bump nginx ingress chart to fix 2025 CVEs
Change-Id: I83eb8cc3088e53c083249256a93b7b66744ebe00
(cherry picked from commit 806de7313f98d6e733d222cd779608e8c3ec82be)
(cherry picked from commit 8d29532d05dd95fc75c99e3910883a11d4852a8b)
diff --git a/.charts.yml b/.charts.yml
index 0676df4..c93b462 100644
--- a/.charts.yml
+++ b/.charts.yml
@@ -82,7 +82,7 @@
review.opendev.org:
- 919480
- name: ingress-nginx
- version: 4.0.17
+ version: 4.12.1
repository:
url: https://kubernetes.github.io/ingress-nginx
- name: ironic
diff --git a/charts/ingress-nginx/.helmignore b/charts/ingress-nginx/.helmignore
index 50af031..109b408 100644
--- a/charts/ingress-nginx/.helmignore
+++ b/charts/ingress-nginx/.helmignore
@@ -20,3 +20,4 @@
.idea/
*.tmproj
.vscode/
+__snapshot__
diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md
deleted file mode 100644
index 6169482..0000000
--- a/charts/ingress-nginx/CHANGELOG.md
+++ /dev/null
@@ -1,340 +0,0 @@
-# Changelog
-
-This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
-
-### 4.0.15
-
-- [8120] https://github.com/kubernetes/ingress-nginx/pull/8120 Update go in runner and release v1.1.1
-- [8119] https://github.com/kubernetes/ingress-nginx/pull/8119 Update to go v1.17.6
-- [8118] https://github.com/kubernetes/ingress-nginx/pull/8118 Remove deprecated libraries, update other libs
-- [8117] https://github.com/kubernetes/ingress-nginx/pull/8117 Fix codegen errors
-- [8115] https://github.com/kubernetes/ingress-nginx/pull/8115 chart/ghaction: set the correct permission to have access to push a release
-- [8098] https://github.com/kubernetes/ingress-nginx/pull/8098 generating SHA for CA only certs in backend_ssl.go + comparision of P…
-- [8088] https://github.com/kubernetes/ingress-nginx/pull/8088 Fix Edit this page link to use main branch
-- [8072] https://github.com/kubernetes/ingress-nginx/pull/8072 Expose GeoIP2 Continent code as variable
-- [8061] https://github.com/kubernetes/ingress-nginx/pull/8061 docs(charts): using helm-docs for chart
-- [8058] https://github.com/kubernetes/ingress-nginx/pull/8058 Bump github.com/spf13/cobra from 1.2.1 to 1.3.0
-- [8054] https://github.com/kubernetes/ingress-nginx/pull/8054 Bump google.golang.org/grpc from 1.41.0 to 1.43.0
-- [8051] https://github.com/kubernetes/ingress-nginx/pull/8051 align bug report with feature request regarding kind documentation
-- [8046] https://github.com/kubernetes/ingress-nginx/pull/8046 Report expired certificates (#8045)
-- [8044] https://github.com/kubernetes/ingress-nginx/pull/8044 remove G109 check till gosec resolves issues
-- [8042] https://github.com/kubernetes/ingress-nginx/pull/8042 docs_multiple_instances_one_cluster_ticket_7543
-- [8041] https://github.com/kubernetes/ingress-nginx/pull/8041 docs: fix typo'd executible name
-- [8035] https://github.com/kubernetes/ingress-nginx/pull/8035 Comment busy owners
-- [8029] https://github.com/kubernetes/ingress-nginx/pull/8029 Add stream-snippet as a ConfigMap and Annotation option
-- [8023] https://github.com/kubernetes/ingress-nginx/pull/8023 fix nginx compilation flags
-- [8021] https://github.com/kubernetes/ingress-nginx/pull/8021 Disable default modsecurity_rules_file if modsecurity-snippet is specified
-- [8019] https://github.com/kubernetes/ingress-nginx/pull/8019 Revise main documentation page
-- [8018] https://github.com/kubernetes/ingress-nginx/pull/8018 Preserve order of plugin invocation
-- [8015] https://github.com/kubernetes/ingress-nginx/pull/8015 Add newline indenting to admission webhook annotations
-- [8014] https://github.com/kubernetes/ingress-nginx/pull/8014 Add link to example error page manifest in docs
-- [8009] https://github.com/kubernetes/ingress-nginx/pull/8009 Fix spelling in documentation and top-level files
-- [8008] https://github.com/kubernetes/ingress-nginx/pull/8008 Add relabelings in controller-servicemonitor.yaml
-- [8003] https://github.com/kubernetes/ingress-nginx/pull/8003 Minor improvements (formatting, consistency) in install guide
-- [8001] https://github.com/kubernetes/ingress-nginx/pull/8001 fix: go-grpc Dockerfile
-- [7999] https://github.com/kubernetes/ingress-nginx/pull/7999 images: use k8s-staging-test-infra/gcb-docker-gcloud
-- [7996] https://github.com/kubernetes/ingress-nginx/pull/7996 doc: improvement
-- [7983] https://github.com/kubernetes/ingress-nginx/pull/7983 Fix a couple of misspellings in the annotations documentation.
-- [7979] https://github.com/kubernetes/ingress-nginx/pull/7979 allow set annotations for admission Jobs
-- [7977] https://github.com/kubernetes/ingress-nginx/pull/7977 Add ssl_reject_handshake to defaul server
-- [7975] https://github.com/kubernetes/ingress-nginx/pull/7975 add legacy version update v0.50.0 to main changelog
-- [7972] https://github.com/kubernetes/ingress-nginx/pull/7972 updated service upstream definition
-
-### 4.0.14
-
-- [8061] https://github.com/kubernetes/ingress-nginx/pull/8061 Using helm-docs to populate values table in README.md
-
-### 4.0.13
-
-- [8008] https://github.com/kubernetes/ingress-nginx/pull/8008 Add relabelings in controller-servicemonitor.yaml
-
-### 4.0.12
-
-- [7978] https://github.com/kubernetes/ingress-nginx/pull/7979 Support custom annotations in admissions Jobs
-
-### 4.0.11
-
-- [7873] https://github.com/kubernetes/ingress-nginx/pull/7873 Makes the [appProtocol](https://kubernetes.io/docs/concepts/services-networking/_print/#application-protocol) field optional.
-
-### 4.0.10
-
-- [7964] https://github.com/kubernetes/ingress-nginx/pull/7964 Update controller version to v1.1.0
-
-### 4.0.9
-
-- [6992] https://github.com/kubernetes/ingress-nginx/pull/6992 Add ability to specify labels for all resources
-
-### 4.0.7
-
-- [7923] https://github.com/kubernetes/ingress-nginx/pull/7923 Release v1.0.5 of ingress-nginx
-- [7806] https://github.com/kubernetes/ingress-nginx/pull/7806 Choice option for internal/external loadbalancer type service
-
-### 4.0.6
-
-- [7804] https://github.com/kubernetes/ingress-nginx/pull/7804 Release v1.0.4 of ingress-nginx
-- [7651] https://github.com/kubernetes/ingress-nginx/pull/7651 Support ipFamilyPolicy and ipFamilies fields in Helm Chart
-- [7798] https://github.com/kubernetes/ingress-nginx/pull/7798 Exoscale: use HTTP Healthcheck mode
-- [7793] https://github.com/kubernetes/ingress-nginx/pull/7793 Update kube-webhook-certgen to v1.1.1
-
-### 4.0.5
-
-- [7740] https://github.com/kubernetes/ingress-nginx/pull/7740 Release v1.0.3 of ingress-nginx
-
-### 4.0.3
-
-- [7707] https://github.com/kubernetes/ingress-nginx/pull/7707 Release v1.0.2 of ingress-nginx
-
-### 4.0.2
-
-- [7681] https://github.com/kubernetes/ingress-nginx/pull/7681 Release v1.0.1 of ingress-nginx
-
-### 4.0.1
-
-- [7535] https://github.com/kubernetes/ingress-nginx/pull/7535 Release v1.0.0 ingress-nginx
-
-### 3.34.0
-
-- [7256] https://github.com/kubernetes/ingress-nginx/pull/7256 Add namespace field in the namespace scoped resource templates
-
-### 3.33.0
-
-- [7164] https://github.com/kubernetes/ingress-nginx/pull/7164 Update nginx to v1.20.1
-
-### 3.32.0
-
-- [7117] https://github.com/kubernetes/ingress-nginx/pull/7117 Add annotations for HPA
-
-### 3.31.0
-
-- [7137] https://github.com/kubernetes/ingress-nginx/pull/7137 Add support for custom probes
-
-### 3.30.0
-
-- [#7092](https://github.com/kubernetes/ingress-nginx/pull/7092) Removes the possibility of using localhost in ExternalNames as endpoints
-
-### 3.29.0
-
-- [X] [#6945](https://github.com/kubernetes/ingress-nginx/pull/7020) Add option to specify job label for ServiceMonitor
-
-### 3.28.0
-
-- [ ] [#6900](https://github.com/kubernetes/ingress-nginx/pull/6900) Support existing PSPs
-
-### 3.27.0
-
-- Update ingress-nginx v0.45.0
-
-### 3.26.0
-
-- [X] [#6979](https://github.com/kubernetes/ingress-nginx/pull/6979) Changed servicePort value for metrics
-
-### 3.25.0
-
-- [X] [#6957](https://github.com/kubernetes/ingress-nginx/pull/6957) Add ability to specify automountServiceAccountToken
-
-### 3.24.0
-
-- [X] [#6908](https://github.com/kubernetes/ingress-nginx/pull/6908) Add volumes to default-backend deployment
-
-### 3.23.0
-
-- Update ingress-nginx v0.44.0
-
-### 3.22.0
-
-- [X] [#6802](https://github.com/kubernetes/ingress-nginx/pull/6802) Add value for configuring a custom Diffie-Hellman parameters file
-- [X] [#6815](https://github.com/kubernetes/ingress-nginx/pull/6815) Allow use of numeric namespaces in helm chart
-
-### 3.21.0
-
-- [X] [#6783](https://github.com/kubernetes/ingress-nginx/pull/6783) Add custom annotations to ScaledObject
-- [X] [#6761](https://github.com/kubernetes/ingress-nginx/pull/6761) Adding quotes in the serviceAccount name in Helm values
-- [X] [#6767](https://github.com/kubernetes/ingress-nginx/pull/6767) Remove ClusterRole when scope option is enabled
-- [X] [#6785](https://github.com/kubernetes/ingress-nginx/pull/6785) Update kube-webhook-certgen image to v1.5.1
-
-### 3.20.1
-
-- Do not create KEDA in case of DaemonSets.
-- Fix KEDA v2 definition
-
-### 3.20.0
-
-- [X] [#6730](https://github.com/kubernetes/ingress-nginx/pull/6730) Do not create HPA for defaultBackend if not enabled.
-
-### 3.19.0
-
-- Update ingress-nginx v0.43.0
-
-### 3.18.0
-
-- [X] [#6688](https://github.com/kubernetes/ingress-nginx/pull/6688) Allow volume-type emptyDir in controller podsecuritypolicy
-- [X] [#6691](https://github.com/kubernetes/ingress-nginx/pull/6691) Improve parsing of helm parameters
-
-### 3.17.0
-
-- Update ingress-nginx v0.42.0
-
-### 3.16.1
-
-- Fix chart-releaser action
-
-### 3.16.0
-
-- [X] [#6646](https://github.com/kubernetes/ingress-nginx/pull/6646) Added LoadBalancerIP value for internal service
-
-### 3.15.1
-
-- Fix chart-releaser action
-
-### 3.15.0
-
-- [X] [#6586](https://github.com/kubernetes/ingress-nginx/pull/6586) Fix 'maxmindLicenseKey' location in values.yaml
-
-### 3.14.0
-
-- [X] [#6469](https://github.com/kubernetes/ingress-nginx/pull/6469) Allow custom service names for controller and backend
-
-### 3.13.0
-
-- [X] [#6544](https://github.com/kubernetes/ingress-nginx/pull/6544) Fix default backend HPA name variable
-
-### 3.12.0
-
-- [X] [#6514](https://github.com/kubernetes/ingress-nginx/pull/6514) Remove helm2 support and update docs
-
-### 3.11.1
-
-- [X] [#6505](https://github.com/kubernetes/ingress-nginx/pull/6505) Reorder HPA resource list to work with GitOps tooling
-
-### 3.11.0
-
-- Support Keda Autoscaling
-
-### 3.10.1
-
-- Fix regression introduced in 0.41.0 with external authentication
-
-### 3.10.0
-
-- Fix routing regression introduced in 0.41.0 with PathType Exact
-
-### 3.9.0
-
-- [X] [#6423](https://github.com/kubernetes/ingress-nginx/pull/6423) Add Default backend HPA autoscaling
-
-### 3.8.0
-
-- [X] [#6395](https://github.com/kubernetes/ingress-nginx/pull/6395) Update jettech/kube-webhook-certgen image
-- [X] [#6377](https://github.com/kubernetes/ingress-nginx/pull/6377) Added loadBalancerSourceRanges for internal lbs
-- [X] [#6356](https://github.com/kubernetes/ingress-nginx/pull/6356) Add securitycontext settings on defaultbackend
-- [X] [#6401](https://github.com/kubernetes/ingress-nginx/pull/6401) Fix controller service annotations
-- [X] [#6403](https://github.com/kubernetes/ingress-nginx/pull/6403) Initial helm chart changelog
-
-### 3.7.1
-
-- [X] [#6326](https://github.com/kubernetes/ingress-nginx/pull/6326) Fix liveness and readiness probe path in daemonset chart
-
-### 3.7.0
-
-- [X] [#6316](https://github.com/kubernetes/ingress-nginx/pull/6316) Numerals in podAnnotations in quotes [#6315](https://github.com/kubernetes/ingress-nginx/issues/6315)
-
-### 3.6.0
-
-- [X] [#6305](https://github.com/kubernetes/ingress-nginx/pull/6305) Add default linux nodeSelector
-
-### 3.5.1
-
-- [X] [#6299](https://github.com/kubernetes/ingress-nginx/pull/6299) Fix helm chart release
-
-### 3.5.0
-
-- [X] [#6260](https://github.com/kubernetes/ingress-nginx/pull/6260) Allow Helm Chart to customize admission webhook's annotations, timeoutSeconds, namespaceSelector, objectSelector and cert files locations
-
-### 3.4.0
-
-- [X] [#6268](https://github.com/kubernetes/ingress-nginx/pull/6268) Update to 0.40.2 in helm chart #6288
-
-### 3.3.1
-
-- [X] [#6259](https://github.com/kubernetes/ingress-nginx/pull/6259) Release helm chart
-- [X] [#6258](https://github.com/kubernetes/ingress-nginx/pull/6258) Fix chart markdown link
-- [X] [#6253](https://github.com/kubernetes/ingress-nginx/pull/6253) Release v0.40.0
-
-### 3.3.1
-
-- [X] [#6233](https://github.com/kubernetes/ingress-nginx/pull/6233) Add admission controller e2e test
-
-### 3.3.0
-
-- [X] [#6203](https://github.com/kubernetes/ingress-nginx/pull/6203) Refactor parsing of key values
-- [X] [#6162](https://github.com/kubernetes/ingress-nginx/pull/6162) Add helm chart options to expose metrics service as NodePort
-- [X] [#6180](https://github.com/kubernetes/ingress-nginx/pull/6180) Fix helm chart admissionReviewVersions regression
-- [X] [#6169](https://github.com/kubernetes/ingress-nginx/pull/6169) Fix Typo in example prometheus rules
-
-### 3.0.0
-
-- [X] [#6167](https://github.com/kubernetes/ingress-nginx/pull/6167) Update chart requirements
-
-### 2.16.0
-
-- [X] [#6154](https://github.com/kubernetes/ingress-nginx/pull/6154) add `topologySpreadConstraint` to controller
-
-### 2.15.0
-
-- [X] [#6087](https://github.com/kubernetes/ingress-nginx/pull/6087) Adding parameter for externalTrafficPolicy in internal controller service spec
-
-### 2.14.0
-
-- [X] [#6104](https://github.com/kubernetes/ingress-nginx/pull/6104) Misc fixes for nginx-ingress chart for better keel and prometheus-operator integration
-
-### 2.13.0
-
-- [X] [#6093](https://github.com/kubernetes/ingress-nginx/pull/6093) Release v0.35.0
-
-### 2.13.0
-
-- [X] [#6093](https://github.com/kubernetes/ingress-nginx/pull/6093) Release v0.35.0
-- [X] [#6080](https://github.com/kubernetes/ingress-nginx/pull/6080) Switch images to k8s.gcr.io after Vanity Domain Flip
-
-### 2.12.1
-
-- [X] [#6075](https://github.com/kubernetes/ingress-nginx/pull/6075) Sync helm chart affinity examples
-
-### 2.12.0
-
-- [X] [#6039](https://github.com/kubernetes/ingress-nginx/pull/6039) Add configurable serviceMonitor metricRelabelling and targetLabels
-- [X] [#6044](https://github.com/kubernetes/ingress-nginx/pull/6044) Fix YAML linting
-
-### 2.11.3
-
-- [X] [#6038](https://github.com/kubernetes/ingress-nginx/pull/6038) Bump chart version PATCH
-
-### 2.11.2
-
-- [X] [#5951](https://github.com/kubernetes/ingress-nginx/pull/5951) Bump chart patch version
-
-### 2.11.1
-
-- [X] [#5900](https://github.com/kubernetes/ingress-nginx/pull/5900) Release helm chart for v0.34.1
-
-### 2.11.0
-
-- [X] [#5879](https://github.com/kubernetes/ingress-nginx/pull/5879) Update helm chart for v0.34.0
-- [X] [#5671](https://github.com/kubernetes/ingress-nginx/pull/5671) Make liveness probe more fault tolerant than readiness probe
-
-### 2.10.0
-
-- [X] [#5843](https://github.com/kubernetes/ingress-nginx/pull/5843) Update jettech/kube-webhook-certgen image
-
-### 2.9.1
-
-- [X] [#5823](https://github.com/kubernetes/ingress-nginx/pull/5823) Add quoting to sysctls because numeric values need to be presented as strings (#5823)
-
-### 2.9.0
-
-- [X] [#5795](https://github.com/kubernetes/ingress-nginx/pull/5795) Use fully qualified images to avoid cri-o issues
-
-
-### TODO
-
-Keep building the changelog using *git log charts* checking the tag
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index 0dbff62..42d9f82 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -1,43 +1,9 @@
annotations:
artifacthub.io/changes: |
- - "#8120 Update go in runner and release v1.1.1"
- - "#8119 Update to go v1.17.6"
- - "#8118 Remove deprecated libraries, update other libs"
- - "#8117 Fix codegen errors"
- - "#8115 chart/ghaction: set the correct permission to have access to push a release"
- - "#8098 generating SHA for CA only certs in backend_ssl.go + comparision of P…"
- - "#8088 Fix Edit this page link to use main branch"
- - "#8072 Expose GeoIP2 Continent code as variable"
- - "#8061 docs(charts): using helm-docs for chart"
- - "#8058 Bump github.com/spf13/cobra from 1.2.1 to 1.3.0"
- - "#8054 Bump google.golang.org/grpc from 1.41.0 to 1.43.0"
- - "#8051 align bug report with feature request regarding kind documentation"
- - "#8046 Report expired certificates (#8045)"
- - "#8044 remove G109 check till gosec resolves issues"
- - "#8042 docs_multiple_instances_one_cluster_ticket_7543"
- - "#8041 docs: fix typo'd executible name"
- - "#8035 Comment busy owners"
- - "#8029 Add stream-snippet as a ConfigMap and Annotation option"
- - "#8023 fix nginx compilation flags"
- - "#8021 Disable default modsecurity_rules_file if modsecurity-snippet is specified"
- - "#8019 Revise main documentation page"
- - "#8018 Preserve order of plugin invocation"
- - "#8015 Add newline indenting to admission webhook annotations"
- - "#8014 Add link to example error page manifest in docs"
- - "#8009 Fix spelling in documentation and top-level files"
- - "#8008 Add relabelings in controller-servicemonitor.yaml"
- - "#8003 Minor improvements (formatting, consistency) in install guide"
- - "#8001 fix: go-grpc Dockerfile"
- - "#7999 images: use k8s-staging-test-infra/gcb-docker-gcloud"
- - "#7996 doc: improvement"
- - "#7983 Fix a couple of misspellings in the annotations documentation."
- - "#7979 allow set annotations for admission Jobs"
- - "#7977 Add ssl_reject_handshake to defaul server"
- - "#7975 add legacy version update v0.50.0 to main changelog"
- - "#7972 updated service upstream definition"
+ - Update Ingress-Nginx version controller-v1.12.1
artifacthub.io/prerelease: "false"
apiVersion: v2
-appVersion: 1.1.1
+appVersion: 1.12.1
description: Ingress controller for Kubernetes using NGINX as a reverse proxy and
load balancer
home: https://github.com/kubernetes/ingress-nginx
@@ -45,11 +11,13 @@
keywords:
- ingress
- nginx
-kubeVersion: '>=1.19.0-0'
+kubeVersion: '>=1.21.0-0'
maintainers:
-- name: ChiefAlexander
+- name: cpanato
+- name: Gacko
+- name: strongjz
+- name: tao12345666333
name: ingress-nginx
sources:
- https://github.com/kubernetes/ingress-nginx
-type: application
-version: 4.0.17
+version: 4.12.1
diff --git a/charts/ingress-nginx/OWNERS b/charts/ingress-nginx/OWNERS
index 6b7e049..428474f 100644
--- a/charts/ingress-nginx/OWNERS
+++ b/charts/ingress-nginx/OWNERS
@@ -1,10 +1,4 @@
-# See the OWNERS docs: https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md
-
-approvers:
-- ingress-nginx-helm-maintainers
-
-reviewers:
-- ingress-nginx-helm-reviewers
+# See the OWNERS docs: https://www.kubernetes.dev/docs/guide/owners
labels:
- area/helm
diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
index e5e93a1..5861a73 100644
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@@ -2,16 +2,15 @@
[ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
-  
+ 
To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
-## Prerequisites
+## Requirements
-- Chart version 3.x.x: Kubernetes v1.16+
-- Chart version 4.x.x and above: Kubernetes v1.19+
+Kubernetes: `>=1.21.0-0`
## Get Repo Info
@@ -52,10 +51,6 @@
_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._
-### Upgrading With Zero Downtime in Production
-
-By default the ingress-nginx controller has service interruptions whenever it's pods are restarted or redeployed. In order to fix that, see the excellent blog post by Lindsay Landry from Codecademy: [Kubernetes: Nginx and Zero Downtime in Production](https://medium.com/codecademy-engineering/kubernetes-nginx-and-zero-downtime-in-production-2c910c6a5ed8).
-
### Migrating from stable/nginx-ingress
There are two main ways to migrate a release from `stable/nginx-ingress` to `ingress-nginx/ingress-nginx` chart:
@@ -66,7 +61,6 @@
1. Redirect your DNS traffic from the old controller to the new controller
1. Log traffic from both controllers during this changeover
1. [Uninstall](#uninstall-chart) the old controller once traffic has fully drained from it
- 1. For details on all of these steps see [Upgrading With Zero Downtime in Production](#upgrading-with-zero-downtime-in-production)
Note that there are some different and upgraded configurations between the two charts, described by Rimas Mocevicius from JFrog in the "Upgrading to ingress-nginx Helm chart" section of [Migrating from Helm chart nginx-ingress to ingress-nginx](https://rimusz.net/migrating-to-ingress-nginx). As the `ingress-nginx/ingress-nginx` chart continues to update, you will want to check current differences by running [helm configuration](#configuration) commands on both charts.
@@ -85,14 +79,14 @@
### Prometheus Metrics
-The Nginx ingress controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`.
+The Ingress-Nginx Controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`.
You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`.
Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. And set `controller.metrics.serviceMonitor.additionalLabels.release="prometheus"`. "release=prometheus" should match the label configured in the prometheus servicemonitor ( see `kubectl get servicemonitor prometheus-kube-prom-prometheus -oyaml -n prometheus`)
### ingress-nginx nginx\_status page/stats server
-Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in nginx ingress controller:
+Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in Ingress-Nginx Controller:
- In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed
- In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost.
@@ -100,7 +94,7 @@
### ExternalDNS Service Configuration
-Add an [ExternalDNS](https://github.com/kubernetes-incubator/external-dns) annotation to the LoadBalancer service:
+Add an [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) annotation to the LoadBalancer service:
```yaml
controller:
@@ -111,7 +105,7 @@
### AWS L7 ELB with SSL Termination
-Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/main/deploy/aws/l7/service-l7.yaml):
+Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/ab3a789caae65eec4ad6e3b46b19750b481b6bce/deploy/aws/l7/service-l7.yaml):
```yaml
controller:
@@ -126,19 +120,6 @@
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
```
-### AWS route53-mapper
-
-To configure the LoadBalancer service with the [route53-mapper addon](https://github.com/kubernetes/kops/tree/master/addons/route53-mapper), add the `domainName` annotation and `dns` label:
-
-```yaml
-controller:
- service:
- labels:
- dns: "route53"
- annotations:
- domainName: "kubernetes-example.com"
-```
-
### Additional Internal Load Balancer
This setup is useful when you need both external and internal load balancers but don't want to have multiple ingress controllers and multiple ingress objects per application.
@@ -162,8 +143,10 @@
internal:
enabled: true
annotations:
- # Create internal ELB
- service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+ # Create internal NLB
+ service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
+ # Create internal ELB(Deprecated)
+ # service.beta.kubernetes.io/aws-load-balancer-internal: "true"
# Any other annotation can be declared here.
```
@@ -175,7 +158,7 @@
internal:
enabled: true
annotations:
- # Create internal LB. More informations: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing
+ # Create internal LB. More information: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing
# For GKE versions 1.17 and later
networking.gke.io/load-balancer-type: "Internal"
# For earlier versions
@@ -206,17 +189,34 @@
# Any other annotation can be declared here.
```
+The load balancer annotations of more cloud service providers can be found: [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer).
+
An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object.
Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`.
### Ingress Admission Webhooks
-With nginx-ingress-controller version 0.25+, the nginx ingress controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
+With nginx-ingress-controller version 0.25+, the Ingress-Nginx Controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
**This feature is enabled by default since 0.31.0.**
With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521)
+#### How the Chart Configures the Hooks
+A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks.
+
+1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits.
+2. The Ingress-Nginx Controller pod is configured to use a TLS proxy container, which will load that certificate.
+3. Validating and Mutating webhook configurations are created in the cluster.
+4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations
+
+#### Alternatives
+It should be possible to use [cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) if a more complete solution is required.
+
+You can enable automatic self-signed TLS certificate provisioning via cert-manager by setting the `controller.admissionWebhooks.certManager.enabled` value to true.
+
+Please ensure that cert-manager is correctly installed and configured.
+
### Helm Error When Upgrading: spec.clusterIP: Invalid value: ""
If you are upgrading this chart from a version between 0.31.0 and 1.2.2 then you may get an error like this:
@@ -229,9 +229,23 @@
As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered.
-## Requirements
+### Pod Security Admission
-Kubernetes: `>=1.19.0-0`
+You can use Pod Security Admission by applying labels to the `ingress-nginx` namespace as instructed by the [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels).
