect.lua {{ $redirect.To }}; + set_by_lua_block $redirect_to { + local request_uri = ngx.var.request_uri + if string.sub(request_uri, -1) == "/" then + request_uri = string.sub(request_uri, 1, -2) + end + + {{ if $cfg.UseForwardedHeaders }} + local redirectScheme + if not ngx.var.http_x_forwarded_proto then + redirectScheme = ngx.var.scheme + else + redirectScheme = ngx.var.http_x_forwarded_proto + end + {{ else }} + local redirectScheme = ngx.var.scheme + {{ end }} + + {{ if ne $all.ListenPorts.HTTPS 443 }} + {{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }} + return string.format("%s://%s%s%s", redirectScheme, "{{ $redirect.To }}", "{{ $redirect_port }}", request_uri) + {{ else }} + return string.format("%s://%s%s", redirectScheme, "{{ $redirect.To }}", request_uri) + {{ end }} + } return {{ $all.Cfg.HTTPRedirectCode }} $redirect_to; } @@ -667,7 +750,17 @@ http { } location /is-dynamic-lb-initialized { - content_by_lua_file /etc/nginx/lua/nginx/ngx_conf_is_dynamic_lb_initialized.lua; + content_by_lua_block { + local configuration = require("configuration") + local backend_data = configuration.get_backends_data() + if not backend_data then + ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR) + return + end + + ngx.say("OK") + ngx.exit(ngx.HTTP_OK) + } } location {{ .StatusPath }} { @@ -679,11 +772,15 @@ http { client_body_buffer_size {{ luaConfigurationRequestBodySize $cfg }}; proxy_buffering off; - content_by_lua_file /etc/nginx/lua/nginx/ngx_conf_configuration.lua; + content_by_lua_block { + configuration.call() + } } location / { - return 404; + content_by_lua_block { + ngx.exit(ngx.HTTP_NOT_FOUND) + } } } } @@ -695,9 +792,39 @@ stream { {{ buildResolvers $cfg.Resolver $cfg.DisableIpv6DNS }} - init_by_lua_file /etc/nginx/lua/ngx_conf_init_stream.lua; + init_by_lua_block { + collectgarbage("collect") - init_worker_by_lua_file /etc/nginx/lua/nginx/ngx_conf_init_tcp_udp.lua; + -- init modules + local ok, res + + ok, res = pcall(require, "configuration") + if not ok then + error("require failed: " .. tostring(res)) + else + configuration = res + end + + ok, res = pcall(require, "tcp_udp_configuration") + if not ok then + error("require failed: " .. tostring(res)) + else + tcp_udp_configuration = res + tcp_udp_configuration.prohibited_localhost_port = '{{ .StatusPort }}' + + end + + ok, res = pcall(require, "tcp_udp_balancer") + if not ok then + error("require failed: " .. tostring(res)) + else + tcp_udp_balancer = res + end + } + + init_worker_by_lua_block { + tcp_udp_balancer.init_worker() + } lua_add_variable $proxy_upstream_name; @@ -719,7 +846,10 @@ stream { upstream upstream_balancer { server 0.0.0.1:1234; # placeholder - balancer_by_lua_file /etc/nginx/lua/nginx/ngx_conf_balancer_tcp_udp.lua; + + balancer_by_lua_block { + tcp_udp_balancer.balance() + } } server { @@ -727,7 +857,9 @@ stream { access_log off; - content_by_lua_file /etc/nginx/lua/nginx/ngx_conf_content_tcp_udp.lua; + content_by_lua_block { + tcp_udp_configuration.call() + } } # TCP services @@ -827,9 +959,11 @@ stream { rewrite (.*) / break; proxy_pass http://upstream_balancer; - {{ if $enableMetrics }} - log_by_lua_file /etc/nginx/lua/nginx/ngx_conf_log.lua; - {{ end }} + log_by_lua_block { + {{ if $enableMetrics }} + monitor.call() + {{ end }} + } } {{ end }} {{ end }} @@ -889,7 +1023,9 @@ stream { ssl_reject_handshake {{ if $all.Cfg.SSLRejectHandshake }}on{{ else }}off{{ end }}; {{ end }} - ssl_certificate_by_lua_file /etc/nginx/lua/nginx/ngx_conf_certificate.lua; + ssl_certificate_by_lua_block { + certificate.call() + } {{ if not (empty $server.AuthTLSError) }} # {{ $server.AuthTLSError }} @@ -990,7 +1126,9 @@ stream { set $tmp_cache_key '{{ $server.Hostname }}{{ $authPath }}{{ $externalAuth.AuthCacheKey }}'; set $cache_key ''; - rewrite_by_lua_file /etc/nginx/lua/nginx/ngx_conf_rewrite_auth.lua; + rewrite_by_lua_block { + ngx.var.cache_key = ngx.encode_base64(ngx.sha1_bin(ngx.var.tmp_cache_key)) + } proxy_cache auth_cache; @@ -1041,7 +1179,6 @@ stream { {{ end }} proxy_buffer_size {{ $location.Proxy.BufferSize }}; proxy_buffers {{ $location.Proxy.BuffersNumber }} {{ $location.Proxy.BufferSize }}; - proxy_busy_buffers_size {{ $location.Proxy.BusyBuffersSize }}; proxy_request_buffering {{ $location.Proxy.RequestBuffering }}; proxy_ssl_server_name on; @@ -1116,6 +1253,7 @@ stream { set $service_name {{ $ing.Service | quote }}; set $service_port {{ $ing.ServicePort | quote }}; set $location_path {{ $ing.Path | escapeLiteralDollar | quote }}; + set $global_rate_limit_exceeding n; {{ buildOpentelemetryForLocation $all.Cfg.EnableOpentelemetry $all.Cfg.OpentelemetryTrustIncomingSpan $location }} @@ -1124,13 +1262,35 @@ stream { mirror_request_body {{ $location.Mirror.RequestBody }}; {{ end }} - {{ locationConfigForLua $location $all }} + rewrite_by_lua_block { + lua_ingress.rewrite({{ locationConfigForLua $location $all }}) + balancer.rewrite() + plugins.run() + } - rewrite_by_lua_file /etc/nginx/lua/nginx/ngx_rewrite.lua; + # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any + # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)` + # other authentication method such as basic auth or external auth useless - all requests will be allowed. + #access_by_lua_block { + #} - header_filter_by_lua_file /etc/nginx/lua/nginx/ngx_conf_srv_hdr_filter.lua; + header_filter_by_lua_block { + lua_ingress.header() + plugins.run() + } - log_by_lua_file /etc/nginx/lua/nginx/ngx_conf_log_block.lua; + body_filter_by_lua_block { + plugins.run() + } + + log_by_lua_block { + balancer.log() + {{ if $all.EnableMetrics }} + monitor.call() + {{ end }} + + plugins.run() + } {{ if not $location.Logs.Access }} access_log off; @@ -1190,10 +1350,20 @@ stream { {{- end }} # `auth_request` module does not support HTTP keepalives in upstream block: # https://trac.nginx.org/nginx/ticket/1579 - set $auth_path '{{ $authPath }}'; - set $auth_keepalive_share_vars {{ $externalAuth.KeepaliveShareVars }}; - set $auth_response_headers '{{ buildAuthUpstreamLuaHeaders $externalAuth.ResponseHeaders }}'; - access_by_lua_file /etc/nginx/lua/nginx/ngx_conf_external_auth.lua; + access_by_lua_block { + local res = ngx.location.capture('{{ $authPath }}', { method = ngx.HTTP_GET, body = '', share_all_vars = {{ $externalAuth.KeepaliveShareVars }} }) + if res.status == ngx.HTTP_OK then + ngx.var.auth_cookie = res.header['Set-Cookie'] + {{- range $line := buildAuthUpstreamLuaHeaders $externalAuth.ResponseHeaders }} + {{ $line }} + {{- end }} + return + end + if res.status == ngx.HTTP_UNAUTHORIZED or res.status == ngx.HTTP_FORBIDDEN then + ngx.exit(res.status) + end + ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR) + } {{ else }} auth_request {{ $authPath }}; auth_request_set $auth_cookie $upstream_http_set_cookie; @@ -1297,7 +1467,6 @@ stream { proxy_buffering {{ $location.Proxy.ProxyBuffering }}; proxy_buffer_size {{ $location.Proxy.BufferSize }}; proxy_buffers {{ $location.Proxy.BuffersNumber }} {{ $location.Proxy.BufferSize }}; - proxy_busy_buffers_size {{ $location.Proxy.BusyBuffersSize }}; {{ if isValidByteSize $location.Proxy.ProxyMaxTempFileSize true }} proxy_max_temp_file_size {{ $location.Proxy.ProxyMaxTempFileSize }}; {{ end }} @@ -1349,10 +1518,6 @@ stream { satisfy {{ $location.Satisfy }}; {{ end }} - {{ if $location.Redirect.Relative }} - absolute_redirect off; - {{ end }} - {{/* if a location-specific error override is set, add the proxy_intercept here */}} {{ if and $location.CustomHTTPErrors (not $location.DisableProxyInterceptErrors) }} # Custom error pages per ingress diff --git a/test/data/cleanConf.expected.conf b/test/data/cleanConf.expected.conf index 9c0513b37..7c4a16824 100644 --- a/test/data/cleanConf.expected.conf +++ b/test/data/cleanConf.expected.conf @@ -67,6 +67,8 @@ http { balancer.init_worker() monitor.init_worker(10000) + + plugins.run() } map $request_uri $loggable { @@ -118,6 +120,7 @@ http { use_port_in_redirects = false, }) balancer.rewrite() + plugins.run() } # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any @@ -127,6 +130,7 @@ http { header_filter_by_lua_block { lua_ingress.header() + plugins.run() } } diff --git a/test/data/cleanConf.src.conf b/test/data/cleanConf.src.conf index 6da578106..89954cf0d 100644 --- a/test/data/cleanConf.src.conf +++ b/test/data/cleanConf.src.conf @@ -86,8 +86,11 @@ lua_shared_dict ocsp_response_cache 5M; init_worker_by_lua_block { lua_ingress.init_worker() balancer.init_worker() - + monitor.init_worker(10000) + + + plugins.run() } @@ -161,6 +164,7 @@ lua_shared_dict ocsp_response_cache 5M; use_port_in_redirects = false, }) balancer.rewrite() + plugins.run() } # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any @@ -170,6 +174,7 @@ lua_shared_dict ocsp_response_cache 5M; header_filter_by_lua_block { lua_ingress.header() + plugins.run() } diff --git a/test/e2e-image/Makefile b/test/e2e-image/Makefile index f72651f48..7d553c04e 100644 --- a/test/e2e-image/Makefile +++ b/test/e2e-image/Makefile @@ -1,6 +1,6 @@ DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST)))) -E2E_BASE_IMAGE ?= "registry.k8s.io/ingress-nginx/e2e-test-runner:v20250112-a188f4eb@sha256:043038b1e30e5a0b64f3f919f096c5c9488ac3f617ac094b07fb9db8215f9441" +E2E_BASE_IMAGE ?= "registry.k8s.io/ingress-nginx/e2e-test-runner:v20241224-68ed4e7b@sha256:871642296ebc0dd386f9a43b0cf2606028d757d6c4a2737d41180f02f8172823" image: echo "..entered Makefile in /test/e2e-image" diff --git a/test/e2e/HTTPBUN_IMAGE b/test/e2e/HTTPBUN_IMAGE index 491b333c7..11f540282 100644 --- a/test/e2e/HTTPBUN_IMAGE +++ b/test/e2e/HTTPBUN_IMAGE @@ -1 +1 @@ -registry.k8s.io/ingress-nginx/httpbun:v1.1.1@sha256:4569515d9b74470c915566a010792e7202b6769443fb1f3bb1b1e87376028634 +registry.k8s.io/ingress-nginx/httpbun:v1.1.0@sha256:bd870e71e30d478fafd00c515fba454f326960fe343a84ace577723a07a2cd6c diff --git a/test/e2e/admission/admission.go b/test/e2e/admission/admission.go index 873e6719d..c41105e2d 100644 --- a/test/e2e/admission/admission.go +++ b/test/e2e/admission/admission.go @@ -44,6 +44,33 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", f.NewSlowEchoDeployment() }) + ginkgo.It("reject ingress with global-rate-limit annotations when memcached is not configured", func() { + host := admissionTestHost + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/global-rate-limit": "100", + "nginx.ingress.kubernetes.io/global-rate-limit-window": "1m", + } + ing := framework.NewSingleIngress("first-ingress", "/", host, f.Namespace, framework.EchoService, 80, annotations) + + ginkgo.By("rejects ingress when memcached is not configured") + + _, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), ing, metav1.CreateOptions{}) + assert.NotNil(ginkgo.GinkgoT(), err, "creating ingress with global throttle annotations when memcached is not configured") + + ginkgo.By("accepts ingress when memcached is not configured") + + f.UpdateNginxConfigMapData("global-rate-limit-memcached-host", "memc.default.svc.cluster.local") + + _, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), ing, metav1.CreateOptions{}) + assert.Nil(ginkgo.GinkgoT(), err, "creating ingress with global throttle annotations when memcached is configured") + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, fmt.Sprintf("server_name %v", host)) + }) + }) + ginkgo.It("should not allow overlaps of host and paths without canary annotations", func() { host := admissionTestHost @@ -100,8 +127,14 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", }) ginkgo.It("should return an error if there is an error validating the ingress definition", func() { - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() host := admissionTestHost @@ -208,8 +241,14 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", }) ginkgo.It("should return an error if the Ingress V1 definition contains invalid annotations", func() { - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() out, err := createIngress(f.Namespace, invalidV1Ingress) assert.Empty(ginkgo.GinkgoT(), out) @@ -222,8 +261,14 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", }) ginkgo.It("should not return an error for an invalid Ingress when it has unknown class", func() { - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() out, err := createIngress(f.Namespace, invalidV1IngressWithOtherClass) assert.Equal(ginkgo.GinkgoT(), "ingress.networking.k8s.io/extensions-invalid-other created\n", out) assert.Nil(ginkgo.GinkgoT(), err, "creating an invalid ingress with unknown class using kubectl") diff --git a/test/e2e/annotations/auth.go b/test/e2e/annotations/auth.go index ddda1dce5..ea33fdf32 100644 --- a/test/e2e/annotations/auth.go +++ b/test/e2e/annotations/auth.go @@ -277,8 +277,14 @@ var _ = framework.DescribeAnnotation("auth-*", func() { "nginx.ingress.kubernetes.io/auth-snippet": ` proxy_set_header My-Custom-Header 42;`, } - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -291,8 +297,15 @@ var _ = framework.DescribeAnnotation("auth-*", func() { ginkgo.It(`should not set snippet "proxy_set_header My-Custom-Header 42;" when external auth is not configured`, func() { host := authHost - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() + + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() annotations := map[string]string{ "nginx.ingress.kubernetes.io/auth-snippet": ` @@ -653,7 +666,7 @@ http { func(server string) bool { return strings.Contains(server, `upstream auth-external-auth`) && strings.Contains(server, `keepalive 10;`) && - strings.Contains(server, `set $auth_keepalive_share_vars false;`) + strings.Contains(server, `share_all_vars = false`) }) }) @@ -673,7 +686,7 @@ http { func(server string) bool { return strings.Contains(server, `upstream auth-external-auth`) && strings.Contains(server, `keepalive 10;`) && - strings.Contains(server, `set $auth_keepalive_share_vars true;`) + strings.Contains(server, `share_all_vars = true`) }) }) }) diff --git a/test/e2e/annotations/cors.go b/test/e2e/annotations/cors.go index 58f4445f7..a14a5761f 100644 --- a/test/e2e/annotations/cors.go +++ b/test/e2e/annotations/cors.go @@ -669,33 +669,4 @@ var _ = framework.DescribeAnnotation("cors-*", func() { Headers(). NotContainsKey("Access-Control-Allow-Origin") }) - - ginkgo.It("should allow - origins with non-http[s] protocols", func() { - host := corsHost - origin := "test://localhost" - origin2 := "tauri://localhost:3000" - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/enable-cors": "true", - "nginx.ingress.kubernetes.io/cors-allow-origin": "test://localhost, tauri://localhost:3000", - } - - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", origin). - Expect(). - Status(http.StatusOK).Headers(). - ValueEqual("Access-Control-Allow-Origin", []string{"test://localhost"}) - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", origin2). - Expect(). - Status(http.StatusOK).Headers(). - ValueEqual("Access-Control-Allow-Origin", []string{"tauri://localhost:3000"}) - }) }) diff --git a/test/e2e/annotations/fromtowwwredirect.go b/test/e2e/annotations/fromtowwwredirect.go index a3fb3b9b5..b69cce93e 100644 --- a/test/e2e/annotations/fromtowwwredirect.go +++ b/test/e2e/annotations/fromtowwwredirect.go @@ -58,12 +58,18 @@ var _ = framework.DescribeAnnotation("from-to-www-redirect", func() { WithHeader("Host", fmt.Sprintf("%s.