bump nginx ingress chart to fix 2025 CVEs
Change-Id: I83eb8cc3088e53c083249256a93b7b66744ebe00
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 68f8b58..5da493d 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -2,6 +2,10 @@
## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/index.md
##
+global:
+ image:
+ # -- Registry host to pull images from.
+ registry: registry.k8s.io
## Overrides for generated resource names
# See templates/_helpers.tpl
# nameOverride:
@@ -17,35 +21,38 @@
controller:
name: controller
- enableAnnotationValidations: false
+ enableAnnotationValidations: true
image:
## Keep false as default for now!
chroot: false
- registry: registry.k8s.io
+ # registry: registry.k8s.io
image: ingress-nginx/controller
## for backwards compatibility consider setting the full image url via the repository value below
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
## repository:
- tag: "v1.10.1"
- digest: sha256:e24f39d3eed6bcc239a56f20098878845f62baa34b9f2be2fd2c38ce9fb0f29e
- digestChroot: sha256:c155954116b397163c88afcb3252462771bd7867017e8a17623e83601bab7ac7
+ tag: "v1.12.1"
+ digest: sha256:d2fbc4ec70d8aa2050dd91a91506e998765e86c96f32cffb56c503c9c34eed5b
+ digestChroot: sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
pullPolicy: IfNotPresent
runAsNonRoot: true
- # www-data -> uid 101
+ # -- This value must not be changed using the official image.
+ # uid=101(www-data) gid=82(www-data) groups=82(www-data)
runAsUser: 101
+ # -- This value must not be changed using the official image.
+ # uid=101(www-data) gid=82(www-data) groups=82(www-data)
+ runAsGroup: 82
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: false
- # -- Use an existing PSP instead of creating one
- existingPsp: ""
# -- Configures the controller container name
containerName: controller
# -- Configures the ports that the nginx-controller listens on
containerPort:
http: 80
https: 443
- # -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
+ # -- Global configuration passed to the ConfigMap consumed by the controller. Values may contain Helm templates.
+ # Ref.: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
config: {}
# -- Annotations to be added to the controller config configuration configmap.
configAnnotations: {}
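Review bot: Flipping `enableAnnotationValidations` to `true` at the top of this hunk is a behavior change for existing Ingress objects, not just a default tweak — annotation values that fail the controller's validation will now be rejected at admission instead of being passed through to nginx, so operators upgrading the chart should be told. Suggest replacing the bare key with `# -- Validate Ingress annotation values; invalid values are rejected by the admission webhook instead of being rendered into the nginx config (hardening default).` above `enableAnnotationValidations: true`. The `digest`/`digestChroot` pins are updated together with `tag: "v1.12.1"`, which is correct, but nothing in the diff records their provenance; the commit message should state that they were taken from the upstream chart release so the pins can be audited rather than trusted. `readOnlyRootFilesystem: false` on the controller container is untouched by this commit; since the stated purpose is hardening, it is worth a follow-up if the official image supports it.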
@@ -83,6 +90,10 @@
# -- This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto"
# Defaults to false
enableTopologyAwareRouting: false
+ # -- This configuration disable Nginx Controller Leader Election
+ disableLeaderElection: false
+ # -- Duration a leader election is valid before it's getting re-elected, e.g. `15s`, `10m` or `1h`. (Default: 30s)
+ electionTTL: ""
# -- This configuration defines if Ingress Controller should allow users to set
# their own *-snippet annotations, otherwise this is forbidden / dropped
# when users add those annotations.
@@ -120,10 +131,19 @@
# Ingress creation gets rejected if there are multiple default IngressClasses.
# Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class
default: false
+ # -- Annotations to be added to the IngressClass resource.
+ annotations: {}
# -- Controller of the IngressClass. An Ingress Controller looks for IngressClasses it should reconcile by this value.
# This value is also being set as the `--controller-class` argument of this Ingress Controller.
# Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class
controllerValue: k8s.io/ingress-nginx
+ # -- Aliases of this IngressClass. Creates copies with identical settings but the respective alias as name.
+ # Useful for development environments with only one Ingress Controller but production-like Ingress resources.
+ # `default` gets enabled on the original IngressClass only.
+ aliases: []
+ # aliases:
+ # - nginx-alias-1
+ # - nginx-alias-2
# -- A link to a custom resource containing additional configuration for the controller.
# This is optional if the controller consuming this IngressClass does not require additional parameters.
# Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class
@@ -180,7 +200,7 @@
# -- Annotations to be added to the udp config configmap
annotations: {}
# -- Maxmind license key to download GeoLite2 Databases.
- ## https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases
+ ## https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/
maxmindLicenseKey: ""
# -- Additional command line arguments to pass to Ingress-Nginx Controller
# E.g. to specify the default SSL certificate you can use
@@ -220,6 +240,9 @@
# maxUnavailable: 1
# type: RollingUpdate
+ # -- Specifies the number of seconds you want to wait for the controller deployment to progress before the system reports back that it has failed.
+ # Ref.: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds
+ progressDeadlineSeconds: 0
# -- `minReadySeconds` to avoid killing pods before we are ready
##
minReadySeconds: 0
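Review bot: `progressDeadlineSeconds: 0` is not a valid Deployment value if the template renders it as-is — the API server requires progressDeadlineSeconds to be greater than minReadySeconds, and `minReadySeconds: 0` sits two lines below. Presumably the template only emits the field when the value is non-zero (the template is not part of this diff, so this cannot be confirmed here), in which case the comment should say so explicitly: `# Set to 0 (default) to leave the field unset and use the Kubernetes default of 600s.` If the template does render it unconditionally, the default should be dropped or set to a valid value.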
@@ -246,11 +269,11 @@
# - key: app.kubernetes.io/name
# operator: In
# values:
- # - ingress-nginx
+ # - '{{ include "ingress-nginx.name" . }}'
# - key: app.kubernetes.io/instance
# operator: In
# values:
- # - ingress-nginx
+ # - '{{ .Release.Name }}'
# - key: app.kubernetes.io/component
# operator: In
# values:
@@ -265,16 +288,16 @@
# - key: app.kubernetes.io/name
# operator: In
# values:
- # - ingress-nginx
+ # - '{{ include "ingress-nginx.name" . }}'
# - key: app.kubernetes.io/instance
# operator: In
# values:
- # - ingress-nginx
+ # - '{{ .Release.Name }}'
# - key: app.kubernetes.io/component
# operator: In
# values:
# - controller
- # topologyKey: "kubernetes.io/hostname"
+ # topologyKey: kubernetes.io/hostname
# -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in.
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
@@ -285,6 +308,8 @@
# app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
# app.kubernetes.io/instance: '{{ .Release.Name }}'
# app.kubernetes.io/component: controller
+ # matchLabelKeys:
+ # - pod-template-hash
# topologyKey: topology.kubernetes.io/zone
# maxSkew: 1
# whenUnsatisfiable: ScheduleAnyway
@@ -293,6 +318,8 @@
# app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
# app.kubernetes.io/instance: '{{ .Release.Name }}'
# app.kubernetes.io/component: controller
+ # matchLabelKeys:
+ # - pod-template-hash
# topologyKey: kubernetes.io/hostname
# maxSkew: 1
# whenUnsatisfiable: ScheduleAnyway
@@ -358,7 +385,9 @@
minAvailable: 1
# -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
# maxUnavailable: 1
-
+ # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+ # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+ unhealthyPodEvictionPolicy: ""
## Define requests resources to avoid probe issues due to CPU utilization in busy nodes
## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903
## Ideally, there should be no limits.
@@ -659,11 +688,11 @@
# image: busybox
# command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;']
- # -- Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module
+ # -- Modules, which are mounted into the core nginx image.
extraModules: []
# - name: mytestmodule
# image:
- # registry: registry.k8s.io
+ # # registry: registry.k8s.io
# image: ingress-nginx/mytestmodule
# ## for backwards compatibility consider setting the full image url via the repository value below
# ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
@@ -674,6 +703,7 @@
# containerSecurityContext:
# runAsNonRoot: true
# runAsUser: <user-id>
+ # runAsGroup: <group-id>
# allowPrivilegeEscalation: false
# seccompProfile:
# type: RuntimeDefault
@@ -687,30 +717,6 @@
# will be executed as initContainers, to move its config files within the
# mounted volume.
- opentelemetry:
- enabled: false
- name: opentelemetry
- image:
- registry: registry.k8s.io
- image: ingress-nginx/opentelemetry
- ## for backwards compatibility consider setting the full image url via the repository value below
- ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
- ## repository:
- tag: "v20230721-3e2062ee5"
- digest: sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472
- distroless: true
- containerSecurityContext:
- runAsNonRoot: true
- # -- The image's default user, inherited from its base image `cgr.dev/chainguard/static`.
- runAsUser: 65532
- allowPrivilegeEscalation: false
- seccompProfile:
- type: RuntimeDefault
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- resources: {}
admissionWebhooks:
name: admission
annotations: {}
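Review bot: Deleting the whole `controller.opentelemetry` block silently disables the feature for anyone carrying `opentelemetry.enabled: true` in an override file — Helm ignores unknown values, so the init container simply disappears with no error at upgrade time. A pointer at the removal site would prevent a surprise, e.g. `# -- The opentelemetry module values were removed from this chart; see the upstream changelog for the replacement.` The two comment lines that now sit directly above `admissionWebhooks:` (`will be executed as initContainers, to move its config files within the mounted volume.`) appear to have introduced the removed block — the start of that comment is outside the hunk — and should be removed or rewritten together with it so they do not describe a key that no longer exists.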
@@ -738,8 +744,6 @@
objectSelector: {}
# -- Labels to be added to admission webhooks
labels: {}
- # -- Use an existing PSP instead of creating one
- existingPsp: ""
service:
annotations: {}
# clusterIP: ""
@@ -754,6 +758,7 @@
securityContext:
runAsNonRoot: true
runAsUser: 65532
+ runAsGroup: 65532
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
@@ -774,6 +779,7 @@
securityContext:
runAsNonRoot: true
runAsUser: 65532
+ runAsGroup: 65532
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
@@ -785,13 +791,13 @@
patch:
enabled: true
image:
- registry: registry.k8s.io
+ # registry: registry.k8s.io
image: ingress-nginx/kube-webhook-certgen
## for backwards compatibility consider setting the full image url via the repository value below
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
## repository:
- tag: v1.4.1
- digest: sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366
+ tag: v1.5.2
+ digest: sha256:e8825994b7a2c7497375a9b945f386506ca6a3eda80b89b74ef2db743f66a5ea
pullPolicy: IfNotPresent
# -- Provide a priority class name to the webhook patching job
##
@@ -808,6 +814,18 @@
labels: {}
# -- Security context for secret creation & webhook patch pods
securityContext: {}
+ # -- Admission webhook patch job RBAC
+ rbac:
+ # -- Create RBAC or not
+ create: true
+ # -- Admission webhook patch job service account
+ serviceAccount:
+ # -- Create a service account or not
+ create: true
+ # -- Custom service account name
+ name: ""
+ # -- Auto-mount service account token or not
+ automountServiceAccountToken: true
# Use certmanager to generate webhook certs
certManager:
enabled: false
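Review bot: The new patch-job `serviceAccount.automountServiceAccountToken: true` is a requirement, not an option — the hunk's own `securityContext` comment describes these pods as doing secret creation and webhook patching, both of which need the API token — yet `# -- Auto-mount service account token or not` reads as if it could be turned off freely. Suggest `# -- Mount the service account token. Required: the patch job uses it to create the webhook TLS secret and patch the ValidatingWebhookConfiguration.` Giving the job its own `rbac`/`serviceAccount` instead of reusing the controller's is a least-privilege improvement, but the verbs and resources granted by `rbac.create: true` live in the templates, which this diff does not show, so that scope still has to be checked separately.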
@@ -827,6 +845,8 @@
# if this port is changed, change healthz-port: in extraArgs: accordingly
enabled: false
service:
+ # -- Enable the metrics service or not.
+ enabled: true
annotations: {}
# prometheus.io/scrape: "true"
# prometheus.io/port: "10254"
@@ -847,6 +867,7 @@
serviceMonitor:
enabled: false
additionalLabels: {}
+ # -- Annotations to be added to the ServiceMonitor.
annotations: {}
## The label to use to retrieve the job name from.
## jobLabel: "app.kubernetes.io/name"
@@ -864,6 +885,8 @@
prometheusRule:
enabled: false
additionalLabels: {}
+ # -- Annotations to be added to the PrometheusRule.
+ annotations: {}
# namespace: ""
rules: []
# # These are just examples rules, please adapt them to your needs
@@ -927,7 +950,7 @@
enabled: false
name: defaultbackend
image:
- registry: registry.k8s.io
+ # registry: registry.k8s.io
image: defaultbackend-amd64
## for backwards compatibility consider setting the full image url via the repository value below
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
@@ -937,12 +960,11 @@
runAsNonRoot: true
# nobody user -> uid 65534
runAsUser: 65534
+ runAsGroup: 65534
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: true
- # -- Use an existing PSP instead of creating one
- existingPsp: ""
extraArgs: {}
serviceAccount:
create: true
@@ -985,7 +1007,72 @@
# value: "value"
# effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
+ # -- Affinity and anti-affinity rules for server scheduling to nodes
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}
+ # # An example of preferred pod anti-affinity, weight is in the range 1-100
+ # podAntiAffinity:
+ # preferredDuringSchedulingIgnoredDuringExecution:
+ # - weight: 100
+ # podAffinityTerm:
+ # labelSelector:
+ # matchExpressions:
+ # - key: app.kubernetes.io/name
+ # operator: In
+ # values:
+ # - '{{ include "ingress-nginx.name" . }}'
+ # - key: app.kubernetes.io/instance
+ # operator: In
+ # values:
+ # - '{{ .Release.Name }}'
+ # - key: app.kubernetes.io/component
+ # operator: In
+ # values:
+ # - default-backend
+ # topologyKey: kubernetes.io/hostname
+
+ # # An example of required pod anti-affinity
+ # podAntiAffinity:
+ # requiredDuringSchedulingIgnoredDuringExecution:
+ # - labelSelector:
+ # matchExpressions:
+ # - key: app.kubernetes.io/name
+ # operator: In
+ # values:
+ # - '{{ include "ingress-nginx.name" . }}'
+ # - key: app.kubernetes.io/instance
+ # operator: In
+ # values:
+ # - '{{ .Release.Name }}'
+ # - key: app.kubernetes.io/component
+ # operator: In
+ # values:
+ # - default-backend
+ # topologyKey: kubernetes.io/hostname
+
+ # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in.
+ # Ref.: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+ topologySpreadConstraints: []
+ # - labelSelector:
+ # matchLabels:
+ # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ # app.kubernetes.io/instance: '{{ .Release.Name }}'
+ # app.kubernetes.io/component: default-backend
+ # matchLabelKeys:
+ # - pod-template-hash
+ # topologyKey: topology.kubernetes.io/zone
+ # maxSkew: 1
+ # whenUnsatisfiable: ScheduleAnyway
+ # - labelSelector:
+ # matchLabels:
+ # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ # app.kubernetes.io/instance: '{{ .Release.Name }}'
+ # app.kubernetes.io/component: default-backend
+ # matchLabelKeys:
+ # - pod-template-hash
+ # topologyKey: kubernetes.io/hostname
+ # maxSkew: 1
+ # whenUnsatisfiable: ScheduleAnyway
# -- Security context for default backend pods
podSecurityContext: {}
# -- Security context for default backend containers
@@ -1003,7 +1090,14 @@
##
podAnnotations: {}
replicaCount: 1
+ # -- Minimum available pods set in PodDisruptionBudget.
+ # Define either 'minAvailable' or 'maxUnavailable', never both.
minAvailable: 1
+ # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+ # maxUnavailable: 1
+ # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+ # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+ unhealthyPodEvictionPolicy: ""
resources: {}
# limits:
# cpu: 10m
@@ -1067,10 +1161,6 @@
rbac:
create: true
scope: false
-## If true, create & use Pod Security Policy resources
-## https://kubernetes.io/docs/concepts/policy/pod-security-policy/
-podSecurityPolicy:
- enabled: false
serviceAccount:
create: true
name: ""