+
+Example:
+
+```yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ingress-nginx
+ labels:
+ kubernetes.io/metadata.name: ingress-nginx
+ name: ingress-nginx
+ pod-security.kubernetes.io/enforce: restricted
+ pod-security.kubernetes.io/enforce-version: v1.31
+```
## Values
@@ -240,37 +254,52 @@
| commonLabels | object | `{}` | |
| controller.addHeaders | object | `{}` | Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers |
| controller.admissionWebhooks.annotations | object | `{}` | |
+| controller.admissionWebhooks.certManager.admissionCert.duration | string | `""` | |
+| controller.admissionWebhooks.certManager.enabled | bool | `false` | |
+| controller.admissionWebhooks.certManager.rootCert.duration | string | `""` | |
| controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` | |
+| controller.admissionWebhooks.createSecretJob.name | string | `"create"` | |
| controller.admissionWebhooks.createSecretJob.resources | object | `{}` | |
+| controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers |
| controller.admissionWebhooks.enabled | bool | `true` | |
-| controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one |
-| controller.admissionWebhooks.failurePolicy | string | `"Fail"` | |
+| controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set |
+| controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use |
| controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` | |
| controller.admissionWebhooks.labels | object | `{}` | Labels to be added to admission webhooks |
+| controller.admissionWebhooks.name | string | `"admission"` | |
| controller.admissionWebhooks.namespaceSelector | object | `{}` | |
| controller.admissionWebhooks.objectSelector | object | `{}` | |
| controller.admissionWebhooks.patch.enabled | bool | `true` | |
-| controller.admissionWebhooks.patch.image.digest | string | `"sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660"` | |
+| controller.admissionWebhooks.patch.image.digest | string | `"sha256:e8825994b7a2c7497375a9b945f386506ca6a3eda80b89b74ef2db743f66a5ea"` | |
| controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | |
| controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | |
-| controller.admissionWebhooks.patch.image.registry | string | `"k8s.gcr.io"` | |
-| controller.admissionWebhooks.patch.image.tag | string | `"v1.1.1"` | |
+| controller.admissionWebhooks.patch.image.tag | string | `"v1.5.2"` | |
| controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
+| controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
| controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | |
| controller.admissionWebhooks.patch.podAnnotations | object | `{}` | |
-| controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job |
-| controller.admissionWebhooks.patch.runAsUser | int | `2000` | |
+| controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # |
+| controller.admissionWebhooks.patch.rbac | object | `{"create":true}` | Admission webhook patch job RBAC |
+| controller.admissionWebhooks.patch.rbac.create | bool | `true` | Create RBAC or not |
+| controller.admissionWebhooks.patch.securityContext | object | `{}` | Security context for secret creation & webhook patch pods |
+| controller.admissionWebhooks.patch.serviceAccount | object | `{"automountServiceAccountToken":true,"create":true,"name":""}` | Admission webhook patch job service account |
+| controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken | bool | `true` | Auto-mount service account token or not |
+| controller.admissionWebhooks.patch.serviceAccount.create | bool | `true` | Create a service account or not |
+| controller.admissionWebhooks.patch.serviceAccount.name | string | `""` | Custom service account name |
| controller.admissionWebhooks.patch.tolerations | list | `[]` | |
+| controller.admissionWebhooks.patchWebhookJob.name | string | `"patch"` | |
| controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` | |
+| controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers |
| controller.admissionWebhooks.port | int | `8443` | |
| controller.admissionWebhooks.service.annotations | object | `{}` | |
| controller.admissionWebhooks.service.externalIPs | list | `[]` | |
| controller.admissionWebhooks.service.loadBalancerSourceRanges | list | `[]` | |
| controller.admissionWebhooks.service.servicePort | int | `443` | |
| controller.admissionWebhooks.service.type | string | `"ClusterIP"` | |
-| controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes |
-| controller.allowSnippetAnnotations | bool | `true` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected |
-| controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet |
+| controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # |
+| controller.allowSnippetAnnotations | bool | `false` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected |
+| controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # |
+| controller.autoscaling.annotations | object | `{}` | |
| controller.autoscaling.behavior | object | `{}` | |
| controller.autoscaling.enabled | bool | `false` | |
| controller.autoscaling.maxReplicas | int | `11` | |
@@ -278,46 +307,59 @@
| controller.autoscaling.targetCPUUtilizationPercentage | int | `50` | |
| controller.autoscaling.targetMemoryUtilizationPercentage | int | `50` | |
| controller.autoscalingTemplate | list | `[]` | |
-| controller.config | object | `{}` | Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ |
+| controller.config | object | `{}` | Global configuration passed to the ConfigMap consumed by the controller. Values may contain Helm templates. Ref.: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ |
| controller.configAnnotations | object | `{}` | Annotations to be added to the controller config configuration configmap. |
| controller.configMapNamespace | string | `""` | Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) |
| controller.containerName | string | `"controller"` | Configures the controller container name |
| controller.containerPort | object | `{"http":80,"https":443}` | Configures the ports that the nginx-controller listens on |
+| controller.containerSecurityContext | object | `{}` | Security context for controller containers |
| controller.customTemplate.configMapKey | string | `""` | |
| controller.customTemplate.configMapName | string | `""` | |
+| controller.disableLeaderElection | bool | `false` | This configuration disable Nginx Controller Leader Election |
| controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. |
| controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. |
-| controller.electionID | string | `"ingress-controller-leader"` | Election ID to use for status update |
-| controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. |
-| controller.existingPsp | string | `""` | Use an existing PSP instead of creating one |
-| controller.extraArgs | object | `{}` | Additional command line arguments to pass to nginx-ingress-controller E.g. to specify the default SSL certificate you can use |
+| controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' |
+| controller.electionTTL | string | `""` | Duration a leader election is valid before it's getting re-elected, e.g. `15s`, `10m` or `1h`. (Default: 30s) |
+| controller.enableAnnotationValidations | bool | `true` | |
+| controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # |
+| controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false |
+| controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use |
| controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. |
| controller.extraEnvs | list | `[]` | Additional environment variables to set |
| controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. |
-| controller.extraModules | list | `[]` | |
+| controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. |
| controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. |
| controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. |
-| controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the ingress nginx controller is running in the `hostNetwork: true` mode. |
+| controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. |
| controller.healthCheckPath | string | `"/healthz"` | Path of the health check endpoint. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. |
+| controller.hostAliases | list | `[]` | Optionally customize the pod hostAliases. |
| controller.hostNetwork | bool | `false` | Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 is merged |
| controller.hostPort.enabled | bool | `false` | Enable 'hostPort' or not |
| controller.hostPort.ports.http | int | `80` | 'hostPort' http port |
| controller.hostPort.ports.https | int | `443` | 'hostPort' https port |
| controller.hostname | object | `{}` | Optionally customize the pod hostname. |
-| controller.image.allowPrivilegeEscalation | bool | `true` | |
-| controller.image.digest | string | `"sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de"` | |
+| controller.image.allowPrivilegeEscalation | bool | `false` | |
+| controller.image.chroot | bool | `false` | |
+| controller.image.digest | string | `"sha256:d2fbc4ec70d8aa2050dd91a91506e998765e86c96f32cffb56c503c9c34eed5b"` | |
+| controller.image.digestChroot | string | `"sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e"` | |
| controller.image.image | string | `"ingress-nginx/controller"` | |
| controller.image.pullPolicy | string | `"IfNotPresent"` | |
-| controller.image.registry | string | `"k8s.gcr.io"` | |
-| controller.image.runAsUser | int | `101` | |
-| controller.image.tag | string | `"v1.1.1"` | |
+| controller.image.readOnlyRootFilesystem | bool | `false` | |
+| controller.image.runAsGroup | int | `82` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) |
+| controller.image.runAsNonRoot | bool | `true` | |
+| controller.image.runAsUser | int | `101` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) |
+| controller.image.seccompProfile.type | string | `"RuntimeDefault"` | |
+| controller.image.tag | string | `"v1.12.1"` | |
| controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
| controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
-| controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass |
-| controller.ingressClassResource.default | bool | `false` | Is this the default ingressClass for the cluster |
-| controller.ingressClassResource.enabled | bool | `true` | Is this ingressClass enabled or not |
-| controller.ingressClassResource.name | string | `"nginx"` | Name of the ingressClass |
-| controller.ingressClassResource.parameters | object | `{}` | Parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters. |
+| controller.ingressClassResource | object | `{"aliases":[],"annotations":{},"controllerValue":"k8s.io/ingress-nginx","default":false,"enabled":true,"name":"nginx","parameters":{}}` | This section refers to the creation of the IngressClass resource. IngressClasses are immutable and cannot be changed after creation. We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required. |
+| controller.ingressClassResource.aliases | list | `[]` | Aliases of this IngressClass. Creates copies with identical settings but the respective alias as name. Useful for development environments with only one Ingress Controller but production-like Ingress resources. `default` gets enabled on the original IngressClass only. |
+| controller.ingressClassResource.annotations | object | `{}` | Annotations to be added to the IngressClass resource. |
+| controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller of the IngressClass. An Ingress Controller looks for IngressClasses it should reconcile by this value. This value is also being set as the `--controller-class` argument of this Ingress Controller. Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class |
+| controller.ingressClassResource.default | bool | `false` | If true, Ingresses without `ingressClassName` get assigned to this IngressClass on creation. Ingress creation gets rejected if there are multiple default IngressClasses. Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class |
+| controller.ingressClassResource.enabled | bool | `true` | Create the IngressClass or not |
+| controller.ingressClassResource.name | string | `"nginx"` | Name of the IngressClass |
+| controller.ingressClassResource.parameters | object | `{}` | A link to a custom resource containing additional configuration for the controller. This is optional if the controller consuming this IngressClass does not require additional parameters. Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class |
| controller.keda.apiVersion | string | `"keda.sh/v1alpha1"` | |
| controller.keda.behavior | object | `{}` | |
| controller.keda.cooldownPeriod | int | `300` | |
@@ -329,8 +371,8 @@
| controller.keda.scaledObject.annotations | object | `{}` | |
| controller.keda.triggers | list | `[]` | |
| controller.kind | string | `"Deployment"` | Use a `DaemonSet` or `Deployment` |
-| controller.labels | object | `{}` | Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels |
-| controller.lifecycle | object | `{"preStop":{"exec":{"command":["/wait-shutdown"]}}}` | Improve connection draining when ingress controller pod is deleted using a lifecycle hook: With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds to 300, allowing the draining of connections up to five minutes. If the active connections end before that, the pod will terminate gracefully at that time. To effectively take advantage of this feature, the Configmap feature worker-shutdown-timeout new value is 240s instead of 10s. |
+| controller.labels | object | `{}` | Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels # |
+| controller.lifecycle | object | `{"preStop":{"exec":{"command":["/wait-shutdown"]}}}` | Improve connection draining when ingress controller pod is deleted using a lifecycle hook: With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds to 300, allowing the draining of connections up to five minutes. If the active connections end before that, the pod will terminate gracefully at that time. To effectively take advantage of this feature, the Configmap feature worker-shutdown-timeout new value is 240s instead of 10s. # |
| controller.livenessProbe.failureThreshold | int | `5` | |
| controller.livenessProbe.httpGet.path | string | `"/healthz"` | |
| controller.livenessProbe.httpGet.port | int | `10254` | |
@@ -339,18 +381,23 @@
| controller.livenessProbe.periodSeconds | int | `10` | |
| controller.livenessProbe.successThreshold | int | `1` | |
| controller.livenessProbe.timeoutSeconds | int | `1` | |
-| controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. |
+| controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. # https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/ |
| controller.metrics.enabled | bool | `false` | |
| controller.metrics.port | int | `10254` | |
+| controller.metrics.portName | string | `"metrics"` | |
| controller.metrics.prometheusRule.additionalLabels | object | `{}` | |
+| controller.metrics.prometheusRule.annotations | object | `{}` | Annotations to be added to the PrometheusRule. |
| controller.metrics.prometheusRule.enabled | bool | `false` | |
| controller.metrics.prometheusRule.rules | list | `[]` | |
| controller.metrics.service.annotations | object | `{}` | |
-| controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available |
+| controller.metrics.service.enabled | bool | `true` | Enable the metrics service or not. |
+| controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
+| controller.metrics.service.labels | object | `{}` | Labels to be added to the metrics service resource |
| controller.metrics.service.loadBalancerSourceRanges | list | `[]` | |
| controller.metrics.service.servicePort | int | `10254` | |
| controller.metrics.service.type | string | `"ClusterIP"` | |
| controller.metrics.serviceMonitor.additionalLabels | object | `{}` | |
+| controller.metrics.serviceMonitor.annotations | object | `{}` | Annotations to be added to the ServiceMonitor. |
| controller.metrics.serviceMonitor.enabled | bool | `false` | |
| controller.metrics.serviceMonitor.metricRelabelings | list | `[]` | |
| controller.metrics.serviceMonitor.namespace | string | `""` | |
@@ -358,14 +405,16 @@
| controller.metrics.serviceMonitor.relabelings | list | `[]` | |
| controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` | |
| controller.metrics.serviceMonitor.targetLabels | list | `[]` | |
-| controller.minAvailable | int | `1` | |
-| controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready |
+| controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. |
+| controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
| controller.name | string | `"controller"` | |
-| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment |
-| controller.podAnnotations | object | `{}` | Annotations to be added to controller pods |
+| controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
+| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
+| controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # |
| controller.podLabels | object | `{}` | Labels to add to the pod container metadata |
-| controller.podSecurityContext | object | `{}` | Security Context policies for controller pods |
+| controller.podSecurityContext | object | `{}` | Security context for controller pods |
| controller.priorityClassName | string | `""` | |
+| controller.progressDeadlineSeconds | int | `0` | Specifies the number of seconds you want to wait for the controller deployment to progress before the system reports back that it has failed. Ref.: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds |
| controller.proxySetHeaders | object | `{}` | Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers |
| controller.publishService | object | `{"enabled":true,"pathOverride":""}` | Allows customization of the source of the IP address or FQDN to report in the ingress status field. By default, it reads the information provided by the service. If disable, the status field reports the IP address of the node or nodes where an ingress controller pod is running. |
| controller.publishService.enabled | bool | `true` | Enable 'publishService' or not |
@@ -379,56 +428,79 @@
| controller.readinessProbe.successThreshold | int | `1` | |
| controller.readinessProbe.timeoutSeconds | int | `1` | |
| controller.replicaCount | int | `1` | |
-| controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply |
+| controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply |
| controller.resources.requests.cpu | string | `"100m"` | |
| controller.resources.requests.memory | string | `"90Mi"` | |
| controller.scope.enabled | bool | `false` | Enable 'scope' or not |
| controller.scope.namespace | string | `""` | Namespace to limit the controller to; defaults to $(POD_NAMESPACE) |
| controller.scope.namespaceSelector | string | `""` | When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. |
-| controller.service.annotations | object | `{}` | |
-| controller.service.appProtocol | bool | `true` | If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http It allows choosing the protocol for each backend specified in the Kubernetes service. See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 Will be ignored for Kubernetes versions older than 1.20 |
-| controller.service.enableHttp | bool | `true` | |
-| controller.service.enableHttps | bool | `true` | |
-| controller.service.enabled | bool | `true` | |
-| controller.service.external.enabled | bool | `true` | |
-| controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available |
-| controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. |
-| controller.service.internal.enabled | bool | `false` | Enables an additional internal load balancer (besides the external one). |
-| controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. |
-| controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. |
-| controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack-ness requested or required by this Service. Possible values are SingleStack, PreferDualStack or RequireDualStack. The ipFamilies and clusterIPs fields depend on the value of this field. |
-| controller.service.labels | object | `{}` | |
-| controller.service.loadBalancerSourceRanges | list | `[]` | |
-| controller.service.nodePorts.http | string | `""` | |
-| controller.service.nodePorts.https | string | `""` | |
-| controller.service.nodePorts.tcp | object | `{}` | |
-| controller.service.nodePorts.udp | object | `{}` | |
-| controller.service.ports.http | int | `80` | |
-| controller.service.ports.https | int | `443` | |
-| controller.service.targetPorts.http | string | `"http"` | |
-| controller.service.targetPorts.https | string | `"https"` | |
-| controller.service.type | string | `"LoadBalancer"` | |
-| controller.sysctls | object | `{}` | See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls |
+| controller.service.annotations | object | `{}` | Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service. |
+| controller.service.appProtocol | bool | `true` | Declare the app protocol of the external HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol |
+| controller.service.clusterIP | string | `""` | Pre-defined cluster internal IP address of the external controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
+| controller.service.enableHttp | bool | `true` | Enable the HTTP listener on both controller services or not. |
+| controller.service.enableHttps | bool | `true` | Enable the HTTPS listener on both controller services or not. |
+| controller.service.enabled | bool | `true` | Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service. |
+| controller.service.external.enabled | bool | `true` | Enable the external controller service or not. Useful for internal-only deployments. |
+| controller.service.externalIPs | list | `[]` | List of node IP addresses at which the external controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips |
+| controller.service.externalTrafficPolicy | string | `""` | External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
+| controller.service.internal.annotations | object | `{}` | Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer |
+| controller.service.internal.appProtocol | bool | `true` | Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol |
+| controller.service.internal.clusterIP | string | `""` | Pre-defined cluster internal IP address of the internal controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
+| controller.service.internal.enabled | bool | `false` | Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this. |
+| controller.service.internal.externalIPs | list | `[]` | List of node IP addresses at which the internal controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips |
+| controller.service.internal.externalTrafficPolicy | string | `""` | External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
+| controller.service.internal.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
+| controller.service.internal.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
+| controller.service.internal.loadBalancerClass | string | `""` | Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class |
+| controller.service.internal.loadBalancerIP | string | `""` | Deprecated: Pre-defined IP address of the internal controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer |
+| controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access to the internal controller service. Values must be CIDRs. Allows any source address by default. |
+| controller.service.internal.nodePorts.http | string | `""` | Node port allocated for the internal HTTP listener. If left empty, the service controller allocates one from the configured node port range. |
+| controller.service.internal.nodePorts.https | string | `""` | Node port allocated for the internal HTTPS listener. If left empty, the service controller allocates one from the configured node port range. |
+| controller.service.internal.nodePorts.tcp | object | `{}` | Node port mapping for internal TCP listeners. If left empty, the service controller allocates them from the configured node port range. Example: tcp: 8080: 30080 |
+| controller.service.internal.nodePorts.udp | object | `{}` | Node port mapping for internal UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp: 53: 30053 |
+| controller.service.internal.ports | object | `{}` | |
+| controller.service.internal.sessionAffinity | string | `""` | Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity |
+| controller.service.internal.targetPorts | object | `{}` | |
+| controller.service.internal.type | string | `""` | Type of the internal controller service. Defaults to the value of `controller.service.type`. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
+| controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
+| controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
+| controller.service.labels | object | `{}` | Labels to be added to both controller services. |
+| controller.service.loadBalancerClass | string | `""` | Load balancer class of the external controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class |
+| controller.service.loadBalancerIP | string | `""` | Deprecated: Pre-defined IP address of the external controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer |
+| controller.service.loadBalancerSourceRanges | list | `[]` | Restrict access to the external controller service. Values must be CIDRs. Allows any source address by default. |
+| controller.service.nodePorts.http | string | `""` | Node port allocated for the external HTTP listener. If left empty, the service controller allocates one from the configured node port range. |
+| controller.service.nodePorts.https | string | `""` | Node port allocated for the external HTTPS listener. If left empty, the service controller allocates one from the configured node port range. |
+| controller.service.nodePorts.tcp | object | `{}` | Node port mapping for external TCP listeners. If left empty, the service controller allocates them from the configured node port range. Example: tcp: 8080: 30080 |
+| controller.service.nodePorts.udp | object | `{}` | Node port mapping for external UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp: 53: 30053 |
+| controller.service.ports.http | int | `80` | Port the external HTTP listener is published with. |
+| controller.service.ports.https | int | `443` | Port the external HTTPS listener is published with. |
+| controller.service.sessionAffinity | string | `""` | Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity |
+| controller.service.targetPorts.http | string | `"http"` | Port of the ingress controller the external HTTP listener is mapped to. |
+| controller.service.targetPorts.https | string | `"https"` | Port of the ingress controller the external HTTPS listener is mapped to. |
+| controller.service.type | string | `"LoadBalancer"` | Type of the external controller service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
+| controller.shareProcessNamespace | bool | `false` | |
+| controller.sysctls | object | `{}` | sysctls for controller pods # Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ |
| controller.tcp.annotations | object | `{}` | Annotations to be added to the tcp config configmap |
| controller.tcp.configMapNamespace | string | `""` | Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) |
-| controller.terminationGracePeriodSeconds | int | `300` | `terminationGracePeriodSeconds` to avoid killing pods before we are ready |
-| controller.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints |
-| controller.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. |
+| controller.terminationGracePeriodSeconds | int | `300` | `terminationGracePeriodSeconds` to avoid killing pods before we are ready # wait up to five minutes for the drain of connections # |
+| controller.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # |
+| controller.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. # Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ # |
| controller.udp.annotations | object | `{}` | Annotations to be added to the udp config configmap |
| controller.udp.configMapNamespace | string | `""` | Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) |
-| controller.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet |
+| controller.unhealthyPodEvictionPolicy | string | `""` | Eviction policy for unhealthy pods guarded by PodDisruptionBudget. Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ |
+| controller.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
| controller.watchIngressWithoutClass | bool | `false` | Process Ingress objects without ingressClass annotation/ingressClassName field Overrides value for --watch-ingress-without-class flag of the controller binary Defaults to false |
-| defaultBackend.affinity | object | `{}` | |
+| defaultBackend.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity |
| defaultBackend.autoscaling.annotations | object | `{}` | |
| defaultBackend.autoscaling.enabled | bool | `false` | |
| defaultBackend.autoscaling.maxReplicas | int | `2` | |
| defaultBackend.autoscaling.minReplicas | int | `1` | |
| defaultBackend.autoscaling.targetCPUUtilizationPercentage | int | `50` | |
| defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` | |
-| defaultBackend.containerSecurityContext | object | `{}` | Security Context policies for controller main container. See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls |
+| defaultBackend.containerSecurityContext | object | `{}` | Security context for default backend containers |
| defaultBackend.enabled | bool | `false` | |
-| defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one |
| defaultBackend.extraArgs | object | `{}` | |
+| defaultBackend.extraConfigMaps | list | `[]` | |
| defaultBackend.extraEnvs | list | `[]` | Additional environment variables to set for defaultBackend pods |
| defaultBackend.extraVolumeMounts | list | `[]` | |
| defaultBackend.extraVolumes | list | `[]` | |
@@ -436,9 +508,10 @@
| defaultBackend.image.image | string | `"defaultbackend-amd64"` | |
| defaultBackend.image.pullPolicy | string | `"IfNotPresent"` | |
| defaultBackend.image.readOnlyRootFilesystem | bool | `true` | |
-| defaultBackend.image.registry | string | `"k8s.gcr.io"` | |
+| defaultBackend.image.runAsGroup | int | `65534` | |
| defaultBackend.image.runAsNonRoot | bool | `true` | |
| defaultBackend.image.runAsUser | int | `65534` | |
+| defaultBackend.image.seccompProfile.type | string | `"RuntimeDefault"` | |
| defaultBackend.image.tag | string | `"1.5"` | |
| defaultBackend.labels | object | `{}` | Labels to be added to the default backend resources |
| defaultBackend.livenessProbe.failureThreshold | int | `3` | |
@@ -446,12 +519,14 @@
| defaultBackend.livenessProbe.periodSeconds | int | `10` | |
| defaultBackend.livenessProbe.successThreshold | int | `1` | |
| defaultBackend.livenessProbe.timeoutSeconds | int | `5` | |
-| defaultBackend.minAvailable | int | `1` | |
+| defaultBackend.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. |
+| defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
| defaultBackend.name | string | `"defaultbackend"` | |
-| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment |
-| defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods |
+| defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
+| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
+| defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # |
| defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata |
-| defaultBackend.podSecurityContext | object | `{}` | Security Context policies for controller pods See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls |
+| defaultBackend.podSecurityContext | object | `{}` | Security context for default backend pods |
| defaultBackend.port | int | `8080` | |
| defaultBackend.priorityClassName | string | `""` | |
| defaultBackend.readinessProbe.failureThreshold | int | `6` | |
@@ -462,24 +537,28 @@
| defaultBackend.replicaCount | int | `1` | |
| defaultBackend.resources | object | `{}` | |
| defaultBackend.service.annotations | object | `{}` | |
-| defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available |
+| defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
| defaultBackend.service.loadBalancerSourceRanges | list | `[]` | |
| defaultBackend.service.servicePort | int | `80` | |
| defaultBackend.service.type | string | `"ClusterIP"` | |
| defaultBackend.serviceAccount.automountServiceAccountToken | bool | `true` | |
| defaultBackend.serviceAccount.create | bool | `true` | |
| defaultBackend.serviceAccount.name | string | `""` | |
-| defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints |
-| dhParam | string | `nil` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` |
-| imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials |
-| podSecurityPolicy.enabled | bool | `false` | |
+| defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # |
+| defaultBackend.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. Ref.: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ |
+| defaultBackend.unhealthyPodEvictionPolicy | string | `""` | Eviction policy for unhealthy pods guarded by PodDisruptionBudget. Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ |
+| defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
+| dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param |
+| global.image.registry | string | `"registry.k8s.io"` | Registry host to pull images from. |
+| imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
+| namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace |
+| portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration |
| rbac.create | bool | `true` | |
| rbac.scope | bool | `false` | |
-| revisionHistoryLimit | int | `10` | Rollback limit |
+| revisionHistoryLimit | int | `10` | Rollback limit # |
| serviceAccount.annotations | object | `{}` | Annotations for the controller service account |
| serviceAccount.automountServiceAccountToken | bool | `true` | |
| serviceAccount.create | bool | `true` | |
| serviceAccount.name | string | `""` | |
-| tcp | object | `{}` | TCP service key:value pairs |
-| udp | object | `{}` | UDP service key:value pairs |
-
+| tcp | object | `{}` | TCP service key-value pairs # Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md # |
+| udp | object | `{}` | UDP service key-value pairs # Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md # |
diff --git a/charts/ingress-nginx/README.md.gotmpl b/charts/ingress-nginx/README.md.gotmpl
index 5cd9e59..3cb9d56 100644
--- a/charts/ingress-nginx/README.md.gotmpl
+++ b/charts/ingress-nginx/README.md.gotmpl
@@ -7,10 +7,7 @@
This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
-## Prerequisites
-
-- Chart version 3.x.x: Kubernetes v1.16+
-- Chart version 4.x.x and above: Kubernetes v1.19+
+{{ template "chart.requirementsSection" . }}
## Get Repo Info
@@ -51,10 +48,6 @@
_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._
-### Upgrading With Zero Downtime in Production
-
-By default the ingress-nginx controller has service interruptions whenever it's pods are restarted or redeployed. In order to fix that, see the excellent blog post by Lindsay Landry from Codecademy: [Kubernetes: Nginx and Zero Downtime in Production](https://medium.com/codecademy-engineering/kubernetes-nginx-and-zero-downtime-in-production-2c910c6a5ed8).
-
### Migrating from stable/nginx-ingress
There are two main ways to migrate a release from `stable/nginx-ingress` to `ingress-nginx/ingress-nginx` chart:
@@ -65,7 +58,6 @@
1. Redirect your DNS traffic from the old controller to the new controller
1. Log traffic from both controllers during this changeover
1. [Uninstall](#uninstall-chart) the old controller once traffic has fully drained from it
- 1. For details on all of these steps see [Upgrading With Zero Downtime in Production](#upgrading-with-zero-downtime-in-production)
Note that there are some different and upgraded configurations between the two charts, described by Rimas Mocevicius from JFrog in the "Upgrading to ingress-nginx Helm chart" section of [Migrating from Helm chart nginx-ingress to ingress-nginx](https://rimusz.net/migrating-to-ingress-nginx). As the `ingress-nginx/ingress-nginx` chart continues to update, you will want to check current differences by running [helm configuration](#configuration) commands on both charts.
@@ -84,14 +76,14 @@
### Prometheus Metrics
-The Nginx ingress controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`.
+The Ingress-Nginx Controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`.
You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`.
Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. And set `controller.metrics.serviceMonitor.additionalLabels.release="prometheus"`. "release=prometheus" should match the label configured in the prometheus servicemonitor ( see `kubectl get servicemonitor prometheus-kube-prom-prometheus -oyaml -n prometheus`)
### ingress-nginx nginx\_status page/stats server
-Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in nginx ingress controller:
+Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in Ingress-Nginx Controller:
- In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed
- In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost.
@@ -99,7 +91,7 @@
### ExternalDNS Service Configuration
-Add an [ExternalDNS](https://github.com/kubernetes-incubator/external-dns) annotation to the LoadBalancer service:
+Add an [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) annotation to the LoadBalancer service:
```yaml
controller:
@@ -110,7 +102,7 @@
### AWS L7 ELB with SSL Termination
-Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/main/deploy/aws/l7/service-l7.yaml):
+Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/ab3a789caae65eec4ad6e3b46b19750b481b6bce/deploy/aws/l7/service-l7.yaml):
```yaml
controller:
@@ -125,19 +117,6 @@
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
```
-### AWS route53-mapper
-
-To configure the LoadBalancer service with the [route53-mapper addon](https://github.com/kubernetes/kops/tree/master/addons/route53-mapper), add the `domainName` annotation and `dns` label:
-
-```yaml
-controller:
- service:
- labels:
- dns: "route53"
- annotations:
- domainName: "kubernetes-example.com"
-```
-
### Additional Internal Load Balancer
This setup is useful when you need both external and internal load balancers but don't want to have multiple ingress controllers and multiple ingress objects per application.
@@ -161,8 +140,10 @@
internal:
enabled: true
annotations:
- # Create internal ELB
- service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+ # Create internal NLB
+ service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
+ # Create internal ELB(Deprecated)
+ # service.beta.kubernetes.io/aws-load-balancer-internal: "true"
# Any other annotation can be declared here.
```
@@ -174,7 +155,7 @@
internal:
enabled: true
annotations:
- # Create internal LB. More informations: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing
+ # Create internal LB. More information: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing
# For GKE versions 1.17 and later
networking.gke.io/load-balancer-type: "Internal"
# For earlier versions
@@ -205,17 +186,34 @@
# Any other annotation can be declared here.
```
+The load balancer annotations of more cloud service providers can be found: [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer).
+
An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object.
Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`.
### Ingress Admission Webhooks
-With nginx-ingress-controller version 0.25+, the nginx ingress controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
+With nginx-ingress-controller version 0.25+, the Ingress-Nginx Controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
**This feature is enabled by default since 0.31.0.**
With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521)
+#### How the Chart Configures the Hooks
+A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks.
+
+1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits.
+2. The Ingress-Nginx Controller pod is configured to use a TLS proxy container, which will load that certificate.
+3. Validating and Mutating webhook configurations are created in the cluster.
+4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations
+
+#### Alternatives
+It should be possible to use [cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) if a more complete solution is required.
+
+You can enable automatic self-signed TLS certificate provisioning via cert-manager by setting the `controller.admissionWebhooks.certManager.enabled` value to true.
+
+Please ensure that cert-manager is correctly installed and configured.
+
### Helm Error When Upgrading: spec.clusterIP: Invalid value: ""
If you are upgrading this chart from a version between 0.31.0 and 1.2.2 then you may get an error like this:
@@ -228,8 +226,22 @@
As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered.
-{{ template "chart.requirementsSection" . }}
+### Pod Security Admission
+
+You can use Pod Security Admission by applying labels to the `ingress-nginx` namespace as instructed by the [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels).
+
+Example:
+
+```yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ingress-nginx
+ labels:
+ kubernetes.io/metadata.name: ingress-nginx
+ name: ingress-nginx
+ pod-security.kubernetes.io/enforce: restricted
+ pod-security.kubernetes.io/enforce-version: v1.31
+```
{{ template "chart.valuesSection" . }}
-
-{{ template "helm-docs.versionFooter" . }}
diff --git a/charts/ingress-nginx/changelog/helm-chart-2.10.0.md b/charts/ingress-nginx/changelog/helm-chart-2.10.0.md
new file mode 100644
index 0000000..b42d6c2
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-2.10.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.10.0
+
+* [#5843](https://github.com/kubernetes/ingress-nginx/pull/5843) Update jettech/kube-webhook-certgen image
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.9.1...ingress-nginx-2.10.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-2.11.0.md b/charts/ingress-nginx/changelog/helm-chart-2.11.0.md
new file mode 100644
index 0000000..e549b38
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-2.11.0.md
@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.11.0
+
+* [#5879](https://github.com/kubernetes/ingress-nginx/pull/5879) Update helm chart for v0.34.0
+* [#5671](https://github.com/kubernetes/ingress-nginx/pull/5671) Make liveness probe more fault tolerant than readiness probe
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.10.0...ingress-nginx-2.11.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-2.11.1.md b/charts/ingress-nginx/changelog/helm-chart-2.11.1.md
new file mode 100644
index 0000000..d910d3b
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-2.11.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.11.1
+
+* [#5900](https://github.com/kubernetes/ingress-nginx/pull/5900) Release helm chart for v0.34.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.11.0...ingress-nginx-2.11.1
diff --git a/charts/ingress-nginx/changelog/helm-chart-2.11.2.md b/charts/ingress-nginx/changelog/helm-chart-2.11.2.md
new file mode 100644
index 0000000..9f78210
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-2.11.2.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.11.2
+
+* [#5951](https://github.com/kubernetes/ingress-nginx/pull/5951) Bump chart patch version
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.11.1...ingress-nginx-2.11.2
diff --git a/charts/ingress-nginx/changelog/helm-chart-2.11.3.md b/charts/ingress-nginx/changelog/helm-chart-2.11.3.md
new file mode 100644
index 0000000..3447691
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-2.11.3.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.11.3
+
+* [#6038](https://github.com/kubernetes/ingress-nginx/pull/6038) Bump chart version PATCH
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.11.2...ingress-nginx-2.11.3
diff --git a/charts/ingress-nginx/changelog/helm-chart-2.12.0.md b/charts/ingress-nginx/changelog/helm-chart-2.12.0.md
new file mode 100644
index 0000000..5cb3888
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-2.12.0.md
@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.12.0
+
+* [#6039](https://github.com/kubernetes/ingress-nginx/pull/6039) Add configurable serviceMonitor metricRelabelling and targetLabels
+* [#6044](https://github.com/kubernetes/ingress-nginx/pull/6044) Fix YAML linting
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.11.3...ingress-nginx-2.12.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-2.12.1.md b/charts/ingress-nginx/changelog/helm-chart-2.12.1.md
new file mode 100644
index 0000000..94d121d
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-2.12.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.12.1
+
+* [#6075](https://github.com/kubernetes/ingress-nginx/pull/6075) Sync helm chart affinity examples
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.12.0...ingress-nginx-2.12.1
diff --git a/charts/ingress-nginx/changelog/helm-chart-2.13.0.md b/charts/ingress-nginx/changelog/helm-chart-2.13.0.md
new file mode 100644
index 0000000..01fe0b1
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-2.13.0.md
@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.13.0
+
+* [#6093](https://github.com/kubernetes/ingress-nginx/pull/6093) Release v0.35.0
+* [#6080](https://github.com/kubernetes/ingress-nginx/pull/6080) Switch images to k8s.gcr.io after Vanity Domain Flip
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.12.1...ingress-nginx-2.13.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-2.14.0.md b/charts/ingress-nginx/changelog/helm-chart-2.14.0.md
new file mode 100644
index 0000000..2fb7a5a
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-2.14.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.14.0
+
+* [#6104](https://github.com/kubernetes/ingress-nginx/pull/6104) Misc fixes for nginx-ingress chart for better keel and prometheus-operator integration
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.13.0...ingress-nginx-2.14.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-2.15.0.md b/charts/ingress-nginx/changelog/helm-chart-2.15.0.md
new file mode 100644
index 0000000..543a559
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-2.15.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.15.0
+
+* [#6087](https://github.com/kubernetes/ingress-nginx/pull/6087) Adding parameter for externalTrafficPolicy in internal controller service spec
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.14.0...ingress-nginx-2.15.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-2.16.0.md b/charts/ingress-nginx/changelog/helm-chart-2.16.0.md
new file mode 100644
index 0000000..996f448
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-2.16.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.16.0
+
+* [#6154](https://github.com/kubernetes/ingress-nginx/pull/6154) add `topologySpreadConstraint` to controller
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.15.0...ingress-nginx-2.16.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-2.9.0.md b/charts/ingress-nginx/changelog/helm-chart-2.9.0.md
new file mode 100644
index 0000000..11c5f5f
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-2.9.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.9.0
+
+* [#5795](https://github.com/kubernetes/ingress-nginx/pull/5795) Use fully qualified images to avoid cri-o issues
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-TODO...ingress-nginx-2.9.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-2.9.1.md b/charts/ingress-nginx/changelog/helm-chart-2.9.1.md
new file mode 100644
index 0000000..7d4314d
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-2.9.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.9.1
+
+* [#5823](https://github.com/kubernetes/ingress-nginx/pull/5823) Add quoting to sysctls because numeric values need to be presented as strings (#5823)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.9.0...ingress-nginx-2.9.1
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.0.0.md b/charts/ingress-nginx/changelog/helm-chart-3.0.0.md
new file mode 100644
index 0000000..a7d50ee
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.0.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.0.0
+
+* [#6167](https://github.com/kubernetes/ingress-nginx/pull/6167) Update chart requirements
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.16.0...ingress-nginx-3.0.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.10.0.md b/charts/ingress-nginx/changelog/helm-chart-3.10.0.md
new file mode 100644
index 0000000..3369bed
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.10.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.10.0
+
+* Fix routing regression introduced in 0.41.0 with PathType Exact
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.9.0...ingress-nginx-3.10.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.10.1.md b/charts/ingress-nginx/changelog/helm-chart-3.10.1.md
new file mode 100644
index 0000000..6ff682e
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.10.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.10.1
+
+* Fix regression introduced in 0.41.0 with external authentication
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.10.0...ingress-nginx-3.10.1
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.11.0.md b/charts/ingress-nginx/changelog/helm-chart-3.11.0.md
new file mode 100644
index 0000000..69ba550
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.11.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.11.0
+
+* Support Keda Autoscaling
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.10.1...ingress-nginx-3.11.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.11.1.md b/charts/ingress-nginx/changelog/helm-chart-3.11.1.md
new file mode 100644
index 0000000..4e81f4b
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.11.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.11.1
+
+* [#6505](https://github.com/kubernetes/ingress-nginx/pull/6505) Reorder HPA resource list to work with GitOps tooling
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.11.0...ingress-nginx-3.11.1
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.12.0.md b/charts/ingress-nginx/changelog/helm-chart-3.12.0.md
new file mode 100644
index 0000000..41b9744
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.12.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.12.0
+
+* [#6514](https://github.com/kubernetes/ingress-nginx/pull/6514) Remove helm2 support and update docs
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.11.1...ingress-nginx-3.12.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.13.0.md b/charts/ingress-nginx/changelog/helm-chart-3.13.0.md
new file mode 100644
index 0000000..0855a79
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.13.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.13.0
+
+* [#6544](https://github.com/kubernetes/ingress-nginx/pull/6544) Fix default backend HPA name variable
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.12.0...ingress-nginx-3.13.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.14.0.md b/charts/ingress-nginx/changelog/helm-chart-3.14.0.md
new file mode 100644
index 0000000..e07880b
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.14.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.14.0
+
+* [#6469](https://github.com/kubernetes/ingress-nginx/pull/6469) Allow custom service names for controller and backend
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.13.0...ingress-nginx-3.14.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.15.0.md b/charts/ingress-nginx/changelog/helm-chart-3.15.0.md
new file mode 100644
index 0000000..3053a35
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.15.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.15.0
+
+* [#6586](https://github.com/kubernetes/ingress-nginx/pull/6586) Fix 'maxmindLicenseKey' location in values.yaml
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.14.0...ingress-nginx-3.15.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.15.1.md b/charts/ingress-nginx/changelog/helm-chart-3.15.1.md
new file mode 100644
index 0000000..f11ee0a
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.15.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.15.1
+
+* Fix chart-releaser action
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.15.0...ingress-nginx-3.15.1
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.16.0.md b/charts/ingress-nginx/changelog/helm-chart-3.16.0.md
new file mode 100644
index 0000000..fba30b1
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.16.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.16.0
+
+* [#6646](https://github.com/kubernetes/ingress-nginx/pull/6646) Added LoadBalancerIP value for internal service
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.15.1...helm-chart-3.16.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.16.1.md b/charts/ingress-nginx/changelog/helm-chart-3.16.1.md
new file mode 100644
index 0000000..650d1b8
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.16.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.16.1
+
+* Fix chart-releaser action
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.16.0...helm-chart-3.16.1
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.17.0.md b/charts/ingress-nginx/changelog/helm-chart-3.17.0.md
new file mode 100644
index 0000000..175c7a2
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.17.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.17.0
+
+* Update ingress-nginx v0.42.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.16.1...helm-chart-3.17.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.18.0.md b/charts/ingress-nginx/changelog/helm-chart-3.18.0.md
new file mode 100644
index 0000000..31b815e
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.18.0.md
@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.18.0
+
+* [#6688](https://github.com/kubernetes/ingress-nginx/pull/6688) Allow volume-type emptyDir in controller podsecuritypolicy
+* [#6691](https://github.com/kubernetes/ingress-nginx/pull/6691) Improve parsing of helm parameters
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.17.0...helm-chart-3.18.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.19.0.md b/charts/ingress-nginx/changelog/helm-chart-3.19.0.md
new file mode 100644
index 0000000..0970bf0
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.19.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.19.0
+
+* Update ingress-nginx v0.43.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.18.0...helm-chart-3.19.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.20.0.md b/charts/ingress-nginx/changelog/helm-chart-3.20.0.md
new file mode 100644
index 0000000..4b81ae4
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.20.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.20.0
+
+* [#6730](https://github.com/kubernetes/ingress-nginx/pull/6730) Do not create HPA for defaultBackend if not enabled.
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.19.0...helm-chart-3.20.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.20.1.md b/charts/ingress-nginx/changelog/helm-chart-3.20.1.md
new file mode 100644
index 0000000..952bf2b
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.20.1.md
@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.20.1
+
+* Do not create KEDA in case of DaemonSets.
+* Fix KEDA v2 definition
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.20.0...helm-chart-3.20.1
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.21.0.md b/charts/ingress-nginx/changelog/helm-chart-3.21.0.md
new file mode 100644
index 0000000..25edbef
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.21.0.md
@@ -0,0 +1,12 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.21.0
+
+* [#6783](https://github.com/kubernetes/ingress-nginx/pull/6783) Add custom annotations to ScaledObject
+* [#6761](https://github.com/kubernetes/ingress-nginx/pull/6761) Adding quotes in the serviceAccount name in Helm values
+* [#6767](https://github.com/kubernetes/ingress-nginx/pull/6767) Remove ClusterRole when scope option is enabled
+* [#6785](https://github.com/kubernetes/ingress-nginx/pull/6785) Update kube-webhook-certgen image to v1.5.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.20.1...helm-chart-3.21.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.22.0.md b/charts/ingress-nginx/changelog/helm-chart-3.22.0.md
new file mode 100644
index 0000000..147d664
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.22.0.md
@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.22.0
+
+* [#6802](https://github.com/kubernetes/ingress-nginx/pull/6802) Add value for configuring a custom Diffie-Hellman parameters file
+* [#6815](https://github.com/kubernetes/ingress-nginx/pull/6815) Allow use of numeric namespaces in helm chart
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.21.0...helm-chart-3.22.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.23.0.md b/charts/ingress-nginx/changelog/helm-chart-3.23.0.md
new file mode 100644
index 0000000..5dcb50f
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.23.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.23.0
+
+* Update ingress-nginx v0.44.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.22.0...helm-chart-3.23.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.24.0.md b/charts/ingress-nginx/changelog/helm-chart-3.24.0.md
new file mode 100644
index 0000000..d7db808
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.24.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.24.0
+
+* [#6908](https://github.com/kubernetes/ingress-nginx/pull/6908) Add volumes to default-backend deployment
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.23.0...helm-chart-3.24.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.25.0.md b/charts/ingress-nginx/changelog/helm-chart-3.25.0.md
new file mode 100644
index 0000000..f9679a1
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.25.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.25.0
+
+* [#6957](https://github.com/kubernetes/ingress-nginx/pull/6957) Add ability to specify automountServiceAccountToken
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.24.0...helm-chart-3.25.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.26.0.md b/charts/ingress-nginx/changelog/helm-chart-3.26.0.md
new file mode 100644
index 0000000..0c3a1df
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.26.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.26.0
+
+* [#6979](https://github.com/kubernetes/ingress-nginx/pull/6979) Changed servicePort value for metrics
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.25.0...helm-chart-3.26.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.27.0.md b/charts/ingress-nginx/changelog/helm-chart-3.27.0.md
new file mode 100644
index 0000000..8113d7b
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.27.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.27.0
+
+* Update ingress-nginx v0.45.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.26.0...helm-chart-3.27.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.28.0.md b/charts/ingress-nginx/changelog/helm-chart-3.28.0.md
new file mode 100644
index 0000000..eee0ccb
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.28.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.28.0
+
+* [#6900](https://github.com/kubernetes/ingress-nginx/pull/6900) Support existing PSPs
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.27.0...helm-chart-3.28.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.29.0.md b/charts/ingress-nginx/changelog/helm-chart-3.29.0.md
new file mode 100644
index 0000000..f0fabdc
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.29.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.29.0
+
+* [#6945](https://github.com/kubernetes/ingress-nginx/pull/7020) Add option to specify job label for ServiceMonitor
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.28.0...helm-chart-3.29.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.3.0.md b/charts/ingress-nginx/changelog/helm-chart-3.3.0.md
new file mode 100644
index 0000000..09fab37
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.3.0.md
@@ -0,0 +1,12 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.3.0
+
+* [#6203](https://github.com/kubernetes/ingress-nginx/pull/6203) Refactor parsing of key values
+* [#6162](https://github.com/kubernetes/ingress-nginx/pull/6162) Add helm chart options to expose metrics service as NodePort
+* [#6180](https://github.com/kubernetes/ingress-nginx/pull/6180) Fix helm chart admissionReviewVersions regression
+* [#6169](https://github.com/kubernetes/ingress-nginx/pull/6169) Fix Typo in example prometheus rules
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.0.0...ingress-nginx-3.3.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.3.1.md b/charts/ingress-nginx/changelog/helm-chart-3.3.1.md
new file mode 100644
index 0000000..81f44fd
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.3.1.md
@@ -0,0 +1,12 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.3.1
+
+* [#6259](https://github.com/kubernetes/ingress-nginx/pull/6259) Release helm chart
+* [#6258](https://github.com/kubernetes/ingress-nginx/pull/6258) Fix chart markdown link
+* [#6253](https://github.com/kubernetes/ingress-nginx/pull/6253) Release v0.40.0
+* [#6233](https://github.com/kubernetes/ingress-nginx/pull/6233) Add admission controller e2e test
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.3.0...ingress-nginx-3.3.1
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.30.0.md b/charts/ingress-nginx/changelog/helm-chart-3.30.0.md
new file mode 100644
index 0000000..77ad6b4
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.30.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.30.0
+
+* [#7092](https://github.com/kubernetes/ingress-nginx/pull/7092) Removes the possibility of using localhost in ExternalNames as endpoints
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.29.0...helm-chart-3.30.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.31.0.md b/charts/ingress-nginx/changelog/helm-chart-3.31.0.md
new file mode 100644
index 0000000..bc07fed
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.31.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.31.0
+
+* [7137] https://github.com/kubernetes/ingress-nginx/pull/7137 Add support for custom probes
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.30.0...helm-chart-3.31.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.32.0.md b/charts/ingress-nginx/changelog/helm-chart-3.32.0.md
new file mode 100644
index 0000000..68f7ed6
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.32.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.32.0
+
+* [7117] https://github.com/kubernetes/ingress-nginx/pull/7117 Add annotations for HPA
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.31.0...helm-chart-3.32.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.33.0.md b/charts/ingress-nginx/changelog/helm-chart-3.33.0.md
new file mode 100644
index 0000000..b56c5fc
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.33.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.33.0
+
+* [7164] https://github.com/kubernetes/ingress-nginx/pull/7164 Update nginx to v1.20.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.32.0...helm-chart-3.33.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.34.0.md b/charts/ingress-nginx/changelog/helm-chart-3.34.0.md
new file mode 100644
index 0000000..a28cd02
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.34.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.34.0
+
+* [7256] https://github.com/kubernetes/ingress-nginx/pull/7256 Add namespace field in the namespace scoped resource templates
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.33.0...helm-chart-3.34.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.4.0.md b/charts/ingress-nginx/changelog/helm-chart-3.4.0.md
new file mode 100644
index 0000000..3b4ca93
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.4.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.4.0
+
+* [#6268](https://github.com/kubernetes/ingress-nginx/pull/6268) Update to 0.40.2 in helm chart #6288
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.3.1...ingress-nginx-3.4.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.5.0.md b/charts/ingress-nginx/changelog/helm-chart-3.5.0.md
new file mode 100644
index 0000000..44991b3
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.5.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.5.0
+
+* [#6260](https://github.com/kubernetes/ingress-nginx/pull/6260) Allow Helm Chart to customize admission webhook's annotations, timeoutSeconds, namespaceSelector, objectSelector and cert files locations
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.4.0...ingress-nginx-3.5.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.5.1.md b/charts/ingress-nginx/changelog/helm-chart-3.5.1.md
new file mode 100644
index 0000000..740f00c
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.5.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.5.1
+
+* [#6299](https://github.com/kubernetes/ingress-nginx/pull/6299) Fix helm chart release
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.5.0...ingress-nginx-3.5.1
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.6.0.md b/charts/ingress-nginx/changelog/helm-chart-3.6.0.md
new file mode 100644
index 0000000..4af7f11
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.6.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.6.0
+
+* [#6305](https://github.com/kubernetes/ingress-nginx/pull/6305) Add default linux nodeSelector
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.5.1...ingress-nginx-3.6.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.7.0.md b/charts/ingress-nginx/changelog/helm-chart-3.7.0.md
new file mode 100644
index 0000000..a6b1299
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.7.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.7.0
+
+* [#6316](https://github.com/kubernetes/ingress-nginx/pull/6316) Numerals in podAnnotations in quotes [#6315](https://github.com/kubernetes/ingress-nginx/issues/6315)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.6.0...ingress-nginx-3.7.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.7.1.md b/charts/ingress-nginx/changelog/helm-chart-3.7.1.md
new file mode 100644
index 0000000..6ba12df
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.7.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.7.1
+
+* [#6326](https://github.com/kubernetes/ingress-nginx/pull/6326) Fix liveness and readiness probe path in daemonset chart
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.7.0...ingress-nginx-3.7.1
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.8.0.md b/charts/ingress-nginx/changelog/helm-chart-3.8.0.md
new file mode 100644
index 0000000..8df250a
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.8.0.md
@@ -0,0 +1,13 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.8.0
+
+* [#6395](https://github.com/kubernetes/ingress-nginx/pull/6395) Update jettech/kube-webhook-certgen image
+* [#6377](https://github.com/kubernetes/ingress-nginx/pull/6377) Added loadBalancerSourceRanges for internal lbs
+* [#6356](https://github.com/kubernetes/ingress-nginx/pull/6356) Add securitycontext settings on defaultbackend
+* [#6401](https://github.com/kubernetes/ingress-nginx/pull/6401) Fix controller service annotations
+* [#6403](https://github.com/kubernetes/ingress-nginx/pull/6403) Initial helm chart changelog
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.7.1...ingress-nginx-3.8.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-3.9.0.md b/charts/ingress-nginx/changelog/helm-chart-3.9.0.md
new file mode 100644
index 0000000..e8c9def
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-3.9.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.9.0
+
+* [#6423](https://github.com/kubernetes/ingress-nginx/pull/6423) Add Default backend HPA autoscaling
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.8.0...ingress-nginx-3.9.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.1.md b/charts/ingress-nginx/changelog/helm-chart-4.0.1.md
new file mode 100644
index 0000000..7a187b3
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.0.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.1
+
+* [7535] https://github.com/kubernetes/ingress-nginx/pull/7535 Release v1.0.0 ingress-nginx
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.34.0...helm-chart-4.0.1
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.10.md b/charts/ingress-nginx/changelog/helm-chart-4.0.10.md
new file mode 100644
index 0000000..c5d6516
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.0.10.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.10
+
+* [7964] https://github.com/kubernetes/ingress-nginx/pull/7964 Update controller version to v1.1.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.9...helm-chart-4.0.10
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.11.md b/charts/ingress-nginx/changelog/helm-chart-4.0.11.md
new file mode 100644
index 0000000..5541823
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.0.11.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.11
+
+* [7873] https://github.com/kubernetes/ingress-nginx/pull/7873 Makes the [appProtocol](https://kubernetes.io/docs/concepts/services-networking/_print/#application-protocol) field optional.