%s", "www", host)). Expect(). Status(http.StatusPermanentRedirect). - Header("Location").Equal("http://fromtowwwredirect.bar.com:80/foo") + Header("Location").Equal("http://fromtowwwredirect.bar.com/foo") }) ginkgo.It("should redirect from www HTTPS to HTTPS", func() { - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() ginkgo.By("setting up server for redirect from www") @@ -101,7 +107,7 @@ var _ = framework.DescribeAnnotation("from-to-www-redirect", func() { WithHeader("Host", toHost). Expect(). Status(http.StatusPermanentRedirect). - Header("Location").Equal(fmt.Sprintf("https://%v:443", fromHost)) + Header("Location").Equal(fmt.Sprintf("https://%v", fromHost)) ginkgo.By("sending request to domain should not redirect to www") f.HTTPTestClientWithTLSConfig(&tls.Config{ diff --git a/test/e2e/annotations/globalratelimit.go b/test/e2e/annotations/globalratelimit.go new file mode 100644 index 000000000..96be467fe --- /dev/null +++ b/test/e2e/annotations/globalratelimit.go @@ -0,0 +1,88 @@ +/* +Copyright 2020 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package annotations + +import ( + "fmt" + "net/http" + "strings" + + "github.com/onsi/ginkgo/v2" + "github.com/stretchr/testify/assert" + + "k8s.io/ingress-nginx/test/e2e/framework" +) + +var _ = framework.DescribeAnnotation("annotation-global-rate-limit", func() { + f := framework.NewDefaultFramework("global-rate-limit") + host := "global-rate-limit-annotation" + + ginkgo.BeforeEach(func() { + f.NewEchoDeployment() + }) + + ginkgo.It("generates correct configuration", func() { + annotations := make(map[string]string) + annotations["nginx.ingress.kubernetes.io/global-rate-limit"] = "5" + annotations["nginx.ingress.kubernetes.io/global-rate-limit-window"] = "2m" + + // We need to allow { and } characters for this annotation to work + f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "load_module, lua_package, _by_lua, location, root") + // Sleep a while just to guarantee that the configmap is applied + framework.Sleep() + + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + ing = f.EnsureIngress(ing) + namespace := strings.ReplaceAll(string(ing.UID), "-", "") + + serverConfig := "" + f.WaitForNginxServer(host, func(server string) bool { + serverConfig = server + return true + }) + assert.Contains(ginkgo.GinkgoT(), serverConfig, + fmt.Sprintf(`global_throttle = { namespace = "%v", `+ + `limit = 5, window_size = 120, key = { { nil, nil, "remote_addr", nil, }, }, `+ + `ignored_cidrs = { } }`, + namespace)) + + f.HTTPTestClient().GET("/").WithHeader("Host", host).Expect().Status(http.StatusOK) + + ginkgo.By("regenerating the correct configuration after update") + annotations["nginx.ingress.kubernetes.io/global-rate-limit-key"] = "${remote_addr}${http_x_api_client}" + annotations["nginx.ingress.kubernetes.io/global-rate-limit-ignored-cidrs"] = "192.168.1.1, 234.234.234.0/24" + ing.SetAnnotations(annotations) + + f.WaitForReload(func() { + ing = f.UpdateIngress(ing) + }) + + serverConfig = "" + f.WaitForNginxServer(host, func(server string) bool { + serverConfig = server + return true + }) + assert.Contains(ginkgo.GinkgoT(), serverConfig, + fmt.Sprintf(`global_throttle = { namespace = "%v", `+ + `limit = 5, window_size = 120, `+ + `key = { { nil, "remote_addr", nil, nil, }, { nil, "http_x_api_client", nil, nil, }, }, `+ + `ignored_cidrs = { "192.168.1.1", "234.234.234.0/24", } }`, + namespace)) + + f.HTTPTestClient().GET("/").WithHeader("Host", host).Expect().Status(http.StatusOK) + }) +}) diff --git a/test/e2e/annotations/grpc.go b/test/e2e/annotations/grpc.go index 2a9c5a983..530d16729 100644 --- a/test/e2e/annotations/grpc.go +++ b/test/e2e/annotations/grpc.go @@ -193,8 +193,14 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { ginkgo.It("should return OK for service with backend protocol GRPCS", func() { f.NewGRPCBinDeployment() - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() host := echoHost diff --git a/test/e2e/annotations/modsecurity/modsecurity.go b/test/e2e/annotations/modsecurity/modsecurity.go index 730fc76e7..a3e7d80ba 100644 --- a/test/e2e/annotations/modsecurity/modsecurity.go +++ b/test/e2e/annotations/modsecurity/modsecurity.go @@ -100,8 +100,14 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity with snippet", func() { - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() host := modSecurityFooHost nameSpace := f.Namespace @@ -167,8 +173,14 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity with snippet and block requests", func() { - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() host := modSecurityFooHost nameSpace := f.Namespace @@ -200,8 +212,14 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity globally and with modsecurity-snippet block requests", func() { - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() host := modSecurityFooHost nameSpace := f.Namespace @@ -233,11 +251,16 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity when enable-owasp-modsecurity-crs is set to true", func() { - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() - - f.UpdateNginxConfigMapData("enable-modsecurity", "true") - f.UpdateNginxConfigMapData("enable-owasp-modsecurity-crs", "true") + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + "enable-modsecurity": "true", + "enable-owasp-modsecurity-crs": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() host := modSecurityFooHost nameSpace := f.Namespace @@ -267,8 +290,6 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity through the config map", func() { - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() host := modSecurityFooHost nameSpace := f.Namespace @@ -289,9 +310,17 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { f.EnsureIngress(ing) expectedComment := "SecRuleEngine On" - f.UpdateNginxConfigMapData("enable-modsecurity", "true") - f.UpdateNginxConfigMapData("enable-owasp-modsecurity-crs", "true") - f.UpdateNginxConfigMapData("modsecurity-snippet", expectedComment) + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + "enable-modsecurity": "true", + "enable-owasp-modsecurity-crs": "true", + "modsecurity-snippet": expectedComment, + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() f.WaitForNginxServer(host, func(server string) bool { @@ -310,9 +339,6 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { host := modSecurityFooHost nameSpace := f.Namespace - f.UpdateNginxConfigMapData("annotations-risk-level", "Critical") // To enable snippet configurations - defer f.UpdateNginxConfigMapData("annotations-risk-level", "High") - snippet := `SecRequestBodyAccess On SecAuditEngine RelevantOnly SecAuditLogParts ABIJDEFHZ @@ -352,9 +378,14 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should disable default modsecurity conf setting when modsecurity-snippet is specified", func() { - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() - + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() host := modSecurityFooHost nameSpace := f.Namespace diff --git a/test/e2e/annotations/proxy.go b/test/e2e/annotations/proxy.go index 8e9866021..235b828e7 100644 --- a/test/e2e/annotations/proxy.go +++ b/test/e2e/annotations/proxy.go @@ -160,13 +160,11 @@ var _ = framework.DescribeAnnotation("proxy-*", func() { proxyBuffering := "on" proxyBuffersNumber := "8" proxyBufferSize := "8k" - proxyBusyBuffersSize := "16k" annotations := make(map[string]string) annotations["nginx.ingress.kubernetes.io/proxy-buffering"] = proxyBuffering annotations["nginx.ingress.kubernetes.io/proxy-buffers-number"] = proxyBuffersNumber annotations["nginx.ingress.kubernetes.io/proxy-buffer-size"] = proxyBufferSize - annotations["nginx.ingress.kubernetes.io/proxy-busy-buffers-size"] = proxyBusyBuffersSize ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -176,7 +174,6 @@ var _ = framework.DescribeAnnotation("proxy-*", func() { return strings.Contains(server, fmt.Sprintf("proxy_buffering %s;", proxyBuffering)) && strings.Contains(server, fmt.Sprintf("proxy_buffer_size %s;", proxyBufferSize)) && strings.Contains(server, fmt.Sprintf("proxy_buffers %s %s;", proxyBuffersNumber, proxyBufferSize)) && - strings.Contains(server, fmt.Sprintf("proxy_busy_buffers_size %s;", proxyBusyBuffersSize)) && strings.Contains(server, fmt.Sprintf("proxy_request_buffering %s;", proxyBuffering)) }) }) diff --git a/test/e2e/annotations/relativeredirects.go b/test/e2e/annotations/relativeredirects.go deleted file mode 100644 index 430b357e4..000000000 --- a/test/e2e/annotations/relativeredirects.go +++ /dev/null @@ -1,107 +0,0 @@ -/* -Copyright 2023 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package annotations - -import ( - "fmt" - "net/http" - "strings" - - "github.com/onsi/ginkgo/v2" - "github.com/stretchr/testify/assert" - "k8s.io/ingress-nginx/test/e2e/framework" -) - -const ( - relativeRedirectsHostname = "rr.foo.com" - relativeRedirectsRedirectPath = "/something" - relativeRedirectsRelativeRedirectURL = "/new-location" -) - -var _ = framework.DescribeAnnotation("relative-redirects", func() { - f := framework.NewDefaultFramework("relative-redirects") - - ginkgo.BeforeEach(func() { - f.NewHttpbunDeployment() - f.NewEchoDeployment() - }) - - ginkgo.It("configures Nginx correctly", func() { - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/relative-redirects": "true", - } - - ing := framework.NewSingleIngress(relativeRedirectsHostname, "/", relativeRedirectsHostname, f.Namespace, framework.HTTPBunService, 80, annotations) - f.EnsureIngress(ing) - - var serverConfig string - f.WaitForNginxServer(relativeRedirectsHostname, func(srvCfg string) bool { - serverConfig = srvCfg - return strings.Contains(serverConfig, fmt.Sprintf("server_name %s", relativeRedirectsHostname)) - }) - - ginkgo.By("turning off absolute_redirect directive") - assert.Contains(ginkgo.GinkgoT(), serverConfig, "absolute_redirect off;") - }) - - ginkgo.It("should respond with absolute URL in Location", func() { - absoluteRedirectURL := fmt.Sprintf("http://%s%s", relativeRedirectsHostname, relativeRedirectsRelativeRedirectURL) - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/permanent-redirect": relativeRedirectsRelativeRedirectURL, - "nginx.ingress.kubernetes.io/relative-redirects": "false", - } - - ginkgo.By("setup ingress") - ing := framework.NewSingleIngress(relativeRedirectsHostname, relativeRedirectsRedirectPath, relativeRedirectsHostname, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) - - f.WaitForNginxServer(relativeRedirectsHostname, func(srvCfg string) bool { - return strings.Contains(srvCfg, fmt.Sprintf("server_name %s", relativeRedirectsHostname)) - }) - - ginkgo.By("sending request to redirected URL path") - f.HTTPTestClient(). - GET(relativeRedirectsRedirectPath). - WithHeader("Host", relativeRedirectsHostname). - Expect(). - Status(http.StatusMovedPermanently). - Header("Location").Equal(absoluteRedirectURL) - }) - - ginkgo.It("should respond with relative URL in Location", func() { - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/permanent-redirect": relativeRedirectsRelativeRedirectURL, - "nginx.ingress.kubernetes.io/relative-redirects": "true", - } - - ginkgo.By("setup ingress") - ing := framework.NewSingleIngress(relativeRedirectsHostname, relativeRedirectsRedirectPath, relativeRedirectsHostname, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) - - f.WaitForNginxServer(relativeRedirectsHostname, func(srvCfg string) bool { - return strings.Contains(srvCfg, fmt.Sprintf("server_name %s", relativeRedirectsHostname)) - }) - - ginkgo.By("sending request to redirected URL path") - f.HTTPTestClient(). - GET(relativeRedirectsRedirectPath). - WithHeader("Host", relativeRedirectsHostname). - Expect(). - Status(http.StatusMovedPermanently). - Header("Location").Equal(relativeRedirectsRelativeRedirectURL) - }) -}) diff --git a/test/e2e/annotations/serversnippet.go b/test/e2e/annotations/serversnippet.go index c94960a3d..1195b728a 100644 --- a/test/e2e/annotations/serversnippet.go +++ b/test/e2e/annotations/serversnippet.go @@ -33,8 +33,14 @@ var _ = framework.DescribeAnnotation("server-snippet", func() { }) ginkgo.It(`add valid directives to server via server snippet`, func() { - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() host := "serversnippet.foo.com" annotations := map[string]string{ @@ -62,8 +68,14 @@ var _ = framework.DescribeAnnotation("server-snippet", func() { }) ginkgo.It(`drops server snippet if disabled by the administrator`, func() { - f.UpdateNginxConfigMapData("annotations-risk-level", "Critical") // To enable snippet configurations - defer f.UpdateNginxConfigMapData("annotations-risk-level", "High") + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() host := "noserversnippet.foo.com" annotations := map[string]string{ @@ -73,6 +85,11 @@ var _ = framework.DescribeAnnotation("server-snippet", func() { } ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + f.UpdateNginxConfigMapData("allow-snippet-annotations", "false") + defer func() { + // Return to the original value + f.UpdateNginxConfigMapData("allow-snippet-annotations", "true") + }() // Sleep a while just to guarantee that the configmap is applied framework.Sleep() f.EnsureIngress(ing) diff --git a/test/e2e/annotations/snippet.go b/test/e2e/annotations/snippet.go index 9e3160dcc..0c6148a4f 100644 --- a/test/e2e/annotations/snippet.go +++ b/test/e2e/annotations/snippet.go @@ -33,8 +33,15 @@ var _ = framework.DescribeAnnotation("configuration-snippet", func() { ginkgo.It("set snippet more_set_headers in all locations", func() { host := "configurationsnippet.foo.com" - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() + + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() annotations := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_headers "Foo1: Bar1";`, @@ -64,8 +71,6 @@ var _ = framework.DescribeAnnotation("configuration-snippet", func() { }) ginkgo.It("drops snippet more_set_header in all locations if disabled by admin", func() { - f.UpdateNginxConfigMapData("annotations-risk-level", "Critical") // To enable snippet configurations - defer f.UpdateNginxConfigMapData("annotations-risk-level", "High") host := "noconfigurationsnippet.foo.com" annotations := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_headers "Foo1: Bar1";`, diff --git a/test/e2e/annotations/streamsnippet.go b/test/e2e/annotations/streamsnippet.go index f91cdc34e..432537b4a 100644 --- a/test/e2e/annotations/streamsnippet.go +++ b/test/e2e/annotations/streamsnippet.go @@ -39,8 +39,14 @@ var _ = framework.DescribeSetting("stream-snippet", func() { }) ginkgo.It("should