diff --git a/helm/ingress-nginx/.helmignore b/helm/ingress-nginx/.helmignore
index 50af03172..109b40811 100644
--- a/helm/ingress-nginx/.helmignore
+++ b/helm/ingress-nginx/.helmignore
@@ -20,3 +20,4 @@
 .idea/
 *.tmproj
 .vscode/
+__snapshot__
diff --git a/helm/ingress-nginx/Chart.yaml b/helm/ingress-nginx/Chart.yaml
index f3e63e665..b664a6714 100644
--- a/helm/ingress-nginx/Chart.yaml
+++ b/helm/ingress-nginx/Chart.yaml
@@ -1,16 +1,22 @@
 annotations:
- application.giantswarm.io/team: team-cabbage
- ui.giantswarm.io/logo: https://s.giantswarm.io/app-icons/ingress-nginx/2/logo_dark.svg
+ artifacthub.io/changes: |-
+ - "Update Ingress-Nginx version controller-v1.9.4"
+ artifacthub.io/prerelease: "false"
 apiVersion: v2
 appVersion: 1.9.4
-description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
-home: https://github.com/giantswarm/ingress-nginx-app
-icon: https://s.giantswarm.io/app-icons/ingress-nginx/2/icon_dark.svg
+description: Ingress controller for Kubernetes using NGINX as a reverse proxy and
+ load balancer
+home: https://github.com/kubernetes/ingress-nginx
+icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
 keywords:
- - ingress
- - nginx
+- ingress
+- nginx
 kubeVersion: '>=1.20.0-0'
+maintainers:
+- name: rikatz
+- name: strongjz
+- name: tao12345666333
 name: ingress-nginx
 sources:
- - https://github.com/kubernetes/ingress-nginx
-version: 3.3.1
+- https://github.com/kubernetes/ingress-nginx
+version: 4.8.4
diff --git a/helm/ingress-nginx/README.md b/helm/ingress-nginx/README.md
index d04eccd47..acf1be7bf 100644
--- a/helm/ingress-nginx/README.md
+++ b/helm/ingress-nginx/README.md
@@ -1,8 +1,8 @@
 # ingress-nginx
-[ingress-nginx](https://github.com/giantswarm/ingress-nginx-app) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
+[ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
-![Version: 3.3.1](https://img.shields.io/badge/Version-3.3.1-informational?style=flat-square) ![AppVersion: 1.9.4](https://img.shields.io/badge/AppVersion-1.9.4-informational?style=flat-square)
+![Version: 4.8.4](https://img.shields.io/badge/Version-4.8.4-informational?style=flat-square) ![AppVersion: 1.9.4](https://img.shields.io/badge/AppVersion-1.9.4-informational?style=flat-square)
 To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
@@ -12,22 +12,65 @@ This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kuber
 Kubernetes: `>=1.20.0-0`
-### Migrating from giantswarm/nginx-ingress-controller-app
+## Get Repo Info
-There are two main ways to migrate a release from `giantswarm/nginx-ingress-controller-app` to `giantswarm/ingress-nginx` chart:
+```console
+helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+helm repo update
+```
+
+## Install Chart
+
+**Important:** only helm3 is supported
+
+```console
+helm install [RELEASE_NAME] ingress-nginx/ingress-nginx
+```
+
+The command deploys ingress-nginx on the Kubernetes cluster in the default configuration.
+
+_See [configuration](#configuration) below._
+
+_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
+
+## Uninstall Chart
+
+```console
+helm uninstall [RELEASE_NAME]
+```
+
+This removes all the Kubernetes components associated with the chart and deletes the release.
+
+_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._
+
+## Upgrading Chart
+
+```console
+helm upgrade [RELEASE_NAME] [CHART] --install
+```
-1. For Nginx Ingress controllers used for non-critical services, the easiest method is to uninstall the old release and install the new one
+_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._
+
+### Migrating from stable/nginx-ingress
+
+There are two main ways to migrate a release from `stable/nginx-ingress` to `ingress-nginx/ingress-nginx` chart:
+
+1. For Nginx Ingress controllers used for non-critical services, the easiest method is to [uninstall](#uninstall-chart) the old release and [install](#install-chart) the new one
 1. For critical services in production that require zero-downtime, you will want to:
- 1. Install a second Ingress controller
+ 1. [Install](#install-chart) a second Ingress controller
 1. Redirect your DNS traffic from the old controller to the new controller
 1. Log traffic from both controllers during this changeover
- 1. Uninstall the old controller once traffic has fully drained from it
+ 1. [Uninstall](#uninstall-chart) the old controller once traffic has fully drained from it
+
+Note that there are some different and upgraded configurations between the two charts, described by Rimas Mocevicius from JFrog in the "Upgrading to ingress-nginx Helm chart" section of [Migrating from Helm chart nginx-ingress to ingress-nginx](https://rimusz.net/migrating-to-ingress-nginx). As the `ingress-nginx/ingress-nginx` chart continues to update, you will want to check current differences by running [helm configuration](#configuration) commands on both charts.
 ## Configuration
-_See [configuration](#configuration) below._
+See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands:
-To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml).
+```console
+helm show values ingress-nginx/ingress-nginx
+```
 ### PodDisruptionBudget
@@ -43,13 +86,26 @@ Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor
 ### ingress-nginx nginx\_status page/stats server
-Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete.
+Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in Ingress-Nginx Controller:
+
+- In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed
+- In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost.
+ You can use `curl --unix-socket /tmp/nginx-status-server.sock http://localhost/nginx_status` inside the controller container to access it locally, or use the snippet from [nginx-ingress changelog](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230) to re-enable the http server
+
+### ExternalDNS Service Configuration
-You can use `curl --unix-socket /tmp/nginx-status-server.sock http://localhost/nginx_status` inside the controller container to access it locally.
+Add an [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) annotation to the LoadBalancer service:
+
+```yaml
+controller:
+ service:
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: kubernetes-example.com.
+```
 ### AWS L7 ELB with SSL Termination
-Annotate the controller as shown in the [docs](https://docs.giantswarm.io/advanced/ingress/service-type-loadbalancer/#ssl-termination-on-aws):
+Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/ab3a789caae65eec4ad6e3b46b19750b481b6bce/deploy/aws/l7/service-l7.yaml):
 ```yaml
 controller:
@@ -70,9 +126,70 @@ This setup is useful when you need both external and internal load balancers but
 By default, the ingress object will point to the external load balancer address, but if correctly configured, you can make use of the internal one if the URL you are looking up resolves to the internal load balancer's URL.
-You'll need to set the following value:
+You'll need to set both the following values:
 `controller.service.internal.enabled`
+`controller.service.internal.annotations`
+
+If one of them is missing the internal load balancer will not be deployed. Example you may have `controller.service.internal.enabled=true` but no annotations set, in this case no action will be taken.
+
+`controller.service.internal.annotations` varies with the cloud service you're using.
+
+Example for AWS:
+
+```yaml
+controller:
+ service:
+ internal:
+ enabled: true
+ annotations:
+ # Create internal NLB
+ service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
+ # Create internal ELB(Deprecated)
+ # service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+ # Any other annotation can be declared here.
+```
+
+Example for GCE:
+
+```yaml
+controller:
+ service:
+ internal:
+ enabled: true
+ annotations:
+ # Create internal LB. More information: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing
+ # For GKE versions 1.17 and later
+ networking.gke.io/load-balancer-type: "Internal"
+ # For earlier versions
+ # cloud.google.com/load-balancer-type: "Internal"
+
+ # Any other annotation can be declared here.
+```
+
+Example for Azure:
+
+```yaml
+controller:
+ service:
+ annotations:
+ # Create internal LB
+ service.beta.kubernetes.io/azure-load-balancer-internal: "true"
+ # Any other annotation can be declared here.
+```
+
+Example for Oracle Cloud Infrastructure:
+
+```yaml
+controller:
+ service:
+ annotations:
+ # Create internal LB
+ service.beta.kubernetes.io/oci-load-balancer-internal: "true"
+ # Any other annotation can be declared here.
+```
+
+The load balancer annotations of more cloud service providers can be found: [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer).
 An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object.
@@ -80,7 +197,10 @@ Optionally you can set `controller.service.loadBalancerIP` if you need a static
 ### Ingress Admission Webhooks
-The Ingress-Nginx Controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
+With nginx-ingress-controller version 0.25+, the Ingress-Nginx Controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
+**This feature is enabled by default since 0.31.0.**
+
+With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521)
 #### How the Chart Configures the Hooks
 A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks.
@@ -91,19 +211,29 @@ A validating and configuration requires the endpoint to which the request is sen
 4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations
 #### Alternatives
-It should be possible to use [giantswarm/cert-manager-app](https://github.com/giantswarm/cert-manager-app) if a more complete solution is required.
+It should be possible to use [cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) if a more complete solution is required.
 You can enable automatic self-signed TLS certificate provisioning via cert-manager by setting the `controller.admissionWebhooks.certManager.enabled` value to true.
 Please ensure that cert-manager is correctly installed and configured.
+### Helm Error When Upgrading: spec.clusterIP: Invalid value: ""
+
+If you are upgrading this chart from a version between 0.31.0 and 1.2.2 then you may get an error like this:
+
+```console
+Error: UPGRADE FAILED: Service "?????-controller" is invalid: spec.clusterIP: Invalid value: "": field is immutable
+```
+
+Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13646) but to resolve this you can set `xxxx.service.omitClusterIP` to `true` where `xxxx` is the service referenced in the error.
+
+As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered.
+
 ## Values
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| baseDomain | string | `""` | Domain of the service's FQDN. This value is set automatically. Do not overwrite it. |
 | commonLabels | object | `{}` | |
-| configmap | object | `{}` | Deprecated, use `controller.config` instead. |
 | controller.addHeaders | object | `{}` | Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers |
 | controller.admissionWebhooks.annotations | object | `{}` | |
 | controller.admissionWebhooks.certManager.admissionCert.duration | string | `""` | |
@@ -123,12 +253,13 @@ Please ensure that cert-manager is correctly installed and configured.
 | controller.admissionWebhooks.namespaceSelector | object | `{}` | |
 | controller.admissionWebhooks.objectSelector | object | `{}` | |
 | controller.admissionWebhooks.patch.enabled | bool | `true` | |
-| controller.admissionWebhooks.patch.image.digest | string | `""` | |
-| controller.admissionWebhooks.patch.image.image | string | `"giantswarm/ingress-nginx-kube-webhook-certgen"` | |
+| controller.admissionWebhooks.patch.image.digest | string | `"sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80"` | |
+| controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | |
 | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | |
+| controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | |
 | controller.admissionWebhooks.patch.image.tag | string | `"v20231011-8b53cabe0"` | |
 | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
-| controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `true` | Enable 'networkPolicy' or not |
+| controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
 | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | |
 | controller.admissionWebhooks.patch.podAnnotations | object | `{}` | |
 | controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # |
@@ -148,15 +279,13 @@ Please ensure that cert-manager is correctly installed and configured.
 | controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # |
 | controller.autoscaling.annotations | object | `{}` | |
 | controller.autoscaling.behavior | object | `{}` | |
-| controller.autoscaling.enabled | bool | `true` | |
-| controller.autoscaling.maxReplicas | int | `20` | |
-| controller.autoscaling.minReplicas | int | `2` | |
-| controller.autoscaling.targetCPUUtilizationPercentage | int | `80` | |
-| controller.autoscaling.targetMemoryUtilizationPercentage | int | `80` | |
+| controller.autoscaling.enabled | bool | `false` | |
+| controller.autoscaling.maxReplicas | int | `11` | |
+| controller.autoscaling.minReplicas | int | `1` | |
+| controller.autoscaling.targetCPUUtilizationPercentage | int | `50` | |
+| controller.autoscaling.targetMemoryUtilizationPercentage | int | `50` | |
 | controller.autoscalingTemplate | list | `[]` | |
-| controller.config | object | `{"hsts":"false","strict-validate-path-type":"true"}` | Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ |
-| controller.config.hsts | string | `"false"` | Enable HSTS or not. Disabled by default due to possible serious consequences. Ref: https://github.com/kubernetes/ingress-nginx/issues/549 |
-| controller.config.strict-validate-path-type | string | `"true"` | Enable strict path type validation or not. Enabled by default for security reasons. Ref: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type |
+| controller.config | object | `{}` | Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ |
 | controller.configAnnotations | object | `{}` | Annotations to be added to the controller config configuration configmap. |
 | controller.configMapNamespace | string | `""` | Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) |
 | controller.containerName | string | `"controller"` | Configures the controller container name |
@@ -167,7 +296,7 @@ Please ensure that cert-manager is correctly installed and configured.
 | controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. |
 | controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. |
 | controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' |
-| controller.enableAnnotationValidations | bool | `true` | |
+| controller.enableAnnotationValidations | bool | `false` | |
 | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # |
 | controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false |
 | controller.existingPsp | string | `""` | Use an existing PSP instead of creating one |
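Review bot: The new default for `controller.config` is `{}`, which drops `strict-validate-path-type: "true"` — a setting the removed row explicitly documented as "Enabled by default for security reasons" — and `hsts: "false"`, which the removed row said was disabled because of "possible serious consequences"; both now fall back to whatever the 1.9.4 controller's own defaults are, which this diff does not establish. If this table is generated from values.yaml (not in the diff), the values change is the real regression, but the README is now the only trace that these hardening defaults were dropped, and an operator upgrading from 3.x gets the behaviour change silently. Consider keeping `controller.config: {"strict-validate-path-type": "true", "hsts": "false"}` as the chart default, or at least adding a sentence under Configuration such as `Upgrading from 3.x: strict-validate-path-type and hsts are no longer pre-set; re-add them to controller.config if you relied on the previous defaults.`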
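Review bot: `controller.enableAnnotationValidations` flips from `true` to `false` on the new side with an empty description, so the default now disables the controller's validation of Ingress annotation values, and the table gives no reason. Annotation values are rendered into the nginx configuration, so on a cluster where application teams own their Ingress objects this is a security-relevant loosening rather than a cosmetic default change, and it deserves a description that says so. Suggest filling the Description cell with something like `Validate Ingress annotation values before they are rendered into the nginx config. Set to true on multi-tenant clusters.`, or restoring the previous `true` default if the upstream-alignment is not required.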
@@ -188,11 +317,12 @@ Please ensure that cert-manager is correctly installed and configured.
 | controller.hostname | object | `{}` | Optionally customize the pod hostname. |
 | controller.image.allowPrivilegeEscalation | bool | `false` | |
 | controller.image.chroot | bool | `false` | |
-| controller.image.digest | string | `""` | |
-| controller.image.digestChroot | string | `""` | |
-| controller.image.image | string | `"giantswarm/ingress-nginx-controller"` | |
+| controller.image.digest | string | `"sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3"` | |
+| controller.image.digestChroot | string | `"sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26"` | |
+| controller.image.image | string | `"ingress-nginx/controller"` | |
 | controller.image.pullPolicy | string | `"IfNotPresent"` | |
 | controller.image.readOnlyRootFilesystem | bool | `false` | |
+| controller.image.registry | string | `"registry.k8s.io"` | |
 | controller.image.runAsNonRoot | bool | `true` | |
 | controller.image.runAsUser | int | `101` | |
 | controller.image.seccompProfile.type | string | `"RuntimeDefault"` | |
@@ -225,9 +355,8 @@ Please ensure that cert-manager is correctly installed and configured.
 | controller.livenessProbe.periodSeconds | int | `10` | |
 | controller.livenessProbe.successThreshold | int | `1` | |
 | controller.livenessProbe.timeoutSeconds | int | `1` | |
-| controller.maxUnavailable | string | `"25%"` | Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. |
 | controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. # https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases |
-| controller.metrics.enabled | bool | `true` | |
+| controller.metrics.enabled | bool | `false` | |
 | controller.metrics.port | int | `10254` | |
 | controller.metrics.portName | string | `"metrics"` | |
 | controller.metrics.prometheusRule.additionalLabels | object | `{}` | |
@@ -240,18 +369,17 @@ Please ensure that cert-manager is correctly installed and configured.
 | controller.metrics.service.servicePort | int | `10254` | |
 | controller.metrics.service.type | string | `"ClusterIP"` | |
 | controller.metrics.serviceMonitor.additionalLabels | object | `{}` | |
-| controller.metrics.serviceMonitor.enabled | bool | `true` | |
-| controller.metrics.serviceMonitor.metricRelabelings[0].action | string | `"drop"` | |
-| controller.metrics.serviceMonitor.metricRelabelings[0].regex | string | `"nginx_ingress_controller_(bytes_sent_bucket|request_size_bucket|response_duration_seconds_bucket|response_size_bucket|request_duration_seconds_count|connect_duration_seconds_bucket|header_duration_seconds_bucket|bytes_sent_count|request_duration_seconds_sum|bytes_sent_sum|request_size_count|response_size_count|response_duration_seconds_sum|response_duration_seconds_count|ingress_upstream_latency_seconds|ingress_upstream_latency_seconds_sum|ingress_upstream_latency_seconds_count)"` | |
-| controller.metrics.serviceMonitor.metricRelabelings[0].sourceLabels[0] | string | `"__name__"` | |
+| controller.metrics.serviceMonitor.enabled | bool | `false` | |
+| controller.metrics.serviceMonitor.metricRelabelings | list | `[]` | |
 | controller.metrics.serviceMonitor.namespace | string | `""` | |
 | controller.metrics.serviceMonitor.namespaceSelector | object | `{}` | |
 | controller.metrics.serviceMonitor.relabelings | list | `[]` | |
 | controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` | |
 | controller.metrics.serviceMonitor.targetLabels | list | `[]` | |
+| controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. |
 | controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
 | controller.name | string | `"controller"` | |
-| controller.networkPolicy.enabled | bool | `true` | Enable 'networkPolicy' or not |
+| controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
 | controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
 | controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | |
 | controller.opentelemetry.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | |
@@ -259,9 +387,12 @@ Please ensure that cert-manager is correctly installed and configured.
 | controller.opentelemetry.containerSecurityContext.runAsNonRoot | bool | `true` | |
 | controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. |
 | controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
-| controller.opentelemetry.distroless | bool | `true` | |
 | controller.opentelemetry.enabled | bool | `false` | |
-| controller.opentelemetry.image | string | `"quay.io/giantswarm/ingress-nginx-opentelemetry:v20230721-3e2062ee5"` | |
+| controller.opentelemetry.image.digest | string | `"sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` | |
+| controller.opentelemetry.image.distroless | bool | `true` | |
+| controller.opentelemetry.image.image | string | `"ingress-nginx/opentelemetry"` | |
+| controller.opentelemetry.image.registry | string | `"registry.k8s.io"` | |
+| controller.opentelemetry.image.tag | string | `"v20230721-3e2062ee5"` | |
 | controller.opentelemetry.name | string | `"opentelemetry"` | |
 | controller.opentelemetry.resources | object | `{}` | |
 | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # |
@@ -280,10 +411,10 @@ Please ensure that cert-manager is correctly installed and configured.
 | controller.readinessProbe.periodSeconds | int | `10` | |
 | controller.readinessProbe.successThreshold | int | `1` | |
 | controller.readinessProbe.timeoutSeconds | int | `1` | |
-| controller.replicaCount | int | `2` | |
+| controller.replicaCount | int | `1` | |
 | controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply |
-| controller.resources.requests.cpu | string | `"250m"` | |
-| controller.resources.requests.memory | string | `"500Mi"` | |
+| controller.resources.requests.cpu | string | `"100m"` | |
+| controller.resources.requests.memory | string | `"90Mi"` | |
 | controller.scope.enabled | bool | `false` | Enable 'scope' or not |
 | controller.scope.namespace | string | `""` | Namespace to limit the controller to; defaults to $(POD_NAMESPACE) |
 | controller.scope.namespaceSelector | string | `""` | When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. |
@@ -294,16 +425,14 @@ Please ensure that cert-manager is correctly installed and configured.
 | controller.service.enableHttps | bool | `true` | Enable the HTTPS listener on both controller services or not. |
 | controller.service.enabled | bool | `true` | Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service. |
 | controller.service.external.enabled | bool | `true` | Enable the external controller service or not. Useful for internal-only deployments. |
-| controller.service.externalDNS.annotation | string | `"giantswarm.io/external-dns: managed"` | Annotation used so assign the external controller service to a specific ExternalDNS instance. |
-| controller.service.externalDNS.enabled | bool | `true` | Add ExternalDNS annotations or not. |
 | controller.service.externalIPs | list | `[]` | List of node IP addresses at which the external controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips |
-| controller.service.externalTrafficPolicy | string | `"Local"` | External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
+| controller.service.externalTrafficPolicy | string | `""` | External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
 | controller.service.internal.annotations | object | `{}` | Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer |
 | controller.service.internal.appProtocol | bool | `true` | Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol |
 | controller.service.internal.clusterIP | string | `""` | Pre-defined cluster internal IP address of the internal controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
 | controller.service.internal.enabled | bool | `false` | Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this. |
 | controller.service.internal.externalIPs | list | `[]` | List of node IP addresses at which the internal controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips |
-| controller.service.internal.externalTrafficPolicy | string | `"Local"` | External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
+| controller.service.internal.externalTrafficPolicy | string | `""` | External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
 | controller.service.internal.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
 | controller.service.internal.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
 | controller.service.internal.loadBalancerClass | string | `""` | Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class |
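Review bot: Both `controller.service.externalTrafficPolicy` and `controller.service.internal.externalTrafficPolicy` change their default from `"Local"` to `""`, yet the Description cells still only say "Set to Local to preserve source IP" without stating that the new default leaves the choice to the cloud provider (commonly `Cluster`, which SNATs through a node). For an ingress controller that matters beyond logging: source-IP based controls such as the `whitelist-source-range` annotation and IP-keyed rate limits are evaluated against whatever address nginx sees, so an operator upgrading from the 3.x defaults could have allowlists silently evaluated against node addresses unless proxy protocol or `use-forwarded-headers` is also configured. Suggest extending both descriptions, e.g. `Defaults to the provider's policy (usually "Cluster", which hides the client IP); set to "Local" when whitelist-source-range, rate limiting or audit logging depend on the real source address.`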
@@ -315,7 +444,6 @@ Please ensure that cert-manager is correctly installed and configured.
 | controller.service.internal.nodePorts.udp | object | `{}` | Node port mapping for internal UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp: 53: 30053 |
 | controller.service.internal.ports | object | `{}` | |
 | controller.service.internal.sessionAffinity | string | `""` | Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity |
-| controller.service.internal.subdomain | string | `"ingress-internal"` | Defines the sub-domain prepended to the base domain in the FQDN of the internal controller service reconciled by ExternalDNS. |
 | controller.service.internal.targetPorts | object | `{}` | |
 | controller.service.internal.type | string | `""` | Type of the internal controller service. Defaults to the value of `controller.service.type`. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
 | controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
@@ -330,9 +458,7 @@ Please ensure that cert-manager is correctly installed and configured. | controller.service.nodePorts.udp | object | `{}` | Node port mapping for external UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp: 53: 30053 | | controller.service.ports.http | int | `80` | Port the external HTTP listener is published with. | | controller.service.ports.https | int | `443` | Port the external HTTPS listener is published with. | -| controller.service.public | bool | `true` | Makes the external controller service public or not. Adds annotations for making it internal if disabled. | | controller.service.sessionAffinity | string | `""` | Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity | -| controller.service.subdomain | string | `"ingress"` | Defines the sub-domain prepended to the base domain in the FQDN of the external controller service reconciled by ExternalDNS. | | controller.service.targetPorts.http | string | `"http"` | Port of the ingress controller the external HTTP listener is mapped to. | | controller.service.targetPorts.https | string | `"https"` | Port of the ingress controller the external HTTPS listener is mapped to. | | controller.service.type | string | `"LoadBalancer"` | Type of the external controller service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | 
@@ -342,7 +468,7 @@ Please ensure that cert-manager is correctly installed and configured. | controller.tcp.configMapNamespace | string | `""` | Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) | | controller.terminationGracePeriodSeconds | int | `300` | `terminationGracePeriodSeconds` to avoid killing pods before we are ready # wait up to five minutes for the drain of connections # | | controller.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # | -| controller.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"app.kubernetes.io/component":"controller","app.kubernetes.io/instance":"{{ .Release.Name }}","app.kubernetes.io/name":"{{ include \"ingress-nginx.name\" . }}"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"app.kubernetes.io/component":"controller","app.kubernetes.io/instance":"{{ .Release.Name }}","app.kubernetes.io/name":"{{ include \"ingress-nginx.name\" . }}"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. # Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ # | +| controller.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. 
# Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ # | | controller.udp.annotations | object | `{}` | Annotations to be added to the udp config configmap | | controller.udp.configMapNamespace | string | `""` | Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) | | controller.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # | @@ -358,13 +484,15 @@ Please ensure that cert-manager is correctly installed and configured. | defaultBackend.enabled | bool | `false` | | | defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one | | defaultBackend.extraArgs | object | `{}` | | +| defaultBackend.extraConfigMaps | list | `[]` | | | defaultBackend.extraEnvs | list | `[]` | Additional environment variables to set for defaultBackend pods | | defaultBackend.extraVolumeMounts | list | `[]` | | | defaultBackend.extraVolumes | list | `[]` | | | defaultBackend.image.allowPrivilegeEscalation | bool | `false` | | -| defaultBackend.image.image | string | `"giantswarm/defaultbackend"` | | +| defaultBackend.image.image | string | `"defaultbackend-amd64"` | | | defaultBackend.image.pullPolicy | string | `"IfNotPresent"` | | | defaultBackend.image.readOnlyRootFilesystem | bool | `true` | | +| defaultBackend.image.registry | string | `"registry.k8s.io"` | | | defaultBackend.image.runAsNonRoot | bool | `true` | | | defaultBackend.image.runAsUser | int | `65534` | | | defaultBackend.image.seccompProfile.type | string | `"RuntimeDefault"` | | 
@@ -378,7 +506,7 @@ Please ensure that cert-manager is correctly installed and configured. | defaultBackend.minAvailable | int | `1` | | | defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | defaultBackend.name | string | `"defaultbackend"` | | -| defaultBackend.networkPolicy.enabled | bool | `true` | Enable 'networkPolicy' or not | +| defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # | | defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # | | defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata | 
@@ -403,13 +531,10 @@ Please ensure that cert-manager is correctly installed and configured. | defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # | | defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # | | dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param | -| global.podSecurityStandards.enforced | bool | `false` | Wether Pod Security Standards are being used or not. This value is set automatically. Do not overwrite it. | -| image.registry | string | `"quay.io"` | Registry host to pull images from. This value is set automatically. Do not overwrite it. | | imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | | namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace | -| podSecurityPolicy.enabled | bool | `true` | | +| podSecurityPolicy.enabled | bool | `false` | | | portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration | -| provider | string | `"aws"` | Provider the cluster is running on. This value is set automatically. Do not overwrite it. | | rbac.create | bool | `true` | | | rbac.scope | bool | `false` | | | revisionHistoryLimit | int | `10` | Rollback limit # | diff --git a/helm/ingress-nginx/README.md.gotmpl b/helm/ingress-nginx/README.md.gotmpl index d492ae4be..17b029bbf 100644 --- a/helm/ingress-nginx/README.md.gotmpl 
+++ b/helm/ingress-nginx/README.md.gotmpl @@ -1,5 +1,5 @@ {{ template "chart.header" . }} -[ingress-nginx](https://github.com/giantswarm/ingress-nginx-app) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer +[ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer {{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} 
@@ -9,22 +9,65 @@ This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kuber {{ template "chart.requirementsSection" . }} -### Migrating from giantswarm/nginx-ingress-controller-app +## Get Repo Info -There are two main ways to migrate a release from `giantswarm/nginx-ingress-controller-app` to `giantswarm/ingress-nginx` chart: +```console +helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx +helm repo update +``` + +## Install Chart + +**Important:** only helm3 is supported + +```console +helm install [RELEASE_NAME] ingress-nginx/ingress-nginx +``` + +The command deploys ingress-nginx on the Kubernetes cluster in the default configuration. + +_See [configuration](#configuration) below._ + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +## Uninstall Chart + +```console +helm uninstall [RELEASE_NAME] +``` + +This removes all the Kubernetes components associated with the chart and deletes the release. + +_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._ + +## Upgrading Chart + +```console +helm upgrade [RELEASE_NAME] [CHART] --install +``` -1. For Nginx Ingress controllers used for non-critical services, the easiest method is to uninstall the old release and install the new one +_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ + +### Migrating from stable/nginx-ingress + +There are two main ways to migrate a release from `stable/nginx-ingress` to `ingress-nginx/ingress-nginx` chart: + +1. For Nginx Ingress controllers used for non-critical services, the easiest method is to [uninstall](#uninstall-chart) the old release and [install](#install-chart) the new one 1. For critical services in production that require zero-downtime, you will want to: - 1. Install a second Ingress controller + 1. [Install](#install-chart) a second Ingress controller 1. 
Redirect your DNS traffic from the old controller to the new controller 1. Log traffic from both controllers during this changeover - 1. Uninstall the old controller once traffic has fully drained from it + 1. [Uninstall](#uninstall-chart) the old controller once traffic has fully drained from it + +Note that there are some different and upgraded configurations between the two charts, described by Rimas Mocevicius from JFrog in the "Upgrading to ingress-nginx Helm chart" section of [Migrating from Helm chart nginx-ingress to ingress-nginx](https://rimusz.net/migrating-to-ingress-nginx). As the `ingress-nginx/ingress-nginx` chart continues to update, you will want to check current differences by running [helm configuration](#configuration) commands on both charts. ## Configuration -_See [configuration](#configuration) below._ +See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands: -To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml). +```console +helm show values ingress-nginx/ingress-nginx +``` ### PodDisruptionBudget 
@@ -40,13 +83,26 @@ Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor ### ingress-nginx nginx\_status page/stats server -Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete. +Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in Ingress-Nginx Controller: + +- In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed +- In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost. + You can use `curl --unix-socket /tmp/nginx-status-server.sock http://localhost/nginx_status` inside the controller container to access it locally, or use the snippet from [nginx-ingress changelog](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230) to re-enable the http server + +### ExternalDNS Service Configuration -You can use `curl --unix-socket /tmp/nginx-status-server.sock http://localhost/nginx_status` inside the controller container to access it locally. +Add an [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) annotation to the LoadBalancer service: + +```yaml +controller: + service: + annotations: + external-dns.alpha.kubernetes.io/hostname: kubernetes-example.com. +``` ### AWS L7 ELB with SSL Termination -Annotate the controller as shown in the [docs](https://docs.giantswarm.io/advanced/ingress/service-type-loadbalancer/#ssl-termination-on-aws): +Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/ab3a789caae65eec4ad6e3b46b19750b481b6bce/deploy/aws/l7/service-l7.yaml): ```yaml controller: 
@@ -67,9 +123,70 @@ This setup is useful when you need both external and internal load balancers but By default, the ingress object will point to the external load balancer address, but if correctly configured, you can make use of the internal one if the URL you are looking up resolves to the internal load balancer's URL. -You'll need to set the following value: +You'll need to set both the following values: `controller.service.internal.enabled` +`controller.service.internal.annotations` + +If one of them is missing the internal load balancer will not be deployed. Example you may have `controller.service.internal.enabled=true` but no annotations set, in this case no action will be taken. + +`controller.service.internal.annotations` varies with the cloud service you're using. + +Example for AWS: + +```yaml +controller: + service: + internal: + enabled: true + annotations: + # Create internal NLB + service.beta.kubernetes.io/aws-load-balancer-scheme: "internal" + # Create internal ELB(Deprecated) + # service.beta.kubernetes.io/aws-load-balancer-internal: "true" + # Any other annotation can be declared here. +``` + +Example for GCE: + +```yaml +controller: + service: + internal: + enabled: true + annotations: + # Create internal LB. More information: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing + # For GKE versions 1.17 and later + networking.gke.io/load-balancer-type: "Internal" + # For earlier versions + # cloud.google.com/load-balancer-type: "Internal" + + # Any other annotation can be declared here. +``` + +Example for Azure: + +```yaml +controller: + service: + annotations: + # Create internal LB + service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # Any other annotation can be declared here. 
+``` + +Example for Oracle Cloud Infrastructure: + +```yaml +controller: + service: + annotations: + # Create internal LB + service.beta.kubernetes.io/oci-load-balancer-internal: "true" + # Any other annotation can be declared here. +``` + +The load balancer annotations of more cloud service providers can be found: [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer). An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object. @@ -77,7 +194,10 @@ Optionally you can set `controller.service.loadBalancerIP` if you need a static ### Ingress Admission Webhooks -The Ingress-Nginx Controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster. +With nginx-ingress-controller version 0.25+, the Ingress-Nginx Controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster. +**This feature is enabled by default since 0.31.0.** + +With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521) #### How the Chart Configures the Hooks A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks. 
@@ -88,10 +208,22 @@ A validating and configuration requires the endpoint to which the request is sen 4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations #### Alternatives -It should be possible to use [giantswarm/cert-manager-app](https://github.com/giantswarm/cert-manager-app) if a more complete solution is required. +It should be possible to use [cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) if a more complete solution is required. You can enable automatic self-signed TLS certificate provisioning via cert-manager by setting the `controller.admissionWebhooks.certManager.enabled` value to true. Please ensure that cert-manager is correctly installed and configured. +### Helm Error When Upgrading: spec.clusterIP: Invalid value: "" + +If you are upgrading this chart from a version between 0.31.0 and 1.2.2 then you may get an error like this: + +```console +Error: UPGRADE FAILED: Service "?????-controller" is invalid: spec.clusterIP: Invalid value: "": field is immutable +``` + +Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13646) but to resolve this you can set `xxxx.service.omitClusterIP` to `true` where `xxxx` is the service referenced in the error. + +As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered. + {{ template "chart.valuesSection" . }} diff --git a/helm/ingress-nginx/ci/daemonset-extra-modules.yaml b/helm/ingress-nginx/ci/daemonset-extra-modules.yaml index f299dbf1c..52a32fcbd 100644 --- a/helm/ingress-nginx/ci/daemonset-extra-modules.yaml 
+++ b/helm/ingress-nginx/ci/daemonset-extra-modules.yaml @@ -7,4 +7,7 @@ controller: type: ClusterIP extraModules: - name: opentelemetry - image: busybox + image: + registry: registry.k8s.io + image: busybox + tag: latest diff --git a/helm/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml b/helm/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml index 2310c344e..91b1b98a8 100644 --- a/helm/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml +++ b/helm/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml @@ -9,4 +9,7 @@ controller: allowPrivilegeEscalation: false extraModules: - name: opentelemetry - image: busybox + image: + registry: registry.k8s.io + image: busybox + tag: latest diff --git a/helm/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml b/helm/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml index bd2f011cc..b6013c7d0 100644 --- a/helm/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml +++ b/helm/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml @@ -7,6 +7,9 @@ controller: type: ClusterIP extraModules: - name: opentelemetry - image: busybox + image: + registry: registry.k8s.io + image: busybox + tag: latest containerSecurityContext: allowPrivilegeEscalation: false diff --git a/helm/ingress-nginx/ci/deployment-extra-modules.yaml b/helm/ingress-nginx/ci/deployment-extra-modules.yaml index ec5923548..2fbe1cc01 100644 --- a/helm/ingress-nginx/ci/deployment-extra-modules.yaml +++ b/helm/ingress-nginx/ci/deployment-extra-modules.yaml @@ -7,4 +7,7 @@ controller: type: ClusterIP extraModules: - name: opentelemetry - image: busybox + image: + registry: registry.k8s.io + image: busybox + tag: latest 
diff --git a/helm/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml b/helm/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml new file mode 100644 index 000000000..fb3ef4446 --- /dev/null +++ b/helm/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml @@ -0,0 +1,9 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + service: + type: ClusterIP + opentelemetry: + enabled: true diff --git a/helm/ingress-nginx/templates/_helpers.tpl b/helm/ingress-nginx/templates/_helpers.tpl index ac3fdc4ec..db1ab2e24 100644 --- a/helm/ingress-nginx/templates/_helpers.tpl +++ b/helm/ingress-nginx/templates/_helpers.tpl @@ -135,8 +135,6 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/part-of: {{ template "ingress-nginx.name" . }} app.kubernetes.io/managed-by: {{ .Release.Service }} -giantswarm.io/service-type: managed -application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | quote }} {{- if .Values.commonLabels}} {{ toYaml .Values.commonLabels }} {{- end }} @@ -259,7 +257,8 @@ Extra modules. */}} {{- define "extraModules" -}} - name: {{ .name }} - image: {{ .image }} + {{- with .image }} + image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} command: {{- if .distroless }} - /init_module @@ -268,6 +267,7 @@ Extra modules. - -c - /usr/local/bin/init_module.sh {{- end }} + {{- end }} {{- if .containerSecurityContext }} securityContext: {{ toYaml .containerSecurityContext | nindent 4 }} {{- end }} diff --git a/helm/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml b/helm/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml index daa2e2e12..8271dc404 100644 --- a/helm/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml 
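Review bot: In the `extraModules` define, the new `{{- with .image }}` is opened before `command:` but its closing `{{- end }}` is only added after the `/usr/local/bin/init_module.sh` line in the following hunk (`@@ -268,6 +267,7`), so `{{- if .distroless }}` now resolves against the `image` map instead of the module entry. If `distroless` is set next to `name` on a module, as the old template read it, the distroless command path can no longer be selected; if it is meant to move under `image`, the CI values and README should say so. The fix is to close the scope right after the image line, i.e. `image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}` followed by `{{- end }}`, and drop the `{{- end }}` added after `init_module.sh`. The define continues past the second hunk.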
+++ b/helm/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml @@ -20,7 +20,7 @@ rules: verbs: - get - update -{{- if and .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced) }} +{{- if .Values.podSecurityPolicy.enabled }} - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] resources: ['podsecuritypolicies'] verbs: ['use'] diff --git a/helm/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/helm/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml index a8a408833..0a21f856a 100644 --- a/helm/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml +++ b/helm/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml @@ -43,7 +43,7 @@ spec: containers: - name: create {{- with .Values.controller.admissionWebhooks.patch.image }} - image: {{ if .repository }}{{ .repository }}{{ else }}{{ $.Values.image.registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} + image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} {{- end }} imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }} args: diff --git a/helm/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/helm/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml index 3302d2cd5..ce9985aa5 100644 --- a/helm/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml +++ b/helm/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml 
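Review bot: The image reference of the `create` container now depends on `registry` being present in `controller.admissionWebhooks.patch.image`, since the chart-wide `image.registry` value it replaces is removed in the README hunk above; a values file carried over from the previous chart that sets only `image` and `tag` renders `image: /<image>:<tag>` and the job fails to pull. Guarding the fallback with `{{ required "controller.admissionWebhooks.patch.image.registry must be set" .registry }}` turns that into a render-time error. The same `$.Values.image.registry` to `.registry` change is made in job-patchWebhook.yaml, controller-daemonset.yaml, controller-deployment.yaml, default-backend-deployment.yaml and the `extraModules` helper, and applies there too. Because this job patches the webhook configurations, keeping `digest` set in values so the image stays pinned is worth a comment in values.yaml.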
@@ -43,7 +43,7 @@ spec: containers: - name: patch {{- with .Values.controller.admissionWebhooks.patch.image }} - image: {{ if .repository }}{{ .repository }}{{ else }}{{ $.Values.image.registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} + image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} {{- end }} imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }} args: diff --git a/helm/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml b/helm/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml index 7bc71eb07..8e5dc72ac 100644 --- a/helm/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml +++ b/helm/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml @@ -1,5 +1,5 @@ {{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} -{{- if and .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced) .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}} +{{- if and .Values.podSecurityPolicy.enabled .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/helm/ingress-nginx/templates/controller-configmap.yaml b/helm/ingress-nginx/templates/controller-configmap.yaml index 94deb9eb5..662a16204 100644 --- a/helm/ingress-nginx/templates/controller-configmap.yaml +++ b/helm/ingress-nginx/templates/controller-configmap.yaml 
@@ -23,9 +23,6 @@ data: {{- if .Values.dhParam }} ssl-dh-param: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.controller.fullname" . }} {{- end }} -{{- range $key, $value := merge .Values.controller.config .Values.configmap }} +{{- range $key, $value := .Values.controller.config }} {{- $key | nindent 2 }}: {{ $value | quote }} {{- end }} -{{- if and (or (eq .Values.provider "aws") (eq .Values.provider "capa")) (not (index .Values.controller.config "use-proxy-protocol")) }} - use-proxy-protocol: "true" -{{- end }} diff --git a/helm/ingress-nginx/templates/controller-daemonset.yaml b/helm/ingress-nginx/templates/controller-daemonset.yaml index 4b9e57a8e..e6e28c872 100644 --- a/helm/ingress-nginx/templates/controller-daemonset.yaml +++ b/helm/ingress-nginx/templates/controller-daemonset.yaml @@ -6,7 +6,6 @@ metadata: labels: {{- include "ingress-nginx.labels" . | nindent 4 }} app.kubernetes.io/component: controller - giantswarm.io/monitoring_basic_sli: "true" {{- with .Values.controller.labels }} {{- toYaml . | nindent 4 }} {{- end }} @@ -78,7 +77,7 @@ spec: containers: - name: {{ .Values.controller.containerName }} {{- with .Values.controller.image }} - image: {{ if .repository }}{{ .repository }}{{ else }}{{ $.Values.image.registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }} + image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }} {{- end }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }} {{- if .Values.controller.lifecycle }} diff --git a/helm/ingress-nginx/templates/controller-deployment.yaml b/helm/ingress-nginx/templates/controller-deployment.yaml index 6545023c2..cd59c7979 100644 --- a/helm/ingress-nginx/templates/controller-deployment.yaml +++ b/helm/ingress-nginx/templates/controller-deployment.yaml 
@@ -6,7 +6,6 @@ metadata: labels: {{- include "ingress-nginx.labels" . | nindent 4 }} app.kubernetes.io/component: controller - giantswarm.io/monitoring_basic_sli: "true" {{- with .Values.controller.labels }} {{- toYaml . | nindent 4 }} {{- end }} @@ -81,7 +80,7 @@ spec: containers: - name: {{ .Values.controller.containerName }} {{- with .Values.controller.image }} - image: {{ if .repository }}{{ .repository }}{{ else }}{{ $.Values.image.registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }} + image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }} {{- end }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }} {{- if .Values.controller.lifecycle }} diff --git a/helm/ingress-nginx/templates/controller-psp.yaml b/helm/ingress-nginx/templates/controller-psp.yaml index 18221ca85..aad1d2736 100644 --- a/helm/ingress-nginx/templates/controller-psp.yaml +++ b/helm/ingress-nginx/templates/controller-psp.yaml @@ -1,5 +1,5 @@ {{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} -{{- if and .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced) (empty .Values.controller.existingPsp) -}} +{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/helm/ingress-nginx/templates/controller-role.yaml b/helm/ingress-nginx/templates/controller-role.yaml index 43ae01696..f6217a29a 100644 --- a/helm/ingress-nginx/templates/controller-role.yaml +++ b/helm/ingress-nginx/templates/controller-role.yaml 
@@ -88,7 +88,7 @@ rules: - list - watch - get -{{- if and .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced) }} +{{- if .Values.podSecurityPolicy.enabled }} - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] resources: ['podsecuritypolicies'] verbs: ['use'] diff --git a/helm/ingress-nginx/templates/controller-service-internal.yaml b/helm/ingress-nginx/templates/controller-service-internal.yaml index 86d3d1a4e..950eb8f05 100644 --- a/helm/ingress-nginx/templates/controller-service-internal.yaml +++ b/helm/ingress-nginx/templates/controller-service-internal.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled -}} +{{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled .Values.controller.service.internal.annotations -}} apiVersion: v1 kind: Service metadata: 
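Review bot: The added `.Values.controller.service.internal.annotations` condition makes the internal Service disappear from the rendered chart whenever the annotations map is empty, so an existing release with `internal.enabled: true` that relied on the provider-derived annotations (removed in the `@@ -6,25 +6,6` hunk that follows) would have its internal Service, and the cloud load balancer behind it, deleted on `helm upgrade` with no warning. A render-time guard is safer than silent omission, e.g. `{{- if and .Values.controller.service.internal.enabled (not .Values.controller.service.internal.annotations) }}{{ fail "controller.service.internal.annotations must be set when controller.service.internal.enabled is true" }}{{- end }}`. The following hunk also stops rendering `external-dns.alpha.kubernetes.io/hostname` from `baseDomain`, so ExternalDNS users must now add that annotation to `controller.service.internal.annotations` (and to `controller.service.annotations`, per the controller-service.yaml hunk) or their records may be reconciled away.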
@@ -6,25 +6,6 @@ metadata: {{- range $key, $value := .Values.controller.service.internal.annotations }} {{ $key }}: {{ tpl ($value | toString) $ | quote }} {{- end }} - {{- if and .Values.controller.service.externalDNS.enabled .Values.baseDomain }} - external-dns.alpha.kubernetes.io/hostname: "{{ .Values.controller.service.internal.subdomain }}.{{ .Values.baseDomain }}" - {{- if .Values.controller.service.externalDNS.annotation }} - {{ .Values.controller.service.externalDNS.annotation }} - {{- end }} - {{- end }} - {{- if eq .Values.controller.service.type "LoadBalancer" }} - {{- if or (eq .Values.provider "aws") (eq .Values.provider "capa") }} - service.beta.kubernetes.io/aws-load-balancer-internal: "true" - {{- if ne (index (merge .Values.controller.config .Values.configmap) "use-proxy-protocol") "false" }} - service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" - {{- end }} - service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" - {{- else if eq .Values.provider "azure" }} - service.beta.kubernetes.io/azure-load-balancer-internal: "true" - {{- else if eq .Values.provider "cloud-director" }} - service.beta.kubernetes.io/vcloud-avi-ssl-no-termination: "true" - {{- end }} - {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} app.kubernetes.io/component: controller diff --git a/helm/ingress-nginx/templates/controller-service.yaml b/helm/ingress-nginx/templates/controller-service.yaml index 0e49715c2..74f608536 100644 --- a/helm/ingress-nginx/templates/controller-service.yaml +++ b/helm/ingress-nginx/templates/controller-service.yaml 
@@ -6,29 +6,6 @@ metadata:
 {{- range $key, $value := .Values.controller.service.annotations }}
 {{ $key }}: {{ tpl ($value | toString) $ | quote }}
 {{- end }}
- {{- if and .Values.controller.service.externalDNS.enabled .Values.baseDomain }}
- external-dns.alpha.kubernetes.io/hostname: "{{ .Values.controller.service.subdomain }}.{{ .Values.baseDomain }}"
- {{- if .Values.controller.service.externalDNS.annotation }}
- {{ .Values.controller.service.externalDNS.annotation }}
- {{- end }}
- {{- end }}
- {{- if eq .Values.controller.service.type "LoadBalancer" }}
- {{- if or (eq .Values.provider "aws") (eq .Values.provider "capa") }}
- {{- if not .Values.controller.service.public }}
- service.beta.kubernetes.io/aws-load-balancer-internal: "true"
- {{- end }}
- {{- if ne (index (merge .Values.controller.config .Values.configmap) "use-proxy-protocol") "false" }}
- service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
- {{- end }}
- service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
- {{- else if eq .Values.provider "azure" }}
- {{- if not .Values.controller.service.public }}
- service.beta.kubernetes.io/azure-load-balancer-internal: "true"
- {{- end }}
- {{- else if eq .Values.provider "cloud-director" }}
- service.beta.kubernetes.io/vcloud-avi-ssl-no-termination: "true"
- {{- end }}
- {{- end }}
 labels:
 {{- include "ingress-nginx.labels" . | nindent 4 }}
 app.kubernetes.io/component: controller
diff --git a/helm/ingress-nginx/templates/default-backend-deployment.yaml b/helm/ingress-nginx/templates/default-backend-deployment.yaml
index 69abfc5d7..66c307563 100644
--- a/helm/ingress-nginx/templates/default-backend-deployment.yaml
+++ b/helm/ingress-nginx/templates/default-backend-deployment.yaml
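Review bot: Removing the `{{- if not .Values.controller.service.public }}` branches means a values file that still carries `controller.service.public: false` (the key is deleted from values.yaml later in this change) now renders an AWS or Azure LoadBalancer with no `*-load-balancer-internal` annotation, i.e. an internet-facing ingress where a private one was intended, and Helm accepts the stale key without complaint. Since the annotation is now purely user-supplied, reject the old key rather than ignore it: `{{- if hasKey .Values.controller.service "public" }}` / `{{- fail "controller.service.public was removed; set the provider's internal load balancer annotation in controller.service.annotations" }}` / `{{- end }}`. The `metadata:` block this hunk edits begins outside it.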
@@ -51,7 +51,7 @@ spec:
 containers:
 - name: {{ template "ingress-nginx.name" . }}-default-backend
 {{- with .Values.defaultBackend.image }}
- image: {{ if .repository }}{{ .repository }}{{ else }}{{ $.Values.image.registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
+ image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
 {{- end }}
 imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }}
 {{- if .Values.defaultBackend.extraArgs }}
diff --git a/helm/ingress-nginx/templates/default-backend-extra-configmaps.yaml b/helm/ingress-nginx/templates/default-backend-extra-configmaps.yaml
new file mode 100644
index 000000000..88b59280b
--- /dev/null
+++ b/helm/ingress-nginx/templates/default-backend-extra-configmaps.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.defaultBackend.enabled }}
+ {{- range .Values.defaultBackend.extraConfigMaps }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .name }}
+ namespace: {{ include "ingress-nginx.namespace" $ | quote }}
+ labels:
+ {{- include "ingress-nginx.labels" $ | nindent 4 }}
+ {{- with $.Values.defaultBackend.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+data:
+ {{- with .data }}
+ {{- toYaml . | nindent 2 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
diff --git a/helm/ingress-nginx/templates/default-backend-psp.yaml b/helm/ingress-nginx/templates/default-backend-psp.yaml
index b4c9ef854..424109109 100644
--- a/helm/ingress-nginx/templates/default-backend-psp.yaml
+++ b/helm/ingress-nginx/templates/default-backend-psp.yaml
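Review bot: `name: {{ .name }}` in the new ConfigMap template is rendered unquoted and unvalidated, so an entry without `name` produces `name:` (null) and the failure only surfaces from the API server, and a name that collides with one of the chart's own ConfigMaps would be rendered twice in the same release. Use `name: {{ required "defaultBackend.extraConfigMaps[].name is required" .name | quote }}`. Because `data` lands in a ConfigMap readable by anything with configmap read access in the namespace, the matching values.yaml comment should also say that credentials do not belong here (a Secret does); nothing in the template enforces that.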
@@ -1,5 +1,5 @@
 {{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
-{{- if and .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced) .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingPsp) -}}
+{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingPsp) -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
diff --git a/helm/ingress-nginx/templates/default-backend-role.yaml b/helm/ingress-nginx/templates/default-backend-role.yaml
index b15af1316..dd7868aa0 100644
--- a/helm/ingress-nginx/templates/default-backend-role.yaml
+++ b/helm/ingress-nginx/templates/default-backend-role.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced) .Values.defaultBackend.enabled -}}
+{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
diff --git a/helm/ingress-nginx/templates/default-backend-rolebinding.yaml b/helm/ingress-nginx/templates/default-backend-rolebinding.yaml
index aa3448ab9..3203b6f57 100644
--- a/helm/ingress-nginx/templates/default-backend-rolebinding.yaml
+++ b/helm/ingress-nginx/templates/default-backend-rolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced) .Values.defaultBackend.enabled -}}
+{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
diff --git a/helm/ingress-nginx/tests/default-backend-extra-configmaps_test.yaml b/helm/ingress-nginx/tests/default-backend-extra-configmaps_test.yaml
new file mode 100644
index 000000000..b18ceedfa
--- /dev/null
+++ b/helm/ingress-nginx/tests/default-backend-extra-configmaps_test.yaml
@@ -0,0 +1,49 @@
+suite: test default backend extra ConfigMaps
+templates:
+ - default-backend-extra-configmaps.yaml
+
+tests:
+ - it: should not create any ConfigMap by default
+ set:
+ Release.Namespace: default
+ defaultBackend.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create one ConfigMap
+ set:
+ Release.Namespace: default
+ defaultBackend.enabled: true
+ defaultBackend.extraConfigMaps:
+ - name: my-configmap-1
+ data:
+ key1: value1
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - equal:
+ path: metadata.name
+ value: my-configmap-1
+
+ - it: should correctly render multiple ConfigMaps
+ set:
+ Release.Namespace: nginx
+ defaultBackend.enabled: true
+ defaultBackend.extraConfigMaps:
+ - name: my-configmap-1
+ data:
+ key1: value1
+ - name: my-configmap-2
+ data:
+ key2: value2
+ asserts:
+ - hasDocuments:
+ count: 2
+ - isKind:
+ of: ConfigMap
+ - matchRegex:
+ path: metadata.name
+ pattern: "my-configmap-\\d+"
diff --git a/helm/ingress-nginx/values.yaml b/helm/ingress-nginx/values.yaml
index e1b365fef..a21eb0ba3 100644
--- a/helm/ingress-nginx/values.yaml
+++ b/helm/ingress-nginx/values.yaml
@@ -18,17 +18,18 @@ commonLabels: {}
 controller:
 name: controller
- enableAnnotationValidations: true
+ enableAnnotationValidations: false
 image:
 ## Keep false as default for now!
 chroot: false
- image: giantswarm/ingress-nginx-controller
+ registry: registry.k8s.io
+ image: ingress-nginx/controller
 ## for backwards compatibility consider setting the full image url via the repository value below
 ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
 ## repository:
 tag: "v1.9.4"
- digest: ""
- digestChroot: ""
+ digest: sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
+ digestChroot: sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26
 pullPolicy: IfNotPresent
 runAsNonRoot: true
 # www-data -> uid 101
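Review bot: `enableAnnotationValidations: false` turns off the controller's annotation validation, which upstream introduced as a hardening control against nginx-config injection through Ingress annotations (as far as I recall, as part of the 2023 annotation-injection CVE mitigations; the chart maps this value to the `--enable-annotation-validation` flag, which is outside this hunk), so in a cluster where tenants can write Ingress objects the previous `true` was the safer default. The `digest:`/`digestChroot:` pins added on the following lines are a clear improvement and should stay. Keep `enableAnnotationValidations: true` unless a specific incompatible annotation set is the reason for the flip, and record that reason in a comment above the key.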
@@ -46,13 +47,7 @@ controller:
 http: 80
 https: 443
 # -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
- config:
- # -- Enable HSTS or not. Disabled by default due to possible serious consequences.
- # Ref: https://github.com/kubernetes/ingress-nginx/issues/549
- hsts: "false"
- # -- Enable strict path type validation or not. Enabled by default for security reasons.
- # Ref: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type
- strict-validate-path-type: "true"
+ config: {}
 # -- Annotations to be added to the controller config configuration configmap.
 configAnnotations: {}
 # -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers
@@ -111,7 +106,7 @@ controller:
 # NetworkPolicy for controller component.
 networkPolicy:
 # -- Enable 'networkPolicy' or not
- enabled: true
+ enabled: false
 # -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader'
 electionID: ""
 ## This section refers to the creation of the IngressClass resource
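Review bot: Dropping `strict-validate-path-type: "true"` and `hsts: "false"` from `controller.config` turns two security-relevant nginx settings from explicit into whatever the v1.9.4 controller binary defaults to, and the removed comment states the fork set path-type validation deliberately (it rejects `Prefix`/`Exact` paths that the matcher cannot validate, a known path-bypass vector). Unless the binary default has been verified to be identical, keep them explicit rather than `config: {}`: `config:` / `  hsts: "false"` / `  strict-validate-path-type: "true"`, with the two reference links from the removed lines kept as comments.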
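Review bot: `networkPolicy.enabled: false` for the controller, together with the same flip for the webhook patch job and the default backend later in this change, removes the only network-level restriction on which pods can reach the controller's admission webhook and metrics ports from inside the cluster, so any workload in any namespace can now talk to them. If matching upstream's default is the intent, say so next to the key, e.g. `# Upstream default; the previous fork default was true — re-enable where the cluster relies on it`, so the regression is visible to whoever diffs the values later.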
@@ -277,23 +272,23 @@ controller:
 # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in.
 ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
 ##
- topologySpreadConstraints:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
- app.kubernetes.io/instance: '{{ .Release.Name }}'
- app.kubernetes.io/component: controller
- topologyKey: topology.kubernetes.io/zone
- maxSkew: 1
- whenUnsatisfiable: ScheduleAnyway
- - labelSelector:
- matchLabels:
- app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
- app.kubernetes.io/instance: '{{ .Release.Name }}'
- app.kubernetes.io/component: controller
- topologyKey: kubernetes.io/hostname
- maxSkew: 1
- whenUnsatisfiable: ScheduleAnyway
+ topologySpreadConstraints: []
+ # - labelSelector:
+ # matchLabels:
+ # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ # app.kubernetes.io/instance: '{{ .Release.Name }}'
+ # app.kubernetes.io/component: controller
+ # topologyKey: topology.kubernetes.io/zone
+ # maxSkew: 1
+ # whenUnsatisfiable: ScheduleAnyway
+ # - labelSelector:
+ # matchLabels:
+ # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ # app.kubernetes.io/instance: '{{ .Release.Name }}'
+ # app.kubernetes.io/component: controller
+ # topologyKey: kubernetes.io/hostname
+ # maxSkew: 1
+ # whenUnsatisfiable: ScheduleAnyway
 # -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready
 ## wait up to five minutes for the drain of connections
@@ -350,12 +345,12 @@ controller:
 # -- Annotations to be added to controller pods
 ##
 podAnnotations: {}
- replicaCount: 2
+ replicaCount: 1
 # -- Minimum available pods set in PodDisruptionBudget.
 # Define either 'minAvailable' or 'maxUnavailable', never both.
- # minAvailable: 1
+ minAvailable: 1
 # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
- maxUnavailable: "25%"
+ # maxUnavailable: 1
 ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes
 ## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903
@@ -366,16 +361,16 @@ controller:
 ## cpu: 100m
 ## memory: 90Mi
 requests:
- cpu: 250m
- memory: 500Mi
+ cpu: 100m
+ memory: 90Mi
 # Mutually exclusive with keda autoscaling
 autoscaling:
- enabled: true
+ enabled: false
 annotations: {}
- minReplicas: 2
- maxReplicas: 20
- targetCPUUtilizationPercentage: 80
- targetMemoryUtilizationPercentage: 80
+ minReplicas: 1
+ maxReplicas: 11
+ targetCPUUtilizationPercentage: 50
+ targetMemoryUtilizationPercentage: 50
 behavior: {}
 # scaleDown:
 # stabilizationWindowSeconds: 300
@@ -463,19 +458,6 @@ controller:
 # -- Labels to be added to both controller services.
 labels: {}
- externalDNS:
- # -- Add ExternalDNS annotations or not.
- enabled: true
-
- # -- Annotation used so assign the external controller service to a specific ExternalDNS instance.
- annotation: "giantswarm.io/external-dns: managed"
-
- # -- Defines the sub-domain prepended to the base domain in the FQDN of the external controller service reconciled by ExternalDNS.
- subdomain: ingress
-
- # -- Makes the external controller service public or not. Adds annotations for making it internal if disabled.
- public: true
-
 # -- Type of the external controller service.
 # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
 type: LoadBalancer
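Review bot: `minAvailable: 1` combined with `replicaCount: 1` yields a PodDisruptionBudget that allows zero voluntary disruptions, so node drains and cluster upgrades block on the single controller pod (assuming the PDB template, which is outside this diff, renders it for one replica; upstream's own comment on the previous lines says to set only one of the two keys, and the fork previously used `maxUnavailable`). Either keep `replicaCount: 2`, or switch the PDB to `maxUnavailable: 1` and leave `minAvailable` commented. One replica is also a single point of failure for every service behind the ingress, which is worth a comment if it is deliberate.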
@@ -504,7 +486,7 @@ controller:
 # -- External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it.
 # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
- externalTrafficPolicy: Local
+ externalTrafficPolicy: ""
 # -- Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None".
 # Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
@@ -569,9 +551,6 @@ controller:
 # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
 annotations: {}
- # -- Defines the sub-domain prepended to the base domain in the FQDN of the internal controller service reconciled by ExternalDNS.
- subdomain: ingress-internal
-
 # -- Type of the internal controller service.
 # Defaults to the value of `controller.service.type`.
 # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
@@ -601,7 +580,7 @@ controller:
 # -- External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it.
 # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
- externalTrafficPolicy: Local
+ externalTrafficPolicy: ""
 # -- Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None".
 # Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
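Review bot: `externalTrafficPolicy: ""` falls back to `Cluster`, under which kube-proxy SNATs inbound traffic, so nginx sees node addresses instead of client addresses unless PROXY protocol or forwarded headers are configured — and the comment kept directly above still says `Local` is what preserves the source IP. Every IP-based control then operates on node IPs: `whitelist-source-range`/`denylist-source-range` annotations either block everyone or, if the node CIDR is in the list, admit everyone, per-IP rate limits collapse onto a handful of addresses, and access logs lose the client identity for incident response. Keep `externalTrafficPolicy: Local` (here and in the internal-service hunk below), or add a comment next to `""` stating that PROXY protocol must be enabled on the load balancer and in `controller.config` to retain client IPs.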
@@ -703,8 +682,15 @@ controller:
 # -- Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module
 extraModules: []
 # - name: mytestmodule
- # image: registry.k8s.io/ingress-nginx/mytestmodule
- # distroless: false
+ # image:
+ # registry: registry.k8s.io
+ # image: ingress-nginx/mytestmodule
+ # ## for backwards compatibility consider setting the full image url via the repository value below
+ # ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
+ # ## repository:
+ # tag: "v1.0.0"
+ # digest: ""
+ # distroless: false
 # containerSecurityContext:
 # runAsNonRoot: true
 # runAsUser:
@@ -724,8 +710,15 @@ controller:
 opentelemetry:
 enabled: false
 name: opentelemetry
- image: quay.io/giantswarm/ingress-nginx-opentelemetry:v20230721-3e2062ee5
- distroless: true
+ image:
+ registry: registry.k8s.io
+ image: ingress-nginx/opentelemetry
+ ## for backwards compatibility consider setting the full image url via the repository value below
+ ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
+ ## repository:
+ tag: "v20230721-3e2062ee5"
+ digest: sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472
+ distroless: true
 containerSecurityContext:
 runAsNonRoot: true
 # -- The image's default user, inherited from its base image `cgr.dev/chainguard/static`.
@@ -812,12 +805,13 @@ controller:
 patch:
 enabled: true
 image:
- image: giantswarm/ingress-nginx-kube-webhook-certgen
+ registry: registry.k8s.io
+ image: ingress-nginx/kube-webhook-certgen
 ## for backwards compatibility consider setting the full image url via the repository value below
 ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
 ## repository:
 tag: v20231011-8b53cabe0
- digest: ""
+ digest: sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80
 pullPolicy: IfNotPresent
 # -- Provide a priority class name to the webhook patching job
 ##
@@ -826,7 +820,7 @@ controller:
 # NetworkPolicy for webhook patch
 networkPolicy:
 # -- Enable 'networkPolicy' or not
- enabled: true
+ enabled: false
 nodeSelector:
 kubernetes.io/os: linux
 tolerations: []
@@ -851,7 +845,7 @@ controller:
 port: 10254
 portName: metrics # if this port is changed, change healthz-port: in extraArgs: accordingly
- enabled: true
+ enabled: false
 service:
 annotations: {}
 # prometheus.io/scrape: "true"
@@ -871,7 +865,7 @@ controller:
 # externalTrafficPolicy: ""
 # nodePort: ""
 serviceMonitor:
- enabled: true
+ enabled: false
 additionalLabels: {}
 ## The label to use to retrieve the job name from.
 ## jobLabel: "app.kubernetes.io/name"
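Review bot: `metrics.enabled: false`, with `serviceMonitor.enabled: false` in the hunk right after it, switches off the controller's Prometheus endpoint, which is the usual source for request-rate, 4xx/5xx and upstream-latency alerting on an ingress and therefore part of the detection surface, not just operations telemetry; the fork's previous defaults clearly assumed it on, since the `metricRelabelings` drop-list removed later in this change only makes sense with metrics flowing. If off is the intended upstream-aligned default, a one-line comment above `enabled: false` saying the fork previously shipped it on would keep downstream values files from losing the metrics silently on upgrade.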
@@ -885,11 +879,7 @@ controller:
 # honorLabels: true
 targetLabels: []
 relabelings: []
- metricRelabelings:
- - sourceLabels:
- - __name__
- regex: nginx_ingress_controller_(bytes_sent_bucket|request_size_bucket|response_duration_seconds_bucket|response_size_bucket|request_duration_seconds_count|connect_duration_seconds_bucket|header_duration_seconds_bucket|bytes_sent_count|request_duration_seconds_sum|bytes_sent_sum|request_size_count|response_size_count|response_duration_seconds_sum|response_duration_seconds_count|ingress_upstream_latency_seconds|ingress_upstream_latency_seconds_sum|ingress_upstream_latency_seconds_count)
- action: drop
+ metricRelabelings: []
 prometheusRule:
 enabled: false
 additionalLabels: {}
@@ -956,7 +946,8 @@ defaultBackend:
 enabled: false
 name: defaultbackend
 image:
- image: giantswarm/defaultbackend
+ registry: registry.k8s.io
+ image: defaultbackend-amd64
 ## for backwards compatibility consider setting the full image url via the repository value below
 ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
 ## repository:
@@ -1049,6 +1040,21 @@ defaultBackend:
 ## Additional volumes to the default backend pod.
 # - name: copy-portal-skins
 # emptyDir: {}
+ extraConfigMaps: []
+ ## Additional configmaps to the default backend pod.
+ # Example ConfigMap, uncomment and configure as needed
+ # - name: my-extra-configmap-1
+ # labels:
+ # type: config-1
+ # data:
+ # extra_file_1.html: |
+ #
+ # - name: my-extra-configmap-2
+ # labels:
+ # type: config-2
+ # data:
+ # extra_file_2.html: |
+ #
 autoscaling:
 annotations: {}
@@ -1060,7 +1066,7 @@ defaultBackend:
 # NetworkPolicy for default backend component.
 networkPolicy:
 # -- Enable 'networkPolicy' or not
- enabled: true
+ enabled: false
 service:
 annotations: {}
 # clusterIP: ""
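Review bot: `registry.k8s.io/defaultbackend-amd64` is referenced by tag only, whereas every other image in this change receives a `digest:` pin; the default backend's `digest` key sits just outside this hunk, so if it is still `""` this becomes the one unpinned image the chart pulls. The `-amd64` suffix also hard-codes the architecture, so the pod will not start on arm64 nodes — a multi-arch reference (if one is published for this image) or at least a comment flagging the constraint would help. Suggested addition beneath `image: defaultbackend-amd64`: `# amd64-only image; pin by digest like the other images in this chart`.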
@@ -1083,7 +1089,7 @@ rbac:
 ## If true, create & use Pod Security Policy resources
 ## https://kubernetes.io/docs/concepts/policy/pod-security-policy/
 podSecurityPolicy:
- enabled: true
+ enabled: false
 serviceAccount:
 create: true
 name: ""
@@ -1114,27 +1120,3 @@ portNamePrefix: ""
 # This can be generated with: `openssl dhparam 4096 2> /dev/null | base64`
 ## Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param
 dhParam: ""
-
-# -- Deprecated, use `controller.config` instead.
-configmap: {}
-
-# Below are configuration values that you should not overwrite or set yourself.
-
-global:
- podSecurityStandards:
- # -- Wether Pod Security Standards are being used or not.
- # This value is set automatically. Do not overwrite it.
- enforced: false
-
-image:
- # -- Registry host to pull images from.
- # This value is set automatically. Do not overwrite it.
- registry: quay.io
-
-# -- Domain of the service's FQDN.
-# This value is set automatically. Do not overwrite it.
-baseDomain: ""
-
-# -- Provider the cluster is running on.
-# This value is set automatically. Do not overwrite it.
-provider: aws
diff --git a/vendir.lock.yml b/vendir.lock.yml
index 3823eff81..d8e4a3e84 100644
--- a/vendir.lock.yml
+++ b/vendir.lock.yml
@@ -2,8 +2,8 @@ apiVersion: vendir.k14s.io/v1alpha1
 directories:
 - contents:
 - git:
- commitTitle: 'Helm Service: Align internal to external. (#10239)...'
- sha: 7e54daa9097ade586595150b2de0caf3e205a7cb
+ commitTitle: otel distroless (#10741)
+ sha: 7c998b5937826b880aab7a56d5081fffcc29e191
 path: ingress-nginx
 path: helm
 kind: LockConfig
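Review bot: Deleting `global.podSecurityStandards`, `image.registry`, `baseDomain`, `provider` and `configmap` here (and `controller.service.public` earlier in this change) is a breaking values change, yet nothing in the chart rejects the old keys: Helm ignores unknown values unless a `values.schema.json` exists, so an operator's `provider: azure` or `public: false` override keeps installing cleanly while doing nothing after the upgrade, which for the `public` key means a load balancer that was private becoming internet-facing without any warning. Either ship a `values.schema.json` with `"additionalProperties": false` at the top level, or add a template-side `{{ fail }}` for the removed keys, and list the removals in the `artifacthub.io/changes` annotation rather than only "Update Ingress-Nginx version".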