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.10...helm-chart-4.0.11
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.12.md b/charts/ingress-nginx/changelog/helm-chart-4.0.12.md
new file mode 100644
index 0000000..320f6f5
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.0.12.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.12
+
+* [7978] https://github.com/kubernetes/ingress-nginx/pull/7979 Support custom annotations in admissions Jobs
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.11...helm-chart-4.0.12
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.13.md b/charts/ingress-nginx/changelog/helm-chart-4.0.13.md
new file mode 100644
index 0000000..edd9228
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.0.13.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.13
+
+* [8008] https://github.com/kubernetes/ingress-nginx/pull/8008 Add relabelings in controller-servicemonitor.yaml
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.12...helm-chart-4.0.13
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.14.md b/charts/ingress-nginx/changelog/helm-chart-4.0.14.md
new file mode 100644
index 0000000..e927010
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.0.14.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.14
+
+* [8061] https://github.com/kubernetes/ingress-nginx/pull/8061 Using helm-docs to populate values table in README.md
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.13...helm-chart-4.0.14
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.15.md b/charts/ingress-nginx/changelog/helm-chart-4.0.15.md
new file mode 100644
index 0000000..d3d14a9
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.0.15.md
@@ -0,0 +1,43 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.15
+
+* [8120] https://github.com/kubernetes/ingress-nginx/pull/8120 Update go in runner and release v1.1.1
+* [8119] https://github.com/kubernetes/ingress-nginx/pull/8119 Update to go v1.17.6
+* [8118] https://github.com/kubernetes/ingress-nginx/pull/8118 Remove deprecated libraries, update other libs
+* [8117] https://github.com/kubernetes/ingress-nginx/pull/8117 Fix codegen errors
+* [8115] https://github.com/kubernetes/ingress-nginx/pull/8115 chart/ghaction: set the correct permission to have access to push a release
+* [8098] https://github.com/kubernetes/ingress-nginx/pull/8098 generating SHA for CA only certs in backend_ssl.go + comparison of P…
+* [8088] https://github.com/kubernetes/ingress-nginx/pull/8088 Fix Edit this page link to use main branch
+* [8072] https://github.com/kubernetes/ingress-nginx/pull/8072 Expose GeoIP2 Continent code as variable
+* [8061] https://github.com/kubernetes/ingress-nginx/pull/8061 docs(charts): using helm-docs for chart
+* [8058] https://github.com/kubernetes/ingress-nginx/pull/8058 Bump github.com/spf13/cobra from 1.2.1 to 1.3.0
+* [8054] https://github.com/kubernetes/ingress-nginx/pull/8054 Bump google.golang.org/grpc from 1.41.0 to 1.43.0
+* [8051] https://github.com/kubernetes/ingress-nginx/pull/8051 align bug report with feature request regarding kind documentation
+* [8046] https://github.com/kubernetes/ingress-nginx/pull/8046 Report expired certificates (#8045)
+* [8044] https://github.com/kubernetes/ingress-nginx/pull/8044 remove G109 check till gosec resolves issues
+* [8042] https://github.com/kubernetes/ingress-nginx/pull/8042 docs_multiple_instances_one_cluster_ticket_7543
+* [8041] https://github.com/kubernetes/ingress-nginx/pull/8041 docs: fix typo'd executable name
+* [8035] https://github.com/kubernetes/ingress-nginx/pull/8035 Comment busy owners
+* [8029] https://github.com/kubernetes/ingress-nginx/pull/8029 Add stream-snippet as a ConfigMap and Annotation option
+* [8023] https://github.com/kubernetes/ingress-nginx/pull/8023 fix nginx compilation flags
+* [8021] https://github.com/kubernetes/ingress-nginx/pull/8021 Disable default modsecurity_rules_file if modsecurity-snippet is specified
+* [8019] https://github.com/kubernetes/ingress-nginx/pull/8019 Revise main documentation page
+* [8018] https://github.com/kubernetes/ingress-nginx/pull/8018 Preserve order of plugin invocation
+* [8015] https://github.com/kubernetes/ingress-nginx/pull/8015 Add newline indenting to admission webhook annotations
+* [8014] https://github.com/kubernetes/ingress-nginx/pull/8014 Add link to example error page manifest in docs
+* [8009] https://github.com/kubernetes/ingress-nginx/pull/8009 Fix spelling in documentation and top-level files
+* [8008] https://github.com/kubernetes/ingress-nginx/pull/8008 Add relabelings in controller-servicemonitor.yaml
+* [8003] https://github.com/kubernetes/ingress-nginx/pull/8003 Minor improvements (formatting, consistency) in install guide
+* [8001] https://github.com/kubernetes/ingress-nginx/pull/8001 fix: go-grpc Dockerfile
+* [7999] https://github.com/kubernetes/ingress-nginx/pull/7999 images: use k8s-staging-test-infra/gcb-docker-gcloud
+* [7996] https://github.com/kubernetes/ingress-nginx/pull/7996 doc: improvement
+* [7983] https://github.com/kubernetes/ingress-nginx/pull/7983 Fix a couple of misspellings in the annotations documentation.
+* [7979] https://github.com/kubernetes/ingress-nginx/pull/7979 allow set annotations for admission Jobs
+* [7977] https://github.com/kubernetes/ingress-nginx/pull/7977 Add ssl_reject_handshake to default server
+* [7975] https://github.com/kubernetes/ingress-nginx/pull/7975 add legacy version update v0.50.0 to main changelog
+* [7972] https://github.com/kubernetes/ingress-nginx/pull/7972 updated service upstream definition
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.14...helm-chart-4.0.15
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.18.md b/charts/ingress-nginx/changelog/helm-chart-4.0.18.md
new file mode 100644
index 0000000..30a8f75
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.0.18.md
@@ -0,0 +1,40 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.18
+
+* [8291](https://github.com/kubernetes/ingress-nginx/pull/8291) remove git tag env from cloud build
+* [8286](https://github.com/kubernetes/ingress-nginx/pull/8286) Fix OpenTelemetry sidecar image build
+* [8277](https://github.com/kubernetes/ingress-nginx/pull/8277) Add OpenSSF Best practices badge
+* [8273](https://github.com/kubernetes/ingress-nginx/pull/8273) Issue#8241
+* [8267](https://github.com/kubernetes/ingress-nginx/pull/8267) Add fsGroup value to admission-webhooks/job-patch charts
+* [8262](https://github.com/kubernetes/ingress-nginx/pull/8262) Updated confusing error
+* [8256](https://github.com/kubernetes/ingress-nginx/pull/8256) fix: deny locations with invalid auth-url annotation
+* [8253](https://github.com/kubernetes/ingress-nginx/pull/8253) Add a certificate info metric
+* [8236](https://github.com/kubernetes/ingress-nginx/pull/8236) webhook: remove useless code.
+* [8227](https://github.com/kubernetes/ingress-nginx/pull/8227) Update libraries in webhook image
+* [8225](https://github.com/kubernetes/ingress-nginx/pull/8225) fix inconsistent-label-cardinality for prometheus metrics: nginx_ingress_controller_requests
+* [8221](https://github.com/kubernetes/ingress-nginx/pull/8221) Do not validate ingresses with unknown ingress class in admission webhook endpoint
+* [8210](https://github.com/kubernetes/ingress-nginx/pull/8210) Bump github.com/prometheus/client_golang from 1.11.0 to 1.12.1
+* [8209](https://github.com/kubernetes/ingress-nginx/pull/8209) Bump google.golang.org/grpc from 1.43.0 to 1.44.0
+* [8204](https://github.com/kubernetes/ingress-nginx/pull/8204) Add Artifact Hub lint
+* [8203](https://github.com/kubernetes/ingress-nginx/pull/8203) Fix Indentation of example and link to cert-manager tutorial
+* [8201](https://github.com/kubernetes/ingress-nginx/pull/8201) feat(metrics): add path and method labels to requests countera
+* [8199](https://github.com/kubernetes/ingress-nginx/pull/8199) use functional options to reduce number of methods creating an EchoDeployment
+* [8196](https://github.com/kubernetes/ingress-nginx/pull/8196) docs: fix inconsistent controller annotation
+* [8191](https://github.com/kubernetes/ingress-nginx/pull/8191) Using Go install for misspell
+* [8186](https://github.com/kubernetes/ingress-nginx/pull/8186) prometheus+grafana using servicemonitor
+* [8185](https://github.com/kubernetes/ingress-nginx/pull/8185) Append elements on match, instead of removing for cors-annotations
+* [8179](https://github.com/kubernetes/ingress-nginx/pull/8179) Bump github.com/opencontainers/runc from 1.0.3 to 1.1.0
+* [8173](https://github.com/kubernetes/ingress-nginx/pull/8173) Adding annotations to the controller service account
+* [8163](https://github.com/kubernetes/ingress-nginx/pull/8163) Update the $req_id placeholder description
+* [8162](https://github.com/kubernetes/ingress-nginx/pull/8162) Versioned static manifests
+* [8159](https://github.com/kubernetes/ingress-nginx/pull/8159) Adding some geoip variables and default values
+* [8155](https://github.com/kubernetes/ingress-nginx/pull/8155) #7271 feat: avoid-pdb-creation-when-default-backend-disabled-and-replicas-gt-1
+* [8151](https://github.com/kubernetes/ingress-nginx/pull/8151) Automatically generate helm docs
+* [8143](https://github.com/kubernetes/ingress-nginx/pull/8143) Allow to configure delay before controller exits
+* [8136](https://github.com/kubernetes/ingress-nginx/pull/8136) add ingressClass option to helm chart - back compatibility with ingress.class annotations
+* [8126](https://github.com/kubernetes/ingress-nginx/pull/8126) Example for JWT
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.15...helm-chart-4.0.18
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.2.md b/charts/ingress-nginx/changelog/helm-chart-4.0.2.md
new file mode 100644
index 0000000..9dbd003
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.0.2.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.2
+
+* [7681] https://github.com/kubernetes/ingress-nginx/pull/7681 Release v1.0.1 of ingress-nginx
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.1...helm-chart-4.0.2
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.3.md b/charts/ingress-nginx/changelog/helm-chart-4.0.3.md
new file mode 100644
index 0000000..09b89f6
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.0.3.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.3
+
+* [7707] https://github.com/kubernetes/ingress-nginx/pull/7707 Release v1.0.2 of ingress-nginx
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.2...helm-chart-4.0.3
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.5.md b/charts/ingress-nginx/changelog/helm-chart-4.0.5.md
new file mode 100644
index 0000000..be67704
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.0.5.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.5
+
+* [7740] https://github.com/kubernetes/ingress-nginx/pull/7740 Release v1.0.3 of ingress-nginx
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.3...helm-chart-4.0.5
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.6.md b/charts/ingress-nginx/changelog/helm-chart-4.0.6.md
new file mode 100644
index 0000000..25276e2
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.0.6.md
@@ -0,0 +1,12 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.6
+
+* [7804] https://github.com/kubernetes/ingress-nginx/pull/7804 Release v1.0.4 of ingress-nginx
+* [7651] https://github.com/kubernetes/ingress-nginx/pull/7651 Support ipFamilyPolicy and ipFamilies fields in Helm Chart
+* [7798] https://github.com/kubernetes/ingress-nginx/pull/7798 Exoscale: use HTTP Healthcheck mode
+* [7793] https://github.com/kubernetes/ingress-nginx/pull/7793 Update kube-webhook-certgen to v1.1.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.5...helm-chart-4.0.6
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.7.md b/charts/ingress-nginx/changelog/helm-chart-4.0.7.md
new file mode 100644
index 0000000..50fd922
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.0.7.md
@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.7
+
+* [7923] https://github.com/kubernetes/ingress-nginx/pull/7923 Release v1.0.5 of ingress-nginx
+* [7806] https://github.com/kubernetes/ingress-nginx/pull/7806 Choice option for internal/external loadbalancer type service
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.6...helm-chart-4.0.7
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.9.md b/charts/ingress-nginx/changelog/helm-chart-4.0.9.md
new file mode 100644
index 0000000..f2f725c
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.0.9.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.9
+
+* [6992] https://github.com/kubernetes/ingress-nginx/pull/6992 Add ability to specify labels for all resources
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.7...helm-chart-4.0.9
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.1.0.md b/charts/ingress-nginx/changelog/helm-chart-4.1.0.md
new file mode 100644
index 0000000..24aaf49
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.1.0.md
@@ -0,0 +1,21 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.1.0
+
+* [8481](https://github.com/kubernetes/ingress-nginx/pull/8481) Fix log creation in chroot script
+* [8479](https://github.com/kubernetes/ingress-nginx/pull/8479) changed nginx base img tag to img built with alpine3.14.6
+* [8478](https://github.com/kubernetes/ingress-nginx/pull/8478) update base images and protobuf gomod
+* [8468](https://github.com/kubernetes/ingress-nginx/pull/8468) Fallback to ngx.var.scheme for redirectScheme with use-forward-headers when X-Forwarded-Proto is empty
+* [8456](https://github.com/kubernetes/ingress-nginx/pull/8456) Implement object deep inspector
+* [8455](https://github.com/kubernetes/ingress-nginx/pull/8455) Update dependencies
+* [8454](https://github.com/kubernetes/ingress-nginx/pull/8454) Update index.md
+* [8447](https://github.com/kubernetes/ingress-nginx/pull/8447) typo fixing
+* [8446](https://github.com/kubernetes/ingress-nginx/pull/8446) Fix suggested annotation-value-word-blocklist
+* [8444](https://github.com/kubernetes/ingress-nginx/pull/8444) replace deprecated topology key in example with current one
+* [8443](https://github.com/kubernetes/ingress-nginx/pull/8443) Add dependency review enforcement
+* [8434](https://github.com/kubernetes/ingress-nginx/pull/8434) added new auth-tls-match-cn annotation
+* [8426](https://github.com/kubernetes/ingress-nginx/pull/8426) Bump github.com/prometheus/common from 0.32.1 to 0.33.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.18...helm-chart-4.1.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.1.2.md b/charts/ingress-nginx/changelog/helm-chart-4.1.2.md
new file mode 100644
index 0000000..2061855
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.1.2.md
@@ -0,0 +1,11 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.1.2
+
+* [8587](https://github.com/kubernetes/ingress-nginx/pull/8587) Add CAP_SYS_CHROOT to DS/PSP when needed
+* [8458](https://github.com/kubernetes/ingress-nginx/pull/8458) Add portNamePrefix Helm chart parameter
+* [8522](https://github.com/kubernetes/ingress-nginx/pull/8522) Add documentation for controller.service.loadBalancerIP in Helm chart
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.1.0...helm-chart-4.1.2
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.10.0.md b/charts/ingress-nginx/changelog/helm-chart-4.10.0.md
new file mode 100644
index 0000000..a1f1847
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.10.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.10.0
+
+* - "Update Ingress-Nginx version controller-v1.10.0"
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.9.1...helm-chart-4.10.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.10.1.md b/charts/ingress-nginx/changelog/helm-chart-4.10.1.md
new file mode 100644
index 0000000..3a28de0
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.10.1.md
@@ -0,0 +1,11 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.10.1
+
+* - "update post submit helm ci and clean up (#11221)"
+* - "refactor helm ci tests part I (#11188)"
+* - "Update Ingress-Nginx version controller-v1.10.1"
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.0...helm-chart-4.10.1
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.10.2.md b/charts/ingress-nginx/changelog/helm-chart-4.10.2.md
new file mode 100644
index 0000000..399bd98
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.10.2.md
@@ -0,0 +1,18 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.10.2
+
+* Chores: Align security contacts & chart maintainers to actual owners. (#11480)
+* Fix helm install on cloud provider admonition block (#11412)
+* edited helm-install tips (#11411)
+* added info for aws helm install (#11410)
+* add workflow to helm release and update ct for branch (#11317)
+* Merge pull request #11277 from strongjz/chart-1.10.1 (#11314)
+* release helm chart from release branch (#11278)
+* update post submit helm ci and clean up (#11221)
+* refactor helm ci tests part I (#11188)
+* Update Ingress-Nginx version controller-v1.10.2
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.1...helm-chart-4.10.2
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.10.3.md b/charts/ingress-nginx/changelog/helm-chart-4.10.3.md
new file mode 100644
index 0000000..3f77d40
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.10.3.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.10.3
+
+* Update Ingress-Nginx version controller-v1.10.3
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.2...helm-chart-4.10.3
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.10.4.md b/charts/ingress-nginx/changelog/helm-chart-4.10.4.md
new file mode 100644
index 0000000..661d3c9
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.10.4.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.10.4
+
+* Update Ingress-Nginx version controller-v1.10.4
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.3...helm-chart-4.10.4
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.11.0.md b/charts/ingress-nginx/changelog/helm-chart-4.11.0.md
new file mode 100644
index 0000000..64108c0
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.11.0.md
@@ -0,0 +1,18 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.11.0
+
+* Chores: Align security contacts & chart maintainers to actual owners. (#11465)
+* Merge pull request #11277 from strongjz/chart-1.10.1 (#11415)
+* Fix helm install on cloud provider admonition block (#11394)
+* edited helm-install tips (#11393)
+* added info for aws helm install (#11390)
+* add workflow to helm release and update ct for branch (#11378)
+* release helm chart from release branch (#11276)
+* update post submit helm ci and clean up (#11220)
+* refactor helm ci tests part I (#11178)
+* Update Ingress-Nginx version controller-v1.11.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.2...helm-chart-4.11.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.11.1.md b/charts/ingress-nginx/changelog/helm-chart-4.11.1.md
new file mode 100644
index 0000000..281513e
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.11.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.11.1
+
+* Update Ingress-Nginx version controller-v1.11.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.0...helm-chart-4.11.1
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.11.2.md b/charts/ingress-nginx/changelog/helm-chart-4.11.2.md
new file mode 100644
index 0000000..c7645a5
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.11.2.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.11.2
+
+* Update Ingress-Nginx version controller-v1.11.2
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.1...helm-chart-4.11.2
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.12.0-beta.0.md b/charts/ingress-nginx/changelog/helm-chart-4.12.0-beta.0.md
new file mode 100644
index 0000000..fa980f1
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.12.0-beta.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.12.0-beta.0
+
+* Update Ingress-Nginx version controller-v1.12.0-beta.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.0...helm-chart-4.12.0-beta.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.12.0.md b/charts/ingress-nginx/changelog/helm-chart-4.12.0.md
new file mode 100644
index 0000000..f8f36d4
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.12.0.md
@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.12.0
+
+* CI: Fix chart testing. (#12258)
+* Update Ingress-Nginx version controller-v1.12.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.0...helm-chart-4.12.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.12.1.md b/charts/ingress-nginx/changelog/helm-chart-4.12.1.md
new file mode 100644
index 0000000..4d44373
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.12.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.12.1
+
+* Update Ingress-Nginx version controller-v1.12.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.12.0...helm-chart-4.12.1
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.2.0.md b/charts/ingress-nginx/changelog/helm-chart-4.2.0.md
new file mode 100644
index 0000000..2074a09
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.2.0.md
@@ -0,0 +1,47 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.2.0
+
+* Support for Kubernetes v1.19.0 was removed
+* [8810](https://github.com/kubernetes/ingress-nginx/pull/8810) Prepare for v1.3.0
+* [8808](https://github.com/kubernetes/ingress-nginx/pull/8808) revert arch var name
+* [8805](https://github.com/kubernetes/ingress-nginx/pull/8805) Bump k8s.io/klog/v2 from 2.60.1 to 2.70.1
+* [8803](https://github.com/kubernetes/ingress-nginx/pull/8803) Update to nginx base with alpine v3.16
+* [8802](https://github.com/kubernetes/ingress-nginx/pull/8802) chore: start v1.3.0 release process
+* [8798](https://github.com/kubernetes/ingress-nginx/pull/8798) Add v1.24.0 to test matrix
+* [8796](https://github.com/kubernetes/ingress-nginx/pull/8796) fix: add MAC_OS variable for static-check
+* [8793](https://github.com/kubernetes/ingress-nginx/pull/8793) changed to alpine-v3.16
+* [8781](https://github.com/kubernetes/ingress-nginx/pull/8781) Bump github.com/stretchr/testify from 1.7.5 to 1.8.0
+* [8778](https://github.com/kubernetes/ingress-nginx/pull/8778) chore: remove stable.txt from release process
+* [8775](https://github.com/kubernetes/ingress-nginx/pull/8775) Remove stable
+* [8773](https://github.com/kubernetes/ingress-nginx/pull/8773) Bump github/codeql-action from 2.1.14 to 2.1.15
+* [8772](https://github.com/kubernetes/ingress-nginx/pull/8772) Bump ossf/scorecard-action from 1.1.1 to 1.1.2
+* [8771](https://github.com/kubernetes/ingress-nginx/pull/8771) fix bullet md format
+* [8770](https://github.com/kubernetes/ingress-nginx/pull/8770) Add condition for monitoring.coreos.com/v1 API
+* [8769](https://github.com/kubernetes/ingress-nginx/pull/8769) Fix typos and add links to developer guide
+* [8767](https://github.com/kubernetes/ingress-nginx/pull/8767) change v1.2.0 to v1.2.1 in deploy doc URLs
+* [8765](https://github.com/kubernetes/ingress-nginx/pull/8765) Bump github/codeql-action from 1.0.26 to 2.1.14
+* [8752](https://github.com/kubernetes/ingress-nginx/pull/8752) Bump github.com/spf13/cobra from 1.4.0 to 1.5.0
+* [8751](https://github.com/kubernetes/ingress-nginx/pull/8751) Bump github.com/stretchr/testify from 1.7.2 to 1.7.5
+* [8750](https://github.com/kubernetes/ingress-nginx/pull/8750) added announcement
+* [8740](https://github.com/kubernetes/ingress-nginx/pull/8740) change sha e2etestrunner and echoserver
+* [8738](https://github.com/kubernetes/ingress-nginx/pull/8738) Update docs to make it easier for noobs to follow step by step
+* [8737](https://github.com/kubernetes/ingress-nginx/pull/8737) updated baseimage sha
+* [8736](https://github.com/kubernetes/ingress-nginx/pull/8736) set ld-musl-path
+* [8733](https://github.com/kubernetes/ingress-nginx/pull/8733) feat: migrate leaderelection lock to leases
+* [8726](https://github.com/kubernetes/ingress-nginx/pull/8726) prometheus metric: upstream_latency_seconds
+* [8720](https://github.com/kubernetes/ingress-nginx/pull/8720) Ci pin deps
+* [8719](https://github.com/kubernetes/ingress-nginx/pull/8719) Working OpenTelemetry sidecar (base nginx image)
+* [8714](https://github.com/kubernetes/ingress-nginx/pull/8714) Create Openssf scorecard
+* [8708](https://github.com/kubernetes/ingress-nginx/pull/8708) Bump github.com/prometheus/common from 0.34.0 to 0.35.0
+* [8703](https://github.com/kubernetes/ingress-nginx/pull/8703) Bump actions/dependency-review-action from 1 to 2
+* [8701](https://github.com/kubernetes/ingress-nginx/pull/8701) Fix several typos
+* [8699](https://github.com/kubernetes/ingress-nginx/pull/8699) fix the gosec test and a make target for it
+* [8698](https://github.com/kubernetes/ingress-nginx/pull/8698) Bump actions/upload-artifact from 2.3.1 to 3.1.0
+* [8697](https://github.com/kubernetes/ingress-nginx/pull/8697) Bump actions/setup-go from 2.2.0 to 3.2.0
+* [8695](https://github.com/kubernetes/ingress-nginx/pull/8695) Bump actions/download-artifact from 2 to 3
+* [8694](https://github.com/kubernetes/ingress-nginx/pull/8694) Bump crazy-max/ghaction-docker-buildx from 1.6.2 to 3.3.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.1.2...helm-chart-4.2.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.2.1.md b/charts/ingress-nginx/changelog/helm-chart-4.2.1.md
new file mode 100644
index 0000000..7965bb1
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.2.1.md
@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.2.1
+
+* The sha of kube-webhook-certgen image & the opentelemetry image, in values file, was changed to new images built on alpine-v3.16.1
+* [8896](https://github.com/kubernetes/ingress-nginx/pull/8896) updated to new images built today
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.2.0...helm-chart-4.2.1
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.3.0.md b/charts/ingress-nginx/changelog/helm-chart-4.3.0.md
new file mode 100644
index 0000000..f9dca22
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.3.0.md
@@ -0,0 +1,14 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.3.0
+
+* Support for Kubernetes v.1.25.0 was added and support for endpoint slices
+* Support for Kubernetes v1.20.0 and v1.21.0 was removed
+* [8890](https://github.com/kubernetes/ingress-nginx/pull/8890) migrate to endpointslices
+* [9059](https://github.com/kubernetes/ingress-nginx/pull/9059) kubewebhookcertgen sha change after go1191
+* [9046](https://github.com/kubernetes/ingress-nginx/pull/9046) Parameterize metrics port name
+* [9104](https://github.com/kubernetes/ingress-nginx/pull/9104) Fix yaml formatting error with multiple annotations
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.2.1...helm-chart-4.3.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.4.0.md b/charts/ingress-nginx/changelog/helm-chart-4.4.0.md
new file mode 100644
index 0000000..20f9e23
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.4.0.md
@@ -0,0 +1,12 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.4.0
+
+* Adding support for disabling liveness and readiness probes to the Helm chart by @njegosrailic in https://github.com/kubernetes/ingress-nginx/pull/9238
+* add:(admission-webhooks) ability to set securityContext by @ybelMekk in https://github.com/kubernetes/ingress-nginx/pull/9186
+* #7652 - Updated Helm chart to use the fullname for the electionID if not specified. by @FutureMatt in https://github.com/kubernetes/ingress-nginx/pull/9133
+* Rename controller-wehbooks-networkpolicy.yaml. by @Gacko in https://github.com/kubernetes/ingress-nginx/pull/9123
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.3.0...helm-chart-4.4.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.5.2.md b/charts/ingress-nginx/changelog/helm-chart-4.5.2.md
new file mode 100644
index 0000000..b6d8a3b
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.5.2.md
@@ -0,0 +1,13 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.5.2
+
+* add lint on chart before release (#9570)
+* ci: remove setup-helm step (#9404)
+* feat(helm): Optionally use cert-manager instead admission patch (#9279)
+* run helm release on main only and when the chart/value changes only (#9290)
+* Update Ingress-Nginx version controller-v1.6.4
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.4.3...helm-chart-4.5.2
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.6.0.md b/charts/ingress-nginx/changelog/helm-chart-4.6.0.md
new file mode 100644
index 0000000..469aaba
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.6.0.md
@@ -0,0 +1,24 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.5.3
+
+* docs(helm): fix value key in readme for enabling certManager (#9640)
+* Upgrade alpine 3.17.2
+* Upgrade golang 1.20
+* Drop testing/support for Kubernetes 1.23
+* docs(helm): fix value key in readme for enabling certManager (#9640)
+* Update Ingress-Nginx version controller-v1.7.0
+* feat: OpenTelemetry module integration (#9062)
+* canary-weight-total annotation ignored in rule backends (#9729)
+* fix controller psp's volume config (#9740)
+* Fix several Helm YAML issues with extraModules and extraInitContainers (#9709)
+* Chart: Drop `controller.headers`, rework DH param secret. (#9659)
+* Deployment/DaemonSet: Label pods using `ingress-nginx.labels`. (#9732)
+* HPA: autoscaling/v2beta1 deprecated, bump apiVersion to v2 for defaultBackend (#9731)
+* Fix incorrect annotation name in upstream hashing configuration (#9617)
+
+* Update Ingress-Nginx version controller-v1.7.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.5.2...helm-chart-4.6.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.6.1.md b/charts/ingress-nginx/changelog/helm-chart-4.6.1.md
new file mode 100644
index 0000000..57d99b8
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.6.1.md
@@ -0,0 +1,11 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.6.1
+
+* [helm] Support custom port configuration for internal service (#9846)
+* Adding resource type to default HPA configuration to resolve issues with Terraform helm chart usage (#9803)
+* Update Ingress-Nginx version controller-v1.7.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.6.0...helm-chart-4.6.1
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.7.0.md b/charts/ingress-nginx/changelog/helm-chart-4.7.0.md
new file mode 100644
index 0000000..9d54070
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.7.0.md
@@ -0,0 +1,14 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.7.0
+
+* helm: Fix opentelemetry module installation for daemonset (#9792)
+* Update charts/* to keep project name display aligned (#9931)
+* HPA: Use capabilities & align manifests. (#9521)
+* PodDisruptionBudget spec logic update (#9904)
+* add option for annotations in PodDisruptionBudget (#9843)
+* Update Ingress-Nginx version controller-v1.8.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.6.1...helm-chart-4.7.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.7.1.md b/charts/ingress-nginx/changelog/helm-chart-4.7.1.md
new file mode 100644
index 0000000..4d69a71
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.7.1.md
@@ -0,0 +1,12 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.7.1
+
+* Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406)
+* feat(helm): Add loadBalancerClass (#9562)
+* added helmshowvalues example (#10019)
+* Update Ingress-Nginx version controller-v1.8.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.0...helm-chart-4.7.1
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.7.2.md b/charts/ingress-nginx/changelog/helm-chart-4.7.2.md
new file mode 100644
index 0000000..57b17b9
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.7.2.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.7.2
+
+* Update Ingress-Nginx version controller-v1.8.2
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.1...helm-chart-4.7.2
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.8.0-beta.0.md b/charts/ingress-nginx/changelog/helm-chart-4.8.0-beta.0.md
new file mode 100644
index 0000000..9072a75
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.8.0-beta.0.md
@@ -0,0 +1,13 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.8.0-beta.0
+
+* ci(helm): fix Helm Chart release action 422 error (#10237)
+* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249)
+* [helm] configure allow to configure hostAliases (#10180)
+* [helm] pass service annotations through helm tpl engine (#10084)
+* Update Ingress-Nginx version controller-v1.9.0-beta.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.2...helm-chart-4.8.0-beta.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.8.0.md b/charts/ingress-nginx/changelog/helm-chart-4.8.0.md
new file mode 100644
index 0000000..af8f124
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.8.0.md
@@ -0,0 +1,13 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.8.0
+
+* ci(helm): fix Helm Chart release action 422 error (#10237)
+* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249)
+* [helm] configure allow to configure hostAliases (#10180)
+* [helm] pass service annotations through helm tpl engine (#10084)
+* Update Ingress-Nginx version controller-v1.9.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.2...helm-chart-4.8.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.8.1.md b/charts/ingress-nginx/changelog/helm-chart-4.8.1.md
new file mode 100644
index 0000000..53a4493
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.8.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.8.1
+
+* Update Ingress-Nginx version controller-v1.9.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.0...helm-chart-4.8.1