add value of stream-snippet to nginx config", func() { - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() host := "foo.com" diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go index f213e2e98..21458a156 100644 --- a/test/e2e/framework/deployment.go +++ b/test/e2e/framework/deployment.go @@ -47,7 +47,7 @@ const NIPService = "external-nip" var HTTPBunImage = os.Getenv("HTTPBUN_IMAGE") // EchoImage is the default image to be used by the echo service -const EchoImage = "registry.k8s.io/ingress-nginx/e2e-test-echo:v1.1.1@sha256:a1e0152e2eeab26e3f6fd3986f3d82b17bc7711717cae5392dcd18dd447ba6ef" //#nosec G101 +const EchoImage = "registry.k8s.io/ingress-nginx/e2e-test-echo:v1.1.0@sha256:0713ba47b3e4359b38ad53cd785c34b158e168a91636520a4a5e54cd500d8356" //#nosec G101 // TODO: change all Deployment functions to use these options // in order to reduce complexity and have a unified API across the diff --git a/test/e2e/framework/exec.go b/test/e2e/framework/exec.go index 8d528c37a..580a8f58e 100644 --- a/test/e2e/framework/exec.go +++ b/test/e2e/framework/exec.go @@ -117,7 +117,11 @@ func (f *Framework) newIngressController(namespace, namespaceOverlay string) err isChroot = "false" } - cmd := exec.Command("./wait-for-nginx.sh", namespace, namespaceOverlay, isChroot) + enableAnnotationValidations, ok := os.LookupEnv("ENABLE_VALIDATIONS") + if !ok { + enableAnnotationValidations = "false" + } + cmd := exec.Command("./wait-for-nginx.sh", namespace, namespaceOverlay, isChroot, enableAnnotationValidations) out, err := cmd.CombinedOutput() if err != nil { return fmt.Errorf("unexpected error waiting for ingress controller deployment: %v.\nLogs:\n%v", err, string(out)) diff --git a/test/e2e/framework/fastcgi_helloserver.go b/test/e2e/framework/fastcgi_helloserver.go index c414c4da3..65e257cfd 100644 --- a/test/e2e/framework/fastcgi_helloserver.go +++ b/test/e2e/framework/fastcgi_helloserver.go @@ -59,7 +59,7 @@ func (f *Framework) NewNewFastCGIHelloServerDeploymentWithReplicas(replicas int3 Containers: []corev1.Container{ { Name: "fastcgi-helloserver", - Image: "registry.k8s.io/ingress-nginx/fastcgi-helloserver:v1.1.1@sha256:6af4d8c7745c6727aab759db616a58fd68d784d07ce7a32d1ad149c331fd9a6f", + Image: "registry.k8s.io/ingress-nginx/fastcgi-helloserver:v1.1.0@sha256:939cb351010a618383921b49056ccb6227b5a486ec52773464edbec03bc04812", Env: []corev1.EnvVar{}, Ports: []corev1.ContainerPort{ { diff --git a/test/e2e/framework/framework.go b/test/e2e/framework/framework.go index 204da7df0..65f10ba5d 100644 --- a/test/e2e/framework/framework.go +++ b/test/e2e/framework/framework.go @@ -16,7 +16,6 @@ package framework import ( "context" "crypto/tls" - "encoding/json" "fmt" "net" "net/http" @@ -284,15 +283,6 @@ func (f *Framework) WaitForNginxConfiguration(matcher func(cfg string) bool) { Sleep(1 * time.Second) } -// WaitForLuaConfiguration waits until the nginx configuration contains a particular configuration -// `cfg` passed to matcher is normalized by replacing all tabs and spaces with single space. -func (f *Framework) WaitForLuaConfiguration(matcher func(jsonCfg map[string]interface{}) bool) { - //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated - err := wait.Poll(Poll, DefaultTimeout, f.matchLuaConditions(matcher)) - assert.Nil(ginkgo.GinkgoT(), err, "waiting for nginx lua configuration condition/s") - Sleep(1 * time.Second) -} - // WaitForNginxCustomConfiguration waits until the nginx configuration given part (from, to) contains a particular configuration func (f *Framework) WaitForNginxCustomConfiguration(from, to string, matcher func(cfg string) bool) { //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated @@ -336,29 +326,6 @@ func (f *Framework) matchNginxConditions(name string, matcher func(cfg string) b } } -func (f *Framework) matchLuaConditions(matcher func(jsonCfg map[string]interface{}) bool) wait.ConditionFunc { - return func() (bool, error) { - cmd := "cat /etc/nginx/lua/cfg.json" - - o, err := f.ExecCommand(f.pod, cmd) - if err != nil { - return false, nil - } - - if klog.V(10).Enabled() && o != "" { - klog.InfoS("Lua", "configuration", o) - } - - luaConfig := make(map[string]interface{}) // Use unstructured so we can walk through JSON - if err := json.Unmarshal([]byte(o), &luaConfig); err != nil { - return false, err - } - - // passes the lua interface to the function - return matcher(luaConfig), nil - } -} - func (f *Framework) matchNginxCustomConditions(from, to string, matcher func(cfg string) bool) wait.ConditionFunc { return func() (bool, error) { cmd := fmt.Sprintf("cat /etc/nginx/nginx.conf| awk '/%v/,/%v/'", from, to) @@ -416,20 +383,6 @@ func (f *Framework) SetNginxConfigMapData(cmData map[string]string) { f.WaitForReload(fn) } -// SetNginxConfigMapData sets ingress-nginx's nginx-ingress-controller configMap data -func (f *Framework) AllowSnippetConfiguration() func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - "annotations-risk-level": "Critical", // To enable snippet configurations - }) - return func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - "annotations-risk-level": "High", - }) - } -} - // CreateConfigMap creates a new configmap in the current namespace func (f *Framework) CreateConfigMap(name string, data map[string]string) { _, err := f.KubeClientSet.CoreV1().ConfigMaps(f.Namespace).Create(context.TODO(), &v1.ConfigMap{ diff --git a/test/e2e/ingress/multiple_rules.go b/test/e2e/ingress/multiple_rules.go index 9247dc1d3..f44b2f8dd 100644 --- a/test/e2e/ingress/multiple_rules.go +++ b/test/e2e/ingress/multiple_rules.go @@ -36,8 +36,14 @@ var _ = framework.IngressNginxDescribe("single ingress - multiple hosts", func() }) ginkgo.It("should set the correct $service_name NGINX variable", func() { - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() annotations := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "service-name: $service_name";`, diff --git a/test/e2e/ingress/pathtype_exact.go b/test/e2e/ingress/pathtype_exact.go index 2660e32a4..d0564cbf6 100644 --- a/test/e2e/ingress/pathtype_exact.go +++ b/test/e2e/ingress/pathtype_exact.go @@ -35,8 +35,14 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] exact", func() { }) ginkgo.It("should choose exact location for /exact", func() { - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() host := "exact.path" diff --git a/test/e2e/ingress/pathtype_mixed.go b/test/e2e/ingress/pathtype_mixed.go index 3212089c9..e7bf2532e 100644 --- a/test/e2e/ingress/pathtype_mixed.go +++ b/test/e2e/ingress/pathtype_mixed.go @@ -37,8 +37,14 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] mix Exact and Prefi exactPathType := networking.PathTypeExact ginkgo.It("should choose the correct location", func() { - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() host := "mixed.path" diff --git a/test/e2e/lua/dynamic_configuration.go b/test/e2e/lua/dynamic_configuration.go index a5e2196ce..8ec1ef839 100644 --- a/test/e2e/lua/dynamic_configuration.go +++ b/test/e2e/lua/dynamic_configuration.go @@ -48,7 +48,12 @@ var _ = framework.IngressNginxDescribe("[Lua] dynamic configuration", func() { ginkgo.It("configures balancer Lua middleware correctly", func() { f.WaitForNginxConfiguration(func(cfg string) bool { - return strings.Contains(cfg, "balancer_by_lua_file /etc/nginx/lua/nginx/ngx_conf_balancer.lua") + return strings.Contains(cfg, "balancer.init_worker()") && strings.Contains(cfg, "balancer.balance()") + }) + + host := "foo.com" + f.WaitForNginxServer(host, func(server string) bool { + return strings.Contains(server, "balancer.rewrite()") && strings.Contains(server, "balancer.log()") }) }) diff --git a/test/e2e/metrics/metrics.go b/test/e2e/metrics/metrics.go index bec09bb37..907b53732 100644 --- a/test/e2e/metrics/metrics.go +++ b/test/e2e/metrics/metrics.go @@ -36,7 +36,6 @@ const waitForMetrics = 2 * time.Second var _ = framework.IngressNginxDescribe("[metrics] exported prometheus metrics", func() { f := framework.NewDefaultFramework("metrics") host := "foo.com" - wildcardHost := "wildcard." + host ginkgo.BeforeEach(func() { f.NewEchoDeployment() @@ -92,50 +91,4 @@ var _ = framework.IngressNginxDescribe("[metrics] exported prometheus metrics", assert.Nil(ginkgo.GinkgoT(), err) assert.NotNil(ginkgo.GinkgoT(), mf) }) - ginkgo.It("request metrics per undefined host are present when flag is set", func() { - err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error { - args := deployment.Spec.Template.Spec.Containers[0].Args - args = append(args, "--metrics-per-undefined-host=true") - deployment.Spec.Template.Spec.Containers[0].Args = args - _, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{}) - return err - }) - assert.Nil(ginkgo.GinkgoT(), err, "updating deployment") - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", wildcardHost). - Expect(). - Status(http.StatusNotFound) - time.Sleep(waitForMetrics) - - ip := f.GetNginxPodIP() - reqMetrics, err := f.GetMetric("nginx_ingress_controller_requests", ip) - assert.Nil(ginkgo.GinkgoT(), err) - assert.NotNil(ginkgo.GinkgoT(), reqMetrics.Metric) - assert.Len(ginkgo.GinkgoT(), reqMetrics.Metric, 1) - - containedLabel := false - for _, label := range reqMetrics.Metric[0].Label { - if *label.Name == "host" && *label.Value == wildcardHost { - containedLabel = true - break - } - } - - assert.Truef(ginkgo.GinkgoT(), containedLabel, "expected reqMetrics to contain label with \"name\"=\"host\" \"value\"=%q, but it did not: %s", wildcardHost, reqMetrics.String()) - }) - ginkgo.It("request metrics per undefined host are not present when flag is not set", func() { - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", wildcardHost). - Expect(). - Status(http.StatusNotFound) - time.Sleep(waitForMetrics) - - ip := f.GetNginxPodIP() - reqMetrics, err := f.GetMetric("nginx_ingress_controller_requests", ip) - assert.EqualError(ginkgo.GinkgoT(), err, "there is no metric with name nginx_ingress_controller_requests") - assert.Nil(ginkgo.GinkgoT(), reqMetrics) - }) }) diff --git a/test/e2e/run-chart-test.sh b/test/e2e/run-chart-test.sh index 7e3f2fe9b..144db41df 100755 --- a/test/e2e/run-chart-test.sh +++ b/test/e2e/run-chart-test.sh @@ -62,7 +62,7 @@ export KUBECONFIG="${KUBECONFIG:-$HOME/.kube/kind-config-$KIND_CLUSTER_NAME}" if [ "${SKIP_CLUSTER_CREATION:-false}" = "false" ]; then echo "[dev-env] creating Kubernetes cluster with kind" - export K8S_VERSION=${K8S_VERSION:-v1.32.0@sha256:c48c62eac5da28cdadcf560d1d8616cfa6783b58f0d94cf63ad1bf49600cb027} + export K8S_VERSION=${K8S_VERSION:-v1.29.2@sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245} kind create cluster \ --verbosity=${KIND_LOG_LEVEL} \ @@ -78,7 +78,7 @@ fi if [ "${SKIP_IMAGE_CREATION:-false}" = "false" ]; then if ! command -v ginkgo &> /dev/null; then - go install github.com/onsi/ginkgo/v2/ginkgo@v2.22.2 + go install github.com/onsi/ginkgo/v2/ginkgo@v2.22.1 fi echo "[dev-env] building image" make -C ${DIR}/../../ clean-image build image @@ -114,5 +114,5 @@ docker run \ --workdir /workdir \ --entrypoint ct \ --rm \ - registry.k8s.io/ingress-nginx/e2e-test-runner:v20250112-a188f4eb@sha256:043038b1e30e5a0b64f3f919f096c5c9488ac3f617ac094b07fb9db8215f9441 \ + registry.k8s.io/ingress-nginx/e2e-test-runner:v20241224-68ed4e7b@sha256:871642296ebc0dd386f9a43b0cf2606028d757d6c4a2737d41180f02f8172823 \ install --charts charts/ingress-nginx diff --git a/test/e2e/run-e2e-suite.sh b/test/e2e/run-e2e-suite.sh index 909368e96..9333ee61f 100755 --- a/test/e2e/run-e2e-suite.sh +++ b/test/e2e/run-e2e-suite.sh @@ -78,6 +78,7 @@ kubectl run --rm \ --env="E2E_NODES=${E2E_NODES}" \ --env="FOCUS=${FOCUS}" \ --env="IS_CHROOT=${IS_CHROOT:-false}"\ + --env="ENABLE_VALIDATIONS=${ENABLE_VALIDATIONS:-false}"\ --env="SKIP_OPENTELEMETRY_TESTS=${SKIP_OPENTELEMETRY_TESTS:-false}"\ --env="E2E_CHECK_LEAKS=${E2E_CHECK_LEAKS}" \ --env="NGINX_BASE_IMAGE=${NGINX_BASE_IMAGE}" \ diff --git a/test/e2e/run-kind-e2e.sh b/test/e2e/run-kind-e2e.sh index e41d31afd..34096fea2 100755 --- a/test/e2e/run-kind-e2e.sh +++ b/test/e2e/run-kind-e2e.sh @@ -39,6 +39,7 @@ fi KIND_LOG_LEVEL="1" IS_CHROOT="${IS_CHROOT:-false}" +ENABLE_VALIDATIONS="${ENABLE_VALIDATIONS:-false}" export KIND_CLUSTER_NAME=${KIND_CLUSTER_NAME:-ingress-nginx-dev} DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" # Use 1.0.0-dev to make sure we use the latest configuration in the helm template @@ -63,7 +64,7 @@ echo "Running e2e with nginx base image ${NGINX_BASE_IMAGE}" if [ "${SKIP_CLUSTER_CREATION}" = "false" ]; then echo "[dev-env] creating Kubernetes cluster with kind" - export K8S_VERSION=${K8S_VERSION:-v1.32.0@sha256:c48c62eac5da28cdadcf560d1d8616cfa6783b58f0d94cf63ad1bf49600cb027} + export K8S_VERSION=${K8S_VERSION:-v1.29.2@sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245} # delete the cluster if it exists if kind get clusters | grep "${KIND_CLUSTER_NAME}"; then @@ -95,7 +96,7 @@ fi if [ "${SKIP_E2E_IMAGE_CREATION}" = "false" ]; then if ! command -v ginkgo &> /dev/null; then - go install github.com/onsi/ginkgo/v2/ginkgo@v2.22.2 + go install github.com/onsi/ginkgo/v2/ginkgo@v2.22.1 fi echo "[dev-env] .. done building controller images" diff --git a/test/e2e/settings/badannotationvalues.go b/test/e2e/settings/badannotationvalues.go index aa9906909..f61b5bada 100644 --- a/test/e2e/settings/badannotationvalues.go +++ b/test/e2e/settings/badannotationvalues.go @@ -34,8 +34,14 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { }) ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation", func() { - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() host := "invalid-value-test" annotations := map[string]string{ @@ -44,6 +50,7 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { } ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + f.UpdateNginxConfigMapData("allow-snippet-annotations", "true") f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "something_forbidden,otherthing_forbidden,{") f.EnsureIngress(ing) @@ -66,8 +73,14 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { }) ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation", func() { - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() host := "forbidden-value-test" @@ -80,6 +93,7 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { } ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + f.UpdateNginxConfigMapData("allow-snippet-annotations", "true") f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "something_forbidden,otherthing_forbidden,content_by_lua_block") // Sleep a while just to guarantee that the configmap is applied framework.Sleep() @@ -103,9 +117,14 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { }) ginkgo.It("[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place", func() { - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() - + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() hostValid := "custom-allowed-value-test" annotationsValid := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": ` @@ -136,8 +155,14 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { }) ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass", func() { - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() host := "custom-forbidden-value-test" annotations := map[string]string{ diff --git a/test/e2e/settings/geoip2.go b/test/e2e/settings/geoip2.go index 9c6d59dc5..064863734 100644 --- a/test/e2e/settings/geoip2.go +++ b/test/e2e/settings/geoip2.go @@ -69,9 +69,15 @@ var _ = framework.DescribeSetting("Geoip2", func() { ginkgo.It("should only allow requests from specific countries", func() { ginkgo.Skip("GeoIP test are temporarily disabled") - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() - f.UpdateNginxConfigMapData("use-geoip2", "true") + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + "use-geoip2": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() httpSnippetAllowingOnlyAustralia := `map $geoip2_city_country_code $blocked_country { default 1; diff --git a/test/e2e/settings/globalratelimit.go b/test/e2e/settings/globalratelimit.go new file mode 100644 index 000000000..e266350ad --- /dev/null +++ b/test/e2e/settings/globalratelimit.go @@ -0,0 +1,96 @@ +/* +Copyright 2020 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package settings + +import ( + "fmt" + "net/http" + "strconv" + "strings" + + "github.com/onsi/ginkgo/v2" + "github.com/stretchr/testify/assert" + "k8s.io/ingress-nginx/test/e2e/framework" +) + +var _ = framework.DescribeSetting("settings-global-rate-limit", func() { + f := framework.NewDefaultFramework("global-rate-limit") + host := "global-rate-limit" + + ginkgo.BeforeEach(func() { + f.NewEchoDeployment() + }) + + ginkgo.It("generates correct NGINX configuration", func() { + annotations := make(map[string]string) + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + f.EnsureIngress(ing) + + ginkgo.By("generating correct defaults") + + ngxCfg := "" + f.WaitForNginxConfiguration(func(cfg string) bool { + if strings.Contains(cfg, "global_throttle") { + ngxCfg = cfg + return true + } + return false + }) + + assert.Contains(ginkgo.GinkgoT(), ngxCfg, fmt.Sprintf(`global_throttle = { `+ + `memcached = { host = "%v", port = %d, connect_timeout = %d, max_idle_timeout = %d, `+ + `pool_size = %d, }, status_code = %d, }`, + "", 11211, 50, 10000, 50, 429)) + + f.HTTPTestClient().GET("/").WithHeader("Host", host).Expect().Status(http.StatusOK) + + ginkgo.By("applying customizations") + + memcachedHost := "memc.default.svc.cluster.local" + memcachedPort := 11211 + memcachedConnectTimeout := 100 + memcachedMaxIdleTimeout := 5000 + memcachedPoolSize := 100 + statusCode := 503 + + f.SetNginxConfigMapData(map[string]string{ + "global-rate-limit-memcached-host": memcachedHost, + "global-rate-limit-memcached-port": strconv.Itoa(memcachedPort), + "global-rate-limit-memcached-connect-timeout": strconv.Itoa(memcachedConnectTimeout), + "global-rate-limit-memcached-max-idle-timeout": strconv.Itoa(memcachedMaxIdleTimeout), + "global-rate-limit-memcached-pool-size": strconv.Itoa(memcachedPoolSize), + "global-rate-limit-status-code": strconv.Itoa(statusCode), + }) + + ngxCfg = "" + f.WaitForNginxConfiguration(func(cfg string) bool { + if strings.Contains(cfg, "global_throttle") { + ngxCfg = cfg + return true + } + return false + }) + + assert.Contains(ginkgo.GinkgoT(), ngxCfg, fmt.Sprintf(`global_throttle = { `+ + `memcached = { host = "%v", port = %d, connect_timeout = %d, max_idle_timeout = %d, `+ + `pool_size = %d, }, status_code = %d, }`, + memcachedHost, memcachedPort, memcachedConnectTimeout, memcachedMaxIdleTimeout, + memcachedPoolSize, statusCode)) + + f.HTTPTestClient().GET("/").WithHeader("Host", host).Expect().Status(http.StatusOK) + }) +}) diff --git a/test/e2e/settings/no_tls_redirect_locations.go b/test/e2e/settings/no_tls_redirect_locations.go index 18fd09e26..8339eb23e 100644 --- a/test/e2e/settings/no_tls_redirect_locations.go +++ b/test/e2e/settings/no_tls_redirect_locations.go @@ -33,7 +33,7 @@ var _ = framework.DescribeSetting("Add no tls redirect locations", func() { f.EnsureIngress(ing) f.WaitForNginxConfiguration(func(server string) bool { - return strings.Contains(server, "set $force_no_ssl_redirect \"false\"") + return !strings.Contains(server, "force_no_ssl_redirect = true,") }) wlKey := "no-tls-redirect-locations" @@ -42,7 +42,7 @@ var _ = framework.DescribeSetting("Add no tls redirect locations", func() { f.UpdateNginxConfigMapData(wlKey, wlValue) f.WaitForNginxConfiguration(func(server string) bool { - return strings.Contains(server, "set $force_no_ssl_redirect \"true\"") + return strings.Contains(server, "force_no_ssl_redirect = true,") }) }) }) diff --git a/test/e2e/settings/ocsp/ocsp.go b/test/e2e/settings/ocsp/ocsp.go index b2d50292a..72e6d7ad2 100644 --- a/test/e2e/settings/ocsp/ocsp.go +++ b/test/e2e/settings/ocsp/ocsp.go @@ -34,7 +34,6 @@ import ( appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/ingress-nginx/test/e2e/framework" @@ -108,9 +107,8 @@ var _ = framework.DescribeSetting("OCSP", func() { err = framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, "ocspserve", f.Namespace, 1) assert.Nil(ginkgo.GinkgoT(), err, "waiting for endpoints to become ready") - f.WaitForLuaConfiguration(func(jsonCfg map[string]interface{}) bool { - val, ok, err := unstructured.NestedBool(jsonCfg, "enable_ocsp") - return err == nil && ok && val + f.WaitForNginxConfiguration(func(cfg string) bool { + return strings.Contains(cfg, "certificate.is_ocsp_stapling_enabled = true") }) f.WaitForNginxServer(host, @@ -297,7 +295,7 @@ func ocspserveDeployment(namespace string) (*appsv1.Deployment, *corev1.Service) Containers: []corev1.Container{ { Name: name, - Image: "registry.k8s.io/ingress-nginx/cfssl:v1.1.1@sha256:bcd576c6d0a01d4710969195e804c02da62b71b5c35c6816df9b7584d5445437", + Image: "registry.k8s.io/ingress-nginx/cfssl:v1.1.0@sha256:31a195d7c3dc801575ca46919ff2b3f01afce54a744ab22ee83469f92a6e0965", Command: []string{ "/bin/bash", "-c", diff --git a/test/e2e/settings/plugins.go b/test/e2e/settings/plugins.go new file mode 100644 index 000000000..659acd42c --- /dev/null +++ b/test/e2e/settings/plugins.go @@ -0,0 +1,55 @@ +/* +Copyright 2020 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package settings + +import ( + "fmt" + "net/http" + "strings" + + "github.com/onsi/ginkgo/v2" + "k8s.io/ingress-nginx/test/e2e/framework" +) + +var _ = framework.IngressNginxDescribe("plugins", func() { + f := framework.NewDefaultFramework("plugins") + + ginkgo.BeforeEach(func() { + f.NewEchoDeployment() + }) + + ginkgo.It("should exist a x-hello-world header", func() { + f.UpdateNginxConfigMapData("plugins", "hello_world, invalid") + + host := "example.com" + f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)) + + f.WaitForNginxConfiguration( + func(server string) bool { + return strings.Contains(server, fmt.Sprintf("server_name %v", host)) && + strings.Contains(server, `plugins.init({ "hello_world","invalid" })`) + }) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + WithHeader("User-Agent", "hello"). + Expect(). + Status(http.StatusOK). + Body().Contains("x-hello-world=1") + }) +}) diff --git a/test/e2e/settings/proxy_host.go b/test/e2e/settings/proxy_host.go index bb5dc9c01..35aafc53d 100644 --- a/test/e2e/settings/proxy_host.go +++ b/test/e2e/settings/proxy_host.go @@ -34,9 +34,14 @@ var _ = framework.IngressNginxDescribe("Dynamic $proxy_host", func() { }) ginkgo.It("should exist a proxy_host", func() { - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() - + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() upstreamName := fmt.Sprintf("%v-%v-80", f.Namespace, framework.EchoService) annotations := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_headers "Custom-Header: $proxy_host"`, @@ -58,8 +63,14 @@ var _ = framework.IngressNginxDescribe("Dynamic $proxy_host", func() { }) ginkgo.It("should exist a proxy_host using the upstream-vhost annotation value", func() { - disableSnippet := f.AllowSnippetConfiguration() - defer disableSnippet() + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() upstreamName := fmt.Sprintf("%v-%v-80", f.Namespace, framework.EchoService) upstreamVHost := "different.host" diff --git a/test/e2e/settings/server_snippet.go b/test/e2e/settings/server_snippet.go index 1e2084bd8..8ddf10fd9 100644 --- a/test/e2e/settings/server_snippet.go +++ b/test/e2e/settings/server_snippet.go @@ -38,7 +38,6 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() { f.SetNginxConfigMapData(map[string]string{ "allow-snippet-annotations": "true", - "annotations-risk-level": "Critical", "server-snippet": ` more_set_headers "Globalfoo: Foooo";`, }) @@ -46,7 +45,6 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() { defer func() { f.SetNginxConfigMapData(map[string]string{ "allow-snippet-annotations": "false", - "annotations-risk-level": "High", }) }() annotations := map[string]string{ @@ -103,7 +101,6 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() { f.SetNginxConfigMapData(map[string]string{ "allow-snippet-annotations": "false", - "annotations-risk-level": "Critical", // To allow Configuration Snippet "server-snippet": ` more_set_headers "Globalfoo: Foooo";`, }) @@ -111,7 +108,6 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() { defer func() { f.SetNginxConfigMapData(map[string]string{ "allow-snippet-annotations": "false", - "annotations-risk-level": "High", }) }() annotations := map[string]string{ diff --git a/test/e2e/settings/tls.go b/test/e2e/settings/tls.go index 1ebf358c1..51f760df8 100644 --- a/test/e2e/settings/tls.go +++ b/test/e2e/settings/tls.go @@ -25,11 +25,10 @@ import ( "github.com/onsi/ginkgo/v2" "github.com/stretchr/testify/assert" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/ingress-nginx/test/e2e/framework" ) -var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers", func() { +var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", func() { f := framework.NewDefaultFramework("settings-tls") host := "settings-tls" @@ -110,9 +109,8 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers", fu ginkgo.It("setting max-age parameter", func() { f.UpdateNginxConfigMapData(hstsMaxAge, "86400") - f.WaitForLuaConfiguration(func(jsonCfg map[string]interface{}) bool { - val, ok, err := unstructured.NestedString(jsonCfg, "hsts_max_age") - return err == nil && ok && val == "86400" + f.WaitForNginxConfiguration(func(server string) bool { + return strings.Contains(server, `hsts_max_age = 86400,`) }) f.HTTPTestClientWithTLSConfig(tlsConfig). @@ -130,9 +128,8 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers", fu hstsIncludeSubdomains: "false", }) - f.WaitForLuaConfiguration(func(jsonCfg map[string]interface{}) bool { - val, ok, err := unstructured.NestedBool(jsonCfg, "hsts_include_subdomains") - return err == nil && ok && !val + f.WaitForNginxConfiguration(func(server string) bool { + return strings.Contains(server, `hsts_include_subdomains = false,`) }) f.HTTPTestClientWithTLSConfig(tlsConfig). @@ -151,9 +148,8 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers", fu hstsIncludeSubdomains: "false", }) - f.WaitForLuaConfiguration(func(jsonCfg map[string]interface{}) bool { - val, ok, err := unstructured.NestedBool(jsonCfg, "hsts_preload") - return err == nil && ok && val + f.WaitForNginxConfiguration(func(server string) bool { + return strings.Contains(server, `hsts_preload = true,`) }) f.HTTPTestClientWithTLSConfig(tlsConfig). diff --git a/test/e2e/settings/validations/validations.go b/test/e2e/settings/validations/validations.go index 881de39b4..ac95a453a 100644 --- a/test/e2e/settings/validations/validations.go +++ b/test/e2e/settings/validations/validations.go @@ -48,8 +48,8 @@ var _ = framework.IngressNginxDescribeSerial("annotation validations", func() { framework.Sleep() annotations := map[string]string{ - "nginx.ingress.kubernetes.io/default-backend": "bla", // low risk - "nginx.ingress.kubernetes.io/denylist-source-range": "1.1.1.1/32", // medium risk + "nginx.ingress.kubernetes.io/default-backend": "default/bla", // low risk + "nginx.ingress.kubernetes.io/denylist-source-range": "1.1.1.1/32", // medium risk } ginkgo.By("allow ingress with low/medium risk annotations") @@ -82,8 +82,8 @@ var _ = framework.IngressNginxDescribeSerial("annotation validations", func() { framework.Sleep() annotations := map[string]string{ - "nginx.ingress.kubernetes.io/default-backend": "bla", // low risk - "nginx.ingress.kubernetes.io/denylist-source-range": "1.1.1.1/32", // medium risk + "nginx.ingress.kubernetes.io/default-backend": "default/bla", // low risk + "nginx.ingress.kubernetes.io/denylist-source-range": "1.1.1.1/32", // medium risk } ginkgo.By("allow ingress with low/medium risk annotations") diff --git a/test/e2e/wait-for-nginx.sh b/test/e2e/wait-for-nginx.sh index 73023aba1..ac0584962 100755 --- a/test/e2e/wait-for-nginx.sh +++ b/test/e2e/wait-for-nginx.sh @@ -24,6 +24,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" export NAMESPACE=$1 export NAMESPACE_OVERLAY=$2 export IS_CHROOT=$3 +export ENABLE_VALIDATIONS=$4 echo "deploying NGINX Ingress controller in namespace $NAMESPACE" @@ -58,6 +59,7 @@ else # TODO: remove the need to use fullnameOverride fullnameOverride: nginx-ingress controller: + enableAnnotationValidations: ${ENABLE_VALIDATIONS} image: repository: ingress-controller/controller chroot: ${IS_CHROOT} diff --git a/test/manifests/configuration-a.json b/test/manifests/configuration-a.json index f9599d77c..ba513c616 100644 --- a/test/manifests/configuration-a.json +++ b/test/manifests/configuration-a.json @@ -302,12 +302,7 @@ "validationDepth": 0 }, "use-port-in-redirects": false, - "configuration-snippet": "", - "customHeaders": { - "headers": { - "Server": "HAL9000" - } - } + "configuration-snippet": "" }] }, { "hostname": "dev.mycompany.com", diff --git a/test/manifests/configuration-b.json b/test/manifests/configuration-b.json index d2e71bb29..9e40785b4 100644 --- a/test/manifests/configuration-b.json +++ b/test/manifests/configuration-b.json @@ -302,12 +302,7 @@ "validationDepth": 0 }, "use-port-in-redirects": false, - "configuration-snippet": "", - "customHeaders": { - "headers": { - "Server": "HAL9000" - } - } + "configuration-snippet": "" }] }, { "hostname": "dev.mycompany.com", diff --git a/test/test-lua.sh b/test/test-lua.sh index e7ee5843e..fc60023f8 100755 --- a/test/test-lua.sh +++ b/test/test-lua.sh @@ -36,11 +36,12 @@ SHDICT_ARGS=( "--shdict" "high_throughput_tracker 1M" "--shdict" "balancer_ewma_last_touched_at 1M" "--shdict" "balancer_ewma_locks 512k" + "--shdict" "global_throttle_cache 5M" "./rootfs/etc/nginx/lua/test/run.lua" ) if [ $# -eq 0 ]; then - resty "${SHDICT_ARGS[@]}" ./rootfs/etc/nginx/lua/test/ ${BUSTED_ARGS} + resty "${SHDICT_ARGS[@]}" ./rootfs/etc/nginx/lua/test/ ./rootfs/etc/nginx/lua/plugins/**/test ${BUSTED_ARGS} else resty "${SHDICT_ARGS[@]}" $@ ${BUSTED_ARGS} fi