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.8.2.md b/charts/ingress-nginx/changelog/helm-chart-4.8.2.md
new file mode 100644
index 0000000..9957c1a
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.8.2.md
@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.8.2
+
+* update nginx base, httpbun, e2e, helm webhook cert gen (#10506)
+* Update Ingress-Nginx version controller-v1.9.3
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.1...helm-chart-4.8.2
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.8.3.md b/charts/ingress-nginx/changelog/helm-chart-4.8.3.md
new file mode 100644
index 0000000..b8d4d56
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.8.3.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.8.3
+
+* Update Ingress-Nginx version controller-v1.9.4
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.2...helm-chart-4.8.3
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.9.0.md b/charts/ingress-nginx/changelog/helm-chart-4.9.0.md
new file mode 100644
index 0000000..5c77298
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.9.0.md
@@ -0,0 +1,13 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.9.0
+
+* - "Add controller.metrics.serviceMonitor.annotations in Helm chart"
+* - "fix(labels): use complete labels variable on default-backend deployment"
+* - "chart: allow setting allocateLoadBalancerNodePorts (#10693)"
+* - "[release-1.9] feat(helm): add documentation about metric args (#10695)"
+* - "Update Ingress-Nginx version controller-v1.9.5"
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.3...helm-chart-4.9.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.9.1.md b/charts/ingress-nginx/changelog/helm-chart-4.9.1.md
new file mode 100644
index 0000000..c6120e7
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.9.1.md
@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.9.1
+
+* - "update web hook cert gen to latest release v20231226-1a7112e06"
+* - "Update Ingress-Nginx version controller-v1.9.6"
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.9.0...helm-chart-4.9.1
diff --git a/charts/ingress-nginx/changelog/helm-chart.md.gotmpl b/charts/ingress-nginx/changelog/helm-chart.md.gotmpl
new file mode 100644
index 0000000..ef5add5
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart.md.gotmpl
@@ -0,0 +1,11 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### {{ .NewHelmChartVersion }}
+{{ with .HelmUpdates }}
+{{- range . }}
+* {{ . }}
+{{- end }}
+{{ end }}
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-{{ .PreviousHelmChartVersion }}...helm-chart-{{ .NewHelmChartVersion }}
diff --git a/charts/ingress-nginx/ci/deamonset-webhook-values.yaml b/charts/ingress-nginx/ci/admission-webhooks-cert-manager-values.yaml
similarity index 79%
copy from charts/ingress-nginx/ci/deamonset-webhook-values.yaml
copy to charts/ingress-nginx/ci/admission-webhooks-cert-manager-values.yaml
index 54d364d..7eafd0c 100644
--- a/charts/ingress-nginx/ci/deamonset-webhook-values.yaml
+++ b/charts/ingress-nginx/ci/admission-webhooks-cert-manager-values.yaml
@@ -1,10 +1,12 @@
controller:
- kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
- admissionWebhooks:
- enabled: true
+
service:
type: ClusterIP
+
+ admissionWebhooks:
+ certManager:
+ enabled: true
diff --git a/charts/ingress-nginx/ci/deployment-psp-values.yaml b/charts/ingress-nginx/ci/controller-configmap-addheaders-values.yaml
similarity index 76%
copy from charts/ingress-nginx/ci/deployment-psp-values.yaml
copy to charts/ingress-nginx/ci/controller-configmap-addheaders-values.yaml
index 2f332a7..460a610 100644
--- a/charts/ingress-nginx/ci/deployment-psp-values.yaml
+++ b/charts/ingress-nginx/ci/controller-configmap-addheaders-values.yaml
@@ -3,8 +3,9 @@
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
+
service:
type: ClusterIP
-podSecurityPolicy:
- enabled: true
+ addHeaders:
+ X-Frame-Options: deny
diff --git a/charts/ingress-nginx/ci/deployment-psp-values.yaml b/charts/ingress-nginx/ci/controller-configmap-proxyheaders-values.yaml
similarity index 73%
copy from charts/ingress-nginx/ci/deployment-psp-values.yaml
copy to charts/ingress-nginx/ci/controller-configmap-proxyheaders-values.yaml
index 2f332a7..e23a13c 100644
--- a/charts/ingress-nginx/ci/deployment-psp-values.yaml
+++ b/charts/ingress-nginx/ci/controller-configmap-proxyheaders-values.yaml
@@ -3,8 +3,9 @@
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
+
service:
type: ClusterIP
-podSecurityPolicy:
- enabled: true
+ proxySetHeaders:
+ X-Forwarded-Proto: https
diff --git a/charts/ingress-nginx/ci/deployment-psp-values.yaml b/charts/ingress-nginx/ci/controller-configmap-values.yaml
similarity index 76%
copy from charts/ingress-nginx/ci/deployment-psp-values.yaml
copy to charts/ingress-nginx/ci/controller-configmap-values.yaml
index 2f332a7..a702989 100644
--- a/charts/ingress-nginx/ci/deployment-psp-values.yaml
+++ b/charts/ingress-nginx/ci/controller-configmap-values.yaml
@@ -3,8 +3,9 @@
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
+
service:
type: ClusterIP
-podSecurityPolicy:
- enabled: true
+ config:
+ use-proxy-protocol: "true"
diff --git a/charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml b/charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml
deleted file mode 100644
index b28a232..0000000
--- a/charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-controller:
- watchIngressWithoutClass: true
- ingressClassResource:
- name: custom-nginx
- enabled: true
- default: true
- controllerValue: "k8s.io/custom-nginx"
diff --git a/charts/ingress-nginx/ci/deamonset-webhook-values.yaml b/charts/ingress-nginx/ci/controller-daemonset-metrics-values.yaml
similarity index 88%
rename from charts/ingress-nginx/ci/deamonset-webhook-values.yaml
rename to charts/ingress-nginx/ci/controller-daemonset-metrics-values.yaml
index 54d364d..7a98580 100644
--- a/charts/ingress-nginx/ci/deamonset-webhook-values.yaml
+++ b/charts/ingress-nginx/ci/controller-daemonset-metrics-values.yaml
@@ -1,10 +1,13 @@
controller:
- kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
- admissionWebhooks:
- enabled: true
+
service:
type: ClusterIP
+
+ kind: DaemonSet
+
+ metrics:
+ enabled: true
diff --git a/charts/ingress-nginx/ci/daemonset-podannotations-values.yaml b/charts/ingress-nginx/ci/controller-daemonset-podannotations-values.yaml
similarity index 81%
rename from charts/ingress-nginx/ci/daemonset-podannotations-values.yaml
rename to charts/ingress-nginx/ci/controller-daemonset-podannotations-values.yaml
index 0b55306..405992e 100644
--- a/charts/ingress-nginx/ci/daemonset-podannotations-values.yaml
+++ b/charts/ingress-nginx/ci/controller-daemonset-podannotations-values.yaml
@@ -1,17 +1,16 @@
controller:
- kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
- admissionWebhooks:
- enabled: false
- metrics:
- enabled: true
+
service:
type: ClusterIP
+
+ kind: DaemonSet
+
podAnnotations:
- prometheus.io/path: /metrics
+ prometheus.io/scrape: "true"
prometheus.io/port: "10254"
prometheus.io/scheme: http
- prometheus.io/scrape: "true"
+ prometheus.io/path: /metrics
diff --git a/charts/ingress-nginx/ci/deployment-psp-values.yaml b/charts/ingress-nginx/ci/controller-daemonset-values.yaml
similarity index 79%
rename from charts/ingress-nginx/ci/deployment-psp-values.yaml
rename to charts/ingress-nginx/ci/controller-daemonset-values.yaml
index 2f332a7..d34025c 100644
--- a/charts/ingress-nginx/ci/deployment-psp-values.yaml
+++ b/charts/ingress-nginx/ci/controller-daemonset-values.yaml
@@ -3,8 +3,8 @@
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
+
service:
type: ClusterIP
-podSecurityPolicy:
- enabled: true
+ kind: DaemonSet
diff --git a/charts/ingress-nginx/ci/deployment-webhook-values.yaml b/charts/ingress-nginx/ci/controller-deployment-metrics-values.yaml
similarity index 81%
rename from charts/ingress-nginx/ci/deployment-webhook-values.yaml
rename to charts/ingress-nginx/ci/controller-deployment-metrics-values.yaml
index 76669a5..9c95d34 100644
--- a/charts/ingress-nginx/ci/deployment-webhook-values.yaml
+++ b/charts/ingress-nginx/ci/controller-deployment-metrics-values.yaml
@@ -3,7 +3,11 @@
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
- admissionWebhooks:
- enabled: true
+
service:
type: ClusterIP
+
+ kind: Deployment
+
+ metrics:
+ enabled: true
diff --git a/charts/ingress-nginx/ci/deployment-podannotations-values.yaml b/charts/ingress-nginx/ci/controller-deployment-podannotations-values.yaml
similarity index 80%
rename from charts/ingress-nginx/ci/deployment-podannotations-values.yaml
rename to charts/ingress-nginx/ci/controller-deployment-podannotations-values.yaml
index b48d93c..cf1f261 100644
--- a/charts/ingress-nginx/ci/deployment-podannotations-values.yaml
+++ b/charts/ingress-nginx/ci/controller-deployment-podannotations-values.yaml
@@ -3,14 +3,14 @@
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
- admissionWebhooks:
- enabled: false
- metrics:
- enabled: true
+
service:
type: ClusterIP
+
+ kind: Deployment
+
podAnnotations:
- prometheus.io/path: /metrics
+ prometheus.io/scrape: "true"
prometheus.io/port: "10254"
prometheus.io/scheme: http
- prometheus.io/scrape: "true"
+ prometheus.io/path: /metrics
diff --git a/charts/ingress-nginx/ci/deployment-psp-values.yaml b/charts/ingress-nginx/ci/controller-deployment-values.yaml
similarity index 79%
copy from charts/ingress-nginx/ci/deployment-psp-values.yaml
copy to charts/ingress-nginx/ci/controller-deployment-values.yaml
index 2f332a7..1b092dc 100644
--- a/charts/ingress-nginx/ci/deployment-psp-values.yaml
+++ b/charts/ingress-nginx/ci/controller-deployment-values.yaml
@@ -3,8 +3,8 @@
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
+
service:
type: ClusterIP
-podSecurityPolicy:
- enabled: true
+ kind: Deployment
diff --git a/charts/ingress-nginx/ci/deployment-autoscaling-behavior-values.yaml b/charts/ingress-nginx/ci/controller-hpa-values.yaml
similarity index 71%
rename from charts/ingress-nginx/ci/deployment-autoscaling-behavior-values.yaml
rename to charts/ingress-nginx/ci/controller-hpa-values.yaml
index dca3f35..54a0d2f 100644
--- a/charts/ingress-nginx/ci/deployment-autoscaling-behavior-values.yaml
+++ b/charts/ingress-nginx/ci/controller-hpa-values.yaml
@@ -1,4 +1,12 @@
controller:
+ image:
+ repository: ingress-controller/controller
+ tag: 1.0.0-dev
+ digest: null
+
+ service:
+ type: ClusterIP
+
autoscaling:
enabled: true
behavior:
@@ -8,7 +16,3 @@
- type: Pods
value: 1
periodSeconds: 180
- admissionWebhooks:
- enabled: false
- service:
- type: ClusterIP
diff --git a/charts/ingress-nginx/ci/controller-ingressclass-values.yaml b/charts/ingress-nginx/ci/controller-ingressclass-values.yaml
new file mode 100644
index 0000000..c06429f
--- /dev/null
+++ b/charts/ingress-nginx/ci/controller-ingressclass-values.yaml
@@ -0,0 +1,15 @@
+controller:
+ image:
+ repository: ingress-controller/controller
+ tag: 1.0.0-dev
+ digest: null
+
+ service:
+ type: ClusterIP
+
+ ingressClassResource:
+ name: custom-nginx
+ default: true
+ controllerValue: k8s.io/custom-nginx
+
+ watchIngressWithoutClass: true
diff --git a/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml b/charts/ingress-nginx/ci/controller-service-internal-values.yaml
similarity index 86%
rename from charts/ingress-nginx/ci/deployment-internal-lb-values.yaml
rename to charts/ingress-nginx/ci/controller-service-internal-values.yaml
index fd8df8d..11108fb 100644
--- a/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml
+++ b/charts/ingress-nginx/ci/controller-service-internal-values.yaml
@@ -3,10 +3,10 @@
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
- admissionWebhooks:
- enabled: false
+
service:
type: ClusterIP
+
internal:
enabled: true
annotations:
diff --git a/charts/ingress-nginx/ci/deployment-customnodeport-values.yaml b/charts/ingress-nginx/ci/controller-service-values.yaml
similarity index 69%
rename from charts/ingress-nginx/ci/deployment-customnodeport-values.yaml
rename to charts/ingress-nginx/ci/controller-service-values.yaml
index a564eaf..9039368 100644
--- a/charts/ingress-nginx/ci/deployment-customnodeport-values.yaml
+++ b/charts/ingress-nginx/ci/controller-service-values.yaml
@@ -3,18 +3,20 @@
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
- admissionWebhooks:
- enabled: false
+
service:
type: NodePort
+
nodePorts:
tcp:
9000: 30090
udp:
9001: 30091
+portNamePrefix: port
+
tcp:
- 9000: "default/test:8080"
+ 9000: default/test:8080
udp:
- 9001: "default/test:8080"
+ 9001: default/test:8080
diff --git a/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml b/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml
deleted file mode 100644
index 4393a5b..0000000
--- a/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-controller:
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- kind: DaemonSet
- allowSnippetAnnotations: false
- admissionWebhooks:
- enabled: false
- service:
- type: ClusterIP
-
- config:
- use-proxy-protocol: "true"
diff --git a/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml b/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml
deleted file mode 100644
index 1d94be2..0000000
--- a/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-controller:
- kind: DaemonSet
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
-
- service:
- type: NodePort
- nodePorts:
- tcp:
- 9000: 30090
- udp:
- 9001: 30091
-
-tcp:
- 9000: "default/test:8080"
-
-udp:
- 9001: "default/test:8080"
diff --git a/charts/ingress-nginx/ci/daemonset-extra-modules.yaml b/charts/ingress-nginx/ci/daemonset-extra-modules.yaml
deleted file mode 100644
index f299dbf..0000000
--- a/charts/ingress-nginx/ci/daemonset-extra-modules.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-controller:
- kind: DaemonSet
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- service:
- type: ClusterIP
- extraModules:
- - name: opentelemetry
- image: busybox
diff --git a/charts/ingress-nginx/ci/daemonset-headers-values.yaml b/charts/ingress-nginx/ci/daemonset-headers-values.yaml
deleted file mode 100644
index ab7d47b..0000000
--- a/charts/ingress-nginx/ci/daemonset-headers-values.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-controller:
- kind: DaemonSet
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- addHeaders:
- X-Frame-Options: deny
- proxySetHeaders:
- X-Forwarded-Proto: https
- service:
- type: ClusterIP
diff --git a/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml b/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml
deleted file mode 100644
index 0a200a7..0000000
--- a/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-controller:
- kind: DaemonSet
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- service:
- type: ClusterIP
- internal:
- enabled: true
- annotations:
- service.beta.kubernetes.io/aws-load-balancer-internal: "true"
diff --git a/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml b/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml
deleted file mode 100644
index 3b7aa2f..0000000
--- a/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-controller:
- kind: DaemonSet
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- service:
- type: NodePort
diff --git a/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml b/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml
deleted file mode 100644
index acd86a7..0000000
--- a/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-controller:
- kind: DaemonSet
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- service:
- type: ClusterIP
- tcp:
- configMapNamespace: default
- udp:
- configMapNamespace: default
-
-tcp:
- 9000: "default/test:8080"
-
-udp:
- 9001: "default/test:8080"
diff --git a/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml b/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml
deleted file mode 100644
index 25ee64d..0000000
--- a/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-controller:
- kind: DaemonSet
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- service:
- type: ClusterIP
-
-tcp:
- 9000: "default/test:8080"
-
-udp:
- 9001: "default/test:8080"
diff --git a/charts/ingress-nginx/ci/daemonset-tcp-values.yaml b/charts/ingress-nginx/ci/daemonset-tcp-values.yaml
deleted file mode 100644
index 380c8b4..0000000
--- a/charts/ingress-nginx/ci/daemonset-tcp-values.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-controller:
- kind: DaemonSet
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- service:
- type: ClusterIP
-
-tcp:
- 9000: "default/test:8080"
- 9001: "default/test:8080"
diff --git a/charts/ingress-nginx/ci/deamonset-default-values.yaml b/charts/ingress-nginx/ci/deamonset-default-values.yaml
deleted file mode 100644
index 82fa23e..0000000
--- a/charts/ingress-nginx/ci/deamonset-default-values.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-controller:
- kind: DaemonSet
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- service:
- type: ClusterIP
diff --git a/charts/ingress-nginx/ci/deamonset-metrics-values.yaml b/charts/ingress-nginx/ci/deamonset-metrics-values.yaml
deleted file mode 100644
index cb3cb54..0000000
--- a/charts/ingress-nginx/ci/deamonset-metrics-values.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-controller:
- kind: DaemonSet
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- metrics:
- enabled: true
- service:
- type: ClusterIP
diff --git a/charts/ingress-nginx/ci/deamonset-psp-values.yaml b/charts/ingress-nginx/ci/deamonset-psp-values.yaml
deleted file mode 100644
index 8026a63..0000000
--- a/charts/ingress-nginx/ci/deamonset-psp-values.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-controller:
- kind: DaemonSet
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- service:
- type: ClusterIP
-
-podSecurityPolicy:
- enabled: true
diff --git a/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml b/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml
deleted file mode 100644
index fccdb13..0000000
--- a/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-controller:
- kind: DaemonSet
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: true
- service:
- type: ClusterIP
-
-podSecurityPolicy:
- enabled: true
diff --git a/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml b/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml
deleted file mode 100644
index b8b3ac6..0000000
--- a/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-controller:
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- autoscaling:
- enabled: true
- admissionWebhooks:
- enabled: false
- service:
- type: ClusterIP
diff --git a/charts/ingress-nginx/ci/deployment-customconfig-values.yaml b/charts/ingress-nginx/ci/deployment-customconfig-values.yaml
deleted file mode 100644
index 1749418..0000000
--- a/charts/ingress-nginx/ci/deployment-customconfig-values.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-controller:
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- config:
- use-proxy-protocol: "true"
- allowSnippetAnnotations: false
- admissionWebhooks:
- enabled: false
- service:
- type: ClusterIP
diff --git a/charts/ingress-nginx/ci/deployment-default-values.yaml b/charts/ingress-nginx/ci/deployment-default-values.yaml
deleted file mode 100644
index 9f46b4e..0000000
--- a/charts/ingress-nginx/ci/deployment-default-values.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-# Left blank to test default values
-controller:
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- service:
- type: ClusterIP
diff --git a/charts/ingress-nginx/ci/deployment-extra-modules.yaml b/charts/ingress-nginx/ci/deployment-extra-modules.yaml
deleted file mode 100644
index ec59235..0000000
--- a/charts/ingress-nginx/ci/deployment-extra-modules.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-controller:
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- service:
- type: ClusterIP
- extraModules:
- - name: opentelemetry
- image: busybox
diff --git a/charts/ingress-nginx/ci/deployment-headers-values.yaml b/charts/ingress-nginx/ci/deployment-headers-values.yaml
deleted file mode 100644
index 17a11ac..0000000
--- a/charts/ingress-nginx/ci/deployment-headers-values.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-controller:
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- addHeaders:
- X-Frame-Options: deny
- proxySetHeaders:
- X-Forwarded-Proto: https
- service:
- type: ClusterIP
diff --git a/charts/ingress-nginx/ci/deployment-metrics-values.yaml b/charts/ingress-nginx/ci/deployment-metrics-values.yaml
deleted file mode 100644
index 9209ad5..0000000
--- a/charts/ingress-nginx/ci/deployment-metrics-values.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-controller:
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- metrics:
- enabled: true
- service:
- type: ClusterIP
diff --git a/charts/ingress-nginx/ci/deployment-nodeport-values.yaml b/charts/ingress-nginx/ci/deployment-nodeport-values.yaml
deleted file mode 100644
index cd9b323..0000000
--- a/charts/ingress-nginx/ci/deployment-nodeport-values.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-controller:
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- service:
- type: NodePort
diff --git a/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml b/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml
deleted file mode 100644
index c51a4e9..0000000
--- a/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-controller:
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- service:
- type: ClusterIP
- tcp:
- configMapNamespace: default
- udp:
- configMapNamespace: default
-
-tcp:
- 9000: "default/test:8080"
-
-udp:
- 9001: "default/test:8080"
diff --git a/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml b/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml
deleted file mode 100644
index 5b45b69..0000000
--- a/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-controller:
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- service:
- type: ClusterIP
-
-tcp:
- 9000: "default/test:8080"
-
-udp:
- 9001: "default/test:8080"
diff --git a/charts/ingress-nginx/ci/deployment-tcp-values.yaml b/charts/ingress-nginx/ci/deployment-tcp-values.yaml
deleted file mode 100644
index ac0b6e6..0000000
--- a/charts/ingress-nginx/ci/deployment-tcp-values.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-controller:
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- service:
- type: ClusterIP
-
-tcp:
- 9000: "default/test:8080"
- 9001: "default/test:8080"
diff --git a/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml b/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml
deleted file mode 100644
index 6195bb3..0000000
--- a/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-controller:
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: true
- service:
- type: ClusterIP
-
-podSecurityPolicy:
- enabled: true
diff --git a/charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml b/charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml
deleted file mode 100644
index 49ebbb0..0000000
--- a/charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-controller:
- service:
- type: ClusterIP
- admissionWebhooks:
- enabled: true
- createSecretJob:
- resources:
- limits:
- cpu: 10m
- memory: 20Mi
- requests:
- cpu: 10m
- memory: 20Mi
- patchWebhookJob:
- resources:
- limits:
- cpu: 10m
- memory: 20Mi
- requests:
- cpu: 10m
- memory: 20Mi
- patch:
- enabled: true
diff --git a/charts/ingress-nginx/templates/NOTES.txt b/charts/ingress-nginx/templates/NOTES.txt
index c10ab03..f492300 100644
--- a/charts/ingress-nginx/templates/NOTES.txt
+++ b/charts/ingress-nginx/templates/NOTES.txt
@@ -6,24 +6,24 @@
{{- if (not (empty .Values.controller.service.nodePorts.http)) }}
export HTTP_NODE_PORT={{ .Values.controller.service.nodePorts.http }}
{{- else }}
- export HTTP_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[0].nodePort}" {{ include "ingress-nginx.controller.fullname" . }})
+ export HTTP_NODE_PORT=$(kubectl get service --namespace {{ include "ingress-nginx.namespace" . }} {{ include "ingress-nginx.controller.fullname" . }} --output jsonpath="{.spec.ports[0].nodePort}")
{{- end }}
{{- if (not (empty .Values.controller.service.nodePorts.https)) }}
export HTTPS_NODE_PORT={{ .Values.controller.service.nodePorts.https }}
{{- else }}
- export HTTPS_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[1].nodePort}" {{ include "ingress-nginx.controller.fullname" . }})
+ export HTTPS_NODE_PORT=$(kubectl get service --namespace {{ include "ingress-nginx.namespace" . }} {{ include "ingress-nginx.controller.fullname" . }} --output jsonpath="{.spec.ports[1].nodePort}")
{{- end }}
- export NODE_IP=$(kubectl --namespace {{ .Release.Namespace }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}")
+ export NODE_IP="$(kubectl get nodes --output jsonpath="{.items[0].status.addresses[1].address}")"
- echo "Visit http://$NODE_IP:$HTTP_NODE_PORT to access your application via HTTP."
- echo "Visit https://$NODE_IP:$HTTPS_NODE_PORT to access your application via HTTPS."
+ echo "Visit http://${NODE_IP}:${HTTP_NODE_PORT} to access your application via HTTP."
+ echo "Visit https://${NODE_IP}:${HTTPS_NODE_PORT} to access your application via HTTPS."
{{- else if contains "LoadBalancer" .Values.controller.service.type }}
-It may take a few minutes for the LoadBalancer IP to be available.
-You can watch the status by running 'kubectl --namespace {{ .Release.Namespace }} get services -o wide -w {{ include "ingress-nginx.controller.fullname" . }}'
+It may take a few minutes for the load balancer IP to be available.
+You can watch the status by running 'kubectl get service --namespace {{ include "ingress-nginx.namespace" . }} {{ include "ingress-nginx.controller.fullname" . }} --output wide --watch'
{{- else if contains "ClusterIP" .Values.controller.service.type }}
Get the application URL by running these commands:
- export POD_NAME=$(kubectl --namespace {{ .Release.Namespace }} get pods -o jsonpath="{.items[0].metadata.name}" -l "app={{ template "ingress-nginx.name" . }},component={{ .Values.controller.name }},release={{ .Release.Name }}")
- kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80
+ export POD_NAME="$(kubectl get pods --namespace {{ include "ingress-nginx.namespace" . }} --selector app.kubernetes.io/name={{ include "ingress-nginx.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=controller --output jsonpath="{.items[0].metadata.name}")"
+ kubectl port-forward --namespace {{ include "ingress-nginx.namespace" . }} "${POD_NAME}" 8080:80
echo "Visit http://127.0.0.1:8080 to access your application."
{{- end }}
@@ -47,7 +47,8 @@
- host: www.example.com
http:
paths:
- - backend:
+ - pathType: Prefix
+ backend:
service:
name: exampleService
port:
@@ -70,10 +71,3 @@
tls.crt: <base64 encoded cert>
tls.key: <base64 encoded key>
type: kubernetes.io/tls
-
-{{- if .Values.controller.headers }}
-#################################################################################
-###### WARNING: `controller.headers` has been deprecated! #####
-###### It has been renamed to `controller.proxySetHeaders`. #####
-#################################################################################
-{{- end }}
diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl
index a72af5d..6cbda2d 100644
--- a/charts/ingress-nginx/templates/_helpers.tpl
+++ b/charts/ingress-nginx/templates/_helpers.tpl
@@ -30,25 +30,70 @@
{{- end -}}
{{- end -}}
+{{/*
+Expand the namespace of the release.
+Allows overriding it for multi-namespace deployments in combined charts.
+*/}}
+{{- define "ingress-nginx.namespace" -}}
+{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
{{/*
-Container SecurityContext.
+Controller container security context.
*/}}
-{{- define "controller.containerSecurityContext" -}}
+{{- define "ingress-nginx.controller.containerSecurityContext" -}}
{{- if .Values.controller.containerSecurityContext -}}
{{- toYaml .Values.controller.containerSecurityContext -}}
{{- else -}}
+runAsNonRoot: {{ .Values.controller.image.runAsNonRoot }}
+runAsUser: {{ .Values.controller.image.runAsUser }}
+runAsGroup: {{ .Values.controller.image.runAsGroup }}
+allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }}
+{{- if .Values.controller.image.seccompProfile }}
+seccompProfile: {{ toYaml .Values.controller.image.seccompProfile | nindent 2 }}
+{{- end }}
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
-runAsUser: {{ .Values.controller.image.runAsUser }}
-allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
+ {{- if .Values.controller.image.chroot }}
+ {{- if .Values.controller.image.seccompProfile }}
+ - SYS_ADMIN
+ {{- end }}
+ - SYS_CHROOT
+ {{- end }}
+readOnlyRootFilesystem: {{ .Values.controller.image.readOnlyRootFilesystem }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get specific image
+*/}}
+{{- define "ingress-nginx.image" -}}
+{{- if .chroot -}}
+{{- printf "%s-chroot" .image -}}
+{{- else -}}
+{{- printf "%s" .image -}}
{{- end }}
{{- end -}}
{{/*
+Get specific image digest
+*/}}
+{{- define "ingress-nginx.imageDigest" -}}
+{{- if .chroot -}}
+{{- if .digestChroot -}}
+{{- printf "@%s" .digestChroot -}}
+{{- end }}
+{{- else -}}
+{{ if .digest -}}
+{{- printf "@%s" .digest -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
Create a default fully qualified controller name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
@@ -57,13 +102,22 @@
{{- end -}}
{{/*
+Construct a unique electionID.
+Users can provide an override for an explicit electionID if they want via `.Values.controller.electionID`
+*/}}
+{{- define "ingress-nginx.controller.electionID" -}}
+{{- $defElectionID := printf "%s-leader" (include "ingress-nginx.fullname" .) -}}
+{{- $electionID := default $defElectionID .Values.controller.electionID -}}
+{{- print $electionID -}}
+{{- end -}}
+
+{{/*
Construct the path for the publish-service.
By convention this will simply use the <namespace>/<controller-name> to match the name of the
service generated.
Users can provide an override for an explicit service they want bound via `.Values.controller.publishService.pathOverride`
-
*/}}
{{- define "ingress-nginx.controller.publishServicePath" -}}
{{- $defServiceName := printf "%s/%s" "$(POD_NAMESPACE)" (include "ingress-nginx.controller.fullname" .) -}}
@@ -72,14 +126,6 @@
{{- end -}}
{{/*
-Create a default fully qualified default backend name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-*/}}
-{{- define "ingress-nginx.defaultBackend.fullname" -}}
-{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
Common labels
*/}}
{{- define "ingress-nginx.labels" -}}
@@ -115,7 +161,50 @@
{{- end -}}
{{/*
-Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
+Create a default fully qualified admission webhook name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "ingress-nginx.admissionWebhooks.fullname" -}}
+{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.controller.admissionWebhooks.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name of the admission webhook patch job service account to use
+*/}}
+{{- define "ingress-nginx.admissionWebhooks.patch.serviceAccountName" -}}
+{{- if .Values.controller.admissionWebhooks.patch.serviceAccount.create -}}
+ {{ default (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.patch.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.controller.admissionWebhooks.patch.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified admission webhook secret creation job name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "ingress-nginx.admissionWebhooks.createSecretJob.fullname" -}}
+{{- printf "%s-%s" (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.createSecretJob.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified admission webhook patch job name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "ingress-nginx.admissionWebhooks.patchWebhookJob.fullname" -}}
+{{- printf "%s-%s" (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.patchWebhookJob.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified default backend name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "ingress-nginx.defaultBackend.fullname" -}}
+{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name of the default backend service account to use
*/}}
{{- define "ingress-nginx.defaultBackend.serviceAccountName" -}}
{{- if .Values.defaultBackend.serviceAccount.create -}}
@@ -126,31 +215,49 @@
{{- end -}}
{{/*
-Return the appropriate apiGroup for PodSecurityPolicy.
+Default backend container security context.
*/}}
-{{- define "podSecurityPolicy.apiGroup" -}}
-{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
-{{- print "policy" -}}
+{{- define "ingress-nginx.defaultBackend.containerSecurityContext" -}}
+{{- if .Values.defaultBackend.containerSecurityContext -}}
+{{- toYaml .Values.defaultBackend.containerSecurityContext -}}
{{- else -}}
-{{- print "extensions" -}}
+runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
+runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
+runAsGroup: {{ .Values.defaultBackend.image.runAsGroup }}
+allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
+{{- if .Values.defaultBackend.image.seccompProfile }}
+seccompProfile: {{ toYaml .Values.defaultBackend.image.seccompProfile | nindent 2 }}
+{{- end }}
+capabilities:
+ drop:
+ - ALL
+readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem }}
{{- end -}}
{{- end -}}
{{/*
-Check the ingress controller version tag is at most three versions behind the last release
+Extra modules.
*/}}
-{{- define "isControllerTagValid" -}}
-{{- if not (semverCompare ">=0.27.0-0" .Values.controller.image.tag) -}}
-{{- fail "Controller container image tag should be 0.27.0 or higher" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-IngressClass parameters.
-*/}}
-{{- define "ingressClass.parameters" -}}
- {{- if .Values.controller.ingressClassResource.parameters -}}
- parameters:
-{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4}}
- {{ end }}
+{{- define "extraModules" -}}
+- name: {{ .name }}
+ {{- with .image }}
+ image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
+ command:
+ {{- if .distroless }}
+ - /init_module
+ {{- else }}
+ - sh
+ - -c
+ - /usr/local/bin/init_module.sh
+ {{- end }}
+ {{- end }}
+ {{- if .containerSecurityContext }}
+ securityContext: {{ toYaml .containerSecurityContext | nindent 4 }}
+ {{- end }}
+ {{- if .resources }}
+ resources: {{ toYaml .resources | nindent 4 }}
+ {{- end }}
+ volumeMounts:
+ - name: modules
+ mountPath: /modules_mount
{{- end -}}
diff --git a/charts/ingress-nginx/templates/_params.tpl b/charts/ingress-nginx/templates/_params.tpl
index 305ce0d..0051dc9 100644
--- a/charts/ingress-nginx/templates/_params.tpl
+++ b/charts/ingress-nginx/templates/_params.tpl
@@ -1,5 +1,8 @@
{{- define "ingress-nginx.params" -}}
- /nginx-ingress-controller
+{{- if not .Values.controller.enableAnnotationValidations }}
+- --enable-annotation-validation=false
+{{- end }}
{{- if .Values.defaultBackend.enabled }}
- --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }}
{{- end }}
@@ -10,7 +13,7 @@
- --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }}-internal
{{- end }}
{{- end }}
-- --election-id={{ .Values.controller.electionID }}
+- --election-id={{ include "ingress-nginx.controller.electionID" . }}
- --controller-class={{ .Values.controller.ingressClassResource.controllerValue }}
{{- if .Values.controller.ingressClass }}
- --ingress-class={{ .Values.controller.ingressClass }}
@@ -26,7 +29,7 @@
- --watch-namespace={{ default "$(POD_NAMESPACE)" .Values.controller.scope.namespace }}
{{- end }}
{{- if and (not .Values.controller.scope.enabled) .Values.controller.scope.namespaceSelector }}
-- --watch-namespace-selector={{ default "" .Values.controller.scope.namespaceSelector }}
+- --watch-namespace-selector={{ .Values.controller.scope.namespaceSelector }}
{{- end }}
{{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }}
- --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }}
@@ -51,6 +54,18 @@
{{- if .Values.controller.watchIngressWithoutClass }}
- --watch-ingress-without-class=true
{{- end }}
+{{- if .Values.controller.metrics.enabled }}
+- --enable-metrics={{ .Values.controller.metrics.enabled }}
+{{- end }}
+{{- if .Values.controller.enableTopologyAwareRouting }}
+- --enable-topology-aware-routing=true
+{{- end }}
+{{- if .Values.controller.disableLeaderElection }}
+- --disable-leader-election=true
+{{- end }}
+{{- if .Values.controller.electionTTL }}
+- --election-ttl={{ .Values.controller.electionTTL }}
+{{- end }}
{{- range $key, $value := .Values.controller.extraArgs }}
{{- /* Accept keys without values or with false as value */}}
{{- if eq ($value | quote | len) 2 }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml b/charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml
new file mode 100644
index 0000000..db2946c
--- /dev/null
+++ b/charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml
@@ -0,0 +1,63 @@
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.certManager.enabled -}}
+{{- if not .Values.controller.admissionWebhooks.certManager.issuerRef -}}
+# Create a selfsigned Issuer, in order to create a root CA certificate for
+# signing webhook serving certificates
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-self-signed-issuer
+ namespace: {{ include "ingress-nginx.namespace" . }}
+spec:
+ selfSigned: {}
+---
+# Generate a CA Certificate used to sign certificates for the webhook
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-root-cert
+ namespace: {{ include "ingress-nginx.namespace" . }}
+spec:
+ secretName: {{ include "ingress-nginx.fullname" . }}-root-cert
+ duration: {{ .Values.controller.admissionWebhooks.certManager.rootCert.duration | default "43800h0m0s" | quote }}
+ issuerRef:
+ name: {{ include "ingress-nginx.fullname" . }}-self-signed-issuer
+ commonName: "ca.webhook.ingress-nginx"
+ isCA: true
+ subject:
+ organizations:
+ - ingress-nginx
+---
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-root-issuer
+ namespace: {{ include "ingress-nginx.namespace" . }}
+spec:
+ ca:
+ secretName: {{ include "ingress-nginx.fullname" . }}-root-cert
+{{- end }}
+---
+# generate a server certificate for the apiservices to use
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
+spec:
+ secretName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
+ duration: {{ .Values.controller.admissionWebhooks.certManager.admissionCert.duration | default "8760h0m0s" | quote }}
+ issuerRef:
+ {{- if .Values.controller.admissionWebhooks.certManager.issuerRef }}
+ {{- toYaml .Values.controller.admissionWebhooks.certManager.issuerRef | nindent 4 }}
+ {{- else }}
+ name: {{ include "ingress-nginx.fullname" . }}-root-issuer
+ {{- end }}
+ dnsNames:
+ - {{ include "ingress-nginx.controller.fullname" . }}-admission
+ - {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ include "ingress-nginx.namespace" . }}
+ - {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ include "ingress-nginx.namespace" . }}.svc
+ subject:
+ organizations:
+ - ingress-nginx-admission
+{{- end -}}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
index 5659a1f..54af7ab 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
@@ -1,8 +1,8 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
- name: {{ include "ingress-nginx.fullname" . }}-admission
+ name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@@ -20,15 +20,4 @@
verbs:
- get
- update
-{{- if .Values.podSecurityPolicy.enabled }}
- - apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames:
- {{- with .Values.controller.admissionWebhooks.existingPsp }}
- - {{ . }}
- {{- else }}
- - {{ include "ingress-nginx.fullname" . }}-admission
- {{- end }}
-{{- end }}
{{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
index abf17fb..b893884 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
@@ -1,8 +1,8 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
- name: {{ include "ingress-nginx.fullname" . }}-admission
+ name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@@ -15,9 +15,9 @@
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: {{ include "ingress-nginx.fullname" . }}-admission
+ name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
subjects:
- kind: ServiceAccount
- name: {{ include "ingress-nginx.fullname" . }}-admission
- namespace: {{ .Release.Namespace | quote }}
+ name: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
index e57bfde..af3ea12 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -1,9 +1,9 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: batch/v1
kind: Job
metadata:
- name: {{ include "ingress-nginx.fullname" . }}-admission-create
- namespace: {{ .Release.Namespace }}
+ name: {{ include "ingress-nginx.admissionWebhooks.createSecretJob.fullname" . }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@@ -23,7 +23,7 @@
{{- end }}
template:
metadata:
- name: {{ include "ingress-nginx.fullname" . }}-admission-create
+ name: {{ include "ingress-nginx.admissionWebhooks.createSecretJob.fullname" . }}
{{- if .Values.controller.admissionWebhooks.patch.podAnnotations }}
annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }}
{{- end }}
@@ -42,34 +42,38 @@
{{- end }}
containers:
- name: create
- {{- with .Values.controller.admissionWebhooks.patch.image }}
- image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
+ {{- with (merge .Values.controller.admissionWebhooks.patch.image .Values.global.image) }}
+ image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
{{- end }}
imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
args:
- create
- --host={{ include "ingress-nginx.controller.fullname" . }}-admission,{{ include "ingress-nginx.controller.fullname" . }}-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- - --secret-name={{ include "ingress-nginx.fullname" . }}-admission
+ - --secret-name={{ include "ingress-nginx.admissionWebhooks.fullname" . }}
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- securityContext:
- allowPrivilegeEscalation: false
+ {{- if .Values.controller.admissionWebhooks.extraEnvs }}
+ {{- toYaml .Values.controller.admissionWebhooks.extraEnvs | nindent 12 }}
+ {{- end }}
+ {{- if .Values.controller.admissionWebhooks.createSecretJob.securityContext }}
+ securityContext: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.securityContext | nindent 12 }}
+ {{- end }}
{{- if .Values.controller.admissionWebhooks.createSecretJob.resources }}
resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }}
{{- end }}
restartPolicy: OnFailure
- serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission
+ serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
{{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.patch.tolerations }}
tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
{{- end }}
- securityContext:
- runAsNonRoot: true
- runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
+ {{- if .Values.controller.admissionWebhooks.patch.securityContext }}
+ securityContext: {{ toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
+ {{- end }}
{{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
index 4f8ba14..87dd2c2 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -1,9 +1,9 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: batch/v1
kind: Job
metadata:
- name: {{ include "ingress-nginx.fullname" . }}-admission-patch
- namespace: {{ .Release.Namespace }}
+ name: {{ include "ingress-nginx.admissionWebhooks.patchWebhookJob.fullname" . }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@@ -23,7 +23,7 @@
{{- end }}
template:
metadata:
- name: {{ include "ingress-nginx.fullname" . }}-admission-patch
+ name: {{ include "ingress-nginx.admissionWebhooks.patchWebhookJob.fullname" . }}
{{- if .Values.controller.admissionWebhooks.patch.podAnnotations }}
annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }}
{{- end }}
@@ -42,36 +42,40 @@
{{- end }}
containers:
- name: patch
- {{- with .Values.controller.admissionWebhooks.patch.image }}
- image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
+ {{- with (merge .Values.controller.admissionWebhooks.patch.image .Values.global.image) }}
+ image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
{{- end }}
imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
args:
- patch
- - --webhook-name={{ include "ingress-nginx.fullname" . }}-admission
+ - --webhook-name={{ include "ingress-nginx.admissionWebhooks.fullname" . }}
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- - --secret-name={{ include "ingress-nginx.fullname" . }}-admission
+ - --secret-name={{ include "ingress-nginx.admissionWebhooks.fullname" . }}
- --patch-failure-policy={{ .Values.controller.admissionWebhooks.failurePolicy }}
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- securityContext:
- allowPrivilegeEscalation: false
+ {{- if .Values.controller.admissionWebhooks.extraEnvs }}
+ {{- toYaml .Values.controller.admissionWebhooks.extraEnvs | nindent 12 }}
+ {{- end }}
+ {{- if .Values.controller.admissionWebhooks.patchWebhookJob.securityContext }}
+ securityContext: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.securityContext | nindent 12 }}
+ {{- end }}
{{- if .Values.controller.admissionWebhooks.patchWebhookJob.resources }}
resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }}
{{- end }}
restartPolicy: OnFailure
- serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission
+ serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
{{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.patch.tolerations }}
tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
{{- end }}
- securityContext:
- runAsNonRoot: true
- runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
+ {{- if .Values.controller.admissionWebhooks.patch.securityContext }}
+ securityContext: {{ toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
+ {{- end }}
{{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml
new file mode 100644
index 0000000..a8f38df
--- /dev/null
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml
@@ -0,0 +1,26 @@
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.networkPolicy.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: admission-webhook
+ {{- with .Values.controller.admissionWebhooks.patch.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: admission-webhook
+ policyTypes:
+ - Ingress
+ - Egress
+ egress:
+ - {}
+{{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
deleted file mode 100644
index 70edde3..0000000
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ include "ingress-nginx.fullname" . }}-admission
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
- labels:
- {{- include "ingress-nginx.labels" . | nindent 4 }}
- app.kubernetes.io/component: admission-webhook
- {{- with .Values.controller.admissionWebhooks.patch.labels }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
-spec:
- allowPrivilegeEscalation: false
- fsGroup:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- requiredDropCapabilities:
- - ALL
- runAsUser:
- rule: MustRunAsNonRoot
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- volumes:
- - configMap
- - emptyDir
- - projected
- - secret
- - downwardAPI
-{{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
index 795bac6..c4b23aa 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
@@ -1,9 +1,9 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
- name: {{ include "ingress-nginx.fullname" . }}-admission
- namespace: {{ .Release.Namespace }}
+ name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
index 698c5c8..425e8d8 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
@@ -1,9 +1,9 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
- name: {{ include "ingress-nginx.fullname" . }}-admission
- namespace: {{ .Release.Namespace }}
+ name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@@ -16,9 +16,9 @@
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
- name: {{ include "ingress-nginx.fullname" . }}-admission
+ name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
subjects:
- kind: ServiceAccount
- name: {{ include "ingress-nginx.fullname" . }}-admission
- namespace: {{ .Release.Namespace | quote }}
+ name: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
index eae4751..52f94dc 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
@@ -1,9 +1,9 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.serviceAccount.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: v1
kind: ServiceAccount
metadata:
- name: {{ include "ingress-nginx.fullname" . }}-admission
- namespace: {{ .Release.Namespace }}
+ name: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@@ -13,4 +13,5 @@
{{- with .Values.controller.admissionWebhooks.patch.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
+automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken }}
{{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
index 8caffcb..0949cea 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
@@ -4,8 +4,13 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
+ annotations:
+ {{- if .Values.controller.admissionWebhooks.certManager.enabled }}
+ certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s" (include "ingress-nginx.namespace" .) (include "ingress-nginx.admissionWebhooks.fullname" .) | quote }}
+ cert-manager.io/inject-ca-from: {{ printf "%s/%s" (include "ingress-nginx.namespace" .) (include "ingress-nginx.admissionWebhooks.fullname" .) | quote }}
+ {{- end }}
{{- if .Values.controller.admissionWebhooks.annotations }}
- annotations: {{ toYaml .Values.controller.admissionWebhooks.annotations | nindent 4 }}
+ {{- toYaml .Values.controller.admissionWebhooks.annotations | nindent 4 }}
{{- end }}
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
@@ -13,7 +18,7 @@
{{- with .Values.controller.admissionWebhooks.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
- name: {{ include "ingress-nginx.fullname" . }}-admission
+ name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
webhooks:
- name: validate.nginx.ingress.kubernetes.io
matchPolicy: Equivalent
@@ -33,8 +38,9 @@
- v1
clientConfig:
service:
- namespace: {{ .Release.Namespace | quote }}
name: {{ include "ingress-nginx.controller.fullname" . }}-admission
+ namespace: {{ include "ingress-nginx.namespace" . }}
+ port: {{ .Values.controller.admissionWebhooks.service.servicePort }}
path: /networking/v1/ingresses
{{- if .Values.controller.admissionWebhooks.timeoutSeconds }}
timeoutSeconds: {{ .Values.controller.admissionWebhooks.timeoutSeconds }}
diff --git a/charts/ingress-nginx/templates/clusterrole.yaml b/charts/ingress-nginx/templates/clusterrole.yaml
index c093f04..51bc500 100644
--- a/charts/ingress-nginx/templates/clusterrole.yaml
+++ b/charts/ingress-nginx/templates/clusterrole.yaml
@@ -29,6 +29,13 @@
verbs:
- list
- watch
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - list
+ - watch
{{- if and .Values.controller.scope.enabled .Values.controller.scope.namespace }}
- apiGroups:
- ""
@@ -82,6 +89,14 @@
- get
- list
- watch
+ - apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - list
+ - watch
+ - get
{{- end }}
{{- end }}
diff --git a/charts/ingress-nginx/templates/clusterrolebinding.yaml b/charts/ingress-nginx/templates/clusterrolebinding.yaml
index acbbd8b..8f91aac 100644
--- a/charts/ingress-nginx/templates/clusterrolebinding.yaml
+++ b/charts/ingress-nginx/templates/clusterrolebinding.yaml
@@ -15,5 +15,5 @@
subjects:
- kind: ServiceAccount
name: {{ template "ingress-nginx.serviceAccountName" . }}
- namespace: {{ .Release.Namespace | quote }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml b/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml
index dfd49a1..4e4bd13 100644
--- a/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml
@@ -9,6 +9,6 @@
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}-custom-add-headers
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
data: {{ toYaml .Values.controller.addHeaders | nindent 2 }}
{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml b/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml
index f8d15fa..0a22600 100644
--- a/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml
@@ -1,4 +1,4 @@
-{{- if or .Values.controller.proxySetHeaders .Values.controller.headers -}}
+{{- if .Values.controller.proxySetHeaders -}}
apiVersion: v1
kind: ConfigMap
metadata:
@@ -9,11 +9,6 @@
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
- namespace: {{ .Release.Namespace }}
-data:
-{{- if .Values.controller.proxySetHeaders }}
-{{ toYaml .Values.controller.proxySetHeaders | indent 2 }}
-{{ else if and .Values.controller.headers (not .Values.controller.proxySetHeaders) }}
-{{ toYaml .Values.controller.headers | indent 2 }}
-{{- end }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
+data: {{ toYaml .Values.controller.proxySetHeaders | nindent 2 }}
{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-configmap-tcp.yaml b/charts/ingress-nginx/templates/controller-configmap-tcp.yaml
index 0f6088e..131a9ad 100644
--- a/charts/ingress-nginx/templates/controller-configmap-tcp.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap-tcp.yaml
@@ -12,6 +12,6 @@
annotations: {{ toYaml .Values.controller.tcp.annotations | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}-tcp
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
data: {{ tpl (toYaml .Values.tcp) . | nindent 2 }}
{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-configmap-udp.yaml b/charts/ingress-nginx/templates/controller-configmap-udp.yaml
index 3772ec5..7137da9 100644
--- a/charts/ingress-nginx/templates/controller-configmap-udp.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap-udp.yaml
@@ -12,6 +12,6 @@
annotations: {{ toYaml .Values.controller.udp.annotations | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}-udp
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
data: {{ tpl (toYaml .Values.udp) . | nindent 2 }}
{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-configmap.yaml b/charts/ingress-nginx/templates/controller-configmap.yaml
index f28b26e..b73cdc2 100644
--- a/charts/ingress-nginx/templates/controller-configmap.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap.yaml
@@ -11,19 +11,20 @@
annotations: {{ toYaml .Values.controller.configAnnotations | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
data:
- allow-snippet-annotations: "{{ .Values.controller.allowSnippetAnnotations }}"
-{{- if .Values.controller.addHeaders }}
- add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
+{{- if .Values.controller.allowSnippetAnnotations }}
+ allow-snippet-annotations: "true"
{{- end }}
-{{- if or .Values.controller.proxySetHeaders .Values.controller.headers }}
- proxy-set-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
+{{- if .Values.controller.addHeaders }}
+ add-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
+{{- end }}
+{{- if .Values.controller.proxySetHeaders }}
+ proxy-set-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
{{- end }}
{{- if .Values.dhParam }}
- ssl-dh-param: {{ printf "%s/%s" .Release.Namespace (include "ingress-nginx.controller.fullname" .) }}
+ ssl-dh-param: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.controller.fullname" . }}
{{- end }}
{{- range $key, $value := .Values.controller.config }}
- {{- $key | nindent 2 }}: {{ $value | quote }}
+ {{- $key | nindent 2 }}: {{ tpl (toString $value) $ | quote }}
{{- end }}
-
diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml
index 72811fb..fd1b132 100644
--- a/charts/ingress-nginx/templates/controller-daemonset.yaml
+++ b/charts/ingress-nginx/templates/controller-daemonset.yaml
@@ -1,5 +1,4 @@
-{{- if or (eq .Values.controller.kind "DaemonSet") (eq .Values.controller.kind "Both") -}}
-{{- include "isControllerTagValid" . -}}
+{{- if eq .Values.controller.kind "DaemonSet" -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
@@ -10,7 +9,7 @@
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
{{- if .Values.controller.annotations }}
annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
{{- end }}
@@ -33,7 +32,7 @@
{{- end }}
{{- end }}
labels:
- {{- include "ingress-nginx.selectorLabels" . | nindent 8 }}
+ {{- include "ingress-nginx.labels" . | nindent 8 }}
app.kubernetes.io/component: controller
{{- with .Values.controller.labels }}
{{- toYaml . | nindent 8 }}
@@ -45,6 +44,9 @@
{{- if .Values.controller.dnsConfig }}
dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }}
{{- end }}
+ {{- if .Values.controller.hostAliases }}
+ hostAliases: {{ tpl (toYaml .Values.controller.hostAliases) $ | nindent 8 }}
+ {{- end }}
{{- if .Values.controller.hostname }}
hostname: {{ toYaml .Values.controller.hostname | nindent 8 }}
{{- end }}
@@ -53,40 +55,35 @@
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
{{- end }}
{{- if .Values.controller.priorityClassName }}
- priorityClassName: {{ .Values.controller.priorityClassName }}
+ priorityClassName: {{ .Values.controller.priorityClassName | quote }}
{{- end }}
{{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }}
securityContext:
- {{- end }}
- {{- if .Values.controller.podSecurityContext }}
+ {{- if .Values.controller.podSecurityContext }}
{{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
- {{- end }}
- {{- if .Values.controller.sysctls }}
+ {{- end }}
+ {{- if .Values.controller.sysctls }}
sysctls:
- {{- range $sysctl, $value := .Values.controller.sysctls }}
- - name: {{ $sysctl | quote }}
- value: {{ $value | quote }}
+ {{- range $sysctl, $value := .Values.controller.sysctls }}
+ - name: {{ $sysctl | quote }}
+ value: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
{{- end }}
+ {{- if .Values.controller.shareProcessNamespace }}
+ shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }}
{{- end }}
containers:
- name: {{ .Values.controller.containerName }}
- {{- with .Values.controller.image }}
- image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
+ {{- with (merge .Values.controller.image .Values.global.image) }}
+ image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}
{{- end }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
{{- if .Values.controller.lifecycle }}
lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
{{- end }}
- args:
- {{- include "ingress-nginx.params" . | nindent 12 }}
- securityContext:
- capabilities:
- drop:
- - ALL
- add:
- - NET_BIND_SERVICE
- runAsUser: {{ .Values.controller.image.runAsUser }}
- allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
+ args: {{ include "ingress-nginx.params" . | nindent 12 }}
+ securityContext: {{ include "ingress-nginx.controller.containerSecurityContext" . | nindent 12 }}
env:
- name: POD_NAME
valueFrom:
@@ -106,8 +103,12 @@
{{- if .Values.controller.startupProbe }}
startupProbe: {{ toYaml .Values.controller.startupProbe | nindent 12 }}
{{- end }}
+ {{- if .Values.controller.livenessProbe }}
livenessProbe: {{ toYaml .Values.controller.livenessProbe | nindent 12 }}
+ {{- end }}
+ {{- if .Values.controller.readinessProbe }}
readinessProbe: {{ toYaml .Values.controller.readinessProbe | nindent 12 }}
+ {{- end }}
ports:
{{- range $key, $value := .Values.controller.containerPort }}
- name: {{ $key }}
@@ -118,7 +119,7 @@
{{- end }}
{{- end }}
{{- if .Values.controller.metrics.enabled }}
- - name: metrics
+ - name: {{ .Values.controller.metrics.portName }}
containerPort: {{ .Values.controller.metrics.port }}
protocol: TCP
{{- end }}
@@ -128,7 +129,7 @@
protocol: TCP
{{- end }}
{{- range $key, $value := .Values.tcp }}
- - name: {{ $key }}-tcp
+ - name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-tcp
containerPort: {{ $key }}
protocol: TCP
{{- if $.Values.controller.hostPort.enabled }}
@@ -136,7 +137,7 @@
{{- end }}
{{- end }}
{{- range $key, $value := .Values.udp }}
- - name: {{ $key }}-udp
+ - name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-udp
containerPort: {{ $key }}
protocol: UDP
{{- if $.Values.controller.hostPort.enabled }}
@@ -147,7 +148,11 @@
volumeMounts:
{{- if .Values.controller.extraModules }}
- name: modules
+ {{- if .Values.controller.image.chroot }}
+ mountPath: /chroot/modules_mount
+ {{- else }}
mountPath: /modules_mount
+ {{- end }}
{{- end }}
{{- if .Values.controller.customTemplate.configMapName }}
- mountPath: /etc/nginx/template
@@ -167,20 +172,17 @@
resources: {{ toYaml .Values.controller.resources | nindent 12 }}
{{- end }}
{{- if .Values.controller.extraContainers }}
- {{ toYaml .Values.controller.extraContainers | nindent 8 }}
+ {{- toYaml .Values.controller.extraContainers | nindent 8 }}
{{- end }}
-
-
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }}
initContainers:
{{- if .Values.controller.extraInitContainers }}
- {{ toYaml .Values.controller.extraInitContainers | nindent 8 }}
+ {{- toYaml .Values.controller.extraInitContainers | nindent 8 }}
{{- end }}
{{- if .Values.controller.extraModules }}
{{- range .Values.controller.extraModules }}
- - name: {{ .Name }}
- image: {{ .Image }}
- command: ['sh', '-c', '/usr/local/bin/init_module.sh']
+ {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
+ {{- include "extraModules" (dict "name" .name "image" (merge .image $.Values.global.image) "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}
@@ -194,10 +196,10 @@
tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.controller.affinity }}
- affinity: {{ toYaml .Values.controller.affinity | nindent 8 }}
+ affinity: {{ tpl (toYaml .Values.controller.affinity) $ | nindent 8 }}
{{- end }}
{{- if .Values.controller.topologySpreadConstraints }}
- topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }}
+ topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
@@ -218,7 +220,14 @@
{{- if .Values.controller.admissionWebhooks.enabled }}
- name: webhook-cert
secret:
- secretName: {{ include "ingress-nginx.fullname" . }}-admission
+ secretName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
+ {{- if .Values.controller.admissionWebhooks.certManager.enabled }}
+ items:
+ - key: tls.crt
+ path: cert
+ - key: tls.key
+ path: key
+ {{- end }}
{{- end }}
{{- if .Values.controller.extraVolumes }}
{{ toYaml .Values.controller.extraVolumes | nindent 8 }}
diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml
index a1943cd..cc41bfb 100644
--- a/charts/ingress-nginx/templates/controller-deployment.yaml
+++ b/charts/ingress-nginx/templates/controller-deployment.yaml
@@ -1,5 +1,4 @@
-{{- if or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both") -}}
-{{- include "isControllerTagValid" . -}}
+{{- if eq .Values.controller.kind "Deployment" -}}
apiVersion: apps/v1
kind: Deployment
metadata:
@@ -10,7 +9,7 @@
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
{{- if .Values.controller.annotations }}
annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
{{- end }}
@@ -19,13 +18,15 @@
matchLabels:
{{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: controller
- {{- if not .Values.controller.autoscaling.enabled }}
+ {{- if eq .Values.controller.autoscaling.enabled .Values.controller.keda.enabled }}
replicas: {{ .Values.controller.replicaCount }}
{{- end }}
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
+ {{- if .Values.controller.progressDeadlineSeconds }}
+ progressDeadlineSeconds: {{ .Values.controller.progressDeadlineSeconds }}
+ {{- end }}
{{- if .Values.controller.updateStrategy }}
- strategy:
- {{ toYaml .Values.controller.updateStrategy | nindent 4 }}
+ strategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }}
{{- end }}
minReadySeconds: {{ .Values.controller.minReadySeconds }}
template:
@@ -37,7 +38,7 @@
{{- end }}
{{- end }}
labels:
- {{- include "ingress-nginx.selectorLabels" . | nindent 8 }}
+ {{- include "ingress-nginx.labels" . | nindent 8 }}
app.kubernetes.io/component: controller
{{- with .Values.controller.labels }}
{{- toYaml . | nindent 8 }}
@@ -49,6 +50,9 @@
{{- if .Values.controller.dnsConfig }}
dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }}
{{- end }}
+ {{- if .Values.controller.hostAliases }}
+ hostAliases: {{ tpl (toYaml .Values.controller.hostAliases) $ | nindent 8 }}
+ {{- end }}
{{- if .Values.controller.hostname }}
hostname: {{ toYaml .Values.controller.hostname | nindent 8 }}
{{- end }}
@@ -61,29 +65,31 @@
{{- end }}
{{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }}
securityContext:
- {{- end }}
- {{- if .Values.controller.podSecurityContext }}
+ {{- if .Values.controller.podSecurityContext }}
{{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
- {{- end }}
- {{- if .Values.controller.sysctls }}
+ {{- end }}
+ {{- if .Values.controller.sysctls }}
sysctls:
- {{- range $sysctl, $value := .Values.controller.sysctls }}
- - name: {{ $sysctl | quote }}
- value: {{ $value | quote }}
+ {{- range $sysctl, $value := .Values.controller.sysctls }}
+ - name: {{ $sysctl | quote }}
+ value: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
{{- end }}
+ {{- if .Values.controller.shareProcessNamespace }}
+ shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }}
{{- end }}
containers:
- name: {{ .Values.controller.containerName }}
- {{- with .Values.controller.image }}
- image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
+ {{- with (merge .Values.controller.image .Values.global.image) }}
+ image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}
{{- end }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
{{- if .Values.controller.lifecycle }}
lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
{{- end }}
- args:
- {{- include "ingress-nginx.params" . | nindent 12 }}
- securityContext: {{ include "controller.containerSecurityContext" . | nindent 12 }}
+ args: {{ include "ingress-nginx.params" . | nindent 12 }}
+ securityContext: {{ include "ingress-nginx.controller.containerSecurityContext" . | nindent 12 }}
env:
- name: POD_NAME
valueFrom:
@@ -103,8 +109,12 @@
{{- if .Values.controller.startupProbe }}
startupProbe: {{ toYaml .Values.controller.startupProbe | nindent 12 }}
{{- end }}
+ {{- if .Values.controller.livenessProbe }}
livenessProbe: {{ toYaml .Values.controller.livenessProbe | nindent 12 }}
+ {{- end }}
+ {{- if .Values.controller.readinessProbe }}
readinessProbe: {{ toYaml .Values.controller.readinessProbe | nindent 12 }}
+ {{- end }}
ports:
{{- range $key, $value := .Values.controller.containerPort }}
- name: {{ $key }}
@@ -115,7 +125,7 @@
{{- end }}
{{- end }}
{{- if .Values.controller.metrics.enabled }}
- - name: metrics
+ - name: {{ .Values.controller.metrics.portName }}
containerPort: {{ .Values.controller.metrics.port }}
protocol: TCP
{{- end }}
@@ -125,7 +135,7 @@
protocol: TCP
{{- end }}
{{- range $key, $value := .Values.tcp }}
- - name: {{ $key }}-tcp
+ - name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-tcp
containerPort: {{ $key }}
protocol: TCP
{{- if $.Values.controller.hostPort.enabled }}
@@ -133,7 +143,7 @@
{{- end }}
{{- end }}
{{- range $key, $value := .Values.udp }}
- - name: {{ $key }}-udp
+ - name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-udp
containerPort: {{ $key }}
protocol: UDP
{{- if $.Values.controller.hostPort.enabled }}
@@ -144,7 +154,11 @@
volumeMounts:
{{- if .Values.controller.extraModules }}
- name: modules
+ {{- if .Values.controller.image.chroot }}
+ mountPath: /chroot/modules_mount
+ {{- else }}
mountPath: /modules_mount
+ {{- end }}
{{- end }}
{{- if .Values.controller.customTemplate.configMapName }}
- mountPath: /etc/nginx/template
@@ -164,21 +178,17 @@
resources: {{ toYaml .Values.controller.resources | nindent 12 }}
{{- end }}
{{- if .Values.controller.extraContainers }}
- {{ toYaml .Values.controller.extraContainers | nindent 8 }}
+ {{- toYaml .Values.controller.extraContainers | nindent 8 }}
{{- end }}
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }}
initContainers:
{{- if .Values.controller.extraInitContainers }}
- {{ toYaml .Values.controller.extraInitContainers | nindent 8 }}
+ {{- toYaml .Values.controller.extraInitContainers | nindent 8 }}
{{- end }}
{{- if .Values.controller.extraModules }}
{{- range .Values.controller.extraModules }}
- - name: {{ .name }}
- image: {{ .image }}
- command: ['sh', '-c', '/usr/local/bin/init_module.sh']
- volumeMounts:
- - name: modules
- mountPath: /modules_mount
+ {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
+ {{- include "extraModules" (dict "name" .name "image" (merge .image $.Values.global.image) "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}
@@ -192,10 +202,10 @@
tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.controller.affinity }}
- affinity: {{ toYaml .Values.controller.affinity | nindent 8 }}
+ affinity: {{ tpl (toYaml .Values.controller.affinity) $ | nindent 8 }}
{{- end }}
{{- if .Values.controller.topologySpreadConstraints }}
- topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }}
+ topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
@@ -216,7 +226,14 @@
{{- if .Values.controller.admissionWebhooks.enabled }}
- name: webhook-cert
secret:
- secretName: {{ include "ingress-nginx.fullname" . }}-admission
+ secretName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
+ {{- if .Values.controller.admissionWebhooks.certManager.enabled }}
+ items:
+ - key: tls.crt
+ path: cert
+ - key: tls.key
+ path: key
+ {{- end }}
{{- end }}
{{- if .Values.controller.extraVolumes }}
{{ toYaml .Values.controller.extraVolumes | nindent 8 }}
diff --git a/charts/ingress-nginx/templates/controller-hpa.yaml b/charts/ingress-nginx/templates/controller-hpa.yaml
index e0979f1..ec9ad73 100644
--- a/charts/ingress-nginx/templates/controller-hpa.yaml
+++ b/charts/ingress-nginx/templates/controller-hpa.yaml
@@ -1,12 +1,9 @@
-{{- if and .Values.controller.autoscaling.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}}
-{{- if not .Values.controller.keda.enabled }}
-
-apiVersion: autoscaling/v2beta2
+{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled (not .Values.controller.keda.enabled) -}}
+apiVersion: {{ ternary "autoscaling/v2" "autoscaling/v2beta2" (.Capabilities.APIVersions.Has "autoscaling/v2") }}
kind: HorizontalPodAutoscaler
metadata:
- annotations:
{{- with .Values.controller.autoscaling.annotations }}
- {{- toYaml . | trimSuffix "\n" | nindent 4 }}
+ annotations: {{ toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
@@ -15,7 +12,7 @@
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
spec:
scaleTargetRef:
apiVersion: apps/v1
@@ -48,5 +45,3 @@
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
-{{- end }}
-
diff --git a/charts/ingress-nginx/templates/controller-ingressclass-aliases.yaml b/charts/ingress-nginx/templates/controller-ingressclass-aliases.yaml
new file mode 100644
index 0000000..ffe2231
--- /dev/null
+++ b/charts/ingress-nginx/templates/controller-ingressclass-aliases.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.controller.ingressClassResource.enabled -}}
+{{- range .Values.controller.ingressClassResource.aliases }}
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" $ | nindent 4 }}
+ app.kubernetes.io/component: controller
+ {{- with $.Values.controller.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ . }}
+ {{- if $.Values.controller.ingressClassResource.annotations }}
+ annotations: {{ toYaml $.Values.controller.ingressClassResource.annotations | nindent 4 }}
+ {{- end }}
+spec:
+ controller: {{ $.Values.controller.ingressClassResource.controllerValue }}
+ {{- with $.Values.controller.ingressClassResource.parameters }}
+ parameters: {{ toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-ingressclass.yaml b/charts/ingress-nginx/templates/controller-ingressclass.yaml
index 9492784..98479a5 100644
--- a/charts/ingress-nginx/templates/controller-ingressclass.yaml
+++ b/charts/ingress-nginx/templates/controller-ingressclass.yaml
@@ -1,6 +1,4 @@
{{- if .Values.controller.ingressClassResource.enabled -}}
-# We don't support namespaced ingressClass yet
-# So a ClusterRole and a ClusterRoleBinding is required
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
@@ -11,11 +9,18 @@
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ .Values.controller.ingressClassResource.name }}
-{{- if .Values.controller.ingressClassResource.default }}
+ {{- if or .Values.controller.ingressClassResource.default .Values.controller.ingressClassResource.annotations }}
annotations:
+ {{- if .Values.controller.ingressClassResource.default }}
ingressclass.kubernetes.io/is-default-class: "true"
-{{- end }}
+ {{- end }}
+ {{- if .Values.controller.ingressClassResource.annotations }}
+ {{- toYaml .Values.controller.ingressClassResource.annotations | nindent 4 }}
+ {{- end }}
+ {{- end }}
spec:
controller: {{ .Values.controller.ingressClassResource.controllerValue }}
- {{ template "ingressClass.parameters" . }}
+ {{- with .Values.controller.ingressClassResource.parameters }}
+ parameters: {{ toYaml . | nindent 4 }}
+ {{- end }}
{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-keda.yaml b/charts/ingress-nginx/templates/controller-keda.yaml
index 875157e..24d30fa 100644
--- a/charts/ingress-nginx/templates/controller-keda.yaml
+++ b/charts/ingress-nginx/templates/controller-keda.yaml
@@ -1,6 +1,4 @@
-{{- if and .Values.controller.keda.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}}
-# https://keda.sh/docs/
-
+{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled (not .Values.controller.autoscaling.enabled) -}}
apiVersion: {{ .Values.controller.keda.apiVersion }}
kind: ScaledObject
metadata:
@@ -11,6 +9,7 @@
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
{{- if .Values.controller.keda.scaledObject.annotations }}
annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }}
{{- end }}
@@ -25,6 +24,11 @@
cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }}
minReplicaCount: {{ .Values.controller.keda.minReplicas }}
maxReplicaCount: {{ .Values.controller.keda.maxReplicas }}
+{{- with .Values.controller.keda.fallback }}
+ fallback:
+ failureThreshold: {{ .failureThreshold | default 3 }}
+ replicas: {{ .replicas | default $.Values.controller.keda.maxReplicas }}
+{{- end }}
triggers:
{{- with .Values.controller.keda.triggers }}
{{ toYaml . | indent 2 }}
diff --git a/charts/ingress-nginx/templates/controller-networkpolicy.yaml b/charts/ingress-nginx/templates/controller-networkpolicy.yaml
new file mode 100644
index 0000000..e68f991
--- /dev/null
+++ b/charts/ingress-nginx/templates/controller-networkpolicy.yaml
@@ -0,0 +1,45 @@
+{{- if .Values.controller.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+ {{- with .Values.controller.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ include "ingress-nginx.controller.fullname" . }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: controller
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - ports:
+ {{- range $key, $value := .Values.controller.containerPort }}
+ - protocol: TCP
+ port: {{ $value }}
+ {{- end }}
+ {{- if .Values.controller.metrics.enabled }}
+ - protocol: TCP
+ port: {{ .Values.controller.metrics.port }}
+ {{- end }}
+ {{- if .Values.controller.admissionWebhooks.enabled }}
+ - protocol: TCP
+ port: {{ .Values.controller.admissionWebhooks.port }}
+ {{- end }}
+ {{- range $key, $value := .Values.tcp }}
+ - protocol: TCP
+ port: {{ $key }}
+ {{- end }}
+ {{- range $key, $value := .Values.udp }}
+ - protocol: UDP
+ port: {{ $key }}
+ {{- end }}
+ egress:
+ - {}
+{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml
index 8dfbe98..a1f5fbb 100644
--- a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml
+++ b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml
@@ -1,4 +1,13 @@
-{{- if or (and .Values.controller.autoscaling.enabled (gt (.Values.controller.autoscaling.minReplicas | int) 1)) (and (not .Values.controller.autoscaling.enabled) (gt (.Values.controller.replicaCount | int) 1)) }}
+# PDB is not supported for DaemonSets.
+# https://github.com/kubernetes/kubernetes/issues/108124
+{{- if eq .Values.controller.kind "Deployment" }}
+{{- $replicas := .Values.controller.replicaCount }}
+{{- if and .Values.controller.autoscaling.enabled (not .Values.controller.keda.enabled) }}
+{{- $replicas = .Values.controller.autoscaling.minReplicas }}
+{{- else if and .Values.controller.keda.enabled (not .Values.controller.autoscaling.enabled) }}
+{{- $replicas = .Values.controller.keda.minReplicas }}
+{{- end }}
+{{- if gt ($replicas | int) 1 }}
apiVersion: {{ ternary "policy/v1" "policy/v1beta1" (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }}
kind: PodDisruptionBudget
metadata:
@@ -9,11 +18,22 @@
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
+ {{- if .Values.controller.annotations }}
+ annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
+ {{- end }}
spec:
selector:
matchLabels:
{{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: controller
+ {{- if and .Values.controller.minAvailable (not (hasKey .Values.controller "maxUnavailable")) }}
minAvailable: {{ .Values.controller.minAvailable }}
+ {{- else if .Values.controller.maxUnavailable }}
+ maxUnavailable: {{ .Values.controller.maxUnavailable }}
+ {{- end }}
+ {{- if .Values.controller.unhealthyPodEvictionPolicy }}
+ unhealthyPodEvictionPolicy: {{ .Values.controller.unhealthyPodEvictionPolicy }}
+ {{- end }}
+{{- end }}
{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-prometheusrules.yaml b/charts/ingress-nginx/templates/controller-prometheusrule.yaml
similarity index 77%
rename from charts/ingress-nginx/templates/controller-prometheusrules.yaml
rename to charts/ingress-nginx/templates/controller-prometheusrule.yaml
index ca54275..4a9357f 100644
--- a/charts/ingress-nginx/templates/controller-prometheusrules.yaml
+++ b/charts/ingress-nginx/templates/controller-prometheusrule.yaml
@@ -4,7 +4,9 @@
metadata:
name: {{ include "ingress-nginx.controller.fullname" . }}
{{- if .Values.controller.metrics.prometheusRule.namespace }}
- namespace: {{ .Values.controller.metrics.prometheusRule.namespace | quote }}
+ namespace: {{ .Values.controller.metrics.prometheusRule.namespace }}
+{{- else }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }}
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
@@ -12,6 +14,9 @@
{{- if .Values.controller.metrics.prometheusRule.additionalLabels }}
{{- toYaml .Values.controller.metrics.prometheusRule.additionalLabels | nindent 4 }}
{{- end }}
+ {{- if .Values.controller.metrics.prometheusRule.annotations }}
+ annotations: {{ toYaml .Values.controller.metrics.prometheusRule.annotations | nindent 4 }}
+ {{- end }}
spec:
{{- if .Values.controller.metrics.prometheusRule.rules }}
groups:
diff --git a/charts/ingress-nginx/templates/controller-psp.yaml b/charts/ingress-nginx/templates/controller-psp.yaml
deleted file mode 100644
index a859594..0000000
--- a/charts/ingress-nginx/templates/controller-psp.yaml
+++ /dev/null
@@ -1,89 +0,0 @@
-{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ include "ingress-nginx.fullname" . }}
- labels:
- {{- include "ingress-nginx.labels" . | nindent 4 }}
- app.kubernetes.io/component: controller
- {{- with .Values.controller.labels }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
-spec:
- allowedCapabilities:
- - NET_BIND_SERVICE
-{{- if .Values.controller.sysctls }}
- allowedUnsafeSysctls:
- {{- range $sysctl, $value := .Values.controller.sysctls }}
- - {{ $sysctl }}
- {{- end }}
-{{- end }}
- privileged: false
- allowPrivilegeEscalation: true
- # Allow core volume types.
- volumes:
- - 'configMap'
- - 'emptyDir'
- #- 'projected'
- - 'secret'
- #- 'downwardAPI'
-{{- if .Values.controller.hostNetwork }}
- hostNetwork: {{ .Values.controller.hostNetwork }}
-{{- end }}
-{{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }}
- hostPorts:
-{{- if .Values.controller.hostNetwork }}
-{{- range $key, $value := .Values.controller.containerPort }}
- # {{ $key }}
- - min: {{ $value }}
- max: {{ $value }}
-{{- end }}
-{{- else if .Values.controller.hostPort.enabled }}
-{{- range $key, $value := .Values.controller.hostPort.ports }}
- # {{ $key }}
- - min: {{ $value }}
- max: {{ $value }}
-{{- end }}
-{{- end }}
-{{- if .Values.controller.metrics.enabled }}
- # metrics
- - min: {{ .Values.controller.metrics.port }}
- max: {{ .Values.controller.metrics.port }}
-{{- end }}
-{{- if .Values.controller.admissionWebhooks.enabled }}
- # admission webhooks
- - min: {{ .Values.controller.admissionWebhooks.port }}
- max: {{ .Values.controller.admissionWebhooks.port }}
-{{- end }}
-{{- range $key, $value := .Values.tcp }}
- # {{ $key }}-tcp
- - min: {{ $key }}
- max: {{ $key }}
-{{- end }}
-{{- range $key, $value := .Values.udp }}
- # {{ $key }}-udp
- - min: {{ $key }}
- max: {{ $key }}
-{{- end }}
-{{- end }}
- hostIPC: false
- hostPID: false
- runAsUser:
- # Require the container to run without root privileges.
- rule: 'MustRunAsNonRoot'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- readOnlyRootFilesystem: false
- seLinux:
- rule: 'RunAsAny'
-{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-role.yaml b/charts/ingress-nginx/templates/controller-role.yaml
index 47bbc32..127b368 100644
--- a/charts/ingress-nginx/templates/controller-role.yaml
+++ b/charts/ingress-nginx/templates/controller-role.yaml
@@ -9,7 +9,7 @@
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
rules:
- apiGroups:
- ""
@@ -44,12 +44,15 @@
- get
- list
- watch
+ # Omit Ingress status permissions if `--update-status` is disabled.
+ {{- if ne (index .Values.controller.extraArgs "update-status") "false" }}
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
+ {{- end }}
- apiGroups:
- networking.k8s.io
resources:
@@ -59,18 +62,18 @@
- list
- watch
- apiGroups:
- - ""
+ - coordination.k8s.io
resources:
- - configmaps
+ - leases
resourceNames:
- - {{ .Values.controller.electionID }}
+ - {{ include "ingress-nginx.controller.electionID" . }}
verbs:
- get
- update
- apiGroups:
- - ""
+ - coordination.k8s.io
resources:
- - configmaps
+ - leases
verbs:
- create
- apiGroups:
@@ -80,14 +83,12 @@
verbs:
- create
- patch
-{{- if .Values.podSecurityPolicy.enabled }}
- - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
- resources: ['podsecuritypolicies']
- verbs: ['use']
- {{- with .Values.controller.existingPsp }}
- resourceNames: [{{ . }}]
- {{- else }}
- resourceNames: [{{ include "ingress-nginx.fullname" . }}]
- {{- end }}
-{{- end }}
+ - apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - list
+ - watch
+ - get
{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-rolebinding.yaml b/charts/ingress-nginx/templates/controller-rolebinding.yaml
index e846a11..153430a 100644
--- a/charts/ingress-nginx/templates/controller-rolebinding.yaml
+++ b/charts/ingress-nginx/templates/controller-rolebinding.yaml
@@ -9,7 +9,7 @@
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -17,5 +17,5 @@
subjects:
- kind: ServiceAccount
name: {{ template "ingress-nginx.serviceAccountName" . }}
- namespace: {{ .Release.Namespace | quote }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-secret.yaml b/charts/ingress-nginx/templates/controller-secret.yaml
new file mode 100644
index 0000000..f20f534
--- /dev/null
+++ b/charts/ingress-nginx/templates/controller-secret.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.dhParam -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+ {{- with .Values.controller.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ include "ingress-nginx.controller.fullname" . }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
+data:
+ dhparam.pem: {{ .Values.dhParam }}
+{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-service-internal.yaml b/charts/ingress-nginx/templates/controller-service-internal.yaml
index 5994498..6d0b47c 100644
--- a/charts/ingress-nginx/templates/controller-service-internal.yaml
+++ b/charts/ingress-nginx/templates/controller-service-internal.yaml
@@ -1,10 +1,10 @@
-{{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled .Values.controller.service.internal.annotations}}
+{{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled .Values.controller.service.internal.annotations -}}
apiVersion: v1
kind: Service
metadata:
annotations:
{{- range $key, $value := .Values.controller.service.internal.annotations }}
- {{ $key }}: {{ $value | quote }}
+ {{ $key }}: {{ tpl ($value | toString) $ | quote }}
{{- end }}
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
@@ -13,63 +13,89 @@
{{- toYaml .Values.controller.service.labels | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}-internal
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
spec:
- type: "{{ .Values.controller.service.type }}"
+ type: {{ .Values.controller.service.internal.type | default .Values.controller.service.type }}
+{{- if .Values.controller.service.internal.clusterIP }}
+ clusterIP: {{ .Values.controller.service.internal.clusterIP }}
+{{- end }}
+{{- if .Values.controller.service.internal.externalIPs }}
+ externalIPs: {{ toYaml .Values.controller.service.internal.externalIPs | nindent 4 }}
+{{- end }}
{{- if .Values.controller.service.internal.loadBalancerIP }}
loadBalancerIP: {{ .Values.controller.service.internal.loadBalancerIP }}
{{- end }}
{{- if .Values.controller.service.internal.loadBalancerSourceRanges }}
loadBalancerSourceRanges: {{ toYaml .Values.controller.service.internal.loadBalancerSourceRanges | nindent 4 }}
{{- end }}
+{{- if .Values.controller.service.internal.loadBalancerClass }}
+ loadBalancerClass: {{ .Values.controller.service.internal.loadBalancerClass }}
+{{- end }}
+{{- if hasKey .Values.controller.service.internal "allocateLoadBalancerNodePorts" }}
+ allocateLoadBalancerNodePorts: {{ .Values.controller.service.internal.allocateLoadBalancerNodePorts }}
+{{- end }}
{{- if .Values.controller.service.internal.externalTrafficPolicy }}
externalTrafficPolicy: {{ .Values.controller.service.internal.externalTrafficPolicy }}
{{- end }}
+{{- if .Values.controller.service.internal.sessionAffinity }}
+ sessionAffinity: {{ .Values.controller.service.internal.sessionAffinity }}
+{{- end }}
+{{- if .Values.controller.service.internal.healthCheckNodePort }}
+ healthCheckNodePort: {{ .Values.controller.service.internal.healthCheckNodePort }}
+{{- end }}
+{{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version -}}
+{{- if .Values.controller.service.internal.ipFamilyPolicy }}
+ ipFamilyPolicy: {{ .Values.controller.service.internal.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.controller.service.internal.ipFamilies }}
+ ipFamilies: {{ toYaml .Values.controller.service.internal.ipFamilies | nindent 4 }}
+{{- end }}
+{{- end }}
ports:
{{- $setNodePorts := (or (eq .Values.controller.service.type "NodePort") (eq .Values.controller.service.type "LoadBalancer")) }}
{{- if .Values.controller.service.enableHttp }}
- name: http
- port: {{ .Values.controller.service.ports.http }}
+ port: {{ .Values.controller.service.internal.ports.http | default .Values.controller.service.ports.http }}
protocol: TCP
- targetPort: {{ .Values.controller.service.targetPorts.http }}
- {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
+ targetPort: {{ .Values.controller.service.internal.targetPorts.http | default .Values.controller.service.targetPorts.http }}
+ {{- if and (semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version) (.Values.controller.service.internal.appProtocol) }}
appProtocol: http
{{- end }}
- {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }}
- nodePort: {{ .Values.controller.service.nodePorts.http }}
+ {{- if (and $setNodePorts (not (empty .Values.controller.service.internal.nodePorts.http))) }}
+ nodePort: {{ .Values.controller.service.internal.nodePorts.http }}
{{- end }}
{{- end }}
{{- if .Values.controller.service.enableHttps }}
- name: https
- port: {{ .Values.controller.service.ports.https }}
+ port: {{ .Values.controller.service.internal.ports.https | default .Values.controller.service.ports.https }}
protocol: TCP
- targetPort: {{ .Values.controller.service.targetPorts.https }}
- {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
+ targetPort: {{ .Values.controller.service.internal.targetPorts.https | default .Values.controller.service.targetPorts.https }}
+ {{- if and (semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version) (.Values.controller.service.internal.appProtocol) }}
appProtocol: https
{{- end }}
- {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }}
- nodePort: {{ .Values.controller.service.nodePorts.https }}
+ {{- if (and $setNodePorts (not (empty .Values.controller.service.internal.nodePorts.https))) }}
+ nodePort: {{ .Values.controller.service.internal.nodePorts.https }}
{{- end }}
{{- end }}
{{- range $key, $value := .Values.tcp }}
- - name: {{ $key }}-tcp
+ - name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-tcp
port: {{ $key }}
protocol: TCP
- targetPort: {{ $key }}-tcp
- {{- if $.Values.controller.service.nodePorts.tcp }}
- {{- if index $.Values.controller.service.nodePorts.tcp $key }}
- nodePort: {{ index $.Values.controller.service.nodePorts.tcp $key }}
+ targetPort: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-tcp
+ {{- if $.Values.controller.service.internal.nodePorts.tcp }}
+ {{- if index $.Values.controller.service.internal.nodePorts.tcp $key }}
+ nodePort: {{ index $.Values.controller.service.internal.nodePorts.tcp $key }}
{{- end }}
{{- end }}
{{- end }}
{{- range $key, $value := .Values.udp }}
- - name: {{ $key }}-udp
+ - name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-udp
port: {{ $key }}
protocol: UDP
- targetPort: {{ $key }}-udp
- {{- if $.Values.controller.service.nodePorts.udp }}
- {{- if index $.Values.controller.service.nodePorts.udp $key }}
- nodePort: {{ index $.Values.controller.service.nodePorts.udp $key }}
+ targetPort: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-udp
+ {{- if $.Values.controller.service.internal.nodePorts.udp }}
+ {{- if index $.Values.controller.service.internal.nodePorts.udp $key }}
+ nodePort: {{ index $.Values.controller.service.internal.nodePorts.udp $key }}
{{- end }}
{{- end }}
{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-service-metrics.yaml b/charts/ingress-nginx/templates/controller-service-metrics.yaml
index 0aaf414..4b25a84 100644
--- a/charts/ingress-nginx/templates/controller-service-metrics.yaml
+++ b/charts/ingress-nginx/templates/controller-service-metrics.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.controller.metrics.enabled -}}
+{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.service.enabled -}}
apiVersion: v1
kind: Service
metadata:
@@ -12,7 +12,7 @@
{{- toYaml .Values.controller.metrics.service.labels | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}-metrics
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
spec:
type: {{ .Values.controller.metrics.service.type }}
{{- if .Values.controller.metrics.service.clusterIP }}
@@ -31,10 +31,10 @@
externalTrafficPolicy: {{ .Values.controller.metrics.service.externalTrafficPolicy }}
{{- end }}
ports:
- - name: metrics
+ - name: {{ .Values.controller.metrics.portName }}
port: {{ .Values.controller.metrics.service.servicePort }}
protocol: TCP
- targetPort: metrics
+ targetPort: {{ .Values.controller.metrics.portName }}
{{- $setNodePorts := (or (eq .Values.controller.metrics.service.type "NodePort") (eq .Values.controller.metrics.service.type "LoadBalancer")) }}
{{- if (and $setNodePorts (not (empty .Values.controller.metrics.service.nodePort))) }}
nodePort: {{ .Values.controller.metrics.service.nodePort }}
diff --git a/charts/ingress-nginx/templates/controller-service-webhook.yaml b/charts/ingress-nginx/templates/controller-service-webhook.yaml
index 2aae24f..67aac0d 100644
--- a/charts/ingress-nginx/templates/controller-service-webhook.yaml
+++ b/charts/ingress-nginx/templates/controller-service-webhook.yaml
@@ -12,7 +12,7 @@
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}-admission
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
spec:
type: {{ .Values.controller.admissionWebhooks.service.type }}
{{- if .Values.controller.admissionWebhooks.service.clusterIP }}
@@ -29,9 +29,9 @@
{{- end }}
ports:
- name: https-webhook
- port: 443
+ port: {{ .Values.controller.admissionWebhooks.service.servicePort }}
targetPort: webhook
- {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
+ {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
appProtocol: https
{{- end }}
selector:
diff --git a/charts/ingress-nginx/templates/controller-service.yaml b/charts/ingress-nginx/templates/controller-service.yaml
index 05fb204..cb78a70 100644
--- a/charts/ingress-nginx/templates/controller-service.yaml
+++ b/charts/ingress-nginx/templates/controller-service.yaml
@@ -4,7 +4,7 @@
metadata:
annotations:
{{- range $key, $value := .Values.controller.service.annotations }}
- {{ $key }}: {{ $value | quote }}
+ {{ $key }}: {{ tpl ($value | toString) $ | quote }}
{{- end }}
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
@@ -13,7 +13,7 @@
{{- toYaml .Values.controller.service.labels | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
spec:
type: {{ .Values.controller.service.type }}
{{- if .Values.controller.service.clusterIP }}
@@ -28,6 +28,12 @@
{{- if .Values.controller.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges: {{ toYaml .Values.controller.service.loadBalancerSourceRanges | nindent 4 }}
{{- end }}
+{{- if .Values.controller.service.loadBalancerClass }}
+ loadBalancerClass: {{ .Values.controller.service.loadBalancerClass }}
+{{- end }}
+{{- if hasKey .Values.controller.service "allocateLoadBalancerNodePorts" }}
+ allocateLoadBalancerNodePorts: {{ .Values.controller.service.allocateLoadBalancerNodePorts }}
+{{- end }}
{{- if .Values.controller.service.externalTrafficPolicy }}
externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }}
{{- end }}
@@ -37,12 +43,10 @@
{{- if .Values.controller.service.healthCheckNodePort }}
healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }}
{{- end }}
-{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version -}}
+{{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version -}}
{{- if .Values.controller.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy }}
{{- end }}
-{{- end }}
-{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version -}}
{{- if .Values.controller.service.ipFamilies }}
ipFamilies: {{ toYaml .Values.controller.service.ipFamilies | nindent 4 }}
{{- end }}
@@ -54,7 +58,7 @@
port: {{ .Values.controller.service.ports.http }}
protocol: TCP
targetPort: {{ .Values.controller.service.targetPorts.http }}
- {{- if and (semverCompare ">=1.20" .Capabilities.KubeVersion.Version) (.Values.controller.service.appProtocol) }}
+ {{- if and (semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version) (.Values.controller.service.appProtocol) }}
appProtocol: http
{{- end }}
{{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }}
@@ -66,7 +70,7 @@
port: {{ .Values.controller.service.ports.https }}
protocol: TCP
targetPort: {{ .Values.controller.service.targetPorts.https }}
- {{- if and (semverCompare ">=1.20" .Capabilities.KubeVersion.Version) (.Values.controller.service.appProtocol) }}
+ {{- if and (semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version) (.Values.controller.service.appProtocol) }}
appProtocol: https
{{- end }}
{{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }}
@@ -74,10 +78,10 @@
{{- end }}
{{- end }}
{{- range $key, $value := .Values.tcp }}
- - name: {{ $key }}-tcp
+ - name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-tcp
port: {{ $key }}
protocol: TCP
- targetPort: {{ $key }}-tcp
+ targetPort: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-tcp
{{- if $.Values.controller.service.nodePorts.tcp }}
{{- if index $.Values.controller.service.nodePorts.tcp $key }}
nodePort: {{ index $.Values.controller.service.nodePorts.tcp $key }}
@@ -85,10 +89,10 @@
{{- end }}
{{- end }}
{{- range $key, $value := .Values.udp }}
- - name: {{ $key }}-udp
+ - name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-udp
port: {{ $key }}
protocol: UDP
- targetPort: {{ $key }}-udp
+ targetPort: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-udp
{{- if $.Values.controller.service.nodePorts.udp }}
{{- if index $.Values.controller.service.nodePorts.udp $key }}
nodePort: {{ index $.Values.controller.service.nodePorts.udp $key }}
diff --git a/charts/ingress-nginx/templates/controller-serviceaccount.yaml b/charts/ingress-nginx/templates/controller-serviceaccount.yaml
index 824b2a1..df83de3 100644
--- a/charts/ingress-nginx/templates/controller-serviceaccount.yaml
+++ b/charts/ingress-nginx/templates/controller-serviceaccount.yaml
@@ -9,10 +9,9 @@
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ template "ingress-nginx.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
{{- if .Values.serviceAccount.annotations }}
- annotations:
- {{ toYaml .Values.serviceAccount.annotations | indent 4 }}
+ annotations: {{ toYaml .Values.serviceAccount.annotations | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-servicemonitor.yaml b/charts/ingress-nginx/templates/controller-servicemonitor.yaml
index 4dbc6da..93ab4d2 100644
--- a/charts/ingress-nginx/templates/controller-servicemonitor.yaml
+++ b/charts/ingress-nginx/templates/controller-servicemonitor.yaml
@@ -3,46 +3,48 @@
kind: ServiceMonitor
metadata:
name: {{ include "ingress-nginx.controller.fullname" . }}
-{{- if .Values.controller.metrics.serviceMonitor.namespace }}
- namespace: {{ .Values.controller.metrics.serviceMonitor.namespace | quote }}
-{{- end }}
+ {{- if .Values.controller.metrics.serviceMonitor.namespace }}
+ namespace: {{ .Values.controller.metrics.serviceMonitor.namespace }}
+ {{- else }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
+ {{- end }}
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
- {{- if .Values.controller.metrics.serviceMonitor.additionalLabels }}
+ {{- if .Values.controller.metrics.serviceMonitor.additionalLabels }}
{{- toYaml .Values.controller.metrics.serviceMonitor.additionalLabels | nindent 4 }}
+ {{- end }}
+ {{- if .Values.controller.metrics.serviceMonitor.annotations }}
+ annotations: {{ toYaml .Values.controller.metrics.serviceMonitor.annotations | nindent 4 }}
{{- end }}
spec:
- endpoints:
- - port: metrics
- interval: {{ .Values.controller.metrics.serviceMonitor.scrapeInterval }}
- {{- if .Values.controller.metrics.serviceMonitor.honorLabels }}
- honorLabels: true
- {{- end }}
- {{- if .Values.controller.metrics.serviceMonitor.relabelings }}
- relabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.relabelings | nindent 8 }}
- {{- end }}
- {{- if .Values.controller.metrics.serviceMonitor.metricRelabelings }}
- metricRelabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.metricRelabelings | nindent 8 }}
- {{- end }}
-{{- if .Values.controller.metrics.serviceMonitor.jobLabel }}
- jobLabel: {{ .Values.controller.metrics.serviceMonitor.jobLabel | quote }}
-{{- end }}
-{{- if .Values.controller.metrics.serviceMonitor.namespaceSelector }}
+ {{- if .Values.controller.metrics.serviceMonitor.namespaceSelector }}
namespaceSelector: {{ toYaml .Values.controller.metrics.serviceMonitor.namespaceSelector | nindent 4 }}
-{{- else }}
+ {{- else }}
namespaceSelector:
matchNames:
- - {{ .Release.Namespace }}
-{{- end }}
-{{- if .Values.controller.metrics.serviceMonitor.targetLabels }}
- targetLabels:
- {{- range .Values.controller.metrics.serviceMonitor.targetLabels }}
- - {{ . }}
+ - {{ include "ingress-nginx.namespace" . }}
{{- end }}
-{{- end }}
selector:
matchLabels:
{{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: controller
+ endpoints:
+ - port: {{ .Values.controller.metrics.portName }}
+ interval: {{ .Values.controller.metrics.serviceMonitor.scrapeInterval }}
+ {{- if .Values.controller.metrics.serviceMonitor.honorLabels }}
+ honorLabels: true
+ {{- end }}
+ {{- if .Values.controller.metrics.serviceMonitor.relabelings }}
+ relabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.relabelings | nindent 4 }}
+ {{- end }}
+ {{- if .Values.controller.metrics.serviceMonitor.metricRelabelings }}
+ metricRelabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.metricRelabelings | nindent 4 }}
+ {{- end }}
+ {{- if .Values.controller.metrics.serviceMonitor.jobLabel }}
+ jobLabel: {{ .Values.controller.metrics.serviceMonitor.jobLabel | quote }}
+ {{- end }}
+ {{- if .Values.controller.metrics.serviceMonitor.targetLabels }}
+ targetLabels: {{ toYaml .Values.controller.metrics.serviceMonitor.targetLabels | nindent 2 }}
+ {{- end }}
{{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-deployment.yaml b/charts/ingress-nginx/templates/default-backend-deployment.yaml
index fd3e96e..f7d9de1 100644
--- a/charts/ingress-nginx/templates/default-backend-deployment.yaml
+++ b/charts/ingress-nginx/templates/default-backend-deployment.yaml
@@ -9,7 +9,7 @@
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
spec:
selector:
matchLabels:
@@ -19,13 +19,18 @@
replicas: {{ .Values.defaultBackend.replicaCount }}
{{- end }}
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
+ {{- if .Values.defaultBackend.updateStrategy }}
+ strategy:
+ {{ toYaml .Values.defaultBackend.updateStrategy | nindent 4 }}
+ {{- end }}
+ minReadySeconds: {{ .Values.defaultBackend.minReadySeconds }}
template:
metadata:
{{- if .Values.defaultBackend.podAnnotations }}
annotations: {{ toYaml .Values.defaultBackend.podAnnotations | nindent 8 }}
{{- end }}
labels:
- {{- include "ingress-nginx.selectorLabels" . | nindent 8 }}
+ {{- include "ingress-nginx.labels" . | nindent 8 }}
app.kubernetes.io/component: default-backend
{{- with .Values.defaultBackend.labels }}
{{- toYaml . | nindent 8 }}
@@ -45,8 +50,8 @@
{{- end }}
containers:
- name: {{ template "ingress-nginx.name" . }}-default-backend
- {{- with .Values.defaultBackend.image }}
- image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
+ {{- with (merge .Values.defaultBackend.image .Values.global.image) }}
+ image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
{{- end }}
imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }}
{{- if .Values.defaultBackend.extraArgs }}
@@ -60,14 +65,7 @@
{{- end }}
{{- end }}
{{- end }}
- securityContext:
- capabilities:
- drop:
- - ALL
- runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
- runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
- allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
- readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem}}
+ securityContext: {{ include "ingress-nginx.defaultBackend.containerSecurityContext" . | nindent 12 }}
{{- if .Values.defaultBackend.extraEnvs }}
env: {{ toYaml .Values.defaultBackend.extraEnvs | nindent 12 }}
{{- end }}
@@ -104,12 +102,15 @@
{{- if .Values.defaultBackend.nodeSelector }}
nodeSelector: {{ toYaml .Values.defaultBackend.nodeSelector | nindent 8 }}
{{- end }}
- serviceAccountName: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
+ serviceAccountName: {{ include "ingress-nginx.defaultBackend.serviceAccountName" . }}
{{- if .Values.defaultBackend.tolerations }}
tolerations: {{ toYaml .Values.defaultBackend.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.defaultBackend.affinity }}
- affinity: {{ toYaml .Values.defaultBackend.affinity | nindent 8 }}
+ affinity: {{ tpl (toYaml .Values.defaultBackend.affinity) $ | nindent 8 }}
+ {{- end }}
+ {{- if .Values.defaultBackend.topologySpreadConstraints }}
+ topologySpreadConstraints: {{ tpl (toYaml .Values.defaultBackend.topologySpreadConstraints) $ | nindent 8 }}
{{- end }}
terminationGracePeriodSeconds: 60
{{- if .Values.defaultBackend.extraVolumes }}
diff --git a/charts/ingress-nginx/templates/default-backend-extra-configmaps.yaml b/charts/ingress-nginx/templates/default-backend-extra-configmaps.yaml
new file mode 100644
index 0000000..9af56cf
--- /dev/null
+++ b/charts/ingress-nginx/templates/default-backend-extra-configmaps.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.defaultBackend.enabled }}
+{{- range .Values.defaultBackend.extraConfigMaps }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" $ | nindent 4 }}
+ app.kubernetes.io/component: default-backend
+ {{- with $.Values.defaultBackend.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ .name }}
+ namespace: {{ include "ingress-nginx.namespace" $ }}
+data:
+ {{- with .data }}
+ {{- toYaml . | nindent 2 }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-hpa.yaml b/charts/ingress-nginx/templates/default-backend-hpa.yaml
index 594d265..49bcdcf 100644
--- a/charts/ingress-nginx/templates/default-backend-hpa.yaml
+++ b/charts/ingress-nginx/templates/default-backend-hpa.yaml
@@ -1,33 +1,40 @@
{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.autoscaling.enabled }}
-apiVersion: autoscaling/v2beta1
+apiVersion: {{ ternary "autoscaling/v2" "autoscaling/v2beta2" (.Capabilities.APIVersions.Has "autoscaling/v2") }}
kind: HorizontalPodAutoscaler
metadata:
+ {{- with .Values.defaultBackend.autoscaling.annotations }}
+ annotations: {{ toYaml . | nindent 4 }}
+ {{- end }}
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: default-backend
{{- with .Values.defaultBackend.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
- name: {{ template "ingress-nginx.defaultBackend.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
- name: {{ template "ingress-nginx.defaultBackend.fullname" . }}
+ name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
minReplicas: {{ .Values.defaultBackend.autoscaling.minReplicas }}
maxReplicas: {{ .Values.defaultBackend.autoscaling.maxReplicas }}
metrics:
-{{- with .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }}
- - type: Resource
- resource:
- name: cpu
- targetAverageUtilization: {{ . }}
-{{- end }}
-{{- with .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }}
- - type: Resource
- resource:
- name: memory
- targetAverageUtilization: {{ . }}
-{{- end }}
+ {{- with .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: Utilization
+ averageUtilization: {{ . }}
+ {{- end }}
+ {{- with .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ . }}
+ {{- end }}
{{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-networkpolicy.yaml b/charts/ingress-nginx/templates/default-backend-networkpolicy.yaml
new file mode 100644
index 0000000..90b3c2b
--- /dev/null
+++ b/charts/ingress-nginx/templates/default-backend-networkpolicy.yaml
@@ -0,0 +1,25 @@
+{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: default-backend
+ {{- with .Values.defaultBackend.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: default-backend
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: {{ .Values.defaultBackend.port }}
+{{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml
index 00891ce..e399ea8 100644
--- a/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml
+++ b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml
@@ -1,5 +1,9 @@
{{- if .Values.defaultBackend.enabled -}}
-{{- if or (gt (.Values.defaultBackend.replicaCount | int) 1) (gt (.Values.defaultBackend.autoscaling.minReplicas | int) 1) }}
+{{- $replicas := .Values.defaultBackend.replicaCount }}
+{{- if .Values.defaultBackend.autoscaling.enabled }}
+{{- $replicas = .Values.defaultBackend.autoscaling.minReplicas }}
+{{- end }}
+{{- if gt ($replicas | int) 1 }}
apiVersion: {{ ternary "policy/v1" "policy/v1beta1" (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }}
kind: PodDisruptionBudget
metadata:
@@ -10,12 +14,19 @@
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
spec:
selector:
matchLabels:
{{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: default-backend
+ {{- if and .Values.defaultBackend.minAvailable (not (hasKey .Values.defaultBackend "maxUnavailable")) }}
minAvailable: {{ .Values.defaultBackend.minAvailable }}
+ {{- else if .Values.defaultBackend.maxUnavailable }}
+ maxUnavailable: {{ .Values.defaultBackend.maxUnavailable }}
+ {{- end }}
+ {{- if .Values.defaultBackend.unhealthyPodEvictionPolicy }}
+ unhealthyPodEvictionPolicy: {{ .Values.defaultBackend.unhealthyPodEvictionPolicy }}
+ {{- end }}
{{- end }}
{{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-psp.yaml b/charts/ingress-nginx/templates/default-backend-psp.yaml
deleted file mode 100644
index 42061c5..0000000
--- a/charts/ingress-nginx/templates/default-backend-psp.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingPsp) -}}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ include "ingress-nginx.fullname" . }}-backend
- labels:
- {{- include "ingress-nginx.labels" . | nindent 4 }}
- app.kubernetes.io/component: default-backend
- {{- with .Values.defaultBackend.labels }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
-spec:
- allowPrivilegeEscalation: false
- fsGroup:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- requiredDropCapabilities:
- - ALL
- runAsUser:
- rule: MustRunAsNonRoot
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- volumes:
- - configMap
- - emptyDir
- - projected
- - secret
- - downwardAPI
-{{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-role.yaml b/charts/ingress-nginx/templates/default-backend-role.yaml
deleted file mode 100644
index a2b457c..0000000
--- a/charts/ingress-nginx/templates/default-backend-role.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- labels:
- {{- include "ingress-nginx.labels" . | nindent 4 }}
- app.kubernetes.io/component: default-backend
- {{- with .Values.defaultBackend.labels }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
- name: {{ include "ingress-nginx.fullname" . }}-backend
- namespace: {{ .Release.Namespace }}
-rules:
- - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
- resources: ['podsecuritypolicies']
- verbs: ['use']
- {{- with .Values.defaultBackend.existingPsp }}
- resourceNames: [{{ . }}]
- {{- else }}
- resourceNames: [{{ include "ingress-nginx.fullname" . }}-backend]
- {{- end }}
-{{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-rolebinding.yaml b/charts/ingress-nginx/templates/default-backend-rolebinding.yaml
deleted file mode 100644
index dbaa516..0000000
--- a/charts/ingress-nginx/templates/default-backend-rolebinding.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- labels:
- {{- include "ingress-nginx.labels" . | nindent 4 }}
- app.kubernetes.io/component: default-backend
- {{- with .Values.defaultBackend.labels }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
- name: {{ include "ingress-nginx.fullname" . }}-backend
- namespace: {{ .Release.Namespace }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ include "ingress-nginx.fullname" . }}-backend
-subjects:
- - kind: ServiceAccount
- name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
- namespace: {{ .Release.Namespace | quote }}
-{{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-service.yaml b/charts/ingress-nginx/templates/default-backend-service.yaml
index 5f1d09a..65b6b83 100644
--- a/charts/ingress-nginx/templates/default-backend-service.yaml
+++ b/charts/ingress-nginx/templates/default-backend-service.yaml
@@ -12,7 +12,7 @@
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
spec:
type: {{ .Values.defaultBackend.service.type }}
{{- if .Values.defaultBackend.service.clusterIP }}
@@ -32,7 +32,7 @@
port: {{ .Values.defaultBackend.service.servicePort }}
protocol: TCP
targetPort: http
- {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
+ {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
appProtocol: http
{{- end }}
selector:
diff --git a/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml b/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml
index b45a95a..6fd2d62 100644
--- a/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml
+++ b/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.serviceAccount.create -}}
+{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
@@ -8,7 +8,7 @@
{{- with .Values.defaultBackend.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
- name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
+ name: {{ include "ingress-nginx.defaultBackend.serviceAccountName" . }}
+ namespace: {{ include "ingress-nginx.namespace" . }}
automountServiceAccountToken: {{ .Values.defaultBackend.serviceAccount.automountServiceAccountToken }}
{{- end }}
diff --git a/charts/ingress-nginx/templates/dh-param-secret.yaml b/charts/ingress-nginx/templates/dh-param-secret.yaml
deleted file mode 100644
index 12e7a4f..0000000
--- a/charts/ingress-nginx/templates/dh-param-secret.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-{{- with .Values.dhParam -}}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "ingress-nginx.controller.fullname" $ }}
- labels:
- {{- include "ingress-nginx.labels" $ | nindent 4 }}
-data:
- dhparam.pem: {{ . }}
-{{- end }}
diff --git a/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml
new file mode 100644
index 0000000..d7a8b88
--- /dev/null
+++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml
@@ -0,0 +1,11 @@
+suite: Admission Webhooks > Patch Job > ClusterRole
+templates:
+ - admission-webhooks/job-patch/clusterrole.yaml
+
+tests:
+ - it: should not create a ClusterRole if `controller.admissionWebhooks.patch.rbac.create` is false
+ set:
+ controller.admissionWebhooks.patch.rbac.create: false
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml
new file mode 100644
index 0000000..d7c3266
--- /dev/null
+++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml
@@ -0,0 +1,11 @@
+suite: Admission Webhooks > Patch Job > ClusterRoleBinding
+templates:
+ - admission-webhooks/job-patch/clusterrolebinding.yaml
+
+tests:
+ - it: should not create a ClusterRoleBinding if `controller.admissionWebhooks.patch.rbac.create` is false
+ set:
+ controller.admissionWebhooks.patch.rbac.create: false
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml
new file mode 100644
index 0000000..a236f3d
--- /dev/null
+++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml
@@ -0,0 +1,11 @@
+suite: Admission Webhooks > Patch Job > Role
+templates:
+ - admission-webhooks/job-patch/role.yaml
+
+tests:
+ - it: should not create a Role if `controller.admissionWebhooks.patch.rbac.create` is false
+ set:
+ controller.admissionWebhooks.patch.rbac.create: false
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml
new file mode 100644
index 0000000..74abaa1
--- /dev/null
+++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml
@@ -0,0 +1,11 @@
+suite: Admission Webhooks > Patch Job > RoleBinding
+templates:
+ - admission-webhooks/job-patch/rolebinding.yaml
+
+tests:
+ - it: should not create a RoleBinding if `controller.admissionWebhooks.patch.rbac.create` is false
+ set:
+ controller.admissionWebhooks.patch.rbac.create: false
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml
new file mode 100644
index 0000000..f72bc43
--- /dev/null
+++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml
@@ -0,0 +1,47 @@
+suite: Admission Webhooks > Patch Job > ServiceAccount
+templates:
+ - admission-webhooks/job-patch/serviceaccount.yaml
+
+tests:
+ - it: should not create a ServiceAccount if `controller.admissionWebhooks.patch.serviceAccount.create` is false
+ set:
+ controller.admissionWebhooks.patch.serviceAccount.create: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a ServiceAccount if `controller.admissionWebhooks.patch.serviceAccount.create` is true
+ set:
+ controller.admissionWebhooks.patch.serviceAccount.create: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ServiceAccount
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-admission
+
+ - it: should create a ServiceAccount with specified name if `controller.admissionWebhooks.patch.serviceAccount.name` is set
+ set:
+ controller.admissionWebhooks.patch.serviceAccount.name: ingress-nginx-admission-test-sa
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ServiceAccount
+ - equal:
+ path: metadata.name
+ value: ingress-nginx-admission-test-sa
+
+ - it: should create a ServiceAccount with token auto-mounting disabled if `controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken` is false
+ set:
+ controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ServiceAccount
+ - equal:
+ path: automountServiceAccountToken
+ value: false
diff --git a/charts/ingress-nginx/tests/admission-webhooks/validating-webhook_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/validating-webhook_test.yaml
new file mode 100644
index 0000000..47b6b68
--- /dev/null
+++ b/charts/ingress-nginx/tests/admission-webhooks/validating-webhook_test.yaml
@@ -0,0 +1,32 @@
+suite: Admission Webhooks > ValidatingWebhookConfiguration
+templates:
+ - admission-webhooks/validating-webhook.yaml
+
+tests:
+ - it: should not create a ValidatingWebhookConfiguration if `controller.admissionWebhooks.enabled` is false
+ set:
+ controller.admissionWebhooks.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a ValidatingWebhookConfiguration if `controller.admissionWebhooks.enabled` is true
+ set:
+ controller.admissionWebhooks.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ValidatingWebhookConfiguration
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-admission
+
+ - it: should create a ValidatingWebhookConfiguration with a custom port if `controller.admissionWebhooks.service.servicePort` is set
+ set:
+ controller.admissionWebhooks.enabled: true
+ controller.admissionWebhooks.service.servicePort: 9443
+ asserts:
+ - equal:
+ path: webhooks[0].clientConfig.service.port
+ value: 9443
diff --git a/charts/ingress-nginx/tests/controller-configmap-addheaders_test.yaml b/charts/ingress-nginx/tests/controller-configmap-addheaders_test.yaml
new file mode 100644
index 0000000..e831d50
--- /dev/null
+++ b/charts/ingress-nginx/tests/controller-configmap-addheaders_test.yaml
@@ -0,0 +1,27 @@
+suite: Controller > ConfigMap > Add Headers
+templates:
+ - controller-configmap-addheaders.yaml
+
+tests:
+ - it: should not create a ConfigMap if `controller.addHeaders` is not set
+ set:
+ controller.addHeaders: null
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a ConfigMap if `controller.addHeaders` is set
+ set:
+ controller.addHeaders:
+ X-Another-Custom-Header: Value
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-custom-add-headers
+ - equal:
+ path: data.X-Another-Custom-Header
+ value: Value
diff --git a/charts/ingress-nginx/tests/controller-configmap-proxyheaders_test.yaml b/charts/ingress-nginx/tests/controller-configmap-proxyheaders_test.yaml
new file mode 100644
index 0000000..0634a37
--- /dev/null
+++ b/charts/ingress-nginx/tests/controller-configmap-proxyheaders_test.yaml
@@ -0,0 +1,27 @@
+suite: Controller > ConfigMap > Proxy Headers
+templates:
+ - controller-configmap-proxyheaders.yaml
+
+tests:
+ - it: should not create a ConfigMap if `controller.proxySetHeaders` is not set
+ set:
+ controller.proxySetHeaders: null
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a ConfigMap if `controller.proxySetHeaders` is set
+ set:
+ controller.proxySetHeaders:
+ X-Custom-Header: Value
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-custom-proxy-headers
+ - equal:
+ path: data.X-Custom-Header
+ value: Value
diff --git a/charts/ingress-nginx/tests/controller-configmap_test.yaml b/charts/ingress-nginx/tests/controller-configmap_test.yaml
new file mode 100644
index 0000000..168b657
--- /dev/null
+++ b/charts/ingress-nginx/tests/controller-configmap_test.yaml
@@ -0,0 +1,31 @@
+suite: Controller > ConfigMap
+templates:
+ - controller-configmap.yaml
+
+tests:
+ - it: should create a ConfigMap
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should create a ConfigMap with templated values if `controller.config` contains templates
+ set:
+ controller.config:
+ template: "test.{{ .Release.Namespace }}.svc.kubernetes.local"
+ integer: 12345
+ boolean: true
+ asserts:
+ - equal:
+ path: data.template
+ value: test.NAMESPACE.svc.kubernetes.local
+ - equal:
+ path: data.integer
+ value: "12345"
+ - equal:
+ path: data.boolean
+ value: "true"
diff --git a/charts/ingress-nginx/tests/controller-daemonset_test.yaml b/charts/ingress-nginx/tests/controller-daemonset_test.yaml
new file mode 100644
index 0000000..d2d77be
--- /dev/null
+++ b/charts/ingress-nginx/tests/controller-daemonset_test.yaml
@@ -0,0 +1,192 @@
+suite: Controller > DaemonSet
+templates:
+ - controller-daemonset.yaml
+
+tests:
+ - it: should create a DaemonSet if `controller.kind` is "DaemonSet"
+ set:
+ controller.kind: DaemonSet
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: DaemonSet
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should create a DaemonSet with argument `--enable-metrics=true` if `controller.metrics.enabled` is true
+ set:
+ controller.kind: DaemonSet
+ controller.metrics.enabled: true
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].args
+ content: --enable-metrics=true
+
+ - it: should create a DaemonSet without argument `--enable-metrics=true` if `controller.metrics.enabled` is false
+ set:
+ controller.kind: DaemonSet
+ controller.metrics.enabled: false
+ asserts:
+ - notContains:
+ path: spec.template.spec.containers[0].args
+ content: --enable-metrics=true
+
+ - it: should create a DaemonSet with argument `--controller-class=k8s.io/ingress-nginx-internal` if `controller.ingressClassResource.controllerValue` is "k8s.io/ingress-nginx-internal"
+ set:
+ controller.kind: DaemonSet
+ controller.ingressClassResource.controllerValue: k8s.io/ingress-nginx-internal
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].args
+ content: --controller-class=k8s.io/ingress-nginx-internal
+
+ - it: should create a DaemonSet with resource limits if `controller.resources.limits` is set
+ set:
+ controller.kind: DaemonSet
+ controller.resources.limits.cpu: 500m
+ controller.resources.limits.memory: 512Mi
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.cpu
+ value: 500m
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.memory
+ value: 512Mi
+
+ - it: should create a DaemonSet with topology spread constraints if `controller.topologySpreadConstraints` is set
+ set:
+ controller.kind: DaemonSet
+ controller.topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ app.kubernetes.io/instance: '{{ .Release.Name }}'
+ app.kubernetes.io/component: controller
+ topologyKey: topology.kubernetes.io/zone
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ app.kubernetes.io/instance: '{{ .Release.Name }}'
+ app.kubernetes.io/component: controller
+ topologyKey: kubernetes.io/hostname
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ asserts:
+ - equal:
+ path: spec.template.spec.topologySpreadConstraints
+ value:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/component: controller
+ topologyKey: topology.kubernetes.io/zone
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/component: controller
+ topologyKey: kubernetes.io/hostname
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+
+ - it: should create a DaemonSet with affinity if `controller.affinity` is set
+ set:
+ controller.kind: DaemonSet
+ controller.affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - '{{ include "ingress-nginx.name" . }}'
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - '{{ .Release.Name }}'
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - controller
+ topologyKey: kubernetes.io/hostname
+ asserts:
+ - equal:
+ path: spec.template.spec.affinity
+ value:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - ingress-nginx
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - controller
+ topologyKey: kubernetes.io/hostname
+
+ - it: should create a DaemonSet with `runAsGroup` if `controller.image.runAsGroup` is set
+ set:
+ controller.kind: DaemonSet
+ controller.image.runAsGroup: 1000
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.runAsGroup
+ value: 1000
+
+ - it: should create a DaemonSet with a custom registry if `global.image.registry` is set
+ set:
+ global.image.registry: custom.registry.io
+ controller.kind: DaemonSet
+ controller.image.tag: v1.0.0-dev
+ controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: custom.registry.io/ingress-nginx/controller:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+
+ - it: should create a DaemonSet with a custom registry if `controller.image.registry` is set
+ set:
+ controller.kind: DaemonSet
+ controller.image.registry: custom.registry.io
+ controller.image.tag: v1.0.0-dev
+ controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: custom.registry.io/ingress-nginx/controller:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+
+ - it: should create a DaemonSet with a custom image if `controller.image.image` is set
+ set:
+ controller.kind: DaemonSet
+ controller.image.image: custom-repo/custom-image
+ controller.image.tag: v1.0.0-dev
+ controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: registry.k8s.io/custom-repo/custom-image:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+
+ - it: should create a DaemonSet with a custom tag if `controller.image.tag` is set
+ set:
+ controller.kind: DaemonSet
+ controller.image.tag: custom-tag
+ controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: registry.k8s.io/ingress-nginx/controller:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
diff --git a/charts/ingress-nginx/tests/controller-deployment_test.yaml b/charts/ingress-nginx/tests/controller-deployment_test.yaml
new file mode 100644
index 0000000..1cc9c93
--- /dev/null
+++ b/charts/ingress-nginx/tests/controller-deployment_test.yaml
@@ -0,0 +1,217 @@
+suite: Controller > Deployment
+templates:
+ - controller-deployment.yaml
+
+tests:
+ - it: should create a Deployment
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: Deployment
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should create a Deployment with 3 replicas if `controller.replicaCount` is 3
+ set:
+ controller.replicaCount: 3
+ asserts:
+ - equal:
+ path: spec.replicas
+ value: 3
+
+ - it: should create a Deployment without replicas if `controller.autoscaling.enabled` is true
+ set:
+ controller.autoscaling.enabled: true
+ asserts:
+ - notExists:
+ path: spec.replicas
+
+ - it: should create a Deployment without replicas if `controller.keda.enabled` is true
+ set:
+ controller.keda.enabled: true
+ asserts:
+ - notExists:
+ path: spec.replicas
+
+ - it: should create a Deployment with replicas if `controller.autoscaling.enabled` is true and `controller.keda.enabled` is true
+ set:
+ controller.autoscaling.enabled: true
+ controller.keda.enabled: true
+ asserts:
+ - exists:
+ path: spec.replicas
+
+ - it: should create a Deployment with argument `--enable-metrics=true` if `controller.metrics.enabled` is true
+ set:
+ controller.metrics.enabled: true
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].args
+ content: --enable-metrics=true
+
+ - it: should create a Deployment without argument `--enable-metrics=true` if `controller.metrics.enabled` is false
+ set:
+ controller.metrics.enabled: false
+ asserts:
+ - notContains:
+ path: spec.template.spec.containers[0].args
+ content: --enable-metrics=true
+
+ - it: should create a Deployment with argument `--controller-class=k8s.io/ingress-nginx-internal` if `controller.ingressClassResource.controllerValue` is "k8s.io/ingress-nginx-internal"
+ set:
+ controller.ingressClassResource.controllerValue: k8s.io/ingress-nginx-internal
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].args
+ content: --controller-class=k8s.io/ingress-nginx-internal
+
+ - it: should create a Deployment with resource limits if `controller.resources.limits` is set
+ set:
+ controller.resources.limits.cpu: 500m
+ controller.resources.limits.memory: 512Mi
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.cpu
+ value: 500m
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.memory
+ value: 512Mi
+
+ - it: should create a Deployment with topology spread constraints if `controller.topologySpreadConstraints` is set
+ set:
+ controller.topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ app.kubernetes.io/instance: '{{ .Release.Name }}'
+ app.kubernetes.io/component: controller
+ topologyKey: topology.kubernetes.io/zone
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ app.kubernetes.io/instance: '{{ .Release.Name }}'
+ app.kubernetes.io/component: controller
+ topologyKey: kubernetes.io/hostname
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ asserts:
+ - equal:
+ path: spec.template.spec.topologySpreadConstraints
+ value:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/component: controller
+ topologyKey: topology.kubernetes.io/zone
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/component: controller
+ topologyKey: kubernetes.io/hostname
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+
+ - it: should create a Deployment with affinity if `controller.affinity` is set
+ set:
+ controller.affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - '{{ include "ingress-nginx.name" . }}'
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - '{{ .Release.Name }}'
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - controller
+ topologyKey: kubernetes.io/hostname
+ asserts:
+ - equal:
+ path: spec.template.spec.affinity
+ value:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - ingress-nginx
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - controller
+ topologyKey: kubernetes.io/hostname
+
+ - it: should create a Deployment with `runAsGroup` if `controller.image.runAsGroup` is set
+ set:
+ controller.image.runAsGroup: 1000
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.runAsGroup
+ value: 1000
+
+ - it: should create a Deployment with a custom registry if `global.image.registry` is set
+ set:
+ global.image.registry: custom.registry.io
+ controller.image.tag: v1.0.0-dev
+ controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: custom.registry.io/ingress-nginx/controller:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+
+ - it: should create a Deployment with a custom registry if `controller.image.registry` is set
+ set:
+ controller.image.registry: custom.registry.io
+ controller.image.tag: v1.0.0-dev
+ controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: custom.registry.io/ingress-nginx/controller:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+
+ - it: should create a Deployment with a custom image if `controller.image.image` is set
+ set:
+ controller.image.image: custom-repo/custom-image
+ controller.image.tag: v1.0.0-dev
+ controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: registry.k8s.io/custom-repo/custom-image:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+
+ - it: should create a Deployment with a custom tag if `controller.image.tag` is set
+ set:
+ controller.image.tag: custom-tag
+ controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: registry.k8s.io/ingress-nginx/controller:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+
+ - it: should create a Deployment with `progressDeadlineSeconds` if `controller.progressDeadlineSeconds` is set
+ set:
+ controller.progressDeadlineSeconds: 111
+ asserts:
+ - equal:
+ path: spec.progressDeadlineSeconds
+ value: 111
diff --git a/charts/ingress-nginx/tests/controller-hpa_test.yaml b/charts/ingress-nginx/tests/controller-hpa_test.yaml
new file mode 100644
index 0000000..869d3a6
--- /dev/null
+++ b/charts/ingress-nginx/tests/controller-hpa_test.yaml
@@ -0,0 +1,31 @@
+suite: Controller > HPA
+templates:
+ - controller-hpa.yaml
+
+tests:
+ - it: should create an HPA if `controller.autoscaling.enabled` is true
+ set:
+ controller.autoscaling.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: HorizontalPodAutoscaler
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should not create an HPA if `controller.autoscaling.enabled` is true and `controller.keda.enabled` is true
+ set:
+ controller.autoscaling.enabled: true
+ controller.keda.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should not create an HPA if `controller.kind` is "DaemonSet"
+ set:
+ controller.kind: DaemonSet
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/ingress-nginx/tests/controller-ingressclass-aliases_test.yaml b/charts/ingress-nginx/tests/controller-ingressclass-aliases_test.yaml
new file mode 100644
index 0000000..9a4a576
--- /dev/null
+++ b/charts/ingress-nginx/tests/controller-ingressclass-aliases_test.yaml
@@ -0,0 +1,110 @@
+suite: Controller > IngressClass > Aliases
+templates:
+ - controller-ingressclass-aliases.yaml
+
+tests:
+ - it: should not create IngressClass aliases
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create an IngressClass alias with name "nginx-alias" if `controller.ingressClassResource.aliases` is set
+ set:
+ controller.ingressClassResource.aliases:
+ - nginx-alias
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx-alias
+
+ - it: should create an IngressClass alias without annotation `ingressclass.kubernetes.io/is-default-class` if `controller.ingressClassResource.default` is true
+ set:
+ controller.ingressClassResource.aliases:
+ - nginx-alias
+ controller.ingressClassResource.default: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx-alias
+ - notExists:
+ path: metadata.annotations["ingressclass.kubernetes.io/is-default-class"]
+
+ - it: should create an IngressClass alias with annotations if `controller.ingressClassResource.annotations` is set
+ set:
+ controller.ingressClassResource.aliases:
+ - nginx-alias
+ controller.ingressClassResource.annotations:
+ my-fancy-annotation: has-a-value
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx-alias
+ - equal:
+ path: metadata.annotations.my-fancy-annotation
+ value: has-a-value
+
+ - it: should create an IngressClass alias with controller "k8s.io/ingress-nginx-internal" if `controller.ingressClassResource.controllerValue` is "k8s.io/ingress-nginx-internal"
+ set:
+ controller.ingressClassResource.aliases:
+ - nginx-alias
+ controller.ingressClassResource.controllerValue: k8s.io/ingress-nginx-internal
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx-alias
+ - equal:
+ path: spec.controller
+ value: k8s.io/ingress-nginx-internal
+
+ - it: should create an IngressClass alias with parameters if `controller.ingressClassResource.parameters` is set
+ set:
+ controller.ingressClassResource.aliases:
+ - nginx-alias
+ controller.ingressClassResource.parameters:
+ apiGroup: k8s.example.com
+ kind: IngressParameters
+ name: external-lb
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx-alias
+ - equal:
+ path: spec.parameters
+ value:
+ apiGroup: k8s.example.com
+ kind: IngressParameters
+ name: external-lb
+
+ - it: should create two IngressClass aliases if `controller.ingressClassResource.aliases` has two elements
+ set:
+ controller.ingressClassResource.aliases:
+ - nginx-alias-1
+ - nginx-alias-2
+ asserts:
+ - hasDocuments:
+ count: 2
+ - isKind:
+ of: IngressClass
+ - matchRegex:
+ path: metadata.name
+ pattern: nginx-alias-(1|2)
diff --git a/charts/ingress-nginx/tests/controller-ingressclass_test.yaml b/charts/ingress-nginx/tests/controller-ingressclass_test.yaml
new file mode 100644
index 0000000..b3384af
--- /dev/null
+++ b/charts/ingress-nginx/tests/controller-ingressclass_test.yaml
@@ -0,0 +1,93 @@
+suite: Controller > IngressClass
+templates:
+ - controller-ingressclass.yaml
+
+tests:
+ - it: should create an IngressClass
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx
+
+ - it: should create an IngressClass with name "nginx-internal" if `controller.ingressClassResource.name` is "nginx-internal"
+ set:
+ controller.ingressClassResource.name: nginx-internal
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx-internal
+
+ - it: "should create an IngressClass with annotation `ingressclass.kubernetes.io/is-default-class: \"true\"` if `controller.ingressClassResource.default` is true"
+ set:
+ controller.ingressClassResource.default: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx
+ - equal:
+ path: metadata.annotations["ingressclass.kubernetes.io/is-default-class"]
+ value: "true"
+
+ - it: should create an IngressClass with annotations if `controller.ingressClassResource.annotations` is set
+ set:
+ controller.ingressClassResource.annotations:
+ my-fancy-annotation: has-a-value
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx
+ - equal:
+ path: metadata.annotations.my-fancy-annotation
+ value: has-a-value
+
+ - it: should create an IngressClass with controller "k8s.io/ingress-nginx-internal" if `controller.ingressClassResource.controllerValue` is "k8s.io/ingress-nginx-internal"
+ set:
+ controller.ingressClassResource.controllerValue: k8s.io/ingress-nginx-internal
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx
+ - equal:
+ path: spec.controller
+ value: k8s.io/ingress-nginx-internal
+
+ - it: should create an IngressClass with parameters if `controller.ingressClassResource.parameters` is set
+ set:
+ controller.ingressClassResource.parameters:
+ apiGroup: k8s.example.com
+ kind: IngressParameters
+ name: external-lb
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx
+ - equal:
+ path: spec.parameters
+ value:
+ apiGroup: k8s.example.com
+ kind: IngressParameters
+ name: external-lb
diff --git a/charts/ingress-nginx/tests/controller-keda_test.yaml b/charts/ingress-nginx/tests/controller-keda_test.yaml
new file mode 100644
index 0000000..8002834
--- /dev/null
+++ b/charts/ingress-nginx/tests/controller-keda_test.yaml
@@ -0,0 +1,31 @@
+suite: Controller > KEDA
+templates:
+ - controller-keda.yaml
+
+tests:
+ - it: should create a ScaledObject if `controller.keda.enabled` is true
+ set:
+ controller.keda.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ScaledObject
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should not create a ScaledObject if `controller.keda.enabled` is true and `controller.autoscaling.enabled` is true
+ set:
+ controller.keda.enabled: true
+ controller.autoscaling.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should not create a ScaledObject if `controller.kind` is "DaemonSet"
+ set:
+ controller.kind: DaemonSet
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/ingress-nginx/tests/controller-networkpolicy_test.yaml b/charts/ingress-nginx/tests/controller-networkpolicy_test.yaml
new file mode 100644
index 0000000..5de12e9
--- /dev/null
+++ b/charts/ingress-nginx/tests/controller-networkpolicy_test.yaml
@@ -0,0 +1,23 @@
+suite: Controller > NetworkPolicy
+templates:
+ - controller-networkpolicy.yaml
+
+tests:
+ - it: should not create a NetworkPolicy if `controller.networkPolicy.enabled` is false
+ set:
+ controller.networkPolicy.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a NetworkPolicy if `controller.networkPolicy.enabled` is true
+ set:
+ controller.networkPolicy.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: NetworkPolicy
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
diff --git a/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml b/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml
new file mode 100644
index 0000000..5ac986f
--- /dev/null
+++ b/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml
@@ -0,0 +1,102 @@
+suite: Controller > PodDisruptionBudget
+templates:
+ - controller-poddisruptionbudget.yaml
+
+tests:
+ - it: should create a PodDisruptionBudget if `controller.replicaCount` is greater than 1
+ set:
+ controller.replicaCount: 2
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PodDisruptionBudget
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should not create a PodDisruptionBudget if `controller.replicaCount` is less than or equal 1
+ set:
+ controller.replicaCount: 1
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a PodDisruptionBudget if `controller.autoscaling.enabled` is true and `controller.autoscaling.minReplicas` is greater than 1
+ set:
+ controller.autoscaling.enabled: true
+ controller.autoscaling.minReplicas: 2
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PodDisruptionBudget
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should not create a PodDisruptionBudget if `controller.autoscaling.enabled` is true and `controller.autoscaling.minReplicas` is less than or equal 1
+ set:
+ controller.autoscaling.enabled: true
+ controller.autoscaling.minReplicas: 1
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a PodDisruptionBudget if `controller.keda.enabled` is true and `controller.keda.minReplicas` is greater than 1
+ set:
+ controller.keda.enabled: true
+ controller.keda.minReplicas: 2
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PodDisruptionBudget
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should not create a PodDisruptionBudget if `controller.keda.enabled` is true and `controller.keda.minReplicas` is less than or equal 1
+ set:
+ controller.keda.enabled: true
+ controller.keda.minReplicas: 1
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should not create a PodDisruptionBudget if `controller.autoscaling.enabled` is true and `controller.keda.enabled` is true
+ set:
+ controller.autoscaling.enabled: true
+ controller.keda.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a PodDisruptionBudget without `minAvailable` and with `maxUnavailable` if `controller.minAvailable` and `controller.maxUnavailable` are set
+ set:
+ controller.replicaCount: 2
+ controller.minAvailable: 1
+ controller.maxUnavailable: 1
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PodDisruptionBudget
+ - notExists:
+ path: spec.minAvailable
+ - equal:
+ path: spec.maxUnavailable
+ value: 1
+
+ - it: should create a PodDisruptionBudget with `unhealthyPodEvictionPolicy` if `controller.unhealthyPodEvictionPolicy` is set
+ set:
+ controller.replicaCount: 2
+ controller.unhealthyPodEvictionPolicy: IfHealthyBudget
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PodDisruptionBudget
+ - equal:
+ path: spec.unhealthyPodEvictionPolicy
+ value: IfHealthyBudget
diff --git a/charts/ingress-nginx/tests/controller-prometheusrule_test.yaml b/charts/ingress-nginx/tests/controller-prometheusrule_test.yaml
new file mode 100644
index 0000000..2d33091
--- /dev/null
+++ b/charts/ingress-nginx/tests/controller-prometheusrule_test.yaml
@@ -0,0 +1,29 @@
+suite: Controller > PrometheusRule
+templates:
+ - controller-prometheusrule.yaml
+
+tests:
+ - it: should create a PrometheusRule if `controller.metrics.prometheusRule.enabled` is true
+ set:
+ controller.metrics.enabled: true
+ controller.metrics.prometheusRule.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PrometheusRule
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should create a PrometheusRule with annotations if `controller.metrics.prometheusRule.annotations` is set
+ set:
+ controller.metrics.enabled: true
+ controller.metrics.prometheusRule.enabled: true
+ controller.metrics.prometheusRule.annotations:
+ my-little-annotation: test-value
+ asserts:
+ - equal:
+ path: metadata.annotations
+ value:
+ my-little-annotation: test-value
diff --git a/charts/ingress-nginx/tests/controller-service-internal_test.yaml b/charts/ingress-nginx/tests/controller-service-internal_test.yaml
new file mode 100644
index 0000000..5465e1a
--- /dev/null
+++ b/charts/ingress-nginx/tests/controller-service-internal_test.yaml
@@ -0,0 +1,25 @@
+suite: Controller > Service > Internal
+templates:
+ - controller-service-internal.yaml
+
+tests:
+ - it: should not create an internal Service if `controller.service.internal.enabled` is false
+ set:
+ controller.service.internal.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create an internal Service if `controller.service.internal.enabled` is true and `controller.service.internal.annotations` are set
+ set:
+ controller.service.internal.enabled: true
+ controller.service.internal.annotations:
+ test.annotation: "true"
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: Service
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller-internal
diff --git a/charts/ingress-nginx/tests/controller-service-metrics_test.yaml b/charts/ingress-nginx/tests/controller-service-metrics_test.yaml
new file mode 100644
index 0000000..ddb412e
--- /dev/null
+++ b/charts/ingress-nginx/tests/controller-service-metrics_test.yaml
@@ -0,0 +1,41 @@
+suite: Controller > Service > Metrics
+templates:
+ - controller-service-metrics.yaml
+
+tests:
+ - it: should not create a metrics Service if `controller.metrics.enabled` is false and `controller.metrics.service.enabled` is false
+ set:
+ controller.metrics.enabled: false
+ controller.metrics.service.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should not create a metrics Service if `controller.metrics.enabled` is false and `controller.metrics.service.enabled` is true
+ set:
+ controller.metrics.enabled: false
+ controller.metrics.service.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should not create a metrics Service if `controller.metrics.enabled` is true and `controller.metrics.service.enabled` is false
+ set:
+ controller.metrics.enabled: true
+ controller.metrics.service.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a metrics Service if `controller.metrics.enabled` is true and `controller.metrics.service.enabled` is true
+ set:
+ controller.metrics.enabled: true
+ controller.metrics.service.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: Service
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller-metrics
diff --git a/charts/ingress-nginx/tests/controller-service-webhook_test.yaml b/charts/ingress-nginx/tests/controller-service-webhook_test.yaml
new file mode 100644
index 0000000..1c759ed
--- /dev/null
+++ b/charts/ingress-nginx/tests/controller-service-webhook_test.yaml
@@ -0,0 +1,32 @@
+suite: Controller > Service > Webhook
+templates:
+ - controller-service-webhook.yaml
+
+tests:
+ - it: should not create a webhook Service if `controller.admissionWebhooks.enabled` is false
+ set:
+ controller.admissionWebhooks.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a webhook Service if `controller.admissionWebhooks.enabled` is true
+ set:
+ controller.admissionWebhooks.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: Service
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller-admission
+
+ - it: should create a webhook Service with a custom port if `controller.admissionWebhooks.service.servicePort` is set
+ set:
+ controller.admissionWebhooks.enabled: true
+ controller.admissionWebhooks.service.servicePort: 9443
+ asserts:
+ - equal:
+ path: spec.ports[0].port
+ value: 9443
diff --git a/charts/ingress-nginx/tests/controller-service_test.yaml b/charts/ingress-nginx/tests/controller-service_test.yaml
new file mode 100644
index 0000000..10574f2
--- /dev/null
+++ b/charts/ingress-nginx/tests/controller-service_test.yaml
@@ -0,0 +1,32 @@
+suite: Controller > Service
+templates:
+ - controller-service.yaml
+
+tests:
+ - it: should not create a Service if `controller.service.external.enabled` is false
+ set:
+ controller.service.external.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a Service if `controller.service.external.enabled` is true
+ set:
+ controller.service.external.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: Service
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should create a Service of type "NodePort" if `controller.service.external.enabled` is true and `controller.service.type` is "NodePort"
+ set:
+ controller.service.external.enabled: true
+ controller.service.type: NodePort
+ asserts:
+ - equal:
+ path: spec.type
+ value: NodePort
diff --git a/charts/ingress-nginx/tests/controller-serviceaccount_test.yaml b/charts/ingress-nginx/tests/controller-serviceaccount_test.yaml
new file mode 100644
index 0000000..928e537
--- /dev/null
+++ b/charts/ingress-nginx/tests/controller-serviceaccount_test.yaml
@@ -0,0 +1,47 @@
+suite: Controller > ServiceAccount
+templates:
+ - controller-serviceaccount.yaml
+
+tests:
+ - it: should not create a ServiceAccount if `serviceAccount.create` is false
+ set:
+ serviceAccount.create: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a ServiceAccount if `serviceAccount.create` is true
+ set:
+ serviceAccount.create: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ServiceAccount
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx
+
+ - it: should create a ServiceAccount with specified name if `serviceAccount.name` is set
+ set:
+ serviceAccount.name: ingress-nginx-admission-test-sa
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ServiceAccount
+ - equal:
+ path: metadata.name
+ value: ingress-nginx-admission-test-sa
+
+ - it: should create a ServiceAccount with token auto-mounting disabled if `serviceAccount.automountServiceAccountToken` is false
+ set:
+ serviceAccount.automountServiceAccountToken: false
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ServiceAccount
+ - equal:
+ path: automountServiceAccountToken
+ value: false
diff --git a/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml b/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml
new file mode 100644
index 0000000..310097c
--- /dev/null
+++ b/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml
@@ -0,0 +1,29 @@
+suite: Controller > ServiceMonitor
+templates:
+ - controller-servicemonitor.yaml
+
+tests:
+ - it: should create a ServiceMonitor if `controller.metrics.serviceMonitor.enabled` is true
+ set:
+ controller.metrics.enabled: true
+ controller.metrics.serviceMonitor.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ServiceMonitor
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should create a ServiceMonitor with annotations if `controller.metrics.serviceMonitor.annotations` is set
+ set:
+ controller.metrics.enabled: true
+ controller.metrics.serviceMonitor.enabled: true
+ controller.metrics.serviceMonitor.annotations:
+ my-little-annotation: test-value
+ asserts:
+ - equal:
+ path: metadata.annotations
+ value:
+ my-little-annotation: test-value
diff --git a/charts/ingress-nginx/tests/default-backend-deployment_test.yaml b/charts/ingress-nginx/tests/default-backend-deployment_test.yaml
new file mode 100644
index 0000000..c3fa339
--- /dev/null
+++ b/charts/ingress-nginx/tests/default-backend-deployment_test.yaml
@@ -0,0 +1,189 @@
+suite: Default Backend > Deployment
+templates:
+ - default-backend-deployment.yaml
+
+tests:
+ - it: should not create a Deployment if `defaultBackend.enabled` is false
+ set:
+ defaultBackend.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a Deployment if `defaultBackend.enabled` is true
+ set:
+ defaultBackend.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: Deployment
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-defaultbackend
+
+ - it: should create a Deployment with 3 replicas if `defaultBackend.replicaCount` is 3
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.replicaCount: 3
+ asserts:
+ - equal:
+ path: spec.replicas
+ value: 3
+
+ - it: should create a Deployment without replicas if `defaultBackend.autoscaling.enabled` is true
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.autoscaling.enabled: true
+ asserts:
+ - notExists:
+ path: spec.replicas
+
+ - it: should create a Deployment with resource limits if `defaultBackend.resources.limits` is set
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.resources.limits.cpu: 500m
+ defaultBackend.resources.limits.memory: 512Mi
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.cpu
+ value: 500m
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.memory
+ value: 512Mi
+
+ - it: should create a Deployment with topology spread constraints if `defaultBackend.topologySpreadConstraints` is set
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ app.kubernetes.io/instance: '{{ .Release.Name }}'
+ app.kubernetes.io/component: default-backend
+ topologyKey: topology.kubernetes.io/zone
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ app.kubernetes.io/instance: '{{ .Release.Name }}'
+ app.kubernetes.io/component: default-backend
+ topologyKey: kubernetes.io/hostname
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ asserts:
+ - equal:
+ path: spec.template.spec.topologySpreadConstraints
+ value:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/component: default-backend
+ topologyKey: topology.kubernetes.io/zone
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/component: default-backend
+ topologyKey: kubernetes.io/hostname
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+
+ - it: should create a Deployment with affinity if `defaultBackend.affinity` is set
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - '{{ include "ingress-nginx.name" . }}'
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - '{{ .Release.Name }}'
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - default-backend
+ topologyKey: kubernetes.io/hostname
+ asserts:
+ - equal:
+ path: spec.template.spec.affinity
+ value:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - ingress-nginx
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - default-backend
+ topologyKey: kubernetes.io/hostname
+
+ - it: should create a Deployment with `runAsGroup` if `defaultBackend.image.runAsGroup` is set
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.image.runAsGroup: 1000
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.runAsGroup
+ value: 1000
+
+ - it: should create a Deployment with a custom registry if `global.image.registry` is set
+ set:
+ global.image.registry: custom.registry.io
+ defaultBackend.enabled: true
+ defaultBackend.image.tag: v1.0.0-dev
+ defaultBackend.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: custom.registry.io/defaultbackend-amd64:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+
+ - it: should create a Deployment with a custom registry if `defaultBackend.image.registry` is set
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.image.registry: custom.registry.io
+ defaultBackend.image.tag: v1.0.0-dev
+ defaultBackend.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: custom.registry.io/defaultbackend-amd64:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+
+ - it: should create a Deployment with a custom image if `defaultBackend.image.image` is set
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.image.image: custom-repo/custom-image
+ defaultBackend.image.tag: v1.0.0-dev
+ defaultBackend.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: registry.k8s.io/custom-repo/custom-image:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+
+ - it: should create a Deployment with a custom tag if `defaultBackend.image.tag` is set
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.image.tag: custom-tag
+ defaultBackend.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: registry.k8s.io/defaultbackend-amd64:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
diff --git a/charts/ingress-nginx/tests/default-backend-extra-configmaps_test.yaml b/charts/ingress-nginx/tests/default-backend-extra-configmaps_test.yaml
new file mode 100644
index 0000000..aa600e7
--- /dev/null
+++ b/charts/ingress-nginx/tests/default-backend-extra-configmaps_test.yaml
@@ -0,0 +1,50 @@
+suite: Default Backend > Extra ConfigMaps
+templates:
+ - default-backend-extra-configmaps.yaml
+
+tests:
+ - it: should not create a ConfigMap if `defaultBackend.extraConfigMaps` is empty
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.extraConfigMaps: []
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create one ConfigMap if `defaultBackend.extraConfigMaps` has one element
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.extraConfigMaps:
+ - name: my-configmap-1
+ data:
+ key1: value1
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - equal:
+ path: metadata.name
+ value: my-configmap-1
+ - equal:
+ path: data.key1
+ value: value1
+
+ - it: should create two ConfigMaps if `defaultBackend.extraConfigMaps` has two elements
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.extraConfigMaps:
+ - name: my-configmap-1
+ data:
+ key1: value1
+ - name: my-configmap-2
+ data:
+ key2: value2
+ asserts:
+ - hasDocuments:
+ count: 2
+ - isKind:
+ of: ConfigMap
+ - matchRegex:
+ path: metadata.name
+ pattern: my-configmap-(1|2)
diff --git a/charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml b/charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml
new file mode 100644
index 0000000..bfe98e8
--- /dev/null
+++ b/charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml
@@ -0,0 +1,79 @@
+suite: Default Backend > PodDisruptionBudget
+templates:
+ - default-backend-poddisruptionbudget.yaml
+
+tests:
+ - it: should create a PodDisruptionBudget if `defaultBackend.replicaCount` is greater than 1
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.replicaCount: 2
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PodDisruptionBudget
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-defaultbackend
+
+ - it: should not create a PodDisruptionBudget if `defaultBackend.replicaCount` is less than or equal 1
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.replicaCount: 1
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a PodDisruptionBudget if `defaultBackend.autoscaling.enabled` is true and `defaultBackend.autoscaling.minReplicas` is greater than 1
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.autoscaling.enabled: true
+ defaultBackend.autoscaling.minReplicas: 2
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PodDisruptionBudget
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-defaultbackend
+
+ - it: should not create a PodDisruptionBudget if `defaultBackend.autoscaling.enabled` is true and `defaultBackend.autoscaling.minReplicas` is less than or equal 1
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.autoscaling.enabled: true
+ defaultBackend.autoscaling.minReplicas: 1
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a PodDisruptionBudget without `minAvailable` and with `maxUnavailable` if `defaultBackend.minAvailable` and `defaultBackend.maxUnavailable` are set
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.replicaCount: 2
+ defaultBackend.minAvailable: 1
+ defaultBackend.maxUnavailable: 1
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PodDisruptionBudget
+ - notExists:
+ path: spec.minAvailable
+ - equal:
+ path: spec.maxUnavailable
+ value: 1
+
+ - it: should create a PodDisruptionBudget with `unhealthyPodEvictionPolicy` if `defaultBackend.unhealthyPodEvictionPolicy` is set
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.replicaCount: 2
+ defaultBackend.unhealthyPodEvictionPolicy: IfHealthyBudget
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PodDisruptionBudget
+ - equal:
+ path: spec.unhealthyPodEvictionPolicy
+ value: IfHealthyBudget
diff --git a/charts/ingress-nginx/tests/default-backend-service_test.yaml b/charts/ingress-nginx/tests/default-backend-service_test.yaml
new file mode 100644
index 0000000..f16904f
--- /dev/null
+++ b/charts/ingress-nginx/tests/default-backend-service_test.yaml
@@ -0,0 +1,32 @@
+suite: Default Backend > Service
+templates:
+ - default-backend-service.yaml
+
+tests:
+ - it: should not create a Service if `defaultBackend.enabled` is false
+ set:
+ defaultBackend.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a Service if `defaultBackend.enabled` is true
+ set:
+ defaultBackend.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: Service
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-defaultbackend
+
+ - it: should create a Service with port 80 if `defaultBackend.service.port` is 80
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.service.port: 80
+ asserts:
+ - equal:
+ path: spec.ports[0].port
+ value: 80
diff --git a/charts/ingress-nginx/tests/default-backend-serviceaccount_test.yaml b/charts/ingress-nginx/tests/default-backend-serviceaccount_test.yaml
new file mode 100644
index 0000000..05a815d
--- /dev/null
+++ b/charts/ingress-nginx/tests/default-backend-serviceaccount_test.yaml
@@ -0,0 +1,51 @@
+suite: Default Backend > ServiceAccount
+templates:
+ - default-backend-serviceaccount.yaml
+
+tests:
+ - it: should not create a ServiceAccount if `defaultBackend.serviceAccount.create` is false
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.serviceAccount.create: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a ServiceAccount if `defaultBackend.serviceAccount.create` is true
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.serviceAccount.create: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ServiceAccount
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-backend
+
+ - it: should create a ServiceAccount with specified name if `defaultBackend.serviceAccount.name` is set
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.serviceAccount.name: ingress-nginx-admission-test-sa
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ServiceAccount
+ - equal:
+ path: metadata.name
+ value: ingress-nginx-admission-test-sa
+
+ - it: should create a ServiceAccount with token auto-mounting disabled if `defaultBackend.serviceAccount.automountServiceAccountToken` is false
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.serviceAccount.automountServiceAccountToken: false
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ServiceAccount
+ - equal:
+ path: automountServiceAccountToken
+ value: false
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index eb6db4a..5da493d 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -2,11 +2,17 @@
## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/index.md
##
+global:
+ image:
+ # -- Registry host to pull images from.
+ registry: registry.k8s.io
## Overrides for generated resource names
# See templates/_helpers.tpl
# nameOverride:
# fullnameOverride:
+# -- Override the deployment namespace; defaults to .Release.Namespace
+namespaceOverride: ""
## Labels to apply to all resources
##
commonLabels: {}
@@ -15,76 +21,88 @@
controller:
name: controller
+ enableAnnotationValidations: true
image:
- registry: k8s.gcr.io
+ ## Keep false as default for now!
+ chroot: false
+ # registry: registry.k8s.io
image: ingress-nginx/controller
## for backwards compatibility consider setting the full image url via the repository value below
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
## repository:
- tag: "v1.1.1"
- digest: sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+ tag: "v1.12.1"
+ digest: sha256:d2fbc4ec70d8aa2050dd91a91506e998765e86c96f32cffb56c503c9c34eed5b
+ digestChroot: sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
pullPolicy: IfNotPresent
- # www-data -> uid 101
+ runAsNonRoot: true
+ # -- This value must not be changed using the official image.
+ # uid=101(www-data) gid=82(www-data) groups=82(www-data)
runAsUser: 101
- allowPrivilegeEscalation: true
-
- # -- Use an existing PSP instead of creating one
- existingPsp: ""
-
+ # -- This value must not be changed using the official image.
+ # uid=101(www-data) gid=82(www-data) groups=82(www-data)
+ runAsGroup: 82
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ readOnlyRootFilesystem: false
# -- Configures the controller container name
containerName: controller
-
# -- Configures the ports that the nginx-controller listens on
containerPort:
http: 80
https: 443
-
- # -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
+ # -- Global configuration passed to the ConfigMap consumed by the controller. Values may contain Helm templates.
+ # Ref.: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
config: {}
-
# -- Annotations to be added to the controller config configuration configmap.
configAnnotations: {}
-
# -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers
proxySetHeaders: {}
-
# -- Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers
addHeaders: {}
-
# -- Optionally customize the pod dnsConfig.
dnsConfig: {}
-
+ # -- Optionally customize the pod hostAliases.
+ hostAliases: []
+ # - ip: 127.0.0.1
+ # hostnames:
+ # - foo.local
+ # - bar.local
+ # - ip: 10.1.2.3
+ # hostnames:
+ # - foo.remote
+ # - bar.remote
# -- Optionally customize the pod hostname.
hostname: {}
-
# -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'.
# By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller
# to keep resolving names inside the k8s network, use ClusterFirstWithHostNet.
dnsPolicy: ClusterFirst
-
# -- Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network
- # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply
+ # Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply
reportNodeInternalIp: false
-
# -- Process Ingress objects without ingressClass annotation/ingressClassName field
# Overrides value for --watch-ingress-without-class flag of the controller binary
# Defaults to false
watchIngressWithoutClass: false
-
# -- Process IngressClass per name (additionally as per spec.controller).
ingressClassByName: false
-
+ # -- This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto"
+ # Defaults to false
+ enableTopologyAwareRouting: false
+ # -- This configuration disable Nginx Controller Leader Election
+ disableLeaderElection: false
+ # -- Duration a leader election is valid before it's getting re-elected, e.g. `15s`, `10m` or `1h`. (Default: 30s)
+ electionTTL: ""
# -- This configuration defines if Ingress Controller should allow users to set
# their own *-snippet annotations, otherwise this is forbidden / dropped
# when users add those annotations.
# Global snippets in ConfigMap are still respected
- allowSnippetAnnotations: true
-
+ allowSnippetAnnotations: false
# -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
# since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920
# is merged
hostNetwork: false
-
## Use host ports 80 and 443
## Disabled by default
hostPort:
@@ -95,43 +113,61 @@
http: 80
# -- 'hostPort' https port
https: 443
-
- # -- Election ID to use for status update
- electionID: ingress-controller-leader
-
- ## This section refers to the creation of the IngressClass resource
- ## IngressClass resources are supported since k8s >= 1.18 and required since k8s >= 1.19
+ # NetworkPolicy for controller component.
+ networkPolicy:
+ # -- Enable 'networkPolicy' or not
+ enabled: false
+ # -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader'
+ electionID: ""
+ # -- This section refers to the creation of the IngressClass resource.
+ # IngressClasses are immutable and cannot be changed after creation.
+ # We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required.
ingressClassResource:
- # -- Name of the ingressClass
+ # -- Name of the IngressClass
name: nginx
- # -- Is this ingressClass enabled or not
+ # -- Create the IngressClass or not
enabled: true
- # -- Is this the default ingressClass for the cluster
+ # -- If true, Ingresses without `ingressClassName` get assigned to this IngressClass on creation.
+ # Ingress creation gets rejected if there are multiple default IngressClasses.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class
default: false
- # -- Controller-value of the controller that is processing this ingressClass
- controllerValue: "k8s.io/ingress-nginx"
-
- # -- Parameters is a link to a custom resource containing additional
- # configuration for the controller. This is optional if the controller
- # does not require extra parameters.
+ # -- Annotations to be added to the IngressClass resource.
+ annotations: {}
+ # -- Controller of the IngressClass. An Ingress Controller looks for IngressClasses it should reconcile by this value.
+ # This value is also being set as the `--controller-class` argument of this Ingress Controller.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class
+ controllerValue: k8s.io/ingress-nginx
+ # -- Aliases of this IngressClass. Creates copies with identical settings but the respective alias as name.
+ # Useful for development environments with only one Ingress Controller but production-like Ingress resources.
+ # `default` gets enabled on the original IngressClass only.
+ aliases: []
+ # aliases:
+ # - nginx-alias-1
+ # - nginx-alias-2
+ # -- A link to a custom resource containing additional configuration for the controller.
+ # This is optional if the controller consuming this IngressClass does not require additional parameters.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class
parameters: {}
-
+ # parameters:
+ # apiGroup: k8s.example.com
+ # kind: IngressParameters
+ # name: external-lb
# -- For backwards compatibility with ingress.class annotation, use ingressClass.
# Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation
ingressClass: nginx
-
# -- Labels to add to the pod container metadata
podLabels: {}
# key: value
- # -- Security Context policies for controller pods
+ # -- Security context for controller pods
podSecurityContext: {}
-
- # -- See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls
+ # -- sysctls for controller pods
+ ## Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
sysctls: {}
# sysctls:
# "net.core.somaxconn": "8192"
-
+ # -- Security context for controller containers
+ containerSecurityContext: {}
# -- Allows customization of the source of the IP address or FQDN to report
# in the ingress status field. By default, it reads the information provided
# by the service. If disable, the status field reports the IP address of the
@@ -142,7 +178,6 @@
# -- Allows overriding of the publish service to bind to
# Must be <namespace>/<service_name>
pathOverride: ""
-
# Limit the scope of the controller to a specific namespace
scope:
# -- Enable 'scope' or not
@@ -152,31 +187,29 @@
# -- When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels
# only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces.
namespaceSelector: ""
-
# -- Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE)
configMapNamespace: ""
-
tcp:
# -- Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE)
configMapNamespace: ""
# -- Annotations to be added to the tcp config configmap
annotations: {}
-
udp:
# -- Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE)
configMapNamespace: ""
# -- Annotations to be added to the udp config configmap
annotations: {}
-
# -- Maxmind license key to download GeoLite2 Databases.
- ## https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases
+ ## https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/
maxmindLicenseKey: ""
-
- # -- Additional command line arguments to pass to nginx-ingress-controller
+ # -- Additional command line arguments to pass to Ingress-Nginx Controller
# E.g. to specify the default SSL certificate you can use
extraArgs: {}
## extraArgs:
## default-ssl-certificate: "<namespace>/<secret_name>"
+ ## time-buckets: "0.005,0.01,0.025,0.05,0.1,0.25,0.5,1,2.5,5,10"
+ ## length-buckets: "10,20,30,40,50,60,70,80,90,100"
+ ## size-buckets: "10,100,1000,10000,100000,1e+06,1e+07"
# -- Additional environment variables to set
extraEnvs: []
@@ -189,7 +222,6 @@
# -- Use a `DaemonSet` or `Deployment`
kind: Deployment
-
# -- Annotations to be added to the controller Deployment or DaemonSet
##
annotations: {}
@@ -201,7 +233,6 @@
# keel.sh/policy: patch
# keel.sh/trigger: poll
-
# -- The update strategy to apply to the Deployment or DaemonSet
##
updateStrategy: {}
@@ -209,11 +240,12 @@
# maxUnavailable: 1
# type: RollingUpdate
+ # -- Specifies the number of seconds you want to wait for the controller deployment to progress before the system reports back that it has failed.
+ # Ref.: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds
+ progressDeadlineSeconds: 0
# -- `minReadySeconds` to avoid killing pods before we are ready
##
minReadySeconds: 0
-
-
# -- Node tolerations for server scheduling to nodes with taints
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
##
@@ -227,68 +259,80 @@
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
affinity: {}
- # # An example of preferred pod anti-affinity, weight is in the range 1-100
- # podAntiAffinity:
- # preferredDuringSchedulingIgnoredDuringExecution:
- # - weight: 100
- # podAffinityTerm:
- # labelSelector:
- # matchExpressions:
- # - key: app.kubernetes.io/name
- # operator: In
- # values:
- # - ingress-nginx
- # - key: app.kubernetes.io/instance
- # operator: In
- # values:
- # - ingress-nginx
- # - key: app.kubernetes.io/component
- # operator: In
- # values:
- # - controller
- # topologyKey: kubernetes.io/hostname
+ # # An example of preferred pod anti-affinity, weight is in the range 1-100
+ # podAntiAffinity:
+ # preferredDuringSchedulingIgnoredDuringExecution:
+ # - weight: 100
+ # podAffinityTerm:
+ # labelSelector:
+ # matchExpressions:
+ # - key: app.kubernetes.io/name
+ # operator: In
+ # values:
+ # - '{{ include "ingress-nginx.name" . }}'
+ # - key: app.kubernetes.io/instance
+ # operator: In
+ # values:
+ # - '{{ .Release.Name }}'
+ # - key: app.kubernetes.io/component
+ # operator: In
+ # values:
+ # - controller
+ # topologyKey: kubernetes.io/hostname
- # # An example of required pod anti-affinity
- # podAntiAffinity:
- # requiredDuringSchedulingIgnoredDuringExecution:
- # - labelSelector:
- # matchExpressions:
- # - key: app.kubernetes.io/name
- # operator: In
- # values:
- # - ingress-nginx
- # - key: app.kubernetes.io/instance
- # operator: In
- # values:
- # - ingress-nginx
- # - key: app.kubernetes.io/component
- # operator: In
- # values:
- # - controller
- # topologyKey: "kubernetes.io/hostname"
+ # # An example of required pod anti-affinity
+ # podAntiAffinity:
+ # requiredDuringSchedulingIgnoredDuringExecution:
+ # - labelSelector:
+ # matchExpressions:
+ # - key: app.kubernetes.io/name
+ # operator: In
+ # values:
+ # - '{{ include "ingress-nginx.name" . }}'
+ # - key: app.kubernetes.io/instance
+ # operator: In
+ # values:
+ # - '{{ .Release.Name }}'
+ # - key: app.kubernetes.io/component
+ # operator: In
+ # values:
+ # - controller
+ # topologyKey: kubernetes.io/hostname
# -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in.
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
##
topologySpreadConstraints: []
- # - maxSkew: 1
- # topologyKey: failure-domain.beta.kubernetes.io/zone
- # whenUnsatisfiable: DoNotSchedule
- # labelSelector:
- # matchLabels:
- # app.kubernetes.io/instance: ingress-nginx-internal
+ # - labelSelector:
+ # matchLabels:
+ # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ # app.kubernetes.io/instance: '{{ .Release.Name }}'
+ # app.kubernetes.io/component: controller
+ # matchLabelKeys:
+ # - pod-template-hash
+ # topologyKey: topology.kubernetes.io/zone
+ # maxSkew: 1
+ # whenUnsatisfiable: ScheduleAnyway
+ # - labelSelector:
+ # matchLabels:
+ # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ # app.kubernetes.io/instance: '{{ .Release.Name }}'
+ # app.kubernetes.io/component: controller
+ # matchLabelKeys:
+ # - pod-template-hash
+ # topologyKey: kubernetes.io/hostname
+ # maxSkew: 1
+ # whenUnsatisfiable: ScheduleAnyway
# -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready
## wait up to five minutes for the drain of connections
##
terminationGracePeriodSeconds: 300
-
# -- Node labels for controller pod assignment
- ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
##
nodeSelector:
kubernetes.io/os: linux
-
## Liveness and readiness probe values
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
##
@@ -325,58 +369,57 @@
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
-
-
# -- Path of the health check endpoint. All requests received on the port defined by
# the healthz-port parameter are forwarded internally to this path.
healthCheckPath: "/healthz"
-
# -- Address to bind the health check endpoint.
# It is better to set this option to the internal node address
- # if the ingress nginx controller is running in the `hostNetwork: true` mode.
+ # if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode.
healthCheckHost: ""
-
# -- Annotations to be added to controller pods
##
podAnnotations: {}
-
replicaCount: 1
-
+ # -- Minimum available pods set in PodDisruptionBudget.
+ # Define either 'minAvailable' or 'maxUnavailable', never both.
minAvailable: 1
-
+ # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+ # maxUnavailable: 1
+ # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+ # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+ unhealthyPodEvictionPolicy: ""
## Define requests resources to avoid probe issues due to CPU utilization in busy nodes
## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903
## Ideally, there should be no limits.
## https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/
resources:
- ## limits:
- ## cpu: 100m
- ## memory: 90Mi
+ ## limits:
+ ## cpu: 100m
+ ## memory: 90Mi
requests:
cpu: 100m
memory: 90Mi
-
# Mutually exclusive with keda autoscaling
autoscaling:
enabled: false
+ annotations: {}
minReplicas: 1
maxReplicas: 11
targetCPUUtilizationPercentage: 50
targetMemoryUtilizationPercentage: 50
behavior: {}
- # scaleDown:
- # stabilizationWindowSeconds: 300
- # policies:
- # - type: Pods
- # value: 1
- # periodSeconds: 180
- # scaleUp:
- # stabilizationWindowSeconds: 300
- # policies:
- # - type: Pods
- # value: 2
- # periodSeconds: 60
-
+ # scaleDown:
+ # stabilizationWindowSeconds: 300
+ # policies:
+ # - type: Pods
+ # value: 1
+ # periodSeconds: 180
+ # scaleUp:
+ # stabilizationWindowSeconds: 300
+ # policies:
+ # - type: Pods
+ # value: 2
+ # periodSeconds: 60
autoscalingTemplate: []
# Custom or additional autoscaling metrics
# ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics
@@ -399,6 +442,9 @@
maxReplicas: 11
pollingInterval: 30
cooldownPeriod: 300
+ # fallback:
+ # failureThreshold: 3
+ # replicas: 11
restoreToOriginalReplicaCount: false
scaledObject:
annotations: {}
@@ -406,129 +452,202 @@
# annotations:
# key: value
triggers: []
- # - type: prometheus
- # metadata:
- # serverAddress: http://<prometheus-host>:9090
- # metricName: http_requests_total
- # threshold: '100'
- # query: sum(rate(http_requests_total{deployment="my-deployment"}[2m]))
+ # - type: prometheus
+ # metadata:
+ # serverAddress: http://<prometheus-host>:9090
+ # metricName: http_requests_total
+ # threshold: '100'
+ # query: sum(rate(http_requests_total{deployment="my-deployment"}[2m]))
behavior: {}
- # scaleDown:
- # stabilizationWindowSeconds: 300
- # policies:
- # - type: Pods
- # value: 1
- # periodSeconds: 180
- # scaleUp:
- # stabilizationWindowSeconds: 300
- # policies:
- # - type: Pods
- # value: 2
- # periodSeconds: 60
-
+ # scaleDown:
+ # stabilizationWindowSeconds: 300
+ # policies:
+ # - type: Pods
+ # value: 1
+ # periodSeconds: 180
+ # scaleUp:
+ # stabilizationWindowSeconds: 300
+ # policies:
+ # - type: Pods
+ # value: 2
+ # periodSeconds: 60
# -- Enable mimalloc as a drop-in replacement for malloc.
## ref: https://github.com/microsoft/mimalloc
##
enableMimalloc: true
-
## Override NGINX template
customTemplate:
configMapName: ""
configMapKey: ""
-
service:
+ # -- Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service.
enabled: true
-
- # -- If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were
- # using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
- # It allows choosing the protocol for each backend specified in the Kubernetes service.
- # See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244
- # Will be ignored for Kubernetes versions older than 1.20
- ##
- appProtocol: true
-
+ external:
+ # -- Enable the external controller service or not. Useful for internal-only deployments.
+ enabled: true
+ # -- Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service.
annotations: {}
+ # -- Labels to be added to both controller services.
labels: {}
- # clusterIP: ""
-
- # -- List of IP addresses at which the controller services are available
- ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
- ##
+ # -- Type of the external controller service.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
+ type: LoadBalancer
+ # -- Pre-defined cluster internal IP address of the external controller service. Take care of collisions with existing services.
+ # This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
+ clusterIP: ""
+ # -- List of node IP addresses at which the external controller service is available.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
externalIPs: []
-
- # loadBalancerIP: ""
+ # -- Deprecated: Pre-defined IP address of the external controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
+ loadBalancerIP: ""
+ # -- Restrict access to the external controller service. Values must be CIDRs. Allows any source address by default.
loadBalancerSourceRanges: []
+ # -- Load balancer class of the external controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
+ loadBalancerClass: ""
+ # -- Enable node port allocation for the external controller service or not. Applies to type `LoadBalancer` only.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
+ # allocateLoadBalancerNodePorts: true
- enableHttp: true
- enableHttps: true
-
- ## Set external traffic policy to: "Local" to preserve source IP on providers supporting it.
- ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
- # externalTrafficPolicy: ""
-
- ## Must be either "None" or "ClientIP" if set. Kubernetes will default to "None".
- ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
- # sessionAffinity: ""
-
- ## Specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified,
- ## the service controller allocates a port from your cluster’s NodePort range.
- ## Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ # -- External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it.
+ # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ externalTrafficPolicy: ""
+ # -- Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None".
+ # Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
+ sessionAffinity: ""
+ # -- Specifies the health check node port (numeric port number) for the external controller service.
+ # If not specified, the service controller allocates a port from your cluster's node port range.
+ # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
# healthCheckNodePort: 0
- # -- Represents the dual-stack-ness requested or required by this Service. Possible values are
- # SingleStack, PreferDualStack or RequireDualStack.
- # The ipFamilies and clusterIPs fields depend on the value of this field.
- ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/
- ipFamilyPolicy: "SingleStack"
-
- # -- List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically
- # based on cluster configuration and the ipFamilyPolicy field.
- ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/
+ # -- Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack.
+ # Fields `ipFamilies` and `clusterIP` depend on the value of this field.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+ ipFamilyPolicy: SingleStack
+ # -- List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
ipFamilies:
- IPv4
-
+ # -- Enable the HTTP listener on both controller services or not.
+ enableHttp: true
+ # -- Enable the HTTPS listener on both controller services or not.
+ enableHttps: true
ports:
+ # -- Port the external HTTP listener is published with.
http: 80
+ # -- Port the external HTTPS listener is published with.
https: 443
-
targetPorts:
+ # -- Port of the ingress controller the external HTTP listener is mapped to.
http: http
+ # -- Port of the ingress controller the external HTTPS listener is mapped to.
https: https
-
- type: LoadBalancer
-
- ## type: NodePort
- ## nodePorts:
- ## http: 32080
- ## https: 32443
- ## tcp:
- ## 8080: 32808
+ # -- Declare the app protocol of the external HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol
+ appProtocol: true
nodePorts:
+ # -- Node port allocated for the external HTTP listener. If left empty, the service controller allocates one from the configured node port range.
http: ""
+ # -- Node port allocated for the external HTTPS listener. If left empty, the service controller allocates one from the configured node port range.
https: ""
+ # -- Node port mapping for external TCP listeners. If left empty, the service controller allocates them from the configured node port range.
+ # Example:
+ # tcp:
+ # 8080: 30080
tcp: {}
+ # -- Node port mapping for external UDP listeners. If left empty, the service controller allocates them from the configured node port range.
+ # Example:
+ # udp:
+ # 53: 30053
udp: {}
-
- external:
- enabled: true
-
internal:
- # -- Enables an additional internal load balancer (besides the external one).
+ # -- Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this.
enabled: false
- # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service.
+ # -- Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
annotations: {}
-
- # loadBalancerIP: ""
-
- # -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0.
+ # -- Type of the internal controller service.
+ # Defaults to the value of `controller.service.type`.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
+ type: ""
+ # -- Pre-defined cluster internal IP address of the internal controller service. Take care of collisions with existing services.
+ # This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
+ clusterIP: ""
+ # -- List of node IP addresses at which the internal controller service is available.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
+ externalIPs: []
+ # -- Deprecated: Pre-defined IP address of the internal controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
+ loadBalancerIP: ""
+ # -- Restrict access to the internal controller service. Values must be CIDRs. Allows any source address by default.
loadBalancerSourceRanges: []
+ # -- Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
+ loadBalancerClass: ""
+ # -- Enable node port allocation for the internal controller service or not. Applies to type `LoadBalancer` only.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
+ # allocateLoadBalancerNodePorts: true
- ## Set external traffic policy to: "Local" to preserve source IP on
- ## providers supporting it
- ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
- # externalTrafficPolicy: ""
+ # -- External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it.
+ # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ externalTrafficPolicy: ""
+ # -- Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None".
+ # Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
+ sessionAffinity: ""
+ # -- Specifies the health check node port (numeric port number) for the internal controller service.
+ # If not specified, the service controller allocates a port from your cluster's node port range.
+ # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ # healthCheckNodePort: 0
+ # -- Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack.
+ # Fields `ipFamilies` and `clusterIP` depend on the value of this field.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+ ipFamilyPolicy: SingleStack
+ # -- List of IP families (e.g. IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+ ipFamilies:
+ - IPv4
+ ports: {}
+ # -- Port the internal HTTP listener is published with.
+ # Defaults to the value of `controller.service.ports.http`.
+ # http: 80
+ # -- Port the internal HTTPS listener is published with.
+ # Defaults to the value of `controller.service.ports.https`.
+ # https: 443
+
+ targetPorts: {}
+ # -- Port of the ingress controller the internal HTTP listener is mapped to.
+ # Defaults to the value of `controller.service.targetPorts.http`.
+ # http: http
+ # -- Port of the ingress controller the internal HTTPS listener is mapped to.
+ # Defaults to the value of `controller.service.targetPorts.https`.
+ # https: https
+
+ # -- Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol
+ appProtocol: true
+ nodePorts:
+ # -- Node port allocated for the internal HTTP listener. If left empty, the service controller allocates one from the configured node port range.
+ http: ""
+ # -- Node port allocated for the internal HTTPS listener. If left empty, the service controller allocates one from the configured node port range.
+ https: ""
+ # -- Node port mapping for internal TCP listeners. If left empty, the service controller allocates them from the configured node port range.
+ # Example:
+ # tcp:
+ # 8080: 30080
+ tcp: {}
+ # -- Node port mapping for internal UDP listeners. If left empty, the service controller allocates them from the configured node port range.
+ # Example:
+ # udp:
+ # 53: 30053
+ udp: {}
+ # shareProcessNamespace enables process namespace sharing within the pod.
+ # This can be used for example to signal log rotation using `kill -USR1` from a sidecar.
+ shareProcessNamespace: false
# -- Additional containers to be added to the controller pod.
# See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example.
extraContainers: []
@@ -569,16 +688,37 @@
# image: busybox
# command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;']
+ # -- Modules, which are mounted into the core nginx image.
extraModules: []
- ## Modules, which are mounted into the core nginx image
- # - name: opentelemetry
- # image: busybox
+ # - name: mytestmodule
+ # image:
+ # # registry: registry.k8s.io
+ # image: ingress-nginx/mytestmodule
+ # ## for backwards compatibility consider setting the full image url via the repository value below
+ # ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
+ # ## repository:
+ # tag: "v1.0.0"
+ # digest: ""
+ # distroless: false
+ # containerSecurityContext:
+ # runAsNonRoot: true
+ # runAsUser: <user-id>
+ # runAsGroup: <group-id>
+ # allowPrivilegeEscalation: false
+ # seccompProfile:
+ # type: RuntimeDefault
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # resources: {}
#
# The image must contain a `/usr/local/bin/init_module.sh` executable, which
# will be executed as initContainers, to move its config files within the
# mounted volume.
admissionWebhooks:
+ name: admission
annotations: {}
# ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem".
@@ -586,6 +726,15 @@
## These annotations will be added to the ValidatingWebhookConfiguration and
## the Jobs Spec of the admission webhooks.
enabled: true
+ # -- Additional environment variables to set
+ extraEnvs: []
+ # extraEnvs:
+ # - name: FOO
+ # valueFrom:
+ # secretKeyRef:
+ # key: FOO
+ # name: secret-resource
+ # -- Admission Webhook failure policy to use
failurePolicy: Fail
# timeoutSeconds: 10
port: 8443
@@ -595,10 +744,6 @@
objectSelector: {}
# -- Labels to be added to admission webhooks
labels: {}
-
- # -- Use an existing PSP instead of creating one
- existingPsp: ""
-
service:
annotations: {}
# clusterIP: ""
@@ -607,73 +752,128 @@
loadBalancerSourceRanges: []
servicePort: 443
type: ClusterIP
-
createSecretJob:
+ name: create
+ # -- Security context for secret creation containers
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65532
+ runAsGroup: 65532
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
resources: {}
- # limits:
- # cpu: 10m
- # memory: 20Mi
- # requests:
- # cpu: 10m
- # memory: 20Mi
-
+ # limits:
+ # cpu: 10m
+ # memory: 20Mi
+ # requests:
+ # cpu: 10m
+ # memory: 20Mi
patchWebhookJob:
+ name: patch
+ # -- Security context for webhook patch containers
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65532
+ runAsGroup: 65532
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
resources: {}
-
patch:
enabled: true
image:
- registry: k8s.gcr.io
+ # registry: registry.k8s.io
image: ingress-nginx/kube-webhook-certgen
## for backwards compatibility consider setting the full image url via the repository value below
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
## repository:
- tag: v1.1.1
- digest: sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+ tag: v1.5.2
+ digest: sha256:e8825994b7a2c7497375a9b945f386506ca6a3eda80b89b74ef2db743f66a5ea
pullPolicy: IfNotPresent
# -- Provide a priority class name to the webhook patching job
##
priorityClassName: ""
podAnnotations: {}
+ # NetworkPolicy for webhook patch
+ networkPolicy:
+ # -- Enable 'networkPolicy' or not
+ enabled: false
nodeSelector:
kubernetes.io/os: linux
tolerations: []
# -- Labels to be added to patch job resources
labels: {}
- runAsUser: 2000
-
+ # -- Security context for secret creation & webhook patch pods
+ securityContext: {}
+ # -- Admission webhook patch job RBAC
+ rbac:
+ # -- Create RBAC or not
+ create: true
+ # -- Admission webhook patch job service account
+ serviceAccount:
+ # -- Create a service account or not
+ create: true
+ # -- Custom service account name
+ name: ""
+ # -- Auto-mount service account token or not
+ automountServiceAccountToken: true
+ # Use certmanager to generate webhook certs
+ certManager:
+ enabled: false
+ # self-signed root certificate
+ rootCert:
+ # default to be 5y
+ duration: ""
+ admissionCert:
+ # default to be 1y
+ duration: ""
+ # issuerRef:
+ # name: "issuer"
+ # kind: "ClusterIssuer"
metrics:
port: 10254
+ portName: metrics
# if this port is changed, change healthz-port: in extraArgs: accordingly
enabled: false
-
service:
+ # -- Enable the metrics service or not.
+ enabled: true
annotations: {}
# prometheus.io/scrape: "true"
# prometheus.io/port: "10254"
-
+ # -- Labels to be added to the metrics service resource
+ labels: {}
# clusterIP: ""
# -- List of IP addresses at which the stats-exporter service is available
- ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
##
externalIPs: []
-
# loadBalancerIP: ""
loadBalancerSourceRanges: []
servicePort: 10254
type: ClusterIP
# externalTrafficPolicy: ""
# nodePort: ""
-
serviceMonitor:
enabled: false
additionalLabels: {}
+ # -- Annotations to be added to the ServiceMonitor.
+ annotations: {}
## The label to use to retrieve the job name from.
## jobLabel: "app.kubernetes.io/name"
namespace: ""
namespaceSelector: {}
- ## Default: scrape .Release.Namespace only
+ ## Default: scrape .Release.Namespace or namespaceOverride only
## To scrape all, use the following:
## namespaceSelector:
## any: true
@@ -682,46 +882,51 @@
targetLabels: []
relabelings: []
metricRelabelings: []
-
prometheusRule:
enabled: false
additionalLabels: {}
+ # -- Annotations to be added to the PrometheusRule.
+ annotations: {}
# namespace: ""
rules: []
- # # These are just examples rules, please adapt them to your needs
- # - alert: NGINXConfigFailed
- # expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0
- # for: 1s
- # labels:
- # severity: critical
- # annotations:
- # description: bad ingress config - nginx config test failed
- # summary: uninstall the latest ingress changes to allow config reloads to resume
- # - alert: NGINXCertificateExpiry
- # expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800
- # for: 1s
- # labels:
- # severity: critical
- # annotations:
- # description: ssl certificate(s) will expire in less then a week
- # summary: renew expiring certificates to avoid downtime
- # - alert: NGINXTooMany500s
- # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"5.+"} ) / sum(nginx_ingress_controller_requests) ) > 5
- # for: 1m
- # labels:
- # severity: warning
- # annotations:
- # description: Too many 5XXs
- # summary: More than 5% of all requests returned 5XX, this requires your attention
- # - alert: NGINXTooMany400s
- # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"4.+"} ) / sum(nginx_ingress_controller_requests) ) > 5
- # for: 1m
- # labels:
- # severity: warning
- # annotations:
- # description: Too many 4XXs
- # summary: More than 5% of all requests returned 4XX, this requires your attention
-
+ # # These are just examples rules, please adapt them to your needs
+ # - alert: NGINXConfigFailed
+ # expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0
+ # for: 1s
+ # labels:
+ # severity: critical
+ # annotations:
+ # description: bad ingress config - nginx config test failed
+ # summary: uninstall the latest ingress changes to allow config reloads to resume
+ # # By default a fake self-signed certificate is generated as default and
+ # # it is fine if it expires. If `--default-ssl-certificate` flag is used
+ # # and a valid certificate passed please do not filter for `host` label!
+ # # (i.e. delete `{host!="_"}` so also the default SSL certificate is
+ # # checked for expiration)
+ # - alert: NGINXCertificateExpiry
+ # expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds{host!="_"}) by (host) - time()) < 604800
+ # for: 1s
+ # labels:
+ # severity: critical
+ # annotations:
+ # description: ssl certificate(s) will expire in less then a week
+ # summary: renew expiring certificates to avoid downtime
+ # - alert: NGINXTooMany500s
+ # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"5.+"} ) / sum(nginx_ingress_controller_requests) ) > 5
+ # for: 1m
+ # labels:
+ # severity: warning
+ # annotations:
+ # description: Too many 5XXs
+ # summary: More than 5% of all requests returned 5XX, this requires your attention
+ # - alert: NGINXTooMany400s
+ # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"4.+"} ) / sum(nginx_ingress_controller_requests) ) > 5
+ # for: 1m
+ # labels:
+ # severity: warning
+ # annotations:
+ # description: Too many 4XXs
+ # summary: More than 5% of all requests returned 4XX, this requires your attention
# -- Improve connection draining when ingress controller pod is deleted using a lifecycle hook:
# With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds
# to 300, allowing the draining of connections up to five minutes.
@@ -734,48 +939,40 @@
exec:
command:
- /wait-shutdown
-
priorityClassName: ""
-
# -- Rollback limit
##
revisionHistoryLimit: 10
-
## Default 404 backend
##
defaultBackend:
##
enabled: false
-
name: defaultbackend
image:
- registry: k8s.gcr.io
+ # registry: registry.k8s.io
image: defaultbackend-amd64
## for backwards compatibility consider setting the full image url via the repository value below
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
## repository:
tag: "1.5"
pullPolicy: IfNotPresent
+ runAsNonRoot: true
# nobody user -> uid 65534
runAsUser: 65534
- runAsNonRoot: true
- readOnlyRootFilesystem: true
+ runAsGroup: 65534
allowPrivilegeEscalation: false
-
- # -- Use an existing PSP instead of creating one
- existingPsp: ""
-
+ seccompProfile:
+ type: RuntimeDefault
+ readOnlyRootFilesystem: true
extraArgs: {}
-
serviceAccount:
create: true
name: ""
automountServiceAccountToken: true
# -- Additional environment variables to set for defaultBackend pods
extraEnvs: []
-
port: 8080
-
## Readiness and liveness probes for default backend
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
##
@@ -791,7 +988,16 @@
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 5
+ # -- The update strategy to apply to the Deployment or DaemonSet
+ ##
+ updateStrategy: {}
+ # rollingUpdate:
+ # maxUnavailable: 1
+ # type: RollingUpdate
+ # -- `minReadySeconds` to avoid killing pods before we are ready
+ ##
+ minReadySeconds: 0
# -- Node tolerations for server scheduling to nodes with taints
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
##
@@ -801,38 +1007,97 @@
# value: "value"
# effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
+ # -- Affinity and anti-affinity rules for server scheduling to nodes
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}
+ # # An example of preferred pod anti-affinity, weight is in the range 1-100
+ # podAntiAffinity:
+ # preferredDuringSchedulingIgnoredDuringExecution:
+ # - weight: 100
+ # podAffinityTerm:
+ # labelSelector:
+ # matchExpressions:
+ # - key: app.kubernetes.io/name
+ # operator: In
+ # values:
+ # - '{{ include "ingress-nginx.name" . }}'
+ # - key: app.kubernetes.io/instance
+ # operator: In
+ # values:
+ # - '{{ .Release.Name }}'
+ # - key: app.kubernetes.io/component
+ # operator: In
+ # values:
+ # - default-backend
+ # topologyKey: kubernetes.io/hostname
- # -- Security Context policies for controller pods
- # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
- # notes on enabling and using sysctls
- ##
+ # # An example of required pod anti-affinity
+ # podAntiAffinity:
+ # requiredDuringSchedulingIgnoredDuringExecution:
+ # - labelSelector:
+ # matchExpressions:
+ # - key: app.kubernetes.io/name
+ # operator: In
+ # values:
+ # - '{{ include "ingress-nginx.name" . }}'
+ # - key: app.kubernetes.io/instance
+ # operator: In
+ # values:
+ # - '{{ .Release.Name }}'
+ # - key: app.kubernetes.io/component
+ # operator: In
+ # values:
+ # - default-backend
+ # topologyKey: kubernetes.io/hostname
+
+ # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in.
+ # Ref.: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+ topologySpreadConstraints: []
+ # - labelSelector:
+ # matchLabels:
+ # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ # app.kubernetes.io/instance: '{{ .Release.Name }}'
+ # app.kubernetes.io/component: default-backend
+ # matchLabelKeys:
+ # - pod-template-hash
+ # topologyKey: topology.kubernetes.io/zone
+ # maxSkew: 1
+ # whenUnsatisfiable: ScheduleAnyway
+ # - labelSelector:
+ # matchLabels:
+ # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ # app.kubernetes.io/instance: '{{ .Release.Name }}'
+ # app.kubernetes.io/component: default-backend
+ # matchLabelKeys:
+ # - pod-template-hash
+ # topologyKey: kubernetes.io/hostname
+ # maxSkew: 1
+ # whenUnsatisfiable: ScheduleAnyway
+ # -- Security context for default backend pods
podSecurityContext: {}
-
- # -- Security Context policies for controller main container.
- # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
- # notes on enabling and using sysctls
- ##
+ # -- Security context for default backend containers
containerSecurityContext: {}
-
# -- Labels to add to the pod container metadata
podLabels: {}
# key: value
# -- Node labels for default backend pod assignment
- ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
##
nodeSelector:
kubernetes.io/os: linux
-
# -- Annotations to be added to default backend pods
##
podAnnotations: {}
-
replicaCount: 1
-
+ # -- Minimum available pods set in PodDisruptionBudget.
+ # Define either 'minAvailable' or 'maxUnavailable', never both.
minAvailable: 1
-
+ # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+ # maxUnavailable: 1
+ # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+ # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+ unhealthyPodEvictionPolicy: ""
resources: {}
# limits:
# cpu: 10m
@@ -851,6 +1116,21 @@
# - name: copy-portal-skins
# emptyDir: {}
+ extraConfigMaps: []
+ ## Additional configmaps to the default backend pod.
+ # - name: my-extra-configmap-1
+ # labels:
+ # type: config-1
+ # data:
+ # extra_file_1.html: |
+ # <!-- Extra HTML content for ConfigMap 1 -->
+ # - name: my-extra-configmap-2
+ # labels:
+ # type: config-2
+ # data:
+ # extra_file_2.html: |
+ # <!-- Extra HTML content for ConfigMap 2 -->
+
autoscaling:
annotations: {}
enabled: false
@@ -858,61 +1138,56 @@
maxReplicas: 2
targetCPUUtilizationPercentage: 50
targetMemoryUtilizationPercentage: 50
-
+ # NetworkPolicy for default backend component.
+ networkPolicy:
+ # -- Enable 'networkPolicy' or not
+ enabled: false
service:
annotations: {}
-
# clusterIP: ""
# -- List of IP addresses at which the default backend service is available
- ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
##
externalIPs: []
-
# loadBalancerIP: ""
loadBalancerSourceRanges: []
servicePort: 80
type: ClusterIP
-
priorityClassName: ""
# -- Labels to be added to the default backend resources
labels: {}
-
## Enable RBAC as per https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/rbac.md and https://github.com/kubernetes/ingress-nginx/issues/266
rbac:
create: true
scope: false
-
-## If true, create & use Pod Security Policy resources
-## https://kubernetes.io/docs/concepts/policy/pod-security-policy/
-podSecurityPolicy:
- enabled: false
-
serviceAccount:
create: true
name: ""
automountServiceAccountToken: true
# -- Annotations for the controller service account
annotations: {}
-
# -- Optional array of imagePullSecrets containing private registry credentials
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imagePullSecrets: []
# - name: secretName
-# -- TCP service key:value pairs
+# -- TCP service key-value pairs
## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md
##
tcp: {}
-# 8080: "default/example-tcp-svc:9000"
+# "8080": "default/example-tcp-svc:9000"
-# -- UDP service key:value pairs
+# -- UDP service key-value pairs
## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md
##
udp: {}
-# 53: "kube-system/kube-dns:53"
+# "53": "kube-system/kube-dns:53"
+# -- Prefix for TCP and UDP ports names in ingress controller service
+## Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration
+portNamePrefix: ""
# -- (string) A base64-encoded Diffie-Hellman parameter.
# This can be generated with: `openssl dhparam 4096 2> /dev/null | base64`
## Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param
-dhParam:
+dhParam: ""
diff --git a/releasenotes/notes/update-nginx-ingress-for-cve-6c2aea8e2c530421.yaml b/releasenotes/notes/update-nginx-ingress-for-cve-6c2aea8e2c530421.yaml
new file mode 100644
index 0000000..5d30d7d
--- /dev/null
+++ b/releasenotes/notes/update-nginx-ingress-for-cve-6c2aea8e2c530421.yaml
@@ -0,0 +1,5 @@
+---
+security:
+ - |
+ Upgrade nginx ingress controller from 1.1.1 to 1.12.1 to fix CVE-2025-1097
+ CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, CVE-2025-24514.
diff --git a/roles/defaults/vars/main.yml b/roles/defaults/vars/main.yml
index 3752633..89f20db 100644
--- a/roles/defaults/vars/main.yml
+++ b/roles/defaults/vars/main.yml
@@ -85,9 +85,9 @@
ibm_block_csi_resizer: "{{ atmosphere_image_prefix }}registry.k8s.io/sig-storage/csi-resizer:v1.7.0"
ibm_block_csi_snapshotter: "{{ atmosphere_image_prefix }}registry.k8s.io/sig-storage/csi-snapshotter:v6.2.1"
ibm_block_csi_volume_group: "{{ atmosphere_image_prefix }}quay.io/ibmcsiblock/csi-volume-group-operator:v0.9.1"
- ingress_nginx_controller: "{{ atmosphere_image_prefix }}registry.k8s.io/ingress-nginx/controller:v1.1.1"
+ ingress_nginx_controller: "{{ atmosphere_image_prefix }}registry.k8s.io/ingress-nginx/controller:v1.12.1"
ingress_nginx_default_backend: "{{ atmosphere_image_prefix }}registry.k8s.io/defaultbackend-amd64:1.5"
- ingress_nginx_kube_webhook_certgen: "{{ atmosphere_image_prefix }}registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1"
+ ingress_nginx_kube_webhook_certgen: "{{ atmosphere_image_prefix }}registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.2"
ironic_api: "{{ atmosphere_image_prefix }}registry.atmosphere.dev/library/ironic:{{ atmosphere_release }}"
ironic_conductor: "{{ atmosphere_image_prefix }}registry.atmosphere.dev/library/ironic:{{ atmosphere_release }}"
ironic_db_sync: "{{ atmosphere_image_prefix }}registry.atmosphere.dev/library/ironic:{{ atmosphere_release }}"
diff --git a/roles/ingress_nginx/vars/main.yml b/roles/ingress_nginx/vars/main.yml
index 8f2852b..3f88c0b 100644
--- a/roles/ingress_nginx/vars/main.yml
+++ b/roles/ingress_nginx/vars/main.yml
@@ -22,6 +22,8 @@
config:
proxy-buffer-size: 16k
worker-shutdown-timeout: 5s
+ annotations-risk-level: Critical
+ allowSnippetAnnotations: true
dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true
ingressClassResource: